SOAP handlers and the WebLogic Security Provider Framework

Similar Messages

• The weblogic.security.Security.runAs() and JAAS Subject

  Let say that I have Java client with some JAAS code that authenticates
  the user. The LoginContext generates a Subject containing the Principal
  name of the authenticated user, but also some private credentials that
  makes the Subject secure.
  Now I want to call an EJB on WLS.
  Having JNDI (EJB) code inside a PriviledgesAction and using the
  weblogic.security.Security.runAs() method, I assume that the Subject is
  sent over the wire with the EJB call. If not, please correct me.
  Question is: How does WLS authenticate this call? What modules are
  called? IdentityAsserter? LoginModule? Is the Subject simply assumed
  "valid"? Any documentation describing how this is done?
  /Bo

  Hi,
  Problem is solved, we also got security exception when we tried to call MBeans.For this to work we have to set
  -Dweblogic.disableMBeanAuthorization=true in weblogic startup script so that our application can access MBeans.
  Thanks
  girish

• Weblogic.security.provider.PrincipalValidatorImpl deprecated

  http://edocs.bea.com/wls/docs103/javadocs/weblogic/security/provider/PrincipalValidatorImpl.html says the class is deprecated though the documentation(http://edocs.bea.com/wls/docs103/dvspisec/atn.html#wp1089150) suggests its use.
  Anyone have any knowledge of the replacement api usage (com.bea.common.security.provider.PrincipalValidatorImpl) which does not seem to have a default constructor..

  Same Problem here. It seems com.bea.common.security.provider.PrincipalValidatorImpl has no API Reference. and weblogic.security.provider.PrincipalValidatorImpl which is obviously for the WLS 8 release is deprecated.
  Where to find an API Reference or some other documentation to com.bea.common.security.provider.PrincipalValidatorImpl ?

• An error was encountered by the CAS Security Provider:   Error Code: SVR_ER

  Hi Everybody,
  when i open dimension library that time i get a error
  An error was encountered by the CAS Security Provider:
  Error Code: SVR_ERR_SESSION_MGR_CAS_SECURITY_ERROR
  How i can resolve i donot know ,pleas any body know help me.
  Regards,
  Ashis

  I ran into the same problem. It appears to be an "undocumented feature"; however, there is a patch that is supposed to resolve the issue. The link to the patch is here:
  https://updates.oracle.com/ARULink/PatchDetails/process_form?patch_num=9921096
  See the following for more details:
  Workspace: An error was encountered by the CAS Security Provider: Not SpecifiedError Code: SVR_ERR_SESSION_MGR_CAS_SECURITY_ERROR [ID 1265746.1]
  Modified 22-NOV-2010 Type PROBLEM Status PUBLISHED
  In this Document
  Symptoms
  Cause
  Solution
  References
  Applies to:
  Hyperion Planning - Version: 11.1.2.0.00 and later [Release: 11.1 and later ]
  Information in this document applies to any platform.
  Symptoms
  When trying to access BPMA via the Workspace, Active Directory users get the following error:An error was encountered by the CAS Security Provider: Not SpecifiedError Code: SVR_ERR_SESSION_MGR_CAS_SECURITY_ERROR.
  Cause
  This behaviour is described in unpublished bug 9921096
  When MSAD is configured as an external directory there is an option to enable or disable support for external groups. If Support Groups is disabled this triggers a code bug which leads to the observed behaviour on navigating to the Dimension Library.
  Solution
  As a workaround you can enable Support Groups.
  If you want to be able to disable Support Groups you must apply patch 9921096.
  References
  Related
  Products
  •Middleware > Enterprise Performance Management > Planning > Hyperion Planning
  Hope this resolves your problem!
  Jennifer

• I cannot connect to the iTunes Store.  I receive Error Code -1202.  This problem began yesterday.  I have been successfully connecting to the store for months on this PC.  I am running Windows 7 and the Windows Security Center.  Thanks for any help

  TS1368 I cannot connect to the iTunes Store.  I receive Error Code -1202.  This problem began yesterday.  I have been successfully connecting to the store for months on this PC.  I am running Windows 7 and the Windows Security Center.  Thanks for any help.

  Hello alankilner,
  And welcome to Apple Discussions!
  Using Proxy: Yes
  Try temporarily disabling this setting by following the steps outlined in this Apple support document.
  http://support.apple.com/kb/TS1490
  B-rock

• SOAP Encoding and the real need

  I just read the below from the site here-
  SOAP encoding has fallen out of favor in the Web services community. It is not supported by the WS-I basic profile. So JAX-WS, as the latest incarnation of Java Web services, has disallowed SOAP encoding. JAX-RPC supports SOAP encoding, so if you really must use SOAP encoded messages, stick with JAX-RPC.
  I am new to Web Services and am familiar with DOC/Literal only.
  Why will anyone want to create a "new" Web service in Encoded format?
  What was the real need SOAPEncoding has served when there is a separate standard named XML Schema?
  Just curious to explore-

  Hello,
  The WS-I work constrains the various web service specification to a
  functional subset that exhibit the greatest degree of interoperability;
  certainly there are many other features (quality of service, security,
  attachments, etc.) that are provided by WebLogic web services; this does
  not negate the fact that BP 1.0 compliance can be easily achieved.
  Regards,
  Bruce
  Vasudev Kumarjiguda wrote:
  >
  Hi,
  The Basic Profile 1.0 forbids SOAP encoding, yet Bea WebLogic documentation mentions
  that RPC-oriented WebLogic Web Service operations use SOAP encoding.
  Am I missing something here (since Bea supports the Basic Profile 1.0) ?
  thanks
  Vasu

• Custom Policy Step and the WS-Security header attibute "mustUnderstand"

  Hi there,
  I have some issues testing the custom policy step that comes with OWSM (CustomAuthenticationStep), which i describe next.
  I manage to compile/deploy the custom step successfully. I also restart the server and add the brand new step into the request pipeline. The pipeline only has two steps, a log step and a custom authentication step.
  I develop a client for the gateway service which use the "Username to Authenticate" option of the Proxy Security. The other options (inbound/outbound integrity/encryption) are all unchecked.
  When I test the client, the following SOAP message is produced:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ns0="http://agesic.entidad/types/"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <env:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  env:mustUnderstand="1">
  <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:Username>test</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </env:Header>
  <env:Body>
  <ns0:reverseElement>
  <ns0:aString>Holas!</ns0:aString>
  </ns0:reverseElement>
  </env:Body>
  </env:Envelope>
  Which looks just fine. However I get the following exception:
  javax.xml.rpc.soap.SOAPFaultException: SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
       at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
       at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
       at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
       at agesic.cliente.gateway.proxy.runtime.EchoReverseSoapHttp_Stub.reverse(EchoReverseSoapHttp_Stub.java:78)
       at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.reverse(EchoReverseSoapHttpPortClient.java:44)
       at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.main(EchoReverseSoapHttpPortClient.java:33)
  If i look at the log produced by the custom step, it looks like the step was successfully passed.
  ********** Entering Custom Authentication execute method **********
  Processing stage is Request
  Request SOAP message is <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="h
  ttp://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-ins
  tance" xmlns:ns0="http://agesic.entidad/types/" xmlns:wsu="http://docs.oasis-ope
  n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><env:Header><wsse
  :Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004
  /01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.or
  g/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://sche
  mas.xmlsoap.org/soap/envelope/"><wsse:UsernameToken xmlns:wsse="http://docs.oasi
  s-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http:/
  /docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ws
  se:Username>test</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/
  wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse
  :Password></wsse:UsernameToken></wsse:Security></env:Header><env:Body><ns0:rever
  seElement><ns0:aString>Holas!</ns0:aString></ns0:reverseElement></env:Body></env
  :Envelope>
  User locale is English
  Client ip address is rhel4.tecinfo.com.uy:7777
  Verified user is test
  The problems is with the mustUnderstand attribute. It looks like no step tells the OWSM that he understands the header, so the OWSM pass through the pipeline and when it ends it thinks that that header was not processed properly.
  I try to find documentation on this issue but I didn't find any.
  Any ideas? Is there any way to specify that the step actually understands the ws-security header?
  Thanks!
  Leo

  Ok. Thanks. The problem here is a little bit different. At the client side, we have the following:
  <?xml version="1.0" encoding="UTF-8"?>
  <oracle-webservice-clients xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='http://xmlns.oracle.com/oracleas/schema/oracle-webservices-client-10_0.xsd'>
  <webservice-client>
  <service-qname namespaceURI="http://agesic.entidad/" localpart="EchoReverse"/>
  <port-info>
  <wsdl-port namespaceURI="http://agesic.entidad/" localpart="EchoReverseSoapHttpPort"/>
  <runtime enabled="security">
  <security>
  <inbound/>
  <outbound>
  <username-token password-type="PLAINTEXT" add-nonce="false" add-created="false"/>
  </outbound>
  </security>
  </runtime>
  <operations>
  <operation name='reverse'>
  </operation>
  </operations>
  </port-info>
  </webservice-client>
  </oracle-webservice-clients>
  The <outbound> here is requered in order to use the WSS UserName token profile. I try to remove the <inbound/> to check if it was a problem like yours, but we still have the same exception.
  The problem seems to be with the gateway at the server side.
  Intercepting the communication between the client and the server, we are getting the following response:
  <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ns0="http://agesic.entidad/types/">
  <env:Body>
  <env:Fault>
  <faultcode>env:MustUnderstand</faultcode>
  <faultstring>SOAP must understand error:
  {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  We need a way to instruct the gateway that he actually understands the wss header.
  Any ideas?
  Thanks!
  Leo

• P6 R8 And The WebLogic Advantage

  Hi,
  I am going deeply within WLS in the last month and this brought me to some things about the relationship of P6 and WLS. I think that WebLogic is a really tough as platform to base P6 in large environments. I am starting to appreciate the response time and the picture we can have of whatever is going on.
  The point is that WebLogic cannot be conceived as a tool or a mean to run something else. This is a valid approach for solutions like JBoss 5.0.1 used to run P6 Web up to P6 v7. With WebLogic the application server administration skills and knowledge should need to be considered upfront of the implementation.
  Practically, the checklist should start with the question:
  - do we have a professional to manage Weblogic?
  Fabio D'Alfonso
  http://www.fabiodalfonso.com

  Hi,
  yes that is the summary.
  I have experience with P6 Web v7 and have chosen at that time JBoss. The v7 runs on JBoss 5.0.1. I found that the best solution because the JBoss has a small footprint and having no administration interface was ideal to "stay behind" the scenes. I managed to run P6 Web, P6 Web Services, P6 Progress Reporter, Contract Management, on a single instance of JBoss, using the port sets for P6 and the arbitrary choice for the CM port. Also, using Firedeamon, got servers running as services and detached from the console (no stop of services logging off).
  Solved the various problem I forgot the existence of JBoss. The only thing to remember is to monitor the tmp folders within domains, growing time by time (and Gigabyte by Gigabyte).
  I would have never thought to WebLogic as an alternative to Jboss in the described scenario. Consistently I got started with WebLogic in the process of getting knowledge of SOA Suite with the of a robust list of books:
  *> J2EE Developer Handbook*
  *> J2EE in 21 (LONG) Days*
  *> Oracle Professional WebLogic Server*
  *> Getting Started with SOA 11g*
  (total of 4,000 pages)
  Starting to appreciate the WebLogic environment in the context of J2EE application frameworks as SOA, shows the complexity and the unique features in the flavour of solutions to architectural challenges. I think that convergence of P6 and WebLogic requires an upfront existing framework and experienced administrators, that are able solve P6 application problems in a hosting platform perspective, as WebLogic is for managed servers.
  Otherwise the first issue will quickly become a disaster.
  Fabio D'Alfonso
  http://www.fabiodalfonso.com

• Multiple Recordsets and the Oracle OleDB Provider

  We are trying to return multiple recordsets from an Oracle SP through the Oracle oledb provider using VB. First of all, is this possible and is there any example code out there. Having trouble finding some info on this.
  Thanks

  After reading install guide I figured out waht might be the problem.
  I put OLEDB install into the same home (ora81).
  It was suppose to go into different home directory (ora92).
  Also, OLEDB is one of few components which can't exist in more then one
  home dir on single machine. Installer knows that, and skips install of
  OLEDB provider itself. So in my case I had to first uninstall OLEDB provider 8.1.7
  and then install OLEDB provider 9.2
  Thanks,
  ...dejan

• Unmounted HDD and the latest Security update

  Yesterday I installed the latest security/Java update and it crashed my system, just like it has done to quite a few other people: http://discussions.apple.com/thread.jspa?messageID=9053491#9053491
  In trying to reinstall OS X, I ran across what I guess is the second installation disc error, where after the first disc is installed and the system reboots, it never finishes booting nor does it ask for the second disc.
  I thought my problem might be a HDD error, so I ran the installation disc and did the Disk Utility. I asked it to repair the disc if needed. It could not complete the repair because of an "Invalid sibling link." And this is where things went really bad.
  Foolishly, I searched the internet for "invalid siblining link" and found this site: http://www.macosxhints.com/article.php?story=20070204093925888
  Which suggests that to fix this error you need to unmount your HDD and run fsck_hfs -r in the Terminal.
  Why would I be so stupid as to follow this advice and unmount my HDD with little-to-no understanding of what unmounting does or of Terminal commands? Why would I not bother to read the comments following that post which decry the dangers of unmounting? The only excuse I can think of was that I was delirious after nearly 8 hours of trying to salvage my iMac from the Java/Security update. Needless to say, I successfully unmounted my HDD but did not successfully run the fsck test. Leaving me without a HDD and unable to install OS X.
  At this point, I'm planning on taking to the Genius Bar in Austin over the weekend, hoping that they can salvage my new machine (less than a year old!) from the mess I/Apple made. Any one have any suggestions on remounting a HDD or any advice in general?

  A wiser head may step in on this as regards to the mounting issue, but I am not currently under the impression that that is what is wrong. I think that command only applies when you are running the computer and once you turn off the computer and turn it on again the drive should appear in Disk Utility. In fact, if the drive were wiped clean your Disk Utility should see it. Yes, if you unmount it to run fsk, you then need to mount it to get it to show under that session, but if you turned off the computer or restarted it then all would be reset.
  So, if you turn off your computer, boot from your install Disk and start up Disk Utility, does the drive show up at all? If so you're off the a start. If not then it is suggesting serious problems (terminal?) with the drive.

• Using xs:all element and the Weblogic provided SAX Parser

  I am trying to validate XML documents against an xsd schema which has within it
  the xs:all element to indicate that certain elements should be present but the
  order in which they appear is not important. I have found that when I try to parse
  a document against this schema using the SAXParser that is provided with Weblogic
  the xs:all element seems not to be supported.
  Has anybody else experienced this?
  I have tried the same code but using a different SAX Parser (Apache provided)
  and this no longer seems to be a problem.
  Any advice would be appreciated.

  Hi Jonathan,
  I took a quick look through our problem reports and did not see anything
  related to this issue. Is this with WLS 8.1SP1? I'd suggest creating a
  small reproducer and open a case with our award winning support group:
  http://support.bea.com or [email protected]
  Thanks,
  Bruce
  Jonathan Davison wrote:
  >
  I am trying to validate XML documents against an xsd schema which has within it
  the xs:all element to indicate that certain elements should be present but the
  order in which they appear is not important. I have found that when I try to parse
  a document against this schema using the SAXParser that is provided with Weblogic
  the xs:all element seems not to be supported.
  Has anybody else experienced this?
  I have tried the same code but using a different SAX Parser (Apache provided)
  and this no longer seems to be a problem.
  Any advice would be appreciated.

• I have The latest Firefox installed on an older Dell, and the CA security suite thru my ISP, which takes all my CPU and causes everything to freeze when I try to access it's features. I need a free internet security program that does tax my system so much

  Have older Dell Dimension 32/bit with Win XP Prof 2002. I have installed CA security suite from my ISP, which is a huge program and uses 100% of CPU on start-up & shut down, slowing everthing to a snails pace. I have removed evrything I don't need using 30 day free Revo Unistaller Pro, but when I try to access CA's Firewall to add programs to the exception rule, it will open, then freezes along with Firefox tabs and anything else. Can't even shut down from start menu. I want to get rid of CA(although it is a good program, it's too big), and go back to using my Win Firewall(or another better free firewall that's good for more than 30 days trial) and some other free internet security program that is easy, runs in the background and doesn't take all my resources and isn't just a 30 day free trial till you buy the program. I am also trying to install a wireless adapter so I can drop my ISP and use the free city/county signal as no work for 20 months!
  == This happened ==
  A few times a week
  == Trying to access CA security Suite Firewall

  I am the original poster, and I got rid of CA Security Suite & and loaded the Avast! which has some great features even on the freeware. No more crashes or freezing & yes I think there is a problem with CA & Firefox, but am not sure what it is. CA was a big time hog. I also got rid of my ISP and installed a Intellinet Wireless G PCI Card & now am completely wireless on my PC. Faster by far than what I was paying $50/month for & I use my Windows Firewall.

• TS1368 I cannot connect to the iTunes Store.  I receive Error Code -1202.  This problem began yesterday.  I have been successfully connecting to the store for months on this PC.  I am running Windows 7 and the Windows Security Center.  Thanks for any help

  I am unable to connect to the iTunes Store.  This issue began yesterday, 3/11/13.  I previously have been able to connect to the store successfully on this computer which runs Windows 7 and Security Center since November.  I also used the iTunes Store on my previous computer for several years.  I am able to connect to the store with my new iPod Touch 5th generation.  I did a Google search for Error Code -1202 but did not find any pertinent results.  I would greatly appreciate any assistance in troubleshooting this situation.  Thank you!

  Hello alankilner,
  And welcome to Apple Discussions!
  Using Proxy: Yes
  Try temporarily disabling this setting by following the steps outlined in this Apple support document.
  http://support.apple.com/kb/TS1490
  B-rock

• Is there going to be support by the nvidia web page concerning gtx 680 M and the software features provided for it ( e.g. Drivers, Mac version of 3D TV Play)?

  By now there were no imac features to be found on the official nvidia-webpage, though there was full support for windows based products.
  I'm certainly satisfied with the product quality and therefor think it would deserve equal maintenance and usability.
  yours sincerely
  GlobeCitizen

  In general, Apple does Not support your using any downloads from their video card Manufacturer's websites.  Apple provides you with all of the firmware and driver Updates from Nvidea that they feel are stable with Apple's hardware and logic board in the iMac.  The required Updates are provided to you by the OS X Updates Apple periodically provides.  iMacs are NOT like a PC in this manner.  You do not have to and should not be downloading software from the nVidea site.

• The best and the most secure way?

  I wonder what way i have to go on this one. I have the situation working but i like to know if we have doen the right thing.
  This is the situation:
  we have a user named BIGREPOSITORY and we have a user named VIEWREPOSITORY. The user BIGREPOSITORY is the owner of a table named REP_WOLRDLIST and we like to give VIEWREPOSITORY a strict view only acces to the table REP_WOLRDLIST.
  What have we done:
  we created a view named VIEW_REP_WORLDLIST in BIGREPOSITORY to "SELECT * FROM REP_WORLDLIST" and we have granted the object option "select BIGREPOSITORY.VIEW_REP_WORLDLIST" to the user VIEWREPOSITORY.
  Is this the correct way or should we only have to grant the object option "select BIGREPOSITORY.REP_WORLDLIST" to the user VIEWREPOSITORY? Is the way we have done it "over"done?
  Regards,
  Johan Louwers

  Granting SELECT on the table, and granting SELECT on a view based on SELECT * FROM table are equivalent. The only reasons you would really need to use a view for security purposes are:
  If viewrepository should only see a subset of the columns of the table and/or viewrepository should only see a subset of the rows of the table.
  In those cases, you would construct a view that selects only the appropriate columns and/or rows from the table.
  TTFN
  John