Synchronize Application Roles

Similar Messages

• Weblogic application roles not visible

  Hello,
  We are trying to grant a weblogic account the application role BPMWorkflowAdmin using the enterprise manager of the SOA Suite 11g. This works without problems on a non-clustered environment. However, in our clustered environment we cannot see the application roles. When we try to select the Application Stripe, the drop-down list doesn't show any values. Has anybody a clue what is going on?
  Regards, Jeroen

  Hi,
  It is a known issue that file based identity and policy stores will run into synchronization issues in a clustered environment. To avoid this you have to setup the environment using
  1. Shared file system as per the documentation below:
  http://docs.oracle.com/cd/E15586_01/doc.1111/e15483/preconfiguration.htm
  2. Use database or LDAP based identity and policy store
  Please review below metalink id and document for the same issue.
  Roles Missing in system-jazn-data.xml in Node of Cluster [ID 1467202.1] :this suggests to use a centralized LDAP-based or database security store in cluster environment
  Oracle Docuementation reference: http://docs.oracle.com/cd/E21764_01/core.1111/e10043/cfgauthr.htm#CHDEFHHA
  If this helps please mark.
  Regards,
  Kishore

• Error assigning users to application Role in Obiee 11.1.1.7.0

  Hello
  I installed Obiee 11.1.1.7.0 both on Windows and Linux platform and after that, I successfully set Active Directory integration. I have a problem assigning users to Application Role in EM. When I'm trying to search a user on Display name, the Principal userName returned is blank and the error is : Java Null Pointer Exception
  After that I install a fresh copy of 11.1.6.0. After AD Integration, I was able to assign users to Application Role. I made 11.1.1.7.0 upgrade and same error has come. I think this is a bug because same AD settings on 11.1.1.6.0 works.
  The error:
  ava.lang.NullPointerException
  #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException
       Hide Additional Trace Information
  javax.faces.FacesException: #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118) at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:103) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:1086) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:434) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emSDK.license.LicenseFilter.doFilter(LicenseFilter.java:101) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:128) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177) at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emas.fwk.MASConnectionFilter.doFilter(MASConnectionFilter.java:41) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.AuditServletFilter.doFilter(AuditServletFilter.java:179) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:203) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.model.targetauth.EMLangPrefFilter.doFilter(EMLangPrefFilter.java:158) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.app.perf.PerfFilter.doFilter(PerfFilter.java:141) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:542) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119) at java.security.AccessController.doPrivileged(Native Method) at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324) at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460) at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103) at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171) at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) Caused by: javax.faces.el.EvaluationException: java.lang.NullPointerException at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:51) at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) ... 67 more Caused by: java.lang.NullPointerException at oracle.sysman.emas.model.security.DialogAdminBean$1.compare(DialogAdminBean.java:567) at java.util.Arrays.mergeSort(Arrays.java:1270) at java.util.Arrays.mergeSort(Arrays.java:1281) at java.util.Arrays.sort(Arrays.java:1210) at java.util.Collections.sort(Collections.java:157) at oracle.sysman.emas.model.security.DialogAdminBean.fetchPrincipals(DialogAdminBean.java:563) at oracle.sysman.emas.pagemodel.security.identity.EditAppRolePageModel.searchPrincipal(EditAppRolePageModel.java:496) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(Unknown Source) at com.sun.el.MethodExpressionImpl.invoke(Unknown Source) at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:46) ... 68 more
  Any suggestion?
  Thx
  Gabriel
  Edited by: Gabbriel on Apr 23, 2013 10:46 PM

  We received from Oracle a work-around of this problem.
  It seems to be related to the virtualize flag set to true. I f you set it to false the problem disappear (it works for me).
  (rif. http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/privileges.htm#BABDCJBH)
  There's an open BUG on this problem: Bug 16808088 - 11G JAVA.LANG.NULLPOINTEREXCEPTION ADDING USER TO ROLE AFTER UPGRADE TO 11.1.1.7.
  Hope this works.
  S.

• Is Distributed Transaction Coordinator services of the application role are required by SQL Server 2012 for clustering and support of SharePoint 2013.

  All I want to know is if Distributed Transaction Coordinator services of the application role are required by SQL Server 2012 for clustering and support of SharePoint 2013.
  I have been planning and deploying my companies first Windows Server 2012/SQL Server 2012 Always On cluster and Always On Availability Groups Multi-Subnet cluster and instances for SharePoint 2013, and I will be brutally honest, the documentation on either
  the MSDN and TechNet leave alot to be desired. Continually finding links in the documentation will take me from a Windows 2012 reference to a page talking about Windows Server 2008 or R2, The differences of which there are so many when it comes to configurations,
  settings, roles, services when working with SQL Server 2012. I have been confused, frustrated, screaming mad, with all the misdirection in this documentation.  The documentation takes me windows 2008 R2 which is different than 2012!
  Tired and trying to pick myself up off the floor!
  Greg
  Gman

  In general, DTC is not required for SQL 2012.  But, since you are asking specifically about SharePoint, it would be better to ask in a SharePoint forum.  They would be more likely to know those situations where FTC might be needed by SharePoint. 
  .:|:.:|:. tim

• OBIEE 11g issue - same user assigned to the multiple application role

  Hi All,
  We are facing an issue when assigning a user to the multiple application role and applying the data level filter on the different column of the same table.
  For example, we have a table Department with three columns Department No, Department name, Department location.
  Application Role A1 and A2 are created.
  Data Level security Applied on the application role A1: Department Name='Finance'
  Data Level Security Applied on the application role A2: Department location='US'
  The user "User1" is created in LDAP and is assigned to both the Application roles A1 and A2.
  When logged in with "User1", none of the filters of Role A1 or A2 is applied in the report. If this user is assigned to only one role, either A1 or A2, then the filter is applied. It seems the filter will not be applied if a user belongs to multiple roles with data filter applied on the same table across these roles.
  Please reply if anyone has faced similar issue.

  Hi All,
  Regarding the above issue to update the analysis we came up that the user if assigned to the multiple group with the data filter applied on the same column of the table is getting an *"OR"* join.
  We had a requirement to get an "AND" in the query condition. Please let us know if any one faced the issue and the resolution of the same.
  Regards,
  Jyotshna

• Qualifications not shown in all e-rec application / role

  Hi,
  we have created qualifications and they are shown/ accessible in some e-rec application roles, but not all.
  So, I don't think the problem is to activate any feature.
  The roles where qualifications are not shown are: Employee (Internal) and Internal Recruiter.
  Does anyone have experience with the same type of issue, or have any documentation available?
  Thank you!
  Kind regards,
  Hilde Bakkemyr

  The button "New entry" is also missing from Qualifications, but not from "work experience", "edication" etc. Can this be a web service issue, if so, does anyone know what transaction and settings must be made?
  regards,
  hilde

• LDAP user to application role mapping

  Hi All,
  OBIEE 11.1.1.5
  I have a table with ldap username and role. I have also configured external LDAP server in RPD. Users are able to login to portal.
  Can some one guide me, how to make sure that when user login to OBIEE automatically by table the role will be fetched and mapped with application role created?
  Or, In simple words,
  How can I assign an external ldap user to be mapped to application role? One by one?? or Via table as mentioned above?
  Anyone can help? All documents are not giving this simple picture to me.
  It was easy in 10g, In 11g is it rocket science so that my company can loose the hope to go ahead with 11g?

  Hi,
  1. Create block to initialize USER variable with user name from LDAP
  2. Create block to initialize GROUP variable with role name from external table
  3. In initializtion block for GROUP variable add precedence with User init block to make sure that USER variable have value
  4. If one user can have few roles you should check row-wise-initialization oprion
  Hope it's helpful

• Can't create Application Role in Obiee 11g Enterprise Manager

  Hi All,
  I was working on obiee11g enterprise manager. I created some of the groups in weblogic console. Now I wanted to create application roles in enterprise manager for those groups. I am surprised that, the "*Create*" button is inactive on the application role page of enterprise manager. I only i could see tthe actives ones "*Create Like*", "*Edit*" and "*Delete*".
  Please assist shoud I need any additional configuration for the same.urgent!!
  Thank you in advance,
  BK.

  Click on Create Like button
  Then click cancel on the Create Like dialog box
  Go back to the Create button, it now works
  But if you log out and log back in, the Create button is disabled again
  so may repeat the above process of accessing the 'Create Like' button first to enable the Create button
  < Bug:13983399> CREATE BUTTON IS DISABLED IN FUSION MIDDLEWARE CONTROL IN OBIEE 11.1.1.6.0 ENV
  Please mark helpful or correct if answered.
  Thanks,
  - A.Y

• Assign Application Roles

  Hi All,
  I am new to SOA and I want to know how to assign application roles (Not global roles) through EM Console. As, I am unable to assign the roles through  BPM workspace. I can go to the administrator tab and assign the roles to me. But in the task list I am unable to get the task.
  Thanks and Regards,
  Ram

  Hi Ram,
  Refer this doc:
  http://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_features.htm#CJADDBGA
  HTH
  Mani

• Applications Roles in FMW (Enterprise Manager) OBIEE11g

  Hi,
  Please specify, how to migrate new created Application roles in production from Test @Enterprise Manager (FMW).
  Regards
  Rahul

  Good question. In the documentation it's with the hand.
  See: http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10540/lifecycle.htm
  Application Role (Policy Store) Migration
  There are several options for migrating application roles between development, test, and production systems.
  For simplicity, this document assumes you will re-key a small number of application role names by hand.
  Links to additional content on migrating application roles for larger-scale batch cases are provided later in this appendix.And of course, no appendix ...
  Cheers
  Nico

• Migrate Application Role from uat to prod in 11.1.1.6.10

  Hi All,
  We have to migrate the UAT Application Roles to Prod instance. I followed Rittman Mead policy store migration. servers  in LINUX
  http://www.rittmanmead.com/2011/04/oracle-bi-ee-11g-migrating-security-policy-store-part-2/
  But at MigrateSecurityStore step, I am facing an issue with the wlst script which is throwing below error.
  I am getting bellow error
  wls:/offline> migrateSecurityStore(type="appPolicies",srcApp="obi",configFile="/ usr/app/MW/SecurityMigration/jps-config-policy.xml",src="sourceFileStore",dst="t                                                                                                         argetFileStore",overWrite="false")
  Oct 17, 2013 11:41:27 AM oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
  SEVERE: org.xml.sax.SAXParseException: The XML declaration must end with "?>".
  Command FAILED, Reason: The XML declaration must end with "?>".
  Traceback (innermost last):
    File "<console>", line 1, in ?
    File "/usr/app/MW/oracle_common/common/wlst/jpsWlstCmd.py", line 955, in migrateSecurityStore
    File "/usr/app/MW/oracle_common/common/wlst/jpsWlstCmd.py", line 927, in migrateSecurityStoreImpl
          at oracle.security.jps.internal.tools.utility.source.JpsInitializerSource.getSources(JpsInitializerSource.java:155)
          at oracle.security.jps.internal.tools.utility.JpsUtility.<init>(JpsUtilty.java:62)
          at oracle.security.jps.internal.tools.utility.JpsUtilMigrationPolicyImpl.migrateAppPolicyData(JpsUtilMigrationPolicyImpl.java:151)
          at oracle.security.jps.tools.utility.JpsUtilMigrationTool.executeCommand(JpsUtilMigrationTool.java:231)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
  oracle.security.jps.JpsException: oracle.security.jps.JpsException: The XML declaration must end with "?>".
  This is config.xml file
  <?xml version='1.0' encoding='utf-8'? standalone='yes'?>
  <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
     <property name="oracle.security.jps.jaas.mode" value="Off"/>
     <propertySets>
  <propertySet name="sam1.trusted.issuers.1">
  <property name="name" value="www.oracle.com" />
  </propertySet>
  </propertySets>
     <serviceProviders>
        <serviceProvider type="POLICY_STORE" name="policystore.xml.provider" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
           <description>XML-based PolicyStore Provider</description>
        </serviceProvider>
     </serviceProviders>
     <serviceInstance name="srcpolicystore.xml" provider="policystore.xml.provider" location="/usr/app/MW/SecurityMigration/uat/system-jazn-data.xml">           
    <description>File Based Policy Store Service Instance</description>       
    </serviceInstance>
    <serviceInstance name="policystore.xml" provider="policystore.xml.provider" location="/usr/app/MW/SecurityMigration/prod/system-jazn-data.xml">           
  <description>File Based Policy Store Service Instance</description>       
  </serviceInstance>
     </serviceInstances>
      <jpsContexts default="default">       
  <!-- This is the default JPS context. All the mendatory services and Login Modules must be configured in this default context -->       
  <jpsContext name="sourceFileStore">           
  <serviceInstanceRef ref="srcpolicystore.xml"/>       
  </jpsContext> <jpsContext name="targetFileStore">           
  <serviceInstanceRef ref="policystore.xml"/>     
  </jpsContext>   
  </jpsContexts>
  </jpsConfig>
  Please let me know if i need to provide further inputs.Appreciate your help.

  make sure you are running the wlst.sh from this path /MWHOME/Oracle_BI1/common/bin/wlst.sh
  you can take a look at this too Migrating Security Policies from Development to Standalone WLS 11g
  http://ssssupport.blogspot.com/2013/02/obiee-11g-application-role-migration.html
  Obiee11g: Migrating application role from DEV to Prod server in obiee11g

• Webcenter Application Roles not getting imported in UCM on Migration

  Hi All,
  I migrated the webcenter resources (Service Data, Customizations and security policies) and UCM content (Using configuration utility, Archiver and Folder Archive components). After migration I am able to see the application roles in the destination webcenter spaces instance by navigating to Webcenter Spaces -> Security -> Application Roles, but I am not able to see the corresponding accounts created in the UCM for that particular user.
  For Ex: I have a application role: s1a472022_f8bb_48e1_a519_15841780df72#-#Moderator in Webcenter Spaces for user ABC
  In UCM I am not able to see the account AUTHEN/s1a472022f8bb48e1a51915841780df72 for the user ABC.
  I verified in the source UCM instance and I am able to see the accounts in that instance.
  Please help me out. Let me know if extra details required.
  Thanks,
  Sachin

  Hi Srinath,
  Yes, I have migrated data from UCM1 to UCM2 using insert script. But, I think there should be some other way also. There may be some options to check while creating export archive. We can migrate UCM schema tables also while migrating the content but I was not able to find USEREXTENDEDATTRIBUTES table. There are some other options like export additional user config, I need to check those options also.
  Thanks,
  Sachin

• OBIEE 11g Custom Application Roles

  Hello Experts,
  I would need to create our Custom BI Consumer, Author Application Roles. I have followed the steps are
  1) Created an Application Role "Revenue Data Access Role" for Data Level Security and added the users into it
  2) Selected the existing BI Consumer Role & Created Like "Revenue Dashboard Consumer Access Role" and added "Revenue Data Access Role" into it.
  3) Selected the existing BI Consumer Application Policies & Created like "Revenue Dashboard Consumer Access Role"
  After Restarting OBIEE, I could see that Data level security is working fine but the users don't have Consumer Level access at dashboard level. am i missing anything here? Please advice.

  John,
  We can do it in repository level right..Manage---Security-Application Role.... double click the application role there u can set right?Correct me if am wrong?
  Thanks,
  SN.
  Edited by: 926238 on Sep 1, 2012 5:57 PM

• Best practices on enterprise and application roles in OIM and OAM 11g?

  Hi, all,
  I wonder if any of you can give me some advice on role design for OIM and OAM 11g. I'd like to have both enterprise roles, such as Accountant II, and application roles, such as App1_User, App1_Admin, etc. Ideally, the enterprise role would automatically give the user the appropriate application roles, but I can't figure out how to do that. We tried using OIM 11g's inheritance, but when the application role is inherited, OAM doesn't see it in OID/OVD and therefore doesn't think the user has the correct authorization to access the application. I thought about using role membership rules, but those seem to only allow you to use user attributes to control membership, which doesn't help at all in my situation.
  How is this situation best handled? Any advice much appreciated!
  Ariel Anderson
  Senior Business Analyst
  Zirous, Inc.

  Hi,
  I am assuming in clustered environment you are having two instances running.
  It must be an issue with a single server,,because the problem is intermittent.
  To see which server is causing problem....just perform the following steps:
  1) Stop server1 and keep running server2..and fire new registration request...
  2) stop server 2..and keep running server1.....and fire new registration request.
  Using above, atleast you can see which server is causing the problem...
  Regards,
  J
  Edited by: J_IDM on Mar 21, 2011 10:52 PM

• Assign application roles after authentication

  Hi,
  It's been some time now I'm struggling with this issue...
  I have a client application (not a web one) trying to access an EJB resource.
  The EJB is first looked up through jndi and then asked to invoke a method, say test().
  In ejb-jar.xml I have the following:
  <security-role >
  <role-name>AN_APP_ROLE</role-name>
  </security-role>
  <method-permission >
  <role-name>AN_APP_ROLE</role-name>
  <method >
  <ejb-name>EJB NAME</ejb-name>
  <method-intf>Remote</method-intf>
  <method-name>test</method-name>
  <method-params>
  </method-params>
  </method>
  </method-permission>
  I manage to have OID perform the authentication, so that I can perform the EJB lookup and call non protected methods. Issues arise when trying to get the roles working.
  I know that i can <security-role-mapping> AN_APP_ROLE to an oid group; what I am trying to accomplish is to have oid do the authentication and be able to fetch the application roles from a database.
  As a starting point what I've done is a client LoginModule that first authenticates against the OID (by looking up an EJB resource) and then, in the commit(), do the following:
  this.subject.getPrincipals ().add (new RoleExtended("AN_APP_ROLE"));
  Nevertheless access is denied when the client tries to access the protected test() method.
  It seems that somehow even if the Subject has the role within its principals, the container doesn't threat it such.
  I am pretty stuck, and starting to wonder if this is the right approach...Nevertheless I don't think putting the application roles in oid is a good idea, since application roles should remain an application property not a enterprise directory one.
  Any hint?!
  cheers,
  Francesco
  p.s: in jazn.xml I have
  <property name="role.mapping.dynamic" value="true"/>

  Hi,
  It's been some time now I'm struggling with this issue...
  I have a client application (not a web one) trying to access an EJB resource.
  The EJB is first looked up through jndi and then asked to invoke a method, say test().
  In ejb-jar.xml I have the following:
  <security-role >
  <role-name>AN_APP_ROLE</role-name>
  </security-role>
  <method-permission >
  <role-name>AN_APP_ROLE</role-name>
  <method >
  <ejb-name>EJB NAME</ejb-name>
  <method-intf>Remote</method-intf>
  <method-name>test</method-name>
  <method-params>
  </method-params>
  </method>
  </method-permission>
  I manage to have OID perform the authentication, so that I can perform the EJB lookup and call non protected methods. Issues arise when trying to get the roles working.
  I know that i can <security-role-mapping> AN_APP_ROLE to an oid group; what I am trying to accomplish is to have oid do the authentication and be able to fetch the application roles from a database.
  As a starting point what I've done is a client LoginModule that first authenticates against the OID (by looking up an EJB resource) and then, in the commit(), do the following:
  this.subject.getPrincipals ().add (new RoleExtended("AN_APP_ROLE"));
  Nevertheless access is denied when the client tries to access the protected test() method.
  It seems that somehow even if the Subject has the role within its principals, the container doesn't threat it such.
  I am pretty stuck, and starting to wonder if this is the right approach...Nevertheless I don't think putting the application roles in oid is a good idea, since application roles should remain an application property not a enterprise directory one.
  Any hint?!
  cheers,
  Francesco
  p.s: in jazn.xml I have
  <property name="role.mapping.dynamic" value="true"/>