Urgent-------ACLs with Custom Realm.
Can anyone list acls that have to define in my Custom Realm to start default server
successfully?
Thanks.
Have a look in the web server log to see under what account the failed
accesses took place, that will help in identifying the cause.
"Bill Welch" <[email protected]> wrote in message
news:3b2a6431$[email protected]..
>
I've set up my web.xml with <auth-method>BASIC, and I've defined a customrealm
for authentication. When I enter a valid userid/password at login, I cantrace
authUserPassword() in my custom realm, and I can see that it is returningan object
which is a subclass of weblogic.security.acl.User, as it should. However,rather
than acknowledging a successful login and moving on, the login dialog isredisplayed,
(minus password). Further attempts to enter the same userid/passworddon't invoke
authUserPassword(), presumably since the "failed" login is still cached.What
am I missing?
Similar Messages
-
Authorization with custom realm
Hello,
I have created a custom realm to access user and role information stored in a database. It is working fine for authentication. However, the Subject, Principal, and roles/groups do not seem to be used for later authorization steps. How should this information be stored so that the containers can access it?
In particular, when enabling security constraints in web.xml to limit the access of a particular url to a particular role, that url can never be accessed. The server generates messages implying that the user is not logged in:
Checking Web Permission with Principals : null
Checking with Principal : nonlogin-principal
Any suggestions on how to appropriately store the login information would be appreciated.
Thanks!I have had a custom realm that handles ACLs since 5.1. My question is I want to
mix it with the out-of-the box ldaprealm v2. I was hoping for a failover mechanism
where I can supply a custom realm that knows how to authorize and leave it up
to the canned ldaprealm to authenticate. The filerealm behaves in such a manner,
does it not.
I will try your idea about extending the ldaprealm. But, the challenge will be
in dealing with the delegate.
"Utpal" <[email protected]> wrote:
If you extend the weblogic.security.ldaprealmv2.LDAPRealm and implements
newAcl, deleteAcl, newPermission,
setPermission etc, I think it's doable.
=========
public class weblogic.security.ldaprealmv2.LDAPRealm extends
weblogic.security.a
cl.AbstractListableRealm implements weblogic.security.acl.DebuggableRealm
=========
-utpal
"Utpal" <[email protected]> wrote in message
news:[email protected]..
Why don't you use the Custom Security Realm? You can construct an ACLin a
custom seecurity realm.
http://edocs.beasys.com/wls/docs61/security/prog.html#1042361
-utpal
"Ziad Kurdi" <[email protected]> wrote in message
news:3c9b4c80$[email protected]..
Is there a way in 6.1 to use the supplied LDAP Realm V2 for
authentication
and
managing groups, but enhance it with ACL's (stored in a database)
for
authorization?
Obviously, I would like to take advantage of the server's caching
realm
capabilities.
I currently running a custom realm (from 5.1 which works in 6.1)
that
mixes LDAP
authentication, group management, and DB ACL's for authorization,
but I
no
longer
wish to capture the user's password (due to sorporate policies) and
would
like
to avoid maitaining the authentication code.
Thanks in advance for any assistance. -
auth-method BASIC with custom realm
I've set up my web.xml with <auth-method>BASIC, and I've defined a custom realm
for authentication. When I enter a valid userid/password at login, I can trace
authUserPassword() in my custom realm, and I can see that it is returning an object
which is a subclass of weblogic.security.acl.User, as it should. However, rather
than acknowledging a successful login and moving on, the login dialog is redisplayed,
(minus password). Further attempts to enter the same userid/password don't invoke
authUserPassword(), presumably since the "failed" login is still cached. What
am I missing?Have a look in the web server log to see under what account the failed
accesses took place, that will help in identifying the cause.
"Bill Welch" <[email protected]> wrote in message
news:3b2a6431$[email protected]..
>
I've set up my web.xml with <auth-method>BASIC, and I've defined a customrealm
for authentication. When I enter a valid userid/password at login, I cantrace
authUserPassword() in my custom realm, and I can see that it is returningan object
which is a subclass of weblogic.security.acl.User, as it should. However,rather
than acknowledging a successful login and moving on, the login dialog isredisplayed,
(minus password). Further attempts to enter the same userid/passworddon't invoke
authUserPassword(), presumably since the "failed" login is still cached.What
am I missing? -
Recursion Problem with custom realms built on EJB's
Hello there,
We have developed a web-app which uses authentication on a derivative of
RDBMSRealm, except that instead of RDBMSDelegate we have created our
'EJBDelegate' to do all of our database dirtywork. Unfortunately there
appears to be a problem that after a certain length of time some
security check happens in the EJB layer, which calls getUser(), which
calls the EJB layer, and I am stuck in an infinite recursive loop.
Ideal solution - I disable security for the EJB's entirely as we view
web-app level security as sufficient.
Any ideas on where I might find such a setting?
Thanks much,
Daniel Wabyick
Server Applications Engineer
Fluid, Inc.
http://www.fluid.comHi Tony,
i got the same problem as described on :
Use of "displaytag" on WebAS 6.4
Did you already found a solution how to deal with this displaytag-tld problem?
hope to hear from you. thx in advance,
lars -
Hi,
I try to use JAAS authentication with custom Realm. So I invoke it like that:
subject = Authentication.login("myCustomRealm", new MyCustomCallbackHandler( ...
I have a "myCustomRealm" in my console and it seems to be configured correctly.
When I use a function 'Validate this Security Realm' i get 'The realm myCustomRealm
has been validated successfully'.
However, when I run the application I get an exception:
weblogic.security.service.InvalidParameterException[Security:090396]: Realm myCustomRealm
does not exist.
Any idea what can be a problem ?
Thanks
Marcin Stanski"Marcin Stanski" <[email protected]> wrote in message
news:3fb35d55$[email protected]..
>
Hi,
I try to use JAAS authentication with custom Realm. So I invoke it likethat:
>
>
subject = Authentication.login("myCustomRealm", newMyCustomCallbackHandler( ...
I have a "myCustomRealm" in my console and it seems to be configuredcorrectly.
When I use a function 'Validate this Security Realm' i get 'The realmmyCustomRealm
has been validated successfully'.
However, when I run the application I get an exception:
weblogic.security.service.InvalidParameterException[Security:090396]:Realm myCustomRealm
does not exist.
Any idea what can be a problem ?
Make sure that myCustomRealm is set as the default realm. -
Help with Weblogic 6 sp1 Custom Realm !!!!
We are trying to run Weblogic 6.0 sp1 with our current environment (ejb 1.1, custom
security realm)
We can compile and deploy our ejb 1.1 beans. We wish to start with ejb1.1 and
move to ejb2.0 once we can get our custom security working.
The JDBC connection pools are fine.
Our custom security realm uses LDAP for user authentication and an Oracle table
for authorization (acls).
Earlier, I wrote to the board and received the below following instructions to
use our existing custom realm in wl 60. You can read below, but I followed these
instructions on Solaris 5.6.
1. I ensured the SunOS patches were up to date.
2. We ensured the LD_LIBRARY_PATH reflected weblogic 6 (and not 5.1). We moved
the 5.1 classes over to wl6.
3. We copied our custom realm properties file to the weblogic root and/or the
config subdirectory (tried them both).
4. We ensured the security realm class we wrote is in the classpath (we bunch
all our serverside classes in a jar file anyway).
5. Then we created a custom realm via the console – name BFXRealm and it’s
class name <package>.BFXRealm, left configuration box blank.
6. Then we created a custom caching realm BFXCachingREalm and set its basic realm
as the custom realm, BFXRealm. All of the enable caches are checked to true.
7. Then we set the default realm to the BFXCachingRealm.
Now, when we perform a query, the everyone group should be implied. We don’t
implement LDAP lookup on queries. If I try to run a query from a client, I see
the client box connecting with the server:
Last line - you can see the client box connecting to the server -
<May 30, 2001 2:20:07 PM EDT> <Info> <J2EE> <Deployed : DefaultWebApp_myserver>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <WebLogic Server started>
<May 30, 2001 2:20:07 PM EDT> <Info> <Configuration Management> <Backed up booted
configuration /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml
at /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml.booted>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <ListenThread listening
on port 7001>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <SSLListenThread listening
on port 7002>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <System has file
descriptor limits of - soft: '1024', hard: '1024'>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Using effective
file descriptor limit of: '1024' open sockets/files.>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Allocating: '3'
POSIX reader threads>
<May 30, 2001 2:20:23 PM EDT> <Info> <HTTP> <[HTTP myserver] Created log stream
/opt/apps/weblogic/beasp1/wlserver6.0sp1/config/mydomain/logs/access.log>
<May 30, 2001 2:21:50 PM EDT> <Info> <WebLogicServer> <Adding address: 152.51.164.233/152.51
The client receives the error:
javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
Authentication
for user aws4270 denied in realm weblogic
It’s as if the fileRealm.properties is only being looked at. We do not
use this for our user/groups/acls in wl5.1.0 and we do not want to in wl6
For “fun”, I added a user to the fileRealm.properties file via the
console and ran a client query. It worked.
But when I tried to call an ejbCreate from the client, I received these errors
from the server:
BFXSecurityRealmException is a custom exception we have written. A query works
but a create does not - obviously cannot get to acl in database (?)
and why the ejb20 errors? We just want to start with ejb 1.1
In SeqStoreSecurityHelper.isUserAuthorized(): schema = seqStore.INTNUC, class
= bioseq, project = HIPPI, permission = create
<May 30, 2001 2:50:10 PM EDT> <Info> <EJB> <EJB Exception in method: ejbCreate:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBean.ejbCreate(BioSequenceBean.java:1562)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanImpl.ejbCreate(BioSequenceBeanImpl.java:833)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.ejb20.manager.DBManager.create(DBManager.java:408)
at weblogic.ejb20.internal.EntityEJBHome.create(EntityEJBHome.java:353)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl.create(BioSequenceBeanHomeImpl.java:111)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl_WLSkel.invoke(BioSequenceBeanHomeImpl_WLSkel.java:78)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The client receives the error:
java.rmi.RemoteException: EJB Exception:; nested exception is:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
o
ccurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
HOW CAN WE GET THE SERVER TO BYPASS FILEREALM and use BFXREALM ???????????
Thanks,
Anne
Subject: Re: Do Custom Security Realms have to use Mbeans?
Date: 17 May 2001 06:38:23 -0800
From: "Tom Moreau" <[email protected]>
Newsgroup: weblogic.developer.interest.security
Yes this can be done. Here's how:
1) I'll assume that the classname to your custom realm is "com.yourcompany.YourCustomRealm"
2) I'll assume that your custom realm has some kind of properties file from which
it reads its configuration data. Let's call this file "YourCustomRealm.properties"
3) Copy YourCustomRealm.properties to every machine that you're running wls on
(you are probably already doing this today).
4) Make sure that com.yourcompany.YourCustomRealm is in the classpath when you
start wls (you should already be doing this today)
5) In 5.1, there used to be some utility classes that customers used for their
custom realms - something about Pools & Factories. These have been renamed in
6.0. If you're using these classes, then go to your 5.1 weblogic jar file and
pull out these classes and add them to your classpath for 6.0.
6) In the console, create a custom realm and set it's realm class name to com.yourcompany.YourCustomRealm.
Leave the configuration data section blank.
7) In the console, configure your custom realm as the alternate realm. That is,
create a caching realm and set it's basic realm to your custom realm, then set
the realm's caching realm to the caching realm you just created.
I'm pretty sure this should work for you. We did this to provide a patch that
let 6.0 users uses the LDAPRealm rewrite from 5.1.
The downside is that you don't get single point of administration - that is, you
have to make your custom realm's configuration data (YourCustomRealm.properties)
available on all the machines you're running WLS on. If you rework your custom
realm, then the configuration data gets put in the custom realm configuration
you create via the console and automatically copied to other machines for you.
- TomWe are trying to run Weblogic 6.0 sp1 with our current environment (ejb 1.1, custom
security realm)
We can compile and deploy our ejb 1.1 beans. We wish to start with ejb1.1 and
move to ejb2.0 once we can get our custom security working.
The JDBC connection pools are fine.
Our custom security realm uses LDAP for user authentication and an Oracle table
for authorization (acls).
Earlier, I wrote to the board and received the below following instructions to
use our existing custom realm in wl 60. You can read below, but I followed these
instructions on Solaris 5.6.
1. I ensured the SunOS patches were up to date.
2. We ensured the LD_LIBRARY_PATH reflected weblogic 6 (and not 5.1). We moved
the 5.1 classes over to wl6.
3. We copied our custom realm properties file to the weblogic root and/or the
config subdirectory (tried them both).
4. We ensured the security realm class we wrote is in the classpath (we bunch
all our serverside classes in a jar file anyway).
5. Then we created a custom realm via the console – name BFXRealm and it’s
class name <package>.BFXRealm, left configuration box blank.
6. Then we created a custom caching realm BFXCachingREalm and set its basic realm
as the custom realm, BFXRealm. All of the enable caches are checked to true.
7. Then we set the default realm to the BFXCachingRealm.
Now, when we perform a query, the everyone group should be implied. We don’t
implement LDAP lookup on queries. If I try to run a query from a client, I see
the client box connecting with the server:
Last line - you can see the client box connecting to the server -
<May 30, 2001 2:20:07 PM EDT> <Info> <J2EE> <Deployed : DefaultWebApp_myserver>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <WebLogic Server started>
<May 30, 2001 2:20:07 PM EDT> <Info> <Configuration Management> <Backed up booted
configuration /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml
at /opt/apps/weblogic/beasp1/wlserver6.0sp1/./config/mydomain/config.xml.booted>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <ListenThread listening
on port 7001>
<May 30, 2001 2:20:07 PM EDT> <Notice> <WebLogicServer> <SSLListenThread listening
on port 7002>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <System has file
descriptor limits of - soft: '1024', hard: '1024'>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Using effective
file descriptor limit of: '1024' open sockets/files.>
<May 30, 2001 2:20:08 PM EDT> <Info> <Posix Performance Pack> <Allocating: '3'
POSIX reader threads>
<May 30, 2001 2:20:23 PM EDT> <Info> <HTTP> <[HTTP myserver] Created log stream
/opt/apps/weblogic/beasp1/wlserver6.0sp1/config/mydomain/logs/access.log>
<May 30, 2001 2:21:50 PM EDT> <Info> <WebLogicServer> <Adding address: 152.51.164.233/152.51
The client receives the error:
javax.naming.AuthenticationException. Root exception is java.lang.SecurityException:
Authentication
for user aws4270 denied in realm weblogic
It’s as if the fileRealm.properties is only being looked at. We do not
use this for our user/groups/acls in wl5.1.0 and we do not want to in wl6
For “fun”, I added a user to the fileRealm.properties file via the
console and ran a client query. It worked.
But when I tried to call an ejbCreate from the client, I received these errors
from the server:
BFXSecurityRealmException is a custom exception we have written. A query works
but a create does not - obviously cannot get to acl in database (?)
and why the ejb20 errors? We just want to start with ejb 1.1
In SeqStoreSecurityHelper.isUserAuthorized(): schema = seqStore.INTNUC, class
= bioseq, project = HIPPI, permission = create
<May 30, 2001 2:50:10 PM EDT> <Info> <EJB> <EJB Exception in method: ejbCreate:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBean.ejbCreate(BioSequenceBean.java:1562)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanImpl.ejbCreate(BioSequenceBeanImpl.java:833)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.ejb20.manager.DBManager.create(DBManager.java:408)
at weblogic.ejb20.internal.EntityEJBHome.create(EntityEJBHome.java:353)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl.create(BioSequenceBeanHomeImpl.java:111)
at com.gw.bioinfo.ejb.bioSeq.BioSequenceBeanHomeImpl_WLSkel.invoke(BioSequenceBeanHomeImpl_WLSkel.java:78)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The client receives the error:
java.rmi.RemoteException: EJB Exception:; nested exception is:
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
o
ccurred.
com.gw.bioinfo.exception.BFXSecurityRealmException: BFX-90000: A BFXSecurityRealmException
occurred.
HOW CAN WE GET THE SERVER TO BYPASS FILEREALM and use BFXREALM ???????????
Thanks,
Anne
Subject: Re: Do Custom Security Realms have to use Mbeans?
Date: 17 May 2001 06:38:23 -0800
From: "Tom Moreau" <[email protected]>
Newsgroup: weblogic.developer.interest.security
Yes this can be done. Here's how:
1) I'll assume that the classname to your custom realm is "com.yourcompany.YourCustomRealm"
2) I'll assume that your custom realm has some kind of properties file from which
it reads its configuration data. Let's call this file "YourCustomRealm.properties"
3) Copy YourCustomRealm.properties to every machine that you're running wls on
(you are probably already doing this today).
4) Make sure that com.yourcompany.YourCustomRealm is in the classpath when you
start wls (you should already be doing this today)
5) In 5.1, there used to be some utility classes that customers used for their
custom realms - something about Pools & Factories. These have been renamed in
6.0. If you're using these classes, then go to your 5.1 weblogic jar file and
pull out these classes and add them to your classpath for 6.0.
6) In the console, create a custom realm and set it's realm class name to com.yourcompany.YourCustomRealm.
Leave the configuration data section blank.
7) In the console, configure your custom realm as the alternate realm. That is,
create a caching realm and set it's basic realm to your custom realm, then set
the realm's caching realm to the caching realm you just created.
I'm pretty sure this should work for you. We did this to provide a patch that
let 6.0 users uses the LDAPRealm rewrite from 5.1.
The downside is that you don't get single point of administration - that is, you
have to make your custom realm's configuration data (YourCustomRealm.properties)
available on all the machines you're running WLS on. If you rework your custom
realm, then the configuration data gets put in the custom realm configuration
you create via the console and automatically copied to other machines for you.
- Tom -
Custom Realm Bug in WebLogic SP3?
I recently upgraded WebLogic 6.1 from SP1 to SP3 and am now
receiving a ClassCastException when invoking the checkPermission
method on a Custom realm ACL that extends weblogic.security.acl.AclImpl.
This code worked fine in SP1. It seems that other developers
have experienced this problem when applying service packs to
WebLogic 5. Any one else encountering this problem with
WebLogic 6 and what is the workaround? (Stack trace attached)
TIA
[aclimplexception.txt]I was unable to determine the cause of the problem, but I was
able to identify that AclImpl was changed between SP1 and SP3.
I updated SP3's weblogic.jar with the weblogic.security.acl.AclImpl
class in the weblogic.jar from SP1 and the exception went away.
I did not see anything in the release notes for SP2 and SP3
that indicate what may have changed. Does anyone know?
"Jason Southern" <[email protected]> wrote:
>
>
>
I recently upgraded WebLogic 6.1 from SP1 to SP3 and am now
receiving a ClassCastException when invoking the checkPermission
method on a Custom realm ACL that extends weblogic.security.acl.AclImpl.
This code worked fine in SP1. It seems that other developers
have experienced this problem when applying service packs to
WebLogic 5. Any one else encountering this problem with
WebLogic 6 and what is the workaround? (Stack trace attached)
TIA -
WebLogic Server doesn't start after configuring a Custom Realm
Hi,
We are having problems getting WebLogic server to startup after configuring a
Custom Realm. It outputs the error message "User System not authorized to boot
WebLogic Server. Security Excpetion".
For debugging purposed we had our Custom Realm classes output some debug statements
to the console. From the output it was apparent that all the users were getting
authenticated properly including System, Administrator, wliSystem etc. But after
the initial authentications we get this error message. I am attaching the log
file for your reference. Do we have to implement Authorization also (by implementing
ACLImpl) in the Custom Realm. Our Custom Realm was planned to be used only for
authentication.
Appreciate any feedback on the cause of the problem.
Thanks
Vikram
[test.log]Thanks Deyan. I will give it a try and let you know.
"Deyan D. Bektchiev" <[email protected]> wrote:
Vikram,
You should make your user that you use to startup the server a member
of
the Administrators group.
In other words there should be a Principal "Administrators" in the
Subject that your LoginModule returns.
I'm not sure if you can configure this afterwards but this is how it's
done out of the box.
Dejan
Vikram wrote:
Mike,
We are working with a Platform domain on Weblogic 7.0. When you implementa custom
realm it can be implemented just for authentication and not for authorization.
In our case we used the Custom Realm only for authentication. ACLs storeall the
authorization information. We assumed that the standard Weblogic useraccounts
like system, administrator are already part of the ACLs with the appropriateprivileges.
Please let me know if you have any suggestions.
Thanks
Vikram
"mike" <[email protected]> wrote:
You mix up authentication and authorization. The fact that a user is
a valid user
(authentication) does not guarantee that he/she can perform a certain
action (authorization).
The second is defined by ACLs or something, which is probably (most
likely)
not
set in your case. To go on ranting I need to know which version youare
on (looks
like 7, grey area for me).
"Vikram" <[email protected]> wrote:
Hi,
We are having problems getting WebLogic server to startup after configuring
a
Custom Realm. It outputs the error message "User System not authorized
to boot
WebLogic Server. Security Excpetion".
For debugging purposed we had our Custom Realm classes output some
debug
statements
to the console. From the output it was apparent that all the userswere
getting
authenticated properly including System, Administrator, wliSystemetc.
But after
the initial authentications we get this error message. I am attaching
the log
file for your reference. Do we have to implement Authorization also
(by
implementing
ACLImpl) in the Custom Realm. Our Custom Realm was planned to be used
only for
authentication.
Appreciate any feedback on the cause of the problem.
Thanks
Vikram -
Admin Console Integration for Users in a Custom Realm
We are implementing a custom realm and are having troubles getting our Users to
show up in the User list.
Our user class extends weblogic.security.acl.User, and is forced to use the default
CTOR because our data access layer requires it.
Unfortunately, getName() returns null if the User(String) constructor is not used.
Furthermore, Identity::setName() is final, so it seems as though there is no
way to set the user's name after construction.
I am correct in this?
If so, any thoughts on whether it is worth going down the path of making my user
class implement Principal instead of extending weblogic.security.acl.User? I
would be forced to try to guess at what methods in User are required to integrate
with the admin console, I believe. I have not been able to find any documentation
that specifies what api/contract the console uses when it attempts to display
user, role, acl information for a custom realm.
Any advice would be greatly appreciated.
-chrisMy comments mixed with your text
"Chris Goodacre" <[email protected]> wrote:
>
We are implementing a custom realm and are having troubles getting our
Users to
show up in the User list.
Our user class extends weblogic.security.acl.User, and is forced to use
the default
CTOR because our data access layer requires it.
Unfortunately, getName() returns null if the User(String) constructor
is not used.Yes.
Furthermore, Identity::setName() is final, so it seems as though there
is no
way to set the user's name after construction.
I am correct in this?Yes. Changing a user's name on a constructed user object is like mutating that
user to another user - a security hole. It isn't allowed.
>
If so, any thoughts on whether it is worth going down the path of making
my user
class implement Principal instead of extending weblogic.security.acl.User?I'd try to stay with extending weblogic.security.acl.User, but also implement
weblogic.security.acl.CredentialChanger, so you can change passwords through the
console (otherwise you get NullPointerExceptions).
You really want to get around not being able to supply a user name as part of
the ctor.
I
would be forced to try to guess at what methods in User are required
to integrate
with the admin console, I believe. I have not been able to find any
documentation
that specifies what api/contract the console uses when it attempts to
display
user, role, acl information for a custom realm.
Any advice would be greatly appreciated.
-chris1. Your realm should extend AbstractManageableRealm and implement DebuggableRealm
if you want to integrate with the console.
2. The only contract is to implement all the methods!
3. Check the type of the user and group objects being passed to your realm - if
they're not your user and group type, reject the call.
4. The documentation is indeed terrible, and often wrong. The examples shipped
are incomplete (the RBDMS realm shipped has approx 1/3 of the functionality).
You'll get good with jad.
Should all be better in 7.0 with JAAS. The realm interfaces is a dog.
Good luck,
simon. -
Custom Realm using LDAP?
Hi,
has anyone implemented a custom realm using LDAP? I was suprised to learn that
ACLs are not supported in the LDAPRealm. Our corporate direction is to have a
central LDAP security store - including ACLs. Unfortunately the LDAP server is
MS SiteServer! Anyway, I assume this means I need to implement a custom realm
- unless there is an alternative.
-chrisYou are correct - you'll need to write a custom
realm to do this.
-Tom
"Chris Jones" <[email protected]> wrote:
>
Hi,
has anyone implemented a custom realm using LDAP? I was suprised to
learn that
ACLs are not supported in the LDAPRealm. Our corporate direction is
to have a
central LDAP security store - including ACLs. Unfortunately the LDAP
server is
MS SiteServer! Anyway, I assume this means I need to implement a custom
realm
- unless there is an alternative.
-chris -
Client certificate authentication with custom authorization for J2EE roles?
We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
<auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--ThanksWe have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* <P>A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* <P>IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
protected void init(Properties props)
throws BadRealmException, NoSuchRealmException
public java.util.Enumeration getGroupNames (String username)
throws InvalidOperationException, NoSuchUserException
public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* <P>The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* <P>This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* <P>The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* <P>Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
protected AuthenticationStatus authenticate()
throws LoginException
private String[] authenticate(String username,String passwd)
private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* <P>The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* <P>There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* <P>The certificate realm needs the following properties in its
* configuration: None.
* <P>The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
protected void init(Properties props)
* Returns the name of all the groups that this user belongs to.
* @param username Name of the user in this realm whose group listing
* is needed.
* @return Enumeration of group names (strings).
* @exception InvalidOperationException thrown if the realm does not
* support this operation - e.g. Certificate realm does not support
* this operation.
public Enumeration getGroupNames(String username)
throws NoSuchUserException, InvalidOperationException
* Complete authentication of certificate user.
* <P>As noted, the certificate realm does not do the actual
* authentication (signature and cert chain validation) for
* the user certificate, this is done earlier in NSS. This default
* implementation does nothing. The call has been preserved from S1AS
* as a placeholder for potential subclasses which may take some
* action.
* @param certs The array of certificates provided in the request.
public void authenticate(X509Certificate certs[])
throws LoginException
// Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM -
Error occurred while finding users using API with custom field
Hi All,
I am getting the following error while searching user using API with custom attribute. Did anybody faced the same problem before ?
Hashtable<Object,Object> env = new Hashtable<Object,Object>();
env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://localhost:14000");
System.setProperty("java.security.auth.login.config","C:\\Oracle\\Middleware\\Oracle_IDM1\\designconsole\\config\\authwl.conf");
System.setProperty("OIM.AppServerType", "wls");
System.setProperty("APPSERVER_TYPE", "wls");
tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env, "xelsysadm", "Weblogic123$");
OIMClient client = new OIMClient(env);
client.login("xelsysadm", "Weblogic123$".toCharArray());
SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd");
tcUserOperationsIntf moUserUtility = (tcUserOperationsIntf)ioUtilityFactory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
Hashtable mhSearchCriteria = new Hashtable();
mhSearchCriteria.put("USR_UDF_ACTUALSTARTDATE",formatter.format(date));
tcResultSet moResultSet = moUserUtility.findAllUsers(mhSearchCriteria);
printTcResultSet(moResultSet,"abcd");
log4j:WARN No appenders could be found for logger (org.springframework.jndi.JndiTemplate).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" Thor.API.Exceptions.tcAPIException: Error occurred while finding users.
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl_1036_WLStub.findAllUsersx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
at com.sun.proxy.$Proxy2.findAllUsersx(Unknown Source)
at Thor.API.Operations.tcUserOperationsIntfDelegate.findAllUsers(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
at com.sun.proxy.$Proxy3.findAllUsers(Unknown Source)
at oim.standalone.code.OIMAPIConnection.usersearch(OIMAPIConnection.java:209)
at oim.standalone.code.OIMAPIConnection.main(OIMAPIConnection.java:342)
Caused by: Thor.API.Exceptions.tcAPIException: Error occurred while finding users.
at com.thortech.xl.ejb.beansimpl.tcUserOperationsBean.findAllUsers(tcUserOperationsBean.java:4604)
at Thor.API.Operations.tcUserOperationsIntfEJB.findAllUsersx(Unknown Source)
at sun.reflect.GeneratedMethodAccessor1614.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at com.sun.proxy.$Proxy347.findAllUsersx(Unknown Source)
at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl.findAllUsersx(Unknown Source)
at Thor.API.Operations.tcUserOperationsIntf_e9jcxp_tcUserOperationsIntfRemoteImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Thank youHi J,
Thanks for the reply. But the code is working fine for OOTB attributes and for 11g API i am getting permission exception
Exception in thread "main" oracle.iam.platform.authz.exception.AccessDeniedException: You do not have permission to search the following user attributes: USR_UDF_ACTUALSTARTDATE.
at oracle.iam.identity.usermgmt.impl.UserManagerImpl.search(UserManagerImpl.java:1465)
at sun.reflect.GeneratedMethodAccessor1034.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at com.sun.proxy.$Proxy366.search(Unknown Source)
at oracle.iam.identity.usermgmt.api.UserManagerEJB.searchx(Unknown Source)
at sun.reflect.GeneratedMethodAccessor1449.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at com.sun.proxy.$Proxy365.searchx(Unknown Source)
at oracle.iam.identity.usermgmt.api.UserManager_nimav7_UserManagerRemoteImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at oracle.iam.identity.usermgmt.api.UserManager_nimav7_UserManagerRemoteImpl.searchx(Unknown Source)
at oracle.iam.identity.usermgmt.api.UserManager_nimav7_UserManagerRemoteImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: oracle.iam.identity.exception.SearchAttributeAccessDeniedException: You do not have permission to search the following user attributes: USR_UDF_ACTUALSTARTDATE.
at oracle.iam.identity.usermgmt.impl.UserManagerImpl.search(UserManagerImpl.java:1462)
... 44 more -
Error provisioning a resource with custom approval process
Hi,
While trying to provision a resource with custom approval process, I get the following error:
<May 11, 2012 8:07:18 AM IST> <Warning> <oracle.wsm.agent.handler.wls.WLSPropertyUtils> <BEA-000000> <WLSPropertyUtils:getOperationName(),operation name is null>
<May 11, 2012 8:07:18 AM IST> <Warning> <org.eclipse.persistence.session.oim> <BEA-000000> <
Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.0.2.v20100323-r6872): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-12899: value too large for column "DEV_OIM"."REQUEST_APPROVALS"."APPROVAL_STATUS" (actual: 442, maximum: 32)
Error Code: 12899
Call: UPDATE REQUEST_APPROVALS SET APPROVAL_STATUS = ? WHERE (REQUEST_APPROVALS_KEY = ?)
bind => [com.oracle.bpel.client.BPELFault: faultName: {{http://schemas.xmlsoap.org/ws/2003/03/business-process/}selectionFailure}
parts: {{
summary=<summary>XPath query string returns zero node.
The assign activity of the to node query is returning zero node.
Either the to node data or the xpath query in the to node was invalid.
According to BPEL4WS spec 1.1 section 14.3, verify the to node value at line number 251 in the BPEL source.
</summary>}
, 6]
Query: UpdateObjectQuery(oracle.iam.request.vo.ApprovalData@11e00d4b)
at org.eclipse.persistence.exceptions.DatabaseException.sqlException(DatabaseException.java:324)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeDirectNoSelect(DatabaseAccessor.java:801)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeNoSelect(DatabaseAccessor.java:867)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.basicExecuteCall(DatabaseAccessor.java:587)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeCall(DatabaseAccessor.java:530)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeCall(AbstractSession.java:914)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:206)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:192)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.updateObject(DatasourceCallQueryMechanism.java:715)
at org.eclipse.persistence.internal.queries.StatementQueryMechanism.updateObject(StatementQueryMechanism.java:430)
at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.updateObjectForWriteWithChangeSet(DatabaseQueryMechanism.java:1141)
at org.eclipse.persistence.queries.UpdateObjectQuery.executeCommitWithChangeSet(UpdateObjectQuery.java:84)
at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.executeWriteWithChangeSet(DatabaseQueryMechanism.java:287)
at org.eclipse.persistence.queries.WriteObjectQuery.executeDatabaseQuery(WriteObjectQuery.java:58)
at org.eclipse.persistence.queries.DatabaseQuery.execute(DatabaseQuery.java:675)
at org.eclipse.persistence.queries.DatabaseQuery.executeInUnitOfWork(DatabaseQuery.java:589)
at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitOfWorkObjectLevelModifyQuery(ObjectLevelModifyQuery.java:109)
at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitOfWork(ObjectLevelModifyQuery.java:86)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.internalExecuteQuery(UnitOfWorkImpl.java:2898)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1225)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1207)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1167)
at org.eclipse.persistence.internal.sessions.CommitManager.commitChangedObjectsForClassWithChangeSet(CommitManager.java:233)
at org.eclipse.persistence.internal.sessions.CommitManager.commitAllObjectsWithChangeSet(CommitManager.java:108)
at org.eclipse.persistence.internal.sessions.AbstractSession.writeAllObjectsWithChangeSet(AbstractSession.java:3260)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToDatabase(UnitOfWorkImpl.java:1413)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToDatabaseWithChangeSet(UnitOfWorkImpl.java:1518)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.writeChanges(UnitOfWorkImpl.java:5499)
at oracle.iam.request.repository.ApprovalRepository.updateApprovalInstanceWithOutcome(ApprovalRepository.java:84)
at oracle.iam.request.impl.ApprovalManager.approvalInstanceComplete(ApprovalManager.java:111)
at oracle.iam.request.impl.ApprovalPolicyServiceImpl.updateApprovalResult(ApprovalPolicyServiceImpl.java:52)
at oracle.iam.request.api.ApprovalPolicyServiceEJB.updateApprovalResultx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy351.updateApprovalResultx(Unknown Source)
at oracle.iam.request.api.ApprovalPolicyService_1nib43_ApprovalPolicyServiceRemoteImpl.updateApprovalResultx(ApprovalPolicyService_1nib43_ApprovalPolicyServiceRemoteImpl.java:462)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84)
at $Proxy184.updateApprovalResultx(Unknown Source)
at oracle.iam.request.api.ApprovalPolicyServiceDelegate.updateApprovalResult(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
at $Proxy350.updateApprovalResult(Unknown Source)
at oracle.iam.request.workflowcallback.ApprovalCallBack.completed(ApprovalCallBack.java:28)
at oracle.iam.platform.workflowservice.ws.CallbackServiceImpl.callback(CallbackServiceImpl.java:98)
at oracle.iam.platform.workflowservice.ws.wls.CallbackService.callback(CallbackService.java:33)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:92)
at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:74)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:151)
at com.sun.xml.ws.server.sei.EndpointMethodHandlerImpl.invoke(EndpointMethodHandlerImpl.java:265)
at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)
at weblogic.wsee.jaxws.tubeline.FlowControlTube$FlowControlAwareTube.processRequest(FlowControlTube.java:155)
at weblogic.wsee.jaxws.tubeline.FlowControlTube$1.run(FlowControlTube.java:94)
at weblogic.wsee.jaxws.tubeline.FlowControlTube$1.run(FlowControlTube.java:92)
at javax.security.auth.Subject.doAs(Subject.java:337)
at weblogic.wsee.jaxws.tubeline.FlowControlTube.processRequest(FlowControlTube.java:91)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:373)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:524)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:255)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140)
at weblogic.wsee.jaxws.WLSServletAdapter.handle(WLSServletAdapter.java:208)
at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:310)
at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:223)
at weblogic.wsee.jaxws.JAXWSServlet.doPost(JAXWSServlet.java:124)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at weblogic.wsee.jaxws.JAXWSServlet.service(JAXWSServlet.java:79)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.doFilter(OAMServletAuthenticationFilter.java:260)
at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilter(OAMValidationSystemFilter.java:133)
at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentWrapperFilter.java:121)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused By: java.sql.SQLException: ORA-12899: value too large for column "DEV_OIM"."REQUEST_APPROVALS"."APPROVAL_STATUS" (actual: 442, maximum: 32)
at oracle.jdbc.driver.SQLStateMapping.newSQLException(SQLStateMapping.java:74)
at oracle.jdbc.driver.DatabaseError.newSQLException(DatabaseError.java:135)
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:210)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:473)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:423)
at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:1095)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:205)
at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedStatement.java:1040)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1379)
at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3568)
at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:3694)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeUpdate(OraclePreparedStatementWrapper.java:1508)
at weblogic.jdbc.wrapper.PreparedStatement.executeUpdate(PreparedStatement.java:172)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeDirectNoSelect(DatabaseAccessor.java:792)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeNoSelect(DatabaseAccessor.java:867)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.basicExecuteCall(DatabaseAccessor.java:587)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeCall(DatabaseAccessor.java:530)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeCall(AbstractSession.java:914)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:206)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:192)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.updateObject(DatasourceCallQueryMechanism.java:715)
at org.eclipse.persistence.internal.queries.StatementQueryMechanism.updateObject(StatementQueryMechanism.java:430)
at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.updateObjectForWriteWithChangeSet(DatabaseQueryMechanism.java:1141)
at org.eclipse.persistence.queries.UpdateObjectQuery.executeCommitWithChangeSet(UpdateObjectQuery.java:84)
at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.executeWriteWithChangeSet(DatabaseQueryMechanism.java:287)
at org.eclipse.persistence.queries.WriteObjectQuery.executeDatabaseQuery(WriteObjectQuery.java:58)
at org.eclipse.persistence.queries.DatabaseQuery.execute(DatabaseQuery.java:675)
at org.eclipse.persistence.queries.DatabaseQuery.executeInUnitOfWork(DatabaseQuery.java:589)
at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitOfWorkObjectLevelModifyQuery(ObjectLevelModifyQuery.java:109)
at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitOfWork(ObjectLevelModifyQuery.java:86)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.internalExecuteQuery(UnitOfWorkImpl.java:2898)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1225)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1207)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1167)
at org.eclipse.persistence.internal.sessions.CommitManager.commitChangedObjectsForClassWithChangeSet(CommitManager.java:233)
at org.eclipse.persistence.internal.sessions.CommitManager.commitAllObjectsWithChangeSet(CommitManager.java:108)
at org.eclipse.persistence.internal.sessions.AbstractSession.writeAllObjectsWithChangeSet(AbstractSession.java:3260)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToDatabase(UnitOfWorkImpl.java:1413)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToDatabaseWithChangeSet(UnitOfWorkImpl.java:1518)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.writeChanges(UnitOfWorkImpl.java:5499)
at oracle.iam.request.repository.ApprovalRepository.updateApprovalInstanceWithOutcome(ApprovalRepository.java:84)
at oracle.iam.request.impl.ApprovalManager.approvalInstanceComplete(ApprovalManager.java:111)
at oracle.iam.request.impl.ApprovalPolicyServiceImpl.updateApprovalResult(ApprovalPolicyServiceImpl.java:52)
at oracle.iam.request.api.ApprovalPolicyServiceEJB.updateApprovalResultx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy351.updateApprovalResultx(Unknown Source)
at oracle.iam.request.api.ApprovalPolicyService_1nib43_ApprovalPolicyServiceRemoteImpl.updateApprovalResultx(ApprovalPolicyService_1nib43_ApprovalPolicyServiceRemoteImpl.java:462)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84)
at $Proxy184.updateApprovalResultx(Unknown Source)
at oracle.iam.request.api.ApprovalPolicyServiceDelegate.updateApprovalResult(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
at $Proxy350.updateApprovalResult(Unknown Source)
at oracle.iam.request.workflowcallback.ApprovalCallBack.completed(ApprovalCallBack.java:28)
at oracle.iam.platform.workflowservice.ws.CallbackServiceImpl.callback(CallbackServiceImpl.java:98)
at oracle.iam.platform.workflowservice.ws.wls.CallbackService.callback(CallbackService.java:33)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:92)
at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:74)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:151)
at com.sun.xml.ws.server.sei.EndpointMethodHandlerImpl.invoke(EndpointMethodHandlerImpl.java:265)
at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)
at weblogic.wsee.jaxws.tubeline.FlowControlTube$FlowControlAwareTube.processRequest(FlowControlTube.java:155)
at weblogic.wsee.jaxws.tubeline.FlowControlTube$1.run(FlowControlTube.java:94)
at weblogic.wsee.jaxws.tubeline.FlowControlTube$1.run(FlowControlTube.java:92)
at javax.security.auth.Subject.doAs(Subject.java:337)
at weblogic.wsee.jaxws.tubeline.FlowControlTube.processRequest(FlowControlTube.java:91)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:373)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:524)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:255)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140)
at weblogic.wsee.jaxws.WLSServletAdapter.handle(WLSServletAdapter.java:208)
at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:310)
at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:223)
at weblogic.wsee.jaxws.JAXWSServlet.doPost(JAXWSServlet.java:124)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at weblogic.wsee.jaxws.JAXWSServlet.service(JAXWSServlet.java:79)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.doFilter(OAMServletAuthenticationFilter.java:260)
at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilter(OAMValidationSystemFilter.java:133)
at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentWrapperFilter.java:121)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
>
<May 11, 2012 8:07:18 AM IST> <Error> <oracle.iam.request.impl> <IAM-2050200> <Failed to create the request in the repository.>
<May 11, 2012 8:07:18 AM IST> <Error> <oracle.iam.request.impl> <IAM-2050050> <Exception thrown Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.0.2.v20100323-r6872): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-12899: value too large for column "DEV_OIM"."REQUEST_APPROVALS"."APPROVAL_STATUS" (actual: 442, maximum: 32)
Error Code: 12899
Call: UPDATE REQUEST_APPROVALS SET APPROVAL_STATUS = ? WHERE (REQUEST_APPROVALS_KEY = ?)
bind => [com.oracle.bpel.client.BPELFault: faultName: {{http://schemas.xmlsoap.org/ws/2003/03/business-process/}selectionFailure}
parts: {{
summary=<summary>XPath query string returns zero node.
The assign activity of the to node query is returning zero node.
Either the to node data or the xpath query in the to node was invalid.
According to BPEL4WS spec 1.1 section 14.3, verify the to node value at line number 251 in the BPEL source.
</summary>}
, 6]
Any idea how to resolve this ??
Thanks,Based on the error trace
Caused By: java.sql.SQLException: ORA-12899: value too large for column "DEV_OIM"."REQUEST_APPROVALS"."APPROVAL_STATUS" (actual: 442, maximum: 32)
you are inserting a value too large for REQUEST_APPROVALS.APPROVAL_STATUS column. It should contain values like COMPLETED, approved, rejected etc... Check your custom approval process again.
Regards
user12841694 -
Urgent change with unlock tasklist
Hello everyone,
the problem occured to our customer with customizing urgent change. They want import transport request manually through tasklist, but if urgent change is in status "Authorized for Production", tasklist is still locked.
I can release transport only through action "Import Urgent Change into Production System".
I think it has something to do with SAP Solution Manager > Capabilities (Optional) > Change Request Management > Make Settings for Change Transaction Types. We tried many options with action, but without success.
Could you somebody help me.
Best regards
Jan StrakošHi Luigi,
You may always use imports via task list of the project that linked to UC.
but this is import all project buffer in que.
What the reason of customers that they want use only task list and not actions?
And what is the problem to use actions?
Unlocked task list of UC will not give any benefits regarding to UC transport import or release.
It is more easy to switch UC statuses via actions and import will be done automatically.
Otherwise you need to go to Task list and press additional buttons that will do the same.
Rg Dan -
Forgot-Your-Password process with multiple realms
We’re running OAS 10.2.0.2 and we’re considering adding a second identity management realm in order to have, among other things, a different set of password reset validation fields for one group of portal users versus another group.
With two realms in place and OID/SSO configured so that all users from both realms use a common login mechanism, and, presumably, one forgot-your-password mechanism, will the password rest validation fields that are enforced for a given user automatically be based on the realm of which they are a member?
More specifically, will all users from both realms be able to use one common URL to access the OIDDAS forgot-your-password wizard? If so, I’m assuming that when the user enters their username in that wizard, they are then searched against their realm and the policies of that realm then come into play for the rest of the wizard, right?
In other words, with two realms, is this scenario possible without any custom programming:
We have a link to the OIDDAS forgot-your-password link on our existing portal login.jsp page. User A clicks that link and is taken to the OIDDAS forgot-your-password wizard. First he is asked for his username, which he supplies. Then, to verify his identity, he is asked for his Social Security Number, which he supplies, after which he is able to set a new password.
User B, who is in a different realm, clicks the same forgot-your-password link on our login page. After supplying his username, he is asked for his employee I.D. number, which has been configured as the password reset validator in his realm. After supplying that number, he is able to change his password.
--Steve HuntressHi Steve!
AFAIK each OID realm has its own set of policies.
This would mean that your setup should work. I guess the only difficult thing would be that a user must somehow be uniquely identifiable. When you login into OID with multiple realms you need to supply the realm - or have a unique ID (eg email address) and OID must be setup to search from the top.
In order to get to the right forget your pwd wizard you need the realm.
cu
Andreas
Maybe you are looking for
-
Hi all, I am facing some issue in the provident fund for the Mid month joined employees. As per the client requirement, SAP is not calculating. I need your help in this. For all the employees we are maintaining the IT 0587 has whichever is less. I go
-
Xorg-server 1.6 - black screen with mouse cursor
Hi First of all: I'm really new to Arch, so maybe there is a real easy fix for this problem Since upgrading to xorg-server 1.6 (and today to 1.6.1) I'm not able to get a running Desktop Environment. Usually I am using gnome with compiz-fusion on my G
-
How many different users can use the same Apple ID to use apps?
In a corporate environment, if we have multiple users each with their own iPad. What is the terms and conditions for using apps across all those devices? Is it legal to download an app to the corporate Apple ID and use them across our multiple device
-
When I activated the sync contacts with iCloud option, only 93 of 912 contacts showed up in iCloud.com. I assume it is because all 829 missing are considered as Exchange contacts. As stated when you activate Contacts sync in iCloud, Exchange cannot b
-
Best way to read in File of characters...
I have a file whose size is roughly 16k-20k. I need to read in the file and perform some logic based on each character of the file. Is wrapping a FileReader within a BufferedReader the most efficient way to do this? Or is there some nio package or cu