User security roles

Hi,
I'm kind of new to setting up security the "right" way in J2EE applications. I was wondering if anyone could offer some help or point me towards some good resources.
I am building a Struts J2EE application on my company's intranet.. I'm using Weblogic 7, on a Windows 2000 box. This application needs to enforce restrictions based on who is accessing the it and their role. I already know the users's NT username by using a JCIFS filter. I use this information to look them up in a database that has their application security access defined (no LDAP yet... still waiting for them to get that going). I know that you can define certain roles in the web.xml and restrict access to resources based on those roles. My question is: In my application, how do I associate a user with a role defined in my web.xml? Also, how (if at all) can I use Weblogic to make things easier? I've found tons of documentation, but nothing with any real life examples, and nothing relating to exactly what I am trying to do. Also, am I going about this the right way? Perhaps there is a simpler solution.
I would appreciate any help.
Thanks,
Ed

for info
java.sun.com/products/jaas/index.jsp
FOr api's it has been integrated with jdk1.4.2
for simple example
http://java.sun.com/security/jaas/doc/module.html

Similar Messages

Using the SDK to check if user security role membership

Is there any way to check if a user is in a particular security role using the SDK?
I ask because I am considering adding a web based ticket search by ID/key word look-up web service since this function is not part of the Self-Service Portal. I am looking into what it takes to maintain the system's security model or at least limit
the information given to the users. I am thinking that affected users might get some ability to modify their tickets.
I've already built a web portal hosting complex forms for several of our teams where the Self-Service Portal was too limited to collect necessary information. The forms portal already uses the SDK to submit work items directly into Service Manager.
This would be a welcome extension of the web site's capabilities.

Hi,
You may try powershell, here are two PowerShell scripts that use
SMLets to reveal interesting information about user roles in SCSM, please refer to it:
https://gallery.technet.microsoft.com/Service-Manager-SCSM-User-ebcdfcd6
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Unable to assign all security roles to a user with a new custom security role

Dear All,
Happy New Year.!
I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
any desired security role to the new user.
However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
to assign some other security roles, including 'Support User Role', to new user 'y'.
I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
Appreciate any help that you can provide on the above issue.
Thanks in anticipation.

Hi,
Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
Refer:-
http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
Hope this helps!!!
Thanks,
Prasad
Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

AppServer: problems trying to add users to roles in security dialog

I'm trying to learn J2EE using AppServer. My current example has a client accessing
an entity bean. I want two classes of user - Reader, and Updater. Most methods
of Home and Remote are accessible to both classes, a few are restricted to users
in Updater role. I'm currently having problems adding users to roles in deploytool.
I have defined users using the Admin client.
I have implemented and test run client and entity bean without security restrictions, it works.
I have defined roles associated with the application.
I have allocated roles to every method in Home and Remote interface of bean.
I have extracted the generated XML file and checked the <assembly-descriptor> section and
it appears that all roles and role descriptions are defined as required.
deploytool lets me use the "Security Role Mapping" dialog, I can select either of my roles and
try "Add user to role" - subsequent dialog shows my users and allows me to "Map user to role" -
but selected user does NOT appear in the user names panel.
What am I doing wrong or what am I omitting? Hints please!

Thanks for suggestions. (I'm using Windows so file-protections pretty
non-existent).
I looked in the Sun file you mentioned and found the users were defined.
When I restarted AppServer and deploytool, the users were shown in the appropriate
panel.
There is probably some minor bug in deploytool that causes the User Panel not
to be updated as it should be after a user has been added to a role.

How can I know the security role of the logged in user

When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
But wondering when I log into my application with some user name and password (specified in my Oracle database),wondering how this works with the security role I created .How does J2EE know the security role of the logged in user.
Thanks
Manohar

shet wrote:
role at run time.
When I login say as "manju" and password as "money" then how does it know that this user belongs to this security role.Is that the j2ee administrator has to say that user manju has this this security role.Programmitically how does it really work.I am confusedThe j2ee implementation assigns the roles using the JAAS module you have configured for your application on your application server. different JAAS modules get roles in different ways. many allow a single static role to be assigned using a config file. if using a database, often there will be configuration to specify additional database fields which specify the role for a given username.
At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().

Redirecting user to acustom page depending on security role after glassfish

Hi,
I have a JSF application using glassfish authentication mechanism. I'm planning to use a jdbc realm and form based authentication (I'm using a jsp page to get username and password) . I have 3 different user roles (student, admin and staff)
However I cannot find how to redirect a user to a different page (Ex: staff report page if the logged in user is in the security role staff). I have configured sun-web.xml and web.xml to map the roles and groups. The problem is after authentication the user is always redirected back to the home page, which is the login page. I understand this is how the glassfish authentication works by default. But is there a way to navigate the user to a different page depending on his role.
I'm new to EJB security. Please help me on this subject. Thanks a lot in advance.

Check this blog post, which provides an alternate solution (You can choose the best possible solution based on your use-case).
http://andrejusb.blogspot.com/2007/10/security-in-oracle-adf-and-automatic.html
Thanks,
Navaneeth

Receiving an error when trying to remove P00 Security role from the user

Hi All,
I am receiving an error when trying to remove P00 Security role from the user.
After logging on to GRC CUP, clicking on u201CCreate requestu201D, and filling out required information,
I click on Select Roles/Groups
On the next screen,
I click on Existing Roles/Groups
ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
Regards,
Vineet

Hi Vineet,
My be your selection is incorrect
Try this
in Applicaiton Area -- Select ALL
Functional Area -
Select ALL
Company -
Select ALL
Role/Profile/Group Names --- Give p00* and execute the report
if you give only p00 it wont give any result
Hope this helps
Thank you,
Kishore

Using ADF Security user in role context to change field value

Hi I was wondering if it was possible to change an input text field value depending on the ADF authentication login values.
So if the user in role is manager value is dino2dy if it's Boss its Frank Nimphius.
My idea is that I want the field user to be read only so no one could change it, but since it's a foreign key in the table I need to have values in it for committing to the database.
Since different users will be accessing the application I want every user to have his user name automatically entered into a read only field. Then commit that value into the database.
I have ran into some problems so far, as if I put in a straightforward value in a field, and make it read only, when committing I get an error User field needed. As if the field is empty even though I can see the value on the page.
Hope you guys can help

Yeah I have tried that but I can only use it for true or false values, I do not know how to use it to change a value. I ve used it to make something read only or disabled depending on the user in role.
It still wont work if I change the value in the field. It has to be the database value thing in there. As soon as I change it it starts giving me the you need Korisnik error. But I cant put it as a default value in the database because it defeats the purpose.

How to get security roles in a JSF portlet

I need to get the LDAP user-roles available in the Sun Portal Server 7 in my JSF-168 portlet.
I've added the mapping file, updated the portlet.xml and web.xml, deployed the portlet (psconsole). But the portlet shows the "content not available" error with javax....title title.
I've probably messed up the descriptors, but I don't see what is wrong. Here they are:
roleMaps.properties
cn\=VSM.Administrator,dc\=neco,dc\=cz=Administrator
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4">
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.CONFIG_FILES</param-name>
    <param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
</context-param>
<context-param>
    <param-name>com.sun.faces.validateXml</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>com.sun.faces.verifyObjects</param-name>
    <param-value>false</param-value>
</context-param>
<filter>
    <filter-name>UploadFilter</filter-name>
    <filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
    <init-param>
      <description>
          The maximum allowed upload size in bytes. If this is set
          to a negative value, there is no maximum. The default
          value is 1000000.
        </description>
      <param-name>maxSize</param-name>
      <param-value>1000000</param-value>
    </init-param>
    <init-param>
      <description>
          The size (in bytes) of an uploaded file which, if it is
          exceeded, will cause the file to be written directly to
          disk instead of stored in memory. Files smaller than or
          equal to this size will be stored in memory. The default
          value is 4096.
        </description>
      <param-name>sizeThreshold</param-name>
      <param-value>4096</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>UploadFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
    <servlet-name>ExceptionHandlerServlet</servlet-name>
    <servlet-class>com.sun.errorhandler.ExceptionHandler</servlet-class>
    <init-param>
      <param-name>errorHost</param-name>
      <param-value>localhost</param-value>
    </init-param>
    <init-param>
      <param-name>errorPort</param-name>
      <param-value>25444</param-value>
    </init-param>
</servlet>
<servlet>
    <servlet-name>ThemeServlet</servlet-name>
    <servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
</servlet>
<servlet>
    <description>Generated By Sun Java Studio Creator</description>
    <display-name>CreatorPortlet Wrapper</display-name>
    <servlet-name>VSMPortal</servlet-name>
    <servlet-class>org.apache.pluto.core.PortletServlet</servlet-class>
    <init-param>
      <param-name>portlet-class</param-name>
      <param-value>com.sun.faces.portlet.FacesPortlet</param-value>
    </init-param>
    <init-param>
      <param-name>portlet-guid</param-name>
      <param-value>VSMPortal.VSMPortal</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>ExceptionHandlerServlet</servlet-name>
    <url-pattern>/error/ExceptionHandler</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>ThemeServlet</servlet-name>
    <url-pattern>/theme/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>VSMPortal</servlet-name>
    <url-pattern>/VSMPortal/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file>faces/null</welcome-file>
</welcome-file-list>
<error-page>
    <exception-type>javax.servlet.ServletException</exception-type>
    <location>/error/ExceptionHandler</location>
</error-page>
<error-page>
    <exception-type>java.io.IOException</exception-type>
    <location>/error/ExceptionHandler</location>
</error-page>
<error-page>
    <exception-type>javax.faces.FacesException</exception-type>
    <location>/error/ExceptionHandler</location>
</error-page>
<error-page>
    <exception-type>com.sun.rave.web.ui.appbase.ApplicationException</exception-type>
    <location>/error/ExceptionHandler</location>
</error-page>
<jsp-config>
    <jsp-property-group>
      <url-pattern>*.jspf</url-pattern>
      <is-xml>true</is-xml>
    </jsp-property-group>
</jsp-config>
     <security-role>
          <role-name>Administrator</role-name>
     </security-role>
</web-app>
portlet.xml
<?xml version='1.0' encoding='UTF-8' ?>
<portlet-app xmlns='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd                         http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' version='1.0'>
     <portlet>
          <description>Created By Java Studio Creator</description>
          <portlet-name>VSMPortal</portlet-name>
          <display-name>VSMPortal Portlet</display-name>
          <portlet-class>com.sun.faces.portlet.FacesPortlet</portlet-class>
          <init-param>
               <name>com.sun.faces.portlet.INIT_VIEW</name>
               <value>/Uctarna.jsp</value>
          </init-param>
          <expiration-cache>0</expiration-cache>
          <supports>
               <mime-type>text/html</mime-type>
               <portlet-mode>VIEW</portlet-mode>
          </supports>
          <supported-locale>en</supported-locale>
          <portlet-info>
               <title>VSMPortal</title>
               <short-title>VSMPortal</short-title>
               <keywords>Creator</keywords>
          </portlet-info>
          <security-role-ref>
               <role-name>Administrator</role-name>
               <role-link>Administrator</role-link>
          </security-role-ref>
     </portlet>
</portlet-app>If I don't use the security-role and security-role-ref tags, the portlet works, and the isUserInRole method obviously doesn't.

Nobody uses the LDAP roles in a portlet? Anybody knows other thread discussing similar issue (I can't find anything)?

How to use security roles in Weblogic server?

Hello Gurus,
I am new to Weblogic server and I am trying to investigate how to make
use of security roles in weblogic server (5.1.0). Can anyone point me
to some documentation. Specifically, I am looking for instance level,
and method level security and how to use it.
Thanks for taking your time to read this e-mail.
Thank You all in advance,
Hari.

You should read the security information in the Servlet 2.2 specification
that WL 5.1 implements:
http://java.sun.com/products/servlet/download.html
Chapter 11 deals with declarative and programmatic security, and includes a
section on roles:
11.4 Roles
A role is an abstract logical grouping of users that is defined by the
Application Developer or
Assembler. When the application is deployed, these roles are mapped by a
Deployer to security
identities, such as principals or groups, in the runtime environment.
A servlet container enforces declarative or programmatic security for the
principal associated with
an incoming request based on the security attributes of that calling
principal. For example,
1. When a deployer has mapped a security role to a user group in the
operational environment. The
user group to which the calling principal belongs is retrieved from its
security attributes. If the
principal's user group matches the user group in the operational environment
that the security
role has been mapped to, the principal is in the security role.
2. When a deployer has mapped a security role to a principal name in a
security policy domain, the
principal name of the calling principal is retrieved from its security
attributes. If the principal is
the same as the principal to which the security role was mapped, the calling
principal is in the
security role.
Cameron Purdy
http://www.tangosol.com
"Hari" <[email protected]> wrote in message
news:[email protected]..
Hello Gurus,
I am new to Weblogic server and I am trying to investigate how to make
use of security roles in weblogic server (5.1.0). Can anyone point me
to some documentation. Specifically, I am looking for instance level,
and method level security and how to use it.
Thanks for taking your time to read this e-mail.
Thank You all in advance,
Hari.

How to get security roles

Hi All,
I want to know how to get the security roles which we configured in adfsecurity.
Regards,
Smaran

Hi,
to get all roles associated with the current user, try
SecurityContext secCtx = ADFContext.getCurrent().getSecurityContext();
String[] roles = secCtx.getUserRoles();
To get access to the roles defined on the system (not user specific) then this requires OPSS access. The JavaDocs are here:
http://download.oracle.com/docs/cd/E17904_01/apirefs.1111/e10686/toc.htm
From the top of my head. this is how get access to the JPS context to query system resources.
JpsContextFactory jpsfact = JpsContextFactory.getContextFactory();
JpsContext jpxCtx = jpdfact.getContext();
IdentityStoreService store = jpxCtx.getServiceInstance(IdentityStoreService.class);
... from here on I have no further hint without trying it myself. However, I hope I go you started
Frank

Map security roles to group within LDAP using external 3rd Party LDAP

I'm haveing a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory succsfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to group within Active Directory? Below are details about my configuration.
Any help would be greatly appreciated.
Log.xml log entry that confirms webtA is communicating successfully with AD.
SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
Error reported in the log
<MESSAGE>
<HEADER>
<TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
<COMPONENT_ID>j2ee</COMPONENT_ID>
<MSG_TYPE TYPE="TRACE"></MSG_TYPE>
<MSG_LEVEL>16</MSG_LEVEL>
<HOST_ID>F2287032-W</HOST_ID>
<HOST_NWADDR>30.30.16.14</HOST_NWADDR>
<MODULE_ID>security</MODULE_ID>
<THREAD_ID>14</THREAD_ID>
<USER_ID>wmgraham</USER_ID>
</HEADER>
<CORRELATION_DATA>
<EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
Web.xml Logical Role definition
<security-constraint>
<web-resource-collection>
<web-resource-name>allpages</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>WEBTA_J2EE_USER</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>WEBTA_J2EE_USER</role-name>
</security-role>
Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
<security-role-mapping name="WEBTA_J2EE_USER">
<group name="webta"/> <-- Group defined in AD -->
</security-role-mapping>

What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

Invalid Security role-name error in Web Project

Hi All,
I have imported a J2EE application project built in JBOSS into NWDS 7.1.
While building the project i get the following error
<b>CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN</b>
This error directs me to the following code in web.xml
<security-constraint>
          <display-name>Default JSP Security Constraints</display-name>
          <web-resource-collection>
               <web-resource-name>Portlet Directory</web-resource-name>
               <url-pattern>/jsp/*</url-pattern>
               <http-method>GET</http-method>
               <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
               <b><role-name>PEHNTAHO_ADMIN</role-name></b>
          </auth-constraint>
          <user-data-constraint>
               <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
<b>I have tried out the following things to resolve this issue :</b>
<b>1) Remove the role manually</b>(as suggested by various people in other J2EE forums), but then some other error came in to picture
<b>2)Then I added the following code in web.xml</b>
<security-role>
          <role-name>PEHNTAHO_ADMIN</role-name>
     </security-role>
Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
     java.rmi.RemoteException: class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
version status: HIGHER
deployment status: Admitted
description:
          1. Error:
Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
ERRORS:
Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
     
</web-app>
" is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
WARNINGS:
Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
<b>3) I had also added the following code in web-j2ee-engine.xml</b>
<security-role-map>
          <role-name>PEHNTAHO_ADMIN</role-name>
          <server-role-name>all</server-role-name>
     </security-role-map>
but still i get the same deployment error.
Please help me in resolving this problem.
Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
Thanks and Regards,
Sruti

Hi Malathy,
Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
Could you please let us know you created a roles named users in WLS ?
Thanks & Regards,
Murali.
============

Security-role and security-role-assignment not working in WL7.0

Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

Below are the screen shots for PFCG:

Problem mapping LoginModule roles to ejb security roles

I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
LoginContext lc = new LoginContext("current-workspace-app", cbh);
lc.login();
I then perform a lookup on a bean using the same user:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
env.put("java.naming.security.principal",username);
env.put("java.naming.security.credentials",password);
env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
Context ic = new InitialContext(env);
final SessionEJBHome sessionEJBHome =
(SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
Finally, I create an instance of the bean and call a method of this bean.
SessionEJB sessionEJB;
sessionEJB = sessionEJBHome.create( );
sessionEJB.testMe( );
I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
"username is not allowed to call this EJB method"
When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
Thanks
PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

Hi Sebastian,
yes, it is possible to do such mapping. And here how it works:
1. define security roles in the ejb-jar.xml within the <security-role>. For example:
<security-role>
     <role-name>test</role-name>
</security-role>
2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
<security-permission>
   <security-role-map>
      <role-name>test</role-name>
      <server-role-name>myUMErole</server-role-name>
   </security-role-map>
</security-permission>
the myUMErole must be defined in the UME!
Does this answer your question?

User security roles

Similar Messages

Maybe you are looking for