!! Warning on javax.security classes !!

WARNING: be aware that weblogic.jar in WLS 6.1 contains at least one class
from the javax.security package that has been customized by BEA and is
significantly different (i.e. incompatible) from the class provided in the
'official' Sun J2EE library.
The particular class we have examined is javax.security.auth.Subject, which
is used to carry security details for a subject (person, etc). This is used
when authenticating client log-ins with WebLogic server security. No doubt
BEA obtained permission from Sun to break the usual licence agreements and
release a custom version of the class in the same package, but this seems to
negate the whole concept of Java packages and has cost us a lot of time and
expense to unravel.
We have spent considerable time trying to trace the cause of an
IncompatibleClassException thrown by WLS when our clients attempted to
log-in. We eventually discovered that the server was picking up the
'official' Sun version of javax.security.auth.Subject.class from the Java
bootclasspath, whereas the clients were sending the WebLogic custom version
of javax.security.auth.Subject.class from weblogic.jar. The two versions are
terminally incompatible.
I would be interested to hear a realistic justification for this kind of
package abuse...
Dave
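
A way to confirm this kind of mismatch, as an added example that is not part of the original post: the program reports which loader and location supplied a class, its serialVersionUID, and every class path entry that carries its own copy. The class name ClassOrigin is hypothetical and the code assumes Java 7 or later.

```java
import java.io.File;
import java.io.IOException;
import java.io.ObjectStreamClass;
import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarFile;

/** Added diagnostic (hypothetical class name): where does a class really come from? */
public class ClassOrigin {

    /** Describe the loader, origin and serialVersionUID of the class this JVM resolved. */
    static String describe(String className) throws ClassNotFoundException {
        Class<?> c = Class.forName(className, false, ClassOrigin.class.getClassLoader());
        ClassLoader loader = c.getClassLoader();              // null means bootstrap loader
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        // Resource lookup also works for JDK classes, where the code source is null.
        URL resource = ClassLoader.getSystemResource(className.replace('.', '/') + ".class");
        ObjectStreamClass osc = ObjectStreamClass.lookup(c);  // null if not Serializable
        return className
            + "\n  loader           = " + (loader == null ? "bootstrap" : loader)
            + "\n  code source      = " + (cs == null ? "(none: JDK class)" : cs.getLocation())
            + "\n  first resource   = " + resource
            + "\n  serialVersionUID = "
            + (osc == null ? "(not serializable)" : String.valueOf(osc.getSerialVersionUID()));
    }

    /** Return the jars or directories in a path list that contain their own copy of the class. */
    static List<String> copiesOn(String pathList, String className) {
        String entry = className.replace('.', '/') + ".class";
        List<String> hits = new ArrayList<>();
        for (String element : pathList.split(File.pathSeparator)) {
            File f = new File(element);
            if (f.isDirectory()) {
                if (new File(f, entry).isFile()) {
                    hits.add(element);
                }
            } else if (f.isFile()) {
                try (JarFile jar = new JarFile(f)) {
                    if (jar.getEntry(entry) != null) {
                        hits.add(element);
                    }
                } catch (IOException notAnArchive) {
                    // Skip class path entries that are not readable jar/zip files.
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String name = args.length > 0 ? args[0] : "javax.security.auth.Subject";
        System.out.println(describe(name));
        // Any hit is a second copy that can shadow, or be shadowed by, the JDK's class.
        String classPath = System.getProperty("java.class.path", "");
        System.out.println("  copies on class path = " + copiesOn(classPath, name));
    }
}
```

Run it with the client's class path and again with the server's; differing origins or serialVersionUID values for the same class name point to the situation described above.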

Hi
Frank's reply is as follows:
Hi,
ADF UI components use peer classes to adapt to different browser behaviors. The request issued by ADF Faces for its server communication is through the XMLHttpRequest object (unless it's a GET request for the initial page load. All subsequent requests are either partial XMLHttpRequest requests or JSF postback requests)
Frank
I am not able to understand the solution; what is he trying to say? Could you please explain what I should change in my code to avoid that security error?
Regards
Zarrakh

Similar Messages

  • Why javax.security.* doesn't work for me ?

    I am a newbie in Java. Recently I met a problem which confused me a lot. I have a class named CSecurity which can throw LoginException. Code sample is
    public class CSecurity {
        void userLogin() throws LoginException { }
    }
    When compiling it, "unresolved symbol - Can't locate LoginException class" error message appears, although I put "import javax.security.*;" in the front. Compilation succeeds, if I change it to "import javax.security.auth.login.LoginException;". My question is why character "*" doesn't work at all, since it is supposed to work. I assume "import javax.security.*;" should import all classes under the security branch. Am I wrong about this?
    Regards,
    WenBin

    When you import * it doesn't import sub packages, only the specified one.
    So you would need to do:
    import javax.security.auth.login.*;

  • Using javax.security.auth.LoginContext to generate a renewable ticket

    Hi,
    I tried to use javax.security.auth.LoginContext (with Kerberos) to generate a forwardable and renewable ticket. With this ticket I authenticate the user at another server.
    My problem is, that the code generates a forwardable ticket, but not a renewable one. If I use the kinit (console tool) I am able to generate a renewable one.
    Here is the JAVA-code:
    System.setProperty("sun.security.krb5.debug","true");
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    System.setProperty("java.security.auth.login.config", "login.conf");
    lc = new LoginContext("SampleCXF",new LoginGuiCallbackHandler());
    try {
         lc.login();
    }catch(Exception e) {
         e.printStackTrace();
         System.exit(1);
    }
    // Take a Kerberos ticket from the Subject's private credentials and print it
    Subject subject = lc.getSubject();
    KerberosTicket kt = (KerberosTicket) subject.getPrivateCredentials().iterator().next();
    System.out.println(kt);
    // Call the web service as the authenticated Subject
    Subject.doAsPrivileged(subject, new PrivilegedAction<byte[]>() {
         @Override
         public byte[] run() {
              try {
                   JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
                   factory.setServiceClass(TestService.class);
                   factory.setAddress("https://server.at/TestProjektServer/services/TestService");
                   TestService client = (TestService) factory.create();
                   String message = client.service1("param service 1");
                   //String message = client.service1("param service 1");
              }catch(Exception e) {
                   e.printStackTrace();
              }
              return null;
         }
    }, null);
    the login.conf contains:
    SampleCXF {
         com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true debug=true renewTGT=true doNotPront=true;
    };
    the krb5.conf contains:
    [libdefaults]
         default_realm = TESTREALM
         kinit = {
              forwardable = true
              proxiable = true
              renew_lifetime = 5d 0h 0m 0s
         }
    [realms]
         TESTREALM = {
              kdc = aba.hostingcenter.uclv.net
              admin_server = aba.hostingcenter.uclv.net
         }
    [domain_realm]
         *.test.net = TESTREALM
         .test.net = TESTREALM
    [logging]
         default = FILE:/var/log/kdc.log
         kdc = FILE:/var/log/kdc.log
    [appdefaults]
         pam = {
              renewable = true
              forwardable = true
              renew_lifetime = 5d 0h 0m 0s
         }
    If I use my client principal and password a ticket will be generated. This ticket is not renewable!!
    If I use the ticket cache (kinit -r, and kinit -R), a renewable ticket was loaded. On the server side the forwarded ticket is not renewable. It seems that the client generates a new ticket with the forwarded flag, but the renewable flag is not set.
    Does anyone have an idea?
    Thanks a lot
    Ludi
    Edited by: user6714014 on Dec 13, 2011 7:34 AM

    nobody knows?

  • Authentication Failed: User xelsysadm javax.security.auth.login.FailedLogin

    Hi All,
    I have a critical issue to be solved on the Production environment :(,
    we have OIM installed on a cluster in production (OIM11g installed on server), the configuration is as mentioned below
    cluster 1--oim1,soa1--server1--holds admin server
    cluster 2--oim2,soa2--server2--managed server and no admin server
    This instance was working fine, we had to restart the server machine for some reason and I am not able to start the OIM server :( after that.
    Following is the exception I get when I start the OIM server, please help :(
    [2011-05-13T13:42:29.585+05:30] [wls_oim1] [NOTIFICATION] [] [oracle.adf.share.weblogic.listeners.ADFApplicationLifecycleListener] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000IzcQVWHFo2w6wFNa6G1DhbE300075k,0] [APP: oim#11.1.1.3.0] ADFApplicationLifecycleListener.preStop. Cleaning up Application caches.
    [2011-05-13T13:42:29.585+05:30] [wls_oim1] [NOTIFICATION] [] [oracle.adf.share.config.ADFConfigFactory] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000IzcQVWHFo2w6wFNa6G1DhbE300075k,0] [APP: oim#11.1.1.3.0] Clean up Application Caches
    [2011-05-13T13:42:29.585+05:30] [wls_oim1] [NOTIFICATION] [] [oracle.adf.share.config.ADFConfigFactory] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000IzcQVWHFo2w6wFNa6G1DhbE300075k,0] [APP: oim#11.1.1.3.0] ADFConfigFactory.cleanUpApplicationCaches. Calling ADF Config instance implementation: class oracle.adf.share.config.MDSConfigImpl.releaseResources()
    [2011-05-13T13:42:29.600+05:30] [wls_oim1] [NOTIFICATION] [] [oracle.adf.share.config.ADFConfigFactory] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000IzcQVWHFo2w6wFNa6G1DhbE300075k,0] [APP: oim#11.1.1.3.0] ADFConfigFactory.cleanUpApplicationCaches. Calling ADF Config instance implementation: class oracle.adf.share.config.MDSConfigImpl.releaseResources()
    [2011-05-13T13:42:29.600+05:30] [wls_oim1] [NOTIFICATION] [] [oracle.adf.share.config.ADFConfigFactory] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000IzcQVWHFo2w6wFNa6G1DhbE300075k,0] [APP: oim#11.1.1.3.0] ADFConfigFactory.cleanUpApplicationCaches. Calling ADF Config instance implementation: class oracle.adf.share.config.MDSConfigImpl.releaseResources()
    [2011-05-13T13:42:29.600+05:30] [wls_oim1] [NOTIFICATION] [] [oracle.adf.share.config.ADFConfigFactory] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000IzcQVWHFo2w6wFNa6G1DhbE300075k,0] [APP: oim#11.1.1.3.0] ADFConfigFactory.cleanUpApplicationCaches. Calling ADF Config instance implementation: class oracle.adf.share.config.MDSConfigImpl.releaseResources()
    [2011-05-13T13:42:30.193+05:30] [wls_oim1] [ERROR] [] [OIM Authenticator] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000IzcQVWHFo2w6wFNa6G1DhbE300075k,0] [APP: oim#11.1.1.3.0] Error while retrieving user xelsysadm
    [2011-05-13T13:42:30.224+05:30] [wls_oim1] [ERROR] [IAM-0020011] [oracle.iam.platform.auth.client] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000IzcQVWHFo2w6wFNa6G1DhbE300075k,0] [APP: oim#11.1.1.3.0] Login Exception encountered when trying to login as admin {0}[[
    javax.security.auth.login.LoginException: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
    at weblogic.security.auth.login.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:199)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:684)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at Thor.API.Security.LoginHandler.weblogicLoginHandler.login(weblogicLoginHandler.java:62)
    at oracle.iam.platform.OIMClient.login(OIMClient.java:134)
    at oracle.iam.platform.OIMClient.login(OIMClient.java:114)
    at oracle.iam.platform.OIMInternalClient.loginAsAdmin(OIMInternalClient.java:69)
    at oracle.iam.scheduler.impl.util.SchedulerUtil.getSchedulerService(SchedulerUtil.java:735)
    at oracle.iam.scheduler.webapp.SchedulerStartupServlet.resetRunningJobStatus(SchedulerStartupServlet.java:247)
    at oracle.iam.scheduler.webapp.SchedulerStartupServlet.stopScheduler(SchedulerStartupServlet.java:123)
    at oracle.iam.scheduler.webapp.SchedulerStartupServlet.destroy(SchedulerStartupServlet.java:261)
    at weblogic.servlet.internal.StubSecurityHelper$ServletDestroyAction.run(StubSecurityHelper.java:303)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.StubSecurityHelper.destroyServlet(StubSecurityHelper.java:81)
    at weblogic.servlet.internal.StubLifecycleHelper.destroyOneInstance(StubLifecycleHelper.java:144)
    at weblogic.servlet.internal.StubLifecycleHelper.destroy(StubLifecycleHelper.java:134)
    at weblogic.servlet.internal.ServletStubImpl.destroy(ServletStubImpl.java:438)
    at weblogic.servlet.internal.WebAppServletContext.destroyServlets(WebAppServletContext.java:3232)
    at weblogic.servlet.internal.WebAppServletContext.destroy(WebAppServletContext.java:3192)
    at weblogic.servlet.internal.ServletContextManager.destroyContext(ServletContextManager.java:241)
    at weblogic.servlet.internal.HttpServer.unloadWebApp(HttpServer.java:461)
    at weblogic.servlet.internal.WebAppModule.destroyContexts(WebAppModule.java:1540)
    at weblogic.servlet.internal.WebAppModule.deactivate(WebAppModule.java:513)
    at weblogic.application.internal.flow.ModuleStateDriver$2.previous(ModuleStateDriver.java:389)
    at weblogic.application.utils.StateMachineDriver.previousState(StateMachineDriver.java:167)
    at weblogic.application.utils.StateMachineDriver.previousState(StateMachineDriver.java:160)
    at weblogic.application.internal.flow.ModuleStateDriver.deactivate(ModuleStateDriver.java:141)
    at weblogic.application.internal.flow.ScopedModuleDriver.deactivate(ScopedModuleDriver.java:207)
    at weblogic.application.internal.flow.ModuleListenerInvoker.deactivate(ModuleListenerInvoker.java:261)
    at weblogic.application.internal.flow.DeploymentCallbackFlow$2.previous(DeploymentCallbackFlow.java:538)
    at weblogic.application.utils.StateMachineDriver.previousState(StateMachineDriver.java:167)
    at weblogic.application.utils.StateMachineDriver.previousState(StateMachineDriver.java:160)
    at weblogic.application.internal.flow.DeploymentCallbackFlow.deactivate(DeploymentCallbackFlow.java:182)
    at weblogic.application.internal.flow.DeploymentCallbackFlow.deactivate(DeploymentCallbackFlow.java:175)
    at weblogic.application.internal.BaseDeployment$2.previous(BaseDeployment.java:1281)
    at weblogic.application.utils.StateMachineDriver.previousState(StateMachineDriver.java:167)
    at weblogic.application.utils.StateMachineDriver.previousState(StateMachineDriver.java:160)
    at weblogic.application.internal.BaseDeployment.deactivate(BaseDeployment.java:453)
    at weblogic.application.internal.EarDeployment.deactivate(EarDeployment.java:58)
    at weblogic.application.internal.DeploymentStateChecker.deactivate(DeploymentStateChecker.java:199)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.deactivate(AppContainerInvoker.java:98)
    at weblogic.deploy.internal.targetserver.BasicDeployment.deactivate(BasicDeployment.java:263)
    at weblogic.deploy.internal.targetserver.BasicDeployment.deactivateFromServerLifecycle(BasicDeployment.java:458)
    at weblogic.management.deploy.internal.DeploymentAdapter$1.doDeactivate(DeploymentAdapter.java:74)
    at weblogic.management.deploy.internal.DeploymentAdapter.deactivate(DeploymentAdapter.java:215)
    at weblogic.management.deploy.internal.AppTransition$6.transitionApp(AppTransition.java:67)
    at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
    at weblogic.management.deploy.internal.ConfiguredDeployments.deactivate(ConfiguredDeployments.java:199)
    at weblogic.management.deploy.internal.ConfiguredDeployments.undeploy(ConfiguredDeployments.java:191)
    at weblogic.management.deploy.internal.DeploymentServerService.shutdownApps(DeploymentServerService.java:195)
    at weblogic.management.deploy.internal.DeploymentServerService.shutdownHelper(DeploymentServerService.java:127)
    at weblogic.application.ApplicationShutdownService.stop(ApplicationShutdownService.java:106)
    at weblogic.t3.srvr.ServerServicesManager.stopInternal(ServerServicesManager.java:495)
    at weblogic.t3.srvr.ServerServicesManager.stop(ServerServicesManager.java:316)
    at weblogic.t3.srvr.T3Srvr.shutdown(T3Srvr.java:1036)
    at weblogic.t3.srvr.T3Srvr.gracefulShutdown(T3Srvr.java:939)
    at weblogic.t3.srvr.GracefulShutdownRequest.run(GracefulShutdownRequest.java:41)
    at weblogic.work.ContextWrap.run(ContextWrap.java:41)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Thanks in advance

    Agreed with all above pointers.
    I think you have to raise an SR with Oracle, because it is a prod environment.
    If you still want to do some R&D:
    1. Also check these URLs; they might help, but I am not sure.
    http://download.oracle.com/docs/cd/E21764_01/doc.1111/e14308/handlinglcm.htm#CIAJCEEF
    http://download.oracle.com/docs/cd/E21764_01/doc.1111/e14308/handlinglcm.htm#CIAEFAGF
    2. Restart all servers (along with Admin server and DB).

  • Why javax.security.Policy is deprecated ?

    I was trying to refresh Policy object in my application. When I was coding as following, a warning message pops up. It says, "javax.security.Policy is deprecated." That is, I can't use it any more. I want to know why ? And how can I refresh system policy object, if my policy file is changed. I don't want to restart my application, which will be running as a server.
    Policy policy = Policy.getPolicy();
    policy.refresh();
    Regards,
    WenBin

    Up.

  • NotSerializableException: javax.security.auth.login.LoginContext

    Hi,
    I'm using the JAAS-API for a JDBC-based user login procedure.
    Although it worked fine for months, suddenly it doesn't work anymore (i.e., after user enters name+password and clicks login-button, nothing happens besides the browser bottom line 'waiting for localhost'). I tried to debug this, but then Creator always crashed.
    I just looked inside the server-log-files and found the following exception stack trace. It was stored in the files during every login procedure.
    Because it worked fine before, this issue probably is not critical and could be solved by reinstalling Creator, but anyway I would greatly appreciate, if someone would have an idea what the problem is.
    Regards,
    Felix
    [#|2006-07-10T17:41:50.494+0200|INFO|sun-appserver-pe8.2|org.apache.catalina.session.ManagerBase|_ThreadID=17;|Cannot serialize session attribute SessionBean1 for session 5918037189ed39ffffffffc4ba0330aded7d1
    java.io.NotSerializableException: javax.security.auth.login.LoginContext
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1075)
        at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1369)
        at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1341)
        at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1284)
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1073)
        at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:291)
        at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1775)
        at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:985)
        at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:543)
        at org.apache.catalina.session.StandardManager.unload(StandardManager.java:482)
        at org.apache.catalina.session.StandardManager.stop(StandardManager.java:711)
        at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4675)
        at org.apache.catalina.core.ContainerBase.removeChild(ContainerBase.java:956)
        at com.sun.enterprise.web.WebContainer.unloadWebModule(WebContainer.java:2122)
        at com.sun.enterprise.server.WebModuleDeployEventListener.moduleUndeployed(WebModuleDeployEventListener.java:198)
        at com.sun.enterprise.server.WebModuleDeployEventListener.moduleUndeployed(WebModuleDeployEventListener.java:278)
        at com.sun.enterprise.admin.event.AdminEventMulticaster.invokeModuleDeployEventListener(AdminEventMulticaster.java:920)
        at com.sun.enterprise.admin.event.AdminEventMulticaster.handleModuleDeployEvent(AdminEventMulticaster.java:905)
        at com.sun.enterprise.admin.event.AdminEventMulticaster.processEvent(AdminEventMulticaster.java:427)
        at com.sun.enterprise.admin.event.AdminEventMulticaster.multicastEvent(AdminEventMulticaster.java:139)
        at com.sun.enterprise.admin.server.core.DeploymentNotificationHelper.multicastEvent(DeploymentNotificationHelper.java:288)
        at com.sun.enterprise.deployment.phasing.DeploymentServiceUtils.multicastEvent(DeploymentServiceUtils.java:155)
        at com.sun.enterprise.deployment.phasing.ServerDeploymentTarget.sendStopEvent(ServerDeploymentTarget.java:283)
        at com.sun.enterprise.deployment.phasing.StopPhase.runPhase(StopPhase.java:126)
        at com.sun.enterprise.deployment.phasing.DeploymentPhase.executePhase(DeploymentPhase.java:71)
        at com.sun.enterprise.deployment.phasing.PEDeploymentService.executePhases(PEDeploymentService.java:639)
        at com.sun.enterprise.deployment.phasing.PEDeploymentService.stop(PEDeploymentService.java:409)
        at com.sun.enterprise.deployment.phasing.PEDeploymentService.stop(PEDeploymentService.java:444)
        at com.sun.enterprise.admin.mbeans.ApplicationsConfigMBean.stop(ApplicationsConfigMBean.java:725)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:305)
        at com.sun.enterprise.admin.config.BaseConfigMBean.invoke(BaseConfigMBean.java:360)
        at com.sun.jmx.mbeanserver.DynamicMetaDataImpl.invoke(DynamicMetaDataImpl.java:213)
        at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
        at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at com.sun.enterprise.admin.util.proxy.ProxyClass.invoke(ProxyClass.java:54)
        at $Proxy1.invoke(Unknown Source)
        at com.sun.enterprise.admin.server.core.jmx.SunoneInterceptor.invoke(SunoneInterceptor.java:272)
        at com.sun.enterprise.admin.jmx.remote.server.callers.InvokeCaller.call(InvokeCaller.java:38)
        at com.sun.enterprise.admin.jmx.remote.server.MBeanServerRequestHandler.handle(MBeanServerRequestHandler.java:92)
        at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.processRequest(RemoteJmxConnectorServlet.java:69)
        at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.doPost(RemoteJmxConnectorServlet.java:94)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
        at sun.reflect.GeneratedMethodAccessor82.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
        at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:132)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:189)
        at com.sun.enterprise.web.connector.grizzly.ProcessorTask.doProcess(ProcessorTask.java:604)
        at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:475)
        at com.sun.enterprise.web.connector.grizzly.ReadTask.executeProcessorTask(ReadTask.java:371)
        at com.sun.enterprise.web.connector.grizzly.ReadTask.doTask(ReadTask.java:264)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:281)
        at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:83)
    |#]

    just to make it clearer, the important Exception seems to be the following line:
    java.io.NotSerializableException: javax.security.auth.login.LoginContext
    The first thought of mine was to add an implements Serializable to the class, but that's not possible, because the class is read-only.
    So does anyone know, how this could be solved?
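
The usual way to keep a LoginContext out of a serialized session attribute, as an added example that is not part of the original thread: the field is declared transient, so only the serializable state is written. The class names, the in-memory Configuration and the module name example.DemoLoginModule are constructed for the demonstration; no login is performed.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Collections;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added demonstration (hypothetical names): LoginContext inside a session attribute. */
public class SessionAttributeDemo {

    /** Shape that fails: the attribute drags a LoginContext into the object stream. */
    static class LeakyBean implements Serializable {
        private static final long serialVersionUID = 1L;
        String userName;
        LoginContext loginContext;
    }

    /** Same state, but the LoginContext is excluded from serialization. */
    static class SafeBean implements Serializable {
        private static final long serialVersionUID = 1L;
        String userName;
        transient LoginContext loginContext; // null after deserialization: log in again
    }

    /** Build a LoginContext offline from an in-memory configuration (constructed). */
    static LoginContext constructedContext() throws LoginException {
        Configuration inMemory = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "example.DemoLoginModule", LoginModuleControlFlag.REQUIRED,
                    Collections.<String, Object>emptyMap()) };
            }
        };
        // The module class is only loaded by login(), which this demo never calls.
        return new LoginContext("demo", null, null, inMemory);
    }

    /** Returns null on success, otherwise the name of the class that could not be written. */
    static String trySerialize(Object attribute) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(attribute);
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        LeakyBean leaky = new LeakyBean();
        leaky.userName = "felix";               // constructed sample value
        leaky.loginContext = constructedContext();

        SafeBean safe = new SafeBean();
        safe.userName = "felix";
        safe.loginContext = constructedContext();

        System.out.println("LeakyBean failed on: " + trySerialize(leaky));
        System.out.println("SafeBean failed on:  " + trySerialize(safe));
    }
}
```

A transient field comes back as null when the container restores the session, so code that uses it has to handle that case and authenticate again.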

  • Oracle 9I JAAS problem: javax.security.auth.login.LoginException

    I have a problem with Oracle 9iAS JAAS. I get "javax.security.auth.login.LoginException: unable to find LoginModule class" no matter where I put the class file, either in the JVM options (-cp), in the WAR file, by adding it in the Web Admin, or by manually editing 9iAS's configuration file.
    None works. Can anyone help? I am using JDK 1.3.
    I had the same problem on Tomcat, but I solved the problem by putting the class in the JVM's classpath. But for 9iAS, it just doesn't work.
    Thank you for the help

    Bet you have solved this, but
    the right place for jaas related stuff is
    as installed extension i.e:
    jre/lib/ext
    where jaas.jar and jars containing login modules should be located.
    /Kullervo

  • Javax.security.auth.login.LoginException: No LoginModules configured

    Hi all,
    I am trying out the implementation of a custom login module with a J2EE web application.
    I followed this link (http://help.sap.com/saphelp_nw04/helpdata/en/b9/9482887ddb3e47bd1a738c3e900195/frameset.htm) to create the login module.
    When I run the application I get the error-
    javax.security.auth.login.LoginException: No LoginModules configured for MyLoginModule.
    This exception is pointing to my servlet where I've written the code-
    LoginContext lc = new LoginContext("MyLoginModule");
    try {
         // start authentication
         lc.login();
         // user authenticated successfully
    } catch (LoginException le) {
         throw new Exception("Error authenticating user");
    }
    where MyLoginModule is the name of the custom login module I have implemented and registered in the security provider!
    Message was edited by:
            swarnadeepika subramanian

    Hi,
    this is the code in my login module class-
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        this.callbackHandler = callbackHandler;
        this.subject = subject;
        this.sharedState = sharedState;
        this.options = options;
        this.successful = false;
        this.nameSet = false;
    }

    public boolean login() throws LoginException {
        // Ask the container for the "username" request parameter.
        Callback[] callbacks = new Callback[1];
        callbacks[0] = new HttpGetterCallback();
        ((HttpGetterCallback) callbacks[0]).setType(HttpCallback.REQUEST_PARAMETER);
        ((HttpGetterCallback) callbacks[0]).setName("username");
        try {
            callbackHandler.handle(callbacks);
        } catch (UnsupportedCallbackException e) {
            return false;
        } catch (IOException e) {
            throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
        }
        //Returns an array of all request parameters with name "user_name".
        String[] requestParameters = (String[]) ((HttpGetterCallback) callbacks[0]).getValue();
        if ((requestParameters != null) && requestParameters.length > 0) {
            userName = requestParameters[0];
        }
        if (userName == null) {
            throwNewLoginException("No user name provided.");
        }
        try {
            refreshUserInfo(userName);
        } catch (SecurityException e) {
            throwUserLoginException(e);
        }
        // Only user names that start with the configured prefix are accepted.
        String prefix = (String) options.get("user_name_prefix");
        if ((prefix != null) && !userName.startsWith(prefix)) {
            throwNewLoginException("The user is not trusted.");
        }
        if (sharedState.get(AbstractLoginModule.NAME) == null) {
            sharedState.put(AbstractLoginModule.NAME, userName);
            nameSet = true;
        }
        successful = true;
        return true;
    }

    public boolean commit() throws LoginException {
        if (successful) {
            Principal principal = new Principal(userName);
            subject.getPrincipals().add(principal);
            if (nameSet) {
                sharedState.put(AbstractLoginModule.PRINCIPAL, principal);
            }
        } else {
            userName = null;
        }
        return true;
    }

    public boolean abort() throws LoginException {
        if (successful) {
            userName = null;
            successful = false;
        }
        return true;
    }

    public boolean logout() throws LoginException {
        if (successful) {
            subject.getPrincipals(Principal.class).clear();
            successful = false;
        }
        return true;
    }
    From my understanding, this module gets the value that I enter in the (basic authentication) window and compares it with the prefix that is set in the Visual Admin.
    Am I right?
    Can you elaborate about the HttpCallBackHandler? Without understanding the code I don't think debugging is possible!
    Regards
    Deepika.
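
How LoginContext treats its name argument, as an added example that is not part of the original thread: the name is looked up as an entry in the active JAAS Configuration (falling back to an entry called "other"), and "No LoginModules configured for ..." is thrown when neither exists. The example uses the JDK's file-based Configuration rather than the application server's own configuration store; the entry name SampleApp and the module class example.DemoLoginModule are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added demonstration (hypothetical names): what the LoginContext name is matched against. */
public class LoginContextNameDemo {

    // Constructed JAAS configuration. The entry name is "SampleApp"; the module
    // class example.DemoLoginModule is hypothetical and is never loaded here.
    static final String CONFIG =
        "SampleApp {\n"
        + "    example.DemoLoginModule required user_name_prefix=\"trusted_\";\n"
        + "};\n";

    /** Point the JDK's default file-based Configuration at a temporary copy of CONFIG. */
    static void installConfig() throws Exception {
        Path file = Files.createTempFile("jaas-demo", ".conf");
        file.toFile().deleteOnExit();
        Files.write(file, CONFIG.getBytes(StandardCharsets.UTF_8));
        // Must be set before the first LoginContext is created in this JVM.
        System.setProperty("java.security.auth.login.config", file.toUri().toString());
    }

    /** Returns "ok" if the name resolves to a configuration entry, else the exception message. */
    static String resolve(String name) {
        try {
            new LoginContext(name);   // only looks the entry up; login() is not called
            return "ok";
        } catch (LoginException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        installConfig();
        // The entry name resolves.
        System.out.println("SampleApp               -> " + resolve("SampleApp"));
        // The module's class name is not an entry name, so the lookup fails.
        System.out.println("example.DemoLoginModule -> " + resolve("example.DemoLoginModule"));
    }
}
```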

  • OIM 9.1.0.1 on JBOSS 4.2.3GA  javax.security.auth.login.LoginException: jav

    ERROR,11 Feb 2009 15:39:42,453,[XELLERATE.JBOSSLOGINHANDLER],Error in creating login context
    javax.security.auth.login.LoginException: java.lang.NoSuchFieldError: TRACE
    at org.jboss.logging.Log4jLoggerPlugin.isTraceEnabled(Log4jLoggerPlugin.java:85)
    at org.jboss.logging.Logger.isTraceEnabled(Logger.java:122)
    at org.jboss.security.ClientLoginModule.initialize(ClientLoginModule.java:96)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at Thor.API.Security.LoginHandler.jbossLoginHandler.login(Unknown Source)
    at Thor.API.Security.ClientLoginUtility.login(Unknown Source)
    at com.thortech.xl.client.base.tcAppWindow.internalLogin(Unknown Source)
    at com.thortech.xl.client.base.tcAppWindow.login(Unknown Source)
    at com.thortech.xl.client.base.tcAppWindow.<init>(Unknown Source)
    at com.thortech.xl.client.base.tcAppWindow.main(Unknown Source)

    Back up the original file log4j-1.2.8.jar in oimclient/xlclient/ext
    Copy the log4j.jar from the JBOSS folder - JBOSS/server/default
    Paste the file in the client folder with the original log4j-1.2.8.jar
    Rename the log4j.jar file to log4j-1.2.8.jar
    Start your JBOSS. This should work.
    AKSHAY
    Edited by: user640639 on Feb 11, 2009 12:20 PM
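
An added diagnostic for the jar mismatch in the thread above (example code, not from the original posts): it lists every classpath location that offers a class, reports which copy was actually loaded, and checks whether that copy has a given field. The class name `ClassOriginCheck` and the default target `org.apache.log4j.Level` / `TRACE` are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import java.util.List;

public class ClassOriginCheck {

    // Every classpath location offering the class file; more than one means one copy shadows another.
    static List<URL> copiesOf(String className, ClassLoader cl) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        return Collections.list(cl.getResources(resource));
    }

    // Location of the copy that was actually loaded (a null CodeSource means the bootstrap loader).
    static String originOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "<bootstrap>" : cs.getLocation().toString();
    }

    // True if the loaded copy declares or inherits a public field with this name.
    static boolean hasField(Class<?> c, String field) {
        try {
            c.getField(field);
            return true;
        } catch (NoSuchFieldException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumption: the TRACE named in the NoSuchFieldError is org.apache.log4j.Level.TRACE.
        String className = args.length > 0 ? args[0] : "org.apache.log4j.Level";
        String field = args.length > 1 ? args[1] : "TRACE";
        ClassLoader cl = ClassOriginCheck.class.getClassLoader();

        for (URL u : copiesOf(className, cl)) {
            System.out.println("candidate:   " + u);
        }
        try {
            // initialize=false: inspect the class without running its static initializers
            Class<?> c = Class.forName(className, false, cl);
            System.out.println("loaded from: " + originOf(c));
            System.out.println("has " + field + ": " + hasField(c, field));
        } catch (ClassNotFoundException e) {
            System.out.println(className + " is not visible to this class loader");
        }
    }
}
```

Run it with the same classpath the failing client uses; a `has TRACE: false` result, or two candidates where the older jar comes first, points at the mismatch before any jar is replaced.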

  • Missing security classes

    Hi all,
    I have updated Security Class dimension via EPMA (added but also removed some classes). Deploy was successful and the application is in sync with EPMA.
    When I wanted to update security class access via HSS, I couldn't find new classes and old ones (which I removed via EPMA) were still there.
    How is that possible? I don't see any problem in interconnection between HFM and HSS but this seems that security classes haven't been refreshed in HSS.
    Could anyone help me with this please?
    BR
    Vladino
    EDIT
    I can see newly added classes but I can see also old ones. This is really weird... I have duplicated the application, cleared all data and metadata but old classes are still there. :-/
    Edited by: Vladino on Jul 11, 2011 1:49 PM

    Solved.
    The issue was because of migrating the old application into new one with different security classes. After clean deploy everything was fine but the migration (using command-line utility) replaced security settings with that coming from the old application.
    Vladino

  • Javax.security.auth.AuthPermission createLoginContext.Userpass

    Hi,
    I am working on authentication using JAAS.
    I have created a small application and am calling it in one of the JSP files. When I try to access the JSP I am getting the following error:
    createLoginContext.Userpass : access denied
    (javax.security.auth.AuthPermission createLoginContext.Userpass)
    When I run the Java application it authenticates the user, but when I try to run it by calling it from the JSP it gives the above error.
    I have a java.policy file and I have modified that too, and it is able to give permissions to all the jar files except the one which I have created.
    Can anybody suggest how to give permission to (javax.security.auth.AuthPermission createLoginContext.Userpass)?
    Edited by: Vaibhav818 on Jun 30, 2008 2:54 AM

    The error occurs because you don't grant the createLoginContext permission to the Sample jar file in your policy file, or you do but you don't specify your policy file. Below is an example for the authorization sample.
    grant codebase "file:./SampleAzn.jar" {
        permission javax.security.auth.AuthPermission "createLoginContext.Sample";
        permission javax.security.auth.AuthPermission "doAsPrivileged";
    };
    Cheers
    Zi

  • Javax.security.auth.login.LoginException: Cannot authenticate X509(Urgent!)

    I'm trying to sign my messages between client & webservice using X509 certificates. I've created a keystore and imported:
    privatekey1, certificate1(public key) and trustedCertAuthority that published certificates.
    I've configured webservice & client to use that keystore and privatekey1 to sign request/response, but web service keeps throwing following exception:
    javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User EMAILADDRESS=[email protected], CN=testUser, ... does not exist in our system
    How can I configure web service to find that certificate?
    Thanks for help.

    Yes, I did. I found the problem..
    I had also checked to Authenticate with X509 certificate... and obviously I should somehow set the Security provider, although I don't know how (but it's not so important right now).
    But I do have another question - how can I use the private key & public key in an X509 certificate to encrypt messages? In the sample you mentioned, it's written that there should be a separate key for signature & encryption, but I have separate keystores for the client (with client private key & server public certificate) and for the server (with server private key & client certificate). But I can't get it to work... It seems to me that in that case the signature key alias at the service should be the same as the key needed to decrypt the message?
    Am I missing something again?
    Thanks.

  • Shared Services Security Classes

    Hello,
    I wanted to know what the real value of having Security classes set up is. I understand that having Security Classes on Shared Services is not mandatory. Under which circumstances should you use Security Classes? As I am involved in setting up Shared Services, I was wondering if I should use this option or not. We are currently in the development phase of HFM and Planning.
    If anyone can shed light on this issue, it would be greatly appreciated. Thank you.
    -- A

    Hey guys,
    I really appreciate the response.
    The fact that Security Class may be assigned at the Entity level does ring bells. We do want to ensure that certain entities can only see their own data and not others.
    I believe I will use Security class at the entity level for our company.
    Can you give me some examples of assigning Security classes for HFM?
    Wintee's suggestion of assign - read only and stuff like that is okay but seems a bit generic. Thank you very much for your suggestion though, Wintee.
    I also wanted to know the exact difference between an administrator, delegated administrator, application administrator. Who assigns who?
    If you had to make a hierarchy of users for Shared Services, what would it be: Admin, Delegated Admin, App. Admin, Provisioning Mgr, Directory Mgr? Who comes at the top? Thanks so much for your help so far guys...much appreciated.
    -- A

  • Securing class files

    Hello,
    I read all these topics about securing class files,
    and about encryptors and stuff like that,
    so I thought this could be possible:
    I've made an application and you can run it by using an exe file.
    In the same directory you find the class files.
    Now I archived the class files with WinRAR, and set a password on it.
    I tried to use the exe file to run the application, but it can't.
    Obviously, it can't find the main class.
    So I was wondering if there is a way to make clear to the exe file that the main class is in that zip file, and that you need <this password> to get into the zip file.
    I think it's possible, but I don't know how to do it.
    I thought Google would know it, but it doesn't.
    ...

    > The collision wasn't "stumbled" across it was found because the researchers
    > found a way (from your link) to "reduce the search space".

    I didn't say "the collision was "stumbled" across"...

    > This means that, under certain circumstances, inputs producing the same hash
    > can be found for other inputs + hashes.

    That is what I said...

    > Did you have a look at the PDF ?
    > http://eprint.iacr.org/2004/199.pdf
    >
    >> This doesn't damage the use of MD5 for verifying that file contents are
    >> unchanged, so to OP - go ahead and use it.
    >
    > Well, it does because it means that there is the potential for another
    > file that is not the same to return the same sum - hence the program
    > won't realise the difference.

    And the situation is no worse now than before the duplication was found. Any encryption/hashing routine can create duplicate hashes - because none of them have an infinitely large numberspace.

  • Can applet load own security class, class loader

    I tried my own security class that extends the SecurityManager class, but an exception is thrown as an applet cannot initiate a new security manager class.
    I have done it through a policy file entry to allow the applet to write a file on the client machine.
    I feel this is an extra burden for a novice user...
    What is an alternative way...
    Please..

    An applet should never be allowed to install its own security manager. That is why it is burdensome.
