Weblogic implementation of java.security.acl.Group
hi guys
Do you know of any specific reason why there isn't an implementation of the
java.security.acl.Group interface in the weblogic jar?
I am trying to create a simple user manager service which uses the mbeans
exposed by weblogic. However the interface I am coding to expects me to return
java.security.acl.Group when I create a Group. This has resulted in a deadlock
as I haven't been able to locate a non deprecated implementation.
Thanks
anand
Yes, you can do this.
Alexandre Vauthey wrote:
Hi,
If I write my own security realm, am I able to use my own implementation of
'java.security.acl.Acl' and 'java.security.acl.AclEntry' or do I have to use
the implementation provided by weblogic ? When Security.checkPermission() is
called, does it solely rely on APIs defined in 'java.security.acl' or does
it really expect to talk to an instance of weblogic 'AclImpl' ?
Thanks, Alexandre.
Alexandre Vauthey
Software Engineer
Application Networks
444 Ramona street
Palo Alto, CA 94301
Similar Messages
-
Can I provide my own implementation of java.security.acl.Acl ?
Hi,
If I write my own security realm, am I able to use my own implementation of
'java.security.acl.Acl' and 'java.security.acl.AclEntry' or do I have to use
the implementation provided by weblogic ? When Security.checkPermission() is
called, does it solely rely on APIs defined in 'java.security.acl' or does
it really expect to talk to an instance of weblogic 'AclImpl' ?
Thanks, Alexandre.
Alexandre Vauthey
Software Engineer
Application Networks
444 Ramona street
Palo Alto, CA 94301
Yes, you can do this.
-
The role of java.security.acl in Java 2 security
I have been trying to assess the role of the java.security.acl package within the Java 2 Security architecture. I have some questions regarding it.
First where in the JVM are the interfaces of java.security.acl used? Are there any examples out there to guide developers in understanding their proper implementation?
What is the relationship between this package and the core security package? There seems to be a Permission interface in the acl sub-package and an abstract Permission class in the core security package. Why is this the case? Why is the core abstract class not used instead of declaring a new Permission interface within the acl subpackage?
Are not PermissionCollections and Permissions analogous to ACLs? If so then wouldn't that fact make the acl subpackage redundant?
JSR 115 tries to bridge the gap between Java 2 Security in the SDK with security in J2EE. Namely enabling the RBAC-like approach to security in J2EE while using the AccessController of the J2SE to do the evaluation of J2EE (Servlet/EJB) Permissions. Why are the Group and Owner interfaces defined here not leveraged in both JSR 115 and in general for Role Based Access Control?
Could someone give some background on the vision behind creating the acl subpackage and how it relates to the historical progression of security advances in Java security architectures?
Thanks much,
Alex Karasulu
I see from the defined interfaces that it's an attempt at a formal approach to RBAC. However RBAC can be implemented without it altogether using existing J2SE and JAAS based constructs. This does not answer the redundancy question. Could you elaborate a little bit more?
Thanks,
Alex
-
Java.security.acl.NotOwnerException when Administration Port is set
I get the NOE, posted below, when I start some of my managed servers, while other managed servers
start fine. After some scrutiny I discover the difference is that in /console, I've set some of my
managed server's Administration Port to that of my admin server, and these are the ones that are
busted! Those that I left as default '0' start up just fine. Hence the question: "What the heck
is the use of this field???"
<Apr 3, 2001 3:12:02 PM PDT> <Info> <WebLogicServer> <IIOP subsystem enabled.>
<Apr 3, 2001 3:12:02 PM PDT> <Emergency> <Server> <Unable to initialize the server: 'Fatal initialization exception
Throwable: java.lang.IllegalAccessError: java.security.acl.NotOwnerException
java.lang.IllegalAccessError: java.security.acl.NotOwnerException
at weblogic.security.acl.Realm.getRealm(Realm.java:91)
at weblogic.security.acl.Realm.getRealm(Realm.java:36)
at weblogic.security.acl.Realm.authenticate(Realm.java:183)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at weblogic.security.acl.internal.Security.authenticate(Security.java:116)
at weblogic.jndi.WLInitialContextFactoryDelegate.pushUser(WLInitialContextFactoryDelegate.java:429)
at weblogic.jndi.WLInitialContextFactoryDelegate.newContext(WLInitialContextFactoryDelegate.java:272)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:244)
at weblogic.jndi.Environment.getContext(Environment.java:135)
at weblogic.jndi.Environment.getInitialContext(Environment.java:118)
at weblogic.management.Admin.initializeRemoteAdminHome(Admin.java:894)
at weblogic.management.Admin.start(Admin.java:311)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:331)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
'>
The WebLogic Server did not start up properly.
Exception raised: java.lang.IllegalAccessError: java.security.acl.NotOwnerException
java.lang.IllegalAccessError: java.security.acl.NotOwnerException
at weblogic.security.acl.Realm.getRealm(Realm.java:91)
at weblogic.security.acl.Realm.getRealm(Realm.java:36)
at weblogic.security.acl.Realm.authenticate(Realm.java:183)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at weblogic.security.acl.internal.Security.authenticate(Security.java:116)
at weblogic.jndi.WLInitialContextFactoryDelegate.pushUser(WLInitialContextFactoryDelegate.java:429)
at weblogic.jndi.WLInitialContextFactoryDelegate.newContext(WLInitialContextFactoryDelegate.java:272)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:244)
at weblogic.jndi.Environment.getContext(Environment.java:135)
at weblogic.jndi.Environment.getInitialContext(Environment.java:118)
at weblogic.management.Admin.initializeRemoteAdminHome(Admin.java:894)
at weblogic.management.Admin.start(Admin.java:311)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:331)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
Reason: Fatal initialization exception
Gene Chuang
Join Kiko.com!
Ah, I see! The introduction of an "admin server" in 6.0 caused the confusion for me. The
Administration Port is NOT the port number of the admin server!
Gene
"Kumar Allamraju" <[email protected]> wrote in message news:[email protected]...
This is equivalent to weblogic.system.AdministrationPort in 451/510.
In 451/51 if you start WLS server with
java -Dweblogic.system.administrativePort=2000 weblogic.Server
and then executing
D:\releases\510>java weblogic.Admin admin://localhost:2000 VERSION
returns the WLS version.
WebLogic Build: 5.1.0 Service Pack 8 12/20/2000 16:34:54 #95137
Bottom line is, once you set admin port, all admin stuff can be done on admin protocol only.
It appears this is not happening/broken in 6.0. There's already an engg issue filed on this problem.
Kumar
-
ClassCastException: weblogic.security.acl.internal.FileRealm
Hi,
I am trying to create new user through the CachingRealm.newUser(?,?,?) method..What
I do is -
weblogic.security.acl.BasicRealm baseRealm =
(weblogic.security.acl.BasicRealm)weblogic.security.acl.Security.getRealm();
weblogic.security.acl.CachingRealm realm = (weblogic.security.acl.CachingRealm)
baseRealm;
However it is not able to classcast to CachingRealm , it gives the exception -
java.lang.ClassCastException: weblogic.security.acl.internal.FileRealm..
Do I need to do anything else ?
Thx
Hi Kumar,
I took a look at config.xml
Looks like you do not have an alternate realm hooked into WebLogic and that is the
source of the problem.
If you try to cast anything to CachingRealm and call methods on it, when you don't have
an alternate realm, then the cast will fail with ClassCastException.
For example, take a look at the very, very simple JSP code
<%@ page import="java.util.*,
weblogic.common.*,
javax.servlet.*,
javax.servlet.http.*,
java.io.*,
weblogic.security.*,
weblogic.security.acl.User,
weblogic.security.acl.Security,
weblogic.security.acl.Realm,
weblogic.security.acl.CachingRealm,
weblogic.security.acl.*,
java.security.acl.*,
java.security.acl.Permission,
java.security.Principal,
weblogic.html.*,
weblogic.common.internal.WLColor"
%>
<%
// Ask WebLogic for the active realm; it is only a CachingRealm when an
// alternate (pluggable) realm is configured.
response.setContentType("text/html");
BasicRealm basicRealm = Security.getRealm();
try {
    ((CachingRealm) basicRealm).clearCaches();
} catch (ClassCastException ce) {
    // With only the default file realm, getRealm() does not return a CachingRealm.
    out.println("There is a class cast.. getRealm ain't no returned a CachingRealm");
    out.println("This probably means that you don't have a pluggable realm hooked into WebLogic.");
    out.println("No pluggable Realm = no Cachingrealm!");
}
%>
This JSP will give you a class cast if you do not have some alternate realm hooked up
(LDAP, NTRealm, UnixRealm, RDBMSRealm)
But will work just fine if you do have an alternate realm hooked up.
I think that this is what you are seeing.
Hope this helps
Joe Jerry
kumar wrote:
Hi Jerry,
Thanks for your response.
I have attached my config.xml . It is a very small config.xml with all the default
configurations. Please look at it ..
Thx
Jerry <[email protected]> wrote:
Hi Kumar,
Do you have an alternate realm hooked into WebLogic (LDAP, UNIXrealm,
NTRealm,
CustomRealm)?
Thanks,
Joe Jerry
-
I've implemented a custom realm on wl6.1 sp1 which extends the LDAPv2 realm
(implementing the ManageableRealm interface) for users and groups and
delegates to a rdbms delegate for aclentry management. I read an earlier
post about revoking a permission which requires a custom realm to augment
the weblogic.security.acl.AclImpl class. My question is similar in nature.
In a situation where a positive AclEntry needs to be changed to a negative
entry, what are the requirements imposed on the custom realm implementer?
Do I need to worry about the checkPermission call on the Acl implementation?
On the AclEntry implementation? Is there a BEA recommended path similar to
that for revoking permissions?
I would also recommend that the BEA responses to the revoking permissions
post and this be included in the documentation outlining the
responsibilities for implementing a custom realm.
Thanks!
Jon
Jon Wilmoth
Software Architect
eSage Group
(206) 264-5675 (Voice & Fax)
[email protected]
http://www.esagegroup.com
Hi Jon,
Your issue should be raised with BEA support. With regard to your second issue:
"and this be included in the documentation outlining the
responsibilities for implementing a custom realm."
You should raise this as an enhancement either via the support channels or via
[email protected]
Kind Regards,
Richard Wallace.
Senior Developer Relations Engineer.
BEA Support.
-
I have been developing a custom realm for WLS5.1 and I discovered that the
weblogic classes seem to be based on JDK1.1 classes some of which
have been deprecated (e.g. java.security.Identity). I checked the docs
for WLS6.0 and it also uses the same classes.
When do you (BEA) intend to bring the weblogic security classes up
to date? JDK 1.2 has been out for a LONG time!
The WLS security group is currently looking into this.
-Nelson
-
Hello All
the reason I'm moving a post-question from JMS to this section is people there
suggested this. anyway,
when I tried to use an applet which implemented MessageListener to send message,
I got the following exception ( the port 7001 had been granted to connect, resolve
in java.policy)
javax.naming.AuthenticationException [root exception is java.lang.SecurityException:Authentication
for user admin denied in realm webogic start server side trace: java.lang.SecurityException:Authentication
for user admin denied in realm weblogic at weblogic.security.acl.Realm.authentication(Realm.java
212) at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java 233) at weblogic.security.acl.internal.Security.authenticate(Security.java
135) at weblogic.kernel.bootSevicesImp.authenticat(BootServicesImp.java 119) at
weblogic.kernel.ExecuteThread.run(ExcuteThread.java:120 ..
My Question is why servlet or swing or other application out of applet don't generate
such exceptions even most codes are similar ? How to deal with this?
Thanks
John
-
Weblogic.security.acl in Weblogic 6
I came across the following in the migration documentation
(http://edocs.bea.com/wls/docs60/notes/migrate.html#1026915):
I'm assuming that this is just a typo or wording issue but it currently
reads "weblogic.security.acl" is deprecated? Can't be the whole package.
Anyone else notice this?
Deprecated APIs and Features
The following APIs and features are deprecated in anticipation of future
removal from the product:
a.. weblogic.security.acl
b.. WebLogic Events
WebLogic Events are deprecated and should be replaced by JMS messages with
NO_ACKNOWLEDGE or MULTICAST_NO_ACKNOWLEDGE delivery modes. See Programming
WebLogic JMS for more information.
c.. WebLogic HTMLKona
d.. T3 Driver
request.getRemoteUser() still works fine for me after I implemented a custom
Authentication / LoginModule.
"patrik" <[email protected]> wrote in message
news:[email protected]..
Yes, I have. see:
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.security&item=8553&utag=
But if you've managed to get out the information from it I'd be grateful to know
how.
/Patrik
"Utpal" <[email protected]> wrote:
Have you tried weblogic.security.Security.getCurrentSubject() ??
-utpal
-
Weblogic.security.acl.DefaultRealmImpl missing
I try to implement a custom realm. I get an Exception because
weblogic.security.acl.Realm tries to use the class
weblogic.security.acl.DefaultRealmImpl which is missing. Instead the
class seems to exist in the package weblogic.security.acl.internal. Is
there a workaround out there to make the whole thing work? Or do I have
to wait for the next service pack (how long)?
Thanks, Bodo.
solved!
simply import weblogic.jar in the project
-
Weblogic.security.acl.internal.AuthenticatedSubject not resolved
Hi guys,
when I try to implement that code:
CallbackHandler handler = new URLCallbackHandler(username, password);
Subject mySubject = weblogic.security.services.Authentication.login(handler);
weblogic.servlet.security.ServletAuthentication.runAs(mySubject, request);
// Where request is the httpservletrequest object.
in my servlet I get that issue in workshop 9.2:
The type weblogic.security.acl.internal.AuthenticatedSubject cannot be resolved. It is indirectly
referenced from required .class files
Any idea??
Thanks a lot
L.
solved!
simply import weblogic.jar in the project
-
Javax.security.auth.Subject and weblogic.security.acl.User
Hello,
We are trying to move some old authentication code (Weblogic 5.1) to JAAS
which comes with Weblogic 6.1. Here is my problem:
I can successfully authenticate the Subject through my RDBMS Realm. But then, the rest of my code uses weblogic.security.acl.User
and not javax.security.auth.Subject for authorization and other tasks. So, how can I extract weblogic.security.acl.User from javax.security.auth.Subject?
I tried subject.getPrincipals(), since User indirectly implements Principal, but it comes back empty.
Any suggestions?
-
We configure a custom implementation of the JAAS
javax.security.auth.login.Configuration class for our applications security
framework in JRE_LIB/security/java.security using the entry
login.configuration.provider=com.foo.SecurityConfiguration
However, this does not seem to get picked up and the configuration provider
class instead seems to default to
weblogic.security.service.ServerConfiguration
instead.
Has anyone else seen this?
We're using the JDK bundled with Weblogic 8.1
TIA for your help
Thanks for all the posting re. this issue....
I think the way Weblogic implemented "support" for JAAS in 8.1 totally
blows. In fact, when I asked BEA support about this, they basically sent me
an email saying that "Weblogic owns the JAAS configuration" so if you have a
security framework that is application server agnostic, but leverages JAAS
then you are screwed when deploying on Weblogic 8.1.
I looked for a workaround and believe that instead of using an entry in
java.security for your custom configuration class, if you set the JVM
parameter
-Dlogin.configuration.provider=com.foo.SecurityConfiguration
then what happens is that the Weblogic custom class
weblogic.security.service.ServerConfiguration is invoked by JAAS. It tries
to load the login module configuration and if that fails, it delegates to
com.foo.SecurityConfiguration. So this should enable both the weblogic
security framework and a custom security framework that are both based on
JAAS
I'm currently testing this out
"Lloyd Fernandes" <[email protected]> wrote in message
news:[email protected]...
Robert Greig <[email protected]> wrote:
Lloyd Fernandes wrote:
"Lloyd Fernandes" <[email protected]> wrote:
As per documentation in the API JAVADOCS for javax.security.auth.login.Configuration
The default Configuration implementation can be changed by setting the value of
the "login.configuration.provider" security property (in the Java security properties
file) to the fully qualified name of the desired Configuration implementation
class. The Java security properties file is located in the file named
<JAVA_HOME>/lib/security/java.security,
where <JAVA_HOME> refers to the directory where the JDK was installed.
Have you tried to use a startup class to set the configuration provider using
javax.security.auth.login.Configuration.setConfiguration(YourConfigClass);
Weblogic probably uses this to set the configuration class to its own.
You have to consider whether this is really something you want to do
however. If you want to get WLS to use a custom authenticator use its
SSPIs. You can configure the order etc. in the admin console.
By overriding the configuration you override it for the server as a
whole which can mean for example that you cannot login to the admin
console. Having said this, from memory, I believe that the property is
ignored in WLS. However you can still call
Configuration.setConfiguration if you really want to.
The fact that there is a "global static" in the Configuration class is a
Bad Thing IMHO, that was never really designed for an app server
environment.
Robert
If it is a bad thing to have a static how come Weblogic uses it instead of the
standard way of modifying the property in java security file - it is because
weblogic wants its own way of implementing instead of using the 'pluggable
module' architecture of JAAS.
When weblogic advertised that it will support JAAS the impression was that Weblogic
would provide a login module that will implement the security mechanism it wanted
- instead it went its own way.
Also consider the following
1. JAAS specifies a mechanism for multiple configurations based on an 'application'.
This is not possible in the current 'weblogic security mechanism'
2. Weblogic says it supports JAAS but what it does not tell you is that in order
to use available login modules you have to write a whole bunch of code to support
principal validators and authenticators. (I begin to wonder if write once deploy
anywhere is not part of Sun's certification process anymore) -
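The delegation discussed in this thread (one JAAS Configuration consulted first, a second one used when the first has no entry for the application name), as an added Java example that is not WebLogic's code or any poster's code. The class name DelegatingConfiguration, the helper fixed() and the com.example login module names are hypothetical; only the javax.security.auth.login API calls are real.

```java
import java.util.Collections;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Chains two JAAS Configurations so that neither owner loses its entries. */
public class DelegatingConfiguration extends Configuration {
    private final Configuration primary;   // e.g. the container's configuration
    private final Configuration fallback;  // the application's own configuration

    public DelegatingConfiguration(Configuration primary, Configuration fallback) {
        this.primary = primary;
        this.fallback = fallback;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // Ask the primary first; a null or empty result means "no entry for this name".
        AppConfigurationEntry[] entries = primary.getAppConfigurationEntry(name);
        if (entries != null && entries.length > 0) {
            return entries;
        }
        return fallback.getAppConfigurationEntry(name);
    }

    @Override
    public void refresh() {
        primary.refresh();
        fallback.refresh();
    }

    /** Hypothetical stand-in: an in-memory Configuration with one named entry. */
    static Configuration fixed(final String appName, final String loginModuleClass) {
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                loginModuleClass,
                LoginModuleControlFlag.REQUIRED,
                Collections.<String, Object>emptyMap());
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return appName.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    public static void main(String[] args) {
        // Constructed sample data: entry names and login module classes are made up.
        Configuration container = fixed("container-realm", "com.example.ContainerLoginModule");
        Configuration application = fixed("my-app", "com.example.AppLoginModule");

        // setConfiguration replaces the single JVM-wide Configuration, which is why
        // installing only the application's own object would hide the container's entries.
        Configuration.setConfiguration(new DelegatingConfiguration(container, application));

        for (String name : new String[] { "container-realm", "my-app", "unknown" }) {
            AppConfigurationEntry[] found =
                    Configuration.getConfiguration().getAppConfigurationEntry(name);
            System.out.println(name + " -> "
                    + (found == null ? "no entry" : found[0].getLoginModuleName()));
        }
    }
}
```

Under a security manager, the setConfiguration call additionally needs AuthPermission("setLoginConfiguration"), so the code that installs the chained object should be the only code granted it.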
This looks like it might be a bug in 6.1SP5,
weblogic/kernel/Kernel.java at line 85.
It's trying to do the right thing to ignore an exception if in
an applet but it's ignoring the wrong exception
(SecurityException, when it looks like the stack
trace is throwing a java.security.AccessControlException).
If you need a fix, this would need to go through support
and be filed as a problem with WLS Core.
"Ram Gopal" <[email protected]> wrote in message
news:[email protected]...
> We are in the process of migrating from Weblogic 6.1 SP2 to SP5. We have an applet
> that subscribes to a JMS Topic.
> The applet is throwing the following exception with SP5:
>
> java.lang.ExceptionInInitializerError: java.security.AccessControlException: access
> denied (java.util.PropertyPermission weblogic.kernel.allowQueueThrottling read)
> at java.security.AccessControlContext.checkPermission(Unknown Source)
> at java.security.AccessController.checkPermission(Unknown Source)
> at java.lang.SecurityManager.checkPermission(Unknown Source)
> at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
> at java.lang.System.getProperty(Unknown Source)
> at weblogic.kernel.Kernel.initAllowThrottleProp(Kernel.java:79)
> at weblogic.kernel.Kernel.<clinit>(Kernel.java:54)
> at weblogic.jndi.WLInitialContextFactoryDelegate.<init>(WLInitialContextFactoryDelegate.java:166)
> at java.lang.Class.newInstance0(Native Method)
> at java.lang.Class.newInstance(Unknown Source)
> at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:147)
> at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
> at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
> at javax.naming.InitialContext.init(Unknown Source)
> at javax.naming.InitialContext.<init>(Unknown Source)
> at com.fedex.efm.frontend.model.JMSMessageProcessor.<init>(JMSMessageProcessor.java:266)
> at com.fedex.efm.frontend.view.EFMAbstractApplet.startMessageProcessor(EFMAbstractApplet.java:81)
> at com.fedex.efm.frontend.view.EFMAbstractApplet.start(EFMAbstractApplet.java:187)
> at com.fedex.efm.frontend.view.EFMApplet.start(EFMApplet.java:430)
> at sun.applet.AppletPanel.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
>
> Any ideas as to what I am missing?
>
> Thanks,
> Ram
I suggest going through customer support, I don't know what
the resolution was. You might also try the security newsgroup,
as no JMS code has been called by the application yet at
the point the exception is thrown.
Tom
lee wrote:
> All:
> We are upgrading weblogic 6.0 to weblogic 6.1 and encountered exactly the same error. Just wondering if you guys were able to fix the issue with bea.
>
> Your response is highly appreciated.
>
> Thanks!
>
> Li
-
We are in the process of migrating from Weblogic 6.1 SP2 to SP5. We have an applet
that
subscribes to a JMS Topic. The applet is throwing the following exception with
SP5:
java.lang.ExceptionInInitializerError: java.security.AccessControlException: access
denied
(java.util.PropertyPermission weblogic.kernel.allowQueueThrottling read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at weblogic.kernel.Kernel.initAllowThrottleProp(Kernel.java:79)
at weblogic.kernel.Kernel.<clinit>(Kernel.java:54)
at weblogic.jndi.WLInitialContextFactoryDelegate.<init>(WLInitialContextFactoryDelegate.java:166)
at java.lang.Class.newInstance0(Native Method)
at java.lang.Class.newInstance(Unknown Source)
at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:147)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at com.fedex.efm.frontend.model.JMSMessageProcessor.<init>(JMSMessageProcessor.java:266)
at com.fedex.efm.frontend.view.EFMAbstractApplet.startMessageProcessor(EFMAbstractApplet.java:81)
at com.fedex.efm.frontend.view.EFMAbstractApplet.start(EFMAbstractApplet.java:187)
at com.fedex.efm.frontend.view.EFMApplet.start(EFMApplet.java:430)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Any ideas as to what I am missing?
Thanks,
Ram
Prasad,
It's one thing not to have to modify the security policy on the server,
but on a client and applets have even bigger restrictions this might
very well be the only way since the default applet restrictions would
not allow a lot of permissions granted by default for normal Java
applications.
Dejan
Prasad Peddada wrote:
Deyan D. Bektchiev wrote:
Ram,
You are missing a permission grant in your policy file and the
SecurityManager doesn't allow the code to read that property.
You have either configured a different security manager or have the
wrong file in use.
For applets this file might be in the user's home directory and named
.java.policy
you need to have the following line somewhere in it:
grant {
permission java.util.PropertyPermission "*", "read,write";
};
Which will allow any applet to read and write any JVM property.
Look at Java permissions if you need more info:
http://java.sun.com/j2se/1.3/docs/guide/security/permissions.html
--dejan
This is a WLS bug. You shouldn't have to modify security policy.
Please approach support for a fix.
Cheers,
-- Prasad
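How far the grant quoted in this thread reaches beyond the one property lookup that failed, as an added Java example that is not code from any poster or from WebLogic. The class name PropertyGrantAudit, the sample policy text and the two unrelated probe properties are constructed for illustration; the check itself uses the real java.util.PropertyPermission.implies() logic.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.PropertyPermission;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Reports, for each PropertyPermission grant in a policy text, what it covers. */
public class PropertyGrantAudit {
    // Matches: permission java.util.PropertyPermission "name", "actions";
    private static final Pattern GRANT = Pattern.compile(
            "permission\\s+java\\.util\\.PropertyPermission\\s+\"([^\"]+)\"\\s*,\\s*\"([^\"]+)\"\\s*;");

    static List<String> audit(String policy, PropertyPermission needed,
                              List<PropertyPermission> unrelated) {
        List<String> report = new ArrayList<>();
        Matcher m = GRANT.matcher(policy);
        while (m.find()) {
            PropertyPermission grant = new PropertyPermission(m.group(1), m.group(2));
            String label = "\"" + grant.getName() + "\", \"" + grant.getActions() + "\"";
            if (!grant.implies(needed)) {
                report.add(label + ": does not cover the failing lookup");
                continue;
            }
            // Anything implied here is access the applet never asked for.
            List<String> extra = new ArrayList<>();
            for (PropertyPermission probe : unrelated) {
                if (grant.implies(probe)) {
                    extra.add(probe.getActions() + " " + probe.getName());
                }
            }
            report.add(label + (extra.isEmpty()
                    ? ": covers the failing lookup and nothing else probed"
                    : ": covers the failing lookup, and also allows " + extra));
        }
        return report;
    }

    public static void main(String[] args) {
        // Constructed policy text: the grant from the thread, then a narrower alternative.
        String policy = String.join("\n",
                "grant {",
                "  permission java.util.PropertyPermission \"*\", \"read,write\";",
                "};",
                "grant {",
                "  permission java.util.PropertyPermission"
                        + " \"weblogic.kernel.allowQueueThrottling\", \"read\";",
                "};");

        // The permission named in the AccessControlException from the stack trace.
        PropertyPermission needed =
                new PropertyPermission("weblogic.kernel.allowQueueThrottling", "read");

        // Constructed probes: properties unrelated to the failing lookup.
        List<PropertyPermission> unrelated = Arrays.asList(
                new PropertyPermission("user.home", "read"),
                new PropertyPermission("user.dir", "write"));

        for (String line : audit(policy, needed, unrelated)) {
            System.out.println(line);
        }
    }
}
```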