WebLogic/Metro interop policy assertions
Hi,
I'm merging Glassfish-Metro WS-policies into the WebLogic 10.3.1 server as part of a migration project. I call the web services with a Metro 2.0.1 client to verify that everything still works in WLS.
My original policies contain the following assertions:
<sp:RequireIssuerSerialReference />
<sp:RequireDerivedKeys />However, when I call my web services with the original policies, WLS responds with:
<?xml version='1.0' encoding='UTF-8'?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>Error on verifying message against security policy Error code:3000</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>When I remove the assertions mentioned above everything works.
Q: What impact does it have on the security of our web services to remove the assertions mentioned above?
Our original policy is pasted below.
Thanks,
Bas
X-post: http://forums.java.net/jive/thread.jspa?threadID=154128
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:tcp="http://java.sun.com/xml/ns/wsit/2006/09/policy/soaptcp/service"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsam:Addressing wsp:Optional="false" />
<tcp:OptimizedTCPTransport enabled="true" />
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="AckRequested"
Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="SequenceAcknowledgement"
Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="Sequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="CreateSequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
</sp:SignedParts>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
<sp:RequireDerivedKeys />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
<sp:RequireDerivedKeys />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
</wsp:Policy>
Answered on java.net forurm: http://forums.java.net/jive/thread.jspa?threadID=154128
Similar Messages
-
Workshop 10.3 generated WSDL does not conatain policy assertions
when I use a WS-RM policy in my JWS the workshop generated WSDL (right-click gen WSDL) does not conatain these assertions.
bug? is documented somewhere?Yes of course the policy is located with the jws.
For the the mtom, it does not work for WLS 9.2 target.
your sign example does not work because it is missing the policy: so if I change it to
@Policy(uri="policy:sign-policy.xml") and try then
I cannot see any Policy assertions in the WSDL.
if I try with
@Policy(uri="policy:sign-policy.xml",attachToWsdl=true)
I get:
attachToWsdl can not be set to true for policy "policy:sign-policy".
see my other posting for this.
Again it does not even work with the WS-RM example provided with WLS92
maybe it is related to the WLS version?? -
Weblogic SSO with Negotiate Asserter to AD Windows2003
Hi
Im making the configuration of the SPNEGO negotiate asserter of Weblogic 11gR1 to enable SSO in Windows clients without the need of entering credentials. I went through the steps of the Securing Oracle WebLogic Server guide, http://download.oracle.com/docs/cd/E21764_01/web.1111/e13707/sso.htm#i1102003 , but so far no success, also i followed this post http://wlsjavatips.blogspot.com/2011/06/configuring-wls-for-sso-using-kerberos.html
I have created the user wlshost to identify weblogic in AD, created the keytab using ktpass windows server 2003 utility, verified with setspn -L:
C:\Documents and Settings\Administrador\Escritorio>ktpass -princ HTTP/wlshost@MY
TEST.COM -pass Admin123 -mapuser wlshost -mapOp set -DesOnly -crypto DES-CBC-CRC
-pType KRB5_NT_PRINCIPAL -setPass -out wlshost.keytab
Targeting domain controller: kdcserver.mytest.com
Using legacy password setting method
Successfully mapped HTTP/wlshost to wlshost.
WARNING: The Key version used by Windows (-1) is too big
to be encoded in a keytab without truncating it to 255.
This is due to a limitation of the keytab file format
and may lead to interoperability issues.
Do you want to proceed and truncate the version number [y/n]? y
Key created.
Output keytab to wlshost.keytab:
Keytab version: 0x502
keysize 50 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x1
(DES-CBC-CRC) keylength 8 (0xb9622f7c49762515)
C:\Documents and Settings\Administrador\Escritorio>setspn -L wlshost
Registered ServicePrincipalNames for CN=wlshost,CN=Users,DC=mytest,DC=com:
HTTP/wlshost
I created the user "user" for the client which is on windows XP running IE 7. I verified all Internet options as the guide says.
Copied the keytab to the Linux OEL 5 server where weblogic 11gR1 is installed and tested with:
[oracle@wlshost ~]$ kinit -V -k -t /home/oracle/wlshost.keytab HTTP/[email protected]
Authenticated to Kerberos v5
[oracle@wlshost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_54321
Default principal: HTTP/[email protected]
Valid starting Expires Service principal
11/22/11 11:12:54 11/22/11 11:22:54 krbtgt/[email protected]
Kerberos 4 ticket cache: /tmp/tkt54321
klist: You have no tickets cached
[oracle@wlshost ~]$
This is the jaas.login file:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/[email protected]" useKeyTab="true"
keyTab="/home/oracle/wlshost.keytab" storeKey="true" useTicketCache="true" doNotPrompt="true" debug="true";
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/[email protected]" useKeyTab="true"
keyTab="/home/oracle/wlshost.keytab" storeKey="true" useTicketCache="true" doNotPrompt="true" debug="true";
This is the krb5.conf, located in /etc/ :
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYTEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
forwardable = yes
[realms]
MYTEST.COM = {
kdc = 10.0.2.15:88
admin_server = kdcserver
default_domain = MYTEST.COM
[domain_realm]
.mytest.com = MYTEST.COM
mytest.com = MYTEST.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
I put this arguments in the server start tab, arguments field, on weblogic admin console:
-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=/home/oracle/Oracle/Middleware/user_projects/domains/testdom/jaas.login -Djava.security.krb5.realm=MYTEST.COM -Djava.security.krb5.kdc=kdcserver -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true
This is the output of the log file:
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174434> <BEA-000000> < Header: Referer : http://wlshost:7001/BasicSecureApp2/>
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174436> <BEA-000000> <Negotiate filter: new session, no negotiation has started>
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174568> <BEA-000000> < Header: Cookie : JSESSIONID=n0N4TLJpcTJ5yPnJ5NvGFBss8qzp5WMP2GtWQ8RRJVvPTMQw6nKc!464000287>
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174568> <BEA-000000> < Header: Authorization : Negotiate YIIEkAYGKwYBBQUCoIIEhDCCBICgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBFYEggRSYIIETgYJKoZIhvcSAQICAQBuggQ9MIIEOaADAgEFoQMCAQ6iBwMFACAAAACjggNxYYIDbTCCA2mgAwIBBaEMGwpNWVRFU1QuQ09NohowGKADAgECoREwDxsESFRUUBsHd2xzaG9zdKOCAzYwggMyoAMCAQOhAwIBBKKCAyQEggMgVlRx4QjpWItkCIzJGtOxmQHOCMtDhe2SvVofXst+hs0/FOCGnztFc/+c1nXIoHXdnomWoWsn5gfGwWbtIUFW2vnK1YYRbdxRUz6LGnH7Gu3NLXV1jf/uC+eLO/NnllDnJmS6H4AiFWqKuQ6Q0/VG+MlcD4l+eoGkOgbZ1XMJtfvvkRop9MDeqFkpC9w8ZTPxe/Y2AuOL26NlnejfD5G8ZrpGYz5qrKD1odkxuXE96taCVB1nIL9w3xMLXtn6v01OsY17QPo5JRpLi7vx6hrr8CNYkoM5z4Aq9CZi9x3AEyUsofA6YlY90T52U39No7Qk/GGkuPzrZKg6Ic8UDrvadgky+XhbeNDJ1yhWPp7tgztRxVh3zuImS0yzamoqYYj1cUyVkdbw7oXWVBkua6vVD5ZxWxIwH5QdHZoIjHEnpq0eemFc2A481rKy2IRAb9XlXq0uERqJAbIPPoZ7zuKht8lv/0KrD9T/N6HmxmR+SwWJgv8hAb0DB/vPqOJXAI7qM0paj086JQA6mGNw4l9U82rSkVxdKLAM0m1DhTZ7QrODeTimvFZiVbkbKMVhxZXlvTUQ1WEri2Mqij6n/85wH7dkMjh+fQK/q5zf3cdN8v7OM6LCVtEV3GRztxczn+QR6JPKU8q5tX9Zv28dCHRtyYgJY2Zh+2ntm6y0buLpEnrQ7a8okmyH2h43eEnbK1OWb5IaeOWqznmIPuM+b21NDRFdsn67NBVvKnPP9SzfAPtzWTKU6aXqh0Q2FBFRuKcnxMQxwV9cOsboeyl7O8rTN/5APTdKTaZxczHYk9S1IuQelXtxEnR7lXcU1Gw5gz+GU/kk7sBA+wpPtqBuPAOMVnkEs8xOKLACjV7pz9rIwjWKxEWY+NzievOt4ivGi2S2E/QYs6rUPioc8SXvOsVZrVRjTetn3pRJftlFQVGzs2MVJYuja/98KABMDPlMe6G0HBBRbv9r1Aq2iFK5d4Cq8mXWIbu7GvBoFJ6cq5subjSTcGWcUPlTRugrcOnDByjlbDp5OosusQLFwqhg9x8XFlXojpkFcoxzzrWTGfc6jVWkga4wgaugAwIBA6KBowSBoHMwCgxl/R8+X/kx7Bh/fkNyNMg2c/2RWVUZpFFgkPx+Wv2PRIdbPBbwiN4VOuDWTDZUOiu3lpEB2EZBGZ6GRxccFUiJWPegNYgDKjShJZbbyD3VqJ+026aGjsTSbzSVLiEaUqjm6Y3WmDaae3x34gMlwCIEJ+hwN3fZRWBhgToToQAaCdNyQzdugnzs6FSLnEZ42F2JVhM7WvfIAf2g7Pc=>
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174569> <BEA-000000> < processing header: Negotiate YIIEkAYGKwYBBQUCoIIEhDCCBICgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBFYEggRSYIIETgYJKoZIhvcSAQICAQBuggQ9MIIEOaADAgEFoQMCAQ6iBwMFACAAAACjggNxYYIDbTCCA2mgAwIBBaEMGwpNWVRFU1QuQ09NohowGKADAgECoREwDxsESFRUUBsHd2xzaG9zdKOCAzYwggMyoAMCAQOhAwIBBKKCAyQEggMgVlRx4QjpWItkCIzJGtOxmQHOCMtDhe2SvVofXst+hs0/FOCGnztFc/+c1nXIoHXdnomWoWsn5gfGwWbtIUFW2vnK1YYRbdxRUz6LGnH7Gu3NLXV1jf/uC+eLO/NnllDnJmS6H4AiFWqKuQ6Q0/VG+MlcD4l+eoGkOgbZ1XMJtfvvkRop9MDeqFkpC9w8ZTPxe/Y2AuOL26NlnejfD5G8ZrpGYz5qrKD1odkxuXE96taCVB1nIL9w3xMLXtn6v01OsY17QPo5JRpLi7vx6hrr8CNYkoM5z4Aq9CZi9x3AEyUsofA6YlY90T52U39No7Qk/GGkuPzrZKg6Ic8UDrvadgky+XhbeNDJ1yhWPp7tgztRxVh3zuImS0yzamoqYYj1cUyVkdbw7oXWVBkua6vVD5ZxWxIwH5QdHZoIjHEnpq0eemFc2A481rKy2IRAb9XlXq0uERqJAbIPPoZ7zuKht8lv/0KrD9T/N6HmxmR+SwWJgv8hAb0DB/vPqOJXAI7qM0paj086JQA6mGNw4l9U82rSkVxdKLAM0m1DhTZ7QrODeTimvFZiVbkbKMVhxZXlvTUQ1WEri2Mqij6n/85wH7dkMjh+fQK/q5zf3cdN8v7OM6LCVtEV3GRztxczn+QR6JPKU8q5tX9Zv28dCHRtyYgJY2Zh+2ntm6y0buLpEnrQ7a8okmyH2h43eEnbK1OWb5IaeOWqznmIPuM+b21NDRFdsn67NBVvKnPP9SzfAPtzWTKU6aXqh0Q2FBFRuKcnxMQxwV9cOsboeyl7O8rTN/5APTdKTaZxczHYk9S1IuQelXtxEnR7lXcU1Gw5gz+GU/kk7sBA+wpPtqBuPAOMVnkEs8xOKLACjV7pz9rIwjWKxEWY+NzievOt4ivGi2S2E/QYs6rUPioc8SXvOsVZrVRjTetn3pRJftlFQVGzs2MVJYuja/98KABMDPlMe6G0HBBRbv9r1Aq2iFK5d4Cq8mXWIbu7GvBoFJ6cq5subjSTcGWcUPlTRugrcOnDByjlbDp5OosusQLFwqhg9x8XFlXojpkFcoxzzrWTGfc6jVWkga4wgaugAwIBA6KBowSBoHMwCgxl/R8+X/kx7Bh/fkNyNMg2c/2RWVUZpFFgkPx+Wv2PRIdbPBbwiN4VOuDWTDZUOiu3lpEB2EZBGZ6GRxccFUiJWPegNYgDKjShJZbbyD3VqJ+026aGjsTSbzSVLiEaUqjm6Y3WmDaae3x34gMlwCIEJ+hwN3fZRWBhgToToQAaCdNyQzdugnzs6FSLnEZ42F2JVhM7WvfIAf2g7Pc=>
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174609> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO static oid 0: 0606 2b06 0105 0502 ..+.....
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174735> <BEA-000000> <GSSExceptionInfo:>
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174735> <BEA-000000> < major: (13) : No valid credentials provided>
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174735> <BEA-000000> < minor: (-1) : Failed to find any Kerberos Key>
####<Nov 22, 2011 11:09:34 AM COT> <Debug> <SecurityAtn> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321978174739> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:227)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:224)
Caused By: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:95)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:183)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:301)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:252)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:227)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:224)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:153)
at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:59)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)
at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:130)
This is what the user sees:
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46)....
Please any help or tip is welcome, i been stuck on this almost a month and i do not find any hint of whats going on. Thanks in advance.
Edited by: carlos.herrera on 25/11/2011 11:31 AMHi, i did a tweak to the debug to see more, im getting this caused by message after invalid creds message:
Caused By: javax.security.auth.login.LoginException: Null Server Key
at com.sun.security.auth.module.Krb5LoginModule.commit(Krb5LoginModule.java:965)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:707)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:576)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:183)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:301)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:252)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:227)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at $Proxy31.process(Unknown Source)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterServletAuthenticationFilter.doFilter(NegotiateIdentityAsserterServletAuthentica
tionFilter.java:34)
at weblogic.servlet.security.internal.AuthFilterChain.doFilter(AuthFilterChain.java:38)
at weblogic.servlet.security.internal.SecurityModule$ServletAuthenticationFilterAction.run(SecurityModule.java:645)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.security.internal.SecurityModule.invokeAuthFilterChain(SecurityModule.java:534)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:98)
at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:121)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2213)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Any ideas? Thanks in advance -
WebLogic with WebSphere MQ as an XA resource
I have been using WebLogic MDBs with WebSphere MQ as an external JMS provider. We just bought MQ Extended Client that would let external transaction managers do XA management with MQ. I have looked at IBM's document @
http://publibfp.boulder.ibm.com/epubs/pdf/csqzar00.pdf. This document indicates that Weblogic cannot be used to do XA with MQ; only three txn managers are mentioned - CICS, Encina, and Tuxedo.
I don't believe that to be true because it says that it can be used with any XA compliant transaction manager. Is anyone aware of documents showing how to configure a WebLogic server (expecially MDBs) to use MQ extended client to do XA?WL is an XA compliant TM, and many customers use it with MQ. For more information, you can start with this FAQ:
http://e-docs.bea.com/wls/docs81/faq/interop.html#268632
Also see the notes I've appended below.
Finally, you can search this newsgroup - you will see that your question comes up quite a bit.
Tom, BEA
JMS Integration of Foreign Vendors with BEA WebLogic Server
The following notes are derived mostly from "http://dev2dev.bea.com/technologies/jms/index.jsp".
For additional questions, a good forum for WebLogic questions in general is "newsgroups.bea.com". These can be mined for information by using Google's newsgroup search function.
JMS Integration Overview
- For integration with "non-Java" and/or "non-JMS" platforms, see "Non-Java Integration Options" below.
- For a foreign JMS vendor to participate in a WL transaction it must support XA. Specifically, it must support the javax.jms.XA* interfaces.
- In WL versions 6.0 and up it is possible to make synchronous calls to foreign JMS vendors participate in a WL transaction as long as the foreign vendor supports XA.
- WL 6.0 and 6.1 MDBs can be driven by foreign vendors non-transactionally. They can be driven transactionally by a select few foreign vendors (MQ is not part of the select few)
- WL 7.0 and later, MDBs can be driven by foreign vendors transactionally and non-transationally.
- WL 6.1 and later WL provides a messaging bridge feature. Messaging bridges forward messages between any two JMS destinations, including foreign destinations, and can transfer messages transactionally or non-transactionally.
- WL 8.1 JMS provides additional features that simplify transactional and JNDI integration of foreign vendors. See http://edocs.bea.com/wls/docs81/jms/intro.html#jms_features
Integration with 8.1 Details
A good overview of 8.1 JMS interop capability is the presentation "Integrating Foreign JMS Providers with BEA WebLogic Server" here:
http://www.bea.com/content/files/eworld/presentations/Wed_03_05_03/Application_Servers/1097-Foreign_JMS_Providers_WLS.pdf
This document refers to helpful new 8.1 features, which simplify integration. These include:
http://edocs.bea.com/wls/docs81/ConsoleHelp/jms_config.html#accessing_foreign_providers
http://edocs.bea.com/wls/docs81/jms/j2ee_components.html#1033768
And are also summarized here (under interoperability):
http://edocs.bea.com/wls/docs81/jms/intro.html#jms_features
Also read the MDB documentation, which extensively covers integrating foreign vendors:
http://edocs.bea.com/wls/docs81/ejb/message_beans.html
The 8.1 features are likely sufficient for most 8.1 integration needs, and you may not need to refer "Using Foreign JMS Providers With WLS" white-paper mentioned below.
Integration with 6.1 and 7.0 Details
Read the "Using Foreign JMS Providers With WLS" white-paper:
http://dev2dev.bea.com/products/wlserver/whitepapers/jmsproviders.jsp
Note that this white-paper does not take into account 8.1 features.
For 7.0 read the extensive 8.1 MDB documentation, which largely also applies to 7.0:
http://edocs.bea.com/wls/docs81/ejb/message_beans.html
Non-Java Integration Options
- WL JMS has a JNI based C client which is available for Windows and some UNIX platforms. This C client supports 7.0 and up, and will be officially packaged with WLS in 9.0 (virtually unchanged). The C API is currently only supported through the jms newsgroup. See "JMS C API", here:
http://dev2dev.bea.com/technologies/jms/index.jsp
- WL supports direct Windows COM access through its "JCOM" feature. This doesn't include the JMS API, but one can invoke EJBs which in turn invoke JMS. See
http://e-docs.bea.com/wls/docs61/jcom.html
http://e-docs.bea.com/wls/docs70/jcom/
http://e-docs.bea.com/wls/docs81/jcom/
- Similar to JCOM, but more advanced, WL supports IIOP standard based access on multiple platforms. You can use the BEA Tuxedo C client for this purpose (no license fee). This doesn't include the JMS API, but one can invoke EJBs which in turn invoke JMS. See
http://e-docs.bea.com/wls/docs81/rmi_iiop/
http://e-docs.bea.com/wls/docs70/rmi_iiop/
http://e-docs.bea.com/wls/docs61/rmi_iiop/
Unlike most other approaches, the IIOP client approach also allows the client to begin and commit user (JTA) transactions (not configured).
- If you already have a BEA Tuxedo license, one option is communicate through BEA Tuxedo (which has various APIs on Windows) and configure a WebLogic Server to respond to these requests via the WTC bridge. Search for "WTC" in the BEA docs. Unlike most other approaches, the Tuxedo API approach also allows the client to begin and commit user (JTA) transactions.
- Another approach is to interop via web-service standards. Or even to simply to invoke a servlet on the WL server using a basic HTTP call from Windows. These in turn can invoke the JMS API. There is a white-paper on "Interoperability Study of BEA WebLogic Workshop 8.1 and Microsoft .NET 1.1 Web Services", that demonstrates web-services here:
http://ftpna2.bea.com/pub/downloads/WebLogic-DotNet-Interop.pdf
- Yet another approach is to use a third party product that is designed to wrap any JMS vendor. There are even open source versions. In no particular order, here are some examples: Open3 WinJMS, CodeMesh, Active JMS, SpiritSoft
- Finally, there are .NET/C/C++ integration libraries that not specific to JMS, some examples are JNBridge, Jace, and CodeMesh.
Notes on MQ Remote Capable XA Clients
Until recently, IBM MQ JMS clients could not work transactionally unless they were running on the same host as their MQ server. This is a limitation unique to MQ that was relaxed with the introduction of IBM's new "WebSphere MQ Extended Transactional Client". See:
http://publibfp.boulder.ibm.com/epubs/pdf/csqzar00.pdf
The product is new, and for some reason, configuration of this client seems to be tricky, even when WebLogic is not involved at all. Oddly, the main sticking point seems to be simply making sure that class paths refer to the required IBM jars:
- Required on WLS where MQ objects are bound into JNDI:
com.ibm.mq.jar, com.ibm.mqjms.jar
- Required only if MQ objects are bound into JNDI on a different server:
com.ibm.mq.jar
If there are problems when using this client, first get it to work using a pure IBM client without any BEA classes involved. Once that is working, search the WL JMS newsgroup for answers and/or contact BEA customer support.
Notes on Oracle AQ Integration
If problems are encountered integrating Oracle's built-in queuing (Oracle AQ) JMS client, there is publicly available wrapper code that can aid integrating AQ directly into MDBs, JMS, or the messaging bridge. The solution is titled "Startup class to bind AQ/Referenceable objects to WLS JNDI", is not supported by BEA, and is posted to:
http://dev2dev.bea.com/codelibrary/code/startupclass.jsp
Caveats:
The solution doesn't directly support concurrent consumers. Perhaps Oracle requires that concurrent consumers each have a unique JMS connection? As a work-around, parallel message processing can be achieved indirectly by forwarding AQ messages into a WL JMS destination - which do support concurrent processing.
Up-to-date versions of Oracle may be required. For more information, google search the weblogic.developer.interest.jms newsgroup for "Oracle" and "AQ".
The solution doesn't seem to support transactions, it may be possible to extend it to do so.
MDB Thread Pool Notes
WL7.0SP? and WL8.1 and later support the "dispatch-policy" field to specify which thread pool an MDB uses to run its instances. In most cases this field should be configured to help address potential performance issues and/or dead-locks:
http://edocs.bea.com/wls/docs81/ejb/DDreference-ejb-jar.html#dispatch-policy
(Note that "dispatch-policy" is ignored for non-transactional foreign vendors; in this case, the MDB "onMessage" callback runs in the foreign vendor's thread.)
MDB Concurrency Notes
Queue MDBs driven by foreign providers can run multiple instances concurrently. Topic MDBs driven by foreign providers are limited to one instance (not sure, but transactional foreign driven topic MDBs may not have this limitation). The size of the thread pool that the MDB runs in and the "max-beans-in-free-pool" descriptor limit how many instances run concurrently.
Design Guide-Lines and Performance Tuning Notes
The "WebLogic JMS Performance Guide" white-paper contains detailed design, performance, and tuning information for Clustering, Messaging Bridge, JMS, and MDBs.
http://dev2dev.bea.com/products/wlserver/whitepapers/WL_JMS_Perform_GD.jsp -
MQ/WebLogic Topology and Architecture
I am new to MQ and am trying to get my head around a couple of basic "big
picture" things; I'll explain what I think is going on and hopefully someone
will jump in when I'm off in the weeds. I need to do is integrate a J2EE
application with a legacy MQ system and as you might expect, I cannot alter
that system, I must accommodate it (which J2EE is designed to do).
MQ is designed to be distributed; the idea that you'll install an MQ Server
on every Application Server machines seems like a special case. In my case,
it's academic.
First MQ itself:
There appears to be some internal and proprietary things MQ needs to do for
efficiency and possibly historical reasons. To achieve that, you must install
an MQ Client on each machine so that access appears to be local for Applications
that talk to MQ. I have written some code that talks directly to the server
using some of the Client libraries and I was able to send but could not get
messages off the queue; I found some documentation that said that this would
be the case in some circumstances. I suspect that the reason for this is
that I may have not used the "correct" client libraries since I found some
example code that doesn't yet run (we can ignore that for now).
The Client install does give you Java classes that provide connectivity and
it implies JMS support but in what form, since the classes appear to use
proprietary code?
Does the Client have the ability to run as a JMS Server that appears to be
a local JMS nexus that I can talk to with standard JNDI lookups?
WebLogic J2EE Integration:
The ultimate goal here is to integrate an existing MQ installation so I can
send and recieve from a J2EE Application I am working on.
I have been reading that there's at least three different ways to make this
connection.
1) Roll your own using the proprietary lib clients in a startup class
2) Using WebLogic's Bridge technology
3) Use WebLogic's Foreign Destination configuration.
Detailed questions below by item number:
1) -> I understand that directly using IBM's client libraries is supposed
to function the same as running the Client locally, that doesn't sound like
it would give the scalability of pooling and that solution won't route to
drive MDBs.
2) -> A lot of posts state that for WL/MQ integration this is not necessary.
I don't know a lot about the specifics of what I will need to do to talk
to this other system yet, I am just trying to get my head around the general
cases.
3) -> This is the most appealing to me since it sounds like it is a matter
of using the WL console to set up the JMS destination once I have the correct
libraries in the server's classpath. It would seem that the JMS queues look
like they are local, I can drive MDBs from this with all the manageability
built in. However, does the server use the same provider factory class as
I would in my own code or are there special considerations?
Comments and pointing to specific reading encouraged (don't just say, to
read the 677 page Java MQ docs).
ThanksWow! All I can say is "Thanks", it's gonna take we a while to get through
all this but I do appreciate the help. I tried to get the Client stuff installed
on my Linux dev box but it's not clear which rpms are needed and some complained
because I am still running RH7.3. I am in the process of moving to a supported
platform RHEL3.x or above... stay tuned.
Hello Tom,
> Hi!
>
> If you haven't already done it, the best place to start is to read
> through the entire "Integrating Remote JMS Providers" FAQ:
>
> http://e-docs.bea.com/wls/docs81/faq/interop.html
>
> I'm also appending my own integration notes which mention MQ (and
> which you may have already run across). I update these notes from
> time to time. Enjoy!
>
> Tom, BEA
>
> JMS Integration of Foreign Vendors with BEA WebLogic Server
> -----------------------------------------------------------
>
> The following notes are derived mostly from
> "http://dev2dev.bea.com/technologies/jms/index.jsp".
>
> For additional questions, a good forum for WebLogic questions in
> general is "newsgroups.bea.com". These can be mined for information by
> using Google's newsgroup search function.
>
> JMS Integration Overview
> ------------------------
> - For integration with "non-Java" and/or "non-JMS" platforms, see
> "Non-Java Integration Options" below.
>
> - For a foreign JMS vendor to participate in a WL transaction it must
> support XA. Specifically, it must support the javax.jms.XA*
> interfaces.
>
> - In WL versions 6.0 and up it is possible to make synchronous calls
> to foreign JMS vendors participate in a WL transaction as long as the
> foreign vendor supports XA.
>
> - WL 6.0 and 6.1 MDBs can be driven by foreign vendors
> non-transactionally. They can be driven transactionally by a select
> few foreign vendors (MQ is not part of the select few)
>
> - WL 7.0 and later, MDBs can be driven by foreign vendors
> transactionally and non-transationally.
>
> - WL 6.1 and later WL provides a messaging bridge feature. Messaging
> bridges forward messages between any two JMS destinations, including
> foreign destinations, and can transfer messages transactionally or
> non-transactionally.
>
> - WL 8.1 JMS provides additional features that simplify transactional
> and JNDI integration of foreign vendors. See
> http://edocs.bea.com/wls/docs81/jms/intro.html#jms_features and
> http://e-docs.bea.com/wls/docs81/faq/interop.html
>
> Integration with 8.1 Details
> ----------------------------
> To start, first read the "Integrating Remote JMS Providers FAQ"
> (released in Dec 2004) at:
> http://e-docs.bea.com/wls/docs81/faq/interop.html
>
> A good overview of 8.1 JMS interop capability is the presentation
> "Integrating Foreign JMS Providers with BEA WebLogic Server" here:
>
> http://www.bea.com/content/files/eworld/presentations/Wed_03_05_03/App
> lication_Servers/1097-Foreign_JMS_Providers_WLS.pdf
>
> This document refers to helpful new 8.1 features, which simplify
> integration. These include:
> http://edocs.bea.com/wls/docs81/ConsoleHelp/jms_config.html#accessing_
> foreign_providers
> http://edocs.bea.com/wls/docs81/jms/j2ee_components.html#1033768
> And are also summarized here (under interoperability):
> http://edocs.bea.com/wls/docs81/jms/intro.html#jms_features
> Also read the MDB documentation, which extensively covers integrating
> foreign vendors:
>
> http://edocs.bea.com/wls/docs81/ejb/message_beans.html
>
> The 8.1 features are likely sufficient for most 8.1 integration needs,
> but you may want to refer to the "Using Foreign JMS Providers With
> WLS" white-paper mentioned below, which is 7.0 specific but contains
> specific examples of configuring non-WebLogic JMS vendors. See also
> notes on "MQ" below.
>
> Integration with 6.1 and 7.0 Details
> ------------------------------------
> Read the "Using Foreign JMS Providers With WLS" white-paper:
>
> http://dev2dev.bea.com/products/wlserver/whitepapers/jmsproviders.jsp
>
> Note that this white-paper does not take into account 8.1 features.
>
> For 7.0 read the extensive 8.1 MDB documentation, which largely also
> applies to 7.0:
>
> http://edocs.bea.com/wls/docs81/ejb/message_beans.html
>
> Non-Java Integration Options
> ----------------------------
> - WL JMS has a JNI based C client which is available for Windows and
> some UNIX platforms. This C client supports 7.0 and up, and will be
> officially packaged with WLS in 9.0 (virtually unchanged). The C API
> is currently only supported through the jms newsgroup. See "JMS C
> API", here:
>
> http://dev2dev.bea.com/technologies/jms/index.jsp
>
> - WL supports direct Windows COM access through its "JCOM" feature.
> This doesn't include the JMS API, but one can invoke EJBs which in
> turn invoke JMS. See
>
> http://e-docs.bea.com/wls/docs61/jcom.html
>
> http://e-docs.bea.com/wls/docs70/jcom/
>
> http://e-docs.bea.com/wls/docs81/jcom/
>
> - Similar to JCOM, but more advanced and supported on more platforms,
> WL supports access via the standard IIOP protocol. You can use the
> BEA Tuxedo C client for this purpose (no license fee). This doesn't
> include the JMS API, but one can invoke EJBs which in turn invoke JMS.
> See
> http://e-docs.bea.com/wls/docs81/rmi_iiop/
> http://e-docs.bea.com/wls/docs70/rmi_iiop/
> http://e-docs.bea.com/wls/docs61/rmi_iiop/
> Unlike most other approaches, the IIOP client approach also allows the
> client to begin and commit user (JTA) transactions (not configured).
> - If you already have a BEA Tuxedo license, one option is communicate
> through BEA Tuxedo (which has various APIs on Windows) and configure a
> WebLogic Server to respond to these requests via the WTC bridge.
> Search for "WTC" in the BEA docs. Unlike most other approaches, the
> Tuxedo API approach also allows the client to begin and commit user
> (JTA) transactions.
>
> - Another approach is to interop via web-service standards. Or even to
> simply to invoke a servlet on the WL server using a basic HTTP call
> from the client. These operation in turn can invoke the JMS API.
> There is a white-paper on "Interoperability Study of BEA WebLogic
> Workshop 8.1 and Microsoft .NET 1.1 Web Services", that demonstrates
> web-services here:
> http://ftpna2.bea.com/pub/downloads/WebLogic-DotNet-Interop.pdf
>
> - Yet another approach is to use a third party product that is
> designed to wrap any JMS vendor. There are even open source
> versions. In no particular order, here are some examples: Open3
> WinJMS, CodeMesh, Active JMS, SpiritSoft
>
> - Finally, there are .NET/C/C++ integration libraries that are not
> specific to JMS, some examples are JNBridge, Jace, and CodeMesh.
>
> Notes on MQ Remote Capable XA Clients
> -------------------------------------
> Until recently, IBM MQ JMS clients could not work transactionally
> unless they were running on the same host as their MQ server. This is
> a limitation unique to MQ that was relaxed with the introduction of
> IBM's new "WebSphere MQ Extended Transactional Client". See:
>
> http://publibfp.boulder.ibm.com/epubs/pdf/csqzar00.pdf
>
> The product is new, and for some reason, configuration of this client
> seems to be tricky, even when WebLogic is not involved at all. Oddly,
> the main sticking point seems to be simply making sure that class
> paths refer to the required IBM jars:
>
> - Required on WLS where MQ objects are bound into JNDI:
> com.ibm.mq.jar, com.ibm.mqjms.jar
>
> - Required only if MQ objects are bound into JNDI on a different
> server: com.ibm.mq.jar
>
> If there are problems when using this client, first get it to work
> using a pure IBM client without any BEA classes involved. Once that
> is working, search the WL JMS newsgroup for answers and/or contact BEA
> customer support.
>
> Notes on Oracle AQ Integration
> ------------------------------
> If problems are encountered integrating Oracle's built-in queuing
> (Oracle AQ) JMS client, there is publicly available wrapper code that
> can aid integrating AQ directly into MDBs, JMS, or the messaging
> bridge. The solution is titled "Startup class to bind
> AQ/Referenceable objects to WLS JNDI", is not supported by BEA, and is
> posted to:
>
> http://dev2dev.bea.com/codelibrary/code/startupclass.jsp (older
> version) http://xa-compliant-oracleaq.projects.dev2dev.bea.com (newer
> version)
>
> Caveats:
>
> It may be that the solution doesn't directly support concurrent
> consumers. Perhaps Oracle requires that concurrent consumers each
> have a unique JMS connection? As a work-around, parallel message
> processing can be achieved indirectly by forwarding AQ messages into a
> WL JMS destination - which do support concurrent processing.
>
> Up-to-date versions of Oracle may be required. For more information,
> google search the weblogic.developer.interest.jms newsgroup for
> "Oracle" and "AQ".
>
> MDB Thread Pool Notes
> ---------------------
> WL7.0SP? and WL8.1 and later support the "dispatch-policy" field to
> specify which thread pool an MDB uses to run its instances. In most
> cases this field should be configured to help address potential
> performance issues and/or dead-locks:
>
> http://edocs.bea.com/wls/docs81/ejb/DDreference-ejb-jar.html#dispatch-
> policy
>
> (Note that "dispatch-policy" is ignored for non-transactional foreign
> vendors; in this case, the MDB "onMessage" callback runs in the
> foreign vendor's thread.)
>
> MDB Concurrency Notes
> ---------------------
> Queue MDBs driven by foreign providers can run multiple instances
> concurrently. Topic MDBs driven by foreign providers are limited to
> one instance (not sure, but transactional foreign driven topic MDBs
> may not have this limitation). The size of the thread pool that the
> MDB runs in and the "max-beans-in-free-pool" descriptor limit how many
> instances run concurrently.
>
> Design Guide-Lines and Performance Tuning Notes
> -----------------------------------------------
> The "WebLogic JMS Performance Guide" white-paper contains detailed
> design, performance, and tuning information for Clustering, Messaging
> Bridge, JMS, and MDBs.
>
> http://dev2dev.bea.com/products/wlserver/whitepapers/WL_JMS_Perform_GD
> .jsp
> -
Simple ws-policy demo not working
Hi Gurus,
It's been quite awhile, I could not work it out though. I guess your help would be the last change to stop it from driving me crazy~
The goal is to implement a simple ws-seurity enabled webservice demo using only username/password token as the policy. username/password in the ones listed in "myrealm" (might have SQL Authentication provider as well),and X509 is not the thing to be considered in this simple test.
Env:
WebLogic Server Version: 10.3.0.0
JVM: Sun one installed with weblogic
WebLogic Eclipse plugin: 1.0.0.2008.0808135653
Windows XP sp3
After reading that much docs, it came to below procedure and code:
1. Eclipse -> new Dynamic web project "WSTest3"
2. create file: example.ws.HelloW1.java
package example.ws;
import javax.jws.WebService;
import weblogic.jws.Policy;
import weblogic.jws.Policies;
@WebService(serviceName="HelloW1")
@Policies( { @Policy(uri = "policy:usernametoken.xml") } )
public class HelloW1 {
public String sayHi(String hi){
System.out.println("Already here: " + hi);
return "Welcome, you said: " + hi;
3. add "weblogic.jar" to build path
4. create WEB-INF/policies/usernametoken.xml
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>
5. Publish the project WSTest3 to weblogic server
6. Test the webservice within weblobic admin console, get below response which is expected since there is no input for user/pass in the simple test web page:
~~~~~~~~~~~~~~~~~~~
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>Error on verifying message against security policy Error code:1000</faultstring>
~~~~~~~~~~~~~~~~~~~
7. create the WSTest3Client project
8. new "web service client"
9. input the WSDL "http://127.0.0.1:7001/WSTest3/HelloW1?WSDL" and have the webservice related stub files created.
10. create java file: example.ws.client.Main.java
package example.ws.client;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.security.cert.X509Certificate;
import javax.xml.rpc.ServiceException;
import org.apache.axis.client.Stub;
import example.ws.HelloW1_PortType;
import example.ws.HelloW1_Service;
import example.ws.HelloW1_ServiceLocator;
import weblogic.jws.jaxws.ClientPolicyFeature;
import weblogic.jws.jaxws.policy.InputStreamPolicySource;
import weblogic.security.SSL.TrustManager;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;
public class Main {
public static void main(String[] args)
throws ServiceException, RemoteException{
String username = "weblogic";
String password = "weblogic";
CredentialProvider cp = new ClientUNTCredentialProvider(username.getBytes(), password.getBytes());
List credProviders = new ArrayList();
credProviders.add(cp);
HelloW1_Service service = new HelloW1_ServiceLocator();
HelloW1_PortType port = service.getHelloW1Port();
Stub stub = (Stub)port;
stub._setProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
//Map rc = ((BindingProvider)port).getRequestContext();
//rc.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
System.out.println(port.sayHi("nihao"));
11. add weblogic.jar to build path and let it go.
The expected output string was not coming, but still the exception there:
~~~~~~~~~~~~~~~
Exception in thread "main" AxisFault
faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}InvalidSecurity
faultSubcode:
faultString: Error on verifying message against security policy Error code:1000
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:Error on verifying message against security policy Error code:1000
at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222)
at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129)
{WITH MANY OTHER LINES BELOW}
~~~~~~~~~~~~~~~~~~
use below code suggested from reference link (2)
Map rc = ((BindingProvider)port).getRequestContext();
rc.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
to replace stub._setProperty, but I was told can not make the CAST from stub to BindingProvide, seems it's something in Jdeveloper11, not for my env.
if I comment "@Policies( { @Policy(uri = "policy:usernametoken.xml") } ) " off and republish the webservcie, the test would be running good, but defniately there is no anthentication, which is not what I want.
reference link (1): http://e-docs.bea.com/wls/docs103/webserv_sec/message.html
reference link (2): http://kingsfleet.blogspot.com/2008/12/simple-custom-policy-example-using-jax.html
I am grateful to have your input, thanks in advance and wish you a good day!
Regards,Hi, it comes to episode2.
Now the WS client's very smoothly working in my Jdev10.1.3, the code is very alike, but it uses
stub._setProperty(Stub.USERNAME_PROPERTY, "weblogic");
stub._setProperty(Stub.PASSWORD_PROPERTY, "weblogic");
// This source file is generated by Oracle tools and is subject to change
// It is a utility client for invoking the operations of the Web service port.
// For reporting problems, use the following
// Version = Oracle WebServices (10.1.3.1.1, build 070111.22769)
package proj2.proxy;
import oracle.webservices.transport.ClientTransport;
import oracle.webservices.OracleStub;
import javax.xml.rpc.ServiceFactory;
import javax.xml.rpc.Stub;
public class HelloW1PortClient {
private proj2.proxy.HelloW1_PortType _port;
public HelloW1PortClient() throws Exception {
ServiceFactory factory = ServiceFactory.newInstance();
port = ((proj2.proxy.HelloW1Service)factory.loadService(proj2.proxy.HelloW1_Service.class)).getHelloW1Port();
* @param args
public static void main(String[] args) {
try {
proj2.proxy.HelloW1PortClient myPort = new proj2.proxy.HelloW1PortClient();
System.out.println("calling " + myPort.getEndpoint());
// Add your own code here
myPort.setUsername("weblogic");
myPort.setPassword("weblogic");
System.out.println( myPort.sayHi("Hello") );
} catch (Exception ex) {
ex.printStackTrace();
* delegate all operations to the underlying implementation class.
public String sayHi(String arg0) throws java.rmi.RemoteException {
return _port.sayHi(arg0);
* used to access the JAX-RPC level APIs
* returns the interface of the port instance
public proj2.proxy.HelloW1_PortType getPort() {
return _port;
public String getEndpoint() {
return (String) ((Stub) port).getProperty(Stub.ENDPOINT_ADDRESS_PROPERTY);
public void setEndpoint(String endpoint) {
((Stub) port).setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY, endpoint);
public String getPassword() {
return (String) ((Stub) port).getProperty(Stub.PASSWORD_PROPERTY);
public void setPassword(String password) {
((Stub) port).setProperty(Stub.PASSWORD_PROPERTY, password);
public String getUsername() {
return (String) ((Stub) port).getProperty(Stub.USERNAME_PROPERTY);
public void setUsername(String username) {
((Stub) port).setProperty(Stub.USERNAME_PROPERTY, username);
public void setMaintainSession(boolean maintainSession) {
((Stub) port).setProperty(Stub.SESSION_MAINTAIN_PROPERTY, Boolean.valueOf(maintainSession));
public boolean getMaintainSession() {
return ((Boolean) ((Stub) port).getProperty(Stub.SESSION_MAINTAIN_PROPERTY)).booleanValue();
* returns the transport context
public ClientTransport getClientTransport() {
return ((OracleStub) _port).getClientTransport();
the weird thing is when I moved "
stub._setProperty(Stub.USERNAME_PROPERTY, "weblogic");
stub._setProperty(Stub.PASSWORD_PROPERTY, "weblogic");
into Eclipse, it still complains the same error: "Error on verifying message against security policy Error code:1000", meanwhile the server outputs:
<WSEE:18>Trying to validate identity assertion token http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken<SecurityMessageInspector.inspectIdentity:629>
Thanks, -
How to connect weblogic 8.1 to IBM MQ Series from remote machines?
Hi,
I am trying to connect WebLogic 8.1 to IBM MQ Series 6.0 both are running in a seperate machines.Can we do using JNDI services? Can anyone help me to fix this issue?I'm cutting/pasting my notes on the topic, including MQ specific notes. Start with the Integrating Remote JMS Providers FAQ (link below). You can also search this newsgroup for answers.
Tom
JMS Integration of Foreign Vendors with BEA WebLogic Server
The following notes are derived mostly from "http://dev2dev.bea.com/technologies/jms/index.jsp".
For additional questions, a good forum for WebLogic questions in general is "newsgroups.bea.com". These can be mined for information by using Google's newsgroup search function.
JMS Integration Overview
- For integration with "non-Java" and/or "non-JMS" platforms, see "Non-Java Integration Options" below.
- For a foreign JMS vendor to participate in a WL transaction it must support XA. Specifically, it must support the javax.jms.XA* interfaces.
- In WL versions 6.0 and up it is possible to make synchronous calls to foreign JMS vendors participate in a WL transaction as long as the foreign vendor supports XA.
- WL 6.0 and 6.1 MDBs can be driven by foreign vendors non-transactionally. They can be driven transactionally by a select few foreign vendors (MQ is not part of the select few)
- WL 7.0 and later, MDBs can be driven by foreign vendors transactionally and non-transationally.
- WL 6.1 and later WL provides a messaging bridge feature. Messaging bridges forward messages between any two JMS destinations, including foreign destinations, and can transfer messages transactionally or non-transactionally.
- WL 8.1 JMS provides additional features that simplify transactional and JNDI integration of foreign vendors. See http://edocs.bea.com/wls/docs81/jms/intro.html#jms_features and http://e-docs.bea.com/wls/docs81/faq/interop.html
Integration with 8.1 Details
To start, first read the "Integrating Remote JMS Providers FAQ" (released in Dec 2004) at:
http://e-docs.bea.com/wls/docs81/faq/interop.html
A good overview of 8.1 JMS interop capability is the presentation "Integrating Foreign JMS Providers with BEA WebLogic Server" here:
http://www.bea.com/content/files/eworld/presentations/Wed_03_05_03/Application_Servers/1097-Foreign_JMS_Providers_WLS.pdf
This document refers to helpful new 8.1 features, which simplify integration. These include:
http://edocs.bea.com/wls/docs81/ConsoleHelp/jms_config.html#accessing_foreign_providers
http://edocs.bea.com/wls/docs81/jms/j2ee_components.html#1033768
And are also summarized here (under interoperability):
http://edocs.bea.com/wls/docs81/jms/intro.html#jms_features
Also read the MDB documentation, which extensively covers integrating foreign vendors:
http://edocs.bea.com/wls/docs81/ejb/message_beans.html
The 8.1 features are likely sufficient for most 8.1 integration needs, but you may want to refer to the "Using Foreign JMS Providers With WLS" white-paper mentioned below, which is 7.0 specific but contains specific examples of configuring non-WebLogic JMS vendors. See also notes on "MQ" below.
Integration with 6.1 and 7.0 Details
Read the "Using Foreign JMS Providers With WLS" white-paper:
http://dev2dev.bea.com/products/wlserver/whitepapers/jmsproviders.jsp
Note that this white-paper does not take into account 8.1 features.
For 7.0 read the extensive 8.1 MDB documentation, which largely also applies to 7.0:
http://edocs.bea.com/wls/docs81/ejb/message_beans.html
Non-Java Integration Options
- WL JMS has a JNI based C client which is available for Windows and some UNIX platforms. This C client supports 7.0 and up, and will be officially packaged with WLS in 9.0 (virtually unchanged). The C API is currently only supported through the jms newsgroup. See "JMS C API", here:
http://dev2dev.bea.com/technologies/jms/index.jsp
- WL supports direct Windows COM access through its "JCOM" feature. This doesn't include the JMS API, but one can invoke EJBs which in turn invoke JMS. See
http://e-docs.bea.com/wls/docs61/jcom.html
http://e-docs.bea.com/wls/docs70/jcom/
http://e-docs.bea.com/wls/docs81/jcom/
- Similar to JCOM, but more advanced and supported on more platforms, WL supports access via the standard IIOP protocol. You can use the BEA Tuxedo C client for this purpose (no license fee). This doesn't include the JMS API, but one can invoke EJBs which in turn invoke JMS. See
http://e-docs.bea.com/wls/docs81/rmi_iiop/
http://e-docs.bea.com/wls/docs70/rmi_iiop/
http://e-docs.bea.com/wls/docs61/rmi_iiop/
Unlike most other approaches, the IIOP client approach also allows the client to begin and commit user (JTA) transactions (not configured).
- If you already have a BEA Tuxedo license, one option is communicate through BEA Tuxedo (which has various APIs on Windows) and configure a WebLogic Server to respond to these requests via the WTC bridge. Search for "WTC" in the BEA docs. Unlike most other approaches, the Tuxedo API approach also allows the client to begin and commit user (JTA) transactions.
- Another approach is to interop via web-service standards. Or even to simply to invoke a servlet on the WL server using a basic HTTP call from the client. These operation in turn can invoke the JMS API. There is a white-paper on "Interoperability Study of BEA WebLogic Workshop 8.1 and Microsoft .NET 1.1 Web Services", that demonstrates web-services here:
http://ftpna2.bea.com/pub/downloads/WebLogic-DotNet-Interop.pdf
- Yet another approach is to use a third party product that is designed to wrap any JMS vendor. There are even open source versions. In no particular order, here are some examples: Open3 WinJMS, CodeMesh, Active JMS, SpiritSoft
- Finally, there are .NET/C/C++ integration libraries that are not specific to JMS, some examples are JNBridge, Jace, and CodeMesh.
Notes on MQ Remote Capable XA Clients
Until recently, IBM MQ JMS clients could not work transactionally unless they were running on the same host as their MQ server. This is a limitation unique to MQ that was relaxed with the introduction of IBM's new "WebSphere MQ Extended Transactional Client". See:
http://publibfp.boulder.ibm.com/epubs/pdf/csqzar00.pdf
The product is new, and for some reason, configuration of this client seems to be tricky, even when WebLogic is not involved at all. Oddly, the main sticking point seems to be simply making sure that class paths refer to the required IBM jars:
- Required on WLS where MQ objects are bound into JNDI:
com.ibm.mq.jar, com.ibm.mqjms.jar
- Required only if MQ objects are bound into JNDI on a different server:
com.ibm.mq.jar
If there are problems when using this client, first get it to work using a pure IBM client without any BEA classes involved. Once that is working, search the WL JMS newsgroup for answers and/or contact BEA customer support.
Notes on Oracle AQ Integration
If problems are encountered integrating Oracle's built-in queuing (Oracle AQ) JMS client, there is publicly available wrapper code that can aid integrating AQ directly into MDBs, JMS, or the messaging bridge. The solution is titled "Startup class to bind AQ/Referenceable objects to WLS JNDI", is not supported by BEA, and is posted to:
http://dev2dev.bea.com/codelibrary/code/startupclass.jsp (older version)
http://xa-compliant-oracleaq.projects.dev2dev.bea.com (newer version)
Caveats:
It may be that the solution doesn't directly support concurrent consumers. Perhaps Oracle requires that concurrent consumers each have a unique JMS connection? As a work-around, parallel message processing can be achieved indirectly by forwarding AQ messages into a WL JMS destination - which do support concurrent processing.
Up-to-date versions of Oracle may be required. For more information, google search the weblogic.developer.interest.jms newsgroup for "Oracle" and "AQ".
MDB Thread Pool Notes
WL7.0SP? and WL8.1 and later support the "dispatch-policy" field to specify which thread pool an MDB uses to run its instances. In most cases this field should be configured to help address potential performance issues and/or dead-locks:
http://edocs.bea.com/wls/docs81/ejb/DDreference-ejb-jar.html#dispatch-policy
(Note that "dispatch-policy" is ignored for non-transactional foreign vendors; in this case, the MDB "onMessage" callback runs in the foreign vendor's thread.)
MDB Concurrency Notes
Queue MDBs driven by foreign providers can run multiple instances concurrently. Topic MDBs driven by foreign providers are limited to one instance (not sure, but transactional foreign driven topic MDBs may not have this limitation). The size of the thread pool that the MDB runs in and the "max-beans-in-free-pool" descriptor limit how many instances run concurrently.
Design Guide-Lines and Performance Tuning Notes
The "WebLogic JMS Performance Guide" white-paper contains detailed design, performance, and tuning information for Clustering, Messaging Bridge, JMS, and MDBs.
http://dev2dev.bea.com/products/wlserver/whitepapers/WL_JMS_Perform_GD.jsp -
Problem in invoking a secure weblogic web service from javaws client
Hi all,
the situation is this: there is a secure web service (Wssp1.2-2007-Wss1.1-X509-Basic256.xml policy) which is accessed by a stand-alone remote web service client (swing-enabled) which is initiated via java web start. You'll probably wondering why this is a special case. Let me elaborate...
The first step was to develop the service and the client. This wasn't much of a trouble, since the documentation was very good apart from creating a ClientBSTCredentialProvider object at the client side. The documentation should explicitly state that the sixth argument, that of the server certificate, is required! In any case, the first step was a success and the invocation was encrypted and signed at the message level.
The second step was to create a stand-alone remote client, without any local weblogic installation. That was a bit of a problem, since wlfullclient.jar or wseeclient.jar or weblogic.jar were not enough. I should note that the client was created via netbeans 7.0 and not with the help of weblogic clientgen. So, I had to make a verbose run from netbeans, in order to enumerate the jars which are accessed and gather them into the same directory. That was OK too. The standalone client works just fine.
The third step is to simply (not so simply...) make a java web start version of the client. Since the previous step was a success (having all necessary jars in the same directory) this one should not be a problem. Well... that turned out to be a huge issue. What I get back as the error message (shown in the java web start console) is this:
java.lang.InternalError: error initializing kernel caused by: java.lang.AssertionError: Duplicate initialization of WorkManager
at weblogic.work.WorkManagerFactory.set(WorkManagerFactory.java:107)
at weblogic.work.ExecuteQueueFactory.initialize(ExecuteQueueFactory.java:23)
at weblogic.kernel.Kernel.initialize(Kernel.java:103)
at weblogic.kernel.Kernel.ensureInitialized(Kernel.java:64)
at weblogic.rjvm.wls.WLSRJVMEnvironment.ensureInitialized(WLSRJVMEnvironment.java:50)
at weblogic.protocol.ProtocolManager$DefaultAdminProtocolMaker.<clinit>(ProtocolManager.java:53)
at weblogic.protocol.ProtocolManager.getDefaultAdminProtocol(ProtocolManager.java:218)
at weblogic.protocol.ProtocolHandlerAdmin.<clinit>(ProtocolHandlerAdmin.java:23)
at weblogic.rjvm.wls.WLSRJVMEnvironment.registerRJVMProtocols(WLSRJVMEnvironment.java:120)
at weblogic.rjvm.RJVMManager.ensureInitialized(RJVMManager.java:87)
at weblogic.rjvm.RJVMManager.<clinit>(RJVMManager.java:46)
at weblogic.rjvm.LocalRJVM.<init>(LocalRJVM.java:97)
at weblogic.rjvm.LocalRJVM.<init>(LocalRJVM.java:28)
at weblogic.rjvm.LocalRJVM$LocalRJVMMaker.<clinit>(LocalRJVM.java:31)
at weblogic.rjvm.LocalRJVM.getLocalRJVM(LocalRJVM.java:72)
at weblogic.xml.crypto.utils.DOMUtils.generateId(DOMUtils.java:403)
at weblogic.xml.crypto.utils.DOMUtils.generateId(DOMUtils.java:395)
at weblogic.xml.crypto.utils.DOMUtils.assignId(DOMUtils.java:374)
at weblogic.xml.crypto.wss.SecurityBuilderImpl.assignUri(SecurityBuilderImpl.java:148)
at weblogic.wsee.security.policy.SigningReferencesFactory.getSigningReferences(SigningReferencesFactory.java:100)
at weblogic.wsee.security.wss.policy.wssp.SigningPolicyBlueprintImpl.addSignatureNodeListToReference(SigningPolicyBlueprintImpl.java:446)
at weblogic.wsee.security.wss.policy.wssp.SigningPolicyBlueprintImpl.addSignatureNodeListToReference(SigningPolicyBlueprintImpl.java:335)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.resolveSignatureList(SecurityMessageArchitect.java:574)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.resolveSignatureList(SecurityMessageArchitect.java:428)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.constructMessage(SecurityMessageArchitect.java:304)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.buildWssMessage(SecurityMessageArchitect.java:138)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.buildWssMessage(SecurityMessageArchitect.java:121)
at weblogic.wsee.security.wss.SecurityPolicyArchitect.processOutbound(SecurityPolicyArchitect.java:225)
at weblogic.wsee.security.wss.SecurityPolicyArchitect.processMessagePolicy(SecurityPolicyArchitect.java:123)
at weblogic.wsee.security.wss.SecurityPolicyConductor.processRequestOutbound(SecurityPolicyConductor.java:119)
at weblogic.wsee.security.wss.SecurityPolicyConductor.processRequestOutbound(SecurityPolicyConductor.java:91)
at weblogic.wsee.security.wssp.handlers.WssClientHandler.processOutbound(WssClientHandler.java:117)
at weblogic.wsee.security.wssp.handlers.WssClientHandler.processRequest(WssClientHandler.java:69)
at weblogic.wsee.security.wssp.handlers.WssHandler.handleRequest(WssHandler.java:112)
at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory$JAXRPCTube.processRequest(TubeFactory.java:222)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
at com.sun.xml.ws.client.Stub.process(Stub.java:272)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
at $Proxy29.fetchCSD(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
at $Proxy30.fetchCSD(Unknown Source)
at exchangecsdclient.CSDExchangeClientImpl.fetchCSD(CSDExchangeClientImpl.java:151)
at pdfutil.PDFUtilApp.initialize(PDFUtilApp.java:55)
at org.jdesktop.application.Application$1.run(Application.java:170)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:597)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
at weblogic.kernel.Kernel.ensureInitialized(Kernel.java:66)
at weblogic.rjvm.wls.WLSRJVMEnvironment.ensureInitialized(WLSRJVMEnvironment.java:50)
at weblogic.protocol.ProtocolManager$DefaultAdminProtocolMaker.<clinit>(ProtocolManager.java:53)
at weblogic.protocol.ProtocolManager.getDefaultAdminProtocol(ProtocolManager.java:218)
at weblogic.protocol.ProtocolHandlerAdmin.<clinit>(ProtocolHandlerAdmin.java:23)
at weblogic.rjvm.wls.WLSRJVMEnvironment.registerRJVMProtocols(WLSRJVMEnvironment.java:120)
at weblogic.rjvm.RJVMManager.ensureInitialized(RJVMManager.java:87)
at weblogic.rjvm.RJVMManager.<clinit>(RJVMManager.java:46)
at weblogic.rjvm.LocalRJVM.<init>(LocalRJVM.java:97)
at weblogic.rjvm.LocalRJVM.<init>(LocalRJVM.java:28)
at weblogic.rjvm.LocalRJVM$LocalRJVMMaker.<clinit>(LocalRJVM.java:31)
at weblogic.rjvm.LocalRJVM.getLocalRJVM(LocalRJVM.java:72)
at weblogic.xml.crypto.utils.DOMUtils.generateId(DOMUtils.java:403)
at weblogic.xml.crypto.utils.DOMUtils.generateId(DOMUtils.java:395)
at weblogic.xml.crypto.utils.DOMUtils.assignId(DOMUtils.java:374)
at weblogic.xml.crypto.wss.SecurityBuilderImpl.assignUri(SecurityBuilderImpl.java:148)
at weblogic.wsee.security.policy.SigningReferencesFactory.getSigningReferences(SigningReferencesFactory.java:100)
at weblogic.wsee.security.wss.policy.wssp.SigningPolicyBlueprintImpl.addSignatureNodeListToReference(SigningPolicyBlueprintImpl.java:446)
at weblogic.wsee.security.wss.policy.wssp.SigningPolicyBlueprintImpl.addSignatureNodeListToReference(SigningPolicyBlueprintImpl.java:335)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.resolveSignatureList(SecurityMessageArchitect.java:574)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.resolveSignatureList(SecurityMessageArchitect.java:428)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.constructMessage(SecurityMessageArchitect.java:304)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.buildWssMessage(SecurityMessageArchitect.java:138)
at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.buildWssMessage(SecurityMessageArchitect.java:121)
at weblogic.wsee.security.wss.SecurityPolicyArchitect.processOutbound(SecurityPolicyArchitect.java:225)
at weblogic.wsee.security.wss.SecurityPolicyArchitect.processMessagePolicy(SecurityPolicyArchitect.java:123)
at weblogic.wsee.security.wss.SecurityPolicyConductor.processRequestOutbound(SecurityPolicyConductor.java:119)
at weblogic.wsee.security.wss.SecurityPolicyConductor.processRequestOutbound(SecurityPolicyConductor.java:91)
at weblogic.wsee.security.wssp.handlers.WssClientHandler.processOutbound(WssClientHandler.java:117)
at weblogic.wsee.security.wssp.handlers.WssClientHandler.processRequest(WssClientHandler.java:69)
at weblogic.wsee.security.wssp.handlers.WssHandler.handleRequest(WssHandler.java:112)
at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory$JAXRPCTube.processRequest(TubeFactory.java:222)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
at com.sun.xml.ws.client.Stub.process(Stub.java:272)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
at $Proxy29.fetchCSD(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
at $Proxy30.fetchCSD(Unknown Source)
at exchangecsdclient.CSDExchangeClientImpl.fetchCSD(CSDExchangeClientImpl.java:151)
at pdfutil.PDFUtilApp.initialize(PDFUtilApp.java:55)
at org.jdesktop.application.Application$1.run(Application.java:170)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:597)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
The two invocations (one using java and the other using javaws) should obviously have not differences at all since all resources (jars) are the same.
I have tried all client jar combinations (with wlfullclient.jar, wseeclient.jar, weblogic.jar) and the result is the same. One additional piece of information is that when removing all security parameters (message level encryption and signing) from the web service the java web start client works just fine!!!
This is not an issue of additional jars that somehow mess with weblogic jars, since the same error occurs even in the basic hello world web service.
I wonder if someone has faced the same problem. I would really really appreciate any help. Thank you in advance and keep up the good work.
Cheers,
Paul.
Edited by: PaulP on Jan 11, 2012 5:31 AMHi Kal,
since we're currently evaluating the software and haven't acquired a license, we cannot contact support.
I only need to know if this is a solved bug or not. Does it have to do with the classloading process (I cannot think of anything else)?
Thank you again very very much!
Cheers,
Paul. -
Policy agent 2.2 amfilter local authentication with session binding failed
Hi All,
I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
Here is the error I got:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Here is the error I found from agent log file, amFilter:
AmFilter: now processing: SSO Task Handler
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Logout Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: local logout skipped SSO User => amAdmin, principal =>null
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Auth Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: doing local authentication with session binding
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: result =>
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
-----------------------------------------------------------Hi,
I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
java.lang.IllegalStateException: invalidate: Session already invalidated
at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
Also, we I debug I see:
LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
Did you receive any solution for this?
Many, many thanks,
Philip -
Alternative to WebLogic 8.1 Execute thread Qs in Websphere 6.1
Hi All,
We are in the process of migrating from WebLogic 8.1 to WAS 6.1. We have few application in WebLogic that use custom execute threads so that trafic is moved to user defined thread instead of default thread pool. This is done in weblogic using dispatch-policy tag under weblogic.xml.
I appreciate if someone could help me understand the alternative of doing same thing in WebSphere 6.1.
I was going thru some site searching and came across Work Manager that does the same thing which is new to me but does similar job.
Thanks in advanceHi All,
We are in the process of migrating from WebLogic 8.1 to WAS 6.1. We have few application in WebLogic that use custom execute threads so that trafic is moved to user defined thread instead of default thread pool. This is done in weblogic using dispatch-policy tag under weblogic.xml.
I appreciate if someone could help me understand the alternative of doing same thing in WebSphere 6.1.
I was going thru some site searching and came across Work Manager that does the same thing which is new to me but does similar job.
Thanks in advance -
Hi JSF 1.2 is bundled with weblogic 10 and out of interest I tried to use it to see if it was suitable for our new development. The application works with both JSF-RI1.1 and myfaces 1.1, so I was hoping to see if 1.2 would bring any benefits.
I have set up my weblogic.xml to deploy the 1.2 version, but when I start my app I get an exception (see below) . Do I have to undeploy the other versions? Is there anything missing from the faces-config.xml, I changed it ti use the new XML schema, but this made no difference.
Is JSF1.2 useable in portal 10?
<faces-config xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd"
version="1.2">
<application>
<view-handler>org.apache.myfaces.tomahawk.application.jsp.JspTilesViewHandlerImpl</view-handler>
</application>
<application>
<variable-resolver>org.springframework.web.jsf.DelegatingVariableResolver</variable-resolver>
</application>
</faces-config>
Log extracts::
Oct 15, 2007 6:48:46 PM com.sun.faces.config.ConfigureListener contextInitialized
INFO: Initializing Sun's JavaServer Faces implementation (1.2_03-b04-FCS) for context '/nop_portal'
Oct 15, 2007 6:48:48 PM com.sun.faces.spi.InjectionProviderFactory createInstance
WARNING: JSF1033: Resource injection is DISABLED.
Oct 15, 2007 6:48:49 PM com.sun.faces.config.ConfigureListener contextInitialized
INFO: Completed initializing Sun's JavaServer Faces implementation (1.2_03-b04-FCS) for context '/nop_portal'
<Oct 15, 2007 6:48:49 PM CEST> <Warning> <HTTP> <BEA-101162> <User defined listener com.sun.faces.config.ConfigureListener failed: j
ava.lang.AssertionError.
####<Oct 15, 2007 6:48:50 PM CEST> <Error> <Deployer> <FHD3076G> <AdminServer> <[STANDBY] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1192466930114> <BEA-149265> <Failure occurred in the execution of deployment request with ID '1192466874504' for task '1'. Error is: 'weblogic.application.ModuleException: '
weblogic.application.ModuleException:
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:950)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:353)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:204)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:26)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:60)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:117)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:204)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:26)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:60)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:26)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:635)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:26)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:154)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:80)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:566)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:136)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:104)
at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:139)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:320)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:816)
at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1223)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:434)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:161)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:181)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:12)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:67)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:464)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
java.lang.AssertionError
at com.sun.faces.application.ConverterPropertyEditorFactory$ClassTemplateInfo.loadTemplateBytes(ConverterPropertyEditorFactory.java:281)
at com.sun.faces.application.ConverterPropertyEditorFactory$ClassTemplateInfo.<init>(ConverterPropertyEditorFactory.java:172)
at com.sun.faces.application.ConverterPropertyEditorFactory$ClassTemplateInfo.<init>(ConverterPropertyEditorFactory.java:154)
at com.sun.faces.application.ConverterPropertyEditorFactory.<init>(ConverterPropertyEditorFactory.java:524)
at com.sun.faces.application.ConverterPropertyEditorFactory.getDefaultInstance(ConverterPropertyEditorFactory.java:544)
at com.sun.faces.application.ApplicationImpl.addPropertyEditorIfNecessary(ApplicationImpl.java:718)
at com.sun.faces.application.ApplicationImpl.addConverter(ApplicationImpl.java:675)
at com.sun.faces.config.ConfigureListener.configure(ConfigureListener.java:795)
at com.sun.faces.config.ConfigureListener.configure(ConfigureListener.java:538)
at com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:435)
at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:458)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:168)
at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1721)
at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:2890)
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:948)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:353)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:204)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:26)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:60)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:117)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:204)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:26)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:60)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:26)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:635)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:26)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:154)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:80)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:566)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:136)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:104)
at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:139)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:320)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:816)
at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1223)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:434)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:161)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:181)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:12)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:67)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:464)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)It seems like you are running weblogic server 10 with assertion enabled.
The issue is a bug in JSF 1.2 reference implementation. Please refer to
https://javaserverfaces.dev.java.net/issues/show_bug.cgi?id=452+
for detail. The bug has been fixed. However, the JSF1.2 library bundled weblogc 10 does not catch the fix.
As a workaround, you can disable assertion to ignore the error. Please update if the workaround works.
Thanks,
-Fred. -
OWSM 11g: Custom policy implementation
Hi all,
I am unable to replicate the example as discussed in the section 14 of Security and Administrator’s Guide for Web Services 11g Release 1 (11.1.1) B32511-03, April 2010. I am applying the custom policy on a osb (11g r3) proxy service. Kindly take a look at the steps mentioned below & suggest suitably where i may be going wrong:
1. Creation of the IpAssertionExecutor class which holds the implementation logic (same as Step 1)
2. Creation of the policy-config.xml file (same as Step 2)
3. oracle.logging-utils_11.1.1.jar was also added to compile the above class.
4. IpAssertionExecutor Class & policy-config.xml were added as a jar file as mentioned in page no: 4 of the following link: http://www.scribd.com/doc/25941008/How-to-Create-OWSM-11g-Custom-Policy-Assertion (same as Step 4)
5. Updation of classpath (same as Step 5)
6. Creation of oracle/ip_assertion_policy file (same as Step 2)
7. Importing the Custom Policy File (same as Step 6)
8. Attaching the Custom Policy to a Web Service or Client (same as Step 7)
For testing purpose, i used soapui and specified the bind address in the request properties. However, the policy is not working as desired.
Additionally, i hardcoded the String ipAddr (ip address) in the IpAssertionExecutor class & redeployed the jar. But still couldn't get it working.
I shall be obliged if someone can help me.
Thanks in advanceIn the security tab for your OSB Service, ensure that you set the radio button for processing of ws header. Otherwise no policies appear to be called.
-
Step-by-step custom Credential Mapping using weblogic 10.3 SSPI
Folks,
I am trying to implement custom Credential Mapping using weblogic 10.3 SSPI. Am sure that few of you have already implemented the same. But here my questions in reagrds with the implementation
Right now, I have below
1.MyCredentialMapperImpl implements CredentialMapperV2
1.Overridden getCredential and gerCredentials method.But I am not sure what are all the other methods , I should implement here.
2.MyCredentialMapperProviderImpl implements CredentialProviderV2
Questions.
1.How to get ContextHandler to pass as param in MyCredentialMapperImpl -->gerCredentials method.
2.Should I need set up a database after deploying the MBean ?
3.How do I execute above implementation ?
4.Can I see the SAML Token in my client ?
If possible Please send me the step-by-step custom Credential Mapping implementation.
Thanks in advance.
RaviHi John,
I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
Ideally, the flow is something like:
- user accesses an unprotected resource - resource is shown, no interaction with authentication provider
- user presses a link or button that takes him/her to a protected resource
- the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
- the application can access the subject and principals
- ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
If you more ideas to share - I would love to hear them.
best regards,
Lucas -
Creating a Global Role using weblogic.Admin command
Hi,
Does anyone have an example of creating a global role using the weblogic.Admin commands? I think I have to use the INVOKE command with the DefaultRoleMapper and createRole method, but I'm not quite sure what the rest of the syntax is.
Thanks,
GabrielGabriel,
The following works for me:
weblogic.Admin -url t3://localhost:80 -username weblogic -password weblogic INVOKE -mbean "Security:Name=myrealmDefaultRoleMapper" -method createRole "" "MyGlobalRole" "Grp(Administrators)" ""
The null first parameter identifies this role as a global role.
The second param is the name of the role.
The third parameter is the policy expression. Here, I've mapped the role to the Administrators group. You can also map it to users or a combo of the two. For example, to map it to the "weblogic" user, use "Usr(weblogic)" as the policy expression. If you leave this parameter empty, the role will be created but will not be mapped to anything.
I'm not sure what the fourth parameter is for. It's not defined in the RoleEditorMBean docs but not including it causes an error. I suspect it's a description field because WLS does not seem to care what you put there.
HTH,
Mike -
Weblogic 9.2 Admin Server isnt getting start
This is the log:
starting weblogic with Java version:
java version "1.5.0_07"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03)
Java HotSpot(TM) Server VM (build 1.5.0_07-b03, mixed mode)
Starting WLS with line:
/usr/jdk/instances/jdk1.5.0/bin/java -server -Xms256m -Xmx512m -XX:MaxPermSize=128m -da -Dplatform.home=/var/jawed/SunWeb9.2/bea/weblogic92 -Dwls.home=/var/jawed/SunWeb9.2/bea/weblogic92/server -Dwli.home=/var/jawed/SunWeb9.2/bea/weblogic92/integration -Dweblogic.management.discover=true -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/var/jawed/SunWeb9.2/bea/patch_weblogic921/profiles/default/sysext_manifest_classpath -Dweblogic.Name=weblogic -Djava.security.policy=/var/jawed/SunWeb9.2/bea/weblogic92/server/lib/weblogic.policy weblogic.Server
<Apr 20, 2007 7:31:28 PM CDT> <Notice> <WebLogicServer> <BEA-000395> <Following extensions directory contents added to the end of the classpath:
/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/p13n/p13n-schemas.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/p13n/p13n_common.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/p13n/p13n_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/commerce_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/content_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/groupspace_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/netuix_common.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/netuix_schemas.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/netuix_system-full.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/netuix_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/nf-jspcmods.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/nf-system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/wlp-schemas.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/wps_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/wsrp-client.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/wsrp-common.jar>
<Apr 20, 2007 7:31:28 PM CDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Server VM Version 1.5.0_07-b03 from Sun Microsystems Inc.>
<Apr 20, 2007 7:31:30 PM CDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 9.2 MP1 Sun Jan 7 00:56:31 EST 2007 883308 >
<Apr 20, 2007 7:31:32 PM CDT> <Warning> <Management> <BEA-141230> <Could Not locate descriptor file for System Resource : dataSource.>
<Apr 20, 2007 7:31:33 PM CDT> <Info> <WebLogicServer> <BEA-000215> <Loaded License : /var/jawed/SunWeb9.2/bea/license.bea>
<Apr 20, 2007 7:31:33 PM CDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Apr 20, 2007 7:31:33 PM CDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Apr 20, 2007 7:31:33 PM CDT> <Notice> <Log Management> <BEA-170019> <The server log file /var/jawed/SunWeb9.2/domains/domains/servers/weblogic/logs/weblogic.log is opened. All server side log events will be written to this file.>
<Apr 20, 2007 7:31:34 PM CDT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: java.lang.AssertionError: java.lang.reflect.InvocationTargetException
java.lang.AssertionError: java.lang.reflect.InvocationTargetException
at weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService._invokeServiceMethod(AbstractDescriptorBean.java:1011)
at weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService.decrypt(AbstractDescriptorBean.java:1039)
at weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService.access$200(AbstractDescriptorBean.java:963)
at weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:960)
at weblogic.management.configuration.EmbeddedLDAPMBeanImpl.getCredential(EmbeddedLDAPMBeanImpl.java:104)
Truncated. see log file for complete stacktrace
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService._invokeServiceMethod(AbstractDescriptorBean.java:1009)
Truncated. see log file for complete stacktrace
weblogic.security.internal.encryption.EncryptionServiceException: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:78)
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:94)
at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:87)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
at com.rsa.jsafe.JA_PKCS5Padding.a(Unknown Source)
at com.rsa.jsafe.JG_BlockCipher.decryptFinal(Unknown Source)
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:68)
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:94)
at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:87)
Truncated. see log file for complete stacktrace
>
<Apr 20, 2007 7:31:34 PM CDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Apr 20, 2007 7:31:34 PM CDT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Apr 20, 2007 7:31:34 PM CDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
I am working on Solaris platform. suggetions are highly wel-come.[email protected] <> wrote:
This is the log:
starting weblogic with Java version:
java version "1.5.0_07"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03)
Java HotSpot(TM) Server VM (build 1.5.0_07-b03, mixed mode)
Starting WLS with line:
/usr/jdk/instances/jdk1.5.0/bin/java -server -Xms256m -Xmx512m
-XX:MaxPermSize=128m -da
-Dplatform.home=/var/jawed/SunWeb9.2/bea/weblogic92
-Dwls.home=/var/jawed/SunWeb9.2/bea/weblogic92/server
-Dwli.home=/var/jawed/SunWeb9.2/bea/weblogic92/integration
-Dweblogic.management.discover=true -Dwlw.iterativeDev=false
-Dwlw.testConsole=false -Dwlw.logErrorsToConsole=
-Dweblogic.ext.dirs=/var/jawed/SunWeb9.2/bea/patch_weblogic921/profiles/default/sysext_manifest_classpath
-Dweblogic.Name=weblogic
-Djava.security.policy=/var/jawed/SunWeb9.2/bea/weblogic92/server/lib/weblogic.policy
weblogic.Server <Apr 20, 2007 7:31:28 PM CDT> <Notice> <WebLogicServer>
<BEA-000395> <Following extensions directory contents added to the end of
the classpath:
/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/p13n/p13n-schemas.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/p13n/p13n_common.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/p13n/p13n_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/commerce_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/content_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/groupspace_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/netuix_common.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/netuix_schemas.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/netuix_system-full.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/netuix_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/nf-jspcmods.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/nf-system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/wlp-schemas.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/wps_system.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/wsrp-client.jar:/var/jawed/SunWeb9.2/bea/weblogic92/platform/lib/wlp/wsrp-common.jar>
<Apr 20, 2007 7:31:28 PM CDT> <Info> <WebLogicServer> <BEA-000377>
<Starting WebLogic Server with Java HotSpot(TM) Server VM Version
1.5.0_07-b03 from Sun Microsystems Inc.>
<Apr 20, 2007 7:31:30 PM CDT> <Info> <Management> <BEA-141107> <Version:
WebLogic Server 9.2 MP1 Sun Jan 7 00:56:31 EST 2007 883308 > <Apr 20,
2007 7:31:32 PM CDT> <Warning> <Management> <BEA-141230> <Could Not locate
descriptor file for System Resource : dataSource.> <Apr 20, 2007 7:31:33
PM CDT> <Info> <WebLogicServer> <BEA-000215> <Loaded License :
/var/jawed/SunWeb9.2/bea/license.bea> <Apr 20, 2007 7:31:33 PM CDT>
<Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Apr 20, 2007 7:31:33 PM CDT> <Info> <WorkManager> <BEA-002900>
<Initializing self-tuning thread pool> <Apr 20, 2007 7:31:33 PM CDT>
<Notice> <Log Management> <BEA-170019> <The server log file
/var/jawed/SunWeb9.2/domains/domains/servers/weblogic/logs/weblogic.log is
opened. All server side log events will be written to this file.> <Apr 20,
2007 7:31:34 PM CDT> <Critical> <WebLogicServer> <BEA-000386> <Server
subsystem failed. Reason: java.lang.AssertionError:
java.lang.reflect.InvocationTargetException java.lang.AssertionError:
java.lang.reflect.InvocationTargetException
at
weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService._invokeServiceMethod(AbstractDescriptorBean.java:1011)
at
weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService.decrypt(AbstractDescriptorBean.java:1039)
at
weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService.access$20
(AbstractDescriptorBean.java:963)
at
weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:960)
at
weblogic.management.configuration.EmbeddedLDAPMBeanImpl.getCredential(EmbeddedLDAPMBeanImpl.java:104)
Truncated. see log file for complete stacktrace
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585) at
weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService._invokeServiceMethod(AbstractDescriptorBean.java:1009)
Truncated. see log file for complete stacktrace
weblogic.security.internal.encryption.EncryptionServiceException:
com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid
pad byte.
at
weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:78)
at
weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:94)
at
weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:87)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid
pad byte.
at com.rsa.jsafe.JA_PKCS5Padding.a(Unknown Source)
at com.rsa.jsafe.JG_BlockCipher.decryptFinal(Unknown Source)
at
weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:68)
at
weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:94)
at
weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:87)
Truncated. see log file for complete stacktrace
>
<Apr 20, 2007 7:31:34 PM CDT> <Notice> <WebLogicServer> <BEA-000365>
<Server state changed to FAILED> <Apr 20, 2007 7:31:34 PM CDT> <Error>
<WebLogicServer> <BEA-000383> <A critical service failed. The server will
shut itself down> <Apr 20, 2007 7:31:34 PM CDT> <Notice> <WebLogicServer>
<BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
I am working on Solaris platform. suggetions are highly wel-come.This happens most of the time if a password entry isn't correct anymore
(copied from another location???).
Do you have a boot.properties? If so, can you remove that?
B
Schelstraete Bart
[email protected]
http://www.schelstraete.org
http://www.linkedin.com/in/bschelst
Maybe you are looking for
-
How to have all my music in one place!!
Hi All My itunes is in a mess!! My original computer broke and the itunes library had some of my cd collection as well as purchases from itunes. I cannot find the back-up discs from this original library, it is however on my old ipod (which hasn't
-
With both ApplyMRU and ApplyMRD, does one commit before the other runs?
This is related to another thread at How to stop insert of new row in tabular form if it's also being deleted I wanted to ask this question separately, however, for broader understanding. I have a tabular form configured so that if a user clicks on "
-
Crystal Report: Items sold by customer
Experts, I am creating a crystal report to return items sold by customer. 1) The report should allows me to choose date range, and if there is no date range selected, it should return all items sold, customer ID and name 2) The report should also let
-
Select all siblings if any child is modified and recalculate qty.
Hi All, I am in a following situation. with sales as select 1025 CUST_ID, '23239D' ITEM_ID, 1 qty_ord, 1 qty_Ship, 1 qty_Cancel, TO_DATE('12/08/2013 09:59:25', 'MM/DD/YYYY HH24:MI:SS') load_ts, TO_DATE('12/08/2013 09:59:25', 'MM/DD/YYYY HH24:MI:
-
How to increase Lion desktop icons more than 128?
Hi everyone, is there a way to increase the size of desktop icons more than 128 px on Lion? I've found these lines of code on the web to run in the terminal but i think they're for previous version of OSX and they didn't work: defaults write com.appl