WL Security realm

Similar Messages

• How to implement a tree like security realm?

  hi all:
  i am working on a project . it's a very complex one and most importantly there's
  so many
  functions( 1000 or more) and every fuction should be protected resources. so i have
  to define many roles and map the roles to the many functions. it's a very tiring
  job and
  i am not sure the role to function mapping is stable one. because the mapping is
  saved in
  a xml file and this file is depolyed with the application, so if there s any changes
  we have to redeploy all the application and restart the server.
  there s still another problem. we want security realm to be a tree instead of
  a flat one( weblogic's group is a flat one ) . if we assign a node to a role all
  its children
  belong to the same role.
  so is there way to do this. any solution?
  regards
  daniel wang

  maybe you could exploit the way ACLs have dotted names to reflect your tree
  structure, so the acl root applies to all functions, root.branch1 only
  applies to functions on branch branch1, and root.branch1.branch2 applies to
  functions on branch2 of branch1. there´s an api that gets the most specific
  acl given a path to a node.
  i'm not it´s acls that you want to correspond to nodes, but maybe you can
  work out some kind of scheme that gives you what you want.
  andrew
  "daniel" <[email protected]> escribió en el mensaje
  news:3d16efc7$[email protected]..
  >
  hi all:
  i am working on a project . it's a very complex one and mostimportantly there's
  so many
  functions( 1000 or more) and every fuction should be protected resources.so i have
  to define many roles and map the roles to the many functions. it's a verytiring
  job and
  i am not sure the role to function mapping is stable one. because themapping is
  saved in
  a xml file and this file is depolyed with the application, so if there sany changes
  we have to redeploy all the application and restart the server.
  there s still another problem. we want security realm to be a treeinstead of
  a flat one( weblogic's group is a flat one ) . if we assign a node to arole all
  its children
  belong to the same role.
  so is there way to do this. any solution?
  regards
  daniel wang

• How to retrieve Global Roles in a the current security realm?

  Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
  I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
  Thanks all...
  Message was edited by:
  raymondng

  You can refer to the api
  http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
  -Ramkumar

• Adding a user to the File Security Realm

  Hello,
  When I attempt to add a new user to the file realm with Application Server->Security-Realms->file-> Manage Users, I get the error:
  A "com.sun.enterprise.tools.guiframework.exception.FrameworkError" was caught. The message from the exception: "Unable to get View for ViewDescriptor 'fileUsers'"
  The root cause is "java.lang.ArrayIndexOutOfBoundsException: 0"
  See the HTML source for more detailed (stack trace) information.
  When I look at the file C:\Sun\AppServer\domains\samples/config/keyfile I see the new user added, but the Admin Console is not happy...
  Please advise.
  -- POC

  There are some issues in admin gui for managing security service in beta.
  I have verified that this has been fixed in FCS branch.
  Since the user and password has been written to keyfile in your scenario, it may be OK.
  You can try to use the user. If this is not working, then restarting the server should work.
  Another way is to create user by using asadmin command. This is working fine in beta.

• Errors encountered while using a Custom Security Realm on a Platform Domain

  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portal application(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our application requirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user: wlisystem,
  for the servlet: ApplicationView for the webapp: /WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if the user
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: User wlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar from wlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: Authentication Failed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store to get
  rid of these errors. I would appreciate if anyone can suggest some tips or workarounds
  for configuring or creating a Custom Security Realm for Web Logic Platform Domain.
  Thanks
  Vikram

  Hello Vikram,
  Are you using the new WLS 7.0 security framework? It is not supported for
  Portal 7.0. For Portal 7.0 apps you have to use compatibility mode (6.x
  style) security.
  Ture Hoefner
  BEA Systems, Inc.
  www.bea.com
  "Vikram Datla" <[email protected]> wrote in message
  news:3e273015$[email protected]..
  >
  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portalapplication(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our applicationrequirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user:wlisystem,
  for the servlet: ApplicationView for the webapp:/WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if theuser
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: Userwlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar fromwlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: AuthenticationFailed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store toget
  rid of these errors. I would appreciate if anyone can suggest some tips orworkarounds
  for configuring or creating a Custom Security Realm for Web Logic PlatformDomain.
  >
  Thanks
  Vikram

• What is the best way to deploy/update custom security realm classes to WLS 6.0?

  From the WLS 6.0 console, I see that I can specify the Java class that
  implements my custom security realm but I am wondering what is the best way
  to deploy/update this code. I don't see a way to do this from the console.
  Does this mean that I have to manually copy the class files over that
  implement my custom security realm?

  Thanks Danut,
  A jar file seems to be a good way to package it up but it sounds like it
  still needs to be manually copied to each Weblogic server install directory
  post-installation and whenever it is updated. I thought it would be nice to
  be able to deploy/update the custom security realm by uploading it through
  the Console just as you can with web applications and EJBs.
  Brian
  "Danut Prisacaru" <[email protected]> wrote in message
  news:3aba2db0$[email protected]..
  You have to have your Custom Realm class in the class path. I usually havea
  jar file with all the Custom Realm classes and that jar I copy it in thelib
  folder. Then I modify "startWebLogic.cmd" and I add to the classpath
  ".\lib\CustomRealm.jar"
  set
  CLASSPATH=.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar;.\lib\CustomRealm.jar;
  >
  Be aware that in order to have you custom realm besides creating thecustom
  realm using the console you also have to create a custom caching andchoose
  that one as your default caching realm.
  Here is how the security settings are looking in my "config.xml"
  <CustomRealm Name="CustomRealm"
  RealmClassName="Custom.appserver.weblogic.security.CustomRealm"/>
  <CachingRealm BasicRealm="CustomRealm" CacheCaseSensitive="true"
  Name="CustomCachingRealm"/>
  <Realm CachingRealm="CustomCachingRealm" FileRealm="wl_default_file_realm"
  Name="wl_default_realm"/>
  <FileRealm Name="wl_default_file_realm"/>
  <Security GuestDisabled="false"
  Name="mydomain" PasswordPolicy="wl_default_password_policy"
  Realm="wl_default_realm"/>
  Danut

• Authentication via weblogic security realm

            My servlet needs to access a session bean. The action in the session bean requires
            that a user has been authorized, i.e. at some point the session been calls
            String name = d_ctx.getCallerPrincipal().getName()
            This name may not be null at this time.
            What I would like to have is that the user executing the URL gets authenticated
            by my server realm 'myrealm' and that the associated prinicpal gets passed to
            the session bean. Is this possible. If so, how can the user pass along the username
            and password as this query is executed programmatically?
            markus
            

  http://www.weblogic.com/docs51/classdocs/API_acl.html
  Michael Girdley
  BEA Systems Inc
  "gennot" <[email protected]> wrote in message
  news:[email protected]..
  Could you send me the complete URL of these example, please?
  Thanks
  Enrico
  Michael Girdley <[email protected]> wrote in message
  39b87078$[email protected]..
  The passing of the client's certificate should be automatic to WebLogic.We
  have an example of getting the client side certificate from inside of
  WebLogic in our documentation.
  This does not require for SSL to be used from the Web server to
  WebLogic.
  >>
  Thanks,
  Michael
  Michael Girdley
  BEA Systems Inc
  "Bob Simonoff" <[email protected]> wrote in message
  news:[email protected]..
  I have read through the docs and haven't found anything that would
  address
  the following confusion:
  Suppose I want to use Apache or IPlanet as the webserver with WebLogicas
  the back end application server (obviously). I have the need to use 2way
  SSL authentication. As I understand it the following applies:
  Client (browser) has a certificate as does the web server. Theyauthenticate
  each other.
  Now, the web server and weblogic need to communicate. WebLogic, in our
  environment does authentication via the security realm.
  What do I have to do to get the the web server (Apache or IPlanet) to
  communicate the client's certificate to WebLogic so the WebLogic canperform
  the authentication?
  Does the communication between the web server and WebLogic also need
  to
  be
  SSL?
  Thanks
  Bob Simonoff

• LDAP Security Realm

  Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URL admins
  user name and password. I want to be able to interface this connection to access
  the LDAP and make changes to user information within in the ldap. Right now in
  my code I make a connection to the LDAP and supply the same user name and password
  set up in the LDAP security realm. I want to be able to rather then re-supply
  the URL and user name and password in my code I want to be able to just get that
  (or create a connection simil;ar to a jdbc connection pool) connection to the
  LDAP that configured in the Security Realm. Is this possible? And how would I
  go about it if so?
  Thanks
  Sjb

  the LDAPConnection pool which is used WLS Realm is not accessible to public
  for programming.
  thanks
  kiran
  "Sjb" <[email protected]> wrote in message
  news:3f5744c1$[email protected]..
  >
  Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URLadmins
  user name and password. I want to be able to interface this connection toaccess
  the LDAP and make changes to user information within in the ldap. Rightnow in
  my code I make a connection to the LDAP and supply the same user name andpassword
  set up in the LDAP security realm. I want to be able to rather thenre-supply
  the URL and user name and password in my code I want to be able to justget that
  (or create a connection simil;ar to a jdbc connection pool) connection tothe
  LDAP that configured in the Security Realm. Is this possible? And howwould I
  go about it if so?
  Thanks
  Sjb

• BEA-090078 User ovowl in security realm myrealm has had 5 invalid login

  Hi,
  I created new domain for 10.3.4.0. there are two default users weblogic and OracleSystemUser. But in admin stdoutlog file, there are continuous below errors
  <XXXXXXXXX> <Notice> <Security> <BEA-090078> <User ovowl in security realm myrealm has had 5 invalid login attempts, locking account for 30
  minutes.>
  can you pls let me know where can i find ovowl user in weblogic domain.
  Thanks.

  my guess is this user "ovowl" doesn't exist at all.
  I have tried logging into the console for 5 times with a non existing username, and I got the same error:
  <17-May-2011 16:10:32 o'clock CEST> <Notice> <Security> <BEA-090078> <User weblogic1 in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
  but there is no user "weblogic1"....

• Using LDAP as security realm

  Hi,
  Our goal is to use LDAP(Iplanet Directory Server 5.0) as a security Realm
  for Weblogic Personalization and Commerce 3.5.
  Using the WLCS console, I've modified the config.xml file and following
  elements are added:
  <LDAPRealm AuthProtocol='simple' Credential='admin'
  GroupDN='ou=groups,dc=netnumina,dc=com' GroupIsContext='false'
  GroupUsernameAttribute='uniquemember'
  LDAPURL='ldap://sanand.netnumina.com:389' Name='wlcsLDAPRealm'
  Principal='uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot'
  UserAuthentication='local' UserDN='ou=people,dc=netnumina,dc=com'
  UserNameAttribute='uid'/>
  <CachingRealm BasicRealm='wlcsLDAPRealm' CacheCaseSensitive='true'
  Name='wlcsCachingRealm'/>
  But when we try to restart the WLCS, it throws java exceptions that context
  is not initialized and I get the following error
  <Jun 15, 2001 3:41:28 PM EDT> <Emergency> <Server> <Unable to initialize the
  ser
  ver: 'Fatal initialization exception
  Throwable: weblogic.security.ldaprealm.LDAPException: could not get
  context - wi
  th nested exception:
  [java.lang.reflect.InvocationTargetException - with target exception:
  [javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
  Credential
  s]]]
  weblogic.security.ldaprealm.LDAPException: could not get context - with
  nested e
  xception:
  I tried using Windows NT as a security realm but that gave me errors too.
  Does anyone has any experience using anything other than the default Realm?
  Any help would be appreciated. Thanks!
  Asim Raja
  [email protected]

  I'm not sure, but I suspect you can't
  since this would create a circular dependency -
  your realm would rely on the upper level security
  checking calls but those calls would rely on your
  realm.
  My suggestion is to give it a try and see what
  happens.
  -Tom
  Ozcan ADIYAMAN <[email protected]> wrote:
  Hi ,
  I am implementing a simple custom security realm using LDAP as the
  security store and I can see the users, groups and acls from the admin
  console.
  My question is (a custom realm newbie question) ;
  Is it possible to use weblogic.security.acl.Security with my custom
  realm to check permissions, get the current user,etc.,
  OR
  is this class ONLY used with default realms (when ACL is stored in a
  file) ?
  Thanks
  Ozcan

• How to create default groups in Weblogic- Security Realms -- Groups

  Hi Team,
  Unfortunately I have deleted some default groups from Weblogic->Security Realms --> Groups. How to add the groups.
  Regards,
  Ravi.

  Hi Ravi,
  These are the defaults groups present inside Security Realms ,you can manually create them by
  Going inside Security Realms-->Users and Groups-->Groups-->New
  Administrators----Administrators can view and modify all resource attributes and start and stop servers-----------------------DefaultAuthenticator
  Deployers---------Deployers can view all resource attributes and deploy applications.---------------------------------------------DefaultAuthenticator
  Monitors-----------Monitors can view and modify all resource attributes and perform operations not restricted by roles.------DefaultAuthenticator
  Operators---------Operators can view and modify all resource attributes and perform server lifecycle operations.-------------DefaultAuthenticator
  Restart the Admin Server
  Regards
  FAbian

• Unable to use a custom security realm with Netscape Directory Server in WebLogic 7

  I have all users and groups stored in a Netscape LDAP server (version 4.1.6 on
  Solaris 8), so I want to create a custom security realm in WebLogic 7 (also run
  on Solaris 8) which uses my LDAP server as the Authenticator. I tried this by
  using the Admin Console and followed exactly the steps in Chapter 3 of the "Managing
  WebLogic Security" doc. However, when I rebooted WebLogic and logged into the
  Admin Console again and clicked the Users node under my custom realm, I saw this
  message in the right-hand pane: "There are no Authentication providers available
  that support the creation of Users". Also, I don't see my custom realm in the
  dropdown list under mydomain -> Security tab -> General tab -> Default Realm.
  What did I do wrong? Also, where does WebLogic store the custom security realm
  info? It is definitely not in config.xml.
  Thanks,
  Eric Ma

  Thanks for the info.
  I wonder when they will fix it.
  Jakub
  U¿ytkownik "Eric Ma" <[email protected]> napisa³ w wiadomo¶ci
  news:[email protected]..
  >
  According to BEA Tech Support, a known bug prevents the WLS 7 AdminConsole from
  displying users and groups defined in Netscape Directory Server.
  Eric Ma
  "Jakub Wroniszewski" <[email protected]> wrote:
  I have the same problem.
  Any new ideas?
  Rgds,
  Jakub
  U¿ytkownik "Eric Ma" <[email protected]> napisa³ w wiadomo¶ci
  news:[email protected]..
  Now I doubt my custom security realm is actually using the NetscapeDirectory Server
  as the authenticator. Unlike in WebLogic 6.1 Admin Console, whereclicking on
  the Users node displays all users in the LDAP server, in WebLogic 7I keep
  getting
  the message "There are no Authentication providers available that
  support
  the
  creation of Users." Any suggestions?
  "Eric Ma" <[email protected]> wrote:
  Never mind. I tried again by following the steps outlined at
  http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.deve
  l
  oper.interest.security&item=8463&utag=
  and it seemed to have worked for me.
  "Eric Ma" <[email protected]> wrote:
  I have all users and groups stored in a Netscape LDAP server (version
  4.1.6 on
  Solaris 8), so I want to create a custom security realm in WebLogic7
  (also run
  on Solaris 8) which uses my LDAP server as the Authenticator. I
  tried
  this by
  using the Admin Console and followed exactly the steps in Chapter3
  of
  the "Managing
  WebLogic Security" doc. However, when I rebooted WebLogic and logged
  into the
  Admin Console again and clicked the Users node under my custom realm,
  I saw this
  message in the right-hand pane: "There are no Authentication
  providers
  available
  that support the creation of Users". Also, I don't see my customrealm
  in the
  dropdown list under mydomain -> Security tab -> General tab ->
  Default
  Realm.
  What did I do wrong? Also, where does WebLogic store the customsecurity
  realm
  info? It is definitely not in config.xml.
  Thanks,
  Eric Ma

• Use another security realm

  I don't remember how have I done it. Somehow I made me a 'file' based realm (name file) and then set in weblogic-application.xml
    <security>
    <realm-name>file</realm-name>
    </security>and I remember that that was it...
  but now... it gives me weblogic.security.service.InvalidParameterException: [Security:090396]Security Realm file does not exist ...
  If i do the same thing with the defaul myrealm it works... I don't remember setting the file realm as default...
  Do you know how can I change the realm for my application?
  Thanks

  Thanks Vishnu,
  I made a stupid thing I added SQLAuthenticator to the default and the db instance is down ... now I have to manually remove it from config.xml

• BEA WebLogic 8.1 server not booting after adding a security realm

  Hi,
  I have added my own security realm for BEA WebLogic Server 8.1.
  However, when I try to boot the server using this realm, it simply hangs. I cannot
  take thread dumps as the server java process does not respond to "kill -3 PID"
  (after the server has hung).
  When I looked at the server log file, I observed that the server had hung after
  initializing the IIOP subsystem.
  I have attached herewith the following 3 files:
  1. config.xml (the server config file after adding entry for my security realm)
  2. default_realm.log (the server log file when booted through the default realm)
  3. netpoint_realm.log (the server log file when booted through my realm).
  Is there any way, I can debug where the server is exactly hanging?
  Thanks and Regards,
  Abhinay
  [BEA_Files.zip]

  is it admin server or Managed server which isnot starting?
  Mir

• OWSM security for a OSB service- authenticate from weblogic security realms

  Hello,
  I have a requirement to add security to a OSB service.
  The user details are configured in weblogic security realms. lets say there are ten different users.
  I need to protect my osb service using OWSM policy & the policy should be configured to authenticate the user from realms.
  I am new to OWSM & wondering if this is possible?
  Can the experts please direct me to any docs or steps?
  Thanks
  Ganesh

  Hi,
  Thanks for the links.
  I followed the blog and configured it using oracle/wss_username_token_service_policy.
  Now my requirement is to send the username,password from proxy to business and to the BPEL. (the bpel needs this username /password & and in header)
  The issue I am facing is the proxy service is not sending the soap header details to business service.
  I dont want to make the proxy as passthrough. (ie set Process WS-Security Header to NO)
  I have to authorize on proxy level and then send the same credential details to business service?
  So the question is, how can I retrieve the header after osb process it?
  Can anyone please help me here?
  Thanks
  Ganesh

• How to configure security realm for Active Directory ?

  Hi,
  Can any body suggest how to configure security realm in weblogic 8.1
  I have simple login page where in user can enter his credentials, and i have MS-Active Directory where we maintain all users.
  users who loged into web application has to be authenticated from Active Directory.
  please suggest what are the steps that we need to follow
  thanks in advance

  Hi Sankar,
  You can login to the weblogic server admin console and create a new realm.
  Once you have created the realm you can add the authentication provider.You add the Active Authentication Provider.But you must have the the configuration inforamation of MS AD.You can read my blog http://dev2dev.bea.com/blog/bishnu_kumar/
  where the integration is with iPlanet LDAP.Steps will be similar.
  You must have a login portlet in your portal application and that should have been in accordance with j2ee security standards.For example you may use basic authentication or userlogin control or p13n API
  Regards
  Bishnu