WL Security realm
All,
Where should we put WL security realm classes for clustering WLS (global or cluster weblogic.properties)? As we know, the WL security realm uses the session to keep information available through the connection cycle; how does WL handle failover to the next available node?
Brian
Hi Steven
1. What you want is totally possible BUT you can have your Users only in one Security Provider. To access bpm/workspace, all the users will be referred in the first top most security provider. So make sure, your AD Authenticator is in the Top Most and also all these providers should be set to SUFFICIENT / OPTIONAL.
These 2 posts below should give more details:
Weblogic administrator account is inactive after enabling DB Authenticator
Re: BPM 11g workspace not show user from OVD - top most authentication provider
Thanks
Ravi Jegga
Similar Messages
-
How to implement a tree like security realm?
Hi all,
I am working on a project. It's a very complex one and, most importantly, there are so many functions (1000 or more), and every function should be a protected resource. So I have to define many roles and map the roles to the many functions. It's a very tiring job, and I am not sure the role-to-function mapping is a stable one, because the mapping is saved in an XML file and this file is deployed with the application, so if there are any changes we have to redeploy the whole application and restart the server.
There's still another problem. We want the security realm to be a tree instead of a flat one (WebLogic's group is a flat one). If we assign a node to a role, all its children belong to the same role.
So is there a way to do this? Any solution?
Regards
daniel wang
Maybe you could exploit the way ACLs have dotted names to reflect your tree structure, so the ACL root applies to all functions, root.branch1 only applies to functions on branch branch1, and root.branch1.branch2 applies to functions on branch2 of branch1. There's an API that gets the most specific ACL given a path to a node.
I'm not sure it's ACLs that you want to correspond to nodes, but maybe you can work out some kind of scheme that gives you what you want.
andrew
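The lookup suggested in the reply above, as an added example that is not part of the thread and does not use the WebLogic ACL API: role grants are keyed by dotted name, the most specific covering name wins, and anything uncovered is denied. The class, method and role names are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical sketch: role checks against a tree expressed as dotted ACL names. */
public class DottedAclTree {
    // ACL name (e.g. "root.branch1") -> roles allowed at that node and below it.
    private final Map<String, Set<String>> acls = new HashMap<>();

    public void grant(String aclName, String... roles) {
        acls.computeIfAbsent(aclName, k -> new HashSet<>()).addAll(Arrays.asList(roles));
    }

    /** Most specific ACL covering the path, or null when nothing covers it. */
    public String mostSpecificAcl(String path) {
        String candidate = path;
        while (candidate != null && !candidate.isEmpty()) {
            if (acls.containsKey(candidate)) {
                return candidate;
            }
            // Drop the last segment. Matching whole segments keeps
            // "root.branch1" from covering "root.branch10".
            int dot = candidate.lastIndexOf('.');
            candidate = (dot < 0) ? null : candidate.substring(0, dot);
        }
        return null;
    }

    /** Default deny: no covering ACL or no matching role means no access. */
    public boolean isAllowed(String path, Set<String> userRoles) {
        String acl = mostSpecificAcl(path);
        if (acl == null) {
            return false;
        }
        return !Collections.disjoint(acls.get(acl), userRoles);
    }

    public static void main(String[] args) {
        DottedAclTree tree = new DottedAclTree();
        // Constructed role assignments; the node names follow the reply above.
        tree.grant("root", "admin");
        tree.grant("root.branch1", "admin", "clerk");
        tree.grant("root.branch1.branch2", "auditor");

        Set<String> clerk = Collections.singleton("clerk");
        String[] functions = {
            "root.branch1.printReport",         // inherits from root.branch1
            "root.branch1.branch2.exportData",  // narrower ACL overrides its parent
            "root.branch10.printReport",        // only "root" covers this one
            "other.function"                    // no ACL at all
        };
        for (String f : functions) {
            System.out.println(f + " -> acl=" + tree.mostSpecificAcl(f)
                    + ", clerk allowed=" + tree.isAllowed(f, clerk));
        }
    }
}
```

Because the most specific name replaces its parent's grants instead of adding to them, a role that must keep access below a narrower node has to be granted there again.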
"daniel" <[email protected]> escribió en el mensaje
news:3d16efc7$[email protected]..
>
hi all:
i am working on a project . it's a very complex one and mostimportantly there's
so many
functions( 1000 or more) and every fuction should be protected resources.so i have
to define many roles and map the roles to the many functions. it's a verytiring
job and
i am not sure the role to function mapping is stable one. because themapping is
saved in
a xml file and this file is depolyed with the application, so if there sany changes
we have to redeploy all the application and restart the server.
there s still another problem. we want security realm to be a treeinstead of
a flat one( weblogic's group is a flat one ) . if we assign a node to arole all
its children
belong to the same role.
so is there way to do this. any solution?
regards
daniel wang -
How to retrieve Global Roles in a the current security realm?
Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
Thanks all...
Message was edited by:
raymondng
You can refer to the API:
http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
-Ramkumar
-
Adding a user to the File Security Realm
Hello,
When I attempt to add a new user to the file realm with Application Server->Security-Realms->file-> Manage Users, I get the error:
A "com.sun.enterprise.tools.guiframework.exception.FrameworkError" was caught. The message from the exception: "Unable to get View for ViewDescriptor 'fileUsers'"
The root cause is "java.lang.ArrayIndexOutOfBoundsException: 0"
See the HTML source for more detailed (stack trace) information.
When I look at the file C:\Sun\AppServer\domains\samples/config/keyfile I see the new user added, but the Admin Console is not happy...
Please advise.
-- POC
There are some issues in the admin GUI for managing the security service in beta.
I have verified that this has been fixed in the FCS branch.
Since the user and password have been written to the keyfile in your scenario, it may be OK.
You can try to use the user. If this is not working, then restarting the server should work.
Another way is to create the user by using the asadmin command. This is working fine in beta.
-
Errors encountered while using a Custom Security Realm on a Platform Domain
Hi,
We have created a WebLogic Platform Domain. A WebLogic Portal application (Portal 7.0) and some Web Service apps are running on this domain.
We have created a Custom Security Realm because of our application requirements, and now when I start up the Platform Domain, I see a lot of errors.
Some of the errors typically are
"<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user: wlisystem, for the servlet: ApplicationView for the webapp: /WLI_AI_Workshop_Control_Web, could not be resolved to a valid user in the system. Please check if the user exists.
javax.security.auth.login.LoginException: Authentication Failed: User wlisystem denied in Realm Adapter realm weblogic"
or
Unable to deploy EJB: wlai-eventprocessor-ejb.jar from wlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException: weblogic.ejb20.interfaces.PrincipalNotFoundException: Authentication Failed: User wlisystem denied in Realm Adapter realm weblogic
Do we have to create any predefined user accounts in the Security Store to get rid of these errors? I would appreciate it if anyone can suggest some tips or workarounds for configuring or creating a Custom Security Realm for a WebLogic Platform Domain.
Thanks
Vikram
Hello Vikram,
Are you using the new WLS 7.0 security framework? It is not supported for Portal 7.0. For Portal 7.0 apps you have to use compatibility mode (6.x style) security.
Ture Hoefner
BEA Systems, Inc.
www.bea.com
-
What is the best way to deploy/update custom security realm classes to WLS 6.0?
From the WLS 6.0 console, I see that I can specify the Java class that implements my custom security realm, but I am wondering what is the best way to deploy/update this code. I don't see a way to do this from the console. Does this mean that I have to manually copy over the class files that implement my custom security realm?
Thanks Danut,
A jar file seems to be a good way to package it up, but it sounds like it still needs to be manually copied to each WebLogic server install directory post-installation and whenever it is updated. I thought it would be nice to be able to deploy/update the custom security realm by uploading it through the Console, just as you can with web applications and EJBs.
Brian
"Danut Prisacaru" <[email protected]> wrote in message news:3aba2db0$[email protected]..
You have to have your Custom Realm class in the class path. I usually have a jar file with all the Custom Realm classes, and I copy that jar into the lib folder. Then I modify "startWebLogic.cmd" and I add ".\lib\CustomRealm.jar" to the classpath:
set CLASSPATH=.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar;.\lib\CustomRealm.jar;
Be aware that in order to have your custom realm, besides creating the custom realm using the console, you also have to create a custom caching and choose that one as your default caching realm.
Here is how the security settings look in my "config.xml":
<CustomRealm Name="CustomRealm"
    RealmClassName="Custom.appserver.weblogic.security.CustomRealm"/>
<CachingRealm BasicRealm="CustomRealm" CacheCaseSensitive="true"
    Name="CustomCachingRealm"/>
<Realm CachingRealm="CustomCachingRealm" FileRealm="wl_default_file_realm"
    Name="wl_default_realm"/>
<FileRealm Name="wl_default_file_realm"/>
<Security GuestDisabled="false"
    Name="mydomain" PasswordPolicy="wl_default_password_policy"
    Realm="wl_default_realm"/>
Danut
-
Authentication via weblogic security realm
My servlet needs to access a session bean. The action in the session bean requires that a user has been authorized, i.e. at some point the session bean calls
String name = d_ctx.getCallerPrincipal().getName();
This name may not be null at this time.
What I would like to have is that the user executing the URL gets authenticated by my server realm 'myrealm' and that the associated principal gets passed to the session bean. Is this possible? If so, how can the user pass along the username and password, as this query is executed programmatically?
markus
http://www.weblogic.com/docs51/classdocs/API_acl.html
Michael Girdley
BEA Systems Inc
"gennot" <[email protected]> wrote in message news:[email protected]..
Could you send me the complete URL of this example, please?
Thanks
Enrico
Michael Girdley <[email protected]> wrote in message 39b87078$[email protected]..
The passing of the client's certificate should be automatic to WebLogic. We have an example of getting the client side certificate from inside of WebLogic in our documentation.
This does not require SSL to be used from the Web server to WebLogic.
Thanks,
Michael
Michael Girdley
BEA Systems Inc
"Bob Simonoff" <[email protected]> wrote in message news:[email protected]..
I have read through the docs and haven't found anything that would address the following confusion:
Suppose I want to use Apache or IPlanet as the webserver with WebLogic as the back end application server (obviously). I have the need to use 2 way SSL authentication. As I understand it, the following applies:
Client (browser) has a certificate, as does the web server. They authenticate each other.
Now, the web server and WebLogic need to communicate. WebLogic, in our environment, does authentication via the security realm.
What do I have to do to get the web server (Apache or IPlanet) to communicate the client's certificate to WebLogic so that WebLogic can perform the authentication?
Does the communication between the web server and WebLogic also need to be SSL?
Thanks
Bob Simonoff
-
Using WebLogic 7.0, I have an LDAP security realm set up with the LDAP URL and the admin's user name and password. I want to be able to interface with this connection to access the LDAP and make changes to user information within the LDAP. Right now, in my code, I make a connection to the LDAP and supply the same user name and password set up in the LDAP security realm. Rather than re-supplying the URL, user name and password in my code, I want to be able to just get the connection to the LDAP that is configured in the Security Realm (or create a connection similar to a JDBC connection pool). Is this possible? And how would I go about it if so?
Thanks
Sjb
The LDAPConnection pool which is used by the WLS realm is not accessible to the public for programming.
thanks
kiran
-
BEA-090078 User ovowl in security realm myrealm has had 5 invalid login
Hi,
I created a new domain for 10.3.4.0. There are two default users, weblogic and OracleSystemUser. But in the admin stdout log file, the error below appears continuously:
<XXXXXXXXX> <Notice> <Security> <BEA-090078> <User ovowl in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
Can you please let me know where I can find the ovowl user in the WebLogic domain?
Thanks.
My guess is this user "ovowl" doesn't exist at all.
I have tried logging into the console 5 times with a non-existing username, and I got the same error:
<17-May-2011 16:10:32 o'clock CEST> <Notice> <Security> <BEA-090078> <User weblogic1 in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
but there is no user "weblogic1".... -
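A way to triage the BEA-090078 notices discussed in the thread above, as an added example that is not part of the thread: it counts lockout notices per user and realm and marks names that are not among the accounts the poster says exist. The class name, the sample log lines and their timestamps are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: summarize BEA-090078 lockout notices in a server log. */
public class LockoutNotices {
    private static final Pattern LOCKOUT = Pattern.compile(
            "<BEA-090078> <User (\\S+) in security realm (\\S+) has had (\\d+) "
            + "invalid login attempts, locking account for (\\d+) minutes\\.>");

    /** Returns "user@realm" -> number of lockout notices, sorted by key. */
    public static Map<String, Integer> countLockouts(List<String> lines) {
        Map<String, Integer> counts = new TreeMap<>();
        for (String line : lines) {
            Matcher m = LOCKOUT.matcher(line);
            if (m.find()) {
                counts.merge(m.group(1) + "@" + m.group(2), 1, Integer::sum);
            }
        }
        return counts;
    }

    public static void main(String[] args) {
        // Constructed sample lines in the format quoted in the thread above.
        // Entries wrapped across lines in the log must be rejoined first.
        String tail = " in security realm myrealm has had 5 invalid login attempts,"
                + " locking account for 30 minutes.>";
        List<String> log = Arrays.asList(
            "<17-May-2011 16:10:32 o'clock CEST> <Notice> <Security> <BEA-090078> <User ovowl" + tail,
            "<17-May-2011 16:40:35 o'clock CEST> <Notice> <Security> <BEA-090078> <User ovowl" + tail,
            "<17-May-2011 17:02:10 o'clock CEST> <Notice> <Security> <BEA-090078> <User weblogic" + tail,
            "<17-May-2011 17:05:00 o'clock CEST> <Info> <Security> <constructed unrelated entry>");

        // The two accounts the poster says exist in the new domain.
        Set<String> knownUsers = new HashSet<>(Arrays.asList("weblogic", "OracleSystemUser"));

        for (Map.Entry<String, Integer> e : countLockouts(log).entrySet()) {
            String user = e.getKey().substring(0, e.getKey().lastIndexOf('@'));
            String note = knownUsers.contains(user)
                    ? "existing account locked out"
                    : "name not defined in the realm";
            System.out.println(e.getKey() + ": " + e.getValue() + " lockout(s), " + note);
        }
    }
}
```

A name that keeps reappearing without being defined in the realm points to some client retrying with stale or wrong credentials, which is the situation both posters describe.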
Hi,
Our goal is to use LDAP (Iplanet Directory Server 5.0) as a security realm for WebLogic Personalization and Commerce 3.5.
Using the WLCS console, I've modified the config.xml file, and the following elements were added:
<LDAPRealm AuthProtocol='simple' Credential='admin'
    GroupDN='ou=groups,dc=netnumina,dc=com' GroupIsContext='false'
    GroupUsernameAttribute='uniquemember'
    LDAPURL='ldap://sanand.netnumina.com:389' Name='wlcsLDAPRealm'
    Principal='uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot'
    UserAuthentication='local' UserDN='ou=people,dc=netnumina,dc=com'
    UserNameAttribute='uid'/>
<CachingRealm BasicRealm='wlcsLDAPRealm' CacheCaseSensitive='true'
    Name='wlcsCachingRealm'/>
But when we try to restart the WLCS, it throws Java exceptions that the context is not initialized, and I get the following error:
<Jun 15, 2001 3:41:28 PM EDT> <Emergency> <Server> <Unable to initialize the server: 'Fatal initialization exception
Throwable: weblogic.security.ldaprealm.LDAPException: could not get context - with nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]
weblogic.security.ldaprealm.LDAPException: could not get context - with nested exception:
I tried using Windows NT as a security realm, but that gave me errors too.
Does anyone have any experience using anything other than the default realm?
Any help would be appreciated. Thanks!
Asim Raja
[email protected]
I'm not sure, but I suspect you can't, since this would create a circular dependency - your realm would rely on the upper level security checking calls, but those calls would rely on your realm.
My suggestion is to give it a try and see what happens.
-Tom
Ozcan ADIYAMAN <[email protected]> wrote:
Hi,
I am implementing a simple custom security realm using LDAP as the security store, and I can see the users, groups and ACLs from the admin console.
My question is (a custom realm newbie question):
Is it possible to use weblogic.security.acl.Security with my custom realm to check permissions, get the current user, etc.,
OR
is this class ONLY used with default realms (when the ACL is stored in a file)?
Thanks
Ozcan
-
How to create default groups in Weblogic- Security Realms -- Groups
Hi Team,
Unfortunately I have deleted some default groups from WebLogic -> Security Realms --> Groups. How do I add the groups back?
Regards,
Ravi.
Hi Ravi,
These are the default groups present inside Security Realms. You can manually create them by going to Security Realms --> Users and Groups --> Groups --> New:
Administrators - Administrators can view and modify all resource attributes and start and stop servers. - DefaultAuthenticator
Deployers - Deployers can view all resource attributes and deploy applications. - DefaultAuthenticator
Monitors - Monitors can view and modify all resource attributes and perform operations not restricted by roles. - DefaultAuthenticator
Operators - Operators can view and modify all resource attributes and perform server lifecycle operations. - DefaultAuthenticator
Restart the Admin Server.
Regards
FAbian
-
Unable to use a custom security realm with Netscape Directory Server in WebLogic 7
I have all users and groups stored in a Netscape LDAP server (version 4.1.6 on Solaris 8), so I want to create a custom security realm in WebLogic 7 (also run on Solaris 8) which uses my LDAP server as the Authenticator. I tried this by using the Admin Console and followed exactly the steps in Chapter 3 of the "Managing WebLogic Security" doc. However, when I rebooted WebLogic, logged into the Admin Console again and clicked the Users node under my custom realm, I saw this message in the right-hand pane: "There are no Authentication providers available that support the creation of Users". Also, I don't see my custom realm in the dropdown list under mydomain -> Security tab -> General tab -> Default Realm.
What did I do wrong? Also, where does WebLogic store the custom security realm info? It is definitely not in config.xml.
Thanks,
Eric Ma
Thanks for the info.
I wonder when they will fix it.
Jakub
"Eric Ma" <[email protected]> wrote in message news:[email protected]..
According to BEA Tech Support, a known bug prevents the WLS 7 Admin Console from displaying users and groups defined in Netscape Directory Server.
Eric Ma
"Jakub Wroniszewski" <[email protected]> wrote:
I have the same problem.
Any new ideas?
Rgds,
Jakub
"Eric Ma" <[email protected]> wrote in message news:[email protected]..
Now I doubt my custom security realm is actually using the Netscape Directory Server as the authenticator. Unlike in the WebLogic 6.1 Admin Console, where clicking on the Users node displays all users in the LDAP server, in WebLogic 7 I keep getting the message "There are no Authentication providers available that support the creation of Users." Any suggestions?
"Eric Ma" <[email protected]> wrote:
Never mind. I tried again by following the steps outlined at
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.security&item=8463&utag=
and it seemed to have worked for me.
-
I don't remember how I did it. Somehow I made myself a 'file' based realm (named file) and then set this in weblogic-application.xml:
<security>
<realm-name>file</realm-name>
</security>
and I remember that that was it...
But now it gives me weblogic.security.service.InvalidParameterException: [Security:090396]Security Realm file does not exist ...
If I do the same thing with the default myrealm, it works... I don't remember setting the file realm as default...
Do you know how I can change the realm for my application?
Thanks
Thanks Vishnu,
I did a stupid thing: I added SQLAuthenticator to the default and the DB instance is down ... now I have to manually remove it from config.xml
-
BEA WebLogic 8.1 server not booting after adding a security realm
Hi,
I have added my own security realm for BEA WebLogic Server 8.1.
However, when I try to boot the server using this realm, it simply hangs. I cannot take thread dumps, as the server Java process does not respond to "kill -3 PID" (after the server has hung).
When I looked at the server log file, I observed that the server had hung after initializing the IIOP subsystem.
I have attached herewith the following 3 files:
1. config.xml (the server config file after adding the entry for my security realm)
2. default_realm.log (the server log file when booted through the default realm)
3. netpoint_realm.log (the server log file when booted through my realm).
Is there any way I can debug where exactly the server is hanging?
Thanks and Regards,
Abhinay
[BEA_Files.zip]
Is it the admin server or a managed server which is not starting?
Mir
-
OWSM security for a OSB service- authenticate from weblogic security realms
Hello,
I have a requirement to add security to a OSB service.
The user details are configured in WebLogic security realms. Let's say there are ten different users.
I need to protect my osb service using OWSM policy & the policy should be configured to authenticate the user from realms.
I am new to OWSM & wondering if this is possible?
Can the experts please direct me to any docs or steps?
Thanks
Ganesh
Hi,
Thanks for the links.
I followed the blog and configured it using oracle/wss_username_token_service_policy.
Now my requirement is to send the username and password from proxy to business and to the BPEL (the BPEL needs this username/password, and in the header).
The issue I am facing is that the proxy service is not sending the SOAP header details to the business service.
I don't want to make the proxy a passthrough (i.e. set Process WS-Security Header to NO).
I have to authorize at the proxy level and then send the same credential details to the business service.
So the question is, how can I retrieve the header after OSB processes it?
Can anyone please help me here?
Thanks
Ganesh
-
How to configure security realm for Active Directory ?
Hi,
Can anybody suggest how to configure a security realm in WebLogic 8.1?
I have a simple login page where the user can enter his credentials, and I have MS Active Directory where we maintain all users.
Users who log into the web application have to be authenticated from Active Directory.
Please suggest what steps we need to follow.
Thanks in advance
Hi Sankar,
You can log in to the WebLogic Server admin console and create a new realm.
Once you have created the realm, you can add the authentication provider. You add the Active Authentication Provider. But you must have the configuration information of MS AD. You can read my blog http://dev2dev.bea.com/blog/bishnu_kumar/ where the integration is with iPlanet LDAP. The steps will be similar.
You must have a login portlet in your portal application, and that should be in accordance with J2EE security standards. For example, you may use basic authentication or the userlogin control or the p13n API.
Regards
Bishnu