WL51: Custom RDBMS realm interactions with CachingRealm
I think I partially understand the interactions between a CachingRealm and a
custom RDBMS realm (extending from ManageableRealm->AbstractListableRealm).
One thing that confuses me is how to deal with FlatGroups that contain other
groups.
Suppose I use the first constructor of FlatGroup which defers the loading of
members until a method is invoked. When my root group, "everyone" (of which
all other groups ultimately belong to), is called to test membership of a
user, each level in the group tree will be successively loaded since the
members weren't pre-loaded. This sounds like it could be terribly slow,
depending on the depth and width of the group tree.
One optimization being considered is to pre-load each group with its
immediate members. As each child group is added to its parent, it would
recursively be adding its children. Thus, "everyone" would have a full tree
of groups inside of it. However, having been explicitly loaded by the custom
realm, they weren't pulled through the cache. The entire tree is present,
but not accessible except through the "everyone" group.
Is there a way to load these groups into the cache pro-actively so that the
loading of a group and its children can be optimized (perhaps even using a
connect by, if not using at least a single database call)?
Regards,
Brian.
Hi.
Try posting this in the security newsgroup.
Regards,
Michael
Michael Young
Developer Relations Engineer
BEA Support
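The single-call tree load asked about above, as an added example that is not part of the original thread and not BEA's code. It assumes a groupmembers(gm_group, gm_member) table shaped like the sample RDBMS realm schema quoted further down this page, uses a standard recursive query in SQLite as a stand-in for Oracle's CONNECT BY, and all function names are hypothetical; wiring the result into FlatGroup or CachingRealm is not shown.

```python
import sqlite3

# Constructed sample rows: (group, member). A member may be a user or another group.
SAMPLE_ROWS = [
    ("everyone", "staff"),
    ("everyone", "partners"),
    ("staff", "engineering"),
    ("staff", "alice"),
    ("engineering", "bob"),
    ("engineering", "staff"),   # deliberate cycle: engineering -> staff -> engineering
    ("partners", "carol"),
    ("contractors", "dave"),    # not nested under "everyone"
]

# One statement walks the whole tree below the root group.
# UNION (not UNION ALL) drops rows already produced, so a membership
# cycle cannot make the recursion run forever.
TREE_QUERY = """
WITH RECURSIVE tree(gm_group, gm_member) AS (
    SELECT gm_group, gm_member FROM groupmembers WHERE gm_group = ?
    UNION
    SELECT g.gm_group, g.gm_member
    FROM groupmembers AS g
    JOIN tree AS t ON g.gm_group = t.gm_member
)
SELECT gm_group, gm_member FROM tree
"""


def build_sample_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE groupmembers (gm_group TEXT, gm_member TEXT)")
    conn.executemany("INSERT INTO groupmembers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def load_group_tree(conn, root):
    """Return {group name: set of direct members} for root and every nested group.

    Every nested group becomes its own entry keyed by name, so it can be
    looked up directly instead of only being reachable through the root.
    """
    groups = {root: set()}
    for group, member in conn.execute(TREE_QUERY, (root,)):
        groups.setdefault(group, set()).add(member)
    return groups


def is_member(groups, group, principal):
    """Transitive membership test over the preloaded map, with no further queries."""
    seen = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:          # already visited: guards against cycles
            continue
        seen.add(current)
        members = groups.get(current, ())
        if principal in members:
            return True
        # Only names that are themselves groups need to be descended into.
        stack.extend(m for m in members if m in groups)
    return False


if __name__ == "__main__":
    db = build_sample_db()
    tree = load_group_tree(db, "everyone")
    for name in sorted(tree):
        print(name, sorted(tree[name]))
    print("bob in everyone:", is_member(tree, "everyone", "bob"))
    print("dave in everyone:", is_member(tree, "everyone", "dave"))
```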
Similar Messages
-
Is RDBMS Realm industrial-strength?
I can see that several people are using RDBMS Realm, which started out as an
example. Is the version shipped with WLS 6.0 reliable and robust? Is it
suitable for a commercial application?
The RDBMS Realm shipped with WLS is a sample.
It is not industrial strength. For example,
the schema is string based and pretty slow.
Also, it doesn't support adding new groups or
acls via the console.
-Tom
-
Unable to use a custom security realm with Netscape Directory Server in WebLogic 7
I have all users and groups stored in a Netscape LDAP server (version 4.1.6 on
Solaris 8), so I want to create a custom security realm in WebLogic 7 (also run
on Solaris 8) which uses my LDAP server as the Authenticator. I tried this by
using the Admin Console and followed exactly the steps in Chapter 3 of the "Managing
WebLogic Security" doc. However, when I rebooted WebLogic and logged into the
Admin Console again and clicked the Users node under my custom realm, I saw this
message in the right-hand pane: "There are no Authentication providers available
that support the creation of Users". Also, I don't see my custom realm in the
dropdown list under mydomain -> Security tab -> General tab -> Default Realm.
What did I do wrong? Also, where does WebLogic store the custom security realm
info? It is definitely not in config.xml.
Thanks,
Eric Ma
Thanks for the info.
I wonder when they will fix it.
Jakub
User "Eric Ma" <[email protected]> wrote in message
news:[email protected]..
According to BEA Tech Support, a known bug prevents the WLS 7 Admin Console from
displaying users and groups defined in Netscape Directory Server.
Eric Ma
"Jakub Wroniszewski" <[email protected]> wrote:
I have the same problem.
Any new ideas?
Rgds,
Jakub
User "Eric Ma" <[email protected]> wrote in message
news:[email protected]..
Now I doubt my custom security realm is actually using the Netscape Directory Server
as the authenticator. Unlike in WebLogic 6.1 Admin Console, where clicking on
the Users node displays all users in the LDAP server, in WebLogic 7 I keep
getting the message "There are no Authentication providers available that
support the creation of Users." Any suggestions?
"Eric Ma" <[email protected]> wrote:
Never mind. I tried again by following the steps outlined at
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.security&item=8463&utag=
and it seemed to have worked for me.
-
Creating Users with RDBMS realm
"I am currently creating new users in the RDBMS realm by an EJB that inserts into
Originally posted by [email protected]:
Ralf,
Your syntax looks right so it might be something else. Could you please post the full example and I'll try it out here.
Sure:
<?xml version = '1.0' standalone = 'yes'?>
<SimpleUser>
<UserName>eclark</UserName>
<Password>ifs</Password>
<DistinguishedNameSuffix>.ambiguity.com</DistinguishedNameSuffix>
<AdminEnabled>false</AdminEnabled>
<HomeFolderRoot>/home</HomeFolderRoot>
<EmailAddressSuffix>@ambiguity.com</EmailAddressSuffix>
<PrimaryUserProfileAcl refType="name">Private</PrimaryUserProfileAcl>
</SimpleUser>
Without the PrimaryUserProfileAcl-Tag, the example works fine and the user is created; but when including the tag, I get the 21000-Error. Our iFS-version is 1.0.8, maybe it's a bug that is fixed in version 1.1? -
What is the best way to deploy/update custom security realm classes to WLS 6.0?
From the WLS 6.0 console, I see that I can specify the Java class that
implements my custom security realm but I am wondering what is the best way
to deploy/update this code. I don't see a way to do this from the console.
Does this mean that I have to manually copy the class files over that
implement my custom security realm?
Thanks Danut,
A jar file seems to be a good way to package it up but it sounds like it
still needs to be manually copied to each Weblogic server install directory
post-installation and whenever it is updated. I thought it would be nice to
be able to deploy/update the custom security realm by uploading it through
the Console just as you can with web applications and EJBs.
Brian
"Danut Prisacaru" <[email protected]> wrote in message
news:3aba2db0$[email protected]..
You have to have your Custom Realm class in the class path. I usually have a
jar file with all the Custom Realm classes and that jar I copy it in the lib
folder. Then I modify "startWebLogic.cmd" and I add to the classpath
".\lib\CustomRealm.jar"
set CLASSPATH=.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar;.\lib\CustomRealm.jar;
Be aware that in order to have your custom realm besides creating the custom
realm using the console you also have to create a custom caching and choose
that one as your default caching realm.
Here is how the security settings are looking in my "config.xml"
<CustomRealm Name="CustomRealm"
RealmClassName="Custom.appserver.weblogic.security.CustomRealm"/>
<CachingRealm BasicRealm="CustomRealm" CacheCaseSensitive="true"
Name="CustomCachingRealm"/>
<Realm CachingRealm="CustomCachingRealm" FileRealm="wl_default_file_realm"
Name="wl_default_realm"/>
<FileRealm Name="wl_default_file_realm"/>
<Security GuestDisabled="false"
Name="mydomain" PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm"/>
Danut -
Hi,
I am currently using WLI 2.0 SP2 installation. Here is a very unusual thing I
noticed. Can somebody tell me what is going on ???
1 : I have set up the security realm as indicated in the config.xml file. As far
as I understand, the caching realm entry has attribute pointing to the wlpiRDBMSRealm,
which is a RDBMS implementation from the WLI 2.0 SP2 distribution.
2: I start the server, open the WLS console, and create a new user through the
console. I get no error message and it seems to work fine. ( I also click on the
save it to database link, and it returns with msg that cache is refreshed ).
3: I see an entry in the fileRealm.properties file, but no record is inserted
in the WLSUSER table in the database.
Since the RDBMS realm (from WLI distribution) is defined as basic
realm implementation, should it not insert entry into the database, instead of
the file realm.
Is this a general problem ( any RDBMS realm ) or is it specific to the WLI ?
Is there anything that I have not configured here that is causing this behavior
Is it just refreshing the cache instead of inserting record in DB ?
Why should it insert entry into fileRealm.properties ?
Thanks,
Girish
[noaa1.zip]
Hi,
I turned on the caching realm through the WLS Console, (Security).
After this I get a very unusual error, which seems to be coming
from the RDBMS implementation class (from WLI 2.0 SP2 distribution).
Here is the msg that I get while WLS server boots (the WLS server boots ok, but
WLPI does not initialize) ....
Unable to initialize WebLogic Process Integrator:
SQL Exception: ResultSet not open, operation 'next' not permitted. Verify that
autocommit is OFF.
at c8e.k.j.l_(Unknown Source)
at c8e.k.j.l_(Unknown Source)
at c8e.k.j.j_(Unknown Source)
at c8e.k.n.checkIfClosed(Unknown Source)
at c8e.k.n.movePosition(Unknown Source)
at c8e.k.n.movePosition(Unknown Source)
at c8e.k.n.next(Unknown Source)
at com.bea.wlpi.rdbmsrealm.RDBMSDelegate.getGroup(RDBMSDelegate.java:425)
at com.bea.wlpi.rdbmsrealm.RDBMSRealm.getGroup(RDBMSRealm.java:235)
at weblogic.security.acl.CachingRealm.getGroup(CachingRealm.java:1120)
at weblogic.ejb20.deployer.SecurityRoleMapping.lookupPrincipal(SecurityRoleMapping.java:243)
at weblogic.ejb20.deployer.SecurityRoleMapping.getSecurityRolePrincipals(SecurityRoleMapping.java:96)
at weblogic.ejb20.deployer.SecurityRoleMapping.getSecurityRolePrincipals(SecurityRoleMapping.java:128)
at weblogic.ejb20.deployer.SecurityRoleMapping.isPrincipalInAnyRole(SecurityRoleMapping.java:174)
at weblogic.ejb20.deployer.MethodInfoImpl.checkAccess(MethodInfoImpl.java:214)
at weblogic.ejb20.internal.MethodDescriptor.checkAccess(MethodDescriptor.java:285)
at weblogic.ejb20.internal.BaseEJBObject.preInvoke(BaseEJBObject.java:90)
at weblogic.ejb20.internal.StatelessEJBObject.preInvoke(StatelessEJBObject.java:55)
at com.bea.wlpi.server.plugin.PluginManagerCfgBeanEOImpl.init(PluginManagerCfgBeanEOImpl.java:1301)
at com.bea.wlpi.server.initlistener.InitListenerBean.onMessage(InitListenerBean.java:151)
at weblogic.ejb20.internal.MDListener.execute(MDListener.java:221)
at weblogic.ejb20.internal.MDListener.onMessage(MDListener.java:175)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:1933)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:1892)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.Kernel.execute(Kernel.java:250)
at weblogic.jms.client.JMSSession.pushEnvelope(JMSSession.java:1779)
at weblogic.jms.client.JMSCallback.pushEnvelope(JMSCallback.java:69)
at weblogic.jms.frontend.FESession.execute(FESession.java:1972)
<Aug 22, 2001 11:56:01 AM MDT> <Notice> <WebLogicServer> <WebLogic Server started>
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
--------------- nested within: ------------------
com.bea.wlpi.rdbmsrealm.RDBMSException: caught SQL exception - with nested exception:
[SQL Exception: ResultSet not open, operation 'next' not permitted. Verify that
autocommit is OFF.]
at com.bea.wlpi.rdbmsrealm.RDBMSRealm.getGroup(RDBMSRealm.java:242)
<Aug 22, 2001 11:56:01 AM MDT> <Notice> <WebLogicServer> <ListenThread listening
on port 7101>
at weblogic.security.acl.CachingRealm.getGroup(CachingRealm.java:1120)
at weblogic.ejb20.deployer.SecurityRoleMapping.lookupPrincipal(SecurityRoleMapping.java:243)
at weblogic.ejb20.deployer.SecurityRoleMapping.getSecurityRolePrincipals(SecurityRoleMapping.java:96)
at weblogic.ejb20.deployer.SecurityRoleMapping.getSecurityRolePrincipals(SecurityRoleMapping.java:128)
at weblogic.ejb20.deployer.SecurityRoleMapping.isPrincipalInAnyRole(SecurityRoleMapping.java:174)
at weblogic.ejb20.deployer.MethodInfoImpl.checkAccess(MethodInfoImpl.java:214)
at weblogic.ejb20.internal.MethodDescriptor.checkAccess(MethodDescriptor.java:285)
at weblogic.ejb20.internal.BaseEJBObject.preInvoke(BaseEJBObject.java:90)
at weblogic.ejb20.internal.StatelessEJBObject.preInvoke(StatelessEJBObject.java:55)
at com.bea.wlpi.server.plugin.PluginManagerCfgBeanEOImpl.init(PluginManagerCfgBeanEOImpl.java:1301)
at com.bea.wlpi.server.initlistener.InitListenerBean.onMessage(InitListenerBean.java:151)
at weblogic.ejb20.internal.MDListener.execute(MDListener.java:221)
at weblogic.ejb20.internal.MDListener.onMessage(MDListener.java:175)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:1933)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:1892)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.Kernel.execute(Kernel.java:250)
at weblogic.jms.client.JMSSession.pushEnvelope(JMSSession.java:1779)
at weblogic.jms.client.JMSCallback.pushEnvelope(JMSCallback.java:69)
at weblogic.jms.frontend.FESession.execute(FESession.java:1972)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
-
Accessing Custom Security Realm and NotOwnerException.
I have installed the RDBMS example security realm, which appears to work fine. However when I attempt to access this realm from a Servlet via Realm.getRealm("name") I get an NotOwnerException being thrown.
Ideas ?
regards,
Jeff.
We did something similar in a past project, and it turned out to be more of a mess than
it was worth it (not only the "chicken-egg" dilemma with system, guest, administrator
users, etc., but also with various lookup and threading issues.) We ended up ripping
out the code and writing a new one which does not use an EJB.
EJB are supposed to be written in terms of container services (which security being one
of the services the container provides) but in this scenario you'd be writing one of the
container services in terms of EJBs, so it "breaks" the proper layering.
In our case, we wanted to "encapsulate" our security code from Weblogic's proprietary
realm mechanism, at the end we still achieved without having to create a session bean
(sometimes regular Java classes work just fine) :-)
regards,
-Ade
"watscheck" <[email protected]> wrote in message news:[email protected]..
Hi,
I want to use a sessionEJB as my security store for the custom security realm in
weblogic server 6.1.
Has anyone experience with that?
First I have to pass all filerealm users through my custom realm (csr) because
it is not possible to authenticate the system and guest users before the sessionEJB
itself is loaded.
OK, but my problem is the authentication of the csr at the sessionEJB, which is
itself secured by method-permission in its assembly descriptor. So I have to get
an initialcontext with an authorized user for the sessionEJB and invoke all protected
methods with this principal.
But Bea WLS has a problem with propagating this user back to the actual application.
Is there a way that the application (web-app and ejbs) is not affected by the
authentication of the csr at the sessionEJB (security store)?
And is it right that the new initialcontext in the csr always overrides the bea
context and with that the servlet request of the web-app?
thanks in advance
watscheck -
Hi,
I tried creating rdbms realm in mydomain.
I am able to see the rdbms realm users in the console when I click on users.
I am not able to see the new groups or new members in old groups when I click
groups. I can only see the old groups' entries.
When I click on ACL I get the following
weblogic.management.configuration.RealmException: RealmManager.listAcls - with
nested exception: [security.rdbmsrealm.RDBMSException: RDBMSEnumeration.nextElement
failed - with nested exception: [java.sql.SQLException: ResultSet has already
been closed]]
at weblogic.management.configuration.RealmManager.listAcls(RealmManager.java:203)
at weblogic.management.console.pages._panels._mbean._acltable._jspService(_acltable.java:213)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:213)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:1265)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1622)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
Any idea whats wrong? I am using the default dbschema
I have the entries as listed below in my config.xml.
<CachingRealm BasicRealm="defaultRDBMSRealmForOracle" Name="defaultCachingRealm"/>
<Realm CachingRealm="defaultCachingRealm"
FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<RDBMSRealm DatabaseDriver="weblogic.jdbc.oci.Driver"
DatabasePassword="tiger"
DatabaseURL="jdbc:weblogic:oracle:vogue"
DatabaseUserName="scott" Name="defaultRDBMSRealmForOracle"
Notes="I have changed the package to security.rdbmsrealm from examples.security.rdbmsrealm
example. I am using the same schema(in the ddl) in oracle"
RealmClassName="security.rdbmsrealm.RDBMSRealm" SchemaProperties="getGroupMembers=SELECT
GM_GROUP, GM_MEMBER from groupmembers WHERE GM_GROUP = ?;deleteGroup2=DELETE FROM
aclentries WHERE A_PRINCIPAL = ?;deleteGroup1=DELETE FROM groupmembers WHERE GM_GROUP
= ?;addGroupMember=INSERT INTO groupmembers VALUES ( ? , ? );getUser=SELECT U_NAME,
U_PASSWORD FROM users WHERE U_NAME = ?;getPermission=SELECT DISTINCT A_PERMISSION
FROM aclentries WHERE A_PERMISSION = ?;deleteUser3=DELETE FROM aclentries WHERE
A_PRINCIPAL = ?;getGroupNewStatement=false;deleteUser2=DELETE FROM groupmembers
WHERE GM_MEMBER = ?;deleteUser1=DELETE FROM users WHERE U_NAME = ?;getAcls=SELECT
A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries ORDER BY A_NAME, A_PRINCIPAL;getUsers=SELECT
U_NAME, U_PASSWORD FROM users;getPermissions=SELECT DISTINCT A_PERMISSION FROM
aclentries;getGroups=SELECT GM_GROUP, GM_MEMBER FROM groupmembers;getAclEntries=SELECT
A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries WHERE A_NAME = ? ORDER BY A_PRINCIPAL;newUser=INSERT
INTO users VALUES ( ? , ? );removeGroupMember=DELETE FROM groupmembers WHERE GM_GROUP
= ? AND GM_MEMBER = ?"/>
ananya
Hi Narin,
I seem to have forgotten to mention that the problem got fixed when I set getGroupNewStatement
to true.
Anu
"Narinder Gaheer" <[email protected]> wrote:
Have you taken the RDBMSRealm example that comes with weblogic? If that's
the case, that example doesn't implement Group related functionality as
pointed out by many posts earlier on this newsgroup. You need to provide
that implementation on your own.
-
How to Configure RDBMS Realm on WL6.0
We are trying to replace the default File Realm on WL6.0 with RDBMS Realm. We
have put the userId/password pairs in fnxuser table of the database, also we put
"reserve" permission for weblogic.jdbc.connectionPool.fnxconnection in the acl2entries
table (but for whatever reason, the fnxconnection setup won't show up when we
bring up acl config page in the console, just those defaults show up such as weblogic.jdbc.connectionPool,
weblogic.jdbc.connectionPool.oraPool, weblogic.jdbc.connectionPool.testPool).
When we log in using one of the valid userid/password in the fnxuser table on
the jsp page, we got the following error message:
LoginBean::loginAttempt() - get DB name : dev711
LoginBean::checkAccountStatus: Naming error:javax.naming.AuthenticationException
[Root exception is java.lang.SecurityException:Authentication for user bobdev
denied in realm weblogic]
We have a Java Bean Login Bean to get the JNDI context, the code is as follows:
Context ctx = FnxJndi.getJndiInitialContext(null);
if (sDatabase != null)
sDbname = sDatabase;
else
sDbname = (String) ctx.lookup(FnxJndi.getDefaultDbJndiKey());
System.out.println("LoginBean::loginAttempt() - get DB name : "+sDbname);
FnxJndi.deepBind(ctx, FnxJndi.constructUserDbnameJndiKey(sUsername), sDbname);
The following is part of our config.xml. Is there something we did wrong or we
missed? Any help is highly appreciated.
Thanks in advance.
Ting
<Realm CachingRealm="CachingRealm" Name="RdbmsRealm"/>
<FileRealm Name="wl_default_file_realm"/>
<CachingRealm ACLCacheSize="1000" BasicRealm="RdbmsRealm"
CacheCaseSensitive="true" GroupCacheSize="20"
Name="CachingRealm" PermissionCacheSize="100" UserCacheSize="1000"/>
<JDBCConnectionPool CapacityIncrement="10"
DriverName="com.sybase.jdbc.SybDriver" InitialCapacity="40"
MaxCapacity="500" Name="fnxconnection"
Properties="user=d711dbo;password=fnxltd;server=SYB_AXE"
RefreshMinutes="0" Targets="tingserver" URL="jdbc:sybase:Tds:axe:5000"/>
<JDBCDataSource JNDIName="fnxdatasource" Name="fnxjdbcdatasource"
PoolName="fnxconnection" Targets="tingserver"/>
<RDBMSRealm DatabaseDriver="com.sybase.jdbc.SybDriver"
DatabasePassword="fnxltd" DatabaseURL="jdbc:sybase:Tds:axe:5000"
DatabaseUserName="d711dbo" Name="RdbmsRealm"
RealmClassName="com.fnx.util.security.rdbmsrealm.RDBMSRealm" SchemaProperties="getGroupMembers=SELECT
GM_GROUP, GM_MEMBER from group2members WHERE GM_GROUP = ?;addGroupMember=INSERT
INTO group2members values (?, ?) WHERE GM_GROUP = ?;getUser=SELECT rtrim(user_ID),
rtrim(user_ID) FROM fnxuser WHERE user_ID = ?;getPermission=SELECT DISTINCT A_PERMISSION
FROM acl2entries WHERE A_PERMISSION=?;getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION
FROM acl2entries ORDER BY A_NAME, A_PRINCIPAL;getUsers=SELECT rtrim(user_ID),
rtrim(user_ID) FROM fnxuser;getGroups=SELECT GM_GROUP, GM_MEMBER FROM group2members;getPermissions=SELECT
DISTINCT A_PERMISSION FROM acl2entries;getAclEntries=SELECT A_NAME, A_PRINCIPAL,
A_PERMISSION FROM acl2entries WHERE A_NAME = ? ORDER BY A_PRINCIPAL;newUser=insert
into fnxuser values (?, ?);removeGroupMember=DELETE group2members WHERE GM_GROUP
= ? and GM_MEMBER = ?"/>
<PasswordPolicy Name="wl_default_password_policy"/>
Please look into the previous posting of yours.
-utpal
"Amit" <[email protected]> wrote in message
news:[email protected]..
Hi,
I want to store user id, password, roles in the DB tables and provide web-based
forms to create/modify user.
How do I implement security realm for users stored in the DB table?
Thanks and Regards,
Amit -
[Fwd: Re: rdbms realm and connection pool]
Hi,
One reason why I would like to use the connection pool for the RDBMS
realm is because there is the retry mechanism built into the connection
pool. With this retry, I don't need to re-start WebLogic if the DB
server is somehow re-started. With the current implementation, all the
connections maintained by the realm will become invalid if the DB server
has been restarted independently.
-------- Original Message --------
Subject: Re: rdbms realm and connection pool
Date: Wed, 27 Sep 2000 09:32:47 +0100
From: "Terry" <[email protected]>
Reply-To: "Terry" <[email protected]>
Organization: BEA SYSTEMS Inc
Newsgroups: weblogic.developer.interest.security
References: <[email protected]>
I believe not- the realm restricts access to connection pools to those who
are allowed it, so if the realm needs the connection pool to start up, and
you can't open the connection pool without the realm then you have a bit of
a no-chicken and no-egg situation, which is I believe one of the reasons why
there is no use of connection pools, ejbs, jndi, servlets etc. in the realm
(along with other reasons, like why would it be provided with a servlet)
The delegate pool acts somewhat similarly to a connection pool, and can even
use the same database, so I'm not sure what the advantage would be
Terry
Nirmala devi <[email protected]> wrote in message
news:[email protected]..
I think the rdbms realm uses different connection as it need to be set before
the connection pool for Database. Is there any way that I can point my rdbms realm to use
the connection pool for Database instead
Thanks in advance
Nirmala
-
Hi,
I have just started out with EJB & weblogic security. I want to make a RDBMS realm in weblogic that connects to oracle dBase. Since I am new to security, I was wondering if anyone out there knew what fields would be added to a table that manages user?. Also how does a table manage ACLs? And last but not least, I noticed that when I was creating a RDBMS realm in weblogic console there is a tab that mentions that I have to write schema properties...what is this and what do I place in it. I have read all of the weblogic docs and there is nothing that addresses theses questions. I would really appreciate any help I can get.
Thank you,
Jay.
P.S I am using weblogic 6.0 with sp1
Is this a continuation of http://forum.java.sun.com/thread.jsp?forum=60&thread=159878
It sure looks like it.
Have you read this weblogic doc http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1052867 -
I am using the RDBMS Realm that comes with Weblogic 6.0.
We have created ejbs to create and insert our users and group members into the
tables that the RDBMS Realm reads from.
The problem is occasionally the caching realm gets out of date. When a user tries
to access a secured resource the attempt fails. After a few more attempts the
cache will refresh itself and the access works fine.
When I make changes to my user data how can I programmatically tell the caching
realm to refresh itself? (The refresh through the console will not help me here.)
...Or should I re-think the way I am creating and updating user data, i.e. should I
only be doing this through the Realm class?
Thanks -
WLS5.1 SP_9 RDBMS Realm problem
Hi all,
I am trying to configure the RDBMS realm examples that come with weblogic.
I am getting an error saying the Table Users was not found.
I created my own simple java class to check if the parameters from
rdbmsrealm.properties are working fine, they are. Then why is weblogic not
able to find the USERS table, where is it looking for this table.
Any Help is highly appreciated.
Ramesh
Stack Trace :
Unable to initialize server: examples.security.rdbmsrealm.RDBMSException:
realm
initialization failed, Connection.prepareStatement() failed on statement
"SELECT
U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?", - with nested exception:
[SQL Exception: Table 'USERS' does not exist.]
fatal initialization exception
Properties File :
# - - - - - - ORACLE - - - - - - -
driver=weblogic.jdbc.oci.Driver
dbURL=jdbc:weblogic:oracle:bizpivot.india
dbUser=ramesh
dbPassword=******
#getGroupNewStatement=false
Hi all,
Never Mind, I got it working. A couple of lines down the property lines,
the Cloudscape URL was uncommented and hence the weblogic server was looking for
the USERS table in cloudscape instead of Oracle where I created them.
I figured this out by modifying the LoadDDL.java and asking it to print the
URL and other details that it read from the rdbmsldaprealm.properties file.
Thank you all.
Ramesh
"ramesh" <[email protected]> wrote in message
news:[email protected]..
Hi all,
I am trying to configure the RDBMS realm examples that come with weblogic.
I am getting an error saying the Table Users was not found.
I created my own simple java class to check if the parameters from
rdbmsrealm.properties are working fine, they are. Then why is weblogic not
able to find the USERS table, where is it looking for this table.
Any Help is highly appreciated.
Ramesh
Stack Trace :
Unable to initialize server: examples.security.rdbmsrealm.RDBMSException:
realm
initialization failed, Connection.prepareStatement() failed on statement
"SELECT
U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?", - with nested exception:
[SQL Exception: Table 'USERS' does not exist.]
fatal initialization exception
Properties File :
# - - - - - - ORACLE - - - - - - -
driver=weblogic.jdbc.oci.Driver
dbURL=jdbc:weblogic:oracle:bizpivot.india
dbUser=ramesh
dbPassword=******
#getGroupNewStatement=false -
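The failure resolved in the thread above, a second uncommented dbURL further down the file silently replacing the Oracle one, can be caught before server start. This is an added example, not code from the thread or from BEA; it assumes the realm reads the file with java.util.Properties (where the last assignment of a key wins), and the Cloudscape values in the sample are placeholders.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class RealmPropsDupCheck {
    // Constructed sample: the Oracle block from the thread, followed by a
    // second database block left uncommented (values are placeholders).
    static final String SAMPLE =
        "# - - - - - - ORACLE - - - - - - -\n"
      + "driver=weblogic.jdbc.oci.Driver\n"
      + "dbURL=jdbc:weblogic:oracle:bizpivot.india\n"
      + "dbUser=ramesh\n"
      + "# - - - - - - CLOUDSCAPE - - - - - - -\n"
      + "driver=<cloudscape-driver-placeholder>\n"
      + "dbURL=<cloudscape-url-placeholder>\n";

    /** Maps each key to every "line N: value" assignment, in file order. */
    static Map<String, List<String>> assignments(String text) throws IOException {
        Map<String, List<String>> seen = new LinkedHashMap<>();
        BufferedReader in = new BufferedReader(new StringReader(text));
        String line;
        for (int n = 1; (line = in.readLine()) != null; n++) {
            String t = line.trim();
            if (t.isEmpty() || t.startsWith("#") || t.startsWith("!")) continue;
            int eq = t.indexOf('=');
            if (eq <= 0) continue; // this file only uses key=value lines
            String key = t.substring(0, eq).trim();
            String value = t.substring(eq + 1).trim();
            seen.computeIfAbsent(key, k -> new ArrayList<>()).add("line " + n + ": " + value);
        }
        return seen;
    }

    public static void main(String[] args) throws IOException {
        for (Map.Entry<String, List<String>> e : assignments(SAMPLE).entrySet()) {
            List<String> hits = e.getValue();
            if (hits.size() > 1) {
                // Assumption: loaded via java.util.Properties, so the last one is in effect.
                System.out.println("DUPLICATE " + e.getKey()
                    + " -> in effect: " + hits.get(hits.size() - 1)
                    + " (overrides " + hits.subList(0, hits.size() - 1) + ")");
            }
        }
    }
}
```

A realm that authenticates against a different database than the one the administrator populated is a configuration error worth failing the deployment on, so a check like this fits in a pre-start script.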
I am trying to run the RDBMS realm example provided by weblogic. I have
successfully managed to get it working but with few Exceptions on the api's.
1. I get an Nullpointer exception on the flatgroups.java on some of the
api's.
like getAcls() ..etc.
2 For most of the apis in the RDBMS Realm .. i do get NullPointer
exceptions.
3. Even if i try to execute some of the apis in weblogic.security.acl
...like getCurrentUser(), checkPermission() ..etc ... i get Nullpointer
exceptions.
4. Can i use weblogic.security.acl api's along with the RDBMS example.
Logically speaking i could ... but why exceptions are raised.
5. Please note that .. I have successfully managed to run some of the api's in the
RDBMS realms such as authPasswords() and getUser () ..etc. But i am unable to
do so for other cases ... addGroupMember(String..) .. getAcls(), getAcl()
..so on.
Can anyone please help me with an example on how about doing it.
thanx
sharad nangia
[email protected]
s> 1. I get an Nullpointer exception on the flatgroups.java on some of the
s> api's.
s> like getAcls() ..etc.
More details would be useful. Stack backtraces with line numbers.
s> 4. Can i use weblogic.security.acl api's along with the RDBMS example.
s> Logically speaking i could ... but why exceptions are raised.
Insufficient information to be able to tell.
Let us pray:
What a Great System.
Please Do Not Crash. -
RDBMS Realm Schema Properties - newbie looking for some general info
I am new to the world of WL Security Realms. I am trying to better
understand what is involved in setting up a RDBMS Security Realm and
specifically the Schema Properties within that security realm.
The situation that I am trying to solve right now is that I want to
provide authentication for a given application using a "user list"
from another DB that our application will have access to via JDBC.
First off, would using the RDBMS security realm allow me to do
something along these lines - ie access a "user list" from another DB?
If YES, then what sort of things would have to be done from the
schema properties standpoint in order to make this possible?
Note that the other DB will also be an Oracle instance managed by
WebLogic, the same as with our application, if it makes a difference
in any way.
Thanks for the help.
Chris Baglieri
You need to configure the schema so that it fits in with your database:
getGroupMembers=SELECT GM_GROUP, GM_MEMBER from groupmembers WHERE GM_GROUP = ?
deleteGroup2=DELETE FROM aclentries WHERE A_PRINCIPAL = ?
deleteGroup1=DELETE FROM groupmembers WHERE GM_GROUP = ?
addGroupMember=INSERT INTO groupmembers VALUES ( ? , ? )
getUser=SELECT U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?
getPermission=SELECT DISTINCT A_PERMISSION FROM aclentries WHERE A_PERMISSION = ?
deleteUser3=DELETE FROM aclentries WHERE A_PRINCIPAL = ?
deleteUser2=DELETE FROM groupmembers WHERE GM_MEMBER = ?
getGroupNewStatement=true
deleteUser1=DELETE FROM users WHERE U_NAME = ?
getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries ORDER BY A_NAME, A_PRINCIPAL
getUsers=SELECT U_NAME, U_PASSWORD FROM users
getGroups=SELECT GM_GROUP, GM_MEMBER FROM groupmembers
getPermissions=SELECT DISTINCT A_PERMISSION FROM aclentries
getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries WHERE A_NAME = ? ORDER BY A_PRINCIPAL
newUser=INSERT INTO users VALUES ( ? , ? )
removeGroupMember=DELETE FROM groupmembers WHERE GM_GROUP = ? AND GM_MEMBER = ?
(Taken from bea's example RDBMS Realm)
Modify this to fit in with your schema
"Chris Baglieri" <[email protected]> wrote in message
news:[email protected]...
I am new to the world of WL Security Realms. I am trying to better
understand what is involved in setting up a RDBMS Security Realm and
specifically the Schema Properties within that security realm.
The situation that I am trying to solve right now is that I want to
provide authentication for a given application using a "user list"
from another DB that our application will have access to via JDBC.
First off, would using the RDBMS security realm allow me to do
something along these lines - ie access a "user list" from another DB?
If YES, then what sort of things would have to be done from the
schema properties standpoint in order to make this possible?
Note that the other DB will also be an Oracle instance managed by
WebLogic, the same as with our application, if it makes a difference
in any way.
Thanks for the help.
Chris Baglieri
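When the statements in the reply above are rewritten for a different schema, a quick check is that each one still carries the same number of `?` bind markers as the example statement it replaces. This is an added example, not BEA's code: the tables app_users and app_groups and their columns are hypothetical, and it assumes the realm binds as many parameters per statement as the quoted example statements contain.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

public class RealmStatementCheck {
    // Bind-marker counts taken from the example statements quoted in the thread.
    static final Map<String, Integer> EXPECTED = new LinkedHashMap<>();
    static {
        EXPECTED.put("getUser", 1);
        EXPECTED.put("getUsers", 0);
        EXPECTED.put("newUser", 2);
        EXPECTED.put("getGroupMembers", 1);
        EXPECTED.put("addGroupMember", 2);
        EXPECTED.put("removeGroupMember", 2);
        EXPECTED.put("getAclEntries", 1);
    }

    // Constructed sample: statements adapted to hypothetical tables, with two
    // deliberate mistakes (addGroupMember lost a marker, getAclEntries is absent).
    static final String ADAPTED =
        "getUser=SELECT login, passwd FROM app_users WHERE login = ?\n"
      + "getUsers=SELECT login, passwd FROM app_users\n"
      + "newUser=INSERT INTO app_users VALUES ( ? , ? )\n"
      + "getGroupMembers=SELECT grp, member FROM app_groups WHERE grp = ?\n"
      + "addGroupMember=INSERT INTO app_groups VALUES ( ? )\n"
      + "removeGroupMember=DELETE FROM app_groups WHERE grp = ? AND member = ?\n";

    /** Returns one message per statement that is missing or has the wrong marker count. */
    static List<String> problems(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Integer> e : EXPECTED.entrySet()) {
            String sql = p.getProperty(e.getKey());
            if (sql == null) { out.add(e.getKey() + ": missing"); continue; }
            // Naive count: a '?' inside a quoted SQL literal would also be counted.
            long marks = sql.chars().filter(c -> c == '?').count();
            if (marks != e.getValue())
                out.add(e.getKey() + ": " + marks + " bind markers, example has " + e.getValue());
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        problems(ADAPTED).forEach(System.out::println);
    }
}
```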