WLS 9.1 bug with WebLogic Plug-In Enabled?

We are currently upgrading from WLS 8.1 to WLS 9.1. We use Apache HTTP Server 2.0 on Red Hat Enterprise 4 with the weblogic plugin. We have the plugin configured properly as the application functions properly except for calls to request.getRemoteAddr(). We have WebLogic Plug-In Enabled enabled at the cluster and server level. We verified MBeans reported true using the weblogic scripting tool in interactive mode. We see the WL-Client-Proxy-IP header in the request as expected. We've searched the newsgroups and BEA site and they mention setting the WebLogic Plug-In Enabled option as the problem. It doesn't appear to be ours.
Is there a bug or are we missing something else? If it is a bug, is there a patch? We have a workaround in place which gets the WL-Client-Proxy-IP header directly, but obviously this isn't the optimal solution for something that was working properly in 8.1.
Thank you in advance,
Daniel
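Added example, not from the original thread or from BEA/Oracle: a small helper that honours the WL-Client-Proxy-IP header only when the request's TCP peer is one of the Apache front ends. A client that reaches a managed server directly and sends the header itself then falls back to its real peer address instead of a spoofed one. The proxy addresses, the class name and the sample values are assumptions constructed for this example.

```java
import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Resolves the client address for a request that may have arrived through the
 * WebLogic Apache plug-in. Not part of WebLogic; an added example.
 */
public final class ClientAddressResolver {

    // Header the Apache plug-in adds with the original client address (seen in the thread).
    static final String PROXY_IP_HEADER = "WL-Client-Proxy-IP";

    // Addresses of the Apache front ends; the values are assumed placeholders.
    private final Set<String> trustedProxies;

    public ClientAddressResolver(String... proxyAddresses) {
        this.trustedProxies = Collections.unmodifiableSet(
                new HashSet<String>(Arrays.asList(proxyAddresses)));
    }

    /**
     * Returns the address to treat as the client's. The header is honoured only when
     * the TCP peer is one of the known proxies; a direct connection that carries the
     * header (a forgery attempt or a misrouted request) yields the peer address.
     */
    public String resolve(HttpServletRequest request) {
        return resolve(request.getRemoteAddr(), request.getHeader(PROXY_IP_HEADER));
    }

    // Pure form, kept separate so it can be exercised without a servlet container.
    String resolve(String peerAddress, String headerValue) {
        if (headerValue == null || !trustedProxies.contains(peerAddress)) {
            return peerAddress;
        }
        String candidate = headerValue.trim();
        // A malformed header value (hostname, injected characters) is not trusted either.
        return isPlausibleAddress(candidate) ? candidate : peerAddress;
    }

    // Accepts an IPv4 dotted quad or an IPv6 literal; rejects anything that could carry
    // log-injection characters or hostnames into audit records.
    static boolean isPlausibleAddress(String s) {
        if (s.isEmpty() || s.length() > 45) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')
                      || (c >= 'A' && c <= 'F') || c == '.' || c == ':';
            if (!ok) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: two Apache hosts on a private network.
        ClientAddressResolver r = new ClientAddressResolver("10.0.0.11", "10.0.0.12");
        // Request via a trusted proxy: header value is used.
        System.out.println(r.resolve("10.0.0.11", "203.0.113.5"));
        // Direct request carrying a forged header: peer address is kept.
        System.out.println(r.resolve("198.51.100.7", "203.0.113.5"));
        // Proxy without the header: peer address is kept.
        System.out.println(r.resolve("10.0.0.12", null));
        // Malformed header value from a proxy: peer address is kept.
        System.out.println(r.resolve("10.0.0.12", "evil<script>"));
    }
}
```

Call resolve(request) wherever request.getRemoteAddr() was used before (for example from a servlet filter that stores the result as a request attribute); the overload that takes two strings lets the decision logic be unit tested without a container.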

Sure! Calling a server directly is faster than passing through a load balancer and through a webserver and through (again?) the weblogic plugin (even if it's only a lib!!!)...
Moreover you could have performance problems if you use a hostname instead of an IP address, because for every client call a DNS query must be executed.
One more thing... The only load balancer algorithm you must use is round robin. I'm not speaking about the weblogic load balancing algorithm... but about the hardware load balancer above the webserver.
Regards
Antenore Gatta
Middleware Specialist
Hequa S.r.l
C.so Buenos Aires 77
20124 Milano
http://www.Hequa.it
Tel +39(0)267493078
Fax +39(0)267493079
Mobile +39 3481537897
______________________________________

Similar Messages

  • Optimistic Locking - Possible bug with Weblogic

    After extensive testing of a J2EE application I'm involved with, it would appear there exists a problem with using Weblogic's Optimistic Concurrency (OL) mechanism.
    The exact problem is as follows:
    The ejbCreate and ejbRemove methods of a particular entity bean are as follows:
    public abstract class ProductBean implements javax.ejb.EntityBean {
        // Signature cut from the post; a CMP ejbCreate normally returns the primary key class.
        public void ejbCreate() throws javax.ejb.CreateException {
            FolderEntityHome folderEH = FolderComponent.getFolderEntityHome();
            folderEH.create(getId());
        }
        public void ejbRemove() throws javax.ejb.RemoveException {
            FolderEntityHome folderEH = FolderComponent.getFolderEntityHome();
            try {
                FolderBean folder = folderEH.findByProductId(getId());
            } catch (InvalidAccessRightsException iare) {
                throw new javax.ejb.RemoveException();
            }
        }
    }
    Previously, before OL was added, when a RemoveException was thrown this would cause ejbRemove to fail, thus both the product and folder would still exist.
    After adding OL, when an InvalidAccessRightsException occurs giving rise to a RemoveException being thrown, weblogic simply ignores the RemoveException and deletes the Product even though the Folder could not be deleted. This causes system errors when users try to access the folder which contains a link to a product which no longer exists!
    Is anyone aware of this particular problem? Is it indeed a bug with Weblogic? For clarity, I believe I am using version 8.1 and the way in which I have implemented OL is to use an additional version column in the underlying tables for all entity beans.

    In case anyone's interested, it appears from further testing that the problem I've been having in the way the RemoveException behaves is down to the difference in which version 6.0 treats this exception compared to version 8.1!
    In version 6.0, if you threw a RemoteException at any point in the ejbRemove(), the entity would not be removed!
    In version 8.1, something weird happens. If a RemoteException() is thrown in the ejbRemove() and sometime during the same transaction at the point of commit, the entity on which the exception is thrown is attempted to be accessed (through a finder), then the entity continues to be deleted! If on the other hand, a RemoveException is thrown and no access/modification is attempted on that entity within the same transaction, then at the point of commit, the entity is not removed!
    Seems this is indeed a problem which needs to be addressed in future releases.
    Message was edited by:
    rotan_imretxe

  • WebLogic Plug-In Enabled

    We use a product called Workbrain that has a Cisco Switch with a virtual IP address for our application. The switch automatically load-balances its http sessions between 2 Apache Web Servers as a proxy that make queries against an Oracle backend. We currently have 4 servers in a BEA cluster. As far as I can tell the Apache Web servers are using the BEA Apache plugin. However, our BEA cluster does NOT have the "WebLogic Plug-In Enabled" option selected on the cluster. I am curious as to what the impact of not selecting it could be.
    I ask because I have had some end users report that if they make a connection directly to an individual server instance, their response time is 3 to 4 times faster than if they use the virtual IP that load-balances between the 2 Apache servers.

    Sure! Calling a server directly is faster than passing through a load balancer and through a webserver and through (again?) the weblogic plugin (even if it's only a lib!!!)...
    Moreover you could have performance problems if you use a hostname instead of an IP address, because for every client call a DNS query must be executed.
    One more thing... The only load balancer algorithm you must use is round robin. I'm not speaking about the weblogic load balancing algorithm... but about the hardware load balancer above the webserver.
    Regards
    Antenore Gatta
    Middleware Specialist
    Hequa S.r.l
    C.so Buenos Aires 77
    20124 Milano
    http://www.Hequa.it
    Tel +39(0)267493078
    Fax +39(0)267493079
    Mobile +39 3481537897
    ______________________________________

  • How to set WebLogic Plug-In Enabled through admi in weblogic server 9.2

    Hi,
    How do I set the WebLogic Plug-In Enabled parameter for a cluster through the admin console in WebLogic Server 9.2???
    Actually I could find the option for individual servers. However I could not find the same for the cluster??
    Is it only possible through WLST???
    Can anyone please advise??
    regards,
    Praveen Kumar J

    Well, I don't know what you call a "BEA Admin", but please note that everyone here is trying to help.
    Some of them are not working for BEA but are deeply efficient.
    Well, for your problem, I started a 9.2.2 domain, created a cluster and found the "WebLogic Plug-In Enabled" option ...
    In your console, in the "Domain Structure" window, click myDomain \ Environment \ Clusters
    Then in the main page, you've got "Settings for myCluster".
    On the very first page, "Configuration > General" tab, you should have the following attributes:
    * Name
    * Default Load-Algorithm
    * Cluster Address
    * Number of Servers In Cluster Address
    Go at the bottom of the page and under the last link "Number of Servers In Cluster Address", you have a little "Advanced" link in blue. Click on it and it will expand another part of the page.
    In that new part, you'll find new attributes and the one you're expecting.
    This time, it should definitely help.

  • Apparent bug with ComboBox/TextFormat/Disable-Enable

    Anyone experience, or possible have a way to get around this
    issue? Apply a TextFormat with an embedded font to a combo box,
    disable it, then enable it, and the text in the label field stays
    "disabled" looking. It doesn't recover its color. Ask if you'd like
    a sample file. Thanks.

    Here you go.
    Combo Box Test.
    Test SWF

  • Problem while using PrepStmt.executeBach with Weblogic 6.0sp1 and

     

    - I'm getting the same error when I use WLS 6.0 SP1 & thin driver. I'm not
    getting this error when I use thin driver without WLS.
    - This is definitely a bug in WLS. As a workaround put classes.zip {that
    comes with oracle installation} before weblogic.jar in your classpath. This
    way, classloader will load the oracle supplied classes & everything will
    work smoothly
    Manav
    "Joseph Weinstein" <[email protected]> wrote in message
    news:[email protected]...
    >
    >
    Ruta wrote:
    Hi Joe
    I tried using a Java standalone program using prep stmts and the Oracle thin driver
    and it works just fine.
    So is this a bug with Weblogic? Finally, connection pooling is the application server's
    responsibility, isn't it..
    I am inclined to conclude this because connection pooling works fine with Statement.executeBatch()
    but not with prepStatement.executeBatch()
    How do I resolve this now.
    Thanks
    Ruta
    ...Does it not release the connection? Ok. Now let me see the JDBC code example. I'll see what's up.
    Joe
    Joseph Weinstein <[email protected]> wrote:
    The first thing you should do is to reduce the problem to the simplest
    form.
    Write a tiny standalone program that just uses the thin driver
    directly,
    and repeats the code you are trying to run. This will eliminate WebLogic
    from the equation and see if it's an Oracle-only bug.
    Joe
    Ruta wrote:
    Hi,
    I am trying to do multiple inserts in a table using the
    PreparedStatement
    of JDBC2.0.
    I am using a TxDataSource of Weblogic server with a thin driver
    oracle
    pool. I
    am using the driver classes that come with the weblogic.jar.
    The problem is as follows:
    I can manage to successfully do the executeBatch a few times.. Interestingly,
    it executes as many times as the Initial capacity (not even max capacity) of
    my connection pool.
    Then it gives me the following error:
    java.sql.SQLException: java.sql.SQLException: Missing IN or OUT parameter at index:: 1
    at weblogic.jdbc.rmi.SerialStatement.executeBatch(SerialStatement.java:394)
    at com.equitable.acs.common.ACSCtrlBean.saveSDECData(ACSCtrlBean.java:147)
    at com.equitable.acs.common.ACSCtrlBeanImpl.saveSDECData(ACSCtrlBeanImpl.java:110)
    at com.equitable.acs.common.ACSCtrlBeanEOImpl.saveSDECData(ACSCtrlBeanEOImpl.java:30)
    at com.equitable.acs.common.ACSCtrlBeanEOImpl_WLSkel.invoke(ACSCtrlBeanEOImpl_WLSkel.java:133)
    at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:373)
    at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:128)
    at weblogic.rmi.internal.BasicServerAdapter.invoke(BasicServerAdapter.java:237)
    at weblogic.rmi.internal.BasicRequestHandler.handleRequest(BasicRequestHandler.java:118)
    at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:17)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    This Oracle error has error code 17041.. I could not find more info on it, even
    from the Oracle site.
    I conclude that the connections are not getting released.
    But I have written
    con.close(); even
    con=null; (out of desperation :) )
    but still the connection is not released.
    I am getting the connection in the saveSDECData method
    I need to fix this problem ASAP.. Any Help/Comments will be
    appreciated..
    Finally the most interesting part is:
    executeBatch works perfectly fine with the Statement object..
    so probably the culprit is the PreparedStatement implementation of Oracle.. Can
    anybody validate this pls
    Regards
    Ruta--
    PS: Folks: BEA WebLogic is expanding rapidly, with both entry and advanced
    positions
    for people who want to work with Java, XML, SOAP and E-Commerce infrastructure
    products.
    We have jobs at Nashua NH, Liberty Corner NJ, San Francisco and San Jose
    CA.
    Send resumes to [email protected]

  • JSTL 1.1 issue with Weblogic 9.2

    I am having a tough time making JSTL 1.1 work with Weblogic 9.2. Here is the issue:
    When I use JSTL core tags like out and forEach, weblogic is unable to understand the EL and throws a compile time exception saying it can't read request time values.
    However the same page worked fine when I rolled back to JSTL 1.0 and weblogic 8.1.
    I couldn't understand why JSTL 1.1 is not working in Weblogic 9.2. I assume weblogic 9.2 comes with servlet 2.4 and JSP 1.2. So JSTL 1.2 should work fine.
    Am i ignoring anything involved with new JSP specs and JSTL
    OR
    Is this a bug with Weblogic 9.2 ?
    Any comments highly appreciated.
    Thanks,
    Mallik

    hey check the servlet spec version you're using in your web.xml. I think you want 2.3 not 2.4.

  • Need CVS plug in with weblogic portal 10.3

    I tried to integrate the CVS plug in with Weblogic Portal 10.3 using software updates (Selecting Eclipse CVS Client 1.0.2.r33x), but getting the error - Weblogic Portal 10.3 requires feature "com.m7.nitrox(1.0.20)", or compatible
    Can someone help me in CVS plug ins with weblogic portal 10.3.

    ttam,
    This is a bug, 8185869 (Check in Metalink) . that has been fixed in the Sunshine Release. In the meantime, here's the workaround from the bug report:
    Download the plugin manually, and either 1) create an extension location on the file system from it and add that via Help|Software Updates|Manage Configuration, or 2) extract it to one of the workshop eclipse folders (i.e. tools/eclipse_pkgs/2.0/eclipse_3.3.2, tools/eclipse_pkgs/2.0/pkgs/eclipse, workshop_10.3/workshop4WP/eclipse, wlportal_10.3/eclipse).
    Additionally, you can comment out the com.* import lines in your %BEA_HOME%\wlportal_10.3\eclipse\features\com.bea.wlp_10.3.0\feature.xml, like this:
    <requires>
    <import plugin="org.eclipse.core.runtime" version="3.3" match="compatible"/>
    <import plugin="org.eclipse.ui" version="3.3" match="compatible"/>
    <!--
    <import feature="com.m7.nitrox" version="1.0.20" match="compatible"/>
    <import feature="com.bea.workshop.cmdline.feature" version="1.0.30" match="compatible"/>
    <import feature="com.bea.workshop.common.feature" version="1.1.40" match="compatible"/>
    <import feature="com.bea.workshop.upgrade81.feature" version="1.0.30" match="compatible"/>
    <import feature="com.bea.workshop.web.feature" version="1.0.20" match="compatible"/>
    <import feature="com.bea.workshop.wls.feature" version="1.1.30" match="compatible"/>
    <import feature="com.bea.workshop.xmlbeans.feature" version="1.0.30" match="compatible"/>
    -->
    </requires>
    Then restart Workshop.
    cheers
    vijay

  • WLS with the HttpClusterServlet or Apache with proxy plug-in?

    I'm a newbie with WebLogic Server cluster.
    Please tell me which is better for load balancing for WLS cluster? WLS with the HttpClusterServlet or Apache HTTP Server Plug-In? And which is recommended for production environment?
    Many thanks.

    Apache with plug-in, as this is easier configurable.
    For the HttpClusterServlet all the configuration goes into web.xml which has to be packaged as a war file and deployed to WebLogic.
    When any change is needed you have to edit the web.xml file, package it again and redeploy it.
    An example of the Apache plug-in set-up can be found here: http://middlewaremagic.com/weblogic/?p=7795 (the load balancing section)
    Or if you want to use the Oracle Web-Tier (which includes a precompiled Apache HTTP server): http://middlewaremagic.com/weblogic/?p=7819 (the load balancer section)

  • Problems using 4096 bit SSL certificate with WebLogic Apache 2.2 plug-in

    Hi,
    I'm using WebLogic 9.2 MP3 and Apache HTTP Server (version 2.2) Plug-In. For security reasons, I have SSL installed on both Apache and WebLogic. So Apache must communicate with WebLogic via https.
    I get the following error when attempting to access WebLogic via Apache:
    Internet Explorer cannot display the webpage
    These are the last lines in wlproxy log:
    Fri Feb 26 14:08:59 2010 <71212672221392> INFO: SSL is configured
    Fri Feb 26 14:08:59 2010 <71212672221392> SSL Main Context not set. Calling InitSSL
    Fri Feb 26 14:08:59 2010 <71212672221331> INFO: Initializing SSL library
    I've found that the problem is caused by using a 4096 bit intermediate cert. When I include this 4096 bit cert in the file referenced by plugin parameter "TrustedCAFile", it is unable to load it. I've tested 4096 bit certs from a few different certificate authorities, and consistently see this problem, so I know the problem is not related to the specific certificate. If I use a 2048 bit intermediate certificate, everything works perfectly fine.
    Do you know if there are limitations to the certificate length that the plug-in can use?

    Yes 4096 bit Certificates are not supported by the plugin.
    You can use up to 2048 bit.
    There is a Bug which clearly mentions it.
    I don't remember the Bug Number, but an Oracle Support person will be able to tell you.
    Hope this helps.
    Faisal Khan
    Edited by: Faisal Khan on Feb 27, 2010 2:08 PM

  • IIS 6 Plug-in with Weblogic 8.1

    Hello there,
    I am just wondering if there is anyone out there, who got IIS 6 plug-in working
    with WebLogic 8.1. Plug-in perfectly works with IIS 5. When we upgraded W2K to
    W2003 plug-in didn't work with Weblogic. If there is anyone who knows how to get
    this up and running, your help will be appreciated.
    Thank you.

    Hi Vishwas,
    Thank you for the reply. I forgot to mention that Apache and WebLogic are on Solaris 9 platform.
    Accessing a webapp hosted on WebLogic through Apache->plug-in->WebLogic returns a 500 internal server error, but other webapps hosted on the same WebLogic domain work properly. Looking at the Response Hdrs from WebLogic shows that WLS returns transfer-encoding=chunked. The other webapps which work properly have content-length set and transfer-encoding is not chunked.
    So, the question is: does the Apache Plug-in for weblogic 8.1 SP5 read the chunked data properly?
    Thanks,
    Janani

  • Error in configuring apache plug in with weblogic 8.1.5

    I tried to configure Apache 2.2 plugin with weblogic 8.1 SP 5 in Linux ES 4.0 . I am getting the following error while loading weblogic_module in httpd.conf file in Apache server (restarting apache server after putting entries in httpd.conf).. The error is httpd: Syntax error on line 414 of /usr/local/apache2/conf/httpd.conf: API module structure `weblogic_module' in file /usr/local/apache2/modules/mod_wl_20.so is garbled - perhaps this is not an Apache module DSO?
    Did anyone get this error before?

    The solution is for BEA to provide the plug-in. Probably a few minutes of a work for BEA developer. Weblogic 9.0 has it.
    Edited by muralive at 09/17/2007 10:08 PM

  • WLS :: Will Vista web client work with Weblogic Server 8.1.6 over SSL?

    Hello,
    I have installed a 512 bit SSL cert on weblogic 7 and found that the secure site doesn't work on the Vista web client.
    Weblogic gives error in handshaking and says algorithm is not supported.
    Vista web client uses some algorithms which were not supported by weblogic 7.
    So I would like to know if the Vista web client would work with Weblogic Server 8.1.6 over SSL?
    Any information in this regard would be helpful.
    Thanks in Advance.

    can you use the following debug flags in the weblogic server as java_options and paste the complete ssl handshake exception here.
    -Dweblogic.StdoutDebugEnabled=true
    -Dssl.debug=true
    thanks,
    sandeep

  • Deploy web application in jbuilder 9 with weblogic 7 problem

    When I create a web application and a servlet, and deploy it in jbuilder 9 with weblogic 7.0, jbuilder 9 shows me the error below. Please tell me why; when I choose "redeploy", it works normally..
    E:\bea\jdk131_02\bin\javaw -classpath E:\bea\weblogic700\server\lib\weblogic.jar;E:\bea\weblogic700\server\lib\webservices.jar;E:\bea\weblogic700\server\lib\weblogic_sp.jar; weblogic.Deployer -user system -adminurl http://localhost:7001 -password 12345678 -deploy -name firstWebApp -upload -source E:/J2EE/servlet/firstWebApp.war -targets myserver
    WebLogic Application Deployment Utility
    Usage: java weblogic.Deployer [options] [-activate|-deactivate|-remove|-unprepare|-cancel|-list] [files]
    where options include:
    -help Print this help message.
    -version Print version information.
    -adminurl <https://<server>:<port>> The URL of the administration server: default
    http://localhost:7001
    -user <user> A user other than the default of
    "installadministrator"
    -password <password> Specifies the password on the command line.
    If this option is absent the user is
    prompted.
    -verbose Displays additional status during the
    deployment process, including notifications
    when the application is prepared and
    activated on each target.
    -debug Displays debug level messages to the standard
    output.
    -examples Display example usage of this tool.
    -upload Causes the specified source file(s) to be
    transferred to the adminstration server. This
    is used when the Deployer tools is not being
    used on the same machine as the adminstration
    server and the user does not otherwise have
    access to place the targeted files on the
    adminstration server.
    -delete_files Causes the server to remove the files that
    are specified in the file list and leave the
    application activated. This option is valid
    only for unarchived web applications.
    -remote Signals that the tools is not runnning on the
    same machine as the adminstration server and
    that the source path should be made passed
    through unchanged as it represents the path
    on the remote server.
    -nostage Sets the stagingMethod attribute on the
    application mbean when it is created so that
    the application will not be staged and the
    original source is be used.
    -external_stage Sets the stagingMethod attribute on the
    application mbean when it is created so that
    the application will not be staged but the
    value of the staging path will be used when
    preparing the application.
    -stage Sets the stagingMethod staging attribute on
    the application when it is created so that
    the application will always be staged. This
    value will override the stagingMethod
    attribute on any targeted servers.
    -nowait Once the action is initiated the tool will
    print the task id and exit. This is used to
    initiate multiple tasks and then monitor them
    later using the -list action.
    -timeout <seconds> The maximum time in seconds to wait for the
    completion of the deployment task. When the
    time expires the current status is printed
    and the program exits.
    -source <archive file or directory> Location of the file or directory that
    represents the enterprise component or
    application tha is being (re)activated. If
    the source file is relative it is relative to
    the current directory, unless the -remote
    option is used. To specify individual files
    within an application for reployment or
    addition list them at the end of the command
    line.
    -name <application name> The name of the application being deployed.
    -targets <<server 1>,...<component>@<server N>> A comma separated list of the server and/or
    cluster names. Each target may be qualified
    with a J2EE component name. This enables
    different components of the archive to
    deployed on different servers.
    -id <task identifier> Optional client supplied unique identifier
    for the deployment task. The id is first
    specified to -activate, -deactivate,
    -unprepare or -remove. It is then used later
    as an argument to -cancel or -list.
    -activate (Re)activates the <source> application on the
    <targets> with the <name>.
    -deactivate Deactivates the application <name> on the
    <targets> leaving an staged application files
    in a state where the may be quickly
    reactivated.
    -unprepare Deactivates and unloads classes for the
    application <name> on the <targets> leaving
    an staged application files in a state where
    the may be quickly reloaded.
    -remove Deactivates the application <name> on the
    <target> and removes any files that were
    staged for this application. If there are no
    longer any targets for the application, the
    associated configuration is completely
    removed.
    -cancel Atempts to cancel the task <id> if it is has
    not yet completed.
    -list Lists the target status of each task <id>
    -deploy a convenient alias for activate.
    -undeploy a convenient alias for unprepare.
    Optionally a list of the specific files in the archive that are to be
    redeployed may be specified. If a directory is specified the entire subtree is
    redeployed.
    Full documentation on this tool is available at:
    http://edocs.beasys.com/wls/docs70/adminguide/utils.html#1138475
    No actions was specified. Please specify one and only one of:
    -activate, -deactivate, -cancel, -remove, -unprepare, or -list.
    Type java weblogic.Deployer -examples for example usage.

    You use "deploy" under DOS-Mode to deploy your web application?
    I found some differences between the "deploy" and "redeploy" functions in jbuilder 9.
    When I choose "deploy", jbuilder shows me the command below:
    E:\bea\jdk131_02\bin\javaw -classpath E:\bea\weblogic700\server\lib\weblogic.jar;E:\bea\weblogic700\server\lib\webservices.jar;E:\bea\weblogic700\server\lib\weblogic_sp.jar; weblogic.Deployer -user system -adminurl http://localhost:7001 -password 12345678 -deploy -name firstWebApp -upload -source E:/J2EE/servlet/firstWebApp.war -targets myserver
    WebLogic Application Deployment Utility
    When I choose redeploy, it shows me this (the -deploy parameter has changed to -activate); maybe it's a bug.
    E:\bea\jdk131_02\bin\javaw -classpath E:\bea\weblogic700\server\lib\weblogic.jar;E:\bea\weblogic700\server\lib\webservices.jar;E:\bea\weblogic700\server\lib\weblogic_sp.jar; weblogic.Deployer -user system -adminurl http://localhost:7001 -password 12345678 -activate -name firstWebApp -upload -source E:/J2EE/servlet/firstWebApp.war -targets myserver
    WebLogic Application Deployment Utility

  • Has anyone used JAAS with WebLogic?

    Has anyone used JAAS with Weblogic? I was looking at their example, and I have a bunch of questions about it. Here goes:
    Basically the problem is this: the plug-in LoginModule model of JAAS used in WebLogic (with EJB Servers) seems to allow clients to falsely authenticate.
    Let me give you a little background on what brought me to this. You can find the WebLogic JAAS example (to which I refer below) in the pdf: http://e-docs.bea.com/wls/docs61/pdf/security.pdf . (I believe you want pages 64-74) WebLogic, I believe goes about this all wrong. They allow the client to use their own LoginModules, as well as CallBackHandlers. This is dangerous, as it allows them to get a reference (in the module) to the LoginContext's Subject and authenticate themselves (i.e. associate a Principal with the subject). As we know from JAAS, the way AccessController checks permissions is by looking at the Principal in the Subject and seeing if that Principal is granted the permission in the "policy" file (or by checking with the Policy class). What it does NOT do, is see if that Subject has the right to hold that Principal. Rather, it assumes the Subject is authenticated.
    So a user who is allowed to use their own Module (as WebLogic's example shows) could do something like:
    //THEIR LOGIN MODULE (SOME CODE CUT-OUT FOR BREVITY)
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;

    public class BasicModule implements LoginModule {
        private NameCallback strName;
        private PasswordCallback strPass;
        private CallbackHandler myCB;
        private Subject subj;

        //INITIALIZE THIS MODULE
        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map sharedState, Map options) {
            try {
                //SET SUBJECT
                subj = subject;  //NOTE: THIS GIVES YOU REFERENCE TO LOGIN CONTEXT'S SUBJECT
                                 // AND ALLOWS YOU TO PASS IT BACK TO THE LOGIN CONTEXT
                myCB = callbackHandler;
                //SET CALLBACKHANDLERS
                strName = new NameCallback("Your Name: ");
                strPass = new PasswordCallback("Password:", false);
                Callback[] cb = { strName, strPass };
                //HANDLE THE CALLBACKS
                callbackHandler.handle(cb);
            } catch (Exception e) { System.out.println(e); }
        }

        //LOG THE USER IN
        public boolean login() throws LoginException {
            //TEST TO SEE IF SUBJECT HOLDS ANYTHING YET
            System.out.println("PRIOR TO AUTHENTICATION, SUBJECT HOLDS: "
                               + subj.getPrincipals().size() + " Principals");
            //SUBJECT AUTHENTICATED - BECAUSE SUBJECT NOW HOLDS THE PRINCIPAL
            MyPrincipal m = new MyPrincipal("Admin");  // MyPrincipal: the poster's own Principal class (not shown)
            subj.getPrincipals().add(m);
            return true;
        }

        public boolean commit() throws LoginException {
            return true;
        }

        //abort() AND logout() WERE CUT FROM THE POST; THE LoginModule INTERFACE REQUIRES THEM
        public boolean abort() throws LoginException { return false; }
        public boolean logout() throws LoginException { return true; }
    }
    (Sorry for all that code)
    I tested the above code, and it fully associates the Subject (and its principal) with the LoginContext. So my question is, where in the process (and code) can we put the LoginContext and Modules so that a client cannot
    do this? With the above example, there is no Security. (a call to: myLoginContext.getSubject().doAs(...) will work)
    I think the key here is to understand JAAS's plug-in security model to mean:
    (Below are my words)
    The point of JAAS is to allow an application to use different ways of authenticating without changing the application's code, but NOT to allow the user to authenticate however they want.
    In WebLogic's example, they unfortunately seem to have used the latter understanding, i.e. "allow the user to authenticate however they want."
    That, as I think I've shown, is not security. So how do we solve this? We need to put JAAS on the server side (with no direct JAAS client-side), and that includes the LoginModules as well as LoginContext. So for an EJB Server this means that the same internal permission
    checking code can be used regardless of whether a client connects through
    RMI/RMI-IIOP/JEREMIE (etc). It does NOT mean that the client gets to choose
    how they authenticate (except by choosing YOUR set ways).
    Before we even deal with a serialized subject, we need to see how JAAS can
    even be used on the back-end of an RMI (RMI-IIOP/JEREMIE) application.
    I think what needs to be done, is the client needs to have the stubs for our
    LoginModule, LoginContext, CallBackHandler, CallBacks. Then they can put
    their info into those, and everything is handled server-side. So they may
    not even need to send a Subject across anyways (but they may want to as
    well).
    Please let me know if anyone sees this problem too, or if I am just completely
    off track with this one. I think figuring out how to do JAAS as though
    everything were local, and then putting RMI (or whatever) on top is the
    first thing to tackle.
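Added example, not from the post above or from WebLogic: a server-side JAAS login in the shape the post argues for. The Configuration, the single LoginModule it selects, the Principal type and the Subject are all created on the server; a caller hands over only a name and password and gets back a Subject the server built, so there is no way for a caller to supply a module that adds "Admin" to itself. The class names, the "server-app" entry name and the in-memory user table are assumptions constructed for this example.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Server-side JAAS login; an added example, not WebLogic's implementation. */
public final class ServerSideLogin {

    // Constructed credential store for the example; a real server consults its user registry.
    static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret".toCharArray()); }

    // Server-controlled Principal type; only PasswordModule ever creates one.
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // The only LoginModule the server will run.
    public static final class PasswordModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String authenticatedName;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // Reject before any Principal is associated with the Subject.
            if (expected == null || given == null || !Arrays.equals(expected, given)) {
                throw new FailedLoginException("bad credentials");
            }
            authenticatedName = nc.getName();
            return true;
        }

        // The Principal is added only in commit(), after login() succeeded.
        public boolean commit() {
            if (authenticatedName == null) return false;
            subject.getPrincipals().add(new UserPrincipal(authenticatedName));
            return true;
        }
        public boolean abort() { authenticatedName = null; return true; }
        public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
            return true;
        }
    }

    // Fixed Configuration: the module is hard-wired and REQUIRED, so a caller cannot swap in
    // a module of its own the way the post's BasicModule does.
    static final Configuration FIXED = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(PasswordModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap())
            };
        }
    };

    /** Server entry point: credentials in, server-built Subject out (or LoginException). */
    public static Subject login(final String user, final char[] password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        // The Subject is created by LoginContext here, never received from the client.
        LoginContext lc = new LoginContext("server-app", null, h, FIXED);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject ok = login("alice", "s3cret".toCharArray());
        System.out.println("principals after good login: " + ok.getPrincipals());
        try {
            login("alice", "wrong".toCharArray());
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The remote layer (RMI, IIOP or anything else) then exposes only login(user, password) and keeps the returned Subject on the server for doAs calls; the client never sees a LoginModule, a Configuration or a Subject it could populate itself.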

    Send this to:
    newsgroups.bea.com / security-group.
