12 Replies Latest reply: Jan 20, 2012 3:49 AM by rathnam RSS

    ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef

    790477
      JDev version : 11.1.1.4
      WLS : 10.3.4

      Hi All,

      Recently we have migrated JDev from 11.1.1.3 to 11.1.1.4 and WLS from 10.3.3 to 10.3.4. We had security enabled in our application and use to work without any issues in our previous version (before migration). We are getting below error after migration and not able to access our application.

      Error 500--Internal Server Error
      oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef@d856cd' 'VIEW'.

      We get this exception as soon as log in is successful. We have tried with different users including administrator who has complete permissions but got same exception. Note that same application is working in previous version.
      Please help us in resolving this issue. Below I have mentioned complete stack trace.

      More details:

      Policy store : jaxz-data.xml
      Identity store : integrated WLS LDAP
      WLS : standalone WLS


      Error 500--Internal Server Error
      oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef@d856cd' 'VIEW'.
           at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:180)
           at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:160)
           at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:114)
           at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:632)
           at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:669)
           at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:447)
           at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:46)
           at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:531)
           at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
           at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
           at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:124)
           at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:70)
           at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
           at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:398)
           at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:185)
           at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
           at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
           at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
           at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
           at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
           at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
           at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
           at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
           at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
           at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
           at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
           at java.security.AccessController.doPrivileged(Native Method)
           at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
           at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
           at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
           at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
           at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
           at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
           at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
           at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
           at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
           at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
           at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
           at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
           at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
        • 1. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
          vinod_t_krishnan
          this exception will work only when there is no permission.. delete your system folder.. and try to assign the permission again in the jazn and see what happens
          • 2. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
            Dimitar Dimitrov
            Have a look within <tt>system-jazn-data.xml</tt> file of your new WLS instance (WLS 10.3.4 instance) in order to see if the security policy of your application has been migrated. Most probably it has not been.

            Dimitar
            • 3. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
              790477
              Hi Dimitar,

              As you rightly pointed non of my security policies are migrated to system-jazn-data.xml file. This was working in previous version (10.3.3) and all security policies are used to migrate automatically. Can you please tell us what additional configuration change we have to do with WLS 10.3.4 so that these security policies migrate automatically?

              Appreciate your help.

              Thanks,
              Ravindra
              • 4. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                Dimitar Dimitrov
                Usually, the security policy of the application is bundled in the EAR file. When you deploy the application the security policy is automatically migrated (e.g. added) to domain's security policy repository (e.g. <tt>system-jazn-data.xml</tt> file, if neither LDAP or DB repository is used). Also when you undeploy an application its security policy is removed from domain's security policy repository.

                My practical experience says that both of these happen only if the application has been targetted to WLS domain's admin server (i.e. if the application is targetted only to managed servers but not to the admin server, then the security policy is neither migrated nor removed).

                The trick I apply is to do the following:

                (1) Target and deploy the application to the admin server (so the security policy is migrated into <tt>system-jazn-data.xml</tt>);
                (2) Copy the migrated application's policy section from <tt>system-jazn-data.xml</tt> to the clipboard;
                (3) Undeploy the application from the admin server (the security policy is removed from <tt>system-jazn-data.xml</tt> in result);
                (4) Paste the security section back into <tt>system-jazn-data.xml</tt> file and save it;
                (5) Deploy the application to managed servers;
                (6) Restart the servers.

                (It is not necessary to undeploy the application at step 3, it is enough to remove the admin server from application's targets).

                I am not sure that this is the right approach, but it works and I have not found anything in the documentation about this topic.

                One more thing - the automatic migration of the security policy that is included in the EAR is controlled by the following parameter in <tt>weblogic-application.xml</tt> file:
                <application-param>
                    <param-name>jps.policystore.migration</param-name>
                    <param-value>OVERWRITE</param-value>
                </application-param>
                The policy is not migrated if this parameter is not set.

                If you deploy the application from JDeveloper, it will not be necessary to set this parameter in <tt>weblogic-application.xml</tt> manually because JDeveloper will do it for you. Just open the Application Properties dialog in JDev, go to page "Deployment" and check the checkbox "Application Policies". Then JDeveloper will automatically add this parameter into <tt>weblogic-application.xml</tt> file within the EAR files generated from this time onwards (do not be confused that it will not be added to the file in the IDE).

                Dimitar
                • 5. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                  Dimitar Dimitrov
                  JDeveloper's documentation says:

                  When you eventually deploy to a production environment, the migration settings in the weblogic-application.xml file are ignored; it would be considered a security vulnerability to allow existing policies and credentials to be overwritten.

                  However, I have used the step-by-step procedure described in my previous post in production WLS 10.3.2 and WLS 10.3.3 domains many times and I can confirm that it worked (e.g. the policy was migrated). Note, that in WLS 10.3.4 things may have changed.

                  Dimitar
                  • 6. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                    790477
                    Hi Dimitar,

                    Thanks for your quick reply and valuable suggestions. I am running my application in admin server and my weblogic-application.xml has all required configurations (specified below). With all these in place security policies are not getting deployed.

                    weblogic-application.xml file contents:
                    <?xml version = '1.0' encoding = 'windows-1252'?>
                    <weblogic-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-application http://www.bea.com/ns/weblogic/weblogic-application/1.0/weblogic-application.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-application">
                      <xml>
                        <parser-factory>
                          <saxparser-factory>oracle.xml.jaxp.JXSAXParserFactory</saxparser-factory>
                          <document-builder-factory>oracle.xml.jaxp.JXDocumentBuilderFactory</document-builder-factory>
                          <transformer-factory>oracle.xml.jaxp.JXSAXTransformerFactory</transformer-factory>
                        </parser-factory>
                      </xml>
                      <application-param>
                        <param-name>jps.credstore.migration</param-name>
                        <param-value>OVERWRITE</param-value>
                      </application-param>
                      <application-param>
                        <param-name>jps.policystore.migration</param-name>
                        <param-value>OVERWRITE</param-value>
                      </application-param>
                      <listener>
                          <listener-class>oracle.communications.brm.pdc.server.common.PricingApplicationLifeCycleListener</listener-class>
                      </listener>
                      <listener>
                        <listener-class>oracle.adf.share.weblogic.listeners.ADFApplicationLifecycleListener</listener-class>
                      </listener>
                      <listener>
                        <listener-class>oracle.mds.lcm.weblogic.WLLifecycleListener</listener-class>
                      </listener>
                      <listener>
                        <listener-class>oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener</listener-class>
                      </listener>
                      <listener>
                        <listener-class>oracle.security.jps.wls.listeners.JpsAppVersionLifecycleListener</listener-class>
                      </listener>
                      <library-ref>
                        <library-name>adf.oracle.domain</library-name>
                      </library-ref>
                      <library-ref>
                        <library-name>oracle.jsp.next</library-name>
                      </library-ref>
                    </weblogic-application>
                    • 7. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                      790477
                      any help on this... today I have enabled security freshly on Jdev 11.1.14 and added all access grants to jazn-data.xml and deployed the application in WLS 10.3.4. Again got same exception.
                      • 8. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                        619224
                        Check the Release Notes for PS3:

                        http://www.oracleimg.com/technetwork/developer-tools/jdev/relnotes-14-jan-11-261400.html#security2

                        Section:
                        Migration of the jazn-data.xml File Fails With a Duplicate Permission Defined.


                        Previous Jdev versions were more fault tolerant on jazn-data.xml.


                        Thank you,

                        Florin
                        • 9. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                          brimstony
                          I ran into this today as well. No migration, just a brand new application. Could not find any duplicates in the jazn-data.xml

                          JDev: 11.1.1.4
                          Adding a custom task flow:
                          oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef@f0245e' 'VIEW'.
                               at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:180)
                               at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:160)
                               at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:127)
                               at oracle.adfinternal.controller.activity.ViewActivityLogic.checkReadPermission(ViewActivityLogic.java:585)
                               at oracle.adfinternal.controller.activity.ViewActivityLogic.execute(ViewActivityLogic.java:129)
                               at oracle.adfinternal.controller.engine.ControlFlowEngine.executeActivity(ControlFlowEngine.java:989)
                               at oracle.adfinternal.controller.engine.ControlFlowEngine.doRouting(ControlFlowEngine.java:878)
                          ....
                          • 10. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                            user1897085
                            Hi
                            I have the same problem when I use Jdev 11.1.1.x
                            The problem disapears when I use Jdev 11.1.2.0.0. Anyone knows why? I can't use Jdev 11.1.2.0.0 jet.
                            • 11. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                              452071
                              I hit this issue recently and also was able to verify that is not longer present on 11.1.2.0. The workaround that I applied was on the Jazn-data.xml file:
                              Remove the definition of the anonymous-role (if you notice there isn't one for the authenticated role)
                              <app-role>
                              <name>anonymous-role</name>
                              <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
                              <display-name>anonymous-role</display-name>
                              </app-role>

                              Also on the principal identity for the anonymous-role I change the JpsAnonymousRoleImpl for oracle.security.jps.service.policystore.ApplicationRole
                              <principals>
                              <principal>
                              <name>anonymous-role</name>
                              <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                              </principal>
                              </principals>

                              Let me know if this works.

                              Juan Camilo
                              • 12. Re: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef
                                rathnam
                                Was hitting the same issue. Working fine after removing jazn-data.xml file:

                                <app-role>
                                <name>anonymous-role</name>
                                <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
                                <display-name>anonymous-role</display-name>
                                </app-role>