1 Reply Latest reply: Mar 12, 2012 9:46 AM by BradPosner

    SecurityException

    728704
      Hi,
      I have a scenario in which we do not use Authentication.login() to authenticate a user.
      I am able to generate the UUP property sets using profileWrapper.getProperty(),
      but when I am trying to use profileWrapper.setProperty() or profileWrapper.removeProperty(),
      it throws a SecurityException. Below is the stack trace I am getting:

      java.rmi.RemoteException: EJB Exception: ; nested exception is:
      java.lang.SecurityException: User <anonymous> does not have permission to modify data for 60136. Users can only be modified by themselves, or by a member of the role [Admin, PortalSystemAdministrator].
      at weblogic.ejb.container.internal.EJBRuntimeUtils.throwRemoteException(EJBRuntimeUtils.java:103)
      at weblogic.ejb.container.internal.BaseRemoteObject.handleSystemException(BaseRemoteObject.java:868)
      at weblogic.ejb.container.internal.BaseRemoteObject.handleSystemException(BaseRemoteObject.java:809)
      at weblogic.ejb.container.internal.BaseRemoteObject.postInvoke1(BaseRemoteObject.java:514)
      at weblogic.ejb.container.internal.StatelessRemoteObject.postInvoke1(StatelessRemoteObject.java:60)
      at weblogic.ejb.container.internal.BaseRemoteObject.postInvokeTxRetry(BaseRemoteObject.java:441)
      at com.bea.p13n.usermgmt.profile.internal.UserProfileManager_mfa736_EOImpl.setProperty(UserProfileManager_mfa736_EOImpl.java:1168)
      at com.bea.p13n.usermgmt.profile.internal.PhantomProfileWrapperImpl.setProperty(PhantomProfileWrapperImpl.java:258)
      at com.adapter.UUPAdapter.updateProperty(UUPAdapter.java:379)
      at com.portal.login.dataBackingBeans.LoginFormDataBackingBean.updateProperty(LoginFormDataBackingBean.java:112)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at com.sun.el.parser.AstValue.invoke(AstValue.java:157)
      at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283)
      at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
      at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
      at javax.faces.component.UICommand.broadcast(UICommand.java:387)
      at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475)
      at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756)
      at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
      at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
      at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
      at org.apache.myfaces.portlet.faces.bridge.BridgeImpl.doFacesRequest(BridgeImpl.java:319)
      at javax.portlet.faces.GenericFacesPortlet.doBridgeDispatch(GenericFacesPortlet.java:659)
      at javax.portlet.faces.GenericFacesPortlet.doActionDispatchInternal(GenericFacesPortlet.java:594)
      at javax.portlet.faces.GenericFacesPortlet.processAction(GenericFacesPortlet.java:262)
      at com.bea.portlet.container.PortletStub.doAction(PortletStub.java:899)
      at com.bea.portlet.container.FilterChainGenerator.runFilterChain(FilterChainGenerator.java:96)
      at com.bea.portlet.container.PortletStub.processAction(PortletStub.java:314)
      at com.bea.portlet.container.AppContainer.invokeProcessAction(AppContainer.java:678)
      at com.bea.netuix.servlets.controls.content.JavaPortletContent.fireProcessAction(JavaPortletContent.java:209)
      at com.bea.netuix.servlets.controls.portlet.JavaPortlet.fireProcessAction(JavaPortlet.java:1295)
      at com.bea.netuix.servlets.controls.portlet.JavaPortlet.raiseChangeEvents(JavaPortlet.java:801)
      at com.bea.netuix.nf.ControlLifecycle$4.postVisitRoot(ControlLifecycle.java:316)
      at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:341)
      at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:130)
      at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:399)
      at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
      at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:352)
      at com.bea.netuix.nf.Lifecycle.runInbound(Lifecycle.java:184)
      at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:159)
      at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:465)
      at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:291)
      at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:219)
      at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:275)
      at com.bea.netuix.servlets.manager.PortalServlet.service(PortalServlet.java:719)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
      at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
      at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at com.bea.portal.tools.servlet.http.HttpContextFilter.doFilter(HttpContextFilter.java:60)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at com.bea.jsptools.servlet.PagedResultServiceFilter.doFilter(PagedResultServiceFilter.java:82)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at com.bea.analytics.AnalyticsFilter.doFilter(AnalyticsFilter.java:68)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:336)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at com.bea.content.manager.servlets.ContentServletFilter.doFilter(ContentServletFilter.java:178)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3592)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
      at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
      at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
      at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
      Caused by: java.lang.SecurityException: User <anonymous> does not have permission to modify data for 60136. Users can only be modified by themselves, or by a member of the role [Admin, PortalSystemAdministrator].
      at com.bea.p13n.usermgmt.profile.internal.UserProfileManagerImpl.authorizeModification(UserProfileManagerImpl.java:134)
      at com.bea.p13n.usermgmt.profile.internal.ProfileManagerImpl.setProperty(ProfileManagerImpl.java:567)
      at com.bea.p13n.usermgmt.profile.internal.UserProfileManager_mfa736_EOImpl.setProperty(UserProfileManager_mfa736_EOImpl.java:1154)
      ... 67 more

      Here '60136' is the unique id of the user.

      Edited by: Sanjeev Kumar on 15-Nov-2012 23:53
        • 1. Re: SecurityException
          BradPosner
          The exception is accurate. You cannot store properties about an anonymous user outside of the Tracked Anonymous User capability. To read more about this feature: http://docs.oracle.com/cd/E26806_01/wlp.1034/e14254/anonymous.htm#i1004942

          See the following Tip:

          Tip:
          To retrieve a user's profile using this programmatic technique, the user must be logged in and authenticated. If you call com.bea.p13n.security.Authentication.login() to perform the login, the user profile is automatically created. You can also call the WebLogic Server method weblogic.servlet.security.ServletAuthentication.login(); however, note that the user profile is only created after the next access (usually after the first page refresh). Before this subsequent access, you will receive a ProfileNotFound exception when you try to retrieve the user's profile.

          From section 5.2.2 of this document: http://docs.oracle.com/cd/E26806_01/wlp.1034/e14254/developuserprofiles.htm#i1021393

          Brad
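
The rule stated in the exception message above, as a stand-alone model (an added example, not code from this thread or from WebLogic Portal): a profile write passes only when the caller is the profile's owner or holds one of the two named roles, so an unauthenticated caller can read but is denied on write. The class, the `Caller` type, the sample callers and the ungated read are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of the rule in the exception message; not WebLogic Portal code.
public class ProfileWriteCheck {
    static final Set<String> PRIVILEGED = Set.of("Admin", "PortalSystemAdministrator");

    // Caller identity as the container would see it; ANONYMOUS has no user id.
    static final class Caller {
        final String name; final String userId; final Set<String> roles;
        Caller(String name, String userId, Set<String> roles) {
            this.name = name; this.userId = userId; this.roles = roles;
        }
    }
    static final Caller ANONYMOUS = new Caller("<anonymous>", null, Set.of());

    static final Map<String, Map<String, Object>> profiles = new HashMap<>();

    // Reads are not gated in this model (assumption), as with the poster's getProperty().
    static Object getProperty(String profileId, String key) {
        return profiles.getOrDefault(profileId, Map.of()).get(key);
    }

    // Writes pass only for the profile owner or a member of a privileged role.
    static void setProperty(Caller c, String profileId, String key, Object value) {
        boolean self = c.userId != null && c.userId.equals(profileId);
        boolean privileged = !Collections.disjoint(c.roles, PRIVILEGED);
        if (!self && !privileged) {
            throw new SecurityException("User " + c.name
                + " does not have permission to modify data for " + profileId);
        }
        profiles.computeIfAbsent(profileId, k -> new HashMap<>()).put(key, value);
    }

    public static void main(String[] args) {
        String id = "60136"; // profile id taken from the stack trace
        Caller owner = new Caller("owner", id, Set.of());                           // constructed
        Caller admin = new Caller("ops", "1", Set.of("PortalSystemAdministrator")); // constructed
        setProperty(owner, id, "locale", "en"); // allowed: caller is the profile owner
        setProperty(admin, id, "locale", "fr"); // allowed: caller holds a privileged role
        System.out.println(getProperty(id, "locale"));
        try {
            setProperty(ANONYMOUS, id, "locale", "de"); // no identity, no role
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```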