1 Reply Latest reply: Oct 30, 2012 2:17 PM by Mohammed Rayan-Oracle

    Security exception while trying to access a webservice

    611776
      Dear All,

      I am facing a SecurityException (exception trace is below) while trying to hit a webservice deployed in an Oracle Weblogic 10.3.5 server (11GR1-SOA domain). The details are as follows:

      - I have a weblogic webservice application "ReferenceServices" developed and deployed in an Oracle Weblogic 10GR3 server (10.3.0) which is working fine.
      - I test the ReferenceServices from SOAP UI tool which returns a SOAP response.
      - No security features have been configured for the above web service application. All the settings are set to default ones when the domain was created.
      - Now, I want to deploy the ReferenceServices application (ear) in another domain that is created based on Oracle Weblogic 10.3.5 (basically a SOA domain).
      - I am able to deploy the ear without any issues and also tested it successfully within the weblogic test console.
      - When I try to hit the same services from the SOAP UI client, I am getting the below SecurityException. I tried a lot of things but was unable to resolve the issue.
      - Briefly, the ReferenceServices application internally invokes a backend EJB application hosted on another server. The response from the EJB is validated, reconstructed as a SOAP message and sent back to the client (SOAP UI). But I am getting the below error only on the 10.3.5 server, not on the 10.3.0 version.

      <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Header/>
      <env:Body>
      <env:Fault>
      <faultcode>env:Server</faultcode>
      <faultstring>[Security:090398]Invalid Subject: principals=[Tksmau40u8AgV0Hx}7dfIUhmoVsWR1q1nLfj4AR0]</faultstring>
      <detail>
      <bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[Tksmau40u8AgV0Hx}7dfIUhmoVsWR1q1nLfj4AR0]
           at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:833)
           at weblogic.security.service.IdentityUtility.authenticatedSubjectToIdentity(IdentityUtility.java:30)
           at weblogic.security.service.RoleManager.getRoles(RoleManager.java:183)
           at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:375)
           at weblogic.rmi.provider.WorkContextAccessController.checkAccess(WorkContextAccessController.java:62)
           at weblogic.workarea.spi.WorkContextAccessController.isAccessAllowed(WorkContextAccessController.java:38)
           at weblogic.workarea.WorkContextLocalMap$WorkContextKeys.next(WorkContextLocalMap.java:356)
           at weblogic.wsee.workarea.WorkAreaHandler.hasContext(WorkAreaHandler.java:39)
           at weblogic.wsee.workarea.WorkAreaServerHandler.handleResponse(WorkAreaServerHandler.java:40)
           at weblogic.wsee.handler.HandlerIterator.handleResponse(HandlerIterator.java:287)
           at weblogic.wsee.handler.HandlerIterator.handleResponse(HandlerIterator.java:271)
           at weblogic.wsee.ws.dispatch.server.ServerDispatcher.callHandleResponse(ServerDispatcher.java:341)
           at weblogic.wsee.ws.dispatch.server.ServerDispatcher.dispatch(ServerDispatcher.java:189)
           at weblogic.wsee.ws.WsSkel.invoke(WsSkel.java:80)
           at weblogic.wsee.server.servlet.SoapProcessor.handlePost(SoapProcessor.java:66)
           at weblogic.wsee.server.servlet.SoapProcessor.process(SoapProcessor.java:44)
           at weblogic.wsee.server.servlet.BaseWSServlet$AuthorizedInvoke.run(BaseWSServlet.java:285)
           at weblogic.wsee.server.servlet.BaseWSServlet.service(BaseWSServlet.java:169)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
           at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
           at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
           at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
           at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
           at java.security.AccessController.doPrivileged(Native Method)
           at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
           at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
           at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
           at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
           at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
           at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
           at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
           at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
           at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
           at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
           at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
           at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
           at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
           at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)</bea_fault:stacktrace>
      </detail>
      </env:Fault>
      </env:Body>
      </env:Envelope>

      Any help is greatly appreciated.

      Thanks,
      Satya.
        • 1. Re: Security exception while trying to access a webservice
          Mohammed Rayan-Oracle
          Hello Satya,

          Have you checked whether cross domain security between the WLS 10.3.5 domain and the backend server is enabled?

          Trust between domains is established so that principals in a Subject from one WebLogic domain can make calls in another domain. In previous releases of WebLogic Server, there was only one type of domain trust that is now referred to as Global Trust. WebLogic Server now supports a type of domain trust that is referred to as Cross Domain Security. The following sections explain how to configure each domain trust type:

          Enabling Cross Domain Security Between WebLogic Server Domains
          Enabling Global Trust

          http://docs.oracle.com/cd/E21764_01/web.1111/e13707/domain.htm#i1176046
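As an added illustration of the two trust models the reply points to (this is not code from the thread or from Oracle), the following Python script reads the security-configuration section of two domains' config.xml files and reports which trust model a caller/callee pair falls under. It assumes the element names cross-domain-security-enabled and excluded-domain-names (the kebab-case forms of the SecurityConfigurationMBean attribute names) and the http://xmlns.oracle.com/weblogic/domain namespace; the two config fragments are constructed samples, and the verdict rules paraphrase the linked documentation rather than any code on the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragments (not taken from the thread).
# Element names assume WebLogic's convention of kebab-casing the
# SecurityConfigurationMBean attribute names.
SOA_DOMAIN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>soa_domain</name>
  <security-configuration>
    <name>soa_domain</name>
    <cross-domain-security-enabled>true</cross-domain-security-enabled>
    <excluded-domain-names>legacy_domain</excluded-domain-names>
  </security-configuration>
</domain>
"""

EJB_DOMAIN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>ejb_domain</name>
  <security-configuration>
    <name>ejb_domain</name>
  </security-configuration>
</domain>
"""


def _local(tag):
    """Strip the XML namespace so lookups do not depend on it."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _child(elem, name):
    found = _children(elem, name)
    return found[0] if found else None


def read_trust_settings(config_xml):
    """Return the domain name, the Cross Domain Security flag and the
    set of domains excluded from it for one config.xml document."""
    root = ET.fromstring(config_xml)
    name = _child(root, "name").text.strip()
    sec = _child(root, "security-configuration")
    enabled = False
    excluded = set()
    if sec is not None:
        flag = _child(sec, "cross-domain-security-enabled")
        enabled = flag is not None and (flag.text or "").strip().lower() == "true"
        # Array-valued attributes appear as repeated elements; a
        # comma-separated list is tolerated as well.
        for x in _children(sec, "excluded-domain-names"):
            excluded.update(n.strip() for n in (x.text or "").split(",") if n.strip())
    return {"name": name, "cross_domain_enabled": enabled, "excluded": excluded}


def assess_trust(caller_xml, callee_xml):
    """Classify the trust relationship between a calling and a called domain.

    Rules paraphrase the WebLogic domain-trust documentation linked in the
    reply: when both sides apply Cross Domain Security to each other the
    call can use it (a cross-domain user and credential mapping are still
    required); when only one side applies it, the two sides disagree and
    the call fails with a security error; when neither applies it, trust
    falls back to Global Trust, i.e. a shared domain credential that this
    script cannot compare because config.xml stores it encrypted.
    """
    a = read_trust_settings(caller_xml)
    b = read_trust_settings(callee_xml)
    a_on = a["cross_domain_enabled"] and b["name"] not in a["excluded"]
    b_on = b["cross_domain_enabled"] and a["name"] not in b["excluded"]
    if a_on and b_on:
        return "cross-domain-security"
    if a_on != b_on:
        return "mismatch"
    return "global-trust"


if __name__ == "__main__":
    for side in (SOA_DOMAIN_CONFIG, EJB_DOMAIN_CONFIG):
        print(read_trust_settings(side))
    print("soa_domain -> ejb_domain:", assess_trust(SOA_DOMAIN_CONFIG, EJB_DOMAIN_CONFIG))
```

In the constructed sample only the SOA domain has Cross Domain Security switched on, so the script reports a mismatch; switching it on in the backend domain as well (and then adding the cross-domain user and credential mapping the documentation describes), or listing the backend domain under excluded-domain-names so that the pair falls back to Global Trust, are the two configurations the linked page covers.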