0 Replies Latest reply: Nov 21, 2012 7:17 AM by JJWesterbeek

    Weblogic 10.3.0 - Security Violation when Group Membership Lookup enabled

    JJWesterbeek
      Dear Admins,

      We're running a Weblogic 10.3.0 cluster with our own software deployed.
      We're using SQL authentication (JDBC to Oracle DB) to authenticate users.


      Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
      Sometimes users log into our application and get insufficient rights (or some other error). This appears to happen at random. Most of the time they can log in without problems.
      We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.

      In the Managed server we see this error (with test user):

      Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController,
      method=create, methodInterface=Home, signature={}.

      When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
      Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):

      Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
      Group Hierarchy Cache TTL: 3600

      Provider-specific settings:

      Group Membership Searching: unlimited
      Max Group Membership Search Level: 0

      Also in Myrealm -> Performance we have set:

      Enable WebLogic Principal Validator Cache
      Max WebLogic Principals In Cache: 5000


      If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have a cache that lasts longer than one minute.

      This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.

      I'm more than willing to provide more info or config files.

      Edited by: user5974192 on 21-nov-2012 5:17