2 Replies Latest reply on Jul 8, 2004 2:08 PM by 3004

    Principal changed after JNDI lookup

    3004

      I have a portal app deployed on domain A using IPlantAuthenticator, which connects
      to the corporate LDAP server, and an EJB service deployed on domain B using DefaultAuthenticator.
      The portal app needs to talk to the EJB service.

      A user/principal "liuj" logs on to the portal and then calls a function that will
      invoke the EJB in domain B. The code does the JNDI lookup using a security principal
      (suv_user) in domain B. The JNDI and EJB service call are successful. The portal
      then forwards to the JSP page to display the results. However, I got a SecurityException:

      Servlet failed with Exception
      java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[suv_user]
           at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:682)
           at weblogic.security.service.RoleManager.getRoles(RoleManager.java:279)
           at com.bea.p13n.entitlements.Authorization.getRoles(Authorization.java:163)
           at com.bea.p13n.entitlements.Authorization.isAccessAllowed(Authorization.java:484)
           at com.bea.p13n.entitlements.Authorization.isAccessAllowed(Authorization.java:200)
           at com.bea.netuix.servlets.controls.EntitledUIControl.isCapable(EntitledUIControl.java:166)
           at com.bea.netuix.servlets.controls.window.Window.preRender(Window.java:293)
           at com.bea.netuix.servlets.controls.page.Page.preRender(Page.java:183)
           at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:388)
           at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:619)
           at...

      Of course it should fail since suv_user is not a valid user/principal in domain
      A. It appears to me that the principal ("liuj") associated with the current thread
      is changed to "suv_user" after the JNDI lookup. I hope I did not make silly mistakes
      here, but I have run out of ideas. Please help!


        • 1. Re: Principal changed after JNDI lookup
          3004
          I saw this once with an earlier version of WLS. I had to make sure to
          call close() on the Context when I was done calling the EJB I looked up
          in that Context.

          Greg
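
Added example, not part of the original thread or of any poster's code: one way to apply the fix described in reply 1, by confining the domain B identity to a try/finally that always closes the Context. In WebLogic, creating a Context with credentials associates that user with the calling thread until close() is called. The class name, the `RemoteWork` interface, and the provider URL, JNDI name and credential passed in by the caller are hypothetical.

```java
import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public final class RemoteDomainCall {
    private static final Logger LOG = Logger.getLogger(RemoteDomainCall.class.getName());

    /** Hypothetical callback: the work done against the object looked up in domain B. */
    public interface RemoteWork<T> {
        T run(Object lookedUp) throws Exception;
    }

    /**
     * Looks up jndiName on the remote domain as the given principal, runs the
     * work, and always closes the Context so the service identity does not
     * stay attached to the request thread when control returns to the portal.
     */
    public static <T> T callAs(String providerUrl, String principal, String credential,
                               String jndiName, RemoteWork<T> work) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);        // e.g. a t3:// URL for domain B
        env.put(Context.SECURITY_PRINCIPAL, principal);    // e.g. suv_user
        env.put(Context.SECURITY_CREDENTIALS, credential); // supplied by the caller, never hard-coded

        Context ctx = null;
        try {
            ctx = new InitialContext(env);      // thread now runs as the domain B principal
            Object ref = ctx.lookup(jndiName);
            return work.run(ref);               // make the EJB call while the Context is open
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();                // restores the thread's previous identity
                } catch (NamingException e) {
                    // A failed close can leave the wrong subject on a pooled thread; surface it.
                    LOG.log(Level.WARNING, "Context.close() failed after remote call", e);
                }
            }
        }
    }
}
```

Doing the EJB call inside the callback, rather than returning the looked-up reference, keeps every use of the domain B identity inside the block that is guaranteed to close the Context before the JSP is rendered.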


          • 2. Thanks!
            3004

            Thank you Greg. You saved my day.

            Gregory Smith <please@reply.to.group.com> wrote:
            I saw this once with an earlier version of WLS. I had to make sure to
            call close() on the Context when I was done calling the EJB I looked up
            in that Context.

            Greg
