
RDBMS Realm


Andrew Spruce

Nov 15, 2001, 3:48:21 AM
I am attempting to sew together a stronger RDBMSRealm with my
corporate single sign on server for authentication.

I have modified the schema slightly for the supplied RDBMSRealm to
support empty groups and empty acls.

I also took a look at the filerealm.properties file and tried to mimic
the properties it provided in my schema :

i.e.
--------------------------------------------------------------------------
filerealm.properties
--------------------------------------------------------------------------
#Tue Oct 23 16:38:59 GMT+00:00 2001
acl.unlockServer.weblogic.admin=Administrators
user.system=<encrypted_password>
acl.lockServer.weblogic.admin=Administrators
acl.unlockuser.weblogic.passwordpolicy=Administrators
acl.shutdown.weblogic.admin=Administrators
acl.boot.weblogic.server=Administrators,everyone
group.Administrators=system

--------------------------------------------------------------------------
Data in the schema :
--------------------------------------------------------------------------
insert wls_groups values ("Administrators")
go
insert wls_group_membership values ("Administrators","system")
go

insert wls_acls values ("weblogic.server")
go
insert wls_acls values ("weblogic.admin")
go
insert wls_acls values ("weblogic.passwordpolicy")
go

insert wls_aclentries values
("weblogic.server","Administrators","boot")
go
insert wls_aclentries values ("weblogic.server","everyone","boot")
go
insert wls_aclentries values
("weblogic.admin","Administrators","lockServer")
go
insert wls_aclentries values
("weblogic.admin","Administrators","unlockServer")
go
insert wls_aclentries values
("weblogic.admin","Administrators","shutdown")
go
insert wls_aclentries values
("weblogic.admin","Administrators","modify")
go
insert wls_aclentries values
("weblogic.passwordpolicy","Administrators","unlockuser")
go

insert wls_users values ("system","<encrypted password>")
go
--------------------------------------------------------------------------

The problem is the permissions: I have no idea what the permissions
should be.
Although in the filerealm.properties file they were in the form :

acl.unlockuser.weblogic.passwordpolicy=Administrators

in the console this was displayed as :

Name Permissions
---------------------------------------------
weblogic.passwordpolicy unlockuser


which when drilled into gave a list of grantees.

The upshot of all this is that the server no longer boots as it can't
check boot permissions for system :

C:\bea\wlserver6.1>"C:\bea\jdk131\bin\java" -hotspot -ms64m -mx64m
-classpath "L:\install\common\weblogic\CURRENT\Patches\CURRENT\xslt_properties;.;.\lib\weblogic_sp.jar;.\lib\weblogic.jar;C:/bea/wlserver6.1/config/examples/serverclasses"
-Dweblogic.Domain=fm66127domain -Dweblogic.Name=fm66127server
"-Dbea.home=C:\bea" -Dweblogic.management.password=adspruce -Dweblogic.ProductionModeEnabled=false
"-Djava.security.policy==C:\bea\wlserver6.1/lib/weblogic.policy"
weblogic.Server
Starting WebLogic Server ....
<15-Nov-01 08:30:50 GMT> <Notice> <Management> <Loading configuration
file .\config\fm66127domain\config.xml ...>
<15-Nov-01 08:30:51 GMT> <Info> <Logging> <FileLogger Opened.>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <loading realm
properties from the RDBMSRealmMBean.>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <driver is
com.sybase.jdbc.SybDriver>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <connecting to
jdbc:sybase:Tds:147.114.118.41:2050/workflow_dev>
<15-Nov-01 08:30:54 GMT> <Info> <RDBMSRealm> <Connected to database>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <preparing statements
from the RDBMSRealmMBean's SchemaProperties>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <getUser("everyone")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <getGroup("everyone")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <Calling getGroup>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <getUser("system")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <getUser("guest")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <getGroup("guest")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <Calling getGroup>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm>
<getPermission("access")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <getUser("system")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <getUser("system")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <getPermission("boot")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm>
<getAcl("weblogic.server")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <Acl Name from RDBS is
weblogic.admin>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm>
<getAcl("weblogic.server.fm66127server")>
<15-Nov-01 08:30:54 GMT> <Debug> <RDBMSRealm> <Acl Name from RDBS is
weblogic.admin>
<15-Nov-01 08:30:54 GMT> <Info> <Security> <Access failed (Thread =
Thread[main,5,main]), caused java.lang.SecurityException: User
"system" does not have Permission "boot" based on ACL "weblogic.server.fm66127server".>
<15-Nov-01 08:30:54 GMT> <Emergency> <Server> <Unable to initialize
the server: 'Fatal initialization exception
Throwable: java.lang.SecurityException: User "system" does not have
Permission "boot" based on ACL "weblogic.server.fm66127server".
java.lang.SecurityException: User "system" does not have Permission
"boot" based on ACL "weblogic.server.fm66127server".
at weblogic.security.acl.Security.logAndThrow(Security.java:411)
at weblogic.security.acl.Security.checkPermission(Security.java:343)
at weblogic.security.acl.Security.checkPermission(Security.java:323)
at weblogic.security.SecurityService.initializeAuthorization(SecurityService.java:148)
at weblogic.security.SecurityService.initialize(SecurityService.java:119)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:390)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
at weblogic.Server.main(Server.java:35)
'>
***************************************************************************
The WebLogic Server did not start up properly.
Exception raised: java.lang.SecurityException: User "system" does not
have Permission "boot" based on ACL "weblogic.server.fm66127server".
java.lang.SecurityException: User "system" does not have Permission
"boot" based on ACL "weblogic.server.fm66127server".
at weblogic.security.acl.Security.logAndThrow(Security.java:411)
at weblogic.security.acl.Security.checkPermission(Security.java:343)
at weblogic.security.acl.Security.checkPermission(Security.java:323)
at weblogic.security.SecurityService.initializeAuthorization(SecurityService.java:148)
at weblogic.security.SecurityService.initialize(SecurityService.java:119)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:390)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
at weblogic.Server.main(Server.java:35)
Reason: Fatal initialization exception
***************************************************************************


***************************************************************************

can anyone shed some light on this or confirm that the acls are
entered in the correct format or better still come to London and debug
my code :-)

Also any thoughts on whether this is really worth it.
I figured granting and revoking user permissions would be easier in a
production environment if you could apply sql scripts rather than
replacing the filerealm.properties file. And we use a Sybase database
anyway for Message Bean durability and entity bean persistence.

Many thanks,

Andrew Spruce
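As an added example (not the poster's code and not BEA's RDBMSRealm), the script below maps the filerealm.properties forms quoted in the post onto the five wls_* tables the post uses, renders them as the same Sybase-style insert batches, and re-runs a boot-style check (user, group membership, or everyone) against the resulting rows. The table names and column order come from the post; the `acl.<permission>.<acl name>=<grantees>` key layout is inferred from the quoted file and is an assumption.

```python
# Added example: filerealm.properties -> the post's wls_* rows, plus a check.
# Key layout acl.<permission>.<acl name>=<grantees> is an assumption.

# Constructed sample: the filerealm.properties lines quoted in the post.
FILEREALM = """\
acl.unlockServer.weblogic.admin=Administrators
user.system=<encrypted_password>
acl.lockServer.weblogic.admin=Administrators
acl.unlockuser.weblogic.passwordpolicy=Administrators
acl.shutdown.weblogic.admin=Administrators
acl.boot.weblogic.server=Administrators,everyone
group.Administrators=system
"""

def parse_realm(text):
    """Return {table name: sorted rows} for the post's wls_* tables."""
    users, groups, members, acls, entries = set(), set(), set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        grantees = [v.strip() for v in value.split(",") if v.strip()]
        kind, _, rest = key.partition(".")
        if kind == "user":
            users.add((rest, value))
        elif kind == "group":
            groups.add((rest,))
            members.update((rest, m) for m in grantees)
        elif kind == "acl":
            # permission is the first segment; the ACL name keeps its own dots
            permission, _, acl_name = rest.partition(".")
            acls.add((acl_name,))
            entries.update((acl_name, g, permission) for g in grantees)
    return {"wls_users": sorted(users), "wls_groups": sorted(groups),
            "wls_group_membership": sorted(members),
            "wls_acls": sorted(acls), "wls_aclentries": sorted(entries)}

def to_sql(tables):
    # Values are emitted verbatim inside double quotes, exactly as in the post.
    stmts = ['insert %s values (%s)\ngo' % (t, ",".join('"%s"' % v for v in row))
             for t, rows in tables.items() for row in rows]
    return "\n".join(stmts)

def has_permission(tables, user, permission, acl_name):
    """True if user, one of its groups, or 'everyone' holds the ACL entry."""
    principals = {user, "everyone"}
    principals.update(g for g, m in tables["wls_group_membership"] if m == user)
    return any(a == acl_name and p == permission and g in principals
               for a, g, p in tables["wls_aclentries"])
```

Run over the quoted file, the rows grant system the boot permission on weblogic.server, and no row exists for weblogic.server.fm66127server, the ACL named in the boot failure.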
