dynamic connection pools created as system at startup, then fail as guest after

bruce

Oct 10, 2000, 3:00:00 AM

Hi,

I originally posted this to the jdbc newsgroup, but now I think it is a security problem.
The code is being executed as "system" during startup, but as "guest" after.

Thx.

-----

I have wired code to the server startup (weblogic.system.startupClass) to read a file for a list of connection pools to create. This works great, with the pools created by the user "system".

Fri Oct 06 14:24:53 EDT 2000:<I> <JDBC Pool> Creating connection pool testPool requested by user system
Delaying 1 seconds before making a testPool pool connection.
Fri Oct 06 14:24:55 EDT 2000:<I> <JDBC Pool> Connection for pool "testPool" created.
Delaying 1 seconds before making a testPool pool connection.
Fri Oct 06 14:24:56 EDT 2000:<I> <JDBC Pool> Connection for pool "testPool" created.

Immediately after I spawn a thread which periodically polls the file for changes, (executing the same code), and adds or deletes pools based on the list. These operations all fail, and are being run as user "guest" even though I set up the context as "system", same as before.

static private void setUpJdbcServices() throws Exception {
    // Get the jdbc context.
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY,
            "weblogic.jndi.WLInitialContextFactory");
    // URL for the WebLogic Server
    env.put(Context.PROVIDER_URL, "http://localhost:80");
    env.put(Context.SECURITY_PRINCIPAL, "system");
    //                                  ^^^^^^^^^
    env.put(Context.SECURITY_CREDENTIALS, "xxx");
    Context ctx = new InitialContext(env);
    // Look up weblogic.jdbc.JdbcServices
    _jdbc = (JdbcServices) ctx.lookup("weblogic.jdbc.JdbcServices");
    // close the JNDI context
    ctx.close();
}


I get the same failure if I run the code stand alone (from the console).


Fri Oct 06 14:25:11 EDT 2000:<I> <WebLogicServer> WebLogic Server started
Fri Oct 06 14:26:59 EDT 2000:<I> <JDBC Pool> Creating connection pool fooPool requested by user guest
Delaying 1 seconds before making a fooPool pool connection.
Fri Oct 06 14:27:00 EDT 2000:<I> <JDBC Pool> Connection for pool "fooPool" created.
Delaying 1 seconds before making a fooPool pool connection.
Fri Oct 06 14:27:02 EDT 2000:<I> <JDBC Pool> Connection for pool "fooPool" created.

Fri Oct 06 14:27:02 EDT 2000:<I> <Security> Access failed (Thread = Thread[Thread-0,5,main])
java.lang.SecurityException: User "guest" does not have Permission "list" based on ACL "weblogic.jndi.weblogic.jdbc.connectionPool".
    at weblogic.security.acl.Security.logAndThrow(Security.java:372)
    at weblogic.security.acl.Security.checkPermission(Security.java:254)
    at weblogic.jndi.internal.NamingSecurityManagerImpl.checkPermission(NamingSecurityManagerImpl.java:98)
    at weblogic.jndi.internal.NamingSecurityManagerImpl.checkList(NamingSecurityManagerImpl.java:41)
    at weblogic.jndi.toolkit.BasicWLContext.list(BasicWLContext.java:384)
    at weblogic.jndi.toolkit.BasicWLContext.list(BasicWLContext.java:592)
    at weblogic.common.internal.ResourceAllocator.<init>(ResourceAllocator.java:428)
    at weblogic.jdbc.common.internal.ConnectionPool.startup(ConnectionPool.java:330)
    at weblogic.jdbc.common.internal.ConnectionPool.createPool(ConnectionPool.java:386)
    at weblogic.jdbc.common.internal.ConnectionPool.createPool(ConnectionPool.java:368)
    at com.centerstone.admin.ConnectionPoolManager.createPool(ConnectionPoolManager.java:92)
    at com.centerstone.admin.ConnectionPoolManager.updatePools(ConnectionPoolManager.java:216)
    at com.centerstone.admin.ConnectionPoolPollster.run(ConnectionPoolPollster.java:43)


Fri Oct 06 14:27:02 EDT 2000:<I> <Security> Access failed (Thread = Thread[Thread-0,5,main])
java.lang.SecurityException: User "guest" does not have Permission "modify" based on ACL "weblogic.jndi.weblogic.jdbc.connectionPool.fooPool".
    at weblogic.security.acl.Security.logAndThrow(Security.java:372)
    at weblogic.security.acl.Security.checkPermission(Security.java:254)
    at weblogic.jndi.internal.NamingSecurityManagerImpl.checkPermission(NamingSecurityManagerImpl.java:98)
    at weblogic.jndi.internal.NamingSecurityManagerImpl.checkModify(NamingSecurityManagerImpl.java:49)
    at weblogic.jndi.toolkit.BasicWLContext.bind(BasicWLContext.java:183)
    at weblogic.jndi.toolkit.ReplicatedWLContext.bind(ReplicatedWLContext.java:49)
    at weblogic.jndi.toolkit.BasicWLContext.bind(BasicWLContext.java:577)
    at weblogic.common.internal.ResourceAllocator.<init>(ResourceAllocator.java:441)
    at weblogic.jdbc.common.internal.ConnectionPool.startup(ConnectionPool.java:330)
    at weblogic.jdbc.common.internal.ConnectionPool.createPool(ConnectionPool.java:386)
    at weblogic.jdbc.common.internal.ConnectionPool.createPool(ConnectionPool.java:368)
    at com.centerstone.admin.ConnectionPoolManager.createPool(ConnectionPoolManager.java:92)
    at com.centerstone.admin.ConnectionPoolManager.updatePools(ConnectionPoolManager.java:216)
    at com.centerstone.admin.ConnectionPoolPollster.run(ConnectionPoolPollster.java:43)

I tried adding to the properties file:

weblogic.allow.list.weblogic.jdbc.connectionPool=guest

and as for the modify, the pool is dynamic so I don't have the name to put in the properties file.


A) Is the behavior different because it is executing after the server fully comes up?
B) Is it due to the fact it is in a different thread?


Thanks!

-bruce

Roman Stepanenko

Dec 5, 2000, 3:00:00 AM

Hi,

I have exactly the same problem - in a manually created thread the
security context is lost when it comes to accessing connection pool...

Roman.

Dung Nguyen

May 9, 2001, 6:17:34 AM

I have the same problem as you. The security context was lost when I passed an EJBObject through the HTTP session. If you found some way to fix that problem, please let me know. Thank you.

yaodong Hu

May 9, 2001, 3:51:19 PM

I don't think that's a bug. During startup the current thread is different,
and system is bound to that thread, so it is system that operates on that connection pool,
but later the current thread is bound to guest (supposedly you opened the JNDI context
without credentials), so the caller principal gets passed to the server.

Hope that helps

Yaodong Hu
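
A minimal model of the thread-bound identity that the reply above describes, as an added example that is not part of the original thread and is not WebLogic code. A plain `ThreadLocal` stands in for the server's per-thread user association, and `ThreadIdentityDemo`, `runAs`, `createPool` and `attempt` are hypothetical names.

```java
import java.util.concurrent.atomic.AtomicReference;

// Model only: a ThreadLocal stands in for the server's per-thread user binding.
public class ThreadIdentityDemo {
    // A thread that never authenticated sees the default principal "guest".
    private static final ThreadLocal<String> CURRENT_USER =
            ThreadLocal.withInitial(() -> "guest");

    // Bind a principal to the calling thread for the duration of the action.
    static void runAs(String user, Runnable action) {
        String previous = CURRENT_USER.get();
        CURRENT_USER.set(user);
        try {
            action.run();
        } finally {
            CURRENT_USER.set(previous); // restore even if the action throws
        }
    }

    // ACL check modelled on the "modify" denial in the log above.
    static String createPool(String name) {
        String user = CURRENT_USER.get();
        if (!"system".equals(user)) {
            throw new SecurityException("User \"" + user
                    + "\" does not have Permission \"modify\" on pool " + name);
        }
        return "pool " + name + " created by " + user;
    }

    static String attempt(String pool) {
        try { return createPool(pool); }
        catch (SecurityException e) { return "DENIED: " + e.getMessage(); }
    }

    public static void main(String[] args) throws InterruptedException {
        AtomicReference<String> naive = new AtomicReference<>();
        AtomicReference<String> rebound = new AtomicReference<>();
        runAs("system", () -> System.out.println("startup: " + attempt("testPool")));
        // Poller that never binds an identity of its own: it runs as the default user.
        Thread t1 = new Thread(() -> naive.set(attempt("fooPool")));
        // Poller that binds its own identity inside run() before doing the work.
        Thread t2 = new Thread(() -> runAs("system", () -> rebound.set(attempt("fooPool"))));
        t1.start(); t2.start();
        t1.join(); t2.join();
        System.out.println("poller, no binding:  " + naive.get());
        System.out.println("poller, own binding: " + rebound.get());
    }
}
```

In this model the privileged call succeeds only while the binding is active on the thread that makes the call, which is why the second poller performs the pool operation inside `runAs` rather than before or after it.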
