After reading many many articles and playing around with various options I was
finally able to upgrade our 6.1 security realm to 8.1 using compatibility security.
Was able to view Users, Groups, and ACLs through the console and also to load
EJBs using 6.1 security. I am running into an exception thrown and do not know
how to solve it yet. The exception is mentioned below. TestUser is one of the
users configured in our Oracle database. I guess what I need to do is to allow
TestUser to use the RDBMSRealm but how? Any help is appreciated.
<The AccessDecision class weblogic.security.providers.realmadapter.AuthorizationProviderImpl"
returned an error: com.creekpath.server.security.weblogic.RDBMSException: realm
initialization failed, action 'mbean.getDatabasePassword', - with nested exception:
[weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
principals=[TestUser], on ResourceType: RDBMSRealm Action: read, Target: DatabasePassword].
weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
principals=[aimsystem], on ResourceType: RDBMSRealm Action: read, Target: DatabasePassword
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.wlsRun(SecurityHelper.java:510)
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:453)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)

The NoAccessRuntimeException is being thrown because the current user
while trying to read the database password from the MBean is not in
the Admin role.
http://e-docs.bea.com/wls/docs81/secwlres/secroles.html#1219912
The RDBMSRealm should be getting the password to make the database
connection from another source or the RDBMSRealm must runAs() a
Subject with the proper privileges to obtain the password from the
MBean.
I believe that the password should be obtainable by the RDBMSRealm
from the MBean and cached when the RDBMSRealm is initialized during
server boot.
-Craig

The Database password must be an encrypted attribute. You must have admin
role to be able to access the attribute. What is the rest of the call stack?
You will either need to cache the password at startup (when you are running
as kernel id), or do a runas as a subject who has admin role before getting
the password.
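
As an added example (not code from this thread or from the poster's realm), the two options above in Java: a realm helper that reads the encrypted DatabasePassword attribute once, either during boot-time initialization under the kernel identity or under an explicitly supplied Admin-role Subject via weblogic.security.Security.runAs, and hands request-time code only the cached value. CachedPasswordRealm, RealmMBean and the accessors other than getDatabasePassword are assumed names.

```java
import java.security.PrivilegedAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.security.auth.Subject;
import weblogic.security.Security;

/** Hypothetical realm helper; the thread's RDBMSRealm source is not shown. */
public final class CachedPasswordRealm {

    /** Hypothetical MBean interface standing in for the realm's real MBean. */
    public interface RealmMBean {
        String getDatabaseURL();
        String getDatabaseUserName();
        String getDatabasePassword(); // encrypted attribute: Admin role needed to read
    }

    private final String url;
    private final String user;
    private final String cachedPassword; // read once, never re-read per request

    /**
     * Option 1: construct this during server boot. Realm initialization runs
     * under the kernel identity, so the encrypted attribute is readable; the
     * value stays in memory and request-time code never touches the MBean
     * while an ordinary user's subject (e.g. TestUser) is current.
     */
    public CachedPasswordRealm(RealmMBean mbean) {
        this.url = mbean.getDatabaseURL();
        this.user = mbean.getDatabaseUserName();
        this.cachedPassword = mbean.getDatabasePassword();
    }

    /**
     * Option 2: if initialization cannot happen at boot, run it as a Subject
     * that already holds the Admin role. The Subject comes from the server's
     * own authentication, not from credentials embedded in the realm.
     */
    public static CachedPasswordRealm initAs(final Subject adminSubject,
                                             final RealmMBean mbean) {
        return (CachedPasswordRealm) Security.runAs(adminSubject, new PrivilegedAction() {
            public Object run() { return new CachedPasswordRealm(mbean); }
        });
    }

    /** Request-time path: uses the cached value, no MBean read as the caller. */
    public Connection openConnection() throws SQLException {
        return DriverManager.getConnection(url, user, cachedPassword);
    }
}
```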

I'm hoping you can expand on your suggestion about 'caching' this password on startup. Can you please elaborate on exactly how to do that? I am not explicitly asking for this MBean attribute in my code; the WebLogic layer is. I am not calling 'runas' so I can't change it to call it as a user who has admin role.
thanks
Kelly

That sounds like a bug then. In 8.1, changes were made to ensure that
encrypted attributes could only be read by admin. Please post the stack
trace. You should probably also open a support case.