Security upgrade from 6.1 to 8.1

Mehrshad Setayesh

Nov 12, 2003, 6:19:36 PM

All:

After reading many many articles and playing around with various options I was
finally able to upgrade our 6.1 security realm to 8.1 using compatibility security.
Was able to view Users, Groups, and ACLs through the console and also to load
EJBs using 6.1 security. I am running into an exception thrown and do not know
how to solve it yet. The exception is mentioned below. TestUser is one of the
users configured in our Oracle database. I guess what I need to do is to allow
TestUser to use the RDBMSRealm but how? Any help is appreciated.

####....<The AccessDecision class weblogic.security.providers.realmadapter.AuthorizationProviderImpl"
returned an error: com.creekpath.server.security.weblogic.RDBMSException: realm
initialization failed, action 'mbean.getDatabasePassword', - with nested exception:
[weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
principals=[TestUser], on ResourceType: RDBMSRealm Action: read, Target: DatabasePassword].
weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
principals=[aimsystem], on ResourceType: RDBMSRealm Action: read, Target: DatabasePassword
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.wlsRun(SecurityHelper.java:510)
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:453)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)

Craig

Nov 13, 2003, 7:12:56 PM

"Mehrshad Setayesh" <mmeh...@netscape.net> wrote in message news:<3fb2ce18$1...@newsgroups.bea.com>...

> ####....<The AccessDecision class weblogic.security.providers.realmadapter.AuthorizationProviderImpl"
> returned an error: com.creekpath.server.security.weblogic.RDBMSException: realm
> initialization failed, action 'mbean.getDatabasePassword', - with nested exception:
> [weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
> principals=[TestUser], on ResourceType: RDBMSRealm Action: read, Target: DatabasePassword].
> weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
> principals=[aimsystem], on ResourceType: RDBMSRealm Action: read, Target: DatabasePassword
> at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.wlsRun(SecurityHelper.java:510)
> at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:453)
> at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
> at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)

The NoAccessRuntimeException is being thrown because the current user
while trying to read the database password from the MBean is not in
the Admin role.

http://e-docs.bea.com/wls/docs81/secwlres/secroles.html#1219912

The RDBMSRealm should be getting the password to make the database
connection from another source or the RDBMSRealm must runAs() a
Subject with the proper privileges to obtain the password from the
MBean.

I believe that the password should be obtainable by the RDBMSRealm
from the MBean and cached when the RDBMSRealm is initialized during
server boot.

-Craig
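
A triage helper for the denial explained in the reply above, as an added example that is not part of the original thread: it pulls who was denied what out of `NoAccessRuntimeException` messages and tolerates the line wraps seen in the quoted log. The sample log is constructed from the lines quoted in this thread; the function names and the comma-separated handling of multiple principals are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the denial lines quoted in this thread, keeping the
# hard line wraps that split each message across two lines.
SAMPLE_LOG = """\
initialization failed, action 'mbean.getDatabasePassword', - with nested exception:
[weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
principals=[TestUser], on ResourceType: RDBMSRealm Action: read, Target: DatabasePassword].
weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
principals=[aimsystem], on ResourceType: RDBMSRealm Action: read, Target: DatabasePassword
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:453)
"""

DENIAL = re.compile(
    r"NoAccessRuntimeException: Access not allowed for subject: "
    r"principals=\[(?P<principals>[^\]]*)\], on ResourceType: (?P<rtype>\w+) "
    r"Action: (?P<action>\w+), Target: (?P<target>\w+)"
)

def parse_denials(text):
    """Return one record per denial; wrapped lines are rejoined first."""
    flat = " ".join(text.split())
    records = []
    for m in DENIAL.finditer(flat):
        # Assumption: several principals would be comma-separated in the brackets.
        names = tuple(p.strip() for p in m["principals"].split(",") if p.strip())
        records.append({"principals": names, "resource_type": m["rtype"],
                        "action": m["action"], "target": m["target"]})
    return records

def summarize(denials):
    """Count denials per (resource type, action, target)."""
    return Counter((d["resource_type"], d["action"], d["target"]) for d in denials)

def denied_secret_readers(denials, secret_targets=("DatabasePassword",)):
    """Principals refused a read of a password-bearing attribute."""
    return sorted({p for d in denials
                   if d["action"] == "read" and d["target"] in secret_targets
                   for p in d["principals"]})

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(summarize(found))
    print(denied_secret_readers(found))
```

An application user name in the result means the password attribute was read under the caller's identity, which is the condition the replies in this thread describe.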

Peter

Nov 25, 2003, 8:32:12 PM

"Mehrshad Setayesh" <mmeh...@netscape.net> wrote in message news:3fb2ce18$1...@newsgroups.bea.com...

> t.java:317)
> at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)

The Database password must be an encrypted attribute. You must have admin
role to be able to access the attribute. What is the rest of the call stack?

You will either need to cache the password at startup (when you are running
as kernel id), or do a runas as a subject who has admin role before getting
the password.

Kelly Kingdon

Nov 26, 2003, 12:17:25 PM

I just saw this same error yesterday running 8.1 in compatibility mode. We have been running on 8.1 for about 6 months and have never hit it until yesterday. Not sure why, just happened once.

I'm hoping you can expand on your suggestion about 'caching' this password on startup. Can you please elaborate on exactly how to do that? I am not explicitly asking for this mbean attribute in my code, weblogic layer is. I am not calling 'runas' so I can't change it to call it as a user who has admin role.

thanks

Kelly

Peter

Nov 30, 2003, 11:22:54 AM

"Kelly Kingdon" <kkin...@fast-track.com> wrote in message
news:3fc4ee35$1...@newsgroups.bea.com...

That sounds like a bug then. In 8.1, changes were made to ensure that
encrypted attributes could only be read by admin. Please post the stack
trace. You should probably also open a support case.
