Error in OWSM after setting subject precedence (Context Switching) : Exception oracle.security. jps. service. credstore. Credential Access

I recently configured SAML Identiy Switching by setting subject.precedence=false in OWSM policy protecting Web Service . This post covers error encountered after configuring Context SwitchingSubject.Precedence) in OWSM policy.

For Identity Switching to work you must set permission for class oracle.wsm.security.WSIdentityPermission as described here

If you don’t set permisson you will see error like

___

access denied (oracle.wsm.security.WSIdentityPermission resource=<myApp> assert)
oracle.wsm.security.SecurityException: access denied (oracle.wsm.security.WSIdentityPermission resource=<myApp> assert)

___

 

  • You add permission either from EM or using WLST (grantPermission) for
    Permission Class – oracle.wsm.security.WSIdentityPermission
    Resource Name –  resource=<myApp>
    Permission Actions – assert 
  • This permsision gets added to codeBase file:${common.components.home}/  modules/  oracle.wsm.agent.common_11.1.1/ wsm-agent-core.jar in file $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml
After setting this permision and on re-start of WebLogic Domain, I encountered following error (related to OWSM)

_____

<08-Jan-2014 19:52:20 o’clock GMT> <Error> <oracle.wsm.resources.policyaccess> <WSM-06303> <The method “registerListener” was not called with required permission “oracle.wsm.policyaccess” >

<08-Jan-2014 20:53:06 o’clock GMT> <Warning> <oracle.wsm.resources.enforcement> <WSM-07507> <Failure in Oracle WSM Agent, category= security, function=agent.function. client,  stage=request due to RuntimeException. java.security. AccessControlException: access denied (oracle.security. jps.service.credstore. CredentialAccess Permission context=SYSTEM,mapName=oracle. wsm.security, keyName=keystore-csf-key read)         at java.security.Access ControlContext. checkPermission (AccessControlContext.java:374)  javax.xml.ws. WebServiceException: oracle.fabric. common.PolicyEnforcement Exception: access denied (oracle.security. jps.service. credstore. CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read)         at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:867)

Caused By: oracle.fabric.common.PolicyEnforcementException:  access denied (oracle.security.jps. service.credstore. CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read)         at oracle.integration. platform.common. InterceptorChainImpl. createPolicyEnforcement Exception(InterceptorChainImpl.java:200)         at oracle.integration.platform.common. InterceptorChainImpl. processRequest (InterceptorChainImpl.java:136)

________

If you get error like above then this error means some of the permissions are missing in .

.

Note : Policy Store in Oracle Fusion Middleware could be in one of three locations and is defined in jps-config.xml  (under $DOMAIN_HOME/config/fmwconfig)

a) File Based in XML file :  $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml

b) Database : Under OPSS schema . Note: Only supported database for Policy Store is Oracle Database.

c) LDAP ServerNote: Only supported LDAP Server for Policy Store is Oracle Internet Directory (OID)

In my case setting permission for oracle.wsm.security.WSIdentityPermission removed existing permission for codebase wsm-agent-core.jar, adding permission in bold under codebase wsm-agent-core.jar fixed this issue

 

_____

 <grant>
               <grantee>
                   <codesource>
                       <url>file:${common.components.home}/ modules/oracle.wsm.agent.common_11.1.1/ wsm-agent-core.jar</url>
                   </codesource>
               </grantee>
<permissions>
<permission>

<class>oracle.security.jps. service.credstore. CredentialAccessPermission</class>
<name>context=SYSTEM, mapName=oracle.wsm.security, keyName=*</name>
<actions>*</actions>
</permission>
<permission>
<class>java.util.PropertyPermission</class>
<name>*</name>
<actions>read</actions>
</permission>
<permission>
<class>java.util.PropertyPermission</class>
<name>osdt.useMTOM</name>
<actions>read,write</actions>
</permission>
<permission>
<class>oracle.security.jps.JpsPermission</class>
<name>IdentityAssertion</name>
</permission>
<permission>
<class>java.lang.RuntimePermission</class>
<name>accessDeclaredMembers</name>
</permission>
<permission>
<class>java.lang.reflect.ReflectPermission</class>
<name>suppressAccessChecks</name>
</permission>
<permission>
<class>java.io.FilePermission</class>
<name>-</name>
<actions>read</actions>
</permission>
<permission>
<class>java.lang.RuntimePermission</class>
<name>getProtectionDomain</name>
</permission>
<permission>
<class>java.lang.RuntimePermission</class>
<name>oracle.wsm.policyaccess</name>
</permission>
<permission>
<class>oracle.security.jps.service.attribute.AttributeAccessPermission</class>
<name>*</name>
<actions>get,set</actions>
</permission>

______

 

 

Related/Reference

  • 1485851.1 After an Upgrade, Error Message WSM-06303 : The method “registerListener” was not called with required permission “oracle.wsm.policyaccess”

About the Author Masroof Ahmad

Leave a Comment: