Protecting WebLogic Server application using Oracle Entitlement Server

This post covers protecting a WebLogic Server application with Oracle Entitlement Server (OES). Here that means coarse-grained access control: page-level access based on user roles. Although OES is meant for fine-grained access, we will first discuss how a basic WL app can be protected. Later, if you want to provide authentication (ATN) using OAM and authorization (ATZ) using OES, you can follow this.

I will talk about installing a WebLogic SSM, configuring the SSM, and protecting a sample WL app using the SSM.

Install WebLogic SSM: WL SSM is used only to protect weblogic apps.
Run the installer and provide the following details.

  1. Select BEA Home (you can install the SSM either in the same Admin home or in a different location)
  2. Select only OES SM For WLS (notice that OES SM Common is also selected)
  3. Enter the SCM name if you want to associate the WL SSM with an SCM (optional)
  4. Enter the administration URL, e.g. https://admin_host_name:port/
  5. Select the JDK (select the latest version available in the WebLogic Server installation)

After the installation is finished, click Finish.

Applying Patch: The latest SSM patch available is CP3.
Extract the patch file and copy the patches folder to $BEA_HOME/ales32-ssm.
Edit ApplySsmPatch.sh and provide the JDK and SSM directory locations.
Run the patch as shown below. All OES servers have to be stopped before applying the patch.

To check status: ./ApplySsmPatch.sh status
To upgrade SSM to CP3

We will proceed to next step assuming the WebLogic domain is already created.

Configure SSM: This step involves creating a WL SSM instance.
Edit the file myssm_config.properties and set the following parameters.
wls.domain.dir = weblogic_domain_directory
ssm.conf.id = wlsapp (you will see )
db.password = abcd1234 (oes database user password used while running DBConfigTool)
ales.admin.password = abcd1234 (OES admin password)
ssm.admin.name = weblogic (Weblogic domain username)
ssm.admin.password = abcd1234
arme.port = 8000
ales.organization.scope = wlsapp_org (since CP3, Application scope is replaced with Organizational scope )
ales.identity.dir = wlsapp_dir (identity directory where users for this application in OES are stored)
db.jdbc.url = jdbc:oracle:thin:@db_server:1521:db_sid
db.jdbc.driver = oracle.jdbc.driver.OracleDriver (uncomment this line)
scm.name = adminconfig

Run the ConfigTool as shown below.
To check everything works: ./ConfigTool.sh -check myssm_config.properties (it is advisable to run this command first, as it checks whether there are any conflicts). The WebLogic server should be stopped before running this command.
To process: ./ConfigTool.sh -process myssm_config.properties
This will create the WL SSM instance, the organization with wlsapp in OES, and the policies.
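The properties file above carries three passwords in clear text and one line that has to be uncommented, so it is worth checking before ConfigTool reads it. The script below is an added example, not part of the original post or of OES: it verifies that every parameter listed above is actively set, that arme.port is a valid port, and that the file is not readable by group or others. The function names and the sample path and values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the SSM
# properties file before ./ConfigTool.sh -check. Function names are
# hypothetical; the key list is the set of parameters this post edits.

SSM_KEYS="wls.domain.dir ssm.conf.id db.password ales.admin.password
ssm.admin.name ssm.admin.password arme.port ales.organization.scope
ales.identity.dir db.jdbc.url db.jdbc.driver scm.name"

# prop_value FILE KEY -> prints "SET:<value>" for the last active assignment
# of KEY, or "MISSING" when the key is absent or only present in a comment.
prop_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }              # properties-file comment lines
        {
            pos = index($0, "=")
            if (pos == 0) next
            name = substr($0, 1, pos - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name != k) next
            val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            found = 1; last = val
        }
        END { if (found) print "SET:" last; else print "MISSING" }
    ' "$1"
}

# valid_port VALUE -> succeeds only for an integer between 1 and 65535.
valid_port() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ssm_props FILE -> one finding per line on stdout; returns 1 if any.
check_ssm_props() {
    rc=0
    if [ ! -r "$1" ]; then echo "UNREADABLE $1"; return 1; fi
    for key in $SSM_KEYS; do
        v=$(prop_value "$1" "$key")
        case $v in
            MISSING) echo "MISSING $key"; rc=1 ;;
            SET:)    echo "EMPTY $key";   rc=1 ;;
            *) if [ "$key" = arme.port ] && ! valid_port "${v#SET:}"; then
                   echo "BADPORT ${v#SET:}"; rc=1
               fi ;;
        esac
    done
    # The file holds db.password, ales.admin.password and ssm.admin.password
    # in clear text, so group or other read access is reported.
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "PERMS $1 is readable by group or others"; rc=1
    fi
    return $rc
}

# write_sample_props FILE -> constructed sample values; db.jdbc.driver is left
# commented out, the state the post says must be changed.
write_sample_props() {
    cat > "$1" <<'EOF'
wls.domain.dir = /opt/bea/user_projects/domains/sample_domain
ssm.conf.id = wlsapp
db.password = CHANGE_ME
ales.admin.password = CHANGE_ME
ssm.admin.name = weblogic
ssm.admin.password = CHANGE_ME
arme.port = 8000
ales.organization.scope = wlsapp_org
ales.identity.dir = wlsapp_dir
db.jdbc.url = jdbc:oracle:thin:@db_server:1521:db_sid
#db.jdbc.driver = oracle.jdbc.driver.OracleDriver
scm.name = adminconfig
EOF
}

# Check the file given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    check_ssm_props "$1" || echo "fix the findings above before running ConfigTool"
else
    sample=$(mktemp) && write_sample_props "$sample"
    check_ssm_props "$sample" || echo "fix the findings above before running ConfigTool"
    rm -f "$sample"
fi
```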

Open the OES EUI console and access the Resources. Traverse to the organization wlsapp->shared->server, create a new AdminServer and map it as a Resource. Distribute the policies. Distributing the policies is crucial: if this step is missed, the WebLogic server will not start (it throws Authentication failed at the boot stage).

Start the WebLogic server.
Access the WLS console and confirm that the new realm has been created and is marked as true (default realm). Check the providers: there is a Database Authenticator, which OES uses to authenticate users against the DB.

Deploy WebLogic Application:

Now deploy the weblogic application and test the application.

Let's assume the app simply consists of welcome.jsp with the ales tags shown below.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="ales" uri="http://www.bea.com/ales/tags"%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"/>
<title>welcome OES user</title>
</head>
<ales:setSecurityContext value="/check">
<ales:attribute name="foo" value="1"/>
</ales:setSecurityContext>
<body>
<ales:isAccessAllowed resource="/isAllowed" action="view">
<ales:then>You are allowed to see the secret text</ales:then>
<ales:else>DenyReason: You are not valid user </ales:else>
</ales:isAccessAllowed>

</body>
</html>

Discovery Mode:

The application has to be accessed with discovery mode enabled in the WebLogic server.

Discovery mode disables all security applied to the application, that is, authentication and authorization based on groups/roles etc. Hence the user will not be challenged for authentication when accessing the application.

To do so, stop the WebLogic server and add/uncomment the following lines in set-wls-env.bat/sh:


com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true
com.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true


Then start the weblogic server and access the application once again.
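Because discovery mode switches off authentication and authorization, a domain whose env script still carries these two lines in active form is running without protection. The check below is an added example, not part of the original post: it reports every set-wls-env.sh/.bat under a directory in which either property is still set to true. The function names, the constructed sample domains and the JAVA_OPTIONS/-D form of the sample lines are assumptions; the post gives only the property names.

```shell
#!/bin/sh
# Added example, not from the original post. Reports WebLogic env scripts in
# which OES discovery mode is still switched on. Function names are hypothetical.

AUTHZ_PROP='com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode'
ROLE_PROP='com.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode'

# scan_env_file FILE -> prints "FILE:LINE:PROPERTY" for each active
# (non-commented) line that sets a discovery-mode property to true.
scan_env_file() {
    awk -v file="$1" -v p1="$AUTHZ_PROP" -v p2="$ROLE_PROP" '
        BEGIN { props[1] = p1; props[2] = p2 }
        { line = $0; sub(/\r$/, "", line); low = tolower(line) }
        line ~ /^[ \t]*(#|::)/         { next }   # sh and batch "::" comments
        low  ~ /^[ \t]*@?rem([ \t]|$)/ { next }   # batch REM comments
        {
            for (i = 1; i <= 2; i++) {
                p = tolower(props[i]) "="
                pos = index(low, p)
                if (pos == 0) continue
                rest = substr(low, pos + length(p))
                if (rest ~ /^"?true([^a-z0-9]|$)/) print file ":" NR ":" props[i]
            }
        }
    ' "$1"
}

# scan_domain DIR -> scans set-wls-env.sh/.bat below DIR; returns 1 on any hit.
scan_domain() {
    hits=$(find "$1" -type f \( -name set-wls-env.sh -o -name set-wls-env.bat \) |
        sort | while IFS= read -r f; do scan_env_file "$f"; done)
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; return 1; fi
    return 0
}

# write_sample_domains DIR -> constructed sample: dom_on has both flags active,
# dom_off has them commented out or set to false. The JAVA_OPTIONS/-D form of
# these lines is an assumption.
write_sample_domains() {
    mkdir -p "$1/dom_on/bin" "$1/dom_off/bin"
    printf '%s\n' '# constructed sample' \
        "JAVA_OPTIONS=\"\$JAVA_OPTIONS -D$AUTHZ_PROP=true\"" \
        "JAVA_OPTIONS=\"\$JAVA_OPTIONS -D$ROLE_PROP=true\"" \
        > "$1/dom_on/bin/set-wls-env.sh"
    printf '%s\n' "#JAVA_OPTIONS=\"\$JAVA_OPTIONS -D$AUTHZ_PROP=true\"" \
        "JAVA_OPTIONS=\"\$JAVA_OPTIONS -D$ROLE_PROP=false\"" \
        > "$1/dom_off/bin/set-wls-env.sh"
    printf '%s\r\n' "REM set JAVA_OPTIONS=%JAVA_OPTIONS% -D$AUTHZ_PROP=true" \
        > "$1/dom_off/bin/set-wls-env.bat"
}

# Scan the directory given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    scan_domain "$1" || echo "discovery mode is active: security is disabled"
else
    demo=$(mktemp -d) && write_sample_domains "$demo"
    scan_domain "$demo" || echo "discovery mode is active: security is disabled"
    rm -rf "$demo"
fi
```

Run it against the domain directory after the policies captured in discovery mode have been loaded; a clean result means both lines are commented out or removed again.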

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com


47 comments
jay says February 22, 2010

Hi,
Atul

I really need your help.
I am trying to clone a server, which has an 8i database & 11.5.9 application, & its OS is Windows 2000.
When I run adcfgclone on dbTier it shows me the following error.

F:\applmgr\prddb\8.1.7\appsutil\clone\bin>perl adcfgclone.pl dbTier
Enter the APPS password [APPS]:
apps

First Creating a new context file for the cloned system.
The program is going to ask you for information about the new system:

..jrebinjava.exe: not found
..jlibxmlparserv2.zip: not found
..jlibclasses111.zip: not found
..jrelibrt.jar: not found
C:toolsMKSmksntetcperllib: not found
C:toolsMKSmksntetcperllibsite_perl: not found
ERROR: Could not open

Please help me body. Because this cloning is very important for doing some major R&D. So please give any solution as soon as possible.

Reply
Atul Kumar says February 22, 2010

@ Jay,
Which cloning document are you following? Did you run the pre-clone steps on the source instance before copying to the target?

Reply
Alalasundaram Saravanan says February 23, 2010

Dear friend

Please mention which version of weblogic server you have used, also recommend where to get the SSM CP3 patch.

with warm regards and thanks

Alalasundaram Saravanan

Reply
Javier says February 23, 2010

Hi Atul

In the path of wlsapp->shared->server, “server” is a level more or is a resource, can you add images to the post please.

In Discovery Mode, how can I import the policies once they were generated in a domain home?

Regards and thank you for your post

Reply
Mahendra says February 24, 2010

Hi Saravanan,

I have used WebLogic Server 10.3.1 version. Having said, this version works though it’s not certified.

Here are the patch no.s that you need to download from the metalink.

Admin -CP3: 9171320
SSM-CP3: 9171016

Reply
Mahendra says February 24, 2010

Hi Javier,

I am actually in the process of updating the same post with more details. Something which I forgot to write up is that, after you create the SSM instance using ConfigTool, you would need to create the resource AdminServer as Type Resource under wlsapp -> shared -> server. This is followed by save & Distribute and starting the WLS SSM server. FYI, server is also a resource.

When you run the SSM in discovery mode, files such as object, rule, role etc. get created under the WebLogic domain directory. In fact the actual names that get created are AuthorizationProviderImpl.role and you would need to rename them as role respectively. You would have to modify the load.conf present in the ales32-admin folder and run the policyloader. After that restart the WLS server. Check the policies for wlsapp in the OES consoles. Hope this helps.

Reply
Alalasundaram Saravanan says February 25, 2010

Dear Mahendra

Thanks for the response, after successfully creating the ssm instance and when I try to start the weblogic server I am facing below exception which prevents the Weblogic to start.

Is it a familiar issue to you?

Caused By: oracle.security.jps.JpsRuntimeException: No Default or LDAP Authenticator configured on WLS

Alalasundaram Saravanan

Reply
Mahendra says February 25, 2010

Hi Saravanan,

I want you to check a few things.
First, after the SSM instance is created, did you go to the OES console and to the resource structure weblogic_app/shared/svr and create the AdminServer resource? It looks to me that the Authenticator might not have been configured for the ssm realm.

So just to check that, go to config.xml and check the authenticator configured. If not, make myrealm the default and check the same.

HTH.

Mahendra.

Reply
Alalasundaram Saravanan says February 26, 2010

Dear Mahendra

1. Please find attached (sent in mail) the configtool.log which shows some error during instance creation yesterday.

Is it ok or I need to re create the ssm instance.

2. Find attached the config.xml the default realm has been set with out the steps you have mentioned, should I still need to do the steps?

with warm regards

AlalasundaramSaravanan

Reply
Mahendra says February 26, 2010

Hi Saravanan,

I have not received the log and config files through mail. Can you recheck that please?

Reply
Alalasundaram Saravanan says February 26, 2010

Dear Mahendra

I could not send the file through mail, please note the extract below.

Exceptions during ssm instance creation

2010-02-25 18:33:22,656 [C:/DOCUME~1/LENOVO/LOCALS~1/Temp/AlesConfig.performAlesChecks2885\CheckPassword.bat] DEBUG com.bea.security.SsmConfigTool.Daemon – stderr:
… 44 more
Caused by: java.rmi.ConnectException: Destination unreachable; nested exception is:
java.net.ConnectException: Connection refused: connect; No available router to destination
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:464)
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:315)
at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:251)
at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:194)
at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:238)
2010-02-25 18:33:23,172 [C:/DOCUME~1/LENOVO/LOCALS~1/Temp/AlesConfig.performAlesChecks2885\CheckPassword.bat] DEBUG com.bea.security.SsmConfigTool.Daemon – stdout: Server not running
Exception string: Error occured while performing connect : Error getting the initial context. There is no server running at t3://localhost:7101
Use dumpStack() to view the full stacktrace
Use dumpStack() to view the full stacktrace

some exceptions during start of weblogic server

Caused By: oracle.security.jps.JpsRuntimeException: No Default or LDAP Authenticator configured on WLS
at oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider$WlsLdapIdStoreDescriptor.(WlsLdapIdStoreConfigProvider.java:87)
at oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider.getIdentityStoreConfig(WlsLdapIdStoreConfigProvider.java:74)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getIdStoreConfig(LdapIdentityStoreProvider.java:217)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:108)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:59)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191)
at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:129)
at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:124)
at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:628)
at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:622)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:622)
at oracle.security.jps.internal.policystore.PolicyDelegationController.(PolicyDelegationController.java:254)
at oracle.security.jps.internal.policystore.PolicyDelegationController.(PolicyDelegationController.java:248)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.(JavaPolicyProvider.java:130)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1312)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

with warm regards

AlalasundaramSaravanan

Reply
Mahendra says February 26, 2010

Hi Saravanan,

Is the SSM located on a separate machine from the Admin server? If so, is connectivity working? Please check if Admin and SCM are up and running. You can also check by accessing the consoles.
Is this a fresh instance creation soon after the SSM install? Or is something else working fine?

Please remember while running ConfigTool, it is recommended to run this using -check first and then with -process. The option -check will not create SSM instance or policies, it just checks whether all the config details provided are fine or not.

Reply
Javier says March 1, 2010

Hi Mahendra

Hi again, I am new to OES technology. This post is very helpful, but I have many questions about the before and after of protecting WebLogic.

Before executing the config tool, is it necessary to execute an enrollment and asi password?
After executing the discovery mode, when I modify the load.conf, where would I modify the file load.conf: in the SSM instance or in the OES instance? I have two separate instances, one contains an OES server and another has an SSM with a WebLogic. I don't know where it is necessary to execute the policyloader.
I apologize for my poor English.

Reply
Mahendra says March 1, 2010

Hi Javier,

You would need to run enroll.sh and asipassword.sh if you have the SSM in a different instance from the Admin server, otherwise it's not needed. The policy loader will be present in the Admin server instance along with the load.conf.

Does it answer your question?

-Mahendra.

Reply
Javier says March 2, 2010

Hi Mahendra

Thank you for your answer and thank you for your patience. Your answer help me to understand better the process of protect the weblogic server.

Reply
Mahendra says March 2, 2010

You’re welcome Javier. Good Luck 🙂

Reply
Javier says March 5, 2010

Hi Mahendra

Can you help me to resolve an issue occurs when i run the policyloader.

When i execute ./policyloader.sh load.conf the log send me this error:

Start loading Rule, time is: vie mar 5 2010 12:24:16 EST
loading policy from file /u01/oracle/product/weblogic/ales32-admin/examples/policy/rule.1

Number of Authorization and Role Mapping Rules processed : 1, time is: vie mar 5 2010 12:24:16 EST
BLM Syntax Exception : privilege in action must be in DB://priv/RootOrg!ultraAppOrg!shared!reserve
———The input data = : grant(//priv/RootOrg!ultraAppOrg!shared!reserve,//app/policy/RootOrg/ultraAppOrg/shared/jdbc/ConnectionPool/negocioDataSource,//role/Everyone) if true; : line No.1
BLM Syntax Exception : privilege in action must be in DB://priv/RootOrg!ultraAppOrg!shared!reserve
———The input data = : grant(//priv/RootOrg!ultraAppOrg!shared!reserve,//app/policy/RootOrg/ultraAppOrg/shared/jdbc/ConnectionPool/negocioDataSource,//role/Everyone) if true; : line No.1

End loading Rule, time is: vie mar 5 2010 12:24:16 EST

Rollingback 1 BLM transactions due to an error.
The Policy loader transaction has been rolled back, please refer to the BLM Server logs for details.

The Policy loader transaction has been rolled back, please refer to the BLM Server logs for details.

ASI shutting down
disabling policy cache invalidator
PolicyCacheInvalidator thread is stopping
ASI shutdown complete
Policy Loader has terminated! Please check the log file to see if there is any error messages.

I generated a new resource shared>jdbc>ConectioPool>negocioDataSource but it doesn't work. Do you have any idea or suggestion to fix this issue?

Thank you in advance

Regards

Reply
Mahendra says March 6, 2010

Hi Javier,

First of all, you have to run policyloader.sh after you run the application in discovery mode. So when you run the application (I mean the WebLogic server) in discovery mode, files such as policy, roles, rules, privileges etc. get created under the WebLogic domain directory. You have to verify the files and remove unnecessary lines (you can make if anything is not pertaining to your application).

Then you have to copy all those files to a location and should specify that directory in load.conf file.

If you have followed the above said approach, then the author policies, roles, role policies, actions etc., gets created. (remember these are like basic policies that gets created)

Then you can add your actual policies etc., in OES console.

So in your case, you said you are trying to connection pool resource, so you have to ensure where exactly that resource should be.

You have to create that resource manually and should create policies etc., later on. What you are doing may not be possible in ideal scenarios. Therefore, first run policy loader to create all basic stuff, create connection pool, create policies..

HTH.

Mahendra.

Reply
Javier says March 16, 2010

Hi Mahendra

I have a new issue about the import policies.

I can import the policies and the log doesn't show me any error, but when I go to the EUI Admin console the app does not have any rule or policy in the resource tab. I mean the org and app are fine but there are no policies or rules associated with the resources.

I don't know if it's right or if I am missing a step after or before.

I followed your tips, and the install, configuration and discovery mode work fine, but I can't load the policies appropriately.

Do you have any recommendation??

Thanks

Reply
Mahendra says March 16, 2010

Hi Javier,

I presume you would have got policies in your file policy as //role/anyone etc., so that all resources should have that anyone access.

This means after you finish policy loading, you have to uncomment two lines added for discovery mode.

Looks like it seems fine to me.
After this, you manually add policies, roles in your OES console.

Makes sense ?

-M

Reply
Jay Bautista says March 23, 2010

Hi Mahendra,

we are facing issues on accessing an application deployed on the weblogic domain that is being protected by OES SSM (wls-ssm). when i access the application, a login popup window appears, and even if i login as weblogic it still shows that the page is forbidden.

how do we configure the resources of the application we want to protect in OES? and how is the mapping/binding being done from resources configured in OES to the actual resources deployed in the WLS server?

thanks,
jay

Reply
Mahendra says March 23, 2010

Hi Jay,

The behaviour appears as expected. This is because you may not have created any roles or policies in OES and assigned it to that specific resource. Is this true?

If not, please check the OES logs what does it say ?

-Mahendra

Reply
Mahendra says March 23, 2010

Hi Jay,

In order to login as weblogic, please check if that application/resource has authorization provided for weblogic user. If you have deployed the application using discovery mode, then you have to create roles, policies externally (if you have not defined them in files roles, policies etc., ). If you have not run weblogic app in discovery mode, then please do it. Please check for above chain for further details.

Does this help.

Reply
Jay Bautista says March 23, 2010

Hi Mahendra,

Thanks for your reply.

Are the roles and policies you are referring to, different to those that were created from the config tool?

After running the config tool, I have added AdminServer (resource) in wlsapp_org_190310_1 > shared > svr (resource). I have also created authorization policies for the “weblogic” user for wlsapp_org_190310_1, wlsapp_org_190310_1/shared, and wlsapp_org_190310_1/shared/svr/AdminServer resources. I also tried adding the application through the OES EUI but with no success.

after deploying the application in my wls domain, is there anything that i should do in OES admin? like, define the application resource in OES? I ask this because i am wondering on how i could define the level of security i can put in my application. How do i define the application resources in OES admin and how are they being mapped back to the actual application deployed in the wls domain? and do we need to define every single folder and jsp in OES manually?

below is the log from \ales32-ssm\wls-ssm\instance\wlsapp_inst_190310_1\log\system_console.log after i start my wls domain and try to access the web application:

====================
2010-03-23 18:00:11,609 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] ERROR com.bea.security.providers.authorization.asi.PatternClassLoader – Missing JAR file: C:\OES\OES_WLS1030_190310_1\ales32-ssm\wls-ssm\lib\providers\wls\v9\jdbc2_0-stdext.jar
2010-03-23 18:00:13,609 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] WARN com.bea.security.providers.authorization.asi.RbacAttributeRetriever – getAllSupportedAttributes(): Can not get IdentityQuery object. Make sure your metadirectory is properly configured.
2010-03-23 18:00:14,297 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] WARN com.bea.security.providers.authorization.asi.ARME.soap.PolicyUpdateService – no host specified in the ARME configuration, attempting to determine host name…
2010-03-23 18:00:16,109 [Thread-16] WARN com.bea.security.providers.authorization.asi.ARME.soap.PDClient – no host specified in the ARME configuration, attempting to determine host address…
2010-03-23 18:00:20,922 [Thread-16] WARN org.apache.axis.transport.http.HTTPSender – The headers do not contain element content-length.
2010-03-23 18:00:21,891 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] ERROR com.bea.security.providers.authorization.asi.PatternClassLoader – Missing JAR file: C:\OES\OES_WLS1030_190310_1\ales32-ssm\wls-ssm\lib\providers\wls\v9\jdbc2_0-stdext.jar
2010-03-23 18:00:22,266 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] WARN com.bea.security.providers.authorization.asi.RbacAttributeRetriever – getAllSupportedAttributes(): Can not get IdentityQuery object. Make sure your metadirectory is properly configured.
2010-03-23 18:00:25,266 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:00:25,266 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/weblogic/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/Administrators/ //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Administrators //role/RootOrg!wlsapp_org_190310_1!shared!Admin //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Administrators
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/Administrators/
Constraints: NONE
Delegator: null

2. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Admin
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/Administrators/
Constraints: NONE
Delegator: null

3. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer
Subject: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/weblogic/
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:00:25,266 SGT) ==========

2010-03-23 18:01:43,094 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – Reource found: //app/policy/RootOrg/wlsapp_org_190310_1/shared/adm/Configuration
2010-03-23 18:01:43,094 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryRoles: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:43,94 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/adm/Configuration
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies: NONE
========== END Policy Evaluation (2010-03-23 18:01:43,94 SGT) ==========

2010-03-23 18:01:48,438 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:48,422 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:01:48,422 SGT) ==========

2010-03-23 18:01:48,438 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:48,438 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:01:48,438 SGT) ==========

2010-03-23 18:01:48,578 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:48,578 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:01:48,578 SGT) ==========

2010-03-23 18:02:48,469 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========

2010-03-23 18:02:48,469 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========

2010-03-23 18:02:48,469 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========

2010-03-23 18:03:48,469 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,469 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,469 SGT) ==========

2010-03-23 18:03:48,469 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,469 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,469 SGT) ==========

2010-03-23 18:03:48,469 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,469 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,469 SGT) ==========

2010-03-23 18:03:48,594 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,594 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,594 SGT) ==========

2010-03-23 18:03:48,594 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,594 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,594 SGT) ==========

2010-03-23 18:03:48,594 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,594 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,594 SGT) ==========

2010-03-23 18:03:48,609 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,594 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,594 SGT) ==========

2010-03-23 18:03:48,609 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,609 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,609 SGT) ==========

2010-03-23 18:03:48,609 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:03:48,609 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:03:48,609 SGT) ==========

2010-03-23 18:04:48,609 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:04:48,609 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:04:48,609 SGT) ==========

2010-03-23 18:04:48,609 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:04:48,609 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:04:48,609 SGT) ==========

2010-03-23 18:04:48,625 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:04:48,625 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:04:48,625 SGT) ==========

2010-03-23 18:04:48,625 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:04:48,625 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:04:48,625 SGT) ==========

2010-03-23 18:04:48,625 [[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:04:48,625 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:04:48,625 SGT) ==========

2010-03-23 18:04:48,625 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:04:48,625 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:04:48,625 SGT) ==========

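The DebugStore output pasted in these comments repeats the same decision minute after minute, so the following Python parser collapses such blocks into one row per decision and lists anonymous requests that were granted through a policy on a parent resource. It is an added example, not part of the original post, any comment, or OES itself; the sample log is constructed (`demo_org` and `demo_dir` are made-up names), and treating a policy whose resource is a path prefix of the request as an inherited grant is an assumption drawn from the log layout shown here.

```python
import re
from collections import Counter

# One DebugStore block in the layout of the system_console.log excerpt quoted in the
# comments. demo_org / demo_dir and every value below are constructed sample data.
_BLOCK = """\
2010-03-23 18:01:48,438 [[ACTIVE] ExecuteThread: '0'] DEBUG com.wles.util.DebugStore - queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:48,438 SGT) ==========
RequestResource is: //app/policy/RootOrg/demo_org/shared/{res}
UserInfo:
Name: //user/RootOrg!demo_org!demo_dir/{user}/
Groups: //sgrp/RootOrg!demo_org!demo_dir/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!demo_org!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!demo_org!shared!Everyone
Resource: //app/policy/RootOrg/demo_org/shared
Subject: //sgrp/RootOrg!demo_org!demo_dir/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:{atz}
========== END Policy Evaluation (2010-03-23 18:01:48,438 SGT) ==========
"""
_GRANT = """
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/demo_org/shared/{res}
Subject: {subj}
Constraints: NONE
Delegator: null
"""
EVERYONE = "//role/RootOrg!demo_org!shared!Everyone"

def _sample_block(user, res, policy_res=None, subject=None):
    # policy_res=None renders "ATZ Policies: NONE", as in the adm/Configuration block.
    atz = " NONE" if policy_res is None else _GRANT.format(res=policy_res, subj=subject)
    return _BLOCK.format(user=user, res=res, atz=atz)

SAMPLE_LOG = (
    _sample_block("weblogic", "svr/AdminServer", "svr/AdminServer",
                  "//user/RootOrg!demo_org!demo_dir/weblogic/")
    + _sample_block("anonymous", "jndi/weblogic/wsee", "jndi", EVERYONE) * 2
    + _sample_block("anonymous", "adm/Configuration")
)

BLOCK_RE = re.compile(
    r"=+ BEGIN Policy Evaluation \(([^)]*)\) =+\n(.*?)=+ END Policy Evaluation", re.S)
ATZ_RE = re.compile(
    r"^\d+\. Result: (\w+); Policy Type: (\w+)\n"
    r"Privilege: (.*)\nResource: (.*)\nSubject: (.*)$", re.M)
KEYS = ("result", "type", "privilege", "resource", "subject")

def _field(label, text):
    hit = re.search(rf"^{re.escape(label)}:[ \t]*(.*)$", text, re.M)
    return hit.group(1).strip() if hit else ""

def parse_evaluations(log_text):
    """Return one dict per BEGIN/END Policy Evaluation block."""
    evals = []
    for ts, body in BLOCK_RE.findall(log_text.replace("\r\n", "\n")):
        # Role-mapping and ATZ sections both carry "Resource:" and "Subject:" lines,
        # so split at the ATZ header before reading the authorization policies.
        head, _, atz = body.partition("\nATZ Policies:")
        evals.append({
            "time": ts,
            "resource": _field("RequestResource is", head),
            "user": _field("Name", head).rstrip("/").rsplit("/", 1)[-1],
            "roles": _field("Roles Granted", head).split(),
            "atz": [dict(zip(KEYS, (g.strip() for g in m))) for m in ATZ_RE.findall(atz)],
        })
    return evals

def inherited_anonymous_grants(evals):
    """Anonymous requests granted by a policy defined on a parent resource."""
    hits = set()
    for ev in evals:
        for p in ev["atz"]:
            granted = p["result"] == "true" and p["type"] == "grant"
            inherited = ev["resource"].startswith(p["resource"] + "/")
            if ev["user"] == "anonymous" and granted and inherited:
                hits.add((ev["resource"], p["resource"], p["privilege"], p["subject"]))
    return sorted(hits)

def collapse(evals):
    """Count identical decisions so repeated evaluations read as a single row."""
    rows = Counter()
    for ev in evals:
        matched = ", ".join(p["resource"] for p in ev["atz"]) or "no ATZ policy matched"
        rows[(ev["user"], ev["resource"], matched)] += 1
    return rows

if __name__ == "__main__":
    for (user, res, via), n in collapse(parse_evaluations(SAMPLE_LOG)).items():
        print(f"{n}x {user} -> {res} [{via}]")
```

Run against a real `system_console.log`, the collapsed rows show at a glance which requests matched an authorization policy and which evaluated with `ATZ Policies: NONE`.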
Jay Bautista says March 23, 2010

Hi Mahendra,

Thanks for your reply.

Are the roles and policies you are referring to different to those that were created from the config tool?

After running the config tool, I have added AdminServer (resource) in wlsapp_org_190310_1 > shared > svr (resource). I have also created authorization policies for the “weblogic” user for wlsapp_org_190310_1, wlsapp_org_190310_1/shared, and wlsapp_org_190310_1/shared/svr/AdminServer resources. I also tried adding the application in OES EUI but with no success.

After deploying the application in my wls domain, is there anything that I should do in OES admin? Like, define the application resource in OES? I ask this because I am wondering how I could define the level of security I can put in my application. How do I define the application resources in OES admin and how are they being mapped back to the actual application deployed in the wls domain? And do we need to define every single folder and jsp in OES manually?

Below is the log from \ales32-ssm\wls-ssm\instance\wlsapp_inst_190310_1\log\system_console.log after I start my wls domain and try to access the web application:

====================
2010-03-23 18:00:11,609 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] ERROR com.bea.security.providers.authorization.asi.PatternClassLoader – Missing JAR file: C:\OES\OES_WLS1030_190310_1\ales32-ssm\wls-ssm\lib\providers\wls\v9\jdbc2_0-stdext.jar
2010-03-23 18:00:13,609 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] WARN com.bea.security.providers.authorization.asi.RbacAttributeRetriever – getAllSupportedAttributes(): Can not get IdentityQuery object. Make sure your metadirectory is properly configured.
2010-03-23 18:00:14,297 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] WARN com.bea.security.providers.authorization.asi.ARME.soap.PolicyUpdateService – no host specified in the ARME configuration, attempting to determine host name…
2010-03-23 18:00:16,109 [Thread-16] WARN com.bea.security.providers.authorization.asi.ARME.soap.PDClient – no host specified in the ARME configuration, attempting to determine host address…
2010-03-23 18:00:20,922 [Thread-16] WARN org.apache.axis.transport.http.HTTPSender – The headers do not contain element content-length.
2010-03-23 18:00:21,891 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] ERROR com.bea.security.providers.authorization.asi.PatternClassLoader – Missing JAR file: C:\OES\OES_WLS1030_190310_1\ales32-ssm\wls-ssm\lib\providers\wls\v9\jdbc2_0-stdext.jar
2010-03-23 18:00:22,266 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] WARN com.bea.security.providers.authorization.asi.RbacAttributeRetriever – getAllSupportedAttributes(): Can not get IdentityQuery object. Make sure your metadirectory is properly configured.
2010-03-23 18:00:25,266 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:00:25,266 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/weblogic/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/Administrators/ //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Administrators //role/RootOrg!wlsapp_org_190310_1!shared!Admin //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Administrators
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/Administrators/
Constraints: NONE
Delegator: null

2. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Admin
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/Administrators/
Constraints: NONE
Delegator: null

3. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer
Subject: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/weblogic/
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:00:25,266 SGT) ==========

2010-03-23 18:01:43,094 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – Reource found: //app/policy/RootOrg/wlsapp_org_190310_1/shared/adm/Configuration
2010-03-23 18:01:43,094 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryRoles: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:43,94 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/adm/Configuration
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies: NONE
========== END Policy Evaluation (2010-03-23 18:01:43,94 SGT) ==========

2010-03-23 18:01:48,438 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:48,422 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:01:48,422 SGT) ==========

2010-03-23 18:01:48,438 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:48,438 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:01:48,438 SGT) ==========

2010-03-23 18:01:48,578 [[STANDBY] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:01:48,578 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:01:48,578 SGT) ==========

2010-03-23 18:02:48,469 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========
RequestResource is: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic
UserInfo:
Name: //user/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/anonymous/
Groups: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Resource Present: true
Roles Granted: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Role Mapping Policies:
1. Result: true; Policy Type: grant
Role: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared
Subject: //sgrp/RootOrg!wlsapp_org_190310_1!wlsapp_dir_190310_1/allusers/
Constraints: NONE
Delegator: null

ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: any
Resource: //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi
Subject: //role/RootOrg!wlsapp_org_190310_1!shared!Everyone
Constraints: NONE
Delegator: null

========== END Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========

2010-03-23 18:02:48,469 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] DEBUG com.wles.util.DebugStore – queryAccess: DebugStore:
========== BEGIN Policy Evaluation (2010-03-23 18:02:48,469 SGT) ==========

Reply
Jay Bautista says March 23, 2010

Hi Mahendra,

Thanks for your reply.

Are the roles and policies you are referring to different to those that were created from the config tool?

After running the config tool, I have added AdminServer (resource) in wlsapp_org_190310_1 > shared > svr (resource). I have also created authorization policies for the “weblogic” user for wlsapp_org_190310_1, wlsapp_org_190310_1/shared, and wlsapp_org_190310_1/shared/svr/AdminServer resources. I also tried adding the application in OES EUI but with no success.

After deploying the application in my WLS domain, is there anything that I should do in OES admin? Like, define the application resource in OES? I ask this because I am wondering how I could define the level of security I can put in my application. How do I define the application resources in OES admin and how are they being mapped back to the actual application deployed in the WLS domain? And do we need to define every single folder and JSP in OES manually?

Reply
Jay Bautista says March 23, 2010

Sorry for the flooding of my messages. I thought my post was unsuccessful due to some errors I found in my browser. 😛

Reply
Mahendra says March 23, 2010

Hi Jay,

After you deploy the app in WLS domain, you have to run the app in Discovery mode. Check this
http://fusionsecurity.blogspot.com/2010/01/oes-discovery-mode.html

Then you will see the resource structure in your OES console.

Also you would not need to perform this step as you said: “I have also created authorization policies for the “weblogic” user for wlsapp_org_190310_1, wlsapp_org_190310_1/shared, and wlsapp_org_190310_1/shared/svr/AdminServer resources”.

Then you remove the discovery mode, restart WLS server, and then create your own roles and policies and assign them to resources.

This is till page level protected.

If you want data level protection, then create your specific privileges, actions etc. in OES console, and make specific code changes in your app using OES API.

Reply
Mahendra says March 23, 2010

Hi Jay,

Yes, the roles and policies are different from those that you see while running config tool.

I think you are missing some steps.
Follow this.

Create SSM instance using config tool.
Start WLS domain
Add the AdminServer under shared/svr in OES console (as you did already)
Deploy application in WLS domain
Stop WLS Server, enable discovery mode.

You should see some files in domain directory.
Edit files and remove unwanted data except your application specific data.
Modify load.conf and run policy loader.
Start WLS Server.

You should be able to see some default policies with allow all for all the resources in OES console.
Now define your own roles.
Create atz policies and assign to the resources.

If you want to authenticate your app using any ldap server or so, then add the groups or specific users in OES identity directory.
If you want to protect data in your page, then create specific actions in OES console.
Modify your code, and use OES API to protect your granular elements defined for a resource.

You should now be able to access your app protected by OES.

Does this help?

Reply
Jay Bautista says March 23, 2010

Hi Mahendra,

I have modified the set-wls-env.bat and restarted WLS server, and I am now able to access the application in discovery mode and the following files were created in the WLS Domain folder:
providerdiscovery.RoleProviderImpl.decl
providerdiscovery.RoleProviderImpl.log
providerdiscovery.RoleProviderImpl.object
providerdiscovery.RoleProviderImpl.priv
providerdiscovery.RoleProviderImpl.privbinding
providerdiscovery.RoleProviderImpl.privgrp
providerdiscovery.RoleProviderImpl.role
providerdiscovery.RoleProviderImpl.rule
providerdiscovery.AuthorizationProviderImpl.decl
providerdiscovery.AuthorizationProviderImpl.log
providerdiscovery.AuthorizationProviderImpl.object
providerdiscovery.AuthorizationProviderImpl.priv
providerdiscovery.AuthorizationProviderImpl.privbinding
providerdiscovery.AuthorizationProviderImpl.privgrp
providerdiscovery.AuthorizationProviderImpl.role
providerdiscovery.AuthorizationProviderImpl.rule

However:
1. In your statement “Edit files and remove unwanted data except your application specific data.”, what do you actually mean by this? Which files/data to remove?
i.e. in providerdiscovery.RoleProviderImpl.object:
//app/policy/RootOrg O
//app/policy/RootOrg/wlsapp_org_190310_1 O
//app/policy/RootOrg/wlsapp_org_190310_1/shared A
//app/policy/RootOrg/wlsapp_org_190310_1/shared/svr O
//app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer O
//app/policy/RootOrg/wlsapp_org_190310_1/shared/adm O
//app/policy/RootOrg/wlsapp_org_190310_1/shared/adm/Configuration O
//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi O
//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic O
//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee O
//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue O
//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation A
//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url O
//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation O
//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/form.faces O
//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/styles.css O
— So I remove everything except for those with “jsf-datavalidation”?

How about for providerdiscovery.AuthorizationProviderImpl.rule:
#//priv/boot on //app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer with input attributes:
grant(//priv/boot,//app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer,//role/Everyone) if true;

#//priv/lookup on //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic with input attributes:
grant(//priv/lookup,//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic,//role/Everyone) if true;

#//priv/lookup on //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee with input attributes:
grant(//priv/lookup,//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee,//role/Everyone) if true;

#//priv/lookup on //app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue with input attributes:
grant(//priv/lookup,//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue,//role/Everyone) if true;

#//priv/GET on //app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/form.faces with input attributes:
grant(//priv/GET,//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/form.faces,//role/Everyone) if true;

#//priv/GET on //app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/styles.css with input attributes:
grant(//priv/GET,//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/styles.css,//role/Everyone) if true;

2. I am not able to locate the load.conf in \ales32-admin\bin folder. I tried searching for it in the folder as well but there are lots of load.conf found and only 1 is under the ales32-admin (which is under the examples folder). Am I looking at the wrong location? Please advise.

Thanks for all your help on this.

Regards,
Jay

Reply
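The discovery-mode rule file quoted in the comment above grants every discovered resource to //role/Everyone with the condition `if true`, which is the default allow-all state Mahendra describes before you define your own roles. The following Python is an added example, not code from the post or from OES: it parses that `grant(...)` syntax and lists the unconditional Everyone grants per application node, without deleting anything. The last sample rule, the `//role/AppUser` role and all function names are constructed, and the position of the application node in the resource path is inferred from the paths shown in the comment.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# The six //role/Everyone grants are the ones quoted from
# providerdiscovery.AuthorizationProviderImpl.rule in the comment above.
# The final rule (//role/AppUser) is constructed for this example.
SAMPLE_RULES = """\
#//priv/boot on //app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer with input attributes:
grant(//priv/boot,//app/policy/RootOrg/wlsapp_org_190310_1/shared/svr/AdminServer,//role/Everyone) if true;
grant(//priv/lookup,//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic,//role/Everyone) if true;
grant(//priv/lookup,//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee,//role/Everyone) if true;
grant(//priv/lookup,//app/policy/RootOrg/wlsapp_org_190310_1/shared/jndi/weblogic/wsee/DefaultQueue,//role/Everyone) if true;
grant(//priv/GET,//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/form.faces,//role/Everyone) if true;
grant(//priv/GET,//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/styles.css,//role/Everyone) if true;
grant(//priv/GET,//app/policy/RootOrg/wlsapp_org_190310_1/jsf-datavalidation/url/jsf-datavalidation/form.faces,//role/AppUser) if true;
"""


class Rule(NamedTuple):
    effect: str      # "grant" in every rule shown on the page
    privilege: str   # e.g. //priv/GET
    resource: str    # e.g. //app/policy/RootOrg/<org>/<application>/...
    subject: str     # e.g. //role/Everyone
    condition: str   # text after "if"; empty when no "if" clause is present


# effect(privilege,resource,subject) if <condition>;
RULE_RE = re.compile(
    r"^(\w+)\(\s*([^,\s]+)\s*,\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)"
    r"(?:\s+if\s+(.+?))?\s*;$"
)


def parse_rules(text):
    """Return (rules, unparsed_lines); '#' comment lines and blanks are skipped."""
    rules, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            unparsed.append(line)  # surface anything this parser does not understand
            continue
        rules.append(Rule(m.group(1), m.group(2), m.group(3),
                          m.group(4), m.group(5) or ""))
    return rules, unparsed


def application_node(resource):
    """Fifth path component, e.g. 'shared' or 'jsf-datavalidation' (assumed layout)."""
    parts = resource.lstrip("/").split("/")
    return parts[4] if len(parts) > 4 else ""


def allow_all_grants(rules):
    """Group unconditional grants to the Everyone role by application node."""
    report = defaultdict(list)
    for rule in rules:
        role_name = re.split(r"[/!]", rule.subject)[-1]
        # Assumption: a rule with no "if" clause is treated as unconditional.
        unconditional = (rule.condition or "true").strip().lower() == "true"
        if rule.effect == "grant" and role_name == "Everyone" and unconditional:
            report[application_node(rule.resource)].append(
                (rule.privilege, rule.resource))
    return dict(report)


if __name__ == "__main__":
    parsed, skipped = parse_rules(SAMPLE_RULES)
    for node, grants in sorted(allow_all_grants(parsed).items()):
        print(f"[{node}] {len(grants)} allow-all grant(s) to Everyone")
        for privilege, resource in grants:
            print(f"  {privilege} on {resource}")
    for line in skipped:
        print("could not parse:", line)
```

Entries that remain in this report after you have created your own roles and ATZ policies are resources still open to every user.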
Jay Bautista says March 24, 2010

Hi Mahendra,

I created the load.conf and executed policyloader but it seems that it was not able to read the files.

You mentioned that the files need to be renamed, what should be the new filename format then?

I have sent you the load.conf and load-error.log via email.

Thanks,
Jay

Reply
arvind says April 13, 2010

Hi,

I need to know what changes are required on the Oracle database as well as the Oracle application side if we change the domain name for a server (DNS change).

I’ve some idea as we need to re-configure the workflow but apart from that I’ve no idea.

please share your views.

Reply
Mahendra says April 13, 2010

Hi Arvind,

Is this question related to OES and WebLogic server integration?

Reply
arvind says April 14, 2010

I guess I’ve kept my concerns in a wrong category……Let me re-upload it to right category.

Reply
smanchikanti says April 30, 2010

Hi Mahendra,

After installation and configuration of SSM (CP2 installed) and protecting the weblogic server.

I am able to start the server and everything is fine.

I have deployed a web application to the secured domain and created a policy to page level to the weblogic user.

Now when I am able to hit the application, it was asking the Basic Authentication, and authentication is success for “weblogic” user.

How to remove the basic authentication? I have login page as the initial page which should be accessed by everyone. Also what other API should I use to protect the page level?

Appreciate for your kind help.

Thanks and Regards,
Sridhar

Reply
Mahendra says April 30, 2010

Hi Sridhar,

No need of API for protecting the page level. You can just specify the atz or role policies for your page in the resource structure. I presume that the authentication mechanism should work with the way you make a WLS app work with form login. So you can try making your app work with form login. In the OES resource structure, give access to anyone for the form login. I believe this should work.

Reply
smanchikanti says April 30, 2010

Hi Mahendra,

I have access to the login page as “everyone”, but I hit the application it still prompts me as

The server localhost at WebLogic Server requires a username and password.

“Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).”

When I enter the credential it is allowed.

Please advise.

Thanks and Regards,
sridhar

Reply
smanchikanti says April 30, 2010

Hi Mahendra,

I have given access to the login page as “everyone”, but I hit the application it still prompts me as

The server localhost at WebLogic Server requires a username and password.

“Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).”

When I enter the credential it is allowed.

Please advise.

Thanks and Regards,
sridhar

Reply
Mahendra says April 30, 2010

Sridhar,

Before configuring the WLS App in WLS SSM, were you able to test the app using form based authentication with login page and was it working fine?

Reply
smanchikanti says April 30, 2010

Hi Mahendra,

Yes, I have tested the application. It was working fine (i.e. it does not prompt me for any authentication). Now when I have configured in WLS SSM, it prompts me as since it is protected,

But as per your advice I have given access to “Everyone”, but it still prompts me as
The server localhost at WebLogic Server requires a username and password.

“Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).”

Anything I am missing?

Regards,
Sridhar

Reply
smanchikanti says May 20, 2010

Hi Mahendra,

We have resolved this issue by explicitly changing the web.xml for form based.

Regards,
Sridhar

Reply
omar says October 14, 2010

“Hi there Chris, I’ve already read the whole workarounds about the problem I’m facing, but I’m still stuck on the following error when I try to boot my WLS. I’d tried your solution too but it didn’t work. I mean, I can boot the server if I change -Myapp- to -myrealm- and I make all the changes but it didn’t work. I’m using OES 10.1.4.3 with patch 4, WLS 10.3.0 and SSM 10.1.4.3 with patches 2, 3 and 4. I would really appreciate it if you give me some light here. Thanks in advance

(2010-10-14 18:26:00,823 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] ERROR com.bea.security.providers.authorization.asi.AuthorizationProviderImpl – com.bea.security.providers.authorization.asi.InvocationException: ArmeNOTREADY Exception: Engine did not recieve initial policy


“)

Reply
omar says October 14, 2010

Sorry, for the name Mahendra, my mistake

Reply
Mahendra says October 19, 2010

Omar,

Did you see any errors while configuring WebLogic SSM? It appears to me that the policies are not distributed to the SSM while configuring it. So, log in to the OES administration console and try to distribute policies to the SSMs. If you see a negative value for id, then policies are not distributing properly. Are WebLogic Admin and SSM residing on different machines?

-Mahendra

Reply
Alan Flores says November 4, 2011

Hi Mahendra: I am new in this forum but it is great. I have a problem with the OES and I hope you can help me. In one machine we have a web application in a server where we have an SSM module, in another machine we have the OESadmin. The application sometimes makes a connection to the OES through the API in order to register users in the OES, but we have the problem that sometimes the OES doesn't work and the application doesn't work because it cannot register users in the OES. The unique form to solve the problem is restarting the OESadmin and the OESSCM. Do you know what could be the problem?

Reply
Mahendra says November 5, 2011

Hi Alan,

Is there any firewall between those 2 machines? If not, I have not seen such problem arising.

-Mahendra.

Reply
Alan Flores says November 5, 2011

Hi Mahendra:
Yes, there is a firewall between the machines, but the strange thing is that sometimes the connection between the web application and OES admin is correct and sometimes the web application cannot connect to the OES admin, and restarting the OES all works fine.
Do you think that is about the firewalls? Do you have any advice to solve that problem?
A lot of thanks in advance

Reply