java.lang.SecurityException: [Security:090398]Invalid Subject ... - Weblogic

This is a discussion on java.lang.SecurityException: [Security:090398]Invalid Subject ... - Weblogic ; Hi I am getting java.lang.SecurityException: [Security:090398]Invalid Subject unde the following scenario: - I have a simple dispatcher class which is starting a number of threads, every one of them sending messages to different Weblogic servers. - The dispatcher class is ...

+ Reply to Thread
Results 1 to 10 of 10

Thread: java.lang.SecurityException: [Security:090398]Invalid Subject ...

  1. java.lang.SecurityException: [Security:090398]Invalid Subject ...

    Hi

    I am getting java.lang.SecurityException: [Security:090398]Invalid Subject unde the following scenario:

    - I have a simple dispatcher class which is starting a number of threads, every one of them sending messages to different Weblogic servers.
    - The dispatcher class is a simple Java class, running from outside of Weblogic server; the authentication is done using the JNDI login.
    - The message sender threads create an InitialContext for each message being sent and the context is closed after succesfully sending the message.

    With just one message sender thread running, everything is OK.
    The problems appear when at least two threads run at the same time. What happens is that one of the threads sends messages successfully while the other ones fail with:

    java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[user1, role1, role2, role3, role4]

    at weblogic.rjvm.BasicOutboundRequest.sendReceive(Bas icOutboundRequest.java:108)

    at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicR emoteRef.java:138)

    at weblogic.jms.dispatcher.DispatcherImpl_812_WLStub. dispatchSyncFuture(Unknown Source)

    at weblogic.jms.dispatcher.DispatcherWrapperState.dis patchSync(DispatcherWrapperState.java:339)

    at weblogic.jms.client.JMSConnection.createSessionInt ernal(JMSConnection.java:400)

    at weblogic.jms.client.JMSConnection.createTopicSessi on(JMSConnection.java:359)

    at com.delta.parser.test.TestMessageThread.sendMessag e(TestMessageThread.java:54)

    at com.delta.parser.test.TestMessageThread.run(TestMe ssageThread.java:34)

    Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[user1, role1, role2, role3, role4]

    at weblogic.security.service.SecurityServiceManager.s eal(SecurityServiceManager.java:682)

    at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgA bbrevInputStream.java:182)

    at weblogic.rmi.internal.BasicServerRef.acceptRequest (BasicServerRef.java:825)

    at weblogic.rmi.internal.BasicServerRef.dispatch(Basi cServerRef.java:300)

    at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.ja va:923)

    at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:844)

    at weblogic.rjvm.ConnectionManagerServer.handleRJVM(C onnectionManagerServer.java:222)

    at weblogic.rjvm.ConnectionManager.dispatch(Connectio nManager.java:794)

    at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMCon nection.java:570)

    at weblogic.socket.NTSocketMuxer.processSockets(NTSoc ketMuxer.java:105)

    at weblogic.socket.SocketReaderRequest.execute(Socket ReaderRequest.java:32)

    at weblogic.kernel.ExecuteThread.execute(ExecuteThrea d.java:197)

    at weblogic.kernel.ExecuteThread.run(ExecuteThread.ja va:170)


    The environment is Weblogic 8.1 (WebLogic Platform Developer license) running on Windows XP Professional.

    In the classpath I have the following weblogic jar files: weblogic.jar, wlclient.jar, wljmsclient.jar.

    The code that is generating the exceptions is:


    /****************** Dispatcher ************************/
    package test;

    public class TestThreadDispatcher {
    public TestThreadDispatcher() {
    }

    public static void main(String[] args) {
    TestThreadDispatcher instance = new TestThreadDispatcher();
    instance.doTest();
    }

    private void doTest() {
    TestMessageThread t1 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
    "t3://pc10:7001",
    "user1",
    "passwd");
    t1.start();

    TestMessageThread t2 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
    "t3://sjn:7001",
    "user1",
    "passwd");
    t2.start();

    TestMessageThread t3 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
    "t3://pc99:7001",
    "user1",
    "passwd");
    t3.start();
    }
    }


    /****************** Message sender thread **************/
    package test;

    import java.util.*;
    import javax.jms.*;
    import javax.naming.*;
    import com.delta.parser.util.*;


    public class TestMessageThread extends Thread implements ParserConstants {
    private Hashtable environment;

    public TestMessageThread(String initialFactory,
    String url,
    String principal,
    String credentials) {

    Hashtable env = new Hashtable();

    env.put(Context.INITIAL_CONTEXT_FACTORY,
    initialFactory);
    env.put(Context.PROVIDER_URL,
    url);
    env.put(Context.SECURITY_PRINCIPAL,
    principal);
    env.put(Context.SECURITY_CREDENTIALS,
    credentials);

    environment = env;
    }

    public void run() {
    int cnt = 0;
    while(true) {
    sendMessage("" + cnt++);

    try {
    sleep(500);
    } catch (InterruptedException iex) {
    }
    }
    }

    private void sendMessage(String text) {

    try {

    Context ctx = new InitialContext(environment);

    TopicConnectionFactory factory = (TopicConnectionFactory)
    ctx.lookup("javax.jms.TopicConnectionFactory");

    TopicConnection connection = factory.createTopicConnection();

    TopicSession session = connection.createTopicSession(false,
    javax.jms.Session.AUTO_ACKNOWLEDGE);

    Topic topic = (Topic)ctx.lookup("FileTopic");

    TopicPublisher publisher = session.createPublisher(topic);

    TextMessage message = session.createTextMessage(text);

    publisher.publish(message);


    System.out.println("Message " + text + " sent to " +
    environment.get(Context.PROVIDER_URL));


    ctx.close();
    }
    catch (JMSException jmsex) {
    jmsex.printStackTrace();
    }
    catch (NamingException nex) {
    nex.printStackTrace();
    }
    catch (SecurityException scex) {
    scex.printStackTrace();
    }
    }

    }

    Any workarounds for this?
    BTW, I did try using weblogic.jndi.Environment to obtain an InitialContext and also wraping the code inside thread's run() into a Security.runAs(subject, new PrivilegedAction() { ....}

    Thanks in advance
    Mirel Rata

  2. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    Hello,

    Just to be clear, you have tested this with one thread and it works for any server that thread is configured for, so there is no problem the credentials you are supplying.

    Can you add some logging code to

    private void sendMessage(String text) method to log the environment settings and credentials for message before it is sent and post the output.

  3. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    Hi Hoos,

    Firstly, thank you for replying.

    > Just to be clear, you have tested this with one thread and it works for any server that thread is configured for, so there is no problem the credentials you are supplying.


    Yes, I have tested the code using just one thread, sending messages to each and every server. The messages are sent without problems to all the servers as long as there's only one thread running, so there's no problems with the credentials.
    More than that, the username/password are the same for all the servers.


    > Can you add some logging code to private void sendMessage(String text) method to log the environment settings and credentials for message before it is sent and post the output.


    Done. I synchronized sendMessage(String text) to have the log lines grouped for each thread. Here comes the log:

    ---------------- Thread 1 -----------------------------
    Context environment : {java.naming.provider.url=t3://pc10:7001, java.naming.factory.initial=weblogic.jndi.WLInitia lContextFactory, java.naming.factory.url.pkgs=weblogic.corba.j2ee.n aming.url:weblogic.corba.client.naming}

    Security principals : [user1, role1]

    Private credentials : [principals=[user1, role1]]
    Message 5 sent to t3://pc10:7001

    ---------------- Thread 2 -----------------------------
    Context environment : {java.naming.provider.url=t3://sjn:7001, java.naming.factory.initial=weblogic.jndi.WLInitia lContextFactory, java.naming.factory.url.pkgs=weblogic.corba.j2ee.n aming.url:weblogic.corba.client.naming}

    Security principals : [user1, role1, role2, role3, role4]

    Private credentials : [principals=[user1, role1, role2, role3, role4]]

    java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[user1, role1, role2, role3, role4]
    at weblogic.rjvm.BasicOutboundRequest.sendReceive(Bas icOutboundRequest.java:108)
    at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicR emoteRef.java:138)
    at weblogic.jms.dispatcher.DispatcherImpl_812_WLStub. dispatchSyncFuture(Unknown Source)
    at weblogic.jms.dispatcher.DispatcherWrapperState.dis patchSync(DispatcherWrapperState.java:339)
    at weblogic.jms.client.JMSConnection.createSessionInt ernal(JMSConnection.java:400)
    at weblogic.jms.client.JMSConnection.createTopicSessi on(JMSConnection.java:359)
    at com.delta.parser.test.TestMessageThread.sendMessag e(TestMessageThread.java:72)
    at com.delta.parser.test.TestMessageThread.run(TestMe ssageThread.java:47)
    Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[user1, role1, role2, role3, role4]
    at weblogic.security.service.SecurityServiceManager.s eal(SecurityServiceManager.java:682)
    at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgA bbrevInputStream.java:182)
    at weblogic.rmi.internal.BasicServerRef.acceptRequest (BasicServerRef.java:825)
    at weblogic.rmi.internal.BasicServerRef.dispatch(Basi cServerRef.java:300)
    at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.ja va:923)
    at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:844)
    at weblogic.rjvm.ConnectionManagerServer.handleRJVM(C onnectionManagerServer.java:222)
    at weblogic.rjvm.ConnectionManager.dispatch(Connectio nManager.java:794)
    at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMCon nection.java:570)
    at weblogic.socket.NTSocketMuxer.processSockets(NTSoc ketMuxer.java:105)
    at weblogic.socket.SocketReaderRequest.execute(Socket ReaderRequest.java:32)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThrea d.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.ja va:170)


    Any thoughts?

    Regards,
    Mirel Rata

  4. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    Mirel,

    Here is some code changes you can try:

    Set up your test message threads as memeber variables.

    package test;

    public class TestThreadDispatcher {

    TestMessageThread t1 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
    "t3://pc10:7001",
    "user1",
    "passwd");

    TestMessageThread t2 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
    "t3://sjn:7001",
    "user1",
    "passwd");

    TestMessageThread t3 = new TestMessageThread("weblogic.jndi.WLInitialContextFactory",
    "t3://pc99:7001",
    "user1",
    "passwd");

    public TestThreadDispatcher() {
    }

    public static void main(String[] args) {
    TestThreadDispatcher instance = new TestThreadDispatcher();
    instance.doTest();
    }

    private void doTest() {

    t1.start();

    t2.start();

    t3.start();
    }
    }


    And don't create a new context with every call to the run method:

    package test;

    import java.util.*;
    import javax.jms.*;
    import javax.naming.*;
    import com.delta.parser.util.*;


    public class TestMessageThread extends Thread implements ParserConstants {
    private Hashtable environment;

    public TestMessageThread(String initialFactory,
    String url,
    String principal,
    String credentials) {

    Hashtable env = new Hashtable();

    env.put(Context.INITIAL_CONTEXT_FACTORY,
    initialFactory);
    env.put(Context.PROVIDER_URL,
    url);
    env.put(Context.SECURITY_PRINCIPAL,
    principal);
    env.put(Context.SECURITY_CREDENTIALS,
    credentials);

    environment = env;
    }

    Context ctx = new InitialContext(environment);

    public void run() {
    int cnt = 0;
    while(true) {
    sendMessage("" + cnt++);

    try {
    sleep(500);
    } catch (InterruptedException iex) {
    }
    }
    }

    private void sendMessage(String text) {

    try {

    TopicConnectionFactory factory = (TopicConnectionFactory)
    ctx.lookup("javax.jms.TopicConnectionFactory");

    TopicConnection connection = factory.createTopicConnection();

    TopicSession session = connection.createTopicSession(false,
    javax.jms.Session.AUTO_ACKNOWLEDGE);

    Topic topic = (Topic)ctx.lookup("FileTopic");

    TopicPublisher publisher = session.createPublisher(topic);

    TextMessage message = session.createTextMessage(text);


    System.out.println("Sending " + text + " to " +
    environment.get(Context.PROVIDER_URL));

    publisher.publish(message);


    System.out.println("Message " + text + " sent to " +
    environment.get(Context.PROVIDER_URL));


    ctx.close();
    }
    catch (JMSException jmsex) {
    jmsex.printStackTrace();
    }
    catch (NamingException nex) {
    nex.printStackTrace();
    }
    catch (SecurityException scex) {
    scex.printStackTrace();
    }
    }

    }

    I added a bit more logging code as well.

  5. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    You can go further and do the lookup only once as well,

    package test;

    import java.util.*;
    import javax.jms.*;
    import javax.naming.*;
    import com.delta.parser.util.*;


    public class TestMessageThread extends Thread implements ParserConstants {
    private Hashtable environment;
    private Topic topic;
    private Context ctx;

    public TestMessageThread(String initialFactory,
    String url,
    String principal,
    String credentials) {

    Hashtable env = new Hashtable();

    env.put(Context.INITIAL_CONTEXT_FACTORY,
    initialFactory);
    env.put(Context.PROVIDER_URL,
    url);
    env.put(Context.SECURITY_PRINCIPAL,
    principal);
    env.put(Context.SECURITY_CREDENTIALS,
    credentials);

    environment = env;
    }

    try {

    ctx = new InitialContext(environment);
    topic = (Topic)ctx.lookup("FileTopic");
    } catch(Exception e) {
    e.printStackTrace();
    }

    public void run() {
    int cnt = 0;
    while(true) {
    sendMessage("" + cnt++);

    try {
    sleep(500);
    } catch (InterruptedException iex) {
    }
    }
    }

    private void sendMessage(String text) {

    try {

    TopicConnectionFactory factory = (TopicConnectionFactory)
    ctx.lookup("javax.jms.TopicConnectionFactory");

    TopicConnection connection = factory.createTopicConnection();

    TopicSession session = connection.createTopicSession(false,
    javax.jms.Session.AUTO_ACKNOWLEDGE);


    TopicPublisher publisher = session.createPublisher(topic);

    TextMessage message = session.createTextMessage(text);


    System.out.println("Sending " + text + " to " +
    environment.get(Context.PROVIDER_URL));

    publisher.publish(message);


    System.out.println("Message " + text + " sent to " +
    environment.get(Context.PROVIDER_URL));


    ctx.close();
    }
    catch (JMSException jmsex) {
    jmsex.printStackTrace();
    }
    catch (NamingException nex) {
    nex.printStackTrace();
    }
    catch (SecurityException scex) {
    scex.printStackTrace();
    }
    }

    }
    Please note I missed out try/catch blocks etc in the last post, I have not tried compiling the code posted here, they are just pointers!

    good Luck

  6. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    Hi Hoose,

    Thanks again for taking you time to reply.

    As you probably realized, the code I posted is overly simplified, with the sole purpose of reproducing the problem.

    In the real code (where I first encountered the problem), I create the InitialContext only once and I cache the connection factory, topic etc using an adaptation of service locator pattern.
    Initially I thought that maybe the problem lies somewhere inside the caching layer and is caused by some synchronization issues between threads and that's why I came up with this simple test classes.

    I also tried some suggestions I found on other related topics: using weblogic.jndi.Environment to get the InitialContext instead of using 'new InitialContext(environment)' and embedding the run() method of the thread into
    Security.runAs(subject, new PrivilegedAction() {
    public Object run() {
    ....
    }
    }
    where the subject was created using JAAS API and it has the right credentials.

    My guess is that somehow (in Weblogic's implementation) the context is not associated with the object that created it but with something else (maybe the class??).

    Regards,
    Mirel Rata

  7. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    In case someone's interested, the problem was caused by the fact that all the Weblogic servers I sent messages to had the same name.
    Looks like the InitialContext is associated with the server name and when you create a subsequential InitialContext for another server (residing on a different machine) the previous InitialContext gets overwritten.

    Cheers,
    Mirel Rata

  8. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    Thanks for posting the solution. It is good to learn of yet another side-effect of duplicating WL resource names.

    Please keep in mind that for a variety of other reasons, environments with WL servers that directly or indirectly communicate or that have clients that contact multiple WL servers MUST:

    ensure all domains are named uniquely
    ensure all WL servers are named uniquely
    ensure all JMS servers are named uniquely
    ensure all JMS stores are named uniquely

    The latter three requirements apply even if the resources are in different domains. (In the next release, 9.0, the plan is to simplify requirements so that only the first continues to be required.)

    Tom

  9. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    I still get this error even though the domain, server, and jms names are unique.

  10. Re: java.lang.SecurityException: [Security:090398]Invalid Subject ...

    Do you also have example code that reproduces the problem?

+ Reply to Thread