<security-role-assignment> error message on WLS 8.1 with CompatibilitySecurity - Weblogic

This is a discussion on <security-role-assignment> error message on WLS 8.1 with CompatibilitySecurity - Weblogic ; I have migrated a WLS 6.1 custom security realm to WLS 8.1 configured with compatibility security. This seems to work OK as theWLS 8.1 admin console includes a 'Compatibility Security' node in the left pane tree explorer. This seems to ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: <security-role-assignment> error message on WLS 8.1 with CompatibilitySecurity

  1. <security-role-assignment> error message on WLS 8.1 with CompatibilitySecurity



    I have migrated a WLS 6.1 custom security realm to WLS 8.1 configured with compatibility
    security. This seems to work OK as theWLS 8.1 admin console includes a 'Compatibility
    Security' node in the left pane tree explorer. This seems to be configured correctly,
    as when I click on 'Compatibility Security'-->Users or 'Compatibility Security'-->Groups
    all my Users (approx 300) and all my Groups (5) from the WLS 6.1 CustomRealm
    are displayed in the admin console's right pane.

    My problem is related to an error message that appears when I attempt to deploy
    a web app that works correctly in WLS 6.1 to my new WLS 8.1 instance. In the
    web app's weblogic.xml I have the following entries:


    read_only_user_role
    read-only-users


    trader_role
    traders



    mapping my CustomRealm GROUPs (read-only-users and traders) to the "read_only_user_role"
    and "trader_role" security roles. In the web app's web.xml descriptor I then
    use the j2ee tag to restrict authorized access to specific
    web app url patterns to only those that have been authenticated as executing in
    role="trader_role" (and other web app url patterns to only those that have been
    authenticated as execuitng in role="read_only_user_role").

    In WLS 8.1, at the time I deploy this web app, I get the following message in
    the boot stdout log file:


    references an invalid security-role: read_only_user_role.>
    references an invalid security-role: trader_role.>

    This message did not appear for this web app deployed to WLS 6.1, it only appears
    on WLS 8.1 with CompatibiltySecurity configured to reference my 6.1 CustomRealm.

    Does anyone know how I can eliminate this warning message when I deploy this web
    app to WLS 8.1 with CompatibilitySecurity turned on?

    I notice that WLS 8.1 weblogic.xml DTD includes a new sub-element, ,
    for ... but I have seen no documented examples of how
    this new tag should be used.

    Any help appreciated.

    Thanks,
    Ben


  2. Re: <security-role-assignment> error message on WLS 8.1 with CompatibilitySecurity

    Hmm...

    Does the web.xml have the appropriate role uses and role definitions?

    You might try reposting on weblogic.developer.interest.servlet.

    - Neil


    wrote in message
    news:3fff2e1e$1@newsgroups.bea.com...
    >
    >
    > I have migrated a WLS 6.1 custom security realm to WLS 8.1 configured with

    compatibility
    > security. This seems to work OK as theWLS 8.1 admin console includes a

    'Compatibility
    > Security' node in the left pane tree explorer. This seems to be

    configured correctly,
    > as when I click on 'Compatibility Security'-->Users or 'Compatibility

    Security'-->Groups
    > all my Users (approx 300) and all my Groups (5) from the WLS 6.1

    CustomRealm
    > are displayed in the admin console's right pane.
    >
    > My problem is related to an error message that appears when I attempt to

    deploy
    > a web app that works correctly in WLS 6.1 to my new WLS 8.1 instance. In

    the
    > web app's weblogic.xml I have the following

    entries:
    >
    >
    > read_only_user_role
    > read-only-users
    >

    >
    > trader_role
    > traders
    >

    >
    >
    > mapping my CustomRealm GROUPs (read-only-users and traders) to the

    "read_only_user_role"
    > and "trader_role" security roles. In the web app's web.xml descriptor I

    then
    > use the j2ee tag to restrict authorized access to

    specific
    > web app url patterns to only those that have been authenticated as

    executing in
    > role="trader_role" (and other web app url patterns to only those that have

    been
    > authenticated as execuitng in role="read_only_user_role").
    >
    > In WLS 8.1, at the time I deploy this web app, I get the following message

    in
    > the boot stdout log file:
    >
    >
    >
    security-role-assignment
    > references an invalid security-role: read_only_user_role.>
    >
    security-role-assignment
    > references an invalid security-role: trader_role.>
    >
    > This message did not appear for this web app deployed to WLS 6.1, it only

    appears
    > on WLS 8.1 with CompatibiltySecurity configured to reference my 6.1

    CustomRealm.
    >
    > Does anyone know how I can eliminate this warning message when I deploy

    this web
    > app to WLS 8.1 with CompatibilitySecurity turned on?
    >
    > I notice that WLS 8.1 weblogic.xml DTD includes a new sub-element,

    ,
    > for ... but I have seen no documented examples

    of how
    > this new tag should be used.
    >
    > Any help appreciated.
    >
    > Thanks,
    > Ben
    >




  3. Re: <security-role-assignment> error message on WLS 8.1 with CompatibilitySecurity


    Thanks for responding, Neil.

    Here is the relevant web.xml entry:

    ....


    everything
    /*


    read_only_user_role



    BASIC


    read_only_user_role

    ....

    This web.xml entry works fine in WLS 6.1 deployments, restricting access to all
    my servlet url to only those that have been authenticated as executing in the
    "read_only_user_role" role. I am not sure I know exactly what you meant in your
    question "Does the web.xml have the appropriate role uses and role definitions?"
    ... are there explicit web.xml tags that I am not using, but that are required
    to achieve this security-constraint deployment to WLS 8.1?

    I will also post to the HTTP servlet group, as you recommend.

    Thanks,
    Ben

    "Neil" wrote:
    >Hmm...
    >
    >Does the web.xml have the appropriate role uses and role definitions?
    >
    >You might try reposting on weblogic.developer.interest.servlet.
    >
    >- Neil
    >
    >
    > wrote in message
    >news:3fff2e1e$1@newsgroups.bea.com...
    >>
    >>
    >> I have migrated a WLS 6.1 custom security realm to WLS 8.1 configured

    >with
    >compatibility
    >> security. This seems to work OK as theWLS 8.1 admin console includes

    >a
    >'Compatibility
    >> Security' node in the left pane tree explorer. This seems to be

    >configured correctly,
    >> as when I click on 'Compatibility Security'-->Users or 'Compatibility

    >Security'-->Groups
    >> all my Users (approx 300) and all my Groups (5) from the WLS 6.1

    >CustomRealm
    >> are displayed in the admin console's right pane.
    >>
    >> My problem is related to an error message that appears when I attempt

    >to
    >deploy
    >> a web app that works correctly in WLS 6.1 to my new WLS 8.1 instance.

    > In
    >the
    >> web app's weblogic.xml I have the following

    >entries:
    >>
    >>
    >> read_only_user_role
    >> read-only-users
    >>

    >>
    >> trader_role
    >> traders
    >>

    >>
    >>
    >> mapping my CustomRealm GROUPs (read-only-users and traders) to the

    >"read_only_user_role"
    >> and "trader_role" security roles. In the web app's web.xml descriptor

    >I
    >then
    >> use the j2ee tag to restrict authorized access

    >to
    >specific
    >> web app url patterns to only those that have been authenticated as

    >executing in
    >> role="trader_role" (and other web app url patterns to only those that

    >have
    >been
    >> authenticated as execuitng in role="read_only_user_role").
    >>
    >> In WLS 8.1, at the time I deploy this web app, I get the following

    >message
    >in
    >> the boot stdout log file:
    >>
    >>
    >>
    >security-role-assignment
    >> references an invalid security-role: read_only_user_role.>
    >>
    >security-role-assignment
    >> references an invalid security-role: trader_role.>
    >>
    >> This message did not appear for this web app deployed to WLS 6.1, it

    >only
    >appears
    >> on WLS 8.1 with CompatibiltySecurity configured to reference my 6.1

    >CustomRealm.
    >>
    >> Does anyone know how I can eliminate this warning message when I deploy

    >this web
    >> app to WLS 8.1 with CompatibilitySecurity turned on?
    >>
    >> I notice that WLS 8.1 weblogic.xml DTD includes a new sub-element,

    >,
    >> for ... but I have seen no documented examples

    >of how
    >> this new tag should be used.
    >>
    >> Any help appreciated.
    >>
    >> Thanks,
    >> Ben
    >>

    >
    >



  4. Re: <security-role-assignment> error message on WLS 8.1 with CompatibilitySecurity

    I meant did you have the appropriate security-role tags. You have at least
    one of them so I can't understand what the problem is. I can come up with
    three hypothesis: 1) Our semantic checking got tighter from 6.x to 8.x and
    you had a close-but-not-quite-legal config in 6.x that is now being
    correctly discarded in 8.x, (2) we have a bug, (3) none of the above.
    Unfortunately, I don't know how to help you further.

    I would try weblogic.developer.interest.servlet or contact BEA customer
    support.

    - Neil


    wrote in message
    news:4002bc25$1@newsgroups.bea.com...
    >
    > Thanks for responding, Neil.
    >
    > Here is the relevant web.xml entry:
    >
    > ...
    >
    >
    > everything
    > /*
    >

    >
    > read_only_user_role
    >

    >

    >
    > BASIC
    >

    >
    > read_only_user_role
    >

    > ...
    >
    > This web.xml entry works fine in WLS 6.1 deployments, restricting access

    to all
    > my servlet url to only those that have been authenticated as executing in

    the
    > "read_only_user_role" role. I am not sure I know exactly what you meant

    in your
    > question "Does the web.xml have the appropriate role uses and role

    definitions?"
    > .. are there explicit web.xml tags that I am not using, but that are

    required
    > to achieve this security-constraint deployment to WLS 8.1?
    >
    > I will also post to the HTTP servlet group, as you recommend.
    >
    > Thanks,
    > Ben
    >
    > "Neil" wrote:
    > >Hmm...
    > >
    > >Does the web.xml have the appropriate role uses and role definitions?
    > >
    > >You might try reposting on weblogic.developer.interest.servlet.
    > >
    > >- Neil
    > >
    > >
    > > wrote in message
    > >news:3fff2e1e$1@newsgroups.bea.com...
    > >>
    > >>
    > >> I have migrated a WLS 6.1 custom security realm to WLS 8.1 configured

    > >with
    > >compatibility
    > >> security. This seems to work OK as theWLS 8.1 admin console includes

    > >a
    > >'Compatibility
    > >> Security' node in the left pane tree explorer. This seems to be

    > >configured correctly,
    > >> as when I click on 'Compatibility Security'-->Users or 'Compatibility

    > >Security'-->Groups
    > >> all my Users (approx 300) and all my Groups (5) from the WLS 6.1

    > >CustomRealm
    > >> are displayed in the admin console's right pane.
    > >>
    > >> My problem is related to an error message that appears when I attempt

    > >to
    > >deploy
    > >> a web app that works correctly in WLS 6.1 to my new WLS 8.1 instance.

    > > In
    > >the
    > >> web app's weblogic.xml I have the following

    > >entries:
    > >>
    > >>
    > >> read_only_user_role
    > >> read-only-users
    > >>

    > >>
    > >> trader_role
    > >> traders
    > >>

    > >>
    > >>
    > >> mapping my CustomRealm GROUPs (read-only-users and traders) to the

    > >"read_only_user_role"
    > >> and "trader_role" security roles. In the web app's web.xml descriptor

    > >I
    > >then
    > >> use the j2ee tag to restrict authorized access

    > >to
    > >specific
    > >> web app url patterns to only those that have been authenticated as

    > >executing in
    > >> role="trader_role" (and other web app url patterns to only those that

    > >have
    > >been
    > >> authenticated as execuitng in role="read_only_user_role").
    > >>
    > >> In WLS 8.1, at the time I deploy this web app, I get the following

    > >message
    > >in
    > >> the boot stdout log file:
    > >>
    > >>
    > >>
    > >security-role-assignment
    > >> references an invalid security-role: read_only_user_role.>
    > >>
    > >security-role-assignment
    > >> references an invalid security-role: trader_role.>
    > >>
    > >> This message did not appear for this web app deployed to WLS 6.1, it

    > >only
    > >appears
    > >> on WLS 8.1 with CompatibiltySecurity configured to reference my 6.1

    > >CustomRealm.
    > >>
    > >> Does anyone know how I can eliminate this warning message when I deploy

    > >this web
    > >> app to WLS 8.1 with CompatibilitySecurity turned on?
    > >>
    > >> I notice that WLS 8.1 weblogic.xml DTD includes a new sub-element,

    > >,
    > >> for ... but I have seen no documented

    examples
    > >of how
    > >> this new tag should be used.
    > >>
    > >> Any help appreciated.
    > >>
    > >> Thanks,
    > >> Ben
    > >>

    > >
    > >

    >




  5. Re: <security-role-assignment> error message on WLS 8.1 with CompatibilityS

    Hi,
    I am also seeing the same problem. Can you please let me know how did you resolve this issue.

    Thanks,
    Sandeep