Document 1488602.1 https://mosemp.us.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl...

Copyright (c) 2022, Oracle. All rights reserved. Oracle Confidential.

SecurityException: [Security:090398] Invalid Subject: principals=[{weblogic,system}]


(Doc ID 1488602.1)

In this Document

Symptoms
Changes
Cause
Solution
References

Created from SR 3-4868184641[This section is not visible to customers.]

APPLIES TO:

Oracle WebLogic Server - Version 10.3 and later


Information in this document applies to any platform.

SYMPTOMS

The WebLogic Server log shows a SecurityException for an invalid Subject, identified in the logs by [Security:090398]Invalid Subject:
principals=[{weblogic,system}]
The exception in the WebLogic log file will be similar to the following:

java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[{weblogic,system}]


at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:835)
at weblogic.security.service.IdentityUtility.authenticatedSubjectToIdentity(IdentityUtility.java:30)
at weblogic.security.service.RoleManager.getRoles(RoleManager.java:183)
at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:375)
at weblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.java:442)
at weblogic.jndi.internal.ServerNamingNode.checkLookup(ServerNamingNode.java:423)
at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:180)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:206)
at weblogic.jndi.internal.WLEventContextImpl.lookup(WLEventContextImpl.java:254)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:394)
at javax.naming.InitialContext.lookup(InitialContext.java:392)

CHANGES

The Initial Context was closed before the code on the Object Reference was executed.

CAUSE

This error occurs when you try to perform an operation on a JNDI Resource for which you don't have the right permissions, or for which you
haven't provided the security credentials.

When you create a JNDI context, the security scope is valid for the lifetime of the context. It is terminated when you invoke the close()
method on the Context object.
The security context is actually associated with the thread running the code. This has important implications: establishing a new context
replaces any previous security context associated with the thread, and closing the context removes the security context associated with
the thread. Thus, you should not try to establish a nested context using differing security principals.

In that case, all code will run using the most recently created context. If you close the Initial Context, all code in the same thread loses the
most recently created context and then needs to supply values for SECURITY_PRINCIPAL and SECURITY_CREDENTIALS itself for
authentication.

So, if you are reading this note, you have already specified the credentials when you created the Initial Context but you are still seeing the
exception above. Let's try to understand what might have happened.

Usually you do the following:

1. You create the initial Context

2. You Use the Context to Look Up a Named Object

3. You Use the Named Object to Get an Object Reference

4. You Close the Context

The security context stays associated with the thread running the code until you close the Context. If you close the Context before you
use/call the Object Reference/JNDI Resource (for example, before you get a connection from a datasource), you must pass the security
credentials again, since the security context was removed from the thread when you closed the Context.

So, if you are seeing this error and don't understand why, since you provided the security credentials when you created the Initial
Context, you are probably closing the Initial Context before the JNDI/JMX transaction completes and not making sure the Object Reference
has the right permissions to execute.

SOLUTION

There are two solutions to this issue:

1. Supply values for the SECURITY_PRINCIPAL and SECURITY_CREDENTIALS environment properties when creating an initial context,
and DO NOT close() the context until the Object Reference you got from the JNDI tree completes the transaction.
2. If you need to close the InitialContext before using the Object Reference/JNDI Resource, you will have to supply values for
SECURITY_PRINCIPAL and SECURITY_CREDENTIALS on the JNDI Resource again, since it won't be able to get them from the thread
context because the InitialContext was closed.

Example code:

import java.sql.Connection;
import java.sql.SQLException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.sql.DataSource;

public Connection getJNDIDBConnection() throws SQLException {
    Connection newConn = null;
    InitialContext ic = null;
    try {
        // "<jmx_user>" and "<jmx_password>" are placeholders for your own credentials.
        Hashtable<String, Object> ht = new Hashtable<>();
        ht.put(Context.SECURITY_PRINCIPAL, "<jmx_user>");
        ht.put(Context.SECURITY_CREDENTIALS, "<jmx_password>");

        ic = new InitialContext(ht);
        DataSource dataSource = (DataSource) ic.lookup("jdbc/MyDS"); // Got the Datasource Object Reference

        ic.close(); // Close the Initial Context, so the thread security context is lost

        // In this example the following call fails with
        // java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[{weblogic,system}].
        // If you don't close ic, it should not fail with SecurityException.
        // (Shown commented out so that the call below is reached.)
        // newConn = dataSource.getConnection();

        // You need to pass credentials because you closed the context. This works in this example.
        newConn = dataSource.getConnection("<jmx_user>", "<jmx_password>");
    } catch (Exception ex) {
        ex.printStackTrace();
    }
    return newConn;
}
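
Solution 1 as an added example (not part of the original Oracle note): the context stays open while the connection is used and is closed in a finally block only after the work completes. The class, interface and method names are hypothetical, and it assumes, as the note's own example does, that the default InitialContext resolves to the WebLogic JNDI tree.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

// Hypothetical helper, added for illustration only.
public class JndiScopedWork {

    // Caller-supplied work that runs while the security context is still on the thread.
    public interface ConnectionWork<T> {
        T run(Connection conn) throws SQLException;
    }

    public static <T> T withDataSource(String user, String password, String jndiName,
                                       ConnectionWork<T> work)
            throws NamingException, SQLException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);

        // Creating the context associates the security context with this thread.
        InitialContext ic = new InitialContext(env);
        try {
            DataSource ds = (DataSource) ic.lookup(jndiName);
            // The context is still open here, so getConnection() needs no credentials.
            try (Connection conn = ds.getConnection()) {
                return work.run(conn);
            }
        } finally {
            // Closing removes the security context from the thread, so do it last.
            ic.close();
        }
    }
}
```

A caller passes the JNDI name and the work to run, for example withDataSource(user, password, "jdbc/MyDS", conn -> conn.isValid(5)). Keeping the create/use/close sequence in one method also avoids nesting contexts with different principals on the same thread.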

If this solution does not apply to you, please visit Note 1450989.1 - JMX is Unable to update A User Stored On RDBMS Security Provider.

REFERENCES

NOTE:1450989.1 - JMX is Unable to update A User Stored On RDBMS Security Provider


Document Attributes
Author: JLOYOLA.CL; Status: PUBLISHED(EXTERNAL)
Owner: NIMYNENI.US Publisher: LGOLDSZT.US
Alias: Content Type: TEXT/X-HTML
Distribution: EXTERNAL Visibility: EXTERNAL
Created By: JLOYOLA.CL Created: Sep 4, 2012
Modified By: JHEKIMIA.US Modified: Sep 13, 2021
Reviewed By: ROAROKIA.IN Reviewed: Jan 20, 2022
Source: AWIZ 3-4868184641 Exception: No
Priority: 3
