A Security Exception When Deploying Composites

As part of best practices, a deployer responsible for deploying composites should not need to have the roles a privileges of an administrator; instead, they should be limited to deploying composites.

Selecting the proper roles and privileges to grant deployment rights to this user is slightly confusing and involves changes to the user’s Oracle WebLogic Server enterprise role, as well as their Oracle SOA Suite application role. The following security exception will occur if and when the account used for deployments through JDeveloper lacks the appropriate roles and privileges to complete a deployment:

“Error finding SOA configured servers to deploy archive.
Deployment cannot continue.
Java.lang.SecurityException: MBean attribute access denied.
     MBean: EMDomain:Name=soa-infra,
EMTargetType=oracle_soainfra,type=EMIntegration,
Application=soa-infra
     Getter for attribute Server
     Detail: Access denied. Required roles: Admin, Operator, Monitor, Deployer, executing subject:   principals[testuser]”

Middleware 4272017

This error occurs because there is no default mapping of roles between Oracle WebLogic Server groups or users and Oracle Enterprise Manager Fusion Middleware Control.

Both the Oracle WebLogic Server enterprise role (for example, Oracle WebLogic Server Monitor) and the Oracle SOA Suite application role (for example, SOAMonitor) are required to use Oracle Enterprise Manager Fusion Middleware Control. If you have only one of these roles, Oracle Enterprise Manager Fusion Middleware Control does not work properly.

Solution:

The fix is simple and requires assigning the required role in WebLogic Security Realm:

  1. Login to WebLogic console as WebLogic or as any user with administrative privileges.
  2. Click on “Security Realm” and select “myrealm”.
  3. Select “Users and Groups” tab.
  4. Select the user which requires access and navigate to “Groups” tab.
  5. Assign the user to “Operators” group.

Assigning the required role in Enterprise Manager:

  1. Login to WebLogic console as WebLogic or as any user with administrative privileges.
  2. Right click on soa-infra and select “Security” -> “Application Roles
  3. Add the same user to “SOAOperator” role.
  4. Navigate to Application Policies (Right click on soa-infra -> “Security” -> “Application Policies”) and assign “oracle.fabric.permission.CompositePermission” to “SOAOperator” role.

The user will now have necessary privileges for deploying composites through Jdeveloper.

Tagged with: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

*