Tuesday, December 13, 2016

OIM API: java.lang.SecurityException: [Security:090398]Invalid Subject: principals

Today I came across a very strange issue with OIM client code: code that searches users with a service account worked fine as a standalone program, but when the same code was deployed in a Single Sign-On (SSO) enabled Fusion application (e.g. WebCenter, ESS) protected by OAM, it failed with the error below.

Environment:-
  • OIM 11.1.2.3
  • RHEL 6
Error:-

Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at oracle.iam.platform.OIMClient.getServiceDelegate(OIMClient.java:274)
... 32 more
Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[testuser1, testrole1, testrole2]
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
at weblogic.jndi.internal.ServerNamingNode_1036_WLStub.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:424)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:412)
at javax.naming.InitialContext.lookup(InitialContext.java:411)
at org.springframework.jndi.JndiTemplate$1.doInContext(JndiTemplate.java:155)
at org.springframework.jndi.JndiTemplate.execute(JndiTemplate.java:88)
at org.springframework.jndi.JndiTemplate.lookup(JndiTemplate.java:153)
at org.springframework.jndi.JndiTemplate.lookup(JndiTemplate.java:178)
at oracle.iam.selfservice.self.selfmgmt.api.AuthenticatedSelfServiceDelegate.<init>(Unknown Source)
... 37 more
Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[testuser1, testrole1, testrole2]
at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:848)
at weblogic.security.service.SecurityServiceManager.getSealedSubjectFromWire(SecurityServiceManager.java:522)
at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:356)
at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:953)
at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:351)
at weblogic.rmi.cluster.ClusterableServerRef.dispatch(ClusterableServerRef.java:242)
at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:1173)
at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:1055)
at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:240)
at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:888)
at weblogic.rjvm.MsgAbbrevJVMConnection.dispatch(MsgAbbrevJVMConnection.java:512)
at weblogic.rjvm.t3.MuxableSocketT3.dispatch(MuxableSocketT3.java:330)
at weblogic.socket.BaseAbstractMuxableSocket.dispatch(BaseAbstractMuxableSocket.java:394)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:960)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:897)
at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:130)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)


Solution:-

The stack trace shows the OIM server rejecting the Subject it received over the T3 connection (principals=[testuser1, testrole1, testrole2]): inside the SSO-enabled application the logged-in user's Subject is propagated with the JNDI lookup instead of the service account's identity. The fix is to put the service account's credentials into the JNDI environment (the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS entries below) so that the lookup authenticates as the service account regardless of which SSO user is on the calling thread. The code below, with those entries, resolves the issue.

// userName and password are the credentials of the OIM service account
// (requires java.util.Hashtable, javax.naming.Context and oracle.iam.platform.OIMClient)
Hashtable<String, String> oimEnv = new Hashtable<String, String>();
oimEnv.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
oimEnv.put(OIMClient.JAVA_NAMING_PROVIDER_URL, Url);   // Url = OIM t3 URL, e.g. t3://<oim-host>:14000
// These two entries make the JNDI lookup authenticate as the service account
// instead of forwarding the SSO user's Subject to the OIM server
oimEnv.put(Context.SECURITY_PRINCIPAL, userName);
oimEnv.put(Context.SECURITY_CREDENTIALS, password);
OIMClient oimClient = new OIMClient(oimEnv);
oimClient.login(userName, password.toCharArray());
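To show the fix in the shape it would actually take inside a deployed application, here is a complete class that builds the JNDI environment with the service account's credentials, logs in, runs a user search through UserManager and logs out again. This is an added example, not the original post's code; it assumes the OIM 11g R2 client API on the classpath, a placeholder t3 URL (t3://<oim-host>:14000), and that the class name ServiceAccountUserLookup and the constructor parameters are hypothetical names chosen for this illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;
import javax.naming.Context;
import javax.security.auth.login.LoginException;
import oracle.iam.identity.exception.UserSearchException;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.authz.exception.AccessDeniedException;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;

/**
 * Searches OIM users with an explicitly authenticated service account.
 * Added example (hypothetical class name), not code from the original post.
 */
public class ServiceAccountUserLookup {

    private final String providerUrl;       // e.g. t3://<oim-host>:14000 (placeholder)
    private final String serviceUser;
    private final char[] servicePassword;

    // In a deployed application, obtain these from the credential store (CSF)
    // rather than hard-coding them; they are constructor parameters here only
    // to keep the example self-contained.
    public ServiceAccountUserLookup(String providerUrl, String serviceUser, char[] servicePassword) {
        this.providerUrl = providerUrl;
        this.serviceUser = serviceUser;
        this.servicePassword = servicePassword;
    }

    /**
     * Builds the JNDI environment. The SECURITY_PRINCIPAL / SECURITY_CREDENTIALS
     * entries are the point of the fix: the lookup authenticates as the service
     * account instead of forwarding whatever Subject is on the calling thread
     * (under SSO that is the end user, which the OIM server rejects).
     */
    Hashtable<String, String> buildEnv() {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_PRINCIPAL, serviceUser);
        env.put(Context.SECURITY_CREDENTIALS, new String(servicePassword));
        return env;
    }

    /** Returns the OIM users whose "User Login" attribute equals the given value. */
    public List<User> findByLogin(String login)
            throws LoginException, UserSearchException, AccessDeniedException {
        OIMClient client = new OIMClient(buildEnv());
        client.login(serviceUser, servicePassword);
        try {
            UserManager userManager = client.getService(UserManager.class);
            SearchCriteria criteria = new SearchCriteria(
                    UserManagerConstants.AttributeName.USER_LOGIN.getId(),
                    login, SearchCriteria.Operator.EQUAL);
            // Ask only for the attributes the caller needs; least data returned.
            Set<String> returnAttrs = new HashSet<String>();
            returnAttrs.add(UserManagerConstants.AttributeName.USER_LOGIN.getId());
            returnAttrs.add(UserManagerConstants.AttributeName.DISPLAYNAME.getId());
            return userManager.search(criteria, returnAttrs, new HashMap<String, Object>());
        } finally {
            // Always release the session, even when the search throws.
            client.logout();
        }
    }
}
```

Because the service account's identity is fixed in the environment, the same call behaves identically whether it runs standalone or inside the SSO-protected application; the end user's Subject never reaches the OIM server. Keep the service account's OIM permissions limited to the search it performs, since every request through this path is authorised as that account rather than as the logged-in user.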




Thanks for visiting.