XMLAccess fails with EJPXB0015E / SECJ0129E
You run XMLAccess and it fails with:
EJPXB0015E: Server response indicates an error.
The SystemOut.log contains:
WebCollaborat A SECJ0129E: Authorization failed for user wpsadmin:yourrealm while invoking POST on default_host:/wps/config/, Authorization failed, Not granted any of the required roles: All Role
Realms in the security.xml and wimconfig.xml files do not match.
Diagnosing the problem
First, rule out an actual role mapping problem as the root cause of SECJ0129E. Log in to the WebSphere Application Server (WAS) Integrated Solutions Console (ISC) and:
- Navigate to Applications > Enterprise Applications
- Locate the "wps" application and click on it
- Click "Security role to user/group mapping"
- Ensure that the following special subjects are mapped:
  - Everyone role: Everyone
  - All role: All Authenticated
Enable the following tracing:
Then recreate the problem. Inspect the traces and see if they contain messages like:
... WSCredentialI > getRealmName Entry
... WSCredentialI < getRealmName Exit
... WSAccessManag 3 checking authorization for a foreign user in realm: yourrealm: this realm is: defaultWIMFileBasedRealm
... WSAccessManag > isGrantedAnyRole Entry
Authorization Table contains [ 3 ] role assignments
Role Assignment [ ...
Role Name [ All Role ] ...
Role Assignment contains [ 1 ] special subjects
Subject [ ...
Name [ AllAuthenticatedUsers ]
Access ID [ AllAuthenticatedUsers ]
... WebCollaborat 3 checkAuthorization() failed, here is the message in the exception: Authorization failed, Not granted any of the required roles: All Role
... WebCollaborat A SECJ0129E: Authorization failed for user wpsadmin:yourrealm while invoking POST on default_host:/wps/config/, Authorization failed, Not granted any of the required roles: All Role
Confirm that this is a federated repository configuration. Compare the realm defined in security.xml with the default realm in wimconfig.xml.
<userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" ... realm="defaultWIMFileBasedRealm" ...
<config:realms delimiter="@" name="yourrealm" securityUse="active"> ...
If these do not match, implement the following solution.
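The comparison above can be scripted so it is repeatable across profiles. The following Python is an added example, not part of the original technote; the sample XML and its namespace URIs are constructed, and elements are matched by local name. It assumes that a defaultRealm attribute on config:realmConfiguration (not shown on this page) names the default realm when present, and otherwise uses the first config:realms name.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (namespace URIs are placeholders, not the real ones).
SECURITY_XML = """<security:Security xmlns:xmi="urn:example:xmi" xmlns:security="urn:example:sec">
  <userRegistries xmi:type="security:LocalOSUserRegistry" xmi:id="LocalOSUserRegistry" realm="host1"/>
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" realm="defaultWIMFileBasedRealm"/>
</security:Security>"""
WIMCONFIG_XML = """<config:configurationProvider xmlns:config="urn:example:wim">
  <config:realmConfiguration>
    <config:realms delimiter="@" name="yourrealm" securityUse="active"/>
  </config:realmConfiguration>
</config:configurationProvider>"""

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tags and attributes."""
    return name.rsplit("}", 1)[-1]

def security_realm(xml_text):
    """Realm of the WIMUserRegistry entry in security.xml, or None if absent."""
    for el in ET.fromstring(xml_text).iter():
        attrs = {local(k): v for k, v in el.attrib.items()}
        if local(el.tag) == "userRegistries" and attrs.get("type") == "security:WIMUserRegistry":
            return attrs.get("realm")
    return None

def wim_default_realm(xml_text):
    """Default realm in wimconfig.xml, or None if no realm is defined."""
    names = []
    for el in ET.fromstring(xml_text).iter():
        # Assumption: defaultRealm on realmConfiguration wins when it is set.
        if local(el.tag) == "realmConfiguration" and el.get("defaultRealm"):
            return el.get("defaultRealm")
        if local(el.tag) == "realms" and el.get("name"):
            names.append(el.get("name"))
    return names[0] if names else None

def realms_match(security_xml, wimconfig_xml):
    """Return (match, security.xml realm, wimconfig.xml default realm)."""
    sec, wim = security_realm(security_xml), wim_default_realm(wimconfig_xml)
    return (sec is not None and sec == wim, sec, wim)

if __name__ == "__main__":
    ok, sec, wim = realms_match(SECURITY_XML, WIMCONFIG_XML)
    print("security.xml realm :", sec)
    print("wimconfig.xml realm:", wim)
    print("OK" if ok else "MISMATCH: foreign-realm authorization failures (SECJ0129E) are expected")
```

To check a real profile, read each file in binary mode and pass the contents to realms_match in place of the constructed samples.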
Resolving the problem
Back up security.xml and edit it to make the realm of WIMUserRegistry_1 match the default realm from wimconfig.xml. From the examples above, the result would be:
<userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" ... realm="yourrealm" ...
If clustered, synchronize. Then restart the server(s) to pick up this configuration change.
Software version: 6.1, 7.0, 8.0
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Reference #: 1628214
Modified date: 2014-11-12