XMLAccess fails with EJPXB0015E / SECJ0129E

Technote (troubleshooting)


Problem

You run XMLAccess and it fails with:

EJPXB0015E: Server response indicates an error.

The SystemOut.log contains:

WebCollaborat A   SECJ0129E: Authorization failed for user wpsadmin:yourrealm while invoking POST on default_host:/wps/config/, Authorization failed, Not granted any of the required roles: All Role



Cause

The realm defined for the WIMUserRegistry in security.xml does not match the default realm defined in wimconfig.xml.

Diagnosing the problem

First, rule out an actual role mapping problem as the root cause of SECJ0129E. Log in to the WebSphere Application Server (WAS) Integrated Solutions Console (ISC) and:

  • Navigate to Applications > Enterprise Applications
  • Locate the "wps" application and click on it
  • Click "Security role to user/group mapping"
  • Ensure that the following special subjects are mapped:
    • Everyone role : Everyone
    • All role : All Authenticated

Enable the following tracing:

com.ibm.wps.command.xml.*=all:com.ibm.ws.security.*=all

Then recreate the problem. Inspect the traces and see if they contain messages like:

... WSCredentialI >  getRealmName Entry
... WSCredentialI <  getRealmName Exit
                                 yourrealm
... WSAccessManag 3   checking authorization for a foreign user in realm: yourrealm: this realm is: defaultWIMFileBasedRealm
... WSAccessManag >  isGrantedAnyRole Entry
...
  Authorization Table contains [ 3 ] role assignments
...
    Role Assignment   [ ...
        Role Name     [ All Role ] ...
        Role Assignment contains [ 1 ] special subjects
          Subject     [ ...
            Name      [ AllAuthenticatedUsers ]
            Access ID [ AllAuthenticatedUsers ]
...
... WebCollaborat 3   checkAuthorization() failed, here is the message in the exception: Authorization failed, Not granted any of the required roles: All Role
... WebCollaborat A   SECJ0129E: Authorization failed for user wpsadmin:yourrealm while invoking POST on default_host:/wps/config/, Authorization failed, Not granted any of the required roles: All Role


Confirm that this is a federated repository configuration. Compare the realm defined in security.xml with the default realm in wimconfig.xml.

<profile>/config/cells/<cell name>/security.xml:

<userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" ... realm="defaultWIMFileBasedRealm" ...


<profile>/config/cells/<cell name>/wim/config/wimconfig.xml:

   <config:realmConfiguration defaultRealm="yourrealm">
      <config:realms delimiter="@" name="yourrealm" securityUse="active"> ...
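
The comparison above can be scripted. The following is an added example, not IBM-provided code: it reads the realm of WIMUserRegistry_1 from security.xml and defaultRealm from wimconfig.xml and reports whether they match. The function names and the embedded sample documents are assumptions made for the illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

def local(name):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]

def registry_realm(security_xml, registry_id="WIMUserRegistry_1"):
    """Return the realm attribute of the userRegistries entry with this xmi:id."""
    for el in ET.fromstring(security_xml).iter():
        attrs = {local(k): v for k, v in el.attrib.items()}
        if local(el.tag) == "userRegistries" and attrs.get("id") == registry_id:
            return attrs.get("realm")
    return None

def default_wim_realm(wimconfig_xml):
    """Return defaultRealm from the realmConfiguration element of wimconfig.xml."""
    for el in ET.fromstring(wimconfig_xml).iter():
        if local(el.tag) == "realmConfiguration":
            return el.get("defaultRealm")
    return None

def compare_realms(security_xml, wimconfig_xml):
    """Return (registry realm, WIM default realm, whether they match)."""
    reg, wim = registry_realm(security_xml), default_wim_realm(wimconfig_xml)
    return reg, wim, reg is not None and reg == wim

# Constructed, trimmed samples; the urn:example namespace URIs are placeholders.
SAMPLE_SECURITY = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="urn:example:security">
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1"
      realm="defaultWIMFileBasedRealm"/>
</security:Security>"""
SAMPLE_WIMCONFIG = """<config:configurationProvider xmlns:config="urn:example:wim">
  <config:realmConfiguration defaultRealm="yourrealm">
    <config:realms delimiter="@" name="yourrealm" securityUse="active"/>
  </config:realmConfiguration>
</config:configurationProvider>"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # arguments: path to security.xml, path to wimconfig.xml
        texts = [Path(p).read_bytes() for p in sys.argv[1:]]
    else:
        texts = [SAMPLE_SECURITY, SAMPLE_WIMCONFIG]
    reg, wim, ok = compare_realms(*texts)
    print(f"security.xml realm={reg!r} wimconfig.xml defaultRealm={wim!r} match={ok}")
```

Run without arguments it evaluates the embedded samples; pass the two file paths from the profile's cell configuration directory to check a real installation.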


If these do not match, apply the following solution.

Resolving the problem

Back up security.xml and edit it to make the realm of WIMUserRegistry_1 match the default realm from wimconfig.xml. From the examples above, the result would be:


<userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" ... realm="yourrealm" ...

In a clustered environment, synchronize the configuration. Then restart the server(s) to pick up this configuration change.


Related information

Determining if you have a federated repository



Document information


More support for:

WebSphere Portal

Software version:

6.1, 7.0, 8.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:

1628214

Modified date:

2013-04-01
