Thursday, March 15, 2012

UCM 11g and Quirks with Security Providers

This is a forum post that I put out on the Yahoo! user forum for Content Server. I had a couple of folks tell me it was worth blogging, so here it is.

The original question came from a user passing a SOAP request with seemingly the correct credentials, but the request failing to return any content other than content accessible to anonymous users. The poster noted that if they reordered their JPS user providers within WLS, the issue cleared up for some users but then appeared for other users. In other words, the order in which the providers appeared in WLS determined which users could see more than publicly available content.

So the response:

This is a known issue with the WebLogic JPS user provider code. The first
listed provider will have all user data returned (like roles and groups, along
with extended attributes like email address). Any subsequent provider will only
validate the user login, and will not return any extended data. Swapping the order
of the providers results in the new top listed provider correctly returning all
expected attributes (as you have noted).

OK, so what's the solution? There are several, all with certain pain involved.

1 - Invest in Oracle Virtual Directory (OVD). OVD can gather all of the roles,
groups, and extended attributes from disparate LDAP repositories like OID,
Active Directory, OpenLDAP, etc., and present the data to WLS in a single
provider. The pain here is additional cost, but this is the supposed "ultimate"

2 - If you are still reading this, the cost is a big pain point. If you are
running PS3 or later (and I would stress "later" here, because this fix in PS3
was not completely tested), you can emulate a similar OVD experience with a
relatively simple configuration change in Enterprise Manager
("virtualize=true"). Look here for the details. The pain here comes if your
domain contains a WebCenter self-registration process. I've seen the
self-register function fail with this setting in place. Your mileage may vary.
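As an added illustration (not part of the original post), this is the kind of identity-store fragment in jps-config.xml that the Enterprise Manager change ends up writing. Only the "virtualize" property name comes from the post; the serviceInstance name, the other property names and the file location ($DOMAIN_HOME/config/fmwconfig/jps-config.xml) are assumptions drawn from a typical FMW 11g domain, so compare against your own file.

```xml
<!-- Added example, not from the original post. Element and property names
     other than "virtualize" are assumptions based on a typical FMW 11g
     domain; check them against your own jps-config.xml. -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <!-- With the default (virtualize absent or "false"), only the first
       authenticator listed in WLS supplies roles, groups and attributes;
       later ones only validate the login, which is the symptom in the post. -->
  <property name="idstore.config.provider"
            value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS"
            value="oracle.security.idm.providers.stdldap.JNDIPool"/>
  <!-- Option 2 from the post: aggregate identity data across all configured
       authenticators, emulating OVD. Requires PS3 or later. -->
  <property name="virtualize" value="true"/>
</serviceInstance>
```

Back up the file before changing it, and after restarting the managed server verify the effect by logging in as a user from a provider that is not listed first and confirming that their roles and groups now appear in UCM's User Manager.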

3 - Still reading? The virtualize setting must be problematic.
-- Put the OID provider first, and create a new group called "Administrators"
in the OID role container that you defined in WLS.
-- Add any users that need admin access to this OID group. With the OID
provider listed first, it should "just work".

4 - Already have the "Administrators" group created, but can't add the users due to
company policy? That's why you're still reading...
There is one more "trick" here. The pain here -- "Is this approach supported?"
and "I don't know if other WebCenter applications (BAM, SOA, etc.) will still
complain about the mis-ordered provider." If this is a UCM-only domain, you may
be OK.

-- Log into UCM, and go into User Manager.
-- Change the weblogic user from "external" to "local", and give the weblogic
user the appropriate roles and accounts in the applet.
-- List OID first in the provider list. Log in as "weblogic" anyway.
Surprisingly, since you've already "authenticated" in WLS, the "authorization"
for weblogic will now come from UCM.

5 - Least favorite option - disable the JPS user provider in UCM, and create a
10g style LDAP provider to OID. I'm not sure if that is possible with OID, but
is achievable with AD. Again, your mileage may vary.


  1. Hi William,

    For virtualize=true, when configured for ECM instances with AD, users would see "No LDAP Connection available" error messages intermittently.

    For this there is a Bug raised with the Development team and a one-off patch (JPSUserProvider.class) which needs to be put on the server side.


    1. Thanks Srinath.

      At least there is some movement at the Content Server level. Make those guys roll that patch into the next release too!

      As mentioned, if the domain is solely a UCM domain, the patch should be the ticket. I just haven't seen enough of the entire WebCenter product in operation with the setting in place. I have seen the self-registration part for Spaces blow up with the virtualize setting in place, and I'm sure there will be other spots.

      It used to be so much easier... ;-)