Problem(Abstract)
Some administrative actions (like mapping administrative users or groups to security roles) might not get activated immediately and require a restart of the JVM.
For example, you want to map the group called "wasadmins" to the Administrator role:
AdminTask.mapGroupsToAdminRole('[-roleName administrator -accessids [group:defaultWIMFileBasedRealm/cn=wasadmins,cn=groups,dc=mycompany,dc=com ] -groupids [wasadmins@defaultWIMFileBasedRealm ]]')
AdminConfig.save()
Symptom
Although the configuration change has been saved with AdminConfig.save() you cannot login immediately, although your user is member of the "wasadmins" group.
If you login to the AdminConsole with the primary administrative user and go to the "Administrative group roles" page, the new group mapping will be listed.
If you quit the Console again, you can login with a member of the newly mapped group.
Cause
Some changes of the WAS configuration require a restart of the JVM, or at least a refresh of the configuration for the running instances.
This refresh is done, when you go to the ISC "Administrative group roles" page.
Some administrative actions (like mapping administrative users or groups to security roles) might not get activated immediately and require a restart of the JVM.
For example, you want to map the group called "wasadmins" to the Administrator role:
AdminTask.mapGroupsToAdminRole('[-roleName administrator -accessids [group:defaultWIMFileBasedRealm/cn=wasadmins,cn=groups,dc=mycompany,dc=com ] -groupids [wasadmins@defaultWIMFileBasedRealm ]]')
AdminConfig.save()
Symptom
Although the configuration change has been saved with AdminConfig.save() you cannot login immediately, although your user is member of the "wasadmins" group.
If you login to the AdminConsole with the primary administrative user and go to the "Administrative group roles" page, the new group mapping will be listed.
If you quit the Console again, you can login with a member of the newly mapped group.
Cause
Some changes of the WAS configuration require a restart of the JVM, or at least a refresh of the configuration for the running instances.
This refresh is done, when you go to the ISC "Administrative group roles" page.
Resolving the problem
When the configuration changes are completed and saved, you can force a refresh of the security configuration with the AdminControl action "refreshAll":
authGrpMgr = AdminControl.completeObjectName('WebSphere:type=AuthorizationGroupManager,*')
AdminControl.invoke(authGrpMgr, 'refreshAll')
Now the login with a newly mapped user is possible.
When the configuration changes are completed and saved, you can force a refresh of the security configuration with the AdminControl action "refreshAll":
authGrpMgr = AdminControl.completeObjectName('WebSphere:type=AuthorizationGroupManager,*')
AdminControl.invoke(authGrpMgr, 'refreshAll')
Now the login with a newly mapped user is possible.
No comments:
Post a Comment