Solving java.lang.SecurityException Error in Weblogic

If you are seeing “java.lang.SecurityException:Security:090398Invalid Subject: principals=weblogic, Administrators” in weblogic logs while doing some operation like JMS connection or accessing admin console or activating some changes or connecting to some different domain, then follow below mentioned steps to fix the issue.

Usual Errors Seen in Weblogic Logs:(AdminServer Or/And Managed Server logs)

Error Type1: [ While Doing Some Operation in Weblogic Admin Console]

####<Sep 13, 2012 6:43:04 AM PST> <Error> <Console> <localhost> <myserver> <[ACTIVE] ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <system> <> <> <1378172584830> <BEA-240003> <Console encountered the following error java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[system, Administrators]
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
at weblogic.jndi.internal.ServerNamingNode_1035_WLStub.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:423)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:411)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
at weblogic.management.remote.wlx.ClientProvider.findRMIServer(ClientProvider.java:131)
at weblogic.management.remote.wlx.ClientProvider.newJMXConnector(ClientProvider.java:98)
at javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:338)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:247)
at com.bea.console.utils.MBeanUtils.lookupMBeanServerConnection(MBeanUtils.java:3387)
at com.bea.console.utils.MBeanUtils.getDomainRuntimeMBeanServerConnection(MBeanUtils.java:1812)
at com.bea.console.utils.MBeanUtils.getDomainRuntimeServiceMBean(MBeanUtils.java:1888)
at com.bea.console.utils.MBeanUtilsInitializer.initMBeanUtils(MBeanUtilsInitializer.java:70)
at com.bea.console.utils.MBeanUtilsInitializer.initMBean(MBeanUtilsInitializer.java:34)
at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:214)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:262)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:134)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199)
at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686)
at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266)
at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107)
at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292)
at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208)
at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162)
at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388)
at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258)
at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211)
at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196)
at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:47)
at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[system, Administrators]
at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:680)
at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:187)
at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:827)
at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:300)
at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:996)
at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:917)
at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:225)
at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:742)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:682)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:628)
at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:123)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)

Error Type2: [While Creating a RMI connection between domains]

<Warning> <HTTP> <sunfiore3> <fireser02> <[STANDBY] ExecuteThread: ‘5’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <> <> <> <1233914402218> <BEA-101162> <User defined listener org.springframework.web.context.ContextLoaderListener failed: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘jmsQueueContainer’ defined in ServletContext resource [/WEB-INF/applicationContext-weblogic.xml]: Invocation of init method failed; nested exception is java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators].
org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘jmsQueueContainer’ defined in ServletContext resource [/WEB-INF/applicationContext-weblogic.xml]: Invocation of init method failed; nested exception is java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]

Error Type3: [ While making a service call to another domain]

2012-02-21 22:48:48,724 ERROR [[ACTIVE] ExecuteThread: ‘3’ for queue: ‘weblogic.kernel.Default (self-tuning)’][service.ServiceAccessor] ERROR on making a service call to com.retek.platform.service.CommandExecutionService on method executeCommand

java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
at com.retek.platform.service.impl.CommandExecutionService_so9cu5_HomeImpl_1033_WLStub.create(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.retek.platform.service.EjbServiceLocator.createBeanInstance(EjbServiceLocator.java:157)
at com.retek.platform.service.EjbServiceLocator.locate(EjbServiceLocator.java:112)
at com.retek.platform.service.ServiceFactory.getServicesImpl(ServiceFactory.java:253)
at com.retek.platform.service.ServiceFactory.getService(ServiceFactory.java:95)
at com.retek.platform.service.ServiceAccessor.getNamedService(ServiceAccessor.java:456)
at com.retek.platform.service.ServiceAccessor.callRemoteMethod(ServiceAccessor.java:294)
at com.retek.platform.service.ServiceAccessor.remoteTransaction(ServiceAccessor.java:485)
at com.retek.platform.service.ServiceAccessorProxy.invoke(ServiceAccessorProxy.java:52)
at $Proxy179.ping(Unknown Source)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:835)
at weblogic.security.service.SecurityServiceManager.getSealedSubjectFromWire(SecurityServiceManager.java:524)
at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:351)
at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:875)

 

Error Type 4: [During the discovery of the Managed Server]

Admin Server Side:

<Feb 21, 2012 2:21:56 PM PST> <Error> <Management> <BEA-141135> <The managed server discovery service could not be started on the admin server.weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: ServerRuntime Action: execute, Target: reconnectToAdminServer
at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
at weblogic.management.internal.RemoteMBeanServerImpl_812_WLStub.invoke(Unknown Source)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:946)

Managed Server Side:

<Feb 21, 2012 2:21:56 PM PST> <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
<Feb 21, 2012 2:21:56 PM PST> <Warning> <RMI> <BEA-080003> <RuntimeException thrown by rmi server: weblogic.management.internal.RemoteMBeanServerImpl.invoke(Ljavax.management.ObjectName;Ljava.lang.String; [Ljava.lang.Object;[Ljava.lang.String;)
weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: ServerRuntime Action: execute, Target: reconnectToAdminServer.
weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: ServerRuntime Action: execute, Target: reconnectToAdminServer
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.wlsRun(SecurityHelper.java:564)
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:456)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)

 

The above errors comes generally when there is an issue in domain trust security settings. If two WebLogic instances belong to different WebLogic domains, the domain credential must be the same for both instances.

To solve the above issues we need to enable trust between two/more WebLogic Server domains and explicitly specify the same value for the credential in both WebLogic Server domains.

Please follow the steps to enable domain trust between two or more weblogic domains

OR

Enabling Trust Between WebLogic Server Domains

Few places you might see the Error Type 4 this usually happens when there is a cached password which does not match with the Admin Server password i.e if the domain credential is changed using the Admin Console and then the Admin Server is restarted without shutting down the Managed Server.

So after enabling domain trust or cross domain security make sure you shutdown all managed servers and then Admin Server and start it in reverse order, i.e Admin first and then all rest managed servers to avoid seeing these errors.

 

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.