Note 948970 caller j2 ee-guest not authorized, only role administrators

SAP Note 948970 - Caller J2EE_GUEST not authorized, only role administrators Note Language: English Version: 3 Validity: Valid Since 17.05.2006 Summary Symptom o You are getting Exceptions similar to: com.sap.engine.services.jmx.exception.JmxSecurityException: Caller J2EE_GUEST not authorized, only role administrators is allowed to access JMX at com.sap.engine.services.jmx.EngineAuthorization.checkMBeanPermission( EngineAuthorization.java:88) at com.sap.engine.services.jmx.auth.UmeAuthorization.checkMBeanPermissio n(UmeAuthorization.java:77) at com.sap.engine.services.jmx.JmxServerFrame.checkMBeanPermission(JmxSe rverFrame.java:98) at com.sap.engine.services.jmx.MBeanServerClusterConnectionSecurityWrapper .queryNames(MBeanServerClusterConnectionSecurityWrapper.java:211) at com.sap.engine.services.jmx.ClusterInterceptor.getMBeanCount(ClusterI nterceptor.java:621) at com.sap.engine.services.jmx.MBeanServerInterceptorInvoker.invokeMbs(M BeanServerInterceptorInvoker.java:93) at com.sap.engine.services.jmx.connector.p4.P4ConnectorServerImpl.invoke Mbs(P4ConnectorServerImpl.java:61) at com.sap.engine.services.jmx.connector.p4.P4ConnectorServerImplp4_Skel .dispatch(P4ConnectorServerImplp4_Skel.java:64) at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl .java:304) at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:193) at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4Se ssionProcessor.java:122) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessi onMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRu nner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.ja va:100) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170) o The security session expires every 27 hours and causes a security 02.07.2010 Page 1 of 3

SAP Note 948970 - Caller J2EE_GUEST not authorized, only role administrators exception similar to the one above Other terms security session expiration, J2EE_GUEST, Guest, JMX, 27, P4, RMI, Swing, AWT, SessionExpirationPeriod Reason and Prerequisites I. Session Expiration The security session of the J2EE Engine expires at fixed time which is calculated from the session creation moment and is not updated throughout the session usage. The timeout is configured in the property SessionExpirationPeriod of the security service - see also http://help.sap.com/saphelp_nw04/helpdata/en/d7/e08b17065b554ca57183a4c3a99 340/content.htm The default value is about 27 hours and when the timeout expires the session is closed regardless if it has been used recently or not. This design decision has been taken in order to prevent leakage of memory related to misimplemented RMI/P4 clients which do not close the obtained context after finishing the operations related to a specific session(and just call System.exit or obtain a new Context on next call). As a result threads meant to be long-running and using the session for more than SessionExpirationPeriod need to reauthenticate against the Engine and retry the last operation that failed. II. Multithreaded usage of javax.naming.Context (or its implementations) or objects obtained from the Context 1. The security context is bound to the thread, not to the Objects which are obtained from the Context. Therefore you cannot share the context or objects obtained from it among authenticated and non-authenticated threads. Thus you cannot get the Context, lookup some Objects and expose them as public variables or by means of getter methods for usage by other threads in the application. 2. Even if you are not starting threads explicitly, in case you are using Swing/AWT interface, then the AWT base uses threads internally and in case of RuntimeException being thrown in the rendering code (which can also include your business logic), a new thread is spawned which does not have the necessary security context and is therefore failing to use objects which require Administrative or other than default privileges. In such cases you should again reauthenticate and retry the operation. III. Wrong user You might be trying to access JMX or other resources requiring administrative privileges after having authenticated with user without administrative privileges or having not authenticated at all (default Guest). Solution 1. Typically this exception is caused by a forgotten session of a remote tool connecting to the Engine (e.g. Visual Administrator or Deploy Tool) which has eventually expired. In this case the exception can be ignored since it has informative rather than alerting purposes. 02.07.2010 Page 2 of 3

SAP Note 948970 - Caller J2EE_GUEST not authorized, only role administrators 2. If the exception appears regularly in the Engine traces (for example every 27 hours) but everything seems to work correctly, then most likely you are using an automated tool that monitors the system or obtains whatever information using P4 as protocol. That tool has been implemented properly to retry the operation that failed after having reauthenticated against the Engine. You can ignore the exception. 3. If the exception happens regularly at a fixed interval (provided there is one client) and a remote client doing whatever operations through RMI/P4 stops working, then you need to contact the respective developer and ask him/her to implement reathentication and retry of the operation. 4. If the exception happens at random intervals (probably close together), then you need to contact the respective developer and ask him/her to check if there is multithreaded usage of the context/objects obtained from the respective P4 connection. Such multithreaded usage should be eliminated or it must be assured that all threads accessing the objects are properly authenticated (using authenticated threads pool or else). 5. If the Exception is similar to "Caller MY_USER not authorized, only role administrators..." then make sure the user MY_USER has the required administrative privileges for the requested operation (configured using Visual Administrator). Header Data Release Status: Released for Customer Released on: 17.05.2006 12:16:20 Master Language: English Priority: Recommendations/additional info Category: Help for error analysis Primary Component: BC-JAS-SEC Security, User Management Secondary Components: BC-JAS-ADM-ADM-JMX JMX Valid Releases Software Component Release From To and Release Release Subsequent SAP-JEE 60 6.40 6.40 SAP-JEE 7.00 7.00 7.00 02.07.2010 Page 3 of 3

Note 948970 caller j2 ee-guest not authorized, only role administrators

by Donghoon Woo on Jul 02, 2010

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 3

Statistics

Note 948970 caller j2 ee-guest not authorized, only role administrators — Document Transcript