OBIEE 11g users still able to login even with invalid password

Posted by newknight on 2014-08-12

 

Scenario


I have OBIEE 11.1.1.6 installed on a Windows 7 64-bit machine for a proof of concept using OID as the authentication source w/ groups being stored in an external database. I followed the directions EXACTLY as requested in Oracle's Fusion Middleware Security Guide for OBIEE ( http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#CJAJBIBG ). The users are able to log into OBIEE and groups are correctly mapping to the OID users & weblogic application roles. BUT there is a problem:

When I log into OBIEE 11g answers with a VALID username but INVALID password, the system STILL allows the user to log in.

For example:

user 'member1' has password 'abcd' and is a member of Application Role 'BIAuthor'

scenario 1)
I log into OBIEE 11g with the correct username/password, the user authenticates, the correct application role (BIAuthor) is assigned to the user and there are no issues.

scenario 2)
I log into OBIEE 11g with 'member1' as the username, and 'abcdefgh' as the password (invalid password). The user is able to access Answers, but the application role BIAuthor is not applied to the user (only the authenticated-role is). 

The following message is displayed on the bi_server1-diagnostic.log:

message 1:
Message ID OBI-SEC-00046 
Message Level 1 
WEBSERVICE_PORT.name SecurityServicePort 
J2EE_MODULE.name bimiddleware/security 
J2EE_APP.name bimiddleware_11.1.1 
WEBSERVICE.name SecurityService 
Relationship ID 0:1:1:8:11 

Component bi_server1 
Module oracle.bi.security.service 
Host 
Host IP Address 
User BISystemUser 
Thread ID [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)' 
ECID 2ac0a03caa926090:-77e91c0e:1397d8dc657:-8000-0000000000000029 


message 2: 

Aug 31, 2012 9:42:30 AM PDT (Warning) … /Farm_bifoundation_domain/bifoundation_domain/bi_server1/bimiddleware(11.1.1) (Application Deployment) 




Message Level 1 
WEBSERVICE_PORT.name SecurityServicePort 
J2EE_MODULE.name bimiddleware/security 
J2EE_APP.name bimiddleware_11.1.1 
WEBSERVICE.name SecurityService 
Relationship ID 0:1:1:6:1 
Component bi_server1 

Module oracle.j2ee.ws.common.jaxws.JAXWSMessages 
Host 
Host IP Address 
User BISystemUser 
Thread ID [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)' 
ECID 2ac0a03caa926090:-77e91c0e:1397d8dc657:-8000-0000000000000051 


Message Exception while executing the business logic: SecurityService::authenticateUserWithLanguage [OBI-SEC-00015] Unable to find user in identity store.


scenario 3)
If an invalid username and password are entered, access is denied (this is correct).



Can anyone explain why this is happening (scenario 2) and how to resolve it?


My provider list is in the following order:

1) mysqlgroupprovider (control flag = optional)
2) myOIDDirectory (control flag = sufficient)
3) Defaultauthenticator (control flag = sufficient)

 

 

Solution


That was the issue! I had an init block populating USER. When I removed the USER system variable went away.
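
The provider list in the question uses WebLogic control flags, which follow the standard JAAS rules. The Python model below is an added example, not part of the original post; it evaluates that exact chain, and the per-provider accept/reject outcomes are assumptions made for illustration.

```python
from enum import Enum

class Flag(Enum):
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"

# Provider order and control flags as listed in the post.
CHAIN = [
    ("mysqlgroupprovider", Flag.OPTIONAL),
    ("myOIDDirectory", Flag.SUFFICIENT),
    ("Defaultauthenticator", Flag.SUFFICIENT),
]

def evaluate(chain, outcomes):
    """Apply JAAS control-flag rules; return (authenticated, providers_consulted).

    outcomes maps provider name -> True/False (did it accept the credentials).
    """
    mandatory_seen = mandatory_failed = any_success = False
    consulted = []
    for name, flag in chain:
        ok = outcomes[name]
        consulted.append(name)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if flag is Flag.REQUISITE:
                    break              # REQUISITE failure stops the chain
        elif ok:
            any_success = True
            if flag is Flag.SUFFICIENT:
                break                  # SUFFICIENT success returns immediately
    if mandatory_failed:
        return False, consulted
    # With no REQUIRED/REQUISITE provider, one SUFFICIENT/OPTIONAL success is enough.
    return (mandatory_seen or any_success), consulted

# Assumed outcomes (constructed): scenario 1 = correct password, OID accepts.
SCENARIO_1 = {"mysqlgroupprovider": False, "myOIDDirectory": True, "Defaultauthenticator": False}
# Scenario 2 = wrong password, every provider rejects.
SCENARIO_2 = dict.fromkeys(SCENARIO_1, False)
# Constructed edge case, not observed in the post: only the OPTIONAL provider succeeds.
OPTIONAL_ONLY = {"mysqlgroupprovider": True, "myOIDDirectory": False, "Defaultauthenticator": False}

if __name__ == "__main__":
    for label, o in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2), ("optional only", OPTIONAL_ONLY)):
        print(label, evaluate(CHAIN, o))
```

When every provider rejects the credentials, the chain denies the login, so a session that still opens was granted outside the provider chain, which matches the init block cause reported in the solution. The edge case shows why a chain with no REQUIRED provider deserves review: a single OPTIONAL success would authenticate the user.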

From "ITPUB Blog", link: http://blog.itpub.net/10009036/viewspace-1249985/. If you repost this, please credit the source; otherwise legal liability will be pursued.
