OPSS - WebLogic Security Patch 22248372 Breaks SSO, Getting Access Denied

(Doc ID 2110266.1)

Last updated on JUNE 06, 2017

Applies to:

Oracle Platform Security for Java - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Symptoms

On Oracle Platform Security for Java version 11.1.1.9.0, Java Platform Security / from Oracle Adaptive Access Manager 11.1.2.2.0:

WebLogic Security Patch 22248372 breaks SSO

After applying the WebLogic Security Patch to the development environment, an "Access Denied" exception starts to occur.
The environment has SSO in place and a custom servlet that allows users to log in with any of three attributes (employee ID, email, or network ID).

Observed Error

java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:OAM11gApplication Actions:getApplicationPolicy)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:549)
at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:463)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:523)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:549)
at oracle.security.jps.internal.credstore.util.CsfU

Steps to reproduce


The issue can be reproduced at will with the following steps:
1. Apply the WebLogic Security Patch (22248372) and the prerequisite patch (20780171).
2. After the patches are applied, SSO fails with the following OAAM error:

java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oaam,keyName=* read)

After starting the domain with JpsAuth debugging enabled, using:

 ./startWebLogic.sh -Djps.auth.debug=true -Djps.auth.debug.verbose=true

the following Check Permission [FAILED] entry is observed:

[JpsAuth] Check Permission
PolicyContext: [null]
Resource/Target: [context=APPLICATION,name=OAM11gApplication]
Action: [getApplicationPolicy]
Permission Class: [oracle.security.jps.service.policystore.PolicyStoreAccessPermission]
Result: [FAILED]
Evaluator: [ACC]
Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@1049a24b
CodeSource=file:/apps/Oracle/Middleware/patch_wls1036/patch_jars/BUG20780171_1036012.jar
Principals=total 0 of principals<no principals>
Permissions=(
(oracle.security.jps.service.keystore.KeyStoreAccessPermission stripeName=system,keystoreName=trust,alias=* read)
(java.io.FilePermission /apps/Oracle/Middleware/patch_wls1036/patch_jars/BUG20780171_1036012.jar read)
....
)
Call Stack: java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:OAM11gApplication Actions:getApplicationPolicy)
java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
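
A small triage helper for the -Djps.auth.debug=true output shown above, added here as an example and not part of the Oracle note: it extracts every FAILED check together with the code source whose protection domain lacked the permission. The function names and the constructed non-failing block (including its SUCCEEDED value) are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the FAILED block is copied from the debug output above;
# the second block is a constructed non-failing entry (its Result value is an assumption).
SAMPLE = """\
[JpsAuth] Check Permission
PolicyContext: [null]
Resource/Target: [context=APPLICATION,name=OAM11gApplication]
Action: [getApplicationPolicy]
Permission Class: [oracle.security.jps.service.policystore.PolicyStoreAccessPermission]
Result: [FAILED]
Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@1049a24b
CodeSource=file:/apps/Oracle/Middleware/patch_wls1036/patch_jars/BUG20780171_1036012.jar
[JpsAuth] Check Permission
Resource/Target: [context=SYSTEM,mapName=oaam,keyName=*]
Action: [read]
Permission Class: [oracle.security.jps.service.credstore.CredentialAccessPermission]
Result: [SUCCEEDED]
"""

FIELD = re.compile(r"^(Resource/Target|Action|Permission Class|Result): \[(.*)\]\s*$")

def failed_checks(log_text):
    """Return one dict per '[JpsAuth] Check Permission' block whose Result is FAILED."""
    blocks, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[JpsAuth] Check Permission"):
            current = {}
            blocks.append(current)
        elif current is None:
            continue  # ignore server output before the first block
        elif (m := FIELD.match(line)):
            current.setdefault(m.group(1), m.group(2))
        elif line.startswith("CodeSource="):
            current.setdefault("CodeSource", line[len("CodeSource="):])
    return [b for b in blocks if b.get("Result") == "FAILED"]

def summarize(log_text):
    """Count failures per (code source, permission class, target, action)."""
    return Counter(
        (b.get("CodeSource", "?"), b.get("Permission Class", "?"),
         b.get("Resource/Target", "?"), b.get("Action", "?"))
        for b in failed_checks(log_text))

if __name__ == "__main__":
    for (src, perm, target, action), n in summarize(SAMPLE).most_common():
        print(f"{n}x {src}\n   lacks {perm} [{target}] action={action}")
```

Grouping by code source shows at a glance whether the denials all trace back to the same JAR, as they do here with the patch JAR BUG20780171_1036012.jar.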

 

Changes

Applied the WebLogic Security Patch (22248372) and prerequisite patch (20780171).

Cause
