BEA WebLogic Server uses its own security manager, so an appropriate
policy file needs to be provided.
The policy file grants java.security.AllPermission, but restricts the
grant to certain codeBase values. This leads to "access denied" messages.
Granting java.security.AllPermission without any codeBase value is fine,
however.
The problem is strictly reproducible, but reproducing it requires
installing BEA WLS 9.1.
Here is a step-by-step description:
1. Get WLS 9.1
--------------
The file can be downloaded from http://commerce.bea.com/showallversions.jsp?family=WLS
The file name is "server910_generic.jar".
2. Install WLS
--------------
Use the default installation, running the installer with an already
installed JDK 1.5.0:
/jdk1.5.0_06/bin/java -jar server910_generic.jar
BEA Home in /bea
BEA Version 9.1 installed in /bea/weblogic91
Make a default installation.
3. Create a domain via "Configuration Wizard"
---------------------------------------------
cd /bea/weblogic91/common/bin
./config.sh
- Create a new Weblogic Domain supporting Weblogic Server
- Username weblogic, Password weblogic
- choose JDK 1.5.0_06 at most; _07 and _08 won't work for other reasons
- Development Mode
- no customization
- Domain name 'securityTest'
- Domain location '/bea/user_projects/domains'
4. Make the following changes
-----------------------------
The modified files are attached to this bug report:
# tar tvf files.tar
drwxr-xr-x 0/1 0 Aug 24 15:41 2006 bin/
-rwxr-xr-x 0/1 5637 Aug 24 15:10 2006 bin/startWebLogic.sh
-rwxr-xr-x 0/1 11414 Aug 24 15:11 2006 bin/setDomainEnv.sh
drwxr-xr-x 0/1 0 Aug 24 15:50 2006 security/
-rw-r--r-- 0/1 1025 Aug 24 15:50 2006 security/weblogic.policy
-rwxr-xr-x 0/1 351 Aug 24 15:10 2006 startWebLogic.sh
#
Either copy these files over the corresponding files under the base
directory '/bea/user_projects/domains/securityTest', or make the changes
manually:
4.1 add weblogic.policy to directory 'security'
cp weblogic.policy /bea/user_projects/domains/securityTest/security
4.2 add two lines in /bea/user_projects/domains/securityTest/startWebLogic.sh
WLS_REDIRECT_LOG="${DOMAIN_HOME}/servers/AdminServer/logs/console.log"
export WLS_REDIRECT_LOG
after line
DOMAIN_HOME="/bea/user_projects/domains/securityTest"
4.3 modify the following lines in
/bea/user_projects/domains/securityTest/bin/startWebLogic.sh
remove the parameter
-Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy
from lines 179, 180 and 183
4.4 add/modify the following lines
/bea/user_projects/domains/securityTest/bin/setDomainEnv.sh
modify the line
JAVA_PROPERTIES="${JAVA_PROPERTIES} ${EXTRA_JAVA_PROPERTIES}"
into
JAVA_PROPERTIES="${JAVA_PROPERTIES} ${EXTRA_JAVA_PROPERTIES} ${JAVA_SEC_PROPERITES} ${HVB_OPTIONS}"
and include the following lines above the modified line:
JAVA_SEC_PROPERITES="-Djava.security.manager"
export JAVA_SEC_PROPERITES
JAVA_SEC_PROPERITES="${JAVA_SEC_PROPERITES} -Djava.security.policy==${LONG_DOMAIN_HOME}/security/weblogic.policy"
JAVA_SEC_PROPERITES="${JAVA_SEC_PROPERITES} -Djava.security.debug=access,failure"
HVB_OPTIONS=""
export HVB_OPTIONS
HVB_OPTIONS="${HVB_OPTIONS} -Dhvbinfo.weblogic.Name=AdminServer"
HVB_OPTIONS="${HVB_OPTIONS} -Dhvbinfo.weblogic.DomainHome=${LONG_DOMAIN_HOME}"
HVB_OPTIONS="${HVB_OPTIONS} -Dhvbinfo.weblogic.home=${WL_HOME}"
HVB_OPTIONS="${HVB_OPTIONS} -Dhvbinfo.java.home=${JAVA_HOME}"
5. Create directory
-------------------
mkdir /bea/user_projects/domains/securityTest/servers/AdminServer/logs
6. Start WebLogic Server
------------------------
/bea/user_projects/domains/securityTest/startWebLogic.sh
7. Start console
----------------
Start a browser and point it to the URL http://<ip-address>:7001/console
Wait until you are fully logged in.
8. Inspecting console.log file
------------------------------
Stop the server with ^C and inspect
/bea/user_projects/domains/securityTest/servers/AdminServer/logs/console.log
# grep denied console91.log
access: access denied (javax.management.MBeanPermission -#-[-] queryMBeans)
access: access denied (javax.management.MBeanPermission -#-[-] queryMBeans)
access: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
<Aug 24, 2006 1:29:04 PM MEST> <Error> <Console> <BEA-240003> <Console encountered the following error java.security.AccessControlException: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
access: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
<Aug 24, 2006 1:29:04 PM MEST> <Error> <Console> <BEA-240003> <Console encountered the following error java.security.AccessControlException: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
access: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
<Aug 24, 2006 1:29:04 PM MEST> <Error> <Console> <BEA-240003> <Console encountered the following error java.security.AccessControlException: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
access: access denied (javax.management.MBeanPermission -#-[-] queryMBeans)
access: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
<Aug 24, 2006 1:29:04 PM MEST> <Error> <Console> <BEA-240003> <Console encountered the following error java.security.AccessControlException: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
access: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.runtime.internal.RuntimeServiceMBeanImpl#-[com.bea:Name=RuntimeService,Type=weblogic.management.mbeanservers.runtime.RuntimeServiceMBean] getMBeanInfo)
<Aug 24, 2006 1:29:07 PM MEST> <Error> <Console> <BEA-240003> <Console encountered the following error java.security.AccessControlException: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.runtime.internal.RuntimeServiceMBeanImpl#-[com.bea:Name=RuntimeService,Type=weblogic.management.mbeanservers.runtime.RuntimeServiceMBean] getMBeanInfo)
#
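A way to triage the log from step 8, as an added example that is not part of the original report: it collapses the "access: access denied" lines written by -Djava.security.debug=access,failure into one row per distinct permission and prints them as policy-file permission entries for review. The sample log is constructed from the excerpt above plus one constructed RuntimePermission line, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the report). Constructed sample input modelled on
# the console.log excerpt; the RuntimePermission line is invented for the demo.
sample_log() {
cat <<'EOF'
access: access denied (javax.management.MBeanPermission -#-[-] queryMBeans)
access: access denied (javax.management.MBeanPermission -#-[-] queryMBeans)
access: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
<Aug 24, 2006 1:29:04 PM MEST> <Error> <Console> <BEA-240003> <Console encountered the following error java.security.AccessControlException: access denied (javax.management.MBeanPermission weblogic.management.mbeanservers.edit.internal.EditServiceMBeanImpl#-[com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean] getMBeanInfo)
access: access denied (java.lang.RuntimePermission getClassLoader)
EOF
}

# Reads a log on stdin and prints "count<TAB>class<TAB>name<TAB>actions",
# one row per distinct denied permission, most frequent first.
# Only the "access:" debug lines are counted, so the BEA-240003 console
# lines that repeat the same exception text are not counted again.
summarize_denied() {
    TAB=$(printf '\t')
    awk '
        /^access: access denied \(/ {
            p = $0
            sub(/^access: access denied \(/, "", p)
            sub(/\) *$/, "", p)
            seen[p]++
        }
        END {
            for (p in seen) {
                n = split(p, t, " ")
                name = ""; act = ""
                # Assumption: with 3 or more tokens the last is the action list.
                last = (n >= 3) ? n - 1 : n
                if (n >= 3) act = t[n]
                for (i = 2; i <= last; i++) name = name (i > 2 ? " " : "") t[i]
                printf "%d\t%s\t%s\t%s\n", seen[p], t[1], name, act
            }
        }
    ' | LC_ALL=C sort -t "$TAB" -k1,1nr -k2
}

# Renders the summary as policy-file permission entries for manual review.
policy_entries() {
    summarize_denied | awk -F '\t' '{
        if ($4 == "") printf "permission %s \"%s\";\n", $2, $3
        else          printf "permission %s \"%s\", \"%s\";\n", $2, $3, $4
    }'
}

sample_log | policy_entries
```

Against a real run, feed the file instead of the sample: `policy_entries < console.log`.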
9. Workaround
-------------
The "access denied" messages disappear when the following is additionally
granted in the 'weblogic.policy' file:
grant {
permission javax.management.MBeanPermission "*", "*";
};
However, this grant must be made without a codeBase value.
Restricting it with a codeBase value again produces the "access denied"
messages shown above.
10. java.security.AllPermission;
--------------------------------
The problem is not reproducible if the only entry in the 'weblogic.policy'
file is:
grant { permission java.security.AllPermission; };
However, restricting this to a codeBase (even the most generic one) brings
the "access denied" messages back.
Example:
grant codeBase "file:/-" {
permission java.security.AllPermission;
};