Serious security bug in WebLogic 6.0

When I use JAAS authentication with WebLogic Server 6.0, everything is beautiful. But
I easily bypass the JAAS authentication and can log in to WebLogic Server 6.0
as anybody with any credential. Think about it: if I log in as system with a
wrong password, I get in, and the caller will be system.
If anyone inside the WebLogic team is interested in talking about it, please send
me an email. I don't want to post the way I did it right now.

This potential vulnerability has been confirmed and has been fixed in BEA WebLogic
Server 6.0 Service Pack 1 (SP1). SP1 is currently available for download from
the BEA Download Center at
http://commerce.bea.com/downloads/weblogic_server.jsp#wls.
BEA advises every Service Pack be applied as they are released. Service Packs
include a roll up of all bug fixes for each version of the product, as well as
each of the previously released Service Packs.
BEA treats security issues with the highest degree of urgency and does everything
possible to ensure the security of all customer assets. As a policy, if there
are any security-related issues with any BEA product, BEA will distribute an advisory
and instructions with the appropriate course of action.
Because the security of your site, data, and code is
our highest priority, we are committed to communicating all
security-related issues clearly and openly.
BEA has established a permission-based emailing list specifically
targeted for product security advisories. As a policy, if a user has opted in
to our emailing list and there are any security issues with the BEA product(s)
he/she is using, BEA will distribute an advisory and instructions via email with
the appropriate course of action.
REPORTING SECURITY ISSUES
For immediate attention, BEA has established an email address to which you can
send reports of any possible security issues in BEA products.
These reports should be sent to: [email protected]
All correspondence to this address will be promptly reviewed and all necessary
actions taken to ensure the continued security of all customer assets.
SUBSCRIBE TO EMAIL ALERT
You may subscribe to the permission-based emailing list to receive alerts of security
advisories by registering with BEA at:
http://contact.beasys.com/bea/www/securityelogin.jsp.
Sincerely,
Marc Bishop
Security Product Manager
BEA WebLogic Server

Similar Messages

  • Security Bug in weblogic.httpd.enable

     

    Hi!
    When I set "weblogic.httpd.enable=false", I get an UnmarshalException
    for WLStub at the EJB client whenever I update my classes. Is this by design?
    When I comment this out, the error is gone.
    Regards
    Yew Yap
    "Vince" <[email protected]> wrote in message
    news:87f5ng$g7g$[email protected]..
    Hi all,
    I don't know whether you all know this or not, but I would feel guilty if I
    didn't tell all of you. I found a bug in the properties file. WebLogic
    claimed that the httpd can be disabled for security purposes. However, I
    realized that no matter what boolean you assign to weblogic.httpd.enable,
    the httpd is still alive. The setting in the properties file has no effect
    at all. For those of you who have to disable httpd for the security of your
    internal networks, this is really a problem. I have reported this to BEA
    and will see how they fix this. You can test this on your WebLogic server
    by setting the property to false and testing to see if the clients can connect
    to your server using http. I was able to use a browser to connect to the
    server and even more I could replace t3 with http in my java code to connect
    to my EJBs after I disabled httpd.
    Vince
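Vince's test (set weblogic.httpd.enable=false, then see whether HTTP clients still connect) can be scripted. The following is an added Python probe, not WebLogic code and not from the post: it opens the port, sends a minimal HTTP/1.0 request and reports whether an HTTP status line comes back. So that it runs stand-alone, it starts a throwaway local HTTP server as a stand-in for a listener that is still alive and uses a closed localhost port as a stand-in for one that was really disabled; against a real server you would call probe_http() with the server's host and listen port.

```python
"""Added example: confirm an HTTP listener is really off.

Not WebLogic code.  probe_http() sends a minimal HTTP/1.0 request and
reports whether an HTTP status line comes back.  The local stub server is
a stand-in for a WebLogic instance whose HTTP listener is still alive; a
closed localhost port stands in for one that was really disabled.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if host:port answers a GET with an HTTP status line.

    Connection refused, a timeout or a non-HTTP banner all return False;
    refused is the result you want after weblogic.httpd.enable=false.
    """
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            banner = sock.recv(64)
    except OSError:  # ECONNREFUSED, timeout, reset, ...
        return False
    return banner.startswith(b"HTTP/")


class _StubHandler(BaseHTTPRequestHandler):
    """Minimal responder used only to model a listener that is still alive."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, format, *args):  # keep the demo quiet
        pass


def start_stub_server():
    """Start a throwaway HTTP server on a free localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_stub_server(server) -> int:
    """Stop the stub and close its socket, returning the now-closed port."""
    port = server.server_address[1]
    server.shutdown()
    server.server_close()
    return port


if __name__ == "__main__":
    server, port = start_stub_server()
    print("listener alive, speaks HTTP:", probe_http("127.0.0.1", port))      # True
    port = stop_stub_server(server)
    print("listener disabled, speaks HTTP:", probe_http("127.0.0.1", port))   # False
```

The probe only tells you whether the port speaks HTTP at all; if the listener is still up, the t3-over-HTTP tunnelling Vince describes (replacing t3:// with http:// in the client) is the next thing to try from an untrusted network segment.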

  • Is this a security bug in Windows 8.1?

    I think I have discovered a serious security bug in Windows 8.1.
    Today I was using my (non-Admin) user account and with Internet Explorer I saved a file in the default Downloads folder (under This PC). The file was saved, but when I went to that folder, the file was not there! Now, I was about to download
    it again, using IE, same as before, when I noticed in the Save dialog box that the file had indeed been downloaded, and that it was there, in the Downloads folder under This PC. Frustrated, I went to that very folder, but the file was nowhere
    to be found. I was really puzzled.
    Then, by chance, while logged in to another account (namely the Admin account), I happened to go to the Downloads folder, and there was the file that I had downloaded using the other account.
    Obviously, what I described above represents a security problem: firstly because my private files may get saved by mistake into another person's account without me even realizing it, and secondly because I was able to access another person's account
    (i.e. the Admin account) via IE's Save dialog box, seeing the list of the files there, and possibly even accessing them (I have not tried the latter, though).
    Has anyone experienced anything like the situation I described?
    I must also say that I later tried to replicate this abnormal behavior, but for some unknown reason I couldn't. Anyway, I am sure that what I described above is an accurate account of how things went.

    Hi,
    Since I cannot repro your issue on my own computer, it cannot be a bug.
    I suggest we try using another user account to see if the same issue happens.
    Please make sure the location of your Downloads folder is right:
    Right-click the Downloads folder, and choose Properties.
    Make sure the location is right under your user profile.
    If not, please click Location and click Restore Default.
    If we still fail to solve your issue, please run Process Monitor at the end of the downloading process to capture the actions, and upload the saved log here for further research.
    You can also check if there are any weird actions at the end of the downloading process.
    Process Monitor v3.05
    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
    For how to use it, please refer to this article:
    Using Process Monitor to capture system events
    http://www.sophos.com/en-us/support/knowledgebase/119038.aspx
    Keep posting.
    Kate Li
    TechNet Community Support

  • Signature Validation Bug in WebLogic 10.3

    I believe I have come across a bug in WebLogic 10.3. I send a signed soap message to the server, but it gets rejected because it fails validation. Fair enough... Took a look at the trace and here is what I found:
    <Sep 23, 2008 9:41:03 AM EDT> <Info> <> <BEA-000000> <transformed data: [OctetData, as String in platform default encoding:<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18724844"><ser:deposit xmlns:ser="http://services/">
        <arg0>100</arg0>
    </ser:deposit></soapenv:Body>]>
    <Sep 23, 2008 9:41:03 AM EDT> <Info> <> <BEA-000000> <digest input: (as string, platform default encoding) <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18724844"><ser:deposit xmlns:ser="http://services/">
    <arg0>100</arg0>
    </ser:deposit></soapenv:Body>>
    ReferenceImpl.ValidateResultImpl:
    refURI: #id-18724844
    status: false
    digestValue: 1B35E823E5137581751EF6A8AB8DD8943D21F024
    unmarshalledDigestValue: B3DAB5E81C128858C84DBB05B361C8736C972443
    The reason the digest does not match is because WebLogic is not receiving the correctly formatted SOAP message. For some reason, WebLogic does not see the carriage return between </ser:deposit> and </soapenv:Body>. I send the same message to a WebLogic 10.0 server and it does not run into this problem. I use soapUI 2.0.2 as my client.
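Why one missing newline is enough to flip the digest can be shown without WebLogic. The following is an added Python example, not code from the post, soapUI or BEA. It rebuilds the Body from the trace, constructs CRLF, LF and newline-dropped variants, and compares SHA-1 over the raw bytes with SHA-1 over a canonicalised form. Python's built-in C14N 2.0 stands in for the Exclusive C14N that WS-Security signatures use (an assumption stated in the code: both keep whitespace between elements, after the XML parser has normalised CRLF to LF). The two digest values in the trace are not reproduced, because the exact bytes WebLogic hashed are not on the page.

```python
"""Added example: why a dropped newline breaks a WS-Security digest.

Not WebLogic or soapUI code.  The Body is rebuilt from the trace in the
post; the CR/LF variants are constructed.  Python's built-in C14N 2.0
stands in for the Exclusive C14N used by WS-Security (assumption: both
pass inter-element whitespace through after the parser's end-of-line
normalisation, which is all that matters here).
"""
import hashlib
from xml.etree import ElementTree as ET

# Body from the trace, with placeholders for the line endings: {nl} marks
# the two newlines inside ser:deposit, {nl2} the one before </soapenv:Body>.
BODY_TEMPLATE = (
    b'<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/'
    b'oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18724844">'
    b'<ser:deposit xmlns:ser="http://services/">{nl}    <arg0>100</arg0>{nl}'
    b'</ser:deposit>{nl2}</soapenv:Body>'
)


def body_variant(newline: bytes, before_body_close: bytes) -> bytes:
    """Build the Body bytes with the given line ending inside ser:deposit and
    the given bytes (a newline or nothing) before </soapenv:Body>."""
    return BODY_TEMPLATE.replace(b"{nl}", newline).replace(b"{nl2}", before_body_close)


def raw_digest(data: bytes) -> str:
    """SHA-1 over the bytes exactly as they appear on the wire."""
    return hashlib.sha1(data).hexdigest()


def c14n_digest(data: bytes) -> str:
    """SHA-1 over the canonicalised element, as a signature verifier computes it.

    The XML parser normalises CRLF to LF before canonicalisation, but the
    whitespace between elements is kept (strip_text=False), so a newline
    that went missing still changes the digest.
    """
    canonical = ET.canonicalize(xml_data=data, strip_text=False)
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


def compare_variants() -> dict:
    """Digest the CRLF, LF and newline-dropped Bodies and report what changes."""
    crlf = body_variant(b"\r\n", b"\r\n")
    lf = body_variant(b"\n", b"\n")
    dropped = body_variant(b"\n", b"")  # the shape the verifier in the trace seems to hash
    return {
        # Same logical XML, different raw bytes: a raw-byte digest disagrees.
        "raw_changes_with_line_ending": raw_digest(crlf) != raw_digest(lf),
        # After canonicalisation CRLF and LF hash the same.
        "c14n_ignores_line_ending": c14n_digest(crlf) == c14n_digest(lf),
        # The newline before </soapenv:Body> is character data: dropping it changes the digest.
        "c14n_sees_dropped_newline": c14n_digest(lf) != c14n_digest(dropped),
    }


if __name__ == "__main__":
    for check, holds in compare_variants().items():
        print(f"{check}: {holds}")
```

The practical consequence is the usual one for signed XML: whichever side re-serialises the message between signing and verifying (a proxy, a transport handler, a parser that trims whitespace) must do so under the same canonicalisation, or the signature is rejected even though nothing malicious happened; conversely, a verifier must not "fix" whitespace before hashing, or it would accept altered content.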

    instead of import weblogic.security.SubjectUtils; use import weblogic.security.spi.WLSUser; and get the username as below
    import java.util.Iterator;
    import java.util.Set;
    import weblogic.security.spi.WLSUser;

    // subject is the javax.security.auth.Subject of the authenticated caller
    Set users = subject.getPrincipals(WLSUser.class);
    Iterator iter = users.iterator();
    String userName = null;
    while (iter.hasNext()) {
        userName = ((WLSUser) iter.next()).getName();
        System.out.println(userName);
    }
    this returns you the username

  • Setting secure flag on weblogic (5.1) session cookie.

    Hello All,
    I need to set the secure flag on the WebLogic session cookie. I am not able to
    find any property in the weblogic.properties file to set the secure flag for
    the session cookie.
    Does anybody have any idea how to achieve this?
    Thanks
    Nitin
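The post asks where to turn the Secure flag on and gets no answer. Whatever the server offers, the flag is verified on the wire. The following is an added Python check, not WebLogic code and not from the post: it parses the Set-Cookie headers of one response and reports a session cookie that lacks Secure (and HttpOnly, which did not exist when this was asked but belongs in the same audit today). The cookie name WebLogicSession is assumed to be the 5.1 default, and the header values are constructed samples.

```python
"""Added example: check a response's Set-Cookie headers for Secure/HttpOnly.

Not WebLogic code.  The session cookie name WebLogicSession (assumed 5.1
default) and the header values are constructed.  JSESSIONID is included so
the same audit works for any servlet container.
"""
from http.cookies import SimpleCookie

SESSION_COOKIE_NAMES = ("WebLogicSession", "JSESSIONID")


def audit_set_cookie(header_values, session_names=SESSION_COOKIE_NAMES):
    """Return {cookie_name: [problems]} for each session cookie missing a flag.

    header_values is the list of raw Set-Cookie values from one response;
    each carries one cookie with its attributes.  Cookies that are not
    session cookies are not judged.
    """
    findings = {}
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in session_names:
                continue
            problems = []
            if not morsel["secure"]:
                problems.append("missing Secure: sent over plain HTTP too")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly: readable by page script")
            if problems:
                findings[name] = problems
    return findings


# Constructed sample: what a server that never sets the flag would send.
UNFLAGGED_RESPONSE = [
    "WebLogicSession=OQq2s3YbPzRt8b1wK2; Path=/",
    "theme=dark; Path=/",
]
# Constructed sample: the same session cookie with both flags set.
FLAGGED_RESPONSE = ["WebLogicSession=OQq2s3YbPzRt8b1wK2; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("unflagged", UNFLAGGED_RESPONSE), ("flagged", FLAGGED_RESPONSE)):
        print(label, audit_set_cookie(headers))
```

Run it against the real headers (for example the Set-Cookie values captured from a login response over https) after every server-side change; a flag that the configuration claims to set but the response does not carry is exactly the case this post is worried about.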
              

    The best way to reduce GC is to change your application to use less memory. Seriously.
    There are a number of JVM options for GC. I can't tell you what will work best
    for your application.
    25 seconds is way too long for a GC. Is the OS paging? You may wish to invest
    in additional memory.
    Mike Reiche
    vijendran <[email protected]> wrote:
    Hi,
    I am running a load test which will simulate 100 users. When I tried
    to simulate it I found that GC is happening often even though I set the
    heap to 512 MB, and sometimes it takes up to 25 secs for a
    GC to complete. Please advise on how to increase the performance for
    more users (without clustering WebLogic) and to avoid GC happening
    often.
    Regards
    Vijendran

  • Another security bug??

    All,
    I am running Weblogic with SP3. In my web application configured to use
    form-based authentication. In the web.xml file I have:
    <servlet>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <servlet-class>examples.servlets.InfIIPSchedulerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <url-pattern>InfIIPSchedulerServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <url-pattern>jsp/InfIIPSchedulerServlet</url-pattern>
    </servlet-mapping>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>iip</web-resource-name>
    <description>Informatica Information Platform (IIP)</description>
    <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    </login-config>
    import java.io.IOException;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.servlet.ServletException;
    import javax.servlet.ServletOutputStream;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class InfIIPSchedulerServlet extends HttpServlet {
        public void service(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            HttpSession session = req.getSession(false);
            res.setContentType("text/plain");
            ServletOutputStream out = res.getOutputStream();
            try {
                if (session == null) {
                    out.println("Session is null");
                } else {
                    out.println("Session is " + session.toString());
                    // application session object stored at login
                    InfIIPSession ss = (InfIIPSession) session.getAttribute(
                        com.informatica.viewer.util.InfHttpSessionNames.USER_IIPSESSION);
                    Context context = ss.getContext();
                    out.println("<BR>Remote user is ");
                    out.println(req.getRemoteUser());
                    out.println("<BR>Principal is ");
                    out.println(req.getUserPrincipal().getName());
                    out.println("<BR>Principal in Context is ");
                    out.println((String) context.getEnvironment().get(Context.SECURITY_PRINCIPAL));
                }
            } catch (NamingException ne) {
                throw new ServletException(ne.getMessage());
            }
        }
    }
    After logging in successfully, a welcome page came up. I got the following
    output when invoking the servlet with the URL
    http://localhost:7001/iip/InfIIPSchedulerServlet
    Session is weblogic.servlet.internal.session.MemorySession@69abf940
    <BR>Remote user is
    dtseng
    <BR>Principal is
    guest
    <BR>Principal in Context is
    dtseng
    With url http://localhost:7001/iip/jsp/InfIIPSchedulerServlet the output
    become
    Session is weblogic.servlet.internal.session.MemorySession@69abf940
    <BR>Remote user is
    dtseng
    <BR>Principal is
    dtseng
    <BR>Principal in Context is
    dtseng
    The difference is that the first URL is not a protected resource, while
    the second is. Why does req.getUserPrincipal().getName() return different values
    depending on the context in which it is executed? Is this a security bug?

    I would like to see this feature of the phone given a significant overhaul. Instead of just displaying the dial pad, I'd like to have the choice of programming in certain numbers which could be offered for dialing in place of the dial pad being shown for the Emergency call feature. Perhaps up to 10 numbers could be programmed in, so you could add the emergency numbers for your area and any other numbers you think would be useful. Of course, this should be optional so that the user has the choice of only allowing calls to the pre-registered numbers, the display of the numpad or both.
    That way, everyone would be happy, no?

  • Ongoing fatal crash and security bug related to connecting external display

    The infrastructures in OS X to resume from sleep, to authenticate, and to change displays is fundamentally not working.
    The security bug I have encountered has to do with connecting a cinema display exclusively to a MacBook Pro. This is a specific situation, but please note that I have experienced the same problem on no fewer than three independent laptops. Plus, the Genius in the Apple Retail Store was convinced of the general instability of this infrastructure. The security problem is that hot corners no longer function if I transition between two states in the same reboot. The first state is where I have the laptop powered on and using its own internal display exclusively (when I'm on the road). The second state is when I have the laptop displaying its output exclusively on an external display (when I'm at home). What happens is that an attempt to use hot corners fails. There is no response. I even added configuration on all four corners (whereas I originally had settings only for the rightmost corners), and even then, the hot corner action (of sleeping the display or entering locked screen saver mode) does not commence. This prevents the user from being able to secure the display on demand using standard methods that are supposed to work.
    The instability level related to connecting the external display exclusively is high. Again, I've experienced this on no fewer than three independent laptops, and the Apple Genius at the Retail Store confirmed that this aspect of OS X did not work consistently. When I want to connect the cinema display to the laptop in such a way that the laptop's own display is not part of the active screen, the process I use succeeds about half the time. Supposing I have been on the road, where I am using the laptop display exclusively. I then put the laptop to sleep. When I return home with the lid open, I connect first the USB (power) from the cinema display to the laptop, and then I connect the Mini DisplayPort. When that step works, what happens is that the login screen shows on the cinema display despite the fact that my laptop lid is closed. This is good, and is what I want. At that point, I open the laptop lid and quickly log in.
    With Apple being a mobile device company, I rely on the laptop for tasks that one traditionally may use a desktop for. This simply points to the versatility of the laptop. But I'd like the bugs resolved, so that I do not have to hesitate to make use of the inherent flexibility possible with the MacBook Pro.
    Here's what happens when the process (of connecting the external display in a way that establishes itself as the only screen in use by OS X) fails. Firstly, when I connect the external display via Mini DisplayPort, the laptop doesn't even respond. Instead, it remains asleep. So to work around it I have to repeatedly disconnect and reconnect the Mini DisplayPort so that the asleep MacBook Pro will see that there is a display connected to it. Also, sometimes that isn't even enough and I have to open the laptop lid, and put it to sleep again so as to trigger whatever actions are necessary to recognise the external display (presumably by having the laptop recently awake). Around half the time, I have to play this game of disconnecting and reconnecting until it actually works. This high level of reproducibility (confirmed by the Apple Genius representative's confidence that this part of the system doesn't actually work) should make it easy for an engineer to look into the problem.
    Fatally, and recently, OS X has completely crashed when I have attempted to connect the external display. The external display has gone completely blue, and after a half a minute, it blanked out and my entire laptop became unresponsive. I called Apple Support and was given a case number. I also took the laptop into the retail store to see if I could recover my current session without rebooting. There was no process suggested to make that happen and I was told to reboot the machine. I've had this happen before on other laptops, and it is frustrating that the kernel reaches such a state that it cannot be used. As I see it, this problem is not too unrelated to the way that I need to play a game in order to get the external display connected exclusively. Here are some workarounds that could be added:
    Firstly, whenever I connect an external display, I'd like the laptop to see that this has happened, and to take action accordingly (such as resuming from sleep). Secondly, If I connect an external keyboard, and press a key on it, I'd like this to wake the laptop too (in the event that the first method fails for some unforeseen reason). I'd also like the connection of the cinema display's USB power not to cause the laptop to enter into a confused state between asleep and awake. Sometimes I need to disconnect and reconnect USB power in order to trigger the laptop into waking, but that's only because it's not doing it on its own properly. On the other hand, I also ensure that the laptop doesn't have the Mini DisplayPort connected without also having the cinema display USB power connected, because that also is an unsupported configuration.
    I've also gotten the laptop to become confused about whether it is asleep or awake. When I open the lid, it seems to enter into sleep mode, but closing it seems to bring it into an active state.
    Also, I've successfully logged on and authenticated with the screen showing exclusively on the external display. But just ten seconds after I start using the system, the laptop falls asleep--with the lid open! Whatever triggers that action doesn't seem to be on track. The laptop is open, there are incoming events such as mouse movements and key presses, and the external display is on and is in use. And then the laptop falls asleep! This has happened numerous times. Not only should this not happen; the instances where it does happen can cause further instability and put my system at risk of fatally crashing.
    Also, the authentication system itself is highly buggy--far more than it should be. At times I have opened the laptop lid and caught a glimpse of a window before I have begun the login process. Also, an external authentication application that asks for Kerberos/AFS login credentials has been able to overlay itself on top of the primary authentication (whereas I should only see a single login dialog when I need to authenticate to the system). Also, I've had several of these authentication screens overlay on top of one another, although it's been months since I've experienced that one (so it may have been fixed). Also, around a third of the time, the window that authenticates me (on the black background) somehow transfers itself into the background (even though there's only one window!). What that means is that when I begin to type my password, the laptop starts beeping at me and I need to manually click on the password field and begin entering my password again. This really shouldn't happen, and indicates too much complexity in this authentication process (such as, more OS X code is involved than is strictly necessary, which is likely to make the authentication system more difficult to test). Also, at times, I have been using too much CPU, such that the authentication screen takes too long to emerge. That also means that I'm not able to log on until I uncleanly shut down the laptop. If the laptop has been asleep, and is revived in preparation for login, then that login screen should be given highest priority, even if there are other heavy CPU or I/O intensive tasks running in the background. And maybe the login dialog shouldn't disappear when the user is legitimately attempting to log in. So even if there is a possibility that the system is under heavy resource use (or there is a stall or minor deadlock), it shouldn't prevent the user from logging in altogether.
    At the moment, the very fact that the system shut down uncleanly means that the full disk encryption suite that I used has entered into an undetermined state, suggesting I may lose access to all my data. It's my hope that I can rely on Apple's products to interoperate in a way that won't cause me to be fearful and restrictive in my use, so that I can freely connect an external display at times, and at other times carry the laptop on the road.

    I've got the same problem with a Samsung UE225010 monitor too; it's full HD but it looks terrible. Could it be a DisplayPort adapter issue? Because a couple of months ago I tried with some IPS display, and it looked just as bad.

  • How to use security roles in Weblogic server?

    Hello Gurus,
    I am new to Weblogic server and I am trying to investigate how to make
    use of security roles in weblogic server (5.1.0). Can anyone point me
    to some documentation. Specifically, I am looking for instance level,
    and method level security and how to use it.
    Thanks for taking your time to read this e-mail.
    Thank You all in advance,
    Hari.

    You should read the security information in the Servlet 2.2 specification
    that WL 5.1 implements:
    http://java.sun.com/products/servlet/download.html
    Chapter 11 deals with declarative and programmatic security, and includes a
    section on roles:
    11.4 Roles
    A role is an abstract logical grouping of users that is defined by the
    Application Developer or
    Assembler. When the application is deployed, these roles are mapped by a
    Deployer to security
    identities, such as principals or groups, in the runtime environment.
    A servlet container enforces declarative or programmatic security for the
    principal associated with
    an incoming request based on the security attributes of that calling
    principal. For example,
    1. When a deployer has mapped a security role to a user group in the
    operational environment. The
    user group to which the calling principal belongs is retrieved from its
    security attributes. If the
    principal's user group matches the user group in the operational environment
    that the security
    role has been mapped to, the principal is in the security role.
    2. When a deployer has mapped a security role to a principal name in a
    security policy domain, the
    principal name of the calling principal is retrieved from its security
    attributes. If the principal is
    the same as the principal to which the security role was mapped, the calling
    principal is in the
    security role.
    Cameron Purdy
    http://www.tangosol.com
    "Hari" <[email protected]> wrote in message
    news:[email protected]..
    Hello Gurus,
    I am new to Weblogic server and I am trying to investigate how to make
    use of security roles in weblogic server (5.1.0). Can anyone point me
    to some documentation. Specifically, I am looking for instance level,
    and method level security and how to use it.
    Thanks for taking your time to read this e-mail.
    Thank You all in advance,
    Hari.

  • Need to solve serious security problem with Oracle Reports URL

    As mentioned repeatedly on this forum, Oracle Reports allows serious security breaches that allow users to see reports that they did not generate -- it's easy to guess a legal URL by changing the getjobid parameter.
    I've reviewed the JavaDocs to part of the rwrun.jar file and reviewed some of the example report plugins. This shows promise in helping to solve this security problem but critical pieces are missing.
    1) The javadocs are accurate for only 10g (9.0.4) but not correct for 10g (10.1.2+), which we are currently using. I need access to the updated version of this javadoc.
    2) Even with the updated version of the JavaDoc, I haven't found a class from which to inherit that would give me the opportunity to generate random jobid values, which then would effectively prevent users from guessing other jobid values, and thereby gaining access to others' reports (which in our case may contain sensitive information).
    3) We have found that we can send the parameter=value of EXPIRATION=1 which helps protect such information, but this requires that every program which invokes a report be modified to add this parameter. It would be far better for the report server to be configured to use a java class we write that inherits from some rwrun.jar class that would by default, add the EXPIRATION=1 parameter.
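The post asks for two controls: job ids that cannot be guessed by changing getjobid, and an expiry so that output does not stay readable. The following is an added Python model of both, not Oracle code and not a hook into rwrun.jar (the post notes no such class was found): a job reference drawn from a cryptographic RNG instead of a counter, an owner check on every fetch, and a time-to-live in the spirit of the EXPIRATION parameter. The class name ReportJobStore, the user names and the report contents are constructed for the example.

```python
"""Added example: unguessable, owner-bound report job references.

Not Oracle Reports code and no rwrun.jar hook (the post found none).  A
stand-alone model of the controls the post asks for: job ids from a
cryptographic RNG instead of a counter, an owner check on every fetch and
a time-to-live in the spirit of EXPIRATION=1.  Class, user and report
names are constructed.
"""
import secrets
import time


class ReportJobStore:
    """Issues job references and serves report output only to the job's owner."""

    def __init__(self, ttl_seconds: float = 300.0, id_bytes: int = 16, clock=time.monotonic):
        self._jobs = {}
        self._ttl = ttl_seconds
        self._id_bytes = id_bytes   # 16 bytes = 128 random bits per id
        self._clock = clock         # injectable so expiry can be tested

    def create(self, owner: str, output: bytes) -> str:
        """Store output for owner and return a job id nobody can derive from another."""
        job_id = secrets.token_urlsafe(self._id_bytes)
        self._jobs[job_id] = {"owner": owner, "output": output, "created": self._clock()}
        return job_id

    def fetch(self, job_id: str, requester: str):
        """Return the output, or None if the id is unknown, expired or not the requester's.

        Knowing a valid id is necessary but not sufficient: the owner is
        re-checked server-side on every access, so a leaked or shared URL
        does not hand the report to a second user.
        """
        job = self._jobs.get(job_id)
        if job is None:
            return None
        if self._clock() - job["created"] > self._ttl:
            del self._jobs[job_id]       # expired output is discarded, not served
            return None
        if job["owner"] != requester:
            return None
        return job["output"]


def demo() -> dict:
    """Walk the guess / cross-user / expiry cases and report which are blocked."""
    now = [0.0]
    store = ReportJobStore(ttl_seconds=60.0, clock=lambda: now[0])
    alice_job = store.create("alice", b"alice payroll report (constructed)")
    # the "getjobid+1" move: flip the last character of a known id
    neighbour = alice_job[:-1] + ("A" if alice_job[-1] != "A" else "B")
    results = {
        "owner_reads_own_report": store.fetch(alice_job, "alice") is not None,
        "other_user_denied": store.fetch(alice_job, "mallory") is None,
        "adjacent_id_guess_fails": store.fetch(neighbour, "mallory") is None,
    }
    now[0] = 61.0
    results["expired_denied"] = store.fetch(alice_job, "alice") is None
    return results


if __name__ == "__main__":
    for case, blocked in demo().items():
        print(f"{case}: {blocked}")
```

The owner check is the part that matters most: a random id alone only makes enumeration impractical, while binding the job to the authenticated requester means even an id copied from a browser history or a proxy log returns nothing to anyone else.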

    Hi,
    Thanks for your replies. I will ask an administrator about this security problem, now that I know it depends on a security parameter.
    But I would like to know if it could be possible to hide the technical name of the query in the URL. It could improve the security level of our reports as a first step.
    Thanks a lot,
    JW.

  • Create , delete "security roles" in weblogic console - sample Security providers

    Hi Everyone:
    WebLogic gave out sample Security Providers for versions 7.0 and 8.1. In
    those sample Security Providers, the author of the code used property files as
    the Security Providers database; however, he/she didn't show how to create a
    Manageable Sample Role Mapping Provider or Manageable Sample Authentication
    Provider, so an administrator of the WebLogic console can create and delete
    "security roles" in the WebLogic console.
    Does anyone know how to do that?
    Ming Qin

    "ming qin" <[email protected]> wrote in message news:[email protected]..
    Hi Everyone:
    WebLogic gave out sample Security Providers for versions 7.0 and 8.1. In
    those sample Security Providers, the author of the code used property files as
    the Security Providers database; however, he/she didn't show how to create a
    Manageable Sample Role Mapping Provider or Manageable Sample Authentication
    Provider, so an administrator of the WebLogic console can create and delete
    "security roles" in the WebLogic console.
    Does anyone know how to do that?
    I would ask in the weblogic.developer.interest.management.console newsgroup.
    >
    Ming Qin

  • Optimistic Locking - Possible bug with Weblogic

    After extensive testing of a J2EE application I'm involved with, it would appear there exists a problem with using WebLogic's Optimistic Concurrency (OL) mechanism.
    The exact problem is as follows:
    The ejbCreate and ejbRemove methods of a particular entity bean are as follows:
    public abstract class ProductBean implements javax.ejb.EntityBean {
        public void ejbCreate() throws CreateException {
            FolderEntityHome folderEH = FolderComponent.getFolderEntityHome();
            folderEH.create(getId());
        }

        public void ejbRemove() throws RemoveException {
            FolderEntityHome folderEH = FolderComponent.getFolderEntityHome();
            try {
                FolderBean folder = folderEH.findByProductId(getId());
                // removal of the folder follows here (elided in the original post)
            } catch (InvalidAccessRightsException iare) {
                throw new RemoveException();
            }
        }
    }
    Previously, before OL was added, when a RemoveException was thrown, this would cause the ejbRemove to fail, thus both the product and folder would still exist.
    After adding OL, when an InvalidAccessRightsException occurs giving rise to a RemoveException being thrown, weblogic simply ignores the RemoveException and deletes the Product even though the Folder could not be deleted. This causes system errors when users try to access the folder which contains a link to a product which no longer exists!
    Is anyone aware of this particular problem? Is it indeed a bug with Weblogic? For clarity, I believe I am using version 8.1 and the way in which I have implemented OL is to use an additional version column in the underlying tables for all entity beans.

    In case anyone's interested, it appears from further testing that the problem I've been having with the way the RemoveException behaves is down to the difference in how version 6.0 treats this exception compared to version 8.1!
    In version 6.0, if you threw a RemoteException at any point in ejbRemove(), the entity would not be removed!
    In version 8.1, something weird happens. If a RemoteException is thrown in ejbRemove() and at some point during the same transaction, at the point of commit, an attempt is made to access the entity on which the exception is thrown (through a finder), then the entity is still deleted! If on the other hand a RemoveException is thrown and no access/modification is attempted on that entity within the same transaction, then at the point of commit the entity is not removed!
    Seems this is indeed a problem which needs to be addressed in future releases.

  • Serious security flaw found in IE

    *Important Information*
    A serious security flaw has been found in Internet Explorer today and everybody has been advised by Microsoft not to use Internet Explorer for any confidential banking transactions until the new patch is released.
    The new patch would be released at the earliest and Microsoft advises everybody to use the browser from their rivals until the patch is released.
    Click on the below link to read:
    http://news.bbc.co.uk/2/hi/technology/7784908.stm

    I advise everybody to use the browser from their rivals, even after the patch is released!
    I couldn't agree more
    Maybe the browser was patched now so the data is not stolen by "someone" but by Microsoft instead when surfing MSDN
    </cynicism>
    Markus

  • Conf. a Win2K Security Realm on WebLogic

    Hi! I'm having some problems configuring a security realm in WebLogic
    Server 6.0sp1.
    I'd like WebLogic to use the Windows 2000 security realm as the
    default security (it can be used as the secondary security realm
    if that's the only way).
    We've been trying to make it work for the last two (business) days
    with no hope of being successful at all.
    We are using the BEA documentation 'Managing Security' as reference,
    and we have some doubts about what's in there.
    First doubt: The documentation says that we need to create a new
    security realm of the type Windows NT. OK, we did it. But we are
    not sure about how to fill the field Primary Domain. The documentation
    says to put the host and port of the computer where Users and Groups
    are defined for the NT domain. I'm using the same computer for
    both (NT domain and WebLogic), so I put the host name (babalu).
    Which port should I put?
    Second doubt: The documentation says to create a system user on
    the NT domain using NT administrative tools, name it 'system'
    and set some stuff for it. But Windows 2000 already has a user
    with that name (SYSTE, but capitalized) and the property that I
    should set on it doesn't exist! By the way, on the system user
    that Windows 2000 has I wasn't able to set any property.
    Last doubt (maybe it should be the first one): Does WebLogic 6.0sp1
    support security realms from Windows 2000? Or do I need to download
    another plugin or something like that?
    Thanks for reading and (I hope) answering my questions!
    Roberto Giordano Barra

    Hi! Thanks for the answer. I'll try to run WebLogic as a service.
    In fact, I tried it before but I wasn't able to. I started the service by hand, but I wasn't able to access the server. So, I clicked on the 'remove WebLogic as service' (something like that) in the WebLogic program group. OK, it was removed. But when I tried to put it back I didn't find any funny button to help me! Could you help me with that?
    Another thing. If I use NT Realm as a Caching Realm, will I be able to see the NT users and user groups with the WebLogic management GUI?
    Thanks once again,
    Roberto Giordano Barra
    "arthur" <[email protected]> wrote:
    >
    Hi,
    By saying win2k I am assuming you mean creating an NT realm.
    Do not bother specifying a port, just put the server name.
    You have to ensure that you are running the WebLogic server as an NT service if you want to use the NTrealm.
    Make sure under Caching Realm you specify the NTrealm.
    That should be it.
    Hope this helps.
    Regards,
    -Arthur

  • Secure JSESSIONID for Weblogic running HTTP behind load balancers

    We run multiple Weblogic application servers behind a load balancer. We use an SSL accelerator to avoid encrypt/decrypt functions on the CPUs hosting Weblogic. Our Weblogic servers are running version 10.3.
    Here is my conundrum:
    1) For security purposes, we want the cookie JSESSIONID to be secure.
    2) Weblogic doesn't seem to want to allow me to set this secure flag as there is no HTTPS on Weblogic.
    3) Network performance dictates that we don't want to run weblogic using https.
    Any suggestions to get JSESSIONID set as secure and http-only on a Weblogic server that is not running https?
    Thanks.
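    The requirement in this post (a JSESSIONID cookie carrying the Secure and HttpOnly attributes while WebLogic itself serves plain HTTP behind an SSL accelerator) can be verified from the client side regardless of which component adds the attributes. The script below is an added example for this thread, not WebLogic or BEA/Oracle code: it parses Set-Cookie headers and reports whether the session cookie carries both flags. The two sets of sample headers are constructed for the example, and fetch_set_cookie_headers is an assumed helper for running the same check against a live URL through the load balancer.

```python
"""Audit the Secure/HttpOnly attributes on a session cookie.

Added example for this thread, not WebLogic code. The sample Set-Cookie
headers below are constructed; nothing here talks to a real server unless
fetch_set_cookie_headers() is called explicitly.
"""
import urllib.request


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string because they carry no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie_headers, name="JSESSIONID"):
    """Return a list of findings for the named cookie.

    An empty list means every Set-Cookie for that name carries both Secure
    (never sent over plain HTTP) and HttpOnly (not readable by page script).
    """
    findings = []
    seen = False
    for header in set_cookie_headers:
        cookie_name, _, attrs = parse_set_cookie(header)
        if cookie_name != name:
            continue
        seen = True
        if "secure" not in attrs:
            findings.append(name + " lacks Secure: browser will also send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(name + " lacks HttpOnly: readable by script in the page")
    if not seen:
        findings.append("no " + name + " cookie in response")
    return findings


def fetch_set_cookie_headers(url):
    """Assumed helper for a live check: request the URL (through the load
    balancer, over HTTPS) and return every Set-Cookie header it sends."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample responses: what a WebLogic front end might send before
# and after the cookie attributes are added.
SAMPLE_WEAK = ["JSESSIONID=abc123!-1; Path=/", "theme=dark; Path=/"]
SAMPLE_HARDENED = ["JSESSIONID=abc123!-1; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label + ":", audit_session_cookie(headers) or ["ok"])
```

    Because both attributes live in the Set-Cookie header and the accelerator owns the TLS leg, the place that adds them (a header rewrite on the accelerator, or the container) matters less than confirming what browsers actually receive; running this check against the public HTTPS URL after any change is the test that the requirement is met.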


  • Serious security concern: PDF dropped encryption & unable to re-encrypt. Get error 18

    Hi,
    I am really hoping that someone can help since this is a serious security issue for us.
    We had a document encrypted with a password (required to open it). However, over several rounds of comments and reviews (which included adding blank pages for lengthy comments), somewhere along the line the PDF "dropped encryption." It has recently been noted that the PDF opens without a password. So, I tried to re-encrypt it but it gives the following error: "The document could not be saved. There was a problem reading this document (18)." Considering that there could be a disk I/O issue, I have copied this file to different disks and yet the error remains.
    Is there any way, regardless of how user-unfriendly it might be, to encrypt this file? Adding a password to the file outside of the PDF (e.g. zipping/compressing it with a password) is not an option. I am on Acrobat 10.1.7 on MS Windows 7 Professional.
    Please help!
    Thanks,
    Suny

    If you applied a user password (required for opening the file) but didn't also set an author password (required to change permissions) then anyone who opens the file in Acrobat can easily remove the encryption, as once past the initial prompt they have total control.
    Unlike with an author password, the user password on a PDF file encrypts the entire file stream; so any bit-level corruption during save or transfer cannot remove it - the encrypted stream would be altered (damaging the file contents) but it would not suddenly become plain; any more than a random bit change would turn English into French.
    You could try a low-level Preflight repair, but once a file has been corrupted it's very unlikely that you can continue to work with it. One option would be to export the annotations to a datafile (via the options menu on the Comments Panel), re-create the underlying document from source, then re-import the annotations.
