Using J2EE Security Correctly

Regrettably my job consists of "working by the seat of my pants" on a continual basis. As such, I sometimes feel that although I can design a solution that "works", I often know there is a better design out there; it's only my limitations of knowledge and experience that keep me from it. With that said, here is my question:
I have been working on a system that entails multiple groups of users. Let's say Group A and Group B for argument's sake. For security's sake (and by strict direction from my up-line managers) it was decided to store information for each group in its own set of tables (e.g. message tables would be split as Group1Messages, Group2Messages) with entity beans for each (Group1MessageBean and Group2MessageBean) to enhance security.
Group1 would have full access to its respective beans and Group2 would have full access to its respective beans. Now here's the rub. There are some methods of Group1's bean that Group2 will be able to access. As the Group1 bean uses a database connection with its own database user (e.g. a group1 database user), when Group2 is accessing Group1's bean, how can the database know which group is accessing/updating the information? Can the database know which group/role had accessed the bean for recording into the database? Can the bean use a different user/pwd authentication to the dbase depending on which group/role is accessing the bean for data?
If anyone has any suggestions here or resources to point me to I would greatly appreciate it.
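One way to answer the question above is to let the container do the authentication and have the bean ask it who the caller is. This is an added example in Java, not code from the original poster: an EJB 3.x stateless session bean in front of the Group1 message table. The pool still connects as the single group1 database user, but every write is stamped with the application principal's name and every read by a Group2 caller is narrowed and audited. The JNDI name `jdbc/Group1DS`, the columns `updated_by`, `updated_at` and `shared_with_group2`, the `Group1Audit` table and the role names are all assumptions for the example.

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.sql.DataSource;

@Stateless
public class Group1MessageService {

    @Resource
    private SessionContext ctx;   // injected by the container; knows the authenticated caller

    @Resource(lookup = "java:comp/env/jdbc/Group1DS")   // assumed JNDI name of the Group1 pool
    private DataSource group1Ds;

    /** Full access: only members of Group1 may change a message. */
    @RolesAllowed("Group1")
    public void updateSubject(long messageId, String subject) throws SQLException {
        String caller = callerName();
        try (Connection c = group1Ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "UPDATE Group1Messages SET subject = ?, updated_by = ?, "
                 + "updated_at = CURRENT_TIMESTAMP WHERE id = ?")) {
            ps.setString(1, subject);
            ps.setString(2, caller);   // the application principal, not the pool's database user
            ps.setLong(3, messageId);
            if (ps.executeUpdate() != 1) {
                throw new SQLException("no Group1 message with id " + messageId);
            }
        }
        audit("Group1", "updateSubject " + messageId);
    }

    /** The one method Group2 is also allowed to call on Group1's data. */
    @RolesAllowed({"Group1", "Group2"})
    public List<String> listSubjects() throws SQLException {
        // Group2 callers only see messages Group1 has flagged as shared; Group1 sees all.
        boolean restricted = !ctx.isCallerInRole("Group1");
        String sql = restricted
            ? "SELECT subject FROM Group1Messages WHERE shared_with_group2 = 1"
            : "SELECT subject FROM Group1Messages";
        List<String> subjects = new ArrayList<>();
        try (Connection c = group1Ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                subjects.add(rs.getString(1));
            }
        }
        audit(restricted ? "Group2" : "Group1", "listSubjects");
        return subjects;
    }

    private String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "anonymous" : p.getName();
    }

    /** Record who did what; assumed table Group1Audit(actor, role, action). */
    private void audit(String role, String action) throws SQLException {
        try (Connection c = group1Ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "INSERT INTO Group1Audit (actor, role, action) VALUES (?, ?, ?)")) {
            ps.setString(1, callerName());
            ps.setString(2, role);
            ps.setString(3, action);
            ps.executeUpdate();
        }
    }
}
```

The design choice here is that the database identity stays fixed (one pooled user per schema, which is what the managers asked for) while the application identity travels with the row. If the database itself must see the caller, the same `callerName()` value can be pushed into the session before each statement (on Oracle, for example, through `DBMS_SESSION.SET_IDENTIFIER`), which lets database-side auditing and fine-grained access policies key on it without opening a separate connection per role.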

Thanks for the answer. Indeed I had this </login-config>login-config> in code but after I made the correct changes I get the same error as before, j_security_check redirects to the error page as if the credentials would be wrong.
Another problem that I'd like to point is that I can't view any error message at console. How can I view in Console some errors from j_security_check?
Any other idea will be helpful for me.
Thanks

Similar Messages

  • Securing a 1.5 web service using J2EE security and JDev 11g

    Hello,
    I'm looking for a tutorial or similar that will help me create a secure (1.5 EE with annotations) web service. I'm interested in just the development view at this point - xml file mods, etc.
    I did find a good resource on how to do this in 10.1:
    http://www.oracle.com/technology/products/jdev/101/howtos/securews/index.html
    and am wondering if it has been updated (even beta!) or in another form.
    Thanks

    Steve,
    The WSDLBaseURL property just prepends a string to the WSDL URL property so that you can abstract out the protocol, server and port values separately depending on the target system you wish to hit for the service call.
    Regards,
    Sam

  • Using dynamic groups for j2ee security

    Hi all,
    I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
    Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute)
    How do I configure my realm in my server.xml to get this working?

    Hi,
    I got an official answer from SUN.
    "Dynamic Groups" are no longer supported with SJS AS 7!
    It will probably be supported with SJS AS 8 SE.
    If you have an iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate.

  • How to use ADF Security policies in OID Ldap

    Hello
    My application uses ADF security policies created by Jdeveloper ADF Security Wizard and page definition Edit Authorization menu. The application runs as expected using file based system-jazn-data.xml. I used the JAZNMigrationTool in order to migrate XML based policies to LDAP based policies. LDIF file was generated by the tool and then using the LDAPModify command the file was uploaded to the OID. No errors were generated during this process.
    I used Oracle Directory Manager in order to examine the migration result, and compare the output to that described by
    Introduction to ADF Security in JDeveloper 10.1.3.2
    An Oracle JDeveloper Article
    Written by Frank Nimphius, Oracle Corporation
    February, 2007
    I was expecting to find Read, Update privileges in the orcljaznpermissionaction and the attribute name in the orcljaznpermissiontarget as shown in Fig 15 ADF security entry in OID.
    To narrow down the source of the issue, we examined the LDIF file, and there was no reference to these entries. Below is one example entry from the LDIF file:
    dn: orclguid=EF37EAA603C611DDBFAE635A1BB60EE0,cn=Permissions,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
    changetype: add
    objectclass: orcljaznpermission
    objectclass: groupofuniquenames
    objectclass: top
    cn: EF37EAA603C611DDBFAE635A1BB60EE0
    orclGuid: EF37EAA603C611DDBFAE635A1BB60EE0
    orcljaznjavaclass: java.security.UnresolvedPermission
    orcljaznpermissiontarget: oracle.adf.share.security.authorization.AttributePermission
    orcljaznpermissionactions:
    uniquemember: orclguid=EF37EAA203C611DDBFAE635A1BB60EE0,cn=Grantees,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
    Note that the orcljaznpermissionactions is empty and orcljaznpermissiontarget does not really specify the actual attribute name.
    The system-jazn-data.xml includes all entries correctly.
    rgds

    Eureka
    finally solved,
    running the JAZNMigrationTool requires setting the correct classpath,
    Setting the classpath to the following
    C:\>Set CLASSPATH=d:\jdevstudio10132\j2ee\home\jazn.jar
    allows you to run the JAZNMigrationTool successfully, however you will find that the generated LDIF file does not include the permission actions (Read, Update ...)
    if however, you add the adfshare.jar to the classpath
    C:\>Set CLASSPATH=d:\jdevstudio10132\j2ee\home\jazn.jar;d:\jdevstudio10132\BC4J\lib\adfshare.jar
    now the tool will migrate the permission policies; the following shows an extract from the LDIF file
    dn: orclguid=A5E662E204D411DDBF8807BC4864C5C2,cn=Permissions,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
    changetype: add
    objectclass: orcljaznpermission
    objectclass: groupofuniquenames
    objectclass: top
    cn: A5E662E204D411DDBF8807BC4864C5C2
    orclGuid: A5E662E204D411DDBF8807BC4864C5C2
    orcljaznjavaclass: oracle.adf.share.security.authorization.AttributePermission
    orcljaznpermissiontarget: AppModuleDataControl.VRoleAuthorrizationsView1.RanDateTo
    orcljaznpermissionactions: read,update
    uniquemember: orclguid=A5E662E104D411DDBF8807BC4864C5C2,cn=Grantees,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
    Ammar Sajdi
    www.e-ammar.com/Oracle.html

  • Custom Policy vs. J2EE Security

    Hi there, Java Security architecture gurus,
    I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
    The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
    I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it is not necessary to reimplement things like the AccessController and privileged actions.
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programmatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
    I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
    Thanks,
    Christoph

    Chris,
    There is a very good article from IBM that implements the same thing you are trying to implement, i.e. instance based security and also a custom Policy (you may need this).
    http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    Custom policy is required primarily if you are going away from the default policy format that sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
    In your CustomPolicy.java getPermissions() method, the following code goes at the end of the function:
    // If the permission is not found here then delegate it
    // to the standard java Policy class instance.
    java.security.Policy policy = java.security.Policy.getPolicy();
    return policy.getPermissions(codeSource);
    Hope this helps.
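To show the delegation idea from the reply above in a complete class, here is an added example in Java (not the IBM article's code and not the poster's). It keeps instance-level application permissions in a database-style store that is consulted on every check, so ACL changes take effect immediately without Policy.refresh(), and hands everything else (FilePermission, PropertyPermission, ...) to the policy that was installed before it. Note that it captures the previous policy *before* calling Policy.setPolicy(): once the custom policy is installed, Policy.getPolicy() returns the custom policy itself, so delegating through getPolicy() at that point would recurse. The `AclStore` interface, the `AppPermission` class and the JDK 9 to 17 runtime (where java.security.Policy is still usable) are assumptions of the example.

```java
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class DatabaseBackedPolicy extends Policy {

    /** Hypothetical lookup over the ACL table: principal name -> granted application permissions. */
    public interface AclStore {
        Collection<Permission> permissionsFor(String principalName);
    }

    private final Policy systemPolicy;   // the policy that was in force before ours
    private final AclStore acl;

    public DatabaseBackedPolicy(Policy systemPolicy, AclStore acl) {
        this.systemPolicy = systemPolicy;
        this.acl = acl;
    }

    /** Install: capture the current (file-based) policy first so we can delegate to it later. */
    public static DatabaseBackedPolicy install(AclStore acl) {
        DatabaseBackedPolicy p = new DatabaseBackedPolicy(Policy.getPolicy(), acl);
        Policy.setPolicy(p);
        return p;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        // Application permissions are decided per principal from the store, read live.
        if (permission instanceof AppPermission) {
            for (Principal p : domain.getPrincipals()) {
                for (Permission granted : acl.permissionsFor(p.getName())) {
                    if (granted.implies(permission)) return true;
                }
            }
            return false;
        }
        // System permissions stay with the original policy.
        return systemPolicy.implies(domain, permission);
    }

    @Override
    public PermissionCollection getPermissions(CodeSource codeSource) {
        // A code-source-only query carries no principal, so only the system policy can answer it.
        return systemPolicy.getPermissions(codeSource);
    }

    @Override
    public void refresh() {
        systemPolicy.refresh();   // our own data is read on every check; nothing to reload
    }

    /** Example instance-level permission: name is "order:<id>", actions "read" and/or "write". */
    public static final class AppPermission extends BasicPermission {
        private final String actions;
        public AppPermission(String name, String actions) { super(name); this.actions = actions; }
        @Override public String getActions() { return actions; }
        @Override public boolean implies(Permission p) {
            // BasicPermission.implies checks class and name (with wildcards); then require the action
            return super.implies(p) && actions.contains(((AppPermission) p).actions);
        }
        @Override public boolean equals(Object o) {
            return super.equals(o) && actions.equals(((AppPermission) o).actions);
        }
        @Override public int hashCode() { return super.hashCode() ^ actions.hashCode(); }
    }

    /** Stand-alone demonstration with a constructed in-memory store. */
    public static void main(String[] args) {
        Map<String, Collection<Permission>> table = new ConcurrentHashMap<>();
        table.put("alice", List.<Permission>of(new AppPermission("order:42", "read,write")));
        DatabaseBackedPolicy policy = install(name -> table.getOrDefault(name, List.<Permission>of()));
        ProtectionDomain alice = new ProtectionDomain(null, null, null, new Principal[] { () -> "alice" });

        System.out.println("alice read order:42  -> " + policy.implies(alice, new AppPermission("order:42", "read")));
        System.out.println("alice read order:43  -> " + policy.implies(alice, new AppPermission("order:43", "read")));
        table.put("alice", List.<Permission>of());   // revoke at runtime; no refresh() needed
        System.out.println("after revoke         -> " + policy.implies(alice, new AppPermission("order:42", "read")));
    }
}
```

The principal-based check only works when the ProtectionDomain carries principals, which is what JAAS's Subject.doAs / doAsPrivileged arrange; plain code-source checks continue to behave exactly as the default policy file dictates.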

  • How to find solution for avoiding WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product

    HI All,
    We are using Oc4j version 10g 10.1.3, and while starting the container we are getting the warning below; let me know if anyone has a solution for this.
    14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
    Please take the appropriate actions to migrate to an alternative strategy! **********
    2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
    of this product!

    I just checked my BIOS and my current setting is set at IDE although it also mentions that the default should be AHCI. Currently I have a dual boot of Windows 7 (need it for Tax software) and Arch
    So I guess, when I get the new HDD, I will first set it to AHCI and then install the OSes on it. See if NCQ helps any, and if not I will turn it back and re-install (if I have to). I am planning to have Windows only in virtualbox in the new drive.
    Anyhoo, while I was in the BIOS I found two things which I had questions about :
    1) Under Onboard Devices --> Integrated NIC, my setting is currently set at "On w/PXE" and it says the default should be just "On". Would it be ok to change it back to On since it's a single machine and it's not booting an OS from any server? I just don't want to have to re-install anything now since I will be doing that on the new HDD.
    2) How would I know whether my BIOS would support a 64 bit OS in Virtualbox? I checked some setting under Virtualization, but they weren't very clear.
    I will edit this post and let you know exactly what settings were present under the Virtualization sub-section.

  • J2EE Security

    Hi! I'm starting to develop my first J2EE application and I'm using WebLogic Server 6.1 as a J2EE application server.
    My application will consist of JSP pages in the presentation tier and Enterprise Java Beans in the business tier.
    I would like to know how to implement security in my application.
    Should I use the security provided by WebLogic, or is it better to implement a security system using for example sessions?
    Best Regards
    Joao Seixas.

    Hi! I'm starting to develop my first J2EE application and I'm using WebLogic Server 6.1 as a J2EE application server. My application will consist of JSP pages in the presentation tier and Enterprise Java Beans in the business tier. I would like to know how to implement security in my application. Should I use the security provided by WebLogic, or is it better to implement a security system using for example sessions?
    You should follow the security mechanism provided by J2EE.
    This will mean that your application is portable across containers.
    You can find a good tutorial at the following location:
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html

  • ADF Mobile - Security. Serving custom, non-j2ee security policies.

    We are trying to achieve session management across our ADF Mobile app.
    We were hoping to use the ADF Mobile inbuilt security framework.
    However our Mobile App is simply a UI interface to a large Enterprise App which already has a custom security framework (entirely database based) in place.
    The enterprise app exposes RESTful interfaces (JAX-RS, Jersey) for functionality which the mobile app consumes.
    This question has broadly 2 parts to it.
    1. Does ADF Mobile inbuilt security work ONLY with J2ee container managed security realm service?
    2. Can ADF Mobile inbuilt security be made to work with a custom application security framework?
    Following are the challenges we face in dealing with the 2nd question,
    2a. We need to extricate the Username and Password from the request as sent by the ADF Mobile default login page
    2b. Based on the authenticated state (using the custom security framework) assign Roles to the user and set the response.
    2c. In the Mobile app use the custom roles to drive UI.
    2d. One of the statements in the documentation says that irrespective of successful or failed login the Springboard will be visible. Can this be prevented?
    2e. Can we maintain session while achieving the last 4?
    Using the following JAX-RS annotations it has been impossible to retrieve any user credentials at our webservice end.
    @Context SecurityContext, @Context HttpServletRequest, @CookieParams,  @HeaderParam

    Hi,
    here's how you do it
    - application roles are defined in jazn-data.xml
    - Write a custom JAAS LoginModule that authenticates against the database
    - Create WLS authentication provider for your JAAS LoginModule and configure it in WLS
    - LoginModule returns principal for user and the user group memberships
    - User logs in via login.jspx
    - WLS authenticates user
    - Security context is updated with user and user roles
    Frank
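The second step of Frank's list, a JAAS LoginModule that authenticates against the database, is the part with the most room for mistakes, so here is an added example in Java (not Frank's code and not an Oracle-supplied module). It collects the credentials through the standard callbacks, looks the user up with a parameterized query, verifies a salted PBKDF2 hash in constant time, returns a user principal plus one principal per group membership, and gives the same failure message whether the user is unknown or the password is wrong. The `app_user` and `app_user_group` tables, the `dataSource` option key and the two principal classes are assumptions; WebLogic's own authentication provider would expect its own principal implementations in place of them.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;

public class DatabaseLoginModule implements LoginModule {

    /** Minimal principal types (assumed); a container normally supplies its own. */
    public static class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    public static final class GroupPrincipal extends UserPrincipal {
        public GroupPrincipal(String name) { super(name); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private DataSource ds;
    private String user;
    private final List<String> groups = new ArrayList<>();
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.ds = (DataSource) options.get("dataSource");   // assumed option key
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("could not collect credentials");
        }
        char[] password = pc.getPassword();   // a copy; the callback's own copy is cleared next
        pc.clearPassword();
        if (nc.getName() == null || password == null) {
            throw new FailedLoginException("bad username or password");
        }
        try (Connection c = ds.getConnection()) {
            try (PreparedStatement ps = c.prepareStatement(
                     "SELECT salt, pwd_hash FROM app_user WHERE username = ? AND enabled = 1")) {
                ps.setString(1, nc.getName());
                try (ResultSet rs = ps.executeQuery()) {
                    // One message for "no such user" and "wrong password": no account enumeration.
                    if (!rs.next() || !verify(password, rs.getString(1), rs.getString(2))) {
                        throw new FailedLoginException("bad username or password");
                    }
                }
            }
            try (PreparedStatement gs = c.prepareStatement(
                     "SELECT group_name FROM app_user_group WHERE username = ?")) {
                gs.setString(1, nc.getName());
                try (ResultSet rs = gs.executeQuery()) {
                    while (rs.next()) groups.add(rs.getString(1));
                }
            }
        } catch (SQLException | GeneralSecurityException e) {
            throw new LoginException("authentication store unavailable");
        } finally {
            Arrays.fill(password, '\0');   // do not leave the clear-text password on the heap
        }
        user = nc.getName();
        succeeded = true;
        return true;
    }

    /** PBKDF2-HMAC-SHA256 over the stored Base64 salt, compared in constant time. */
    static boolean verify(char[] password, String saltB64, String hashB64) throws GeneralSecurityException {
        byte[] salt = Base64.getDecoder().decode(saltB64);
        byte[] expected = Base64.getDecoder().decode(hashB64);
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, expected.length * 8);
        byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return MessageDigest.isEqual(expected, actual);
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(user));   // the user's identity...
        for (String g : groups) subject.getPrincipals().add(new GroupPrincipal(g));   // ...and memberships
        return true;
    }

    @Override
    public boolean abort() { succeeded = false; user = null; groups.clear(); return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);   // covers GroupPrincipal too
        return true;
    }
}
```

The group principals added in commit() are what the container maps to the application roles declared in jazn-data.xml, which is the step where "security context is updated with user and user roles" in Frank's list happens.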

  • Connecting to 802.11a AP using WPA security - no go

    I have an AP that is set to 802.11a (5GHz) using WPA security and is set to hide its SSID. My iMac is connecting to this AP without any problems whatever frequency I set on the AP, hide/show SSID. The problem is: the MacBook does not show this AP in the AP list when requested; if I select other and enter correct settings (SSID and WPA passkey) it says "connection timed out", and the AP does not show any signs that something even tried to connect to it.
    The only resort is to use 802.11g, when I can connect to the AP without any problems.
    In Network Utility it shows that it supports 802.11a/b/g/n.
    Hope I gave enough details.
    Later today I will try to set WPA2 instead of WPA, also will try to set no security settings at all.
    any thoughts how to force it to connect to 5GHz AP?
    edit:
    forgot to say why i want to switch to 5GHz - the problem is - lately many 2.4GHz b/g APs popped up in neighborhood and started to cause latency/interference as some manage to follow me over frequencies i set up.
    Message was edited by: janiskr

    OK, setting to WPA2 solved the issue, because still, with the WPA configuration I was not able to connect. Allowing TKIP and WPA2 allowed the MacBook to connect. Also the iMac changed the settings to WPA2 and it didn't matter that it had correct settings for WPA.
    weird.
    maybe someone could point out how to set these things explicitly, so i can choose what settings are in use.

  • Certificate Issue in web services Using j2ee in oracle apps 11i

    Hi all,
    I am working with web services integration in oracle apps 11i. I used j2ee technology. I installed j2eesdk-1_4_03 and test with j2eetutorial. I have to integrate third party payment system with web services in oracle apps 11i. I run following commands in putty
    build: asant build
    packing: asant create-war
    deploy: asant deploy-war
    client java:
    compile: asant build
    run: asant run
    While I run the "asant run" command, I get the error below:
    sun.security.validator.ValidatorException: No trusted certificate found
    I added third party certification but i got same error which i mentioned above.
    Are any certificates or settings needed to run the web services in EBS?
    Thanks
    Edited by: 910361 on Nov 1, 2012 7:09 AM

    Hi,
    I did the settings according to your advice; I got the error below when I ran the following command to add the certificate to the keystore.
    command:
    keytool -import -keystore /usr/j2ee/jdk/jre/lib/security/cacerts -file /usr/Class3G2.cer
    Error:
    keytool error: java.lang.Exception: Input not an X.509 certificate
    Thanks
    Edited by: 910361 on Jan 27, 2012 4:38 AM
    Edited by: 910361 on Jan 27, 2012 4:39 AM
    Edited by: 910361 on Jan 27, 2012 4:39 AM
    Edited by: 910361 on Jan 27, 2012 5:29 AM
    Edited by: 910361 on Nov 1, 2012 7:09 AM

  • SOAP and J2EE security

    We have deployed several SOAP services (Apache SOAP) on a WLS6.1 server. Since more and more services are being deployed, people are getting worried about security. I was wondering what the best solution was to do authentication and authorization on EJB and method level for SOAP clients? I was thinking about the following solution: use the standard J2EE security by defining security constraints in the ejb-jar.xml file. Therefore every client needs to provide credentials to use the EJBs (this should work for both RMI/IIOP and SOAP clients).
    What are your ideas and opinions about this solution ?
    If you post a reply please CC to [email protected]

    Hi,
    Let me know if you find answer of your question.
    thanks

  • Use of security in web service

    Hi,
    I have tried to use security from the example jaas-sample of JWSDP 1.5.
    I just want to secure my web service with a username/password.
    When I called my service from the client... I see the XML flow:
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
    <wsse:UsernameToken>
    <wsse:Username>Ron</wsse:Username>
    <wsse:Password>****</wsse:Password>
    <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">3k18Sv+DMhcO3aoq6YWLB4xa</wsse:Nonce>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2005-03-01T15:26:05Z</wsu:Created>
    </wsse:UsernameToken>
    </wsse:Security>
    </env:Header>
    <env:Body>
    <ns0:getInformations/>
    </env:Body>
    </env:Envelope>
    It seems to be correct but I get an exception:
    Thread : main at 01 mars 2005 16:10:06,593 ERROR Error occured during retrieving informations
    java.rmi.ServerException: JAXRPCSERVLET28 : Informations sur le port manquant
         at com.sun.xml.rpc.client.StreamingSender._raiseFault(StreamingSender.java:497)
         at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:294)
    It works when I don't use the security option (in wscompile)...
    Have you any idea for a solution?

    Hi,
    I tried the xws-security samples and everything worked fine.
    After editing the "java.security" according to the manual with:
    security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
    After that change and a restart of the application server I get the same error message.
    I copied the jar file "bcprov-jdk14-127.jar" from bouncycastle to the jre/lib/ext folder.
    I will check further.
    br
    Dieter

  • Use Adf Security In jspx page

    Hi guys,
    Currently I am using default ADF security. Is there any way to use the same security on my login jspx page?
    Thanks,
    Raul

    Hi user,
    I hope that you are looking for
    http://www.fireboxtraining.com/blog/2012/02/09/oracle-adf-11g-authentication-using-custom-adf-login-form/
    http://docs.oracle.com/cd/E26098_01/web.1112/e16182/adding_security.htm
    Please see it if you want a custom login.
    Figure 35-3 Using the Configure ADF Security Wizard to Generate a Simple Login Page
    There are lots of YouTube videos; just Google it.
    This is to Timo:
    What do you mean by '...I am using default adf security...'
    If I understood correctly: while creating a new Fusion web app and configuring ADF security, HTTP Basic Authentication comes as the default option. He is mentioning it in that way.
    Do you want to secure the login page itself? This doesn't make sense as you need to login to get to the login page.
    I hope he is not asking what you mentioned.
    From my experience I will interpret it like this:
    "Currently I am using default adf security."
    He is currently using default ADF security (HTTP Basic Authentication).
    "Is there any way to use the same security on my login jspx page?"
    He needs to use the same ADF security concept on a custom login page.
    Thanks

  • J2ee Security methods in JSF

    Is it possible to bind to J2EE Security methods in JSF pages, like request.getUserPrincipal() or request.isUserInRole("rolename")?

    Hi,
    Actually, you can use EL if you create a method in a managed bean to check for a specific role membership. Reference the method, which returns true or false, from EL. Note that EL cannot have arguments and for this reason you cannot directly pass in role names as arguments.
    Frank
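A managed bean of the kind Frank describes, as an added example in Java (not code from the thread). It exposes the caller's name, a fixed-role method for `#{security.admin}`, and, going a step beyond the reply, a Map-valued property so a page can name the role itself without method arguments: EL resolves `#{security.inRole['auditor']}` to `Map.get("auditor")`, which the bean turns into `isUserInRole`. The bean name `security` and a JSF 2.x runtime with `javax.faces.bean` annotations are assumptions.

```java
import java.security.Principal;
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

@ManagedBean(name = "security")   // assumed bean name, referenced from EL as #{security...}
@RequestScoped
public class SecurityBean {

    private ExternalContext ext() {
        // ExternalContext wraps the servlet request, so these are the same container-managed
        // answers request.getUserPrincipal() / request.isUserInRole() would give.
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** #{security.userName}: empty string when no one is authenticated. */
    public String getUserName() {
        Principal p = ext().getUserPrincipal();
        return p == null ? "" : p.getName();
    }

    /** #{security.loggedIn} */
    public boolean isLoggedIn() {
        return ext().getUserPrincipal() != null;
    }

    /** Fixed-role accessor as in the reply: #{security.admin} */
    public boolean isAdmin() {
        return ext().isUserInRole("admin");
    }

    /**
     * Role name chosen by the page: #{security.inRole['auditor']}.
     * Only get() is meaningful; the map is deliberately not enumerable so nothing can list roles.
     */
    public Map<String, Boolean> getInRole() {
        return new AbstractMap<String, Boolean>() {
            @Override
            public Boolean get(Object role) {
                return role != null && ext().isUserInRole(role.toString());
            }

            @Override
            public Set<Map.Entry<String, Boolean>> entrySet() {
                return Collections.emptySet();
            }
        };
    }
}
```

In a page this reads as `rendered="#{security.inRole['admin']}"` on the component to hide, with the role string coming from web.xml's security-role declarations. Hiding a button is presentation only; the action it triggers still needs its own server-side check (the EJB @RolesAllowed or a web.xml security-constraint), because a request can be crafted without the page.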

  • JAAS or regular J2EE Security?

    Hi, can someone offer me some examples of why I should prefer JAAS (and vice versa) over J2EE security via constraints and roles in web.xml? I'm just not sure which to use...
    Thanks...

    Hi,
    you should have a look towards jGuard to use JAAS in J2EE in an easy way:
    homepage:
    http://jguard.sourceforge.net/
    sourceforge page:
    http://sourceforge.net/projects/jguard
    it hides the JAAS complexity, and enables dynamic configuration, and great flexibility!
    sincerely yours,
    Charles(jguard team).
