Using J2EE Security Correctly
Regrettably my job consists of "working by the seat of my pants" on a continual basis. As such, I sometimes feel that although I can design a solution that "works", I often know there is a better design out there; it's only my limitations of knowledge and experience that keep me from it. With that said, here is my question:
I have been working on a system that entails multiple groups of users. Let's say Group A and Group B for argument's sake. For security's sake (and by strict direction from my up-line managers) it was decided to store information for each group in its own set of tables (e.g. message tables would be split as Group1Messages and Group2Messages) with entity beans for each (Group1MessageBean and Group2MessageBean) to enhance security.
Group1 would have full access to its respective beans and Group2 would have full access to its respective beans. Now here's the rub. There are some methods of Group1's bean that Group2 will be able to access. As the Group1 bean uses a database connection using its own database user (e.g. a group1 database user), when Group2 is accessing Group1's bean, how can the database know which group is accessing/updating the information? Can the database know which group/role had accessed the bean, for recording into the database? Can the bean use a different user/password authentication to the database depending on which group/role is accessing the bean for data?
If anyone has any suggestions here or resources to point me to I would greatly appreciate it.
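As an added illustration of the mechanism the question turns on (example code, not from the original post or any product), here is a Group1 bean written in EJB 3 style that asks the container which role is calling and writes that into the row, so the database keeps a per-role audit trail while the pool still connects as the single group1 database user. The JNDI name jdbc/Group1DS, the table columns and the role names Group1/Group2 are assumptions:

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.sql.DataSource;

/**
 * Hypothetical Group1 message bean (EJB 3 style). The container authenticates
 * the caller; the bean asks the container who that is and records it in the row,
 * so the database sees the acting user and role even though the pool always
 * connects as the single "group1" database user.
 */
@Stateless
public class Group1MessageBean {

    @Resource
    private SessionContext ctx;

    // Assumed JNDI name of the pool that connects as the group1 database user.
    @Resource(lookup = "jdbc/Group1DS")
    private DataSource group1Pool;

    /** Both groups may post replies to Group1 messages; the row records which one did. */
    @RolesAllowed({"Group1", "Group2"})
    public void postReply(long parentId, String body) throws SQLException {
        Principal caller = ctx.getCallerPrincipal();
        String actingRole = actingRole();

        try (Connection c = group1Pool.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "INSERT INTO Group1Messages (parent_id, body, created_by, created_role) "
                 + "VALUES (?, ?, ?, ?)")) {
            ps.setLong(1, parentId);
            ps.setString(2, body);
            ps.setString(3, caller.getName());   // application user, not the DB user
            ps.setString(4, actingRole);         // the role the container confirmed
            ps.executeUpdate();
        }
    }

    /** Only Group1 may delete its own messages; the container enforces this before the body runs. */
    @RolesAllowed("Group1")
    public void deleteMessage(long messageId) throws SQLException {
        try (Connection c = group1Pool.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "DELETE FROM Group1Messages WHERE id = ?")) {
            ps.setLong(1, messageId);
            ps.executeUpdate();
        }
    }

    /**
     * Resolve which of the two roles is acting. isCallerInRole is answered by the
     * container from the deployment descriptor, so the bean never trusts a
     * role name supplied by the client.
     */
    private String actingRole() {
        if (ctx.isCallerInRole("Group1")) return "Group1";
        if (ctx.isCallerInRole("Group2")) return "Group2";
        // Unreachable when @RolesAllowed is enforced; kept as a defensive check.
        throw new EJBAccessException("caller is in neither Group1 nor Group2");
    }
}
```

DataSource.getConnection(user, password) would let the bean open the connection under a different database user per role, which is the other option the question raises, but it moves database passwords into application code; recording the container-verified role in the row (or feeding it to a database-side audit trigger) keeps one credential per table set and still tells the database who acted.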
Thanks for the answer. Indeed I had this </login-config>login-config> in the code, but after I made the correct changes I get the same error as before: j_security_check redirects to the error page as if the credentials were wrong.
Another problem that I'd like to point out is that I can't view any error message in the console. How can I view errors from j_security_check in the console?
Any other idea will be helpful for me.
Thanks
Similar Messages
-
Securing a 1.5 web service using J2EE security and JDev 11g
Hello,
I'm looking for a tutorial or similar that will help me create a secure (1.5 EE with annotations) web service. I'm interested in just the development view at this point - xml file mods, etc.
I did find a good resource on how to do this in 10.1:
http://www.oracle.com/technology/products/jdev/101/howtos/securews/index.html
and am wondering if it has been updated (even beta!) or in another form.
Thanks
Steve,
The WSDLBaseURL property just prepends a string to the WSDL URL property so that you can abstract out the protocol, server and port values separately depending on the target system you wish to hit for the service call.
Regards,
Sam -
Using dynamic groups for j2ee security
Hi all,
I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute).
How do I configure my realm in my server.xml to get this working?
Hi,
I got an official answer from SUN.
"Dynamic Groups" are not supported (any longer) with SJS AS 7!
It will probably be supported with SJS AS 8 SE.
If you have a iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate. -
How to use ADF Security policies in OID Ldap
Hello
My application uses ADF security policies created by Jdeveloper ADF Security Wizard and page definition Edit Authorization menu. The application runs as expected using file based system-jazn-data.xml. I used the JAZNMigrationTool in order to migrate XML based policies to LDAP based policies. LDIF file was generated by the tool and then using the LDAPModify command the file was uploaded to the OID. No errors were generated during this process.
I used Oracle Directory Manager in order to examine the migration result, and compare the output to that described by
Introduction to ADF Security in JDeveloper 10.1.3.2
An Oracle JDeveloper Article
Written by Frank Nimphius, Oracle Corporation
February, 2007
I was expecting to find Read, Update privileges in the orcljaznpermissionaction and the attribute name in the orcljaznpermissiontarget as shown in Fig 15 ADF security entry in OID.
To narrow down the source of the issue, we examined the LDIF file, and there was no reference to these entries. Below is one example entry from the LDIF file:
dn: orclguid=EF37EAA603C611DDBFAE635A1BB60EE0,cn=Permissions,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
changetype: add
objectclass: orcljaznpermission
objectclass: groupofuniquenames
objectclass: top
cn: EF37EAA603C611DDBFAE635A1BB60EE0
orclGuid: EF37EAA603C611DDBFAE635A1BB60EE0
orcljaznjavaclass: java.security.UnresolvedPermission
orcljaznpermissiontarget: oracle.adf.share.security.authorization.AttributePermission
orcljaznpermissionactions:
uniquemember: orclguid=EF37EAA203C611DDBFAE635A1BB60EE0,cn=Grantees,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
Note that orcljaznpermissionactions is empty and orcljaznpermissiontarget does not really specify the actual attribute name.
The system-jazn-data.xml includes all entries correctly.
rgds
Eurika
finally solved,
running the JAZNMigrationTool requires setting the correct classpath.
Setting the classpath to the following
C:\>Set CLASSPATH=d:\jdevstudio10132\j2ee\home\jazn.jar
allows you to run the JAZNMigrationTool successfully; however, you will find that the generated LDIF file does not include the permission actions (Read, Update ...)
If, however, you add adfshare.jar to the classpath
C:\>Set CLASSPATH=d:\jdevstudio10132\j2ee\home\jazn.jar;d:\jdevstudio10132\BC4J\lib\adfshare.jar
the tool will now migrate the permission policies. The following shows an extract from the LDIF file:
dn: orclguid=A5E662E204D411DDBF8807BC4864C5C2,cn=Permissions,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
changetype: add
objectclass: orcljaznpermission
objectclass: groupofuniquenames
objectclass: top
cn: A5E662E204D411DDBF8807BC4864C5C2
orclGuid: A5E662E204D411DDBF8807BC4864C5C2
orcljaznjavaclass: oracle.adf.share.security.authorization.AttributePermission
orcljaznpermissiontarget: AppModuleDataControl.VRoleAuthorrizationsView1.RanDateTo
orcljaznpermissionactions: read,update
uniquemember: orclguid=A5E662E104D411DDBF8807BC4864C5C2,cn=Grantees,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
Ammar Sajdi
www.e-ammar.com/Oracle.html -
Custom Policy vs. J2EE Security
Hi there, Java Security architecture gurus,
I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.
Now, I have the following questions:
- Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
- Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
The alternative approach would probably be J2EE security, at the cost of restricting the app to the J2EE environment. To me it seems impossible to implement instance-based security with role-based descriptive J2EE security. With programmatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
Thanks,
Christoph
Chris,
There is a very good article from IBM that implements the same thing you are trying to implement, i.e. instance-based security, and also a custom Policy (you may need this).
http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
Now, I have the following questions:
- Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
Custom policy is required primarily if you are going away from the default policy format that Sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
- Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
In your CustomPolicy.java, the following code goes at the end of the getPermissions() method, with the default policy kept in a field:
// Default policy, captured before this custom Policy is installed with
// Policy.setPolicy(): calling Policy.getPolicy() inside getPermissions()
// would return this instance once installed and recurse forever.
private final java.security.Policy defaultPolicy = java.security.Policy.getPolicy();
// If the permission is not found here then delegate it
// to the standard java Policy class instance.
return defaultPolicy.getPermissions(codeSource);
Hope this helps. -
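To show the two answers above end to end (an added example, not the IBM article's code and not the original poster's), here is a Policy subclass that answers application permissions from a per-principal table and hands everything else to the policy that was active before it was installed. The in-memory map stands in for the ACL query, ResourcePermission and the principal name alice are constructed, and the default policy is captured in the constructor rather than looked up with Policy.getPolicy() at check time, because after Policy.setPolicy() that call returns the custom policy itself:

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical Policy whose instance-level grants live in a table keyed by
 * principal (an in-memory map stands in for the ACL query here). Anything that
 * is not an application permission is delegated to the policy that was active
 * before this one was installed.
 */
public class DatabaseBackedPolicy extends Policy {

    /** Application permission on one instance, e.g. name "document:42", action "read". */
    public static final class ResourcePermission extends Permission {
        private final String action;

        public ResourcePermission(String name, String action) {
            super(name);
            this.action = action;
        }

        @Override public boolean implies(Permission p) {
            return p instanceof ResourcePermission
                && getName().equals(p.getName())
                && action.equals(((ResourcePermission) p).action);
        }
        @Override public boolean equals(Object o) {
            return o instanceof ResourcePermission && implies((Permission) o);
        }
        @Override public int hashCode() { return getName().hashCode() * 31 + action.hashCode(); }
        @Override public String getActions() { return action; }
    }

    // Captured at construction, BEFORE Policy.setPolicy(this): once installed,
    // Policy.getPolicy() returns this object, and delegating to it would recurse forever.
    private final Policy defaultPolicy;

    // Constructed stand-in for the ACL table: principal name -> granted permissions.
    private final Map<String, Set<ResourcePermission>> acl = new HashMap<>();

    public DatabaseBackedPolicy(Policy defaultPolicy) {
        this.defaultPolicy = defaultPolicy;
        grant("alice", new ResourcePermission("document:42", "read"));
    }

    /** Rights change at runtime by updating the table; no Policy.refresh() is involved. */
    public void grant(String principal, ResourcePermission p) {
        acl.computeIfAbsent(principal, k -> new HashSet<>()).add(p);
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (!(permission instanceof ResourcePermission)) {
            // FilePermission, PropertyPermission, ... are not in the database:
            // answer them from the original policy.
            return defaultPolicy.implies(domain, permission);
        }
        Principal[] principals = domain.getPrincipals();
        if (principals == null) return false;
        for (Principal principal : principals) {
            for (ResourcePermission granted
                    : acl.getOrDefault(principal.getName(), Collections.emptySet())) {
                if (granted.implies(permission)) return true;
            }
        }
        return false; // application permissions are denied unless explicitly granted
    }

    @Override
    public PermissionCollection getPermissions(CodeSource codeSource) {
        // Code-source grants from the policy file still come from the original policy.
        return defaultPolicy.getPermissions(codeSource);
    }

    @Override public void refresh() { defaultPolicy.refresh(); }

    public static void main(String[] args) {
        DatabaseBackedPolicy policy = new DatabaseBackedPolicy(Policy.getPolicy());
        Policy.setPolicy(policy);
        Principal alice = () -> "alice";
        ProtectionDomain aliceDomain = new ProtectionDomain(null, null, null, new Principal[] {alice});
        System.out.println(policy.implies(aliceDomain, new ResourcePermission("document:42", "read")));
        System.out.println(policy.implies(aliceDomain, new ResourcePermission("document:42", "update")));
        policy.grant("alice", new ResourcePermission("document:42", "update"));
        System.out.println(policy.implies(aliceDomain, new ResourcePermission("document:42", "update")));
    }
}
```

Because the decision is made in implies() rather than by building a PermissionCollection up front, a grant or revoke in the table takes effect on the next check; the delegation branch is what keeps FilePermission and friends out of that table, as the answer recommends.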
Hi All,
We are using OC4J version 10g 10.1.3, and while starting the container we get the warning below; let me know if anyone has a solution for this.
14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
Please take the appropriate actions to migrate to an alternative strategy! **********
2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
of this product! -
I just checked my BIOS and my current setting is set at IDE, although it also mentions that the default should be AHCI. Currently I have a dual boot of Windows 7 (I need it for tax software) and Arch.
So I guess, when I get the new HDD, I will first set it to AHCI and then install the OSes on it, and see if NCQ helps any; if not, I will turn it back and re-install (if I have to). I am planning to have Windows only in VirtualBox on the new drive.
Anyhoo, while I was in the BIOS I found two things which I had questions about:
1) Under Onboard Devices --> Integrated NIC, my setting is currently set at "On w/PXE" and it says the default should be just "On". Would it be OK to change it back to On, since it's a single machine and it's not booting an OS from any server? I just don't want to have to re-install anything now, since I will be doing that on the new HDD.
2) How would I know whether my BIOS would support a 64-bit OS in VirtualBox? I checked some settings under Virtualization, but they weren't very clear.
I will edit this post and let you know exactly what settings were present under the Virtualization sub-section. -
Hi! I'm starting to develop my first J2EE application and I'm using WebLogic Server 6.1 as the J2EE application server.
My application will consist of JSP pages in the presentation tier and enterprise java beans in the business tier.
I would like to know how to implement security in my application.
Should I use the security provided by WebLogic, or is it better to implement a security system using, for example, sessions?
Best Regards
Joao Seixas.
You should follow the security mechanism provided by J2EE.
This will mean that your application is portable across containers.
You can find a good tutorial at the following location:
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html -
ADF Mobile - Security. Serving custom, non-j2ee security policies.
We are trying to achieve session management across our ADF Mobile app.
We were hoping to use the ADF Mobile inbuilt security framework.
However our Mobile App is simply a UI interface to a large Enterprise App which already has a custom security framework(entirely database based) in place.
The enterprise app exposes RESTful interfaces(JAX-RS-Jersey) for functionality which the mobile app consumes.
This question has broadly 2 parts to it.
1. Does ADF Mobile inbuilt security work ONLY with J2ee container managed security realm service?
2. Can ADF Mobile inbuilt security be made to work with a custom application security framework?
Following are the challenges we face in dealing with the 2nd question,
2a. We need to extricate the Username and Password from the request as sent by the ADF Mobile default login page
2b. Based on the authenticated state(using custom security framework) assign Roles to the user and set the response.
2c. In the Mobile app use the custom roles to drive UI.
2d. One of the statements in the documentation says that irrespective of successful or failed login the Springboard will be visible. Can this be prevented?
2e. Can we maintain session while achieving the last 4?
Using the following JAX-RS annotations it has been impossible to retrieve any user credentials at our webservice end.
@Context SecurityContext, @Context HttpServletRequest, @CookieParams, @HeaderParam
Hi,
here's how you do it
- application roles are defined in jazn-data.xml
- Write a custom JAAS LoginModule that authenticates against the database
- Create WLS authentication provider for your JAAS LoginModule and configure it in WLS
- LoginModule returns principal for user and the user group memberships
- User logs in via login.jspx
- WLS authenticates user
- Security context is updated with user and user roles
Frank -
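The LoginModule step in the list above, as an added example (not Frank's code and not an Oracle or WebLogic artefact): the module verifies the password against a salted PBKDF2 hash in the user table and, on commit(), adds one principal for the user and one per group membership. The two maps are a constructed stand-in for the database tables, the user alice with her password and groups is made up, and NamedPrincipal is a placeholder for whatever principal classes the server's authentication provider expects; wrapping the module as a WLS provider is not shown.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical JAAS LoginModule: credentials are checked against a user table,
 * and on commit the Subject receives a user principal plus one per group.
 * The maps stand in for the database; NamedPrincipal for the server's types.
 */
public class DatabaseLoginModule implements LoginModule {

    // Constructed sample rows: the table stores a salted PBKDF2 hash, never the password.
    private static final byte[] SALT = "constructed-per-user-salt".getBytes();
    private static final Map<String, byte[]> PASSWORD_HASH = new HashMap<>();
    private static final Map<String, List<String>> GROUPS = new HashMap<>();
    static {
        PASSWORD_HASH.put("alice", pbkdf2("correct horse battery".toCharArray(), SALT));
        GROUPS.put("alice", Arrays.asList("employees", "approvers"));
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean authenticated;
    private final List<Principal> added = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: verify the credentials without touching the Subject yet. */
    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nameCb, passCb});
        } catch (Exception e) {
            throw new LoginException("could not obtain credentials: " + e.getMessage());
        }
        char[] password = passCb.getPassword() == null ? new char[0] : passCb.getPassword();
        passCb.clearPassword();
        byte[] stored = PASSWORD_HASH.get(nameCb.getName());
        // Hash even for unknown users so the response time does not reveal valid names.
        byte[] expected = stored != null ? stored : pbkdf2("placeholder".toCharArray(), SALT);
        boolean ok = MessageDigest.isEqual(expected, pbkdf2(password, SALT)) && stored != null;
        Arrays.fill(password, '\0');
        if (!ok) throw new FailedLoginException("invalid username or password");
        user = nameCb.getName();
        authenticated = true;
        return true;
    }

    /** Phase 2: the whole login stack succeeded, so populate the Subject. */
    @Override
    public boolean commit() {
        if (!authenticated) return false;
        added.add(new NamedPrincipal(user));
        for (String g : GROUPS.getOrDefault(user, Collections.emptyList())) {
            added.add(new NamedPrincipal("group:" + g));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { reset(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(added); reset(); return true; }
    private void reset() { user = null; authenticated = false; added.clear(); }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Placeholder principal type; a real provider would use the server's own classes. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        LoginModule module = new DatabaseLoginModule();
        module.initialize(subject, callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("correct horse battery".toCharArray());
            }
        }, new HashMap<String, Object>(), new HashMap<String, Object>());
        if (module.login()) module.commit();
        System.out.println(subject.getPrincipals());
    }
}
```

The split between login() and commit() matters in a stacked configuration: the Subject is only populated once every required module has succeeded, and abort() discards the pending principals otherwise.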
Connecting to 802.11a AP using WPA security - no go
I have an AP that is set to 802.11a (5GHz) using WPA security and is set to hide its SSID. My iMac connects to this AP without any problems, whatever frequency I set on the AP, hide/show SSID. The problem is: the MacBook does not show this AP in the AP list when requested; if I select Other and enter the correct settings (SSID and WPA passkey) it says "connection timed out", and the AP does not show any signs that something even tried to connect.
The only resort is to use 802.11g, where I can connect to the AP without any problems.
In Network Utility it shows that it supports 802.11a/b/g/n.
Hope I gave enough details.
Later today I will try to set WPA2 instead of WPA, and will also try with no security settings at all.
Any thoughts on how to force it to connect to the 5GHz AP?
edit:
Forgot to say why I want to switch to 5GHz - the problem is that lately many 2.4GHz b/g APs popped up in the neighborhood and started to cause latency/interference, as some manage to follow me over the frequencies I set up.
Message was edited by: janiskrok. Setting it to WPA2 solved the issue; with the WPA configuration I was still not able to connect. Allowing TKIP and WPA2 allowed the MacBook to connect. Also the iMac changed its settings to WPA2, and it didn't matter that it had the correct settings for WPA.
Weird.
Maybe someone could point out how to set these things explicitly, so I can choose what settings are in use. -
Certificate Issue in web services Using j2ee in oracle apps 11i
Hi all,
I am working on web services integration in Oracle Apps 11i. I used J2EE technology. I installed j2eesdk-1_4_03 and tested with the j2eetutorial. I have to integrate a third-party payment system with web services in Oracle Apps 11i. I run the following commands in PuTTY:
build: asant build
packing: asant create-war
deploy: asant deploy-war
client java:
compile: asant build
run: asant run
While i run the "asant run" command, i got below the error
sun.security.validator.ValidatorException: No trusted certificate found
I added third party certification but i got same error which i mentioned above.
Are any certificates or settings needed to run the web services in EBS?
Thanks
Edited by: 910361 on Nov 1, 2012 7:09 AM
Hi,
I did the settings according to your advice, and I got the error below when I ran the command below to add the certificate to the keystore.
command:
keytool -import -keystore /usr/j2ee/jdk/jre/lib/security/cacerts -file /usr/Class3G2.cer
Error:
keytool error: java.lang.Exception: Input not an X.509 certificate
Thanks
Edited by: 910361 on Jan 27, 2012 4:38 AM -
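Before adding any certificate to the JRE's cacerts, where it becomes trusted by every application on that JRE, it is worth checking what the file actually contains. The added example below (not from the thread) parses the file with the same CertificateFactory keytool uses, so it fails on the same inputs, reports whether the bytes look like DER, PEM or something else (a .cer that is really an HTML page or UTF-16 text would fail exactly this way), and prints subject, issuer, expiry and SHA-256 fingerprint to compare against the value the CA publishes. The file path is taken from the command line; /usr/Class3G2.cer is only the path from the post.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Inspects a certificate file the way keytool parses it: CertificateFactory "X.509"
 * accepts DER, PEM and PKCS#7 chains, and rejects everything else.
 * Assumed usage: java CertInspect /usr/Class3G2.cer
 */
public class CertInspect {

    /** Returns the certificates in the file, or fails with keytool's own wording. */
    static List<X509Certificate> load(byte[] data) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new ByteArrayInputStream(data)) {
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
        } catch (IOException e) {
            throw new CertificateException(e);
        }
        if (out.isEmpty()) throw new CertificateException("Input not an X.509 certificate");
        return out;
    }

    /** Colon-separated SHA-256 fingerprint over the DER encoding, as CAs publish it. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** The first bytes tell apart DER (0x30), PEM ("-----BEGIN") and something else. */
    static String sniff(byte[] data) {
        if (data.length == 0) return "empty file";
        if ((data[0] & 0xFF) == 0x30) return "DER (ASN.1 SEQUENCE)";
        if (data.length > 1 && (data[0] & 0xFF) == 0xFF && (data[1] & 0xFF) == 0xFE) {
            return "UTF-16 text (not a certificate encoding)";
        }
        String head = new String(data, 0, Math.min(data.length, 32), StandardCharsets.ISO_8859_1);
        if (head.startsWith("-----BEGIN")) return "PEM";
        return "unrecognised; starts with: " + head.trim();
    }

    public static void main(String[] args) throws Exception {
        byte[] data = Files.readAllBytes(Paths.get(args[0]));
        System.out.println("container: " + sniff(data));
        for (X509Certificate cert : load(data)) {
            cert.checkValidity();   // throws if expired or not yet valid
            System.out.println("subject:   " + cert.getSubjectX500Principal());
            System.out.println("issuer:    " + cert.getIssuerX500Principal());
            System.out.println("expires:   " + cert.getNotAfter());
            System.out.println("sha256:    " + sha256Fingerprint(cert));
        }
    }
}
```

If the fingerprint does not match what the CA publishes, the file should not be imported, whatever format it turns out to be in; and importing into the application's own truststore rather than the JRE-wide cacerts limits the blast radius of a mistaken import.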
We have deployed several SOAP services (Apache SOAP) on a WLS6.1 server. Since more and more services are being deployed, people are getting worried about security. I was wondering what the best solution was to do authentication and authorization on EJB and method level for SOAP clients? I was thinking about the following solution: use the standard J2EE security by defining security constraints in the ejb-jar.xml file. Therefore every client needs to provide credentials to use the EJBs (this should work for both RMI/IIOP and SOAP clients).
What are your ideas and opinions about this solution?
If you post a reply please CC to [email protected]
Hi,
Let me know if you find the answer to your question.
thanks -
Use of security in web service
Hi,
I have tried to use security from the jaas-sample example of JWSDP 1.5.
I just want to secure my web service with a username/password.
When I call my service from the client, I see the XML flow:
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>Ron</wsse:Username>
<wsse:Password>****</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">3k18Sv+DMhcO3aoq6YWLB4xa</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2005-03-01T15:26:05Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
<env:Body>
<ns0:getInformations/>
</env:Body>
</env:Envelope>
It seems to be correct, but I get an exception:
Thread : main at 01 mars 2005 16:10:06,593 ERROR Error occured during retrieving informations
java.rmi.ServerException: JAXRPCSERVLET28 : Informations sur le port manquant
at com.sun.xml.rpc.client.StreamingSender._raiseFault(StreamingSender.java:497)
at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:294)
It works when I do not use the security option (in wscompile)...
Do you have any idea for a solution?
Hi,
I tried the xws-security samples and everything worked fine.
After editing the "java.security" according to the manual with:
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
After that change and a restart of the application server I get the same error message.
I copied the jar file "bcprov-jdk14-127.jar" from bouncycastle to the jre/lib/ext folder.
I will check further.
br
Dieter -
Hi guys,
Currently I am using default ADF security. Is there any way to use the same security on my login jspx page?
Thanks,
Raul
hi user,
i hope that you are looking for
http://www.fireboxtraining.com/blog/2012/02/09/oracle-adf-11g-authentication-using-custom-adf-login-form/
http://docs.oracle.com/cd/E26098_01/web.1112/e16182/adding_security.htm
please see this if you want a custom login:
Figure 35-3 Using the Configure ADF Security Wizard to Generate a Simple Login Page
there are lots of youtube videos. just google it.
this is to timo:
"What do you mean by '...I am using default adf security...'"
if i understood correctly: while creating a new fusion web app and configuring adf-security, HTTP Basic Authentication comes as the default option. he is mentioning it in that way.
"do you want to secure the login page itself? This doesn't make sense as you need to login to get to the login page."
i hope he is not asking what you mentioned.
from my experience i interpret it like this:
"Currently I am using default adf security."
he is currently using default adf security (HTTP Basic Authentication).
"is there any way to use same security on my login jspx page."
he needs to use the same adf-security concept on a custom login page.
Thanks -
Is it possible to bind to J2EE security methods in JSF pages, like request.getUserPrincipal() or request.isUserInRole("rolename")?
Hi,
actually you can use EL if you create a method in a managed bean to check for a specific role membership. Reference the method - which returns true or false - from EL. Note that EL cannot have arguments, and for this reason you cannot directly pass in role names as arguments.
Frank -
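Frank's managed-bean approach, as an added example (not his code): a request-scoped bean that forwards to ExternalContext, which wraps the servlet request, so #{securityBean.approver} gives the same answer as request.isUserInRole("approver"). The bean name, the role names approver and manager, and the JSF 2 annotations are assumptions.

```java
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 * Hypothetical request-scoped bean exposing container security to EL.
 * ExternalContext wraps the servlet request, so these calls return the same
 * answers as request.getUserPrincipal() and request.isUserInRole(...).
 */
@ManagedBean(name = "securityBean")
@RequestScoped
public class SecurityBean {

    private static ExternalContext ctx() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** EL: #{securityBean.userName}; empty when the request is unauthenticated. */
    public String getUserName() {
        return ctx().getUserPrincipal() == null ? "" : ctx().getUserPrincipal().getName();
    }

    /** EL: #{securityBean.approver}; the role name is fixed here because EL 2.1 takes no arguments. */
    public boolean isApprover() {
        return ctx().isUserInRole("approver");   // assumed role name from web.xml
    }

    /** EL: #{securityBean.manager} */
    public boolean isManager() {
        return ctx().isUserInRole("manager");    // assumed role name from web.xml
    }
}
```

In the page this reads as `<h:commandButton value="Approve" rendered="#{securityBean.approver}"/>`. Hiding a control this way is a usability measure, not an access control: the action it triggers still needs a server-side check (a security-constraint in web.xml or @RolesAllowed on the bean it calls), because a client can submit the request without the button. EL 2.2 (JSF 2.0 on Servlet 3.0 containers) later allowed method arguments, so `#{securityBean.inRole('approver')}` became possible, but the one-method-per-role form above works on every EL version.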
JAAS or regular J2EE Security?
Hi, can some offer me some examples of why I should prefer JAAS (and vice versa) over J2EE security via constraints and roles in web.xml? I'm just not sure which to use...
Thanks...
hi,
you should have a look at jGuard to use JAAS in j2ee in an easy way:
homepage:
http://jguard.sourceforge.net/
sourceforge page:
http://sourceforge.net/projects/jguard
it hides the JAAS complexity, and enables dynamic configuration and great flexibility!
sincerely yours,
Charles (jGuard team).