App Security

Similar Messages

• IOS 7 mail app security concerns

  I just witnessed something that made me very concerned about the iOS 7 Mail App security. I was changing my mail account password. (I am still stuck with a Hotmail account.) So after I changed my Hotmail account password in a desktop web browser, I was expecting to do the same on my iPhone. But, what I observed totally shocked me -- I was still able to receive and send emails from my iPhone using the Apple Mail App (that still had my old password!) for some time before the Mail app crashed and only when I restarted it, it then prompted me for a password.
  Now picture a more dire situation. Someone steals my iPhone. I immediately log in to Hotmail and change my password. But the thief with my iPhone can still send and receive emails from my Hotmail account. I don't need to go any further with what this can lead to, right!

  TJBUSMC1973 wrote:
  Den B. wrote:
  I just witnessed something that made me very concerned about the iOS 7 Mail App security. I was changing my mail account password. (I am still stuck with a Hotmail account.) So after I changed my Hotmail account password in a desktop web browser, I was expecting to do the same on my iPhone. But, what I observed totally shocked me -- I was still able to receive and send emails from my iPhone using the Apple Mail App (that still had my old password!) for some time before the Mail app crashed and only when I restarted it, it then prompted me for a password.
  Now picture a more dire situation. Someone steals my iPhone. I immediately log in to Hotmail and change my password. But the thief with my iPhone can still send and receive emails from my Hotmail account. I don't need to go any further with what this can lead to, right!
  If a thief steals your phone, then hopefully you put a passcode lock on your phone, and are also using Find My iPhone.
  Guys, don't lead it in the wrong direction. This is not about setting up the passcode. Obviously that is the way to protect your data. But as you probably heard from Apple themselves about half of people who use iOS devices don't have passlocks set up. At this point I'm concerned why the Mail App lets me send and receive emails with the old password?

• HT1937 I forger my app security questions what I have to do please ?

  I forger my app security questions what I have to do please ?

  You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.
  (100820)

• Web app security not working

  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
  app.
  I created an App and created a web project. In it, I deleted the controller, etc
  and just have index. jsp. All the index.jsp does is: <%= request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>
  When I run the app, it just renders the JSP and does not challenge me to login.
  Can you please help what is that I am doing wrong here?
  Thanks,
  John

  "john hryn" <[email protected]> wrote in message
  news:3fce2551$[email protected]..
  >
  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
  app.
  I created an App and created a web project. In it, I deleted thecontroller, etc
  and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>I think you should have dealers instead of *
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>And here too.
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>

• Web app security + JAAS

  I'm working on the authentication/authorisation aspects of a fairly
  large web application using WLS 6.0 (ie allowing users to login and
  access resources based on role etc).
  Its a standard JSP/Servlet/EJB type architecture and so far it seems
  the FORM-based authentication will serve our needs well. However, I've
  been instructed (by higher powers) to investigate JAAS authentication.
  It looks far more complex to implement so my question is, does it
  offer any significant advantages that justify the extra work?
  Thanks for your time.

  "john hryn" <[email protected]> wrote in message
  news:3fce2551$[email protected]..
  >
  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
  app.
  I created an App and created a web project. In it, I deleted thecontroller, etc
  and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>I think you should have dealers instead of *
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>And here too.
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>

• Web app security question

  Hi,
  I have a basic question about securing web applications. In our app, we have myRealm
  pointing to an LDAP store. The store has (lets say) a group called 'dealers' and
  it has a user 'dealer1'.
  Now, in WEB-INF/weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>
  Does the role name in weblogic.xml map to the groups called dealers in LDAP? I
  have no specific roles configured in myRealm.
  Thanks,
  John

  "John Hryn" <[email protected]> wrote in message
  news:3fce2328$[email protected]..
  >
  Hi,
  I have a basic question about securing web applications. In our app, wehave myRealm
  pointing to an LDAP store. The store has (lets say) a group called'dealers' and
  it has a user 'dealer1'.
  Now, in WEB-INF/weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>
  Does the role name in weblogic.xml map to the groups called dealers inLDAP? I
  have no specific roles configured in myRealm.
  Yes. http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html#1036790
  You can specify groups or individual usernames.

• Web app security exception: Bad URLMatchMap

  Can anyone help me diagnose an error? I am simply trying to place a security constraint
  on a servlet within an ear-deployed web-application.
  The exception occurs as the first POST comes to the servlet I am trying to protect:
  <Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
  java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
  at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
  at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAp
  pSecurity.java:135)
  at weblogic.servlet.security.internal.SecurityModule.checkTransport(Secu
  rityModule.java:177)
  at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSe
  curityModule.java:48)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess
  (ServletSecurityManager.java:150)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppSe
  rvletContext.java:1250)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestIm
  pl.java:1622)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  >
  <?xml version="1.0" ?>
  <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
  'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
  <web-app>
  <display-name>ANSWeb</display-name>
  <description>no description</description>
  <servlet>
  <servlet-name>UPMessageServlet</servlet-name>
  <display-name>UPMessageServlet</display-name>
  <description>no description</description>
  <servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
  </servlet>
  <servlet>
  <servlet-name>ANSServlet</servlet-name>
  <display-name>ANSServlet</display-name>
  <description>no description</description>
  <servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
  <load-on-startup />
  </servlet>
  <servlet>
  <servlet-name>WCTPServlet</servlet-name>
  <display-name>WCTPServlet</display-name>
  <description>no description</description>
  <servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
  </servlet>
  <servlet-mapping>
  <servlet-name>UPMessageServlet</servlet-name>
  <url-pattern>/UPMessage</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>ANSServlet</servlet-name>
  <url-pattern>/Server</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>WCTPServlet</servlet-name>
  <url-pattern>/WCTPCallback</url-pattern>
  </servlet-mapping>
  <session-config>
  <session-timeout>30</session-timeout>
  </session-config>
  <resource-ref>
  <description>no description</description>
  <res-ref-name>url/ANS.dtd</res-ref-name>
  <res-type>java.net.URL</res-type>
  <res-auth>Container</res-auth>
  </resource-ref>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Protected Server</web-resource-name>
  <url-pattern>/Server</url-pattern>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>Client</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
  <role-name>Client</role-name>
  </security-role>
  <ejb-ref>
  <description>no description</description>
  <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <home>com.aether.ans.server.ANSServerHome</home>
  <remote>com.aether.ans.server.ANSServer</remote>
  </ejb-ref>
  <ejb-ref>
  <description>no description</description>
  <ejb-ref-name>ejb/Alert</ejb-ref-name>
  <ejb-ref-type>Entity</ejb-ref-type>
  <home>com.aether.ans.entity.AlertHome</home>
  <remote>com.aether.ans.entity.Alert</remote>
  </ejb-ref>
  </web-app>
  <?xml version="1.0" ?>
  <!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
  'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
  <weblogic-web-app>
  <description>no description</description>
  <security-role-assignment>
  <role-name>Client</role-name>
  <principal-name>Client</principal-name>
  </security-role-assignment>
  <reference-descriptor>
  <resource-description>
  <res-ref-name>url/ANS.dtd</res-ref-name>
  <jndi-name>ans.url.dtd</jndi-name>
  </resource-description>
  <ejb-reference-description>
  <ejb-ref-name>ejb/Alert</ejb-ref-name>
  <jndi-name>ejb.Alert</jndi-name>
  </ejb-reference-description>
  <ejb-reference-description>
  <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
  <jndi-name>ejb.ANSServer</jndi-name>
  </ejb-reference-description>
  </reference-descriptor>
  </weblogic-web-app>

  Hi Andrew,
  Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
  Kind Regards,
  Alex

• Web app security ... i don't get it

  I do not get it how do one configure web.xml
  I want every page to be protected against unlogged user and some pages only to some of them
  From what I read it's only necessary to have only one root role that every user is part of and then any sub-role is recognized
  My use case:
  every page should be protected against unauthorized user
  <security-constraint>
          <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
          <web-resource-collection>
              <web-resource-name>JSF Pages</web-resource-name>
              <url-pattern>/faces/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
              <role-name>fullaccess</role-name>
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint>and I want that managers only to have access to /managers so I guess that a new </security-constraint> must be issued to allow the users that have managers role to access the resource.
  <security-constraint>
          <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
          <web-resource-collection>
              <web-resource-name>JSF Pages</web-resource-name>
              <url-pattern>/faces/manager/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
              <role-name>managers</role-name> ????
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint> What are the roles that must be declared in web.xml knowing that
  <security-role-assignment>
           <role-name>fullaccess</role-name>
           <principal-name>public</principal-name>
       </security-role-assignment>
  </weblogic-web-app> and in the realm public group has a member 'managers' (that in my opp must not be mapped)?
  ..on the moment there is only
    <security-role>
          <description>acces pe toate paginile web</description>
          <role-name>fullaccess</role-name>
      </security-role>thanks, Florin POP

  Hi guys.
  A username and password info to connect to BC is the following:
  Username - Your adobe ID email
  Password - Your password.
  To connect to SFTP its...
  Server: Just the address (yoursite.businesscatalyst.com)
  username - yoursite.businesscatalyst.com/[email protected]
  Password - your password.

• Web app security & IIS?

  I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
  authentication. I don't want to use FORM because the original Perl app (from which
  my web app is derived) also used BASIC and I don't want the interface to change.
  I've found that the security works great if I go directly to the weblogic server,
  so it looks like the problem is with IIS (we're fowarding requests from IIS to
  WebLogic). I think the problem lies in my web.xml. It has this in it:
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>MLV Users Only</realm-name>
  </login-config>
  From what I can tell, weblogic just uses the realm-name as a label in the dialog
  box that pops up, and for nothing else. My guess is that IIS is really trying
  to use this as a security realm.
  Am I on the right track? Anyone got any hints?
  Gary

  "john hryn" <[email protected]> wrote in message
  news:3fce2551$[email protected]..
  >
  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
  app.
  I created an App and created a web project. In it, I deleted thecontroller, etc
  and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>I think you should have dealers instead of *
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>And here too.
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>

• Adobe Connect Mobile App Security Setting?

  Every time I try to log onto a meeting with my iPhone it tells me there is a Network Error. From what I have read on other fourms there is a "Secure Login" setting which must be unchecked in order to stop this error. What I need to know is where this setting is? Does the host have to change this setting or is it in the App? Where? No one seems to be saying where the setting actually is.

  The secure login applies if you have SSL enabled on your server. If you do not use SSL, then you would not use that setting.
  That check box appears on the main login screen when you choose "Member" login. It does not appear for the "Guest" login.

• Testing oracle apps security in reports

  Hi,
  I have a report which is running fine in Report builder 6i and also in Oracle apps(this is a customized report for oracle apps).
  Now I need to test the security in Oracle apps. As per the advice provided in metalink I added
  1) added a user parameter P_CONC_REQUEST_ID
  2) added "srw.user_exit('FND SRWINIT');" to the BeforeReport trigger
  3) added "srw.user_exit('FND SRWEXIT');" to the AfterReport trigger
  But now when I try to run in Oracle apps it gives below error
  REP-1416: 'beforereport': User exit 'FND'. IAF GET: unknown column 'P_CONC_REQUEST_ID'.
  Please help on how to solve this issue. Any help is appreciated

  Thanks for the reply. The problem still persists.
  The same metalink gives another solution as below but when I add the below to the report I couldn't compile. It gives "identifier hr_standard.event must be declared". Anyone used this before, if so how to use the same.
  3. If the issue is not resolved try placing the calls mentioned in 2 with
  hr_standard.event('BEFORE REPORT');
  hr_standard.event('AFTER REPORT');
  Metalink is
  How To Enable Hr Security on Custom Reports? [ID 369345.1]

• Mapping Apps security profiles in Discoverer

  Hello
  We wish to implement a 2-tiered security architecture. We already have the 1st tier in place in Disco Admin by assigning specific Business Areas to responsibilities.
  However, we also want to use the Apps custom Security Profiles to restrict access to tables and views through Discoverer Admin.
  How can this be implemented? Any examples would be most welcome.
  Thanks
  Sanjib Manna
  Oracle Practice
  IBM Business Consulting

  You can use the following query to look for all the security profiles. You can join the hr_operating_units to fnd_profile_option_values.level_value to get the desired result.
  SELECT psp.security_profile_name,
         psp.security_profile_id,
         hou.NAME,
         hou.organization_id
    FROM per_security_profiles psp,
         per_security_organizations pso,
         hr_operating_units hou
  WHERE pso.security_profile_id = psp.security_profile_id
     AND pso.organization_id = hou.organization_id;Additionally, you can also have a look at the below MOS docs.
  How To Check If a Profile Option Is Set In Oracle Applications? [ID 470102.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To List E-Business Suite Profile Option Values For All Levels Using SQLPlus [ID 201945.1]
  Script To List The Values Of A Profile Option At All Levels [ID 803587.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To Find All Users With A Particular Profile Option Set? [ID 367926.1]
  How to Change Profile Option Value Without Forms? [ID 943710.1]
  Cheers,
  ND
  Use the "helpful" or "correct" buttons to award points to replies.

• Oracle Apps secure code review

  Is any documentation available (either Oracle or third party based) to guide secure code reviews for Oracle Apps (or more specifically, Oracle Application Framework)?
  I'm aware of the usual sql injection bad practices (as related to JDBC and PLSQL). I'm curious about API abuse, as related to:
  - cross-site scripting concerns
  - client-side trust issues (e.g., hidden field values)
  - improper or inconsistent input validation
  - improper error handling
  - improper session management
  - inappropriate access control
  Thanks.

  Thanks... I looked at that and didn't think it was all in there, but I looked again after I got your reply and it appears to be what we are looking for (at least a starting point).

• Can VPD Virtual Private DB in 10g replace Oracle Apps security rules?

  I read the recent article in Oracle Magazine called 'Testing Database Security', especially the section on Virtual Private Database (VPD), caught my attention. Can this feature of the 10g database be used by the Oracle Apps to restrict access to data through the apps login? We just moved to 10g.
  Our current data security is enabled by leveraging security rules attached to responsibilities. Our security rules restrict by operating unit, of which there are 89. It would be great if VPD could be used, as it might replace the need to create 89 separate security rules. We would maintain just one set of policies.
  Does anyone know if this can be used on the applications level? If anyone has done this, do you know of a documentation link that would help?
  Thanks for your insight.

  Sebes,
  Thanks for the link...it sounds like it may be part of the Oracle future landscape, but for now, we will have to live with security rules.
  Sincerely,
  Brenda

• App security level

  How do I set the security level of an app so it will run with admin privilege at startup?

  johnsankey wrote:
  I don't know why that should matter... Anyway, the app is Psst because I don't want to have to remember to run it every time I use the computer. I get up at sunrise, the rest of the household doesn't, and cutting that startup roar of sound is not an option here.
  The reason is because without knowing which app you are talking about there is no way to answer your question.
  In the case of Psst, you are most likely going to have to talk to the developer who wrote it. He is probably doing something that requires additional premissions.

• LinksysSmartWiFi app Security Issue

  I recently installed an EA6700.  Other than overheating, the router works great.  I also installed the LinksysSmartWiFi app on my iPad 2.  I’m concerned that when I turn on my iPad and click on the SmartWiFi app, I can view the router password as well as both networks passcode.  I can change any router setting without any security.  I was not signed on the router through the LinksysSmartWiFi web browser version.  Is there a way to require a password before accessing the network through this app?       
  Solved!
  Go to Solution.

  Linksys Smart Wifi App is intended to be installed on a personal mobile phone or tablet for easy access and easy network administration. It won't require any password once done providing the network credentials on its first run.
  If everyone needs to believe in something, I believe I'll have another beer..