Application security/access management

Hi folks,
I'm building a simple app and I want to be able to control access/passwords etc. within the app (i.e. not have to go out to the full Workspace to reset passwords etc.). I assume this is possible and I'm just failing to understand the many options APEX provides for access/authorisation.
Any advice/insight/info would be greatly appreciated.
Regards,
IanM

You need to create a custom authentication scheme. Check out Apex 4.1 or Apex 4.0 (the XE DB contains Apex 4.0), the sample application there contains a custom authentication scheme so you can learn there how they did it.
Also check out the following blog for a step-by-step guide on how to set it up.
http://djmein.blogspot.be/2007/07/custom-authentication-authorisation.html
There is little difference between Apex versions, except I noticed you need to create an additional application item in Apex 4.2 called AI_LOGIN_MESSAGE.
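
A minimal custom authentication setup of the kind this answer points to, written in PL/SQL as an added example that is not from the thread, the sample application or the linked blog. The table app_users and the routines hash_password, set_password and custom_auth are assumed names; custom_auth is what you would enter as the authentication function of a custom authentication scheme, and set_password is what an in-app "reset password" page would call.

```sql
-- Added example: table, column and routine names are assumptions, not from the post.
-- Needs EXECUTE on DBMS_CRYPTO; HASH_SH256 requires Oracle Database 12c or later.
CREATE TABLE app_users (
  username      VARCHAR2(100) PRIMARY KEY,          -- stored upper-case
  salt          RAW(16) NOT NULL,                   -- random, per user
  password_hash RAW(32) NOT NULL,                   -- never the clear text
  failed_logins NUMBER  DEFAULT 0   NOT NULL,
  locked        CHAR(1) DEFAULT 'N' NOT NULL CHECK (locked IN ('Y', 'N'))
);

-- Salted, iterated SHA-256. The loop is a simple stretching step chosen for
-- this example; it is not a standard KDF such as PBKDF2.
CREATE OR REPLACE FUNCTION hash_password (
  p_password IN VARCHAR2,
  p_salt     IN RAW
) RETURN RAW
IS
  l_hash RAW(32);
BEGIN
  l_hash := DBMS_CRYPTO.HASH(
              UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
              DBMS_CRYPTO.HASH_SH256);
  FOR i IN 1 .. 10000 LOOP
    l_hash := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_salt, l_hash), DBMS_CRYPTO.HASH_SH256);
  END LOOP;
  RETURN l_hash;
END hash_password;
/

-- Create a user or reset a password from inside the application. The caller
-- commits; protect the page that calls this with an authorization scheme.
CREATE OR REPLACE PROCEDURE set_password (
  p_username     IN VARCHAR2,
  p_new_password IN VARCHAR2
)
IS
  l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);    -- fresh salt on every change
  l_hash RAW(32) := hash_password(p_new_password, l_salt);
BEGIN
  IF p_new_password IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must not be empty');
  END IF;
  UPDATE app_users
     SET salt = l_salt, password_hash = l_hash, failed_logins = 0, locked = 'N'
   WHERE username = UPPER(p_username);
  IF SQL%ROWCOUNT = 0 THEN
    INSERT INTO app_users (username, salt, password_hash)
    VALUES (UPPER(p_username), l_salt, l_hash);
  END IF;
END set_password;
/

-- Authentication function: called with the submitted credentials; TRUE means
-- the login succeeds.
CREATE OR REPLACE FUNCTION custom_auth (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN
IS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- failure counter survives a page rollback
  l_user app_users%ROWTYPE;
  l_ok   BOOLEAN;
BEGIN
  IF p_password IS NULL THEN RETURN FALSE; END IF;
  BEGIN
    SELECT * INTO l_user FROM app_users WHERE username = UPPER(p_username);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN FALSE;  -- same answer as a bad password
  END;
  IF l_user.locked = 'Y' THEN RETURN FALSE; END IF;
  l_ok := UTL_RAW.COMPARE(hash_password(p_password, l_user.salt),
                          l_user.password_hash) = 0;
  IF l_ok THEN
    UPDATE app_users SET failed_logins = 0 WHERE username = l_user.username;
  ELSE
    UPDATE app_users                       -- lock the account after 5 failures
       SET failed_logins = failed_logins + 1,
           locked = CASE WHEN failed_logins + 1 >= 5 THEN 'Y' ELSE 'N' END
     WHERE username = l_user.username;
  END IF;
  COMMIT;
  RETURN l_ok;
END custom_auth;
/
```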

Similar Messages

  • Application security /access by only designated users

    Hi All,
    I am very new to this great application, so please help.
    I am using HTML DB 2.1 .
    I have multiple applications in a schema. An end user of one application can access all the other applications of the same schema by just changing the application ID in the URL. How can I prevent it?
    Thanks in advance.

    Create user groups and assign your groups to your users depending on what they should or shouldn't access.
    On your login page (101) create a validation on submit using the following code - PL/SQL Function returning Boolean:
    DECLARE
       v_group   VARCHAR2 (400) DEFAULT NULL;
    BEGIN
       SELECT HTMLDB_UTIL.get_groups_user_belongs_to (UPPER(:P101_USERNAME))
         INTO v_group
         FROM DUAL;
       IF INSTR ( v_group, 'YOUR_GROUP_1') > 0
       THEN
          RETURN TRUE;
       ELSE
          RETURN FALSE;
       END IF;
    END;
    Denes Kubicek
    http://deneskubicek.blogspot.com/
    http://www.opal-consulting.de/training
    http://apex.oracle.com/pls/otn/f?p=31517:1
    -------------------------------------------------------------------

  • Configure security realm for external Access Manager in App server 8.1

    Hi All,
    I would like to protect my j2ee application using access manager running on an external host.
    I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
    external host & port of AM is:
    http://svrd234d.dnn.com.au:58765
    Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
    classname="com.sun.amagent.as.realm.AgentRealm"
    property name="jaas-context" value="agentRealm"
    property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
    property name="hostURL " value="http://svrd234d.dnn.com.au:58765"

    Did you download AS8.1 agent under http://www.sun.com/download/products.xml?id=4266924d?
    If you can unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
    Please also note that page 161 of J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
    Jerry

  • OAM : Access management of Print Server and Shares

    Hi Experts !
    Our customer is providing our user printing and storage facilities in their windows accounts besides many web based applications. We are planning to evaluate OAM for this environment as an access management solution.
    Web based application's access management is totally understood as explained in OAM documentation
    Can someone enlighten if we can control access of network printers and shares (SAN / NAS) using OAM? Can access Gate be utilized for this ?
    Really appreciate your response.
    Regards

    Install the 3 part hpijs:
    http://www.linuxfoundation.org/collaborate/workgroups/openprinting/macosx/hpijs
    Then use the protocol that the print server manual recommends, remembering that LPD and IPP use queue name, but HP Jetdirect (raw port 9100) doesn't. If there's a section in the manual for unix/linux, that's usually more productive than the Windows instructions.

  • Deploying Access manager on Akamai Edge platform

    We use akamai edge platform to deploy our j2ee applications. Akamai edge platform is based on Websphere app server.
    If we want to deploy access manager along with our application, will access manager be just a part of our WAR file? Will the Websphere access manager agent be a part of that WAR file?
    We can not "install" anything on the akamai edge except a WAR file. So if it is possible to include in the WAR file, we can save having our own web server just for the purpose of policy manager.
    Thanks


  • Oracle Access Manager (IDM suite) And Jdev

    We plan to use Access Manager at the front end of a Jdev ADFBC JSF web application.
    How can we integrate our java application with Access Manager?
    We can't find any code or application sample about that...
    Any extension planned for Access Manager like the portlet extension?
    (is true forum here ?)
    Thanks for your help....

    repost...

  • Oracle Access Manager AND Jdev

    We plan to use Access Manager at the front end of a Jdev ADFBC JSF web application.
    How can we integrate our java application with Access Manager?
    We can't find any code or application sample about that...
    Any extension planned for Access Manager like the portlet extension?
    (is true forum here ?)
    Thanks for your help....

    I am assuming you are trying to use CoreID's Access Manager API?
    If so....
    In order to use the access manager API from within Java you must do the following:
    1) Install the Access Server SDK on the machine that you will be doing your development on (this is a separate executable from the CoreID Installer)
    2) Configure an Access Gate on your Access Server for this development machine
    3) Run the Access Gate Configuration Tools on the development machine.
    (Chapter 5 of the Development Guide [NetPoint70B_Developer_Guide goes through this in more detail)

  • Securing web services with Sun Access Manager

    Hi!
    I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
    What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
    I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
    I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
    My questions are:
    1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
    2) Are there any documentation/tutorials/etc?
    Thanks in advance :-)
    Anders

    What you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
    The "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" a webservices agent, but a normal J2EE policy agent.
    So, having said that, here's what I'd recommend.
    1. Install the webservices agent on bea weblogic. (Note: NOT the J2EE policy agent.)
    2. Configure it to use your access manager instance for authentication.
    3. Configure your webservices client to use the webservice provider. (Note: you'd need the webservices APIs available on the client too, so the quick and dirty method would be to install the webservices agent on your client too.) You can later bundle the webservices client independently and provide your "customers" with a webservices client bundle.
    4. Voila... your webservices are not "protected" by access manager ;-)

  • Oracle Access Manager 11gR2 Web application: "oam" failed to preload

    Any pointers for troubleshooting this error?
    Managed Server starts up but fails to start-up "oam" deployment.
    weblogic.application.ModuleException: [HTTP:101216]Servlet: "AMInitServlet" failed to preload on startup in Web application: "oam".
    java.lang.ExceptionInInitializerError
            at oracle.security.am.pbl.transport.http.AMInitServlet.initializeAmServer(AMInitServlet.java:113)
            at oracle.security.am.pbl.transport.http.AMInitServlet.init(AMInitServlet.java:79)
            at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
            at weblogic.servlet.internal.StubSecurityHelper.createServlet(StubSecurityHelper.java:64)
            at weblogic.servlet.internal.StubLifecycleHelper.createOneInstance(StubLifecycleHelper.java:58)
            at weblogic.servlet.internal.StubLifecycleHelper.<init>(StubLifecycleHelper.java:48)
            at weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.java:539)
            at weblogic.servlet.internal.WebAppServletContext.preloadServlet(WebAppServletContext.java:1981)
            at weblogic.servlet.internal.WebAppServletContext.loadServletsOnStartup(WebAppServletContext.java:1955)
            at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1874)
            at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
            at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
            at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
            at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
            at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
            at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
            at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
            at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
            at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
            at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
            at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
            at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
            at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
            at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
            at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
            at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
            at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:149)
            at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
            at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
            at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
            at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
            at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
            at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused by: java.lang.NullPointerException
            at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<init>(DiagnosticUtil.java:80)
            at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<clinit>(DiagnosticUtil.java:65)
            ... 45 more
            at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1520)
            at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
            at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
            Truncated. see log file for complete stacktrace
    Caused By: java.lang.NullPointerException
            at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<init>(DiagnosticUtil.java:80)
            at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<clinit>(DiagnosticUtil.java:65)
            at oracle.security.am.pbl.transport.http.AMInitServlet.initializeAmServer(AMInitServlet.java:113)
            at oracle.security.am.pbl.transport.http.AMInitServlet.init(AMInitServlet.java:79)
            at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)

    SOA is not required. WebGate is a separate installation, separate from where you install the Oracle Access Manager.
    Oracle Access Manager is like the management station, WebGate would typically be installed on a host where a Web Server is running. So WebGate running on the WebServer host would be used to provide access control functions for web pages hosted on Web Server. You will have to do the configuration of WebGate separately after Access Manager has been installed. Please mark answer helpful/correct if helpful.

  • Using IBM Tivoli Access Manager to Secure Tuxedo Services

    Wondering if anybody has any experience using 'IBM Tivoli Access Manager for e-business' to perform tuxedo service authorization ?
    Is there an out-of-the-box integrated solution available or does one have to basically build a security service that use the Tivoli Access Manager APIs to determine if the user is authorized to invoke service?
    Thanks,

    Hi,
    I followed the steps of establishing SSO using TAM for OBIEE application.
    Below is the piece of code that I had inserted in the "instanceconfig.xml" to enable SSO:
    <Listener>
    <!-- other settings ... -->
    </Listener>
    <CredentialStore>
    <CredentialStorage type="file" path="<OracleBIData>/web/config/credentialstore.xml" passphrase="another"/>
    </CredentialStore>
    <!-- other settings ... -->
    <Auth>
    <SSO enabled="true">
    <ParamList>
    <!--IMPERSONATE param is used to get the authenticated user's username and is required -->
    <Param name="IMPERSONATE"
    source="httpHeader" nameInSource="iv-user"/>
    </ParamList>
    <!--Optional. Replace the URLs with actual logoff/logon URL-->
    <LogonUrl>http://pkmslogin</LogonUrl>
    <LogoffUrl>http://pkmslogout</LogoffUrl>
    </SSO>
    </Auth>
    My credential store file looks like the below:
    <sawcs:credential type="usernamePassword" alias="impersonation">
    <sawcs:username>USER</sawcs:username>
    <sawcs:password>password</sawcs:password>
    </sawcs:credential>
    In the above code I am trying to get the userID of a user, who has already been authenticated by the Windows desktop authentication mechanism, through the header of the application's URL.
    But when I try creating a junction using TAM and access the application through the junction, I still get the logon page of the OBIEE application...
    Can anyone help me out with this issue?
    Thanks in Advance...

  • Help please: "Access denied by Application security check"

    I am very new to using Application Express 2.2.
    I create a demon application, and want to create an end user right now.
    The end user has no-dev and no-admin privileges. However, when I tried to log on I got the error message "Access denied by Application security check", and the only option is to log out.
    What have I done wrong?
    Thanks,

    See http://download-east.oracle.com/docs/cd/B31036_01/doc/appdev.22/b28550/sec.htm#BABBCIEE
    When you create users in the Apex repository (using an Admin account in the workspace), and give them neither Dev nor Admin privilege, they are not meant to login to the Application Builder. You would use the link above to create an authentication scheme in applications you develop.
    [Read that Chapter 11 Managing Application Security from start to finish]

  • Access denied by Application security check

    I see that others have gotten this error when logging in but I'm getting this during an application install.
    I have an application in workspace A that I exported. I created workspace B, using the same parsing schema and the same workspace the schema assignments. In workspace A, I exported as user ADMIN who has Administrator and Developer rights. The same user with the same rights was used to import and install the application into workspace B. The import into workspace B is successful. For the import, I use the same parsing schema assignment and I let the install utility assign a new application ID. It apparently chose app ID 115 because after a few minutes into the install I get the "Access denied by Application security check" and at the top of the page it says "Application 115 installed".
    To make matters worse, when I log back into workspace A, I see that application 115 has just been installed into THAT workspace.

    Lloyd,
    That's weird. What version of Application Express? I would suggest using a different user (not ADMIN) for export and import, as I'm sure what you experienced is due to a bug related to the privileges of the ADMIN user.
    Scott

  • The application has accessed a fund managements or cash mgt module with par

    When I am trying to post an entry, message F1030 appears:
    The application has accessed a fund managements or cash mgt module with parameters missing or defective
    Please solve

    Hi,
    This error occurs when you post data which is not related to that specific company code.
    Post the correct data and check. If the problem still exists, please clearly explain the problem.
    Thanks
    micheal

  • Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager

    Hello everyone
    I am implementing a failover solution of NAC in OOB VG version 4.8, I have 2 CAS and 2 CAM.
    The Error I am getting is when I connect to both IP address and the FQDN of the CAS.
    ===========
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at camsrv3.cadivi.gob.ve.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    ==========
    For the CAMs I use these names: camsrv1 and camsrv2. Then I generate a CSR on camsrv1 with the name camsrv3.mycompany.com corresponding to the virtual IP and export it to camsrv2, install the CA certificate of the company and everything works perfectly.
    This is the failover configuration
    CAM:
    Primary:     10.1.206.248 camsrv1.mycompany.com
    Secondary: 10.1.206.249 camsrv2.mycompany.com
    Virtual:       10.1.206.250 camsrv3.mycompany.com
    Then I do exactly the same steps for the CAS's and this is the failover configuration:
    Primary:     10.1.216.248 cassrv1.mycompany.com
    Secondary: 10.1.216.249 cassrv2.mycompany.com
    Virtual:       10.1.216.250 cassrv3.mycompany.com
    Then I add the certificate of CAM in the CAS on the tab "Trusted Certificate Authorities"  and vice versa.
    The communication between all the CAM´s and CAS´s is correct (Primary, Secondary and Virtual). I can ping the IP and the FQDN and I can also manage the CAS through the CAM.
    I verify that the time was right in the CAM and the CAS and all good up there.
    Appreciate your help
    Eduardo Navas

    Eduardo,
    Bump up the CAS/CAS communications logging on both the CAS and CAMs, and then look in the log files for clues.
    On CAM they live in /perfigo/control/tomcat/logs and on CAS in /perfigo/access/tomcat/logs
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • Network Access Manager - Service (Secure Mobility Client)

    We are currently working on Deploying the Secure Mobility Client.
    1. We are looking at the ability to stop the Network Access Manager without Admin rights. According to the Cisco Documentation on this:
    "Stopping and Starting the Network Access Manager"
    Users with local administrator privileges can start and stop the Network Access Manager. Users without local administrator privileges cannot start and stop the Network Access Manager without using the service password defined in the Authentication panel of the profile editor.
    Question: I am unable to find the said option in the Authentication panel in the profile editor
    2. Since we will be using NAM for all of our computers, and since some users will not be using the VPN, we will need to push out profiles to the users (this is easy, however we are concerned about updates and getting those pushed). A colleague shared that he heard at Cisco Live2011 that there is an option in NAM to update its profiles by connecting to the VPN-Headend without actually authenticating and logging into the VPN.
    I know if a user connects to the VPN Headend we can update the profiles on NAM/VPN etc... however without them connecting I'm not sure if there is any way to do so?

    Hi Alwin,
    There is nothing to be done with your anyconnect client. If needed, changes need to be done at the VPN FW/Router where your anyconnect connection is established. Here I guess your corporate office is hosting this VPN server.
    They have configured it in tunnel all mode, which means all traffic will be taken through the VPN. See from your output that the preferred default route is pointed to 192.168.0.101, which is a vpn gateway.
    If needed, the anyconnect vpn configuration needs to be changed from tunnel all to split-tunnel.
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.101 20
    0.0.0.0 0.0.0.0 146.236.12.1 146.236.12.73 2
    Regards
    Karthik
