[ask] ucm security model case study

hi fellow stellent users,
i have a question to ask about
this case study, that i'm trying to solve.
the case study is,
suppose a corporate named acme
then i create security groups (public, internal, sensitive, secret),
semantically a clearance level.
then i create hierarchical accounts based on acme's divisions:
acme/finance
acme/acct
acme/marketing
then i create these virtual folders (primarily used in webdav integration)
/finance: account: acme/finance
/acct: account: acme/acct
/marketing: account: acme/marketing
this seems ok, so all users in the finance dept
can only view/access/edit the /finance folder (and its contents)
but there are new requirements:
-suppose finance users want to create subfolder in the /finance
eg: /finance/shared
but they want to share this folder so that it can be accessible to
acct and marketing users.
so how can i do this ?
i already tried creating new account acme/finance/shared
assign that to the /finance/shared folder,
and adding that account to all users that need to access that folder
but, there seems a problem,
when i browse ucm with Windows Explorer (webdav) with a marketing user id.
i can't see the /finance/shared folder.
maybe because the parent /finance folder is hidden/not permissible to them (marketing guys).
but then, what is the workaround for this problem? can a user
create a folder that can be shared to other accounts ? with a parent
folder that is not shared.
what's the best practice in ucm to accomplish this scenario,
especially for working in windows/webdav environment.
is there any changes that i must make to my current security model ??
thanks,
your answers will be very appreciated. :)

Sapan, Yes I understand that and I have read it also. The problem is we would rather take care of the ROLES within UCM, such that subadmins should be allowed to create roles etc. within UCM who have no access to LDAP. Basically we would like to give access of role creation to a subadmin rather than set it up in LDAP, but at the same time we would like users to get authenticated via LDAP, because we want to use Single Sign On.
So basically the solution that I am looking for is following:
1) Users get Authenticated ONLY via LDAP. No group mappings or filtering needs to be done (Use Group Filtering/Use Full Group Names in LDAP provider are NOT checked)
2) Setup user's roles/groups within UCM by a Sub Admin.
Basically what I would like to do is that we can have several websites in our UCM and each website can have Subadmins who can give/remove permission for users that reside in UCM (External/Internal anyone). Moreover I would like to give subadmins only rights to their OWN Website and they should not be allowed to do any administration work for other websites that they are not sub admin for. Also, none of the users/subadmins can see any search results from any other website data that they do not have permission for.
This is a little complex requirement, first I do not know if UCM is capable of this, second I am a newbie with UCM, I have worked with Documentum in the past, so any suggestion is very welcome. Thanks!

Similar Messages

  • UCM security modeling

    Hi,
    The use case is like this
    OID
    1. I have different groups in OID say Group1, Group2,...... 1000+ groups
    2. I have other groups (apart from the 1 mentioned above) as well in OID say OtherGroup1, OtherGroup2,...... 1000+ groups
    Please NOTE: The users present in Group1, Group2,.... and OtherGroup1, OtherGroup2,.... are completely different users
    Also all the groups mentioned above are already present and I cannot modify the existing groups as they are used for some other purposes as well.
    I can just use the existing groups.
    In my webcenter application I create an object say "Sales"
    And I want to create a folder in UCM by same name called as "Sales" and the contents inside this "Sales" folder should have the security as mentioned below
    1. "Content1"
         - "Group1" should have R, "Group2" should have RW, "Group3" should have RWD
         - "OtherGroup1" should have R, "OtherGroup2" should have RW, "OtherGroup3" should have RWD (This group might remain same for all contents)
    2. "Content2"
         - "Group4" should have RWD, "Group5" should have RW, "Group6" should have R
         - "OtherGroup1" should have R, "OtherGroup2" should have RW, "OtherGroup3" should have RWD (This group might remain same for all contents)
    and so on..
    So please suggest how can I achieve this type of security model in UCM.
    Thanks in advance.

    > which account am I supposed to add on "Content1"
    The account will be Content1. @Content1_R is the name of a group in LDAP, which grants its members R permission to the Content1 account.
    > And also what should be the "SecurityGroup" for "Content1" since "SecurityGroup" is mandatory for a content item check in.
    You may have to create a generic group where all users have RWD permissions - resulting permissions are the intersection of those from SG and accounts.
    > Also once the account is added I cannot change the permission for a particular user, so the option left with me will be to assign him to different account which has desired permission for given content (that too if I can add multiple accounts).
    Account is a setting on a content item, and it is expected to be changed only exceptionally. What you can change, though, is membership of users in your created groups - thus, granting/revoking permissions of users to particular accounts. This can be as dynamic as you need.
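
    The rule from the reply above (one generic security group, one account per content item, LDAP groups named `@<account>_<permission>`, effective permission = intersection), as an added Java example that is not code from the thread or from UCM. The class and method names are hypothetical; OR-ing several grants for the same account and matching account names exactly (no account hierarchy) are assumptions of this sketch.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class UcmEffectivePermission {
    // Permission letters in the order the thread writes them: Read, Write, Delete, Admin.
    private static final String LETTERS = "RWDA";

    /** Turns "RWD" into a bit mask; rejects letters outside R/W/D/A. */
    static int parseMask(String letters) {
        int mask = 0;
        for (char c : letters.toCharArray()) {
            int bit = LETTERS.indexOf(c);
            if (bit < 0) {
                throw new IllegalArgumentException("unknown permission letter: " + c);
            }
            mask |= 1 << bit;
        }
        return mask;
    }

    /** Turns a bit mask back into letters for display. */
    static String format(int mask) {
        StringBuilder sb = new StringBuilder();
        for (int bit = 0; bit < LETTERS.length(); bit++) {
            if ((mask & (1 << bit)) != 0) {
                sb.append(LETTERS.charAt(bit));
            }
        }
        return sb.length() == 0 ? "(none)" : sb.toString();
    }

    /**
     * Collects account grants from LDAP group names of the form "@<account>_<perm>".
     * Groups without the "@" prefix, without a suffix, or with an unknown suffix
     * are ignored. Assumption: several groups for one account are OR-ed together.
     */
    static Map<String, Integer> accountGrants(Collection<String> ldapGroups) {
        Map<String, Integer> grants = new HashMap<>();
        for (String group : ldapGroups) {
            if (!group.startsWith("@")) {
                continue;
            }
            // Split on the LAST underscore so account names may contain underscores.
            int cut = group.lastIndexOf('_');
            if (cut < 2) {
                continue;
            }
            int mask;
            try {
                mask = parseMask(group.substring(cut + 1));
            } catch (IllegalArgumentException e) {
                continue;
            }
            if (mask != 0) {
                grants.merge(group.substring(1, cut), mask, (a, b) -> a | b);
            }
        }
        return grants;
    }

    /** Effective permission = security-group permission AND account permission. */
    static int effective(int securityGroupMask, Map<String, Integer> grants, String contentAccount) {
        // No grant for the item's account means no access, whatever the group allows.
        return securityGroupMask & grants.getOrDefault(contentAccount, 0);
    }

    public static void main(String[] args) {
        // Constructed sample: one user's LDAP group memberships.
        List<String> ldapGroups = Arrays.asList(
                "Group2", "@Content1_R", "@Content1_RW", "@Content2_RWD", "@Bad_XYZ");
        Map<String, Integer> grants = accountGrants(ldapGroups);

        int generic = parseMask("RWD"); // the generic security group: RWD for everyone
        int readOnly = parseMask("R");  // a stricter security group, for contrast

        for (String account : new String[] {"Content1", "Content2", "Content3"}) {
            System.out.println(account + " in the generic group: "
                    + format(effective(generic, grants, account)));
        }
        System.out.println("Content2 in a read-only group: "
                + format(effective(readOnly, grants, "Content2")));
    }
}
```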

  • Extending/modifying UCM security

    Hi!
    Does anyone know whether it is possible to extend the UCM security model, to limit retrieved content based on other metadata than security group or account?
    Example 1:
    Confidentiality field: if the flag is set, certain roles must not be able to retrieve the content
    Example 2:
    document type and subtype: these are linked lists. Customer role may only access a limited set of subtypes.
    Regards,
    Jeroen van Veldhuizen
    Redora B.V.

    Hi
    I think that you can achieve this functionality by using NeedToKnow component which is designed exactly for the very purpose of extending the security of the CS by adding the flags and such features.
    You can get the component from http://www.oracle.com/technology/software/products/content-management/index.html
    Brief about the component functionality:
    This component supports multiple ways to customize Content Server security. The areas of customization supported in this component are:
    * Content Security -- access to content items
    * Hit List Roles -- altering user credentials on query and check in pages
    * Search Results -- altering the appearance of search results
    * Where Clause Calculation -- altering the where clause on searches
    * Content Meta Change Security -- meta data change of content items
    Hope this helps.
    Thanks
    Srinath

  • UCM Folders custom alternate security model

    Hi All,
    I'm working on a Proof of Concept using UCM 10GR3 and we need help from you guys.
    The content will be categorized using the Folders structure from the Oracle Folders Component.
    Let’s look this example:
    1. The user DANIEL creates the folder A and sets who will have access (R,RW,RWD,RWDA);
    2. DENIS another user from UCM get permission to access the folder A and starts to create his own Folders (A1, A2, A3) and defines who will access these Folders and their permissions but if he doesn’t set access permission to DANIEL he (DANIEL) won’t be capable to see these Folders content .
    So, this security model is defined for each Folder and won’t be hierarchical.
    I've already explained to the customer about possible problems with inappropriate content stored inside some users' Folders and the lack of permission from their superiors to control this.
    But they don’t want to go another way.
    This customer didn’t like UCM Collaboration Manager concept of Projects, Dashboards and so on.
    They prefer Folders with this 'Custom' security model because simplicity and a non-hierarchical security model are crucial points.
    Is there any case about the use of this security model or some ideas about how do that for Oracle Folders?
    Best Regards
    Daniel

    I think accounts can do the trick. You'll have to write a component that automatically creates an account if someone adds a folder.
    With accounts you can give someone permission in a hierarchical way. You define for example an account A/1 A/2 A/3
    If Daniel creates a folder your component can automatically create an account A
    If Denis creates a folder A/1 your component would create A/1
    If Daniel grants Denis the A account he gets permission to the A folder
    If Denis doesn't grant Daniel the A/1 account, he doesn't have access to that folder. Is that what you want?
    There is a small problem with this construction and that is that a user normally can't grant or revoke accounts. It's done in the user admin applet so your component would normally add some functionality so users could add/delete accounts, but that's kinda tricky...

  • Migrate to the Java 2 security model

    Hi, I've tried to use signed applets but I always get the following message:
    Java (TM) Plug-in: Version 1.3.1_02
    Netscape security model is no longer supported.
    Please migrate to the Java 2 security model instead.
    Netscape security model is no longer supported.
    Please migrate to the Java 2 security model instead.
    Netscape security model is no longer supported.
    Please migrate to the Java 2 security model instead.
    Netscape security model is no longer supported.
    Please migrate to the Java 2 security model instead.
    Netscape security model is no longer supported.
    Please migrate to the Java 2 security model instead.
    I'm using IExplorer 5.5 with the Java Plug-In 1.3.1_02.
    What does it mean 'migrate to the Java 2 security model'?
    How can I migrate?
    thanks in advance.

    So you mean your applet is working in Netscape 6.2 after editing prefs.js. In that case, one possible solution is take away the support of netscape.security.* in your applet . Because netscape.* packages 'might' use the Netscape Security model, which is no longer supported(check out). Hence the system asks you to migrate to the current java security model. Even if you remove the netscape.* support, your applet will work, if you have signed it properly. In that case, you don't have to touch prefs.js or java.policy or anything from your client machine.(provided you use standard certificates like verisign).
    Since you have only class file of the applet and not the source, decompile the class file and make the alteration and compile it back. A decompiler Jad is available here http://midlet.org/jsp/category.jsp?parentLevel=137.
    Let me know if this has helped you.
    Rajesh

  • Small Case Study

    I have one small case study that I am trying to solve to understand the dimensional data modeling concept better.
    We deal with lots of small securities (loans) everyday. We generate Time Series reports from this data, most of the times we look at Market Values and Duration of the securities at aggregated level.
    Everyday we get thousands of securities, each having a type, category, coupon and an amount. E.g.
    Sec Id  Type   Category          Coupon  Amount  Date
    100     Arm    SF_ARMS           5.0     $1200   04/27/05
    101     Arm    SF_ARMS_TREASURY  5.5     $2000   04/27/05
    102     Fixed  SHORT_TERM        5.5     $1800   04/27/05
    103     Fixed  LONG_TERM         6.0     $1000   04/27/05

    Sec Id  Market_Value  Duration  Market  Calc  Batch  Date
    100     1350          3.12      M1      C1    B1     04/28/05
    101     2100          2.5       M2      C1    B1     04/28/05
    102     1900          3.0       M1      C1    B1     04/28/05
    103     1100          2.7       M1      C1    B1     04/28/05

    I have to produce a report like this:

                          Market Value  Duration
    Arm
      SF_ARMS             X             X
      SF_ARMS_TREASURY    X             X
    Fixed
      SHORT_TERM          X             X
      LONG_TERM           X             X
    My questions are:
    1) Dimensions I have identified are: Securities, Market, Calculator, Batch, Time.
    2) Do we need two separate fact tables for Market value and Duration ? Or they can be in one ?
    3) Should Amount and coupon be security attributes or sit in a separate fact table. According to one book any numerical values should go into a fact table.
    4) What about Type and Category, are these attributes of Security Dimension.
    Any guidance in this direction will be highly appreciated.
    Shalu

    Shalu, here are a few more items to consider. I'll take a stab at these because I'm currently working on a similar investments cube (though with a lot more dimensions)
    - Market value and duration can go into a single fact table if they share the same dimensionality (as noted). Not sure of your application, but are you trying to do any market rate scenario analysis (i.e. what happens if the yield curve shifts up 50 b.p. or down 50 b.p.)? If so, then some variables (duration, avg life, convexity) will need to be dimensioned by scenario, while others (book value, for instance) do not fluctuate based on the scenario and therefore would be in a different cube.
    - Amount and Coupon rate should probably not be stored in the fact table. Having said this, you have several options:
    1) store as attributes in the securities dimension
    Pros: easy for users to select all securities that match a given amount or coupon rate
    Cons: Difficult to band these together on a report or to aggregate the totals (i.e. total market value of all securities in the 4.00 - 4.99% coupon rate band)
    2) store as hierarchies in the securities dimension
    Pros: both amt and coupon could be banded and summarized over the hierarchy, making banding reports very easy to do
    Cons: Difficult to impossible to easily show BOTH amount bands and coupon bands on a single report, since one OLAP query will only allow one hierarchy to be selected
    3) store as separate dimensions outside of securities
    Pros: easy to band, can show both bands simultaneously on a report
    Cons: creates 2 more dimensions that increases cube size (although you will find the new "compressed composites" in 10g work wonders on this)
    Note that all these points also apply to your #4 re: type and category.
    Just because I'm curious, what information do your dimensions "calculator", "batch", and "time" provide?
    Thanks,
    Scott

  • BIP: Upload error (Invalid BI Publisher Security model SBL-RPT-50532)

    Hi, We have Siebel 8.1.1.5 running and having trouble integrating with BI Publisher 10.1.3.4.2 . I have setup and configure BIP as per the instructions.
    When we try to upload reports from Reports - Standard Templates View, getting the following error messages:
    Invalid BI Publisher Security Model Setting (SBL-RPT-50532) && Error (null) invoking method (null) for business service (null).
    I have setup the security model to siebel in BIP and am able to login to the console using SADMIN/SADMIN. All the required components are also online and updated the params as per the instructions.
    Any help would be greatly appreciated. Thanks in advance!

    Hi Hakan,
    Please check whether your EAI Object manager is using a different srf to the one that the application is set to. In that case try to
    set the EAI to the same srf or compile report stuff to that particular srf. And before that, have you declared the Siebel security model setting in BIP?
    Please reach me at [email protected] for any issues.
    Thanks,
    Ravi

  • Java Security Model: Java Protection Domains

    1.     Policy Configuration
    Until now, security policy was hard-coded in the security manager used by Java applications. This gives us the effective but rigid Java sandbox for applets. A major enhancement to the Java sandbox is the separation of policy from mechanism. Policy is now expressed in a separate, persistent format. The policy is represented in simple ascii, and can be modified and displayed by any tools that support the policy syntax specification. This allows:
    o     Configurable policies -- no longer is the security policy hard-coded into the application.
    o     Flexible policies -- Since the policy is configurable, system administrators can enforce global policies for the enterprise. If permitted by the enterprise's global policy, end-users can refine the policy for their desktop.
    o     Fine-grain policies -- The policy configuration file uses a simple, extensible syntax that allows you to specify access on specific files or to particular network hosts. Access to resources can be granted only to code signed by trusted principals.
    o     Application policies -- The sandbox is generalized so that applications of any stripe can use the policy mechanism. Previously, to establish a security policy for an application, a developer needed to implement a subclass of the SecurityManager, and hard-code the application's policies in that subclass. Now, the application can make use of the policy file and the extensible Permission object to build an application whose policy is separate from the implementation of the application.
    o     Extensible policies -- Application developers can choose to define new resource types that require fine-grain access control. They need only define a new Permission object and a method that the system invokes to make access decisions. The policy configuration file and policy tools automatically support application-defined permissions. For example, an application could define a CheckBook object and a CheckBookPermission.
    2.     X.509v3 Certificate APIs
    Public-key cryptography is an effective tool for associating an identity with a piece of code. JavaSoft is introducing API support in the core APIs for X.509v3 certificates. This allows system administrators to use certificates from enterprise Certificate Authorities (CAs), as well as trusted third-party CAs, to cryptographically establish identities.
    3.     Protection Domains
    The central architectural feature of the Java security model is its concept of a Protection Domain. The Java sandbox is an example of a Protection Domain that places tight controls around the execution of downloaded code. This concept is generalized so that each Java class executes within one and only one Protection Domain, with associated permissions.
    When code is loaded, its Protection Domain comes into existence. The Protection Domain has two attributes - a signer and a location. The signer could be null if the code is not signed by anyone. The location is the URL where the Java classes reside. The system consults the global policy on behalf of the new Protection Domain. It derives the set of permissions for the Protection Domain based on its signer/location attributes. Those permissions are put into the Protection Domain's bag of permissions.
    4.     Access Decisions
    Access decisions are straightforward. When code tries to access a protected resource, it creates an access request. If the request matches a permission contained in the bag of permissions, then access is granted. Otherwise, access is denied. This simple way of making access decisions extends easily to application-defined resources and access control. For example, the banking application allows access to the CheckBook only when the executing code holds the appropriate CheckBookPermission.
    Sandbox model for Security
    Java is supported in applications and applets, small programs that spurred Java's early growth and are executable in a browser environment. The applet code is downloaded at runtime and executes in the context of a JVM hosted by the browser. An applet's code can be downloaded from anywhere in the network, so Java's early designers thought such code should not be given unlimited access to the target system. That led to the sandbox model -- the security model introduced with JDK 1.0.
    The sandbox model deems all code downloaded from the network untrustworthy, and confines the code to a limited area of the browser -- the sandbox. For instance, code downloaded from the network could not update the local file system. It's probably more accurate to call this a "fenced-in" model, since a sandbox does not connote strict confinement.
    While this may seem a very secure approach, there are inherent problems. First, it dictates a rigid policy that is closely tied to the implementation. Second, it's seldom a good idea to put all one's eggs in one basket -- that is, it's unwise to rely entirely on one approach to provide overall system security.
    Security needs to be layered for depth of defense and flexible enough to accommodate different policies -- the sandbox model is neither.
    java.security.ProtectionDomain
    This class represents a unit of protection within the Java application environment, and is typically associated with a concept of "principal," where a principal is an entity in the computer system to which permissions (and as a result, accountability) are granted.
    A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. Currently, a domain is uniquely identified by a CodeSource, which encapsulates two characteristics of the code running inside the domain: the codebase (java.net.URL), and a set of certificates (of type java.security.cert.Certificate) for public keys that correspond to the private keys that signed all code in this domain. Thus, classes signed by the same keys and from the same URL are placed in the same domain.
    A domain also encompasses the permissions granted to code in the domain, as determined by the security policy currently in effect.
    Classes that have the same permissions but are from different code sources belong to different domains.
    A class belongs to one and only one ProtectionDomain.
    Note that currently in Java 2 SDK, v 1.2, protection domains are created "on demand" as a result of class loading. The getProtectionDomain method in java.lang.Class can be used to look up the protection domain that is associated with a given class. Note that one must have the appropriate permission (the RuntimePermission "getProtectionDomain") to successfully invoke this method.
    Today all code shipped as part of the Java 2 SDK is considered system code and run inside the unique system domain. Each applet or application runs in its appropriate domain, determined by its code source.
    It is possible to ensure that objects in any non-system domain cannot automatically discover objects in another non-system domain. This partition can be achieved by careful class resolution and loading, for example, using different classloaders for different domains. However, SecureClassLoader (or its subclasses) can, at its choice, load classes from different domains, thus allowing these classes to co-exist within the same name space (as partitioned by a classloader).
    jarsigner and keytool
    example:
    cd D:\EicherProject\EicherWEB\Web Content
    jarsigner -keystore eicher.store source.jar eichercert
    The javakey tool from JDK 1.1 has been replaced by two tools in Java 2.
    One tool manages keys and certificates in a database. The other is responsible for signing and verifying JAR files. Both tools require access to a keystore that contains certificate and key information to operate. The keystore replaces the identitydb.obj from JDK 1.1. New to Java 2 is the notion of policy, which controls what resources applets are granted access to outside of the sandbox (see Chapter 3).
    The javakey replacement tools are both command-line driven, and neither requires the use of the awkward directive files required in JDK 1.1.x. Management of keystores, and the generation of keys and certificates, is carried out by keytool. jarsigner uses certificates to sign JAR files and to verify the signatures found on signed JAR files.
    Here we list simple steps of doing the signing. We assume that JDK 1.3 is installed and the tools jarsigner and keytool that are part of JDK are in the execution PATH. Following are Unix commands, however with proper changes, these could be used in Windows as well.
    1. First generate a key pair for our Certificate:
    keytool -genkey -keyalg rsa -alias AppletCert
    2. Generate a certification-signing request.
    keytool -certreq -alias AppletCert > CertReq.pem
    3. Send this CertReq.pem to VeriSign/Thawte webform. Let the signed reply from them be SignedCert.pem.
    4. Import the chain into keystore:
    keytool -import -alias AppletCert -file SignedCert.pem
    5. Sign the CyberVote archive "TeleVote.jar":
    jarsigner TeleVote.jar AppletCert
    This signed applet TeleVote.jar can now be made available to the web server. For testing purpose we can have our own test root CA. Following are the steps to generate a root CA by using openssl.
    1. Generate a key pair for root CA:
    openssl genrsa -des3 -out CyberVoteCA.key 1024
    2. Generate an x509 certificate using the above keypair:
    openssl req -new -x509 -days 365 -key CyberVoteCA.key -out CyberVoteCA.crt
    3. Import the Certificate to keystore.
    keytool -import -alias CyberVoteRoot -file CyberVoteCA.crt
    Now, in the step 3 of jar signing above, instead of sending the request certificate to VeriSign/Thawte webform for signing, we can sign using our newly created root CA using this command:
    openssl x509 -req -CA CyberVoteCA.crt -CAkey CyberVoteCA.key -days 365 -in CertReq.pem -out SignedCert.pem -CAcreateserial
    However, our test root CA has to be imported to the keystore of voter's web browser in some way. [This was not investigated. We used some manual importing procedure which is not recommended way]
    The Important Classes
    The MessageDigest class, which is used in current CyberVote mockup system (see section 2), is an engine class designed to provide the functionality of cryptographically secure message digests such as SHA-1 or MD5. A cryptographically secure message digest takes arbitrary-sized input (a byte array), and generates a fixed-size output, called a digest or hash. A digest has the following properties:
    o It should be computationally infeasible to find two messages that hashed to the same value.
    o The digest does not reveal anything about the input that was used to generate it.
    Message digests are used to produce unique and reliable identifiers of data. They are sometimes called the "digital fingerprints" of data.
    The (Digital)Signature class is an engine class designed to provide the functionality of a cryptographic digital signature algorithm such as DSA or RSA with MD5. A cryptographically secure signature algorithm takes arbitrary-sized input and a private key and generates a relatively short (often fixed-size) string of bytes, called the signature, with the following properties:
    o Given the public key corresponding to the private key used to generate the signature, it should be possible to verify the authenticity and integrity of the input.
    o The signature and the public key do not reveal anything about the private key.
    A Signature object can be used to sign data. It can also be used to verify whether or not an alleged signature is in fact the authentic signature of the data associated with it.
    ----Cheers
    ---- Dinesh Vishwakarma
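
    The MessageDigest and Signature behaviour described in the post above, as an added Java example that is not part of the original post or of CyberVote. It uses SHA-256 and a 2048-bit RSA key instead of the SHA-1/MD5 and 1024-bit values the post mentions; the class name and the sample messages are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class DigestAndSignatureDemo {

    /** Hex form of a byte array, for printing digests. */
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Fixed-size digest of arbitrary-sized input (the MessageDigest engine class). */
    static byte[] digest(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** Signs data with the private key (the Signature engine class). */
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(data);
        return signer.sign();
    }

    /** Verifies an alleged signature with the public key; malformed input counts as invalid. */
    static boolean verify(PublicKey key, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(data);
        try {
            return verifier.verify(signature);
        } catch (SignatureException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample messages; the second differs by one character.
        byte[] original = "candidate=A;voter=1001".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "candidate=B;voter=1001".getBytes(StandardCharsets.UTF_8);

        // Same input gives the same digest; a one-character change gives a different one.
        System.out.println("digest(original) = " + hex(digest(original)));
        System.out.println("digest(tampered) = " + hex(digest(tampered)));
        System.out.println("repeatable: "
                + MessageDigest.isEqual(digest(original), digest(original)));
        System.out.println("digests differ: "
                + !MessageDigest.isEqual(digest(original), digest(tampered)));

        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair signerKeys = generator.generateKeyPair();
        KeyPair otherKeys = generator.generateKeyPair();

        byte[] signature = sign(signerKeys.getPrivate(), original);

        // Authenticity and integrity: only the matching public key and the
        // unmodified data verify.
        System.out.println("original, signer's key: "
                + verify(signerKeys.getPublic(), original, signature));
        System.out.println("tampered, signer's key: "
                + verify(signerKeys.getPublic(), tampered, signature));
        System.out.println("original, other key:    "
                + verify(otherKeys.getPublic(), original, signature));
    }
}
```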

    Hi,
    these concepts are used and implemented in jGuard(www.jguard.net) which enable easy JAAS integration into j2ee webapps across application servers.
    cheers,
    Charles(jGuard team).

  • Error during JNDI lookup Accessing Remote EJB (access to web service restricted using declarative security model)

    Hello everyone,
    I developed a Web Service prototype accessing remote EJB using the EJB
    control with special syntax in the jndi-name attribute: @jws:ejb
    home-jndi-name="t3://10.10.245.70:7131/AccountDelegatorEJB"
    Everything works fine, but I get an error when I restrict access to my web
    service with a declarative security model by implementing steps provided in
    help doc:
    - Define the web resource you wish to protect
    - Define which security role is required to access the web resource
    - Define which users are granted the required security role
    - Configure WebLogic Server security for my web service(Compatibility
    Security/Users)
    I launch the service by entering the address in a web browser. When prompted
    to accept the digital certificate, click Yes, when prompted for network
    authentication information, enter username and password, navigate to the
    Test Form tab of Test View, invoke the method by clicking the button and I
    get the following exception:
    <error>
    <faultcode>JWSError</faultcode>
    <faultstring>Error during JNDI lookup from
    jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed for
    name:t3://10.10.245.70:7131/AccountDelegatorEJB]</faultstring>
    <detail>
    <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI
    lookup from jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed
    for name:t3://10.10.245.70:7131/AccountDelegatorEJB] at
    weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:27
    8) at
    weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext
    .java:220) at
    weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260) at
    ibas.AccountControl.getTransactionHistory(AccountControl.ctrl) at
    ibas.GetSecure.retrieveVisaHistoryTxn(GetSecure.jws:64) </jwErrorDetail>
    </detail>
    </error>
    I have a simple Hello method as well in my WebService (which is also
    restricted) and it works fine, but remote EJB access doesn't. I tested my
    prototype on Weblogic 7.2 and 8.1 platforms - same result.
    Is that a bug or I am missing some additional configuration in order to get
    that working. Has anyone seen similar behavior? Is there a known resolution?
    Or a suggested way to work around the problem?
    Thank you.
    Andre

    Andre,
    It would be best if this issue is handled as an Eval Support case. Please contact
    BEA Customer Support at http://support.beasys.com along with the required
    files, and request that an Eval support case be created for this issue.
    Thanks
    Raj Alagumalai
    WebLogic Workshop Support
    "Andre Shergin" <[email protected]> wrote in message
    news:[email protected]...
    Anurag,
    I removed "t3", still get an error but a different one (Unable to create
    InitialContext:null):
    <error>
    <faultcode>JWSError</faultcode>
    <faultstring>Error during JNDI lookup from
    jndi://secuser1:[email protected]:7131/AccountDelegatorEJB[Unable to
    create InitialContext:null]</faultstring>
    <detail>
    <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI
    lookup from
    jndi://secuser1:[email protected]:7131/AccountDelegatorEJB[Unable to
    create InitialContext:null] at
    weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:27
    8) at
    weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext
    .java:220) at
    weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260) at
    ibas.AccountControl.getTransactionHistory(AccountControl.ctrl) at
    ibas.GetVisaHistoryTransactions.getVisaHistoryTxn(GetVisaHistoryTransactions
    .jws:67) </jwErrorDetail>
    </detail>
    </error>
    Note: inter-domain communication is configured properly. The Web Service to
    remote EJB works fine without a declarative security.
    Any other ideas?
    Thank you for your help.
    Andre
    "Anurag" <[email protected]> wrote in message
    news:[email protected]...
    Andre,
    It seems you are using the URL
    jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB
    whereas you should not be specifying the "t3:" protocol.
    The URL should be like
    jndi://secuser1:[email protected]:7131/AccountDelegatorEJB
    Please do let me know if you see any issues with this.
    Note that this will only allow you to access remote EJBs in the same WLS
    domain. For accessing EJBs on another domain, you need to configure
    inter-domain communication by
    following a few simple steps as mentioned at
    http://e-docs.bea.com/wls/docs81/ConsoleHelp/jta.html#1106135. This link has
    been provided in the EJB Control Workshop documentation.
    Regards,
    Anurag
    "Andre Shergin" <[email protected]> wrote in message
    news:[email protected]...
    Raj,
    I tried that before, it didn't help. I got similar error message:
    <error>
    <faultcode>JWSError</faultcode>
    <faultstring>Error during JNDI lookup from jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB[Lookup failed for name:t3://secuser1:[email protected]:7131/AccountDelegatorEJB]</faultstring>
    <detail>
    <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI lookup from jndi:t3://secuser1:[email protected]:7131/AccountDelegatorEJB[Lookup failed for name:t3://secuser1:[email protected]:7131/AccountDelegatorEJB]
    at weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:278)
    at weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext.java:220)
    at weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260)
    at ibas.AccountControl.getTransactionHistory(AccountControl.ctrl)
    at ibas.GetSecure.retrieveVisaHistoryTxn(GetSecure.jws:64) </jwErrorDetail>
    </detail>
    </error>
    Anything else should I try?
    P.S. AccountDelegatorEJB, the remote EJB my Web Service calls is NOT access
    restricted.
    I hope there is a solution.
    Thanks,
    Andre
    "Raj Alagumalai" <[email protected]> wrote in message
    news:[email protected]...
    Andre,
    Can you try using the following url with username and password
    jndi://username:password@host:7001/my.resource.jndi.object ?
    once you add webapp level security, the authenticated is the user who
    invokes the EJB.
    http://e-docs.bea.com/workshop/docs81/doc/en/workshop/guide/controls/ejb/conCreatingANewEJBControl.html?skipReload=true
    has more info on using remote EJB's.
    Hope this helps.
    Thanks
    Raj Alagumalai
    WebLogic Workshop Support
    "Alla Resnik" <[email protected]> wrote in message
    news:[email protected]...
    Hello everyone,
    I developed a Web Service prototype accessing remote EJB using the EJB
    control with special syntax in the jndi-name attribute: @jws:ejb
    home-jndi-name="t3://10.10.245.70:7131/AccountDelegatorEJB"
    Everything works fine, but I get an error when I restrict access to my web
    service with a declarative security model by implementing steps provided in
    help doc:
    - Define the web resource you wish to protect
    - Define which security role is required to access the web resource
    - Define which users are granted the required security role
    - Configure WebLogic Server security for my web service (Compatibility
    Security/Users)
    I launch the service by entering the address in a web browser. When prompted
    to accept the digital certificate, click Yes, when prompted for network
    authentication information, enter username and password, navigate to the
    Test Form tab of Test View, invoke the method by clicking the button and I
    get the following exception:
    <error>
    <faultcode>JWSError</faultcode>
    <faultstring>Error during JNDI lookup from jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed for name:t3://10.10.245.70:7131/AccountDelegatorEJB]</faultstring>
    <detail>
    <jwErrorDetail> weblogic.jws.control.ControlException: Error during JNDI lookup from jndi:t3://10.10.245.70:7131/AccountDelegatorEJB[Lookup failed for name:t3://10.10.245.70:7131/AccountDelegatorEJB]
    at weblogic.knex.control.EJBControlImpl.acquireResources(EJBControlImpl.java:278)
    at weblogic.knex.context.JwsInternalContext.acquireResources(JwsInternalContext.java:220)
    at weblogic.knex.control.ControlHandler.invoke(ControlHandler.java:260)
    at ibas.AccountControl.getTransactionHistory(AccountControl.ctrl)
    at ibas.GetSecure.retrieveVisaHistoryTxn(GetSecure.jws:64)</jwErrorDetail>
    </detail>
    </error>
    I have a simple Hello method as well in my WebService (which is also
    restricted) and it works fine, but remote EJB access doesn't. I tested my
    prototype on Weblogic 7.2 and 8.1 platforms - same result.
    Is that a bug or I am missing some additional configuration in order to get
    that working. Has anyone seen similar behavior? Is there a known resolution?
    Or a suggested way to work around the problem?
    Thank you.
    Andre
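The faults quoted in this thread echo the whole JNDI URL, including the user name and password placed in it, and they echo it a second time after "Lookup failed for name:". The following Python function is an added example, not code from the thread or from BEA: it redacts the password from such fault text before it is logged or pasted, and flags the `jndi:t3://` form that Anurag says should not be used. The sample fault, host and password are constructed.

```python
import re
from dataclasses import dataclass

# URL forms seen in the quoted faults: jndi://..., jndi:t3://..., and the bare
# t3://... echoed after "Lookup failed for name:".
JNDI_URL = re.compile(
    r"(?P<scheme>jndi:(?:t3:)?|t3:)//"
    r"(?:(?P<user>[^:@/\s\[\]]+)(?::(?P<password>[^@/\s\[\]]*))?@)?"
    r"(?P<host>[^:@/\s\[\]]+):(?P<port>\d+)/(?P<name>[^\s\[\]<]+)"
)


@dataclass
class Finding:
    url: str            # redacted form, safe to log
    explicit_t3: bool   # True for jndi:t3://, the form the thread advises against
    has_password: bool  # True when the original URL carried user:password@


def scrub_fault(text):
    """Return (redacted_text, findings) for every JNDI/t3 URL found in text."""
    findings = []

    def redact(match):
        user, password = match.group("user"), match.group("password")
        userinfo = ""
        if user is not None:
            # Keep the user name for troubleshooting, drop the secret.
            userinfo = user + (":***" if password is not None else "") + "@"
        safe = "{}//{}{}:{}/{}".format(
            match.group("scheme"), userinfo,
            match.group("host"), match.group("port"), match.group("name"),
        )
        findings.append(
            Finding(safe, match.group("scheme") == "jndi:t3:", password is not None)
        )
        return safe

    return JNDI_URL.sub(redact, text), findings


# Constructed sample in the shape of the faults quoted above
# (192.0.2.10 and Example-Pw1 are placeholders, not values from the thread).
SAMPLE_FAULT = (
    "<faultstring>Error during JNDI lookup from "
    "jndi:t3://secuser1:Example-Pw1@192.0.2.10:7131/AccountDelegatorEJB"
    "[Lookup failed for name:"
    "t3://secuser1:Example-Pw1@192.0.2.10:7131/AccountDelegatorEJB]"
    "</faultstring>"
)

if __name__ == "__main__":
    clean, found = scrub_fault(SAMPLE_FAULT)
    print(clean)
    for f in found:
        print(f)
```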

  • Flash security model; completely confused

    Really, does anybody understand it? Every article I read that
    allows comments, literally each comment is one person saying how
    the previous person(s) are wrong in their interpretation of the
    security model.
    Flash 8 has been out for a while now, and I've fully read
    dozens of articles and every page in the user reference under AS2.0
    > Learning AS2.0 > Understanding security, and I am still
    utterly confused. Granted, I'm a bit slow with abstract
    comprehension, but I'm getting nowhere. I'm trying to send POST
    data to a remote server. Not trying to receive anything, just
    sending POST. Can't seem to get it to work on a server. What do I
    need to do?
    What I really need is a detailed and concise XYZ list: if you
    want to do X, you have to do ABCD, if you want to do Y, you have to
    do AD, if you want to do Z, you have to do CBA, etc. In that way I
    could at least figure out what it is I have to do, research how to
    do that, and get somewhere. Instead I'm confronted with numerous
    ways of handling security (allowScriptAccess,
    System.security.allowDomain, ExternalInterface, superdomain
    matching rules, creating serverside permission files, creating
    local registration files, different behavior in different SWF
    versions AND different behavior in different SWF Players! And much,
    much more!) And can't figure out what I need to do.
    (Sorry, got a bit ranty there... not blaming MM, it's not
    their fault they had to incorporate security measure)
    All I know is my SWF is not working. I want to be able to
    send some POST data to a remote server, compatible with Flash
    Player 6,7,and 8; I do not need to load any data. What must I do to
    allow this?
    Thanks for any guidance, it is much needed!

    In my case, there was no receiving SWF, only a sending SWF to
    a serverside page (.php or .asp or something, I don't remember).
    I don't even remember what I did to get it to work (my OP was
    5 months ago... clearly someone has been searching for answers on
    Flash security, and, like me 5 months ago, have mostly found
    unsolved/unhelpful questions :-) )... I think I created a
    crossdomain.xml file. In the end, everything was deployed on the
    same domain, I believe the same subdomain as well.
    That is still a helpful tip, though... I'll try my best to
    remember allowDomain() if I ever need cross-domain SWF-to-SWF
    interaction.

  • Case study: "Large?" labview programs flooded with different VIT's

    Case study: "Large?" labview programs flooded with different VIT's
    Type of application:
    Computer with loads of individual hardware connected or other software (either
    onsite (different buses) or offsite (Satellite/GSM/GPRS/radio etc.).
    Hardware description: little data "RPM" but communications to all devices are
    intact. More "RPM" when many VITs are involved.
    Size: 1000+ VITS in memory (goal). Total software has been tested and simulated
    with 400.
    I'm posting this post after reading this thread (and actually I can't sleep and
    am bored as hell).
    Note: I do not use LVOOP (but sure post OOP examples, am starting to learn more
    and more by the day.)
    Things I will discuss are:
    CASE 1: Memory usage using a plugin architecture
    CASE 2: memory usage using VITs (!)
    CASE 3: updating datastructures:
    CASE 4: shutdown of the whole system
    CASE 5: stability & health monitoring
    CASE 6: Inifiles
    CASE 7: When the hardware is getting crappy
    Total application overview:
    We have a main application. This main application is mainly empty as hell, and
    only holds a plugin functionality (to register and administer plugins) and holds
    an architecture that holds the following items:
    Queue state machine for main application error handling
    Queue state machine for status messages
    Queue state machine for updating virtual variables
    Event state machine for GUI
    Some other stuff
    Other global functionality is:
    User logins, user configurations and unique access levels
    Different nice tools like the good old BootP and other juicy stuff
    Supervision of variables (like the NI tag engine, but here we have our own
    datastructures)
    Generation of virtual variables (so that the user can configure easy
    mathematical functions and combining existing tags)
    Licensing of plugins (hell we free-lance programmers need some money too, don't
    we?)
    Handles all communication between plugins themselves, or directly to a plugin or
    vice versus.
    And now we don't talk about that (or marketing) the main application.
    Message Edited by Corny on 01-20-2010 08:52 AM

    CASE 3: updating datastructures:
    As we do NOT use clusters here (that would just be consuming) we only use a 1D
    array of data that needs to be updated in different functional globals. If the
    number of VITS exceeds so that the updating of this datastructures becomes the
    bottleneck, this would cause delays. And since in this example we use 250 serial
    interfaces (lol) we do not want to disrupt that by any delays. When this
    happens, does anyone know a good solution to transfer data?
    A thought: perhaps sending it down to the plugin and let the plugin handle it,
    this should save some time, but then again if more VITs are added again this
    would become a bottleneck and the queue would fill up after a while unable to
    process it fast enough. Any opinions?
    CASE 4: shutdown of the whole system
    Let's say we want to close it all down, but the VITs need perhaps to do some
    shutdown procedure towards the hardware, that can be heavy.
    If we ask them to shutdown all together we can use a notifier or userevent to do
    this job. Well, what happens next is that the CPU will jump to the roof, and
    well that can only cause dataloss and trouble. The solution here was to let the
    plugin shut them all down one by one, when one has been shutdown, begin at the
    next. Pro: CPU will not jump to the moon. Cons: shutdown is going to take a
    while. Be ready with a cup of coffee.
    Also we want the main application not to exit before we exit. The solution above
    solved this as the plugin knows when all have been shut down, and can then shut
    itself down. When all plugins are shutdown - the application ends.
    Another solution is to use rendovous (arg can't spell it) and only shut the
    system down when all rendezvous have met.
    CASE 5: stability & health monitoring
    This IS using a lot of memory. How to get it down. And has anyone experienced
    any difficulties with labview using A LOT of memory? I want to know if something
    gets corrupt. The VITs send out error information in case, but what if something
    weird happens, how can I surveillance all the VIT's in memory to know one is
    malfunctioning in an effective way/code (as backup solution so the application
    knows something is wrong)?
    CASE 6: Inifiles
    Well, we all like them. Even if XML is perhaps more fashionable. Now I've run
    some tests on large inifiles. And the labview Inifile functions use ages parsing
    all this information. Perhaps an own file structure in binary format or
    something would be better? (and rather create a configuration program)?
    CASE 7: When the hardware is getting crappy:
    Now what if the system is hitting the limit and gradually exceeds the hardware
    req. of the software. What to do then (thinking mostly of memory usage)? Needing
    to install it on more servers or something and splitting configurations? Is that
    the best way to solve this? Any opinions?
    Wow. Time for a coffee cup. Impressive if someone actually read all of this. My
    goal is to reach the 1000 VIT mark.. someday.. so any opinions, and just ask if
    something unclear or other stuff, I'm open for all stuff, since I see the
    software will hit a memory barrier someday if I want to reach that 1000 mark
    hehe

  • Talk21 - moving to security model of Yahoo

    Hi there,
    I wonder if anyone can advise on this.  I have an older Talk21 e-mail account which has been transferred to Yahoo.  I've had this for over 10 years.
    I notice when new customers sign up to Yahoo, there are now more advanced security options such as special characters in password, customised secret questions, credit card verification for password recovery and Log-in Activity.
    I'd be interested to improve the security of my account using these methods.
    Is there any way I can get these on my talk21 account, or is there a possibility of moving my talk21 account to the new security model of Yahoo?
    Thanks

    jonmale wrote:
    Hi there,
    I still haven't had a response on this.
    Is there a way to check this?
    Thanks,
    Jon
    Hi Jon.
    Not sure if this is applicable to BTinternet/Talk21 email addresses, as opposed to actual Yahoo! ones.
    However in case you were unaware, Talk21 email addresses can be accessed as a BTinternet email address as follows.
    If you append .t21 (including the dot) after the bit of the Talk21 email address before the @, and then added @btinternet.com at the end, it will be treated as a BTinternet email address.
    http://www.andyweb.co.uk/shortcuts
    http://www.andyweb.co.uk/pictures

  • "Closed" security model in BOXI 3.0

    Hello,
    Is it possible to create a closed security model in BOXI 3.0? In BOXI R2 we simply set the everyone group to no access in the settings area. I do not see the same functionality in 3.0. Am I missing something?
    Thanks

    Mark... I was in the middle of clarifying my answer when you replied.... This answer overrides the one above... And yes,
    So any folder in the root would also be seen unless you removed access on each folder individually
    Let's say you have a folder at the root level showing California Orders. And you want only users of the California group to see (the folder) California Orders. And you don't want them to see say, the New York Orders folder.
    You turn off access to the Everyone group at the root. Then you create a group called California and assign users to the California group. Then you assign view to the California group at the root level. Then specifically on the California Orders folder, assign whatever other rights (schedule, VOD, Full)...
    You're right when you say
    This means anytime you add a folder to the root level everyone can see it by default. You then have to turn off access manually for each new folder.
    In this example, you'd have to assign No Access to the New York group on the California Orders folder. The best way to handle this is to create a hierarchy of parent-child groups. So in this case, if we had say Asian & European Customers, we'd start assigning View privilege at the root by rolling up the California, New York etc.. in a US Customers group - and that way not have to set too many No Access'...

  • Security models available in Portal

    We are doing some investigation working with Oracle Portal and the client had come back asking about using security models in Portal. I have been trying to gather information on this but not much seems to be available. Any sort of info would be helpful as we are really running short on time. Thanx a lot!
    Karthik

    Thank you for your reply. The logical server name is dbfpdm01.
    I have tried to use the Powershell commands to downgrade, using the commands shown
    HERE
    (using S2 as serviceobjective, because S3 was not available apparently, and using the -Edition Standard, instead of Premium)
    But I'm not sure if this worked. The command
    Get-AzureSqlDatabase -ServerName "dbfpdm01" -DatabaseName "dbfpdm01"
    does not return. (read: it hangs my powershell session)
    Regards,
    Tim

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on an Upgrade project from 4.6c to ECC6.0. In the 4.6C R/3 system a position based security concept is used.
    Are there any extra precautions that need to be taken while upgrading in a position based security model?
    Or
    Is it the same procedure whether it is a role based security model or a position based security model?
    I am new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    There are already many documents posted on SDN on the same. Security upgrade is standard and mostly deals with role modification, and can you elaborate more on Position based. Position related assignment is also taken care of with the respective functional team, for ex: HR, and technical team Workflow if there are any issues.
    Better you go through the upgrade document. See the posts already available in the forum before starting with the upgrade.
    Experts correct me in case of correction.
