Authorization with LCDS
I have a flex application and LCDS running on CF8 running on JRun4 on the server.
The Flex application authenticates users with LCDS security that in turn uses custom authentication together with JRun security to authenticate against a MySQL DB.
I use various data services in LCDS that work together with CFCs to get and set data in my DB.
I would like to do server-side authorization (not authentication) to restrict users based on - for example - their role(s). What would be the best strategy in this setup?
Kind regards.
Alexandro
Hello -
Since you're using CFCs on the backend (server side) you can secure the app there. Maybe you've already solved this, but in case you didn't implement anything yet you can take a look at this link. You should get familiar with cflogin, cfloginuser, cflogout, GetAuthUser, IsUserInRole, and "Securing Applications" in Developing ColdFusion MX Applications.
HTH,
Bill Sahlas
LCDS QE
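One way to apply what Bill describes, as an added example that is not code from this thread, from Adobe, or from Alexandro's application: a cflogin block in Application.cfc that loads the user's roles from the MySQL table with cfloginuser, and a CFC whose remote methods are restricted with the roles attribute plus an explicit IsUserInRole() check. The datasource name (appdb), the table and column names (users, username, password_hash, roles, orders, owner), the password hashing scheme and the method names are all assumptions, as is the way the credentials reach ColdFusion (cflogin reads the HTTP Basic header or j_username/j_password form fields by default); the thread does not say how LCDS passes the user through to the CFC.

```cfml
<!--- Application.cfc (added example; datasource "appdb", table "users" and the
      hashing scheme are assumptions; use a salted, slow hash in production) --->
<cfcomponent>
    <cfset this.name = "lcdsAuthzDemo">
    <cfset this.sessionManagement = true>
    <!--- keep the logged-in user and role list in the session, not per request --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <!--- cflogin runs its body only when nobody is logged in for this session --->
        <cflogin>
            <cfif IsDefined("cflogin")>
                <!--- cflogin.name / cflogin.password are filled from the Basic header
                      or from the j_username / j_password form fields --->
                <cfquery name="qUser" datasource="appdb">
                    SELECT roles
                    FROM users
                    WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                      AND password_hash = <cfqueryparam value="#Hash(cflogin.password, 'SHA-256')#" cfsqltype="cf_sql_varchar">
                </cfquery>
                <cfif qUser.recordCount EQ 1>
                    <!--- roles is assumed to be a comma-delimited column, e.g. "user,editor";
                          it becomes the role list that IsUserInRole() and the roles
                          attribute on cffunction are checked against --->
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#qUser.roles#">
                <cfelse>
                    <cfheader statuscode="401" statustext="Unauthorized">
                    <cfabort>
                </cfif>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- OrderService.cfc (added example): the roles attribute makes ColdFusion reject the
      call unless the logged-in user holds one of the listed roles; IsUserInRole() inside
      the method lets the same method return a narrower result for non-admins --->
<cfcomponent>
    <cffunction name="getOrders" access="remote" returntype="query" roles="user,admin" output="false">
        <cfargument name="customerId" type="numeric" required="true">
        <cfquery name="qOrders" datasource="appdb">
            SELECT id, customer_id, total
            FROM orders
            WHERE customer_id = <cfqueryparam value="#arguments.customerId#" cfsqltype="cf_sql_integer">
            <!--- non-admins may only read orders owned by their own account;
                  GetAuthUser() returns the name given to cfloginuser --->
            <cfif NOT IsUserInRole("admin")>
              AND owner = <cfqueryparam value="#GetAuthUser()#" cfsqltype="cf_sql_varchar">
            </cfif>
        </cfquery>
        <cfreturn qOrders>
    </cffunction>

    <cffunction name="deleteOrder" access="remote" returntype="boolean" roles="admin" output="false">
        <cfargument name="orderId" type="numeric" required="true">
        <!--- the roles attribute already blocks non-admins; the explicit check documents
              the rule and still holds if someone later drops the attribute --->
        <cfif NOT IsUserInRole("admin")>
            <cfthrow type="Security" message="Role admin required">
        </cfif>
        <cfquery datasource="appdb">
            DELETE FROM orders
            WHERE id = <cfqueryparam value="#arguments.orderId#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Both the roles attribute and IsUserInRole() read the role list that cfloginuser stored on the server, so the decision does not depend on anything the Flex client sends; a client that has been modified to call deleteOrder directly is still refused. This assumes the LCDS-to-CFC call arrives in a ColdFusion session in which cflogin has already run (sessionManagement and loginStorage="session" above), which is an assumption about how the LCDS adapter and the JRun session are wired in this deployment, not something the thread confirms.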
Similar Messages
-
How to handle and manage multi-database access at runtime with LCDS?
Hello there
I have several customers working with the same application and I wonder how, with LCDS, to manage multi-database access at runtime without creating a configuration XML file in the catalina folder for each database.
Indeed, each customer has their own database, and so far I have not found out how to avoid creating a config XML file in catalina for every single database, which forces me to create an application folder for each customer as well, since the name of the config file in catalina requires an application folder to be run under Tomcat....
Thus, my question is:
Is there any way to create only one configuration XML file in catalina (on the server side) and then from the client side (application) let the user select their environment (meaning their database) to run the application? This technique can also be used for a multi-database environment such as Dev / Test / Prod environments (or databases) that the same application can access.
Please, if anyone has an idea or has already dealt with this, just let me know, because I'm running into a bottleneck and the situation is getting seriously critical....
Regards
Hello Ulrich,
with compact and repair I mean the MSAccess function "Compact and Repair".
Please follow the link below for more details:
http://office.microsoft.com/en-us/access-help/compact-and-repair-an-access-file-HP005187449.aspx
Normally you can execute this function directly in Access or with the Windows ODBC Data Sources Administrator => "Control Panel" => "Administrative Tools" => "Data Sources (ODBC)"...
I want to execute this function via CVI code and not by hand ;-).
Thank you for your support.
Frank -
Is anyone using a K8N Neo MS-7030 with a 6600/6800 series card and an LCD monitor?
Is anyone using a K8N Neo MS-7030 with a 6600/6800 series card and an LCD monitor, with the card connected through the DVI cable without problems?
Yup, no problems here! Connected to a 19" AGNeovo F-419 TFT LCD using a DVI cable. Nice picture!
-
If I have additional music on my second computer that I authorize with iTunes Match, how do I upload it to iCloud?
Check out this post by Zevoneer.
-
Transport roles and analysis authorization with user assigned
Hi expert,
I am facing this problem transporting roles and analysis authorizations with users assigned. When I created a transport request to move the roles and analysis authorization from the development system to the test system, I couldn't maintain the user assignments; after the transport I have to assign all of the users manually or create a program to fill the AGR_USER table, or is there another way?
Thanks for your time,
Luis
Hi,
In role administration, you have the following options for transporting roles:
You can download the roles from one system and upload them into another
You can import the role from a remote system using RFC
You can transport the roles with the transport function.
Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
Transporting Roles with the Role Transport Function
1. Start the role administration function by choosing Tools -> Administration -> User Maintenance -> Role Administration -> Roles (transaction PFCG).
2. Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
For more information go through the link below:
http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
Regards,
Marasa. -
How can I authenticate and authorize with Web Service on ESB ?
Hello,
I want to authenticate and authorize client with Web Service published
by HTTP/SOAP BC.
Simply if it is an Web Service as J2EE application, I will use
Basic Authentication with JAX-RPC and Realm.
But I think that a Web Service published by HTTP/SOAP BC does not belong to a J2EE application. There is no place to describe security role mapping (like web.xml).
JBI 1.0 section "5.5.1.1.3 Normalized Message Properties" comments that a JAAS Subject is given in the NM Properties. Really, the package com.sun.jbi.internal.security.* implements JAAS authentication and authorization (at JaasAuthenticator).
But I can't see how to configure my Service to use this.
How can I authenticate and authorize with Web Service on ESB ?
I referred to the resources.
Mutual Authentication for Web Services: A Live Example
http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
XML and Web Services Security
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
JAAS Authentication Tutorial
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
Thanks,
Takurou
- environment ---------------------------------------------
OpenESB : Project Open ESB Starter Kit
AppServer : Sun Java Systems Application Server 9.0 PE
OS : Windows XP
I don't assume to use SSL (if It's necessary I will try).
User information is stored in a LDAP Server.
-----------------------------------------------------------
Hello,
I read this resource.
SecurityDesign
http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
Then I think securing by basic authentication [non-SSL and SSL/TLS and so on] is an ongoing feature at this time.
But I can't see well why this page comments 'HTTP over SSL, TLS'.
HTTP/SOAP Binding Component Overview
http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
Does BC support only "SSL server authentication" ?
Doesn't BC support "SSL client authentication" by username/password ?
Thanks,
Takurou -
Configuring Cisco ISE for Authorization with External Radius Server attribute
Hi,
I'm trying to integrate an external radius server with Cisco ISE.
I created an External Identity Store>Radius Token Server.
I created an Identity Store sequence with just one identity store, the one created above.
And I was able to authenticate successfully.
But when it comes to authorization, I observed we have just one tab named Authorization while creating the Radius Token server, and it always refers to ACS:attribute_name.
If I want to define an IETF RADIUS attribute (let's say Class, with attribute ID 25), how could I do it?
In Cisco ACS we have a direct entry option in the authorization tab where we can define the RADIUS (IETF) attribute within Radius token server creation (within Radius token server > Directory attribute tab).
However, when I try to define the IETF attribute here (class, IETF:Class) I am not able to authorize with this attribute value.
I tried with just one single authorization rule where it could hit, but observed it going to the default (as none of the rules defined matches the condition).
Can anyone guide me on how we can define an IETF RADIUS attribute for authorization within Cisco ISE and what policy we could set for it to work as authorization?
Thanks in advance
Senthil K
These are the steps for creating and editing RADIUS vendors:
To create and edit a RADIUS vendor, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.
Step 2 Click Create to create a new RADIUS vendor, or click the radio button next to the RADIUS vendor that you want to edit and click Edit.
Step 3 Enter the following information:
• Name—(Required) Name of the RADIUS vendor.
• Description—An optional description for the vendor.
• Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the vendor.
• Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.
• Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.
Step 4 Click Submit to save the RADIUS vendor. -
LDAP (OpenLDAP) authorization with DAP (dynamic access policy)
Hello,
We have an ASA 5520 and we are trying to do LDAP (OpenLDAP) authorization with DAP (Dynamic Access Policy). We have a problem with logical expressions. We need more examples of logical expressions and we need to know how to debug logical expressions. We tried to use debug dap trace and debug dap errors but we need more debug information.
Hi
I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).
Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead
Hth
Herbert
Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know. -
Hi, can anyone help me please? This is driving me crazy! I downloaded and installed Adobe Digital Editions and when I try to authorize with my Adobe ID information I get the message "Activation Server Problem - check connection to the internet" when I clearly am connected to the internet?
<moved from Downloading, Installing, Setting Up to Adobe Digital Editions>
-
Structural Authorizations with Training & Event Management
We have implemented TEM in R/3 4.72. We also use structural authorizations with our decentralized HR functions. Our problem is that if a user has one of the profiles assigned, they can get all the way to booking the class and then receive an error that they have no authorization to edit attendances. If the user has NO profile, they are able to book a class with no problems. If I add the P-E evaluation path in the profile, it fixes the problem with booking a class, but then gives the users global access (which is what we are trying to avoid). I know there must be a key somewhere to making this work. If anyone knows what it is, I would appreciate finding out.
In the profile, I have given access to objects D, E, F, G, L, R and P with the P-E and P-S-O evaluation paths (using the RH_GET_MANAGER_ASSIGNMENT function).
Thanks.
Hello Michelle,
I think you could solve this issue by using Context Sensitive Authorizations. It is available from 4.7 and above.
Regards,
Ahmad -
Hierarchy authorization with variables of type exit
Hi all,
I am trying to implement hierarchy based authorizations with variables. After collecting information from the SAP documentation and this forum, I think I know more or less how to do it, but it's not working and it has me very confused.
These are the steps I have followed:
- From RSSM, I have created a hierarchy authorization object including my characteristic and 0TCTAUTHH
- From RSSM again, I have created a hierarchy authorization pointing to the node $ZG_V_008
- From the Query designer, I have created a hierarchy node variable of processing type customer exit ZG_V_008 (are any special settings needed here?)
- From the Query designer, I have created <b>another</b> hierarchy node variable of processing type authorization, and I have used this variable to restrict the hierarchy for my characteristic
- I have edited the EXIT_SAPLRRS0_001 to watch for I_STEP = 0 and give values to ZG_V_008 (we'll get to my code later in case we solve this issue first
It is my understanding that with this setup, the user exit will be called to process the value of ZG_V_008 in I_STEP = 0, however, when debugging, I don't see any calls for the function with I_STEP = 0.
What have I done wrong?
Thanks a lot in advance.
Guillermo
Thanks, Jimmy, but that does not help much: my problem is that my user exit is not evaluated with I_STEP=0, but there are no error messages or anything like that.
I have created a test user without a developer role to see if that could have any impact, but it's still not working.
Any ideas? -
Authorization with JAAS in JSF with facelets
hi,
Can you please hint where I made a mistake? I'll clearly mention what I did and what I am getting. I did this in JSF 1.2, Tomcat 6.x.
I did JAAS authentication in JSF with Facelets, but I am unable to do the authorization with JAAS in JSF.
After getting authentication I put the subject in the session. If I print the values in the subject I get the following output:
Subject:
Principal: TypedPrincipal: hari [USER] // user name
Principal: TypedPrincipal: admin [GROUP] // user role.
Now I want authorization based on the role.
For this I wrote a policy file, principal.policy, like this:
grant Principal com.alw.reports.jaas.TypedPrincipal "admin" {
    permission com.alw.reports.jaas.ViewIdPermission "*";
};
grant Principal com.alw.reports.jaas.TypedPrincipal "hari" {
    permission com.alw.reports.jaas.ViewIdPermission "*";
};
grant Principal com.alw.reports.jaas.TypedPrincipal "user" {
    permission com.alw.reports.jaas.ViewIdPermission "/contents.jsp";
};
and I set the path for this policy file like
System.setProperty("java.security.policy", "policy file location");
When I run my application I get the login page; after that I give the username and password. It gets authenticated, but it is not able to display the next page, /pages/welcome.xhtml; instead it directly shows /pages/error.xhtml.
I am getting the following error:
java.security.AccessControlException: access denied (com.alw.reports.jaas.ViewIdPermission /pages/welcome.xhtml)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at com.alw.reports.jaas.JAASHelper$1.run(JAASHelper.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
at com.alw.reports.jaas.JAASHelper.permitionToAccessViewId(JAASHelper.java:83)
at com.alw.reports.jaas.JAASActionListener.processAction(JAASActionListener.java:65)
at javax.faces.component.UICommand.broadcast(UICommand.java:106)
at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:316)
at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
My faces-config.xml:
<navigation-rule>
    <display-name>pages/login</display-name>
    <from-view-id>/pages/login.xhtml</from-view-id>
    <navigation-case>
        <from-outcome>loginSuccess</from-outcome>
        <to-view-id>/pages/welcome.xhtml</to-view-id>
    </navigation-case>
</navigation-rule>
<!-- global rule (no from-view-id), so "errorpage" resolves from any view -->
<navigation-rule>
    <navigation-case>
        <from-outcome>errorpage</from-outcome>
        <to-view-id>/pages/error.xhtml</to-view-id>
    </navigation-case>
</navigation-rule>
My command button in login.xhtml:
<td align="center" colspan="2">
    <h:commandButton value="Reset" type="reset"/>
    <h:commandButton action="loginSuccess" id="login" value="Login" />
</td>
My action listener:
package com.alw.reports.jaas;

import javax.faces.component.UIOutput;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;
import javax.security.auth.Subject;

public class JAASActionListener implements ActionListener {
    private ActionListener parent = null;

    public JAASActionListener(javax.faces.event.ActionListener parent) {
        System.out.println("-------------- in JAASActionListener ;");
        this.parent = parent;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        System.out.println("-------------- in processAction ;");
        FacesContext context = FacesContext.getCurrentInstance();
        UIOutput comp = null;
        String userid = null, password = null;
        JAASHelper jaasHelper = new JAASHelper();
        // Check to see if they are on the login page.
        boolean onLoginPage = (-1 != context.getViewRoot().getViewId().lastIndexOf("login"));
        if (onLoginPage) {
            if (null != (comp = (UIOutput) context.getViewRoot().findComponent("helloForm:username"))) {
                userid = (String) comp.getValue();
            }
            if (null != (comp = (UIOutput) context.getViewRoot().findComponent("helloForm:password"))) {
                password = (String) comp.getValue();
            }
            // If JAAS authentication failed
            if (!jaasHelper.authenticate(userid, password)) {
                context.getApplication().getNavigationHandler().handleNavigation(context, null, "login");
                return;
            } else {
                // Subject must not be null, since authentication succeeded
                System.out.println("----------- setting the subjects in context in ActionListner ");
                assert (null != jaasHelper.getSubject());
                // Put the authenticated subject in the session.
                System.out.println("---- putting the authenicated subject in the seesion ");
                context.getExternalContext().getSessionMap().put("JAASSubject", jaasHelper.getSubject());
            }
        }
        // Let the default listener run the action (navigation to the outcome),
        // then check that the subject may see the view that was navigated to.
        parent.processAction(event);
        Subject subject = (Subject) context.getExternalContext().getSessionMap().get("JAASSubject");
        System.out.println("subject after parent process action>>>>>>>>>>>>>>>>>>>>>" + subject);
        assert (null != subject);
        if (!jaasHelper.permitionToAccessViewId(subject, context, context.getViewRoot().getViewId())) {
            context.getApplication().getNavigationHandler().handleNavigation(context, null, "errorpage");
        }
    }
}
Can you please hint where I made a mistake?
Thanks in advance
gbabu wrote:
My doubt is based on that subject: how to write the policy file and how to call the doAsPrivileged() method on that Subject in order to navigate web pages, and how to provide web page permissions for a particular role in the policy file.
For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
1> if the logged in person is admin, then we want to display admin.xhtml
2> if the loggend is person is user , then we want to display user.xhtml
Until now I have found who is logged in and what their type is (admin or user). Now I want to configure web.xml and faces-config.xml based on the policy file.
To the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]). -
Cockpit - authorizations with hierarchy
Hello,
I have a problem in a cockpit, relating to authorizations with hierarchy.
I have an authorization object already defined with certain criteria (the bucket and node of the hierarchy that I want to add for a user) in a role, together with a profile for viewing the cockpit. When I log in with the user to view the cockpit I can get into all the nodes. My question is: why is my authorization for the hierarchy node that I only want to show not respected?
Thank you.
Mike
Done, it's sorted now.
-
Aaa authorization with Tacacs+
Hello All,
I am trying to figure out how aaa authorization with tacacs+ works.
I am totally comfortable with aaa authentication, but I am not able to understand how it works. How are different priv levels assigned to different users?
I am totally freaked out...
The device side setup is pretty simple. You just use the aaa authorization command set. A good bit of the setup is on the ACS server end.
Cisco has a pretty thorough configuration example posted here.