Bug in bundled Application Server prohibits Acegi security integration

I am using JSC 2, Update 1 and have run into a problem trying to integrate Acegi security into my Web app. After some hours of frustration I have found that the problem apparently stems from a bug in the bundled Sun Application Server (version 8.2). If I deploy my application to Tomcat 5.5, the problem disappears.
The exception that occurs on the bundled Sun Application Server is:
java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken
For information about the appserver bug that causes this exception look at:
http://forums.java.net/jive/thread.jspa?threadID=13150&messageID=83666
The last three entries in the above thread discuss the problem and also link to other places where the problem is discussed. See in particular these links:
https://glassfish.dev.java.net/issues/show_bug.cgi?id=221
and
http://www.jroller.com/page/agrebnev?entry=acegi_does_not_work_at
The Glassfish bug database indicates that the bug was fixed in the b38 version of Glassfish. However, the fix apparently hasn't made it into the bundled Sun Appserver 8.2.
I hope this information will spare someone else the frustration of hunting down the source of this problem. Since Acegi is becoming a very popular option for adding security to Java webapps, I probably won't be the only person to run into this little gotcha.
Also, I'd appreciate any info the Creator team can provide about when the bundled appserver might be fixed.
Thanks,
Charlie

Could someone on the Creator team please comment on this issue? Is there any plan to upgrade the bundled Sun Application Server to version 9.0? (I'm assuming this bug is fixed in 9.0 -- although I haven't been able to verify that. Actually, I'm not very clear on the relationship between the various Glassfish versions and the various Sun Application Server versions.) Or is there a plan to support Glassfish and/or Tomcat as development servers (rather than just deployment servers).
It seems like my only other possible alternative is to use Netbeans 5.5 with the Visual Web pack. But since the Visual Web pack is a pre-beta release I'm leery about using it for developing a production Web app.
Thanks in advance for your help.
Charlie

Similar Messages

  • JDev Application Server Connection using secured HTTP

    Is there a way to create an Oracle 10.1.2 application server connection in JDev (10.1.3.1) when the App Server's enterprise manager is under secured http?

    Hi,
    if the http server is secured then deployment shouldn't be impacted because it's using ORMI
    Frank

  • Possible bug in JEE Application Server Library MP?

    The Beanspy Alert monitor reports alerts with missing data. See example below, specifically the {} returned parameters appear empty/incorrect.
    Application server connection lost
    Alert Description
    Source:
    Full Path Name:
    Alert Monitor:
    BeanSpy
    Created:
    The Health Service lost the connection to BeanSpy on port {2} to the machine {1} for the application server ID '{0}'.

    So the next step I took was taking a deep dive into the JBoss.Monitored.Configuration.Discovery scripts and I found that the script tries to find and/or create registry keys about its discovered Jboss instances.
    The key being created is: HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Modules\{GUID}\.\Script\PersistedDiscovery
    In that key, values are stored called HTTP and HTTPS.
    The persistedDiscovery key is deleted and recreated when you stop the Microsoft Monitoring Agent service and/or flush the health state cache. Thus manually adding the values is no use.
    The HTTP and HTTPS values in a Jboss7 instance running domain mode cannot be retrieved because the port configuration is done at the Jboss domain controller and 'streamed' to the Jboss domain hosts.
    In JBoss 5 instance however I see HTTP and HTTPS values being inserted into the registry. In a few cases incorrect information about ports is found and added to the registry.
    In the Jboss discovery vbs I found the pieces for Jboss5:
    ' Get the HTTP & HTTPS ports of the JBoss 5 installation that runs a specific configuration 
    ' Do this by adding the offset for the port binding to the base ports found in the XML file 
    ' bindings-jboss-beans.xml located in <configuration>\conf\bindingservice.beans\META-INF\
    Apparently what is written in this file does not actually reflect the running config.
    For Jboss7 it appears quite a bit more complex (especially running domain mode):
    Step1:
    ' Get the HTTP and HTTPS ports for a JBoss 7 or Wildfly installation that is running in domain mode 
    ' In order to get the HTTP Ports we must first retrieve the group that the server belongs too, as well as the port offset for each server 
    ' These values both resiode within the host.xml file
    Step2:
    ' We then look within domain.xml to find the profile reference based on the group name that we retrieved from host.xml 
    ' After the profile reference we then can find the socket-bindings for http and https ports
    While the information is there, these values are not added to the registry.
    Thus, so far the script is looking in the right place to find the used ports for that particular Jboss7 Service, yet the monitor for the BeanSpy is not using that port to contact the BeanSpy.
    My investigation continues...
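
The domain-mode lookup described in the post above (server group and port offset from host.xml, then the http/https socket bindings from domain.xml), written out as an added example; it is not part of the original post or of the management pack's discovery script. The XML snippets are constructed samples, and the element layout (`socket-bindings port-offset` in host.xml, `socket-binding-group ref` under each server group) is assumed from stock JBoss AS 7 / WildFly domain configurations.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not from the post). Assumed layout: stock
# JBoss AS 7 / WildFly domain-mode host.xml and domain.xml.
HOST_XML = """
<host xmlns="urn:jboss:domain:1.4" name="master">
  <servers>
    <server name="server-one" group="main-server-group"/>
    <server name="server-two" group="other-server-group">
      <socket-bindings port-offset="150"/>
    </server>
    <server name="server-three" group="retired-group"/>
  </servers>
</host>
"""

DOMAIN_XML = """
<domain xmlns="urn:jboss:domain:1.4">
  <socket-binding-groups>
    <socket-binding-group name="standard-sockets" default-interface="public">
      <socket-binding name="http" port="${jboss.http.port:8080}"/>
      <socket-binding name="https" port="8443"/>
    </socket-binding-group>
    <socket-binding-group name="full-sockets" default-interface="public">
      <socket-binding name="http" port="8080"/>
      <socket-binding name="https" port="8443"/>
    </socket-binding-group>
  </socket-binding-groups>
  <server-groups>
    <server-group name="main-server-group" profile="default">
      <socket-binding-group ref="standard-sockets"/>
    </server-group>
    <server-group name="other-server-group" profile="full">
      <socket-binding-group ref="full-sockets"/>
    </server-group>
  </server-groups>
</domain>
"""

# Matches a property expression that carries a numeric default, e.g. ${jboss.http.port:8080}
_EXPR = re.compile(r"^\$\{[^:}]+:(\d+)\}$")


def _local(tag):
    """Drop the XML namespace so the code works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _descendants(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]


def _resolve_int(value, default=None):
    """Return a literal port/offset, the default of a ${prop:default} expression, or None."""
    if value is None:
        return default
    value = value.strip()
    if value.isdigit():
        return int(value)
    match = _EXPR.match(value)
    return int(match.group(1)) if match else None


def effective_ports(host_xml, domain_xml):
    """Map each server in host.xml to its declared HTTP/HTTPS ports (base port + offset)."""
    host = ET.fromstring(host_xml.strip())
    domain = ET.fromstring(domain_xml.strip())

    # domain.xml: server group name -> referenced socket-binding-group name
    group_to_binding = {}
    for group in _descendants(domain, "server-group"):
        refs = _children(group, "socket-binding-group")
        if refs:
            group_to_binding[group.get("name")] = refs[0].get("ref")

    # domain.xml: socket-binding-group name -> base http/https ports
    base_ports = {}
    for container in _descendants(domain, "socket-binding-groups"):
        for binding_group in _children(container, "socket-binding-group"):
            base_ports[binding_group.get("name")] = {
                sb.get("name"): _resolve_int(sb.get("port"))
                for sb in _children(binding_group, "socket-binding")
                if sb.get("name") in ("http", "https")
            }

    # host.xml: per-server group membership and port offset
    result = {}
    for servers in _descendants(host, "servers"):
        for server in _children(servers, "server"):
            group = server.get("group")
            bindings = _children(server, "socket-bindings")
            offset = _resolve_int(bindings[0].get("port-offset"), 0) if bindings else 0
            binding_group = group_to_binding.get(group)
            ports = base_ports.get(binding_group, {})
            entry = {"group": group, "binding_group": binding_group, "offset": offset}
            for proto in ("http", "https"):
                base = ports.get(proto)
                # None means the files alone do not determine the port
                entry[proto] = base + offset if base is not None and offset is not None else None
            result[server.get("name")] = entry
    return result


if __name__ == "__main__":
    for name, info in effective_ports(HOST_XML, DOMAIN_XML).items():
        print(name, info)
```

The result is what the files declare: a port given as a property expression can be overridden when the server is started, so the running instance may listen elsewhere.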

  • Solaris 10 bundle application server

    My workstation is SUN Blade 100 Sparc
    I used solaris 10 bundle appserver and try to start the server.
    I could create the domain by
    #asadm create-domain adminport 123 adminuser root mydomain
    when I delete the domain by
    #asadm
    it shows "/usr/bin/imqbrokerd: not found"
    when I start the domain by
    #asadm start-domain mydomain
    The server doesn't start and log following error:
    [#|2004-12-01T16:32:53.767+0800|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.tools.admin|_ThreadID=10;|ADM0020:Following is the information about the JMX MBeanServer used:|#]
    [#|2004-12-01T16:32:54.469+0800|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.tools.admin|_ThreadID=10;|ADM0001:MBeanServer initialized successfully|#]
    [#|2004-12-01T16:32:55.320+0800|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.resource.jms|_ThreadID=10;|JMS5034: Could not start the JMS service broker process.|#]
    [#|2004-12-01T16:32:55.322+0800|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.resource.jms|_ThreadID=10;|JMS5036: More details may be available in the log file for the JMS service broker instance imqbroker. Please refer to the JMS provider documentation for the exact location of this log file.|#]
    [#|2004-12-01T16:32:55.324+0800|SEVERE|sun-appserver-pe8.0.0_01|javax.enterprise.resource.jms|_ThreadID=10;|JMS5024: JMS service startup failed.|#]
    [#|2004-12-01T16:32:55.343+0800|SEVERE|sun-appserver-pe8.0.0_01|javax.enterprise.system.core|_ThreadID=10;|Service com.sun.enterprise.jms.JmsProviderLifecycle@1d381d2 cannot be initialized! : com.sun.appserv.server.ServerLifecycleException: /usr/bin/imqbrokerd: not found|#]
    [#|2004-12-01T16:32:55.345+0800|SEVERE|sun-appserver-pe8.0.0_01|javax.enterprise.system.core|_ThreadID=10;|CORE5071: An error occured during initialization
    com.sun.appserv.server.ServerLifecycleException: /usr/bin/imqbrokerd: not found
         at com.sun.enterprise.jms.JmsProviderLifecycle.onInitialization(JmsProviderLifecycle.java:278)
         at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:220)
         at com.sun.enterprise.server.PEMain.run(PEMain.java:210)
         at com.sun.enterprise.server.PEMain.main(PEMain.java:172)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at org.apache.commons.launcher.ChildMain.run(ChildMain.java:269)
    Caused by: com.sun.appserv.server.ServerLifecycleException: /usr/bin/imqbrokerd: not found
         at com.sun.enterprise.jms.JmsProviderLifecycle.onInitialization(JmsProviderLifecycle.java:265)
         ... 8 more
    Caused by: java.io.IOException: /usr/bin/imqbrokerd: not found
         at java.lang.UNIXProcess.forkAndExec(Native Method)
         at java.lang.UNIXProcess.<init>(UNIXProcess.java:52)
         at java.lang.Runtime.execInternal(Native Method)
         at java.lang.Runtime.exec(Runtime.java:566)
         at java.lang.Runtime.exec(Runtime.java:491)
         at java.lang.Runtime.exec(Runtime.java:457)
         at com.sun.messaging.jmq.admin.jmsspi.JMSAdminImpl.startProvider(JMSAdminImpl.java:720)
         at com.sun.enterprise.jms.JmsProviderLifecycle.onInitialization(JmsProviderLifecycle.java:258)
         ... 8 more
    |#]
    [#|2004-12-01T16:32:55.353+0800|SEVERE|sun-appserver-pe8.0.0_01|javax.enterprise.system.core|_ThreadID=10;|Server Startup failed. Exiting...|#]
    [#|2004-12-01T16:32:55.354+0800|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.core|_ThreadID=10;|Server shutdown in progress...|#]
    [#|2004-12-01T16:32:55.502+0800|WARNING|sun-appserver-pe8.0.0_01|javax.enterprise.system.core|_ThreadID=10;|CORE5061: Exception :
    java.lang.NullPointerException
         at com.sun.enterprise.jms.JmsProviderLifecycle.checkProviderStartup(JmsProviderLifecycle.java:377)
         at com.sun.enterprise.jms.JmsProviderLifecycle.onShutdown(JmsProviderLifecycle.java:433)
         at com.sun.enterprise.server.ApplicationServer.onShutdown(ApplicationServer.java:400)
         at com.sun.enterprise.server.PEMain.run(PEMain.java:233)
         at com.sun.enterprise.server.PEMain.main(PEMain.java:172)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at org.apache.commons.launcher.ChildMain.run(ChildMain.java:269)
    |#]
    [#|2004-12-01T16:32:55.664+0800|WARNING|sun-appserver-pe8.0.0_01|javax.enterprise.system.tools.admin|_ThreadID=10;|core.tmp_folder_deletion_failed|#]
    [#|2004-12-01T16:32:55.670+0800|SEVERE|sun-appserver-pe8.0.0_01|javax.enterprise.system.core|_ThreadID=10;|Server stopped due to Server startup failure.|#]

    Based on the info you supplied it looks like the /usr/bin/imqbrokerd program could not be found. Does this path exist? If not it looks like the appserver may be configged incorrectly. IMQ may be installed in a different location. Can you find the imqbrokerd program on your system? Once you locate it could you look in your config/asenv.conf file and check the AS_IMQ_LIB and AS_IMQ_BIN properties to make sure they are pointing to appropriate paths. Post back what you find.

  • Sun Java System Application Server for Mac OS X ?

    hi everybody.
    does anybody know if (any given date ?) sun is planning to offer a distribution of its sun java system application server for mac os x ? or even better: any ideas on how to install a currently available version on mac os x 10.4 ? the linux bin seems not to be readable.
    thank you very much in advance, folks.
    and have a nice day
    andre from berlin, germany

    As you noticed, standalone MacOS distribution of application server is currently not available, but what you can do is to download NetBeans with J2EE bundle or Creator (for free) and install bundled Application Server on this platform. Download URLs are:
    http://www.netbeans.info/downloads/download.php?type=4.1
    (NetBeans/J2EE cobundle)
    http://developers.sun.com/prodtech/devtools/free/
    (Creator)
    Also, you can install and run Glassfish (which is open-source version of upcoming Application Server 9.0) on MacOS X:
    http://java.sun.com/javaee/glassfish/getit.jsp

  • Weblogic - Acegi Security

    Hi,
    My application was using acegi security for basic authentication and now I am trying to deploy it under weblogic9.2. I am facing a problem that I need to define the users in weblogic security also to get it authenticated and so the browser asks for user/password twice, once for weblogic and once for acegi. Can anybody tell me where I might be making a mistake?
    My web.xml has this,
         <filter>
              <filter-name>Acegi Filter</filter-name>
              <filter-class>
                   org.acegisecurity.util.FilterToBeanProxy
              </filter-class>
              <init-param>
                   <param-name>targetClass</param-name>
                   <param-value>
                        org.acegisecurity.util.FilterChainProxy
                   </param-value>
              </init-param>
         </filter>
         <filter-mapping>
              <filter-name>Acegi Filter</filter-name>
              <url-pattern>/*</url-pattern>
         </filter-mapping>
    Please inform me about the problem,
    Best regards,
    mik

    Hi,
              Did you try to deploy the Spring app in exploded format ?
              Regards
              Anilkumar kari

  • To run samples on Sun Application server

    I had installed Sun Java System Application Server Platform Edition 9.0 and then installed the WSDP. WSDP recognized the application server and I believe integrated them.
    However, when I wanted to run the examples on the http://localhost:8080/JWSDP.html page:
    SAAJ Simple Sample
    SAAJ book Sample
    SAAJ translator Sample
    I got Page not found.
    Previously I was running tomcat with WSDP and I was able to run those examples. Could that be what prevented me from running it on the Sun Application server? I uninstalled the WSDP before I installed the Sun Application server.
    What do I need to do to be able to run them?
    Thanks for your help.

    Permissions need to be opened up for BlazeDS on the application server. You can either do this at the JRE level (jre/lib/security/java.policy) or in the application server.

  • Flex on Oracle Application Server 10g - security problems

    Hi,
    I'm working with Flex components (swf files), I'm trying to view them in a browser and i'm facing some security problems.
    The server i'm trying to run the files on is: Oracle application server 10g on Unix server.
    Please help me with the server's configuration to allow running swf files on it.
    In relation to Flex, there is a file that must be on the server's root named: "crossdomain.xml". This file defines which IPs the swf object can take/get data from. Maybe there are configurations to that file that need to be done on the server?
    Thank you,
    Inbal

    No. Not only it isn't certified, but it is also impossible to run forms compiled with the 11g compiler with the 10g runtime. For 11g there is a install bundle for the developer suite / application server.
    cheers

  • Secure Ciphers with application server 9.0.4 not working

    Have ssl configured and working on Oracle Application Server 10g version 9.0.4. Currently have this in the ssl.conf and it does work and has been for some time.
    SSLCipherSuite ALL
    Want to change it to this for security purposes.
    SSLProtocol -ALL +SSLv3
    SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    When I make the change and restart http and web cache the services start and take the change. But when I try and hit the webpage I get an oracle application server error page. Looks like web cache is for some reason now blocking me from viewing it.
    I have applied this to another server running the same version of oracle application server and it worked. The difference is that the one that isn't working has web cache and the one that works does not.
    Any help as to why this is happening?

    1. It is currently NOT possible to set the actual SSLCipherSuite within Webcache. The following Enhancement Request was raised for this issue:
    Bug 4340210 ADD ABILITY TO SET THE SSL CIPHERSUITES IN WEBCACHE
    The only thing it is possible to do is prevent access with Anonymous Ciphers
    See Note 453079.1 Restricting Anonymous Ciphers in SSL (HTTPS) Processing
    2. For the SSL Protocol it is only possible to set the following values:
    SSLV3_V2H: Allows SSLv2.0 (Client Hello only, won't allow a full SSLV2 session), and SSLv3.0
    SSL: Allows: SSLv2, SSLv3 and TLSv1
    Enhancement Request Bug 5841589 PROVIDE SETTING IN WEBCACHE TO RESTRICT SSL PROTOCOLS TO SSLV3 AND TLS1.0, has been raised for this issue
    If you want to change Webcache from the default (SSLV3_2H) to allow full SSLv2.0 or TLSv1.0 then edit the $ORACLE_HOME/webcache/webcache.xml
    For the SSL Listen entry e.g:
    <LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSLV3_V2H" PORTTYPE="NORM">
    Change:
    "SSLV3_V2H"
    to
    "SSL"
    Regards

  • Saving file on application server based on employee Area ,with all security

    We have one discussion going on !! I just want a suggestion about that . We are using Open data set logic to open the file for read and write , Now we have different companies and we want that file should be saved on the basis of company code in that person area. Which represent a folder on application server in AL11? Can you guys suggest me how we can deal with this matter?
    I mean employee # 123 run report or interface  ( from ABC company )
    On the selection screen  ( it says /USR/ABC/interface/save/
    I mean employee # 3 run report or interface  ( from DUMMY company )
    On the selection screen  ( it says /USR/DUMMY/interface/save/
    Note: it won't allow them to save a file which does not belong to their company area, and authorization should be strict.
    Cheers
    usman

    Well, as far as person area / company code is concerned, SAP standard authorization objects control them; you don't need to do it. The object is P_ORGIN, which has these values. But you don't need to worry about that. I am 100% sure your security group has already implemented that. If that specific user has the roles, he can access the company code and personal areas.
    FYI: you can also see its values in Table AGR_1251 against roles and user.
    In addition, AL11 use the auth object S_ADMI_FCD
    and See the Fm in AL11 program ( RSWATCH0 )
    auth_check_filename = path_name.
        call function 'AUTHORITY_CHECK_DATASET'
          exporting
      PROGRAM                =
            activity               = 'READ'
            filename               = auth_check_filename
          exceptions
           no_authority           = 1
           activity_unknown       = 2
           others                 = 3.
        if sy-subrc = 1.
          message id '00' type 'E' number '149'
                  with path_name.
    In the above Fm you'll see different activity types like
        when sabc_act_read.               l_actvt = '33'.
                                          openmode = 'R'.
        when sabc_act_write.              l_actvt = '34'.
                                          openmode = 'W'.
        when sabc_act_read_with_filter.   l_actvt = 'A6'.
                                          openmode = 'R'.
        when sabc_act_write_with_filter.  l_actvt = 'A7'.
                                          openmode = 'W'.
        when sabc_act_delete.             l_actvt = '06'.
                                          openmode = 'D'.
    with Auth check in place
    authority-check object 'S_DATASET'
        id 'PROGRAM'  field program
        id 'ACTVT'    field l_actvt
        id 'FILENAME' field filename.
    You can also define a role in which you put Auth object = S_DATASET and with Activity
    06     Delete
    33     Read
    34     Write
    A6     Read with filter
    A7     Write with filter
    with object = S_DATASET
    you can give filename  = /usr/dumyy/inter* (for one company code; just change this value for every one)
    with object = S_DATASET
    program = ZP* ( program name )
    ref: authority-check object 'S_DATASET'
        id 'PROGRAM'  field program
        id 'ACTVT'    field l_actvt
        id 'FILENAME' field filename.
    Hope it`ll help you !!
    Thanks
    Saquib Khan
    Message was edited by: Saquib Khan

  • How to find solution for avoiding WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product

    HI All,
    We are using OC4J version 10g 10.1.3, and while starting the container we are getting the warning below. Let me know if anyone has a solution for this.
    14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
    Please take the appropriate actions to migrate to an alternative strategy! **********
    2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
    of this product!

    I just checked my BIOS and my current setting is set at IDE although it also mentions that the default should be AHCI. Currently I have a dual boot of Windows 7 (need it for Tax software) and Arch
    So I guess, when I get the new HDD, I will first set it to AHCI and then install the OSes on it. See if NCQ helps any, and if not I will turn it back and re-install (if I have to). I am planning to have Windows only in virtualbox in the new drive.
    Anyhoo, while I was in the BIOS I found two things which I had questions about :
    1) Under Onboard Devices --> Integrated NIC , my setting is currently set at "On w/PXE" and it says the default should be just "On". Would it be ok to change it back to On since its a single machine and its not booting an OS on any server. I just don't want to have to re-install anything now since I will be doing that in the new HDD.
    2) How would I know whether my BIOS would support a 64 bit OS in Virtualbox? I checked some setting under Virtualization, but they weren't very clear.
    I will edit this post and let you know exactly what settings were present under the Virtualization sub-section.

  • How deploy the EJB in security on the Sun Java System Application Server 9?

    I have deployed a simple Hello EJB Object on PE 9 (Sun Java System Application Server Platform Edition 9). I can use this EJB object without a user name and password on any client. See the following code section:
         public static void main(String[] args) {
              try{
                   Properties props = System.getProperties();
                   props.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.enterprise.naming.SerialInitContextFactory");
                   props.put(Context.PROVIDER_URL,"iiop://localhost:3700");
                   Context ctx = new InitialContext(props);
                   Hello h = (Hello) ctx.lookup("ejb/test/Hello");
                   System.out.println(h.sayHello());
              }catch(Exception e){
                   e.printStackTrace();
              }
         }
    Please tell me how to deploy the EJB in security on the Sun Java System Application Server 9, so that the client must set the user name and password when looking up the ejb object. Like the following:
    props.put(Context.SECURITY_PRINCIPAL,"admin");
    props.put(Context.SECURITY_CREDENTIALS,"1234");

    Guys,
    I too have the same issue. If anyone has an answer, please let me know.
    Is this a GlassFish problem or a program issue?
    Find below the source code
    // TSCalculatorBean.java
    package TransactionSecurity.bean;
    import javax.annotation.Resource;
    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.PermitAll;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Remote;
    import javax.ejb.SessionContext;
    import javax.ejb.Stateless;
    import javax.ejb.TransactionAttribute;
    import javax.ejb.TransactionAttributeType;
    @Stateless
    @Remote(TSCalculator.class)
    @DeclareRoles({"student", "teacher"})
    public class TSCalculatorBean implements TSCalculator {
         private @Resource SessionContext ctx;
         @PermitAll
    //     @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
         public int add(int x, int y) {
              System.out.println("CalculatorBean.add  Caller Principal:" + ctx.getCallerPrincipal().getName());
              return x + y;
         }
         @RolesAllowed( { "student" })
         public int subtract(int x, int y) {
              System.out.println("CalculatorBean.subtract  Caller Principal:" + ctx.getCallerPrincipal().getName());
              System.out.println("CalculatorBean.subtract  isCallerInRole:" + ctx.isCallerInRole("student"));
              return x - y;
         }
         @RolesAllowed( { "teacher" })
         public int divide(int x, int y) {
              System.out.println("CalculatorBean.divide  Caller Principal:" + ctx.getCallerPrincipal().getName());
              System.out.println("CalculatorBean.divide  isCallerInRole:" + ctx.isCallerInRole("teacher"));
              return x / y;
         }
    }
    // TSCalculator.java
    package TransactionSecurity.bean;
    import javax.ejb.Remote;
    @Remote
    public interface TSCalculator {
            public int add(int x, int y);
            public int subtract(int x, int y);
            public int divide(int x, int y);
    }
    // TSCalculatorClient.java
    package TransactionSecurity.client;
    import java.util.Properties;
    import javax.ejb.EJBAccessException;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import TransactionSecurity.bean.TSCalculator;
    public class TSCalculatorClient {
         public static void main(String[] args) throws Exception {
              // Establish the proxy with an incorrect security identity
              Properties env = new Properties();
              env.setProperty(Context.SECURITY_PRINCIPAL, "kabir");
              env.setProperty(Context.SECURITY_CREDENTIALS, "validpassword");
            env.setProperty(Context.INITIAL_CONTEXT_FACTORY,"com.sun.appserv.naming.S1ASCtxFactory");
            env.setProperty(Context.PROVIDER_URL,"iiop://127.0.0.1:3700");
            env.setProperty("java.naming.factory.initial","com.sun.enterprise.naming.SerialInitContextFactory");
            env.setProperty("java.naming.factory.url.pkgs","com.sun.enterprise.naming");
            env.setProperty("java.naming.factory.state","com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl");
            env.setProperty("org.omg.CORBA.ORBInitialHost", "127.0.0.1");
            env.setProperty("org.omg.CORBA.ORBInitialPort", "3700");
              InitialContext ctx = new InitialContext(env);
              TSCalculator calculator = null;
              try {
                   calculator = (TSCalculator) ctx.lookup(TSCalculator.class.getName());
              } catch (Exception e) {
                   System.out.println ("Error in Lookup");
                   e.printStackTrace();
                   System.exit(1);
              }
              System.out.println("Kabir is a student.");
              System.out.println("Kabir types in the wrong password");
              try {
                   System.out.println("1 + 1 = " + calculator.add(1, 1));
              } catch (EJBAccessException ex) {
                   System.out.println("Saw expected SecurityException: "
                             + ex.getMessage());
              }
              System.out.println("Kabir types in correct password.");
              System.out.println("Kabir does unchecked addition.");
              // Re-establish the proxy with the correct security identity
              env.setProperty(Context.SECURITY_CREDENTIALS, "validpassword");
              ctx = new InitialContext(env);
              calculator = (TSCalculator) ctx.lookup(TSCalculator.class.getName());
              System.out.println("1 + 1 = " + calculator.add(1, 1));
              System.out.println("Kabir is not a teacher so he cannot do division");
              try {
                   calculator.divide(16, 4);
              } catch (javax.ejb.EJBAccessException ex) {
                   System.out.println(ex.getMessage());
              }
              System.out.println("Students are allowed to do subtraction");
              System.out.println("1 - 1 = " + calculator.subtract(1, 1));
         }
    }
    The user kabir is created in the server and this user belongs to the group student.
    Also, I have enabled the "Default Principal To Role Mapping"
    BTW, I'm able to run other EJB3 examples [that don't involve any
    security features] without any problems.
    Below is the ERROR
    Error in Lookupjavax.naming.NamingException: ejb ref resolution error for remote business interfaceTransactionSecurity.bean.TSCalculator [Root exception is java.rmi.AccessException: CORBA NO_PERMISSION 0 No; nested exception is:
         org.omg.CORBA.NO_PERMISSION: ----------BEGIN server-side stack trace----------
    org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No
         at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.handle_null_service_context(SecServerRequestInterceptor.java:407)
         at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.receive_request(SecServerRequestInterceptor.java:429)
         at com.sun.corba.ee.impl.interceptors.InterceptorInvoker.invokeServerInterceptorIntermediatePoint(InterceptorInvoker.java:627)
         at com.sun.corba.ee.impl.interceptors.PIHandlerImpl.invokeServerPIIntermediatePoint(PIHandlerImpl.java:530)
         at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.getServantWithPI(CorbaServerRequestDispatcherImpl.java:406)
         at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatch(CorbaServerRequestDispatcherImpl.java:224)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequestRequest(CorbaMessageMediatorImpl.java:1846)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:1706)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleInput(CorbaMessageMediatorImpl.java:1088)
         at com.sun.corba.ee.impl.protocol.giopmsgheaders.RequestMessage_1_2.callback(RequestMessage_1_2.java:223)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:806)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.dispatch(CorbaMessageMediatorImpl.java:563)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.doWork(CorbaMessageMediatorImpl.java:2567)
         at com.sun.corba.ee.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:555)
    ----------END server-side stack trace----------  vmcid: 0x0  minor code: 0  completed: No]
         at com.sun.ejb.EJBUtils.lookupRemote30BusinessObject(EJBUtils.java:425)
         at com.sun.ejb.containers.RemoteBusinessObjectFactory.getObjectInstance(RemoteBusinessObjectFactory.java:74)
         at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
         at com.sun.enterprise.naming.SerialContext.lookup(SerialContext.java:403)
         at javax.naming.InitialContext.lookup(InitialContext.java:351)
         at TransactionSecurity.client.TSCalculatorClient.main(TSCalculatorClient.java:35)
    Caused by: java.rmi.AccessException: CORBA NO_PERMISSION 0 No; nested exception is:
         org.omg.CORBA.NO_PERMISSION: ----------BEGIN server-side stack trace----------
    org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No
         at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.handle_null_service_context(SecServerRequestInterceptor.java:407)
         at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.receive_request(SecServerRequestInterceptor.java:429)
         at com.sun.corba.ee.impl.interceptors.InterceptorInvoker.invokeServerInterceptorIntermediatePoint(InterceptorInvoker.java:627)
         at com.sun.corba.ee.impl.interceptors.PIHandlerImpl.invokeServerPIIntermediatePoint(PIHandlerImpl.java:530)
         at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.getServantWithPI(CorbaServerRequestDispatcherImpl.java:406)
         at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatch(CorbaServerRequestDispatcherImpl.java:224)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequestRequest(CorbaMessageMediatorImpl.java:1846)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:1706)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleInput(CorbaMessageMediatorImpl.java:1088)
         at com.sun.corba.ee.impl.protocol.giopmsgheaders.RequestMessage_1_2.callback(RequestMessage_1_2.java:223)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:806)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.dispatch(CorbaMessageMediatorImpl.java:563)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.doWork(CorbaMessageMediatorImpl.java:2567)
         at com.sun.corba.ee.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:555)
    ----------END server-side stack trace----------  vmcid: 0x0  minor code: 0  completed: No
         at com.sun.corba.ee.impl.javax.rmi.CORBA.Util.mapSystemException(Util.java:277)
         at com.sun.corba.ee.impl.presentation.rmi.StubInvocationHandlerImpl.privateInvoke(StubInvocationHandlerImpl.java:205)
         at com.sun.corba.ee.impl.presentation.rmi.StubInvocationHandlerImpl.invoke(StubInvocationHandlerImpl.java:152)
         at com.sun.corba.ee.impl.presentation.rmi.bcel.BCELStubBase.invoke(BCELStubBase.java:225)
         at com.sun.ejb.codegen._GenericEJBHome_Generated_DynamicStub.create(com/sun/ejb/codegen/_GenericEJBHome_Generated_DynamicStub.java)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.sun.ejb.EJBUtils.lookupRemote30BusinessObject(EJBUtils.java:372)
         ... 5 more
    Caused by: org.omg.CORBA.NO_PERMISSION: ----------BEGIN server-side stack trace----------
    org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No
         at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.handle_null_service_context(SecServerRequestInterceptor.java:407)
         at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.receive_request(SecServerRequestInterceptor.java:429)
         at com.sun.corba.ee.impl.interceptors.InterceptorInvoker.invokeServerInterceptorIntermediatePoint(InterceptorInvoker.java:627)
         at com.sun.corba.ee.impl.interceptors.PIHandlerImpl.invokeServerPIIntermediatePoint(PIHandlerImpl.java:530)
         at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.getServantWithPI(CorbaServerRequestDispatcherImpl.java:406)
         at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatch(CorbaServerRequestDispatcherImpl.java:224)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequestRequest(CorbaMessageMediatorImpl.java:1846)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:1706)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleInput(CorbaMessageMediatorImpl.java:1088)
         at com.sun.corba.ee.impl.protocol.giopmsgheaders.RequestMessage_1_2.callback(RequestMessage_1_2.java:223)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:806)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.dispatch(CorbaMessageMediatorImpl.java:563)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.doWork(CorbaMessageMediatorImpl.java:2567)
         at com.sun.corba.ee.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:555)
    ----------END server-side stack trace----------  vmcid: 0x0  minor code: 0  completed: No
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
         at com.sun.corba.ee.impl.protocol.giopmsgheaders.MessageBase.getSystemException(MessageBase.java:913)
         at com.sun.corba.ee.impl.protocol.giopmsgheaders.ReplyMessage_1_2.getSystemException(ReplyMessage_1_2.java:131)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.getSystemExceptionReply(CorbaMessageMediatorImpl.java:685)
         at com.sun.corba.ee.impl.protocol.CorbaClientRequestDispatcherImpl.processResponse(CorbaClientRequestDispatcherImpl.java:472)
         at com.sun.corba.ee.impl.protocol.CorbaClientRequestDispatcherImpl.marshalingComplete(CorbaClientRequestDispatcherImpl.java:363)
         at com.sun.corba.ee.impl.protocol.CorbaClientDelegateImpl.invoke(CorbaClientDelegateImpl.java:219)
         at com.sun.corba.ee.impl.presentation.rmi.StubInvocationHandlerImpl.privateInvoke(StubInvocationHandlerImpl.java:192)
         ... 13 more
    Any help is appreciated.
    Regards!
    Nithi.
    Edited by: EJB3 on Aug 17, 2008 8:17 PM

  • Security Evaluation of Oracle Application Server

    Are there any published documents on security evaluation of Oracle Application Server?
    Is it secure as a tool against some attacks? For example, are the following vulnerabilities, when applicable to the server, dealt with by it, or should they be handled by the application?
    failure to restrict URL access,
    broken authentication and session management,
    insecure cryptographic storage,
    injection flaws,
    failure to restrict directory browsing
    Are there documents available that we can refer to on these issues?
    Regards
    Farbod

    Thank you again.
    Can you advise on this part of my message also?
    "Also I see in Oracle recommended architectures that there is a firewall between each HTTP server and application server. Does the built-in OHS in OAS provide the firewall, or do I need to install another firewall?"
    I am going to explain it but I think it is completely inconsistent with the thread title which I got some of my answers in, so let me start a new thread here:
    Application Server Recommended Deployment Architectures, How to?
    Thanks for your useful inputs.
    Best Regards,
    Farbod

  • Running FlexUnit in Security Application Server environments

    Hi all,
    Our Flex client is provided in an application server context with basic authentication. That means when the user requests our Flex client, he runs into an authentication dialog box, inputs a username and password, and then after validation our Flex client's website is loaded.
    For complex end-to-end tests we are using FlexUnit and integrate such tests via continuous integration with Ant. So we have a scenario in which we start our application server, after the start completes we call ant-flexunit with the Flex client's URL to run our tests, and after that we shut down the whole orchestra.
    The problem we are currently facing is the security authentication flow, which we are not simply able to disable only for testing.
    So the whole automatic test flow is hanging on this authentication dialog popup, where we first have to enter our username/pwd. So is there a way from FlexUnit to trigger the URL request with username/pwd as a kind of params automatically to the server, or something else? Or what's best practice for testing Flex apps using FlexUnit which are hosted under security restrictions? With JUnit I read it's possible to manipulate the HTTP request header, injecting username/password into the request...
    thanks
    dan

    I am using Oracle 10g9.0.4 or 10.1.2 ? There are small differences between them, so it could be helpful to know the exact version.
    or it does nothing. For the moment don't use forms with parameter list, to avoid one more possible cause. Did you check sensitivity? For example, if a form is called with name 'My_Form.fmx', and its name on disk is my_form.fmx or MY_FORM.fmx, or anything different, then it won't work.
    On form property page activate console window, to see errors, if any.
    Of course I'm assuming that test form works correctly....

  • Security Error while trying to deploy my project to the application server from jDeve

    Dear All,
    I'm trying to deploy my project to the application server from JDeveloper but I got the following error:
    Invoking Oracle9iAS admin tool...
    D:\Oracle\OUIHome\jdk\jre\bin\javaw.exe -jar D:\Oracle\OUIHome\j2ee\home\admin.jar ormi://M-AMIN:3101/ admin **** -deploy -file D:\Oracle\OUIHome\jdev\mywork\Portal\UserManager\userRegister.ear -deploymentName userRegister
    Security error: This operation was denied. The admin.jar utility can not be used to perform operations against OPMN managed OC4J instnaces. Please use Enterprise Manager or dcmctl instead. Refer to the Oracle9iAS Admin Guide or the OC4J User's Guide for more details.
    Exit status of Oracle9iAS admin tool (-deploy): 1
    #### Deployment incomplete. #### Sep 10, 2002 4:16:53 PM
    Any help will be appreciated
    Regards,
    Mohammed Amin

    In JDev 9.0.2, to deploy to the full 9iAS server (instead of just Oracle9iAS Containers for J2EE [OC4J]), you have to use Enterprise Manager or DCM to deploy your application.
    In JDev 9.0.3 Preview, there is a way to have JDev perform a deployment via DCM for you, if you install a DCM Servlet into 9iAS that comes with JDeveloper.
    By JDev 9.0.3 Production, if you also use Oracle9iAS 9.0.3 Production, it should be possible to deploy to iAS 9.0.3 out-of-the-box.
