Bw related security and authorizations

Similar Messages

• HT1933 I have old email address's I used for iTune music purchases and cannot change password on several old accounts. Now some of the music I purchased I can not download and authorize it on my device. What can I do password security does not match my bi

  I have old email address's I used for iTune music purchases and cannot change password on several old accounts. Now some of the music I purchased I can not download and authorize it on my device. What can I do password security does not match my birthdate on two of the accounts. Apple can not send me email with a password authorization on several current accounts that I have with them. How can I contact Apple with this annoying problem I can not fix.

  settings - app/iTunes store - sign out and sign back in with your new id.
  Note - if your older apps needs an update it will use your old apple id and password, as Apps are tied to the apple id that was used to purchase it.
  You can't merge apple id.

• Difference between SAP CRM Security and SAP ECC 6.0 security

  Hi
  I have extensively worked on SAP ECC security but haven't have chance to work on CRM Security.
  Can anyone please let me know the difference between CRM security compared to  ECC security.
  Thanks...

  I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
  really sad.....
  The big  difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
  1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
  2)  If you are familiar with R/3 or ECC authorizations; then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level , whereas in SAP CRM , in most cases the 'allowed activity is not controlled by the Transaction code, but on authorization object level....
  E.g. transaction code BP allows you to create/change/display  any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
  another example is business transaction processing...which can be launched by:
  a very generic transaction code: CRMD_ORDER
  transaction category related transaction codes :e.g.
        > CRMD_BUS2000126 for activity management
        > CRMD_BUS200115 for Sales processes
  Again...allowed activity is not controlled by the tcode, but on authorization object level...
  3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links....  controlled by object UIU_COMP.
  However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
  Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
  STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
  4) Additionally SAP also provides a concept called ACE (which stand for ACCES CONTROL ENGINE)....
  This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
  You should now that ACE is actually implemented on top of your 'normal' sap crm security setup....
  cheers
  Davy Pelssers

• Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

  With Namit Agarwal and Rahul Govindan 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
  This is a continuation of the live webcast.
  Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
  Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
  Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
  Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
  Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Slides from the live webcast
  Video Recording of the live webcast
  Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

  Hello Namit and Rahul,
  Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
  1)      How is ASA CX different from other UTM solutions ?
  2)      How is dynamic application inspection of CX better than other inspection engines  ?
  3)      What features or functionalities on the CX are available by default ?
  4)      what are the different ways we can run or install CX on the ASA platform ?
  5)      What VPN features are supported with multi context ASA in the 9.x release ?
  6)      What are the IPv6 Enhancements in the ASA version 9.x ?
  Request you to please provide your responses to them individually.
  Thanks.

• Security and authorisations

  hi sapgurus,
           Can anybody enlighten me about authorisations and security .
  I would be very happy if ome one send s some documents based on them to my mail id:
    [email protected]
  thanks in advance

  Hi,
  <b>Authorization group</b>
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
  The table that contains all authorization objects is TOBJ.
  The table that contains all activities is TACT.
  The table that contains definition of all authorization groups is TBRG.
  TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
  Please also refer to foll links
  http://help.sap.com/saphelp_nw04s/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm
  http://help.sap.com/saphelp_apo/helpdata/en/35/26b17fafab52b9e10000009b38f974/content.htm
  http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/39f29890-0201-0010-1197-f0ed3a0d279f
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/adeac294-0501-0010-5a97-9ac5d562b1be
  Please reward for the same.

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• Problem with ADF security and task flow calls

  Hi.
  I am using JDeveloper 11.1.2.0.0.
  I encountered a problem when tried to apply ADF security to my application.
  The way to reproduce the problem:
  1. Create new Fusion Web Application;
  2. Import Business Components from Tables from any existing schema and add at least one table to the ApplicationModule.
  3. Create "welcome page" (for instance, welcome.jsf). Add a button with fixed action outcome "test".
  4. Create test page, for instance, test.jsf. Drag and drop any view object from Data Controls onto the page and create a form with navigation controls. Add a button with fixed action outcome "return".
  5. Create bounded task flow, name it "test", drag and drop our test page on it - the page will be the default activity. Add a task flow return activity. Add a control flow case from the default view activity to the return activity, set From Outcome property to "return". So our return button should cause the task flow to exit.
  6. Open adfc-config.xml in diagram mode and place our welcome page on it. Then drag and drop the test task flow to create a task flow call activity. Add a control flow case from welcome page to task flow call activity, set the From Outcome property to "test". So our test button should call the test task flow.
  7. Configure application to run the unbounded task flow starting with Welcome view activity.
  At this point all works as expected: when application runs, the welcome page is displayed with test button. Pressing the test button results in displaying the test page, return button leads back to the welcome page.
  Now let's configure ADF Security.
  Run the ADF Security configuration wizard, choose ADF Authentication and Authorization.
  On the second page select Form-Based Authentication, check the Generate Default Pages flag.
  On the third page choose No Automatic Grants.
  On the next page keep the Redirect Upon Successful Authentication unchecked. Press Finish.
  Open jazn-data.xml to configure roles, users and resource grants:
  1. Create application role test-role.
  2. Grant the test-role privileges to view the test task flow.
  3. Create user and grant him the test-role.
  Now we have the public available welcome page and the test page with restricted access.
  When application runs, the welcome page is displayed as expected. Pressing the test button redirect us to auto-generated login page. After successful authorization the test page is displayed. But nothing happens if we click now the return button for the first time. When we click the return button once more, the application crushes with Error-500 and message "Target Unreachable, identifier 'bindings' resolved to null". The exact error trace depends on UI control bindings, but looks like this:
  javax.el.PropertyNotFoundException: //C:/Users/DUDKIN/AppData/Roaming/JDeveloper/system11.1.2.0.38.60.17/o.j2ee/drs/Test1/ViewControllerWebApp.war/test.jsf @10,120 value="#{bindings.Id.inputValue}": Target Unreachable, identifier 'bindings' resolved to null
       at com.sun.faces.facelets.el.TagValueExpression.isReadOnly(TagValueExpression.java:122)
       at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer._getUncachedReadOnly(EditableValueRenderer.java:476)
       at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.getReadOnly(EditableValueRenderer.java:390)
       at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.wasSubmitted(EditableValueRenderer.java:345)
       at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.decodeInternal(EditableValueRenderer.java:116)
       at oracle.adfinternal.view.faces.renderkit.rich.LabeledInputRenderer.decodeInternal(LabeledInputRenderer.java:56)
       at oracle.adf.view.rich.render.RichRenderer.decode(RichRenderer.java:342)
       at org.apache.myfaces.trinidad.render.CoreRenderer.decode(CoreRenderer.java:274)
       at org.apache.myfaces.trinidad.component.UIXComponentBase.__rendererDecode(UIXComponentBase.java:1324)
  (the rest of lines skipped).
  Any suggestions?
  Edited by: user13307311 on Apr 16, 2013 11:39 PM

  @Lovin_JV_941794
  The welcome page is public available since it does not have appropriate PageDef file.
  Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
  It seems the task flow call stack to be destroyed after redirect to login page.
  Edited by: user13307311 on Apr 17, 2013 12:45 AM

• Any ideas for security and parental control software yet???

  Just received two of the touchpads from the fire sale and gave them to my kids, both under 10.  I am very interested in limiting the sites that can be accessed through the browser, as well as a few other things.  Has anyone found a practical means of doing this?  I'd hate to give up on this and switch it over to Android, especially since there is only Gingerbread available.  But, I just don't know what else I can do about these.  Any ideas? 
  Thanks!
  Post relates to: HP TouchPad (WiFi)

  Please take this post with a grain of salt. I don't claim to be a security and parental control software expert, but I have researched these solutions and have some personal experience with them. That being said, here's some ideas to get you started.
  As speedtouch mentioned, OpenDNS is a fantastic solution for website filtering. They have a great set of filters that can be customized and are one of the easiest systems to set up. Simply install an updater app on one of your desktop computers (or directly on your router if it's supported), configure your router to use their DNS servers, and you're good to go. I personally use this system mysefl and it works really well. The only downside in my experience is that there is not a temporary override system (at least, not in the free version that I use). An example of when this might be handy: my wife goes clothes shopping and looking at new bras. Every once in a while, a perfectly legitimate site might get blocked (in this case, probably something I don't want my kid looking at but perfectly fine for my wife). The option to "temporarily override the block" or "temporarily allow" the site would be nice, but it doesn't exist.
  Another FANTASTIC solution that I've used in the past is the Astaro Security Gateway. They have a free home version of their "Software Appliance" that goes above and beyond OpenDNS. I haven't used it in a while, but when I did it was able to not only filter web sites but also monitor Instant Messaging and other online activites. It's a bit more involved as you need your own hardware (I used an old computer with 2 network cards and stuck it in between my router and my broadband modem), but the results are pretty powerful.
  The downside to all these solutions, however, is that they will only work when the TouchPad is on your network. If they connect to a neighbors network of if the go to a friends house, all of these systems will be moot because they are completely bypassed. The only way to monitor that content from ANY network would be to install an application on the device itself and to my knowledge, none exist.

• Error in Form.  - Security and or filtering has resulted in a Required dim

  Hi,
  When some of our users are trying to access forms, they are getting the error"Security and or filtering has resulted in a Required dimension not being represented on this data form'. How Do i resolve this issue. Do I need to go to the organization dimension and asign secuWe are on Hyperion planning 11.1.1.1.
  Prasad

  It sounds like the issue isn't related to provisioning. Instead, it sounds like a dimensional security issue (security assigned to individual members in your hierarchies). For example, perhaps the user doesn't have access to a particular scenario or entity?
  To edit dimensional security, sign into your Planning app as an administrator. Select <Administration>, <Dimensions>. Click on a member and select the "Assign Access" button. If that button isn't available, it means that security is not turned on for that dimension. To turn security on or off for a given dimension, select that dimension and press the "View" button. You should see a check box to "Apply Security".
  When I'm trying to debug this type of issue, I typically use the native Essbase spreadsheet add-in and Styles. Try to recreate your form in the spreadsheet add-in. Use the exact same members. (make sure you're signed in as the user who is having trouble with the form)
  In your Essbase options, select "Use Styles" in the display tab. Then select different styles for read only and read/write. It will quickly become apparent where you have security assigned. Then you go update your security in Planning, refresh, and your user should be able to access the form.
  Hope this helps,
  - Jake
  http://plandemonium.wordpress.com/

• How to get ADF authentication and authorization working on server

  I am having an issue with deployment & ADF authentication and authorization.
  From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
  When making an attempt to log in I get the following results:
  Running Locally with ADF Authentication:                                           Works Fine
  Running Locally with ADF Authentication & Authorization:         Works Fine
  Deployed to server with ADF Authentication:                                    Works Fine
  Deployed to server with ADF Authentication & Authorization:  Doesn’t Work
  What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
  JDeveloper Version: 11.1.2.4
  Server Web Logic: 10.3.6
  Server ADF: 11.1.1.16
  Page Error when trying to log in:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
  Server error when trying to log in:
  Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
          at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
          at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
          at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
          at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
          at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
          at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
          at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
          at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
          at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
          at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
          at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
          at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
          at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
          at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
          at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
          at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
          at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
          at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
          at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
          at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
          at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
          at java.security.AccessController.doPrivileged(Native Method)
          at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
          at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
          at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
          at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
          at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
          at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
          at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
          at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
          at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
          at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
          at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
          at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
          at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
  Web.xml
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
           version="2.5">
    <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>client</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
      <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
      <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
      <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
      <param-value>differentOrigin</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_DECORATORS</param-name>
      <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
      <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
    </context-param>
    <filter>
      <filter-name>JpsFilter</filter-name>
      <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
    </filter>
    <filter>
      <filter-name>trinidad</filter-name>
      <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
    </filter>
    <filter>
      <filter-name>adfBindings</filter-name>
      <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>JpsFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>trinidad</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>adfAuthentication</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <listener>
      <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
    </listener>
    <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
      <servlet-name>resources</servlet-name>
      <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>MapProxyServlet</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>adfAuthentication</servlet-name>
      <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
      <init-param>
        <param-name>success_url</param-name>
        <param-value>/faces/Pages/homePage.jspx</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/adf/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/afr/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <url-pattern>/servlet/GraphServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <url-pattern>/servlet/GaugeServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>MapProxyServlet</servlet-name>
      <url-pattern>/mapproxy/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/bi/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>adfAuthentication</servlet-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </servlet-mapping>
    <mime-mapping>
      <extension>swf</extension>
      <mime-type>application/x-shockwave-flash</mime-type>
    </mime-mapping>
    <mime-mapping>
      <extension>amf</extension>
      <mime-type>application/x-amf</mime-type>
    </mime-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <url-pattern>/faces/pages/*.</url-pattern>
        <url-pattern>/faces/*.</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>adfAuthentication</web-resource-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>valid-users</role-name>
    </security-role>
  </web-app>
  Jazn-data.xml
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
    <jazn-realm default="jazn.com">
      <realm>
        <name>jazn.com</name>
        <users>
          <user>
            <name>*****</name>
            <display-name>*******</display-name>
            <description>******</description>
            <credentials>********<credentials>
          </user>
        </users>
        <roles>
          <role>
            <name>support</name>
            <display-name>support</display-name>
            <members>
              <member>
                <type>user</type>
                <name>mobile</name>
              </member>
            </members>
          </role>
        </roles>
      </realm>
    </jazn-realm>
    <policy-store>
      <applications>
        <application>
          <name> myapp </name>
          <app-roles>
            <app-role>
              <name>mob_mobile_support</name>
              <class>oracle.security.jps.service.policystore.ApplicationRole</class>
              <display-name>mob_mobile_support</display-name>
              <description>support role</description>
              <members>
                <member>
                  <name>mobile</name>
                  <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                </member>
              </members>
            </app-role>
          </app-roles>
          <jazn-policy>
            <grant>
              <grantee>
                <principals>
                  <principal>
                    <name>SUPPORT</name>
                    <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                  </principal>
                </principals>
              </grantee>
              <permissions>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.*</name>
                  <actions>view</actions>
                </permission>
              </permissions>
            </grant>
            <grant>
              <grantee>
                <principals>
                  <principal>
                    <name>mob_mobile_support</name>
                    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  </principal>
                </principals>
              </grantee>
              <permissions>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.addapplicationPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>Pages.addappmsgtypPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>Pages.addoperationPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.homePagePageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.loggingSearchPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>myapp.view.pageDefs.workHistoryPageDef</name>
                  <actions>view</actions>
                </permission>
              </permissions>
            </grant>
          </jazn-policy>
        </application>
      </applications>
    </policy-store>
  </jazn-data>

  Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
  Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
  Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
  Timo

• Authentication and Authorization question.

  Hi All,
  I require your help in getting validated my understanding on Authentication and Authorization. This is wrt to WebLogic Server and WebLogic Portal.
  Authentication.
  1. The custom authentication provider can authenticate(user and group) against any datastore(LDAP OR DB). The LoginModule is a kind of blockbox and it can return true/false depending on authentication.
  2. The end result of this process is true/false.
  Authorization.
  1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
  2. The end result of this process is true/false.
  Role mapping.
  1. The custom role mapper can put all the roles that a user belongs and returns all Role. This can happen agaist LDAP OR DB.
  2. The end result is list of roles for a user.
  Security policy configuration.
  Is it mandatory that a user/group/role should be existing in WebLogic Server LDAP server(OR Portal LDAP server) to create these policies and authorization rules. What i mean by is that can user,group,role can exist in application specific database and still can be used for creatiing security policies??
  Thanks,
  Prashanth Bhat.

  The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
  The DA means Delegated Administrator, which is way how portal components are restricted to different types of administrators.
  The VE means Visitor Entitlemens, which is way how portal components are restricted to end users.
  My question is whether thess(DAs and VEs) can also be put
  our datastore for access rights??
  Thanks,
  Prashanth Bhat.

• ADF BC entitiy object security and Tomcat 5.5

  Hello all,
  I have set up ADF BC security in Jdev 10.1.3.3 and it works fine when I test the app module in JDev.
  However, when I deploy the application to Tomcat 5.5, I get
  oracle.security.jazn.JAZNRuntimeException: Configuration file does not exist. Check your JAAS configuration settings
  It seems like oracle.security.jazn is used although I have configured the app module (configurations) parameters:
  jbo.security.config - from default to my config file
  jbo.security.context - to Tomcat implementation of JAAS
  jbo.security.loginmodule - to Frank and Duncan's module (see article "Declarative J2EE authentication and authorization with JAAS).
  Container managed security using JAAS in Tomcat is working fine.
  I am wondering whether it is possible at all to use ADF BC security in any container other than OC4J and if the answer is positive, how it is done (configured).
  Many thanks in advance.
  Best regards,
  Boris

  Hi,
  JAZN as a security platform isn't portable and thus wont work on Tomcat.
  Frank

• Authentication and authorization capability in weblogic application server

  Hi,
  Need input from architecture point of view -
  Requirement is typical - have to build a web center portal application with authentication and authorization capability.
  I can think of three architecture options:
  1. weblogic server (where webcenter portal application will be deployed) with oracle IDM (or any other full blown IDM suite)...
  2. weblogic server with Active Directory (or any other LDAP directory), and a LDAP authenticator is configured in weblogic...
  3. only weblogic server (users created in weblogic admin console)...
  Obviously 1st one is costliest option (product cost, infrastructure cost, maintenance cost) and most flexible. However I am discarding it purely because of cost.
  Confused between 2nd and 3rd.
  2nd option - separate user store, user can be added/deleted without touching application server, cost wise - 1 extra server and 1 LDAP directory product (or open source LDAP server)...
  3rd option - application server becomes very 'heavy' with all users information, you need to access server to add/delete users, probably cheapest option money wise... However it might affect application performance if users grow large...
  Please let me know if I should consider more parameters/points before deciding. Is there any important thing I am missing? Your input appreciated.
  Thanks.

  Hi,
  You are right your first requirement make more costly and complex environment.
  I would recommend to go with Second option instead of the third one.
  In cause in future if you want to use different server also you will have option to use external AD.
  Well now you will think why I recommend you second option instead of the third option.
  external LDAP is more secure than internal one.
  If you have any further query let me know.
  Regards,
  Kal

• Use of default XACML with custom role mapper and authorization provider

  Hi,
  Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
  My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
  Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

  I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then right a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
  Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
  The chosen approach depends on where you're getting the role information from.

• R/3 reports related to structural authorization

  Can anyone advise which standard reports/transcation codes in R/3 relate to structural authorization? are some better than others? I am interested in viewing allowable objects etc,.
  Thank you,
  Meghan

  Hi Jim,
  As you have mentioned you have worked a lot on structural authorizations,
  I would request you to kindly help us on the below mentioned scenerio..
  Issue : (Scenario)
  C directly reports to B, and B Reports to A.
  In the above scenario we have logged as B and did the compensation planning for C. A is the approver for the C’s compensation planning.
  As C is HOD for HR Org unit. He will submit compensation plans of his subordinates to B for approval. That means B has to have approval authorization for C’s subordinates and he should not have approval authorization for his direct reporting employees.
  In our scenario, B is able to perform the compensation planning as well as able to approve the same for his direct reporting employees. This shouldn’t happen in our process.
  How can achieve this, Please advice
  Regards
  Raghav