Cookie with a Secure Flag

In Portal, can we mark the JSESSIONID cookie with a secure flag?
After logging into the Portal, the portal sets a cookie called JSESSIONID to track the user’s session. This cookie is not set with the “secure” flag, which means that the cookie could potentially be transmitted via a non-SSL connection.
Thanks

Dear net pas,
Hope you are doing good.
You have raised a very valid issue.
Please do have a look at the SAP NOTE: 1144722-Global configuration of session cookies and attributes
Also:
Protecting Sessions Security
http://help.sap.com/saphelp_nw70/helpdata/en/44/691ccdce2a3675e10000000a114a6b/frameset.htm
Here pay special attention at:
cookies named JSESSIONID (in accordance with the Java™ Servlet 2.3 specification) for tracking Web browser sessions.
For this purpose, make sure that the value of SystemCookiesDataProtection and SystemCookieHTTPProtection properties of the HTTP Provider Service on the server nodes is set to true:
More info at:
http://help.sap.com/saphelp_nw70ehp2/Helpdata/EN/44/691ccdce2a3675e10000000a114a6b/content.htm
Thank you and have a nice day :).
Kind Regards,
Hemanth
SAP AGS

Similar Messages

  • How to integrate a SSO based in cookie with ADF Security

    At work they asked me to integrate an existing SSO based in cookie with the new ADF + Jdeveloper 11g + WLS. After googling for days and reading a lot of blogs and official documentation I've made a custom LoginModule. I made it very simple, it's just an "if" inside the login() function with the username, if the username is "john" I put to the Subject some Principals. My steps are:
    1- Create a new app based on "Fusion application" template.
    2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
    3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
    4- Put some users and some roles in jazn-data.xml, and map them to an application role. Then I grant permissions to the application role to view the previous task flow.
    At this point everything is ok. I run the taskflow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that get the HttpRequest and passes it to an already done class that returns a true/false depending if the cookie is correct or not but, as I said before, my LoginModule is so simple now and even didn't try to do something more complicated than an if. The steps I try are:
    in jps-config.xml
    5- Remove idstore.xml and credentials.
    6- (loginmodule tab) Make a new login module, and put here my class. The class is in the ViewController project and JDeveloper finds it navigating through the hierarchy, so I have visibility. I put REQUIRE flag, add all roles and debug mode.
    7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
    All that I got until now is a 500 error (Internal server error - Authorization Exception). Sometimes (the closest I've ever been to doing something correct) the browser asks me for user/password but then only recognizes the users that already are in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error mapping the roles.
    So, my questions are:
    - I'm in the good way? If I want an authentication based in cookie/httprequest I have to do a custom LoginModule? My goal is to do a re-usable code, and re-use the code that my co-workers have done. They have a class that with only the HttpRequest determines if a user is logged or not.
    - If I'm in the good way... how can I put my custom LoginModule in the WLS? I tried to search something in the Administration Panel (localhost:7101/console) but I didn't find anything.
    - In case I'd got the custom LoginModule working fine in WLS... how can I get a HttpRequest from a LoginModule and avoid the username/password dialog? I've to make a filter and pass it to the my LoginModule? If it's correct... how?
    I don't post my code because is so simple, it's based on DBTableLoginModule but without all the database access code.
    Thanks to all!
    P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
    P.D.2: Sorry about my english, I'm spanish. I know i've to practise a lot :)

    Hi Frank,
    Thanks a lot for your answer. Just one more easy question: what I need to do is a custom Authentication Module (which will read the cookie)? If only you can point me to the correct chapter of the WLS documentation I'll be very pleased.
    In future releases of JDeveloper will be easier to do this kind of things related to security?
    Riveck

  • Create the JSESSIONID cookie with the secure flag

    Hello,
    I wonder if it is possible, through UCM or Weblogic configurations, to automatically create the JSESSIONID cookie used when a user is logged on with the secure flag?
    I have not found any parameters so far that could allow this.
    Thanks in advance!

    We have public Websites running on UCM/SiteStudio which are only accessible through SSL by visitors. The aim is that every cookies should be secure to be sure that they are not transmitted in plain text to our server.
    We thus would like to find a way to put the secure flag on JSESSIONID to avoid any case of session hijacking.
    Thanks.
    Edited by: Leo-G on 17 juil. 2012 23:57
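
Both this thread and the Portal question at the top of the page ask for JSESSIONID to carry the Secure attribute. The following is an added example (not code from either poster, SAP or Oracle) that checks captured response headers for cookies issued without Secure or HttpOnly, so a configuration change can be verified; the header sample, cookie values and function names are constructed for illustration.

```python
"""Audit Set-Cookie response headers for missing Secure / HttpOnly attributes."""
from dataclasses import dataclass

# Constructed sample: headers as a portal might return them after login.
# Cookie names other than JSESSIONID and all values are made up.
SAMPLE_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=0123456789ABCDEFexample; Version=1; Path=/
Set-Cookie: lb_route=node1; Path=/; Secure; HttpOnly
Set-Cookie: portal_lang=en; Path=/; httponly
"""


@dataclass
class CookieFinding:
    name: str       # cookie name as sent by the server
    missing: list   # required attributes that were not present


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes carry no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_headers(raw_headers, required=("secure", "httponly"), only=None):
    """Return a CookieFinding for every cookie lacking a required attribute.

    raw_headers: response header block as text, one header per line.
    only: optional set of cookie names to restrict the audit to.
    """
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue  # status line or unrelated header
        name, attrs = parse_set_cookie(value)
        if only and name not in only:
            continue
        missing = [attr for attr in required if attr not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```

Run it against headers captured over HTTPS before and after the server-side change; an empty result for JSESSIONID means the session cookie is no longer eligible to travel over plain HTTP.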

  • Problem with some secure websites - banking and Paypal

    As of yesterday when I try Paypal and banking sites (secure sites) with Firefox I get an error "You are using a browser that has not been certified with this online banking product. You can't continue to use this browser. You should use
    Internet Explorer (6 or above)." The sites work ok with Internet Explorer and Google Chrome. My feeling is that it is some sort of certificate or Javascript problem with Firefox. I've tried deleting the cache and all cookies with no improvement. I then deleted Firefox (I had the latest Version 3.x) and then installed Firefox 4 and am still getting the same result. I have checked the computer with two different virus / malware scanners with no issue. The paypal site view code shows javascript that produces the error response - I'm not quite sure what triggers the code - it seems to look for msie or opera user agents.

    All the sites you mention open instantly for me with no error messages.
    Something is wrong with your settings. Try this:
    The following usually works on both Tiger and Leopard:
    (First, if yours is an Intel Mac, check that Safari is not running in Rosetta, which is enough to slow it to a crawl.)
    Empty Safari's cache (from the Safari menu), then close Safari.
    Go to Home/Library/Safari and delete the following files:
    form values
    download.plist
    Then go to Home/Library/Preferences and delete
    com.apple.Safari.plist
    Repair permissions (in Disk Utility).
    Start up Safari again, and things should have improved.
    If not, MacFixit have published a very detailed (very!) article on speeding up a slow Safari, here:
    http://www.macfixit.com/article.php?story=20070416000657464
    Many, including me, have also followed the advice given by others here to add DNS codes to their Network Settings, with good results in terms of speed-up:
    Open System Preferences/Network. Double click on your connection type, or select it in the drop-down menu. Click on TCP/IP and in the box marked 'DNS Servers' enter the following two numbers:
    208.67.222.220
    208.67.220.222
    Click on Apply Now and close the window.
    Restart Safari, and repair permissions.

  • Using cookie with DII

    Here is an example to use cookie with static web service call:
    http://download.oracle.com/docs/cd/B32110_01/web.1013/b28974/j2sewsclient.htm#DAFDHCFA
    Could someone give an example of using a cookie with the dynamic invocation interface to invoke a web service?
    Thanks


  • Problem with socket security

    Hi,
    I'm trying to make a socket connection from within an AIR application, but no way. I've been browsing Google for almost 2 days and followed all possible solutions, but evidently I don't understand something because I'm not able to do anything.
    Every time sandbox security violation.....  I need to make some simple socket data exchange between my AIR application and the OS. I do not have any web server or any other kind of network ability. I wrote a stupid socket server, which is waiting for the policy request and for my other requests (it functions 100%, tested with Telnet, so no way to have a problem on my socket server side).
    The strange thing is that my application does not produce any request for the socket policy file, neither at port 843 (the default), nor at my custom location with a manual
    Security.loadPolicyFile("xmlsocket://ip:port"); call
    This is my primitive code:
    <?xml version="1.0" encoding="utf-8"?>
    <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml"
        layout="vertical">
        <mx:Script>
            <![CDATA[
                private var s:XMLSocket = null;
                private function test():void{
                    Security.loadPolicyFile("xmlsocket://127.0.0.1:25013");
                    if(!s){
                        // Create the socket and register its listeners only once
                        s = new XMLSocket();
                        s.addEventListener(DataEvent.DATA, onData);
                        s.addEventListener(Event.ACTIVATE, onActivate);
                        s.addEventListener(Event.CONNECT, onConnect);
                        s.addEventListener(Event.DEACTIVATE, onDeactivate);
                        s.addEventListener(IOErrorEvent.IO_ERROR, onError);
                        s.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurity);
                    }
                    s.connect("127.0.0.1", 25013);
                }
                private function onActivate(e:Event):void{
                    debug.text += "Activated\r";
                }
                private function onConnect(e:Event):void{
                    debug.text += "Connected\r";
                    var o:XML = <request cmd="10"/>;
                    s.send(o);
                }
                private function onDeactivate(e:Event):void{
                    debug.text += "Deactivated\r";
                }
                private function onError(e:IOErrorEvent):void{
                    debug.text += e.text + "\r";
                }
                private function onSecurity(e:SecurityErrorEvent):void{
                    debug.text += e.text + "\r";
                }
                private function onData(e:DataEvent):void{
                    debug.text += e.data;
                    s.close();
                }
            ]]>
        </mx:Script>
        <mx:Button label="Test" click="test()"/>
        <mx:TextArea id="debug" width="100%" height="100%"/>
    </mx:WindowedApplication>
    Any help will be appreciated.
    Ladislav.

    Hi,
    Some time has passed, but if I remember well, my problem was that I did
    not terminate stream output from my server vs AIR application, and it
    returns this security error.
    When I send '\0' at the end of my message it works correctly. Yes the
    server was my own written socket server (C++ using boost libraries).
    Laco.
    Sorry for the late response, I'm on holidays
    Staney G wrote:
    So, how did you walk around the problem?  Did you have a control on how server responds?
    My test case failed similarly.  However, the target server is a public web service.
    Will appreciate your answers!
    >
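
The fix reported in this thread is the zero byte that ends every XMLSocket message, the policy file reply included. The sketch below is an added example, not the poster's C++/boost server: it frames incoming data on the NUL byte and NUL-terminates every reply. The policy contents, `ack_handler` and the other function names are assumptions made for illustration; the address and port are the ones from the post.

```python
"""NUL-terminated framing for an XMLSocket-style server, as described in the thread."""
import socket
import threading

NUL = b"\x00"
POLICY_REQUEST = b"<policy-file-request/>"
# Assumed policy for this example: only the poster's address and port are allowed.
POLICY_FILE = (
    b'<?xml version="1.0"?>'
    b"<cross-domain-policy>"
    b'<allow-access-from domain="127.0.0.1" to-ports="25013"/>'
    b"</cross-domain-policy>"
)


def ack_handler(message):
    """Hypothetical application handler: acknowledge the request it received."""
    return b'<ack bytes="%d"/>' % len(message)


def process_stream(buffer, app_handler):
    """Consume complete NUL-terminated messages from buffer.

    Returns (bytes to send back, unconsumed remainder). Every reply is
    terminated with NUL; a reply without it is never treated as complete
    by the client, which is the failure the thread describes.
    """
    out = bytearray()
    while True:
        message, sep, rest = buffer.partition(NUL)
        if not sep:
            break  # incomplete message: keep it until more bytes arrive
        buffer = rest
        if message.strip() == POLICY_REQUEST:
            out += POLICY_FILE + NUL
        elif message:
            out += app_handler(message) + NUL
    return bytes(out), buffer


def serve_connection(conn, app_handler):
    """Read from one connection until the peer closes it."""
    buffer = b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            reply, buffer = process_stream(buffer + chunk, app_handler)
            if reply:
                conn.sendall(reply)


def read_messages(sock, count):
    """Client side: read until `count` NUL-terminated messages have arrived."""
    data = b""
    while data.count(NUL) < count:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.split(NUL)[:count]


def demo_exchange():
    """Run both sides over a local socket pair; the request arrives in two pieces."""
    client, server = socket.socketpair()
    worker = threading.Thread(
        target=serve_connection, args=(server, ack_handler), daemon=True
    )
    worker.start()
    with client:
        client.sendall(POLICY_REQUEST + NUL)
        client.sendall(b"<request cm")
        client.sendall(b'd="10"/>' + NUL)
        messages = read_messages(client, 2)
    worker.join(timeout=2)
    return messages


if __name__ == "__main__":
    for msg in demo_exchange():
        print(msg.decode())
```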

  • Error on running reports with filters/security

    Post Author: mishel
    CA Forum: Publishing
    Hi, I am trying to run a report with filters/security defined via Business View. When I run the report as administrator, I am able to view successfully. However, when I login as test/dummy account which filters my parameters, I am getting such error - "A request was cancelled.  The necessary security privileges could not be verified.  This indicates a problem with the security server." Appreciate all the help I can get. Thank you, Michelle

    Hi onizga,
    According to your description that you are migrating SSRS 2008 R2 reports to SSRS 2012 SP2, after migration you got some error like “The Uri string is too long” which only occurred when accessing the drill-through actions, right?
    Usually, the issue can be caused when you try to pass some parameters that cause the URL length to exceed 65,520 characters for a Microsoft SQL Server 2012 Reporting Services (SSRS 2012), you cannot render the report, and you may receive the following error
    message:
    The value of parameter 'param' is not valid. (rsInvalidParameter).Invalid URI: The Uri string is too long.
    This is a known issue and there is already a hotfix, SQL Server 2012 Service Pack 1 Cumulative Update 9 (CU9). As you know, you can try to reinstall this hotfix to fix this issue:
    http://support.microsoft.com/kb/2916827 . If there is any issue after applying the update, please post it on the following thread or you can submit feedback:
    http://connect.microsoft.com/SQLServer/feedback/details/788964/ssrs-2012-invalid-uri-the-uri-string-is-too-long 
    Similar threads for your reference:
    SSRS - The value of parameter 'param' is
    not valid. ---> System.UriFormatException: Invalid URI: The Uri string is too long.
    Microsoft.ReportingServices.Diagnostics.Utilities.InvalidParameterException:
    The value of parameter 'pSetOfScopes' is not valid. ---> System.UriFormatException: Invalid URI: The Uri string is too long
    If you still have any question, please feel free to ask
    Regards
    Vicky Liu

  • There is a problem with the security certificate of the proxy server. Error code 18 and 38.

    Hi All,
    After several hours and a short night of sleep I'm out of ideas and hopefully someone here can help me trying to solve this one. First of all the situation:
    Exchange 2013 on a remote location with a CA-certificate.
    Outlook 2010 and 2013 on different locations, locally installed and on RDS.
    When I open Outlook on my laptop all is fine, no errors, good sync, no problem. But when I open Outlook on our Remote Desktop Servers with Outlook 2013 I'm getting errors like "There is a problem with the security certificate of the proxy server. The
    name on the security certificate is invalid or does not match the name of the site. Outlook is unable to connect to this server. (Error code 18)". Opening Outlook 2010 the message is the same, but the error code now is 38.
    After this Outlook opens and is working, there's one more error though. After a while an security warning pops up with the message: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the
    site's security certificate. * The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. * The security certificate is valid. * The name on the security
    certificate is invalid or does not match the name of the site."
    Strangest thing is, it is the certificate of my RDS! It isn't my valid and officially bought certificate from my mailserver. What's going on? I'm out of options, what I've tried so far (in random order):
    - restarting mailserver and AD;
    - restarting switches;
    - restarting routers;
    - restarting RDS, AD and all other servers;
    - bypassed proxyserver for RDS;
    - created a new profile;
    - checked recently installed updates;
    - checked certificate on mailserver;
    - checked RDS on a different location, working fine.
    Nothing helped, what can I do next? Please advise.
    Regards.

    Found a thread that solves half my problem (https://social.technet.microsoft.com/Forums/office/en-US/70d18244-889a-4d95-ac3f-e234672a82b2/there-is-a-problem-with-the-proxy-servers-security-certificate-error-when-starting-outlook?forum=exchangesvrclients).
    The first message can be suppressed by adding this to the Exchange config:
    set-outlookprovider -Identity EXCH -CertprincipalName msstd:webmail.domain.tld
    set-outlookprovider -Identity EXPR -CertprincipalName msstd:webmail.domain.tld
    Giving the command get-outlookprovider gives me empty information regarding the CertPrincipalName. I filled
    this in, and after recreating the profile or deleting the ost-file I still have the second alert with the local certificate of my RDS.
    Not completely where I want to be, any help regarding the second alert is greatly appreciated!

  • How can we handle browser settings while dealing with the security ?

    Hi ,
    How can we handle browser settings while dealing with the security? When we configured security in web.xml, during the first request the container is asking for the authentication credentials; once they are provided it goes on. But when the user gives a fresh request from the second window within the same browser, that time it is not asking for authentication. How can we overcome this? Is there anything to do with server configurations?
    How can we make the container not to keep the things or act like session?

    Ya... I am taking a small example need not happen always but a kind of possibility i am thinking off.
    Once the user signs out and just left without closing the browser, a friend (suppose not a good friend ... just kidding...) of that user may open the same jsp or file. This time the security is breached. If that feature or property exists....
    I know what you might say ... the user will log out before leaving, where a programmer might invalidate the session at the time of log out.
    Consider the case of bad programming, or a programmer might just forget to invalidate. At that time, as an application administrator, how can he solve that issue?
    Thanks.......
    Edited by: user8483670 on Jun 6, 2011 1:08 AM
    Edited by: user8483670 on Jun 6, 2011 1:09 AM

  • SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has be

    Hello, I have a sql 2005 server, and I am a developer, with the database on my own machine.  It always works for me but after some minutes the other developer can't work in the application
    He got this error
    Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: 192.168.1.140]
    and When I see the log event after that error, it comes with another error.
    SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 192.168.1.140]
    He has IIS5 and me too.
    I created a user on the domain called ASPSYS with password, then in the IIS on anonymous authentication I put that user with that password, and it works, on both machines.
    and in the connection string I have.
    <add key="sqlconn" value="Data Source=ESTACION15;Initial Catalog=GescomDefinitiva;Integrated Security=SSPI; Trusted_Connection=true"/>
    I go to the profiler, and I see that when he browses a page, the database is accessed with user ASPSYS, but when I browse a page, the database is accessed with user SE\levalencia.
    That's strange.
    The only way that the other developer can work again on the project is to restart the whole machine. He has Windows XP Professional, I have Windows 2000.
    If you want me to send logs please tell me

    Well here's my problem, maybe you can help. Intermittently I get a login failed when connecting to a db engine through Server Management Studio using Windows authentication. When this happens the following entries are generated on the server's application event log:
    Event Type:        Error
    Event Source:    MSSQLSERVER
    Event Category:                (4)
    Event ID:              17806
    Date:                     1/14/2009
    Time:                     10:41:31 AM
    User:                     N/A
    Computer:          <server name>
    Description:
    SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: <ip address>]
    Event Type:        Failure Audit
    Event Source:    MSSQLSERVER
    Event Category:                (4)
    Event ID:              18452
    Date:                     1/14/2009
    Time:                     10:41:31 AM
    User:                     N/A
    Computer:          <server name>
    Description:
    Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: <ip address>]
    I've already ensured that the server is set to mixed authentication mode. Oddly enough, the workaround that I've found is that if I remote desktop into the server, log in and then log back out, Management Studio is suddenly able to connect again. No idea why it works. 
    As I said before, it is intermittent. Some days it errors on login, other days it doesn't and there are no configuration changes between them. Also, both client and server are in the same domain and same site so there is no VPN or anything in between. I'm really quite stumped. Any help would be great, or if you can point me in the right direction of where to look. Thank you in advance!

  • Cannot see Cookies with new update of firefox. I recently updated firefox, but when I look on the PRIVACY window, where websites store cookies, I am no longer a

    Cannot see Cookies with new update of firefox.
    I recently updated firefox, but when I look on the PRIVACY window, where
    websites store cookies, I am no longer able to see any cookies that
    are being stored, and I am not able to delete the cookies as soon as I leave
    their site, as I had been doing for a long time prior to updating.
    So I am wondering where the heck are the cookies being stored now, with the
    new update? I like to be able to delete their cookies immediately, and
    I also wonder why firefox does not make it much easier for us to see
    all the cookies and delete them with one click, instead of having to
    use the <<TOOLS<<OPTIONS<<PRIVACY way of looking at and deleting cookies.
    The option to delete the cookies when firefox closes is not as efficient
    and I will get tracked until I close firefox, and I prefer to not be tracked
    so I like to just delete their cookies as soon as I am no longer using their
    site anymore.

    (my question was not fully showing so I added this here)
    way of looking at and deleting cookies.
    The option to delete the cookies when firefox closes is not as efficient
    and I will get tracked until I close firefox, and I prefer to not be tracked
    so I like to just delete their cookies as soon as I am no longer using their
    site anymore. So I need to know how to make the cookies visible again, so I can immediately delete them. thank you

  • I have 2 ipod touch 3rd gen. Cannot connect to my wifi.  One will connect with neighbor's unsecure network..neither connect with my secured network

    I have 2 ipod touch 3rd generation.   Cannot connect to my wifi.   One will connect on and off to my neighbor's unsecure wifi but neither will connect to my secured wifi.   All my wireless computers connect plus my Ipad connects.    They did connect at one time but haven't used them for anything but audio books which connect through Itunes on my computer.   It shows my secured network name.   When I originally connected them it was another rather with other security but since then I have bought new equipment.   My Ipad and my printers just automatically connect.    I have put in the Ip information plus but still no luck.

    Try:
    - Reset the iOS device. Nothing will be lost
    Reset iOS device: Hold down the On/Off button and the Home button at the same time for at
    least ten seconds, until the Apple logo appears.
    - Power off and then back on the router
    - Reset network settings: Settings>General>Reset>Reset Network Settings
    - iOS: Troubleshooting Wi-Fi networks and connections
    - Wi-Fi: Unable to connect to an 802.11n Wi-Fi network
    - iOS: Recommended settings for Wi-Fi routers and access points
    - Restore from backup. See:
    iOS: How to back up
    - Restore to factory settings/new iOS device.
    If still problem make an appointment at the Genius Bar of an Apple store since it appears you have a hardware problem.
    Apple Retail Store - Genius Bar

  • Can't get Google CAL to work with iCAL "Server with a secure communication unavailable"

    I can't add my google account to iCal...
    Error message:
    "Server with a secure communication unavailable"
    "Your calendar acct isn't on a server that can receive your calendar information securely.."
    I have had this work just fine in the past, had to remove my accounts a while back, decided to add them back, and this error keeps popping up...
    Can anyone help??
    Googled and Searched this forum with no success. Found some suggestions but nothing worked.
    Thanks,

    I have used the CalDAV option from the pop list and the server option is : https://www.google.com/calendar/dav/[email protected]/user    , replace with your email the underlined
    I've found this here .

  • .pdf with no security settings won't place in InDesign

    A received .pdf file with no security settings will not place in InDesign.  I receive a "This PDF document was saved with security settings which prevents its pages from being placed."  Even when I save it as a new .pdf with no security settings, it won't place.  I'm currently using Acrobat Pro X.  Please advise.  Thanks!

    It could be you need to restore your InDesign preferences. Follow these directions:
    http://pfl.com/trb

  • Can I make an image display instead of flash slideshow on explorer with high security?

    I am a total flash beginner.  I created a simple flash slideshow that I want to appear on my website.  It works fine in firefox., but when viewed in explorer with high security, nothing displays unless the viewer specifically allows it. The slideshow is very prominent, and the site looks very bad when only an x shows up.   Is it possible to have a static image display in place of the slideshow, and then have the slideshow start if the viewer allows it? Is there any other way to get around this? 
    Thank you for any assistance.
    EJ

    Have you tested it with IE online or only locally?  Locally IE will usually prohibit displaying Flash content.
