CSML:Multiuser security handler plug-in

Similar Messages

• Security Handler to use Adobe's Standard to Encypt and Decrypt File

  Hello,
  I am trying to write an Adobe Acrobat Security Handler plug-in based on the sample provided by Adobe.
  Within the plugin source code - a CRYPT_KEY of 'Mickey' is used to encrypt/decrypt the document once the security handler is placed on the document.
  Is there a way to use Adobe's CRYPT_KEY? Or what do I pass back from the callback function NewCryptDataExProc - so that a document with Adobe's encryption/decryption is used on the file?
  The main goal is such that the document needs my security handler plugin to open/view the document. Please note that we know the open password and the owner password that we set on the file.
  Thanks in advance for any advice and information anyone can provide.

  We are trying require the user to have our plugin to open the PDFs that we supply them. If we use Adobe security - then anyone who know's the password can open the files. Now, there isn't anything to prevent them from sending along the plugin also - but that is another issue.
  We would like to use the plugin to set the security on the file before the user gets the file - but the file is coming from another division and they are currenty unable to spend the time to update their process to include the that step. But, the files are set with Standard Adobe security. We are however able to tweek the PDF file, in the trailer, to recognize that our Security Handler is to be used.
  So, when our security handler kicks in - it doesn't send back the appropriate 'key' to Acrobat and all the pages come up blank.
  This is a temporary messure. We are currently getting a plan together to use Adobe Life Cycle (DRM), but the hardware acquision and other beauracy is keeping that from materializing for a few months and we need something yesterday (as my boss says).
  If you have any guidance or suggestions - that would be welcome.

• Setting own security handler with JavaScript

  Hi,
  I build the security handler plugin example (SecurityHandler.api) and installed it. Then I wanted to set this handler via JavaScript to a document but I have no access to it. If I list all handlers (security.handlers) in a trusted function only the standard handler occur. If I change the security settings via Adobe I have the handler listed in the drop down box. I am using Acrobat 8 Professional.
  Many thanks for your advice in advance!
  Regards
  Jörg

  Ian,
  As a general statement, wireless networks are inherently insecure.
  "I have now switched off the broadcasting of the name.
  What level of security is this?
  If this is all you have done, roughly speaking, your network is just as
  (in)secure as it was when you plugged in the router.
  Do you have file or printer sharing turned on? Are your Mac firewalls
  stealthed and refusing UDP packets? Will the router accept any inbound
  request for an internet connection? Have you changed the default password
  on the router?
  The answers to these questions speak to the relative (in)security of your
  Macs.
  Is your son using any form of encryption, say, WEP, or, preferably, WPA?
  If not, your network is less secure.
  "We live in a quiet cul-de-sac where any strange people or cars would be noticed immediately, so we are probably not so vulnerable to wireless-hackers as others might be. Or am I living in a "fool's paradise"?"
  Yes, and here's why.
  "Does anyone know where I might be able to get hold of some reasonably simple, step by step instructions."
  I was going to suggest reading the router's manual, but it is pure and utter
  fertilizer. Looks as though a marketroid (who knows some buzzwords but
  not their meanings) patched that monstrosity together using the user
  menu storyboard walk-through and a lot buzzword-laden filler "lifted"
  from the Web.
  Would it be humanly possible to run an ethernet cable from your router to
  where your son computes and turn off the wireless?
  Since I don't own one, I can't help with a primer on securing it. Sorry.
  -Wayne

• Automatic security handling doesn't work at all

  Hi all,
  I'm just discovering that the automatic security handling of LV DSC 7.0 doesn't work! That means if I set security options for a control, they won't be applied. Even the VI's in example\lvdsc\security don't work as supposed (and as they did in LV DSC 6.1)!
  Does anyone out there experience the same problems?

  Since logging off and then back on seems to fix the problem it would seem that when LabVIEW is starting it is automatically logging you into an account with access priviledges. You can check what account is automatically logged into by launching LabVIEW and going to Tools>>DSC Module>>Security>>User Info.... You can also set this behavior by logging in as an Administrator and then going to Tools>>DSC Module>>Options and then the Security Preferences button on the Advanced tab.
  Regards,
  JR A.

• The file "Filter/CSML:MultiUser:" is missing.

  I have a Powerbook G4 which I have just upgraded from Panther 10.3 to Leopard 10.5. Before the upgrade I was able open the PDF files of a windows application Landrover workshop manual disc, after the upgrade I get a message "Filter/CSML:MultiUser;" are missing. I think it was also being opened with Adobe 4 which is on the disk and won't open either.

  This is the Encore forum. Did you mean to post this in the Acrobat forum?

• Can any bady send the WDJ application on event handler & plug  parameters?

  Hi,
  Experts,
  I have no idea no WDJ Event handler and plug parameters usage if any bady can send me few WDJ application or scenarios which is based on event handler parameters and plug parameters and method parameters. 
  Thans in advance,
  Shaber Ahmed.

  Hi
  Use this pdf(Example) for event handler
  http://www.sappro.com/downloads/WebDynproJava.pdf
  for plug parameters usage
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/91b6ad90-0201-0010-efa3-9626d2685b6e?overridelayout=true
  Thanks

• How security is handled in HR-BW reporting? Specially for Payroll data.

  Hi,
  how security is handled in HR-BW reporting?
  Specially for Payroll data, how security handled?
  any Idea will be appriciated.
  Thanks
  Ali

  Hi Guys,
  any body has an Idea ! How security is handled in HR-BW reporting?
  Specially for Payroll data.
  any documentation etc....
  Thanks
  Ali

• 3rd party signature handler set in Adobe Acrobat 9 Professional Extended gets reset

  Hi All,
  I have got a 3rd party digital signature creating plug-in i.e. MySign . I have set it inside 'Preference > Security > Advanced Preferences > Creation > Default Method to Use when Signing and Encrypting Documents' > MySign. If I restart Adobe Acrobat that setting is lost and the Adobe Default Security handler is then used.
  I don't want to set handler manually every time I restart Adobe Acrobat. I have figured out that Adobe Acrobat is creating a registry entry named aPrivKey against that inside cHandlers BUT it gets removed on Adobe restart if I set MySign as the handler in the first place.
  Similarly I want the same handler to verify signatures. For that I have set 'Preferences > Security > Advanced Preferences > Verification > Always use the default method (overrides the document-specified method)' along with the name of handler i.e MySign but on restart of Adobe, this is also gets reset.
  Any idea how to set my handler as default to sign & verify without getting it reset?
  Regards,
  Wahaj

  Hi All,
  I checked with Adobe X and this issue is not present there.
  Regards,
  Wahaj

• Improving Acrobat Security ?

  Acrobat provides an easy means for the password protection of PDF documents. The approach is advantageous in that the documents can be read with the freely available Adobe Reader with usage of the appropriate passwords. Unfortunately, as is well known, this protection is easily circumvented.
  My question is this. Is there any way to improve the present Adobe PDF security or does anyone know of a program that will generate an Adobe Reader compatible file after an original PDF file has been encrypted and decrypted by a "third party" program.
  We tried this appraoch with the Dlock version of MPJ, which is a military grade encryption system. A PDF file was encrypted and then decrypted by MPJ. Unfortunately, Adobe Reader could not read the resultant decrypted file.The MPJ encryption/decryption process functions properly with other files.
  Thank you very much for your assistance.

  Hi Dave,
  I did find this on the Adobe Acrobat developer site. The SDK does have encryption capability as follows. I still don't know if this can also be accomplished by using a command line option with acrobat.exe.
  QUOTE
  Encryption is controlled by an encryption dictionary in the PDF file. The Acrobat  core API uses RC4 (a proprietary algorithm provided by RSA Data  Security, Inc.) to encrypt document data, and a standard (proprietary)  method to encrypt, decrypt, and verify user passwords to determine  whether or not a user is authorized to open a document.
  Each stream or string object in a PDF file is individually encrypted. This level of encryption improves performance  because objects can be individually decrypted as needed rather than  decrypting an entire file. All objects, except for the encryption  dictionary (which contains the security handler’s private data), are  encrypted using the RC4 algorithm Adobe licenses from RSA Data Security,  Inc. A plug-in may not substitute another encryption scheme for RC4.
  A plug-in that implements a security handler is responsible for encrypting the values it places into the encryption  dictionary, and it may use any encryption scheme. If the security  handler does not encrypt the values it places into the encryption  dictionary, the values are in plain text.
  The core API provides two Cos layer methods to encrypt and decrypt data using the RC4 algorithm. These methods are CosEncryptData and CosDecryptData. (See the Acrobat and PDF Library API Reference.)
  Security handlers may use these methods to encrypt data they want to put into the PDF file’s encryption dictionary  and decrypt data when it is read from the dictionary. Security handlers  may instead choose to ignore these methods and use their own encryption  algorithms.
  END QUOTE
  Best regards,
  Robbie

• Loading dynamic plug-ins(SWF) in OSMF

  I am working on an OSMF player  which needs to load plugin from a URL and is in the form of SWF. How can  I load this into the mediaFactory?
  I have checked over the internet and I was able to figure out way to load the SWF plug-in but it always  returns error. No request is sent to the server for loadin the SWF.

  I have downloaded the latest one from sourceforge.
  an excerpt from the code
  package
      import flash.display.Sprite;
      import org.osmf.media.MediaFactory;
      import org.osmf.media.URLResource;
      import org.osmf.utils.URL;
      import org.osmf.events.MediaFactoryEvent;
      public class MediaFactoryExample extends Sprite
          public function MediaFactoryExample()
              // Construct a media factory, and listen to its plug-in related events:
              var factory:MediaFactory = new MediaFactory();
              factory.addEventListener(MediaFactoryEvent.PLUGIN_LOAD, onPluginLoaded);
              factory.addEventListener(MediaFactoryEvent.PLUGIN_LOAD_ERROR, onPluginLoadError);
              // Instruct the factory to load the plug-in at the given url:
              factory.loadPlugin(new URLResource("http://objects.tremormedia.com/embed/swf/osmfacudeoplugin.swf"));
          private function onPluginLoaded(event:MediaFactoryEvent):void
              // Use the factory to create a media-element related to the plugin:
              var factory:MediaFactory = event.target as MediaFactory;
              factory.createMediaElement(new URLResource("http://mediapm.edgesuite.net/strobe/content/test/AFaerysTale_sylviaApostol_640_500_short.flv"));
          private function onPluginLoadError(event:MediaFactoryEvent):void
              // Handle plug-in loading failure:
              trace("Plugin failed to load.");   

• Strange error when try to open secured doc using PDDocOpen

  Aandi and Leo,
  I have a secured PDF file. When I try to open it using the below code I am getting an error like below as message box.
  //error
  Unknown error
  Support Information: CRecipientList-666
  //error
  I would like to know why this is coming and how to suppress this error message box. I need to show my own message box.
  //code
  PDDoc pdSEcDoc = PDDocOpen( asPath , ASGetDefaultFileSys(), IfEncr , true);
  //code
  Please suggest a good solution.
  thanks,
  -peri

  The only thing I can GUESS (since I don't have the actual PDF) is that the file is encrypted with a custom security handler that is being invoked during the open process and choosing to bring up UI.
  Leonard

• Sample with Securing Identity Web Services using jee sdk update 3 fails!!

  Hi,
  following the sample from identy enabled webServices as described in :
  ../blueprints/ws-security/identityWebServices-jaxws/index.html
  results in an error message:
  [#|2007-11-14T10:06:57.252+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:57:252 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  ERROR: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
  Check AMConfig.properties for the following properties
       com.sun.identity.agents.app.username
       com.iplanet.am.service.password
  I tried both building/deployiny using ant and netbeans (after importing to NB).
  Using Java EE 5 SDK Update 3 with Tools on windows.
  Has someone successfully used deployed/run this sample?
  cheers
  Additional error messages:
  [#|2007-11-14T10:06:56.481+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:56:481 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  could not create SSOToken from HttpRequest
  com.iplanet.dpro.session.SessionException: Invalid session ID.
       at com.iplanet.dpro.session.Session.getSession(Session.java:785)
       at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:100)
       at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:242)
       at com.sun.identity.wss.security.handler.HTTPRequestHandler.setTokenInSubject(HTTPRequestHandler.java:169)
       at com.sun.identity.wss.security.handler.HTTPRequestHandler.shouldAuthenticate(HTTPRequestHandler.java:116)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.sun.identity.agents.jsr196.as9soap.AMHttpAuthModule.validateRequest(AMHttpAuthModule.java:195)
       at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
       at com.sun.web.security.RealmAdapter.validate(RealmAdapter.java:1261)
       at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1143)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:627)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:609)
       at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:583)
       at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:92)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
       at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:361)
       at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
       at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
  |#]
  [#|2007-11-14T10:06:56.481+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:56:481 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  HTTPRequestHandler.setTokenInSubject: Invalid SSOToken
  |#]
  [#|2007-11-14T10:06:56.491+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=Thread-85;|11/14/2007 10:06:56:481 AM CET: Thread[Thread-85,10,Grizzly]
  Session Cache Cleaner started
  |#]
  [#|2007-11-14T10:06:56.541+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:56:541 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  DataLayer: number of retry = 3
  |#]
  [#|2007-11-14T10:06:56.541+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:56:541 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  DataLayer: retry interval = 1000
  |#]
  [#|2007-11-14T10:06:56.541+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:56:541 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  DataLayer: retry error codes = []
  |#]
  [#|2007-11-14T10:06:56.551+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:56:551 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  WARNING: DSConfigMgr.getDSConfigMgr: serverconfig.xml probably missing. May be running in client mode
  java.io.FileNotFoundException: null\serverconfig.xml (Das System kann den angegebenen Pfad nicht finden)
       at java.io.FileInputStream.open(Native Method)
       at java.io.FileInputStream.<init>(FileInputStream.java:106)
       at java.io.FileInputStream.<init>(FileInputStream.java:66)
       at com.iplanet.services.ldap.DSConfigMgr.getDSConfigMgr(DSConfigMgr.java:173)
       at com.iplanet.am.util.AdminUtils.<clinit>(AdminUtils.java:76)
       at com.sun.identity.security.AdminTokenAction.getSSOToken(AdminTokenAction.java:263)
       at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:174)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sun.identity.wss.provider.ProviderConfig.getAdminToken(ProviderConfig.java:617)
       at com.sun.identity.wss.provider.ProviderConfig.getProvider(ProviderConfig.java:505)
       at com.sun.identity.wss.security.handler.HTTPRequestHandler.shouldAuthenticate(HTTPRequestHandler.java:132)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.sun.identity.agents.jsr196.as9soap.AMHttpAuthModule.validateRequest(AMHttpAuthModule.java:195)
       at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
       at com.sun.web.security.RealmAdapter.validate(RealmAdapter.java:1261)
       at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1143)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:627)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:609)
       at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:583)
       at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:92)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
       at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:361)
       at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
       at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
  |#]
  [#|2007-11-14T10:06:56.551+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:56:551 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  AdminUtils: Could not initialize admin info message: Got LDAPServiceException code=19
  |#]
  [#|2007-11-14T10:06:56.551+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:56:551 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  Crypt.static{}: Encryptor class= com.iplanet.services.util.JSSEncryption
  |#]
  [#|2007-11-14T10:06:57.252+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:57:252 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  AdminTokenAction::getSSOToken Not found AdminDN and AdminPassword.
  java.lang.NoClassDefFoundError: org/mozilla/jss/crypto/KeyGenAlgorithm
       at java.lang.Class.forName0(Native Method)
       at java.lang.Class.forName(Class.java:169)
       at com.iplanet.services.util.Crypt.createInstance(Crypt.java:133)
       at com.iplanet.services.util.Crypt.<clinit>(Crypt.java:103)
       at com.iplanet.am.util.AdminUtils.getAdminPassword(AdminUtils.java:132)
       at com.sun.identity.security.AdminTokenAction.getSSOToken(AdminTokenAction.java:263)
       at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:174)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sun.identity.wss.provider.ProviderConfig.getAdminToken(ProviderConfig.java:617)
       at com.sun.identity.wss.provider.ProviderConfig.getProvider(ProviderConfig.java:505)
       at com.sun.identity.wss.security.handler.HTTPRequestHandler.shouldAuthenticate(HTTPRequestHandler.java:132)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.sun.identity.agents.jsr196.as9soap.AMHttpAuthModule.validateRequest(AMHttpAuthModule.java:195)
       at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
       at com.sun.web.security.RealmAdapter.validate(RealmAdapter.java:1261)
       at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1143)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:627)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:609)
       at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:583)
       at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:92)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
       at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:361)
       at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
       at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
  |#]
  [#|2007-11-14T10:06:57.252+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:57:252 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  AdminTokenAction::run Unable to get SSOToken from serverconfig.xml
  |#]
  [#|2007-11-14T10:06:57.252+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:57:252 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  AdminTokenAction: App user name or password is empty
  |#]
  [#|2007-11-14T10:06:57.252+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|11/14/2007 10:06:57:252 AM CET: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
  ERROR: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
  Check AMConfig.properties for the following properties
       com.sun.identity.agents.app.username
       com.iplanet.am.service.password
  |#]

  The problem is that the AMclient does not find its AMConfig.properties. In my install this file is at
  /Applications/SUNWappserver/domains/domain1/config. Simply add this path to the server classpath and it will work.
  S.

• I accessed the page protected by ADF security using direct url access attac

  hi,
  I played with my application which is based on SRDemo code (with added ADF security handling protection of resources) using direct url access scenarios. I was able to access a protected page as authenticated but not authorized user. I'll try to explain what I did.
  There are two folders/web resources in my application, faces/folderA/* and faces/folderB/*.
  roleA only is configured to access first web resource and the roleB is configured to access the second resource.
  I used ADF security to authorize only roleA for page in folderA and to authorize only roleB for page in folderB.
  I configured error pages in web.xml:
  <error-page>
  <error-code>400</error-code>
  <location>faces/error/error400.jspx</location>
  </error-page>
  <error-page>
  <error-code>401</error-code>
  <location>faces/error/error401.jspx</location>
  </error-page>
  <error-page>
  <error-code>403</error-code>
  <location>faces/error/error403.jspx</location>
  </error-page>
  <error-page>
  <error-code>404</error-code>
  <location>faces/error/error404.jspx</location>
  </error-page>
  <error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>faces/error/error500.jspx</location>
  </error-page>
  Other config params are:
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>infrastructure/ABLogin.jspx</form-login-page>
  <form-error-page>faces/error/error401.jspx</form-error-page>
  </form-login-config>
  </login-config>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>AB Prototype</web-resource-name>
  <url-pattern>faces/ABAbout.jspx</url-pattern>
  <url-pattern>faces/ABHelp.jspx</url-pattern>
  <url-pattern>faces/ABLogout.jspx</url-pattern>
  <url-pattern>faces/ABWelcome.jspx</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>A</role-name>
  <role-name>B</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>AZone</web-resource-name>
  <url-pattern>faces/folderA/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>A</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>BZone</web-resource-name>
  <url-pattern>faces/folderB/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>B</role-name>
  </auth-constraint>
  </security-constraint>
  <filter>
  <filter-name>adfBindings</filter-name>
  <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
  <init-param>
  <param-name>unauthorizedErrorPage</param-name>
  <param-value>faces/error/error401.jspx</param-value>
  </init-param>
  </filter>
  <filter>
  <filter-name>adfFaces</filter-name>
  <filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>adfBindings</filter-name>
  <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
  <filter-name>adfBindings</filter-name>
  <url-pattern>*.jspx</url-pattern>
  </filter-mapping>
  <filter-mapping>
  <filter-name>adfFaces</filter-name>
  <url-pattern>*.jsp</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>ERROR</dispatcher>
  </filter-mapping>
  <filter-mapping>
  <filter-name>adfFaces</filter-name>
  <url-pattern>*.jspx</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>ERROR</dispatcher>
  </filter-mapping>
  <servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
  <servlet-name>resources</servlet-name>
  <servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
  </servlet>
  <servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  Once I authenticated as user in roleA I was trying to directly access URLs accessible only by users in roleB. In the beginning everything worked OK: I was dispatched to error401.jspx page with message Not authorized... etc.
  But I kept trying to access different URLs, like http://localhost:8988/AB/faces, http://localhost:8988/AB/faces/folderB, http://localhost:8988/AB/faces/folderB/pageB.jspx, http://localhost:8988/AB
  (not necessarily in that order, I played for a couple of minutes and the system would always dispatch to error401.jspx page if unauthorized attempt. But all of sudden, to my surprise, I got the pageB.jspx page while logged in as user belonging to roleA!)
  Not sure how that happened but the connectedUser on pageB (#{userInfo.authenticated}) shows that I am logged in as user whose role is A.
  I checked Authorization in ADF security and it is still correct: pageB is only accessible to roleB and pageA is only accessible to roleA.
  I hope I made some stupid mistake in my configuration?

  Hi,
  ADF Security is JAAS permission based and not container managed. Note that unless you explicitly configured ADF Security you don't use ADF Security but container managed security, which is all that I can see in your configurations.
  Not sure which version fo JDeveloper you use, but if you could change the following setting
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>AZone</web-resource-name>
  <url-pattern>faces/folderA/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>A</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>BZone</web-resource-name>
  <url-pattern>faces/folderB/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>B</role-name>
  </auth-constraint>
  </security-constraint>
  to contain jspx file references instead of wildcards like in faces/folderB/* then what you see should no longer be possible. There was a known issue with the security settings in SRDemo that was caused by a defect in OC4J container managed security. I would expect this issue to be fixed in a more recent version of OC4J.
  However, the work around until then is to protect all JSPX files in a directory instead of using wild card matches
  Frank

• Web application security best practice?

  Hi guys,
  I am developing web app using JSF + Spring + Hibernate. I got a user backing bean which handling user login and logout session. Hence if user sign-in successfully, I will just set userLogIn=true in the userBean.java. I really don;t know if this is the best practice for handling user login session. Any security probelm here? Please advice, Thanks !
  regards,
  kmthien

  hi
  you can also find a lot of info about security handling and JSF if you search the forum.
  thanks.

• Securing Web Services with Access Manager

  Hello All
  I have installed the java_app_platform_sdk-5_04-windows.exe that comes with Acces Manager 7.1.
  I want to secure a webservice, so I have created a webapplication (with netbeans 6) with a webservice inside. I have also create a web client application that calls the webservice. The providers are configured in the server and I have enabled the soap security .
  When I use anonymous authentication everything works fine, but if I used any other security method the following exception arises:
  [#|2008-04-29T09:41:07.343+0200|SEVERE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=1a997eb3-6287-41f4-a540-0b9c86841683;|AMServerAuthModule.validateRequest: Failed in Securing the Request.|#]
  [#|2008-04-29T09:41:07.375+0200|WARNING|sun-appserver9.1|javax.enterprise.system.stream.err|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=1a997eb3-6287-41f4-a540-0b9c86841683;|java.lang.reflect.InvocationTargetException
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule.validateRequest(AMServerAuthModule.java:173)
       at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
       at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:168)
       at com.sun.enterprise.webservice.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:129)
       at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
       at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
       at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
       at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
       at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
       at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
       at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
       at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
       at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
       at com.sun.enterprise.webservice.JAXWSServlet.doPost(JAXWSServlet.java:159)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
       at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:290)
       at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
       at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
       at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
  Caused by: com.sun.identity.wss.security.SecurityException: Unsupported security mechanism.
       at com.sun.identity.wss.security.handler.SOAPRequestHandler.validateRequest(SOAPRequestHandler.java:232)
       ... 46 more
  |#]
  [#|2008-04-29T09:41:07.390+0200|SEVERE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=1a997eb3-6287-41f4-a540-0b9c86841683;|SEC2002: Container-auth: wss: Error validating request
  com.sun.enterprise.security.jauth.AuthException: Validating Request failed
       at com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule.validateRequest(AMServerAuthModule.java:188)
       at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
       at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:168)
       at com.sun.enterprise.webservice.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:129)
       at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
       at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
       at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
       at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
       at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
       at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
       at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
       at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
       at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
       at com.sun.enterprise.webservice.JAXWSServlet.doPost(JAXWSServlet.java:159)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
       at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:290)
       at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
       at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
       at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
       at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
       at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
       at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
  Caused by: java.lang.reflect.InvocationTargetException
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule.validateRequest(AMServerAuthModule.java:173)
       ... 41 more
  Caused by: com.sun.identity.wss.security.SecurityException: Unsupported security mechanism.
       at com.sun.identity.wss.security.handler.SOAPRequestHandler.validateRequest(SOAPRequestHandler.java:232)
       ... 46 more
  |#]
  It�s says something about th security mechanism is not supported. But I don�t know why. �Any idea?
  Thank you

  Hello again,
  I am not using ssl. I am using the usernametoken or de saml-voucer mechanish and It happens in both. But with the anonymous mechanism doesnt happen.
  ...