Custom Policy Step calling EJB

Similar Messages

• OWSM - Logging in Custom Policy Step

  I'm trying to implement a custom policy step for Oracle Web Service Management.
  For debugging purposes, I need to write a diagnostic log file (like gateway.log, policymanager.log, ccore.log...) with the behavior of my step. I have to use log4j library...
  Could you help me with OWSM log configuration?
  Thanks!

  I have been reading more about this issue but I have doubts yet...
  Now, I know that I must use the package "com.cfluent.ccore.util.logging" in my code. For example:
  ILogger logger = LogManager.getLogger(...);
  logger.log(Level.INFO, "..");
  In which owsm log file does this information appear?
  Thanks!

• Custom Policy Step and the WS-Security header attibute "mustUnderstand"

  Hi there,
  I have some issues testing the custom policy step that comes with OWSM (CustomAuthenticationStep), which i describe next.
  I manage to compile/deploy the custom step successfully. I also restart the server and add the brand new step into the request pipeline. The pipeline only has two steps, a log step and a custom authentication step.
  I develop a client for the gateway service which use the "Username to Authenticate" option of the Proxy Security. The other options (inbound/outbound integrity/encryption) are all unchecked.
  When I test the client, the following SOAP message is produced:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ns0="http://agesic.entidad/types/"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <env:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  env:mustUnderstand="1">
  <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:Username>test</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </env:Header>
  <env:Body>
  <ns0:reverseElement>
  <ns0:aString>Holas!</ns0:aString>
  </ns0:reverseElement>
  </env:Body>
  </env:Envelope>
  Which looks just fine. However I get the following exception:
  javax.xml.rpc.soap.SOAPFaultException: SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
       at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
       at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
       at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
       at agesic.cliente.gateway.proxy.runtime.EchoReverseSoapHttp_Stub.reverse(EchoReverseSoapHttp_Stub.java:78)
       at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.reverse(EchoReverseSoapHttpPortClient.java:44)
       at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.main(EchoReverseSoapHttpPortClient.java:33)
  If i look at the log produced by the custom step, it looks like the step was successfully passed.
  ********** Entering Custom Authentication execute method **********
  Processing stage is Request
  Request SOAP message is <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="h
  ttp://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-ins
  tance" xmlns:ns0="http://agesic.entidad/types/" xmlns:wsu="http://docs.oasis-ope
  n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><env:Header><wsse
  :Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004
  /01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.or
  g/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://sche
  mas.xmlsoap.org/soap/envelope/"><wsse:UsernameToken xmlns:wsse="http://docs.oasi
  s-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http:/
  /docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ws
  se:Username>test</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/
  wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse
  :Password></wsse:UsernameToken></wsse:Security></env:Header><env:Body><ns0:rever
  seElement><ns0:aString>Holas!</ns0:aString></ns0:reverseElement></env:Body></env
  :Envelope>
  User locale is English
  Client ip address is rhel4.tecinfo.com.uy:7777
  Verified user is test
  The problems is with the mustUnderstand attribute. It looks like no step tells the OWSM that he understands the header, so the OWSM pass through the pipeline and when it ends it thinks that that header was not processed properly.
  I try to find documentation on this issue but I didn't find any.
  Any ideas? Is there any way to specify that the step actually understands the ws-security header?
  Thanks!
  Leo

  Ok. Thanks. The problem here is a little bit different. At the client side, we have the following:
  <?xml version="1.0" encoding="UTF-8"?>
  <oracle-webservice-clients xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='http://xmlns.oracle.com/oracleas/schema/oracle-webservices-client-10_0.xsd'>
  <webservice-client>
  <service-qname namespaceURI="http://agesic.entidad/" localpart="EchoReverse"/>
  <port-info>
  <wsdl-port namespaceURI="http://agesic.entidad/" localpart="EchoReverseSoapHttpPort"/>
  <runtime enabled="security">
  <security>
  <inbound/>
  <outbound>
  <username-token password-type="PLAINTEXT" add-nonce="false" add-created="false"/>
  </outbound>
  </security>
  </runtime>
  <operations>
  <operation name='reverse'>
  </operation>
  </operations>
  </port-info>
  </webservice-client>
  </oracle-webservice-clients>
  The <outbound> here is requered in order to use the WSS UserName token profile. I try to remove the <inbound/> to check if it was a problem like yours, but we still have the same exception.
  The problem seems to be with the gateway at the server side.
  Intercepting the communication between the client and the server, we are getting the following response:
  <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ns0="http://agesic.entidad/types/">
  <env:Body>
  <env:Fault>
  <faultcode>env:MustUnderstand</faultcode>
  <faultstring>SOAP must understand error:
  {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  We need a way to instruct the gateway that he actually understands the wss header.
  Any ideas?
  Thanks!
  Leo

• Custom Policy steps in OWSM

  I am currenly implementing an integration systems between our systems and a third party system. There is a requirement for all messages sent across the interface to be acknowldeged by the other system. The transactions are synchronous so we have hand off approach where the receiving system must acknowledge message receipt by sending a synchronous response message back. This acknowledgement message will contain a boolean flag that either says true or false depending on whether they are receiving or rejecting the message. Messages could be rejected because they have an invalid digital certificate or failed message integrity. Is it possible to create custom policy step in the OWSM that allows me to send these acknoledgement messages. the message structure will contain only 3 elements:
  successfulDelivery (boolean)
  RejectedCode (Rejection ErrorCode)
  RejectedReason (Rejected Error Reason)
  Can any one help? I am still new to the OWSM.

  Here's an example on how to add a custom SOAP header to the request message inside a custom step.
  public IResult execute(IMessageContext messageContext) throws Fault {
  MessageContext msgCtxt = (MessageContext) messageContext;
  SOAPEnvelope senv = msgCtxt.getRequest().getAxisMessage().getSOAPEnvelope();
  ((org.apache.axis.message.SOAPEnvelope)senv).setDirty(true);
  Name header = factory.createName("CustomHeader", "http://foo.com/custom/header");
  SOAPHeaderElement headerElement = senv.getHeader().addHeaderElement(header);
  headerElement.addTextNode("My custom header data");
  OWSM uses AXIS implementation internally to represent the SOAP message.
  Cheers,
  Vikas Jain

• Extend OWSM with Custom Policy Step: MessageContext.setResponseMessage()?

  Hi,
  I intend to create a custom policy step for OWSM.
  In the execute method of my step (that extends AbstractStep) I want to set the Response Message using the setResponseMessage() method. According to the Extensibility Guide, this method should be passed a com.cfluent.ccore.message.SOAPMessage object as parameter.
  Basically, the code looks something like this:
  public IResult execute(IMessageContext messageContext) throws Fault {
  MessageContext msgCtxt = (MessageContext)messageContext;
  Result result = new Result();
  msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
  result.setStatus(IResult.SUCCEEDED);
  return result;
  At compile time however, JDeveloper throws the following error:
  SOAPMessage not found in class nl.amis.soa.CustomStep
  and points to the line
  msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
  Should I use AXIS SOAP objects (knowing OWSM is based on AXIS or uses it)? Or a MessageFactory? Or ... ?
  Any tips and preferably a code sample is much appreciated!
  Thanks, Sjoerd

  Hi Sjoerd ,
  Looks like documentation error. Are you importing the om.cfluent.ccore.message.SOAPMessage class? Try compiling without the import. I was able to compile your code with no issues. All I have is coresv-4.0.jar added to my jDev project.
  FYI MessageContext.get/setRequestMessage() really takes javax.xml.soap.SOAPMessage as parameter.
  Here is the code I can compile:
  package com.junk.wsm;
  import com.cfluent.pipelineengine.container.MessageContext;
  import com.cfluent.policysteps.sdk.AbstractStep;
  import com.cfluent.policysteps.sdk.IMessageContext;
  import com.cfluent.policysteps.sdk.IResult;
  import com.cfluent.policysteps.sdk.Result;
  public class junkStep extends AbstractStep {
  public junkStep() {
  public IResult execute(IMessageContext messageContext) {
  MessageContext msgCtxt = (MessageContext)messageContext;
  Result result = new Result();
  msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
  result.setStatus(IResult.SUCCEEDED);
  return result;
  Regards,
  Rajesh

• OWSM Custom Policy Step: use of the setProcessingStage() method?

  Hello,
  When creating a Custom Policy Step for use in an OWSM pipeline the API provides the option to set the processing stage. Possible values are STAGE_PREREQUEST, STAGE_REQUEST, STAGE_RESPONSE and so on.
  Can anyone tell me the use of setting the processing stage. Would it allow me to literally take the message request to a different stagewhat, e.g. what should happen when in the Request Stage I set it to STAGE_RESPONSE?
  I have tried this and cannot see any effect.
  Thanks, Sjoerd

  Hi Vikas,
  Thanks for the reply.
  I suspect that the "fiddling with the Outgoing Transport Protocol that is between OWSM Gateway and actual service" as mentioned in my original post is probably the same as "creating a custom transport messenger between gateway and service" as mentioned by you.
  Any pointers to get me going, e.g. what interfaces te implement, classes to extend, how to register and manage with OWSM?
  Thanks and best regards,
  Sjoerd

• Retrieve Client IP Address in a Oracle WebServices Manager Custom Policy

  Hi everybody,
  For some reasons i had to implement a custom policy in the OWSM, to restrict the access to webservices by Client IP Addresses. I´ve been following the examples for custom policies mentioned in the books: "Oracle Web Services Manager, Oracle Web Services Manager" by Sitaraman Lakshminarayanan, and the "Oracle® Web Services Manager Extensibility Guide 10g (10.1.3.3.0)" by Oracle. I followed the examples mentioned in those books to implement my Custom policy, the policy is successfully deployed to OWSM and it works, only by the issue that when i want to retrieve the Client Ip address it returns null, and following the example by the Oracle Guide, the HttpServletRequest its also returns null, im desperated because in every site that i finally find some info about it, quotes any of these 2 examples in those books, and mine doesnt work! this is the code of the custom policy, i´ve combined the 2 aproaches:
  package project1;
  import com.cfluent.ccore.util.logging.ILogger;
  import com.cfluent.ccore.util.logging.Level;
  import com.cfluent.ccore.util.logging.LogManager;
  import com.cfluent.pipelineengine.container.MessageContext;
  import com.cfluent.policysteps.sdk.AbstractStep;
  import com.cfluent.policysteps.sdk.Fault;
  import com.cfluent.policysteps.sdk.IMessageContext;
  import com.cfluent.policysteps.sdk.IResult;
  import com.cfluent.policysteps.sdk.InvocationStatus;
  import com.cfluent.policysteps.sdk.Result;
  import java.util.HashMap;
  import java.util.Iterator;
  import java.util.Vector;
  import javax.servlet.http.HttpServletRequest;
  public class CustomPolicy extends AbstractStep {
  private static String CLASSNAME = CustomPolicy.class.getName();
  private static ILogger LOGGER = LogManager.getLogger(CLASSNAME);
  private String allowedIpAddress = null;
  private String allowedRoleName = null;
  private String protectedServiceMethodName = null;
  public CustomPolicy() {
  public void init() throws IllegalStateException {
  // nothing to initialize
  public void destroy() {
  * This is the main method which will validate that the request is coming from
  * the correct IP Address and has permission to access the specified metod.
  public IResult execute(IMessageContext messageContext) throws Fault {
  LOGGER.entering(CLASSNAME, "execute");
  Result result = new Result();
  result.setStatus(IResult.FAILED); //initialize result
  String processingStage = messageContext.getProcessingStage();
  LOGGER.log(Level.INFO, "Processing stage is " + processingStage);
  HttpServletRequest httpServletRequest = (HttpServletRequest)
  messageContext.getProperty("javax.servlet.request");
  String remoteAddr = httpServletRequest.getHeader("Host");
  LOGGER.log(Level.SEVERE, "Dir IP:"+remoteAddr);
  String remoteHost = httpServletRequest.getRemoteHost();
  LOGGER.log(Level.INFO, "ADDR" + remoteAddr+ "HOST"+remoteHost);
  boolean isRequest =
  (IMessageContext.STAGE_REQUEST.equals(messageContext.getProcessingStage()) ||
  IMessageContext.STAGE_PREREQUEST.equals(messageContext.getProcessingStage()));
  //Execute the step Only when its a Request pipeline else return success
  if (!isRequest) {
  result.setStatus(IResult.SUCCEEDED);
  return result;
  MessageContext msgCtxt = (MessageContext)messageContext;
  String _MethodName = msgCtxt.getRequest().getMethodName();
  LOGGER.log(Level.INFO,
  "Writing Allowed IP Addr before creating SOAP header " +
  allowedIpAddress);
  LOGGER.log(Level.INFO,
  "Writing Remote IP Addr before creating SOAP header " +
  msgCtxt.getRemoteAddr());
  /*LOGGER.log(Level.INFO,
  "Writing Remote IP Addr before creating SOAP header " +
  remoteAddr);*/
  String cadTempo = allowedIpAddress;
  Vector vect = new Vector();
  for (int i = 0; i < allowedIpAddress.length(); i++) {
  if (cadTempo.indexOf(",") != -1) {
  //vect.add(cadTempo.substring(0, cadTempo.indexOf(",") - 1));
  vect.add(cadTempo.substring(0, cadTempo.indexOf(",")));
  cadTempo =
  cadTempo.substring(cadTempo.indexOf(",") + 1, cadTempo.length());
  LOGGER.log(Level.INFO,
  "AQUI111");
  } else {
  if (!cadTempo.equalsIgnoreCase("")) {
  vect.add(cadTempo);
  LOGGER.log(Level.INFO,
  "AQUI222");
  break;
  for(int i=0;i<vect.size();i++){
  String temp = (String)vect.get(i);
  if (temp.equals(msgCtxt.getRemoteAddr()) &&
  _MethodName.equals(protectedServiceMethodName)) {
  LOGGER.log(Level.INFO,
  "AQUI333");
  result.setStatus(IResult.SUCCEEDED);
  break;
  } else {
  msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
  LOGGER.log(Level.INFO,
  "AQUI444");
  /*if(allowedIpAddress!=null){
  result.setStatus(IResult.SUCCEEDED);
  /*if (allowedIpAddress.equals(msgCtxt.getRemoteAddr()) &&
  _MethodName.equals(protectedServiceMethodName)) {
  result.setStatus(IResult.SUCCEEDED);
  } else {
  msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
  // Set the result to SUCCESS
  //result.setStatus(IResult.SUCCEEDED);
  return result;
  public String getIpAddress() {
  return allowedIpAddress;
  public void setIpAddress(String IpAddress) {
  this.allowedIpAddress = IpAddress;
  LOGGER.log(Level.INFO, "IP Address is.. " + allowedIpAddress);
  public String getServiceMethodName() {
  return protectedServiceMethodName;
  public void setServiceMethodName(String serviceMethodName) {
  this.protectedServiceMethodName = serviceMethodName;
  public String getRoleName() {
  return allowedRoleName;
  public void setRoleName(String roleName) {
  this.allowedRoleName = roleName;
  And the xml:
  <csw:StepTemplate xmlns:csw="http://schemas.confluentsw.com/ws/2004/07/policy"
  name="Custom authenticate step" package="project1"
  timestamp="Oct 31, 2005 05:00:00 PM" version="1"
  id="0102030405">
  <csw:Description>Custom step that authenticates the user against the
  credentials entered here. This step requires Extract
  credentials to be present before it in the request pipeline.</csw:Description>
  <csw:Implementation>project1.CustomPolicy</csw:Implementation>
  <csw:PropertyDefinitions>
  <csw:PropertyDefinitionSet name="Basic Properties">
  <csw:PropertyDefinition name="Enabled" type="boolean">
  <csw:Description>If set to true, this step is enabled</csw:Description>
  <csw:DefaultValue>
  <csw:Absolute>true</csw:Absolute>
  </csw:DefaultValue>
  </csw:PropertyDefinition>
  </csw:PropertyDefinitionSet>
  <csw:PropertyDefinitionSet name="Custom Access Rules">
  <csw:PropertyDefinition name="IpAddress" type="string" isRequired="true">
  <csw:DisplayName>IpAddress</csw:DisplayName>
  <csw:Description>IP Address that is allowed access</csw:Description>
  <csw:DefaultValue>
  <csw:Absolute>192.168.0.1</csw:Absolute>
  </csw:DefaultValue>
  </csw:PropertyDefinition>
  <csw:PropertyDefinition name="ServiceMethodName" type="string"
  isRequired="true">
  <csw:DisplayName>ServiceMethodName</csw:DisplayName>
  <csw:Description>Service Method Name that is Protected (Secured)</csw:Description>
  <csw:DefaultValue>
  <csw:Absolute>getTime</csw:Absolute>
  </csw:DefaultValue>
  </csw:PropertyDefinition>
  </csw:PropertyDefinitionSet>
  </csw:PropertyDefinitions>
  </csw:StepTemplate>
  Please any tip or idea is welcome, thanks in advance for the help.
  Carlos.

  Hi again
  copied your code for testing. And it works fine.
  So both the code and policy-step definition is fine, log output below.
  What is your log output?
  Using soapui to send the request will give the ip of my localhost, using the test client will give the ip of the server, because that is the actual client.
  I guess the server ip is 192.168.0.1 in your case, as you are testing from test console.
  <b>anyway, results from SOAPUI:</b>
  2009-05-19 09:52:15,096 FINE [HTTPThreadGroup-4] CSWComponent - Executing policy step. Policy='SID0003004', Step Name='Custom Policy Step', Step Class='com.*.soa.wsm.CustomPolicy'
  2009-05-19 09:52:15,096 FINER [HTTPThreadGroup-4] wsm.CustomPolicy - com.*.soa.wsm.CustomPolicy execute:ENTERING
  2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Processing stage is Request
  2009-05-19 09:52:15,096 SEVERE [HTTPThreadGroup-4] wsm.CustomPolicy - Dir IP:hostname.domain:8890
  2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - ADDRhostname.domain:8890HOST10.47.89.116
  2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - MethodName=getHostNameElement
  2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
  2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.89.116
  2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
  2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
  2009-05-19 09:52:15,097 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI333
  2009-05-19 09:52:15,097 FINER [HTTPThreadGroup-4] agent.Agent - com.cfluent.agent.Agent intercept:ENTERING
  <b>But if I use the test client the remote IP would be 10.47.137.50 and execution fails, as code is written</b>
  <i>
  2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
  2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.137.50
  2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
  2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
  2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
  2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
  2009-05-19 09:54:12,267 FINE [HTTPThreadGroup-4] CSWComponent - Step execution failed: Policy=[SID0003004] Pipeline=[Request] Step Name=[Custom Policy Step] Step Class=[com.tandberg.soa.wsm.CustomPolicy]
  2009-05-19 09:54:12,267 FINER [HTTPThreadGroup-4] common.PrepareForServiceStep - Step PrepareForServiceStep called
  </i>

• OWSM 11g: Custom policy implementation

  Hi all,
  I am unable to replicate the example as discussed in the section 14 of Security and Administrator’s Guide for Web Services 11g Release 1 (11.1.1) B32511-03, April 2010. I am applying the custom policy on a osb (11g r3) proxy service. Kindly take a look at the steps mentioned below & suggest suitably where i may be going wrong:
  1. Creation of the IpAssertionExecutor class which holds the implementation logic (same as Step 1)
  2. Creation of the policy-config.xml file (same as Step 2)
  3. oracle.logging-utils_11.1.1.jar was also added to compile the above class.
  4. IpAssertionExecutor Class & policy-config.xml were added as a jar file as mentioned in page no: 4 of the following link: http://www.scribd.com/doc/25941008/How-to-Create-OWSM-11g-Custom-Policy-Assertion (same as Step 4)
  5. Updation of classpath (same as Step 5)
  6. Creation of oracle/ip_assertion_policy file (same as Step 2)
  7. Importing the Custom Policy File (same as Step 6)
  8. Attaching the Custom Policy to a Web Service or Client (same as Step 7)
  For testing purpose, i used soapui and specified the bind address in the request properties. However, the policy is not working as desired.
  Additionally, i hardcoded the String ipAddr (ip address) in the IpAssertionExecutor class & redeployed the jar. But still couldn't get it working.
  I shall be obliged if someone can help me.
  Thanks in advance

  In the security tab for your OSB Service, ensure that you set the radio button for processing of ws header. Otherwise no policies appear to be called.

• Error while invoking webservice attached with custom policy

  I created a webservice in SOA 11g and attached a custom policy which is doing encryption(message protection) to its exposed service endpoint .This web service runs fine if i run it independently. Then i created a simple SOA process and call this web service.Then i am getting Fabric Invocation Exception.Can anyone tell me what can be the problem?

  I want to do the encyrpton only in secured webservice. I just want to invoke that web service from another process. In this case which policy can i attach in the reference of the SOA process which is calling secured web service?

• Custom Policy vs. J2EE Security

  Hi there, Java Security architecture gurus,
  I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
  The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
  I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.
  Now, I have the following questions:
  - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
  - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
  The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
  I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
  Thanks,
  Christoph

  Chris,
  There is a very good article from IBM that implements the same thing you are trying to implement i.e. instance base security and also custom Policy(u may need this).
  http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
  Now, I have the following questions:
  - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
  Custom policy is required primarily if you are going away from the default policy format that sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
  - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
  This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
  In your CustomPolicy.java getPermissions() method, the following code will code to the end of the function
  // If the permission is not found here then delegate it
  // to the standard java Policy class instance.
  java.security.Policy policy = java.security.Policy.getPolicy();
  return policy.getPermissions(codeSource);
  Hope this helps.

• How to Call EJB from coldfusion

  I need to call EJB that's created in JBoss from coldfusion.
  I'm getting different errors depending on how I set the home object
  and provider url.
  If I prefix provider url with jnp://, then I get the
  following error
  The connection to the remote JNDI server on host jnp at port
  1099 has failed (as have all backup hosts listed, if any) - please
  verify that the server is running and the NamingService is
  available
  If I take the jnp out and keep just the ip address and port,
  then i get the following error
  null (no security manager: RMI class loader disabled).
  So I'm not sure what the issue is and I haven't used this
  feature before.
  Here's my code

  I tries to call custom EJBfrom custom component received
  follwong error
  ERROR [STDERR] javax.naming.CommunicationException [Root exception is java.lang.ClassNotFoundException:
  No ClassLoaders found for: com.mycom.myapp.action.interfaces.pm.ejb.PmFacadeRemote
  (no security manager: RMI class loader disabled)]
  any idea?
  Thanks
  YogLC

• How a custom component is called when we install a custom component in UCM.

  How a custom component is called when we install a custom component in UCM.
  On what event the component services will be activated and called.
  Suppose i create a Custom service name MULTIPLECHECKIN then this service will be called on what event and where it will be defined to call.

  Saurabh,
  the code is packed in the component (see component\Security Filter\java\Security Filter\ModifyAttributesFilter.java - the first Security Filter is the component name, the other Security Filter is the Java package name).
  What is important:
  - your class must implement the FilterImplementor interface (you will need UCM standard classes - server.zip in your classpath) and its doFilter method
  How the filter is executed?
  - actually, in this case you don't need any new service - you can use the standard 'hook', which is provided by standard checkin services
  - in Component Wizard create a new component, add your compiled class to it (make sure you follow the rules not to end up in classpath issues)
  - in Component Wizard click the 'Java Code' tab. Here you can add a Custom filter called validateCheckinData, which is executed by standard checkin services. If you parametrize the filter to call your class created above, you are done.
  'Working with Content Components' manual (e.g. here: http://download.oracle.com/docs/cd/E10316_01/cs/cs_doc_10/documentation/developer/using_components_10en.pdf) can give you a basic picture. A better resource is Bex Huff's book - I would recommend you to get it, because it has a step-by-step HelloWorld example which can guide you through Component Wizard. I could also send you my own component (send me an email at [email protected]) which implements a filter for user quotas, so you just need to "replace classes".
  As for the other half of your task, searching for the file in the database server will work only if you use database as your storage (ie. install and configure File Store Provider component accordingly). Of course, you could do a search for file in this case - just consider that you will be comparing two BLOBs rather than two relatively short check-sums (most likely strings or arrays of bytes). Besides, it will not work if you use filesystem as your storage.
  Jiri

• Calling EJB from an applet in 9iAS Release 2?

  Hello!
  In 9iAS Release 1 it is not so easy to call an EJB from an applet. First the applet needs special privileges and then the applet starts only once. The cause of problem is the implementation of ormi.
  Will 9iAS Rel. 2 support Applets calling EJBs?

  Jeff,
  I am also trying to make an applet client for an EJB deployed to OC4J.
  I modified the java2.policy file as you suggested, but when I tried to run my applet, I
  got the following error:
  java.lang.ExceptionInInitializerError: java.security.AccessControlException: access denied (java.util.PropertyPermission tunneling.shortcut read)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
       at java.lang.System.getProperty(Unknown Source)
       at java.lang.Boolean.getBoolean(Unknown Source)
       at com.evermind.server.rmi.RMIInitialContextFactory.<clinit>(RMIInitialContextFactory.java:34)
       at java.lang.Class.forName0(Native Method)
       at java.lang.Class.forName(Unknown Source)
       at com.sun.naming.internal.VersionHelper12.loadClass(Unknown Source)
       at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
       at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
       at javax.naming.InitialContext.init(Unknown Source)
       at javax.naming.InitialContext.<init>(Unknown Source)
       at its.fnd.ejb.EJBHomeFinder.getHomeObject(Unknown Source)
       at its.fnd.flight.ejb.EJBFlightFactory.<init>(Unknown Source)
       at its.fnd.flight.FlightFactory.<init>(FlightFactory.java:97)
       at EJBApplet.jbInit(EJBApplet.java:47)
       at EJBApplet.init(EJBApplet.java:36)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  I am using OC4J (stand-alone) version 9.0.2.0.0 on Solaris 7 and Microsoft Internet Explorer
  5.0 with the java 1.3.1 plug-in.
  Here is the applet code that I use to lookup the EJB home interface:
  Properties props = new Properties();
  props.put(Context.INITIAL_CONTEXT_FACTORY,"com.evermind.server.rmi.RMIInitialContextFactory");
  props.put(Context.PROVIDER_URL,"ormi://host:6666/app");
  props.put(Context.SECURITY_PRINCIPAL,"admin");
  props.put(Context.SECURITY_CREDENTIALS,"password");
  Context ctxt = new InitialContext(props);
  Object homeObj = ctxt.lookup("my_bean");
  MyBeanHome home = PortableRemoteObject.narrow(homeObj, MyBeanHome.class);
  The HTML page with the <applet> tag is a static HTML page that is part of OC4J's default
  web application. The applet class file is located in a subdirectory of the default-web-app
  directory. Here is the HTML page...
  <HTML>
  <HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
  <TITLE>
  HTML Test Page
  </TITLE>
  </HEAD>
  <BODY>
  <object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="580" height="450" name="EJBApplet" align="middle" alt="Loading EJBApplet ...">
  <param name="java_code" value="EJBApplet">
  <param name="java_codebase" value="/tests">
  <param name="java_archive" value="xerces.jar,ejb.jar,oc4j.jar,jaas.jar"/>
  <param name="java_type" value="application/x-java-applet;version=1.3">
  <param name="java_scriptable" value="true">
  <table cellpadding="1" bgcolor="#FFFFFF" width="580" height="450">
  <tr><td>
  This is a place for an APPLET.<br>Your browser doesn't support the correct applet java plug-in.<br><br>You can install the correct plug-in from here.<br><a target='_blank' onClick='javascript:self.window.close()' href="/classes/3rdparty/j2re-win-plug-in.exe">Click here to install plug-in.</a><br><br>Or if you have an Internet connection you can install the correct plug-in from here.<br><a target='_blank' onClick='javascript:self.window.close()' href="http://java.sun.com/products/plugin/1.3/plugin-install.html">Click here to install plug-in from Internet.</a><br><br>You can call your System Administrator for assistance.</td></tr>
  </table>
  </object>
  </BODY>
  </HTML>
  I have searched the Internet, and the documentation, and tried several, different things,
  but I can't get it to work.
  Any and all help will be greatly appreciated.
  Thanks,
  Sofia.

• Calling EJB from Oracle via IIOP

  I've spent the last two days trying to figure out how I can call an
  EJB from an Oracle Stored Procedure. I first looked into WLS JNDI
  (Using WLInitialContextFactory ), but my collegue recommended I look
  into IIOP because it is "less proprietary". I was able to get a WL
  example working that does a lookup on an EJB and "narrows" the IIOP
  object...so it looked promissing, but then I tried to load the JAR
  into Oracle and it said:
  "referenced name javax/rmi/PortableRemoteObject could not be found"
  So I did a quick check and it looks like this didn't come into
  existance until JDK 1.3. By all accounts, Oracle 8.1.6 supports JDK 2
  (1.2). So now I'm stuck. I've got a few examples about connecting to
  the Oracle ORB using session-iiop, but I don't know if Weblogic will
  be able to work with this. I don't know how I'd even call it because
  the URL requires an Oracle SID...so now what? I see three options.
  Please let me know which would be best (or another option that I'm
  missing)
  1. Try connecting with Weblogic "T3"
  2. Try to get the right combination of classes loaded so 1.2 can work
  like 1.3
  3. Use the Oracle IIOP (I have no examples for connecting to other
  ORBs so I have no idea how to lookup objects).
  Chris

  [email protected] (Chris Snyder) writes:
  Andy Piper <[email protected]> wrote in message news:<[email protected]>...
  [email protected] (Chris Snyder) writes:
  1. Try connecting with Weblogic "T3"It depends on what version of WLS you are using. If you are using 6.1
  then you are out-of-luck because this only support JDK 1.3.1.We are using WLS 6.1 and Oracle 8.1.6. There's got to be a way to
  connect what is essentially a 1.2 JVM to a 1.3.1 JVM. On my way home
  yesterday I was wondering if just straight RMI would work...although
  we need to encrypt the connection. I've seen several people talk
  about calling EJB's from stored procedures so it seems like there is a
  way. Any other ideas?The really gross way is HTTP. In a previous life I had a customer use
  oracle's HTTP plug-in to do this. You could probably invert the
  problem also. I.e. write CORBA objects that sit inside an Orb hosted
  in WLS and invoke on those using oracle's CORBA support. But HTTP is
  probably the way most likely to work. You probably couldn't use RMI
  over HTTP either - you would have to write a servlet that delegated to
  your beans.
  andy

• Reload source file after custom build step

  Hello,
  I use a source code generator that creates c-code (i.e. hello.c) from some kind of definition file.
  I want the generator to create hello.c on each build, so i have decided to put a batch (that calls the generator) into the "custom build step" of my project.
  This way the generator is called before each build.
  Unfortunatly CVI does not reload the changed hello.c after it has been modified/overwritten by the batch... the build is done with the previous version of hello.c. Not until the build is finished CVI recognizes that hello.c has been modified and prompts "Update Window from Disk", then I have to run a second build in order to get the changes of hello.c applied.
  How can I accomplish to have only build process that first calls the generator and then compiles the project (with modified hello.c)?
  Thanks

  The problem happens because you have the file open in CVI. If a file is opened in CVI, then CVI uses the contents that are available in the opened window and not the contents on disk. Also, once CVI starts a build it does not monitor changes to the file on disk - consider what should happen if the file on disk changes while it is being compiled. So while the custom build step does overwrite the file on disk, CVI uses the contents that are in the source window for the compilation. To avoid this problem, make sure the file is not opened in CVI when you build - this will make CVI load and compile the file from disk after the custom build step overwrites it.