Customer security concerns with using OWC (Beehive)
Hi,
My customer is currently using strtc for OWCs but I believe that this will move to Beehive very soon.
Their security team has locked down strtc and need answers to some security questions.
When using Beehive for conferencing, can you answer what the support teams will be able to access please?
The type of things that their security team want to know are:
"we need to give them details of what can be done by Oracle Support while we are linked together via this site. Is this something you can gather details together for and send over to me? Type of things they want to know are whether files can be copied from our network / linked pc, can files be dropped onto our network / linked pc, can you explore our network via the linked pc without us knowing etc."
Thanks for any advice.
Kind Regards,
Rachel
Hi,
Beehive Web conferencing has similar capabilities to STRTC and the transfer of files between the server and the client is not one of our capabilities - the system allows co-browsing to be enabled to allow the customer to show the support staff the problem in situ and the capability exists for the support staff to control the remote user's desktop - with their approval should it be thought valuable to solving the problem. The session can also be recorded.
So we cannot do anything on the remote PC without their knowledge and approval.
File movement between support and the customer is done via the Oracle Support portal not the web conferencing system.
Phil
Similar Messages
-
Unable to use a custom security realm with Netscape Directory Server in WebLogic 7
I have all users and groups stored in a Netscape LDAP server (version 4.1.6 on
Solaris 8), so I want to create a custom security realm in WebLogic 7 (also run
on Solaris 8) which uses my LDAP server as the Authenticator. I tried this by
using the Admin Console and followed exactly the steps in Chapter 3 of the "Managing
WebLogic Security" doc. However, when I rebooted WebLogic and logged into the
Admin Console again and clicked the Users node under my custom realm, I saw this
message in the right-hand pane: "There are no Authentication providers available
that support the creation of Users". Also, I don't see my custom realm in the
dropdown list under mydomain -> Security tab -> General tab -> Default Realm.
What did I do wrong? Also, where does WebLogic store the custom security realm
info? It is definitely not in config.xml.
Thanks,
Eric Ma
Thanks for the info.
I wonder when they will fix it.
Jakub
"Eric Ma" <[email protected]> wrote in message
news:[email protected]..
>
According to BEA Tech Support, a known bug prevents the WLS 7 Admin Console from
displaying users and groups defined in Netscape Directory Server.
Eric Ma
"Jakub Wroniszewski" <[email protected]> wrote:
I have the same problem.
Any new ideas?
Rgds,
Jakub
"Eric Ma" <[email protected]> wrote in message
news:[email protected]..
Now I doubt my custom security realm is actually using the Netscape Directory
Server as the authenticator. Unlike in WebLogic 6.1 Admin Console, where clicking
on the Users node displays all users in the LDAP server, in WebLogic 7 I keep
getting the message "There are no Authentication providers available that support
the creation of Users." Any suggestions?
"Eric Ma" <[email protected]> wrote:
Never mind. I tried again by following the steps outlined at
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.security&item=8463&utag=
and it seemed to have worked for me.
-
Questions from a customer concerning services used within Beehive
Hi - I have a customer who is concerned about security with concerns to opening ports for Beehive. They have come back with the following questions: 1. What service is used by each port? TCP, UDP, ICMP? 2. Is Network Address Translation (NAT) needed?
Any assistance here would be appreciated.
Brent
Brent,
BeehiveOnline has a number of ports in use mainly for different protocols and the ports and their use is as follows:
Port 443 - Https traffic - 90% of all access is via this route
Port 21 - FTPS traffic with explicit TLS - we use passive FTPS so there will be an incoming data channel from the mid tier to allow through the remote firewall
Port 9554 - Proprietary Windows plugin traffic for OBEE and OBEO
That is all of the outward facing ports and their protocols and access types.
NAT - we may have some of this in use at the firewall to redirect to our internal ports on the mid-tiers - not surprisingly they are not straight through connections.
Phil -
Table security concerns with form on intranet
We are trying to maintain database security for forms that run
on the intranet. The first line of security is to require all
users to logon to the application. The main concern is the
database user being accessed without the application. Here are
the current ideas:
The easiest solution would be to hide the user/password
information on the html that launches the form, however (to my
knowledge) this is not possible.
I moved the table containing application users passwords to a
second user (db user) and am using a function to validate logon
information. This works great, the problem is where to put the
actual data tables used by the application. If they are in the
first user which the form logs into by default then a "curious"
person may access the tables via a sql session using the
user/password from the html. The best thing I can come up with
is to put the data tables in the second user containing the
logon password table, however if the grants exist for the user
that the form defaults to we have the same problem.
Dynamic grants would be perfect however you can not create
grants with the logon function.
Any input would be greatly appreciated.
-Doug
You can maintain this table in a separate user (administrative
user) and create a function under this user to validate
user and password. Grant privilege for the users to execute
this function, but not to select the table. In this way, any
user can execute this function but cannot query the table.
The only one allowed to query and update this table is the
owner. Based on Oracle concepts, if the user has rights to
execute a function or procedure, he automatically has implicit
rights to the objects being accessed by this function or
procedure. But to access these implicit objects directly,
he must have specific rights. I hope this can help you.
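The arrangement described in this reply, written out as an added example (not code from the thread). The schemas app_admin and app_form, the table app_users and the function check_login are hypothetical names, both schemas are assumed to exist already, and STANDARD_HASH (Oracle Database 12c or later) stands in for whatever password hashing the application uses.

```sql
-- Run as a DBA. All schema, table and function names here are hypothetical.

-- Credential table lives in the administrative schema only.
CREATE TABLE app_admin.app_users (
  username  VARCHAR2(30) PRIMARY KEY,
  salt      VARCHAR2(32) NOT NULL,
  pw_hash   RAW(32)      NOT NULL      -- SHA-256 of salt || password
);

-- Definer's-rights function: it reads app_users with APP_ADMIN's privileges,
-- whoever calls it. AUTHID DEFINER is the default and is spelled out so the
-- intent survives a later edit.
CREATE OR REPLACE FUNCTION app_admin.check_login (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN NUMBER
AUTHID DEFINER
IS
  v_match PLS_INTEGER;
BEGIN
  -- The comparison happens inside the function; the caller never sees
  -- the salt or the stored hash, only a yes/no answer.
  SELECT COUNT(*)
    INTO v_match
    FROM app_admin.app_users u
   WHERE u.username = UPPER(p_username)
     AND u.pw_hash  = STANDARD_HASH(u.salt || p_password, 'SHA256');

  RETURN CASE WHEN v_match = 1 THEN 1 ELSE 0 END;
END check_login;
/

-- The account the form connects as may execute the function and nothing else.
GRANT EXECUTE ON app_admin.check_login TO app_form;
-- Deliberately absent: GRANT SELECT ON app_admin.app_users TO app_form;

-- Constructed sample row for testing (salt and password are made up).
INSERT INTO app_admin.app_users (username, salt, pw_hash)
VALUES ('DOUG', 'a1b2c3d4',
        STANDARD_HASH('a1b2c3d4' || 'Example#1', 'SHA256'));
COMMIT;

-- Connected as APP_FORM: the login check is available through the function.
SELECT app_admin.check_login('doug', 'Example#1') AS login_ok FROM dual;

-- Connected as APP_FORM: the same session holds no object privilege on the
-- table, so this direct query is refused.
SELECT username, pw_hash FROM app_admin.app_users;

-- Audit (as a DBA): list every grant on the credential table. Any row
-- returned here means the table is reachable without going through the function.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP_ADMIN'
   AND table_name = 'APP_USERS';
```

From the app_form session the direct query fails with ORA-00942, while check_login keeps working because it runs with its owner's rights.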
-
Airport Extreme security concern with Airport Utility App
Just bought the new Airport Extreme (802.11ac) last night. BY FAR the easiest wireless setup I have ever done (< 5 minutes). Hats off to the Apple developers on this one - they crushed it! One of the things that makes this device so easy to setup though is the iPad/iPhone Airport Utility app. I used the iPad version.
My concern - When I startup this app it goes straight to the main config screen. Just tap on the Airport Extreme image, then tap Edit and I'm into my wireless settings (id's, passwords, etc.). And that's my concern. It didn't ask me for any kind of password to get into the utility, or the settings. What's to stop someone else from using my iPad to get into the wireless settings, or from someone else installing the app on their iPad and getting into my wireless settings.
It feels like this is a huge security hole. Am I missing something?
Thanks in advance - MarkInColo
Is there a way to lock down the app on my iPad so that the settings can't be accessed unless I authorize it?
No
Only way I can think of is uninstall the app, and install it again only when I need it. Isn't there a better way?
If it were me, I would not install or use AirPort Utility for the iPad, iPhone etc. Use only AirPort Utility on your Mac, and do not enable the option to have KeyChain Access remember the password.
Then, anyone who wants to access the settings in AirPort Utility on the Mac will have to enter the Base Station password to be able to make any changes in AirPort Utility. -
Data security concern while using JDBC
My Java application connects to a database to read patient information. Do I have to worry about encrypting the data? I am using the Oracle JDBC driver. Is there any chance anyone can read the data in transit?
In theory it is possible. In practice I don't know that there are any recorded instances outside NSA. I've read that there are no known cases of credit card numbers being harvested from plaintext IP traffic.
Your question should really be directed to your employer or the customer.
If you're on an Intranet I would forget about it; if you're using the Internet it may be required to use SSL. -
Custom security JHeadstart 11gTP1 -Use Role-based Authorization is missing
In JHeadstart 11g TP1 the option Use Role-based Authorization is missing.
Will this option only be available in the production release of JHeadstart 11g? What is the reason why this is missing? Is it still possible to use CUSTOM authorization in JHeadstart 11g TP1?
It is not missing.
If you turn on custom authorization, you can specify your own roles against groups to access them, and use role names in the insert allowed/update allowed and delete allowed expressions.
Steven Davelaar,
JHeadstart Team. -
Cannot assign custom security manager to repository
Hello,
I've been following the details on how to implement a read-only security manager (https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e2ddd63d-0b01-0010-46bb-e092790068cb) and I have run into the following problem:
After following the instructions for option B in the document (creating a security manager only) and deploying my project, the new security manager appears in the list of managers on the admin screen (Content Management -> Repository Managers -> Security Manager) but it is not available in the drop down list of security managers for my repository. Without that entry I cannot apply the new security manager to my repository.
According to the document, the new security manager should be part of this list but it is not even after I've restarted the J2EE engine.
The document is dated May 2006 so perhaps there have been some changes to the system that are not covered in the document. We are running NW 7.0 SP14.
Any help in determining why my custom security manager is not part of the security manager drop down list would be appreciated.
Ok, after much decompiling and inspection of the standard KM security manager implementations I found the answer to my question.
Basically I found that the security manager tutorial only applies if you plan on using your custom security manager with your own custom repository manager. You cannot apply a security manager created using that document to a standard KM repository manager.
In my case I want to apply a custom security manager to a standard KM File System Repository. By inspecting the SFSRepositoryManager.cc.xml file I found the following entry:
<attribute name="securitymgr.ref" type="ref" refType="/cm/repository_managers/security_managers/SecurityManager" mandatory="false" hotReload="true" />
The refType value defines which security managers are displayed in the drop down list of available Security Managers at runtime for the repository manager. In order to get a custom security manager to be available you must define the cc.xml for your custom security manager so that it extends "SecurityManager" not "SecurityManagerMi" as the tutorial describes.
Changing the extension means your security manager implementation must also change so that it extends com.sapportals.wcm.repository.manager.AbstractRepositorySubManager and implements com.sapportals.wcm.repository.manager.ISecurityManager.
Now if only I could figure out how to reward points to myself ..... -
Safari password auto fill security concern
Just discovered what I consider to be a big security concern with iCloud Keychain. If you go into Settings, then Safari and your iCloud Keychain is under stored passwords and auto fill, the passwords are stored in plain text with no asterisk or anything. This means that all someone needs is your 4-digit unlock code and they are then able to view all your stored passwords in Safari. They should at least require your iCloud Keychain password to view these, or just asterisk them out. If someone saw you enter your four digit unlock code, and then put your phone down, they could get this information without you even knowing it. This is not safe.
The purpose of that section is so that you can see your passwords, there wouldn't be much point in replacing them with asterisks. They are password protected, just don't give others your password.
-
Windows 7 -> Adobe - Flash Player: 16.0.0.296 is the installed version, but the list below (Platform, Browser, Player version) shows 16.0.0.287 as actual .... Should we "downgrade" ?
Due to the latest security concerns with flash, I had to rethink the whole story - maybe better just uninstall flash?
rgds,
Chris
Hi Chris,
Version 16.0.0.296 is the latest release available. However, it's only being pushed out through our silent auto update and enterprise distribution channels. We're hard at work making sure this is also available on https://get.adobe.com/flashplayer but that's going to take another day or two to complete. Once it's out everywhere, we'll update our release notes and associated pages with the proper version number.
Thanks,
Chris -
Help - using custom login module with embedded jdev oc4j to access ejb 3
Hi All (Frank ??),
I'm just wondering if anyone has successfully been able to leverage a custom login module in combination
with a client that connects to a local EJB 3 stateless session bean through Jdeveloper 10.1.3.2's embedded oc4j.
I have spent 2+ days trying to get this to work - and i think I resound now to the fact im going to
have to deploy to oc4j standalone instead.
I got close.. but finally was trumped with the following error from the client trying to access the ejb:-
javax.naming.NoPermissionException: Not allowed to look up XXXXXX, check the namespace-access tag
setting in orion-application.xml for details.
Using the various guides available, I had no problem getting the custom login module working
with a local servlet running from JDev's embedded oc4j.. however with ejb - no such luck.
I have a roles table (possible values Member, Admin) - that maps to sr_Member and sr_Admin
respectively in various config files.
I'm using EJB 3 annotations for protecting methods .. for example
@RolesAllowed("sr_Member")
Steps that I had to do so far :-
In <jdevhome>\jdev\system\oracle.jwee.10.1.3.40.66\embedded-oc4j\config\system-jazn-data.xml
1) Add custom login module
<application>
<name>current-workspace-app</name>
<login-modules>
<login-module>
<class>kr.security.KnowRushLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>dataSource</name>
<value>jdbc/DB_XE_KNOWRUSHDS</value>
</option>
<option>
<name>user.table</name>
<value>users</value>
</option>
<option>
<name>user.pk.column</name>
<value>id</value>
</option>
<option>
<name>user.name.column</name>
<value>email_address</value>
</option>
<option>
<name>user.password.column</name>
<value>password</value>
</option>
<option>
<name>role.table</name>
<value>roles</value>
</option>
<option>
<name>role.to.user.fk.column</name>
<value>user_id</value>
</option>
<option>
<name>role.name.column</name>
<value>name</value>
</option>
</options>
</login-module>
</login-modules>
</application>
2) Grant login rmi permission to roles associated with custom login module (also in system-jazn-data.xml)
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>Member</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
3) I've tried creating various oracle and j2ee deployment descriptors (even though ejb-jar.xml and orion-ejb-jar.xml get created automatically when running the session bean in jdev).
My ejb-jar.xml contains :-
<?xml version="1.0" encoding="utf-8"?>
<ejb-jar xmlns ....
<assembly-descriptor>
<security-role>
<role-name>sr_Admin</role-name>
</security-role>
<security-role>
<role-name>sr_Member</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>
Note - I'm not specifying the enterprise-beans stuff, as JDev seems to populate this automatically.
My orion-ejb-jar.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-ejb-jar ...
<assembly-descriptor>
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<default-method-access>
<security-role-mapping name="sr_Member" impliesAll="true">
</security-role-mapping>
</default-method-access>
</assembly-descriptor>
My orion-application.xml contains ...
<?xml version="1.0" encoding="utf-8"?>
<orion-application xmlns ...
<security-role-mapping name="sr_Admin">
<group name="Admin"></group>
</security-role-mapping>
<security-role-mapping name="sr_Member">
<group name="Member"></group>
</security-role-mapping>
<jazn provider="XML">
<property name="role.mapping.dynamic" value="true"></property>
<property name="custom.loginmodule.provider" value="true"></property>
</jazn>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="sr_Admin">
<group name="Admin"/>
<group name="Member"/>
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
</orion-application>
My essentially auto-generated EJB 3 client does the following :-
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, "matt.shannon");
env.put(Context.SECURITY_CREDENTIALS, "welcome1");
final Context context = new InitialContext(env);
KRFacade kRFacade = (KRFacade)context.lookup("KRFacade");
...
And throws the error
20/04/2007 00:55:37 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
javax.naming.NoPermissionException: Not allowed to look up KRFacade, check the namespace-access tag setting in orion-application.xml for details
at com.evermind.server.rmi.RMIClientConnection.handleLookupResponse(RMIClientConnection.java:819)
at com.evermind.server.rmi.RMIClientConnection.handleOrmiCommandResponse(RMIClientConnection.java:283)
....
I can see from the console that the user was successfully authenticated :-
20/04/2007 00:55:37 kr.security.KnowRushLoginModule validate
WARNING: [KnowRushLoginModule] User matt.shannon authenticated
And that user is granted both the Admin, and Member roles.
The test servlet using basic authentication correctly detects the user and roles perfectly...
public void doGet(HttpServletRequest request,
                  HttpServletResponse response)
    throws ServletException, IOException
{
    LOGGER.log(Level.INFO, LOGPREFIX + "doGet called");
    response.setContentType(CONTENT_TYPE);
    PrintWriter out = response.getWriter();
    out.println("<html>");
    out.println("<head><title>ExampleServlet</title></head>");
    out.println("<body>");
    out.println("<p>The servlet has received a GET. This is the reply.</p>");
    // Identity and role membership as seen by the web container
    out.println("<br> getRemoteUser = " + request.getRemoteUser());
    out.println("<br> getUserPrincipal = " + request.getUserPrincipal());
    out.println("<br> isUserInRole('sr_Admin') = " + request.isUserInRole("sr_Admin"));
    out.println("<br> isUserInRole('sr_Member') = " + request.isUserInRole("sr_Member"));
}
Anyone got any ideas what could be going wrong?
cheers
Matt.
Message was edited by:
mshannon
Thanks for the response. I checked out your blog and tried your suggestions. I'm sure it works well in standalone OC4J, but I was still unable to get it to function correctly from JDeveloper embedded.
Did you ever get the code working directly from JDeveloper?
Your custom code essentially seems to be the equivalent of a grant within system-jazn-data.xml.
For example, the following grant to a custom jaas role (JAAS_ADMIN) that gets added by my custom login module gives them rmi login access :-
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>kr.security.principals.KRRolePrincipal</class>
<name>JAAS_Admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
If I add the following to orion-application.xml
<!-- Granting login permission to users accessing this EJB. -->
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping>
<group name="JAAS_Admin"></group>
</security-role-mapping>
</namespace-resource>
</read-access>
Running a standalone client against the embedded jdev oc4j server gives the namespace-access error.
I tried out your code by essentially creating a static reference to a singleton class that does the role lookup/provisioning with rmi login grant :-
From custom login module :-
private static KRSecurityHelper singleton = new KRSecurityHelper();
protected Principal[] m_Principals;
Vector v = new Vector();
v.add(singleton.getCustomRmiConnectRole());
// set principals in LoginModule
m_Principals=(Principal[]) v.toArray(new Principal[v.size()]);
Singleton class :-
package kr.security;

import com.evermind.server.rmi.RMIPermission;
import java.util.logging.Level;
import java.util.logging.Logger;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.policy.Grantee;
import oracle.security.jazn.realm.Realm;
import oracle.security.jazn.realm.RealmManager;
import oracle.security.jazn.realm.RealmRole;
import oracle.security.jazn.realm.RoleManager;
import oracle.security.jazn.policy.JAZNPolicy;
import oracle.security.jazn.JAZNException;

public class KRSecurityHelper
{
    private static final Logger LOGGER = Logger.getLogger("kr.security");
    private static final String LOGPREFIX = "[KRSecurityHelper] ";
    public static String CUSTOM_RMI_CONNECT_ROLE = "remote_connect";
    private RealmRole m_Role = null;

    public KRSecurityHelper()
    {
        LOGGER.log(Level.FINEST, LOGPREFIX + "calling JAZNConfig.getJAZNConfig");
        JAZNConfig jc = JAZNConfig.getJAZNConfig();
        LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getRealmManager");
        RealmManager realmMgr = jc.getRealmManager();
        try
        {
            // Get the default realm .. e.g. jazn.com
            LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getGetDefaultRealm");
            Realm r = realmMgr.getRealm(jc.getDefaultRealm());
            LOGGER.log(Level.INFO, LOGPREFIX + "default realm: " + r.getName());
            // Access the role manager for the remote connection role
            LOGGER.log(Level.FINEST,
                LOGPREFIX + "calling default_realm.getRoleManager");
            RoleManager roleMgr = r.getRoleManager();
            LOGGER.log(Level.INFO, LOGPREFIX + "looking up custom role '"
                + CUSTOM_RMI_CONNECT_ROLE + "'");
            RealmRole rmiConnectRole = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
            if (rmiConnectRole == null)
            {
                LOGGER.log(Level.INFO, LOGPREFIX + "role does not exist, create it...");
                rmiConnectRole = roleMgr.createRole(CUSTOM_RMI_CONNECT_ROLE);
                LOGGER.log(Level.FINEST, LOGPREFIX + "constructing new grantee");
                Grantee gtee = new Grantee(rmiConnectRole);
                LOGGER.log(Level.FINEST, LOGPREFIX + "constructing login rmi permission");
                RMIPermission login = new RMIPermission("login");
                LOGGER.log(Level.FINEST,
                    LOGPREFIX + "constructing subject.propagation rmi permission");
                RMIPermission subjectprop = new RMIPermission("subject.propagation");
                // make policy changes
                LOGGER.log(Level.FINEST, LOGPREFIX + "calling jc.getPolicy");
                JAZNPolicy policy = jc.getPolicy();
                if (policy != null)
                {
                    LOGGER.log(Level.INFO, LOGPREFIX
                        + "add to policy grant for RMI 'login' permission to "
                        + CUSTOM_RMI_CONNECT_ROLE);
                    policy.grant(gtee, login);
                    LOGGER.log(Level.INFO, LOGPREFIX
                        + "add to policy grant for RMI 'subject.propagation' permission to "
                        + CUSTOM_RMI_CONNECT_ROLE);
                    policy.grant(gtee, subjectprop);
                    // m_Role = rmiConnectRole;
                    m_Role = roleMgr.getRole(CUSTOM_RMI_CONNECT_ROLE);
                    LOGGER.log(Level.INFO, LOGPREFIX
                        + m_Role.getName() + ":" + m_Role.getFullName() + ":" + m_Role.getFullName());
                }
                else
                {
                    LOGGER.log(Level.WARNING, LOGPREFIX + "Cannot find jazn policy!");
                }
            }
            else
            {
                LOGGER.log(Level.INFO, LOGPREFIX + "custom role already exists");
                m_Role = rmiConnectRole;
            }
        }
        catch (JAZNException e)
        {
            LOGGER.log(Level.WARNING,
                LOGPREFIX + "Cannot configure JAZN for remote connections");
        }
    }

    public RealmRole getCustomRmiConnectRole()
    {
        return m_Role;
    }
}
Using the code approach and switching application.xml across so that namespace access is for the group remote_connect, I get the following error from my bean :-
INFO: Login permission not granted for current-workspace-app (test.user)
Thus, the login permission that I'm adding through the custom remote_connect role does not seem to work. Even if it did, i'm pretty sure I would still get that namespace error.
This has been such a frustrating process. All the custom login module samples using embedded JDeveloper show simple j2ee servlet protection based on settings in web.xml.
There are no samples showing jdeveloper embedded oc4j using ejb with custom login modules.
Hopefully the oc4j jdev gurus like Frank can write a paper that demonstrates this.
Matt. -
How to make Custom Discoverer workbook use Custom Security profile of Apps
We use Discoverer in Oracle Apps setup. We have added Custom security in our HR People Form of Apps.
This Custom Security restricts one HR Employee not view other HR employee record except for himself/herself. Also maintaining that they should be able to view all other employee's records.
The following code was put under the Security Profile Form -- > Custom Security Tab
exists (select 1
from per_jobs b
where ASSIGNMENT.job_id = b.job_id
and (b.name not like '%HR%')
and (b.name not like '%Human%')
and ASSIGNMENT.assignment_number is not null
union
select 1
from fnd_user fu
where fu.user_name = fnd_global.user_name
and fu.employee_id = PERSON.person_id
and ASSIGNMENT.assignment_number is not null)
Above security profile works fine for HR People Form.
However, It does not work for our Discoverer Workbooks. I found a note on Metalink 422841.1 which talks about leveraging the Custom Security of Apps in Discoverer Report. I read it, but did not get much clue.
Can Anyone help.
Thanks
Hi,
If you want to use custom HR security with Discoverer you have to ensure that the correct security filters are applied when the Discoverer reports are run. These filters can use the supplied HR_SECURITY package or you can develop your own conditions using table lookups or functions. To get the filters applied to your reports you have a number of options:
1. Build the security into custom folders using additional conditions
2. Use custom database views in Discoverer and build the security into the views
3. Use mandatory conditions in your Discoverer folders using either a function call or database contexts set at login time
4. Use VPD (Virtual Private Database)
I am not sure which of these options you are using to implement your HR security in Discoverer. The last option, VPD, is the most flexible and can give the best performance but maybe it is more complex to set up.
Rod West -
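Option 4 from Rod West's reply above (VPD), as an added sketch that is not from the thread and not Oracle's HR_SECURITY package. The hr_sec schema and the reporting view hr_rpt.emp_assignments_v with its person_id and job_name columns are hypothetical; fnd_user and fnd_global.user_name are taken from the Custom Security clause in the question, and the sketch assumes they resolve and are populated in the session where the policy is evaluated.

```sql
-- Run as a DBA. hr_sec and hr_rpt.emp_assignments_v are hypothetical names;
-- the view is assumed to expose person_id and job_name for each assignment.

-- Policy function: Oracle calls it for every statement that touches the
-- protected object and appends the returned text as a WHERE condition.
CREATE OR REPLACE FUNCTION hr_sec.hr_row_filter (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- Same rule as the Custom Security clause in the question:
  -- every row whose job is not an HR job, plus the caller's own row.
  RETURN q'[(job_name NOT LIKE '%HR%' AND job_name NOT LIKE '%Human%')
            OR person_id = (SELECT fu.employee_id
                              FROM fnd_user fu
                             WHERE fu.user_name = fnd_global.user_name)]';
END hr_row_filter;
/

-- Attach the function to the object the Discoverer folder is built on.
-- Because the filter is enforced by the database, it applies to workbooks,
-- SQL*Plus sessions and any other client in the same way.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_RPT',
    object_name     => 'EMP_ASSIGNMENTS_V',
    policy_name     => 'HR_ROW_FILTER',
    function_schema => 'HR_SEC',
    policy_function => 'HR_ROW_FILTER',
    statement_types => 'SELECT');
END;
/

-- Check 1: the policy is registered and enabled on the expected object.
SELECT object_owner, object_name, policy_name, pf_owner, sel, enable
  FROM dba_policies
 WHERE object_owner = 'HR_RPT'
   AND object_name  = 'EMP_ASSIGNMENTS_V';

-- Check 2: accounts holding EXEMPT ACCESS POLICY bypass every VPD policy,
-- so no reporting or end-user account should appear in this list.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';
```

Rows with a NULL job_name fail both NOT LIKE tests and are visible only to their own person, which matches how the original clause treats them.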
OEPE can't launch server that uses custom Security provider
I recently migrated a Weblogic 8.1 server that we had a custom security provider for, to 10.3.2. It works fine when started with the startWeblogic.cmd file but when I try to start it using OEPE in eclipse it starts fine and runs fine but OEPE reports that
"Unable to validate WebLogic domain.Please make sure the running WebLogic instance is an Administration Server"
When I look at the Error Log it appears that it thinks one of my custom security classes is not found. But the server is running fine, so it is fine, it's on the classpath via the use of the EXT_PREPEND_CLASSPATH environment variable.
I am running Weblogic 10.3.2 on Windows XP using eclipse Ganymede 3.5.2 and OEPE version 1.5.0.201003170852
Here's the Error Log:
eclipse.buildId=
java.version=1.6.0_03
java.vendor=Sun Microsystems Inc.
BootLoader constants: OS=win32, ARCH=x86, WS=win32, NL=en_US
Framework arguments: -product org.eclipse.epp.package.jee.product
Command-line arguments: -os win32 -ws win32 -arch x86 -product org.eclipse.epp.package.jee.product
This is a continuation of log file C:\tools\eclipse-workspaces\galileo\.metadata\.bak_3.log
Created Time: 2010-05-12 14:04:01.549
Error
Thu May 13 14:25:11 EDT 2010
Server Weblogic 10.3 failed to start.
Error
Thu May 13 14:25:10 EDT 2010
Another server (or another process) is running on the same TCP/IP port '7001'.
Warning
Thu May 13 14:25:10 EDT 2010
Unable to validate WebLogic domain.
Please make sure the running WebLogic instance is an Administration Server
Error
Thu May 13 14:25:10 EDT 2010
java.io.IOException
at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:187)
at weblogic.management.remote.common.ClientProviderBase.newJMXConnector(ClientProviderBase.java:81)
at javax.management.remote.JMXConnectorFactory.newJMXConnector(Unknown Source)
at javax.management.remote.JMXConnectorFactory.connect(Unknown Source)
at oracle.eclipse.tools.weblogic.server.internal.WlsJMXHelper.createConnector(WlsJMXHelper.java:269)
at oracle.eclipse.tools.weblogic.server.internal.WlsJMXHelper.connectToJMX(WlsJMXHelper.java:76)
at oracle.eclipse.tools.weblogic.server.internal.WlsJMXHelper.getDomainAttribute(WlsJMXHelper.java:139)
at oracle.eclipse.tools.weblogic.server.internal.WlsJ2EEDeploymentHelper.validateRemote(WlsJ2EEDeploymentHelper.java:1687)
at oracle.eclipse.tools.weblogic.server.internal.WeblogicServerBehaviour.validateRemote(WeblogicServerBehaviour.java:2646)
at oracle.eclipse.tools.weblogic.server.internal.ServerWatcher.runOnce(ServerWatcher.java:574)
at oracle.eclipse.tools.weblogic.server.internal.ServerWatcher.run(ServerWatcher.java:482)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.CommunicationException [Root exception is weblogic.rjvm.PeerGoneException: ; nested exception is:
weblogic.utils.NestedException: java.lang.AssertionError: Exception creating response stream]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:74)
at weblogic.jndi.internal.WLContextImpl.translateException(WLContextImpl.java:452)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:408)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:393)
at javax.naming.InitialContext.lookup(Unknown Source)
at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:170)
... 11 more
Caused by: weblogic.rjvm.PeerGoneException: ; nested exception is:
weblogic.utils.NestedException: java.lang.AssertionError: Exception creating response stream
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
at weblogic.jndi.internal.ServerNamingNode_1032_WLStub.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:405)
... 14 more
Caused by: weblogic.utils.NestedException: java.lang.AssertionError: Exception creating response stream
at weblogic.rjvm.RJVMImpl.gotExceptionReceiving(RJVMImpl.java:957)
at weblogic.rjvm.ConnectionManager.gotExceptionReceiving(ConnectionManager.java:1030)
at weblogic.rjvm.MsgAbbrevJVMConnection.gotExceptionReceiving(MsgAbbrevJVMConnection.java:459)
at weblogic.rjvm.t3.MuxableSocketT3.hasException(MuxableSocketT3.java:327)
at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:784)
at weblogic.socket.SocketMuxer.deliverHasException(SocketMuxer.java:724)
at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java:359)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
at weblogic.work.ExecuteRequestAdapter.execute(ExecuteRequestAdapter.java:21)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
Caused by: java.lang.AssertionError: Exception creating response stream
at weblogic.rjvm.MsgAbbrevJVMConnection.readMsgAbbrevs(MsgAbbrevJVMConnection.java:238)
at weblogic.rjvm.MsgAbbrevInputStream.init(MsgAbbrevInputStream.java:173)
at weblogic.rjvm.MsgAbbrevJVMConnection.dispatch(MsgAbbrevJVMConnection.java:439)
at weblogic.rjvm.t3.MuxableSocketT3.dispatch(MuxableSocketT3.java:322)
at weblogic.socket.BaseAbstractMuxableSocket.dispatch(BaseAbstractMuxableSocket.java:298)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:915)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:844)
at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java:335)
... 4 more
Caused by: java.lang.ClassNotFoundException: com.companyname.security.principal.CompanyNameWebLogicPrincipal
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at java.io.ObjectInputStream.resolveClass(Unknown Source)
at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
at java.io.ObjectInputStream.readClassDesc(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at java.util.LinkedList.readObject(Unknown Source)
at sun.reflect.GeneratedMethodAccessor46.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
at java.io.ObjectInputStream.defaultReadObject(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.readObject(AuthenticatedSubject.java:406)
at sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at weblogic.rjvm.InboundMsgAbbrev.readObject(InboundMsgAbbrev.java:65)
at weblogic.rjvm.InboundMsgAbbrev.read(InboundMsgAbbrev.java:37)
at weblogic.rjvm.MsgAbbrevJVMConnection.readMsgAbbrevs(MsgAbbrevJVMConnection.java:227)
... 11 more
I am also facing the same issue.
I am running my web service program on Tomcat. The server is WebLogic 9.1. I am trying to invoke the EJBs running on the server from Tomcat.
I am getting a similar exception. Anyone got a solution for this?
Caused by: weblogic.rjvm.PeerGoneException: ; nested exception is:weblogic.utils.NestedException: java.lang.AssertionError: Exception creating response stream at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
Thanks
Kiranlal.
-
I am changing from Word to Pages. I have created my custom template with all my styles etc and that is what comes up when I go for a New Document. Fine. How do I get it to use the same Custom Template when I use Pages to open a Word document?
The template is a document in itself, it is not applied to an existing document whether it is a Pages document or a Word document converted to a Pages document.
You would need to either copy and paste content, using existing styles, or apply the styles to the converted Word document.
You can Import the Styles from an existing document and those imported Styles can be used to override the current document's styles:
Menu > Format > Import Styles
The process is simplified if the styles use the same names, otherwise you will need to delete the style you don't want and replace it with the one that you do want when asked, then the substitution is pretty straightforward.
Peter
-
My iTunes on PC fails to secure a link with the iTunes Store. It shows the process bar. It automatically quits the process. It also does not show any on the screen. I am using Windows XP Service Pack 3. What should I do?
Diagnostics test
Microsoft Windows XP Professional Service Pack 3 (Build 2600)
ECS G31T-M7
iTunes 10.5.2.11
QuickTime 7.6.9
FairPlay 1.13.37
Apple Application Support 2.1.6
iPod Updater Library 10.0d2
CD Driver 2.2.0.1
CD Driver DLL 2.1.1.1
Apple Mobile Device 4.0.0.97
Apple Mobile Device Driver 1.57.0.0
Bonjour 3.0.0.10 (333.10)
Gracenote SDK 1.9.5.502
Gracenote MusicID 1.9.5.115
Gracenote Submit 1.9.5.143
Gracenote DSP 1.9.5.45
iTunes Serial Number 0012ABAC07F3CCB0
Current user is an administrator.
The current local date and time is 2011-12-31 14:06:21.
iTunes is not running in safe mode.
WebKit accelerated compositing is enabled.
HDCP is not supported.
Core Media is not supported. (16005)
Video Display Information
Intel(R) G33/G31 Express Chipset Family
**** External Plug-ins Information ****
No external plug-ins installed.
**** Network Connectivity Tests ****
Network Adapter Information
Adapter Name: {7599FAD1-1BB9-4AC6-80AF-404253DC519E}
Description: Atheros L2 Fast Ethernet 10/100 Base-T Controller - Packet Scheduler Miniport
IP Address: 192.168.1.5
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
Lease Obtained: Sat Dec 31 13:46:09 2011
Lease Expires: Tue Jan 03 13:46:09 2012
DNS Servers: 192.168.1.1
Active Connection: LAN Connection
Connected: Yes
Online: Yes
Using Modem: No
Using LAN: Yes
Using Proxy: No
SSL 3.0 Support: Enabled
TLS 1.0 Support: Enabled
Firewall Information
Windows Firewall is on.
iTunes is enabled in Windows Firewall.
Connection attempt to Apple web site was successful.
Connection attempt to browsing iTunes Store was successful.
Connection attempt to purchasing from iTunes Store was successful.
Connection attempt to iPhone activation server was unsuccessful.
The network connection timed out.
Connection attempt to firmware update server was unsuccessful.
The network connection timed out.
Connection attempt to Gracenote server was successful.
Last successful iTunes Store access was 2011-12-31 14:00:02.
**** Device Connectivity Tests ****
iPodService 10.5.2.11 is currently running.
iTunesHelper 10.5.2.11 is currently running.
Apple Mobile Device service 3.3.0.0 is currently running.
Universal Serial Bus Controllers:
Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C8. Device is working properly.
Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C9. Device is working properly.
Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27CA. Device is working properly.
Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27CB. Device is working properly.
Intel(R) 82801G (ICH7 Family) USB2 Enhanced Host Controller - 27CC. Device is working properly.
No FireWire (IEEE 1394) Host Controller found.
Connected Device Information:
rawkiss’s iPhone, iPhone 3G running firmware version 4.0
Serial Number: 86931UEAY7H
**** Device Sync Tests ****
Sync tests completed successfully.
I have found a fix after doing additional research through this forum. Tech Note #328730 addresses this problem and it works for Photoshop Album 3.2 even though it was written for release 1.0.
Here is a link that will take you directly to the Tech Note:
http://kb.adobe.com/selfservice/viewContent.do?externalId=328730
When using this fix the Tech Note indicates:
"Imported image data and tags are lost when you re-create the My Catalog.psa file, so you need to reimport images and reapply any tags"
however it did retain the captions (at least it did for me).