Dummy's Guide To Securing Web Applications!

Similar Messages

• Securing Web Applications by HTTP Basic Authentication

  We are working on providing security for web applications in Webdynpro.We downloaded the material from net regarding this.In that it was mentioned to open the webdynpro project's web.xml file in the Netweaver Developer Studio.In the material,we are asked to click the General  TAb and check "Login Configuration".But there is no such checkbox in our general tab screen.Also many tabs are missing like Context,Resources,mapping,Environment,EJB's,Web objects.How to enable/display these tabs?Is there any means of setting properties in the server to get these tabs?
  regards,
  J.Iswaryal
  K.Brinda

  Hi J.Iswaryal,
  I guess two things based on your post.
  1. You have created one wer service and you want to make secure this web service using HTTP basic authentication.
  2. You have such wweb service and you want to consume this web service lets say in webdynpro application.
  <b>For, point one,</b>
  After creating web service goto webservice perspective in NWDS. there, choose your web service project.
  Now, open Web service configuration file recided in your project.
  Here, go under config1-> security and double click on it.
  It will display security options for this web service.
  Choose transport protocol as HTTP, Authentication mechanism as HTTP authentication and choose Basic radio button.
  Now, save this, rebuild this and deploy on server.
  <b>For point 2,</b>
  Make model for your web service.
  before calling your web service, set your username and password in code as shown below.
  wdContext.current<web service model node>element().modelobject()._setusername(<username>);
  wdContext.current<web service model node>element().modelobject()._setPassword(<password>);
  Rehards,
  Bhavik

• Installation guide for SAP Web Application Server

  Hi guys
  'm new to ep can u tel how to install   SAP Web Application Server
  thanks
  regards
  kamal

  hi anup
  thanks
  In this some commands are used whether it is unix  r some other os.. can u tel me someother answers also..
  Edited by: kamal_ep on Apr 7, 2009 8:12 AM

• Securing web applications?

  hi,
  I have not worked on servlets and Jsp extensively, but clear with basics just thought of implementing a sample web project which makes use of Certificates for authentication. so can anybody suggest me few links about how to do setup and implement Certificate based authentication?
  thanks and regards

  Assuming you mean authenticating the server using certificates and not each client and that you're using Tomcat V5
  http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
  You can do the rest in your applications web.xml.
  http://java.sun.com/webservices/docs/1.3/tutorial/doc/Security2.html
  (nb watch out for spaces in the urls)

• How to get the network details in flex4.5 web application

  How to get the network details in flex 4.5 web application
  similar to the nativeinterface in air application

  checkout this document for secure web application
  http://help.adobe.com/en_US/flex/using/WS2db454920e96a9e51e63e3d11c0bf6167e-7fff.html    

• Creating secure web apps in JDeveloper 10g preview

  Hi all,
  I am trying to set up a secure web application and test it within JDeveloper 10g preview. So far, I am able to set up the correct entries in web.xml and ???-oc4j-app.xml (actually had to add the role mapping manually in the last file). I am able to automotically bring up a login form, enter my username/password and get to the protected resources. What I am not able to do is the following:
  1. Display an error page when the login fails (I get a generic HTTP 403 page instead of the page I specified in web.xml).
  2. Enable SSL. I can set the write checkboxes, etc., but instead of displaying the login form, the browser asks me to open/save the file home.do (the protected resource). I think there is some setup that is messing, but what is it?
  Any help is appreciated. Thanks.
  Ara

  Sorry, I guess I shoud have made it clearer: I am using HTTP-FORM authentication and I have specified a login and error page there. Neither page is protected (i.e., their URI pattern is not specified in the servlet deployment descriptor).
  I get the login page fine. I am also able to log in,provided I submit the right username/password. The problem comes when I submit an incorrect name/password. In that case, I get a generic HTTP 403 page instead of the error page I specified.
  Hope this provides more clues.
  Ara

• USING SSO TO SECURE THE WEB APPLICATION RUNNING ON JBOSS/WEBSPHERE

  We are using Oracle portal for all our applications. We have Oracle Application Server, portal, SSO and OID installed. Basically the user should login through
  protal, and the authentication is done by SSO against OID. After the authentication, the user accesses the portal home page. From the home page, there are application links. By clicking these application links, the user should be able to access the applications. But these applications are running on JBoss and WebSphere. Is there any way that we can secure these applications
  by Oracle SSO?
  I know that there is a plug-in (mod-osso) running on the Oracle Web Server to fulfill the tasks like directing the request to the single sign-on server,
  authenticating, putting sso cookie into the session if authentication is successful. So the Oracle Web Server will take care of the authentication for all partner applications.
  There is no such plug-in released for the web server of JBoss or WebSphere. Anybody has the experience or suggestion on how to solve our issue?
  Thanks!

  Hi,
  Have you imported the java certificate into R/3 backend system ? if so.
  Then just go to backend system and check on sm50 for each applicaion instance of any error eg.
  SM50-> Display files (ICON) as DB symbol with spect.(cntrlshiftF8)
  You will get logon ticket details.
  with thanks,
      Rajat

• Secure and non-secure access to the web application in one war

  Say we have one web application (in one war) which includes JSP, servlets and the security intercepter. There is one business requirement to have most of the JSP(s) accessed via HTTPS, but a few JSP(S) accessed via HTTP.
  My questions are:
  a. Is this possible, or a reasonable requirement or a good practice?
  b. if yes, what can we do to make it happen in the security intercepter implementation?
  c. If not, what is the technical reasons?
  Thanks much.

  a) Yes its is reasonable and good practive, there is an overhead using https, so you should only encrypt file you need to. When you use an online store, only account details / payments are https, the shop itself is http
  b) I dont really understand your difficulty. You can define a folder as 'secure' and put all your secure pages in this folder, leaving non secure files in a different folder. Whenever a page in the secure folder is accessed, https is automatically invoked.

• Browser based InfoPath form deployed on a Claims based Web Application calling a Secure Web Service via Data Connection

  hi,
  We have a Browser based InfoPath Form deployed on a Claims based Web Application. We are tyring to call WCF Services that are secure using Certificates via the Data Connections on Infopath Form.
  Earlier we used to get the Data in BCS External List via the WCF Services and the Data Connections used to get the Data from the BCS External List. Due to Performance Issues, we want to remove the BCS External List and straightaway call the secure WCF Services
  via the Data Connections.
  Have anyone implemented this scenario.
  Thanks
  Ram
  Thanks Ram

  Hi Ram,
  As these are browser based InfoPath forms, you have two options 
  1) Deploy as sandboxed forms
  In this case you have to create a secure store application id and then set the credentials for that account.
  You then have to export the data connection to Data connections library and modify the .udcx file to utilize the newly created secure store application id.
  This may sometime give issues related to sandboxed code service. You have to give permissions on the secure store for the user account which the sandboxed code service is running.
  2) Deploy as administrator approved forms
  This would be ideal way of doing things as you have full control over the web request if you write code behind InfoPath forms.
  3) Deploy as a Hybrid solution
  a) Write a full trust proxy solutions (extend SPProxyOperation class and override execute method) and make the web request call inside this and return the response
  b) Invoke above operation from the sandboxed InfoPath form's code behind by SPUtility.RegisteredProxyOperation(four part assembly name, operation args)
  Hope this helps.
  Thanks,
  Srikanth

• Unable to consume secured Web service from a Dynpro application

  Hello,
  I have followed <a href="http://help.sap.com/saphelp_nw04/helpdata/en/c3/bac36a469e4c75aba646077e71516d/frameset.htm">this tutorial</a>
  in order to protect and consume a secured Web service from a Dynpro application using SAP logon ticket.
  The problem is that after implementing everything needed I  receive 401 Unauthorized when I am trying to consume it from the web dynpro side.
  If I manually transfer the request the credentials, before the execute i.e:
  modObj._setUser
  modObj._setPassword
  modObj.execute();
  I am able to call it, meaning the dynpro application doesn't transfer these credentials to the Webservice even though it's authentication property is set to true.
  Any idea how to solve it?
  Roy
  Message was edited by:
          Roy Cohen

  Try below steps
  • Add jars
  o security.class
  o tc/sec/destinations/interface
  • Setting WebDynpro project property
  o Project>Properties>Web Dynpro References-->Interface references
  &#61607; Name=tcsecdestinations~interface
  o Project>Properties>Web Dynpro References-->Service reference
  &#61607; Name=webservices
  &#61607; Name=tcsecdestinations~service
  • Dynamically Set httpdestination and Call web service
  final InitialContext ctx = new InitialContext();
  final DestinationService dstService = (DestinationService)ctx.lookup(DestinationService.JNDI_KEY);
  if (dstService== null)
  throw new NamingException ("Destination service not available");
  final Destination destination = dstService.getDestination("HTTP"," DestinationName");
  // getting user name
  Properties destprop = destination.getDestinationProperties();
  String username = destprop.getProperty("USERNAME");
  String password = destprop.getProperty("PASSWORD");
  final HTTPDestination httpDestination = (HTTPDestination) destination;
  HttpURLConnection httpConnection = httpDestination.getURLConnection();
  String httpURL = String.valueOf(httpConnection.getURL());
  Request_AdvLocationVer1ViDocument_getLocation obj=wdContext.currentRequest_AdvLocationVer1ViDocument_getLocationElement().modelObject();
  obj._setUser( user );
  obj._setPassword(pass);
  obj._setEndPoint(httpURL);
  obj.execute();
  Rahul

• How to call OWSM secured web-service from ADF application

  I have a OWSM secured web-service, which takes username/password.
  I want to invoke this webservice from ADF application. ADF application has its own security and it takes its own username/password. End user can't provide the username/password for web-service call. My ADF application should call the webservice and provide it appropriate username/password.
  What is the best practice to handle such scenario. I don't want to hardcode username/password in Java (ADF) code.
  Thanks
  Sanjeev.

  it is not clear to me if you are having problems with calling java code from OIM or if the problem is the web service API.
  Lets do some divide and conquer:
  Can you create a simple java class that just writes a couple of lines to the log? Please attach this code to the OIM task and make sure it runs.
  Once this works we can start looking at the web service call.
  Best regards
  /Martin

• Security for creating web templates using web application designer

  I work for ChevronTexaco as a BW Security Analyst. I have a request to set up roles for web template creation using the Web Application Designer. Where can I get help in setting up the security for these types of roles? My experience is in setting up roles for running and creating queries in BEX. I need to know what additional authorizations will enable web template creation. Setting up a trace in ST01 has been less than helpful since it dumps out tons of RS_COMP tracing that doesn't help me much.
  The user wants to be able to create web templates for existing queries in BEX and restrict by rs_comp infocubes/areas/reportid, etc. and to be able to save to restricted role names. Are there new auth groups specific to this type of activity that I need to code for in addition to the basic end user or report builder authorizations?
  Any help would be greatly appreciated.
  Jeff Ehritt
  925 827-6012
  ChevronTexaco

  Thanks Marc, I'll check it out. My problem was that I was trying to create the role by granting a userid sap_all, sap_new and s.a_system as well as power user auths for a specific application. I set up a trace in ST01 for authorization cking on the ID while one of our BW Central Support people went into Web Designer to create a template and everything else they wanted to do.
  The resulting trace spewed out so much stuff from S_RS_comp and comp1 as to be virtually useless since it named scores of different cubes and infoareas that the analyst wasn't even interested in. The results puzzled me and made it extremely difficult to pin down the required authorizations. Usually ST01 can be used as a blueprint to create the role,ie; everything that the user touches is traced but no more than that. Have you seen this before? With just the new role I had set up the user could not save to a role unless I coded the fully qualified role name such as YRH_SENDAT_USER. YRH* would not work.
  Thanks,
  Jeff Ehritt
  ERP COE SAP BW Security

• Security For BW Web Application Designer

  I work for ChevronTexaco as a BW Security Analyst. I have a request to set up roles for web template creation using the Web Application Designer. Where can I get help in setting up the security for these types of roles? My experience is in setting up roles for running and creating queries in BEX. I need to know what additional authorizations will enable web template creation. Setting up a trace in ST01 has been less than helpful since it dumps out tons of RS_COMP tracing that doesn't help me much.
  The user wants to be able to create web templates for existing queries in BEX and restrict by rs_comp infocubes/areas/reportid, etc. and to be able to save to restricted role names. Are there new auth groups specific to this type of activity that I need to code for in adition to the basic end user or report builder authorizations?
  Any help would be greatly appreciated.
  Jeff Ehritt
  925 827-6012
  ChevronTexaco

  Hi Jeff,
  there are no special authorization objects for Web Templates. RS_COMP will still only work for queries, structures.... Saving to roles requires certain authorizations for the role (s_agr_*), here you can define the roles you can save templates to.
  Regards, Klaus

• Where is security configuration for deployed web application stored

  Hi,
  We have deployed a folder as a web application. The changes I am making in Deployments -> web application -> Security -> URL Pattern -> Roles -> Edit a Stand-Alone Web Application URL Pattern Scoped Role is not saved and it is getting lost when I restart the application.
  For example I have added "AppTesters" group in "valid-users" url-pattern.
  Can anybody help me where these settings are stored and why it is not getting saved across application restarts.
  Thanks,
  Sambath.

  How are you restarting your weblogic Admin Server?
  This is only possible if some how while your Admin Server is restarted, the ldap directory that is present int the %DOMAIN_HOME%/your_domain/servers/AdminServer/data directory is deleted or updated with the previous values.
  This may give you some idea how to proceed with this issue.
  Thanks,
  Sandeep

• Adding a secure, internal-only SharePoint Web application / Site collection in existing farm

  Hi,
  We are currently working on creating a new internal-only SharePoint site that will host sensitive information. We are planning the architecture to provide a secure environment to host this information in SharePoint. We will create the new web app on a separate
  database with encryption enabled TDE; we are also planning to encrypt the data through the SharePoint (Insert third-party vendor here) forms before it gets to the SP DB. And obviously, SharePoint permissions will be set accordingly.
  Additionally, we would like to have the site accessible
  only through our internal network and keep it off the DMZ.
  Our current SharePoint environment consists of two web-front end servers (load-balanced) externally exposed (DMZ), one application server and the SQL server both behind the DMZ (internal-only). Currently all of our SharePoint web apps are accessible externally
  through SSL.
  What is the best way to accomodate this new internal-only web application within our existing farm providing the security measures explained before?
  I am thinking  on adding an extra WFE server to the existing farm and put it behind the DMZ (internal-only) in a similar way as our application server is configured right now, but just serving exclusively this new internal site's content. I would then
  have the NEtwork guys to make the site accessible only to users logged-in internally in our network and through this new dedicated server only. My concern is that since all of our other web apps in the farm are exposed externally, and since the new server
  would be part of the same farm, that could be open doors for bad guys to access this information. Are there any other topology options I should consider? I have thought about creating a small (one-server only) new farm just for this purpose, but I am trying
  to avoid going that route.
  Any thoughts?
  Thank you,
  Rob

  You're mostly going down the right track.
  A new web application in dedicated SQL DB and web application policies to deny all external accounts access to the sites will go a long way. You can also make sure that the DNS does not resolve externally.
  If you want security you will probably be building the web application on https alone, which is my preference for any farms these days. That might negate the need for your encrypted infopath system.
  However you cannot add a WFE to a farm and dedicate a web app soley to that server. Any server with the SharePoint Foundation Web Application role will host all web applications. You can steer traffic to one
  server or another but that's not really doing much for security. If it's on one WFE it's on them all. For that reason I would say that the standalone farm is the best, most secure, solution.
  All of what you've been describing will help with security but you'll have to spend hours testing connections, securing files and testing testing testing.  Whilst the standalone will just work.
  No, i don't know why that turned into tiny print either.