Enabling ORM causes coldfusion.security.SecurityManager$UnauthenticatedCredentialsException

Similar Messages

• Too many open socket connections causing ColdFusion to crash?

  I’m currently working on an e-commerce site which sends and receives information to/from the client’s order management system via XML over a TCP/IP socket.  It uses a very old java-based custom tag called CFX_JSOCKET (which appears to have been written in 2002) to open the socket, send the data, and get the response.  The code that calls the custom tag and sends/receives data from the OMS pre-dates my working on the site, but its always worked, so I haven’t paid it much attention.
  Back in the summer of 2009 we started experiencing issues with ColdFusion (v.7 on Window 2003 at the time) locking up on a more and more frequent basis, until it ultimately became a daily issue.  After extensive research we narrowed the issue down to the communication between the web server and our client’s order management server.  It seemed the issue with ColdFusion hanging was either related to there being too many connections open, or to these connections hanging and resulting in dead threads.  This an educated guess based on a blog post I’d seen online, not actual monitoring of either CF or the TCP/IP connections.  As soon as we dialed back the timeout on the CFX_JSOCKET tag from 20 seconds to 10, the issue disappeared, so we left it at that and moved on.
  Fast forward to this January. The site is hosted at a new location, on a 64-bit Windows 2008 box running ColdFusion 9.  Over the years traffic on the site has continued to grow.  The nature of the clients business means that August and January are their business times of the year (back to school for college kids) and in January ColdFusion once again started locking up on an almost-daily basis.  
  One significant difference is that the address cleansing software that previously ran on the box and was used to verify shipping addresses is not available for 64-bit, so when we moved to the new server last summer, that task was moved to the client’s order management software and handled via XML like all other interaction with that system. However, while most XML calls to that server (order input, inventory check, etc) take under a second to complete, the address cleansing call regularly takes over 5 seconds to return data, and frequently times out. 
  Once we eliminated the address cleansing call from the checkout process, ColdFusion once again stopped locking up regularly.  So it appears that once again it’s the communication between the web server and the order management server that’s causing problems. We currently have that address cleansing call disabled on the web site in order to keep ColdFusion from crashing, but that’s not a long term solution.
  We don’t have, nor can I find online, the source code for the CFX_JSOCKET custom tag, so I decided I’d write some CF code utilizing the java methods to open the socket, send the data, get the response, and close the connection.  My test code is working fine (under no load).  However, in trying to troubleshoot an issue I had with it, I started monitoring the TCP/IP connections using TCPView.  And I noticed that all the connections to the order management server, whether opened via the custom tag or my new code, remain open in either a TIME_WAIT or FIN_WAIT2 status for well over 2 minutes, even though I know for a fact that my new code is definitely closing the connection from the web server side. 
  They do all close eventually, but I’m wondering 1. Why they’re remaining open that long; 2. Is that normal; and 3. If all these connections remaining open could be what’s causing ColdFusion to choke. 
  Does this sound plausible?  If so, does anyone have any suggestions/recommendations about how to fix it?  My research seems to indicate this might be a matter of the order management system not closing the connection on its end, but I’m in way over my head, and before I go to client and tell them it’s their OMS causing the issue, I need to feel a little more confident that I’m on the right track. 
  Any help or advice would be very greatly appreciated.  And thanks for taking the time to read through my long-winded explanation of the problem.
  Set-up details:
  ColdFusion Version: 9,0,0,251028  Standard 
  Operating System: Windows Server 2008 
  Java Version: 1.6.0_14 
  Java VM Name: Java HotSpot(TM) 64-Bit Server VM 
  Java VM Version: 14.0-b16 
  Thanks,
  Laurie

  Hi Laurie,
  Not aware of custom tag called CFX_JSOCKET. I guess the process you described very well is consuming a resource then you are getting a problem. Trick is what parameter to adjust. Perhaps you are running out of one the threads in CFadmin > Server Settings > Request Tuning.
  I expect if you enable CF Metrics logging where you can log the threads and other resources then you can find out which parameter needs adjusting. Let me know if you want some details on enabling CF Metrics. Perhaps others will have much better idea than me and help without the overhead of logging.
  The other interesting thing is you are using CF9.0.0. Do you have some reasons for not being on updater1 CF9.0.1?
  HTH, Carl.
  PS I posted before however seems to have gone, just hope does not come back and then I have posted twice.

• Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2

  I contacted adobe phone support and was directed to post my question to the forum because adobe doesn't provide phone support for server products.
  So, Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2?
  In the Security Bulleting it reads like it does:
  Summary
  Important vulnerabilities have been identified in ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX. The vulnerabilities could lead to cross-site scripting and information disclosure.
  source: http://www.adobe.com/support/security/bulletins/apsb10-11.html
  However, there are no solutions in the technote:
  Issue
  Note: This technote and the attachments have been updated on 05/13/2010. All ColdFusion users should review the technote again. An issue when this security fix was applied with Cumulative Hot Fix 4 for ColdFusion 8.0.1 has been identified and resolved. The issue was caused by a naming conflict.
  ColdFusion 9.0, 8.0.1 and 8.0 are affected with the issue mentioned in the security bulletin APSB10-11. This technote provides fixes for the security issues along with the installation instructions.
  source: http://kb2.adobe.com/cps/841/cpsid_84102.html
  Additionally, does anyone know if Cold Fusion MX 7.0.2 is a supported product?
  Thank you any help will be benifitial.

  I contacted adobe phone support and was directed to post my question to the forum because adobe doesn't provide phone support for server products.
  I have had phone support from them, and they were quite helpful.  Do you mean they don't do free phone support?  No, they don't.
  I cannot believe they suggested you raise an issue on the forum.  That's just sh!t.  There's no other way of describing that.
  Additionally, does anyone know if Cold Fusion MX 7.0.2 is a supported product?
  http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63
  Only for "Extended support", whatever that is.
  [searches]
  Hmmm... http://www.adobe.com/support/programs/policies/terms_customer.html:
  Extended Support. If version of software held by Customer at time of renewal has been end-of-lifed during the next renewal term, Customer may renew to Extended Support, provided that Extended Support is available for such software version.  Information about Software that has been or soon will be end-of-lifed and Extended Support availability dates by product version are published at www.adobe.com/support. If Customer elects to purchase Extended Support, the Annual Support Fee shall be twenty-five (25%) percent of the license fee paid for the Software (if such fee cannot be established, the percentage would be based on the then-current list price of the license fee for the Software), however in no event shall the amount be less than the last renewal prior to renewing under Extended Support.
  If extended support is renewed, the renewal fee would be the Annual Support Fee paid for the prior year increased by the applicable Consumer Price Index (CPI)*, for the 12-month period preceding the renewal date. Should Customer upgrade to the next major version of the Software (e.g., upgrade from 4.0 to 5.0), the Annual Support Fee for the upgraded version shall be the lesser of twenty percent (20%) of the then current list price of the license fee for such upgraded version, or the Annual Support Fee for the last renewal prior to renewing under Extended Support increased by the applicable Consumer Price Index (CPI)*, for the 12-month period preceding the renewal date.
  So there you go.  It's something you'd have to be paying for anyhow, and my reading of that is that it's too late to get it now anyhow.
  I think this will also mean that you're definitely out of luck in regards to any sort of patching going on for CFMX7.
  Adam

• HT204382 HAS DOWNLOADING 3rd -PARTY DIVX in the past ON A iMAX COMPUTER CAUSE ANY SECURITY RISKS

  HAS DOWNLOADING 3rd -PARTY divX in the past ON A iMAX COMPUTER CAUSE ANY SECURITY RISKS

  Hi,
  For some reason this Post has ended up with and iChat and iChat Shairng categorisation
  The Question has nothing to do with iChat.
  ON the matter of DIVX I have no idea.
  10:13 PM      Thursday; February 28, 2013
  Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
    iMac 2.5Ghz 5i 2011 (Mountain Lion 10.8.2)
   G4/1GhzDual MDD (Leopard 10.5.8)
   MacBookPro 2Gb (Snow Leopard 10.6.8)
   Mac OS X (10.6.8),
   Couple of iPhones and an iPad
  "Limit the Logs to the Bits above Binary Images."  No, Seriously

• Is there any guide lines how you can secure windows 7 gpo enable system services startup security settings?

  Is there any guide lines how you can secure windows 7 gpo enable system services startup security settings?
  For example like many do with Forefront Client Security Anti-Malware service, and there is lots of other service that you would like to have control over to get an secure and stable Windows 7.
  /SaiTech

  Hi, 
  Since there is no response from you, we considered that you have gotten what you want in previous post. 
  For further question, please don't hesitate to come back here and let's discuss again. 
  If you have any feedback on our support, please click here
  Kate Li
  TechNet Community Support

• [svn] 977: Bug: BLZ-93 - When a producer sends a message to a secure destination with no credentials it causes a security exception to get logged with a log level of error .

  Revision: 977
  Author: [email protected]
  Date: 2008-03-27 17:04:59 -0700 (Thu, 27 Mar 2008)
  Log Message:
  Bug: BLZ-93 - When a producer sends a message to a secure destination with no credentials it causes a security exception to get logged with a log level of error.
  QA: Yes
  Doc: No
  Details:
  Updates to catch-all exception logging hinge points on the server to use a new method on MessageException that protects against repeat logging of the same exception as we unwind the call stack on the server, as well as allowing exception subclasses to control the log level, intro text and inclusion of a full stack trace in the logged output. This allows things like SecurityExceptions, which represent common errors like incorrect user credentials, to avoid polluting the log with error-level logging and stack traces. It also consolidates our catch-all handling for MessageExceptions and their subclasses in a single point, avoiding problems with needing to make updates or tweaks to our logging output in multiple places.
  Ticket Links:
  http://bugs.adobe.com/jira/browse/BLZ-93
  Modified Paths:
  blazeds/branches/3.0.x/modules/common/src/java/flex/messaging/log/Log.java
  blazeds/branches/3.0.x/modules/common/src/java/flex/messaging/util/ExceptionUtil.java
  blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/MessageBroker.java
  blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/MessageException.java
  blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/endpoints/amf/MessageBrokerFi lter.java
  blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/endpoints/amf/SuspendableMess ageBrokerFilter.java
  blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/security/SecurityException.ja va
  blazeds/branches/3.0.x/modules/core/src/java/flex/messaging/services/ServiceException.jav a

  One thing I forgot to add, which may be causing you
  problems: the "mount volume" command is not part of
  the Finder dictionary. It stands alone.
  bill
    Mac OS X
  (10.4.10)   1 GHz Powerbook G4
  I tried the mount command. After executing it in Script Editor, I was prompted with login and password, but it was my Keychain!
  I don't know if you have your keychain unlocked or what else..
  Maybe the original poster (Rick Anderson) has his keychain locked and the prompt is from it.
  Just a guess...
  Ciao,
  Ermanno
  Dual 2 GHz PowerPC G5   Mac OS X (10.4.9)   4.5 GBy SDRAM, 5 external FW disks, 2 Internal SATA disks

• [svn] 2818: Fix up the remaining uses of stage that might cause a security violation.

  Revision: 2818
  Author: [email protected]
  Date: 2008-08-12 12:01:36 -0700 (Tue, 12 Aug 2008)
  Log Message:
  Fix up the remaining uses of stage that might cause a security violation.
  QE: YES
  Doc:
  Checkintests: YES
  Reviewer: Alex
  Bugs:
  mx/controls/DataGrid.as
  mx/controls/List.as
  Listen to mouse down on sandbox root instead of systemManager. Fix remove listener code.
  mx/controls/sliderClasses/SliderThumb.as
  Listen to mouse down on sandbox root instead of systemManager. Remove stage listener for MOUSE_MOVE since
  systemManager will add a stage listener automatically if the caller has access to the stage.
  mx/preloaders/DownloadProgressBar.as
  Use the DownloaderProgressBar's stageWidth/stageHeight properties instead of directly accessing the stage.
  Modified Paths:
  flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/controls/DataGrid.as
  flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/controls/List.as
  flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/controls/sliderClasses/Slide rThumb.as
  flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/preloaders/DownloadProgressB ar.as

  Revision: 2818
  Author: [email protected]
  Date: 2008-08-12 12:01:36 -0700 (Tue, 12 Aug 2008)
  Log Message:
  Fix up the remaining uses of stage that might cause a security violation.
  QE: YES
  Doc:
  Checkintests: YES
  Reviewer: Alex
  Bugs:
  mx/controls/DataGrid.as
  mx/controls/List.as
  Listen to mouse down on sandbox root instead of systemManager. Fix remove listener code.
  mx/controls/sliderClasses/SliderThumb.as
  Listen to mouse down on sandbox root instead of systemManager. Remove stage listener for MOUSE_MOVE since
  systemManager will add a stage listener automatically if the caller has access to the stage.
  mx/preloaders/DownloadProgressBar.as
  Use the DownloaderProgressBar's stageWidth/stageHeight properties instead of directly accessing the stage.
  Modified Paths:
  flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/controls/DataGrid.as
  flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/controls/List.as
  flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/controls/sliderClasses/Slide rThumb.as
  flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/preloaders/DownloadProgressB ar.as

• Subscribe to only coldfusion security bulletins

  How can I subscribe to *ONLY* coldfusion security bulletins.  Preferably CF9 only.
  thanks,
  jbee

  Is Microsoft is still releasing security bulletins for pre-SP1 Windows Server 2008 R2?  My guess is no.  The "service pack support end date" is listed as 4/9/2013.
  Which is exactly what that date means. No more updates for the previous SP level(s) of the product; no more
  support for systems running the previous SP level(s) of the product.
  But the admin thinks pre-SP1 is still eligible for security bulletins until the end of its Extended Support
  The 'admin' is incorrect, and this behavior is no different than it has been since the updates for Windows Server 2003 Service Pack 1 were cut off in April 2007. Following the cutoff date, updates are explicitly coded to ignore older SP level(s) of the product.
  This should be very easy to prove to your 'admin'. Show your 'admin' a WS2008R2 *RTM* machine in the WSUS console with one of those current updates released after April 2013 and observe very closely the
  Not Applicable status that is reported, and have the 'admin' contemplate why that is. Or, if no WSUS, just scan WU and try to find anything released after April 2013 in the list of available updates (assuming there are actually
  any available updates at all).
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• Can this be safely removed and how without causing other security issues???

  Having repeated problems with FF hanging and/or closing unexpectedly. Problem listed is always "plugin-container.exe has encountered a problem and has to close". Running version 3.6.15. Can this be safely removed and how without causing other security issues???

  Disable the plugin-container for some or all 4 plugins. <br />
  http://kb.mozillazine.org/Plugin-container_and_out-of-process_plugins#Disabling_crash_protection

• LCM causes Essbase security to be overwritten and can no longer log in.

  When using LCM and migrating Foundation / Shared Services and loading it back in from the file.
  It somehow overwrote something with Essbase security so no user (including the admin) can log in. Through EAS or through Workspace / Planning
  Any suggestions how to reset this? Is it that Essbase is no longer connected to Shared services somehow. This is clearly a bug as there is no way that this should be possible. But hoping someone has seen this before and has a work around.

  if you can. Log into the system as the master Essbase admin through EAS and refresh the shared services security.
  Alternatively you may need to kill the essbase.sec file and cause it to reset the master Essbase user. This should be done with care though as you can cause the environment to become corrupt if all the steps aren't done properly

• SQL Reporting Services 2014, Enabling Kerberos causes report manager to be extremely slow

  We are migrating our environment from SQL Reporting Services 2008 to 2014 on a new server. We are currently using kerberos on the 2008 instance, but when I enable kerberos on the 2014 Reporting Services instance the Report Manager becomes extremely slow.
  Has anyone seen this before? Any ideas of what I can check to see what is causing this problem.

  Just to clarify it is not slow when I run a report, it is slow in general. From first load to accessing a folder, settings, etc. This is all before even executing a report. 
  The error I see while using Wireshark is KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH. When I drill down the into the
  error I can see the kerberos string is testprjmnmtreports14.company.com, which is the URL we are using to access the site. I made sure to add that name as an SPN for the service account that is running SQL Reporting Services, however I still receive the error.
  Then I tried configuring the site to run without a hostheader, so I accessed the site with the server name ECTSTSQLRS5 and the site works perfectly fine, no errors are reported either. So it seems I have isolated the issue down to Kerberos but I am not sure
  how to resolve it. Here is some more information about my environment:
  DNS/URL used: testprjmnmtreports14.company.com
  Server Name (FQDN): ECTSTSQLRS5.company.int
  AD Domain Name: company.int
  Server Version: Windows Server 2012 R2
  AD Functional Level: 2008 R2
  I also have the following SPNs set for my SQL service account:
  http/testprjmngmtreports14.company.com
  http/testprjmngmtreports14
  http/ECTSTSQLRS5.COMPANY.INT
  http/ECTSTSQLRS5
  As you can see I am trying to use a .com address but my AD domain is .int which I think is the issue, but I do not have the same problem on my other server that is running Windows Server 2008 R2. 

• Security manager enabled w/o -Djava.security.manager

  Hi all,
  I am facing an issue where java.policy is being enforced w/o a -Djava.security.manager specified on the command line.
  from ps -ef | grep java, I found the java process and it does not have -Djava.security.manager. However, when I modify jdk/jre/lib/security/java.policy, I can see the effect of the security setting when I restart the java process. I scanned through the source code, I do not find any setSecurityManager() API call either.
  Given the above, does anyone have suggestion on how the security manager is enabled in this case?
  Regards,
  Tom

  System.setProperty("java.security.manager","true");
  System.getProperties().setProperty("java.security.manager","true");
  Properties p = System.getProperties();
  p.setProperty("java.security.manager","true");
  // etc

• Search issue caused by Secure Store Service Sporadic Failures

  I am running into a fun issue.  I am getting a lot of errors in my search crawl logs that say the following:
  The crawler could not communicate with the server. Check that the server is available and that the firewall access is configured correctly.
  And
  The filtering process has been terminated
  And
  An unrecognized HTTP response was received when attempting to crawl this item. Verify whether the item can be accessed using your browser. ( Error from SharePoint site: WebExceptionStatus TrustFailure The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. )
  And finally,
  The SharePoint item being crawled returned an error when requesting data from the web service. ( Error from SharePoint site )
  The thing is, I still get most of the results. Probably 3/4ths of the pages and external content are crawled. These happen sporadically.  I believe it to be caused by a spotty secure store service.  
  When I try to manage the secure store service, sometimes the page loads. Other times it says:
  Cannot complete this action as the Secure Store Shared Service is not responding. Please contact your administrator
  If I refresh the page a couple times, it comes back up. I believe this constant up and down is causing issues. I have tried the following to resolve this:
  IIS resets on all servers
  Restarting individual app pools on all servers
  Making sure the correct services were running on all servers, and restarting them
  Restarting the servers
  Creating a new secure store service is not an option, as the custom software running on the environment requires it heavily, and rebuilding all the credentials is a huge pain. If this were not a live environment, it would be worth it. However, this IS a
  live site.
  Has anyone else seen a spotty SSS like this one?

  You may be right, and these two could be unrelated, or both be caused by some underlying environmental issue (quite possible).  The Secure Store Service is indeed used when indexing.  I'm not logged into the servers right now, but when crawling
  the external content source, the errors are about the secure store service.
  I've set fiddler as a proxy on search and watched the crawls. I'll have to review those again to find the response, but I believe the errors were all authentication-related.
  I'll probably spend my day today going through logs and report back.

• Will enabling FireVault cause Windows VM problem?

  I have loaded Parallels (Build 1970) on my MBP running OS X v10.4.8 and would like to know if I enable FireVault, will it cause any problems with loading/running the Windows VM and file sharing capabilities? Or by virtue of performing the Mac login that unencrypts my files by default, will Parallels and the Windows XP VM run seamlessly?

  It's not possible to know with absolute certainty if your router is causing this bottleneck or not. The bandwidth delivered by AT&T is shared among all the devices that use it, and if they're all streaming video or performing some other demanding task your Internet speed may be the limiting factor.
  An Apple AirPort Base Station will not have any difficulty whatsoever serving five clients, or many more for that matter, and it makes no difference whether they are Macs or PCs or an assortment of each.
  I am not familiar with the limitations of AT&T's supplied router, but most ISPs supply cheap junk. If you purchase an Apple AirPort Base Station from an Apple Store, and you don't like it for whatever reason, you can always return it within 14 days for a complete refund. Keep the box and everything else it came with. 90 days of free telephone support is included in the purchase price.

• Coldfusion secure FTP & digital certificates

  Hello !
  I am currently in the process of developing a corporate CF intranet site that is behind a corporate firewall and part of the application will need to send a data file (FTP put) to a remote FTP server using secured FTP (FTPS). I have never used Coldfusion before for either secured or unsecured FTP.  I am planning on using the CFFTP tag to open the connection and send the data file but I have a number of other questions regarding the use & installation of the digital certificates.:
  Current development environment setup:
  CF version 9 standard edition running on Windows Server 2008 R2
  Microsoft IIS 7
  Current production environment setup:
  CF version 9  enterprise edition running on Windows Server 2008 R2
  Microsoft IIS 7
  1.  The data file that is being created must be sent to a finanacial institution and they will be providing a digital certificate (p12 format) to me.  What do I do with that certificate once I get it ?  I have installed SSL certificates before on http web sites with IIS without any issues but I am not sure what to do with the certificate for secured FTP.  Do I import the certificate into IIS using the MMC snap on or does the certificate need to be integrated into Coldfusion in some other way and if so, what needs to be done ?
  2.  What other steps need to be prior to being able to use the CFFTP tag for a secured FTP send ?
  I would appreciate as much help as possible as I haven't used CF for FTP before.
  Thank you.

  Dave,
  Thank you for answering.
  1.  I have imported the certificate into the cacerts file by using the following command:
       keytool -import -keystore ../lib/security/cacerts -alias x  -file c:\downloads\y
       where x was the alias name I assigned and y was the certificate name (extension of 'der').
  I tried importing a p12 and p7b certificate but neither of those worked.  I received the message 'Not a valid X.509 Certificate' from the command.  I then successfully imported a Base64 certificate (der).  I believe the certificate has been successfully imported because I ran the following and it shows the MD5 fingerprint:
       keytool -list -alias x -keystore ../lib/security/cacerts
       where x is my alias name I assigned in the original import
  2.  I then ran the following CFM command replacing the '*'s with the appropriate server name, user name, and password
       <cfftp action="open" connection="conn1" secure="yes" server="********" username="******" password="*****" port="21"
       </cfftp>
       I am getting the CF error
  An error occurred while establishing an sFTP connection.
  Verify your connection attributes: username, password, server, fingerprint, port, key, connection, proxyServer, and secure (as applicable). Error: User Authentication failed.
  Any suggestions or help would be appreciated.
  Thank you.