Extend Security FAQ Example Broken?

I have been trying out the Extend Security example in the Coherence FAQ here http://coherence.oracle.com/pages/viewpage.action?pageId=1343626
Basically the way it works is that the Extend proxy uses a class scheme that uses a sub-class of com.tangosol.net.cache.WrapperNamedCache to wrap the "real" cache. This sub-class can then override methods you want to secure to do an access check before forwarding the method call to the wrapped cache.
Now, this all appeared to work fine until I tried to execute queries against the cache. The queries will execute against the "wrapped" cache which resides in the storage enabled nodes of the cluster, as the Extend proxies are storage disabled. I started to get back errors that the methods I was querying on did not exist in the objects I had put into the cache.
E.G. Missing or inaccessible method: com.tangosol.util.Binary#getIntValue[]
The reason for this, it turns out, is that the "put" method of the WrapperNamedCache in the extend proxy gets instances of com.tangosol.util.Binary for its key and value parameters, as the Extend Client has POF serialized the values to send over the wire. When WrapperNamedCache calls "put" on the real cache, presumably it sends these com.tangosol.util.Binary values. It then appears that these are serialized again to go over the wire to the real cache, so the underlying real cache ends up containing a serialized value of a serialized value and hence my queries fail.
Is this "double" serializing due to me mis-configuring the caches, or am I stuck with it?
Obviously it is pretty impractical to de-serialize the objects in the methods of the WrapperNamedCache sub-class.
Presumably making the Extend proxies storage enabled nodes of the cluster wouldn't make any difference either.
I am beginning to give up on ever having a secure Coherence cluster as so many things related to security in Coherence seem broken.
Banging my head in frustration...
JK.

I haven't been able to get this to work, and I'm using Noah's updated code.
I'm trying to implement row-level security using the EntitledNamedCache, so basically I'll be intercepting calls to get() and checking the client's privileges against the data they're trying to read.
The problem - as Jonathan experienced - is that inside the EntitledNamedCache the super.get() call to the WrapperNamedCache returns a com.tangosol.util.Binary instead of the actual object that was put() in.
Is there a way for WrapperNamedCache.get() to return the actual object?

Similar Messages

  • Kerberised CIFS / SMB Extended Security

    Does anyone have any info when kerberised CIFS or SMB extended security is likely to be introduced into the S7000 series?
    I had some info from a Sun Engineer that fixes relating to this would be coming in 2009.Q4 (which became 2010.Q1)
    Example CR's related to this are:
    6791642
    6791165
    6791210
    Amongst others.
    Does anyone know if this is on the radar for a future release of the 7000 series appliance kit?
    Alan

    Hi Alan
    I just wondered if the lack of kerberised CIFS or SMB extended security is causing a problem I've been trying to get around.
    We have a share set up on our 7310, to host MSI packages to be deployed via a Windows Server 2008 R2 group policy object, the packages are failing to install with errors pointing to permission problems. I've checked through the permissions and all seems well, with the computer account having full access to the share.
    The packages deploy fine when they are hosted on a Windows based server, from what I've read this could be a kerberos authentication problem or some other missing feature from the CIFS implementation on the Sun. I can connect to the share on the Sun once logged onto the Windows computer and install the packages.
    Thanks
    Matthew

  • OS 10.7, SMB Connection, Change to Unicode with Extended Security on Windows Server 2008 Standard

    Hi All,  I've searched Google, and I've also contacted Apple Support with no luck:  I want to implement unicode with extended security on Windows Server 2008 Standard server shared folders so that Lion can connect normally (i.e. Finder->Go->Connect to Server->IP Address or server name) to SMB shares and access files.  I'm lacking information; has anyone actually implemented unicode with extended security?  If so, how?
    Thanks in advance.
    Tom

    Thanks for the reply aorlich. Do you mean enable file sharing on my Mac? With file sharing enabled, I still cannot get to my Windows 7 shares, although the files on my Mac do become available to Windows. Thanks again.

  • Jcifs.smb.SmbException: NTLMv2 requires extended security

    Hi,
    I'm implementing SSO for my application deployed in tomcat using JCIFS. It was working for some time and after more sessions like > 3 it's throwing error like
    jcifs.smb.SmbException: NTLMv2 requires extended security (jcifs.smb.client.useExtendedSecurity must be true if jcifs.smb.lmCompatibility >= 3)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    I'm using jcifs 1.3.7 and jdk 1.5. Also my web.xml is like
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
    <display-name>Tomcat Documentation</display-name>
    <filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param>
    <param-name>jcifs.http.domainController</param-name>
    <param-value>10.202.0.41</param-value>
    </init-param>
    <init-param>
    <param-name>jcifs.smb.lmCompatibility</param-name>
    <param-value>1</param-value>
    </init-param>
    <!--
    <init-param>
    <param-name>jcifs.smb.client.useExtendedSecurity</param-name>
    <param-value>false</param-value>
    </init-param>
    -->
    <init-param>
    <param-name>jcifs.util.loglevel</param-name>
    <param-value>3</param-value>
    </init-param>
    <!--
    always needed for preauthentication / SMB signatures
    -->
    <init-param>
    <param-name>jcifs.smb.client.domain</param-name>
    <param-value>DOMAINAME</param-value>
    </init-param>
    <init-param>
    <param-name>jcifs.smb.client.username</param-name>
    <param-value>1233</param-value>
    </init-param>
    <init-param>
    <param-name>jcifs.smb.client.password</param-name>
    <param-value>P@ssw0rd1</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    <description>
    Tomcat Documentation.
    </description>
    <servlet>
    <servlet-name>test1</servlet-name>
    <servlet-class>TestServlet</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>uploadexcel</servlet-name>
    <servlet-class>TestUpload</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>testServlet</servlet-name>
    <servlet-class>SampleTest</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>test1</servlet-name>
    <url-pattern>/test</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>uploadexcel</servlet-name>
    <url-pattern>/uploadexcel</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>testServlet</servlet-name>
    <url-pattern>/testServlet</url-pattern>
    </servlet-mapping>
    <!-- <resource-ref>
    <description>DB Connection</description>
    <res-ref-name>jdbc/reports</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    -->
    <error-page>
    <exception-type>java.lang.NullPointerException</exception-type>
    <location>/error.jsp</location>
    </error-page>
    </web-app>
    Please let me know whether any configuration settings need to be made
    Regards,
    Sukuimar

    Hi,
    Thanks for suggestion. After making it true I got below error.
    note: NtlmPasswordAuthentication.java was java class obtained with JIFS utility
    jcifs.smb.SmbException
    java.lang.NullPointerException
         at jcifs.smb.NtlmPasswordAuthentication.nTOWFv1(NtlmPasswordAuthentication.java:197)
         at jcifs.ntlmssp.Type3Message.<init>(Type3Message.java:177)
         at jcifs.smb.NtlmContext.initSecContext(NtlmContext.java:75)
         at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:347)
         at jcifs.smb.SmbSession.send(SmbSession.java:235)
         at jcifs.smb.SmbTree.treeConnect(SmbTree.java:161)
         at jcifs.smb.SmbSession.logon(SmbSession.java:171)
         at jcifs.smb.SmbSession.logon(SmbSession.java:164)
         at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:189)
         at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:121)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
         at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
         at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
         at java.lang.Thread.run(Thread.java:595)
         jcifs.smb.NtlmContext.initSecContext(NtlmContext.java:90)
         jcifs.smb.SmbSession.sessionSetup(SmbSession.java:347)
         jcifs.smb.SmbSession.send(SmbSession.java:235)
         jcifs.smb.SmbTree.treeConnect(SmbTree.java:161)
         jcifs.smb.SmbSession.logon(SmbSession.java:171)
         jcifs.smb.SmbSession.logon(SmbSession.java:164)
         jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:189)
         jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:121)
    Even I tried to change it to
    <init-param>
    <param-name>jcifs.smb.lmCompatibility</param-name>
    <param-value>0</param-value>
    </init-param>
    <init-param>
    <param-name>jcifs.smb.client.useExtendedSecurity</param-name>
    <param-value>false</param-value>
    </init-param>
    But still it's giving previous error. So, should I upgrade it to 1.3.8? Also, am I hitting any bug in 1.3.7? Please let me know
    Regards,
    Sukumar
    Edited by: Sukumar-Java-Beginner on Mar 30, 2009 11:39 PM

  • UPnP Extended Security? Please Help.

    Hello, I was recently trying to complete this tutorial:
    http://www.youtube.com/watch?v=o9vJedWSyw8
    as my internet is bad on black ops 2, (strict) and my Bt does not allow me to port forward properly :/
    I have tried it but I got an error, so I got in touch with the author of the video and received this message,
    "from the looks of it you are setting up the right ports, but your router isn't allowing you to forward them. This will most likely be caused by a security setting on your router. There should be some option on the games and application sharing page, that disables extended security. That should fix the problem if you can find it."
    So how can I disable this UPnP Extended Security, or Extended Security?
    I have a Bt Home Hub 2.
    Thanks,

    Elhadi wrote:
    I know how to turn it off, im trying to disable something called extended security so it lets me use portmapper
    On the Home Hub 3 B you get the following screen (distorted by cut and paste)  on the Port Forwarding , UPnP tab
    The Home Hub 2 may not have this facility.
    Wireless | Broadband | Home Network | Port Forwarding | System | Basic Settings
    Configuration | Supported Applications | UPnP | DMZ | Firewall
    UPnP
    Universal Plug and Play (UPnP) enables a wide range of applications, such as games and messaging, and devices to connect to each other and work together.
    UPnP:                     On / Off
    Extended UPnP Security:   On / Off
    Apply   Cancel
    It is recommended to keep the Extended UPnP security enabled to ensure the security of your home network.

  • Extending security privileges

    Just after a bit of advice on security...
    If I build a form in LiveCycle, am I able to extend security privileges in Acrobat to allow users of the free Reader software to password protect the form?
    Or can I set the form up so that when the user completes and saves it, it automatically password protects it?
    The second option is my preferred choice, just not sure if either are possible.
    Any help is much appreciated.
    Thanks,
    Chris

    Thank you for your reply.
    In that case I'll expand on what we want to achieve and hopefully someone can propose a solution.
    We send our clients some forms which they complete, lock/flatten and then send back to us. We now need to ask our clients to enter their bank details onto the form. We want to make this as secure as possible and asking the client to email us back using an encrypted email isn't really viable, hence we wanted the form to password protect itself on completion/saving.
    Is there anything else we could put in place to make this work?
    Thanks again

  • Extends security

    Hi folks,
    I'm trying to get a reasonable cluster security solution working using Kerberos. I want to be able to secure nodes joining the cluster and secure things
    like Extends connections via the proxies. So far the cluster node security piece seems to be working fine (using the standard Coherence security).
    To secure the Extends connection I've tried using the Oracle example solution from here http://wiki.tangosol.com/pages/viewpage.action?pageId=1343626
    (even though it doesn't seem ideal due to the number of security checks) but it causes a problem when the Extends proxy node itself is
    authenticated with the cluster. The example solution uses an EntitledNamedCache class that calls checkAccess() in every method. In this
    checkAccess() method the code fetches the current subject from what it says is the "calling thread". The problem is that it actually returns the subject
    that the Extends node used to authenticate against the rest of the cluster - not the subject associated with the Extends call. Has anyone tried something
    similar and got it to work? Like I say - this only seems to be a problem if you have your Extends node authenticating with the rest of the cluster. I guess all it needs is a successful way to get the subject details from the Extends call.
    Another interesting issue is that if you obtain a Subject from the Coherence Security.login(..) call and then call Security.runAs(..) the subject
    is POF serialized and sent over the wire. If you obtain the same subject by using standard JAAS login, and call Security.runAs(..) it's not serialized. Odd.
    I'm using Java 1.6 and Coherence 3.5.1b461. Any help/comments would be much appreciated. Many Thanks,
    Reon Campbell.

    Hi Reon,
    The root problem seems to be that somehow the Subject is not being passed by Extend for you.
    Extend will always run in the context of a Subject if one is available. The security framework (standard Coherence security) will only log in if there is no current Subject. So, if the Subject is passed by Extend, the proxy will execute the message in a Subject.doAs(). The security framework checks to see if there is a current Subject and, if so, it will use it. Otherwise it will call the configured callback handler to log in. If in EntitledNamedCache you are seeing the security framework Subject, it means no Subject was passed and the security framework called the callback handler.
    Also, it shouldn't matter whether you use standard JAAS or not because the implementation of Security.login and Security.runAs just use JAAS.
    Extend only passes the Subject when a Channel is created, which is the first time a cache reference is retrieved. After that, the Subject associated with the Channel will always be used. My guess, is that you are not running in the context of a Subject when you get that first cache reference. Here is some sample code:
            Subject subject = Security.login("manager", "password".toCharArray());
            NamedCache cache   = null;
            try
                {
                // obtain the first cache reference inside runAs so the Subject is passed with the Channel
                cache = (NamedCache) Security.runAs(subject, new PrivilegedAction()
                    {
                    public Object run()
                        {
                        NamedCache cache = getNamedCache("dist-test");
                        return cache;
                        }
                    });
                }
            catch (Exception e)
                {
                // failed if security exception
                e.printStackTrace();
                }
            cache.put("key", "value");
    The final issue for you is that the built in SubjectPofSerializer does not serialize public or private credentials and PrincipalPofSerializer only serializes principal name, so the built in serializers will not serialize a Kerberos ticket. The only solution currently is to write a custom serializer.
    Regards,
    David
    Coherence Development
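
The Subject-at-Channel-creation behaviour described in the reply above, modelled with plain JAAS as an added example (not code from the thread or from Coherence). `ProxyChannel`, `NamePrincipal`, `openChannel` and `currentName` are hypothetical names, no Coherence classes are used, and it relies on the classic `Subject.doAs` / `Subject.getSubject` calls that match the thread's Java 1.6 sample; recent JDKs deprecate them in favour of `Subject.callAs` / `Subject.current`.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

// Added illustration only: a plain-JAAS model, not Coherence code.
public class ChannelSubjectDemo {

    /** Minimal Principal that carries only a name. */
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static Subject subjectOf(String name) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamePrincipal(name));
        return s;
    }

    /** Name of the Subject bound to the calling thread, or null if there is none. */
    static String currentName() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null || s.getPrincipals().isEmpty()) {
            return null;
        }
        return s.getPrincipals().iterator().next().getName();
    }

    /** Stand-in for the proxy side of one Extend Channel. */
    static final class ProxyChannel {
        private final Subject channelSubject; // fixed when the channel is created
        private final Subject proxySubject;   // identity the proxy node logged in with
        private final Map<String, String> store = new HashMap<>();

        ProxyChannel(Subject passedByClient, Subject proxySubject) {
            this.channelSubject = passedByClient;
            this.proxySubject = proxySubject;
        }

        /** Performs a put and returns the identity an access check would see. */
        String put(final String key, final String value) {
            PrivilegedAction<String> action = new PrivilegedAction<String>() {
                public String run() {
                    String who = currentName(); // what a checkAccess() would read
                    store.put(key, value);
                    return who;
                }
            };
            // A Subject passed at channel creation wins; otherwise the check
            // falls back to the proxy's own login.
            Subject effective = channelSubject != null ? channelSubject : proxySubject;
            return Subject.doAs(effective, action);
        }
    }

    /** Client side: the channel captures whatever Subject is current when it is opened. */
    static ProxyChannel openChannel(Subject proxySubject) {
        Subject caller = Subject.getSubject(AccessController.getContext());
        return new ProxyChannel(caller, proxySubject);
    }

    public static void main(String[] args) {
        final Subject proxy = subjectOf("proxy-node");
        final Subject manager = subjectOf("manager");

        // Case 1: first cache reference obtained outside doAs, so no Subject is passed.
        // Wrapping later calls in doAs does not help: the channel is already unbound.
        final ProxyChannel bare = openChannel(proxy);
        String seenUnbound = Subject.doAs(manager, new PrivilegedAction<String>() {
            public String run() { return bare.put("key", "value"); }
        });
        System.out.println("channel opened without a Subject, check sees: " + seenUnbound);

        // Case 2: first cache reference obtained inside doAs, so the Subject is bound.
        ProxyChannel bound = Subject.doAs(manager, new PrivilegedAction<ProxyChannel>() {
            public ProxyChannel run() { return openChannel(proxy); }
        });
        String seenBound = bound.put("key", "value"); // caller has no current Subject here
        System.out.println("channel opened inside doAs, check sees: " + seenBound);
    }
}
```

The first case reproduces the symptom from the question: the access check reads the proxy node's own identity even though the caller is running as "manager".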

  • Extending Expense Management Example in BPM Suite

    Hi All,
    I am a newbie for BPM Suite. I went through the expense management example.. Next, I would like to extend the example and integrate it with external resources like database and http server (apache tomcat will do).
    For eg, Can I store the list of participants in the database and retrieve them when I launch my workspace.
    I read about BPM Process API (PAPI), PBL, Fuego but I am not able to relate these. Can anyone please explain me how are they used in integration with BPM Suite ??? Next, How is BPEL Manager Used with BPM Suite ???
    I tried searching internet for tutorials/articles but was not able to find anything relevant.
    Kindly help...
    Many Thanks,
    Sophie

    Here are the steps:
    1. create an external source for your DB: right-click on External Resources -> New External Resource -> Type: SQL Database -> enter all necessary information on your DB (page 145 Oracle BPM StudioGuide)
    2. create a module: right-click on Catalog -> New -> Module -> enter name (page 167 Oracle BPM StudioGuide)
    3. catalog the external resource: right-click on the newly created Module -> Catalog Component -> SQL -> choose your ex. res.
    4. create a BPMObject according to your data structure you want to store.
    5. create a presentation based on this BPMObject
    6. use a BPM Object Interactive Call in your screenflow to display the form (presentation).
    7. implement an automatic activity (impl. type: method) and enter this SQL statement into the method (var1SF is my instance variable in the screenflow):
    INSERT INTO buch (id, titel, author, preis)
    VALUES (var1SF.id, var1SF.titel, var1SF.author, var1SF.preis)
    Have also a look at the thread:
    BPM and database interaction
    and consider Dan Atwood's answer (i couldn't implement it yet...) on reading data from the DB

  • Secure connection suddenly broken in SGD 4.6 on CentOS?

    hello all,
    since yesterday, it is broken, when the first is displayed, and i choose "Login", the sgd displays:
    Error Page
    The following exception was thrown
    and nothing else
    looking at the server, i notice this strange error:
    [root@nemo certs]# /opt/tarantella/bin/tarantella security certinfo --certfile ./cert-4607-my-site.fr.pem
    The certificate file doesn't exist.
    but i verified my files with openssl commands, and they are ok!
    i also noticed this kind of messages that happens often:
    Jan 24 22:05:07 nemo kernel: ttaxpe[19381]: segfault at 0000000000000008 rip 00000000080c2d4c rsp 00000000fff54400 error 4
    and in /opt/tarantella/var/log/error.log:
    2011/01/28 21:02:20.875 ssl10864 ssldaemon/socket/forwarderror
    Oracle Secure Global Desktop (4.6) ERROR:
    The Secure Global Desktop Security Daemon failed to create a socket connecting to the Secure Global Desktop server on port 443 on behalf of client 127.0.0.1:443.
    connect(11,127.0.0.1:443): (111) Connection refused ssldaemon/socket/forwarderror
    what can i do? Anybody can help or suggests something?
    thanks in advance
    gerard

    anybody here? Anybody has ever encountered this problem?
    i can reproduce it with an app server under solaris 10.
    I tried to restart all the processes without success.
    The only so-called workaround is to re-install everything :(
    gerard

  • How to extend secure network and guest network.

    Sorry if this has been covered but I couldn't find it.
    I have an Airport Extreme running the 7.6.3 firmware.  Once Comcast gets their act together it will be running off a static IP.  I want to wirelessly extend my guest WiFi and my secure WiFi.  What do I need to get this done?  Do I need to get an Express for each network? Or can another Extreme repeat both networks?  Eventually I hope we will have Cat5 running to the repeater's location but that could be a long way off.
    Thanks!

    I cannot get the web page to open when I do a search on the SMC8014, but it appears that this is a modem/router or gateway type of device.....which will not allow the Guest Network feature to be enabled on the AirPort Extreme.
    I did find this, which confirms that the SMC is a modem/router or gateway....not what you want.
    http://www.speedguide.net/routers/smc-smc8014-biz-business-cable-gateway--534
    The solution is to find out from SMC or your Internet Service Provider whether or not the 8014 can be configured to operate in "Bridge Mode".....which would then allow you to configure the AirPort Extreme to operate as the main router on the network. This would allow the Guest Network option on the AirPort Extreme to be enabled correctly.
    Or better yet.....ask your ISP for a simple modem.......not a modem/router or gateway type of device.
    So assuming this is all compatible (or I get compatible equipment),  I can extend both networks with 1 express or 1 extreme?
    That is correct.

  • USB-8451 examples broken in LV 2012

    I have a USB-8451 on order but it hasn't arrived yet.  I went ahead and downloaded and installed the driver software, NI-845x 2.0.  I am running LV 2012 (12.0.1f5 32-bit) and I didn't see any options for 2012 support in the installer, so I clicked the LV 2011 support and installed that.  That seems to have created one LLB file, ni845x.llb.
    I searched for examples using the 8451 but didn't find any (i.e. "Help --> Find examples" in LV 2012).  I searched NI support online and found SPI Execute Read of Shift Register.vi.  When I open it and point to the llb file to resolve references, the VI is broken.  All the sub-VIs are not executable.  The errors are 1) call lib. fcn. note contains unwired or bad terminal, 2) invalid refnum class, and 3) you have connected two terminals of different types.
    Why are these broken?  Does it have anything to do with the USB-8451 not actually being hooked up to my computer?

    Hi Vishak, 
    It may take some time for this to get fixed. I have resubmitted the request to have it fixed.
    2.1.2 is still the latest version of the driver. For future reference, the best place to find the most recent version of our drivers is at ni.com/drivers.
    Catherine B.
    Applications Engineer
    National Instruments

  • Reports Security API - example

    Hello!
    Has anyone tried to use Reports Server Security API? Where I can find an example?
    Thanks!

    It is not available yet. White paper and examples about security API will be published on OTN:
    http://otn.oracle.com/products/reports/apis/
    Currently you can find examples for data source and destination.
    Regards,
    Oracle Reports Team

  • 2011 9501 C-Series Example broken wire/property

    Hello,
    I'm trying to run the 2011 Position Control (open loop) example for the 9501 module, but it is showing a broken connection to the "Time Interval" property of the "Straight-Line Move" property node in the "Calculate Move Profile" VI. I've searched and the Time Interval property is not listed as a property of Straight-Line Move.
    I'm running 2011 Softmotion Standard, is this simply an issue of not having Premium, or is this an actual problem with the code that I can fix. If so any advice on where to start? Thanks

    Wandering, 
    As long as you have the Soft Motion and Real Time modules installed, there should be no reason why a broken wire should appear when the Calculate Move Profile.vi is opened. If the Real Time module is not installed, then every wire to this property node would be broken, not just the Time Interval. 
    This could indicate that a particular file or dll is missing. I would attempt to try a repair on the installation of both of these modules, restart your computer, and then see if the example opens up correctly. 
    If you are still able to use the 2010 example, you could easily fix this reported issue with the incorrect Mechanical Action by referring to this NI White Paper, and look at item #288167 under Axis Interface. This describes the simple work around necessary in order to fix this small error.
    Huntington W
    National Instruments
    Applications Engineer

  • Extending & securing my network using AX

    I have a 2Wire wireless modem at the house I've just moved in. Its encryption is WEP and I think it's easily guessable. I'd like to use my AirPort Express unit to extend this network and make it more secure using WAP2 as I had in my old house. Is that possible? How to?
    I tried to connect my AX to a nearby power outlet and even though AirPort Utility found it, I couldn't get beyond the orange blinking. I can see both networks (my AX and the 2Wire), but I can't connect to my AX. I can modify the AX configuration and everything, so maybe I'm doing something wrong?
    Thanks.
    JJ

    I'd like to use my AirPort Express unit to extend this network and make it more secure using WAP2 as I had in my old house. Is that possible?
    In order to extend the 2Wire's wireless network, you would have to configure both the 2Wire & AirPort Express Base Station (AX) into a Wireless Distribution System (WDS). Unfortunately, very few non-AirPort routers are WDS-compatible so it will be very unlikely that you will be able to extend the 2Wire with the AX.

  • OIM: Extending Security Outside of the Enterprise

    o.k., long story short, we have an installation of OIM 10.1.4 governing our enterprise security. we have many custom Java J2EE applications registered as Partner Applications on the domain, some using the SSO SDK, and others using MOD_OSSO. everything is working just fine within the enterprise, on our primary security domain. so, pretending our domain is "secure.com", we have "https://app1.secure.com", "https://anotherapp.secure.com", etc., and everyone is playing nicely together.
    however, as our company grows and expands, we are starting to get requests from external organizations to integrate via SSO with our security enterprise. again, they are outside of our enterprise, with completely different servers and applications, and would not / could not be on our "secure.com" domain. i don't know all the details, but their applications have their own internal user base, security, etc...
    now, i do understand there would be issues around synchronizing user stores, etc., but putting that aside for a minute... is there any way to "extend the reach" of our enterprise security (using Oracle technologies or other...), such that once someone has presented valid credentials on our "secure.com" server, i could return them to "othercompany.com" as a valid user...?
    obviously, i can think of Java code i could write that passes an encrypted value around, like Oracle does, but writing my own security code doesn't necessarily sound like a promising option, especially when experts have already written software like this.
    so, given a primary user store at our location, and federated user stores elsewhere on other domains, how might i extend our enterprise security and SSO infrastructure safely outside our network?
    thanks,
    .rich

    Hi rhoward,
    In most cases, I would say, from a practical standpoint, the answer to your question is "yes".
    I suppose that it might be possible to cobble together your own federation endpoint :)...
    The thing is that OASIS specifies a number of different "profiles" (=~usage scenarios), and some of them can get pretty complicated, with re-directs going all over the place.
    The benefit of using a commercial federation "product" would be that assuming you picked the right one, it would provide the pieces for all of the profiles that you need to support (I don't know which ones, because that will depend on what you need).
    It's been awhile since I've worked directly in the federation space, but there were basically 3 "players" awhile ago, Oracle (OIF), RSA (FIM) and Ping Identity. Sun had a federation product as part of their "FAM" product line, but I don't know what the status of that is now.
    So, it all depends on what you need. FYI, among the OASIS profiles, the XASP is probably the least complicated, basically just a request-response, but integrating that into a WAM can be a challenge.
    Jim
