HTTPOnly on Cookies

The security group at my company performed a web security scan (with WebInspect), and they found that Set-Cookie does not use the HTTPOnly keyword. They sent me a list of the URLs where they found this vulnerability (in fact, no page of my Global Payroll application uses this 'feature'). I think this "feature" is on the web server; I'm using PeopleTools 8.49.30 and WebSphere 6.1.0.23 (I tried to find where to activate it, but I didn't find it). Do you know how I can enable this "feature"?

Hi,
You can see document ID 985574.1 on Oracle Support for the answer.
This is a fragment of the document:
"PeopleSoft PIA does not support HTTPOnly for cookies. Enhancement request Bug:11521341 has been created with development to request this feature in a future PeopleTools release. This document will be updated when and if this enhancement becomes part of a tools release. As of now, it is still not part of PT 8.52."
It could be implemented in PT 8.53, but you have to wait until next year...
Regards,

Similar Messages

  • Unable to recreate JSESSIONID cookie in Internet Explorer

    Hello All,
    (Running CF Version: 9,0,0,251028, Windows 2008 Server, IIS-7)
    I am using the code below to expire the JSESSIONID cookie that is generated by CF, because CF does not set the "HTTPOnly" and "Secure" cookie attributes by default when the JSESSIONID is initially created. I am then recreating the JSESSIONID cookie with the required attributes.
    This works great for all browsers EXCEPT Internet Explorer!
    When the code below runs in Internet Explorer, the JSESSIONID cookie does expire as it should, as seen in the first line of the function below. However, the script after that fails to recreate the JSESSIONID in Internet Explorer. This is driving me nuts because it works like a charm in ALL other browsers.
    I am aware of the solution which involves setting these attributes in an XML configuration file on the CF server. However, that solution is not an option for me. I am forced to use the method below to set up my secure/httponly JSESSIONID cookie. Any ideas would be greatly appreciated!!!
    <cffunction name="OnSessionStart" output="false" access="public" description="I fix the sessionid">
        <cfcookie name="JSESSIONID" expires="now"/>
        <cfscript>
            var.HTTPOnly = "HTTPOnly";
            var.domain = cgi.server_name;
            var.path = "/";
            var.secure = "Secure;";
            var.response = getPageContext().getResponse();
            var.header = "JSESSIONID" & "=" & session.sessionid & ";domain=." & var.domain & ";path=" & var.path & ";" & var.secure & var.HTTPOnly;
            var.response.setHeader("SET-COOKIE", var.header);
        </cfscript>
        <cfreturn />
    </cffunction>

    Below is the responseHeader dump (from IE9).
    It looks exactly the same in Firefox and Chrome. However, a cfdump of the cookie scope will reveal (JSESSIONID=), nothing, zip, zilch, nada in IE9. Since the JSESSIONID cookie value is empty or null, a login attempt will result in a flash of the screen and the user is never logged in.
    A cfdump in Firefox and Chrome, on the other hand, happily displays a valid JSESSIONID cookie value and allows users to log in to my application just fine.
    (Note: The secure attribute is intentionally turned off due to my non-SSL dev PC.)
    Cache-Control: no-cache, no-store, must-revalidate
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Date: Sat, 10 Sep 2011 19:35:08 GMT
    Explanation: OK
    Http_Version: HTTP/1.0
    SET-COOKIE: (struct)
      1: JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;domain=.localhost;path=/;HTTPOnly
      2: JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;path=/
      3: JSESSIONID=;expires=Fri, 10-Sep-2010 19:35:08 GMT;path=/
    Server: JRun Web Server
    Status_Code: 200
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    expires: {ts '2011-09-10 15:35:08'}
    pragma: no-cache
    Thanks for the help!
    Neil
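An added example (not code from this thread, ColdFusion or PeopleSoft) that audits Set-Cookie headers the way the scanner in the opening question does, and then replays them into a browser-style store keyed by (name, domain, path), since a host-only cookie and a Domain cookie with the same name are separate cookies and only the surviving one matters. SAMPLE_HEADERS reuses the three JSESSIONID values from the IE9 dump above; the APPSESSION header is constructed for comparison.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.
Added example: SAMPLE_HEADERS holds the three JSESSIONID Set-Cookie values
from the IE9 header dump in the post plus one constructed cookie (APPSESSION).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

SAMPLE_HEADERS = [
    "JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;domain=.localhost;path=/;HTTPOnly",
    "JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;path=/",
    "JSESSIONID=;expires=Fri, 10-Sep-2010 19:35:08 GMT;path=/",
    "APPSESSION=constructed-value; Path=/; Secure; HttpOnly",  # constructed, not from the page
]

# Identity of a cookie in the browser store: (name, domain or None for host-only, path)
Identity = Tuple[str, Optional[str], str]


def _is_past(expires: str) -> bool:
    """True if an Expires value lies in the past; unparsable dates count as not past."""
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when < datetime.now(timezone.utc)


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie value; attribute names are case-insensitive (HTTPOnly == HttpOnly)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value, "domain": None, "path": "/",
              "httponly": False, "secure": False, "expired": False, "raw": header}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower() or None  # RFC 6265 drops the leading dot
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "expires":
            cookie["expired"] = _is_past(val)
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie["expired"] = int(val) <= 0
    return cookie


def missing_flags(cookie: dict, require_secure: bool = True) -> List[str]:
    """Attributes a scanner would flag on this header (Secure only when the site is HTTPS)."""
    missing = []
    if not cookie["httponly"]:
        missing.append("HttpOnly")
    if require_secure and not cookie["secure"]:
        missing.append("Secure")
    return missing


def scan_headers(headers: List[str], require_secure: bool = True) -> List[Tuple[str, List[str]]]:
    """Scanner view: every live (non-expired) Set-Cookie header and what it lacks."""
    return [(c["raw"], missing_flags(c, require_secure))
            for c in map(parse_set_cookie, headers) if not c["expired"]]


def effective_store(headers: List[str]) -> Dict[Identity, dict]:
    """Browser view: apply headers in order; same identity overwrites, an expired one deletes.
    A host-only cookie and a Domain cookie of the same name are different entries.
    """
    store: Dict[Identity, dict] = {}
    for cookie in map(parse_set_cookie, headers):
        identity: Identity = (cookie["name"], cookie["domain"], cookie["path"])
        if cookie["expired"]:
            store.pop(identity, None)
        else:
            store[identity] = cookie
    return store


def report(headers: List[str], require_secure: bool = True) -> List[str]:
    """One finding line per cookie that survives in the browser store."""
    lines = []
    for (name, domain, path), cookie in effective_store(headers).items():
        scope = f"domain={domain}" if domain else "host-only"
        missing = missing_flags(cookie, require_secure)
        lines.append(f"{name} ({scope}, path={path}): "
                     + ("missing " + ", ".join(missing) if missing else "ok"))
    return lines
```

Run `report(SAMPLE_HEADERS, require_secure=False)` to mirror the non-SSL dev setup described in the post, where only HttpOnly is expected.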

  • ACE : Stickiness with static cookies problem

    Hi Gilles
    I am restarting the conversation as a question to clarify the situation:
    I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load-balanced to the second server when returning from HTTPS to HTTP:
    It seems that the ACE ignores the static entries!
    To make my question clear, I repeat hereafter the setup and the encountered problem:
    Here is the setup:
    An ACE load balances user requests on two Apache servers
    cookie-insert is used to stick a user to one Apache server
    The home page is accessed via HTTP on port 80
    On the home page, there is a link allowing the user to log in
    The login process uses SSL
    During the login, backend SSL is required between the ACE and the selected Apache server
    The login is a POST request to the Apache server
    After a successful login, the home page is reloaded on port 80 and the name of the user should appear at the top of the page
    The ACE configuration:
    Two sticky groups are configured: one for HTTP access and another for HTTPS access
    Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
    In the ECOM_STICKY_TEST_HTTP sticky group the two following cookies are automatically generated:
    R105816849   for the server HQCHECOM01
    R105852786   for the server HQCHECOM02
    In the ECOM_STICKY_TEST_HTTPS sticky group the two following cookies are automatically generated:
    R355972695   for the server HQCHECOM01
    R357158616   for the server HQCHECOM02
    I statically configured in each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa:
    sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
      cookie insert browser-expire
      timeout 240
      replicate sticky
      serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
      56 static cookie-value "R355972695" rserver HQCHECOM01
      64 static cookie-value "R357158616" rserver HQCHECOM02
    sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
      cookie insert browser-expire
      timeout 240
      replicate sticky
      serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
      72 static cookie-value "R105816849" rserver HQCHECOM01
      80 static cookie-value "R105852786" rserver HQCHECOM02
    serverfarm host ECOM_FARM_TEST_HTTP
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 80
       inservice
      rserver HQCHECOM02 80
       inservice
    serverfarm host ECOM_FARM_TEST_HTTPS
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 443
       inservice
      rserver HQCHECOM02 443
       inservice
    The problem:
    Let's analyse the sequence of events and the value of the HTTP cookie for each of them:
    When the home page is originally loaded, the ACE selects SERVER-1
    The ACE inserts the cookie "A" in the server responses
    The user is stuck to SERVER-1
    Then, the user tries to log in and an SSL session is established with the ACE
    The user sends a POST request containing the cookie "A"
    A backend SSL session is established with SERVER-1
    The POST request is forwarded to SERVER-1
    SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
    The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
    The ACE sees the cookie "B" and should use the static cookie entry to select SERVER-1
    But instead, the ACE performs another load balancing decision and selects SERVER-2!
    The page is reloaded, but the name of the user does not appear on it
    LiveHTTP trace on Firefox:
    GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
    Host: ecom.test.toto.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://ecom.test.toto.com/uk/en/home
    Cookie: STICKED-TO=R105816849;
    HTTP/1.1 200 OK
    Set-Cookie: STICKED-TO=R105816849; path=/
    Date: Mon, 18 Oct 2010 15:31:37 GMT
    Server: Apache/2.2.13 (Red Hat)
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: image/jpeg
    Here we switch to HTTPS:
    https://ecom.test.toto.com/uk/en/j_spring_security_check
    POST /uk/en/j_spring_security_check HTTP/1.1
    Host: ecom.test.toto.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://ecom.test.toto.com/uk/en/home
    Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 75
    spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
    Here we see the cookie for the same server but for the HTTPS sticky group:
    HTTP/1.1 302 Moved Temporarily
    Set-Cookie: STICKED-TO=R355972695; path=/
    Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
    Date: Mon, 18 Oct 2010 15:31:39 GMT
    Server: Apache/2.2.13 (Red Hat)
    Location: http://ecom.test.toto.com/uk/en/home
    Content-Length: 0
    Connection: close
    Content-Type: text/plain; charset=UTF-8
    Here we switch back to HTTP:
    http://ecom.test.toto.com/uk/en/home
    GET /uk/en/home HTTP/1.1
    Host: ecom.test.toto.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://ecom.test.toto.com/uk/en/home
    Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
    Here we see that the second server has been wrongly selected!
    HTTP/1.1 200 OK
    Set-Cookie: STICKED-TO=R105852786; path=/
    Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
    Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
    Date: Mon, 18 Oct 2010 15:31:40 GMT
    Server: Apache/2.2.13 (Red Hat)
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, no-store
    Content-Language: en-GB
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html;charset=UTF-8
    http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
    GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
    Host: ecom.test.toto.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://ecom.test.toto.com/uk/en/home
    Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
    HTTP/1.1 200 OK
    Set-Cookie: STICKED-TO=R105852786; path=/
    Date: Mon, 18 Oct 2010 15:31:40 GMT
    Server: Apache/2.2.13 (Red Hat)
    Content-Length: 382
    Connection: close
    Content-Type: image/gif
    Hypothesis:
    It seems that the static entries are not considered by the ACE...

    Yves,
    You have to specify the destination port:
    56 static cookie-value "R355972695" rserver HQCHECOM01 80
    64 static cookie-value "R357158616" rserver HQCHECOM02 80
    serverfarm host ECOM_FARM_TEST_HTTP
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 80
       inservice
      rserver HQCHECOM02 80
       inservice
    Gilles.

  • ACE : Stickiness problem with http cookies

    Hi,
    I am facing a serious problem with stickiness in an e-commerce configuration.
    Here is the setup:
    An ACE load balances user requests on two Apache servers
    cookie-insert is used to stick a user to one Apache server
    The home page is accessed via HTTP on port 80
    On the home page, there is a link allowing the user to log in
    The login process uses SSL
    During the login, backend SSL is required between the ACE and the selected Apache server
    The login is a POST request to the Apache server
    After a successful login, the home page is reloaded on port 80 and the name of the user should appear at the top of the page
    The ACE configuration:
    Two sticky groups are configured: one for HTTP access and another for HTTPS access
    Two server farms are defined, both using the same real servers, but with different ports (80 and 441)
    sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
      cookie insert browser-expire
      timeout 240
      replicate sticky
      serverfarm ECOM_FARM_TEST_HTTP
    sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
      cookie insert browser-expire
      timeout 240
      replicate sticky
      serverfarm ECOM_FARM_TEST_HTTPS
    serverfarm host ECOM_FARM_TEST_HTTP
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 80
       inservice
      rserver HQCHECOM02 80
       inservice
    serverfarm host ECOM_FARM_TEST_HTTPS
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 443
       inservice
      rserver HQCHECOM02 443
       inservice
    The problem:
    Let's analyse the sequence of events and the value of the HTTP cookie for each of them:
    When the home page is originally loaded, the ACE selects SERVER-1
    The ACE inserts the cookie "A" in the server responses
    The user is stuck to SERVER-1
    Then, the user tries to log in and an SSL session is established with the ACE
    The user sends a POST request containing the cookie "A"
    A backend SSL session is established with SERVER-1
    The POST request is forwarded to SERVER-1
    SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
    The client browser reloads the page on port 80 and provides the cookie "B" (the last received)!!
    The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
    The ACE performs another load balancing decision and selects SERVER-2! (instead of SERVER-1)
    The page is reloaded, but the name of the user does not appear on it
    The question:
    As it is not possible to have only one sticky group in this configuration, what would be the solution to make sure that the same server is selected for HTTP and HTTPS?
    Thank you for any hints,
    Yves


  • Jabber login issue

    Hi
    I have recently deployed Expressway Edge 8.1.1 with CUCM 9.1.2 and CUPS 9.1.1. However, when I try to log in via the internet using Jabber 9.7.2, it returns the error "username or password wrong". From the log in Expressway-Core, I can see the log below
    (192.168.121.32 is the IP address of my CUCM; the username is zhangzr)
    2014-06-19T22:08:08+08:00 EXPC edgeconfigprovisioning UTCTime="2014-06-19 14:08:08,603" Module="network.http.edgeconfigprovisioning" Level="DEBUG" Action="Received" Request-url="https://192.168.121.32:8443/cucm-uds/clusterUser?username=zhangzr" 
    HTTPMSG:
    |HTTP/1.1 200 OK
     Date: Thu, 19 Jun 2014 14:08:08 GMT
     X-Frame-Options: SAMEORIGIN
     Content-Type: application/xml
     Server: 
     <?xml version="1.0" encoding="UTF-8" standalone="yes"?><clusterUser uri="https://192.168.121.32:8443/cucm-uds/clusterUser?username=zhangzr" version="9.1.2"><result version="9.1.2" uri="https://192.168.121.32:8443/cucm-uds/user/zhangzr" found="true"/><homeCluster>192.168.121.32</homeCluster></clusterUser>
     |
    2014-06-19T22:08:08+08:00 EXPC edgeconfigprovisioning UTCTime="2014-06-19 14:08:08,604" Module="network.http.edgeconfigprovisioning" Level="DEBUG" Action="Send" Url="https://192.168.121.32:8443/cucm-uds/user/zhangzr/devices" 
    HTTPMSG:
    |GET //192.168.121.32:8443/cucm-uds/user/zhangzr/devices HTTP/1.1
     Authorization: <CONCEALED>
     |
    2014-06-19T22:08:08+08:00 EXPC ssh: Event="sshd" Module="openssh" Level="INFO"  Detail="Allocated port 34882 for remote forward to localhost:8443" UTCTime="2014-06-19 14:08:08"
    2014-06-19T22:08:08+08:00 EXPC ssh: Event="sshd" Module="openssh" Level="INFO"  Detail="RSA+cert host key for IP address '192.168.121.31' not in list of known hosts." UTCTime="2014-06-19 14:08:08"
    2014-06-19T22:08:08+08:00 EXPC ssh: Event="sshd" Module="openssh" Level="INFO"  Detail="Authenticated to expe.gdhwater.com ([192.168.121.31]:2222)." UTCTime="2014-06-19 14:08:08"
    2014-06-19T22:08:08+08:00 EXPC edgeconfigprovisioning UTCTime="2014-06-19 14:08:08,872" Module="network.http.edgeconfigprovisioning" Level="DEBUG" Action="Received" Request-url="https://192.168.121.32:8443/cucm-uds/user/zhangzr/devices" 
    HTTPMSG:
    |HTTP/1.1 403 Forbidden
     Set-Cookie: JSESSIONIDSSO=A2FB5364EB77D11136697ABAC436EE78; Path=/; Secure; HttpOnly
     Set-Cookie: JSESSIONID=588E4DCBE1165A82680BFF3BDD6A865B; Path=/cucm-uds/; Secure; HttpOnly
     Expires: Thu, 01 Jan 1970 07:00:00 CST
     Server: 
     Cache-Control: private
     Date: Thu, 19 Jun 2014 14:08:08 GMT
     Content-Type: text/html;charset=utf-8
     <!-- custom Cisco error page --><html>    <head>        <title>            Cisco System - Error report        </title>        <style type="text/css">            a {                color: #316984;                text-decoration: none;            }            a:hover {                color: #316984;                text-decoration: underline;            }            a:visted {                color: #316984;                text-decoration: none;            }            body {                background-attachment: fixed;                background-color: #ffffff;                background-repeat: no-repeat;                color: #316984;                font-family: arial,helvetica,sans-serif;            }            #content {                border: 1px solid #d6d7d6;                font-size: 93.5%;                margin: 0px 10% 30px 10%;            }            #content-header {                background-color: #eeeeee;                b
    order-bottom: 1px solid #666666;                color: #666666;                font-size: 124.5%;                padding: 5px 15px 5px 15px;            }            #copyright {                font-size: 75%;                margin: 0px 10% 0px 10%;                padding: 3px 0px 0px 0px;                text-align: right;            }            img {                display: block;                margin: 0px 0px 20px 0px;            }            #logo {                margin: 30px 10% 0px 10%;            }            p {                padding: 5px 15px 5px 15px;            }            pre {                padding: 5px 15px 5px 30px;            }        </style>    </head>    <body>        <div id="logo">            <img src="/ciscologo.gif" alt="Cisco Systems, Inc." />        </div>        <div id="content">            <div id="content-header">HTTP Status 403 - Access to the requested resource has been denied            </div>            <p>                <b>                    type:               </b> Status report            </p>            <p>                <b>message:               </b> Access to the requested resource has been denied            </p>            <p>                <b>description:               </b> Access to the specified resource has been forbidden.            </p>        </div>    </body></html>
     |2014-06-19T22:08:08+08:00 EXPC edgeconfigprovisioning: Level="INFO" Detail="Failed to authenticate user against server" Username="zhangzr" Server="('https', '192.168.121.32', 8443)" Reason="<twisted.python.failure.Failure <type 'exceptions.Exception'>>" UTCTime="2014-06-19 14:08:08,874"
    2014-06-19T22:08:08+08:00 EXPC edgeconfigprovisioning: Level="INFO" Detail="All attempts to authenticate user failed" Username="zhangzr" UTCTime="2014-06-19 14:08:08,875"
    Can anyone see what the problem is from the log? Should we upload a jabber-config.xml for remote access to CUCM so that we can authenticate? Or is there any other reason causing such a problem?

    Hi,
    I have exactly the same issue running exactly the same CUCM and CUPS versions.
    I am running Expressway 8.2 and Jabber client 9.7.4.
    My log files show the same as yours, but I don't see any incorrect username or password statements.
    Internally the clients work fine; externally they seem to parse both Expressway servers and return the internal CUPS and CUCM addresses in the log files. Then the client responds with "Cannot communicate with the server" and logging stops.
    Anyone got any pointers?

  • Error: Your request can't be completed right now. Please try again later.

    I have an MS Exchange 2007 - 2013 CU3 coexistence at two sites connected by a VPN link.
    OWA and Outlook work fine for mailboxes on the 2007 server. OWA does not work for mailboxes on the 2013 server; however, Outlook connects fine to any mailbox on the 2013 server.
    Here is what happens with OWA.
    Users (moved from 2007 or created on 2013) can log in to OWA and see their mailbox folder structure and messages, but when they click on any email they get "Error: Your request can't be completed right now. Please try again later." instead of the message body. When they try to create a new message via OWA, GAL lookup does not seem to be working; everyone gets "Error: The message can't be sent because at least one recipient isn't valid."
    I can't see any errors in the application event viewer logged during the OWA session.
    The HTTP log has the following error codes: 241, 242, 302, 401, 403, 405, 500.
    I am not sure at this point, but I think 405 is the HTTP error that can be associated with the errors displayed in OWA:
    date: 11/28/2013
    time: 18:01:02
    s-ip: 192.168.1.1
    cs-method: POST
    cs-uri-stem: /owa/service.svc
    cs-uri-query: action=GetConversationItems&UA=0
    s-port: 444
    cs-username: DOMAIN\chukcha
    c-ip: 192.168.1.113
    cs(User-Agent): Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko
    cs(Referer): https://EXCHANGE2013/owa/#path=/mail
    Any suggestions on troubleshooting this problem? 

    I did some additional troubleshooting with a network analyzer. The error message that gets logged in the IIS logs is not what's being sent to the client.
    [Client]
    POST /owa/service.svc?action=GetConversationItems&UA=0 HTTP/1.1
    Accept: */*
    X-Requested-With: XMLHttpRequest
    Action: GetConversationItems
    Content-Type: application/json; charset=utf-8
    X-OWA-CANARY: X-OWA-CANARY_cookie_is_null_or_empty
    X-OWA-Attempt: 1
    X-OWA-ActionId: -57
    X-OWA-CorrelationId: 8515b843-9c69-4531-8674-f6b5e7809e9e_138566716478556
    X-OWA-ClientBegin: 2013-11-28T19:32:44.785
    Referer: https://EXCHANGE2013/owa/#path=/mail
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
    Host: EXCHANGE2013
    Content-Length: 1303
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: X-BackEndCookie .....................REMOVED..........................
    {"__type":"GetConversationItemsJsonRequest:#Exchange","Header":{"__type":"JsonRequestHeaders:#Exchange","RequestServerVersion":"Exchange2012","TimeZoneContext":{"__type":"TimeZoneContext:#Exchange","TimeZoneDefinition":{"__type":"TimeZoneDefinitionType:#Exchange","Id":"Eastern Standard Time"}}},"Body":{"__type":"GetConversationItemsRequest:#Exchange","Conversations":[{"__type":"ConversationRequestType:#Exchange","ConversationId":{"__type":"ItemId:#Exchange","Id":"AAQkADg1MTViODQzLTljNjktNDUzMS04Njc0LWY2YjVlNzgwOWU5ZQAQAHZFTFsN5EeHqAKB00zcFrs="},"SyncState":""}],"ItemShape":{"__type":"ItemResponseShape:#Exchange","BaseShape":"IdOnly","FilterHtmlContent":true,"BlockExternalImagesIfSenderUntrusted":true,"AddBlankTargetToLinks":true,"ClientSupportsIrm":true,"InlineImageUrlTemplate":"data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAEALAAAAAABAAEAAAIBTAA7","MaximumBodySize":2097152,"InlineImageUrlOnLoadTemplate":"InlineImageLoader.GetLoader().Load(this)","InlineImageCustomDataTemplate":"{id}"},"ShapeName":"ItemPartUniqueBody","SortOrder":"DateOrderDescending","MaxItemsToReturn":20,"FoldersToIgnore":[{"__type":"FolderId:#Exchange","ChangeKey":"AQAAAA==","Id":"AAMkADg1MTViODQzLTljNjktNDUzMS04Njc0LWY2YjVlNzgwOWU5ZQAuAAAAAABFVn93oA4MSKtu0usRdmN7AQClJKxCwbCpQq7y7C/rPhKtAAABXjCJAAA="}]}}
    [Server]
    HTTP/1.1 500 Internal Server Error
    Cache-Control: no-cache, no-store
    Pragma: no-cache
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8
    Expires: -1
    Server: Microsoft-IIS/8.5
    request-id: 230bdffb-ae8f-4d6e-968f-8902b634cc36
    X-CalculatedBETarget: EXCHANGE2013.DOMAIN.local
    X-Content-Type-Options: nosniff
    X-OWA-Version: 15.0.775.32
    X-OWA-Error: Microsoft.Exchange.Data.Storage.TooManyObjectsOpenedException
    X-OWA-CorrelationId: 8515b843-9c69-4531-8674-f6b5e7809e9e_138566716478556
    X-OWA-ClientBegin: 2013-11-28T19:32:44.785
    X-FrontEnd-Begin: 2013-11-28T14:32:44.781
    X-BackEnd-Begin: 2013-11-28T14:32:44.784
    X-FrontEnd-Handler-Begin: 2013-11-28T14:32:44.782
    X-BackEnd-End: 2013-11-28T14:32:44.800
    X-DiagInfo: EXCHANGE2013
    X-BEServer: EXCHANGE2013
    X-UA-Compatible: IE=EmulateIE7
    X-AspNet-Version: 4.0.30319
    Set-Cookie: UC=8c348df144034474a37cbc553448fd87; path=/; secure; HttpOnly
    Set-Cookie: ...................REMOVED..........................
    expires=Thu, 28-Nov-2013 19:42:44 GMT; path=/owa; HttpOnly
    X-FrontEnd-End: 2013-11-28T14:32:44.801
    X-Powered-By: ASP.NET
    X-FEServer: EXCHANGE2013
    Date: Thu, 28 Nov 2013 19:32:44 GMT
    3f
    A problem occurred while you were trying to use your mailbox. 
    0

  • APEX 5.0 Upgrade from 4.2 successful but APEX doesnt work

    Hi,
    I just upgraded to APEX 5.0 from 4.2.
    The upgrade process completed without errors.
    But when I try to go to the admin page (like http://apexserver/pls/apex/apex_admin ), the browser shows this:
    X-ORACLE-IGNORE: IGNORE X-ORACLE-IGNORE: IGNORE X-ORACLE-IGNORE: IGNORE X-ORACLE-IGNORE: IGNORE Content-Type:text/html; charset=utf-8 Cache-Control:no-store Pragma:no-cache Expires:Sun, 27 Jul 1997 13:00:00 GMT Set-Cookie:ORA_WWV_USER_61817374465583=ORA_WWV-mKS9zsXl3aEGSO7yn9sMhAo-; path=/pls/apex; HttpOnly Set-Cookie:ORA_WWV_RAC_INSTANCE=1; path=/pls/apex; HttpOnly Status:302 Location:f?p=4550:10:12821611738183:::::
    If I try to start an application (like http://apexserver/pls/apex/f?p=110) it shows this:
    X-ORACLE-IGNORE: IGNORE X-ORACLE-IGNORE: IGNORE X-ORACLE-IGNORE: IGNORE X-ORACLE-IGNORE: IGNORE Status:302 Location:f?p=110:1::::::
    The web server is IIS with Thoth-Gateway.
    Does anyone know the reason for these error messages?
    thanks,
    Marco

    Hi Marco W.,
    The web server is IIS with Thoth-Gateway.
    Does anyone know the reason for these error messages?
        The upgrade is successful because it has nothing to do with the web server; it only upgrades the database objects.
        This may be because you are not using a web server recommended by Oracle.
        Refer: https://docs.oracle.com/cd/E59726_01/install.50/e39144/overview.htm#HTMIG367
        There may be a change in how APEX 5.0 handles HTTP requests that is not supported by IIS.
        Moreover, the developer of Thoth-Gateway (Morten Braten) may have developed it with APEX 4 in mind.
        Switch to the Oracle-supported web server options given above, which will resolve your issue.
        Hope this helps!
    Regards,
    Kiran

  • OAM 11g throws error when user store is changed

    We have OAM 11g integrated with OIF 11g as the SP. We need to change the OAM User store from OID to OVD. I added a new User store in the OAM console and set that as the default store. In the OAM console, under System Configuration -> Common Configuration -> Data Stores -> User Identity Stores, I added the OVD repository we want to use and set it as the default store. When I make this change in OAM data stores, OAM throws an error.
    On the browser I see the error: System error. Please re-try your action. If you continue to get this error, please contact the Administrator.
    In the OAM diagnostic logs, I see the following errors:
    [2012-08-11T08:37:27.016-04:00] [oam_server1] [ERROR] [OAMSSA-20005] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Error initializing User/Role API : null.
    [2012-08-11T08:37:27.021-04:00] [oam_server1] [WARNING] [OAMSSA-20007] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Unable to connect to the User Store. User Store may not be initialized : Error initializing User/Role API : null..
    [2012-08-11T08:37:27.021-04:00] [oam_server1] [ERROR] [OAMSSA-12126] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Cannot assert the username from DAP token.
    The user exists in OVD and appropriate attributes have been set.
    Comparing the trace for the two, in the OID trace, I see a 302 for the URL at /oam/server/dap/cred_submit. In the OVD trace, I see a 200 for the same URL.
    Following is a successful request when OID is set as the default user store:
    GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEVGMzBGMUJFRTdGRkM0NjQxREFFQn5GODdEQjFEMjczMjZCQjFCQTZEQTlDQTI5RDA3RTA0QTQ2OThEQzdEfjRCMDk0OUE1RjgyNjcwRkU2M0E3OTM5QjI1OTlCMzdEfmRiYzEzMDFiMWMxOTFiMDA5ZmM3YWM5MTFjNjM5MDhjNTgwMzZjMzYyZDZhZTQ3OTY5ZGRiNTllYmVlMTUwMjkxYTY4MzQwZjU2ZGEwMmNhMmE4YTM0YWUwNmUxMjY4MzE5NmFkNjM4YzIwOTliMWZmM2NmZTRhMjYyYmU2N2M1MDEwYWY5OWFmOWU1NTg5NGIyYTVjYWRkOGRlMDI5NjVjN2I2YzM5YTJjMDU1NmU5OTJkMzU4Y2RlYzAxNmU4MWZjMDRiYjFjM2RhYTAzYzliNDIwNjQzOTZlNzZlMzZhOTMwZjI4YTAyMzdmMTI1NjVjOTcwYTk1NzFkZDMzNzQ%3D HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Referer: http://hostname.idpdomain.com/fed/user/?refid=id-5RtbGMaw6NfaaPUgth-wxZwxY5Q-
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: hostname.spdomain.com:14101
    Connection: Keep-Alive
    Cache-Control: no-cache
    HTTP/1.1 302 Moved Temporarily
    Connection: close
    Date: Sat, 11 Aug 2012 12:42:32 GMT
    Transfer-Encoding: chunked
    Location: https://www.google.com
    Set-Cookie: OAM_ID=VERSION_4~8u5oPtHwZW/uJbd8ybw87A==~I2VDurl3pyBxQdHBmwHXXu5AabtNgaGcQx1FJ6v3sVzuoU0WOvMyDi40pizUWNrSIUkCIrl7Fc6cumRyKUAU0yHSHEtzwtiGO3bmiC7rOXKglLnO9Iw0eNUATA1AuJ7m9a6JxE5fX2vDFDYzk/H9eK5/74mO9TKNP0HTcKF6NzEluuTT3sRlQH3dAzBhPouTCO6yMmd00SmQEhrQxCpUc+ec78GFQgfKrE+6mDNTFSO9gHEB0JQ+xzGzzsr34BDCTB2FC41d0Q3tTGXANSHHRg==; path=/; secure; HttpOnly
    Set-Cookie: OAM_REQ=invalid; path=/; secure; HttpOnly
    X-ORACLE-DMS-ECID: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000042d
    X-Powered-By: Servlet/2.5 JSP/2.1
    Following is a failed request when OVD is set as the default user store:
    GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEVGMjRDREUyNUU4QTI1REUwMzVGM344MzRCNTU5RTNCREM1MjFBMjFBRDQ4MTBBNjMzMTI5QzM0MUU5RjI5fjA4ODY1M0JENjg1ODk1MTZDNUVGQjU0NTYwRjg5OEREfjYyMWE3NzhjMzUwMmVhODQ5MWRkMGIyYTBkYmM1MGU0ZDlmZTA0ZjE1NDBhMDVkOGM3ZWIwOGUzNGY3ZDhiNTBhMTNkMjY0MDliMGZmMmY2MzJjZGZjM2UzNzgzNzQ3YzM3OTIwYjlkMmNhZWY0ZDQ2M2MyYzE1NWM2MDkxMjI4MjU0NTEyZDIzODU3NTBlZjI4MjRlZTAzOWFkYmMxYTVmZWE3NTk5NTRlMGY3NTkyNjE5YTRkM2U3OTczZjZiMThmYzgxODg2MzM3ZDg5NzQ2NWUxYmZhNThjOGVmN2VhZmI5OGRiMDNiZmJmZGJjOWUzZmNjYTU1N2U5OWVjMDQ%3D HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Referer: http://hostname.idpdomain.com/fed/user/?refid=id-R5gYcX-W8o6-bQSR2IIYdkQLLKA-
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: hostname.spdomain.com:14101
    Connection: Keep-Alive
    Cache-Control: no-cache
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store
    Date: Sat, 11 Aug 2012 12:37:26 GMT
    Pragma: no-cache
    Content-Length: 2051
    Content-Type: text/html; charset=UTF-8
    Expires: 0
    Set-Cookie: OAM_JSESSIONID=0VksQmSHwhpr2vT33Kq1ZgqWgxrtk2BXxpr4PgmL1LwThMxYSlKQ!-450564370; path=/; HttpOnly
    X-ORACLE-DMS-ECID: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f
    X-Powered-By: Servlet/2.5 JSP/2.1

    Hi AV,
    We had the same problem.
    The reason was a wrong definition in customizing:
    Partner Processing -> Define Partner Determination Procedure -> User Interface Settings
    There, for the relevant procedure, we had to define this sequence of functions:
    1. Activity Partner
    2. Contact Partner
    3. Employee Responsible
    4. Sales Representative
    Regards
    Meinrad

  • Office 365 API, error: The token has invalid value 'roles' for the claim type ''

    Hi guys,
    I am trying to develop a Daemon / Server application using the new Office 365 APIs. I have added a new application to Azure Active Directory. I am using cURL + the app ID and secret to get a JWT token, this is the exact request:
    curl -X POST https://login.windows.net/TENANT_KEY/oauth2/token \
    -F redirect_uri=http://spreadyDaemon \
    -F grant_type=client_credentials \
    -F resource=https://outlook.office365.com/ \
    -F client_id=XXXX \
    -F client_secret=XXXX=
    I get back a JWT, however it has no scopes for access set. Here are the decoded JWT claims:
    "ver": "1.0",
    "aud": "https://outlook.office365.com/",
    "iss": "https://sts.windows.net/TENANT_KEY/",
    "oid": "17fa33ae-a0e9-4292-96ea-24ce8f11df21",
    "idp": "https://sts.windows.net/TENANT_KEY/",
    "appidacr": "1",
    "exp": 1415986833,
    "appid": "XXXX",
    "tid": "e625eb3f-ef77-4c02-8010-c591d78b6c5f",
    "iat": 1415982933,
    "nbf": 1415982933,
    "sub": "17fa33ae-a0e9-4292-96ea-24ce8f11df21"
    Therefore when I do a request to the exchange API endpoint I get the following response:
    HTTP/1.1 401 Unauthorized
    Cache-Control: private
    Server: Microsoft-IIS/8.0
    request-id: d08d01a8-7213-4a13-a598-08362b4dfa70
    Set-Cookie: ClientId=WDALDNO0CAIOOZDZWTA; expires=Sat, 14-Nov-2015 16:40:59 GMT; path=/; HttpOnly
    X-CalculatedBETarget: am3pr01mb0662.eurprd01.prod.exchangelabs.com
    x-ms-diagnostics: 2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"
    X-DiagInfo: AM3PR01MB0662
    X-BEServer: AM3PR01MB0662
    X-AspNet-Version: 4.0.30319
    Set-Cookie: exchangecookie=6bf68da033684824af21af3b0cdea6e3; expires=Sat, 14-Nov-2015 16:40:59 GMT; path=/; HttpOnly
    Set-Cookie: [email protected]=[email protected]4Wbno2ajNGQkZKWnI2QjJCZi9GckJKBzc/Oy9LOzdLOy6vOycXLz8XKxoGaio2PjZvPztGPjZCb0ZqHnJeekZiak56djNGckJI=; expires=Sun, 14-Dec-2014 16:40:59 GMT; path=/EWS; secure; HttpOnly
    Set-Cookie: [email protected]=[email protected]4Wbno2ajNGQkZKWnI2QjJCZi9GckJKBzc/Oy9LOzdLOy6vOycXLz8XKxg==; expires=Sun, 14-Dec-2014 16:40:59 GMT; path=/EWS; secure; HttpOnly
    X-Powered-By: ASP.NET
    X-FEServer: DB4PR02CA0026
    WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
    Date: Fri, 14 Nov 2014 16:40:59 GMT
    Content-Length: 0
    I have asked a stack overflow question here: http://stackoverflow.com/questions/26950838/office-365-api-error-the-token-has-invalid-value-roles-for-the-claim-type
    Any help on the matter will be hugely appreciated, thanks!
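    Decoding the token's claims before calling the API is the quickest way to confirm what the x-ms-diagnostics header above reports: the claim set carries no roles claim at all. The Python below is an added example, not part of the original post or of any Microsoft library. The token it inspects is constructed from the claim set shown in the question with a placeholder signature; the decoder does not verify signatures, so this is a diagnostic step for a token you already hold, never an authorization decision.

```python
"""Inspect the claims of a JWT (without signature verification) to see why a
resource server rejects it, as a diagnostic step before calling the API."""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT.

    The signature (third segment) is NOT checked here. Use this only to
    look at a token you obtained yourself; a resource server must always
    verify the signature before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(claims: dict, required) -> list:
    """Names of the required claims that are absent, in the order given."""
    return [name for name in required if name not in claims]


def make_sample_token(claims: dict) -> str:
    """Build a constructed token for offline use (assumption: real tokens
    from login.windows.net are RS256-signed; the signature here is a
    placeholder string and would fail verification)."""
    header = {"typ": "JWT", "alg": "RS256"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}.placeholder-signature"


# Constructed sample: the claim set shown in the question (no 'roles' claim).
SAMPLE_CLAIMS = {
    "ver": "1.0",
    "aud": "https://outlook.office365.com/",
    "iss": "https://sts.windows.net/TENANT_KEY/",
    "appidacr": "1",
    "exp": 1415986833,
    "appid": "XXXX",
    "iat": 1415982933,
    "nbf": 1415982933,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    # A daemon calling the Exchange API needs application permissions, which
    # show up as a 'roles' claim; this token has none, matching the 401.
    print("audience:", claims["aud"])
    print("missing:", missing_claims(claims, ["aud", "roles"]))
```

    Run it against a real token by passing the access_token string from the token endpoint response to decode_jwt_claims; an empty missing list for ["aud", "roles"] is the precondition for a client_credentials call to succeed, not a guarantee of it.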

    Hi Manu,
    To wrap this thread up; I have had an answer on stack overflow.
    It appears that currently the grant type client_credentials is not supported, according to a comment on this blog post by Matthias: http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx
    "There is no way in the code flow to avoid username/password. We're working on a client credential flow for later this fall that will give you the functionality required to run background services. For this you will not need a username/password, but the application will directly assert its identity and authenticate as itself."
    Unfortunately I require client_credentials for a daemon process; Q4 is the scheduled release for support for this grant type.
    Thanks for the help,
    Nick

  • Problem with ebay

    Hello.
    When I try to open some feedback I have this error:
    Set-Cookie: s=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**;Domain=.ebay.co.uk;Path=/; HttpOnly
    Set-Cookie: nonsession=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*; Domain=.ebay.co.uk; Expires=Sun, 29-Jun-2014 01:08:23 GMT; Path=/
    Set-Cookie: secses=BAQAAAT9zetnMAAaAAUsAF1OvZwc1MWNlMzMwZS4zLjEuOC43OC4wLjAuMrOJEehxcax+6xhuNTHX/toVLW4I; Domain=.ebay.co.uk; Path=/
    Set-Cookie: lucky9=6002805; Domain=.ebay.co.uk; Expires=Thu, 28-Jun-2018 01:08:23 GMT; Path=/
    Cache-Control: private
    Pragma: no-cache
    Location: http://feedback.ebay.co.uk/ws/eBayISAPI.dll?ViewFeedback2&userid=digit-navigator&&_trksid=p2047675.l2560&rt=nc&iid=230829929719&sspagename=VIP:feedback&ftab=FeedbackAsSeller
    RlogId: p4e%60ccadeljkrk9%3Fvo%7B2d71f%2B%7Ein3wg2t%7E7-13f8d7948e9
    Content-Length: 0
    Date: Sat, 29 Jun 2013 01:08:22 GMT
    This only happens with Firefox. Any help?

    Hello,
    Try Firefox Safe Mode to see if the problem goes away. Safe Mode is a troubleshooting mode, which disables most add-ons.
    (If you're not using it, switch to the Default theme.)
    * You can open Firefox 4.0+ in Safe Mode by holding the Shift key when you open the Firefox desktop or Start menu shortcut.
    * Or open the Help menu and click on the "Restart with Add-ons Disabled..." menu item while Firefox is running.
    Once you get the pop-up, just select "Start in Safe Mode".
    If the issue is not present in Firefox Safe Mode, your problem is probably caused by an extension, and you need to figure out which one. Please follow the "Troubleshooting extensions and themes" article for that.
    To exit Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox for normal use again.
    When you figure out what's causing your issues, please let us know. It might help other users who have the same problem.
    Thank you.

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in ethical hacking / penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they cannot be accessed by non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up HTTPOnly for the session cookies:
    1] In application.cfc we can do this by using the code below. Or we can do this on the CF admin side under Server Settings » Memory Variables.
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies:
    2] In application.cfc we can do this by using the code below. Or we can do this on the CF admin side under Server Settings » Memory Variables.
         this.sessioncookie.secure = "true"
    My question is how we can do the same thing in Application.cfm. (I am using ColdFusion version 10.) I know we can do this using the code below, in the case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send the CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right? And this will be a headache. Right? Or is there any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.
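    Before changing Application.cfm it helps to measure exactly what the scanner measured. The Python below is an added example, not part of the question or of ColdFusion: it parses Set-Cookie header values and reports session cookies that lack HttpOnly, or lack Secure on an HTTPS response. The list of session cookie names (CFID, CFTOKEN, JSESSIONID, ASP.NET_SessionId) and the sample response headers are constructed for the example; attribute matching is case-insensitive, as RFC 6265 requires, so the HTTPOnly spelling in the cfheader lines above passes the check.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes."""
from dataclasses import dataclass

# Cookie names that carry a session identifier in the stacks discussed on
# this page (ColdFusion, Java servlet containers, ASP.NET). Constructed list
# for the example; extend it with your own application's session cookies.
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid", "asp.net_sessionid"}


@dataclass
class SetCookie:
    name: str
    value: str
    attributes: dict  # lower-cased attribute name -> value ("" for flags)


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    The first ';'-separated piece is name=value; the rest are attributes.
    Attribute names are case-insensitive ('HTTPOnly' == 'HttpOnly'). The
    cookie value may itself contain '=' (base64 values often end in '=='),
    so only the first '=' separates name from value.
    """
    pieces = [p.strip() for p in header_value.split(";")]
    name, sep, value = pieces[0].partition("=")
    if not sep:
        raise ValueError(f"not a name=value pair: {pieces[0]!r}")
    attributes = {}
    for piece in pieces[1:]:
        if not piece:
            continue  # tolerate a trailing ';' or ';;'
        attr_name, _, attr_value = piece.partition("=")
        attributes[attr_name.strip().lower()] = attr_value.strip()
    return SetCookie(name.strip(), value, attributes)


def audit_set_cookie(header_value: str, https: bool) -> list:
    """Return finding strings for one Set-Cookie header.

    Only session cookies are reported, which is what a scanner flags. The
    Secure check is skipped for plain-HTTP responses, because a Secure
    cookie would never be returned by the browser over HTTP at all.
    """
    cookie = parse_set_cookie(header_value)
    findings = []
    if cookie.name.lower() not in SESSION_COOKIE_NAMES:
        return findings
    if "httponly" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing HttpOnly")
    if https and "secure" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing Secure")
    return findings


def audit_response(headers: list, https: bool = True) -> list:
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value, https))
    return findings


# Constructed sample response: CFID as emitted before any fix, CFTOKEN with
# HttpOnly only, a JSESSIONID with both flags, and a non-session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "CFID=12345; path=/"),
    ("Set-Cookie", "CFTOKEN=67890; path=/; HTTPOnly"),
    ("Set-Cookie", "JSESSIONID=782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lucky9=6002805; Domain=.example.co.uk; Path=/"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, https=True):
        print(finding)
```

    Feed it the header list from any HTTP client that exposes raw response headers; run it against every page the scanner listed, over HTTPS, and the report should be empty once the cfheader lines are in place for every path that starts a session.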

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean, how are you relating this to my question?
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. ColdFusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case, then why am I getting the info below for JSESSIONID? (As you mentioned, it should be set with the SECURE flag. Right?) Note that we are using the web server Apache vFabric, and the application that we are using is in HTTPS and no hit is going from HTTPS to HTTP.
    Name: JSESSIONID
    Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain: xyz.abc.pqr.com
    Path:
    Send for: Any kind of connection
    Accessible to script: No (HttpOnly)
    Created: Wednesday, September 3, 2014 2:25:10 AM
    Expires: When the browsing session ends
    BKBK wrote:
    2] When I checked CF Admin -> Server Settings -> Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set HTTPOnly and the SECURE flag for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well?
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for the CF session cookies (cfid and cftoken) as we have enabled J2EE sessions in CF admin? Or, in other words, as the session management is J2EE based, do we need to set those flags for the CF session cookies?
    BKBK wrote:
    3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set httponly only. But how will we set it for jsessionid? This is my question. Apache vFabric will also set secure to true automatically. Any idea?

  • Applet and HttpOnly cookies in IE 6.0 SP1

    Hello all.
    I am working on a trusted file upload applet. This applet creates an HttpURLConnection object and simulates a browser POST request. It uploads form variables and also sends one or more files to the server.
    Microsoft has introduced support for a new kind of cookie in Internet Explorer 6.0 SP1. This is called an "HttpOnly" cookie and scripts do not have access to this cookie. (The cookie does not show up in the document.cookie variable.)
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp
    My server side script that receives the request is an ASP.NET script. Since ASP.NET 2.0, the ASPNET_SessionID cookie is sent as an HttpOnly cookie. When my applet does the POST request, it is able to pick up all the cookies but the ASPNET_SessionID cookie. This is causing my session to expire. Is there a way I can pick up HttpOnly cookies too?
    This problem exists only when I'm using the Sun Plugin for IE. When I use the MS JVM everything is fine. I'm using Sun Plugin version 1.4.2_04.
    Any help is appreciated.
    Adarsh Bhat

    Naveen,
      Normally the browser should support the JavaScript version you are using. The best way is to upgrade the browser to a higher SP if it runs on a different SP.
    Usually, JavaScript errors are very abstract, so they are tough to handle. So, you have to be careful when coding.
    Check this link for details on JavaScript errors etc.
    http://www.irt.org/script/general.htm
    Hope this helps,
    Kumar

  • How to set httponly cookies in J2EE 5

    Hi folks,
    I am using Tomcat 6, which implements Servlet API 2.5 (part of J2EE 5). I know I could set useHttpOnly="true" in context.xml to make all cookies HttpOnly. However, if I only need to set certain cookies to be HttpOnly, how do I do it in J2EE 5? I cannot find a Cookie.setHttpOnly() method in J2EE 5.
    Thanks in advance!
    Billy

    Either the support document cited above is in error or (more likely) has just not been updated for iOS 8.
    It states that:
    AirPrint printers connected to the USB port of an Apple AirPort Base Station or AirPort Time Capsule are not supported with AirPrint. Connect your AirPrint printer to your network using Wi-Fi, or connect it to a LAN port on your AirPort device using Ethernet.
    I have an early HP LaserJet P1102w and found that it can be set up to work wirelessly even if it is connected by USB to either a Mac or an AirPort/Time Capsule.
    The trick is to install it each way and label each in the System Preferences accordingly (a separate icon for each version).
    Examples: the wireless HP P1102 - Air Print, the USB cabled HP P1102w - USB, and the AirPort/TC HP P1102w - Airport (or TC or LAN name).
    My iPhone 5s also found the HP1102w using AirPrint.
    Additionally the wireless printer connection will display the printer Options and Supplies just like the USB wired connection; the AirPort/TC connection will not.
    So even if you use the USB/AirPort/TC route, you can still quickly switch to the wireless or USB connection to check the toner (or ink).
    Hope some find this useful.
    Equip:
    HP P1102w (with latest firmware update from HP)
    MacBook Pro & MacBook Pro Retina (both running OS X 10.9.5 - Mavericks)
    Time Capsule (latest AirPort Utility & firmware)
    iPhone 5s (iOS 8.0.2)

  • Question: Disable Cookie Httponly in v7.0.9?

    I've been asked by one of the application teams I support if there is any way to set httponly to false in iPlanet 7.0.9, something along the lines of this Weblogic equivalent (found elsewhere in the forums):
      <session-descriptor>
        <cookie-http-only>false</cookie-http-only>
      </session-descriptor>
    I've scoured the v7.0.9 PDFs, searched this forum, and Googled around a bit, but so far drawn a blank.
    Customer says: "Server is sending JSESSIONID as HttpOnly, and this is not what we require."
    Does anyone here have any advice? (Even if it's just to confirm that this is not possible!)
    Thanks,
    --Neil.

  • Setting Secure and HttpOnly flags in JSESSIONID cookie

    I have a web app hosted on WebLogic (8.1 I'm afraid!), and want to secure the JSESSIONID cookie by setting the Secure and HttpOnly flags on it. The intention is to prevent cookie theft.
    As regards the Secure flag, I've tried using the myCookie.setSecure(true) method. This works fine when I debug and step through the code, but by the time the cookie gets back to the client, it has been reset to false again (I'm not clear what by, though...).
    There isn't a Cookie method to allow you to set HttpOnly.
    I've thought of using a filter to intercept the response and set the flags explicitly, but this seems like a lot of work for something that seems very simple. I can't find anything in the WebLogic documentation that allows me to configure the settings either.
    Does anyone have any bright ideas about how I can do this?
    Thanks
    Geoff

    I don't think there is HTTPOnly support for WebLogic 8.1 or other versions.
    Maybe you want to send a note to WebLogic support to find out if they are planning this feature in future?
    Jayesh
    Yagna Sys
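    The filter approach Geoff mentions, and the per-cookie control Billy asks for in the Servlet 2.5 question above, both come down to the same thing: when the cookie API has no setHttpOnly, rewrite the outgoing Set-Cookie header values instead. The Python below is an added example, not code from either thread, from WebLogic, or from Tomcat; it shows that rewrite logic on its own, appending HttpOnly, and Secure when the request arrived over HTTPS, only where the attribute is absent (case-insensitively, so an existing HTTPOnly is not duplicated), and optionally only for named cookies such as JSESSIONID. In a Servlet 2.5 container the same logic would sit in a javax.servlet.Filter that wraps the response with HttpServletResponseWrapper so that addCookie, addHeader and setHeader pass through it; whether the container's own session cookie is routed through such a wrapper depends on the container, which is why Tomcat 6 exposes useHttpOnly as a context attribute rather than relying on application filters.

```python
"""Append HttpOnly (and Secure over HTTPS) to Set-Cookie headers that lack them,
the rewrite a response filter performs when the cookie API cannot set the flags."""


def _attribute_names(header_value: str) -> set:
    """Lower-cased attribute names that follow the name=value pair."""
    return {piece.strip().partition("=")[0].strip().lower()
            for piece in header_value.split(";")[1:] if piece.strip()}


def harden_set_cookie(header_value: str, https: bool, names=None) -> str:
    """Return header_value with HttpOnly appended, plus Secure when https.

    names, if given, restricts the rewrite to those cookie names (compared
    case-insensitively), e.g. ["JSESSIONID"]; otherwise every cookie is
    hardened. Existing attributes are preserved and never duplicated,
    whatever their spelling (HTTPOnly, httponly, HttpOnly).
    """
    cookie_name = header_value.split(";", 1)[0].partition("=")[0].strip()
    if names is not None and cookie_name.lower() not in {n.lower() for n in names}:
        return header_value
    present = _attribute_names(header_value)
    result = header_value.rstrip().rstrip(";")
    if "httponly" not in present:
        result += "; HttpOnly"
    if https and "secure" not in present:
        result += "; Secure"
    return result


def harden_response_headers(headers, https: bool, names=None) -> list:
    """Apply harden_set_cookie to every Set-Cookie in a list of (name, value).

    This is the whole job of a hardening filter: other headers pass through
    untouched and the order of headers is kept.
    """
    return [
        (name, harden_set_cookie(value, https, names) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


# Constructed sample: what a servlet app and its container might emit over
# HTTPS before any hardening is applied.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0VksQmSHwhpr2vT33Kq1ZgqWgxrtk2BXxpr4PgmL1LwThMxYSlKQ; Path=/"),
    ("Set-Cookie", "CFID=12345; path=/; HTTPOnly"),
    ("Set-Cookie", "prefs=compact; Path=/; Max-Age=2592000"),
]

if __name__ == "__main__":
    for name, value in harden_response_headers(SAMPLE_HEADERS, https=True, names=["JSESSIONID", "CFID"]):
        print(f"{name}: {value}")
```

    Restricting the rewrite with names is what the Servlet 2.5 question asks for; leaving names as None is the behaviour a container-wide setting such as Tomcat's useHttpOnly gives, with Secure added on top for HTTPS responses.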
