IPlanet Web Server 6.0 SP3-4: authenticating succeeds with bogus password

There is a very serious problem with an ACL configured to authenticate against the LDAP server.
Going through the Global settings, if you configure it to use an LDAP server and then configure the ACL to allow only authenticated users... however, by typing a bogus password, as long as the user ID is correct, I can get access to the URL pages.
Previously, I responded to "Thuan Nguyen" in the subject "Problem authenticating iPlanet Web Server 6.0 SP3 and SP4 with LDAP", regarding authentication to LDAP with a bogus password.
I have emailed and called in to inform Sun of this severe security problem with their Web Server, but I don't even know if this information is getting through.
Isn't there anyone out there who can also confirm this?
And are there any existing workarounds for this?
Thank you.

This is documented in the 6.0 SP5 (and higher) release notes as fixed problem 4770629, and, according to the SP5 release notes, "All users of previous versions of Sun ONE Web Server are strongly recommended to install this service pack."
Note that the problem only occurs when the LDAP entry lacks a uid.

Thanks for the info. However, the LDAP server I'm using does have the UID value.
Regardless, I will try the SP5 and get back to you.
Thank you.
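The fix in this thread is to apply SP5, but the condition the release notes tie the bug to (an LDAP entry with no uid) is exactly the kind of edge case an authentication path should fail closed on, and that a deployment should be regression-tested for after a service pack. The following Python is an added illustration, not iPlanet/Sun ONE code and not a reproduction of the product's actual defect: it models a directory in memory, a constructed fail-open authenticator that skips the bind when the entry has no uid, its fail-closed counterpart, and a table of negative cases (wrong password, empty password, unknown user, entry without uid) that a practitioner would want to check against a protected URL. All DNs, logins and passwords are constructed sample values.

```python
"""Regression checks for ACL/LDAP authentication, modelled in memory.

Added illustration, not iPlanet/Sun ONE code. It does not reproduce the
product's real defect; the fail-open authenticator below is a constructed
stand-in that skips the password check whenever the entry has no uid, so
that the negative-case table has something to catch.
"""
import hmac

# Constructed directory: DN -> attributes. The second entry has no uid
# attribute, the condition the SP5 release notes mention.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "correct-horse"},
    "cn=Bob Ops,ou=people,dc=example,dc=com": {"cn": "Bob Ops", "userPassword": "battery-staple"},
}


def search(login):
    """Return (dn, attrs) for the entry whose uid or cn equals login, else None."""
    for dn, attrs in DIRECTORY.items():
        if login in (attrs.get("uid"), attrs.get("cn")):
            return dn, attrs
    return None


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind: True only for the stored password.

    An empty password is an unauthenticated bind (RFC 4513 section 5.1.2)
    and is never accepted as proof of identity here.
    """
    if not password or dn not in DIRECTORY:
        return False
    return hmac.compare_digest(DIRECTORY[dn]["userPassword"], password)


def authenticate_fail_open(login, password):
    """Constructed defective pattern: the bind is keyed off the uid attribute,
    and an entry without one is waved through without a credential check."""
    found = search(login)
    if found is None:
        return False
    dn, attrs = found
    if "uid" not in attrs:
        return True  # defect: credential check skipped
    return simple_bind(dn, password)


def authenticate_fail_closed(login, password):
    """Hardened pattern: the bind is always performed against the located DN,
    and every other path returns False."""
    found = search(login)
    if found is None or not password:
        return False
    dn, _attrs = found
    return simple_bind(dn, password)


# Positive and negative cases a deployment should be checked against.
# (login, password, expected result, description)
CASES = [
    ("alice", "correct-horse", True, "correct password"),
    ("alice", "wrong", False, "wrong password, entry with uid"),
    ("alice", "", False, "empty password"),
    ("nobody", "x", False, "unknown user"),
    ("Bob Ops", "battery-staple", True, "correct password, entry without uid"),
    ("Bob Ops", "wrong", False, "wrong password, entry without uid"),
]


def failing_cases(authenticator):
    """Run the table and return the descriptions of the cases the authenticator gets wrong."""
    return [desc for login, pw, expected, desc in CASES
            if authenticator(login, pw) is not expected]


if __name__ == "__main__":
    for name, fn in (("fail-open", authenticate_fail_open),
                     ("fail-closed", authenticate_fail_closed)):
        bad = failing_cases(fn)
        print(f"{name}: {'OK' if not bad else 'FAILS: ' + ', '.join(bad)}")
```

Run stand-alone, the fail-open variant is caught only by the "wrong password, entry without uid" row, which is why a regression table has to include an account that exercises the unusual directory shape and not just a wrong password for an ordinary account.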

Similar Messages

  • Context lookup problem in iplanet application server 6.0 sp3?

    Hi all,
    I am writing code in the following environment: iPlanet Application Server 6.0 SP3 with iPlanet Web Server 4.1 SP7 on Windows 2000.
    When I tried to log in to the system, an error occurred when I tried to look up the context for my session bean.
    The error message is as follows:
    login_process.jsp: Home / Remote Error:String index out of range: -7
    [10/Apr/2002 18:09:10:5] error: Exception: SERVLET-execution_failed: Error in executing servlet JSPRunnerSticky: java.util.EmptyStackException
    Exception Stack Trace:
    java.util.EmptyStackException
    at java.util.Stack.peek(Stack.java:86)
    at java.util.Stack.pop(Stack.java:68)
    at com.netscape.server.deployment.AppComponentDescriptorUtil.popCurrentAppComponent(Unknown Source)
    at com.netscape.server.servlet.servletrunner.AppInfo.popWebAppDescriptor(Unknown Source)
    at com.netscape.server.servlet.servletrunner.ServletInfo.service(Unknown Source)
    at com.netscape.server.servlet.servletrunner.ServletRunner.execute(Unknown Source)
    at com.kivasoft.applogic.AppLogic.execute(Unknown Source)
    at com.kivasoft.applogic.AppLogic.execute(Unknown Source)
    at com.kivasoft.thread.ThreadBasic.run(Native Method)
    at java.lang.Thread.run(Thread.java:479)
    Could anyone suggest a method to solve the problem?
    Thx very much!

    There is a major security breach in authenticating iPlanet Web Server 6.0 SP3 and SP4 using Sun ONE Directory Server. Using a valid user id, any password except the null string would allow the user to access the restricted resources. iPlanet Web Server 6.0 SP5 and 4.1 SP12 worked fine with a similar configuration.

    Did you get an answer for this?
    We are having the exact same problems with our iPlanet Web Server 6.0 SP3.
    thank you.

  • Calling servlet problem in iPlanet web server.

    Hello, friends.
    I have installed iPlanet Web Server 6.0. After installation I am using the default virtual server only. Thus, for all testing pages also, I use the default Document Root only (C:\iplanet\servers\docs\testsite) (I think "docs" is the default document root here, right? If I am wrong, please correct me). I have got 2 JSP pages and 1 servlet. I put the JSP pages into the "testsite" folder and put the servlet into a folder called "myservlets" (C:\iplanet\servers\docs\myservlets).
    The jsp1.jsp page calls the servlet.class and in return the servlet redirects to jsp2.jsp page.
    My question is: what paths should I use in jsp1.jsp file and in servlet.class file?
    Thanks in Advance for all your help,
    ~ Nirav

  • Can iDSIE (Meta-directory) be used as a single authentication point from iPlanet Web Server for multiple databases using direct "or" indirect connectors?

    Basically, the latest release of iPlanet Web Server forces the user/group information source to be an LDAP database. Currently, the user accounts are in Active Directory, NT, Oracle and NetWare Directory Service in this heterogeneous environment.
    What I am looking for is a meta-directory product which can do two things:
    1-Single authentication point for users in multiple databases from iPlanet Web Server.
    2-Single administration point for all of the databases listed above.
    For example, can I add/modify/delete a user account at the meta-directory level and have this propagate to all of the databases listed above reducing the administration to one meta-directory product?

    With a Virtual Directory solution, you can authenticate iPlanet Web Server against nearly anything, including any LDAPv3 Directory Server, Microsoft Active Directory, Windows NT Domains, Oracle RDBMS, IBM DB2 RDBMS, Microsoft SQL, and others.
    All of this is done dynamically and doesn't require any heavyweight synchronization process. The Virtual Directory acts as a dynamic schema / DIT / data translation engine for different types of repositories.
    OctetString's Virtual Directory Engine is one such example. You can download a 30 day evaluation copy at:
    http://www.octetstring.com
    It will take you all of 30 minutes to get iPlanet Web Server authenticated against and using groups from things like Oracle RDBMS, Windows NT Domains, or Active Directory.

  • Kerberos Authentication DB in Oracle iPlanet Web Server

    Here is a blog about how to configure Kerberos Authentication Database in Oracle iPlanet Web Server on Solaris 10 update 8: http://blogs.sun.com/meena/entry/using_kerberos_as_authentication_database

    As long as the application server that LCDS is deployed in is supported, it doesn't  matter which webserver is being used.
    HTH
    Kumaran

  • Plumtree portal server (v5.0.1) hosted on iPlanet Web Server (v6.0)

    Has anyone tried to port the Plumtree Corporate Portal v5.0.1 portal server component to iPlanet Enterprise Web Server 6.0 (aka SunONE Web Server, v6.0 )? Plumtree doesn't support this, but I am trying to merge a custom SSO authenticator to the Plumtree portal (v5.0.1). The authenticator runs as a plug-in to SunONE Web Server and has been in place on our customer's web site for a long time now.
    I have this working great in with SSL turned off, but I am having a difficult time getting past an error when I turn on SSL. I can get the portal server to run fine with SSL turned on through Tomcat on the same machine, using the same certificate and JRE. I can also get the SunONE server to run other servlet applications fine with SSL turned on. However, there appears to be either: (1) an incompatibility between SunONE's NSServlet plug-in that handles servlets and the Plumtree framework classes that set up replies via SSL, or (2) a configuration error in my setup somewhere. I'm hoping that (2) is the real culprit, but I've tried just about everything I can think of, and haven't been able to resolve this problem.
    The server starts up fine and I can load non-portal content without a problem. But when I log in, the portal's main community page that should be returned is not being returned to the client. PTSpy (a debugging aid for the Plumtree portal) doesn't indicate any problems, so I know the content is being built by the portal correctly, but the built page is never being sent back to the requesting client.
    Here is the error that gets logged to my SunONE server's error log:
    [29/Dec/2003:15:05:53] failure ( 2772): Internal error: Unexpected error condition thrown (unknown exception,no description), stack: java.lang.NoClassDefFoundError: javax/net/ssl/SSLSocket
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:793)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:702)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:583)
    at java.net.URL.openStream(URL.java:960)
    at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java:149)
    at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java:493)
    at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java:314)
    at org.apache.xerces.framework.XMLParser.parse(XMLParser.java:1097)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:195)
    at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:124)
    at com.plumtree.openfoundation.xml.dom.XPBuilder.LoadDocumentFromURI(XPBuilder.java:203)
    at com.plumtree.xpshared.jsutil.JSRegistry.LookupJSComponentVersions(JSRegistry.java:243)
    at com.plumtree.xpshared.jsutil.JSRegistry.GetJSComponentVersions(JSRegistry.java:184)
    at com.plumtree.xpshared.jsutil.JSRegistry.GetJSComponent(JSRegistry.java:465)
    at com.plumtree.xpshared.jsutil.JSRegistry.GetJSComponent(JSRegistry.java:444)
    at com.plumtree.uiinfrastructure.statichelpers.ConfigHelper.GetCommonJSIncludes(ConfigHelper.java:1330)
    at com.plumtree.uiinfrastructure.form.AFormAS.DisplayCommonJavaScript(AFormAS.java:59)
    at com.plumtree.portalpages.common.uiparts.PlumtreeAS.DisplayCommonJavaScript(PlumtreeAS.java:88)
    at com.plumtree.portalpages.common.uiparts.PlumtreeDP.DisplayHead(PlumtreeDP.java:599)
    at com.plumtree.portalpages.common.uiparts.PlumtreeDP.Display(PlumtreeDP.java:112)
    at com.plumtree.portaluiinfrastructure.activityspace.Interpreter.ProcessDisplayPageOrRedirect(Interpreter.java:816)
    at com.plumtree.portaluiinfrastructure.activityspace.Interpreter.HandleRequest(Interpreter.java:1589)
    at com.plumtree.portaluiinfrastructure.activityspace.Interpreter.DoService(Interpreter.java:448)
    at com.plumtree.uiinfrastructure.web.XPPage.service(XPPage.java:141)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.java:919)
    at com.iplanet.server.http.servlet.WebApplication.service(WebApplication.java:1061)
    at com.iplanet.server.http.servlet.NSServletRunner.ServiceWebApp(NSServletRunner.java:981)
    It looks like a Java classpath issue, but I've verified (even in the same log file with Java debugging turned on) that the SSLSocket class is getting loaded. I've even tried moving the specification of the jar file containing this class (jsse.jar, part of the JRE) to the beginning and end of my classpath setting.
    I'm using the same JRE that is bundled with the Tomcat release supplied with my Plumtree 5.0.1 installation (1.4.1_02). I can't get the JRE that came bundled with the SunONE v6.0 release to work at all.
    I've posted a similar message on a couple other forums (Java and iPlanet-related, as well as on Plumtree's customer forum) and haven't found an answer yet. Does anyone have any ideas?

    In case anyone else experiences this, I have apparently stumbled upon an issue with iPlanet's handling of a specified JRE/JDK instead of the supplied JDK in iPlanet Web Server v6.0, SP5, though I found a way around it to resolve my problem.
    I had been specifying a different JRE to run with through the administrative server manager. However, even though I was specifying to load all the JRE's jar files in my classpath setting, iPlanet was only loading the rt.jar file for my specified JRE. With verbose logging turned on, the error log was indicating that the other classpath specified jar files were being loaded, but apparently they were not being used. The JDK that was released with iPlanet appears to be being used for all other JRE classes outside of those defined in rt.jar. Since the JDK supplied with the iPlanet release didn't contain jsse.jar, which contains SSL support, it was not being loaded and was causing the problem I was seeing.
    Instead of specifying the JRE of a different JDK that I was using, I changed the global setting in the administrative server manager to override the entire JDK. This has resolved my problem.
    So if you specify a JRE to override the iPlanet supplied JDK/JRE, it appears that only the rt.jar file of the specified JRE will be loaded, and the jar files associated with the iPlanet-supplied JRE will be used for all other classes. Specification of a complete JDK to override the supplied one will resolve this.

  • Iplanet web server 6.0 ACL question

    Hi,
    I am using ACLs to protect some of my URLs in iplanet web server 6.0.
    I am getting one problem. Its not a problem actually but would like to know how to avoid authenticating the users 2 times.
    In my ACL file, whenever I create an entry for a path, I am getting the following by default:
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    My entry is like this with the above lines:
    acl "path=/www/develop/itsecurity/admin";
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    allow absolute (all)
    (user = "modadmin");
    allow absolute (all)
    (user = "itsecadm");
    deny (all)
    (user = "anyone");
    Now if the entry is like this, with
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    after the first line, then whenever that particular user "itsecadm" tries to access the URL, he gets a user ID and password dialogue box. After entering the page, if he tries to access or click any other link, it asks for the user ID and password again. If he gives them this second time, from then on it does not ask for the user ID and password.
    But when I remove the lines
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    from the file for that particular entry, it does not ask for the user ID/password a second time.
    Could you please tell me why this is happening? Why is this entry created whenever I add a new one into the ACL file?
    Is anyone facing a similar problem with iPlanet Web Server 6.0 ACL files?
    Thanks & Regards
    Murthy

    Hi,
    Thank you for your suggestion. I have tried with your option also. Still I am getting the second time userid/password dialogue box.
    Is there any other solution to avoid the second time user authentication dialogue box?
    Do you want to see the ACL file?
    Thanks & Regards,
    Murthy

  • How to install iPlanet Administrative Server while installing iPlanet Web Server Ver 6.0 Service Pack 3 in SUN Ultra 10,Solaris 5.8

    We are the partner of Sun Developer Connection Program.
    Company: ITI Ltd.
    Member no: 1024878
    We tried to install iPlanet Web Server ver 6.0
    Service Pack 3, in Sun Ultra10 Solaris 5.8 machine.
    During the time of installation it is giving Error:
    Failure installing iPlanet Administration Server
    Do you want to continue? if Yes
    it starts proceeding with the installation and again gives an Error:
    Failure installing Core Java Classes.
    Do you want to continue? if Yes
    It completes the installation.
    But startconsole cannot be executed.
    Please send the solution.

    May I ask where did you get the bits for iWS 6.0 SP3? The latest version currently available for download is iWS 6.0 SP2.
    http://wwws.sun.com/software/download/download/
    Thanks

  • What is different between setup.exe and ezsetup.exe for iPlanet Application server 6.0 SP3?

    iPlanet Application server 6.0 SP3 for windows versions.

    Hi,
    setup.exe has 3 types of installation modes, namely express, typical and custom. ezsetup doesn't ask these questions. The differences between them are:
    Setup.exe - Express - Asks fewer questions, like the iAS username and password, directory server username and password, product key, etc.
    Setup.exe - Typical - Asks the same questions as the Express setup plus a few more, and allows you to install iAS and use a directory server which is already installed.
    Setup.exe - Custom - The most complicated and highly interactive installation, where it requires 32-33 inputs from the user and is fully customisable.
    EzSetup.Exe - Doesn't have any sub-option and doesn't allow you to use an existing directory server or web server; all it asks is 2 questions: which directory to install into and the product key.
    Hope this helps.
    Regards
    Raj

  • SSL implementation on iplanet web server 6.0

    Hi,
    we've successfully implemented a VeriSign SSL certificate on iPlanet Web Server 6.0, and we have configured a parent directory to the non-SSL class and a sub directory to the SSL class. When we tried to run a JSP page, we got an error that the page is not found.
    If both are configured for the same directory (i.e. the parent directory) then it's working fine....
    can anybody tell me what went wrong with the implementation...
    thanks in advance,
    regards
    Ramachandran

    How did you configure one directory to use SSL and another directory not to? Are you using only one listener?
    I would like to configure my iWS to work like this:
    a directory like server/app uses SSL3
    another directory like server/appler uses SSL3 without client authentication. Important: I'm not able to create another listener. I must use listeners already created.

  • IPlanet Application Server 6.0, SP3 and Struts 1.0

    To all,
    I've created a How To document and modified application zip file for running
    the struts-example application on iPlanet Application Server 6.0, SP3. The
    good news is that this "ported" struts-example also works on Tomcat 3.2 and
    WebLogic 6.0 SP1!
    Please read if you're interested at
    http://www.icsynergy.com/downloads/index.html#struts-example.
    Please note that we've created a "patch" for SP3 to fix a "bug" in iPlanet.
    You can download this at
    http://www.icsynergy.com/downloads/index.html#patch.
    Have a good day,
    Matt

  • Hi, I am using HP11 and iPlanet web server. When trying to upload files over HTTP using FORM ENCTYPE="multipart/form-data" that are bigger than a few Kilobytes i get a 408 error. (client timeout).

    Hi, I am using HP11 and iPlanet web server. When trying to upload files over HTTP using FORM ENCTYPE="multipart/form-data" that are bigger than a few Kilobytes i get a 408 error. (client timeout). It is as if the server has decided that the client has timed out during the file upload. The default setting is 30 seconds for AcceptTimeout in the magnus.conf file. This should be ample to get the file across, even increasing this to 2 minutes just produces the same error after 2 minutes. Any help appreciated. Apologies if this is not the correct forum for this, I couldn't see one for iPlanet and Web, many thanks, Kieran.

    Hi,
    You didn't mention which version of iWS. Follow these steps.
    (1) Go to the Web Server Administration Server and select the server you want to manage.
    (2) Select Preferences >> Performance Tuning.
    (3) Set HTTP Persistent Connection Timeout to your choice (e.g. 180 sec for three minutes).
    (4) Apply changes and restart the server.
    *Setting the timeout to a lower value, however, may prevent the transfer of large files, as the timeout does not refer to the time that the connection has been idle. For example, if you are using a 2400 baud modem and the request timeout is set to 180 seconds, then the maximum file size that can be transferred before the connection is closed is 432000 bits (2400 multiplied by 180).
    Regards
    T.Raghulan
    [email protected]

  • Global data in a servlet using iPlanet Web Server

    Our configuration is an Applet->Servlet->JNI->C/C++ code.
    We have C code that does a number of lengthy mathematical calculations. This C code not only uses its own global variables but, it is also comprised of numerous subroutines that all call each other, reading and writing global C variables as they go. These globals are all isolated to the C code shareable object (.so) library that is included using the LoadLibrary call when the servlet is initialized.
    The problem is that in a multi-user environment (3-5 simultaneous users) we need to have each user have their own "copy" of the servlet (and the C code) so that users will not be accessing each other's global data. We can NOT have only one copy of the C code and define it as synchronized, because the calculations that are performed can take a very long time and we cannot hold off user requests while the first user finishes.
    Our hope is that there is a way to configure the iPlanet Web server such that each new user that starts up a copy of the Applet/Servlet combination will get their own "space" so that they can work independently of any other user. We have at most 20 users of this system and only 3-5 simultaneous users so we should not have a problem with memory or CPU speed.
    If anyone has a solution, I would greatly appreciate it!

    The C library is shareable. But you don't want it to be shared. That's your question summarized, isn't it?
    You probably can't prevent it from being shared, so to prevent multiple use of it you would have to queue up the requests to be done one at a time. WynEaston's suggestion of having the servlet implement SingleThreadModel would help, but I believe the servlet spec allows servers to run multiple copies of a servlet that does that (as opposed to running a single copy in multiple threads).
    Your other alternative is to rewrite the math in Java, or at least in some object-oriented language where you don't need global variables (which are the source of your problem). All right, I can already hear you saying "But that wouldn't be as fast!" Maybe not, but that isn't everything. Now you have a problem in queueing theory: do you want a single server that's fast, but jobs have to wait for it, or do you want multiple servers that aren't as fast, but jobs don't have to wait? That's a question you would have to evaluate based on the usage of your site, and it isn't an easy one.

  • Using iPlanet Web Server 6.0 (with ASP or JSP), is it possible to create a StarOffice, Word or Acrobat document using a template and merging it with data from a database (say Oracle)?


    Hi,
    It is possible, but it has to be done through code, and iPlanet Web Server has nothing to do with it. If you want to create the Word document with ASP, you have to install an ASP plugin like ChilliASP (from Chilisoft) with iPlanet Web Server. Merging with the database can be done through your code.
    To know more about creating a Word doc through ASP, try this link:
    http://web.ukonline.co.uk/vance/code/aspworddoc.pdf
    Regards,
    T.Raghulan.

  • Works in Tomcat but not in iPlanet Web server

    I have a servlet which first generates a form which has one input field, when user fills in the text field and submits the form it is posted to same servlet. The posted data is processed and redirected to another servlet. Everything works fine on Tomcat3.2 but fails to work on iPlanet web server and throws HTTP Error 500.
    Can someone help me with this? What might be the problem?

    Don't know why it worked in Tomcat and not in iPlanet, but the reason is that I missed the '/' in the getRequestDispatcher() method:
    public RequestDispatcher getRequestDispatcher(java.lang.String path)
    The pathname must begin with a "/" and is interpreted as relative to the current context root.
