Is it secure to store username and password in session?

I need to call web services from an ADF page. As far as I know, the only way I can free users from entering their username/password again is to keep the username/password in session variables.
Then in the proxy code I can call the web service with code like this:
myPort.setUsername(sessionUserName);
myPort.setPassword(sessionPassWords);
myPort....
I can write an agent or gateway at the service side to do authentication in the service.
Is it a secure way and is there a better way to protect web services and still have access to them via ADF pages?
Regards
Farbod

Hi,
MDS is not a policy store nor an identity management system. It does not really make sense what you are asking for. Instead of jazn-data.xml you can use OID and RDBMS for holding user identities and policies. If it is only user identities and groups you want to move to another store then you have OID, RDBMS, Active Directory, OAM etc. The jazn-data.xml file, by the way, is used at design time only. Upon deployment, by default, users and groups are created from jazn-data.xml into the integrated WLS LDAP server. Policies in the jazn-data.xml file are copied to system-jazn-data.xml of the target WLS server.
Frank

Similar Messages

  • Calling A Secured webservice using Username and password in the Soap header

    I want to call a secured webservice.
    The Username and password should be sent with the payload in the SOAP Header
    as
    <wsse:Security S:mustunderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="SecurityToken-XXXXXXXXXXXXXXXXXXXXXXXXX" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>uname</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    Can you please send me the steps?
    I tried with giving the username and password under Service Account.
    I tried to create a wspolicy under business service. But nothing works...
    Please help me at the earliest.
    Also please give me steps in sequence.

    Now I made sure that the endpoint is available!
    Now I am getting this error:
    <soapenv:Fault>
    <faultcode>soapenv:Server</faultcode>
    <faultstring>BEA-380002: localhost1</faultstring>
    <detail>
    <con:fault xmlns:con="http://www.bea.com/wli/sb/context">
    <con:errorCode>BEA-380002</con:errorCode>
    <con:reason>localhost1</con:reason>
    <con:location>
    <con:node>RouteNode1</con:node>
    <con:path>request-pipeline</con:path>
    </con:location>
    </con:fault>
    </detail>
    </soapenv:Fault>
    Also in the invocation trace i can observe the following things:
    Under Invocation Trace:-
    ========================
         Receiving request =====> Initial Message context
         ===============================================
         under added header:-
         ==================
         <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
         </soap:Header>
         under RouteNode1
    ================
         Route to "TargetMyService_BS"
    $header (request):-
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    </soap:Header>
    Under Message Context changes:-
    ===============================
    I can find this element also:-
    <con:security>
    <con:doOutboundWss>false</con:doOutboundWss>
    </con:security>
    Even though we enabled WS-Security, how can the above tag be false?
    I think it is failing to populate the header with the required login credentials.
    The other doubt i have is:-
    =================
    I have chosen the service account type is static...is this right?

  • Windows Security asking for username and password to access college intranet.

    I'm trying to access my college intranet from home and I get a dialog box called "windows security". It asks for a username and password. I've never set up a username or password. I've been onto internet setting>security and enabled "automatic logon with current username and password", this did not work. Please help, I really need to get onto the site!

    trying to access my college intranet from home
    Contact your college network support.  The syntax for specifying your authentication may be different than you usually use when you are just connecting there locally.
    Robert Aldwinckle

  • Security issue: parameters username and password in the jbo:ApplicationModule

    Hello,
    in the <jbo:ApplicationModule> tag, you can give parameters for username and password, then the .jsp connects to the DB via the username/password. Alternatively, you can provide this within the <Module>.properties file.
    Now the question: Isn't this a security hole? I mean, is it under all circumstances impossible, that the source-code can be delivered by the web-server or that the byte-code from the servlet (compiled from .jsp) can be "restringed"?
    Are there other ways to protect the credentials for accessing the ORACLE DB?
    Michael

    Hi John
    thank You very much. You wrote
    BC4J provides a number of mechanisms for specifying the DB username and password that do not require
    the password to be stored in a JSP page. By default, in 9.0.2, the DB password is stored in
    a BC4J configuration (persisted in a bc4j.xcfg file), which should be secured at the customer site.
    I've forgotten to mention our environment is SuSE7.2, DB 8.1.7.3, iAS 1.0.2.2, Portal 3.0.9.8.
    For simplicity we would like to use the first method via bc4j.xcfg, but our bc4j.xcfg looks as follows
    <quote>
    <BC4JConfig>
    <AppModuleConfigBag>
    <AppModuleConfig name="OPKv1ModuleLocal">
    <ApplicationName>de.condor.OPKv1.OPKv1Module</ApplicationName>
    <DeployPlatform>LOCAL</DeployPlatform>
    <JDBCName>WEBAPP_NETx</JDBCName>
    <jbo.project>de.condor.OPKv1.opkv1PRJ</jbo.project>
    </AppModuleConfig>
    </AppModuleConfigBag>
    </BC4JConfig>
    </quote>
    So the question is, where to leave schema/password?

    JDeveloper should have also generated a connection description in the same file named WEBAPP_NET. This
    named connection should contain the relevant elements. It is not recommended that you edit this file directly. The
    configuration editor and/or the connection editor should be used instead.
    Hope this helps.
    JR

  • Web application security. Getting username and password from database

    Hi!
    I need to write the following web application (I write it using java server faces):
    1) User enters his username/password on the login page
    2) Program goes to database where there are tens of thousands of usernames/passwords, and verifies it.
    3) If user and password exist in DB, user gets access to the other pages of the application
    Maybe I don't understand some point. I tried to use j_security_check (it's very easy to configure secured pages in web.xml). The problem is that it works (as far as I understand) only with roles defined on the server before the application runs. I can't add ALL these usernames to the roles on the server. The best way, as I see it, is to go to the DB, check username/password, create a new role for the time of the session, go to j_security_check where the j_username and j_password get the values from the DB, and get the access to secured pages (as far as the roles have been dynamically added).
    Am I right and this should be the algorithm?
    How can I implement it?
    I've read about JAAS. How can it help to solve the problem? Do I need j_security_check if I use JAAS? How should I configure my application if I use it?
    Could you please give me some code example?
    All this must work on IIS (for now, I develop it in Netbeans and run it on Java Application Server)
    Please help.
    Edited by: nemaria on Jul 7, 2008 2:39 AM

    Hi,
    Any security-constrained URL pattern which calls the action j_security_check passes the parameter to the realm mentioned in the server.xml. If the realm is set as JAAS, then the authenticate method of the JAASRealm does the basic validation, like a non-empty field value from the input form. The appname set as the realm parameter points to the one or more login modules which have the life cycle methods like initialize(...), login(), commit(), abort() and logout(). Once the basic validation is done in the JAASRealm class of the web container, the LoginContext is created and the user is authenticated (against DB username/password) via the login(). Then the user is authorised in the commit(). Then JAASRealm takes care of creating the LoginContext, calling login(), creating the Subject with principals and credentials added, and setting that in the session.
    I have big trouble accessing the HttpServletRequest object in the LoginModules, i.e. getting the j_username and j_password in the LoginModules or in the CallbackHandlers. PolicyContext doesn't work for me. Is there any other way?
    Regards,
    Ganesh
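
How a LoginModule receives what was posted to j_security_check, as an added example that is not code from either poster or from any container: the module asks the CallbackHandler it was initialized with (supplied by the container, for instance Tomcat's JAASRealm) for the name and password, so it never needs the HttpServletRequest. DbLoginModule, UserPrincipal and the in-memory USERS entry are hypothetical stand-ins for a JDBC lookup, and Java 9 or later is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DbLoginModule implements LoginModule {
    // Constructed stand-in for the user table; read a per-user random salt and hash over JDBC instead.
    static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
    static final Map<String, byte[]> USERS =
            Map.of("alice", pbkdf2("constructed-password".toCharArray(), SALT));
    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;   // created by login(), attached to the Subject by commit()
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    @Override public void initialize(Subject s, CallbackHandler h,
                                     Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    @Override public boolean login() throws LoginException {
        // The container's CallbackHandler fills these from j_username / j_password.
        NameCallback name = new NameCallback("username");
        PasswordCallback pass = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();   // copy of the value the handler supplied
        pass.clearPassword();
        try {
            if (name.getName() == null || pw == null || !verify(name.getName(), pw)) {
                throw new FailedLoginException("invalid username or password");
            }
            principal = new UserPrincipal(name.getName());
            return true;
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // do not keep the password in memory
        }
    }
    static boolean verify(String user, char[] pw) {
        byte[] expected = USERS.get(user);
        byte[] actual = pbkdf2(pw, SALT);   // hashed even for unknown users: uniform timing
        return expected != null && MessageDigest.isEqual(expected, actual);
    }
    static byte[] pbkdf2(char[] pw, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(pw, salt, 210_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    @Override public boolean commit() {
        if (principal == null) return false;   // login() did not succeed
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { return principal != null && logout(); }
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
}
```

The module is selected by the application name in the JAAS configuration; only the authenticated principal ends up in the Subject, not the password.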

  • SSO not accepting username and password after session timeout

    Dear Charan,
    We have the same issue after ATG upgrading from 12.1.1. to 12.1.3, Users are facing the same error.
    Error:  The application you are trying to access requires you to sign in again even if you have signed in previously.
    Sign In
    I have set "inactivity period to 0" instead of 15 min, but did not disable the GITO.
    After the upgrade I did not de-register/register the SSO, is that required?
    Please advise if you have resolved this issue.
    Regards,
    Ravi Purbia

    Dear Helios,
    I have raised the SR and they asked me to follow the same document 1303564.1 solution 1, solution 2, solution 3, but it does not help; the issue still exists and users are upset about the re-login issue.
    Dear Charan,
    Did you resolve this issue, please guide us.
    All I have done is Oracle Apps12.1.1 upgraded to 12.1.3 and my OID/SSO version 10.1.4.3.
    I would appreciate it if anybody can help me with this.
    Regards,
    Ravi Purbia

  • Auto input Default Username and Password

    Hi David ,
    When I am connecting AWM 11.2.0.2A version with the AWM database, it is prompting for a username and password for the target AWM schema. Can we auto-input the username and password from somewhere they are defined, so that once the database has been clicked it will log in without prompting for a username and password?
    Many thanks,
    Debashis

    No, there is no facility to store the username and password between sessions. Oracle's security coding policies are pretty strict on this kind of thing.

  • Avoid using Username and password in SOAP Envelope

    Hi Team
    I am working on calling the secured web service from PL/SQL and am able to call it successfully and get the response.
    In the SOAP envelope, I have header and body.
    Header contains the WS Security which includes username and password to authenticate the web-service and body contains the actual input pay load for service.
    Currently, header has username and password as 'hard-coded', is there a way to avoid the usage of username and password.
    We already tried the SIF for EBS methodology, wherein the following steps are done:
    1) Create an event in EBS.
    2) Pass the event along with payload to SOA.
    3) SOA receives the event and triggers web-service and gets the response.
    4) Pass the response to EBS.
    This technique does avoid usage of username and password but takes 20 seconds to do the job. However, the approach above takes hardly 1 second.
    Please let me know in case any one has any idea on how to avoid credentials usage in SOAP envelope.
    Thanks
    Mirza Tanzeel

    How about doing away with that approach entirely?
    Password authentication requires one to keep a secret, secret. And that is the primary problem as how does one safely guard the secret, and manage the secret (by regularly changing)?
    Relying on secrets is a problem. I have never been a fan of password based security.
    Instead:
    a) use HTTPS to secure communication between sender and receiver
    b) use robust firewall rules to ensure that only sender is allowed to communicate with receiver
    c) implement sound network management and exception reporting (to detect and prevent violations on network infrastructure level)
    If you lack in the network infrastructure and administration areas, then:
    a) make the web service endpoint on server on localhost only (do not expose it to the outside world)
    b) establish a trusted ssh connection between sender and receiver using strongly encrypted RSA/DSA keys
    c) configure sender with a service that opens a reverse tunnel to target, exposing the web service as a local port on its localhost

  • Write code for authentication of username and password using struts

    write code for authentication of username and password using session using struts with jdbc connection..

    write code for authentication of username and
    password using session using struts with jdbc
    connection..and please, allow me to spoon feed you!

  • Firefox won't store my usernames and passwords

    hi there,
    firefox won't remember my usernames and passwords...
    need help.

    Do you mean names and passwords in the Password Manager or do you mean that you are no longer logged on to (remembered by) websites after closing and restarting Firefox?
    If the latter happens then you have a problem with cookies that are not kept or the file that stores the cookies is corrupted.
    Such details are stored in a cookie.
    * Websites remembering you and automatically logging you in is stored in a cookie.
    * You must allow that cookie (Tools > Options > Privacy > Cookies: Exceptions), especially for secure websites and if you let cookies expire when Firefox closes
    * Make sure that you do not use Clear Recent History to clear the "Cookies" and the "Site Preferences"
    * http://kb.mozillazine.org/Password_Manager
    * http://kb.mozillazine.org/User_name_and_password_not_remembered

  • Claims Based Authentication SPSecurityTokenService.Issue() failed: The security token username and password could not be validated.

    Please excuse the lousy table...Its late :-)
    I have a multi-server SP2010 farm.  Patched up to
    Configuration database version: 14.0.6106.5002
    My goal is to have a claims based web application that authenticates to ADAM for Extranet.  I have configured the servers exactly to MSDN and technet specs (following this spec to the letter (http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
    IT WORKS IN DEV!!! , which is a single server farm.  However, it does not work in production.  I get the following:
    Claims Auth log entries:
    1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | f2ut | Verbose | Authenticated with login provider. Validating request security token.
    1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Using membership provider 'ADAMProvider'.
    1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Doing password check on '[email protected]'.
    1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Failed password check on '[email protected]'.
    1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Unexpected | Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
    1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | fo1t | Monitorable | SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
    1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | fsq7 | High | Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
        at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | 8306 | Critical | An exception occurred when trying to issue security token: The security token username and password could not be validated..
    1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | f2un | Verbose | Form authentication failed.
    I have tried EVERYTHING (well, not everything, I don’t have the fix I suppose). I found plenty out there and nothing directly correlates with this issue. I searched on all parts of the errors I got.
    This contains an interesting blurb about setting up access for the apppool id correctly. 
    That’s not the case for me.  It works in dev and the same id are used there. 
    http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
    This was good but it doesn’t give specs on what the environment looks like:
    http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
    That was interesting…but I am patched up beyond the June 2011 CU so it’s a moot point:
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
    Any and all help would be greatly appreciated!

    Hi.
    You say it's a multiserver farm, do you have more than one web server then?
    If that's the case, have you tried accessing the site on each server directly?
    Found this for you, maybe that can help?
    Troubleshooting Exceptions: System.ServiceModel.FaultException`1
    http://msdn.microsoft.com/en-us/library/bb907220.aspx
    and this:
    SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
    http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
    and
    This seems to be a good guide:
    http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
    Good luck
    Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com

  • I have a iphone 5 and I can login with my apple id to purchase music. However, when I try to login into icloud using the very same username and password that I use in the apple store it does not work to enter icloud, so what what gives???

    I have a iphone 5 and I can login with my apple id to purchase music. However, when I try to login into icloud using the very same username and password that I use in the apple store it does not work to enter icloud, so what what gives???

    I could do that, however when I select the icloud button (or whatever the heck it is) I am asked to enter the apple id and password. So if you are supposed to create another one for icloud you'd think it would give you the option at this point which would be logical.

  • Extracting username and password from security header

    Hey all,
    I'm writing a BPEL process that invokes two secured web services. One of them authenticates using Username Token and the other has a authenticate method in which the username and password are supplied as Strings. I have successfully propagated the credentials from the BPEL process to the web service using Username Token by doing the following:
    1) I secured my BPEL process
    2) I imported oasis-200401-wss-wssecurity-secext-1.0.xsd and from it created a variable of type Security
    3) I added the security variable to the Header Variables for the BPEL process input
    4) I added the security variable to the Input Header Variables for the web service's invoke operation
    This worked fine. However, I need to be able to extract out the username and password and supply them as Strings to the authenticate method of the other web service. How can this be done? If it can't, what are some alternatives?
    Environment:
    JDeveloper 11.1.1.6.0
    Thanks,
    Bill

    Hi Sri,
    If I understand your steps correctly, I think the problem I'm having rests with the second step. I don't know how to get a hold of the username and password to assign to the local variables you mention. The BPEL process itself uses Username Token for authentication. These credentials need to be passed to the web services invoked within the BPEL process. If I assign the security header variable directly to the string output for the BPEL process, the string returned will be the complete XML security header, which includes the username and password. However, the security header variable itself doesn't expose the username and password directly. In other words, I can't expand the security header variable node in the dialog for editing the Assign operation and get to the username and password. I think one solution is to parse out the username and password from the complete XML security header using string operations (substring, index-within-string, etc). Also, regarding step 4, I'm not sure if passing the credentials in the header will work for this web service. I think the web service is expecting the credentials as parameters to its authenticate method.
    Thanks,
    Bill
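
Pulling the username and password out of the complete security header with a namespace-aware parser rather than substring operations, as an added example (stand-alone Java, not BPEL, and not code from the thread). UsernameTokenReader and Credentials are hypothetical names, and the header in main is constructed on the UsernameToken layout with placeholder values.

```java
import java.io.StringReader;
import java.util.Arrays;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class UsernameTokenReader {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-username-token-profile-1.0#PasswordText";

    /** Password is a char[] so the caller can wipe it once the authenticate call returns. */
    public static final class Credentials {
        public final String username;
        public final char[] password;
        Credentials(String username, char[] password) {
            this.username = username;
            this.password = password;
        }
    }

    public static Credentials read(String securityHeaderXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // match on the namespace URI, not on the wsse: prefix
        // The header is caller-controlled input: refuse DOCTYPE (blocks XXE and entity bombs).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(securityHeaderXml)));

        NodeList tokens = doc.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) {
            throw new SecurityException("expected one UsernameToken, found " + tokens.getLength());
        }
        Element token = (Element) tokens.item(0);
        Element password = single(token, "Password");
        // Type defaults to PasswordText when absent; a PasswordDigest is a hash and
        // cannot be handed to a method that expects the clear-text password.
        String type = password.getAttribute("Type");
        if (!type.isEmpty() && !PASSWORD_TEXT.equals(type)) {
            throw new SecurityException("unsupported password type: " + type);
        }
        return new Credentials(single(token, "Username").getTextContent().trim(),
                password.getTextContent().toCharArray());
    }

    private static Element single(Element parent, String localName) {
        NodeList found = parent.getElementsByTagNameNS(WSSE, localName);
        if (found.getLength() != 1) {
            throw new SecurityException("expected one " + localName + " element");
        }
        return (Element) found.item(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed header; "uname" and "pwd" are placeholder values.
        String header = "<wsse:Security xmlns:wsse='" + WSSE + "'>"
                + "<wsse:UsernameToken><wsse:Username>uname</wsse:Username>"
                + "<wsse:Password Type='" + PASSWORD_TEXT + "'>pwd</wsse:Password>"
                + "</wsse:UsernameToken></wsse:Security>";
        Credentials c = read(header);
        System.out.println(c.username + " / " + c.password.length + " password chars");
        Arrays.fill(c.password, '\0');   // wipe after use
    }
}
```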

  • Connecting printer to a secure wireless network which requires both username and password

    I have the hp photosmart 6510. I have it in my college dorm, which has a secure network which requires both a user name and password. I need help setting it up as I can't seem to get the printer to enter a username and password. I know the printer works and I know that my computer can print wirelessly with the printer. My college gave me this setup configuration.
    Configuration Item | Preferred Value | Optional Value (less preferred)
    Network Name of SSID | umd-secure |
    802.1x Operating Mode (note: 802.11b is no longer supported) | Infrastructure or Network (not ad hoc) |
    Security Mode | Enterprise (not Personal) |
    Network Authentication | WPA2 | WPA - less preferred
    Data Encryption | CCMP or AES | (TKIP - less preferred)
    Roaming Identity or Outer Identity | anonymous |
    Authentication Type or Outer Authentication | TTLS | (PEAP - less preferred)
    Authentication Protocol or Inner Authentication | PAP | (MS-CHAPv2 - less preferred)
    Validate Server Certificate or Verify Server Name | Yes |
    Certificate Issuer or Trusted Root CA | Thawte Premium Server CA | (Any Trusted CA - less preferred)
    Server Name or Certificate Name | wireless.umd.edu |
    Server Name must match | Yes |

    Hi @hatyai ,
    Thank you for visiting our English HP Support Forum. We are only able to reply to posts written in English. To ensure a quick response it would be advisable to post your question in English. The following links are here to assist you if you prefer to post in the following Language Forum.
    English: http://h30434.www3.hp.com
    Spanish: http://h30467.www3.hp.com
    French: http://h30478.www3.hp.com
    Portuguese: http://h30487.www3.hp.com
    German: http://h30492.www3.hp.com
    Korean: http://h30491.www3.hp.com/t5/community/communitypage
    Simplified Chinese: http://h30471.www3.hp.com/t5/community/communitypage
    Thank you for your understanding
    I work for HP. However I speak only for myself, not for HP nor anyone else

  • How do I add a SITE, USERNAME, and PASSWORD to the list in - Tools/Options/Security/Saved Passwords ?

    How do I force Firefox to remember and use my username and password for a site ?

    1. Tools -> Options -> Security - tick "remember passwords"
    2. Log in to a website
    You should be asked to save the user name and password upon login.
