J2ee Security methods in JSF

Is it possible to bind to J2ee Security methods in JSF pages, like request.getUserPrincipal() or request.isUserInRole("rolename")?

Hi,
actually you can use EL if you create a method in a managed bean to check for a specific role membership. Reference the method - which returns true or false - from EL. Note that EL cannot have arguments and for this reason you cannot directly pass in role names as arguments.
Frank
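
A managed bean of the kind the answer describes, as an added example (not code from the thread). The bean name `security` and the role names are assumptions; the `inRole` map goes one step beyond the answer by using an EL map lookup to carry the role name, which needs no method arguments.

```java
import java.security.Principal;
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Added example. Register as a request-scoped managed bean; the bean name
// "security" and the role names used below are assumptions.
public class SecurityBean {

    private static ExternalContext ctx() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    // EL: #{security.userName} -> request.getUserPrincipal().getName()
    public String getUserName() {
        Principal p = ctx().getUserPrincipal();
        return p == null ? null : p.getName();
    }

    // EL: #{security.admin} -> one getter per fixed role, as the answer suggests
    public boolean isAdmin() {
        return ctx().isUserInRole("admin");
    }

    // EL: #{security.inRole['manager']} -> EL resolves a Map property by
    // calling get(key), so the role name travels as the map key.
    public Map<String, Boolean> getInRole() {
        return new AbstractMap<String, Boolean>() {
            @Override
            public Boolean get(Object role) {
                return role instanceof String && ctx().isUserInRole((String) role);
            }

            @Override
            public boolean containsKey(Object role) {
                return role instanceof String;
            }

            @Override
            public Set<Map.Entry<String, Boolean>> entrySet() {
                return Collections.emptySet(); // roles cannot be enumerated
            }
        };
    }
}
```

Binding `rendered="#{security.inRole['manager']}"` only hides a component from the page. The action behind it still needs its own check, either a security constraint in web.xml or an `isUserInRole` test in the action method.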

Similar Messages

  • Custom Policy vs. J2EE Security

    Hi there, Java Security architecture gurus,
    I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
    The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
    I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it is not necessary to reimplement things like the AccessController and privileged actions.
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programmatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
    I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
    Thanks,
    Christoph

    Chris,
    There is a very good article from IBM that implements the same thing you are trying to implement, i.e. instance-based security and also a custom Policy (you may need this).
    http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    Custom policy is required primarily if you are going away from the default policy format that Sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
    In your CustomPolicy.java getPermissions() method, the following code will go at the end of the function:
    // If the permission is not found here then delegate it
    // to the standard java Policy class instance.
    java.security.Policy policy = java.security.Policy.getPolicy();
    return policy.getPermissions(codeSource);
    Hope this helps.
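
A delegating Policy along the lines discussed in this thread, as an added example (not code from the thread or from the IBM article). `RecordPermission` and `AclStore` are hypothetical names, and the example assumes the custom policy is installed with `Policy.setPolicy()`, so the previously active policy is captured before installation and used as the delegate. `java.security.Policy` is deprecated for removal in recent Java releases; the example targets the Java versions this thread is about.

```java
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;

// Added example; RecordPermission and AclStore are hypothetical names.
public class DelegatingPolicy extends Policy {
    // Instance-level permission, e.g. new RecordPermission("invoice:42:read").
    public static final class RecordPermission extends BasicPermission {
        public RecordPermission(String name) { super(name); }
    }

    // Stand-in for the database ACL lookup; queried on every check, so
    // changed access rights take effect without Policy.refresh().
    public interface AclStore {
        boolean isAllowed(String principalName, String permissionName);
    }

    private final Policy systemPolicy; // the policy that was active before install()
    private final AclStore acl;

    private DelegatingPolicy(Policy systemPolicy, AclStore acl) {
        this.systemPolicy = systemPolicy;
        this.acl = acl;
    }

    // Capture the current policy first: after setPolicy(), Policy.getPolicy()
    // returns this object, and delegating to it would recurse.
    public static void install(AclStore acl) {
        Policy.setPolicy(new DelegatingPolicy(Policy.getPolicy(), acl));
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (!(permission instanceof RecordPermission)) {
            return systemPolicy.implies(domain, permission); // FilePermission etc.
        }
        for (Principal p : domain.getPrincipals()) {         // set by Subject.doAs
            if (acl.isAllowed(p.getName(), permission.getName())) return true;
        }
        return false; // no ACL entry: deny
    }

    @Override
    public PermissionCollection getPermissions(CodeSource codeSource) {
        return systemPolicy.getPermissions(codeSource);
    }

    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        return systemPolicy.getPermissions(domain);
    }
}
```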

  • SOAP and J2EE security

    We have deployed several SOAP services (Apache SOAP) on a WLS6.1
    server. Since more and more services are being deployed
    people are getting worried about security. I was wondering what the
    best solution was to do authentication and authorization on EJB and
    method level for SOAP clients ? I was thinking about the following
    solution: use the standard J2EE security by defining security
    constraints in the ejb-jar.xml file. Therefore every client needs to
    provide credentials to use the EJB's (this should work for both
    RMI/IIOP and SOAP clients).
    What are your ideas and opinions about this solution ?
    If you post a reply please CC to [email protected]

    Hi,
    Let me know if you find answer of your question.
    thanks

  • Setting a security method in Adobe forms

    Hi all,
    This is the Adobe form development. The output PDF will be downloaded to the Presentation server. Whenever I am viewing the PDF, Document -> Security -> Show security settings shows 'No security'. But I need to set the security method as 'Password secured'.
    Please help me out in this issue. How to set the password security in Adobe forms.
    Thanks & Regards
    Deepika

    Hi Deepika,
    You could try to add a password to the PDF as follows:
    Prerequisites: NW70 SP-13 or higher (include ADS J2EE engine)
    Preparation
    1. Job profile
      first create xml file which has following content:
    <?xml version="1.0" encoding="UTF-8"?>
    <JobProfile>
    <Description>
    ##Password encryption
    </Description>
    <Protect transform = "add">
    <OpenPassword>open</OpenPassword>
    <MasterPassword>master</MasterPassword>
    </Protect>
    </JobProfile>
    You can select any name for <OpenPassword> and <MasterPassword>.
    Save this XML file and copy it to the ADS server:
    /usr/sap/<SID>/SYS/global/AdobeDocumentServices/JobProfiles/Custom/Print
    2. Create Password alias on ADS
    Visual Admin -> server -> services -> DocumentServicesConfiguration -> Password tab
    Create 2 aliases:
       Alias: open   (It should be the same as the above XML tag <OpenPassword>)
       password:  this password will be used for opening PDF.
       Alias: master (It should be the same as the above XML tag <MasterPassword>)
       password: this password will be used for opening with Acrobat Professional.
    3. Modify print program
    When you call sfp runtime, you need to use 'SET_JOB_PROFILE' with job profile name (created by step1)
    http://help.sap.com/saphelp_nw70/helpdata/EN/46/3862dfac8e00c2e10000000a11466f/frameset.htm
    Sample ABAP report is available:
    FP_TEST_03
      Job Profile -> select file which is created by step1. (You can use F4 help)
    These are additional steps to add password encryption for PDF.
    Regards,
    Tiago

  • Rmi-iiop: calling secured method on Ejb -- NO PERMISSION Exception

    In WL6.1, I have an Ejb with secured methods. The (Swing) client application accesses the Ejb through rmi-iiop using the JDK1.3.1 Orb.
    Unfortunately, it seems that the caller identity (which was supplied in the InitialContext lookup) is not propagated to the server: any call to a secured method fails with a CORBA NO_PERMISSION Exception.
    Using the t3 protocol the program works fine, but that would require the 25Mb weblogic.jar on all clients, which is unattainable for us.
    Any ideas how this situation can be corrected?
    -Allard Siemelink

    Hi Allard,
    Please pose this in the weblogic.developer.interest.rmi-iiop.
    Thanks,
    Allard Siemelink wrote:
    > In WL6.1, I have an Ejb with secured methods. The (Swing) client application accesses the Ejb through rmi-iiop using the JDK1.3.1 Orb.
    > Unfortunately, it seems that the caller identity (which was supplied in the InitialContext lookup) is not propagated to the server: any call to a secured method fails with a CORBA NO_PERMISSION Exception.
    > Using the t3 protocol the program works fine, but that would require the 25Mb weblogic.jar on all clients, which is unattainable for us.
    > Any ideas how this situation can be corrected?
    > -Allard Siemelink
    --
    Apurb Kumar
    Developer Relations Engineer
    BEA Support

  • Unable to password protect file to email using Acrobat XI whether saving excel PDF or scanning document and then trying.  Security Method has no drop down menu to change None.

    I can't get password to work on Acrobat XI.  Cannot get a drop down menu to appear to change security method from None.

    Make sure that you use Adobe Acrobat, not Adobe Reader.

  • How to find solution for avoiding WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product

    HI All,
    We are using Oc4j version 10g 10.1.3, and while starting the container we are getting the below warning. Let me know if anyone has a solution for this.
    14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
    Please take the appropriate actions to migrate to an alternative strategy! **********
    2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
    of this product!

    I just checked my BIOS and my current setting is set at IDE although it also mentions that the default should be AHCI. Currently I have a dual boot of Windows 7 (need it for Tax software) and Arch
    So I guess, when I get the new HDD, I will first set it to AHCI and then install the OSes on it. See if NCQ helps any, and if not I will turn it back and re-install (if I have to). I am planning to have Windows only in virtualbox in the new drive.
    Anyhoo, while I was in the BIOS I found two things which I had questions about :
    1) Under Onboard Devices --> Integrated NIC , my setting is currently set at "On w/PXE" and it says the default should be just "On". Would it be ok to change it back to On since its a single machine and its not booting an OS on any server. I just don't want to have to re-install anything now since I will be doing that in the new HDD.
    2) How would I know whether my BIOS would support a 64 bit OS in Virtualbox? I checked some setting under Virtualization, but they weren't very clear.
    I will edit this post and let you know exactly what settings were present under the Virtualization sub-section.

  • Adobe Acrobat 7: Can not insert pages, changing the document: Not Allowed, but Security Method set t

    In Adobe 7, I need to add some pdf pages to the end of a document, but the insert pages (as well as all other items under Document>) are greyed out.
    On the document properties\ Security> the document restrictions summary says "Changing the Document: Not Allowed", but the Security Method in the drop down above is set to "No Security"
    Thanks!

    If there are form fields, then whoever added them probably used the forms menu, not the Acrobat form fields. Thus the PDF was converted to Designer and you are out of luck. The FORMS button found in various places in Acrobat 7 and later takes you to Designer, not the Acrobat form tools. The latter are located in the tools menu.

  • Struts/servlet page flow problem due to j2ee security

    When I type a URL such as http://localhost:7777/myapp/action.do, I want to see the execution result page from this action. However the result page will always be index.jsp because of j2ee security, for which I have a loginaction.do and its result page is index.jsp. How can I overcome this problem?
    Thanks,

    To give more details about the problem I have, user likes to put a URL in the browser, then press enter. User likes to see the running results. However, user is not able to see the results because j2ee security requires user log in. After successful login, user is going to see the index page. My question is how user can view his result page after login.
    cheers.

  • What is the best practice to handle JPA methods in JSF app?

    I am building a JSF-JPA web app(No EJB).
    I have several methods that have JPA QL inside.
    Because I have to put those methods inside JSF beans to inject EntityManagerFactory (am I right about this?).
    And I do want to separate those methods from regular JSF beans which are used by page authors.
    And I may need to use them in different JSF managed beans.
    My question here is that what is the best practice to handle that?
    I. write a or a few separate JSF Beans and inject them into regular Beans?
    II. write a or a few separate JSF Beans and access them into regular Beans using FacesContext?
    III. others?
    Waiting to hear your opinions.

    You can create named queries on your Entities themselves then just call entityMgr.createNamedQuery("nameOfQuery");
    Normally, we put these named queries in the class of the entity which will be returned. This allows for all information pertaining to a given entity and all ways of accessing that entity (except em.find() and stuff, of course) to be in one place. As long as the entity is defined in your persistence.xml file, any named queries which reside on that entity will be available through the EntityManager.
    As for the EntityManagerFactory, we normally create an application scope bean which holds the factory itself (because this is a heavy-weight object) and then just get all EntityManager instances from that by injecting this bean into whatever needs it. For example, I might have:
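    //emfBB is the injected app scope bean which holds the entity manager factory.
    private EmfBB emfBB;
    private void lookupSomeData() {
        // getEmf() returns the shared EntityManagerFactory; each use gets its own EntityManager
        EntityManager em = this.getEmfBB().getEmf().createEntityManager();
    }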
    I hope this answered your question?
    ~Zack
    Edited by: zmarr on Nov 6, 2008 1:29 PM

  • Using dynamic groups for j2ee security

    Hi all,
    I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
    Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute).
    How do I configure my realm in my server.xml to get this working?

    Hi,
    I got an official answer from SUN.
    "Dynamic Groups" are not (longer) supported with SJS AS 7!
    It will probably be supported with SJS AS 8 SE.
    If you have an iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate.

  • Security Method?  Saving downloaded PDF's

    I have credit card accounts which I access on Safari. Each month I download the statements as .pdf files. When I view some of these downloads on Preview, I can save them using a Save-As command. But for files downloaded from other sites, the Save-As is grayed out.
    When I check the info for each file, the only difference I can see is that the files I can't "Save-As" have a "Password encrypted" security method whereas the other ones have no security method. Ownership/Permissions seem the same for each one.
    How can I remove this limitation? The work around I use is to rename the files in the info tab and then drag them to the folder I want.
    Thanks for your help

    > If I then try to copy it over to the external hard-drive I get another error.
    Error message?

  • JAAS or regular J2EE Security?

    Hi, can someone offer me some examples of why I should prefer JAAS (and vice versa) over J2EE security via constraints and roles in web.xml? I'm just not sure which to use...
    Thanks...

    hi,
    you should have a look towards jGuard to use JAAS in j2ee in an easy way:
    homepage:
    http://jguard.sourceforge.net/
    sourceforge page:
    http://sourceforge.net/projects/jguard
    it hides the JAAS complexity, and enables dynamic configuration, and great flexibility!
    sincerely yours,
    Charles(jguard team).

  • J2ee security and page flow problem

    To give more details about the problem I have, user likes to put a URL in the browser, then press enter. User likes to see the running results. However, user is not able to see the results because j2ee security requires user log in. After successful login, user is going to see the index page. My question is how user can view his result page after login.
    cheers.

    In the future, please post JSP/Servlet questions in the appropriate forum: http://forum.java.sun.com/category.jspa?categoryID=20
    This is pretty simple to do:
    1) set up a Filter that applies to a specific url pattern, such as " /protected/* " so that the Filter is invoked when resources within the "protected/" path get accessed
    2) in the Filter code, store the user's desired path in the session scope (let's call it "loginRedirectFrom") and redirect the user to the login screen.
    3) in your login servlet/jsp, after the user has been verified, redirect to the url you stored in "loginRedirectFrom".
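
The three steps above as one Filter plus the helper the login servlet calls, as an added example (not code from the thread). The `user` session attribute that marks a logged-in session and the `/login.jsp` and `/index.jsp` paths are assumptions; the stored path is checked before reuse so the post-login redirect stays inside the application.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Map to /protected/* in web.xml. The "user" session attribute
// and the /login.jsp and /index.jsp paths are assumptions.
public class LoginRedirectFilter implements Filter {
    static final String TARGET = "loginRedirectFrom";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        if (session.getAttribute("user") != null) {   // already logged in
            chain.doFilter(rq, rs);
            return;
        }
        if ("GET".equals(req.getMethod())) {          // a POST cannot be replayed by redirect
            String path = req.getRequestURI().substring(req.getContextPath().length());
            String query = req.getQueryString();
            session.setAttribute(TARGET, query == null ? path : path + "?" + query);
        }
        res.sendRedirect(req.getContextPath() + "/login.jsp");
    }

    // Called by the login servlet once the credentials have been verified.
    public static String takeTarget(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        Object saved = session == null ? null : session.getAttribute(TARGET);
        if (session != null) session.removeAttribute(TARGET);   // single use
        String path = saved instanceof String ? (String) saved : "/index.jsp";
        // Accept only a path inside this application: "//host" or "/\host"
        // would be treated by browsers as another site.
        if (!path.startsWith("/") || path.startsWith("//") || path.startsWith("/\\")) {
            path = "/index.jsp";
        }
        return req.getContextPath() + path;
    }
}
```

After a successful login the servlet calls `response.sendRedirect(LoginRedirectFilter.takeTarget(request))`.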

  • OID Dynamic Groups and J2EE security roles

    Hi
    I've searched the forums but can't get a definite answer. Is it possible to use OID dynamic groups and map them to J2EE security roles? I can't find anything that says specifically not but I can't seem to get it to work.
    Thanks
    Adam

    Hi,
    Let me know if you find answer of your question.
    thanks
