JNI and security

Hi,
We are coding new functionality in legacy C code. We are using JNI to communicate with an open-source library.
We are faced with the need to create some files and to connect to a remote host, but due to the JVM sandbox we cannot operate as we need.
We tried policy files, signed jars, ... but surely we missed something.
The symptoms are that when control passes to our Java classes, the JVM doesn't read any policy file (including java.policy).
In the class constructor we ask for a security manager and check if the create file operation could be done.
Everything works well, but the file is not written (we add some content, so it must have 10 or 12 bytes).
Could anyone shed some light?
Thanks in advance!

The JVM reads the policy files at startup, not 'when control passes to Java classes'. Does that help?
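
A diagnostic that can be called from the Java side of the JNI bridge to see what the running JVM actually enforces, as an added example that is not from the original thread. `SandboxProbe`, the file name and the host are hypothetical, and it assumes a JVM that still provides `SecurityManager`. The `java.security.manager` and `java.security.policy` properties it prints only have an effect when they are set as JVM options at creation.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.net.SocketPermission;
import java.nio.charset.StandardCharsets;
import java.security.Permission;

// Hypothetical diagnostic class (an assumption, not code from the thread).
public class SandboxProbe {

    // Reads a system property; under a security manager the read itself may be denied.
    static String prop(String key) {
        try {
            return String.valueOf(System.getProperty(key));
        } catch (SecurityException e) {
            return "<not readable: " + e.getMessage() + ">";
        }
    }

    // Asks the installed SecurityManager (if any) about one permission.
    static String check(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return "no SecurityManager installed, so no policy is being enforced";
        }
        try {
            sm.checkPermission(p);
            return "granted";
        } catch (SecurityException e) {
            return "denied (" + e.getMessage() + ")";
        }
    }

    // Writes the payload, closes the stream, then returns the size found on disk.
    static long writeAndVerify(File target, byte[] payload) throws IOException {
        FileOutputStream out = new FileOutputStream(target);
        try {
            out.write(payload);
        } finally {
            out.close();
        }
        return target.length();
    }

    public static String report(String path, String hostPort) {
        File target = new File(path);
        byte[] payload = "hello, JNI".getBytes(StandardCharsets.US_ASCII); // 10 bytes
        StringBuilder sb = new StringBuilder();
        sb.append("java.security.manager = ").append(prop("java.security.manager")).append('\n');
        sb.append("java.security.policy  = ").append(prop("java.security.policy")).append('\n');
        // A relative path resolves against user.dir, which for an embedded JVM
        // is the working directory of the host C program.
        sb.append("user.dir              = ").append(prop("user.dir")).append('\n');
        sb.append("file write permission : ")
          .append(check(new FilePermission(target.getPath(), "write"))).append('\n');
        sb.append("connect permission    : ")
          .append(check(new SocketPermission(hostPort, "connect"))).append('\n');
        try {
            long size = writeAndVerify(target, payload);
            sb.append("wrote ").append(payload.length).append(" bytes, file on disk has ")
              .append(size).append(" bytes\n");
        } catch (IOException | SecurityException e) {
            sb.append("write failed: ").append(e).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: a scratch file name and a placeholder host.
        // The connect permission is only checked; no connection is opened.
        System.out.print(report("probe-output.txt", "example.com:443"));
    }
}
```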

Similar Messages

  • JVM Crash When Using JNI and COM

    I'm trying to call a DLL compiled from VB6 source code that I do not have access to. The VB6 code simply retrieves data from a DB2 database using ADO and my client code grabs that data and marshals it to my Java code. I'm attempting to achieve this using JNI and COM (without a third-party bridge). It works 75% of the time, but the other 25% of the time, the JVM crashes with the usual Hotspot crash log containing an access violation exception. However, I don't know what in my C++ code (VC++ 8) could be causing this except for passing a "wild" pointer to the code lying underneath the COM object interface. If that is the case, I don't know how I am doing that.
    The Java code that is calling my native method is running on Tomcat 5.5.25 and just to be safe, I am not allowing multiple threads to concurrently call the method in my JNI DLL (though I realize that this will kill performance). Once I can get past this problem, I'll do the COM interfacing on a worker thread in my native code so I don't screw up CoInitialize and CoUninitialize calls in the case the same thread is concurrently executing multiple calls to my native code.
    I've noticed that in most cases, the JVM crashes during my call to the pClsAccount->OpenConnection method. However, my DLL isn't what is listed on the top of the call stack, which is why I suspect the passing of a wild pointer, though I'm just taking a guess at that. Does anyone have an idea as to what's going on?
    JNIEXPORT jobject JNICALL Java_CustomerInfo_nGetCustomerAccountInfo(JNIEnv *env, jobject customerInfo, jstring accountNumber, jstring iniFileName)
    {
        jboolean isCopy;
        // Account info class and instance to be instantiated
        jclass accountInfoCls = NULL;
        jobject accountInfoObj = NULL;
        // The constructor ID of the accountInfoCls
        jmethodID ctorID = NULL;
        // Pointer to the interface for the ClsAccount COM object
        _clsAccount *pClsAccount = NULL;
        HRESULT hr;
        BSTR bstrIniFileName(L"");
        try
        {
            const char *nativeAccountNumber = NULL;
            if (accountNumber != NULL)
            {
                nativeAccountNumber = env->GetStringUTFChars(accountNumber, &isCopy);
            }
            else
            {
                jclass newExcCls;
                env->ExceptionDescribe();
                env->ExceptionClear();
                newExcCls = env->FindClass("java/lang/IllegalArgumentException");
                env->ThrowNew(newExcCls, "accountNumber passed in was null !");
                return NULL;
            }
            // Initialization
            _variant_t varConnectionSucceeded = _variant_t(false);
            _variant_t varGetAccountInfoSucceeded = _variant_t(false);
            _variant_t varAccountNumber = _variant_t(nativeAccountNumber);
            _bstr_t bstrLastPaymentDate = _bstr_t();
            _bstr_t bstrLastErrorMessage = _bstr_t();
            _bstr_t bstrLastErrorNumber = _bstr_t();
            jlong jTotalDue = NULL;
            jlong jEstablishedDueDay = NULL;
            jlong jLastPaymentAmount = NULL;
            jstring jLastPaymentDate = NULL;
            jstring jLastErrorMessage = NULL;
            jstring jLastErrorNumber = NULL;
            jthrowable jException = NULL;
            const char *chLastPaymentDate = NULL;
            const char *chLastErrorMessage = NULL;
            const char *chLastErrorNumber = NULL;
            long long totalDue;
            long long lastPaymentAmount;
            long establishedDueDateDay;
            // Convert string from Java string to C string to VB string
            const char *nativeIniFileName = NULL;
            if (iniFileName != NULL)
            {
                nativeIniFileName = env->GetStringUTFChars(iniFileName, &isCopy);
            }
            else
            {
                jclass newExcCls;
                env->ExceptionDescribe();
                env->ExceptionClear();
                newExcCls = env->FindClass("java/lang/IllegalArgumentException");
                env->ThrowNew(newExcCls, "iniFileName passed in was null");
                return NULL;
            }
            bstrIniFileName = _com_util::ConvertStringToBSTR(nativeIniFileName);
            CoInitialize(NULL);
            // Create an instance of the COClass with the interface over it
            hr = CoCreateInstance(__uuidof(clsAccount), NULL, CLSCTX_INPROC_SERVER, __uuidof(_clsAccount), (void **)&pClsAccount);
            if (hr == S_OK)
            {
                varConnectionSucceeded.boolVal = pClsAccount->OpenConnection(&bstrIniFileName);

                if (varConnectionSucceeded.boolVal == -1)
                {
                    varGetAccountInfoSucceeded.boolVal = pClsAccount->GetAccountPaymentInformation(&(varAccountNumber.GetVARIANT()));
                    env->ReleaseStringUTFChars(accountNumber, nativeAccountNumber);
                    // Extract all available account information from the ClsAccount object
                    if (varGetAccountInfoSucceeded.boolVal == -1)
                    {
                        totalDue = pClsAccount->TotalDue.int64;
                        establishedDueDateDay = pClsAccount->EstablishedDueDateDay;
                        lastPaymentAmount = pClsAccount->LastPaymentAmount.int64;
                        bstrLastPaymentDate = pClsAccount->LastPaymentDate;
                        chLastPaymentDate = _com_util::ConvertBSTRToString(bstrLastPaymentDate.GetBSTR());
                        jTotalDue = (jlong)totalDue;
                        jEstablishedDueDay = (jlong)establishedDueDateDay;
                        jLastPaymentAmount = (jlong)lastPaymentAmount;
                        jLastPaymentDate = env->NewStringUTF(chLastPaymentDate);
                        delete[] chLastPaymentDate;
                    }
                    pClsAccount->CloseConnection();
                }
                // Populate error fields if any errors occur
                bstrLastErrorMessage = pClsAccount->LastErrMessage;
                chLastErrorMessage = _com_util::ConvertBSTRToString(bstrLastErrorMessage.GetBSTR());
                bstrLastErrorNumber = pClsAccount->LastErrNumber;
                chLastErrorNumber = _com_util::ConvertBSTRToString(bstrLastErrorNumber.GetBSTR());
                jLastErrorMessage = env->NewStringUTF(chLastErrorMessage);
                jLastErrorNumber = env->NewStringUTF(chLastErrorNumber);
                delete[] chLastErrorMessage;
                delete[] chLastErrorNumber;
                const char* clsName = "com/nuance/merchantsmutual/businessentities/CustomerAccountInfo";
                // Find the Java class and the ID of its constructor
                accountInfoCls = env->FindClass(clsName);
                ctorID = env->GetMethodID(accountInfoCls, "<init>", "(JJJLjava/lang/String;Ljava/lang/String;Ljava/lang/String;)V");
                jException = env->ExceptionOccurred();
                if (jException != NULL)
                {
                    env->ExceptionDescribe();
                    env->ExceptionClear();
                }
                // Release all resources associated with the ClsAccount instance
                pClsAccount->Release();
                // Instantiate the class with the given parameters
                accountInfoObj = env->NewObject(accountInfoCls, ctorID, jTotalDue, jEstablishedDueDay, jLastPaymentAmount, jLastPaymentDate, jLastErrorMessage, jLastErrorNumber);
                jException = env->ExceptionOccurred();
                if (jException != NULL)
                {
                    env->ExceptionDescribe();
                    env->ExceptionClear();
                }
            }
            else if (hr == REGDB_E_CLASSNOTREG)
            {
                cout << "COM class not registered" << endl;
            }
            else if (hr == CLASS_E_NOAGGREGATION)
            {
                cout << "COM class can't be aggregated" << endl;
            }
            else if (hr == E_NOINTERFACE)
            {
                cout << "No interface for COM class clsAccount" << endl;
            }
            else if (hr == E_POINTER)
            {
                cout << "*ppv pointer was NULL !" << endl;
            }
            else
            {
                cout << "Error occurred while creating COM object. HR is [" << hr << "]" << endl;
            }
            // Free the BSTR because a new one was returned with a call to _com_util::ConvertStringToBSTR
            SysFreeString(bstrIniFileName);
            // Release the string when it's no longer needed. MUST call if string won't be used
            // anymore or else a memory leak will occur
            env->ReleaseStringUTFChars(iniFileName, nativeIniFileName);
            CoUninitialize();
        }
        catch (_com_error &e)
        {
            cout << "Encountered an exception in GetCustomerAccountInfo: Error was " << e.ErrorMessage();
            pClsAccount->Release();
        }
        catch (...)
        {
            pClsAccount->Release();
        }
        return accountInfoObj;
    }
    Edited by: Cthulhu76 on Jan 5, 2010 9:18 AM


  • I have forgotten my Apple security questions, when I go to My Apple ID and click on password and security, there is no option to reset my security questions even though I have a rescue email address, how do I reset my security question?

    I have forgotten my security questions but when I click on My Apple ID and go to password and security, there is no option to reset my questions and/or send myself a rescue email, what do I do now?

    You need to contact Apple. Click here, phone them, and ask for the Account Security team, or fill out and submit this form.

  • Start up problems after Safari 3.1 and Security update

    Updated safari and security update last night.
    Safari downloaded and installed but there was an error downloading or installing the security update, I forgot.
    After I restarted everything booted up fine, but was stuck on "Starting Mac OS X" screen.
    Did a fsck and zap the pram, still stuck.
    Today I tried booting up in safe mode, stuck on the gray screen with the apple logo.
    Then I tried booting up from an external firewire dvd drive. Repaired permissions, repaired the disk, but it is still stuck on "Starting Mac OS X" screen. Help please...
    Thank you

    OK, I had a similar problem, with all the recent updates for Leopard, including the 10.5.2 combo update... the 12" PowerBook G4 kept getting stuck on the grey apple and spinning wheel... if it managed to get past this it would get stuck on the blue screen!!!
    The way I got around this, after trying all these other tips was: Archived & Installed 10.5; restarted, waited; downloaded 10.5.2 Combo update, installed; restarted, waited; waited; waited; after getting back to desktop, restarted, waited; then ran Software Update only installing one at a time, and after each install, restarted, waited; when all Software updates completed, proceeded with iLife updates etc... It took a while (still quicker than the 3 days of failed installs and updates) with a lot of waiting on the blue screen (5-20mins) but we got there in the end. Disks were checked with Leopard Disk Utility before and after, permissions were checked before and after completing all installs, also with a DW 4.1 optimization. Also noteworthy is the RAM was upgraded from the initial 256Mb (!!!) with an extra Gb.

  • Bursting with translation and security attributes?

    Hi folks,
    I've been lurking on the forum for a while and despite not always finding a solution, existing threads normally pointed me in the right direction - so thanks :)
    I'm working on EBS 11.5.10 with the latest Bi-Publisher 5.6.3 (5472959) and bursting (5968876) patches installed.
    I have successfully done the following individual AR Invoice Bi-Publisher tasks:
    1. translated an invoice RTF template by attaching an xliff file to the data definition,
    2. applied security attributes to the template to restrict updates on the resulting PDF,
    3. burst a custom AR invoice print and emailed the resultant pdf's.
    The PDF generated by the combined Invoice print correctly applies the translation and security attributes; however when I run the "XML Publisher Report Bursting Program" to the XML file the resultant burst PDF's do not apply the translation or security attributes. I assume this is a limitation of bursting control files? If so, is this on the list of future enhancements to Bi-Publisher?
    Here's an example of my control file document entry, I have included locale and pdf-security entries - these don't cause an error but equally don't generate the desired result (p.s. I know I'm emailing on a PRI filter - it's just a test):
    <xapi:document output-type="pdf" delivery="att_email">
    <xapi:template type="rtf"
    location="/usr/tmp/xxxINVOICE3.rtf"
    locale="fr-US"
    pdf-security="true" pdf-encryption-level="1" pdf-permissions-password="xxxxxx"
    filter=".//G_INVOICE_HEADER[PRINTING_OPTION='PRI']" >
    </xapi:template>
    </xapi:document>
    Thanks
    Dave

    =================
    ==Properties Ideas
    =================
    You would have happened to try applying the security stuff in the application for your template? Try that and see if the pdf properties get set.
    If that doesn't work you're left with two options:
    1. create a java concurrent program and set the properties manually.
    2. Log a tar.
    =================
    ==local ideas
    =================
    Are you sure you don't have to create template config for the locale? I suspect that's why it's not applying the xliff translation. Also, your NLS_LANG needs to be set to FRENCH for the appropriate template to be applied. If you're logged in as English your French format template will not be applied, neither will the translation. As an example you can query vl table and you'll only get american (us) but if you alter your session you'll get the translation for that language when you query the table.
    location="xdo://xxxAR.xxx_XML_PRINT.fr.US"
    try it out and see if that works. Note: This will only work if your session NLS_LANG is set to FRENCH.

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in the ethical hacking, penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so as not to be accessed by other non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up the HTTPOnly for the session cookies.
    1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies.
    2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.secure = "true"
    Here my question is how we can do the same thing in Application.cfm? (I am using ColdFusion version 10.) I know we can do this using the below code, in case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right??? And this will be a headache. Right??? Or is there any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean how are you relating this with my question.
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case then why am I getting the below info for jsessionid (as you mentioned it should be set with the SECURE flag. Right???). Note that we are using web server - Apache vFabric. And the application that we are using is in https and there is no hit going from https to http.
    Name: JSESSIONID
    Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain: xyz.abc.pqr.com
    Path:
    Send for: Any kind of connection
    Accessible to script: No (HttpOnly)
    Created: Wednesday, September 3, 2014 2:25:10 AM
    Expires: When the browsing session ends
    BKBK wrote:
    2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for CF session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin? Or in other words, as the session management is J2EE based do we need to set those flags for CF session cookies?
    BKBK wrote:
    3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set httponly only, but how will we set it for jsessionid? This is my question. Apache vFabric will also set secure to true automatically. Any idea??
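
A way to check from the outside which session cookies still lack the two flags discussed in this thread, as an added example that is not part of the original posts. The class name `SessionCookieAudit` is hypothetical and the `Set-Cookie` values are constructed samples; the JSESSIONID sample mirrors the state reported above (HttpOnly present, sent on any kind of connection).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical checker: flags session cookies that lack Secure or HttpOnly.
public class SessionCookieAudit {

    // Session cookie names taken from the thread.
    static final Set<String> SESSION_COOKIES =
            new HashSet<>(Arrays.asList("CFID", "CFTOKEN", "JSESSIONID"));

    // Takes the values of the Set-Cookie response headers and returns one
    // finding per missing flag on a session cookie.
    static List<String> findings(List<String> setCookieValues) {
        List<String> out = new ArrayList<>();
        for (String value : setCookieValues) {
            String[] parts = value.split(";");
            String name = parts[0].split("=", 2)[0].trim();
            if (!SESSION_COOKIES.contains(name.toUpperCase(Locale.ROOT))) {
                continue; // not a session cookie, out of scope here
            }
            boolean secure = false;
            boolean httpOnly = false;
            for (int i = 1; i < parts.length; i++) {
                // Attribute names are case-insensitive ("HTTPOnly" == "HttpOnly").
                String attr = parts[i].trim().toLowerCase(Locale.ROOT);
                if (attr.equals("secure")) {
                    secure = true;
                } else if (attr.equals("httponly")) {
                    httpOnly = true;
                }
            }
            if (!secure) {
                out.add(name + ": missing Secure");
            }
            if (!httpOnly) {
                out.add(name + ": missing HttpOnly");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real server.
        List<String> sample = Arrays.asList(
                "JSESSIONID=0000000000000000.node1; Path=/; HttpOnly",
                "CFID=1234; path=/; HTTPOnly",
                "CFTOKEN=abcd; path=/; Secure; HttpOnly",
                "theme=dark; Path=/");
        for (String finding : findings(sample)) {
            System.out.println(finding);
        }
    }
}
```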

  • HT2534 My friend created me an itunes store account with his credit card , his credit card is about to expire and they are asking me to re-enter the credit card and security card number .... I don't have these numbers ... How can i create new itunes accou

    My friend created me an itunes store account with his credit card , his credit card is about to expire and they are asking me to re-enter the credit card and security card number .... I don't have these numbers ... How can i create new itunes account without credit card?????

    Why do you need to create a new account?
    Just change the payment method.
    http://support.apple.com/kb/ht1918

  • I forgot the answers for the security questions and when I try to change them (My Apple ID - Manage your account - Password and Security) I'm asked to answer the exact questions I'm Trying to change because I don't remember the answers. How can I do it?

    I forgot the answers for the security questions and when I try to change them (My Apple ID -> Manage your account -> Password and Security) I'm asked to answer the exact questions I'm trying to change because I don't remember the answers. How can I do it?

    Can't you try the email option instead?

  • [Request] Move Windows Control Panel applet from "System and Security" to "Programs"

    The "Flash Player (32-bit)" Windows Control Panel applet should be  moved from "System and Security" to "Programs" where the Java applet is.
    Vote: https://bugbase.adobe.com/index.cfm?event=bug&id=2953107
    Thanks


  • System and security control panel

    Could someone with a W520 take a screenshot of the Lenovo apps in their "system and security" section of control panel please. I am doing a ground up install from bare Windows 7 to get rid of the preloaded SQL Server 2005 and adding back the programs I want.
    Just want to see what came preloaded.
    Thanks

    njb,
    Why not just run the ThinkVantage System Update and let it install as usual. You can also "un-check" those drivers that you don't want to install.
    *Non Lenovo employee*
    I have a Y2P (i5) ... Feel free to ping me if you want me to test some applications with your Y2P if you have the same model. I don't mind keep doing recovery on it if needed .... =)

  • "logon time" between USR41 and security audit log

    Dear colleagues,
    I got the following question from a customer for security audit reasons.
    > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
    > logon history of Security Audit Log(Tr-cd:SM20)?
    Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
    And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
    at the time when user logged on, the security audit log is recorded .
    I tried to check SAP GUI logon program:SAPMSYST several ways, however,
    I could not check it because the program is protected even for read access.
    I want to know about specification of "logon time" between USR41 and security audit log,
    or about how to look into the program:SAPMSYST and debug it.
    Thank you.
    Best Regards.

    Hi,
    If you configure Security Audit you can achieve your goals...
    1-Audit the employees who access the screens, tables, data...etc
    Answer : Option 1 & 3
    2-Audit all changes by all users to the data
    Answer : Option 1 & 3
    3-Keep the data up to one month
    Answer: No such settings, but you can define maximum log size.
    4-Log retention period can be defined.
    Answer: No !.. but you can define maximum log size.
    SM19/SM20 Options:
    1-Dialog logon
    You can check how many users logged in and at what time
    2-RFC login/call
    Same as above you can check RFC logins
    3-Transaction/report start
    You can see which report or transaction are executed and at what time
    (It will help you to analyse unauthorized data changes. Transactions/reports can give you an idea of what data has been changed. So you can see who changed the data)
    4-User master change
    (You can see user master changes log with this option)
    5-System/Other events
    (System error can be logged using this option)
    Hope it clears things up...
    Regards.
    Rajesh Narkhede

  • I have used a Seagate external hard drive for my Mac desktop. It is malfunctioning. Can I disconnect and depend on iCloud to keep my documents, music, and photos backed up safe and secure? I use the Cloud for phone, pad and desktop.

    Can I expect iCloud to safely back up and secure my documents, music and pictures? I am using Cloud on phone, pad, and desktop. Have depended on external hard drive in the past. It is malfunctioning. Will the Cloud replace it for storage and safety?

    Time Machine in itself, without an external drive may well be good for instances where you accidentally delete documents that you later require. However in the event of a hard drive failure, if Time Machine backup is kept on the same drive as the original items, it will not be much use to you.
    In my opinion, it is vitally important that you have an external drive for backup, whether you use Time Machine or a another backup solution is entirely up to you.
    My situation is slightly unusual, I have four hard drives in my computer and multiple arrays of hard drive enclosures with multiple hard drives within them (in total I have 40 TB of storage). As a result of this I tend to employ more than one backup procedure, I use Time Machine to backup some items and a utility called tri-backup to backup other items. I also keep two backups of everything.
    Time Machine is free, it's included with your operating system, I wonder if you mean time capsule.

  • HT1222 MacOSX v10.6.8 mail and security update issues - help?

    in the system profiler, my mail app is showing as v4.5  but has the application name Mail 3.6  
    Not sure if that matters but I read to reinstall updcombo and security update but when installing the security update I get:
    security update 2012-004 can't be installed on this disk. This volume does not meet the requirements
    Help?

    this is where the install stops

  • Unable to Reboot After Latest Apple Updates (SA-2011-06-23-1 and Security Update 2011-004)

    Hi All,
    After applying today's updates (06/23/2011) in APPLE-SA-2011-06-23-1 Mac OS X v10.6.8 and Security Update 2011-004, my MacBook will no longer boot. Prior to updating, the MacBook worked perfectly (except for the occasional error entry in the system and kernel log). The MacBook model number is A1278, with a RAM upgrade (4 GB).
    When booting in NORMAL mode, the grey screen with Apple logo (and spinning wheel) is shown for about 50 seconds. The device never shows the blue background or login window. It simply shuts down like the power was pulled.
    When booting in SAFE mode, the grey screen with Apple logo (and spinning wheel) is shown for about 1 minute 30 seconds. The blue background is shown and quickly transitions to the login windows. About 45 seconds after the login window is shown, the machine shuts down like the power was pulled.
    On the few occasions I logged in to take advantage of the 45 second safe mode window (before shutdown), I was *not* able to copy off my log files (in /log/var) to a thumb drive because the computer would not mount the USB device.
    When I peeked at the system's log file, I caught the tail end of "signature validation failed" for a bunch of hardware - from video to audio. I can only peek because the computer will shutdown before I have an opportunity to study anything in detail. The failed verifications may or may not be related to the shutdown - signature verification might be disabled in safe mode; I simply don't know.
    It seems the world's most advanced operating system [tm] is performing the world's most epic failure. Any ideas to get this brick working again would be greatly appreciated.
    Jeffrey Walton
    Baltimore, MD, US

    Here's what I've found:
    (1) I cannot run Disk Utility because I don't have my install disk handy
    (2) I cannot run Repair Permissions because Apple does not make a separate ISO available to fix their mistakes
    (3) There does not appear to be a way to back out updates (ie, no Add/Remove Programs)
    I was able to boot into safe mode and perform:
        > sudo bash
        $ chmod -R root /
    Amazingly, the command ran to completion. Unfortunately, it did not fix the problem. As soon as some spare cycles were available (interesting indeed!), the machine shutdown.
    +1 to Apple engineers for creating a broken patch
    +1 to Apple quality assurance for letting the junk out the door
    +1 to Apple, for not offering an ISO to fix a broken installation
    +1 to Steve, who has managed to keep his anti-trust lock on the hardware and broken software
    Great job, Apple

  • Is there a way to view Flash videos on my iMac without downloading Adobe Flash Player? I'm concerned about performance and security with Flash Player.

    Is there a way to view Flash videos on my iMac without downloading Adobe Flash Player? I'm concerned about performance and security with Adobe Flash Player.

    If the video is only available in a format that requires Flash player : then no.
    However, a great many can also be viewed in an HTML5 version, in which case http://hoyois.github.io/safariextensions/clicktoplugin/ or similar can be set up so that Flash never runs unless you specifically choose it to.
