JSF-Security Sourceforge project

JDev team (especially Duncan Mills)
The JSF-Security library is a great little extension for JSF:
http://jsf-security.sourceforge.net/
What's the future of this in respect to JDeveloper? Will it be included in JDeveloper as per the default install? Is it going to remain out there in the Sourceforge domain? Will it be included as a JDev extension at some stage?
Cheers,
CM.

I'd rather see this kind of thing rolled into Core JSF. For the moment it will live on its own on SF and I'll try and get back and do some more work on it in December probably.
I don't see it being shipped with JDev - but it would be trivial to create an extension to make it simple to pull down from the extensions exchange.

Similar Messages

  • CoreId & jsf-Security question

    I was told by our admin group that we will use CoreId for security enforcement for our JSF apps. Fine.
    I am now wondering if the jsf-Security library I am using (thanks Duncan & Frank) will enable me to still get the logged in user's ID and role membership(s)... and if so how?
    I have a link on my home page that currently uses a backing bean to determine if the user has a role using the #{securityScope.userInRole['admin']} and if so the link goes one place, if not it goes another. Can someone confirm that this will still work if the authentication comes from CoreId?
    Sorry if I sound daft on this but this part of the puzzle is really beyond my expertise and there is too much conflicting info out there on the web about it.
    Thanks.

    Hi,
    I think you can configure CoreId in OracleAs for container managed authentication. In this case all works the same. Just check the OC4J security documentation for the setup.
    Frank

  • How to import jsf  hello world project in eclipse

    Hi,
    I'm Inam. I have downloaded a JSF hello world project from www.mkyong.com and am trying to import it into the Eclipse IDE, but I am not able to import it.
    Please help me and specify the steps, so that I can relax; I'm too eager to know the solution to this problem.
    Regards

    Welcome to the forum.
    As others have said, there is no way to read Aperture 3 Projects or Libraries in Aperture 2. If you want to carry on using the same files on both computers you will have to stay with Aperture 2, or replace the tower with an Intel-based one that will run new software.
    As much as we might dislike it, PPC-based Macs are getting left behind in terms of what software they will run.
    Ian

  • Help me out with Directory structure for JSF+SPRING+HIBERNATE Project

    Hi friends,
    My name is Walter, working for a startup software company. We are working on a Hospital Management System (HMS) project with an MVC architecture, using Hibernate, Spring and JSF. We need to design the directory structure for our project.
    Please help me, friends, by suggesting an MVC directory structure. Also, please help me by directing me with the navigation flow.
    Thanks in advance
    Regards
    Walter

    Thank you so much, friends, for your kind replies. Thanks to Illu, anguquga and special thanks to BalusC for giving me the advice for hiring an EE architect.
    Anyway, I have discussed designing the directory structure with my teammates.
    anguquga, your directory structure is close to what I have designed, referring to a sample application on the web.
    Hospital Management System MVC architecture directory structure
    This is the way the structure goes:
    model --> for Hibernate as well as Spring
    View --> for JSF
    src(-)
    |
    ------(-) java
         |
         -------(-) model
              |
              ------(+) businessobject
              |
              ------(-) dao
              |
              ------(+) hibernate
              |
              ------(+) exception
              |
              ------(-) service
              |
              ------ (+) impl
              |
              ------(+) util
              (-) view
              |
              ------(+) bean
              |
              ------(+) builder
              |
              ------(+) bundle
              |
              ------(+) servicelocator
              |
              ------(+) util
              |
              ------(+) validator
    (-) Web or WebRoot
    |
    ----- (-) JSP Files etc.,
    |
    ----- (-) META-INF
    |
         ------     (+) Images
    |
         ------     (+) Scripts ==== CSS (cascading style sheets, JavaScript files etc.,)
    |
    ----- (-) WEB-INF =========xml files web.xml, faces-config.xml etc.,
         |
         -----(-) Classes
              |
    -----(-) HMS
    |
                   ----- (+) model
                   |
                   ----- (+) view
    |
    ----- (+) lib
    I am sure you may notice a few errors. If you find any, please reply back. Thanks in advance for replies, and thanks for giving your valuable replies.
    Walter (Kaleem)

  • Row Level security on Projects view

    How can custom reports be written in Oracle Projects such that only projects to which the user has access are returned? Is adding the pa_security.allow_query condition the proper way?
    Are there any public APIs or views that are available in R12.1.2?

    You can use PA_INTERFACE_UTILS_PUB.SET_GLOBAL_INFO to initialize the environment and pass the parameter P_ADVANCED_PROJ_SEC_FLAG value as 'Y'; then your report will use role based security for the standard Oracle Projects views.
    Hope this helps!
    Sathish Raju
    www.projectsaccounting.com

  • 10.4.2 401 Unauthorized error when i secured my project

    Hi,
    I secured my application with authentication and authorization, with the default login page and error page.
    After I assigned users to an application role and did grants for all the web pages and taskflows needed, I am unable to log in successfully to the app.
    I get
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
    Anyone, please let me know why this issue arises.
    Prabas

    Did you grant permission for the taskflow and the page in the jazn-data.xml file?

  • JSF security question - how are public methods protected?

    I'm somewhat new to JSF, so pardon my ignorance if this is a silly question.
    Let's say you have a bean with several public action methods. You create a JSP and specify some of those methods as "actions" or "actionListeners".
    How well protected are methods that are not exposed via the JSP? Is there anything stopping people from analyzing the rendered HTML, seeing how it binds to a method "${bean.editABC}," and modifying it to the equivalent of "${bean.deleteABC}," for example?
    Thank You.

    Do they appear in the HTML source anyhow? I've never seen it.

  • What is the best approach to store "dynamic" user accessibility ?

    Hi all,
    We are implementing security in our ADF BC + Faces application. There is always a requirement to hide/disable functionalities that a user is not allowed / authorized to access.
    Usually we do this during development time, based on what role the user is in. Using this approach, there is no way to change that, or give access to a new role during runtime (after the deployment). This is what I call "static accessibility".
    In our apps, we need to give / revoke access to some functionalities during runtime. This is what I call "dynamic accessibility".
    One approach that comes to my mind is:
    We define the accessibility to each function that we want to protect (hide/unhide) in database tables. Then every time a user enters a page, read these tables through JDBC calls, then store the data in a Managed Bean.
    Has anybody here implemented this "dynamic accessibility"?
    Is there a better approach ?
    Thank you very much,
    xtanto

    Saeed,
    SRDemo uses a managed bean that checks is user in role when called and returns true or false. Another approach - more elegant - is the use of a security property resolver as available
    http://jsf-security.sourceforge.net
    Regarding dynamic permissions, the use of JAAS seems to be a good solution. ADF Security uses JAAS permissions to assign component access to users.
    E.g. if the user role manager has access to edit the salary column, then the security constraint added to the update button could be
    #{!bindings.<attribute binding>.updateable}
    Note that ADF Security sets the updateable flag on an attribute.
    Or you use
    #{bindings.<iterator binding>.permissionInfo.create}
    #{bindings.<attribute binding>.permissionInfo.update}
    #{bindings.permissionInfo['pageDefName'].view}
    etc. to determine what a user can do or can't.
    Note that I haven't tested if the permissions are cached for a specific application or if they are checked each time again. If they are checked each time then this would be a performance penalty but allows to dynamically set permissions to user groups as obviously needed in your applications.
    No, we don't have a tutorial for this. But an Oracle By Example for end-to-end security implementation is on my collateral plan for JDeveloper 11 (just need to write a doc writer ;-) )
    Frank

  • Managed Bean Best Practices

    Hi
    Are there any best practices for using Managed Beans?
    We plan to use our own custom-built JSF components. Need to understand how to design backing beans for performance/effort optimization.
    For example :
    1. How to make managed beans thread-safe for concurrent requests, without compromising on efficiency/speed?
    2. How to enforce the J2EE security with managed-beans?
    3. How to decide the scope of these beans to ensure minimal data-storage in session?
    4. How to decide the granularity at which a managed-bean should be used for example :
    4.1 One bean-per-component
    Advantages :
    a) if complex components require special data-holding/processing/event-handling capabilities from bean
    (e.g. datagrid model,tree model,menu model)
    Problems :
    - with multiple components in a page/form
    a) it becomes tedious to debug/change/track which bean serves which component
    b) if session scope is required, too many beans will be cached in session
    c) unnecessarily too many beans will be created on server (= n pages * m components-per-page)
    d) unnecessarily increases the length of faces-config.xml
    4.2 One bean-per-form
    Advantages :
    a) in multi-form web pages, to ensure the functional behaviour of each form is separate/modular in its own bean.
    b) each managed-bean would map to specific/meaningful functionality/user-interaction in use-case.
    Problems :
    - if form includes complex components (datagrid/tree/menu) requiring a specialised bean class, then
    a) either one of the specialized bean has to be augmented with additional logic to handle data/events for all other components within the form
    (Not good, as it mixes-up the responsibilities of component-specific-beans, and the bean may no more be reusable in another form)
    b) or without using component-specific beans, only single form bean should handle the data/events for all components in the form?
    (Neither good, since if a complex tree-component is reused in multiple forms, then the logic to handle data/events for such a component will be repeated in those many form-specific managed beans)
    4.3 One bean-per-page
    Advantages :
    a) seems more modular/meaningful way - since a page would map to some feature within the use-case
    b) bean will contain only behaviour which is relevant for the associated page/function within use-case
    Problems :
    a) in multi-form pages, can single bean handle data/events for multiple forms?
    b) if page uses complex component (e.g datagrid, tree) that needs its own bean - how does page-bean exchange data with component-bean?
    Thanks,
    Arti

    > Are there any best practices for using Managed Beans?
    There are no best practices for using Managed Beans in terms of Sun or other vendors' recommendations. But there are some patterns that can be applied to managed beans (the managed bean is already a pattern). Also, common sense is always a good practice.
    For example, the managed bean should not have business logic code, only presentation logic code, etc.
    > 1. How to make managed beans thread-safe for concurrent requests, without compromising on efficiency/speed?
    The beans can be created by request, so concurrency is not an issue. If they are session scope, it is also not an issue because a user can only have one thread running. Only in application scope must you be careful.
    > 2. How to enforce the J2EE security with managed-beans?
    See this:
    http://jsf-security.sourceforge.net/
    About jsf-security
    > 3. How to decide the scope of these beans to ensure minimal data-storage in session?
    If you want minimal data-storage in session, the answer is request or none.
    In question 4, you make the question and give the answer ;-)

  • JSSF  what you say about this security lib for JSF?

    JSSF - Java Server Security Faces - is a framework for the security layer, with JSP tags and page/resource access control. Supports MyFaces and Sun RI JSF.
    http://sourceforge.net/projects/jssf/

    > In bin package you can find file usage.txt (with simple instruction) and security.xml (example of configuration)
    > do you upload or not?
    > critics without reason bad practice :-)
    I haven't made any criticisms, I've just asked for some information.
    > also in end of this file you found "planing tasks" where i add task for home page creation.
    I was referring to your home page on sourceforge (http://jssf.sourceforge.net/). I'm not really in the habit of downloading things before I can read about them.

  • Implementing security for the Projects in OWB

    Hi,
    Are we able to implement security for the individual projects?
    Thanks
    Vinay

    Hi,
    I do not know exactly what kind of security you want to implement, but below is an excerpt from the OWB User Guide about implementing security at Project level...
    You should be able to find more info in OWB User Guide.
    Freezing Projects
    If you want to freeze the project MY_PROJECT and prevent access to all its contents, the following restrictions will apply:
    You cannot create, edit, or delete any objects under a frozen project.
    You cannot invoke any of the services that modify objects within this frozen project. For example, you cannot perform an MDL import, a source import, or a snapshot restore in this project.
    You can deploy, export, and execute runtime procedures within a frozen project.
    You can validate and generate within a frozen project.
    You cannot add or remove any objects from a frozen project to a snapshot.
    The frozen project security policy is implemented within Warehouse Builder through the following files. These files are located on your installation CD under: samples/security_feature/frozenproject.
    frozenProject.pkb: Holds the implementation of the security policy.
    frozenProject.sql: Contains a table of the structure as shown in Table 19–2. The administrator can freeze projects by inserting them into this table and setting the isFrozen flag to 1.
    HTH
    mahesh

  • Project Server 2013 reporting security

    Hi,
    I have a question, and I have seen a couple of similar ones but nothing definitive, on the topic of permissions/security for Project Server 2013 (in Project Server security mode) for either Excel (OData) reports or SSRS reports.
    Even setting security aside, the out-of-the-box configuration is certainly not elegant or even usable.
    Situation:
    In PWA, project managers and team members can only see projects they own, are team members on, or have been granted permissions explicitly to. (Pretty standard - it is using security templates and "My Projects".) We are using secure store and impersonation for access to reports. We do have report authors groups.
    As an example, a PM needs to create a weekly status report but should not have to pull all the data back to then filter for their one project.
    However, when a PM goes to either SSRS or Excel using OData they can see every project in the company. This just does not make a lot of sense. Why would I hit the database for 100 projects when I only care about one? And yet there seems to be a lack of information on the topic. In contacting Microsoft we were told there was nothing we could do; that is how it was designed.
    REALLY???? (see above)
    What we have come up with for our approach is that we're currently using the UserID value to set parameters in our data sources, but we are looking for more 'elegant' approaches to security (if they exist), as there are some liabilities with this approach (e.g. if a report author forgets to put the parameter in, the users will get everything back).
    QUESTION:
    If there is not another approach then we will stay with it. We can't imagine there isn't a better way.
    Additionally, the Project user view only contains the identity of the project owner, not the rest of the team members (including sponsors who might need to see the data), so where are they in the database?
    Tasks

    Hi Paul,
    I have a similar situation, only I'm using Project Online. I have set up Groups and Categories where there is a relationship between clients and groups, and projects and categories.
    The only issue is that when running a report a user receives an error and then all the data shows for all projects, irrespective of the group/category/project relationship and the fact that the user only exists in one group (and therefore can't see or access the other projects in PWA outside of their group).
    Hope that makes sense.
    Regards,
    Conrad

  • Migrating Security In Oracle BI 11g - Project Amelia

    We'd like to introduce an open source project that assists with the migration of basic security from an OBI 11g (FMW) source environment to a target environment. The project generates a WLST script that executes a security artifact migration process. It is also great for creating an inventory of application roles and principal assignments that can be used in project documentation.
    This is a perfect tool for upgrades from OBI 10g to OBI 11g.
    Advanced users should have no problem testing and running the solution. Please provide feedback or potentially consider contributing to the project.
    The project page can be found here,
    http://amelia.artofbi.com/
    The project code can be downloaded from here,
    https://github.com/artofbi/Oracle-FMW-Amelia
    The first post and description of the project can be found here,
    http://www.artofbi.com/index.php/2011/09/introducing-project-amelia-easier-migration-of-obi-11g-security/
    This project was originally designed to provide a quicker mechanism for migrating Oracle BI 11g security. It clearly has a resounding place in other OPSS based FMW applications. Project Amelia is a new open source project to assist with migrating and documenting Policy Store Security in Oracle Fusion Middleware, specifically for but not limited to Oracle Business Intelligence 11g. The project contains the core scripts and binary files required for utilization in any Java ready Operating System.
    The project is released under the Apache License 2.0 which means it is free to use, free to share, and free to copy.
    Please feel free to leave any comments or questions in the forum thread.
    Cheers,
    Christian
    http://www.artofbi.com

    Check this http://www.rittmanmead.com/2011/02/obiee-11g-migrations/
    and http://docs.oracle.com/cd/E23943_01/doc.1111/e15722/toc.htm

  • Wrong security configuration in web.xml

    Hi all
    I am developing an application with JDeveloper 10.1.3.3 using ADF-BC/JSF. I have followed the example of SRDemo and my .jspx files are located in two folders : public_html/app and public_html/pricelist/
    My application will have two user roles: the administrators, who access everything, and the users, who need to access only the pages located in faces/app and get access denied messages in all pricelist management pages.
    I have used file based security and defined users and roles in jazn-data.xml. I have also verified that the data in that file are correct using the isUserInRole() function.
    What I cannot get to work correctly is the security in the web.xml, since the way I have it both users and admins are granted full access to the faces/app/pricelist pages.
    The security constraints in my web.xml look like this:
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>PricelistData</web-resource-name>
                <description> Price list management pages</description>
                <url-pattern>faces/app/pricelist/*</url-pattern>           
            </web-resource-collection>
            <auth-constraint>
                <role-name>admin</role-name>
            </auth-constraint>
        </security-constraint>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>UserData</web-resource-name>
                <url-pattern>faces/app/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>user</role-name>
                <role-name>admin</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>jazn.com</realm-name>
        </login-config>
        <security-role>
            <role-name>user</role-name>
        </security-role>
        <security-role>
            <role-name>admin</role-name>
        </security-role>
    Can anyone tell me what I am doing wrong, or suggest anything else I should check?
    Thanassis

    Well, your orion-application.xml file looks okay to me, and in addition, if the isUserInRole is returning proper values, it's hooked up correctly.
    (By the way, a useful bean/free piece of code to do just what you're doing is the JSF-Security scope as written by Duncan Mills on Sourceforge)
    As such I'd be looking at the security constraints URLs. You haven't by chance changed the url-pattern for the Faces Servlet? The default is this:
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    ...and your url-patterns assume it starts with faces. Note it is correct in your url-pattern to not include a forward slash before faces in the security constraint.
    Another thing that springs to mind, when you navigate to the protected page through your menu structure, what URL do you see in the browser? Is it the URL of the page you came from, or the URL of the page you navigated to ... and in addition ..... another thing to try is in your browser, rather than navigating through your menu structure, go straight to the URL of the page. Does the login page then show?
    The reason I mention this is if you're using the default navigation style in JSF for JDev 10.1.3 (if memory serves me well, it's direct), the Servlet may not actually enforce your protected page navigation as the navigated-to page is never actually served by the Faces servlet to the JEE engine to enforce security. I think I had a b1tch about this issue in the following OTN Re: ER: JSF direct navigation ignores JAZN container based security. Could this be what you're hitting?
    As such try changing the navigation type to redirect.
    CM.
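
    The url-pattern and navigation points discussed in this thread, as an added example that is not part of the original posts or of the JSF-Security library: a small Java model of how the Servlet specification selects the security constraint for a request, run over the two constraints from the question both as posted and with a leading slash. The page names home.jspx and edit.jspx are made up, `<http-method>` and transport guarantees are not modelled, and a particular container (OC4J included) may treat slash-less patterns more leniently than the specification text.

    ```java
    import java.util.*;

    public class ConstraintCheck {

        /** One <security-constraint>: its <url-pattern> and the roles in its <auth-constraint>. */
        record Constraint(String pattern, Set<String> roles) {}

        /**
         * How well a url-pattern matches a context-relative request path, or -1 for no
         * match. Servlet spec mapping rules: "/x/*" is a path-prefix mapping, "*.ext"
         * an extension mapping, "/" the default mapping, and any other string is an
         * exact match only. A pattern without the leading slash therefore falls into
         * the exact-match case and can never equal a request path, which starts with "/".
         */
        static int rank(String pattern, String path) {
            if (pattern.startsWith("/") && pattern.endsWith("/*")) {
                String prefix = pattern.substring(0, pattern.length() - 2);
                boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
                return hit ? 1000 + prefix.length() : -1;   // longer prefix = better match
            }
            if (pattern.startsWith("*.")) {
                return path.endsWith(pattern.substring(1)) ? 1 : -1;
            }
            if (pattern.equals("/")) {
                return 0;
            }
            return pattern.equals(path) ? Integer.MAX_VALUE : -1;
        }

        /** Roles demanded by the best-matching constraint(s); null means no constraint applies. */
        static Set<String> requiredRoles(List<Constraint> constraints, String path) {
            int best = -1;
            Set<String> roles = null;
            for (Constraint c : constraints) {
                int r = rank(c.pattern(), path);
                if (r < 0 || r < best) {
                    continue;
                }
                if (r > best) {                       // better match replaces what was found
                    best = r;
                    roles = new TreeSet<>(c.roles());
                } else if (roles.isEmpty() || c.roles().isEmpty()) {
                    roles.clear();                    // an auth-constraint naming no roles denies all
                } else {
                    roles.addAll(c.roles());          // same pattern twice: role lists combine
                }
            }
            return roles;
        }

        /** Container decision for a request the browser actually sent to this path. */
        static boolean allowed(List<Constraint> constraints, String path, String role) {
            Set<String> need = requiredRoles(constraints, path);
            return need == null || need.contains(role);
        }

        public static void main(String[] args) {
            // The two constraints from the question, as posted and with a leading slash.
            List<Constraint> posted = List.of(
                new Constraint("faces/app/pricelist/*", Set.of("admin")),
                new Constraint("faces/app/*", Set.of("user", "admin")));
            List<Constraint> slashed = List.of(
                new Constraint("/faces/app/pricelist/*", Set.of("admin")),
                new Constraint("/faces/app/*", Set.of("user", "admin")));

            // Constructed request paths; the page names are hypothetical.
            String home = "/faces/app/home.jspx";
            String prices = "/faces/app/pricelist/edit.jspx";

            System.out.println("posted,  pricelist page, roles required: " + requiredRoles(posted, prices));
            System.out.println("slashed, pricelist page, roles required: " + requiredRoles(slashed, prices));
            System.out.println("slashed, home page, roles required:      " + requiredRoles(slashed, home));

            // Redirect navigation: the browser itself requests the pricelist URL.
            System.out.println("user requests pricelist URL directly:    " + allowed(slashed, prices, "user"));
            // Forward-style navigation: the browser posts back to the page it came from and
            // the target view is rendered inside that request, so the container evaluates
            // the originating URL only; constraints are not re-checked on an internal forward.
            System.out.println("user posts to home, server forwards:     " + allowed(slashed, home, "user"));
        }
    }
    ```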

  • Use of "Secure Fields"

    We noticed an interesting issue with P6.2. There is a new option, "use secure fields" in the product. When creating Project or Resource codes, there is a then a checkbox for "secure field" which can be checked or unchecked.
    However, if Use Secure Fields is enabled and a user does not have the permission View Secure Fields, that user cannot select a filter based on a field EVEN IF THE CHECKBOX IS UNCHECKED.
    Is this a bug, or am I misunderstanding the intent of this feature?

    Project Management provides privileged users the ability to define secure resource, project, and activity codes. These codes can be used by an organization to define the approval process, etc.
    This functionality allows organizations to classify certain codes so that only a user with the assigned privilege can view, edit or assign the selected code value.
    Secure codes and secure code assignments can be exported to XML format, however Secure Codes, their values and assignments are not included when a project is exported from the database in XER format, nor when a project is copied.
    There are four (global) security privileges to view, assign or modify Secure Codes:
    Add and Delete Secure Codes
    Edit Secure Codes
    Assign Secure Codes
    View Secure Codes
    If you have any further question please contact support through the following link http://customerportal.primavera.com/customer.
    Saryn
