JSF servlet override security constraints

I have a JSF application with an administration area that can be accessed only by the role admin. This is part of the web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Labometer</web-resource-name>
    <url-pattern>/faces/labotat/*</url-pattern>
    <url-pattern>/faces/labotat/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Labometer</web-resource-name>
    <url-pattern>/faces/labometer/*</url-pattern>
    <url-pattern>/faces/labotat/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>
And this is a part of the faces-config.xml:
<navigation-rule>
  <from-view-id>/labotat/*</from-view-id>
  <navigation-case>
    <from-outcome>config</from-outcome>
    <to-view-id>/labotat/admin/config.jsp</to-view-id>
  </navigation-case>
</navigation-rule>
The security constraints work if I write the URL of admin pages directly in the browser, but not if I click a commandButton that sends me to an administrative page.
Any suggestions?

> Security constraints work from browser to server requests. In your case, you are posting to the first page, which forwards on the server to the second page.

Exactly, it is the Faces servlet that forwards to the second page.

> Since the forward is happening on the server, security constraints do not apply. Use <redirect/> in your faces-config.xml for the navigation case and it should work.

OK, it works, I didn't know the tag <redirect>.
Thank you very much!
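
The forward case discussed in this thread, as an added example that is not part of the original posts: container security constraints are evaluated only for requests arriving from the client, so a servlet filter mapped with the FORWARD dispatcher (Servlet 2.4 and later) can repeat the role check when the Faces servlet forwards to the admin view. The class name `AdminForwardGuardFilter`, the filter name and the `requiredRole` init parameter are assumptions; the role and view path come from the web.xml and faces-config.xml above, and the mapping assumes the Faces servlet is prefix-mapped at /faces/* so that the forward target is the view id itself.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (hypothetical class and filter names). Register it in web.xml
 * so that it runs on server-side forwards as well as on direct requests:
 *
 *   <filter>
 *     <filter-name>adminForwardGuard</filter-name>
 *     <filter-class>AdminForwardGuardFilter</filter-class>
 *     <init-param>
 *       <param-name>requiredRole</param-name>
 *       <param-value>admin</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>adminForwardGuard</filter-name>
 *     <!-- assumed forward target for the view /labotat/admin/config.jsp -->
 *     <url-pattern>/labotat/admin/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 *
 * Without the <dispatcher> elements a filter mapping applies to client
 * requests only, which is the same gap the security constraints have.
 */
public class AdminForwardGuardFilter implements Filter {

    // Role required to reach the protected views; overridable via init-param.
    private String requiredRole = "admin";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("requiredRole");
        if (configured != null && configured.trim().length() > 0) {
            requiredRole = configured.trim();
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)
                || !(response instanceof HttpServletResponse)) {
            throw new ServletException("AdminForwardGuardFilter supports HTTP requests only");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // isUserInRole() returns false for unauthenticated callers as well,
        // so anonymous and under-privileged users are both rejected here.
        if (!httpRequest.isUserInRole(requiredRole)) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // No resources to release.
    }
}
```

The `<redirect/>` fix from the thread still applies; the filter only makes the role check independent of how the admin view is reached.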

Similar Messages

  • 500 Internal Server Error  : Servlet error: Security sensitive exception..

    Hi
    Thank you for reading my post.
    I faced a problem when I tried to run my ADF + BC application on standalone OC4J version 10.1.3.1.0.
    I have validation like what I saw before in demos for username length, etc.
    I developed the application in JDeveloper 10.1.3.1.0, I deployed it to the server from JDeveloper, and now I tried to run it in the browser and it returns:
    500 Internal Server Error
    Servlet error: Security sensitive exception occured. Please consult application log for details.
    in the browser and
    the cmd console which i used to start the server shows something like :
    F:\oc4j\bin>oc4j -start
    Starting OC4J from F:\oc4j\j2ee\home ...
    2006-09-02 01:11:52.437 ERROR J2EE HTTP-00004 Internal error raised tyring to in
    stantiate web-application: webapp defined in web site OC4J 10g (10.1.3) Default
    Web Site. Application: bc4j does not exist. Error creating Web application: weba
    pp
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(javax.faces.Short,null)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(null,java.lang.Short)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(javax.faces.Byte,null)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(null,java.lang.Byte)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(javax.faces.Integer,null)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(null,java.lang.Integer)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(javax.faces.Long,null)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(null,java.lang.Long)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(javax.faces.Float,null)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(null,java.lang.Float)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(javax.faces.Double,null)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(null,java.lang.Double)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ValidatorRule end
    WARNING: [ValidatorRule]{faces-config/validator} Merge(javax.faces.LongRange)
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(javax.faces.DateTime,null
    Sep 2, 2006 1:11:53 AM com.sun.faces.config.rules.ConverterRule end
    WARNING: [ConverterRule]{faces-config/converter} Merge(javax.faces.Number,null)
    06/09/02 01:11:56 Oracle Containers for J2EE 10g (10.1.3.1.0)  initialized
    2006-09-02 01:12:41.093 NOTIFICATION ---- JAZNSecurityContext.getUserPrincipal()
    : NULL
    the log file (from j2ee/home/log/oc4j/log.xml) shows the following:
    <MESSAGE>
      <HEADER>
        <TSTZ_ORIGINATING>2006-09-02T01:11:52.437+03:30</TSTZ_ORIGINATING>
        <COMPONENT_ID>j2ee</COMPONENT_ID>
        <MSG_ID>J2EE HTTP-00004</MSG_ID>
        <MSG_TYPE TYPE="ERROR"></MSG_TYPE>
        <MSG_LEVEL>1</MSG_LEVEL>
        <HOST_ID>sal10000</HOST_ID>
        <HOST_NWADDR>85.9.120.221</HOST_NWADDR>
        <MODULE_ID>http</MODULE_ID>
        <THREAD_ID>10</THREAD_ID>
        <USER_ID>legolas w</USER_ID>
      </HEADER>
      <CORRELATION_DATA>
        <EXEC_CONTEXT_ID><UNIQUE_ID>85.9.120.221:44575:1157146912453:0</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
      </CORRELATION_DATA>
      <PAYLOAD>
        <MSG_TEXT>Internal error raised tyring to instantiate web-application: webapp defined in web site OC4J 10g (10.1.3) Default Web Site. Application: bc4j does not exist. Error creating Web application: webapp</MSG_TEXT>
      </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
      <HEADER>
        <TSTZ_ORIGINATING>2006-09-02T01:12:41.031+03:30</TSTZ_ORIGINATING>
        <COMPONENT_ID>adf</COMPONENT_ID>
        <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
        <MSG_LEVEL>1</MSG_LEVEL>
        <HOST_ID>sal10000</HOST_ID>
        <HOST_NWADDR>85.9.120.221</HOST_NWADDR>
        <MODULE_ID>share.security</MODULE_ID>
        <THREAD_ID>11</THREAD_ID>
        <USER_ID>legolas w</USER_ID>
      </HEADER>
      <CORRELATION_DATA>
        <EXEC_CONTEXT_ID><UNIQUE_ID>85.9.120.221:44575:1157146960593:1</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
      </CORRELATION_DATA>
      <PAYLOAD>
        <MSG_TEXT>Setting JAZN Config property ...</MSG_TEXT>
      </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
      <HEADER>
        <TSTZ_ORIGINATING>2006-09-02T01:12:41.093+03:30</TSTZ_ORIGINATING>
        <COMPONENT_ID>adf</COMPONENT_ID>
        <MSG_TYPE TYPE="NOTIFICATION"></MSG_TYPE>
        <MSG_LEVEL>1</MSG_LEVEL>
        <HOST_ID>sal10000</HOST_ID>
        <HOST_NWADDR>85.9.120.221</HOST_NWADDR>
        <MODULE_ID>share.security</MODULE_ID>
        <THREAD_ID>11</THREAD_ID>
        <USER_ID>legolas w</USER_ID>
      </HEADER>
      <CORRELATION_DATA>
        <EXEC_CONTEXT_ID><UNIQUE_ID>85.9.120.221:44575:1157146960593:1</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
      </CORRELATION_DATA>
      <PAYLOAD>
        <MSG_TEXT>---- JAZNSecurityContext.getUserPrincipal(): NULL</MSG_TEXT>
      </PAYLOAD>
    </MESSAGE>

    Please, can anyone tell me where the problem is?
    If I do not use BC in the JSF page it works fine, but when I use the drag and drop feature to put a BC form in the page it shows that horrible error.

  • Security constraint

    If you specify "/servlet/*" for the url-pattern in the security-constraint of web-resource-collection
    element (in the deployment descriptor) - the url-pattern: /servlet/* protects all the servlets
    within the web application. What or how do I specify so that only one servlet named
    MyServlet is the only one to get the security constraint put on it and not all the rest of the
    servlets within the web app. - Thanks
    Example:
    <security-constraint>
      <web-resource-collection>
        <url-pattern>/servlet/*</url-pattern>
      </web-resource-collection>
    ...the above protects all servlets within the web application.
    How do I change the url-pattern to only protect one servlet.
    The following doesn't seem to work:
    <security-constraint>
      <web-resource-collection>
        <url-pattern>/servlet/ServletNameToProtect</url-pattern>
      </web-resource-collection>

    Sorry about that - it seems to be a bug in tomcat 5.0.27 because
    the security-constraints work correctly if you access the servlet
    using a context relative address but doesn't work correctly if you
    include the protocol, host and port. It took me most of the day
    to figure this out because I thought I was doing something wrong
    (still in the learning stage).

  • Aplication Module +Blob + Servlets + ADF Security JAAS

    Interesting....
    http://rickymax.wordpress.com/2009/10/20/aplication-module-blob-servlets-adf-security-jaas

    Sorry, but there is no oracle's spanish forum where i cant post it.

  • [SOLVED] Failed to install override security policy

    Hi,
    I am trying to install Arch linux in UEFI in a dual boot setup with Windows 8.1. I already have the Windows OS installed, but every time I go to boot from the Arch installation CD I made using the latest .iso download (2013.12.01), I get the following:
    ERROR
    Failed to install override security policy: (14) not found
    I hit return on the "OK", (the only available option), and the error reappears once again. After I hit return for a second time, the installation quits and I am returned to a normal Windows boot. This error happens right at the very start, I literally tell my computer to boot from the CD drive and then straight away the error appears.
    I have tried the solution suggested here:
    https://bbs.archlinux.org/viewtopic.php?id=169354
    (i.e. replacing the bootx64.efi with the loader.efi file (but renamed of course), in the EFI/BOOT/ directory of the iso), and I have tried using other versions of the iso (specifically 2013.10.01) as well as re downloading and re burning the most recent iso. All of these have been to no avail.
    I am running an ASUS Sabertooth 990FX (Rev 1.01), which I know to be a UEFI board. Also, I was able to install Windows 8.1 in UEFI just fine.
    Any thoughts about what the problem may be?
    PS: Merry Christmas to you all!
    -Ryan
    --- SOLUTION ---
    Download the Arch Linux variant of rEFInd, from http://www.rodsbooks.com/refind/getting.html. Then, install as per the instructions for your particular operating system and needs; follow the following: http://www.rodsbooks.com/refind/installing.html.
    Reboot. Next time your computer starts, after the POST is completed, instead of booting into your normal operating system/boot loader, rEFInd should load instead. It will search for bootable media and operating systems automatically, and present you with a list of options. Choose the one corresponding to your CD/DVD/flash drive (depending on your installation medium). It should then boot in UEFI.
    Once you are prompted with a command shell, type the commands:
    # mount -t efivarfs efivarfs /sys/firmware/efi/efivars # ignore if already mounted
    # efivar -l
    If a list of variables is displayed, then you know you have succeeded in booting the installation media in UEFI!
    Hope this helps some people...
    Last edited by Machione (2014-01-10 21:32:05)

    Lone_Wolf wrote: Buckeye, Machione did you try disabling secure boot?
    Thanks for the response Lone_Wolf.
    I had a good old rummage through the "UEFI BIOS setup" for my motherboard (ASUS Sabertooth 990FX rev 1.01), and found no option to either disable nor enable Secure Boot, which I found rather odd, so I did some searching online and found this quote:
    "I've recently bought an ASUS Sabertooth 990FX, which is a uefi
    motherboard.
    Secure boot cannot be ENabled."
    from: http://comments.gmane.org/gmane.linux.mageia.user/8143
    Intrigued, I then did some more searching, and came to opening up Windows System Information, to see if I had Secure Boot enabled or not already. The result (as shown in the below screenshot), is that Secure Boot is "Unsupported", which means that my "PC does not support Secure Boot or is a Legacy (BIOS) installed Windows". Since I am running Windows already in UEFI, this means that my motherboard indeed does not support Secure Boot, and hence there is no need for me to disable it.
    https://www.dropbox.com/s/3to4x7pcxctzz … enshot.jpg
    I will send a quick email to ASUS to confirm this finding, but it certainly seems like Secure Boot is not an option that I have, and hence I have no need to disable it in the first place.
    Thanks anyway for the response,
    -Ryan

  • Servlet error: Security sensitive exception occured. , where is log files?

    thank you for reading my post
    i get this message , where should i look for log files ?
    Servlet error: Security sensitive exception occured. Please consult application log for details.

    I ran into this just myself last week.
    We used to show the Exception type and a stacktrace in the browser as the default error message.
    In 10.1.3.1 we've modified it so that the details of the application (ie the stack trace and exception) are output by default.
    Avi indicated the correct log file to look at.
    If you do want to revert to the old behaviour for development time, then you can do so by setting the attribute development="true" in the orion-web.xml file of the deployed application.
    <orion-web-app .... development="true"/>
    cheers
    -steve-

  • Error: Admin users are not allowed to have override security

    In shared services, I provisioned the users FDM "Provision Manager" access. When I log on to FDM application, I see all those users have administrator privileges. When I tried to change the security level, it is throwing an error
    Error: Admin users are not allowed to have override security
    How can I create users who are not admins in FDM? The user guide doesn't seem to help me much in this regard.

    All you need to do is make sure their role is set to an Intermediate role 1-9 and not Administrator. I would suggest you do the following.
    1) Log into FDM as the main admin user.
    2) Go to user maintenance and delete all users who are not meant to have administrator access but can still access everything like admins.
    3) Go into Shared Services and check that these users are provisioned for FDM with one of the Intermediate roles only.
    4) Once confirmed re-add these users back in the FDM user maintenance screen by selecting them from the new user dropdown and give them the appropriate location access.
    5) Log off FDM as the admin user.
    6) Log in as the intermediate user and test the access

  • [SOLVED]UEFI boot gives 'failed to install override security policy'

    Hi, newb here who has hit a dead end quite early in the process of installing Arch.
    When trying to boot Arch into EFI mode, it says
    'failed to install override security policy'
    Of course I did my research and it seems that only three other people on this planet have had the same problem, and their solutions do not work for me.
    http://superuser.com/questions/615142/u … ity-policy
    Overwriting EFI/boot/bootx64.efi with loader.efi enables me to see a menu where I can choose from booting Arch, UEFI shell v1 or UEFI shell v2. Still, selecting Arch results in a blank screen with two grey bars at the top and bottom of the screen, so not really much help.
    I'm not a UNIX nor an EFI wizard, so please bear with me. I'm a Windows user with some anecdotal Linux knowledge (I have installed Ubuntu countless times, wanted a bit of a challenge this time) who wanted to make the switch to the Linux ecosystem, but this error prevents me from doing so. I also tried to install rEFInd as suggested here: https://bbs.archlinux.org/viewtopic.php?id=174734
    But I seem to be unable to boot into any UEFI shell v2, it's also printing the errors:
    ASSERT_EFI_ERROR (Status = Not Found)
    ASSERT C:\svn_code...and so on )
    My Windows installation is on BIOS/MBR, so I cannot install rEFInd manually using Windows, and I also cannot use the v1 UEFI shell because of the lacking bcfg command. I don't know how to proceed from here. My board is an AsRock P67 Extreme4 Rev 09 with a 2.10 EFI. This board doesn't even have Secure Boot if I'm correct, I also searched every possible submenu of the EFI for an option to disable Secure Boot, but haven't found anything.
    Last edited by 0x33 (2015-03-11 17:35:56)

    I presume you are trying to use gummiboot?
    Please post the contents of /boot/loader/loader.conf and also your gummiboot configuration file for your Arch system (if you are not using gummiboot post the config. files for whichever boot loader/manager you are using).
    Load the Arch live ISO, mount all your partitions and `arch-chroot` into your system and then post the output of:
    lsblk -f
    # parted -l
    # efibootmgr -v
    Last edited by Head_on_a_Stick (2015-03-10 21:05:43)

  • JAAS/JAZN: LDAPLoginModule doesn't work with servlet RunAs() security mode

    Just thought I'd post this here too, in case any developers actually read this list or in case someone else has run into a similar issue or has any ideas...
    I'm having a problem where whenever I use Oracle 10gAS's LDAPLoginModule at the same time as RunAs() mode OC4J crashes.
    Application is UIX/Struts for the view layer and ADF BC for the model layer. It is being developed in JDeveloper 10g (10.1.2.0.0) and deployed on 10gAS (10.1.2.0.0)
    I am using JAAS (JAZN) for authentication. I am using a custom JAAS LoginModule for the app: "oracle.security.jazn.login.module.LDAPLoginModule". Instructions for using the module are documented in the OC4J Security Guide, Chapter 9 "Configuring External LDAP Providers":
    http://download-east.oracle.com/docs/cd/B14099_07/web.1012/b14013/ldap3rdparty.htm#sthref500
    This is working fine - I can successfully authenticate against my LDAP server.
    In order to retrieve security credentials (i.e. the Subject) while in the Model layer, I am running the servlet in doAs() mode, also known as "runas-mode". This is documented in Chapter 4:
    http://download-east.oracle.com/docs/cd/B14099_07/web.1012/b14013/genconfig.htm#sthref322
    This works great - when I authenticate against the local XML file I can successfully run the application and retrieve the Subject and Principals.
    The problem is that whenever I try to use both of these at the same time the application will not run. I have attached a trace with JAAS/JAZN debug messages enabled.
    It appears to be failing in the process of creating the BC Application Module. Apparently when it creates a new thread to monitor the application module pool, in the process of establishing JAAS permissions for the new thread it attempts to retrieve the REALM from the oracle.security.jazn.realm.LDAPPrincipal object -- which is an unsupported function when the Principal was generated by an LDAPLoginModule. For some reason this error crashes the entire process.
    You can see a trace of my program here:
    http://www.asugroup.com/jazn-errorlog.txt
    This should be simple to reproduce by simply creating an ADF BC application, modifying orion-web.xml so that the servlet is in runas-mode, and modifying $ORACLE_HOME/j2ee/home/config/jazn-data.xml to use the LDAPLoginModule.
    All I can figure is that it must be a "bug" (or unsupported functionality) in 10gAS. WHY in the world is 10g failing on the getRealm() function of a Principal that it setup itself? Any suggestions or help would be appreciated. The only solution I can think of at this point is to throw Oracle's LoginModule implementation right out the window and write my own... although I don't even know if that will work yet.
    Jeremy

    ok, so i know that this isn't metalink... but i'm pretty sure this is either a "bug" or "unsupported feature" -- although now that i've looked a bit deeper i'm guessing it has something to do with the "role.mapping.dynamic" flag too. (Haven't tested it yet but I think it might work fine if I put the roles in the local XML file.)
    Anyway, if anyone's interested, here's detailed steps so you - YES YOU! - can reproduce the problem yourself if the desire grips you. :)
    I put this together for the TAR but figured there's some useful information in here (e.g. the debugging stuff) so it might be helpful for someone in the future to post it here too.
    1. Open or create any ADF BC project in JDeveloper. It can be ANY project as long as it uses ADF BC for the MODEL layer.
    2. Add orion-web.xml to the VIEW project if it's not already there.
    2a) Right click on orion-web.xml and select Properties
    2b) In the "JAZN" section, select the checkbox "Run as Mode"
    3. Edit web.xml to require authorization to run the app.
    3a) Right click on web.xml and select Properties
    3b) Under the "security roles" section add the name of an group you're a member of on the LDAP server. Only include the relative name of the group - not the full LDAP distinguished name. Also, convert the name to lowercase.
    3c) Under "security constraints" add a new constraint.
    3d) In the constraint, make a new resource collection called "everything" and add the URL pattern "/".
    3e) In the constraint, go to the authorization tab and select your LDAP group name.
    3f) Go to the "Login Configuration" section of web.xml and choose HTTP Basic Authentication. Leave the realm blank.
    4. Add orion-application.xml to the project if it's not already there. Configure the "JAZN" tag as follows:
    <jazn provider="XML">
      <property name="role.mapping.dynamic" value="true" />
    </jazn>
    3. Deploy the application to Oracle 10g Application Server.
    4. On the application server, edit the file $ORACLE_HOME/j2ee/home/config/jazn-data.xml
    4a) In the section jazn-data/jazn-loginconfig add a new "application" section for your application. See below for example.
    4b) Make sure the "name" of your application matches the deployment name in your EAR file for the project you deployed.
    5. I recommend enabling JAZN debugging. See below for instructions on that.
    6. Restart OC4J if you already haven't - to make sure it rereads the config, then try to run your application.
    SAMPLE JAZN-DATA.XML (CUSTOMIZE FOR YOUR LDAP SERVER)
    <jazn-data>
      <jazn-loginconfig>
        <application>
          <name>your_j2ee_deployed_application_name</name>
          <login-modules>
            <login-module>
              <class>oracle.security.jazn.login.module.LDAPLoginModule</class>
              <control-flag>required</control-flag>
              <options>
                <option>
                  <name>oracle.security.jaas.ldap.provider.url</name>
                  <value>ldap://10.1.1.7:389</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.provider.user</name>
                  <value>cn=stoneware,ou=stoneware,ou=okemos,ou=mi,ou=et,o=ou1</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.provider.credential</name>
                  <value>!yourpassword</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.provider.type</name>
                  <value>other</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.user.searchbase</name>
                  <value>o=ou1</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.user.searchscope</name>
                  <value>subtree</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.user.name.attribute</name>
                  <value>cn</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.user.object.class</name>
                  <value>inetOrgPerson</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.role.searchbase</name>
                  <value>o=ou1</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.role.searchscope</name>
                  <value>subtree</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.role.name.attribute</name>
                  <value>cn</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.role.object.class</name>
                  <value>groupOfNames</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.membership.searchscope</name>
                  <value>direct</value>
                </option>
                <option>
                  <name>oracle.security.jaas.ldap.member.attribute</name>
                  <value>member</value>
                </option>
              </options>
            </login-module>
          </login-modules>
        </application>
      </jazn-loginconfig>
    </jazn-data>
    for Sun Java System Application Server and Microsoft Active Directory examples see:
    http://download-east.oracle.com/docs/cd/B14099_07/web.1012/b14013/ldap3rdparty.htm#sthref500
    ENABLING JAZN DEBUGGING MESSAGES ON ORACLE 10G APPLICATION SERVER
    1. Login to Enterprise Manager 10g Application Server Control
    2. If you are part of a farm you will get a list of instances. Select the instance your app is deployed on.
    3. In the "System Components" section of the home page, click on your OC4J instance (default name is "home").
    4. In the OC4J home, click on the "Administration" tab.
    5. Select "Server Properties" from the Instance Properties section.
    6. In the Command Line Options section, there is an option called "Java Options".
    7. At the end of the "Java Options", append the text "-Djazn.debug.log.enable=true"
    8. When prompted, restart the OC4J instance.
    Debug information is captured by OPMN and stored in a log file. The log file can be found in the directory $ORACLE_HOME/opmn/logs
    The default name (if your instance name is "home") is "OC4J~home~default_island~1"

  • Include to jsf  servlet output data

    Hello,
    My servlet transforms an XML document by XSLT and I want to include in my JSF page what the servlet writes to the outputStream.
    I had tried Facelets' ui:include, but it said that the path is invalid.
    What way can I go to resolve this problem?
    Thank you
    Edited by: user10279326 on Dec 24, 2010 1:16 PM

    You could use an URLConnection in a JSF backing bean to invoke the servlet, then output the result through a property of the backing bean.
    If we're talking about lots of data you might want to rethink your strategy a little. For example you could use Ajax to fetch the data from the servlet through the client side and display a 'processing' icon while it is busy loading the data. That way your page displays almost immediately and the servlet result will then display as soon as it is done processing.

  • Is application developed by servlet more secure than jsp?

    JSP has appeared, but some people still use servlets.
    Their reason is that servlets can make an application more secure. Is it true?

    Servlets are no more secure than JSPs, because JSPs are servlets - they're just another way of building the same thing. There is nothing you can do in a JSP that you can't do in a servlet or vice versa.
    Why switch to or from JSPs or servlets? - you should be using both. Use servlets for heavy processing logic and JSPs for presentation (MVC pattern). That way you get maximum separation of logic and presentation. You can pretty much let HTML developers work normally, then come along afterwards and stick a little bit of Java code in the page to make it all dynamic. Better still, you can create easy-to-use custom tags that your HTML developers can easily understand without needing any programming experience. This leaves you free to work on the logic in the back-end.

  • Override Security Profile for one employee

    Hi
    I have one employee who works in 'Accounts Department' and the HR user of accounts department can see only the employees of Accounts Department based on the security profile. This is working fine. But theres a different requirement. Some employees are transferred to other departments for 3-6 months for different purposes. During this time also the HR user of accounts department needs to view this employees details due to HR policies and procedures. Can we achieve this? If yes, how?
    - Gulzar

    Q 1 - When Employee is transferred from Dept 1 to Dept 2 for 6 months, Should the HR for both Dept 1 and Dept 2 be able to see his details for 6 months?
    Q 2 - After 6 months period, employee's organization is again updated to Dept 1, should again HRs of both Dept 1 and Dept 2 be able to see his details even after the 6 months period?
    Q 3 - If answer for Q 2 is - "after 6 months period, only HR of Dept 1 should see his details" , how to identify Employee's home department? Will it be the Employee's Organization effective as of Employee's hire date?

  • Servlet/session security

    Sorry if this has been covered before, but what steps does WebLogic take to
    ensure that session ids can not be hijacked (outside of running the
    application entirely under SSL)? For example, using some digested user agent
    information, including ip address.
    We are undergoing an application security audit, and I suspect that will be
    one of the points of concern for the auditors, so I'd like to be prepared.
    Any info would be appreciated.
    Bob Alcorn
    Senior Software Engineer
    Blackboard, Inc.
    http://www.blackboard.com/

    The autodeploy directory should be j2eesdk_beta2\domains\domain1\autodeploy\
    There should be no problem for installing this version on xp. I have xp and it works fine.
    Have you set environment variables like JAVA_HOME J2EE_HOME?
    I am not sure whether these variables matters.

  • How to override security for table access when using SAP Query?

    We have a number of infosets which use table join between PA0001 and CATSDB table. To execute a query based on such a query you would need access to table auth group PA through S_TABU_DIS. This was earlier not a problem as SAP query was earlier used by support staff and not end users. We do not want to give S_TABU_DIS to end users as this amounts to giving them access to all PA tables.
    The generated code for the query checks for the condition
    "%rtmode-no_authchk = space"
    before going for the authorization check.
    Thus, ideally the authorization check for an InfoSet can be skipped if we can pass X for this variable from the InfoSet definition. Is there a way to do this?
    Would appreciate any inputs to help suppress the authorization check at this point. Thanks.....

    >
    Julius Bussche wrote:
    > Perhaps you could replace it with a class of your own (transaction SE24)?
    >
    > I have not tried to do this; it was just a thought.
    >
    > Kind regards,
    > Julius
    unfortunately this does not work. SAP saw fit to 'hard-code' the implementation of the interface in RSAQEXCE:
    (only parts of that abap displayed here).
    170 data: iref type ref to if_query_tab_access_authority.
    1107 *       FORM AUTHORITY_BEGIN
    1112 form authority_begin using p_auth_classname type AQS_CLSNA.
    1119   perform authority_init using p_auth_classname.
    1120   call method iref->access_authority_begin.
    well for my part (searching a solution for a query on LTAK, wanting L_LGNUM as an object) i'm out of ideas. i shall have to modify SAP-standard and disable the class and do my own coding in the info-set. no other possibility - i cannot allow S_TABU_DIS for group LA and even if i did, what help would it be - i would have to allow that to all companies in that client having WM - and that would be literally all - i need LGNUM here!

  • Legacy Servlet to JSF

    Hi,
    I am writing an application in JSF that will replace another Java Servlet but perform the same functions. The first step is to establish the front page in JSF with all the options, but link to the legacy servlet for all those options, and replace them one by one until the legacy servlet is gone.
    I would like to run both applications in separate containers, and use HTTP to redirect back and forth. Problem is, I don't know how to tell the legacy servlet to use the sessionid it has already established.
    The first time I call to the legacy servlet, it will create a session, and I can acquire the sessionid from HttpSession.getSessionId(), then pass that back (somehow, haven't figured out yet how to call into the JSF servlet either). But once that has been done, I can provide that sessionid in any legacy servlet invocation.
    Is this simple to do? How would I go about it?
    The next problem I have is securing this transmission, which would probably entail encryption. Perhaps I should just be running these two servlets in the same context and avoid all this confusion.
    Ideas?
    Thanks for any suggestions.

    Hi,
    Before starting the very first JSF page (and before the JSF front controller is invoked) I must use a servlet to read some parameters, init some objects and then jump to the first JSF page. Some objects that the bean generates must be saved in a JSF managed bean.
    The question is, how can I set those parameters in the managed bean if it wasn't still initialised?
    Code like this:
    ApplicationFactory factory = (ApplicationFactory) FactoryFinder.getFactory(FactoryFinder.APPLICATION_FACTORY);
    Application app = factory.getApplication();
    ValueBinding vb = app.createValueBinding("#{AManagedBean}");
    AManagedBean mb = (AManagedBean) vb.getValue(FacesContext.getCurrentInstance());
    Fails with a null pointer exception (it seems to not be finding "AmanagedBean").
    You didn't even set the value, that's why you are getting a "null pointer exception". Try
    vb.setValue(FacesContext.getCurrentInstance(), AManagedBean)
    >
    Do you know how to set the properties in the managed bean? Any comment or help would be really welcome.
    First set any properties of the "AmanagedBean" and then create the value binding in any of the scopes (request, session, application)
    >
    Thanks in advance,
         - Juan
