JSP development and security issue

I saw several "serious integrations" and also some postings
here which are suggesting to put a JSP in the /public_html directory...
Be aware that nothing will prevent a user from uploading
a new JSP to this location and then executing it from a
remote client, which can seriously damage your system!

Correction: I made an assumption that "/public_html"
has (in many cases) write access, since people are posting
files in this public access directory...

Similar Messages

  • Other web browsers and security issues?

    Since even an Apple KB article recognizes the need for an additional browser and because of Safari's limitations and problems, I'm going to try switching to another browser (most likely OmniWeb and am looking at Firefox, Shiira and Opera also though perhaps not as a primary browser) but I'm wondering about their ability to keep on top of any security issues for Mac? (and how do you keep up with security updates?)
    Though perhaps unfounded, at least with Safari, I feel that Apple has a vested interest in keeping on top of security issues (for Safari and Java) and I can readily find out about security updates via software updater.

    Most of the other Mac browsers have their adherents. They are all good browsers (I have 7 browsers installed to test various web sites and for change-of-pace usage). They all have their strengths and they all have their weaknesses. Only iCab and OmniWeb are still shareware, the rest are now or always have been free (Opera just recently stopped charging for its browser).
    I have settled on Firefox as my alternate browser and I use it maybe just a tad more than Safari, but I do switch back and forth between them. The Mozilla foundation is good at getting security updates out when needed. Firefox has a button on the toolbar to check for updates. One nice thing about Firefox is that you can install free extensions which enhance the features available. I have one to supplement tab features, one to control iTunes from Firefox's status bar, one to help me format messages in discussion forums, and one to block ads.
    I prefer OmniWeb for doing intensive research because of the way it handles tabs in its sidebar, showing me which ones I've looked at and which ones I haven't, and giving me great flexibility in rearranging tabs, which are viewable as thumbnails or text names (I have had up to a hundred or so tabs open in OmniWeb).
    Shiira is good and it's fast. I have not checked for updates for a while, but the last time I updated there was still a problem with Shiira kicking you out of logged-in sites when you moved from page to page within a web site. This may have been fixed by now - they were aware of the problem back then.
    Camino is a native OS X cousin of Firefox and is also fast, but is not updated as often.
    I would stay away from Mozilla or Netscape unless you need all the additional modules they have and which take up hard disk space. Firefox and Camino represent the browser module of Mozilla/Netscape. Mozilla and Netscape have modules for email, irc chat, newsgroups, and for creating and editing web pages. Netscape is a branded and slightly customized version of Mozilla and is not updated as often.
    Opera is a nice browser and some use it as their main browser, but I have not seen anything that really stands out for me, but that does not mean it is not worth a look.
    I would stay away from abandonware Internet Explorer.
    As for checking for updates, several of them, as with many Mac programs, now have a menu item that allows you to check for updates. Most of them also announce their updates on both VersionTracker and MacUpdate.
    Happy Exploring.

  • Journaling and Security Issues

    I am adding a 750GB external HD to my system as a scratch disc and as a backup for my files. I plan to use PGP to protect sensitive data on the drive. If I enable journaling, won't this create a copy of the data that is not protected? Is it best to keep journaling off to protect sensitive files?
    And, if journaling is enabled, how large is the journal and how long does the data remain in the journal? Is there any way to wipe that data after a while or is it constantly replaced with new data?
    Finally, is it more likely that a drive will fail without journaling turned on as implied by some of the Apple documentation?
    Thanks for your input.

    Depending on what program you are using, in most cases the performance will be better leaving the scratch space on the internal drive.
    That's not quite how Journaling works. It's not a backup of files but rather a log of changes made to the volume directory. This is how Apple explains it: http://docs.info.apple.com/article.html?artnum=107249
    No. Journaling shouldn't have any effect on a drive's physical attributes but it does help prevent directory corruption.
    Now Time Machine on the other hand does pose a security issue.
    George

  • Query By Example and security issues

    Hi,
    I have started looking at security issues in our ADF application.
    Is the default implementation of Query By Example (QBE) on a table safe from Cross Site Scripting and SQL Injection?
    In other words, can a user enter some value in a QBE input field that can either:
    - execute a malicious script (CSS)
    Or
    - somehow change the underlying SQL query
    I am more worried about SQL Injection as QBE takes input from a web user, and makes a corresponding SQL query to the database.
    Are there any ways to prevent any of these?
    Thanks

    Timo thanks for your answer.
    So far I am confident on the following (based on responses and other reading):
    1) default implementation of Query By Example (QBE) (e.g. search fields) is "safe /safer" from/on SQL injection issues.
    2) User-entered data via non-QBE fields (I assume this is the "For other input text you" Timo mentions) should be checked against special characters (> < etc.) to "prevent" cross-site scripting.
    However, should I do 2) for QBE filters on alphanumeric columns (default implementation)? I can do it, but if I do it I would lose some searching functionality,
    as >, < are valid wildcard characters.
    Thanks

  • Servlet and JSP combination and design issue

    My task is to generate the list box dynamically based on the input XML file.
    I create a JSP page and a servlet.
    http://www.myserver.com/page1.jsp
    In page1.jsp, I have the following to call servlet from JSP page
    <jsp:include page="myproj.TableGeneration"/>
    In my case, I think I don't need servlet at all, but just Java Bean
    class to generate the table. And JSP page call that Java Bean class.
    But in what situation we need the combination of servlet and JSP?
    What do you think? Any ideas? Thanks!

    Trying to keep the data separate from the view is always a good idea
    I have used XML in a similar way - the XML is the data, this is read and it is used to populate various page beans - the beans are then simply used in the JSP page to get the information only

  • Dynamic List and Security Issue

    Hi
    I have a Dynamic List Wizard for orders, in which the user can click on Edit to edit or modify the order, and if the user chooses "Yes" to submit (the order form has a submit field which has Yes / No values) then the EDIT button disappears and the user has no more control over the record (using the Show If Conditional Region server behavior).
    - Now I noticed that when I click on Edit, the address bar includes (www.mysite.com/form.php?order_id=1). Now say order number 2 is already submitted (still on the list but with no Edit button for it): if I write 3 or 4 or any other number instead of 1 in the address bar (www.mysite.com/form.php?order_id=3), the record which has order number 3 displays on the screen and then you can edit it, and when you click Update the Edit button becomes active, which destroys the whole concept.
    So, how to fix that?

    Hi Lorie,
    Taking it a step further
    interesting that you're mentioning this -- because I was just in the middle of finding a workaround for the very same issue ;-)
    I actually did find a pretty easy solution, which basically goes like this:
    1) wrap the whole table *plus* any possibly added hidden fields located below this table in a "Show IF conditional region" behaviour -- but make sure to *not* include the buttons within the "KT_bottombuttons" div in here.
    2) as I assume that your "supplier_name" column holds a numeric value which equals the user's "kt_login_id" Session Variable (which it should !), define the following conditions for the "Show IF conditional region" behaviour:
    Expression 1: choose "supplier_name" from the tNG recordset
    Condition: ==
    Expression 2: choose Session -> kt_login_id
    3) tick the Has ELSE option
    4) confirm with OK
    5) replace the default "has Else" message with something meaningful like "you can't edit this record !"
    Switching to Code view and navigating to the very start of your "Show IF conditional region" should display something like this:
    if (@$row_rsqueryname['supplier_name'] == @$_SESSION['kt_login_id']) {
    When viewing the modified Dynamic Form in a browser, you'll note that this solution will indeed display the form instances for all "authorized" records, whereas those form instances which don't match the required credentials will be replaced with that "has else" message.
    BUT !! This solution has one major drawback which I haven't been able to resolve yet :: when the Dynamic Form goes into Insert Record mode (means when you click the "add new" link in the Dynamic List), all inner form instances will display that "has else" message.
    The only workaround I currently can come up with is to have the List's "add new" link point to a separate "add_new.php" page that's going to insert a single record.
    Cheers,
    Günter Schenk
    Adobe Community Expert, Dreamweaver
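The ownership test from the answer above, extended with the submitted state from the question and applied on the server both when form.php loads a record and when it saves one. This is an added example, not code from the thread or from the Dreamweaver-generated pages; the in-memory SQLite table, its columns (orders, order_id, supplier_name, submitted, notes), the sample rows and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Table and column names are assumptions modelled on the
// thread; every row below is constructed sample data.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE orders (
        order_id      INTEGER PRIMARY KEY,
        supplier_name INTEGER NOT NULL,          -- owner id, matched against kt_login_id
        submitted     TEXT    NOT NULL DEFAULT 'No',
        notes         TEXT)");
    $db->exec("INSERT INTO orders VALUES
        (1, 7, 'No',  'draft owned by user 7'),
        (2, 7, 'Yes', 'already submitted by user 7'),
        (3, 9, 'No',  'draft owned by user 9')");
    return $db;
}

// Accept only a positive integer; anything else from the URL is rejected.
function parse_order_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function current_user_id(array $session): ?int
{
    return isset($session['kt_login_id']) ? (int) $session['kt_login_id'] : null;
}

// Used when form.php is requested: the row is returned only if it belongs to
// the logged-in user AND has not been submitted yet. A foreign or locked
// order looks exactly like a missing one.
function load_editable_order(PDO $db, array $session, $rawOrderId): ?array
{
    $id = parse_order_id($rawOrderId);
    $owner = current_user_id($session);
    if ($id === null || $owner === null) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT order_id, notes FROM orders
          WHERE order_id = :id AND supplier_name = :owner AND submitted = 'No'");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $owner, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Used when the form is posted: the same conditions are part of the UPDATE
// itself, so a request that skips the form cannot change a foreign or
// already submitted order.
function update_order(PDO $db, array $session, $rawOrderId, string $notes, string $submitted): bool
{
    $id = parse_order_id($rawOrderId);
    $owner = current_user_id($session);
    if ($id === null || $owner === null || !in_array($submitted, ['Yes', 'No'], true)) {
        return false;
    }
    $stmt = $db->prepare(
        "UPDATE orders SET notes = :notes, submitted = :submitted
          WHERE order_id = :id AND supplier_name = :owner AND submitted = 'No'");
    $stmt->bindValue(':notes', $notes, PDO::PARAM_STR);
    $stmt->bindValue(':submitted', $submitted, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $owner, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Demo: in form.php the session would be $_SESSION and the id $_GET['order_id'].
$db = demo_db();
$session = ['kt_login_id' => 7];   // constructed: user 7 is logged in

foreach ([1, 2, 3, 'abc'] as $requested) {
    $row = load_editable_order($db, $session, $requested);
    printf("form.php?order_id=%s -> %s\n", $requested,
        $row === null ? "you can't edit this record" : 'edit form shown');
}

// Posting straight to the update handler goes through the same checks.
printf("update order 3 (other user's draft): %s\n",
    update_order($db, $session, 3, 'changed', 'No') ? 'saved' : 'refused');
printf("update order 1 and submit it: %s\n",
    update_order($db, $session, 1, 'final text', 'Yes') ? 'saved' : 'refused');
printf("update order 1 again after submit: %s\n",
    update_order($db, $session, 1, 'late change', 'No') ? 'saved' : 'refused');
```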

  • 802.1x multipoint authenticator and security issue

    Hi everybody
    Let's say we have the following setup:
    host1
    host2   ) ----------------hub------ f1/0-switch( authenticator)-------------------------Radius server.
    host3
    The switch is configured as follows.
    Switch(config)#interface FastEthernet 1/0
    Switch(config-if)#dot1x port-control auto
    Switch(config-if)#dot1x host-mode multi-host
    Let's say only host1 has valid credentials and the remaining hosts, i.e. h2 and h3, are rogue hosts. host1 sends an authentication request and is successfully authenticated, and the switch transitions its port to an authorized state. But does that not mean the other hosts, h2 and h3, which were not authenticated, are nevertheless able to access the network?
    thanks and have a great weekend.

    This board is more for Wireless Security, not LAN, but I would think it's because you are connecting through a hub instead of a switch. Hubs share the data, so when the switch gets the auth for the valid client it turns that port as it should.
    Now an invalid client connects and because the port is already thinking the client is valid, it passes all the traffic.
    Make sense?
    Steve
    Sent from Cisco Technical Support iPhone App

  • DB Link working method and security issue.

    Hi All,
    I need some clarification how db link works.
    If I am having DB link and done some DML operations. After that I have done some DML operation on the local database. I haven't committed the data yet. Then DB Link goes down. What will happen?
    In my case from local database if i am issuing
    select * from emp@iasdb
    then it shows updated data.
    If I am connecting to the target database then it shows non-updated data. How is it possible?
    What happens when the DB Link goes down? Which database (target / local) will keep the lock on the tables / rows I am updating?
    Tom can you please help me.
    Regards,
    Pritesh.

    "If i am connecting to target database then it shows non updated data. How it is possible?"
    Changes are visible only to the session doing the changes (until saved). Works even if the changes are across databases.
    If remote DB goes down, this is what you get on local DB:
    commit
    ERROR at line 1:
    ORA-02054: transaction 6.34.41922 in-doubt
    ORA-02068: following severe error from REMOTE_DB
    ORA-12152: TNS:unable to send break message
    and if you now try to access the objects that were updated by above in-doubt transaction, you get this:
    select * from t
    ERROR at line 1:
    ORA-01591: lock held by in-doubt distributed transaction 6.34.41922
    ORA-01591 lock held by in-doubt distributed transaction string
    Cause: An attempt was made to access resource that is locked by a dead two-phase commit transaction that is in prepared state.
    Action: The database administrator should query the PENDING_TRANS$ and related tables, and attempt to repair network connection(s) to coordinator and commit point. If timely repair is not possible, the database administrator should contact the database administrator at the commit point if known or the end user for correct outcome, or use heuristic default if given to issue a heuristic COMMIT or ABORT command to finalize the local portion of the distributed transaction.

  • Creating second user account on TC. No separate folder and security issues

    Hi,
    I've had my TC for some time, and after some start-up trouble all is working very nicely now.
    That is, until I wanted to set up the TC for my girlfriend's backups too. On my Mac, I created a user account for the TC, and I see two folders when I connect to the TC: "Timecapsule" and "MyAccountName". Now when I did the same on the other Macbook, I get only the "Timecapsule" account, not a folder (or sharepoint) with her account name. Also, I saw that as the sparsebundle files are on the 'main' sharepoint, it is possible to access both from both computers, weird.
    Any thoughts on how I can use 1 TC for 2 computers with 2 sharepoints for both?
    So, on my own computer i would have a general folder and a personal folder, on the other the same...
    Help much appreciated!

    To clarify: When i connect to the TC, i mount two volumes, but on the other Macbook, I only get the main volume, not the specific user volume.

  • Security issues (ACLs)

    I'm still struggling with ACLs and security issues within iFS.
    We intend to use the iFS as document store. In order to eliminate redundancy no document will be stored twice within the document store.
    iFS Folders act as organizational units. Each department has got its folder as base for their part of the document store.
    Now I need to find a way, so that department a can place the same document in its own folder as department b (for example "link" it via WebUI) while being able to modify the ACL independently of department b.
    The last hint of an oracle guy (forgot the name) was to use agents to adjust the ACLs.
    Now that I've got this solution working I must see that this approach is no solution. It adjusts the ACLs whenever a document is added to a folder. This will delete the changes to the ACLs which were made by department a (assuming the folder belongs to department b).
    Merging two ACLs is not a trivial task (at least for me) and is also unwanted, since I have to remove changes of one department from the whole ACL when the document is removed from the Folder again (which is also an impossible task).
    Since I see no solution without several months of implementation work (adding link objects to iFS which represent a document within a Folder and control its ACL) I'm asking again for some advice.
    I am amazed that no other applications require this functionality. It is a common task to provide different views with different privileges onto the same set of data. Even database is able to do this. Why is iFS unable to do this ?
    Regards,
    Jens

    Quote, originally posted by Alison Stokes:
    "Your statement :
    "being able to modify the ACL independently of department b"
    indicates that you want to maintain two separate ACLs for a single document. This is currently not supported. To allow department a and b to each modify the access privileges to the document, they must share a single ACL. To allow the departments to both modify the ACL, you would grant both departments the 'Grant' permission in the ACL's access control list. Subsequently, they will be able to see and modify the access privileges granted to the members of the other department.
    We are currently considering enhancing the ACL model for a future release. Your input is valued greatly."
    At least someone got my point. (seems to be a rather difficult topic to explain)
    Yes. I do not want two departments to be able to modify each other's ACLs.
    Whenever someone would delete an ACE or even a document of the other department (intentionally or by accident) my phone would be asking me why the ACL has been modified without their knowledge. But I want to be able to supply the same document to more than one department with a separate ACL for each department (modifiable by the responsible person of the department).
    Regards,
    Jens

  • I need to get the logs of my iPhone 5. I'm registered as a developer and I have an issue with one of my apps which is already in the market

    I need to get the logs of my iPhone 5. I'm registered as a developer and I have an issue with one of my apps which is already in the market

    The Firefox 3.5.x branch has reached end-of-life and is no longer maintained.
    You will no longer receive security updates.
    You can update Firefox via "Help > Check for Updates" or download and install the latest Firefox 3.6.x.
    Firefox 4 and later require at least OS X 10.5 and an Intel Mac.
    * http://www.mozilla.com/firefox/4.0/system-requirements/
    If you have problems with updating or with the permissions then easiest is to download the full version and trash the currently installed version to do a clean install of the new version.
    Download a new copy of the Firefox program and save the DMG file to the desktop
    * Firefox 3.6.x: http://www.mozilla.com/en-US/firefox/all-older.html
    * Trash the current Firefox application to do a clean (re-)install
    * Install the new version that you have downloaded
    Your profile data is stored elsewhere in the Firefox Profile Folder (http://kb.mozillazine.org/Profile_folder_-_Firefox), so you won't lose your bookmarks and other personal data.

  • About "kernel.exec-shield" and "because they will bring security issue" for linux ASE

    In the "ASE Quick Installation Guide for Linux", "kernel.exec-shield=0" and "kernel.randomize_va_space=0" should be set.
    But SuSE engineers say that "kernel.exec-shield=0" and "kernel.randomize_va_space=0" will bring an OS security issue.
    The customer wants to know why ASE needs the above parameters?
    Does anybody have an idea about the customer's question?

    If the parameters are not set as documented, attempts to start additional engines beyond the first one will fail, generating stack traces.
    ASE acts in many ways like its own operating system, scheduling individual user connections (spids) to actively run (note that ASE was developed well before native threading was commonly available). Each spid has its own stack information that gets swapped in when it is set to "running" state on the engine and swapped out when it yields the engine. The mechanics of this is not that different from the buffer overrun exploits described in the Red Hat document linked to by the install guide, http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf, and the exec-shield mechanics definitely interfere with ASE's operations when ASE is using multiple dataserver processes (engines) that swap spids around.
    -bret

  • Jdeveloper WS Proxy client and ADFpage both throwing security issues

    Hello experts, can you please help me. I have web service deployed on weblogic server.
    I have not set any credential for this web service. I can test the service from SOAPUI without providing any credentials.
    Then I generated WS proxy client using Jdeveloper. When I try to run the client, I do not know why I get security exception (shown below) even though I have not secured the web service deployed on weblogic server.
    java.lang.SecurityException: keyStoreFilename is either null or empty string
    at weblogic.wsee.security.util.CertUtils.getCertificate(CertUtils.java:87)
    at pilot1.ContactWSPortTypePortClient.getBSTCredentialProvider(ContactWSPortTypePortClient.java:104)
    at pilot1.ContactWSPortTypePortClient.setPortCredentialProviderList(ContactWSPortTypePortClient.java:78)
    at pilot1.ContactWSPortTypePortClient.main(ContactWSPortTypePortClient.java:46)
    Process exited with exit code 0.
    Here is my client class :
    public static void main(String[] args) {
        try {
            contactWSService = new ContactWSService();
            ContactWSPortType contactWSPortType = contactWSService.getContactWSPortTypePort();
            Map<String, Object> requestContext = ((BindingProvider) contactWSPortType).getRequestContext();
            setPortCredentialProviderList(requestContext);
            // Add your code to call the desired methods.
            // QueryPageInputSecondPage qpisp= new QueryPageInputSecondPage(); //I have commented it in order to resolve security issue
            System.out.println("Inside the client class");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
    Inside the method setPortCredentialProviderList(), I have not provided any credentials, keystores etc. Because weblogic is not setup with SSL and also I have not set up any authorization or authentication for the web service. I do not know why I am able to test it through SOAPUI and why not using WS proxy.
    I also tried to invoke the web service from ADF page by creating data control. I did not provide any policy details because there is no security enabled for the web service on weblogic server. Even when I run the ADF application, I get below security error :
    <Error while invoking endpoint "http://10.1.1.59:7010/ContactWSWebSvc/ContactWSPortTypePort" from client; Security Subject: anonymous>
    ####<Jul 9, 2012 10:02:31 AM EDT> <Error> <oracle.adf.model.connection.webservice> <dmnov23-HP> <DefaultServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <a7d8487bcbe16046:-44aec1c2:1386c02f9ac:-8000-000000000000007f> <1341842551474> <BEA-000000> <Failed to execute a SAAJ interaction.
    javax.xml.ws.soap.SOAPFaultException: java.lang.NullPointerException
    at oracle.j2ee.ws.client.jaxws.DispatchImpl.throwJAXWSSoapFaultException(DispatchImpl.java:1024)
    at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:808)
    at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.synchronousInvocationWithRetry(OracleDispatchImpl.java:235)
    Appreciate your quick response.
    thanks a lot
    jyothi
    Edited by: Jyothi on Jul 9, 2012 2:45 PM
    Edited by: Jyothi on Jul 9, 2012 2:48 PM

    Also, I do not know why the Jdev classpath is set with lot of jar files. May be that is how the Jdeveloper is setup when we install since it has to support lot of applications. I am really shocked to see this.
    When I run the WS proxy client (java client) for this webservice from Jdeveloper, it is finally throwing java.lang.SecurityException: keyStoreFilename is either null or empty string error. As I mentioned earlier, I did not provide any credentials or keystore details inside setPortCredentialProviderList(). I am totally confused why Jdeveloper is behaving like this for unsecured web service.
    java.lang.SecurityException: keyStoreFilename is either null or empty string
         at weblogic.wsee.security.util.CertUtils.getCertificate(CertUtils.java:87)
         at pilot1.ContactWSPortTypePortClient.getBSTCredentialProvider(ContactWSPortTypePortClient.java:104)
         at pilot1.ContactWSPortTypePortClient.setPortCredentialProviderList(ContactWSPortTypePortClient.java:78)
         at pilot1.ContactWSPortTypePortClient.main(ContactWSPortTypePortClient.java:46)
    Process exited with exit code 0.

  • EJB security suppress in development and testing

    Hi,
    I'm not quite sure if it's the right place for the post but it seems to me a good one for a start. I think that my problem should be quite common and I'm really surprised that I can't find the answer :/, perhaps I search for the wrong thing, but let's get down to business :).
    I have a JEE project which includes an EJB module and an enterprise client.
    The EJB is secured, when I try to access its methods via the client I have to provide proper credentials and everything works perfectly well.
    However, during the development cycle 2 issues may arise.
    1. It can be frustrating that each time I need to access a secured method (i.e. every debug), I have to provide user credentials.
    2. I don't know how to programmatically provide credentials in order to make unit tests.
    So,
    is it possible to "suppress security" during development, so that no security checks are made ??
    Maybe there are different solutions ??
    Or my assumptions are wrong ??

    Thanks, the solution works :)
    If anyone has a same issue, I provide ejb-jar.xml.
    <?xml version="1.0" encoding="UTF-8"?>
    <ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee"
    version = "3.0"
    xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
    <enterprise-beans>
    <session>
    <ejb-name>CartBean</ejb-name>
    <ejb-class>cart.secure.ejb.CartBean</ejb-class>
    </session>
    </enterprise-beans>
    <assembly-descriptor>
    <security-role>
    <role-name>kuku</role-name>
    </security-role>
    <method-permission>
    <unchecked></unchecked>
    <method>
    <ejb-name>CartBean</ejb-name>
    <method-name>*</method-name>
    </method>
    </method-permission>
    </assembly-descriptor>
    </ejb-jar>
    Only one thing, that bothers me remains, that is why I had to define the bean in the descriptor ??
    If I didn't put <enter ... then I got the following error:
    Deploying application in domain failed; Error loading deployment descriptors for module [cart-secure] -- Referencing error: This bundle has no bean of name [CartBean]

  • What components do I need to develop and run JSP applications?

    I am currently developing a JSP-based application using Apache, Tomcat, MySQL, and JDBC. I'm considering switching to Oracle since I know it better and it has better support for certain capabilities.
    But, it's very confusing trying to determine from the Oracle sites just what I need and which platforms are supported. What do I need to buy and what can I download?
    So, which Oracle components do I need to develop and test JSP applications using Application Server? I'll probably get into XML as well.
    Does any of it run on Win98, WinNT, Win2000, or SolarisIntel? I likely will not deploy on any of these platforms, but it would be convenient to develop on my Intel laptop, if possible.
    --Terry Westley

    Oracle's IAS includes an Apache and Jserv with JSP runtime by default.
    You could simply migrate your Apache/Tomcat JSP to Apache/Jserv/Oracle JSP without problems, including on the win32 platform.
    To run servlets compliant with JSDK 2.2+ you have to use the Apache mod_ose module with your servlets and JSPs running inside the Oracle JVM; this combination is more scalable and secure for big projects, but it requires more hardware for your laptop.
    Best regards, Marcelo.
