Jsp sites access control
Hi,
I am new to web-app programming.
I have developed a few JSP pages. One of them is a login page and the other should only be accessible after logging in on the login page.
The current state is: the pages can also be accessed directly with the url like this: "http://localhost:8080/application_root/my_url_pattern/somepage.jsp".
I am looking for a solution to avoid the direct access per url.
My ideas are:
1) set the render control of the jsp site -> it works well -> but a bit complex
2) outsource the jsp site -> save the jsp sites somewhere else than the application root -> I have the problem that the site could not be found. Can somebody tell me how I can solve this problem?
Thank you
Ming
Message was edited by:
m_z
You can set up a servlet filter in the web.xml. That lets you intercept every single request to certain areas of the app, and modify/redirect it if necessary.
Example: This sets up a filter that runs on all requests to the "/tools" directory:
In web.xml:
    <filter>
        <filter-name>testFilter</filter-name>
        <filter-class>com.TestFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>testFilter</filter-name>
        <url-pattern>/tools/*</url-pattern>
    </filter-mapping>
And an example Java class of a filter. This one just logs the request URI.
    package com;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;

    public class TestFilter implements Filter {
        public void init(FilterConfig arg0) throws ServletException {}

        public void destroy() {}

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            if (request instanceof HttpServletRequest) {
                HttpServletRequest req = (HttpServletRequest) request;
                // Log the URI of every request that matches the filter mapping.
                System.out.println("Servicing request for " + req.getRequestURI());
            }
            // Always pass the request on, otherwise it never reaches the target resource.
            chain.doFilter(request, response);
        }
    }
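As an added example (not part of the original reply), this is one way to turn the logging filter above into the access check the question asks for: requests without a logged-in session are redirected to the login page, and because the check is tied to the URL pattern it also covers static .html files. The class name `LoginFilter`, the session attribute `user`, the path `/login.jsp` and the `markLoggedIn` helper are assumptions made for illustration.

```java
package com;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: lets a request through only when the session carries a login marker.
 * Map it in web.xml the same way as testFilter, e.g. <url-pattern>/tools/*</url-pattern>.
 * The login page itself must sit outside the filtered pattern, or the redirect loops.
 */
public class LoginFilter implements Filter {

    // Assumed names, not taken from the original thread.
    private static final String USER_ATTR = "user";
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Fail closed: anything that is not plain HTTP is rejected rather than passed on.
        if (!(request instanceof HttpServletRequest)
                || !(response instanceof HttpServletResponse)) {
            throw new ServletException("LoginFilter only handles HTTP requests");
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false) avoids creating a session for every anonymous visitor.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!loggedIn) {
            // Stop here: the protected resource is never rendered for this request.
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PAGE));
            return;
        }

        // Keep protected pages out of browser and proxy caches so they are not
        // readable from the cache after logout.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }

    /**
     * Call this from the login servlet or JSP once the credentials have been verified.
     * The pre-login session is discarded so an id issued before authentication
     * is not carried over into the authenticated session (session fixation).
     */
    public static void markLoggedIn(HttpServletRequest req, String username) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(USER_ATTR, username);
    }
}
```

A direct request such as the somepage.jsp URL from the question then ends at the login page unless the session was marked by `markLoggedIn`. A logout action should call `session.invalidate()` so the marker cannot be reused.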
Similar Messages
-
We have been working with a design company to design our website HTML. However, a portion of these HTML files need to be password protected, all of these files are stored in one particular folder called "/tools". The problem here is that these files should only be accessible if the user has logged into the site, and the design firm has given all of these files an .html extension, which means that they will not be able to run embedded JSP code.
From what I understand, if I want to create access control in these .html files I will need to rename them all to .jsp and then update all the links to these files to use the .jsp extension. But the design firm is telling me that their other clients never needed to do this and were able to use JSP to control access to the folder itself. They said that it is possible using JSP to prevent access to a particular folder on the webserver, and that anybody without a valid login or session who tries to access the files in the folder can be redirected to the login page. All of this can be achieved without having to insert JSP code into the password-protected HTML files and renaming them with a .jsp extension. Is this true? We want to avoid doing this because there are a lot of HTML files and links that will need to be changed if we rename the files to .jsp.
I'm still a relative beginner with JSP and have never heard of any functionality which allows JSP to stop a browser from accessing a particular folder on the server. Am I missing something here? Is there really a better way of doing this without using JSP code?
I have thought about putting the folder in an offline location and then using a controller JSP/servlet to check the user's login status and then read & display the HTML file from the offline folder. But I am not sure if this is really an efficient way of doing this.
Any suggestions?
Thanks,
Phil -
An access control proxy in front of my JSP pages
Hi All,
I want to protect the access to my jsp pages. If for example the user types in his browser www.abc.com/page1.jsp, I want to capture that request and pass it to an access control engine. If the user is authorized then he should get that page if not he should be directed to another page.
any answers will be appreciated ... I'm using tomcat 5.5.
For example the user types in his browser www.abc.com/page1.jsp, I want to capture that request and pass it to an access control engine. If the user is authorized then he should get that page if not he should be directed to another page.
Focus a bit on your design: ask yourself how the whole world accessing the page can be identified.
Is it via machine-to-machine authentication and handshake, or user authentication and authorisation?
Machine to machine will happen on a VPN infrastructure where specified connections are directed to a host port else the other, or user authentication and authorisation where the user logs in to determine which bit of your page he has access to, then using an MVC framework you can say hang on! based on your credentials you're authorised to use this page instead.
Note if no one is identifying him/herself on your system before having access to the required resource then your design aim sounds, excuse me to say, a bit difficult to achieve. Again from the look of things you're trying to achieve this using an access router; please, if that is the case then think otherwise because it is not possible.
Edited by: bidox on Mar 29, 2008 9:25 AM -
Hello,
I'm attempting to get a SharePoint 2013 Provider Hosted Application working in a brand new SharePoint environment. I've created snapshots of both my dev and the sharepoint environments along the way and have meticulously documented every step of the way. I've followed these instructions (among many other resources found along this journey) :
http://msdn.microsoft.com/en-us/library/fp179923(office.15).aspx
http://technet.microsoft.com/en-us/library/fp161236(office.15).aspx
http://msdn.microsoft.com/library/office/fp179901%28v=office.15%29
Upon package and publish of my application to SharePoint, I get a 401 Unauthorized error. I use Fiddler to obtain the SPErrorCorrelationID to ultimately obtain the following ULS Viewer Output. Please explain how to fix if you're able.
Please Note: I was under the impression that a Provider Hosted Application does not use the Azure Access Control service, so I'm confused as to why my system is attempting to make this connection?
Also Note: I've used a self signed and GoDaddy obtained certificate to successfully f5 debug my basic web.title (out of the visual studio 2012 box) sharepoint provider hosted application... so I know my certs are good.
Here's my ULS output:
Your help is very much appreciated.
With Respect,
Larry
Yes, actually - I was able to resolve it.
However I don't know how, unfortunately. I suspect it was because I needed to have the names of the certificates, defined during the certificate registration (to sharepoint) process, different.
I have a complete document that shows step by step instructions on the exact process I took to complete the provider hosted application creation, deployment and publishing. It was a daunting task, but I finished it successfully.
If there's a way to send private message on this forum, please do so and I'll respond with a way to obtain my document.
NOTE: I'm not at all impressed with the way this forum works. This is supposed to be a Microsoft resource and I'll be damned if I ever get a response to highly technical questions. Completely lame. Boooooo Microsoft. -
ESYU: R12 - How to set up Multi Org Access Control (MOAC) for Order Management
Purpose
Oracle Order Management - Version: 12.0 to 12.0
Information in this document applies to any platform.
This note describes how to set up Multi Org Access Control (MOAC) for Order Management in R12.
Solution
General MOAC setup:
1. Define a Security Profile in HRMS:
a. Select the HRMS Management responsibility
b. Navigate to HRMS Manager> Security> Profile
c. Check whether a Security Profile is defined (at the OM responsibility or Site level)
d. If it has not been set up yet, enter the Operating Units
e. Save
Note: If you created a new security profile as in step d above, you must run the concurrent program 'Security List Maintenance'.
Otherwise the multiple operating units will not appear in the LOVs of the OM forms.
This program populates the tables that are used to validate multi-org access.
Navigation: HRMS Management> HRMS Manager> Processes & Reports> Submit Process & Report> Security List Maintenance
2. MO Profile Options setup:
a. MO: Security Profile - this profile setting enables the MOAC functionality.
b. MO: Default Operating Unit - this Operating Unit becomes the default in OM forms and reports; the LOV can be used to clear or change it.
Keep the MO profiles in sync:
MO: Security Profile can be set at the site and responsibility levels.
MO: Default Operating Unit can be set at the site, responsibility and user levels.
If the application does not behave as expected, check the values of these profile options.
3. OM setup:
Check the new OM System Parameters that were migrated from the OM Profiles during the R12 upgrade:
Order Management Super User> Setup> System Parameters> Values
(See <<NOTE 393646.1>>-R12 Readiness Cheat Sheet: Migrated OM Profile Options)
4. Enable the hidden field 'Operating Unit' on the forms and save it as the default folder:
Sales Order and Order Organizer forms
Quick Sales order and Organizer forms
Sales Agreement forms
Pricing and Availability form
Other forms
Note: Before you 'Show' the hidden field 'Operating Unit' on the Sales Order form, you must make room for this field on the form.
For example, you can shorten the Customer Number field, or overlay that field with the Operating Unit field.
Reference
Note 393634.1
Hi Larry,
Have you considered adding the exec apps.mo_global.set_policy_context call to your connection's start-up script?
Tools -> Preferences -> Database -> Filename for connection startup script
Not the most flexible approach, so I'm not sure if it is appropriate for your application, but just a thought. You might create distinct connection names with different start-up scripts for each org_id.
Regards,
Gary
SQL Developer Team -
Assign Access Control HTTP 404
The assign access control throws the http 404 error when I try to provision from shared services. It however works from workspace. Is this a known issue on 11.1.2.2? If there are any ways to make it work, Please post.
ak123 wrote:
Its the same when I try from both port 28080 and 9000.
So are you running the embedded http server on port 9000? if not and you are using OHS then try accessing Shared Services through that port e.g. http://<sharedservices>:19000/interop/index.jsp
Actually I am not sure that matters with HFM and you can go direct through 28080 or 19000, worth a try, if not maybe it just needs registering again as Pablo said.
Cheers
John
http://john-goodwin.blogspot.com/ -
War file and access control with WebLogic
I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
This is how my weblogic.properties file looks like:
weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
weblogic.password.koko=kokokoko
weblogic.password.arnebelinda=arne1234
weblogic.security.group.ppuseradmins=arnebelinda
and my weblogicURL.policy:
deny Principal weblogic.security.acl.GroupImpl "everyone" {
Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
and finally, my web.xml-file:
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <url-pattern>index.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ppuseradmins</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>WebLogic Server</realm-name>
    </login-config>
    <security-role>
        <role-name>ppuseradmins</role-name>
    </security-role>
</web-app>
it does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
Does anybody have a clue? I would really appreciate it!
I am using WebLogic 5.1 sp 9
best regards,
PJ
In your policy file entry, you have specified "/admin/-"
However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin
Could that be the problem ? -
Hi,
I have a requirement in which I have to assign a couple of email ids to the "Manage Access Request" field to process site access requests. And, this is possible using server object model but I have to achieve this on SharePoint Online with the help of CSOM.
There are two properties which control the access request configuration, first is "RequestAccessEnabled", a Boolean flag which turns on or off the access request feature for the site. The second property defines one or more email addresses where requests will be sent to. It is named "RequestAccessEmail".
The above both properties are available for server object model but not for CSOM.
So, is there any other workaround or way to achieve the same in CSOM?
Thanks,
I don't think there is a programmatic workaround for SharePoint Online. But the email address is just used for Notification. Anyone with Manage Permissions can approve Access Requests. If you create an email distribution list for the multiple addresses that should be notified you should be able to add the email address for the distribution list into the Access request email field using the user interface.
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem. -
Product : ORACLE SERVER
Date written : 2005-11-24
Version-specific features of DBMS_RLS.ADD_POLICY for FINE GRAINED ACCESS CONTROL (FGAC)
=======================================================================
PURPOSE
A brief introduction to FGAC, the mechanism for row-level security and context
management, and how to use it is given in <bul 23026>.
This document summarizes the version-specific features of the dbms_rls package for
FGAC from 8i through 10g, and looks at the STATIC_POLICY and POLICY_TYPE parameters
in detail using examples.
Explanation & Examples
A typical set of values passed to dbms_rls.add_policy is shown below.
Most of them can be left at their defaults, so in general only the first five
parameters need to be given a value.
SQL> exec DBMS_RLS.ADD_POLICY ( -
> object_schema => 'SCOTT', -
> object_name => 'EMP', -
> policy_name => 'POL1', -
> function_schema => 'SYS', -
> policy_function => 'PREDICATE', -
> statement_types => 'SELECT', -
> static_policy => false, -
> policy_type => DBMS_RLS.DYNAMIC, -
> long_predicate => false);
1. Version-specific features of FGAC
(1) sec_relevant_cols/sec_relevant_cols_opt : 10G
In addition to the add_policy procedure parameters described above, the
following two parameters were added in 10g.
They make the policy take effect only when the relevant columns are queried;
see <Note 250795.1> on the metalink.oracle.com site for usage and examples.
- sec_relevant_cols
- sec_relevant_cols_opt
(2) long_predicate : 10G
The default is false; when it is set to true, the predicate can be 4000 bytes
or longer.
(3) statement_types : INDEX type added from 10G
Up to 9i, FGAC could be applied to SELECT, INSERT, UPDATE and DELETE;
from 10g the INDEX type can also be specified.
When index is specified, creation of function-based indexes can be restricted;
a detailed example can be found in <Note 315687.1> on the metalink.oracle.com
site.
(4) EXEMPT ACCESS POLICY privilege : 9i
To keep a particular user from being affected by any fine-grained access
control policy, grant the exempt access policy privilege; this was introduced
in 9i.
SQL> grant exempt access policy to scott;
The privilege is granted in this way; a detailed example is available in
<Note 174799.1> on the metalink.oracle.com site.
(5) Policies on synonyms : 9.2
It became possible to set a VPD (Virtual Private Database) policy on a synonym;
the detailed method and examples can be found in <Note 174368.1> on
metalink.oracle.com.
(6) static_policy : 8.1.7.4
The static_policy parameter did not exist in 8i; it was introduced in 9i and was
also applied to 8.1.7.4. The default value is false, and up to 8173 the behaviour
is always as if it were false.
That is, the policy function is executed every time the object is accessed.
From 8.1.7.4 this parameter can be set to true. In that case the policy function
is executed once in the session and, as long as the function is cached in the
shared pool, it is used as is without being re-executed.
From 10g the policy_type parameter described in (7) was added. Instead of setting
this parameter to true, leave static_policy at false and set policy_type to
dbms_rls.static; the result is the same as setting static_policy to true
in 9i and 8174.
(7) policy_type: 10g
The following five values are possible; the default is dynamic.
- STATIC
Used when the predicate contained in the policy function does not give different
results depending on the runtime environment. For example, using it when the
function returns a different result depending on sysdate can cause problems.
With static, the policy function is executed once and loaded into the SGA;
afterwards, when the same object is used in the same session, the result of that
predicate is reused without re-execution.
- SHARED_STATIC
Same as STATIC, but when the same predicate function is used for other objects
as well, the cached predicate is looked up first and used if it is present.
With STATIC the predicate is not shared between different objects; the cached
value is used only for the same object.
- CONTEXT_SENSITIVE
When the context changes within a session, the predicate is re-executed at that
point.
When a WAS (web application server) is used, connection pooling is normally used,
and in that case one session is used by several users in turn. If the middle tier
sets the context, the predicate is executed again every time the context changes,
so that values such as the changed sysdate or session_user are recomputed.
An example of setting the context from jdbc can be found in <Note 110604.1> on
metalink.oracle.com.
- SHARED_CONTEXT_SENSITIVE
Same as context_sensitive, except that, as with shared_static, when the same
predicate is used for several objects it first checks whether the same predicate
is already cached for another object.
If it is, the result of that predicate is used as is until the session private
application context changes.
- DYNAMIC
This is the default value. The predicate function is assumed to be affected by
the system or the environment, so it is re-executed every time a statement is
executed and returns a value that fits the environment.
The example below, which uses a predicate that returns a different result
depending on the sysdate value, shows the exact mechanism.
2. How the policy function behaves depending on the values of static_policy and policy_type
(a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
(1) If the pol1 policy already exists, drop it as follows.
SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
(2) Create the predicate function as the scott user, as follows.
SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
2 return varchar2 is d_predicate varchar2(2000);
3 begin
4 if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI')<'05' then
5 d_predicate := 'ename = sys_context (''USERENV'' , ''SESSION_USER'')';
6 else d_predicate := 'sal>=3000';
7 end if;
8 return d_predicate;
9 end predicate;
10 /
(3) Add pol1 again.
SQL> exec DBMS_RLS.ADD_POLICY ( -
object_schema => 'SCOTT', -
object_name => 'EMP', -
policy_name => 'POL1', -
function_schema => 'SCOTT', -
policy_function => 'PREDICATE', -
statement_types => 'SELECT', -
static_policy => TRUE, -
policy_type => NULL);
(4) Query scott.emp as the adams user.
Note that the select privilege on scott.emp must be granted to king as follows.
SQL>grant select on emp to king;
SQL>!date
Thu Nov 24 14:01:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
Even after five minutes have passed and the if condition of the predicate function
is no longer satisfied, the king user still gets the same rows back from the emp table.
SQL>!date
Thu Nov 24 14:10:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
(b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
(1) Drop the existing policy as follows.
SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
(2) Add pol1 again, this time changing static_policy and policy_type as
follows.
SQL> exec DBMS_RLS.ADD_POLICY ( -
object_schema => 'SCOTT', -
object_name => 'EMP', -
policy_name => 'POL1', -
function_schema => 'SCOTT', -
policy_function => 'PREDICATE', -
statement_types => 'SELECT', -
static_policy => false, -
policy_type => dbms_rls.dynamic);
(3) Query as the king user.
The predicate function created in 2-(a) above is used as is.
That is, if (a) has not been run, step (a)-(2) must be executed before querying.
SQL>!date
Thu Nov 24 15:01:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
After five minutes have passed, run the query once more as the king user.
SQL>!date
Thu Nov 24 15:10:13 EST 2005
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7788 SCOTT ANALYST 7566 19-APR-87 3000
20
7839 KING PRESIDENT 17-NOV-81 5000
10
7902 FORD ANALYST 7566 03-DEC-81 3000
20
RELATED DOCUMENTS
<Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
in DBMS_RLS.ADD_POLICY Procedure
<Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
to 10g
First, you could use default column values, not a trigger, which is more expensive.
If your apps already assume full access to the table to get the max id (another RT), this is bad. Current RLS cannot really help if you cannot change the apps because of this flawed logic (you can store the maxid anywhere, why scan the whole table to find it) -
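The static-policy result in the note above (king keeps seeing the same rows after the time window closes) comes from the policy function running once and its returned predicate being cached. As an added example, not part of the original note: a dictionary query that flags static policies whose function source reads the clock, and a rewrite that keeps the time test inside the predicate text so it is evaluated per query. It assumes access to DBA_POLICIES and DBA_SOURCE; the function name PREDICATE_INLINE and its parameter names are hypothetical.

```sql
-- Added example, not part of the original note.
-- 1) Audit (heuristic): static VPD policies whose policy function reads the
--    clock. Such a function runs once, and its cached predicate goes stale.
select p.object_owner, p.object_name, p.policy_name, p.policy_type,
       p.pf_owner, p.package, p.function, s.line,
       trim(s.text) as source_line
from   dba_policies p
join   dba_source   s
       on  s.owner = p.pf_owner
       and s.name  = nvl(p.package, p.function)
       and s.type in ('FUNCTION', 'PACKAGE BODY')
where  (p.static_policy = 'YES'
        or p.policy_type in ('STATIC', 'SHARED_STATIC'))
and    regexp_like(s.text,
                   'sysdate|systimestamp|current_date|current_timestamp', 'i')
order  by p.object_owner, p.object_name, p.policy_name, s.line;

-- 2) Alternative to switching the policy to DYNAMIC: return one constant
--    predicate and put the time test inside it, so SYSDATE is evaluated when
--    each query runs, not when the policy function ran.
--    PREDICATE_INLINE and its parameter names are hypothetical.
create or replace function predicate_inline (
  p_schema in varchar2,
  p_object in varchar2
) return varchar2 is
begin
  return q'[(to_char(sysdate, 'HH24') >= '06'
             and to_char(sysdate, 'MI') < '05'
             and ename = sys_context('USERENV', 'SESSION_USER'))
         or (not (to_char(sysdate, 'HH24') >= '06'
                  and to_char(sysdate, 'MI') < '05')
             and sal >= 3000)]';
end predicate_inline;
/
```

For a policy function that lives in a package, the audit query scans the whole package body, so a hit can come from an unrelated routine and needs a manual look.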
"Assign Access Control" returns error for essbase apps in shared services
Hello,
I installed and configured Oracle EPM 11.1.2 (Foundation, Essbase, Planning, Reporting&Analysis):
OS: Windows Server 2008 Sp2 (32bit)
Default Installation with default ports,
Installation of all components on the same server,
no clustering
EPM System Diagnostic says that everything is OK.
Now I want to assign filter access for an essbase database in the Shared Services.
Starting the menu item "Assign Access Control" in Shared Services returns the following error:
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
+10.4.5 404 Not Found+
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
+....+
Can anybody help ???
best regards,
Nicole
Hello,
here's what I found out so far:
I get the error if I start the shared services console via the URL "http://servername:port/interop/index.jsp" and then select the "assign access control" for an essbase database.
If I start the shared services console via the workspace everything works fine.
Does anybody know what to do so that it also works if I start the shared services console via URL?
best regards,
Nicole -
Data Access control in J2EE technologies/apps
Hi Guys,
I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages of a Struts based web application.
First off, to clarify, I am not referring to the ability for different users to log on to a specific page and/or view specific pages. That is a different type of access control. I am more interested in the "Data Access", i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.
I am interested to know of the different approaches/frameworks out there for implementing "data access" control. Is there a framework out there for this kind of thing?
I'm thinking that to do this the controls/privileges need to be configured (i.e. data access categories, users etc.) somewhere, probably in the database. The rules can get quite complicated, so I'm wondering whether there is already a framework that I can use to accomplish this rather than implementing it from scratch.
Thinking about how it will work, the rules that govern the access are very specific to our business domain, so I am not really sure whether there is any third party framework that I can use that is very generic and will allow the rules to be configured.
Thanks
You are right, access control is very application dependent, and is therefore not a good target to turn into a generic framework.
In my opinion the king of security frameworks is Spring Security, so you could take a look at that.
http://static.springsource.org/spring-security/site/
Other than that, I have used a simple setup using JavaServer Faces. I had a user bean with a set of boolean flags indicating the user's capabilities (directly mapped to a database table) and in the components I would have rendered="#{user.userRole}" attributes where necessary, to conditionally switch off elements when the user wasn't allowed to see them, in some cases rendering a read-only view instead.
It's a chore to test, but quite easy to maintain and to read IMO. -
Applying Support Packs at GRC Access Control 5.3 overall solution level
Hi All
I recently noticed something at a customer: the GRC Access Controls 5.3 launch pad shows a different SP level, e.g. version 8, while the components show other levels: Compliant User Provisioning shows SP10, RAR shows SP12, etc.
My questions are;
1. Should SP updates be applied at a component level i.e. at RAR, CUP, ERM, and SPM level?
2. Would this customer scenario cause an issue in the future, when for example RAR is sitting on a different SP level than CUP etc.?
3. If GRC Access Controls launch pad shows SP level/version, does this SP level/version represent the SP level/version that applies to all components? or does this represent SP level/version of the launchpad only?
4. Are the Support Packs required to be applied on the ABAP stack as well?
Thanks
Odwa
Hi Odwa,
Please see my replies below.
1. Should SP updates be applied at a component level i.e. at RAR, CUP, ERM, and SPM level? NO, Just apply them to the entire GRC-AC from the JSPM
2. Would this customer scenario cause an issue in the future, when for example RAR is sitting on a different SP level than CUP etc.? Yes, one of these days there is going to be a problem because of this
3. If GRC Access Controls launch pad shows SP level/version, does this SP level/version represent the SP level/version that applies to all components? or does this represent SP level/version of the launchpad only?
4. Are the Support Packs required to be applied on the ABAP stack as well? Yes, they need to be applied on all the ABAP stacks as well; it is very important that support packs remain in sync everywhere.
Thanks!
Chinmaya
Edited by: chinmaya prakash on Dec 6, 2010 4:10 PM -
Assign access control,http 404 error
Hi,
When I right-click on assign access control, I receive the following error:
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Please try the following:
If you typed the page address in the Address bar, make sure that it is spelled correctly.
Open the server111:19000 home page, and then look for links to the information you want.
Click the Back button to try another link.
Click Search to look for information on the Internet.
HTTP 404 - File not found
Internet Explorer
Can you help me in this regard ?
Thanks,
ColDFireak123 wrote:
It's the same when I try from both port 28080 and 9000.
So are you running the embedded http server on port 9000? If not and you are using OHS, then try accessing Shared Services through that port, e.g. http://<sharedservices>:19000/interop/index.jsp
Actually I am not sure that matters with HFM and you can go direct through 28080 or 19000, worth a try, if not maybe it just needs registering again as Pablo said.
Cheers
John
http://john-goodwin.blogspot.com/ -
Internal error if pointing on jsp-site
I set up the Sun ONE Webserver 6.1 SP2 and deployed a webapp named prodass3. It functioned, but displaying jsp-sites.
If I point to a HTML-site within the webapp, the HTML-site is displayed correctly. Access-log entry:
192.168.200.53 - - [08/Jun/2004:17:34:55 +0200] "GET /prodass3/index.html HTTP/1.1" 200 1734
But if I point to a JSP-site, I get an internal error. Access-log entry:
192.168.200.53 - - [08/Jun/2004:17:46:42 +0200] "GET /prodass3/index.jsp HTTP/1.1" 500 305
I think the JSP-files would not be compiled. But there is no error or something like that..
Java Globally and Java for class vsclass1 are enabled.
Java Home Path: C:/Programme/Sun/WebServer6.1/bin/https/jdk/
What am I doing wrong?
Kind regards, Jonas
I can't find a 'wrong' classpath in server.xml like you mentioned above.
I also copied the jdk (1.4.2) from the development environment onto the server machine and linked the java home to the new path.
I also restarted the virtual server.
Here is the server.xml:
Can you tell me if there is something else wrong?
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
-->
<!DOCTYPE SERVER PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Web Server 6.1//EN" "file:///C:/Programme/Sun/WebServer6.1/bin/https/dtds/sun-web-server_6_1.dtd">
<SERVER qosactive="false">
<PROPERTY name="docroot" value="C:/Programme/Sun/WebServer6.1/docs"/>
<PROPERTY name="accesslog" value="C:/Programme/Sun/WebServer6.1/https-gsa_tomcat-test.gartenmann.ch/logs/access"/>
<PROPERTY name="user" value=""/>
<PROPERTY name="group" value=""/>
<PROPERTY name="chroot" value=""/>
<PROPERTY name="dir" value=""/>
<PROPERTY name="nice" value=""/>
<LS id="ls1" port="80" servername="gsa_tomcat-test.gartenmann.ch" defaultvs="https-gsa_tomcat-test.gartenmann.ch" security="false" ip="any" blocking="false" acceptorthreads="1"/>
<MIME id="mime1" file="mime.types"/>
<ACLFILE id="acl1" file="C:/Programme/Sun/WebServer6.1/httpacl/generated.https-gsa_tomcat-test.gartenmann.ch.acl"/>
<VSCLASS id="vsclass1" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
<PROPERTY name="docroot" value="C:/Programme/Sun/WebServer6.1/docs"/>
<VS id="https-gsa_tomcat-test.gartenmann.ch" connections="ls1" mime="mime1" aclids="acl1" urlhosts="gsa_tomcat-test.gartenmann.ch" state="on">
<PROPERTY name="docroot" value="C:/Programme/Sun/WebServer6.1/docs"/>
<USERDB id="default"/>
<SEARCH>
<WEBAPP uri="/search" path="C:/Programme/Sun/WebServer6.1/bin/https/webapps/search" enabled="true"/>
</SEARCH>
<WEBAPP uri="/prodass3" path="C:/Programme/Sun/WebServer6.1/https-gsa_tomcat-test.gartenmann.ch/webapps/prodass3" enabled="true"/>
</VS>
</VSCLASS>
<JAVA javahome="C:/Programme/Java/jdk1.4.2jdev/" serverclasspath="C:/Programme/Sun/WebServer6.1/bin/https/jar/webserv-rt.jar;${java.home}/lib/tools.jar;C:/Programme/Sun/WebServer6.1/bin/https/jar/webserv-ext.jar;C:/Programme/Sun/WebServer6.1/bin/https/jar/webserv-jstl.jar;C:/Programme/Sun/WebServer6.1/bin/https/jar/ktsearch.jar" classpathsuffix="" envclasspathignored="true" nativelibrarypathprefix="" debug="on" debugoptions="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n" dynamicreloadinterval="-1">
<JVMOPTIONS>-Djava.security.auth.login.config=C:/Programme/Sun/WebServer6.1/https-gsa_tomcat-test.gartenmann.ch/config/login.conf</JVMOPTIONS>
<JVMOPTIONS>-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager</JVMOPTIONS>
<JVMOPTIONS>-Xmx256m</JVMOPTIONS>
<SECURITY defaultrealm="native" anonymousrole="ANYONE" audit="false">
<AUTHREALM name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
<PROPERTY name="file" value="C:/Programme/Sun/WebServer6.1/https-gsa_tomcat-test.gartenmann.ch/config/keyfile"/>
<PROPERTY name="jaas-context" value="fileRealm"/>
</AUTHREALM>
<AUTHREALM name="native" classname="com.iplanet.ias.security.auth.realm.webcore.NativeRealm">
<PROPERTY name="jaas-context" value="nativeRealm"/>
</AUTHREALM>
<AUTHREALM name="ldap" classname="com.iplanet.ias.security.auth.realm.ldap.LDAPRealm">
<PROPERTY name="directory" value="ldap://localhost:389"/>
<PROPERTY name="base-dn" value="o=isp"/>
<PROPERTY name="jaas-context" value="ldapRealm"/>
</AUTHREALM>
</SECURITY>
<RESOURCES/>
</JAVA>
<LOG file="C:/Programme/Sun/WebServer6.1/https-gsa_tomcat-test.gartenmann.ch/logs/errors" loglevel="info" logtoconsole="true" usesyslog="false" createconsole="false" logstderr="true" logstdout="true" logvsid="false"/>
</SERVER>