Non-secure DDNS security risk?

We are running a 2008R2 domain. Our DCs are also DHCP/DNS (ADI) servers. The DCs are also members of the DNSUpdateProxy group. We do not have an account being used for passing Dynamic Update credentials. I read something from Ace Fekay that said this is not recommended for DCs, with DNS/DHCP to be in the DNSUpdateProxyGroup, but the DCs are obviously not using DHCP and the security on their records looks fine.
We are set to allow both non-secure and secure updates because we have some access points and some HP ILOs (Integrated Lights-Out clients) that are not on the domain and using DHCP. I know that allowing non-secure updates is a huge risk, but I am trying to get details about the risk. We are also set to "Always dynamically update DNS records" & "Dynamically Update DNS records for clients that do not request updates." Almost all of our servers (the main risks we care about) are not using DHCP, except for the ILOs. We are not using NAP. Here are the questions.
1. DNS spoofing with Windows computer - If someone brings in a Windows computer with the same computer name as one of our critical servers (obviously it will be off the domain), can it grab an IP address and update the record of the critical server? I was thinking it would detect the naming conflict.
2. DNS spoofing with Linux computer - If someone brings in a Linux computer with the same computer name as a critical server, can it grab the IP address for a critical server that has a static address?
I am trying to find some real-world scenarios to get approval to switch to "secure-only" updates. The biggest risk from doing that is that we have trouble finding all the DDNS records. Then some expire and we lose connectivity to those resources until we get it fixed. If anyone can throw some realistic disaster scenarios at me, I would appreciate it.
Thanks,
Dan Heim

Hi,
If you have installed the DHCP service on a domain controller, be absolutely certain not to make that server a member of the DNS Update Proxy group. Doing so would give any user or computer full control of the DNS records corresponding to the domain controllers, unless you manually modified the corresponding ACL. Moreover, if a DHCP server that is running on a domain controller is configured to perform dynamic updates on behalf of its clients, that DHCP server is able to take ownership of any record, even in the zones that are configured to allow only secure dynamic update. This is because a DHCP server runs under the computer account, so if it is installed on a domain controller it has full control over DNS objects stored in the Active Directory.
For non-Windows computers, you can enable name protection.
For more information please refer to:
Secure Dynamic Update
http://technet.microsoft.com/en-us/library/cc961412.aspx
Configuring Name Protection
http://technet.microsoft.com/en-us/library/dd759188.aspx
Hope this helps.
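
The exposure described in the reply above can be laid out as a small decision model that compares the asker's current settings with the hardened ones. This is an added example, not part of the original thread and not Microsoft code. The account names (`DC$`, `svc-dhcp-dns`, `SQL01$`), host names and client identifiers are constructed, the rules are a simplification of the behaviour the reply describes, and the name-protection rule assumes the DHCID comparison of RFC 4703.

```python
"""Simplified model: can an update overwrite an existing AD-integrated DNS record?"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class ZonePolicy(Enum):
    NONSECURE_AND_SECURE = 1
    SECURE_ONLY = 2


@dataclass
class Record:
    name: str
    owner: str                    # principal with write access to the record object
    open_acl: bool = False        # registered by a DnsUpdateProxy member: no security
    dhcid: Optional[str] = None   # client identity stored by name protection


@dataclass
class Update:
    name: str
    principal: Optional[str] = None   # None = unauthenticated (non-secure) update
    via_dhcp: bool = False            # DHCP server registers on the client's behalf
    client_id: Optional[str] = None   # DHCP client identifier of the requester


@dataclass
class Environment:
    policy: ZonePolicy
    dhcp_identity: str = "DC$"        # DHCP on a DC with no dedicated credentials
    name_protection: bool = False
    dc_account: str = "DC$"           # constructed name for the DC computer account


def evaluate(env: Environment, rec: Record, upd: Update) -> Tuple[bool, str]:
    """Return (record_overwritten, reason) for an update aimed at an existing name."""
    if upd.via_dhcp:
        # Name protection: the DHCP server only updates a name whose stored
        # DHCID matches the requesting client (assumption: RFC 4703 rule).
        if env.name_protection and rec.dhcid != upd.client_id:
            return False, "name protection: name belongs to another client"
        principal = env.dhcp_identity   # the update is sent as the DHCP service
    else:
        principal = upd.principal

    if env.policy is ZonePolicy.NONSECURE_AND_SECURE:
        return True, "zone accepts updates without authentication"
    if principal is None:
        return False, "secure-only zone refuses unauthenticated updates"
    if principal == env.dc_account:
        return True, "DC computer account has full control of DNS objects in AD"
    if rec.open_acl:
        return True, "record carries no security (DnsUpdateProxy)"
    if principal == rec.owner:
        return True, "requester owns the record"
    return False, "record ACL denies the requester"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    # Constructed records: a static server, a DC record, a DHCP-registered iLO.
    server = Record("sql01", owner="SQL01$")
    dc_open = Record("dc01", owner="DC$", open_acl=True)
    dc_secured = Record("dc01", owner="DC$")
    ilo = Record("ilo-rack1", owner="svc-dhcp-dns", dhcid="ilo-client-id")

    # Constructed requesters.
    direct = Update("sql01")                      # off-domain host, same name
    leased = Update("sql01", via_dhcp=True, client_id="rogue-client-id")
    user = Update("dc01", principal="CORP\\user")
    renew = Update("ilo-rack1", via_dhcp=True, client_id="ilo-client-id")

    current = Environment(ZonePolicy.NONSECURE_AND_SECURE)
    secure_only = Environment(ZonePolicy.SECURE_ONLY)   # DHCP still runs as DC$
    hardened = Environment(ZonePolicy.SECURE_ONLY,
                           dhcp_identity="svc-dhcp-dns", name_protection=True)

    cases = {
        "current: direct update of server name": (current, server, direct),
        "secure-only: direct update of server name": (secure_only, server, direct),
        "secure-only: same name through DHCP on the DC": (secure_only, server, leased),
        "secure-only: DC record left open, domain user": (secure_only, dc_open, user),
        "hardened: same name through DHCP": (hardened, server, leased),
        "hardened: DC record secured, domain user": (hardened, dc_secured, user),
        "hardened: legitimate iLO lease renewal": (hardened, ilo, renew),
    }
    return {label: evaluate(*args) for label, args in cases.items()}


if __name__ == "__main__":
    for label, (hit, why) in run_scenarios().items():
        print(f"{'UPDATED  ' if hit else 'protected'}  {label}: {why}")
```

The last case shows that non-domain devices such as the iLOs keep registering under secure-only updates once the DHCP service uses a dedicated account for its DNS updates.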

Similar Messages

  • Phone number held hostage?  Security and Privacy Risk

    Let me preface this by saying I do not own an iPhone.
    The previous owner of my phone number, however, was an iPhone user.  Apparently there is a way he could link the number to his Apple ID.   After getting rid of his phone, he never disassociated the number from his Apple ID. 
    The problem this creates is that now anyone who wants to text me from an iOS device is unable to do so without turning off the iMessage service.  Since my (his) number is registered to an Apple ID, my HTC appears to iMessage as another iOS device and thus texting never goes out to the cellular network... the previous owner is getting any text sent from an iMessage-enabled iPhone meant for me.
    Effectively, Apple has created a situation where this person, or any person with an iOS device for that matter, can knowingly or unknowingly manage to hold a cellular number hostage from a texting perspective, creating a security and privacy risk.
    Has anyone run into this before and if so what is the recourse?  There has to be some way for Apple to dissociate a number no longer used by a previous user.

    Unfortunately, I don't have an iPhone or a support contract so Applecare won't even talk to me without me ponying up $19.  I see no sense in having to pay for a problem I didn't create. 

  • Sharing calendar appears on another persons device - security and privacy risk

    I really wanted to raise this as a bug, but couldn't find anywhere to do that.
    On my wife's iPhone which is running iOS 7, I wanted to share her iCloud calendar to my Apple ID so that I could see her calendar from my iPhone (also iOS 7).  Although I received the email telling me to accept the shared calendar, when I clicked the link it told me I was not authorized.  I then discovered that my parents had received the sharing invite on their phone (iOS 4.2.1) which they accepted and could see her calendar.
    This is a security and privacy risk because they are not connected to my iCloud account and it is not the account we specified to share with.  Also we did not specify their account to share with.  How can this happen?  Their iPhone was never registered to my Apple ID.  The only connection I can think of is that I believe my email address (which is also my Apple ID) is listed as their secondary email address or something.

    Sorry just realised it was their iPad 3 that received the invite not their iPhone, and it would have been running iOS 6

  • The installer has encountered an unexpected error installing this package F-Secure Client Security

    Hello there: we just bought a T61. After Windows XP finished installing, I tried to install F-Secure Client Security and the install fails. I logged the following. I tried almost everything; can someone help?

    Hi nikki7,
    Are you using a non-english operating system? If you are, then the KnowledgeBase article I included below should be helpful. I hope this helps!
    Error -2705 from the MSI Installer Built with the Visual Studio .NET Installation Builder: http://digital.ni.com/public.nsf/allkb/19CA3B8F15B4FB9386256DDA006DFED8?OpenDocument
    Regards,
    Jason D
    Applications Engineer
    National Instruments

  • Security realm - Security:097533 - Developing own authentication provider

    Hi everyone,
    I am developing my own authentication provider and I installed a security patch, so while restarting the WebLogic server I encountered the below exception:
    <10/05/2013 05:54:33 PM COT> <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1789)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:443)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:841)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
    Truncated. see log file for complete stacktrace
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for AS400Realm is not specified.
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:42)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    Truncated. see log file for complete stacktrace
    this is the config.xml :
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd http://xmlns.oracle.com/weblogic/security/extension http://xmlns.oracle.com/weblogic/1.0/security.xsd">
    <name>base_domain</name>
    <domain-version>12.1.1.0</domain-version>
    <security-configuration>
    <name>base_domain</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:as400-realmType">
    <sec:name>AS400Realm</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:user-lockout-manager>
    <sec:lockout-enabled>false</sec:lockout-enabled>
    </sec:user-lockout-manager>
    <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
    <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
    <sec:security-dd-model>DDOnly</sec:security-dd-model>
    <sec:name>myrealm</sec:name>
    <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
    <sec:name>SystemPasswordValidator</sec:name>
    <pas:min-password-length>8</pas:min-password-length>
    <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
    </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}kyVB/9J9Fbvp11tAnYgn6grV6wQwNZZGHSh2JLQtesxS46Re+QCfIAttNE5JugllQvUHOhE+pz0AnEfYL2p5q2oeRsjqoQz2/1Lg8x+3WMoKic0xnRzw2RWoFjQo3F9x</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}4jkSbv5dMOl6cRpRa4QwB83XVavtq168cV4L+NSFDcI=</node-manager-password-encrypted>
    <cross-domain-security-enabled>true</cross-domain-security-enabled>
    </security-configuration>
    <server>
    <name>AdminServer</name>
    <listen-address>localhost</listen-address>
    <staging-mode>nostage</staging-mode>
    </server>
    <embedded-ldap>
    <name>base_domain</name>
    <credential-encrypted>{AES}9YeG1UFRNQzM0v6/j8cFvT9x9fkJUl1FJOWGInl5dax26FgMNEVwKNxOBHvW2opm</credential-encrypted>
    </embedded-ldap>
    <configuration-version>12.1.1.0</configuration-version>
    this is the mbean xml (A400Realmmbean.xml):
    <?xml version="1.0" ?>
    <!DOCTYPE MBeanType SYSTEM "commo.dtd">
    <MBeanType Name = "AS400Realm" DisplayName = "AS400Realm"
    Package = "co.com.claro.security"
    Extends = "weblogic.management.security.authentication.Authenticator"
    PersistPolicy = "OnUpdate"
    >
    <MbeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
    Writeable = "false"
    Default =
    "&quot;co.com.claro.AS400Realm&quot;"
    />
    <MBeanAttribute Name = "Description" Type = "java.lang.String"
    Writeable = "false" Default = "&quot;My Identity Assertion Provider&quot;"
    />
    <MBeanAttribute Name = "Version" Type = "java.lang.String"
    Writeable = "false" Default = "&quot;1.0&quot;"
    />
    </MBeanType>
    and the runtime class:
    AS400Realm.java:
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;

    import java.util.HashMap;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import weblogic.management.security.ProviderMBean;
    import weblogic.security.provider.PrincipalValidatorImpl;
    import weblogic.security.spi.AuthenticationProviderV2;
    import weblogic.security.spi.IdentityAsserterV2;
    import weblogic.security.spi.PrincipalValidator;
    import weblogic.security.spi.SecurityServices;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;

    public final class AS400Realm implements AuthenticationProviderV2
    {
        private String description;
        // private SimpleSampleAuthenticatorDatabase database;
        private LoginModuleControlFlag controlFlag;
        // public String PARAM_JAAS_CONTEXT = "jaas-context";
        // public String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
        // public String DEFAULT_GROUP_NAME = "default";

        public void initialize(ProviderMBean mbean, SecurityServices services)
        {
            System.out.println("AS400Realm.initialize");
            AS400RealmMBean myMBean = (AS400RealmMBean)mbean;
            description = myMBean.getDescription() + "\n" + myMBean.getVersion();
            // database = new SimpleSampleAuthenticatorDatabase(myMBean);
            String flag = myMBean.getControlFlag();
            if (flag.equalsIgnoreCase("REQUIRED")) {
                controlFlag = LoginModuleControlFlag.REQUIRED;
            } else if (flag.equalsIgnoreCase("OPTIONAL")) {
                controlFlag = LoginModuleControlFlag.OPTIONAL;
            } else if (flag.equalsIgnoreCase("REQUISITE")) {
                controlFlag = LoginModuleControlFlag.REQUISITE;
            } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
                controlFlag = LoginModuleControlFlag.SUFFICIENT;
            } else {
                throw new IllegalArgumentException("invalid flag value" + flag);
            }
        }

        public String getDescription()
        {
            return description;
        }

        public void shutdown()
        {
            System.out.println("AS400Realm.shutdown");
        }

        private AppConfigurationEntry getConfiguration(HashMap options)
        {
            options.put("PARAM_DATASOURCE_NAME", "jdbc/Oracle");
            return new
                AppConfigurationEntry(
                    "co.com.claro.security.AS400LoginModule",
                    controlFlag,
                    options
                );
        }

        public AppConfigurationEntry getLoginModuleConfiguration()
        {
            HashMap options = new HashMap();
            return getConfiguration(options);
        }

        public AppConfigurationEntry getAssertionModuleConfiguration()
        {
            HashMap options = new HashMap();
            options.put("IdentityAssertion","true");
            return getConfiguration(options);
        }

        public PrincipalValidator getPrincipalValidator()
        {
            return new PrincipalValidatorImpl();
        }

        public IdentityAsserterV2 getIdentityAsserter()
        {
            return null;
        }
    }
    AS400LoginModule.java :
    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package co.com.claro.security;
    import com.ibm.as400.access.AS400;
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.util.Enumeration;
    import java.util.Map;
    import java.util.Vector;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.spi.LoginModule;
    import javax.sql.DataSource;
    import weblogic.security.spi.WLSGroup;
    import weblogic.security.spi.WLSUser;
    import weblogic.security.principal.WLSGroupImpl;
    import weblogic.security.principal.WLSUserImpl;
    * @author dmunoz
    final public class AS400LoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private String PARAM_DATASOURCE_NAME = "jdbc/Oracle";
    private String DEFAULT_GROUP_NAME = "default";
    // Determine whether this is a login or assert identity
    private boolean isIdentityAssertion;
    // Authentication status
    private boolean loginSucceeded;
    private boolean principalsInSubject;
    private Vector principalsForSubject = new Vector();
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
    // only called (once!) after the constructor and before login
    System.out.println("SimpleSampleLoginModuleImpl.initialize");
    this.subject = subject;
    this.callbackHandler = callbackHandler;
    // Check for Identity Assertion option
    isIdentityAssertion =
    "true".equalsIgnoreCase((String) options.get("IdentityAssertion"));
    private boolean authenticateAS400(String user, String passwd) throws Exception {
    String host ="172.31.2.80";//Config.getProperty(Config.AS400_AUTHENTICATION_HOST);
    AS400 as400System;
    as400System = new AS400(host, user, passwd);
    return as400System.validateSignon();
    public boolean login() throws LoginException {
    // only called (once!) after initialize
    System.out.println("SimpleSampleLoginModuleImpl.login");
    // loginSucceeded should be false
    // principalsInSubject should be false
    Callback[] callbacks = getCallbacks();
    String userName = getUserName(callbacks);
    if (userName.length() > 0) {       
    if (!isIdentityAssertion) {               
    String passwordHave = getPasswordHave(userName, callbacks);
    try{
    loginSucceeded = authenticateAS400(userName, passwordHave);
    }catch(Exception e){
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.WARNING, null, e);
    throw new LoginException(e.getMessage());
    } else {
    // anonymous login - let it through?
    System.out.println("\tempty userName");
    if (loginSucceeded) {
    principalsForSubject.add(new WLSUserImpl(userName));
    addGroupsForSubject(userName);
    return loginSucceeded;
    public boolean commit() throws LoginException {
    // only called (once!) after login
    // loginSucceeded should be true or false
    // principalsInSubject should be false
    // user should be null if !loginSucceeded, null or not-null otherwise
    // group should be null if user == null, null or not-null otherwise
    System.out.println("SimpleSampleLoginModule.commit");
    if (loginSucceeded) {
    subject.getPrincipals().addAll(principalsForSubject);
    principalsInSubject = true;
    return true;
    } else {
    return false;
    public boolean abort() throws LoginException {
    // The abort method is called to abort the authentication process. This is
    // phase 2 of authentication when phase 1 fails. It is called if the
    // LoginContext's overall authentication failed.
    // loginSucceeded should be true or false
    // user should be null if !loginSucceeded, otherwise null or not-null
    // group should be null if user == null, otherwise null or not-null
    // principalsInSubject should be false if user is null, otherwise true
    // or false
    System.out.println("SimpleSampleLoginModule.abort");
    if (principalsInSubject) {
    subject.getPrincipals().removeAll(principalsForSubject);
    principalsInSubject = false;
    return true;
    public boolean logout() throws LoginException {
    // should never be called
    System.out.println("SimpleSampleLoginModule.logout");
    return true;
    private void throwLoginException(String msg) throws LoginException {
    System.out.println("Throwing LoginException(" + msg + ")");
    throw new LoginException(msg);
    private void throwFailedLoginException(String msg) throws FailedLoginException {
    System.out.println("Throwing FailedLoginException(" + msg + ")");
    throw new FailedLoginException(msg);
    private Callback[] getCallbacks() throws LoginException {
    if (callbackHandler == null) {
    throwLoginException("No CallbackHandler Specified");
    Callback[] callbacks;
    if (isIdentityAssertion) {
    callbacks = new Callback[1];
    } else {
    callbacks = new Callback[2];
    callbacks[1] = new PasswordCallback("password: ", false);
    callbacks[0] = new NameCallback("username: ");
    try {
    callbackHandler.handle(callbacks);
    } catch (IOException e) {
    throw new LoginException(e.toString());
    } catch (UnsupportedCallbackException e) {
    throwLoginException(e.toString() + " " + e.getCallback().toString());
    return callbacks;
    private String getUserName(Callback[] callbacks) throws LoginException {
    String userName = ((NameCallback) callbacks[0]).getName();
    if (userName == null) {
    throwLoginException("Username not supplied.");
    System.out.println("\tuserName\t= " + userName);
    return userName;
    private void addGroupsForSubject(String userName) {
    try {
    for (Enumeration e = getGroupNamesAS400(userName);
    e.hasMoreElements();) {
    String groupName = (String) e.nextElement();
    System.out.println("\tgroupName\t= " + groupName);
    principalsForSubject.add(new WLSGroupImpl(groupName));
    } catch (Exception ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    public Enumeration getGroupNamesAS400(String usuario)
    throws Exception {
    if(usuario == null) {
    throw new Exception("Usuario no puede ser vacio");
    Vector<String> grupos = new Vector<String>();
    grupos.add(DEFAULT_GROUP_NAME);
    Connection conn = null;
    ResultSet rs = null;
    PreparedStatement statement = null;
    try {
    Context c = new InitialContext();
    DataSource dst = (DataSource) c.lookup(PARAM_DATASOURCE_NAME);
    conn = dst.getConnection();
    String query = "SELECT COD_ROL AS ROL " +
    "FROM gestionnew.us_rol_perfil " +
    "JOIN gestionnew.usuarios " +
    "ON us_rol_perfil.id_perfil = usuarios.id_perfil " +
    "WHERE upper(usuarios.usuariorr) = ?";
    statement = conn.prepareStatement(query);
    statement.setString(1, usuario.toUpperCase());
    rs = statement.executeQuery();
    while (rs.next()) {
    grupos.add(rs.getString("ROL"));
    } catch (SQLException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    } catch (NamingException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    } finally {
    if (conn != null) {
    try {
    conn.close();
    } catch (SQLException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    if (rs != null) {
    try {
    rs.close();
    } catch (SQLException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    if (statement != null) {
    try {
    statement.close();
    } catch (SQLException ex) {
    Logger.getLogger(AS400LoginModule.class.getName()).log(Level.SEVERE, null, ex);
    return grupos.elements();
    private String getPasswordHave(String userName, Callback[] callbacks) throws
    LoginException {
    PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
    char[] password = passwordCallback.getPassword();
    passwordCallback.clearPassword();
    if (password == null || password.length < 1) {
    throwLoginException("Authentication Failed: User " + userName +
    ". Password not supplied");
    String passwd = new String(password);
    System.out.println("\tpasswordHave\t= " + passwd);
    return passwd;
    thanks


  • Uploading Security profiles & Security rights using sourcing Workbook

    I am trying to use the workbook to upload Security profiles & Security rights, and I am finding it difficult to get the "Resource" field mapping attributes in the "eso_security_profiles" tab of the workbook. Is there a reference sheet for this, or a place from where I can map the display names to the resource?
    Example: If I want to update the security rights for the Currency attribute within Master Data under the Security Rights tab, we need to use "masterdata.Currency" in the "Resource" field of the "eso_security_profiles" tab in the workbook. Similarly, from where can we get the entire list of attributes and their Resource?

    Hi,
    When I take the download from localized resources (*.class_name) in order to map the display security attributes to "Resource" in the workbook, I am still unable to find the Resource for a few attributes, like the ones below:
    Queued Messages
    User Impersonation For Buyer
    User Impersonation For Seller
    Cache Configuration
    Cluster Configuration
    Daemon Alerts.....
    and there are many more for which I don't have a match. Please suggest any tips or considerations that can help while trying to achieve this.
    Thanks in advance.
    Vinod.

  • Netscape.security.AppletSecurityException: security.member access

    Hi,
    I have a jarred applet. Netscape 4.7 reads it fine.
    There is a class in the jarred file, that reads in a property file
    from the server and populates some public fields in that same class.
    And to do this, I have tried using reflection - the getFields/getDeclaredFields methods
    of the 'Class' class. I get the following:
    netscape.security.AppletSecurityException: security.member access
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled Code)
    at java.lang.RuntimeException.<init>(Compiled Code)
    at java.lang.SecurityException.<init>(Compiled Code)
    at netscape.security.AppletSecurityException.<init>(Compiled Code)
    at netscape.security.AppletSecurityException.<init>(Compiled Code)
    at netscape.security.AppletSecurity.checkMemberAccess(Compiled Code)
    at netscape.security.AppletSecurity.checkMemberAccess(Compiled Code)
    at java.lang.Class.checkMemberAccess(Compiled Code)
    * at java.lang.Class.getDeclaredFields(Compiled Code)
    I have used reflection in the main applet class of the jarred file,
    (getDeclaredMethods/getMethods) and it works fine.
    I was thinking that if the browser loads a class from over the
    network, then it would at least allow that class to perform reflection
    on itself, if not on other classes.
    Can anyone please enlighten me?
    Thanks,
    -r:)

    I got the solution. I thought I tried it with getFields,
    but it seems like I did not. The applet works with
    getFields, and hence solves my problem.
    Thanks all.
    -r:)

  • IPhone iPhone SDK (build 9M2199a, beta 8) Security.h Security-Framework

    Hi!
    I've downloaded and installed the iPhone SDK (build 9M2199a, beta 8).
    Now, I'm trying to write code to use the Keychain on the iPhone, but "SecItem.h" in "Security.h" (Security-Framework) is missing, so the attributes (kSecClass, ...) can't be found and the code doesn't compile.
    Where can I get it?
    Thanks for help.

    I had the same issue. The security code seems to only work if you build for Device|Debug. You can't run the code in the simulator.

  • My friend has found he has, since 2006, accumulated multiple Apple IDs. He's very concerned about iCloud security and security in general, having had his PC hacked repeatedly. How can he permanently delete the extra Apple IDs, please?

    My friend has found he has, since 2006, accumulated multiple Apple IDs. He's very concerned about iCloud security – and security in general, having had his PC hacked repeatedly. How can he permanently delete the extra Apple IDs, please? Thanks.

    Hello, windypinesands.  
    Thank you for visiting Apple Support Communities.  
    If your friend is concerned with the security of his Apple ID or iCloud account, I would recommend reaching out to our Apple ID Account Security team to assist him with this issue. 
    Apple ID: Contacting Apple for help with Apple ID account security
    http://support.apple.com/kb/HT5699
    Cheers,
    Jason H.

  • HT201263 just updated to IOS7 now Ipad is stuck at Apple ID security, add security questions, what now??

    just updated to IOS7 now Ipad is stuck at Apple ID security, add security questions, what now??

    Add your security questions. If it's asking you for them, rather than to set them up, then reset them using appleid.apple.com

  • Deployment of F-Secure Client Security 11.06

    Good morning. When installing F-Secure Client Security 11.06 build 284, the installer tries to reach the Cloudflare network; I assume this is for a hash check to make sure the installation is not corrupt. In principle there is nothing wrong with that, but unfortunately the program does not go through the proxy. It tries to go out directly and so gets stuck at the firewall. The installation therefore takes about 30 minutes, because a timeout only occurs after 20-25 minutes, and the program then installs without reaching the Cloudflare network. Has anyone had similar experiences? Am I doing something wrong? Is there anything to watch out for when creating the installation .exe? Locally, the proxy is set in Internet Explorer. Thanks in advance! If I am in the wrong subforum, please move this.

    Hello David715, do you have an HTTP proxy in use? If so, have you configured it in Policy Manager? Unfortunately we have not had similar experiences. Unfortunately we cannot say whether you are doing something wrong. In this case, I would ask you to contact our customer support by phone or via our form so that we can solve the problem. Ciao rioda

  • F-Secure Client Security missing

    Hello all
    F-Secure Client Security ver. 9.0 is missing from the Discovered Product list. The product appeared on the list up to ver. 7.9, after that no sign of it. Has anyone else experienced the same?
    Is F-Secure definition missing in the PRU, or is there anything else that causes this ?
    Thank you in advance for all answers.
    KjellSiv

    Originally Posted by KjellSiv
    I forgot to tell what version we have:
    ZCM: 10.3.0.0
    ZAM: 10.3.0.53910
    ZPM: 10.3.0.31
    Jan 2010 PRU
    KjellSiv
    These F-secure products are available in the newest PRU:
    F-Secure F-Secure Anti-Virus 2003 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus 2004 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus 2005 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus 2006 [+Definition Files, +Virus Engine, +Spy Defs]
    F-Secure F-Secure Anti-Virus 2008 [+Definition Files, +Virus Engine, +Spy Defs]
    F-Secure F-Secure Anti-Virus 2009 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus 5.xx [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus 7.x [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus Client Security 5.5 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus Client Security 6.0 [+Definition Files, +Virus Engine, +Spy Defs]
    F-Secure F-Secure Anti-Virus for Citrix Servers 5.5 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus for MIMEsweeper 5.5 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus for Win. Srvrs 5.41 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus for Windows Servers 5.5 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus for Windows Servers 7.0 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus for Wkstns 5.41 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Anti-Virus for Workstations 5.43 [+Definition Files, +Virus Engine]
    F-Secure F-Secure AV for Internet Gateways 6.x
    F-Secure F-Secure AV for Internet Mail 6.x
    F-Secure F-Secure BackWeb 6.x
    F-Secure F-Secure Certificate Wizard 5.x
    F-Secure F-Secure Client Security 7.x [+Definition Files, +Virus Engine, +Spy Defs]
    F-Secure F-Secure Content Scanner Server 6.x [+Definition Files, +Virus Engine]
    F-Secure F-Secure Distributed Firewall 5.x
    F-Secure F-Secure FileCrypto 5.xx
    F-Secure F-Secure FileCrypto Master Key Wiz. 5.x
    F-Secure F-Secure Internet Gatekeeper 6.3 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Internet Gatekeeper 6.42 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Internet Gatekeeper 6.5 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Internet Security 2003 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Internet Security 2004 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Internet Security 2005 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Internet Security 2006 [+Definition Files, +Virus Engine, +Spy Defs]
    F-Secure F-Secure Internet Security 2008 [+Definition Files, +Virus Engine, +Spy Defs]
    F-Secure F-Secure Internet Security 2009 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Management Agent 4.5
    F-Secure F-Secure Management Agent 5.x
    F-Secure F-Secure Management Agent 7.x
    F-Secure F-Secure Personal Express 6.0 [+Definition Files, +Virus Engine]
    F-Secure F-Secure Policy Manager Console 5.xx
    F-Secure F-Secure Policy Manager Console 6.x
    F-Secure F-Secure Policy Manager Console 7
    F-Secure F-Secure Policy Manager Server 5.xx
    F-Secure F-Secure Policy Manager Server 6.x
    F-Secure F-Secure Policy Manager Server 7
    F-Secure F-Secure SSH Client 4.3
    F-Secure F-Secure SSH Client 5.x
    F-Secure F-Secure SSH Server 5.x
    Maybe apply the latest PRU and see if it solves the problem?
    Thomas

  • F-Secure Linux Security

    Is there a version of F-Secure Linux Security for home users?

    Will there be a Linux service anytime soon ?

  • Dynamic security using Security table in SSAS Tabular model

    Hi, 
    Platform : SSAS Tabular model (VS 2010)
    I need to apply dynamic security using a (manually created) Security table in a Tabular model, and need to apply filters for 2 tables. I am able to
    create roles in the Tabular model using the USERNAME() and LOOKUP() functions, and that worked fine. But the problem is that when I am trying to give full access for a particular column and limit the access in another column, it is not working properly.
    Please find the table below and guide me where I am falling short. In the Security table, wherever you find ALL it means full access.
    Security table

    | Login Name   | Dim_Country | Dim_Customer | Comment                                              |
    |--------------|-------------|--------------|------------------------------------------------------|
    | DOMAIN\User1 | ALL         | 2            | User1 should see all countries but Only 2,4 Customers |
    | DOMAIN\User1 | ALL         | 4            |                                                      |
    | DOMAIN\User2 | 2           | ALL          | User2 should see all customers but Only 2,3 countries |
    | DOMAIN\User2 | 3           | ALL          |                                                      |
    | DOMAIN\User3 | ALL         | ALL          | User3 should see all Customers and Countries         |
    | DOMAIN\User4 | 1           | 3            | User4 should see 1 Country and 3 Customer            |

    ALL - means NO restriction
    Numeric values indicate the Dimension IDs
    Do let me know if further explanations are required.
    Thanks,
    Sundar

    Hi Sundar,
    According to your description, you want to implement dynamic security using Security table in SQL Server Analysis Services Tabular model, right?
    It is very common to have data security implementation in BI projects either at databases or Cubes and sometimes this security implementation and maintenance goes out of control due to the dynamic flow of business information. Here are some links which describe
    dynamic security implementation at SSAS tabular model using an external security table, please see:
    http://bipassion.wordpress.com/2012/10/01/ssas-tabular-dynamic-security/
    http://www.bidn.com/blogs/ChrisSchmidt/ssas/4332/dynamic-security-in-tabular
    Regards,
    Charlie Liao
    TechNet Community Support

  • Accessing Active Risk Manager (ARM) folder security markings through Risk Performance Manager

    Hello folks,
    I am building custom reports in RPM to display ARM data but am struggling to get a security label assigned to the reports.
    In the standard reports the security label changes according to the risks inputted but I can't see the wood for the trees in the expression used!
    Any hints or tips?
    Many thanks,
    Christian

    Hi sea_lene,
    In Reporting Services, each subreport instance is a separate query execution and a separate report processing task. So the performance should be an issue. To improve the performance, we can consider changing the dataset query in the main report by using
    one of the following mitigation strategies:
    Collect data in a data warehouse and use the data warehouse as a data source for a single dataset.
    Use SQL Server linked servers and write a query that retrieves data from multiple databases.
    Use the OPEN ROWSET capability to specify different databases.
    References:
    Troubleshooting Reports: Report Performance
    More tips to improve performance of SSRS reports
    Hope this helps.
    Thanks,
    Katherine Xiong
    TechNet Community Support
