Non-software based security to prevent theft?

I recently purchased a Macbook, and I've already been looking at software based security tracking. I've discovered Lojack, Orbicule's Undercover, and U Washington's Adeona (which is free), and I've written my own perl script too. I don't have valuable data on my laptop, but because I'm a poor student I'd like to keep the laptop itself.
However, it seems that almost any software based security can be overcome, so I'm wondering what about a hardware based security device? Something that doesn't matter if the hard drive is removed? It's the lojack for cars idea -- install a transmitting device somewhere inside the car.
I think a simple solution would be to attach a tiny processor to the wireless router which can run a simple emailing script sending encrypted messages to my email account. Or a "fake ram card" which is actually a wireless transmitter or something else that can not be easily noticed or removed?
Does anybody have a recommendation?

I am on a campus... And my computer and ipod are registered with Apple, so I assume those actions help.
Look, seriously, there have got to be some simple solutions for tracking down a stolen laptop. Here's some ideas:
1) A processor (or something?) lock to the harddrive. That is, you can't simply swap out the hard drive to disable the security software. The bootstrap OS will refuse to load an OS that's not on the harddrive it was keyed to. This way, they have to put the harddrive back in, and my software can resume emailing location markers.
2) A modified battery (or ram card), by appearances identical to the normal battery. Nobody suspects the battery... but take out 25% of the battery, and replace it with a wireless router (they fit on a usb stick these days) that can reactivate the security software or to send the regular (encrypted) location updates to my personal email account whenever it finds an open network. So I can notify the police or campus security etc.
3) blah blah blah
In this day of advanced technology... it should be impossible to steal a laptop and get away with it. Somebody (or company) just needs to sit down and work out the details. I suspect some people already have, I just don't know where.

Similar Messages

  • IP based security with JSP?

    Hi,
    How easy/hard would it be to implement IP based security in a JSP application? I.e. we want to restrict the IP addresses that can access our application.
    Is this something that can be done in the web.xml using the security constraints?
    Or is it much more complex than this?
    (We want to prevent our customer from sharing the application with third-parties, so we can not rely on a firewall based approach)
    Thanks

    Well, for Apache, it's easier. I think for Location to work, you need virtual directories set up. I could be wrong... Or try using Directory instead of Location. I recall Location was for something special... but I forget the details. For Apache/Tomcat, I've usually used aliases to handle directories...
    Alias /ITMS "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS"
    <Directory "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS">
    AllowOverride None
    Options Indexes
    Order allow,deny
    Allow from all
    ExpiresActive On
    ExpiresByType application/octet-stream "access plus 7 days"
    ExpiresByType image/gif "access plus 7 days"
    ExpiresByType image/jpeg "access plus 7 days"
    ExpiresByType text/x-javascript "access plus 0 seconds"
    ExpiresByType text/css "modification plus 7 days"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType text/vnd.wap.wml "access plus 0 seconds"
    ExpiresDefault "now plus 1 month"
    </Directory>
    You can set up deny's from IP or IP range or domain.
    Deny from .domain.com
    Deny from 123.232.123.33
    Deny from 123.232.124.

  • Difference b/w Hardware & Software based firewall

    How can I differentiate the Hardware & Software based firewall?
    What are the key advantages of Hardware based firewall?
    What are the limitations of software based firewall?
    Regards,

    Hi Syed
    Software based firewalls are firewalls that are provided by software, e.g. you install an antivirus program such as McAfee; the firewall provided by McAfee is a software based firewall. The Windows built-in firewall is another example of a software based firewall.
    Hardware based firewalls are those where we require separate hardware to perform the packet check, e.g. Cisco FWSM, PIX and Fortigate are all examples of hardware based firewalls.
    Limitation of Software based firewall:
    Software-based firewalls aren't the ultimate security tool, however. A personal firewall can't prevent viruses from entering your system through legitimate sources such as a web browser or through email. An anti-virus program with constantly updated virus signatures must always be included in an overall security strategy.
    Personal firewalls also can't protect an entire network unless the software-based firewall is installed on every computer. In medium and large-scale environments, software-based firewalls must be managed properly to ensure optimal security coverage.
    Regards,
    Anim Saxena
    Technical Community Manager - Network Security
    *Kindly rate helpful Posts*

  • Using container managed form-based security in JSF

    h1. Using container managed, form-based security in a JSF web app.
    A Practical Solution
    h2. {color:#993300}*But first, some background on the problem*{color}
    The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
    In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
    h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
    What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principals*" that are defined to interact with your application. A security principal is basically just a user of the system that is defined by three fields:
    - Username
    - Group
    - Password
    The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
    1. Start up your app server and log into the admin interface (http://localhost:4848)
    2. Drill down into Configuration > Security > Realms.
    3. Here you will see the default realms defined on the server. Drill down into the file realm.
    4. There is no need to change any of the default settings. Click the Manage Users button.
    5. Create a new user by entering username/password.
    Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more useful in a real app.
    I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
    That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
    TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
    h2. {color:#993300}*Step 2: Create the project*{color}
    Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
    1. Start by creating a new Visual Web JSF project.
    2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
    h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
    In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
    1. login.jsp (A Visual Web JSF file)
    2. loginproxy.jspx (A plain JSPX file)
    3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
    Code follows for each of the files:
    h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
    <navigation-rule>
        <from-view-id>/login.jsp</from-view-id>
        <navigation-case>
            <from-outcome>loginproxy</from-outcome>
            <to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
    NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
    h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:jsp="http://java.sun.com/JSP/Page"
    xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page
    contentType="text/html;charset=UTF-8"
    pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page
    id="page1">
    <webuijsf:html id="html1">
    <webuijsf:head id="head1">
    <webuijsf:link id="link1"
    url="/resources/stylesheet.css"/>
    </webuijsf:head>
    <webuijsf:body id="body1" style="-rave-layout: grid">
    <webuijsf:form id="form1">
    <webuijsf:textField binding="#{login.username}"
    id="username" style="position: absolute; left: 216px; top:
    96px"/>
    <webuijsf:passwordField binding="#{login.password}" id="password"
    style="left: 216px; top: 144px; position: absolute"/>
    <webuijsf:button actionExpression="#{login.button1_action}"
    id="button1" style="position: absolute; left: 216px; top:
    216px" text="GO"/>
    </webuijsf:form>
    </webuijsf:body>
    </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    h3. *login.java -- implement the button1_action() method in the login.java backing bean*
        public String button1_action() {
            // Copy the submitted values into request scope so loginproxy.jspx can read them
            setValue("#{requestScope.username}", (String)username.getValue());
            setValue("#{requestScope.password}", (String)password.getValue());
            return "loginproxy";
        }
    h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns:fn="http://java.sun.com/jsp/jstl/functions"
              version="2.0">
        <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
                    doctype-system="http://www.w3.org/TR/html4/loose.dtd"
                    doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
        <jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
        <html>
            <head>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
                <title>Logging in...</title>
            </head>
            <!-- Submit the form to the container as soon as the page has loaded. -->
            <body onload="document.forms[0].submit()">
                <form action="j_security_check" method="POST">
                    <!-- Escape the user-supplied values so quotes or markup cannot break out of the attribute. -->
                    <input type="hidden" name="j_username" value="${fn:escapeXml(requestScope.username)}"/>
                    <input type="hidden" name="j_password" value="${fn:escapeXml(requestScope.password)}"/>
                </form>
            </body>
        </html>
    </jsp:root>
    {code}
    h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF target page, placed in the secure folder to test access*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
    <jsp:directive.page
    contentType="text/html;charset=UTF-8"
    pageEncoding="UTF-8"/>
    <f:view>
    <webuijsf:page
    id="page1">
    <webuijsf:html id="html1">
    <webuijsf:head id="head1">
    <webuijsf:link id="link1"
    url="/resources/stylesheet.css"/>
    </webuijsf:head>
    <webuijsf:body id="body1" style="-rave-layout: grid">
    <webuijsf:form id="form1">
    <webuijsf:staticText id="staticText1" style="position:
    absolute; left: 168px; top: 144px" text="A Secure Page"/>
    </webuijsf:form>
    </webuijsf:body>
    </webuijsf:html>
    </webuijsf:page>
    </f:view>
    </jsp:root>
    {code}
    h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
    This type of security is called +declarative+ because it is not configured programmatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already has the implementation to make everything work for you.
    *web.xml will be used to define:*
    - Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
    - Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
    - Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
    *sun-web.xml will be used to define:*
    - This is where you map a Role to the Users or Groups that are allowed to use it.
    +I know this is confusing the first time, but basically it works like this:+
    *Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
    h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
    {code}
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description/>
    <url-pattern>/faces/secure/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description/>
    <role-name>User</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name/>
    <form-login-config>
    <form-login-page>/faces/login.jsp</form-login-page>
    <form-error-page>/faces/login.jsp</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <description/>
    <role-name>User</role-name>
    </security-role>
    {code}
    h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
    {code}
    <security-role-mapping>
    <role-name>User</role-name>
    <group-name>Users</group-name>
    </security-role-mapping>
    {code}
    h3. {color:#ff6600}*Almost done!!!*{color}
    h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
    h3. {color:#ff6600}*_Gotcha #1_*{color}
    You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
    h3. {color:#ff6600}*_Gotcha #2_*{color}
    Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
    *DONE!!!*
    h2. {color:#993300}*_Here's how it works:_*{color}
    1. The user requests a page from your context (http://localhost/MyLogin/)
    2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
    3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
    4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
    5. The user enters username and password and clicks a button to submit.
    6. The button's action method stores away the username and password in the request scope.
    7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
    8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
    9. The hidden username and password fields grab the username and password variables from the request scope.
    10. The loginproxy page is automatically submitted with the magic action "j_security_check"
    11. j_security_check notifies the container that authentication needs to be intercepted and handled.
    12. The container authenticates the user credentials.
    13. If the credentials fail, the container forwards the request to the login.jsp page.
    14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
    +Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
    +The user is now at the secure welcome page.+
    If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
    Kerry Randolph

    If you want login security on your web app, this is one way to do it (the easiest way I have seen).
    This method allows you to create a custom login form and error page using JSF.
    The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
    This example uses a statically defined user/password, stored in a file, but you can also configure JDBC realm in Glassfish, so that users can register for access and your program can store the username/password in a database.
    I'm new to programming, so none of this may be a good practice, or may not be secure at all.
    I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
    Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
    So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
    --Kerry
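As an added example (not part of the original post and not the poster's code), the Python script below audits the declarative chain from Step 4: security constraint, role, then group mapping. It flags two properties of the posted web.xml: a constraint that lists `<http-method>` elements applies only to the listed methods, and without a `CONFIDENTIAL` transport guarantee the container does not require HTTPS for the `j_security_check` post. The function names, finding codes and the wrapping root elements are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors modelled on the post's web.xml and sun-web.xml
# excerpts, wrapped in root elements so they parse on their own.
TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/faces/secure/*</url-pattern>
      {methods}
    </web-resource-collection>
    <auth-constraint><role-name>User</role-name></auth-constraint>
    {transport}
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/faces/login.jsp</form-login-page>
      <form-error-page>/faces/login.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>User</role-name></security-role>
</web-app>"""

POSTED_METHODS = ("GET", "POST", "HEAD", "PUT", "OPTIONS", "TRACE", "DELETE")
AS_POSTED = TEMPLATE.format(
    methods="".join(f"<http-method>{m}</http-method>" for m in POSTED_METHODS),
    transport="")
# Corrected variant: no method list (the constraint then covers every method)
# and a transport guarantee that makes the container require TLS.
HARDENED = TEMPLATE.format(
    methods="",
    transport="<user-data-constraint><transport-guarantee>CONFIDENTIAL"
              "</transport-guarantee></user-data-constraint>")
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>User</role-name>
    <group-name>Users</group-name>
  </security-role-mapping>
</sun-web-app>"""


def _parse(text):
    """Parse a descriptor and drop XML namespaces so plain tag names match.

    Descriptors are the operator's own files; this is not a parser for
    untrusted XML.
    """
    root = ET.fromstring(text)
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _texts(parent, path):
    """Return the stripped text of every element matching path."""
    return [(e.text or "").strip() for e in parent.findall(path)]


def audit(web_xml, sun_web_xml):
    """Return (constraint name, code, detail) findings for a descriptor pair."""
    web, sun = _parse(web_xml), _parse(sun_web_xml)
    declared = set(_texts(web, "security-role/role-name"))
    mapped = set(_texts(sun, "security-role-mapping/role-name"))
    findings = []
    for sc in web.findall("security-constraint"):
        name = (_texts(sc, "web-resource-collection/web-resource-name") or ["?"])[0]
        methods = _texts(sc, "web-resource-collection/http-method")
        if methods:
            findings.append((name, "METHOD_LIST",
                             "applies only to " + ", ".join(methods)
                             + "; any other method is not covered"))
        if "CONFIDENTIAL" not in _texts(sc, "user-data-constraint/transport-guarantee"):
            findings.append((name, "NO_TLS",
                             "credentials and session cookie may travel over plain HTTP"))
        for role in _texts(sc, "auth-constraint/role-name"):
            if role == "*":
                continue
            if role not in declared:
                findings.append((name, "UNDECLARED_ROLE", role))
            if role not in mapped:
                findings.append((name, "UNMAPPED_ROLE", role))
    return findings


def codes(findings):
    """Reduce findings to their codes, in the order they were raised."""
    return [code for _, code, _ in findings]


if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, audit(doc, SUN_WEB_XML) or "no findings")
```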
                                                                                                                                                                                                                                                                                                                                                                                                                              

  • Log file non-mac-based version of client? And CGBitmapContextGetData:invali

    I'm not sure if this is a security problem. I had to completely reset my airport yesterday and today reinstalled my remote back-up. My keychain is messing up. I don't know if these logs are normal or if something is amiss. My IP address before resetting it yesterday started with a 169 which means something ... please if someone can let me know if there is something I should do or if there are any questions I can answer. Thank you.
    Jul 24 17:12:20 Macintosh com.apple.coreservicesd[47]: NOTE: Using non-mach-based version of client -> server communication, via direct function calls.
    Jul 24 17:12:20 Macintosh com.apple.coreservicesd[47]: NOTE: Using non-mach-based version of client -> server communication, via direct function calls.
    Jul 24 17:17:12 Macintosh com.apple.launchd[110] ([0x0-0x68068].com.apple.systempreferences[538]): Exited: Terminated
    Jul 24 17:17:12 Macintosh com.apple.coreservicesd[47]: NOTE: Using non-mach-based version of client -> server communication, via direct function calls.
    Jul 24 17:25:45: --- last message repeated 1 time ---
    Jul 24 17:25:45 Macintosh com.apple.coreservicesd[47]: NOTE: Using non-mach-based version of client -> server communication, via direct function calls.
    Jul 24 17:28:45: --- last message repeated 1 time ---
    Jul 24 17:28:45 Macintosh /usr/sbin/ocspd[676]: starting
    Jul 24 17:29:33 Macintosh com.apple.coreservicesd[47]: NOTE: Using non-mach-based version of client -> server communication, via direct function calls.
    Jul 24 17:29:37: --- last message repeated 1 time ---
    Jul 24 17:29:37 Macintosh Microsoft Word[679]: CGBitmapContextGetData: invalid context
    Jul 24 17:29:59: --- last message repeated 189 times ---
    Jul 24 17:29:59 Macintosh com.apple.coreservicesd[47]: NOTE: Using non-mach-based version of client -> server communication, via direct function calls.
    Jul 24 17:29:59: --- last message repeated 1 time ---
    Jul 24 17:29:59 Macintosh Microsoft Word[679]: CGBitmapContextGetData: invalid context
    Jul 24 17:30:02: --- last message repeated 204 times ---
    Jul 24 17:30:02 Macintosh com.apple.coreservicesd[47]: NOTE: Using non-mach-based version of client -> server communication, via direct function calls.
    Jul 24 17:30:02: --- last message repeated 1 time ---
    Jul 24 17:30:02 Macintosh Microsoft Word[679]: CGBitmapContextGetData: invalid context
    Jul 24 17:30:31: --- last message repeated 2355 times ---
    Jul 24 17:30:31 Macintosh Microsoft Word[679]: doClip: empty path.
    Jul 24 17:30:31 Macintosh Microsoft Word[679]: CGBitmapContextGetData: invalid context
    Jul 24 17:30:32: --- last message repeated 70 times ---
    Jul 24 17:30:31 Macintosh [0x0-0x84084].com.microsoft.Word[679]: Thu Jul 24 17:30:31 Macintosh.local Microsoft Word[679] <Error>: doClip: empty path.
    Jul 24 17:30:32 Macintosh Microsoft Word[679]: CGBitmapContextGetData: invalid context
    Jul 24 17:30:49: --- last message repeated 1066 times ---

    BAM! I had tried to disable my scheduled task, and it didn't seem to make a difference. I saw your reply and decided to just delete the scheduled task. My "6/29/09 10:46:39 AM com.apple.coreservicesd[74] NOTE: Using non-mach-based version of client -> server communication, via direct function calls." seem to be gone now.
    2 things: 1) My scheduled task was a "When the drive is connected" type
    2) I had originally "unchecked" this task, but when I went back in at a later date, it was checked. So either my user error, or somehow CCC re-enabled it.
    I was really getting sick of my log getting pummeled.

  • Form based security in WebLogic 7.0 - back button quirk

    I have an application comprised of several JSPs that are protected via Form based
    security and enforce an SSL connection via the appropriate declarations in the
    web.xml. This aspect of the application seems to be working with the exception
    of one small quirk.
    If a user presses the back button until such time as they receive the container
    provided login page once again, and subsequently provide a valid user id and password,
    they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden
    error that states that the server understood the request, but is refusing to fulfill
    it. This only seems to happen given the above course of events involving the
    use of a back button in the browser (or selection of an item from the history
    list). I suspect that this has something to do with the session id being cached
    or something, but I'm not sure? Can anyone offer any assistance on this one?
    Also, does anyone know of a way of preventing the user from bookmarking this container
    provided login page as this also seems to be causing problems for users. If they
    bookmark the first protected page of the application all is fine, but if they
    bookmark the login page they receive the 403 error.
    Thanks in advance!

    The cure for the symptoms described below was to simply add a welcome-file-list
    element with appropriate welcome pages to the web.xml descriptor. It makes sense
    now that I have worked it out.
    Todd

  • Form based security in WebLogic 7.0

    I'm sorry for the beginner level question, but I seem to be missing a critical step
    in getting Form based security to work. I have a Web application comprised of several
    JSPs. I want to attach simple FORM based security constraints to all pages in the
    app. Here are the excerpts from my web.xml:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>DTSTAT</web-resource-name>
    <url-pattern>/StateServlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Sysops</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/StateServlet/login.html</form-login-page>
    <form-error-page>/StateServlet/login-error.html</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <role-name>Sysops</role-name>
    </security-role>
    The app deploys correctly and I have verified that the constraints, etc. are recognized
    by WebLogic by inspecting the content displayed from the Admin console under the
    "Edit Web Application Deployment Descriptor" link - all looks as I had expected and
    matches the XML configuration above.
    I then use the "Define Resources and Roles for Web Resource Collections" link. Under
    the "Define Policies" section I see the constraints as defined above. I then use
    the "Define Roles" link to define the "Sysops" role for this application and add
    the condition "Caller is a member of the group" and use Administrators as the Group.
    From this point, I invoke one of the JSPs in the app and am presented with the Login
    page as expected. However, no matter what I enter for user and password, I always
    get the login-error page back. I'm purposely trying to keep this simple so that
    I can use the system user as a test case (who is a member of the Administrators group).
    However, I have also created an additional separate user and added them to the Administrators
    group as well with the same unsuccessful results.
    Can anyone help me out please? I've been reading the docs and seem to be missing
    a key element somewhere.
    Thanks in advance,
    Todd

    Try to refer to the documentation for
    Configuring Security in Web Applications at
    http://e-docs.bea.com/wls/docs70///webapp/security.html
    Does the weblogic.log file contain any error or warning
    messages corresponding to your problem?
    If you have a test case to reproduce the problem, you
    can contact BEA support at [email protected]
    Thanks
    Developer Relations Engineer

  • How to register non-wsdl based URL in OEG

    How do we register a non-wsdl based URL endpoint in OEG? We had no problem registering a simple WSDL based endpoint on an OEG server. However we cannot find documentation on how to secure/register a RESTful or JSON – URL based service (SOAP, XML over HTTP type service).
    Does this functionality exist? Or are there best practices on what to do with OEG for these types of services?
    Our use case looks like:
    Akamai - - > OEG - -> OSB (WSDL, RESTful, JSON type web services) - -> .Net service (WSDL, RESTful, JSON type web services)

    In case of REST and other non-WSDL type services, there is no SOAP/WSDL based web service like registration process, you'd use OEG as the proxy. You can receive REST based requests at OEG, retrieve parameters (there are convenience filters available for retrieval of attribute values and other types of REST related functions in OEG, as part of the Policy library, "Extract REST Request Attribute", "Validate REST filter", "Create REST Request" etc. - search for REST at the top using Policy Studio, drag it on to canvas and click help for docs on these filters) and do the routing to actual REST end point services. You have the option to receive and use the SOAP message as a basis of generation of the REST url.
    REST to SOAP - http://www.soatothecloud.com/2008/11/how-to-convert-from-rest-to-soap.html
    SOAP to REST - http://markoneill.sys-con.com/node/1989916
    On use with JSON: you can convert XML to JSON on the outbound side to serve mobile clients etc. using script-based (standard XSLT) conversions at the gateway. Conversion to Java using the Google gson library is also an option.
    To register a REST service, simply map the path (e.g. "/MyRESTService") to the policy you're using to process the REST request.
    Let's say you want to simply route a REST request through OEG (e.g. - to OSB). You would create a policy (right-click on "Policies" and add it). Drag in a "Static Router" filter and place in it the hostname and port of the host you want to route to (e.g. - to OSB). Then right-click on it and choose "Set as start" so that it is the first thing which is processed for this REST request. Then drag in a "Connection" filter, and chain it (using a green arrow) after the Static Router filter. The "Connection" filter actually makes the connection to the backend host.
    Now, map the path (using "Add Relative Path") to the service so that if a REST request to "/MyRESTService" or "/MyRESTService/something" comes into OEG, it is routed on to the backend host.
    Deploy your policy (using F6 or the "deploy" button on the Policy Studio toolbar). Then send in your REST request.
    There is actually already a simple REST service set up on OEG, called "healthcheck". If you point a browser to "http://<OEG_IP_ADDRESS>:8080/healthcheck" then this is run.
    If the backend REST service returns JSON, the response JSON will simply be sent back through OEG.

  • Form-Based Security

    I cannot seem to get container-managed security to work with Java Studio Creator.
    I have a standard jsp page as the logon form, submitting to j_security_check. Authentication works correctly, but then, when the protected page is rendered, I keep getting the "Faces Context cannot be found" exception. Is this because I have a non-faces page between two faces pages?
    Here are the steps:
    1). Access the main page
    2). Main faces page gets rendered correctly.
    3). Access a link which sends the user to a protected page
    4). Logon page gets rendered. (plain JSP or HTML file)
    All is well so far
    5). User credentials are submitted
    6). Authentication works correctly
    7). Forward user to the protected faces page
    8). "Cannot find Faces Context" exception.
    Obviously, I cannot create a "standard" jsp page in Creator, as Creator creates the faces context and the java backend automatically. I had to create the JSP page through a text editor, and save it to the Creator project directory.
    The same thing happens if I create a regular HTML file in Creator with the same form submitting to j_security_check.
    Anyone run into this? Has anyone gotten container-managed, forms-based security working with Creator?
    Thanks.

    Ummmm.... okay, I feel really foolish and stupid. I guess I was getting tunnel vision, staring at this project so much.
    Sheesh! Thanks for the reply, j.f.brown! Had you not made the reply, who knows how long I would have stared at this problem.
    I'm never going to live this down. heh heh.

  • Mac based security managed centrally (Acs or whatever)

    I have a project. My customer wants to use MAC address based security on their whole network. They want only PCs/notebooks with specific MAC addresses to be able to connect to their network. But they don't want configuration on a per-switch basis. They want centralized management.
    We first looked at ACS. But we realized that ACS supports only wireless access points for this kind of purpose. I also found that there is an ACS feature called NAR (Network Access Restriction). Can I use this feature?
    They don't want additional integration (Active Directory etc.) and don't want to install any software on their PCs/notebooks. Because of this I can't use an EAP solution.
    They have approx. 300 PCs, and they will enter the whole MAC address list into ACS so that only these PCs will connect to the network. Is it possible?
    Best Regards

    I wouldn't recommend this as a strong security solution, but it could be done - in theory.
    The customer's devices need to be configured to initiate a PAP authentication using pre-configured credentials (à la NAC auth bypass).
    ACS will have this username+password configured plus a network access restriction that lists the allowed set of macaddrs.
    While this may work for 300 users, NARs are not that easily scalable.

  • Session Facade and Access to a Non SQL Based Persistent Data Store

    Hi,
    We are currently using jDeveloper 10.1.3.5 and Oracle Application Server 10.1.3.5. We develop all our applications as Java portlets using Oracle PDK and they are exposed through Oracle Portal.
    In our environment, the persistent data is stored on a combination of an Oracle database and a non SQL based persistent data store.
    The way we access the non SQL persistent data store is by posting a URL and receiving an XML document back in response. This mechanism is used both for enquiry and update of the persistent store.
    We have to create a new XML schema for each entity that we need to access and there are software changes on both our environment (Java) and the non SQL based persistent data store.
    In an attempt to shorten development times we are looking to start using ADF faces and EJB3.
    We have downloaded the SRDemo tutorial and made it work but there are some challenges.
    1. The SRDemo seem to have a very minimal implementation of a business layer. From what I can see, it is essentially some straightforward wiring between database attributes and their viewable representation. Is there a demo/tutorial containing a bit more meat in the business layer that you are aware of?
    2. Given our non SQL based persistent data store, how would you go about implementing EJB3 for such scenario. Is it recommended at all? How would you go about integrating the rest of the application (business layer and representation layer) to data arriving from such source?
    3. SRDemo is not intended to be exposed as a portlet. Is there a tutorial that we can use incorporating JSR168, ADF Faces and EJB3 in the same application? I also understand that there is a JSF-JSR168 bridge available. Can you provide some pointers here? Where can we find it? Would we be able to use it in jDeveloper 10.1.3.5?
    Regards

    Matt,
    The only way to associate an "x-axis" with a signal in the Write Data VI would be to feed it waveforms, which are constrained to use time as the x-axis unit. There is really no way around this, so in my opinion, the best solution for you would be to use the "rows are channels" conversion and write the frequency and amplitude values to the file independently. Then when you read the file in DIAdem, take the two channels and build a graph out of them there.
    Regards,
    E. Sulzer
    Applications Engineer
    National Instruments

  • Pearl 8120 failing to load University's web based security page

    I have a 8120 Blackberry pearl and it is connecting to the wireless and receiving an IP address however it won't redirect to the web based security screen that is used to log on. I tried the IT guys on campus but they were clueless.
    Can Anyone Help?

    You don't happen to go to Texas A&M do you? I tried to do this same thing on our campus (connect to VPN) and it doesn't work. The help desk central guys said they have received several emails recently regarding connecting new Blackberries (apparently 8120's or 8830's) to the network, and they couldn't get it to work. They believed it was a disagreement between the software and the network. I feel the same thing because I can see the network, I enter my password and username and try to connect, but it doesn't want to work for some reason. It says connection failed for some reason. If you find anything out just reply back to this. If I find anything out, I will also reply back, or maybe start a new thread. Jay
    UPDATE: Okay, looked up a few things....this may alleviate the problem.   Instead of connecting via the WiFi screen as usual, you may have to connect via the VPN screen.  To get to this, go to Settings>Options>Security Options>VPN>Log In.
    I haven't tried this yet, but I will soon to see if it works.  There has got to be a way to get this thing to connect, I just don't know how to yet.  More tomorrow...
    Message Edited by jay47 on 09-15-2008 11:44 AM

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?     
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin

  • Non web-based to-do list

    I don't have wireless access to the internet all of the time yet would still like to be able to manage a to-do list on my ipod touch. Any suggestions? All of the apps online seem to be web-based.

    Create a dummy contact and put your to do list in the notes section. Or wait until after February (when the Software Development Kit will be released) and see if anyone comes out with a non-web based To Do app.
    Personally, I go with the small paper notebook....

  • Adding an External Application that uses J2EE Form Based Security

    I'm trying to add an External application that uses the J2EE Form based security. i.e. uses j_username, j_password and posts to j_security_check.
    I don't really see how Oracle SSO will support this. The container needs to take control of a client's request and determine when the "Login" page is presented to establish credentials. Posting directly to j_security_check isn't working for me.
    I'm using Sybase EAServer 4.12 as the external application.
    Is this supported in Oracle SSO?
    Do I need to provide a different mechanism for logging users in?
    Also, can someone explain what the benefit would be if I configured the EAServer app as a "Partner" app? I would still have to provide an interface for login. The input would be different but the end result would be the same I guess. What advantages does a Partner app have?
    Lastly, is there an NNTP server for these forums?
    Thanks.
    Darrell

    The cure for the symptoms described below was to simply add a welcome-file-list
    element with appropriate welcome pages to the web.xml descriptor. It makes sense
    now that I have worked it out.
    Todd
    "Todd Gould" <[email protected]> wrote:
    >
    I have an application comprised of several JSPs that are protected via Form based
    security and enforce an SSL connection via the appropriate declarations in the
    web.xml. This aspect of the application seems to be working with the exception
    of one small quirk.
    If a user presses the back button until such time as they receive the container
    provided login page once again, and subsequently provide a valid user id and password,
    they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden
    error that states that the server understood the request, but is refusing to fulfill
    it. This only seems to happen given the above course of events involving the
    use of a back button in the browser (or selection of an item from the history
    list). I suspect that this has something to do with the session id being cached
    or something, but I'm not sure? Can anyone offer any assistance on this one?
    Also, does anyone know of a way of preventing the user from bookmarking this container
    provided login page as this also seems to be causing problems for users. If they
    bookmark the first protected page of the application all is fine, but if they
    bookmark the login page they receive the 403 error.
    Thanks in advance!
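
A descriptor check for the fix described in the post above, as an added example that is not part of the original thread: it parses a `web.xml` and reports a FORM-login application with no `welcome-file-list`, plus roles used in a constraint but never declared and protected resources without a `CONFIDENTIAL` transport guarantee. The sample descriptor, the page names in it, and the function name `check_descriptor` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): FORM login, role "Sysops",
# SSL enforced, but no <welcome-file-list>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Sysops</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>Sysops</role-name></security-role>
</web-app>"""

def _local(tag):
    # Drop any XML namespace so DTD-era and namespaced descriptors both work.
    return tag.rsplit("}", 1)[-1]

def _find(node, name):
    return [e for e in node.iter() if _local(e.tag) == name]

def _texts(node, name):
    return [(e.text or "").strip() for e in _find(node, name)]

def check_descriptor(xml_text):
    """Return findings for a web.xml that uses FORM authentication."""
    root = ET.fromstring(xml_text)
    findings = []
    if "FORM" not in _texts(root, "auth-method"):
        return findings
    if not _texts(root, "welcome-file"):
        findings.append("no welcome-file-list")
    if not (_texts(root, "form-login-page") and _texts(root, "form-error-page")):
        findings.append("form-login-config incomplete")
    declared = {r for s in _find(root, "security-role") for r in _texts(s, "role-name")}
    for sc in _find(root, "security-constraint"):
        used = {r for a in _find(sc, "auth-constraint") for r in _texts(a, "role-name")}
        for role in sorted(used - declared - {"*"}):
            findings.append("undeclared role: " + role)
        if used and "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append("protected resources not forced onto SSL")
    return findings
```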
