Page security on glassfish
Hi ,
I'm using Jdev 11.1.2.3 and glassfish as webserver
I want to make one entry login page for my application deployed on glassfish, I found a solution when the application was deployed on weblogic using ADF Security and authenticated role, but in glassfish ADF Security is not enabled.
for exp, if i have :
login.jspx
index.jsf
app.jsf
in the url when i enter :
http://localhost:8080/MyERP/faces/index.jsf ==> redirect to http://localhost:8080/MyERP/faces/login.jspx
same thing
http://localhost:8080/MyERP/faces/app.jsf ==> redirect to http://localhost:8080/MyERP/faces/login.jspx
because in the login I will determiner the user profile
Thanks
because I implemented Glasfish security role mapping on my application, the solution I found to logout my application is to kill the browser process, in that case the user must enter new user login :
public String browserKill() throws IOException {
String os = System.getProperty("os.name");
if (os.contains("Windows")) {
Runtime.getRuntime().exec("taskkill /F /IM chrome.exe");
Runtime.getRuntime().exec("taskkill /F /IM iexplore.exe");
Runtime.getRuntime().exec("taskkill /F /IM firefox.exe");
Runtime.getRuntime().exec("taskkill /F /IM safari.exe");
Runtime.getRuntime().exec("taskkill /F /IM opera.exe");
} else {
// Assuming a non Windows OS will be some version of Unix, Linux, or Mac
Runtime.getRuntime().exec("kill `ps -ef | grep -i firefox | grep -v grep | awk '{print $2}'`");
Runtime.getRuntime().exec("kill `ps -ef | grep -i chrome | grep -v grep | awk '{print $2}'`");
Runtime.getRuntime().exec("kill `ps -ef | grep -i safari | grep -v grep | awk '{print $2}'`");
return null;
Fakhri
Similar Messages
-
How do I call a 10g report from a jsp page securly?
How can I call a report from a jsp page securly? We are migrating from 10g forms to J2EE, and we want to keep using our reports. In forms we were able to do this using a cookie. How can I pass a users credentials to reports without the user having to connect to the database? Single Sign-on isn't an option either.
Thanks,
JimHi Jim,
If you want to pass the user credentials to the report dynamically, then SSO (Single Sign-On) is the only option I can think of.
If the user credentials can be hard-coded, then the following 2 solutions are possible:
1. Use cgicmd.dat file, and write the user credentials in the file.
2. In your report JSP itself, you could write the following:
<rw:report id="report" parameters="userid=scott/tiger@mydb">
Navneet. -
Access denied by Page security check
Hi,
I would like to allow access to page 1 only to users in the group 'CPY'
i do un authorizzation scheme 'CPY_GROUP' (exists sql query type)
SELECT '1'
FROM GRP gr, USG ug, USR us
WHERE gr.GRP_APP_ID='CRM'
AND gr.GRP_ID = 'CPY'
AND us.USR_ID = UPPER(:P101_USERNAME)
AND us.USR_ID=ug.USG_USR_ID
AND gr.GRP_ID=ug.USG_GRP_ID;
on the page 1, on the security session, i pick 'CPY_GROUP' from select list
when run my application with a user of 'CPY_GROUP' i have the error
Access denied by Page security check
Error You are not authorized to access this function. (my Identify error message displayed when scheme violated)
Any help?
Thanks in advance
kmHi Scott,
I am facing a similar kind of problem. I am using :P101_USERNAME only in login page to check for user name and password. I have not used it in any of the further pages.
But i am still getting the error "Access denied by Page security check". Please suggest me some solution.
Thanks in advance,
Anjali -
"Page Security cannot be asserted" error
I have a page that depending on business logic will give various error dialogs (Y/N), however I keep getting the following error (when returning to self/calling page):<br>
<<<b>Page Security cannot be asserted. The page has either expired or has been tampered.</b>>>
<br><br>
I've was getting this when I pressed no so I did a work around by explicitly forwarding to current page:<br>
<< super.setForwardURL(oapagecontext, true, "OA.jsp?page=/oracle/apps/per/[mypackages]/MyPagePG&akRegionApplicationId=800", true, hashmap1, "N", true);>><br><br>
But after adding that, if I throw a validation exception (<<throw new OAException(..)>>) it gives me the same old error along with the one I specified in the exception constructor.<br><br>
Is there something special about this foward? In other places I use the very same method to redirect to dialog without any problems.<br><br>
Any ideas what causes this error?<br>
-C
<br><br>Source:<br>
<<
<br> String yes = oapagecontext.getMessage("AK", "FWK_TBX_T_YES", null);
<br> String no = oapagecontext.getMessage("AK", "FWK_TBX_T_NO", null);
<br> dialogPage.setOkButtonItemName(okButtonName);
<br> dialogPage.setNoButtonItemName("No");
<br> dialogPage.setOkButtonToPost(true);
<br> dialogPage.setNoButtonToPost(true);
<br> dialogPage.setPostToCallingPage(true);
<br> dialogPage.setOkButtonLabel(yes);
<br> dialogPage.setNoButtonLabel(no);
<br> java.util.Hashtable formParams = new java.util.Hashtable();
<br> if(appraisalId!=null){
<br> formParams.put("AppraisalId", appraisalId);
<br> }
<br> if(objectiveId!=null){
<br> formParams.put("pObjectiveId", objectiveId);
<br> }
<br> if(oapagecontext.getParameter("AddAnotherYes")!=null){
<br> formParams.put("AddAnotherYes", oapagecontext.getParameter("AddAnotherYes"));
<br> }
<br> if(oapagecontext.getParameter("ApplyYes")!=null){
<br> formParams.put("ApplyYes", oapagecontext.getParameter("ApplyYes"));
<br> }
<br> formParams.put("event", oapagecontext.getParameter("event"));
<br> dialogPage.setFormParameters(formParams);
<br> oapagecontext.redirectToDialogPage(dialogPage);
>>I found the problem.<br><br>
<b>HashMap hashmap = super.getKeyParams(oapagecontext);<br>
hashmap.put("MyParam1", value)<br>
hashmap.put("MyParam2", value)<br>
hashmap.put("MyParam3", value)<br>
</b><br><br>
As it turns out, "MyParam1" was already pre-populated in the key hashmap and so when I tried to reset it, the framework noticed it was rekeyed and threw the mentioned error. Simply removing the line that inserts that param into the map fixed the problem.<br><br>
So, the solution was to use the code inspector in debug mode to crawl the hashmap to see what key params were auto-populated.<br><br>
hth,<br>-C -
Hi,
I have try to use Page Security.
I have disabled Many Item with the Disabled Properties.
Ex: disabled="${oa.FunctionSecurity.<Function_Name>}"
In the log:
OALOG: Unknown Source: OAF LOG: Event : Test Function For Grant, in: Unknown Source: .<Function_Name>
With the FunctionSecurity, i can't insert or update data.
Without, i have no problem.
If i used the security only on an VO Item. I can't update this item, but he isn't readonly.
Have you an answer ?
Nicolas
Thank you
Message was edited by:
nicox91It's an OAFramework Bug in the EO Object.
I have jus modify my controler.
if (!pageContext.testFunction("<Function>"))
OAWebBean item = webBean.findIndexedChildRecursive("<Item>");
if (item != null)
OAMessageTextInputBean bean = (OAMessageTextInputBean) item;
bean.setDisabled(true);
} -
WebCenter page security problems
We are running a CustomPortal which is connected to a local AD.
When i try to setup the page security in runtime on the server iam getting errors:
German Errormessage: Mitglieder konnten nicht aus dem Policy-Speicher abgerufen werden
English translation: Members couldn't be loaded out of the policy repository.
The CustomPortal is still running but when i try to change the page security this errorsmessage occurs every time.
At the moment we are running WebCenter PS3Maybe it's a conflict in authorization providers. When you add a provider in your security realm, there should be a flag to set whether or not the authenticator is mandatory, optional and so on.
The order in which the providers are set is also important. If for example your AD is set as the first provider and is a required authenticator, than you will get an error of that kind in your application.
Go to your weblogic console and open the security realm. Open the provider tab
Is the AD provider the first one or is the DefaultAuthenticator the first one?
When you open the AD provider, how is the control flag set?
What provider is the AD provider? Do you use the general LDAP provider or the ActiveDirectoryAuthenticator? -
Hi,
I know that page level security is implemented by configuring Application Service in CC&B. But its something weird that it did stop working in my CC&B set up. I know something i am missing
1) I logged into the application with my user 'XXXX'
2) This user XXXX has an active custom User group YYYY which is having the base application service for the Adjustment with Add , Inquire, Change Privileges.
3) I could Add , Inquire, Change the Adjustments which looks good. Then i removed the Add, Change Privilege from the application service in the User Group but still i could create the Adjustment which looks weird.
Please let me know what i am missing here. I want to revoke the user privilege to create or change adjustments.Issue http://<server>:<port>/flushAll.jsp (case-sensitive)
-
How to tell page security model?
10.1.4.
I couldn't find any API calls or officially supported views that tell you whether a page inherits its security from a template, from the root page, or from its parent.
Are there any?
If not, any behind-the-scenes lookups I can do?
-JohnPossibly a quicker solution: plug her serial number into the online service assistant and it should tell you the resulting model.
Matt -
Injecting message security int Glassfish EJB3.0 Web Service Endpoint
I need to specify message security in sun-ejb-jar.xml descriptor. According to documentation: https://glassfish.dev.java.net/javaee5/webservices/dispatch_process.html#EJB
when EJB is deployed, ejb-jar.xml, webservices.xml, and sun-ejb-jar.xml get created. This works. The documentation goes on to say that if an ejb-jar.xml or sun-ejb-jar.xml file is provided in the EJB-JAR, they will be used as starting points when descriptors are generated. This does not seem to work.
I have tried to create descriptors by hand but was unsuccessful at this as well.
Is there a way to modify descriptors generated by the application server following a deploy with no descriptors), so that I can package them with my EJB-JAR? I tried and couln't get that to work.
Basically, I need to be able to add message-security-binding and auth realm configs to the sun-ejb-jar.xml, if that is at all possible. Thanks for any help anyone can give.
FrankWell, I managed to get this to sort of work. I am able to deploy my EJB with only a sun-ejb-jar.xml descriptor. The glassfish container generates the webservices.xml and ejb-jar.xml, and updates the sun-ejb-jar.xml file passed in. I now am seeing a new problem.
Here are the scenarios:
1) Default security provider:
Request policy: auth-source="content" auth-recipient="after-content"
Client signs and then encrypts message, all works fine.
2) Specify provider and request protection in sun-ejb-jar.xml to be signature
Request policy: auth-source="content"
Client signs message
All works fine.
3) Specify provider and request protection in sun-ejb-jar.xml to be signature and encrypted. (Should be same as Scenario one).
Request policy: auth-source="content" auth-recipient="after-content"
Client signs and then encrypts message.
The server throws the following exception:
[#|2007-03-07T17:30:37.895-0700|SEVERE|sun-appserver-pe9.0|javax.enterprise.resource.webservices.jaxws.server.soapmd|_ThreadID=12;_ThreadName=httpWorkerThread-8080-1;_RequestID=eb686a92-f5a7-4a24-a83f-fbffeed3dd4d;|Error in decoding SOAP Message
Error in decoding SOAP Message
at com.sun.xml.ws.encoding.soap.server.SOAPXMLDecoder.toInternalMessage(SOAPXMLDecoder.java:89)
at com.sun.xml.ws.protocol.soap.server.SOAPMessageDispatcher.toMessageInfo(SOAPMessageDispatcher.java:187)
at com.sun.xml.ws.protocol.soap.server.SOAPMessageDispatcher$SoapInvoker.invoke(SOAPMessageDispatcher.java:571)
at com.sun.xml.ws.protocol.soap.server.SOAPMessageDispatcher.receive(SOAPMessageDispatcher.java:145)
at com.sun.xml.ws.server.Tie.handle(Tie.java:88)
at com.sun.enterprise.webservice.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:160)
at com.sun.enterprise.webservice.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:89)
at com.sun.enterprise.webservice.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:178)
at com.sun.enterprise.webservice.EjbWebServiceServlet.service(EjbWebServiceServlet.java:109)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at com.sun.enterprise.web.AdHocContextValve.invoke(AdHocContextValve.java:100)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:536)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:71)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:182)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:120)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:536)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.invokeAdapter(ProcessorTask.java:667)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.processNonBlocked(ProcessorTask.java:574)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:844)
at com.sun.enterprise.web.connector.grizzly.ReadTask.executeProcessorTask(ReadTask.java:287)
at com.sun.enterprise.web.connector.grizzly.ReadTask.doTask(ReadTask.java:212)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:75)
Caused by: javax.xml.ws.soap.SOAPFaultException: Cannot find the dispatch method
at com.sun.xml.ws.encoding.soap.SOAPDecoder.raiseFault(SOAPDecoder.java:674)
at com.sun.xml.ws.encoding.soap.server.SOAPXMLDecoder.decodeDispatchMethod(SOAPXMLDecoder.java:152)
at com.sun.xml.ws.encoding.soap.SOAPDecoder.decodeBodyContent(SOAPDecoder.java:337)
at com.sun.xml.ws.encoding.soap.SOAPDecoder.decodeBody(SOAPDecoder.java:327)
at com.sun.xml.ws.encoding.soap.SOAPDecoder.decodeEnvelope(SOAPDecoder.java:250)
at com.sun.xml.ws.encoding.soap.server.SOAPXMLDecoder.toInternalMessage(SOAPXMLDecoder.java:81)
... 29 more
Please note that the client is the same for Scenario 1 and 3, yet the outcome is greatly different.
Also, I did try manually change the generated descriptor, rather than passing in sun-ejb-jar.xml. This did not work either. same error.
Thanks for any help.
Message was edited by:
FrankF@Sun
Message was edited by:
FrankF@Sun -
Application/page security and event sequencing
I've created a very simple app following the instructions in pro oracle application express (chapter three) exactly. I've got all the components working using the table based authentication. I have three pages, a login page, a nothing page (the app "hello world") and I created a separate user registration page. I've added a button to the login page that says "register new user". So I envision you come to the normal login page, if not registered click "register new user" button and go to the registration page (user, pw, email, get the validation string via email, run pl/sql procedure, etc). I've verified using the page directly (run page), and using the verification link directly, all good.
I can't seem to click the "register new user" button and go from the login page to the registration page. That button submits the page and I have a branch set for "on submit before computation, validation, and processing" tied to that button (? maybe set up wrong). But all the normal login processes fire anyway and it stays on the login page "trying" to log me in. I thought my new button would/could skip those things and bring me to my registration page. Do I need to make the registration page public or open? How? How would I have a secure application yet have one page (new user registration) that can be accessed by the public to register to use the application?Thanks Andy
My button(s) did not have the URL redirect property section. I think it's because I copied 1 button and when I created a new one from scratch I needed to place it in the region and not amongst the region items. I went through the wizard a few times until I was able to access the URL redirect option.
As for the security question, I still have an open question here. If I try to go to pages in my application by fooling around with the URL, it won't let me unless I'm logged in (forcing me to the login page - good). But that was not true of the registration page I made The only thing special about my registration page is that I used the login page template when I created it (I guess).
If you create a new page and use the login page template does that set some property that allows it to be accessed by the general public before actually logging in? Where would I see or set this property for pages I want available to anyone without logging in?
Thanks again
Steve -
Intra page "security" within the web tier
we currently have a web application using turbine/velocity technologies. we currently have security at the page level where based on a users's role (credentials managed in oracle database tables), they can or can't see a particular page.
now we have a requirement to present a different view based on the user's role. for instance, users in the "worker" role can't cancel an order, but they can update an order. thus they wouldn't see the cancel button. somone in the "supervisor" role could cancel an order and should see the cancel button. we want the ability to take this to the level of specifying view (and access) to any object on a particular page/screen/form/whatever.
so, i'm interested in what others have done to perhaps tackle this interesting issue of providing component level views based on a users credentials. we also do not currently have security on our back end components (slsb), and it would be nice to use the same security model in both areas. meaning you've gotta provide security credentials to get access to the beans and those same credentials are the ones used by the web tier.
any thoughts, reading suggestions, patterns, etc would be most most appreciated.
Thanks!
~marki think you should look towards jGuard (http://jguard.sourceforge.net).
jGuard provides easy JAAS integration into J2EE.
with jGuard, you can configure, and change on-the-fly your authentication and/or authorization settings in a unique way(works on multiple application servers).
jGuard provides too a tag library to protect your ressources depending on your roles,or your access right to a specific url, or a specific credential like it seems you are looking for.
to have more information on the jGuard features, you can grab them on the web site( http://jguard.sourceforge.net), or on the sourceforge page (http://sourceforge.net/projects/jguard).
hope it helps,
Charles (jGuard team). -
I'm using Safari 3.x and have been using it for several months now. It seems recently that almost every time I hit the "previous' page arrow, I get a security popup asking me if I "really want to return do that page". I believe this is some kind of security setting that I would like to have go away IMMEDIATELY. I'm getting very tired of have to check the box before Safari will return to the previous page.
Is there anyway to turn this warning off? I really don't get the reason for it to even exist as I only get it if I'm going back to a page I just was on. I can understand something like this if it was a warning that I'm about to go on a NEW page that may have some kind of security flaw.
While I don't care for Safari 4.x, I would reinstall it in a NY minute if it doesn't have this stupid warning popup.HI,
That would be frustrating and time consuming...
Try deleting this file. com.apple.Safari.plist
/Users/YourName/Library/Preferences. Drag that file from the Preferences folder to the Trash, empty the Trash and restart your Mac.
Carolyn -
I no longer see the padlock sign when on https sites. Why? And is the web page secure?
When making payments etc on https sites I used to get a padlock symbol on the address line or bottom right hand corner tool bar. This was a symbol I had been told to check for to ensure the page is secure. I no longer see the padlock symbol on https sites since I upgraded to Firefox 4? On the tool bar at the top all I get is the golden star for book marking a page and nothing on the bottom tool bar.Why? And is the page still secure?
The padlock has been replaced by the site identity button, for details on using it see https://support.mozilla.com/kb/Site+Identity+Button
If you want to add a padlock icon to the location bar, you can use the Padlock add-on - https://addons.mozilla.org/firefox/addon/padlock-icon/ -
Hi Scott,
Question: I've create several tabs in my application. "Academic Affairs", "Housing","Busar", etc. If I already created a report page in tab "Academic Affairs", how do I allow the "Bursar" tab to see that same report page without recreating that same report page under the "Bursar" tab?
ArtnetteI'm not sure if it has anything to do with security, but I know I am having an issue with getting this to work, also, so maybe that is to what Artnette is referring?
My home page has a 'Search Results' region. My home page is 1 and I have a Tab T_HOME that is current for page 1.
My users want another tab that basically displays the same results as the 'Search Results', with a few fields changed, accessible under another tab, T_SUMMIT. Right now the only way that I can think of to do this is to basically recreate the whole page and that is just not good coding.
If I try the suggested approach, I have Tab Page = 1 for T_HOME and T_SUMMIT (my new tab). So when page one displays, both tabs are current and neither one is clickable...so I cannot click on the new T_SUMMIT to change my page view based on the request sent from the tab...
Hope that makes sense? Any suggestions?
Thanks,
Janel -
Access denied by Page security check to a different page?
Hi, all,
I have an authorization scheme that I'm using, and I'd like for it to redirect to the login page when authorization fails instead of displaying the standard error screen. How can I do that?
Also, is it possible to have page not found errors redirect to the login screen?
Thanks!Don,
In the PL/SQL code of your authorization scheme, you can always do:
apex_application.g_unrecoverable_error := true;
owa_util.redirect_url('f?p=&APP_ID.:1');
return true;
This will redirect to page 1 (via the login page and then to page 1 after authentication, so change '1' to whatever you want).
About "page not found" errors, no.
Scott
Maybe you are looking for
-
Report S_ALR_87011964 Asset balances does not match AW01N
In march 08, useful life of one asset is reduced to 4.4 years effective Mar 08. Accordingly - system has revised Plan Deprn figures from march 08 to through Dec 08 & planned book value is nil as at Dec 08(These calculationa are perfect). Then Deprn r
-
Game is running with low resolution and poor performance
Hi, I have purchased dv4 entertainment laptop 2 years back. Recently, I installed Ford Collections - Car game in my laptop, but it is not running properlly which means that the resolution is little poor and it is very poor and getting slow when playi
-
looking for a FREE english to malay and malay to english (bidirectional) dictionary (kamus) to dowload to my mac book for use off line. i don't want to put my credit card number in my aplle id profile, so looks like any free app in i tunes is out for
-
How to merge user accounts into one account
I have 2 user accounts and need to merge them into one (having both running seems to slow down the computer significantly). There is some overlap in itunes and apps but none on iphoto. What would be the best way to do it? Krzys
-
Is there anyway to create Javadocs without using dos?? i.e. by including code in my application classes to create Javadocs automatically?? I've never created Javadocs before and all the code examples on the site seem to use commands in dos to create