PHP_MySQL version of a high security user authentication web app.

Since you folks deal with PHP Application Development, I am posting this here.
For a demo of the PHP_MySQL version of the UltraSuite High Security User Authentication Web Application, you can sign up at http://bit.ly/hgNjek.
It offers a multi-layered security approach to protecting important information like user authentication credentials: protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more.
I hope your feedback will help make the application even more useful and secure.
Thank you!
J.S.

Hi,
could you or someone tell me if ADDT supports protection against these methods you mention:
Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more??
And can this system work alongside ADDT?
thanks again

Similar Messages

  • Web Application Security - User authentication and registration

    I am trying to develop a very simple web app with the following features:
    1. Users should be able to register (sign up) with the application, i.e. backend code will create a new user account when new users sign up.
    2. Once the user account is created, they should be able to log in.
    I was reading the Java Security section in the Java EE tutorial. To use any of the Java EE security, the recommended way is to have a security-constraint in web.xml specifying the roles that have access to the application. The roles are then mapped to the users that are created in the application server. The problem here is that the users cannot be created at deployment time. Users are created at run-time as new people sign up using the registration form. So, how can users be created with the application server before deploying the application?
    It seems very odd to me that application users are defined at the app-server level. E.g., eBay/Amazon have millions of users. Are all those users defined at the application server where their app is deployed?
    If Java EE security cannot support this simple use case, what is the point of having security-constraint and all the other security features?

    As per your comment you want to use J2EE/JAAS security for existing users and want a sign-in feature. You can do it by providing a link on the log in screen. Please create a sign up page and an unprotected resource in web.xml. Once the user fills in the sign-in details you can store his details in your authorization repository (LDAP / Database) and then either redirect the request to the login page or submit to your authorization scheme directly.

  • Guide to developing SECURE TOMCAT/JSP web apps - ??

    Hi,
    It would be very useful to have a checklist or guidelines to ensure a JSP/Tomcat web site one develops is secure, in particular for the scenario where the web application is not huge/complex and/or is developed by part-time developers. That is, I guess I'm generally asking for the easiest way of ensuring one develops a secure JSP/Tomcat app.
    Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/Tomcat web app is secure? The types of things I'm thinking of include the following items, which I've put forward as specific questions to the mail group in their own right.
    Q2 - How do you ensure directories under doc root can't be viewed? (i.e. users see a directory listing)
         - is putting an index.html in each sub-directory a solid answer?
         - can this be handled in one hit via web.xml entries? If so, an example if possible?
    Above and beyond basic user authentication checking (e.g. username/password check at the beginning of the session), what is an easy but secure way of checking:
    Q3 check that a user (i.e. a specific user) is allowed to access a specific JSP page? (assuming the web app is a totally JSP based solution, i.e. no controller servlet front end, and that all JSP pages are effectively accessible under docroot). Easy way of doing this?
         e.g. (a) put a specific check at the beginning of each JSP page?
         (b) other?
    and
    Q4 given that a user is allowed to access that JSP page, check that he is allowed to view the data which he has requested? (i.e. stop people determining how the URL with parameters is constructed and manually changing the parameters, e.g. changing "http://www.test/test.jsp?id=3" manually to "http://www.test/test.jsp?id=4"). Easy way of doing this?
         e.g. (a) put a specific check at the beginning of the JSP page?
         (b) other
    Q5 Is it generally acceptable, given appropriate precautions are taken, to set up a web site with all JSP files accessible under doc root, and where the manner in which the user navigates around the application is based on direct calls from the browser to the next JSP page with parameters? (again one concern I have is e.g. changing "http://www.test/test.jsp?id=3" manually to "http://www.test/test.jsp?id=4"). If this is not acceptable what is recommended?
         (a) as above, put a specific check at the beginning of the JSP page
         (b) for example having to specifically put a controller servlet as a front end, and then direct to JSP pages which are hidden?
    - in this case how can one hide specific directories under doc root?
         (c) other??
    Q6. Regarding image security, I assume one really does have to store them outside doc root and develop a small "getImage" servlet so that requests for images can be verified to ensure that (assuming the app lets users load images) the end user can't see another user's image?
    Q7. Any other general checklist items for a simple JSP/Tomcat web site re security one should check for?
    Thanks in Advance
    Greg

    Have you ever looked at the Jakarta Struts framework for developing web apps? You could then incorporate your custom designed security into your own extension of the controller servlet (check if a particular user has access to certain pages / actions). You can also design your own custom tags which determine whether a particular user has access to certain parts of the page. You can also perform additional checks in the actions, to ensure that the user does have access to certain actions (i.e. checking parameters etc.)

  • Securing a J2EE web app

    Hi, probably the wrong place to put this but I couldn't find anywhere more suitable :-p
    I've got a web app that I've got secured using a JDBC realm, using web.xml configuration etc. and all is well. However I want to limit it so that if a user logs in then no-one can log in again with the same credentials until said user has logged out. Is this possible out of the box with JEE5 or do I have to implement something myself to redirect output.
    Regards
    ARB

    Not sure how 'out of the box' you want.
    Tomcat has this feature which can be configured by adding username/password pairs to an XML file. I realise Tomcat is not part of the JEE5 bundle but it is 'out of the box' and you need a server, right?

  • Insert SharePoint document version in Word documents - Viewing in Word Web App

    Hello all,
    I'm using Labels with the label format {Version} to display the SharePoint document version in MS Office documents stored on my company's SharePoint site. This works fine if I open the document from the Word client application, but if I open it from Word Web App it displays the previous version number (a minor one). After half an hour or so, when I open the document in Word Web App, the version number is the correct one. I thought it was related to the IE cache so I cleaned it but the results were the same.
    Is there any way around this?
    Thanks a lot.

    Hi,
    By design. Versioning is a property of a SharePoint item. When displaying an item from SharePoint, Office Web Apps only checks if there has been any change to the file content. It does not check for changes in metadata (if the Properties of the file have been modified). It then displays the cached image of the last modified version of the file instead of running a new file conversion. This is why the last minor version is displayed in the Content Control instead of the major version. This behaviour is completely intended and designed to work this way. This is, in fact, a performance optimization. If we would not have this performance optimization in place, then this would mean that Office Web Apps would need to download the file again every time there is a metadata change (which would, of course, mean overloading the SharePoint server).
    I found a similar thread as below, please refer to it for workaround:
    https://social.msdn.microsoft.com/Forums/sharepoint/en-US/75c09197-934b-42ff-8de6-c321267dfd68/document-property-not-updated-when-viewing-a-word-document-in-office-web-apps
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Detail on High Availability options for Web Apps

    Hi,
    I do really struggle to locate actual information on Azure Availability offerings / capabilities...as an Infrastructure Architect it has bugged me for years now with Azure offerings!
    Something that simply states the availability within any local DC and options for true HA over 2 or more DC's.
    We are moving away from using Web Roles to Web Apps for solutions for our clients. I understand the principles of fault domains, etc. with Web Role requirements for a minimum of 2 to (mostly) avoid MS update disruption within a single DataCenter, but cannot locate similar info with regard to Web Apps.
    Really appreciate if someone could point me to some appropriate detail as I've failed....
    (Also, cannot find anything on DocumentDB....)
    Many Thanks,
    Lee

    Hi,
    High Availability of a running service always comes with a cost, and priorities will be app-specific. If it's the web tier, then you may indeed want to consider hosting in multiple geos. If it's a backend processing tier, sometimes it's "ok" to let a service go offline, as long as requests are queued up. If it's the storage system (preventing queueing of messages), perhaps an alternate queue in a different data center could be available for redundancy purposes.
    I would request you to check this article:
    https://msdn.microsoft.com/en-us/library/azure/dn251004.aspx
    Hope this information helps.
    Regards,
    Azam khan

  • How to make a Secure User Authentication !!!!!!!!

    Hello to all the experts out there,
    I am making a website in which the user has to log in by entering his userid and password. After login, he can make a transaction of money from his account. You can think of it as an online banking site, so this must be a secure login, i.e. the password should not be stolen by any third party or proxies, so it must be encrypted; the same account should not be accessed by two PCs at the same time, etc. I have implemented it by using sessions only.
    Checking userid and password from the database; if valid, store it in the session and forward to the welcome page:
    <%
    // Look the user up by the submitted credentials (the query concatenates
    // request values straight into the SQL; see the reply below)
    rs1 = stmt.executeQuery("select userid, password from users where userid = '" + vuserid + "' AND password = '" + vpassword + "'");
    if (rs1.next()) {
        userExist = true;
        // user exists, now make session object
        UserInfo ui = new UserInfo();
        ui.setUserid(vuserid);
        ui.setPassword(vpassword);
        session.setMaxInactiveInterval(1800);
        session.setAttribute("UserInfo", ui);
        rs1.close();
        stmt.close();
        con.close();
    %>
    <jsp:forward page="Lwelcome.jsp" />
    <%
    }
    %>
    then at each page I check the attribute UserInfo
    <%
    UserInfo ui = (UserInfo) session.getAttribute("UserInfo");
    if (ui != null && ui.getUserid().length() != 0 && ui.getPassword().length() != 0) {
    %>
    <!-- HTML code shown only to a logged-in user -->
    <%
    }
    %>
    It works fine.
    Please tell me how to encrypt the password before sending it to the server, and should I also save the password in encrypted form in the database?
    How do I achieve single login? And also, as I have created an instance of the UserInfo class at the time of setting attributes in the session (code given above), what is the scope of this object?
    Thanks in advance!!!

    Use HTTPS. Start the HTTPS session when they first access the login page and continue using HTTPS until they log out. This way the password will be encoded. Check the documentation for your application server as to how to set up HTTPS for your system.
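    Added example (not from the original thread): a hardened version of the login check in the question, in the same Java/servlet setting, covering the two database questions the reply leaves open. It assumes a `users` table with `userid`, `pw_salt` and `pw_hash` columns (a PBKDF2 hash replacing the plaintext password column), Servlet 3.1 for `changeSessionId()`, and Java 8 or later; the HTTPS advice above still applies, since hashing in the database does nothing for the password in transit.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class LoginCheck {
    // PBKDF2 work factor and sizes (assumed values; tune the iteration count).
    private static final int ITERATIONS = 200_000;
    private static final int HASH_BITS = 256;
    private static final int SALT_BYTES = 16;

    // PBKDF2-HMAC-SHA256 of the password under the per-user salt.
    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Registration: random salt, store salt + hash, never the password itself.
    static void storeCredential(Connection con, String userid, char[] password)
            throws SQLException, GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password, salt);
        String sql = "insert into users (userid, pw_salt, pw_hash) values (?, ?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userid);
            ps.setBytes(2, salt);
            ps.setBytes(3, hash);
            ps.executeUpdate();
        }
    }

    // The query from the question, kept only for contrast: request values are
    // spliced into the SQL text and the plaintext password is compared in SQL.
    static String vulnerableQuery(String vuserid, String vpassword) {
        return "select userid, password from users where userid = '" + vuserid
             + "' AND password = '" + vpassword + "'";
    }

    // Hardened check: parameterised lookup by userid only, then a constant-time
    // comparison of the stored hash with PBKDF2 of the submitted password.
    static boolean authenticate(Connection con, String vuserid, char[] vpassword)
            throws SQLException {
        String sql = "select pw_salt, pw_hash from users where userid = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, vuserid);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // unknown user looks the same as a wrong password
                }
                byte[] computed = pbkdf2(vpassword, rs.getBytes("pw_salt"));
                return MessageDigest.isEqual(rs.getBytes("pw_hash"), computed);
            } catch (GeneralSecurityException e) {
                return false;
            }
        } finally {
            Arrays.fill(vpassword, '\0'); // do not keep the plaintext around
        }
    }

    // After a successful check: issue a fresh session id (defeats session
    // fixation) and keep only the userid in the session, not the password.
    static void establishSession(HttpServletRequest request, String userid) {
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        session.setMaxInactiveInterval(1800);
        session.setAttribute("userid", userid);
    }

    // Per-page check, replacing the UserInfo test in the question.
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute("userid") != null;
    }
}
```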

  • SAP Security User Accountable Web Form

    We are in the process of creating users in the SAP system. We have created a form where power users can fill out their information with the access they need and a supervisor can approve it. After that they send that form to the security person.
    When that person leaves, the supervisor has to send another form again.
    Is there any way we can automate this process through SAP?
    Thanks.

    Hello Krishna,
    have a look at this Weblog: User Management Part 1 (/people/john.astill/blog/2005/07/21/php-user-management-part-1). It lists all the required BAPIs. Could be a starting point.
    Regards
    Gregor

  • Grant permission through dynamic parameters entered by user through web app

    This is my code.
    f1=request.getParameter("URL");
    out.println("parameter f1 ===>"+f1);//user name
    f2=request.getParameter("URL1");
    out.println("parameter f2 ===>"+f2);//table name
    f3=request.getParameter("URL2");
    out.println("parameter f3 ===>"+f3);//privilege name
    sql="GRANT f3 to \"" + f1 + "\""+"on \""+f2+"\"";
    st= con.createStatement();
    st.execute(sql);
    out.println("grant succeeded");
    It is giving an error that the SQL query is invalid. Please help in writing this code. Is there any other method for giving a dynamic SQL query for granting permission?

    Welcome to the forum!
    >
    Any other method for giving dynamic SQL query for granting permission.
    >
    You should NOT be using dynamic SQL for issuing grants. Security is something that should be taken seriously and grants should ONLY be given to users that need the permission. The necessary grants should be created and reviewed BEFORE they are executed.
    Best practices are to create scripts containing your DDL and place those scripts in a version control system.
    The scripts can then be executed in sql*plus, sql developer or another tool and the results reviewed to ensure that they executed properly.
    If dynamic SQL is needed you:
    1. create a sql statement manually and test it to make sure it works properly
    2. create the code to assemble similar statements and VIEW the output DDL to make sure that it is valid
    3. add exception handling and security handling to the code so that it can only be used for the intended operations and is not subject to SQL injection.
    4. manually execute the DDL produced by the code to make sure there are no syntax errors.
    Clearly you did not even test your SQL before trying to write code to produce it or you would have known your syntax is invalid.
    >
    sql="GRANT f3 to \"" + f1 + "\""+"on \""f2"\"";
    >
    >
    it is giving error that invalid SQL query.
    >
    Of course it is. That code might try to produce the equivalent of:
    GRANT select to "scott" on "hr.employees";
    There are SEVERAL errors in that code.
    1. You are enclosing the SCHEMA in double-quotes. That means the actual user name will be treated as case-sensitive. So if someone provides 'scott' it will be considered lower-case. There is NO user "scott" in Oracle unless you created that user yourself and used double-quotes to preserve the case.
    ALL of the schemas created by Oracle, and most users, are UPPER case. So your code will not find any name if the user supplies a LOWER case or mixed-case value.
    2. You are enclosing the target schema and object name in double quotes. There are two things wrong. The same case issue applies again. And the string "hr.employees" will be treated as ONE value. The proper way to quote such a value is:
    "HR"."EMPLOYEES"
    3. You have the DDL components in the wrong order, hence it is invalid. The ON clause comes BEFORE the target schema.
    GRANT select on hr.employees to scott;
    See the SQL Language doc for the GRANT statement
    http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_9013.htm
    All of the issues you have demonstrate why you should NOT be using dynamic SQL to do DDL. You don't understand the syntax so you can't write code to implement that syntax.
    The syntax is much more complex than the simple code you are trying to use.
    Grant statements often need to include "SCHEMA.OBJECT" syntax and your code makes no provision for that.
    DDL needs to be tightly controlled and doing it in code can create huge, gaping security holes.
    Abandon your method and use prepared scripts for the DDL commands you need to execute.
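    Added example (not from the thread): the input checks the answer's steps 2 and 3 call for, applied to the GRANT from the question, with the assembled DDL returned for manual review (step 4) instead of being executed. Assumed: a fixed allowlist of object privileges this form is meant to hand out, the classic 30-character unquoted-identifier rule, and Java 9 or later for Set.of.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public final class GrantBuilder {
    // Only the object privileges this application is allowed to grant (assumed list).
    private static final Set<String> ALLOWED_PRIVILEGES =
            Set.of("SELECT", "INSERT", "UPDATE", "DELETE");

    // Shape of an ordinary Oracle identifier: letter, then letters/digits/_/$/#,
    // at most 30 characters. Anything else (quotes, spaces, semicolons) is rejected.
    private static final Pattern IDENT = Pattern.compile("[A-Z][A-Z0-9_$#]{0,29}");

    // Upper-case, validate, then double-quote. Upper-casing first means the quoted
    // name matches the name Oracle stores for an unquoted identifier, so a user
    // typing "scott" still resolves to the SCOTT account the answer describes.
    static String quoteIdentifier(String raw) {
        String id = raw.trim().toUpperCase(Locale.ROOT);
        if (!IDENT.matcher(id).matches()) {
            throw new IllegalArgumentException("invalid identifier: " + raw);
        }
        return "\"" + id + "\"";
    }

    // Accept OBJECT or SCHEMA.OBJECT and quote each part separately, giving
    // "HR"."EMPLOYEES" rather than the single value "hr.employees".
    static String quoteObject(String raw) {
        String[] parts = raw.trim().split("\\.", -1);
        if (parts.length == 1) {
            return quoteIdentifier(parts[0]);
        }
        if (parts.length == 2) {
            return quoteIdentifier(parts[0]) + "." + quoteIdentifier(parts[1]);
        }
        throw new IllegalArgumentException("invalid object name: " + raw);
    }

    // Assemble GRANT <priv> ON <object> TO <grantee>, the order the answer gives.
    static String buildGrant(String privilege, String object, String grantee) {
        String priv = privilege.trim().toUpperCase(Locale.ROOT);
        if (!ALLOWED_PRIVILEGES.contains(priv)) {
            throw new IllegalArgumentException("privilege not permitted: " + privilege);
        }
        return "GRANT " + priv + " ON " + quoteObject(object) + " TO " + quoteIdentifier(grantee);
    }

    public static void main(String[] args) {
        // The three values the original code read from request parameters.
        System.out.println(buildGrant("select", "hr.employees", "scott"));
        // A value that does not look like an identifier is refused instead of
        // being spliced into the DDL.
        try {
            buildGrant("select", "hr.employees", "sc ott");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```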

  • Setting security constraint for web App

    Hai all!
    I am new to BEA and I am trying to set up security constraints for my web application.
    I want the user to be authenticated before he accesses any of the pages in the browser.
    All I did was add the following entries to web.xml
    <security-constraint>
              <web-resource-collection>
                   <web-resource-name>
                        webresources
                   </web-resource-name>
                   <url-pattern>
                   </url-pattern>
              </web-resource-collection>           
              <login-config>          
                   <auth-method>
                   BASIC
                   </auth-method>          
              </login-config>
         </security-constraint>
    But no such thing is happening.
    I know I am doing something wrong but don't know where exactly I am wrong.
    Please guide me in the sequence of steps regarding what to do to accomplish what I want.
    Thanks and Regards
    Manohar

    I guess you need to set the role that is allowed to log into your application.
    try this in web.xml:
         <security-constraint>
              <display-name>Whatever</display-name>
              <web-resource-collection>
                   <web-resource-name>resource</web-resource-name>
                   <description>Desc</description>
                   <url-pattern>/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description>desc</description>
                   <role-name>MyRole</role-name>
              </auth-constraint>
               <user-data-constraint>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
         </login-config>
         <security-role>
              <description>desc</description>
              <role-name>MyRole</role-name>
         </security-role>
    and map the role with a group/user in weblogic.xml:
         <security-role-assignment>
              <role-name>MyRole</role-name>
              <principal-name>MyGroupOfUsers</principal-name>
         </security-role-assignment>
    Hope this helps.
    Xavi

  • JSTL not working on EJB user view web app

    hi people,
    I found an error while trying to have an EJB 3.0 JPA persistent connection and the JSTL library. This is the error I got:
    [04:57:34 PM] Wrote Web Application Module to /home/isanchez/.jdeveloper/system11.1.1.3.37.56.60/o.j2ee/drs/GeCU/ViewWebApp.war
    [04:57:34 PM] Wrote EJB Module to /home/isanchez/.jdeveloper/system11.1.1.3.37.56.60/o.j2ee/drs/GeCU/ViewEJB.jar
    [04:57:34 PM] WARNING: Connection Developer has no password. Developer-jdbc.xml file not generated for connection Developer.
    [04:57:34 PM] removed bundleresolver.jar from lib because it cannot be part of an EJB deployment
    [04:57:34 PM] Wrote Enterprise Application Module to /home/isanchez/.jdeveloper/system11.1.1.3.37.56.60/o.j2ee/drs/GeCU
    [04:57:34 PM] Deploying Application...
    <01-jun-2010 16H57' CEST> <Error> <Deployer> <BEA-149265> <Failure occurred in the execution of deployment request with ID '1275404254910' for task '11'. Error is: 'weblogic.application.ModuleException: Could not setup environment'
    weblogic.application.ModuleException: Could not setup environment
         at weblogic.servlet.internal.WebAppModule.activateContexts(WebAppModule.java:1499)
         at weblogic.servlet.internal.WebAppModule.activate(WebAppModule.java:442)
         at weblogic.application.internal.flow.ModuleStateDriver$2.next(ModuleStateDriver.java:375)
         at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
         at weblogic.application.internal.flow.ModuleStateDriver.activate(ModuleStateDriver.java:95)
         Truncated. see log file for complete stacktrace
    Caused By: weblogic.deployment.EnvironmentException: [J2EE:160101]Error: The ejb-link 'SessionEJB' declared in the ejb-ref or ejb-local-ref 'ejb/local/SessionEJB' in the application module 'ViewWebApp.war' could not be resolved. The target EJB for the ejb-ref could not be found. Please ensure the link is correct.
         at weblogic.deployment.BaseEnvironmentBuilder.addEJBLinkRef(BaseEnvironmentBuilder.java:453)
         at weblogic.deployment.EnvironmentBuilder.addEJBReferences(EnvironmentBuilder.java:485)
         at weblogic.servlet.internal.CompEnv.activate(CompEnv.java:157)
         at weblogic.servlet.internal.WebAppServletContext.activate(WebAppServletContext.java:3117)
         at weblogic.servlet.internal.WebAppModule.activateContexts(WebAppModule.java:1497)
         Truncated. see log file for complete stacktrace
    >
    <01-jun-2010 16H57' CEST> <Error> <Deployer> <BEA-149202> <Encountered an exception while attempting to commit the 1 task for the application 'GeCU'.>
    <01-jun-2010 16H57' CEST> <Warning> <Deployer> <BEA-149004> <Failures were detected while initiating deploy task for application 'GeCU'.>
    <01-jun-2010 16H57' CEST> <Warning> <Deployer> <BEA-149078> <Stack trace for message 149004
    weblogic.application.ModuleException: Could not setup environment
         at weblogic.servlet.internal.WebAppModule.activateContexts(WebAppModule.java:1499)
         at weblogic.servlet.internal.WebAppModule.activate(WebAppModule.java:442)
         at weblogic.application.internal.flow.ModuleStateDriver$2.next(ModuleStateDriver.java:375)
         at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
         at weblogic.application.internal.flow.ModuleStateDriver.activate(ModuleStateDriver.java:95)
         Truncated. see log file for complete stacktrace
    Caused By: weblogic.deployment.EnvironmentException: [J2EE:160101]Error: The ejb-link 'SessionEJB' declared in the ejb-ref or ejb-local-ref 'ejb/local/SessionEJB' in the application module 'ViewWebApp.war' could not be resolved. The target EJB for the ejb-ref could not be found. Please ensure the link is correct.
         at weblogic.deployment.BaseEnvironmentBuilder.addEJBLinkRef(BaseEnvironmentBuilder.java:453)
         at weblogic.deployment.EnvironmentBuilder.addEJBReferences(EnvironmentBuilder.java:485)
         at weblogic.servlet.internal.CompEnv.activate(CompEnv.java:157)
         at weblogic.servlet.internal.WebAppServletContext.activate(WebAppServletContext.java:3117)
         at weblogic.servlet.internal.WebAppModule.activateContexts(WebAppModule.java:1497)
         Truncated. see log file for complete stacktrace
    >
    [04:57:36 PM] #### Deployment incomplete. ####
    [04:57:36 PM] Remote deployment failed (oracle.jdevimpl.deploy.common.Jsr88RemoteDeployer)
    #### Cannot run application GeCU due to error deploying to IntegratedWebLogicServer.
    [Application GeCU stopped and undeployed from Server Instance IntegratedWebLogicServer]
    There is a bean that uses the Result class from JSTL; all libraries are well defined and the project compiles fine.
    import javax.servlet.jsp.jstl.sql.Result;
    can someone help me out with the root of this problem? thank you in advance!!!
    Israel S Llorens

    Hi,
    According to your description, my understanding is that the Remote Event Receiver sometimes does not fire when you create a new sub site.
    I suggest you try to debug the remote event receiver using Azure Service Bus to find whether something is wrong that causes the remote event receiver not to fire.
    Here is a detailed article for your reference:
    http://blogs.msdn.com/b/officeapps/archive/2013/01/03/debugging-remote-event-receivers-with-visual-studio.aspx
    Thanks
    Best Regards
    Forum Support
    Jerry Guo
    TechNet Community Support

  • Web app security exception: Bad URLMatchMap

    Can anyone help me diagnose an error? I am simply trying to place a security constraint
    on a servlet within an ear-deployed web-application.
    The exception occurs as the first POST comes to the servlet I am trying to protect:
    <Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
    java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
    at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
    at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAppSecurity.java:135)
    at weblogic.servlet.security.internal.SecurityModule.checkTransport(SecurityModule.java:177)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:48)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:150)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:1250)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1622)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    >
    <?xml version="1.0" ?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
    'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
    <web-app>
    <display-name>ANSWeb</display-name>
    <description>no description</description>
    <servlet>
    <servlet-name>UPMessageServlet</servlet-name>
    <display-name>UPMessageServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>ANSServlet</servlet-name>
    <display-name>ANSServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
    <load-on-startup />
    </servlet>
    <servlet>
    <servlet-name>WCTPServlet</servlet-name>
    <display-name>WCTPServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>UPMessageServlet</servlet-name>
    <url-pattern>/UPMessage</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>ANSServlet</servlet-name>
    <url-pattern>/Server</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>WCTPServlet</servlet-name>
    <url-pattern>/WCTPCallback</url-pattern>
    </servlet-mapping>
    <session-config>
    <session-timeout>30</session-timeout>
    </session-config>
    <resource-ref>
    <description>no description</description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <res-type>java.net.URL</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Protected Server</web-resource-name>
    <url-pattern>/Server</url-pattern>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Client</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>Client</role-name>
    </security-role>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <home>com.aether.ans.server.ANSServerHome</home>
    <remote>com.aether.ans.server.ANSServer</remote>
    </ejb-ref>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <ejb-ref-type>Entity</ejb-ref-type>
    <home>com.aether.ans.entity.AlertHome</home>
    <remote>com.aether.ans.entity.Alert</remote>
    </ejb-ref>
    </web-app>
    <?xml version="1.0" ?>
    <!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
    'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
    <weblogic-web-app>
    <description>no description</description>
    <security-role-assignment>
    <role-name>Client</role-name>
    <principal-name>Client</principal-name>
    </security-role-assignment>
    <reference-descriptor>
    <resource-description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <jndi-name>ans.url.dtd</jndi-name>
    </resource-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <jndi-name>ejb.Alert</jndi-name>
    </ejb-reference-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <jndi-name>ejb.ANSServer</jndi-name>
    </ejb-reference-description>
    </reference-descriptor>
    </weblogic-web-app>

    Hi Andrew,
    Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
    Kind Regards,
    Alex

  • Multiple users, using the same web app items?

    I am building a service for families where the parents should be able to read / add / edit the same secure web app items.
    So when logged in, the users have access to the same user-submitted web app items.
    I found a thread answered by Liam and my guess is this is not possible? Can it be partially done, e.g. just let the "family" read the family's items? And no, it is not possible to add / pair the users in the backend because there are too many.
    Any tip where to look? I have tried to use the "unique ID, datasource, unique template" method but do you "wizards" :-) think that's the way to go?
    This thread suggests it's not doable.
    http://forums.adobe.com/message/5547102
    Thanks!
    //Johan
    Formpartner

    Not in association Johan no.
    You can have one "Family" login they all use to log in but it will kick one out if the other logs in and of course, multiple people sharing the same login increases the security risk.
    You can only set one owner as well.

  • How to remove inactive session from monitor users in oracle apps 11i

    Hi All,
    When I am monitoring users from Security - User - Monitor in Apps 11i, it's showing many inactive users.
    I don't know how to remove them.
    kindly help me.
    thanks in advance
    sagb

    Hi hsawwan,
    Thank you very much for the reply, it really worked fine.
    thanx again
    Sagb

  • Single form for secure zone registration and web app submission?

    Hi
    Is it possible to set up a form where a user can simultaneously register for a secure zone and submit a web app entry? The knowledge base / tutorials describe a two-step process (web form for secure zone registration and web app input form for web app submission), but I would like users to be able to do both with a single form.
    Thanks in advance for any suggestions
    mls

    In order to have a customer create a web app item they must be logged into the secure zone already.  I've seen some instructions on how to let users submit web app items outside a secure zone but that requires creating a dummy anonymous user and logging them into the secure zone via javascript.  You could use this method and once it's submitted you'll have to manually attach the web app item to the correct user in the BC Admin.  That might not work for you but you can read more about that at http://forums.adobe.com/docs/DOC-1784
    You can't use the above solution with the current user's username and password because those tags are only available when the user is logged into a secure zone already.  If your signup form needs to be filled out first, the user isn't logged in.
    Your best bet is to have the public signup form redirect the user after submission to an "Add item" form you have created. Make sure that form is in a secure zone so when they add the item it is attached to their account.
    If you don't want to redirect them to a secure zone and want it more seamless you could try to use some javascript/ajax to submit the form via javascript and after the form is submitted, use the javascript code in the above to log them in (be careful to use the https://yoursite.worldsecuresystems.com url if you are passing username and password info gathered from your form to log them in via javascript/ajax).  Once they are logged in via the javascript you can use more ajax to fetch a page's HTML that resides in a secure zone.  This HTML returned from the javascript can be your "add web app item" form and since they were logged in via javascript (securely, right?) this HTML should contain the right information.  Insert this returned HTML into your form container that held the original signup form and they can continue to add a web app item without having to log in.
    This is theory and might work but you'll have to start experimenting with it via javascript.  I haven't actually tried to do this so hopefully some other community members who might have tried this can weigh in here as well.
    Good luck!
