RDBMSRealm ACL for a URL
I have been unable to find or determine how to define an ACL for a URL using
the RDBMSRealm. We have implemented the example RDBMSRealm and I have found
the following about setting ACLs on URLs:
Setting ACLs on URLs
weblogic.security.urlAclFile=urlAclPolicyFile
The weblogic.security.urlAclFile property specifies the name of a policy
file that extends the access control provided by the weblogic.allow
properties for WebLogic Server servlets that serve web pages and files,
including HTML pages, HTTP Servlets, and JSP pages. In the urlAcl policy
file, you can grant users and groups access to specific files and
directories. See Controlling access on URLs for specifics on setting up your
urlAcl policy file.
I want the ACLs for URLs to be read from the RDBMSRealm not from a
urlAclPolicyFile. Can I do it?
Thanks for any help.
there is no way to incorporate the ACL on URL into the RDBMSRealm. further, a
more forward-looking approach to this would be to use the URL access control
mechanisms in WebApplication DeploymentDescriptors. that way, it's J2EE
standard.
see also:
http://www.weblogic.com/docs51/classdocs/webappguide.html#dd_security
.paul
Jon Scoleri wrote:
> I have been unable to find or determine how to define an ACL for a URL using
> the RDBMSRealm. We have implemented the example RDBMSRealm and I have found
> the following about setting ACLs on URLs:
>
> Setting ACLs on URLs
> weblogic.security.urlAclFile=urlAclPolicyFile
> The weblogic.security.urlAclFile property specifies the name of a policy
> file that extends the access control provided by the weblogic.allow
> properties for WebLogic Server servlets that serve web pages and files,
> including HTML pages, HTTP Servlets, and JSP pages. In the urlAcl policy
> file, you can grant users and groups access to specific files and
> directories. See Controlling access on URLs for specifics on setting up your
> urlAcl policy file.
>
> I want the ACLs for URLs to be read from the RDBMSRealm not from a
> urlAclPolicyFile. Can I do it?
> Thanks for any help.
Similar Messages
-
Hi,
we are trying to define ACLs for WebLogic security for JSP
and couldn't manage to do it. In the online documentation there
are examples for servlets but not for HTML or JSP files.
How do the ACLs have to be defined for JSP and HTML files?
Thanks in advance.
GRIDSYSTEMS Bartolome Real Planells
See http://www.weblogic.com/docs51/admindocs/properties.html#urlacl for
details on setting ACLs on URLs...
Bartolome Real Planells wrote:
> Hi,
>
> we are trying to define ACLs for WebLogic security for JSP
> and couldn't manage to do it. In the online documentation there
> are examples for servlets but not for HTML or JSP files.
>
> How do the ACLs have to be defined for JSP and HTML files?
>
> Thanks in advance.
>
> -------------------------------------------------------------------
> GRIDSYSTEMS Bartolome Real Planells
-
Error while creating a deployable proxy for a URL in NWDS
Hi,
There is a requirement for calling a webservice in the .NET platform from JAVA using NWDS. The webservice of the server is pinged using the URL of the webservice. When the URL is passed in the WS Navigator of CRD (that is, the Development Server), the response is retrieved successfully. The version of NWDS is 7.0.23.
We are facing a problem when we try to create a Deployable Proxy in NWDS by using the following steps:
1) Create a Development Component
2) Select the Deployable Proxy
3) Create the Client Proxy Definition of the created DC
At step 3, when we give the URL or WSDL link like "http:// www3.authoring.syngenta/newswebservice.asmx?WSDL" (this is just for example), it shows "Invalid wsdl or wsdl not found ", so we are not able to proceed further.
When we try to create the proxy for the WSDL link like " http:// www.authoring.syngenta/newswebservice.asmx?WSDL", we are able to create it successfully.
Can anyone suggest why we are able to create the proxy for the URL "http:// www.authoring.syngenta/newswebservice.asmx?WSDL" and not for the other URL?
Any pointers or suggestions are very helpful.
Thanks and Regards,
Sreedevi
Late response I know, but I have solved a similar problem recently and thought I would share.
Firstly, the problem is not with the namespace. The "Namespace ..." part is just stating the namespace the "Incorrect Value" has. So this error is complaining about the value "Unknown" - which isn't very helpful.
It appears the SAP SE80 importer does not like elements like the following because it can't understand <s:element ref="s:schema" />. It appears this is a common thing to be included in .NET generated WSDLs.
<s:element minOccurs="0" maxOccurs="1" name="GetCursDynamicResult">
<s:complexType>
<s:sequence>
<s:element ref="s:schema" />
<s:any />
</s:sequence>
</s:complexType>
</s:element>
SAP will also not like this example as it does not support mixed content (see: http://www.w3schools.com/schema/schema_complex_mixed.asp)
<s:element minOccurs="0" maxOccurs="1" name="SaldoXMLResult">
<s:complexType mixed="true">
<s:sequence>
<s:any />
</s:sequence>
</s:complexType>
</s:element>
You can "fix" the problem in both cases by removing the offending text in a local copy of the WSDL file: remove line 4 in the first example and change line 2 in the second to <s:complexType>. The proxy can then be generated. No idea if the resulting service will be fully operational though!
-
Exception on creation of service metadata for WSDL URL
Hi expert,
I'm consuming a WSDL file in my WDJ DC, and on trying to execute I'm getting an exception as follows.
WsdlApp--com.sap.tc.webdynpro.model.webservice.exception.WSModelRuntimeException: Exception on creation of service metadata for WSDL URL 'E:\***********\MIOS_*********_********.wsdl' and service factory configuration 'null'
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.getOrCreateWsrService(WSModelInfo.java:422)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.readOperationsFromWSDL(WSModelInfo.java:372)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.importMetadataInternal(WSModelInfo.java:342)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.importMetadata(WSModelInfo.java:326)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo$Cache.getModelInfo(WSModelInfo.java:199)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.getModelInfoFromCacheOrCreate(WSModelInfo.java:1035)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.getModelInfoFromCacheOrCreate(WSModelInfo.java:248)
at com.sap.tc.webdynpro.model.webservice.gci.WSTypedModel.<init>(WSTypedModel.java:41)
at com.*****.wsdlwdj.batch.****************Batch.<init>(******************Batch.java:51)
at com.*****.wsdlwdj.comp.*************Component.test**********Auth(************Component.java:266)
at com.*****.wsdlwdj.comp.wdp.Internal****Component.test****Auth(Internal********Component.java:331)
at com.*****.wsdlwdj.comp.WsdlView.wdDoInit(WsdlView.java:97)
at com.*****.wsdlwdj.comp.wdp.InternalWsdlView.wdDoInit(InternalWsdlView.java:129)
at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doInit(DelegatingView.java:61)
at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
at com.sap.tc.webdynpro.progmodel.view.View.initController(View.java:445)
at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:709)
at com.sap.tc.webdynpro.progmodel.view.ViewManager.bindRoot(ViewManager.java:579)
at com.sap.tc.webdynpro.progmodel.view.ViewManager.init(ViewManager.java:155)
at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.doOpen(WebDynproWindow.java:295)
at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.show(ApplicationWindow.java:182)
at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.open(ApplicationWindow.java:177)
at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:364)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:783)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:303)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:185)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.setSpnegoParameter(RequestManager.java:963)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:157)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1064)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Caused by: com.sap.engine.services.webservices.jaxrpc.exceptions.WebserviceClientException: GenericServiceFactory initialization problem. Could not load web service model. See nested exception for details.
at com.sap.engine.services.webservices.espbase.client.dynamic.impl.DGenericServiceImpl.generateProxyFiles(DGenericServiceImpl.java:158)
at com.sap.engine.services.webservices.espbase.client.dynamic.impl.DGenericServiceImpl.<init>(DGenericServiceImpl.java:56)
at com.sap.engine.services.webservices.espbase.client.dynamic.GenericServiceFactory.createService(GenericServiceFactory.java:92)
at com.sap.engine.services.webservices.espbase.client.dynamic.GenericServiceFactory.createService(GenericServiceFactory.java:114)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.getOrCreateWsrService(WSModelInfo.java:420)
... 55 more
Caused by: com.sap.engine.services.webservices.jaxrpc.exceptions.ProxyGeneratorException: Proxy Generator Error. Problem with WSDL file parsing. See nested message.
at com.sap.engine.services.webservices.jaxrpc.wsdl2java.ProxyGenerator.generateProxy(ProxyGenerator.java:182)
at com.sap.engine.services.webservices.espbase.client.dynamic.impl.DGenericServiceImpl.generateProxyFiles(DGenericServiceImpl.java:155)
... 59 more
Caused by: com.sap.engine.lib.xml.util.NestedException: IO Exception occurred while parsing file:/usr/sap/*****/JC**/j2ee/cluster/server1/E:/****/FolderName/WSDLNAME.wsdl (No such file or directory) -> java.io.FileNotFoundException: /usr/sap/***/JC**/j2ee/cluster/server1/E:/WSDL FILE/FolderName/wsdlname.wsdl (No such file or directory)
at com.sap.engine.services.webservices.wsdl.WSDLDOMLoader.loadDOMDocument(WSDLDOMLoader.java:1039)
at com.sap.engine.services.webservices.wsdl.WSDLDOMLoader.loadWSDLDocument(WSDLDOMLoader.java:1126)
at com.sap.engine.services.webservices.jaxrpc.wsdl2java.ProxyGenerator.generateProxy(ProxyGenerator.java:178)
... 60 more
Caused by: java.io.FileNotFoundException: /usr/sap/***/JC**/j2ee/cluster/server1/E:/WSDL FILE/FolderName/wsdlname.wsdl (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:106)
at java.io.FileInputStream.<init>(FileInputStream.java:66)
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:69)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:156)
at java.net.URL.openStream(URL.java:913)
at com.sap.engine.lib.xml.parser.AbstractXMLParser.parse(AbstractXMLParser.java:201)
at com.sap.engine.lib.xml.parser.AbstractXMLParser.parse(AbstractXMLParser.java:263)
at com.sap.engine.lib.xml.parser.Parser.parse_DTDValidation(Parser.java:260)
at com.sap.engine.lib.xml.parser.Parser.parse(Parser.java:271)
at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:101)
at com.sap.engine.lib.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:127)
at com.sap.engine.services.webservices.wsdl.WSDLDOMLoader.loadDOMDocument(WSDLDOMLoader.java:1023)
... 62 more
Regards
Govardan
I'm using 7.01 and here we have options to use No Logical Destinations, but now I created destinations in Visual Admin at Server>Services>Web Service Security>WebService Clients>Sap.com-->Dynamic WS Proxies, as WS_METADATA_DEST and WS_MODELDATA_DEST, and have filled in other details too, like URL, user name, password etc.
Now I'm getting another error, as shown below. Please help.
com.****.wsdlwdj.applicaiton.WsdlApp
[EXCEPTION]
com.sap.tc.webdynpro.model.webservice.exception.WSModelRuntimeException: Exception on creation of service metadata for WS metadata destination 'WS_METADATA_DEST' and WS interface '{http://****.com/****}MIOS_Matrix***********'. One possible reason is that the metadata destination 'WS_METADATA_DEST' has not been properly configured; check configuration.
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.getOrCreateWsrService(WSModelInfo.java:440)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.readOperationsFromWSDL(WSModelInfo.java:372)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.importMetadataInternal(WSModelInfo.java:342)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.importMetadata(WSModelInfo.java:326)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo$Cache.getModelInfo(WSModelInfo.java:199)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.getModelInfoFromCacheOrCreate(WSModelInfo.java:1035)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.getModelInfoFromCacheOrCreate(WSModelInfo.java:248)
at com.sap.tc.webdynpro.model.webservice.gci.WSTypedModel.<init>(WSTypedModel.java:41)
at com.****.wsdlwdj.model.test.TestModel.<init>(TestModel.java:51)
at com.****.wsdlwdj.comp.VcWsdlComponent.matrixAuthExecut(VcWsdlComponent.java:448)
at com.****.wsdlwdj.comp.wdp.InternalVcWsdlComponent.matrixAuthExecut(InternalVcWsdlComponent.java:280)
at com.****.wsdlwdj.comp.VcWsdlComponent.wdDoInit(VcWsdlComponent.java:132)
at com.****.wsdlwdj.comp.wdp.InternalVcWsdlComponent.wdDoInit(InternalVcWsdlComponent.java:225)
at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:783)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:303)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:185)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.setSpnegoParameter(RequestManager.java:963)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:157)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1064)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Caused by: com.sap.engine.services.webservices.espbase.discovery.BaseIOException: Invalid Response Code 500 while accessing URL: http://devpid:8000/sap/xi/engine?type=entry&version=3.0&Sender.Service=BS_****_PORTAL&Interface=http%3A%2F%2F****.com%2Fbank_report%5EMIOS_Authorizers_List_Portal&sap-user=xi_portal&sap-password=****1234. Response Message: Empty HTTP request received. Content Type: text/xml. Body Content: <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP:Header>
</SOAP:Header>
<SOAP:Body>
<SOAP:Fault xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><faultcode>SOAP:Client</faultcode><faultstring>Empty HTTP request received</faultstring><faultactor>http://sap.com/xi/XI/Message/30</faultactor><detail><SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1"><SAP:Category>XIProtocol</SAP:Category><SAP:Code area="MESSAGE">EMPTY_HTTP_REQUEST_RECEIVED</SAP:Code><SAP:P1/><SAP:P2/><SAP:P3/><SAP:P4/><SAP:AdditionalText/><SAP:ApplicationFaultMessage namespace=""/><SAP:Stack>Empty HTTP query received; message processing not possible
</SAP:Stack></SAP:Error></detail></SOAP:Fault>
</SOAP:Body>
</SOAP:Envelope>
at com.sap.engine.services.webservices.server.management.discovery.DestinationsResolver.resolveURL(DestinationsResolver.java:246)
at com.sap.engine.services.webservices.server.management.discovery.DestinationsResolver.resolveEntity(DestinationsResolver.java:130)
at com.sap.engine.services.webservices.espbase.query.WSQueryImpl.initialize(WSQueryImpl.java:184)
at com.sap.engine.services.webservices.espbase.query.WSQueryImpl.findWSInterfaces(WSQueryImpl.java:151)
at com.sap.engine.services.webservices.server.management.discovery.ServiceDiscoveryImpl.getWSDLUrl(ServiceDiscoveryImpl.java:71)
at com.sap.engine.services.webservices.espbase.client.dynamic.GenericServiceFactory.createService(GenericServiceFactory.java:134)
at com.sap.tc.webdynpro.model.webservice.metadata.WSModelInfo.getOrCreateWsrService(WSModelInfo.java:429)
... 49 more
-
IPv6 ACLs for ZBFW with changing IPv6 prefix?
Hi all
Is there a trick to keep IPv6 ACLs for ZBFW working when the IPv6 prefix will change ?
Background:
6RD based residential internet access.
Provider has a /28 6RD-Prefix, and will append the whole 32bits of the DHCP assigned public IPv4 address, leaving a /60 to use at home. Inside should be subnet 0, DMZ should be subnet 1 from that /60.
A few of my DMZ IPv6 hosts should be reachable from the outside world on specific udp/tcp ports, without having to open the whole DMZ subnet towards the IPv6 internet.
No big deal, one would think...
zone security Z-INTERNET
 description * the outside world *
zone security Z-DMZ
zone security Z-OUTSIDE
zone-pair security ZP-OUTSIDE-TO-DMZ source Z-OUTSIDE destination Z-DMZ
 service-policy type inspect PMAP-INBOUND-TRAFFIC
policy-map type inspect PMAP-INBOUND-TRAFFIC
 class type inspect CMAP-IN-TRACE-TRAFFIC
  pass
 class type inspect CMAP-IN-INSPECT-TRAFFIC
  inspect
 class class-default
  drop log
class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
 match access-group name ACLv6-ICMP-UNREACH <-- some ICMP listed in this ACL, irrelevant here
class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
 match access-group name ACLv6-INBOUND-TRAFFIC
Now.. what would I put into ACLv6-INBOUND-TRAFFIC? Manually setting...
ipv6 access-list ACLv6-INBOUND-TRAFFIC
 sequence 10 permit tcp any host <MYcurrent6RDPREFIX>1::<$MYHOSTID> eq http
... works well, until MYcurrent6RDPREFIX becomes MYnew6RDPREFIX. It does so seldom, but it does, especially after outages.
For addressing (and re-addressing) the DMZ interface, "ipv6 general prefix MY6RDPREFIX 6rd tunnel6" helps a lot and it works pretty well.
However, one cannot seem to make use of "ipv6 general prefix" in an ipv6 ACL, neither as source nor destination (and neither when defining a stateful DHCPv6 server, for that matter).
router6rd(config-ipv6-acl)#permit ip any ?
X:X:X:X::X/<0-128> IPv6 destination prefix x:x::y/<z>
any Any destination prefix
host A single destination host
router6rd(config-ipv6-acl)#
D'oh. What now?
I do know that scanning the whole /64 would take aeons to complete, but I would like to use predetermined addresses with SLAAC and stateless DHCPv6 (with the help of http://man7.org/linux/man-pages/man8/ip-token.8.html).
Opening the entire subnet makes me cringe, even more since these hosts are bound to be in some public DNS as well. For that matter, it becomes largely irrelevant if the Host-ID comes from ip-token, EUI-64, RFC7217 or privacy extensions (all right, the latter wouldn't quite apply here, I know).
Am I caught in the "IPv6 is like IPv4 but with longer addresses" trap? Should I just do away with my wish to have only the given DMZ servers reachable, and open up the entire subnet?
Or: Is there a completely different way of doing ZBFW things in IPv6 that I didn't think of?
thanks for your thoughts and ideas.
Marc -
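The address arithmetic described in the 6RD question above (a /28 6RD prefix followed by all 32 bits of the WAN IPv4 address, DMZ as subnet 1 of the resulting /60), as an added example that is not part of the original post: it rebuilds the per-host ACL entries for fixed host IDs whenever the WAN address changes. The 6RD prefix, IPv4 addresses, host IDs and ports are constructed sample values, ports are rendered numerically, and pushing the lines to the router is left out.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the post.
SIXRD_PREFIX = "2001:db0::/28"        # provider's 6RD prefix
DMZ_SUBNET = 1                        # "DMZ should be subnet 1 from that /60"
ACL_NAME = "ACLv6-INBOUND-TRAFFIC"    # ACL name used in the post
SERVICES = [                          # (fixed host ID, protocol, port)
    ("::80", "tcp", 80),
    ("::53", "udp", 53),
]


def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4):
    """Return the 6RD prefix bits followed by all 32 bits of the IPv4 address."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4 = ipaddress.IPv4Address(wan_ipv4)
    plen = net.prefixlen + 32
    if plen > 64:
        raise ValueError("no room left for a /64 behind this 6RD prefix")
    base = int(net.network_address) | (int(v4) << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def host_address(delegated, subnet_id, interface_id):
    """Combine the delegated prefix, a subnet number and a fixed host ID."""
    if not 0 <= subnet_id < (1 << (64 - delegated.prefixlen)):
        raise ValueError("subnet %d does not fit in %s" % (subnet_id, delegated))
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> 64:
        raise ValueError("host ID must only use the low 64 bits")
    return ipaddress.IPv6Address(
        int(delegated.network_address) | (subnet_id << 64) | iid)


def render_acl(name, delegated, subnet_id, services):
    """Render one 'permit ... host ...' entry per published service."""
    lines = ["ipv6 access-list %s" % name]
    for index, (iid, proto, port) in enumerate(services, start=1):
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError("bad service %r/%r" % (proto, port))
        addr = host_address(delegated, subnet_id, iid)
        lines.append(" sequence %d permit %s any host %s eq %d"
                     % (index * 10, proto, addr, port))
    return lines


def acl_for_wan_address(wan_ipv4):
    """Full ACL text for the current WAN IPv4 address."""
    delegated = sixrd_delegated_prefix(SIXRD_PREFIX, wan_ipv4)
    return render_acl(ACL_NAME, delegated, DMZ_SUBNET, SERVICES)


if __name__ == "__main__":
    # Same host IDs and ports, two different DHCP leases on the WAN side.
    for wan in ("192.0.2.1", "198.51.100.7"):
        print("! WAN address %s" % wan)
        print("\n".join(acl_for_wan_address(wan)))
```

Only the host IDs and ports stay fixed between runs; everything left of the /64 boundary is recomputed from the WAN address, so the ACL never has to open the whole DMZ subnet.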
Steps to generate Token for opendoc url call in XI3.1
Hi Guys,
I am quite new to SDKs and Java programming.
I am trying to get some help in generating a token for the opendoc URL to avoid login while trying to access a report in InfoView.
From a previous post I got this code:
<%@ page import="com.crystaldecisions.sdk.framework.*" %>
<%@ page import="com.crystaldecisions.sdk.exception.SDKException" %>
<%@ page import="com.crystaldecisions.sdk.occa.security.*" %>
<%
boolean loginSuccessful = false;
IEnterpriseSession boEnterpriseSession = null;
String username = "Administrator";
String password = "pwd";
String cmsname = "CMS";
String authenticationType = "secEnterprise";
try {
    // Log in.
    boEnterpriseSession = CrystalEnterprise.getSessionMgr().logon(username, password, cmsname, authenticationType);
    if (boEnterpriseSession == null) {
        out.print("<FONT COLOR=RED><B>Unable to login.</B></FONT>");
    } else {
        loginSuccessful = true;
    }
} catch (SDKException sdkEx) {
    out.print("<FONT COLOR=RED><B>ERROR ENCOUNTERED</B><BR>" + sdkEx + "</FONT>");
}
if (loginSuccessful) {
    // Create a logon token for the session and redirect to InfoView with it.
    ILogonTokenMgr boLogonTokenMgr = boEnterpriseSession.getLogonTokenMgr();
    String logonToken = boLogonTokenMgr.createLogonToken("", 60, 1);
    String infoViewURL = null;
    String tokenParam = null;
    String redirectURL = null;
    infoViewURL = "http://server:8080/InfoViewApp/logon.jsp";
    tokenParam = "ivsLogonToken=" + logonToken;
    redirectURL = infoViewURL + "&" + tokenParam;
    response.sendRedirect(redirectURL);
}
%>
The problem is I don't know where to put this code in the opendoc.jsp file.
I tried to create a custom OpenDoc.jsp with the above code, leaving the original opendoc.jsp as it is, and used this custom JSP file in the opendoc URL. This is taking me to the InfoView login page and I see that a token is created at the end of the URL but it is not passed.
Can somebody help me to understand where exactly to put this code in the opendoc.jsp and any correction to this code or additional steps to get it working.
Any help is greatly appreciated!
The code above is meant to redirect you to InfoView. Change the last bit of code as follows:
//add any opendocument parameters to the URL here
String openDocURL = "http://server:8080/OpenDocument/opendoc/openDocument.jsp";
tokenParam = "token=" + logonToken;
redirectURL = openDocURL + "&" + tokenParam;
response.sendRedirect(redirectURL);
-
Problem creating Network ACL for a ROLE in Oracle 11gR2
According to Oracle Documentation when you create a new Network ACL you can add privileges to a user or role. I need to create a new ACL for the UTL_SMTP package for a specific role, but when I granted it the users who have that role are still getting the "ORA-24247: network access denied by access control list (ACL)" error when they try to send an email. If I grant the ACL privilege to the same users directly it works fine. Is there any step I'm missing? This is the test I have made on my Solaris 10 - Oracle 11gR2 (11.2.0.3) Standard Edition server:
SQL*Plus: Release 11.2.0.1.0 Production on Wed Aug 21 09:31:52 2013
Copyright (c) 1982, 2010, Oracle. All rights reserved.
SQL> CONNECT system/******@testdb
Connected.
SQL> SET LINES 1000
SQL> SELECT * FROM v$version;
BANNER
Oracle Database 11g Release 11.2.0.3.0 - 64bit Production
PL/SQL Release 11.2.0.3.0 - Production
CORE 11.2.0.3.0 Production
TNS for Solaris: Version 11.2.0.3.0 - Production
NLSRTL Version 11.2.0.3.0 - Production
SQL> COLUMN host FORMAT A20
SQL> COLUMN lower_port FORMAT 99999
SQL> COLUMN upper_port FORMAT 99999
SQL> COLUMN acl FORMAT A40
SQL> COLUMN acl FORMAT A40
SQL> COLUMN principal FORMAT A15
SQL> COLUMN privilege FORMAT A10
SQL> COLUMN is_grant FORMAT A8
SQL> COLUMN status FORMAT A10
SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
no rows selected
SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
no rows selected
SQL> CREATE USER testacl IDENTIFIED BY testacl;
User created.
SQL> GRANT CONNECT TO testacl;
Grant succeeded.
SQL>
SQL> BEGIN
2 dbms_network_acl_admin.create_acl('test_smtp.xml','TEST SMTP ACL','TESTACL',true,'connect');
3 dbms_network_acl_admin.assign_acl('test_smtp.xml','localhost',25);
4 commit;
5 END;
6 /
PL/SQL procedure successfully completed.
SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
HOST LOWER_PORT UPPER_PORT ACL
localhost 25 25 /sys/acls/test_smtp.xml
SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
ACL PRINCIPAL PRIVILEGE IS_GRANT
/sys/acls/test_smtp.xml TESTACL connect true
After creating this ACL I test it like this:
SQL> CONNECT testacl/testacl@testdb
Connected.
SQL> SELECT host, lower_port, upper_port, privilege, status FROM user_network_acl_privileges;
HOST LOWER_PORT UPPER_PORT PRIVILEGE STATUS
localhost 25 25 connect GRANTED
SQL> DECLARE
2 c utl_smtp.connection;
3 BEGIN
4 c := utl_smtp.open_connection('localhost', 25); -- SMTP on port 25
5 utl_smtp.helo(c, 'localhost');
6 utl_smtp.mail(c, 'Oracle11.2');
7 utl_smtp.rcpt(c, '[email protected]');
8 utl_smtp.data(c,'From: Oracle'||utl_tcp.crlf||'To: [email protected]'||utl_tcp.crlf||'Subject: UTL_SMTP TEST'||utl_tcp.crlf||'');
9 utl_smtp.quit(c);
10 END;
11 /
PL/SQL procedure successfully completed.
SQL>
This works fine and I receive the email correctly. Now if I try to do the same thing for a role:
SQL> CONNECT system/******@testdb
Connected.
SQL> BEGIN
2 dbms_network_acl_admin.drop_acl('test_smtp.xml');
3 commit;
4 END;
5 /
PL/SQL procedure successfully completed.
SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
no rows selected
SQL> CREATE ROLE testacl_role;
Role created.
SQL> GRANT testacl_role TO testacl;
Grant succeeded.
SQL> ALTER USER testacl DEFAULT ROLE ALL;
User altered.
SQL>
SQL> BEGIN
2 dbms_network_acl_admin.create_acl('test_smtp.xml','TEST SMTP ACL','TESTACL_ROLE',true,'connect');
3 dbms_network_acl_admin.assign_acl('test_smtp.xml','localhost',25);
4 commit;
5 END;
6 /
PL/SQL procedure successfully completed.
SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
HOST LOWER_PORT UPPER_PORT ACL
localhost 25 25 /sys/acls/test_smtp.xml
SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
ACL PRINCIPAL PRIVILEGE IS_GRANT
/sys/acls/test_smtp.xml TESTACL_ROLE connect true
SQL>
And now I test it again with the same user:
SQL> CONNECT testacl/testacl@testdb
Connected.
SQL>
SQL> SELECT host, lower_port, upper_port, privilege, status FROM user_network_acl_privileges;
no rows selected
SQL> DECLARE
2 c utl_smtp.connection;
3 BEGIN
4 c := utl_smtp.open_connection('localhost', 25); -- SMTP on port 25
5 utl_smtp.helo(c, 'localhost');
6 utl_smtp.mail(c, 'Oracle11.2');
7 utl_smtp.rcpt(c, '[email protected]');
8 utl_smtp.data(c,'From: Oracle'||utl_tcp.crlf||'To: [email protected]'||utl_tcp.crlf||'Subject: UTL_SMTP TEST'||utl_tcp.crlf||'');
9 utl_smtp.quit(c);
10 END;
11 /
DECLARE
ERROR at line 1:
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_TCP", line 17
ORA-06512: at "SYS.UTL_TCP", line 267
ORA-06512: at "SYS.UTL_SMTP", line 161
ORA-06512: at "SYS.UTL_SMTP", line 197
ORA-06512: at line 4
SQL>
I'm aware that role privileges don't apply inside procedures, functions or packages by default, but this is an anonymous block so it should use the active roles for the user. I also tried adding a "dbms_session.set_role('TESTACL_ROLE');" at the beginning of the anonymous PL/SQL block but I got the same access error.
Thanks in advance for any help you can give to me on this question, it would be very hard to grant the ACL to all the individual users as they are more than 1000, and we create more regularly.
Thanks for your quick reply... I don't have a problem creating the basic ACL with the privileges granted for a user. The problem appears when I try to create an ACL with privileges for a ROLE. You can see here http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_networkacl_adm.htm#BABIGEGG that the official Oracle documentation states that you can assign the ACL principal to be a user or role:
Parameter | Description
acl | Name of the ACL. Relative path will be relative to "/sys/acls".
description | Description attribute in the ACL
principal | Principal (database user or role) to whom the privilege is granted or denied. Case sensitive.
My issue is that when I try to create the ACL for a role it doesn't work.
Have you ever created an ACL for a role? If so, please send me an example or let me know which step I might be missing. Cheers. -
The precondition on the request for the URL / evaluated to false
Hi,
I get error message when connect on secure 443 port:
"The precondition on the request for the URL / evaluated to false."
Problem in:
<Location />
SetHandler weblogic-handler
WLExcludePathOrMimeType /DocumentServer
</Location>
It works in httpd.conf, but does NOT work in ssl.conf
We are using WL8.1 and Apache 2.0.48
Thanks,
Oleg.
Have you looked at the support pattern for SSL and Web Server plug-ins?
https://support.bea.com/application_content/product_portlets/support_patterns/wls/SSLAndPlug-inPattern.html -
Help on generating token for opendoc url in XI3.1
Hi Guys,
I am trying to get some help in generating token for opendoc url to avoid login while trying to access a report in Infoview.
From a previous post I got this code:
<%@ page import="com.crystaldecisions.sdk.framework.*" %>
<%@ page import="com.crystaldecisions.sdk.exception.SDKException" %>
<%@ page import="com.crystaldecisions.sdk.occa.security.*" %>
<%
boolean loginSuccessful = false;
IEnterpriseSession boEnterpriseSession = null;
String username = "Administrator";
String password = "pwd";
String cmsname = "CMS";
String authenticationType = "secEnterprise";
try {
    //Log in.
    boEnterpriseSession = CrystalEnterprise.getSessionMgr().logon(username, password, cmsname, authenticationType);
    if (boEnterpriseSession == null) {
        out.print("Unable to login.");
    } else {
        loginSuccessful = true;
    }
} catch (SDKException sdkEx) {
    out.print("ERROR ENCOUNTERED " + sdkEx + "");
}
if (loginSuccessful) {
    ILogonTokenMgr boLogonTokenMgr = boEnterpriseSession.getLogonTokenMgr();
    // createLogonToken(clientComputerName, validMinutes, validNumOfLogons)
    String logonToken = boLogonTokenMgr.createLogonToken("", 60, 1);
    String infoViewURL = null;
    String tokenParam = null;
    String redirectURL = null;
    infoViewURL = "http://server:8080/InfoViewApp/logon.jsp";
    tokenParam = "ivsLogonToken=" + logonToken;
    redirectURL = infoViewURL + "&" + tokenParam;
    response.sendRedirect(redirectURL);
}
%>
The problem is I don't know where to put this code in the opendoc.jsp file.
I tried to create a custom OpenDoc.jsp with the above code, leaving the original opendoc.jsp as it is. And used this custom jsp file in the opendoc url. This is taking me to Infoview login page and I see that a token is created at the end of the url but it is not passed.
Can somebody help me to understand where exactly to put this code in the opendoc.jsp and any correction to this code or additional steps to get it working.
Any help is greatly appreciated
Stratos,
Thanks for your inputs,
I changed the code as you suggested, now my whole code looks like:
<%@ page import="com.crystaldecisions.sdk.framework.*" %>
<%@ page import="com.crystaldecisions.sdk.exception.SDKException" %>
<%@ page import="com.crystaldecisions.sdk.occa.security.*" %>
<%
boolean loginSuccessful = false;
IEnterpriseSession boEnterpriseSession = null;
String username = "user";
String password = "Password";
String cmsname = "Server";
String authenticationType = "secEnterprise";
try {
    //Log in.
    boEnterpriseSession = CrystalEnterprise.getSessionMgr().logon(username, password, cmsname, authenticationType);
    if (boEnterpriseSession == null) {
        out.print("<FONT COLOR=RED><B>Unable to login.</B></FONT>");
    } else {
        loginSuccessful = true;
    }
} catch (SDKException sdkEx) {
    out.print("<FONT COLOR=RED><B>ERROR ENCOUNTERED</B><BR>" + sdkEx + "</FONT>");
}
if (loginSuccessful) {
    ILogonTokenMgr boLogonTokenMgr = boEnterpriseSession.getLogonTokenMgr();
    // createLogonToken(clientComputerName, validMinutes, validNumOfLogons)
    String logonToken = boLogonTokenMgr.createLogonToken("", 60, 1);
    //String logonToken = boLogonTokenMgr.getDefaultToken();
    String infoViewURL = null;
    String tokenParam = null;
    String redirectURL = null;
    infoViewURL = "http://Server:8080/InfoViewApp/logon.jsp";
    tokenParam = "ivsLogonToken=" + logonToken;
    redirectURL = infoViewURL + "&" + tokenParam;
    pageContext.forward("openDocument.jsp?iDocID=" + 4668 + "&token=" + tokenParam);
}
%>
But I am still getting the Infoview Login Page . The url on the login page is
http://server:8080/OpenDocument/opendoc/logonTrustedAuth.do?appKind=InfoView&iDocID=4668&isApplication=true&token=ivsLogonToken%server%3A6400%4021181JIipxt70VM0kd90v21179JFd4dHn7kW2FKSBi
We can see that a token is being generated and appended to this url but it is not passing the user name and password.
Please let me know what you think about this. -
Enable/disable ACLs for a volume
where is the option enable/disable ACLs for a volume in leopard server 10.5x?
I searched in Server Admin and there Volumes … but I can't find this option which is described in this forum ?!
Hi
By default Access Control Lists (ACLs) are enabled on Leopard Server (10.5). The situation was different on Tiger Server (10.4) as you had to enable ACLs for each mounted volume.
To disable ACLs on Leopard Server you have to use the command line:
sudo fsaclctl -p path -d
to disable and to enable:
sudo fsaclctl -p path -e
As with 10.4, it's a good idea to restart the server after disabling or enabling ACLs, otherwise ACLs won't take. Strictly speaking this should only be true of the Boot volume although in my view it's worth doing it for any other mounted volume you are going to be using for sharing.
To display ACL status for all mounted volumes issue this command:
fsaclctl -a
for a specific volume it's:
fsaclctl -p path
where path is the name of the volume - you can drag drop the desired volume into the terminal window to show its full path. For example you could have:
fsaclctl -p /
/ is terminal shorthand for the boot volume. Regardless of how you do it you should see something like this:
Access control lists are supported on /Volumes/Data HD
Tony -
RE: Acls for a particular users
Hi,
I want to get a list of Acls for a particular user. Can anyone tell me how
to achieve this. I am using the RDBMS Realm Implementation.
After user logs in, I want to present the user with a list of applications
that the user is authorized. To do this, I need to get a list of Acls for
this user. I tried to implement a method in the DefaultRealmExtender which
gets all the Acls and then checks for permission "execute". This works fine
when the jsp is displayed, but if I leave the browser for a while and then
refresh the page, the entire weblogic shuts down. After debugging, I found
out that it blows up when it tries to check the permission. Any help will be
appreciated.
Thanks,
Gajendra Sanil
Hi VB,
Thanks for your response. But the applicant is still active for some of the Vacancies. I can't delete that person.
We can do this from the applicant form. Nav: Vacancies--> Applicants--> select the rejected applicants--> In the application tab there is one field called "Reconsider Applicant". If you select the reason you will be able to consider that applicant for that same vacancy, but in the applicant tab I am not finding the reason field only for this applicant. I think this applicant performed some different step while he withdrew the application.
Joshna. -
Query: Setting ACL for Roles and Programmatic Approach
Hi All
I'm trying to setup ACL for Roles on WCC(11.1.1.8) server by following the blog https://blogs.oracle.com/kyle/entry/access_control_lists_for_roles using Framework folder and have few queries
Query 1:
Created new folder and associate enterprise roles under Role access list
1. Created a new folder 'MyFolder' with Security group 'Secure', owner 'weblogic'.
2. Assigned Role 'Deployers' under Role Access List with RW permissions.
3. In Admin console, associated user 'jcooper' with 'Deployers' group and 'jausten' with no group.
4. Logged in using 'jcooper' and able to access 'MyFolder'.
5. Logged in using 'jausten' and also able to access 'MyFolder'
Observation
Since user 'jausten' is not associated with 'Deployers' group, how can 'jausten' access the folder? Am I missing some configurations here. Please let me know setup steps to achieve this functionality in desired manner.
Query 2:
Created a prototype using RIDC to create a folder programmatically and assigning RAL to the created folder
DataBinder requestData = client.createBinder();
requestData.putLocal("IdcService", "FLD_CREATE_FOLDER");
requestData.putLocal("fParentGUID", getFolderGUID("/"));
requestData.putLocal("fFolderName", "TestFolder");
requestData.putLocal("xClbraRoleList", ":Deployers(RW)");
ServiceResponse updateResponse = client.sendRequest(connectionContext, requestData);
Observation
Folder got created successfully, but 'Deployers' Role not assigned under Role access list.
Query 3:
Created a prototype using RIDC to assign enterprise roles to the existing folder
DataBinder requestData = client.createBinder();
requestData.putLocal("IdcService", "FLD_EDIT_FOLDER");
requestData.putLocal("fFolderGUID", getFolderGUID("/TestFolder"));
requestData.putLocal("path", "/TestFolder");
requestData.putLocal("xClbraRoleList", ":Deployers(RW)");
ServiceResponse updateResponse = client.sendRequest(connectionContext, requestData);
Observation
Role got associated with folder under Metadata section, whereas folder information section does not contain the reference of updated role e.g. Edit Folder Information section on WCC UI not showing the added role, whereas Edit Metadata values section of UI showing this role.
Please suggest what I'm missing in configuration/code and appropriate way to achieve the functionality.
Thanks.
Thanks Jonathan!!
Query 2 and 3 answered by this setting and it worked fine.
Could you please also assist on Q.1
Query 1:
Created new folder and associate enterprise roles under Role access list
1. Created a new folder 'MyFolder' with Security group 'Secure', owner 'weblogic'.
2. Assigned Role 'Deployers' under Role Access List with RW permissions.
3. In Admin console, associated user 'jcooper' with 'Deployers' group and 'jausten' with no group.
4. Logged in using 'jcooper' and able to access 'MyFolder'.
5. Logged in using 'jausten' and also able to access 'MyFolder'
Observation
Since user 'jausten' is not associated with 'Deployers' group, how can 'jausten' access the folder?
Am I missing some config? -
ISAPI plugin setup for Idempotent --- URL level
The document http://www.weblogic.com/docs51/admindocs/isapi.html#ini says
Idempotent=ON/OFF is a URL level flag, does this mean I can indicate which
servlet is idempotent and which is not ? but it fails to tell me how to set
it for different URL, what's the setup look like?
iisproxy.ini
weblogichost=myserver
weblogicport=7001
Idempotent=ON --- this would make everything idempotent, how about if I
want /idem/*.jsp all idempotent and /noidem/*.jsp not idempotent ?
thanks
No you cannot set it per servlet, it is an application level flag.
I think the doc is confusing so we will correct it.
Current doc says:
"This is a URL level flag. By default it will be "ON". This means that if the
servers do not respond within HungServerRecoverSecs, the plug-ins will failover.
If set to "OFF" the plug-ins will not failover. It can be
set differently for different URL's or Mime types."
The correct statement for ISAPI should be:
"This is an application level flag. But it can be set differently for different
iisproxy.ini files. By default it will be
"ON". This means that if the servers do not respond within
HungServerRecoverSecs, the plug-ins will
failover. If set to "OFF" the plug-ins will not failover."
By "It can be set differently for different iisproxy.ini files", I mean the
following. You can point to different
iisproxy.dll's for different Virtual directories in IIS. So in each of those
IISproxy.ini files
you can have a different value for the Idempotent parameter.
NSAPI and Apache plugins support multiple objects so the above statement is true
up to some extent for them.
But then again you cannot set it for each servlet differently there too, unless
you have a dedicated object for
each servlet in NSAPI, which is theoretically correct but would be a ridiculous
design :)
Thanks for pointing out. We will correct the docs. Sorry for the confusion.
--Vinod.
Tony Lu wrote:
> The document http://www.weblogic.com/docs51/admindocs/isapi.html#ini says
> Idempotent=ON/OFF is a URL level flag, does this mean I can indicate which
> servlet is idempotent and which is not ? but it fails to tell me how to set
> it for different URL, what's the setup look like?
>
> iisproxy.ini
>
> weblogichost=myserver
> weblogicport=7001
> Idempotent=ON --- this would make everything idempotent, how about if I
> want /idem/*.jsp all idempotent and /noidem/*.jsp not idempotent ?
>
> thanks
-
Hi,
I'm having a problem creating an ACL to allow DHCP.
I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.
Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.
I seem to remember that the ACL for DHCP was a little odd - this is what I currently have:
permit udp any host 172.16.30.4 log
permit tcp any host 172.16.30.4 log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log
deny ip any any (28 matches)
172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified whilst debugging this problem - my initial config was for ports 67 and 68.
I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.
The IP helper address is configured on the interface and is 172.16.30.4.
Can someone let me know what I'm missing?
Cheers,
Steve
Hi,
Thanks for the response - I'll try the ACL for DHCP shortly.
With regard to the ACL:
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
you are correct, that is for DNS.
However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?
Cheers,
Steve -
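The symptom in the first post of this thread (hits on `deny ip any any` although UDP to 172.16.30.4 is permitted), as an added example that is not part of the thread: a small first-match evaluator run over the posted ACL. It assumes the ACL is applied inbound on the client VLAN interface, so it sees the client's broadcast before `ip helper-address` relays it; the packets and the two replacement DHCP entries are constructed for illustration.

```python
import ipaddress

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}  # IOS port keywords used below

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume one address spec: any | host A | A WILDCARD -> (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (_ip(tok.pop(0)), 0)
    return (_ip(first), _ip(tok.pop(0)))

def _port(tok):
    """Consume an optional 'eq PORT' clause."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORTS[name] if name in PORTS else int(name)
    return None

def parse_ace(line):
    tok = line.split()
    ace = {"action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _addr(tok), _port(tok)
    ace["dst"], ace["dport"] = _addr(tok), _port(tok)
    ace["established"] = "established" in tok  # a trailing 'log' is ignored
    return ace

def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    for side in ("src", "dst"):
        addr, wild = ace[side]
        # Wildcard bits set to 1 are "don't care" bits.
        if (_ip(pkt[side]) | wild) != (addr | wild):
            return False
    for key in ("sport", "dport"):
        if ace[key] is not None and pkt.get(key) != ace[key]:
            return False
    # 'established' only matches TCP segments carrying ACK or RST.
    if ace["established"] and not pkt.get("ack_or_rst", False):
        return False
    return True

def evaluate(acl, pkt):
    """First match wins; every ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], line
    return "deny", "(implicit deny)"

# The ACL as posted in the thread (hit counter dropped from the last line).
PAGE_ACL = [
    "permit udp any host 172.16.30.4 log",
    "permit tcp any host 172.16.30.4 log",
    "permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log",
    "permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log",
    "permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log",
    "deny ip any any",
]
# Assumed replacement for the two broad debugging entries (not from the thread):
# one entry for the client's broadcast, one for unicast renewals to the server.
DHCP_ONLY = [
    "permit udp any eq bootpc host 255.255.255.255 eq bootps",
    "permit udp 172.16.36.0 0.0.0.255 eq bootpc host 172.16.30.4 eq bootps",
]
FIXED_ACL = DHCP_ONLY + PAGE_ACL[2:]

# Constructed packets: a client with no address yet, a lease renewal, unrelated UDP.
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68,
            "dst": "255.255.255.255", "dport": 67}
RENEW = {"proto": "udp", "src": "172.16.36.50", "sport": 68,
         "dst": "172.16.30.4", "dport": 67}
OTHER_UDP = {"proto": "udp", "src": "172.16.36.50", "sport": 40000,
             "dst": "172.16.30.4", "dport": 161}

if __name__ == "__main__":
    for name, pkt in (("DISCOVER", DISCOVER), ("RENEW", RENEW), ("OTHER_UDP", OTHER_UDP)):
        print(name, "posted:", evaluate(PAGE_ACL, pkt), "fixed:", evaluate(FIXED_ACL, pkt))
```

The DHCPDISCOVER is addressed to 255.255.255.255, so no entry naming the helper address as destination can match it; the unicast renewal is the only DHCP packet the posted ACL lets through.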
"cannot create jbcd driver of class " for connect URL 'null'" error
I am trying to get an application that is currently working fine on a Windows platform to work in a Linux environment.
One thing that is different from my setup in Windows, and also one that I have no experience with, is the Linux-Ubuntu default install of Apache uses Virtual Hosts and Tomcat's equivalent multiple sessions.
I'm running the app out of the usr/share/tomcat6/webapps/msgboard instance of Tomcat vs var/lib/tomcat6.
I am calling the application from Apache Virtual Host port 80 using mod_jk. The application cannot run under native Tomcat because of the extensive use of PHP. Everything else in the application is working correctly including a DWR (Ajax) servlet. However I also tried a simple test app from native Tomcat and got the same results.
I also tried connecting with jdbc:mysql://localhost:3306/msgboard?autoreconnect=true&user=root&password=password at the terminal prompt and got
bash: jdbc:mysql://localhost/msgboard?autoreconnect=true: No such file or directory
[1]7074
[2] 7048
[1] Exit 127 jdbc:mysql://localhost/msgboard?autoreconnect=true
[2]+ Done
syslog error is
Feb 23, 2009 3:01:51 PM org.directwebremoting.util.CommonsLoggingOutput info INFO: Exec: Online.getPosts()
Feb 23 15:01:51 ubuntu jsvc.exec[6779]: org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class '' for connect URL 'null'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Feb 23 15:01:51 ubuntu jsvc.exec[6779]: Caused by: java.sql.SQLException: No suitable driver
Following is all the pertinent setup info for reference and critique. Any suggestions would be greatly appreciated.
Apache2.2
Tomcat6
JDBC
mod_jk
Java (not sure what ver, it's the default Ubuntu install ver.)
PHP
Currently I am pointing to mysql-connector-java.jar in my CLASSPATH at /usr/share/java/mysql-connector-java.jar. Added symlinks commons-dbcp.jar, commons-logging.jar to usr/share/tomcat6/lib
Application is deployed from usr/share/tomcat6/webapps/msgboard
The basic code snippet in class calling the jdbc
WEB-INF/classes/dbLink.class
Context ctx = new InitialContext();
DataSource ds = (DataSource)ctx.lookup("java:comp/env/jdbc/msgboardDB");
WEB-INF/web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="msgboard">
<display-name>Message Board</display-name>
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/msgboardDB</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
META-INF/context.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<Context path="/msgboard" docBase="msgboard"
debug="5" reloadable="true" crossContext="true">
<Resource name="jdbc/msgboardDB"
auth="Container"
type="javax.sql.DataSource"
maxActive="100"
maxIdle="30"
maxWait="10000"
username="root"
password="thePassword"
driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/msgboard?autoReconnect=true"/>
</Context>
I also included a symlink to this in var/lib/tomcat6/config named msgboard.xml
per instruction at http://ubuntuforums.org/showthread.php?t=430133 and have since removed it.
my.cnf
[client]
port = 3306
bind-address = 127.0.0.1
permissions set in /etc/tomcat6/policy.d/04webapps.policy
permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve,listen,accept";
per instruction at http://ubuntuforums.org/showthread.php?t=430133
other permissions set /etc/tomcat6/policy.d/50local.policy
grant codeBase "file:/usr/share/tomcat6/webapps/msgboard/-" {
    permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve,listen,accept";
};
grant codeBase "file:/usr/share/tomcat6/webapps/msgboard/WEB-INF/classes/-" {
    permission java.io.FilePermission "/usr/share/tomcat6/webapps/msgboard/WEB-INF/classes/logging.properties", "read";
};
grant codeBase "jar:file:/usr/share/tomcat6/webapps/msgboard/WEB-INF/lib/mysql-connector-java-5.1.6.jar!/-" {
    permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve,listen,accept";
};
I even tried setting Tomcat Security to "no" per instruction at
http://webui.sourcelabs.com/ubuntu/mail/user/threads/Tomcat_connecting_to_MySQL_-Ubuntu8.10_Server.meta
http://ubuntuforums.org/showthread.php?t=1034957&highlight=apache+tomcat+jdbc
http://ubuntuforums.org/showthread.php?t=66615
http://ubuntuforums.org/showthread.php?t=33601&highlight=java+mysql
http://ubuntuforums.org/showthread.php?t=430133
http://programminglinuxblog.blogspot.com/2008/03/connection-pooling-with-java-all.html
http://webui.sourcelabs.com/ubuntu/mail/user/threads/Tomcat_connecting_to_MySQL_-Ubuntu8.10_Server.meta
SOLUTION
I had to add
<Resource name="jdbc/webappDB"
auth="Container"
type="javax.sql.DataSource"
maxActive="100"
maxIdle="30"
maxWait="10000"
username="root"
password="password"
driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/webapp?autoReconnect=true"/>
into /var/lib/tomcat6/conf/Catalina/localhost/webapp.xml
Note: the above context file was created automatically after deploying the webapp. I had to add the <resource> to it.
The context I created in usr/share/tomcat_home/webapp/META_INF/context.xml is still there and has the same <resource> defined in it. I did not verify whether or not it still needs to be there.
After that I had to add two policies
/var/lib/tomcat6/conf/policy.d/03catalina.policy
grant {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.*";
};
and 04webapps.policy
permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve,listen,accept";
That did the trick!
Other things that were done but have not been verified as to have any bearing on this issue.
I changed the active java from openjdk to java-sun
I added $tomcat_home/lib:$tomcat_home/lib/mysql-connector.jar:$tomcat_home/lib/commons-dbcp.jar to PATH
Changed CLASSPATH=usr/share/classpath:usr/share/java/commons-dbcp.jar:usr/share/java/mysql-connector.jar
Edited by: wlbragg on Feb 25, 2009 12:58 AM
Edited by: wlbragg on Feb 25, 2009 12:59 AM
Edited by: wlbragg on Feb 25, 2009 1:11 AM