RMI security issue

Similar Messages

• Security issue between weblogic server

  Hello,
  Here is security issue that we are facing.
  Here is setup
  Environment 1
  Admin server say "env1admin"
  Managed Weblogic Server say "env1managed"
  We deployed an EJB called HelloEJB in env1managed server and this has an api
  sayHello(). HelloClient is a client to HelloEJB.
  S/w Weblogic 6.1 sp3
  Environment 2
  Admin server say "env2admin"
  Managed Weblogic Server say "env2managed"
  We deployed an EJB called ServiceEJB in env2managed server and this has an api
  serviceRequest(). We use weblogic role based security and restrict access to this
  api by user HelloEJB.
  s/w Weblogic 6.1 sp3
  Here is how the system works:
  We start the env2admin, env2managed (ServiceEJB is which is a Stateless session
  EJB deployed in env2Managed)
  We start the env1admin and env1managed (HelloEJB(which is a Stateless session
  EJB is deployed in env1Managed)
  Test case:
  1)HelloClient invokes HelloEJB api sayHello().
  2)Now at this point in ejbCreate() at HelloEJB() end we get a reference to ServiceEJB
  using Jndi and the context is never closed ). HelloEJB then calls serviceRequest()
  api in ServiceEJB. Then gets back a response and then returns response to HelloClient.
  Now if we repeat the above testcase.
  After step1 in step2 HelloEJB though has all the permissions to invoke api on
  ServiceEJB gets an SecurityException.
  Question is why doe this happen. Only way HelloEJB can make api calls to serviceEJB
  is by making a lookup() every single time. Which is very expensive. I looked at
  documents what they say is leave the context open and never close it. Though I
  am doing that I am getting this exception.
  Any thoughts ?
  Thanks in advance,
  Vijay

  Here are the details of exception stack trace:
  java.rmi.AccessException: Security violation: insufficient permission to access
  method; nested exception is:
  java.lang.SecurityException: Security violation: insufficient permission
  to access method
  java.lang.SecurityException: Security violation: insufficient permission to access
  method
  at weblogic.ejb20.internal.BaseEJBObject.preInvoke(BaseEJBObject.java:92)
  at weblogic.ejb20.internal.StatelessEJBObject.preInvoke(StatelessEJBObject.java:63)
  at service.ServiceBean_nr0s19_EOImpl.sendServiceRequest(ServiceBean_nr0s19_EOImpl.java:25)
  at service.ServiceBean_nr0s19_EOImpl_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:298)
  at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:93)
  at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:267)
  at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:22)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  End server side stack trace
  ; nested exception is:
  Vijay
  "Vijay" <[email protected]> wrote:
  >
  Hello,
  Here is security issue that we are facing.
  Here is setup
  Environment 1
  Admin server say "env1admin"
  Managed Weblogic Server say "env1managed"
  We deployed an EJB called HelloEJB in env1managed server and this has
  an api
  sayHello(). HelloClient is a client to HelloEJB.
  S/w Weblogic 6.1 sp3
  Environment 2
  Admin server say "env2admin"
  Managed Weblogic Server say "env2managed"
  We deployed an EJB called ServiceEJB in env2managed server and this has
  an api
  serviceRequest(). We use weblogic role based security and restrict access
  to this
  api by user HelloEJB.
  s/w Weblogic 6.1 sp3
  Here is how the system works:
  We start the env2admin, env2managed (ServiceEJB is which is a Stateless
  session
  EJB deployed in env2Managed)
  We start the env1admin and env1managed (HelloEJB(which is a Stateless
  session
  EJB is deployed in env1Managed)
  Test case:
  1)HelloClient invokes HelloEJB api sayHello().
  2)Now at this point in ejbCreate() at HelloEJB() end we get a reference
  to ServiceEJB
  using Jndi and the context is never closed ). HelloEJB then calls serviceRequest()
  api in ServiceEJB. Then gets back a response and then returns response
  to HelloClient.
  Now if we repeat the above testcase.
  After step1 in step2 HelloEJB though has all the permissions to invoke
  api on
  ServiceEJB gets an SecurityException.
  Question is why doe this happen. Only way HelloEJB can make api calls
  to serviceEJB
  is by making a lookup() every single time. Which is very expensive. I
  looked at
  documents what they say is leave the context open and never close it.
  Though I
  am doing that I am getting this exception.
  Any thoughts ?
  Thanks in advance,
  Vijay

• Several RMI (easy) issues

  Hi,
  Developping a small RMI application, I face the following issues:
  I can run several RMI servers on a machine (launched with 1 or more userId (root, guest, foo)) but how can RMI clients be notified of how many RMI servers have been launched (and their port number). How to specify the server we want to log in ? Is it possible to have from a client the list of all RMI servers running on a machine ?
  I would like that clients use login/passwd to connect the RMI server. In fact, If the client authentifies itself with root/passroot it automatically runs on the root RMI server launched. How can I do that ?
  Thanks.
  If it is not clear enought I will explain my problems differently.

  Here are my replies:
  1) the issue is that the server can execute system commands (kill ,renice, performance command...). So, I don't want, if a server has been started as root, that every body accessing this server can run a kill on a process. So every user would have to launch its own server and then only access to services it can perform normally when logging on this machine. Moreover the RMI server has to retrieve a lot of infomation in less than 1sec (do some sys calls and internally retrive the state of all processes running on the server machine) so I think is better do launch several servers.
  Note: the client MUST have a direct access to the server machine. It is a pre-requiered.
  2) Thanks.
  3) So the client can send the login/passwd info tho the server, which look in the unix account on the system, register the client with the good server and that accept the connection.
  A lot of messages talking aboiut RMI security gives some idea on how implmenting a secured connection between client/server but I cannot find any pseudo-code or code sample.
  Do you have sme pointers ?
  Thanks

• WebLogic RMI security

  Hello,
  I'm planning to create some client-server applications using the WebLogic
  RMI implementation but I'm a little bit worried about the security issues
  that can be raised.
  Basically, I don't know whether or not WebLogic provides dynamic class
  loading (RMIClassLoader). If so, how to prevent this to happen, since I want
  to make it sure that no hostile client will be able to hack my application
  in that it will download some classes that will mess with my data.
  Anybody has any comments on that?
  Thanks in advance for any help.
  Andre Mendonca
  [email protected]

  Just to make things clearer, this is the RMI specification from Javasoft
  (very interesting, by the way):
  "When parameters and return values for a remote method invocation are
  unmarshalled to become live objects in the receiving JVM, class definitions
  are required for all of the types of objects in the stream. The
  unmarshalling process first attempts to resolve classes by name in its local
  class loading context (the context class loader of the current thread). RMI
  also provides a facility for dynamically loading the class definitions for
  the actual types of objects passed as parameters and return values for
  remote method invocations from network locations specified by the
  transmitting endpoint. This includes the dynamic downloading of remote stub
  classes corresponding to particular remote object implementation classes
  (and used to contain remote references) as well as any other type that is
  passed by value in RMI calls, such as the subclass of a declared parameter
  type, that is not already available in the class loading context of the
  unmarshalling side."
  My question is: If a client invokes a method in the object residing in the
  weblogic server, passing as a parameter an object that the server doesn't
  know, will weblogic try to download the class from the client location?
  Continuing: later in the specification, one can read:
  "For every class descriptor read from an RMI marshal stream, the
  resolveClass method reads a single object from the stream. If the object is
  a String (and the value of the java.rmi.server.useCodebaseOnly property is
  not true), then resolveClass returns the result of calling
  RMIClassLoader.loadClass with the annotated String object as the first
  parameter and the name of the desired class in the class descriptor as the
  second parameter. Otherwise, resolveClass returns the result of calling
  RMIClassLoader.loadClass with the name of the desired class as the only
  parameter."
  So, can I set this property to false in the StartWebLogic.cmd file and
  expect weblogic not to download any unknown code? Will weblogic classloader
  understand it? What's the default behavior of weblogic server?
  By the way, I'm using WLS 4.5.1, in a windows NT environment.
  Thanks in advance.
  Andre Mendonca
  [email protected]
  "Andre Mendonca" <[email protected]> wrote in message
  news:[email protected]...
  Hello,
  I'm planning to create some client-server applications using the WebLogic
  RMI implementation but I'm a little bit worried about the security issues
  that can be raised.
  Basically, I don't know whether or not WebLogic provides dynamic class
  loading (RMIClassLoader). If so, how to prevent this to happen, since Iwant
  to make it sure that no hostile client will be able to hack my application
  in that it will download some classes that will mess with my data.
  Anybody has any comments on that?
  Thanks in advance for any help.
  Andre Mendonca
  [email protected]

• Can not view slidshows or creat a book on Snapfish.  SF IT folks say it's a security issue on my end.  Any ideas?

  Can not view slidshows or creat a book on Snapfish.  SF IT folks say it's a security issue on my end.  Any ideas?

  You will need to contact Snapfish to find out their system requirements and which plugin you need
  - http://support.snapfish.com/app/answers/detail/a_id/669/brand/3

• I updated some security issues and suddenlly my gmail does not open. it shows 75% of the procees and does not go on

  I updated automatically some security issues in my computer (I don't remember which) and now my gmail will start opening until it reaches 75% and it will not go on opening.
  I can open it Internet explorer but not in Mozila fireworks

  Clear the cache and the cookies from sites that cause problems.
  "Clear the Cache":
  *Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
  "Remove Cookies" from sites causing problems:
  *Tools > Options > Privacy > Cookies: "Show Cookies"
  Start Firefox in <u>[[Safe Mode|Safe Mode]]</u> to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance/Themes).
  *Don't make any changes on the Safe mode start window.
  *https://support.mozilla.org/kb/Safe+Mode
  *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes

• Other web browsers and security issues?

  Since even an Apple KB article recognizes the need for an additional browser and because of Safari's limitations and problems, I'm going to try switching to another browser (most likely OmniWeb and am looking at Firefox, Shira and Opera also though perhaps not as a primary browser) but I'm wondering about their ability to keep on top of any security issues for Mac? (and how do you keep up with security updates?)
  Though perhaps unfounded, at least with Safari, I feel that Apple has a vested interest in keeping on top of security issues (for Safari and Java) and I can readily find out about security updates via software updater.

  Most of the other Mac browsers have their adherents. They are all good browsers (I have 7 browsers installed to test various web sites and for change-of-pace usage). They all have their strengths and they all have their weaknesses. Only iCab and OmniWeb are still shareware, the rest are now or always have been free (Opera just recently stopped charging for its browser).
  I have settled on Firefox as my alternate browser and I use it maybe just a tad more than Safari, but I do switch back and forth between them. The Mozilla foundation is good at getting security updates out when needed. Firefox has a button on the toolbar to check for updates. One nice thing about Firefox is that you can install free extensions which enhance the features available. I have one to supplement tab features, one to control iTunes from Firefox's status bar, one to help me format messages in discussion forums, and one to block ads.
  I prefer OmniWeb for doing intensive research because of the way it handles tabs in its sidebar, showing me which ones I've looked at and which ones I haven't, and giving me great flexibility in rearranging tabs, which are viewable as thumbnails or text names (I have had up to a hundred or so tabs open in OmniWeb.
  Shiira is good and its fast. I have not checked for updates for a while, but the last time I updated there was still a problem with Shiira kicking you out of logged-in sites when you moved from page to page with in web site. This may have been fixed by now - they were aware of the problem back then.
  Camino is a native OS X cousin of Firefox and is also fast, but is not updated as often.
  I would stay away from Mozilla or Netscape unless you need all the additional modules they have and which take up hard disk space. Firefox and Camino represent the browser module of Mozilla/Netscape. Mozilla and Netscape have modules for email, irc chat, newsgroups, and for creating and editing web pages. Netscape is a branded and slightly customized version of Mozilla and is not updated as often.
  Opera is a nice browser and some use it as their main browser, but I have not seen anything that really stands out for me, but that does not mean it is not worth a look.
  I would stay away from abandonware Internet Explorer.
  As for checking for updates, several of them, as with many Mac programs, now have a menu item that allows you to check for updates. Most of them also announce their updates on both VersionTracker and MacUpdate.
  Happy Exploring.

• Security Issue with Apple ID

  Today while using my iphone and trying to use facetime for the first time since updating to IOS6, my phone asked me if I wanted to use some email address that I do not have for facetime. What? The message pretty much said that this email address was linked to my apple ID. So I got to work logged into AppleID.Apple.com and saw the email address verified and also saw it displayed as an alternate apple id. Immediately, I changed my Apple ID password and called apple at 1800myapple since that is the number on the website and try to talk to someone that could assist me with this severe issue. Anyway, my iphone went dead and the people on the phone couldn't connect me to anyone because I couldn't give them a serial number to an apple device. I tried to explain to the technicians that this is a problem with my ID and that the alternate ID has access to everything that my Apple ID has access to. Both times the call went nowhere. This is ridiculous. Why can't I talk to a security team? Why is the technician telling me that I can manage my ID from the website, when I know that I am looking at the website and I cannot remove the alternate ID? How did this ID get associated with my account and why did I never receive an email informing me of the change?
  Since Apple has other services and not just products STOP ASKING FOR A SERIAL NUMBER AND ASSIST THE CUSTOMER WITH THE ISSUE especially since it is a SECURITY ISSUE.

  oh man, I know exactly what you're talking about. i have a relatively easy to guess apple id email and everybody in the world thinks it's theirs... but once I turned on two-step authentication, the emails stopped completely.  here's a faq about it:
  http://support.apple.com/kb/HT5570
  once i turned that on, whenever they'd want to reset my password, they would get asked for my recovery key, which they don't have, haha!  victory is mine.

• My account was deleted for security issues. I made a new account, but I can't syncronise my apps with this new account. I bought a new Iphone and would like to transfer the apps ans music on this new one. Can somebody help me?

  My account was deleted for security issues. I made a new account, but I can't syncronise my apps with this new account. I bought a new Iphone and would like to transfer the apps ans music on this new one. Can somebody help me?

  Why would you make a new account?  This will likely cause many problems.  Just get you old account enabled.
  Apple ID: "This Apple ID has been disabled for security reasons" alert appears
  Frequently Asked Questions About Apple ID
  Everything you purchased with the old account will always be tied to that account.  You will have to authorize the computer for that account and you will have to update the apps from that account.

• HT5642 I need to update iOS 6.1.3 on my iPad2 to 6.1.6, due to security issue. Why is no update available? I do NOT want to install iOS 7, due to memory limitations.

  I need to update iOS 6.1.3 on my iPad2 to 6.1.6, due to security issue. Why is no update available? I do NOT want to install iOS 7, due to memory limitations.

  Any upgrade will be to the most recent, compatible version, in this case 7.0.6.

• Bit locker security issues (easy to crack) disk encryption?

  Bit locker security issues (easy to crack) disk encryption?
  Problem 1: When the PC run I think its too easy to get  malicious users (with usb pendrive) or spyware to get the encryption key (fast and easy)
  youtube.com/watch?v=0npTlOq6q_0
  Problem2:not resistant with bruteforce attacks
  youtube.com/watch?v=zvaJxnvbGic
  Problem 3: not resistant with boot hacking
  Im using DriveCrypt plus pack and searched security issues in bit locker.The bit locker allow you the bruteforce/dic attack easy.I think  It would be much safer 1. (I think the keys stored somewhere that is easily read) 2. Do not just be enough password
  need a password+file combination to decrypt the disk. DriveCrypt plus pack use a file+password combination if you know the password but you wont have the file you can not decrypt the disk (protect with bruteforce attack).On system boot protected bruteforce
  attak you can crash the (boot).If the boot system crash you can not decrypt the disk just the password you need the file+password combination plus to decrypt it. I am not a programmer but I see the BitLocker ( easy security catches to crack the disk encryption).Im
  tested DriveCrypt and I can not get the key that easy (Problem 1). I have not tested it in greater depth just trying to (catches to crack software encryption).

  Where is your question, sir?
  If the question were "is it easy to crack", the answer is "no". Your videos make use of several assumptions and ingredients and permissions that a normal attacker does not have.
  "Problem 3" is not clear, please describe what scenario you are talking about.

• Using latest version of fireFox to access Think Central, pages will not load and they say that this is a security issue with FireFox?

  Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
  Some have no problem accessing the lesson plans.
  Most when they login click on a lesson plan and an icon shows up that says loading but never does.
  If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
  Think Central support says this is a security issue with Firefox.
  I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
  I have allowed the pop ups to the think Central web site.
  Any help would be appreciated

  Are there any notification icons on the left end of the address bar? If so, please click them to see whether they related to security issues (such as blocked content - shield icon: [[How does content that isn't secure affect my safety?]]) or a plugin requiring permission (Lego-like icon).
  Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand.

• HFM Security Issue - User can submit a journal by by-passing the approval step even though they are not an admin.

  Hi All,
  I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
  The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
  If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
  input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
  "User does not have the access right to perform this journal task"
  The options I have thought for a workaround are as follows:
  1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
  2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
  Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
  We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
  they are:
  1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
  2.   2. A data reviewer (who approves journals)
  The process is as follows:
  1.       1. Logon as Data inputter to submit the journals
  2.       2. Logon as Data reviewer to approve the journals
  3.       3. Logon as Data inputter to post the Journals
  We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
  but once it comes back to step 3, we get an error as follows:
  "User does not have the access right to perform this journal task"
  (This error comes about when the access control on custom 4 is set to None, Read, Promote)
  Custom 4 Access Rights looks as follows:
  C4_ADJ01
  C4_ADJ02
  C4_ADJ03
  C4_ADJ04
  HFMDefault
  Read
  Read
  Read
  Read
  HFMLoad
  All
  Promote
  None
  Read
  HFMReview
  Read
  All
  All
  All
  When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
  For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
  Roles for the groups that users assigned look like the following:
  Test User Name
  Test User Name
  Access Rights
  1
  Base Data input/Journal Data input
  test_HFMLoad
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Enable write back in Web Grid
  Load Excel Data
  Generate Recurring
  Post Journals
  Create Unbalanced Journals
  Manage Templates
  Data Form Write Back from Excel
  Consolidate
  2
  Data Reviewer
  test_HFMReview
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Approve Journals
  Consolidate
  Reviewer 2
  Generate Recurring
  Manage Templates
  Create Unbalanced Journals
  Any help or advice would be much appreciated.
  Thanks in advance,
  M.

  Hi All,
  I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
  The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
  If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
  input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
  "User does not have the access right to perform this journal task"
  The options I have thought for a workaround are as follows:
  1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
  2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
  Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
  We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
  they are:
  1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
  2.   2. A data reviewer (who approves journals)
  The process is as follows:
  1.       1. Logon as Data inputter to submit the journals
  2.       2. Logon as Data reviewer to approve the journals
  3.       3. Logon as Data inputter to post the Journals
  We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
  but once it comes back to step 3, we get an error as follows:
  "User does not have the access right to perform this journal task"
  (This error comes about when the access control on custom 4 is set to None, Read, Promote)
  Custom 4 Access Rights looks as follows:
  C4_ADJ01
  C4_ADJ02
  C4_ADJ03
  C4_ADJ04
  HFMDefault
  Read
  Read
  Read
  Read
  HFMLoad
  All
  Promote
  None
  Read
  HFMReview
  Read
  All
  All
  All
  When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
  For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
  Roles for the groups that users assigned look like the following:
  Test User Name
  Test User Name
  Access Rights
  1
  Base Data input/Journal Data input
  test_HFMLoad
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Enable write back in Web Grid
  Load Excel Data
  Generate Recurring
  Post Journals
  Create Unbalanced Journals
  Manage Templates
  Data Form Write Back from Excel
  Consolidate
  2
  Data Reviewer
  test_HFMReview
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Approve Journals
  Consolidate
  Reviewer 2
  Generate Recurring
  Manage Templates
  Create Unbalanced Journals
  Any help or advice would be much appreciated.
  Thanks in advance,
  M.

• Why are security issues at bottom of security page

  When first using firefox noticed at bottom of security page several security issues.

  I'm pretty sure you want the iTunes support forum here:
  https://discussions.apple.com/community/itunes
  This is for iTunes U (iTunes for Universities).

• Can I create a form that doesn't trigger Acrobat's JavaScript disabled / security issues warning?

  Hello,
  Can I create a pdf that doesn't trigger Acrobat's JavaScript is currently disabled and this document uses it for some features.  Enabling JavaScript can lead to potential security issues.
  I even get this error when I create a blank pdf.
  I'm not using any JavaScript in the form and the nature of the message might tend to be a bit scary to some people since it mentions enabling JS can lead to potential security issues.  I basically want to disable the messaging of a feature I'm not even using.
  Anyone know if this is possible and if so, how I go about it?
  Thank you.

  Hi,
  I too share your frustration!!
  Unfortunately I do not have a complete answer for you.
  From the start I must say that Stefan Cameron has been very helpful (http://forms.stefcameron.com/2010/01/14/acrobatreader-9-3-now-available/), however I have not had sufficient time available to deal with the issue (or find a satisfactory resolution).
  The original post that Srini shared with you related to an XFA form that had FormCalc and Javascript in it. I will now share with you another situation that is closer to your experiences.
  Sometimes where we have a complex solution/form, we often give our users a PDF with instructions and demonstrations. We generate these using Adobe products:
  LiveCycle Designer ES to generate the solution/form;
  Captivate to record the demonstration (.swf);
  Acrobat to package it up in a static PDF.
  The screen shots below are from a PDF that includes written instructions and six Flash (.swf) files. The PDF does NOT include fields/form objects and does NOT include any FormCalc or Javascript.
  One of the big sells in Acrobat 9 was that Adobe had fully integrated Flash (Adobe product, ex. Macromedia) into Acrobat 9. This mean that .swf files could run natively inside a PDF. Brilliant!!!  The website today is still pushing this message, for example:
  Now bear in mind that the following screenshots are from a PDF that does not contain any scripting - its sole purpose is to "inform" the user, "look as good as the work I put into it", incorporate instruction and "multimedia" in a "single polished file" and I should be "confident that my audience will be able to view my work exactly as intended".
  Not so!!
  When the user now opens the form, all looks OK. No warning. They can read the instructions and scroll down to the multimedia (.swf files).
  However when the user clicks on the multimedia, the yellow bar appears:
  I go through the "trust" process:
  And the PDF looks like it is OK, no yellow bar. When I click on the multimedia, it begins to play - yes!! BUT ONLY FOR A SECOND OR TWO AND THEN IT STOPS AND GOES BACK TO THE START - AGGGGHHHHHHH!!!!!. I would apologise for shouting, but this is beyond frustration. The work in capturing six screencasts in Captivate, annotating them, publishing to .swf and packaging up in Acrobat has been a complete waste of time. Worse than that I now have several PDFs out there, that do not work. Good advertisement for my business? I don't think so!!
  The document that Stefan provided (Managing JavaScript Execution in the Acrobat Family of Products) does not mention Flash/.swf as being a problem. However I would recommend that you go through this document, as it may help you.
  So, where to now? I don't know. The previous posts and Stefan's responses have several urls that may help. You should maybe consider logging your experiences as a bug (log at Adobe).
  In the meantime good luck,
  Niall
  UPDATE:
  This behaviour (.swf playing for only a few seconds) happens in PDFs where the .swf is inserted as legacy media to run in earlier versions of Acrobat/Reader. In this case Acrobat/Reader is making an external call to Flash Player. Hence the yellow bar. However it does not explain why the Flash video still does not play when trusted.
  If the .swf is added into the PDF as Flash media to run on Acrobat 9 and above, then it works without displaying the yellow warning bar.
  So maybe any feature of your PDF that calls an external resource is likely to show the yellow warning bar.