Secured NIO Implementation

I have a multi-threaded, TCP socket-based server to which several clients send data in parallel. I am planning to introduce NIO so that several more clients can send data to my server using non-blocking IO. The issue I am facing now is that the current design uses secured SSL for the data transfer. How can I achieve SSL-based NIO? Can anyone help me with this?
Thanks in advance

Very difficult. You use the SSLEngine. See the [chapter in my book|http://www.telekinesis.com.au/wipv3_6/FundamentalNetworkingInJava.A21].
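The SSLEngine approach named in the reply, as an added example (it is not code from the thread or from the linked book): two engines are joined by in-memory buffers, so the wrap / unwrap / delegated-task cycle that an NIO server has to drive is visible without sockets. In a real server each `netOut` buffer is drained by `SocketChannel.write()` and the inbound side is filled by `SocketChannel.read()` when the selector reports readiness. The class, method and buffer names are made up for this example, and it assumes a key store and trust store holding a certificate issued for `localhost` are supplied through the standard `javax.net.ssl.keyStore` / `javax.net.ssl.trustStore` system properties.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

public class SslEngineLoopback {

    /** Per-connection state, as it would hang off a SelectionKey attachment. */
    static final class Peer {
        final SSLEngine engine;
        final ByteBuffer appOut;  // plaintext still to send
        final ByteBuffer appIn;   // plaintext received so far
        final ByteBuffer netOut;  // TLS records awaiting SocketChannel.write()

        Peer(SSLEngine engine, String message) {
            this.engine = engine;
            appOut = ByteBuffer.wrap(message.getBytes(StandardCharsets.UTF_8));
            appIn = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
            netOut = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        }

        /** Let the engine emit what it needs next: handshake data first, application data after. */
        void send() throws SSLException {
            runTasks(engine.wrap(appOut, netOut));
        }

        /** Feed the engine the bytes the peer produced; BUFFER_UNDERFLOW just means "nothing yet". */
        void receive(ByteBuffer fromPeer) throws SSLException {
            fromPeer.flip();
            SSLEngineResult result = engine.unwrap(fromPeer, appIn);
            fromPeer.compact();   // keep any partial record for the next pass
            runTasks(result);
        }

        /** Handshake crypto is handed back as tasks; a server would run them on a worker pool. */
        void runTasks(SSLEngineResult result) {
            if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
                Runnable task;
                while ((task = engine.getDelegatedTask()) != null) {
                    task.run();
                }
            }
        }

        String received() {
            return new String(appIn.array(), 0, appIn.position(), StandardCharsets.UTF_8);
        }
    }

    /** Handshakes and exchanges one non-empty message each way; returns {server read, client read}. */
    static String[] exchange(SSLContext ctx, String fromClient, String fromServer)
            throws SSLException {
        SSLEngine clientEngine = ctx.createSSLEngine("localhost", 8443); // constructed name and port
        clientEngine.setUseClientMode(true);
        SSLParameters params = clientEngine.getSSLParameters();
        // A bare SSLEngine validates the chain but not the host name unless asked to.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        clientEngine.setSSLParameters(params);

        SSLEngine serverEngine = ctx.createSSLEngine();
        serverEngine.setUseClientMode(false);

        Peer client = new Peer(clientEngine, fromClient);
        Peer server = new Peer(serverEngine, fromServer);
        for (int round = 0; round < 50; round++) {
            client.send();
            server.send();
            client.receive(server.netOut);
            server.receive(client.netOut);
            boolean allSent = !client.appOut.hasRemaining() && !server.appOut.hasRemaining();
            boolean allDelivered = client.netOut.position() == 0 && server.netOut.position() == 0;
            if (allSent && allDelivered) {
                return new String[] { server.received(), client.received() };
            }
        }
        throw new IllegalStateException("handshake did not complete within the round limit");
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the default context picks up key and trust material from the
        // javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties.
        String[] got = exchange(SSLContext.getDefault(), "hello from client", "hello from server");
        System.out.println("server read: " + got[0]);
        System.out.println("client read: " + got[1]);
    }
}
```

Without key material the server engine has no certificate to offer and the loop ends with an `SSLHandshakeException` rather than a result.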

Similar Messages

  • Flex security - RSA implementation?

    Hi all,
    I am developing a client-server app; the client is a Flex app that communicates with a PHP server over the AMF protocol.
    I need some security, so I thought of some possible solutions:
    1. Using HTTPS, but with any "web debugging proxy" anyone can decrypt SSL, so this is not a solution.
    2. Using an RSA implementation, so if someone reads the traffic it won't be a problem, but if someone
         disassembles the Flex client, they can access the client private key and then the security will go away.
    Is there some way to secure the communication?
    Thank you

    Hi,
    For security purposes, you would store the private key in the card and perform all private key operations there. One approach could be to store a certificate and the corresponding private key in a java card applet and then retrieve the certificate from the card. You could then send a random number (nonce) to the card and ask it to sign the number. The host application can then verify the signature with the public key in the certificate. The host could also verify the certificate against a certificate authority or a known trust chain.
    The hard part is that you will need to implement this in the applet yourself. You can define a set of APDUs that you could send to the card for specific responses. For instance, one command to get the certificate and another to sign some arbitrary data. You would also want a way of injecting the keys (this is the simple, less secure approach though).
    With certificates you can use the cryptographic properties to verify that you trust the card and if you do not receive a trusted certificate the program can terminate. Also if the signature is not verified then you could exit as well as the card has not proven ownership of the private key.
    Cheers,
    Shane
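The nonce challenge described in this reply, as an added example that is not part of the original post: the host issues a fresh random challenge, the card signs it, and the host verifies the signature once against the card's public key. The card is simulated in software and its raw public key stands in for the one the host would take from the card's certificate after validating the chain; all class and method names are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;

public class CardChallengeDemo {

    /** Software stand-in for the applet: the private key never leaves this object. */
    static final class SimulatedCard {
        private final KeyPair keyPair;

        SimulatedCard() throws GeneralSecurityException {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
            gen.initialize(256);
            keyPair = gen.generateKeyPair();
        }

        /** In the real design this key arrives inside the certificate read from the card. */
        PublicKey publicKey() {
            return keyPair.getPublic();
        }

        /** The "sign arbitrary data" command from the reply. */
        byte[] sign(byte[] challenge) throws GeneralSecurityException {
            Signature signer = Signature.getInstance("SHA256withECDSA");
            signer.initSign(keyPair.getPrivate());
            signer.update(challenge);
            return signer.sign();
        }
    }

    /** Host side: one outstanding nonce at a time, usable exactly once. */
    static final class Host {
        private final SecureRandom random = new SecureRandom();
        private final PublicKey cardKey;
        private byte[] outstanding;

        Host(PublicKey cardKey) {
            this.cardKey = cardKey;
        }

        byte[] newChallenge() {
            outstanding = new byte[32];
            random.nextBytes(outstanding);
            return outstanding.clone();
        }

        boolean accept(byte[] signature) throws GeneralSecurityException {
            if (outstanding == null) {
                return false;              // no open challenge: unsolicited or repeated answer
            }
            byte[] nonce = outstanding;
            outstanding = null;            // the nonce is spent whether or not verification succeeds
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(cardKey);
            verifier.update(nonce);
            try {
                return verifier.verify(signature);
            } catch (SignatureException malformed) {
                return false;              // badly encoded signature counts as a failed proof
            }
        }
    }

    public static void main(String[] args) throws Exception {
        SimulatedCard card = new SimulatedCard();
        SimulatedCard otherCard = new SimulatedCard();   // holds a different private key
        Host host = new Host(card.publicKey());

        byte[] first = host.newChallenge();
        byte[] answer = card.sign(first);
        System.out.println("genuine card accepted:    " + host.accept(answer));

        host.newChallenge();                             // fresh nonce, old answer replayed
        System.out.println("replayed answer accepted: " + host.accept(answer));

        byte[] third = host.newChallenge();
        System.out.println("other card accepted:      " + host.accept(otherCard.sign(third)));
    }
}
```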

  • Secured LDAP implementation in Oracle BI

    Hi All,
    Can anyone tell me how I can implement secured LDAP in Oracle BI? I have enabled the SSL certificate box during the LDAP configuration in the Oracle BI Repository. Is this enough to say that we have implemented secured LDAP, or is there something more that I need to do?
    Thanks!

    In terms of securing your LDAP credentials you probably want the OBIEE Presentation Layer as well to be running over HTTPS otherwise the user LDAP credentials will be sent over a clear text HTTP session (although it might not be an issue for you as the BI Server and the Presentation Services might be running on the same box).

  • Security component implementation

    I'm working on a security component that will grant access (or deny access) to protected resources through a password verification, in a JSF RI website.
    Can you tell me, in your opinion, what are the best practices to achieve this? Can I rely on the standard JSF validation approach?
    Thank you very much,
    Ivan Saorin

    ivan.saorin wrote:
    > Maybe we have found an anomaly in the way JSF manages validation/security. It is not exactly a bug; rather, it is the absolute lack of documentation on the argument.
    > We have found that in certain situations the standard security offered by JSF MUST be enforced by some kind of measure.
    > Imagine a scenario like this (real life sick): you build a custom component with an internal validation. The component accepts a password from the user; the confirm button is not on the component itself, instead the component relies on the confirm button present on the page (because the button is on a toolbar).
    > The page confirm button usually is associated with an action that, for example, allows the user to confirm a transaction of some kind.
    > What normally happens if the user puts the wrong password in the password field is that the validation rule fails and a ValidationException is thrown by the validator. The page re-renders itself, signaling the error that occurred to the user.
    > But if an ill-intentioned user removes the component from the page (with a famous Firefox plugin, for example),
    The component exists on the server and the server only. The client cannot remove it from the JSF view.
    > or simply removes the secCmpId=secCmpId parameter from the request, the decode of the component is not even called, and so neither is any associated validation rule. The result is that the action fired by the page confirm button is not blocked at all!
    That sounds like a poorly written component to me. The component will exist in the restored view (or this is kept server side); if it is enabled and rendered then it should be decoded. The absence of the expected parameter in the request parameter map should cause an error.
    > For me it is an error that JSF is not blocking the action by default. Actions should be admitted only and only if all the validations have gone OK, and not if one fails.
    > I know that is a rather peculiar use case, but the extreme confidence in the absolute server-side security usually provided by JSF can lead to such an implementation.
    > Obviously we have resolved the security hole, which luckily was found during an internal security test.
    Personally I wouldn't (and haven't) checked something like a password in a validator, preferring to do it in the action method.

  • Secure Backup Implementation - Step By Step

    Hi all,
    I really need help to implement Secure Backup at my site. I have the following hardware components:
    Win2003 - Enterprise Edition
    IBM AIX5L - Media Server
    IBM TotalStorage Ultrium LTO3 attached to AIX5L Server.
    Someone please help me to configure it.
    Thanks
    KD

    I suggest you read the documentation that comes with OSB to plan and implement your installation.
    If you have a specific question, please post it here and we will do our best to help you

  • Urgent help needed in Cube Security implementation

    I have a need to implement security in one of the dimensions (Performance Rating), and users under different roles should be able to browse the cube as below.
    The table information is as below:
    Dimension Table       | Description
    Dim_Employee          | Employee details-ID,Name,Gender,Age
    Dim_PerformanceRating | Performance code,Description
    Dim_Role_User         | Role and users available under each role
    Fact Table            | PerfID,EmplyeeiD,HeadCount as measure
    If the user under the HR role browses the cube he should be able to view the details as below:
    All employee details and counts, but performance ratings restricted to only the employees under his (HR) role.
    Dim-Employee | Dim-Employee | Dim_Perfrating | Dim_Role_user | Measure
    Emp ID       | Name         | Perf Rating    | Employee Type | Emp Count
    1            | A            |                | VP            | 1
    2            | B            |                | Other         | 1
    3            | C            | SM             | HR            | 1
    4            | D            |                | VP            | 1
    5            | E            |                | HR            | 1
    6            | F            |                | HR            | 1
    7            | G            | FE             | HR            | 1
    8            | H            | CE             | HR            | 1
    9            | I            | DNM            | HR            | 1
    10           | J            | NR             | HR            | 1
    If the VP browses the cube he should be able to view all the details as below:
    All employee details, counts and all the performance ratings of all the employees under him.
    Dim-Employee | Dim-Employee | Dim_Perfrating | Dim_Role_user | Measure
    Emp #        | Name         | Perf Rating    | Employee Type | Emp Count
    1            | A            | SM             | VP            | 1
    2            | B            | FE             | HR            | 1
    3            | C            | SM             | Other         | 1
    4            | D            | CE             | VP            | 1
    5            | E            | SM             | HR            | 1
    6            | F            | SM             | HR            | 1
    7            | G            | FE             | Other         | 1
    8            | H            | CE             | Other         | 1
    9            | I            | DNM            | Other         | 1
    10           | J            | NR             | Other         | 1

    Hi,
    You need to implement dynamic security. Implement a factless fact table which records which user is allowed to see which nodes. Create a measure group for this table, "FactSecurity".
    Create a User dimension which includes Domain\Usernames.
    Map the User dimension and the Perfrating dimension to the FactSecurity measure group.
    In the role, implement the security like this:
    EXISTS([Dim_Perfrating].[PerformanceCode].[PerformanceCode].Members, STRTOMEMBER("[Users].[DOMAIN].["+UserName+"]"), "FactSecurity")
    If needed check Visual Totals.
    Kr Jürgen

  • How to implement sharepoint 2010 security implementation at site level ?

    Hi,
    We are going to implement a school automation system as an internet application using SharePoint 2010.
    I want to know what steps I have to take for the best security implementation at the site level.
    Thanking You, Nagendra.

    Hiya,
    Simple as that: SharePoint 2010 has no known vulnerabilities against SQL injections due to the nature of how it works.
    It's hard to protect against unknown vulnerabilities. If you're planning to allow only authenticated users, you can perform the authentication on a dedicated application server: TMG/UAG/Web Application Proxy.
    Besides that, SharePoint 2010 and up was built to be exposed to the internet, with all the considerations that incurs.
    I fail to see the validity in the argument about "any web application using Asp.net there is a chance to SQL inject". If you create a custom asp.net application and do not secure yourself, yes, you will have a problem. If you do secure yourself, you do not have a problem. Proposing it as a general approach is faulty.

  • Session time-out and password security

    Hi,
    I have a webservice utility, deployed on several platforms (as an EAR on WebLogic and WebSphere, as a WAR on Tomcat), and they all exhibit the same behaviour: on first connection, a username/password box pops up, but after the session times out (after 20 minutes or so of inactivity) and then it receives a new page request, instead of re-asking for the username/password, the app just jumps back to its own start page, and then continues without asking.
    How can I make it to pop-up the username/password box again?
    The security is implemented through the web.xml file:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Success</web-resource-name>
        <url-pattern>/Logparser</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>webuser</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>default</realm-name>
    </login-config>
    <security-role>
      <role-name>webuser</role-name>
    </security-role>
    I found that this in itself was not good enough security, as you would be able to go directly to one of the sub-pages (if you know the URL), and to prevent that I pass (and check) the session-id with each page request.
    (all java servlets).
    Obviously something is missing, but I don't know what
    thanks
    Michael

    Hi Michael,
    Your web application is currently configured to use BASIC authentication.
    Instead if you use FORM-based authentication, then any new request (after your web application session times out) will be redirected to the login page. The Servlet specification has more information about FORM-based login.
    If you have a Sun ONE Web Server 6.1 or a Sun Java System Web Server 7.0 installation you can find a sample that uses form-login in the following directory
    6.1: <install-directory>/plugins/java/samples/webapps/security/form-auth
    7.0: <install-directory>/samples/java/webapps/security/form-auth

  • Secure and non-secure access to the web application in one war

    Say we have one web application (in one war) which includes JSPs, servlets and the security interceptor. There is one business requirement to have most of the JSPs accessed via HTTPS, but a few JSPs accessed via HTTP.
    My questions are:
    a. Is this possible, or a reasonable requirement, or a good practice?
    b. If yes, what can we do to make it happen in the security interceptor implementation?
    c. If not, what are the technical reasons?
    Thanks much.

    a) Yes, it is reasonable and good practice; there is an overhead using HTTPS, so you should only encrypt files you need to. When you use an online store, only account details / payments are HTTPS, the shop itself is HTTP.
    b) I don't really understand your difficulty. You can define a folder as 'secure' and put all your secure pages in this folder, leaving non-secure files in a different folder. Whenever a page in the secure folder is accessed, HTTPS is automatically invoked.

  • How to implement springsecurity in flex

    Hi all,
    I'm a newbie and need your help.
    I am having difficulty implementing security on a Flex project using Spring Security. In the project I'm using:
    BlazeDS Turnkey
    Apache Tomcat
    Eclipse Ganymede 3.4 (for editing code)
    I've tried to make it work but always get an error message:
    "[MessagingError  message = 'Destination' securityHelper 'either does not exist or the  destination has no channels defined (and the application does not define  any default channels .)']- could not establish a connection to'  securityHelper'-InvokeFailed"
    and below is my source code:
    1. web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4"
      xmlns="http://java.sun.com/xml/ns/j2ee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
        <display-name>Spring BlazeDS Integration Samples</display-name>
        <context-param>
            <param-name>flex.class.path</param-name>
            <param-value>/WEB-INF/flex/hotfixes,/WEB-INF/flex/jars</param-value>
        </context-param>
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/spring/*-config.xml
            </param-value>
        </context-param>
        <!-- -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <!-- Http Flex Session attribute and binding listener support -->
        <listener>
            <listener-class>flex.messaging.HttpFlexSession</listener-class>
        </listener>
        <!-- MessageBroker Servlet
        <servlet>
            <servlet-name>MessageBrokerServlet</servlet-name>
            <servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
            <init-param>
                <param-name>services.configuration.file</param-name>
                <param-value>/WEB-INF/flex/services-config.xml</param-value>
            </init-param>
            <init-param>
                <param-name>flex.write.path</param-name>
                <param-value>/WEB-INF/flex</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>MessageBrokerServlet</servlet-name>
            <url-pattern>/messagebroker/*</url-pattern>
        </servlet-mapping>
        -->
        <servlet>
            <servlet-name>flex</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>flex</servlet-name>
            <url-pattern>/messagebroker/*</url-pattern>
         </servlet-mapping>
        <welcome-file-list>
            <welcome-file>index.html</welcome-file>
            <welcome-file>index.htm</welcome-file>
            <welcome-file>index.jsp</welcome-file>
            <welcome-file>default.html</welcome-file>
            <welcome-file>default.htm</welcome-file>
            <welcome-file>default.jsp</welcome-file>
        </welcome-file-list>
    </web-app>
    2. flex-servlet.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:flex="http://www.springframework.org/schema/flex"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/flex
            http://www.springframework.org/schema/flex/spring-flex-1.0.xsd">
        <flex:message-broker>
            <flex:message-service
                default-channels="my-streaming-amf,my-longpolling-amf,my-polling-amf" />
            <flex:secured />
        </flex:message-broker>
        <!-- Expose the productService bean for BlazeDS remoting -->
        <flex:remoting-destination ref="productService" />
        <!-- Expose the contactService bean for BlazeDS remoting -->
        <flex:remoting-destination ref="contactService" />
        <!-- Expose the securedProductService bean for BlazeDS remoting -->
        <flex:remoting-destination ref="securedProductService" />
        <!-- Helper for getting the currently authenticated user-->
        <bean id="securityHelper" class="org.springframework.flex.samples.secured.SecurityHelper">
            <flex:remoting-destination/>
        </bean>
        <!-- Messaging destinations -->
        <flex:message-destination id="chat" />
        <flex:message-destination id="secured-chat" send-security-constraint="trusted" />
        <flex:message-destination id="simple-feed" />
        <flex:message-destination id="market-feed" allow-subtopics="true" subtopic-separator="." />
        <flex:jms-message-destination id="jms-chat" jms-destination="chatTopic" />     <!-- See configuration of "chatTopic" in /WEB-INF/spring/infrastructure-config.xml -->
        <flex:integration-message-destination id="si-receive" message-channel="toFlex"/> <!-- See configuration of "toFlex" in /WEB-INF/spring/integration-config.xml -->
        <flex:integration-message-destination id="si-send" message-channel="fromFlex"/> <!-- See configuration of "fromFlex" in /WEB-INF/spring/integration-config.xml -->      
        <!-- MessageTemplate makes it easy to publish messages -->
        <bean id="defaultMessageTemplate" class="org.springframework.flex.messaging.MessageTemplate" />
        <!-- Pojo used to start and stop the data feed that pushes data in the 'simple-feed' destination -->
        <bean id="simpleFeedStarter" class="org.springframework.flex.samples.simplefeed.SimpleFeed">
            <constructor-arg ref="defaultMessageTemplate" />
            <flex:remoting-destination />
        </bean>
        <!-- Pojo used to start and stop the data feed that pushes data in the 'market-feed' destination -->
        <bean id="marketFeedStarter" class="org.springframework.flex.samples.marketfeed.MarketFeed">
            <constructor-arg ref="defaultMessageTemplate" />
            <constructor-arg value="stocklist.xml" />
            <flex:remoting-destination />
        </bean>
    </beans>
    3.service-config.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <services-config>
        <services>
            <default-channels>
               <channel ref="my-amf"/>
            </default-channels>
            <service-include file-path="remoting-config.xml" />
            <service-include file-path="proxy-config.xml" />
            <service-include file-path="messaging-config.xml" />
        </services>
        <channels>
            <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
            </channel-definition>
            <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
                <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
                <properties>
                    <add-no-cache-headers>false</add-no-cache-headers>
                </properties>
            </channel-definition>
            <channel-definition id="my-polling-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amfpolling" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <polling-enabled>true</polling-enabled>
                    <polling-interval-seconds>4</polling-interval-seconds>
                </properties>
            </channel-definition>
            <channel-definition id="my-longpolling-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amflongpolling" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <polling-enabled>true</polling-enabled>
                    <polling-interval-seconds>5</polling-interval-seconds>
                    <wait-interval-millis>60000</wait-interval-millis>
                    <client-wait-interval-millis>1</client-wait-interval-millis>
                    <max-waiting-poll-requests>200</max-waiting-poll-requests>
                </properties>
            </channel-definition>      
            <channel-definition id="my-streaming-amf" class="mx.messaging.channels.StreamingAMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/streamingamf" class="flex.messaging.endpoints.StreamingAMFEndpoint"/>
            </channel-definition>
        </channels>
        <security>
            <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
            <security-constraint id="trusted">
                <roles>
                    <role>ROLE_USER</role>
                    <role>ROLE_ADMIN</role>
                </roles>
            </security-constraint>
        </security>
        <logging>
            <target class="flex.messaging.log.ConsoleTarget" level="Warn">
                <properties>
                    <prefix>[BlazeDS] </prefix>
                    <includeDate>false</includeDate>
                    <includeTime>false</includeTime>
                    <includeLevel>false</includeLevel>
                    <includeCategory>false</includeCategory>
                </properties>
                <filters>
                    <pattern>Endpoint.*</pattern>
                    <pattern>Service.*</pattern>
                    <pattern>Configuration</pattern>
                </filters>
            </target>
        </logging>
        <system>
            <redeploy>
                <enabled>false</enabled>
            </redeploy>
        </system>
    </services-config>
    4. remoting-config.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <service id="remoting-service" class="flex.messaging.services.RemotingService">
        <adapters>
            <adapter-definition id="java-object"
                class="flex.messaging.services.remoting.adapters.JavaAdapter"
                default="true" />
        </adapters>
        <default-channels>
            <channel ref="my-amf" />
        </default-channels>
    </service>
    5. spring/security-config.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
    <!--
        <http>
            <form-login default-target-url="/secured/secured.html" login-page="/login.jsp" />
        </http>
    -->
        <http>
            <form-login default-target-url="/ZeroToHero.html"/>
        </http>
        <authentication-provider>
            <user-service>
                <user name="john" password="john" authorities="ROLE_USER" />
                <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="guest" password="guest" authorities="ROLE_GUEST" />
            </user-service>
        </authentication-provider>
    </beans:beans>
    6. ZeroToHero.mxml
    <?xml version="1.0" encoding="utf-8"?>
    <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" xmlns="*"
        applicationComplete="applicationCompleteHandler()">
        <mx:RemoteObject id="productService" destination="securedProductService" fault="faultHandler(event)"/>
        <mx:RemoteObject id="securityHelperTest" destination="securityHelper" fault="faultHandler(event)">
            <mx:method name="getAuthentication" result="userHandler(event)"/>
        </mx:RemoteObject>
        <mx:Script>
            <![CDATA[
                import mx.messaging.ChannelSet;
                import mx.messaging.channels.AMFChannel;
                import mx.controls.Alert;
                import mx.rpc.AsyncToken;
                import mx.rpc.AsyncResponder;
                import mx.rpc.events.FaultEvent;
                import mx.rpc.events.ResultEvent;
                [Bindable]
                private var user:Object = null;
                // Ask the server who is logged in as soon as the application is ready
                private function applicationCompleteHandler():void
                {
                    securityHelperTest.getAuthentication();
                    chat.consumer.subscribe();
                }
                // Result of getAuthentication(): lock the form if a user is already authenticated
                private function userHandler(event:ResultEvent):void
                {
                    user = event.result;
                    if (user != null) {
                        userId.text = user.name;
                        userId.editable = false;
                        password.editable = false;
                    }
                }
                private function faultHandler(event:FaultEvent):void
                {
                    Alert.show(event.fault.faultString + "-" +
                    event.fault.faultDetail + "-" +
                    event.fault.faultCode, "Error accessing RemoteObject");
                }
                // Authenticate through the channel set of the remote object
                private function login():void
                {
                    var token:AsyncToken = securityHelperTest.channelSet.login(userId.text, password.text);
                    token.addResponder(
                        new AsyncResponder(
                            function(event:ResultEvent, token:Object = null):void {
                                user = event.result;
                                userId.editable = false;
                                password.editable = false;
                            },
                            function(event:FaultEvent, token:Object = null):void {
                                Alert.show(event.fault.faultString, "Login Failed");
                            }
                        )
                    );
                }
                // Drop the server-side authentication and reset the form
                private function logout():void
                {
                    securityHelperTest.channelSet.logout();
                    user = null;
                    userId.text = "";
                    userId.editable = true;
                    password.text = "";
                    password.editable = true;
                    grid.dataProvider.removeAll();
                }
            ]]>
        </mx:Script>
        <mx:Form>
            <mx:FormItem label="User Id">
                <mx:TextInput id="userId"/>
            </mx:FormItem>
            <mx:FormItem label="Password">
                <mx:TextInput id="password" displayAsPassword="true"/>
            </mx:FormItem>
            <mx:FormItem direction="horizontal">
                <mx:Button label="Login" click="login()"/>
                <mx:Button label="Logout" click="logout()"/>
            </mx:FormItem>
        </mx:Form>
        <mx:Accordion width="100%" visible="{user != null}">
            <mx:Canvas label="Products" width="100%">
                <mx:Panel width="100%">
                    <mx:DataGrid id="grid" dataProvider="{productService.findAll.lastResult}" width="100%" height="100%">
                        <mx:columns>
                            <mx:DataGridColumn dataField="productId" headerText="Product ID" visible="{user != null ? user.authorities.indexOf('ROLE_ADMIN') >= 0 : false}"/>
                            <mx:DataGridColumn dataField="name" headerText="Name" />
                            <mx:DataGridColumn dataField="category" headerText="Category" />
                            <mx:DataGridColumn dataField="description" headerText="Description" />
                            <mx:DataGridColumn dataField="image" headerText="Image" />
                            <mx:DataGridColumn dataField="price" headerText="Price" />
                            <mx:DataGridColumn dataField="qty" headerText="Qty" />
                        </mx:columns>
                    </mx:DataGrid>
                    <mx:Button label="Get Data" click="productService.findAll()"/>
                </mx:Panel>
            </mx:Canvas>
            <Chat id="chat" username="{user.name}"/>
        </mx:Accordion>
    </mx:Application>
    please help me,

    remote-config.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <service id="remoting-service" class="flex.messaging.services.RemotingService">
        <adapters>
            <adapter-definition id="java-object"
                class="flex.messaging.services.remoting.adapters.JavaAdapter"
                default="true" />
        </adapters>
        <default-channels>
            <channel ref="my-amf" />
        </default-channels>
        <destination id="securityHelper">
            <properties>
                <source>org.springframework.flex.samples.secured.SecurityHelper</source>
                <scope>application</scope>
            </properties>
        </destination>
    </service>
    SecurityHelper.as (for calling the remote object from the client) is my own, and I think this SecurityHelper.as is wrong because it does not return a value; I do not know how to call the Java class SecurityHelper.java.
    package com.adobe
    {
        [Bindable]
        [RemoteClass(alias="org.springframework.flex.samples.secured.SecurityHelper")]
        public class SecurityHelper
        {
            public function SecurityHelper() {}
        }
    }
    SecurityHelper.java
    package org.springframework.flex.samples.secured;
    import java.util.Map;
    import org.springframework.flex.security.AuthenticationResultUtils;
    public class SecurityHelper {
        public Map<String, Object> getAuthentication() {
            return AuthenticationResultUtils.getAuthenticationResult();
        }
    }
    Thanks
    Message was edited by: agungdmt

  • Query security settings for users

    Hi again.
    I'm looking for a way of querying security settings for a user.
    I.e. I understand that company/division etc. security is implemented through responsibilities.
    In which case, is there a way to retrieve those exclusions per user?
    (e.g. User 1 can't see company 50)
    Thanks,
    g.

  • Oracle 8 security risks

    ISS Security Advisory
    May 6, 1999
    Multiple File System Vulnerabilities in Oracle 8
    Synopsis:
    Internet Security Systems (ISS) X-Force has discovered that
    multiple vulnerabilities exist in Oracle 8 that may allow local
    attackers to exploit weaknesses in Oracle administrative tools.
    Oracle is the market leader in enterprise database solutions.
    Attackers may use these vulnerabilities to amplify their
    privilege to that of the 'oracle' user. By default, the oracle
    user controls the entire Oracle database system. Attackers may
    launch local denial of service attacks against the database as
    well as alter or manipulate data.
    Affected Versions:
    ISS X-Force has determined that most current versions of Oracle
    8 for Unix are vulnerable. These versions include 8.03, 8.04,
    8.05, and 8.15. Oracle 8 for Windows NT is not affected by
    these vulnerabilities.
    Description:
    The Oracle 8 distribution is shipped with many administrative
    utilities that are owned by the oracle user with the setuid bit
    enabled. Several of these utilities implement insecure file
    creation and manipulation. These utilities also trust Oracle-
    related environment variables. The combined effect of these
    vulnerabilities may allow local attackers to create, append to,
    or overwrite privileged oracle files. Certain vulnerabilities
    exist that may allow local attackers to execute arbitrary
    commands as the oracle user. Attackers may also be able to
    permanently elevate their privilege to that of the oracle user.
    Temporary files that follow symbolic links are a common source
    of vulnerabilities in setuid executables. Administrators should
    remove or restrict access to setuid executables if possible.
    Developers of setuid programs need to take special precautions
    to prevent the introduction of vulnerabilities of this nature.
    ISS X-Force recommends that all Unix developers become familiar
    with Matt Bishop's secure programming guide, available at
    http://olympus.cs.ucdavis.edu/~bishop/secprog.html
    Fix Information:
    ISS X-Force has worked with Oracle to provide a patch for the
    vulnerabilities described in this advisory. Oracle has provided
    the following FAQ to answer any questions concerning these
    vulnerabilities.
    Q: I've heard about a setuid security issue with the Oracle
    database? What is this all about?
    A: On Unix platforms, some executable files have the setuid bit
    on. It may be possible for a very knowledgeable user to use
    these executables to bypass your system security by elevating
    their operating system privileges to that of the Oracle user.
    Q: Which releases are affected by this problem?
    A: This problem affects Oracle data server releases 8.03, 8.0.4,
    8.0.5, and 8.1.5 on Unix platforms only.
    Q: Can I correct this problem or do I need a patch?
    A: This problem can easily be corrected. The customer can
    download the patch from the Oracle MetaLink webpages at
    http://www.oracle.com/support/elec_sup. The patch is a Unix
    shell script. This shell script should be run immediately, and
    also run after each relink of Oracle.
    Q: What is Oracle doing to fix this problem?
    A: Effective immediately, Oracle will provide the patch on
    Oracle's Worldwide Support Web pages. Oracle will ensure the
    patches are incorporated into future releases of Oracle8i
    (8.1.6) and Oracle8.0 (8.0.6)
    Q: What is Oracle doing to notify users about this problem now?
    A: Oracle is notifying all supported customers, via the Oracle
    Worldwide Support Web pages, of this issue so they can address
    it as required.
    ISS X-Force also recommends that all administrators complete a
    proactive survey on the use or potential misuse of setuid bits
    on privileged executables on their systems.
    Credits:
    These vulnerabilities were primarily researched by Dan
    Ingevaldson of the ISS X-Force.
    Copyright (c) 1999 by Internet Security Systems, Inc. Permission
    is hereby granted for the electronic redistribution of this
    Security Alert. It is not to be edited in any way without
    express consent of the X-Force. If you wish to reprint the
    whole or any part of this Alert Summary in any other medium
    excluding electronic medium, please e-mail [email protected] for
    permission.
    About ISS
    ISS is the pioneer and leading provider of adaptive network
    security software delivering enterprise-wide information
    protection solutions. ISS' award-winning SAFEsuite family of
    products enables information risk management within intranet,
    extranet and electronic commerce environments. By combining
    proactive vulnerability detection with real-time intrusion
    detection and response, ISS' adaptive security approach creates
    a flexible cycle of continuous security improvement, including
    security policy implementation and enforcement. ISS SAFEsuite
    solutions strengthen the security of existing systems and have
    dramatically improved the security posture for organizations
    worldwide, making ISS a trusted security advisor for firms in
    the Global 2000, 21 of the 25 largest U.S. commercial banks and
    over 35 governmental agencies. For more information, call ISS at
    678-443-6000 or 800-776-2362 or visit the ISS Web site at
    www.iss.net.
    Disclaimer
    The information within this paper may change without notice. Use
    of this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties with regard to this
    information. In no event shall the author be liable for any
    damages whatsoever arising out of or in connection with the use
    or spread of this information. Any use of this information is at
    the user's own risk.
    X-Force PGP Key available at:
    http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP
    key server and PGP.com's key server.
    Please send suggestions, updates, and comments to:
    X-Force <[email protected]> of Internet
    Security Systems, Inc.

    http://metalink.oracle.com has all the Oracle documentation online. If you search for Security, you'll get plenty of documents. The Oracle Administrator's Guide has a Security Checklist that is probably a good starting point.
    This is a huge topic, though.
    Justin

  • Access to IPortalComponentRequest in custom security manager

    Hi All,
    I am implementing a custom security manager. For my requirements, I need IPortalComponentRequest object in the security manager class. Can anyone give me a clue to get the request object in security manager implementation.
    Regards,
    Yoga

    Hi Romano,
    I tried this. It's returning the mysapsso2 cookie and the authentication_schema cookie, but not returning any custom cookies added to the response from any other application.
    What I have tried to achieve is:
    1. When a user logs in and authentication succeeds, I will add a custom cookie to the response.
    2. Get the custom cookie added in the security manager class and do manipulations to check whether the user is authenticated.
    Using the method you have suggested, I was not able to get any custom cookies added in other applications.
    I tried the code using the resource context (resource context obtained from IUser) as suggested in other threads,
    HttpServletRequest request = (HttpServletRequest) resourceContext.getObjectValue("http://sapportals.com/xmlns/cm/httpservletrequest");
    But this API returns null.
    Any way to achieve?
    Regards
    Yoga

  • Cannot assign custom security manager to repository

    Hello,
    I've been following the details on how to implement a read-only security manager (https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e2ddd63d-0b01-0010-46bb-e092790068cb) and I have run into the following problem:
    After following the instructions for option B in the document (creating a security manager only) and  deploying my project, the new security manager appears in the list of managers on the admin screen (Content Management -> Repository Managers -> Security Manager) but it is not available in the drop down list of security managers for my repository. Without that entry I cannot apply the new security manager to my repository.
    According to the document, the new security manager should be part of this list but it is not even after I've restarted the J2EE engine.
    The document is dated May 2006 so perhaps there have been some changes to the system that are not covered in the document. We are running NW 7.0 SP14.
    Any help in determining why my custom security manager is not part of the security manager drop down list would be appreciated.

    Ok, after much decompiling and inspection of the standard KM security manager implementations I found the answer to my question.
    Basically I found that the security manager tutorial only applies if you plan on using your custom security manager with your own custom repository manager. You cannot apply a security manager created using that document to a standard KM repository manager.
    In my case I want to apply a custom security manager to a standard KM File System Repository. By inspecting the SFSRepositoryManager.cc.xml file I found the following entry:
    <attribute name="securitymgr.ref" type="ref" refType="/cm/repository_managers/security_managers/SecurityManager" mandatory="false" hotReload="true" />
    The refType value defines which security managers are displayed in the drop down list of available Security Managers at runtime for the repository manager. In order to get a custom security manager to be available you must define the cc.xml for your custom security manager so that it extends "SecurityManager" not "SecurityManagerMi" as the tutorial describes.
    Changing the extension means your security manager implementation must also change so that it extends com.sapportals.wcm.repository.manager.AbstractRepositorySubManager and implements com.sapportals.wcm.repository.manager.ISecurityManager.
    Now if only I could figure out how to reward points to myself .....

  • Column Level Security - Grand Total row

    Hello All, I have a question about Column Level Security in a report where Grand Total is turned on. I am working inside of the OOTB Paint rpd and I am looking at the 'Finish Sales Trend for Current Year' report on the Brand Analysis dashboard page. Inside of the Admin Tool I added column level security on the Units presentation column in the Sales Measures table. I implemented security that will not allow the Central Region Manager group to view the Units column. When I access the report I noticed that the Grand Total row of the table is slightly skewed because the Units column is hidden. The Grand Total row is showing, however all the results are off by 1 cell.
    The forum is not allowing me to attach pictures to this post.
    Thanks for your help

    Hi User,
    It is a bug; refer to Metalink:
    Bug.9576412 - GRAND TOTAL NOT WORKING WHEN COLUMN LEVEL SECURITY IS IMPLEMENTED
    For example, consider a report with the following columns:
    Year Product Measure1 Measure2
    In this, column level security is enabled for Measure1 (user1 is not supposed to see the data).
    Then the grand total value of Measure2 will appear in the grand total of Measure1 (for user1).
    When column level security is enabled, that column will be pushed to the end of the table view.
    That is why it is happening.
    By using case statements with groups or users we can get it to work without enabling the column level security.
    Thanks,
    Vino
