Securing a J2EE web app

Hi, probably the wrong place to put this but i couldn't find anywhere more suitable :-p
I've got a web app that i've got secured using a JDBC realm, using web.xml configuration etc and all is well. However I want to limit it so that if a user logs in then no-one can log in again with the same credentials until said user has logged out. Is this possible out of the box with JEE5 or do i have to implement something myself to redirect output.
Regards
ARB

Not sure how 'out the box' you want.
Tomcat has this feature which can be configured by adding username/password paris to an xml file, I realise Tomcat is not part of the JEE5 bundle but it is 'out the box' and you need a server, right?

Similar Messages

GetAccess SSO and WebLogic J2EE Web app

I have a J2EE web app (servlets/JSPs) running in WLS5.1sp8. I want to use standard
J2EE declarative security to protect the application and a WLS custom security
realm to provide authorisation.
However, I need to use the Entrust getAccess single sign-on infrastructure to
do the initial user authentication. I was hoping there might be some way to propogate
the user's getAccess security credentials into the web application so that when
the user hits a protected web page, they are not prompted to login in again.
However, Weblogic should call into my custom realm with the getAccess provided
user name to check that the user has the correct role.
Anyone have any ideas how/if this is possible?
Thanks,
Martin

That was a good article on how to maintain access levels based on different user roles and i will need it down the lane. Probably, i used a wrong word when i meant 'unauthorized user'.
Actually, let me rephrase it,
Here is my issue rephrased,
1.) My problem is during authentication phase, I want a functionality where a person is redirected to login page by default if he tries to paste URL of some intermediate page of application directly without logging in.
2.) This would also pop up another question, which would be what is the best practice to maintain a user's info i.e. his login credentials throughout the application (I am just storing his user id along with a flag which says its true.) .
Right now, the way i do is, in each action after the user logs in, I check for a session attribute which tells if he has logged. Based on this check, I forward to the next page. But, i think its quite redundant and probably not a best practice. Hence, I need some other elegant way of achieving this.

Integrating Digital Signatures into J2EE Web App

I have a requirement to add digital signature functionality to a J2EE web application. Our customers would like to press a �sign� button on a web page, be prompted to connect their hardware security token (e.g. USB device or smart card), and the signatures stored inside our system for later verification (e.g. in court).
The main issue I can see is that when using hardware-based tokens the private key can never leave the device, so the device itself does the signing. Whereas our J2EE Web Application has all the code on the app server tier, and the data is located on the database (and in our architecture cannot be exported to client PCs for security reasons).
Does anyone know of any solutions to this kind of requirement? Any vendor toolkits that allow this? From what I�ve read from researching this subject the pieces are all there but most web-based security solutions only implement application login authentication of one sort or another.

Hi Tony,
As of DIAdem 2012 there is no product feature that makes it easier to create a web front end to DIAdem. You can host DIAdem with a terminal services approach such as Citrix, which will give you all of DIAdem's functionality in a web GUI. You can also host DIAdem on a cloud server if that's where your data is.
On final option is that LabVIEW offers a user programmable web server which can make calls to DIAdem via ActiveX.
Brad Turpin
DIAdem Product Support Engineer
National Instruments

Guide to developing SECURE TOMCAT/JSP web apps - ??

Hi,
It would be very useful to have a checklist or guidelines to ensure a JSP/tomcat web site one develops is secure, in particular for the scenario where the web application is not huge/complex &/or is developed by part-time developers. That is I guess I'm generally asking for the easiest way of ensuring one develops a secure JSP/tomcat app.
Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web app is secure? The types of things I'm thinking of include the following items, which I've put forward as specific questions to the mail group in their own right.
Q2 - How do you ensure directory's under doc root can't be viewed? (ie users see a directory listings)
     - is putting in an index.html in each sub-directory a solid answer?
     - can this be handled in one hit via WEB.XML entries? if so an example if possible?
Above and beyond basic User Authentication checking (eg username/password check at beginning of session) what is an easy but secure way of checking -:
Q3 check that user (ie specific) is allowed to access a specific JSP page? (assuming the web app is a totally JSP based solution, ie no controller servlet frontend, ie and that all JSP pages are effectively assessable under docroot). Easy way of doing this?
     eg (a) put specific check at beginning of each JSP page?
     (b) other?
and
Q4 given that a user is allowed to access that JSP page, check that he is allowed to view the data which he has requested? (ie stop people determining how the URL with parameters is constructed and manually changing the parameters - eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4". Easy way of doing this?
     eg (a) put specific check at beginning of JSP page?
     (b) other
Q5 Is it generally acceptable, given appropriate precautions are taken, to setup a web site with all JSP files assessable under doc root, and that the manner in which the user navigates around the application is based on direct calls from the browser to the next JSP page with parameters? (again one concern I have is eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4"). If this is not acceptable what is recommended?
     (a) as above put a specific check at the beginning of the JSP page
     (b) for example having to specifically put a controller servlet as a front end, and then direct to JSP pages which are hidden?
- in this case how can one hide specific directories under doc root?
     (c) other??
Q6. Regarding image security I assume one really does have to store them outside doc root and develop a small "getImage" servlet so that requests to images can be verified to ensure that (assuming the app lets users load images) the end user can't see another user's image?
Q7. Any other general checklist items for a simple JSP/tomcat web site re security one should check for???
Thanks in Advance
Greg

Have you ever looked at the Jakarta struts framework for developing web apps? You could then incorporate your custom designed security both into your own extension of the controller servlet (check if particular user has access to certain pages / actions). You can also design your own custom tags which determine whether a particular user has access to certain parts of the page. You cal also perform additional checks in the actions, to ensure that the user does have access to certain actions (i.e. checking parameters etc.)

PHP_MySQL version of a high security user authentication web app.

Since you folks deal with PHP Application Development, I am posting this here.
For a demo of the PHP_MySQL version of the UltraSuite High Security User Authentication Web Application, you can sign up at http://bit.ly/hgNjek.
It offers a multi-layered approach security approach towards protecting important information like user authentication credentials. Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more.
I hope your feedback will help make the application even more useful and secure.
Thank you!
J.S.

Hi,
could you or someone tell me if ADDT supports protection against these methods you mention:
Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more??
And can this system work alongside ADDT?
thanks again

Setting security constraint for web App

Hai all!
I am new to bea and i am trying to set up security constraints for my webaplication..
I want user to be authenticated before he access any of the pages in browser..
All i did was adding following entries to web.xml
<security-constraint>
          <web-resource-collection>
               <web-resource-name>
                    webresources
               </web-resource-name>
               <url-pattern>
               </url-pattern>
          </web-resource-collection>
          <login-config>
               <auth-method>
               BASIC
               </auth-method>
          </login-config>
     </security-constraint>
But no such thing is happening,,
I know i am doing wrong but donno where exactly i am wrong..
Pls guide me in sequnece of steps regarding what to do to accomplish what i want..
Thanks and Regards
Manohar

I guess you need to set the role that is allowed to log into your application.
try this in web.xml:
     <security-constraint>
          <display-name>Whatever</display-name>
          <web-resource-collection>
               <web-resource-name>resource</web-resource-name>
               <description>Desc</description>
               <url-pattern>/*</url-pattern>
               <http-method>GET</http-method>
               <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
               <description>desc</description>
               <role-name>MyRole</role-name>
          </auth-constraint>
               <user-data-constraint>
               <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
     <login-config>
          <auth-method>BASIC</auth-method>
     </login-config>
     <security-role>
          <description>desc</description>
          <role-name>MyRole</role-name>
     </security-role>
and map the role with a group/user in weblogic.xml:
     <security-role-assignment>
          <role-name>MyRole</role-name>
          <principal-name>MyGroupOfUsers</principal-name>
     </security-role-assignment>
Hope this helps.
Xavi
"Manohar" <[email protected]> wrote:
>
Hai all!
I am new to bea and i am trying to set up security constraints for my
webaplication..
I want user to be authenticated before he access any of the pages in
browser..
All i did was adding following entries to web.xml
<security-constraint>
          <web-resource-collection>
               <web-resource-name>
                    webresources
               </web-resource-name>
               <url-pattern>
               </url-pattern>
          </web-resource-collection>
          <login-config>
               <auth-method>
               BASIC
               </auth-method>
          </login-config>
     </security-constraint>
But no such thing is happening,,
I know i am doing wrong but donno where exactly i am wrong..
Pls guide me in sequnece of steps regarding what to do to accomplish
what i want..
Thanks and Regards
Manohar

Web app security exception: Bad URLMatchMap

Can anyone help me diagnose an error? I am simply trying to place a security constraint
on a servlet within an ear-deployed web-application.
The exception occurs as the first POST comes to the servlet I am trying to protect:
<Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAp
pSecurity.java:135)
at weblogic.servlet.security.internal.SecurityModule.checkTransport(Secu
rityModule.java:177)
at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSe
curityModule.java:48)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess
(ServletSecurityManager.java:150)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppSe
rvletContext.java:1250)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestIm
pl.java:1622)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
>
<?xml version="1.0" ?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
<web-app>
<display-name>ANSWeb</display-name>
<description>no description</description>
<servlet>
<servlet-name>UPMessageServlet</servlet-name>
<display-name>UPMessageServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>ANSServlet</servlet-name>
<display-name>ANSServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
<load-on-startup />
</servlet>
<servlet>
<servlet-name>WCTPServlet</servlet-name>
<display-name>WCTPServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UPMessageServlet</servlet-name>
<url-pattern>/UPMessage</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ANSServlet</servlet-name>
<url-pattern>/Server</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WCTPServlet</servlet-name>
<url-pattern>/WCTPCallback</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<resource-ref>
<description>no description</description>
<res-ref-name>url/ANS.dtd</res-ref-name>
<res-type>java.net.URL</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Server</web-resource-name>
<url-pattern>/Server</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Client</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>Client</role-name>
</security-role>
<ejb-ref>
<description>no description</description>
<ejb-ref-name>ejb/ANSServer</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>com.aether.ans.server.ANSServerHome</home>
<remote>com.aether.ans.server.ANSServer</remote>
</ejb-ref>
<ejb-ref>
<description>no description</description>
<ejb-ref-name>ejb/Alert</ejb-ref-name>
<ejb-ref-type>Entity</ejb-ref-type>
<home>com.aether.ans.entity.AlertHome</home>
<remote>com.aether.ans.entity.Alert</remote>
</ejb-ref>
</web-app>
<?xml version="1.0" ?>
<!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
<weblogic-web-app>
<description>no description</description>
<security-role-assignment>
<role-name>Client</role-name>
<principal-name>Client</principal-name>
</security-role-assignment>
<reference-descriptor>
<resource-description>
<res-ref-name>url/ANS.dtd</res-ref-name>
<jndi-name>ans.url.dtd</jndi-name>
</resource-description>
<ejb-reference-description>
<ejb-ref-name>ejb/Alert</ejb-ref-name>
<jndi-name>ejb.Alert</jndi-name>
</ejb-reference-description>
<ejb-reference-description>
<ejb-ref-name>ejb/ANSServer</ejb-ref-name>
<jndi-name>ejb.ANSServer</jndi-name>
</ejb-reference-description>
</reference-descriptor>
</weblogic-web-app>

Hi Andrew,
Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
Kind Regards,
Alex

Web app security not working

Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
app.
I created an App and created a web project. In it, I deleted the controller, etc
and just have index. jsp. All the index.jsp does is: <%= request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>
When I run the app, it just renders the JSP and does not challenge me to login.
Can you please help what is that I am doing wrong here?
Thanks,
John

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Office Web Apps server security question

Hello,
According to this technet article Microsoft appears to recommend against allowing both external and internal users access to your OWA server.
http://technet.microsoft.com/en-us/library/jj219435(v=office.15).aspx#viewers
"Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files.
We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the intranet or the Internet, but not both. This is because Office Web Apps Server doesn’t differentiate between requests for intranet
and Internet URLs. Somebody on the Internet could request an intranet URL, for example, causing a security leak if an internal document is viewed."
Just trying to make sense of this. I am building a new Lync 2013 environment and I definitely want my internal users to be able to leverage the OWA server. So does that mean I should not publish that server to the internet? And if I do
not, does that mean my users will not be able to share a powerpoint presentation at all to external users? If this is all true and I'm understanding this correctly, does this mean that most implementations choose one or the other? Or does Lync not
use these "Online Viewers" so I can just disable them and users will still be able to share powerpoint presentations with external users?
Thanks for any help you can provide for this confusion.

No, you should publish to both internal and Internet on the same server, it's just how it's done with Lync. You can't really have two with Lync for this purpose anyway. Users will upload PowerPoint presentations to it when it's time to share,
no editing is possible, and the risk is generally minimal. You can shorten the cache time to help if you're concerned.
Regardless, from the article:
http://technet.microsoft.com/en-us/library/jj219442(v=office.15).aspx setting OpenFromUrlEnabled "Turns on or off the ability to use Online Viewers to view Officefiles from a URL or UNC path.". This is set to false and turned off by default.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications

Web-app scoped security policies not working in WL 8

Hi,
I can't get web-app scoped security policies working in WL 8.1
I have a simple web application. It defines a role(ROLE) and security
constraint (on *.jsp).
If I examine the web app in the administration console, I see that it
has created a role (scoped to /*) called "ROLE" just as you would
expect. It has also created a scoped policy (to *.jsp) with constraints
that the user be in the role ROLE. This is as expected, and it works.
However, if I proceed to create my own scoped policy (on *.html) with
constraints (on ALL methods) that the user be in role ROLE, then I get
no security at all. ie. I can go to server:port/foo.html and it will
work - it is not secured.
Any ideas?
On a completely unrelated issue, when I deploy an EAR (exploded) with a
WAR (exploded) and using the admin console expand the application
correpsonding to th EAR, right click on the WAR node, and try and define
a scoped role, then I get an error "There are no appropriate RoleEditor
providers configured". This sounds like a bug. Trying to define a
scoped policy works as expected.
TIA,
Jon

I can't get web-app scoped security policies working in WL 8.1Well, I can answer this one myself.
WebLogic 8 has a new optimisation (this wasn't present in 7 AFAIK),
available on the Security / Realm / myreal / General tab, which
determines whether or not weblogic considers authorisation of resources
protected by descriptors or not. (ie. it can force only
descriptor-protected authorisation, ignoring admin console policies).
It defaults to ignoring admin console policies, hence my problem.
Jon

Web app security + JAAS

I'm working on the authentication/authorisation aspects of a fairly
large web application using WLS 6.0 (ie allowing users to login and
access resources based on role etc).
Its a standard JSP/Servlet/EJB type architecture and so far it seems
the FORM-based authentication will serve our needs well. However, I've
been instructed (by higher powers) to investigate JAAS authentication.
It looks far more complex to implement so my question is, does it
offer any significant advantages that justify the extra work?
Thanks for your time.

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Web app security ... i don't get it

I do not get it how do one configure web.xml
I want every page to be protected against unlogged user and some pages only to some of them
From what I read it's only necessary to have only one root role that every user is part of and then any sub-role is recognized
My use case:
every page should be protected against unauthorized user
<security-constraint>
        <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
        <web-resource-collection>
            <web-resource-name>JSF Pages</web-resource-name>
            <url-pattern>/faces/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>fullaccess</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>and I want that managers only to have access to /managers so I guess that a new </security-constraint> must be issued to allow the users that have managers role to access the resource.
<security-constraint>
        <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
        <web-resource-collection>
            <web-resource-name>JSF Pages</web-resource-name>
            <url-pattern>/faces/manager/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>managers</role-name> ????
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint> What are the roles that must be declared in web.xml knowing that
<security-role-assignment>
         <role-name>fullaccess</role-name>
         <principal-name>public</principal-name>
     </security-role-assignment>
</weblogic-web-app> and in the realm public group has a member 'managers' (that in my opp must not be mapped)?
..on the moment there is only
<security-role>
        <description>acces pe toate paginile web</description>
        <role-name>fullaccess</role-name>
    </security-role>thanks, Florin POP

Hi guys.
A username and password info to connect to BC is the following:
Username - Your adobe ID email
Password - Your password.
To connect to SFTP its...
Server: Just the address (yoursite.businesscatalyst.com)
username - yoursite.businesscatalyst.com/[email protected]
Password - your password.

Web app security & IIS?

I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
authentication. I don't want to use FORM because the original Perl app (from which
my web app is derived) also used BASIC and I don't want the interface to change.
I've found that the security works great if I go directly to the weblogic server,
so it looks like the problem is with IIS (we're fowarding requests from IIS to
WebLogic). I think the problem lies in my web.xml. It has this in it:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MLV Users Only</realm-name>
</login-config>
From what I can tell, weblogic just uses the realm-name as a label in the dialog
box that pops up, and for nothing else. My guess is that IIS is really trying
to use this as a security realm.
Am I on the right track? Anyone got any hints?
Gary

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Office Web Apps - Best Practice for App Pool Security Account?

Guys,
I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
Generally speaking, I put service applications in their own application pool.
Obviously by doing so this has an overhead on memory and processing, however generally speaking it is best practice from a security perspective when using separate accounts.
I have to create 3 new service applications in order to deploy Office Web Apps, in my test environment these are using the Default SharePoint app pool.
Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
Cheers,
Conrad
Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007

i run my OWA under it's own service account (spOWA) and use only one app pool. Just remember that if you go this route, "When
you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content
databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx)

Web App {tag_edit} doesn't render in web Web App search results within secure zone?

We have secure zones that are to display certain web app items to be filtered by Category. The secure zone members need to filter through web app items and edit these items from the list view. We've set it up accordingly and the list view is exactly how it should be when it is simply displaying on a page within the secure zone, however when the web app search/filtering is applied the "edit" tag doesn't display. Is there anyway to have this work or does it simply not? Please tell me it is possible to filter and edit web apps.
Thanks in advance,

Hi The Bowery, the edit tag will not show in general web app item search results unless the owner of that web app item is logged in to a secure zone to view it.
However, if you are happy for anyone looking at the website to edit all web app items, you can set that in the properties of the web app itself. Then I think the edit tag will show to anyone looking at the web app items.
If you only want the web app item owner to edit the web app item then you need to set up a secure zone for them to log in and view it.
It will show when the web app item owner is logged in and viewing the web app items, if the edit tag has been added to the layout customisations. So it will only show to the web app item owner.
You need to set up a secure zone for the web app item owners to upload and edit their web app items.
Search results on a webapp use the List template layout for the webapp to show a summary of the search results and the detail Template Layout is what shows when you click on the search result summary item. In webapp setups I usually put the edit tag in the List template

Securing a J2EE web app

Similar Messages

Maybe you are looking for