Security Bug in weblogic.httpd.enable

 

Hi!
When I set this "weblogic.httpd.enable=false", I will get UnmarshalException
for WLStub at ejb client whenever I update my classes. Is this by design?
When I comment out this, the error is gone.
Regards
Yew Yap
"Vince" <[email protected]> wrote in message
news:87f5ng$g7g$[email protected]..
Hi all,
I don't know whether you all know this or not, but I would feel guilty if I
didn't tell all of you. I found a bug in the properties file. WebLogic
claimed that the httpd can be disabled for security purposes. However, I
realized that no matter what boolean you assign to weblogic.httpd.enable,
the httpd is still alive. The setting in the properties file has no effect
at all. For those of you who have to disable httpd for the security of your
internal networks, this is really a problem. I have reported this to BEA
and will see how they fix this. You can test this on your WebLogic server
by setting the property to false and testing to see if the clients can connect
to your server using http. I was able to use a browser to connect to the
server, and even more, I could replace t3 with http in my Java code to connect
to my EJBs after I disabled httpd.
Vince
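
The test Vince describes above (set the property to false, then see whether the listen port still answers HTTP), written as an added example that is not part of the original posts or of WebLogic. The function names, the constructed properties text and the local stand-in listener are assumptions made for the illustration.

```python
import socket
import threading


def httpd_enable_setting(properties_text):
    """Return True/False for weblogic.httpd.enable, or None if the key is absent.

    Only the key=value form used in the posts is parsed; '#' and '!' lines
    are treated as comments.
    """
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        if key.strip() == "weblogic.httpd.enable":
            value = raw.strip().lower() == "true"  # last occurrence wins
    return value


def probe_http(host, port, timeout=3.0):
    """Classify host:port as 'closed', 'http' or 'open-non-http'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    reply = b""
    with sock:
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            while len(reply) < 5:          # enough to see the "HTTP/" prefix
                chunk = sock.recv(64)
                if not chunk:
                    break
                reply += chunk
        except OSError:
            pass                           # timeout or reset: judge what arrived
    return "http" if reply.startswith(b"HTTP/") else "open-non-http"


def verify(properties_text, host, port):
    """Compare the configured value with what the port actually does."""
    configured = httpd_enable_setting(properties_text)
    observed = probe_http(host, port)
    return {
        "configured": configured,
        "observed": observed,
        # The condition reported in the post: disabled on paper, HTTP on the wire.
        "mismatch": configured is False and observed == "http",
    }


def start_listener(banner):
    """Constructed stand-in for a server port: answers one client with `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2)
            try:
                conn.recv(1024)            # consume the probe's request
            except OSError:
                pass
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed input: a properties fragment and a local port that still speaks HTTP.
    props = "# constructed sample\nweblogic.httpd.enable=false\n"
    port = start_listener(b"HTTP/1.0 200 OK\r\n\r\n")
    print(verify(props, "127.0.0.1", port))
```

Run against the real listen port after each restart or service pack, a `mismatch` of `True` means the setting cannot be relied on and the port needs to be restricted at the network layer instead.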

Similar Messages

  • Serious security bug in weblogic 6.0

    When I use JAAS to authenticate to WebLogic Server 6.0, everything is beautiful. But
    I easily bypass the JAAS authentication and could log in to WebLogic Server 6.0
    as anybody with any credential. Think about it: if I log in as system with the
    wrong password and I get in, the caller will be system.
    If anyone inside the WebLogic team is interested in talking about it, please give
    me an email. I don't want to post how I did it right now.

    This potential vulnerability has been confirmed and has been fixed in BEA WebLogic
    Server 6.0 Service Pack 1 (SP1). SP1 is currently available for download from
    the BEA Download Center at
    http://commerce.bea.com/downloads/weblogic_server.jsp#wls.
    BEA advises every Service Pack be applied as they are released. Service Packs
    include a roll up of all bug fixes for each version of the product, as well as
    each of the previously released Service Packs.
    BEA treats security issues with the highest degree of urgency and does everything
    possible to ensure the security of all customer assets. As a policy, if there
    are any security-related issues with any BEA product, BEA will distribute an advisory
    and instructions with the appropriate course of action.
    Because the security of your site, data, and code is
    our highest priority, we are committed to communicating all
    security-related issues clearly and openly.
    BEA has established a permission-based emailing list specifically
    targeted for product security advisories. As a policy, if a user has opted in
    to our emailing list and there are any security issues with the BEA product(s)
    he/she is using, BEA will distribute an advisory and instructions via email with
    the appropriate course of action.
    REPORTING SECURITY ISSUES
    For immediate attention, BEA has established an email address to which you can
    send reports of any possible security issues in BEA products.
    These reports should be sent to: [email protected]
    All correspondence to this address will be promptly reviewed and all necessary
    actions taken to ensure the continued security of all customer assets.
    SUBSCRIBE TO EMAIL ALERT
    You may subscribe to the permission-based emailing list to receive alerts of security
    advisories by registering with BEA at:
    http://contact.beasys.com/bea/www/securityelogin.jsp.
    Sincerely,
    Marc Bishop
    Security Product Manager
    BEA WebLogic Server

  • Weblogic.httpd.session.cookies.enable not working in WLS4.5 sp 11 ?

    I want to disable the use of cookies in WLS 4.5, and set the following
    weblogic.httpd.session.cookies.enable=false
    In WLS 4.5 sp7, this correctly prevents the server from using cookies
    for session-tracking, forcing the extraction of the session id from a
    rewritten URL.
    However, for WLS 4.5 sp11 cookies are still sent from the server.
    Is this a known issue?
    jo

  • NPE using weblogic.httpd.clustering.enable

    I'm having some difficulty trying to configure a cluster. If I set the
              property "weblogic.httpd.clustering.enable" to true I will get the attached
              NullPointerException. Where did I do wrong?
              Thanks for help.
              -- Jerry
              Tue Sep 26 14:09:13 PDT 2000:<I> <HTTP> Log rotation is size based
              Unable to initialize server: java.lang.NullPointerException
              fatal initialization exception
              java.lang.NullPointerException
              at weblogic.t3.srvr.HttpServer.start(HttpServer.java:398)
              at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1305)
              at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
              

              Dimitri Rakitine wrote:
              > I think what it means is that you do not need cluster license (and cluster enabled) to
              > use session persistence, and you do not need to set weblogic.httpd.clustering.enable to
              > use file or jdbc persistence.
              But I do need to use clustering and in order to do that
              I gotta have the weblogic.httpd.clustering.enable set to true among
              all other cluster related properties. What would be the point of using session persistence without
              actually running your servers in a cluster ?
              Right ??
              >
              >
              > Andrzej Porebski <[email protected]> wrote:
              >
              > > We are getting the same exact error (NPE). The reason for this error is null ClusterManager
              > > singleton in weblogic and the only way that thing can be null is if the clustered was not properly configured.
              > > Now, according to weblogic docs, if you use jdbc based session persistence, you should
              > > not have to have the so called "cluster" license for Weblogic but that does not seem
              > > to hold glue. We have configured the server to use the jdbc based session
              > > persistence but we still get the error
              >
              > > Wed Sep 27 14:59:11 EDT 2000:<E> <WebLogicServer> #########################################################
              > > Wed Sep 27 14:59:11 EDT 2000:<E> <WebLogicServer> ## Unable to join cluster: Unable to find a license for clustering
              > > Wed Sep 27 14:59:11 EDT 2000:<E> <WebLogicServer> #########################################################
              >
              > > during startup and then the NPE at the very end.
              >
              > > If any one has solved this problem please let me know.......
              >
              > > Thanks
              >
              > > Andrew
              >
              > > Dimitri Rakitine <[email protected]> wrote:
              > >>I think what Weblogic was trying to say (in a somewhat cryptic way)
              > >>is that you didn't set weblogic.cluster.enable=true property.
              > >>
              > >>Jerry Soung <[email protected]> wrote:
              > >>> I'm having some difficulty trying to configure a cluster. If I set the
              > >>> property "weblogic.httpd.clustering.enable" to true I will get the attached
              > >>> NullPointerException. Where did I do wrong?
              > >>
              > >>> Thanks for help.
              > >>
              > >>> -- Jerry
              > >>
              > >>> Tue Sep 26 14:09:13 PDT 2000:<I> <HTTP> Log rotation is size based
              > >>> Unable to initialize server: java.lang.NullPointerException
              > >>> fatal initialization exception
              > >>> java.lang.NullPointerException
              > >>> at weblogic.t3.srvr.HttpServer.start(HttpServer.java:398)
              > >>> at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1305)
              > >>> at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
              > >>
              > >>Dimitri
              > >>http://dima.dhs.org
              >
              > --
              > Dimitri
              > http://dima.dhs.org
              

  • Weblogic.httpd.defaultWebApp  & weblogic.httpd.webApp. name : PROBLEM!!!

    I have a client that gives this error: ---------------------------------------------
    javax.naming.CommunicationException. Root exception is java.lang.ClassNotFoundException:
    class com.dat.abs.ejb.GenClassSessionEJBHomeImpl_WLStub previously not found at
    weblogic.rjvm.MsgAbbrev.read(MsgAbbrev.java, Compiled Code) at java.lang.Exception.<init>(Exception.java,
    Compiled Code) at java.lang.ClassNotFoundException.<init>(ClassNotFoundException.java,
    Compiled Code) at weblogic.rjvm.MsgAbbrev.read(MsgAbbrev.java, Compiled Code)
    at weblogic.socket.JVMAbbrevSocket.readMsgAbbrevs(JVMAbbrevSocket.java:505) at
    weblogic.rjvm.MsgAbbrevInputStream.prime(MsgAbbrevInputStream.java:134) at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:700)
    at weblogic.rjvm.ConnectionManagerClient.handleRJVM(ConnectionManagerClient.java:34)
    at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:630) at weblogic.socket.JVMAbbrevSocket.dispatch(JVMAbbrevSocket.java:393)
    at weblogic.socket.JVMSocketT3.dispatch(JVMSocketT3.java, Compiled Code) at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java,
    Compiled Code) at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:23)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled Code)
    --------------- nested within: ------------------ weblogic.rmi.UnmarshalException:
    Unmarshalling return - with nested exception: [java.lang.ClassNotFoundException:
    class com.dat.abs.ejb.GenClassSessionEJBHomeImpl_WLStub previously not found]
    at weblogic.jndi.toolkit.BasicWLContext_WLStub.lookup(BasicWLContext_WLStub.java:256)
    at weblogic.jndi.toolkit.WLContextStub.lookup(WLContextStub.java, Compiled Code)
    at javax.naming.InitialContext.lookup(InitialContext.java:349) at com.dat.gen.GenEJBHelper.getHomeFor(GenEJBHelper.java:32)
    at abs.ABSGenClassInfo.getGenClassSessionHome(ABSGenClassInfo.java:743) at abs.ABSGenClassInfo.getGenClass(ABSGenClassInfo.java:266)
    at abs.ABSGenClassInfo.buildInheritanceStack(ABSGenClassInfo.java, Compiled Code)
    at abs.ABSGenClassInfo.<init>(ABSGenClassInfo.java:247) at abs.ABSGenClassInfo.getClassInfoFor(ABSGenClassInfo.java:217)
    at abs.ABSVerifyClassDependencies.doItWithContext(ABSVerifyClassDependencies.java,
    Compiled Code) at abs.ABSMainThread.verifyClassDependencies(ABSMainThread.java,
    Compiled Code) at abs.ABSMainThread.run(ABSMainThread.java, Compiled Code) java.lang.NullPointerException:
    at abs.ABSGenClassInfo.getGenClass(ABSGenClassInfo.java:266) at abs.ABSGenClassInfo.buildInheritanceStack(ABSGenClassInfo.java,
    Compiled Code) at abs.ABSGenClassInfo.<init>(ABSGenClassInfo.java:247) at abs.ABSGenClassInfo.getClassInfoFor(ABSGenClassInfo.java:217)
    at abs.ABSVerifyClassDependencies.doItWithContext(ABSVerifyClassDependencies.java,
    Compiled Code) at abs.ABSMainThread.verifyClassDependencies(ABSMainThread.java,
    Compiled Code) at abs.ABSMainThread.run(ABSMainThread.java, Compiled Code) Class
    AngelaForBatch not found!! java.lang.NullPointerException at abs.ABSVerifyClassDependencies.doItWithContext(ABSVerifyClassDependencies.java,
    Compiled Code) at abs.ABSMainThread.verifyClassDependencies(ABSMainThread.java,
    Compiled Code) at abs.ABSMainThread.run(ABSMainThread.java, Compiled Code) javax.naming.CommunicationException.
    Root exception is java.lang.ClassNotFoundException: class com.dat.abs.ejb.GenClassSessionEJBHomeImpl_WLStub
    previously not found at weblogic.rjvm.MsgAbbrev.read(MsgAbbrev.java, Compiled
    Code) at java.lang.Exception.<init>(Exception.java, Compiled Code) at java.lang.ClassNotFoundException.<init>(ClassNotFoundException.java,
    Compiled Code) at weblogic.rjvm.MsgAbbrev.read(MsgAbbrev.java, Compiled Code)
    at weblogic.socket.JVMAbbrevSocket.readMsgAbbrevs(JVMAbbrevSocket.java:505) at
    weblogic.rjvm.MsgAbbrevInputStream.prime(MsgAbbrevInputStream.java:134) at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:700)
    at weblogic.rjvm.ConnectionManagerClient.handleRJVM(ConnectionManagerClient.java:34)
    at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:630) at weblogic.socket.JVMAbbrevSocket.dispatch(JVMAbbrevSocket.java:393)
    at weblogic.socket.JVMSocketT3.dispatch(JVMSocketT3.java, Compiled Code) at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java,
    Compiled Code) at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:23)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled Code)
    --------------- nested within: ------------------ weblogic.rmi.UnmarshalException:
    Unmarshalling return - with nested exception: [java.lang.ClassNotFoundException:
    class com.dat.abs.ejb.GenClassSessionEJBHomeImpl_WLStub previously not found]
    at weblogic.jndi.toolkit.BasicWLContext_WLStub.lookup(BasicWLContext_WLStub.java:256)
    at weblogic.jndi.toolkit.WLContextStub.lookup(WLContextStub.java, Compiled Code)
    at javax.naming.InitialContext.lookup(InitialContext.java:349) at com.dat.gen.GenEJBHelper.getHomeFor(GenEJBHelper.java:32)
    at abs.ABSGenClassInfo.getGenClassSessionHome(ABSGenClassInfo.java:743) at abs.ABSGenClassInfo.getGenClass(ABSGenClassInfo.java:266)
    at abs.ABSGenClassInfo.buildInheritanceStack(ABSGenClassInfo.java, Compiled Code)
    at abs.ABSGenClassInfo.<init>(ABSGenClassInfo.java:247) at abs.ABSGenClassInfo.getClassInfoFor(ABSGenClassInfo.java:217)
    at abs.ABSGenDirectory.retrieveGenClassPackage(ABSGenDirectory.java:110) at abs.ABSGenDirectory.doItWithContext(ABSGenDirectory.java,
    Compiled Code) at abs.ABSMainThread.verifyClassDependencies(ABSMainThread.java,
    Compiled Code) at abs.ABSMainThread.run(ABSMainThread.java, Compiled Code) java.lang.NullPointerException:
    at abs.ABSGenClassInfo.getGenClass(ABSGenClassInfo.java:266) at abs.ABSGenClassInfo.buildInheritanceStack(ABSGenClassInfo.java,
    Compiled Code) at abs.ABSGenClassInfo.<init>(ABSGenClassInfo.java:247) at abs.ABSGenClassInfo.getClassInfoFor(ABSGenClassInfo.java:217)
    at abs.ABSGenDirectory.retrieveGenClassPackage(ABSGenDirectory.java:110) at abs.ABSGenDirectory.doItWithContext(ABSGenDirectory.java,
    Compiled Code) at abs.ABSMainThread.verifyClassDependencies(ABSMainThread.java,
    Compiled Code) at abs.ABSMainThread.run(ABSMainThread.java, Compiled Code) javax.ejb.EJBException:
    at abs.ABSGenClassInfo.<init>(ABSGenClassInfo.java:253) at abs.ABSGenClassInfo.getClassInfoFor(ABSGenClassInfo.java:217)
    at abs.ABSGenDirectory.retrieveGenClassPackage(ABSGenDirectory.java:110) at abs.ABSGenDirectory.doItWithContext(ABSGenDirectory.java,
    Compiled Code) at abs.ABSMainThread.verifyClassDependencies(ABSMainThread.java,
    Compiled Code) at abs.ABSMainThread.run(ABSMainThread.java, Compiled Code)
    javax.ejb.EJBException: at abs.ABSGenClassInfo.<init>(ABSGenClassInfo.java:253)
    at abs.ABSGenClassInfo.getClassInfoFor(ABSGenClassInfo.java:217) at abs.ABSGenDirectory.retrieveGenClassPackage(ABSGenDirectory.java:110)
    at abs.ABSGenDirectory.doItWithContext(ABSGenDirectory.java, Compiled Code) at
    abs.ABSMainThread.verifyClassDependencies(ABSMainThread.java, Compiled Code) at
    abs.ABSMainThread.run(ABSMainThread.java, Compiled Code) --------------------------------------------------------
    The com.dat.abs.ejb.GenClassSessionEJB class is correctly deployed.
    In the weblogic.properties I use:
    weblogic.httpd.defaultWebApp=d:/nowui (and no documentRoot).
    If I use weblogic.httpd.webApp.pippo=d:/nowui instead of weblogic.httpd.defaultWebApp,
    ALL WORKS FINE!!!!
    I'm using WebLogic 510 with SP9 in a Windows 2000 Prof environment.
    I think that is a bug of WebLogic...
    Can someone help me?
    Thanks

    String cookieName =
        T3Services.getT3Services().config().getProperty("weblogic.httpd.session.cookie.name");
              Cheers - Wei
              Kirby Drumm <[email protected]> wrote in message
              news:8j68e4$lqi$[email protected]..
              > Is there any way to determine the value of
              > weblogic.httpd.session.cookie.name from a java server page?
              >
              >
              >
              

  • Signature Validation Bug in WebLogic 10.3

    I believe I have come across a bug in WebLogic 10.3. I send a signed soap message to the server, but it gets rejected because it fails validation. Fair enough... Took a look at the trace and here is what I found:
    <Sep 23, 2008 9:41:03 AM EDT> <Info> <> <BEA-000000> <transformed data: [OctetData, as String in platform default encoding:<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18724844"><ser:deposit xmlns:ser="http://services/">
        <arg0>100</arg0>
    </ser:deposit></soapenv:Body>]>
    <Sep 23, 2008 9:41:03 AM EDT> <Info> <> <BEA-000000> <digest input: (as string, platform default encoding) <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18724844"><ser:deposit xmlns:ser="http://services/">
    <arg0>100</arg0>
    </ser:deposit></soapenv:Body>>
    ReferenceImpl.ValidateResultImpl:
    refURI: #id-18724844
    status: false
    digestValue: 1B35E823E5137581751EF6A8AB8DD8943D21F024
    unmarshalledDigestValue: B3DAB5E81C128858C84DBB05B361C8736C972443
    The reason the digest does not match is because WebLogic is not receiving the correctly formatted soap message. For some reason, weblogic does not see the carriage return between </ser:deposit> and </soapenv:Body>. I send the same message to a WebLogic 10.0 server and it does not run into this problem. I use soapUI 2.0.2 as my client.

    Instead of import weblogic.security.SubjectUtils; use import weblogic.security.spi.WLSUser; and get the username as below:
    // Collect the WLSUser principals attached to the authenticated Subject.
    Set users = subject.getPrincipals(WLSUser.class);
    Iterator iter = users.iterator();
    while (iter.hasNext()) {
        userName = ((WLSUser) iter.next()).getName();
        System.out.println(userName);
    }
    This returns you the username.

  • Another security bug??

    All,
    I am running Weblogic with SP3. In my web application configured to use
    form-based authentication. In the web.xml file I have:
    <servlet>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <servlet-class>examples.servlets.InfIIPSchedulerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <url-pattern>InfIIPSchedulerServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <url-pattern>jsp/InfIIPSchedulerServlet</url-pattern>
    </servlet-mapping>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>iip</web-resource-name>
    <description>Informatica Information Platform (IIP)</description>
    <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    </login-config>
    public class InfIIPSchedulerServlet extends HttpServlet {
        public void service(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            HttpSession session = req.getSession(false);
            res.setContentType("text/plain");
            ServletOutputStream out = res.getOutputStream();
            try {
                if (session == null) {
                    out.println("Session is null");
                } else {
                    out.println("Session is " + session.toString());
                    // Application session object stored at login time.
                    InfIIPSession ss = (InfIIPSession) session.getAttribute(
                            com.informatica.viewer.util.InfHttpSessionNames.USER_IIPSESSION);
                    Context context = ss.getContext();
                    out.println("<BR>Remote user is ");
                    out.println(req.getRemoteUser());
                    out.println("<BR>Principal is ");
                    out.println(req.getUserPrincipal().getName());
                    out.println("<BR>Principal in Context is ");
                    out.println((String) context.getEnvironment().get(Context.SECURITY_PRINCIPAL));
                }
            } catch (NamingException ne) {
                throw new ServletException(ne.getMessage());
            }
        }
    }
    After logging in successfully, a welcome page came up. I got the following
    output when invoking the servlet with url
    http://localhost:7001/iip/InfIIPSchedulerServlet
    Session is weblogic.servlet.internal.session.MemorySession@69abf940
    <BR>Remote user is
    dtseng
    <BR>Principal is
    guest
    <BR>Principal in Context is
    dtseng
    With url http://localhost:7001/iip/jsp/InfIIPSchedulerServlet the output
    becomes
    Session is weblogic.servlet.internal.session.MemorySession@69abf940
    <BR>Remote user is
    dtseng
    <BR>Principal is
    dtseng
    <BR>Principal in Context is
    dtseng
    The difference is that the first url is not a protected resource, while
    the second is. Why does req.getUserPrincipal().getName() return different values
    depending on the context in which it is executed? Is this a security bug?
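
The situation in the post above, one servlet reachable through both a constrained and an unconstrained URL, can be found by auditing the deployment descriptor. The following is an added example, not code from the post or from WebLogic: the `<web-app>` wrapper, the `<auth-constraint>` with its role name, and all function names are assumptions, and only exact, path-prefix and extension patterns are handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's mappings and constraint wrapped in a <web-app>
# root. The <auth-constraint> and its role name are assumptions added here; the
# fragment shown in the post has none.
WEB_XML = """
<web-app>
  <servlet>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <servlet-class>examples.servlets.InfIIPSchedulerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <url-pattern>InfIIPSchedulerServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>InfIIPSchedulerServlet</servlet-name>
    <url-pattern>jsp/InfIIPSchedulerServlet</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>iip</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>iip-user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def normalize(pattern):
    """Add the leading slash the post's mappings omit; keep '*.ext' patterns."""
    p = pattern.strip()
    return p if p.startswith(("/", "*.")) else "/" + p


def covers(constraint, path):
    """Servlet-style match of one constraint url-pattern against a path.

    `path` is relative to the web application's context root (/iip in the post).
    """
    c = normalize(constraint)
    if c.endswith("/*"):                       # path-prefix pattern
        prefix = c[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if c.startswith("*."):                     # extension pattern
        return path.rsplit("/", 1)[-1].endswith(c[1:])
    return path == c                           # exact pattern


def audit(web_xml):
    """Map each servlet name to its protected, unprotected and review URLs."""
    root = ET.fromstring(web_xml)
    # Only constraints that carry an <auth-constraint> demand authentication.
    constrained = [
        p.text
        for sc in root.iter("security-constraint")
        if sc.find("auth-constraint") is not None
        for p in sc.iter("url-pattern")
    ]
    report = {}
    for mapping in root.iter("servlet-mapping"):
        name = mapping.findtext("servlet-name").strip()
        url = normalize(mapping.findtext("url-pattern"))
        entry = report.setdefault(
            name, {"protected": [], "unprotected": [], "review": []})
        if "*" in url:
            entry["review"].append(url)        # wildcard mapping: check by hand
        elif any(covers(c, url) for c in constrained):
            entry["protected"].append(url)
        else:
            entry["unprotected"].append(url)
    return report


def split_exposure(web_xml):
    """Servlets reachable through both a protected and an unprotected URL."""
    return sorted(name for name, e in audit(web_xml).items()
                  if e["protected"] and e["unprotected"])


if __name__ == "__main__":
    for name, entry in audit(WEB_XML).items():
        print(name, entry)
    print("split exposure:", split_exposure(WEB_XML))
```

Any servlet that `split_exposure` reports either needs its unprotected mapping removed or a constraint pattern that covers it.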

    I would like to see this feature of the phone given a significant overhaul. Instead of just displaying the dial pad, I'd like to have the choice of programming in certain numbers which could be offered for dialing in place of the dial pad being shown for the Emergency call feature. Perhaps up to 10 numbers could be programmed in, so you could add the emergency numbers for your area and any other numbers you think would be useful. Of course, this should be optional so that the user has the choice of only allowing calls to the pre-registered numbers, the display of the numpad or both.
    That way, everyone would be happy, no?

  • Ongoing fatal crash and security bug related to connecting external display

    The infrastructures in OS X to resume from sleep, to authenticate, and to change displays is fundamentally not working.
    The security bug I have encountered has to do with connecting a cinema display exclusively to a MacBook Pro. This is a specific situation, but please note that I have experienced the same problem on no fewer than three independent laptops. Plus, the Genius in the Apple Retail Store was convinced of the general instability of this infrastructure. The security problem is that hot corners no longer function if I transition between two states in the same reboot. The first state is where I have the laptop powered on and using its own internal display exclusively (when I'm on the road). The second state is when I have the laptop displaying its output exclusively on an external display (when I'm at home). What happens is that an attempt to use hot corners fails. There is no response. I even added configuration on all four corners (whereas I originally had settings only for the rightmost corners), and even then, the hot corner action (of sleeping the display or entering locked screen saver mode) does not commence. This prevents the user from being able to secure the display on demand using standard methods that are supposed to work.
    The instability level related to connecting the external display exclusively is high. Again, I've experienced this on no fewer than three independent laptops, and the Apple Genius at the Retail Store confirmed that this aspect of OS X did not work consistently. When I want to connect the cinema display to the laptop in such a way that the laptop's own display is not part of the active screen, the process I use succeeds about half the time. Supposing I have been on the road, where I am using the laptop display exclusively. I then put the laptop to sleep. When I return home with the lid open, I connect first the USB (power) from the cinema display to the laptop, and then I connect the Mini DisplayPort. When that step works, what happens is that the login screen shows on the cinema display despite the fact that my laptop lid is closed. This is good, and is what I want. At that point, I open the laptop lid and quickly log in.
    With Apple being a mobile device company, I rely on the laptop for tasks that one traditionally may use a desktop for. This simply points to the versatility of the laptop. But I'd like the bugs resolved, so that I do not have to hesitate to make use of the inherent flexibility possible with the MacBook Pro.
    Here's what happens when the process (of connecting the external display in a way that establishes itself as the only screen in use by OS X) fails. Firstly, when I connect the external display via Mini DisplayPort, the laptop doesn't even respond. Instead, it remains asleep. So to work around it I have to repeatedly disconnect and reconnect the Mini DisplayPort so that the asleep MacBook Pro will see that there is a display connected to it. Also, sometimes that isn't even enough and I have to open the laptop lid, and put it to sleep again so as to trigger whatever actions are necessary to recognise the external display (presumably by having the laptop recently awake). Around half the time, I have to play this game of disconnecting and reconnecting until it actually works. This high level of reproducibility (confirmed by the Apple Genius representative's confidence that this part of the system doesn't actually work) should make it easy for an engineer to look into the problem.
    Fatally, and recently, OS X has completely crashed when I have attempted to connect the external display. The external display has gone completely blue, and after a half a minute, it blanked out and my entire laptop became unresponsive. I called Apple Support and was given a case number. I also took the laptop into the retail store to see if I could recover my current session without rebooting. There was no process suggested to make that happen and I was told to reboot the machine. I've had this happen before on other laptops, and it is frustrating that the kernel reaches such a state that it cannot be used. As I see it, this problem is not too unrelated to the way that I need to play a game in order to get the external display connected exclusively. Here are some workarounds that could be added:
    Firstly, whenever I connect an external display, I'd like the laptop to see that this has happened, and to take action accordingly (such as resuming from sleep). Secondly, If I connect an external keyboard, and press a key on it, I'd like this to wake the laptop too (in the event that the first method fails for some unforeseen reason). I'd also like the connection of the cinema display's USB power not to cause the laptop to enter into a confused state between asleep and awake. Sometimes I need to disconnect and reconnect USB power in order to trigger the laptop into waking, but that's only because it's not doing it on its own properly. On the other hand, I also ensure that the laptop doesn't have the Mini DisplayPort connected without also having the cinema display USB power connected, because that also is an unsupported configuration.
    I've also gotten the laptop to become confused about whether it is asleep or awake. When I open the lid, it seems to enter into sleep mode, but closing it seems to bring it into an active state.
    Also, I've successfully logged on and authenticated with the screen showing exclusively on the external display. But just ten seconds after I start using the system, the laptop falls asleep--with the lid open! Whatever triggers that action doesn't seem to be on track. The laptop is open, there are incoming events such as mouse movements and key presses, and the external display is on and is in use. And then the laptop falls asleep! This has happened numerous times. Not only should this not happen; the instances where it does happen can cause further instability and put my system at risk of fatally crashing.
    Also, the authentication system itself is highly buggy--far more than it should be. At times I have opened the laptop lid and caught a glimpse of a window before I have begun the login process. Also, an external authentication application that asks for Kerberos/AFS login credentials has been able to overlay itself on top of the primary authentication (whereas I should only see a single login dialog when I need to authenticate to the system). Also, I've had several of these authentication screens overlay on top of one another, although it's been months since I've experienced that one (so it may have been fixed). Also, around a third of the time, the window that authenticates me (on the black background) somehow transfers itself into the background (even though there's only one window!). What that means is that I begin to type my password, and now the laptop starts beeping at me and I need to manually click on the password field and begin entering my password again. This really shouldn't happen, and indicates too much complexity in this authentication process (such as, more OS X code is involved than is strictly necessary, which is likely to make the authentication system more difficult to test). Also, at times, I have been using too much CPU, such that the authentication screen takes too long to emerge. That also means that I'm not able to log on until I uncleanly shut down the laptop. If the laptop has been asleep, and is revived in preparation for login, then that login screen should be given highest priority, even if there are other heavy CPU or I/O intensive tasks running in the background. And maybe the login dialog shouldn't disappear when the user is legitimately attempting to log in. So even if there is a possibility that the system is under heavy resource use (or there is a stall or minor deadlock), it shouldn't prevent the user from logging in altogether.
    At the moment, the very fact that the system shut down uncleanly means that the full disk encryption suite that I used has entered into an undetermined state, suggesting I may lose access to all my data. It's my hope that I can rely on Apple's products to interoperate in a way that won't cause me to be fearful and restrictive in my use, so that I can freely connect an external display at times, and at other times carry the laptop on the road.

    I've got the same problem with a Samsung UE225010 monitor too. It's full HD but it looks terrible. Could it be a DisplayPort adapter issue? Because a couple of months ago I tried with some IPS display, and it looked just as bad.

  • How to use security roles in Weblogic server?

    Hello Gurus,
    I am new to Weblogic server and I am trying to investigate how to make
    use of security roles in weblogic server (5.1.0). Can anyone point me
    to some documentation. Specifically, I am looking for instance level,
    and method level security and how to use it.
    Thanks for taking your time to read this e-mail.
    Thank You all in advance,
    Hari.

    You should read the security information in the Servlet 2.2 specification that WL 5.1 implements:
    http://java.sun.com/products/servlet/download.html
    Chapter 11 deals with declarative and programmatic security, and includes a section on roles:
    11.4 Roles
    A role is an abstract logical grouping of users that is defined by the Application Developer or Assembler. When the application is deployed, these roles are mapped by a Deployer to security identities, such as principals or groups, in the runtime environment.
    A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of that calling principal. For example,
    1. When a deployer has mapped a security role to a user group in the operational environment. The user group to which the calling principal belongs is retrieved from its security attributes. If the principal's user group matches the user group in the operational environment that the security role has been mapped to, the principal is in the security role.
    2. When a deployer has mapped a security role to a principal name in a security policy domain, the principal name of the calling principal is retrieved from its security attributes. If the principal is the same as the principal to which the security role was mapped, the calling principal is in the security role.
    Cameron Purdy
    http://www.tangosol.com
    "Hari" <[email protected]> wrote in message
    news:[email protected]..
    Hello Gurus,
    I am new to Weblogic server and I am trying to investigate how to make
    use of security roles in weblogic server (5.1.0). Can anyone point me
    to some documentation. Specifically, I am looking for instance level,
    and method level security and how to use it.
    Thanks for taking your time to read this e-mail.
    Thank You all in advance,
    Hari.
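The declarative and programmatic role checks described in the reply above, as an added example that is not part of the original thread: a Servlet 2.2 web.xml in which the servlet, class, URL pattern, realm and role names are all hypothetical. How the "manager" role is mapped to groups or principal names is container-specific and is not shown.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<!-- Constructed example: all names below are hypothetical. -->
<web-app>
  <servlet>
    <servlet-name>PayrollServlet</servlet-name>
    <servlet-class>example.PayrollServlet</servlet-class>
    <!-- Programmatic security: the servlet code calls
         request.isUserInRole("mgr"); role-link ties the name used
         in code to a security-role declared further down. -->
    <security-role-ref>
      <role-name>mgr</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>PayrollServlet</servlet-name>
    <url-pattern>/payroll/*</url-pattern>
  </servlet-mapping>

  <!-- Declarative security: the container refuses requests under
       /payroll/ unless the calling principal is in "manager".
       No http-method elements are listed, so the constraint applies
       to every HTTP method; listing only some methods would leave
       the others unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Payroll pages</web-resource-name>
      <url-pattern>/payroll/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example realm</realm-name>
  </login-config>

  <!-- The abstract role defined by the Application Developer or
       Assembler. The Deployer maps it to groups or principal names
       in the container's own configuration, outside this file. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```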

  • Is this a security bug in Windows 8.1?

    I think I have discovered a serious security bug in Windows 8.1.
    Today I was using my (non-Admin) user account and with Internet Explorer I saved a file in the default Downloads folder (under This PC). The file was saved, but when I went to that folder, the file was not there! Now, I was about to download it again, using IE, same as before, when I noticed in the Save dialog box that the file had indeed been downloaded, and that it was there, in the Downloads folder under This PC. Frustrated, I went to that very folder, but the file was nowhere to be found. I was really puzzled.
    Then, by chance, while logged in another account (namely the Admin account), I happened to go to the Downloads folder, and there was the file that I had downloaded using the other account.
    Obviously, what I described above represents a security problem: firstly because my private files may get saved by mistake into another person's account without me even realizing it, and secondly because I was able to access another person's account (i.e. the Admin account) via IE's Save dialog box, seeing the list of the files there, and possibly even accessing them (I have not tried the latter, though).
    Has anyone experienced anything like the situation I described?
    I must also say that I later tried to replicate this abnormal behavior, but for some unknown reason I couldn't. Anyway, I am sure that what I described above is an accurate account of how things went.

    Hi,
    Since I cannot repro your issue on my own computer, it cannot be a bug.
    I suggest we try to use another user account to see if the same issue happens.
    Please make sure your location of download folder is right:
    Right click Downloads folder, and choose Properties.
    Make sure the location is right under your user profile.
    If not, please click Location and click Restore default.
    If we still fail to solve your issue, please run Process Monitor at the end of the downloading process to capture the actions, and upload the saved log here for further research.
    You can also check if there are any weird actions at the end of the downloading process.
    Process Monitor v3.05
    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
    How to use, please refer to this article:
    Using Process Monitor to capture system events
    http://www.sophos.com/en-us/support/knowledgebase/119038.aspx
    Keep post.
    Kate Li
    TechNet Community Support

  • How to get the weblogic.httpd.session.timeoutSecs value in a JSP file

    Hi,
    We are using Weblogic 5.1 SP8. We set weblogic.httpd.session.timeoutSecs=900 in the weblogic.properties file. How can I get this value in a JSP file if I don't use java.util.Properties to parse the properties file?
    Can I use session.getValue(sessionName) to get it? If so, what is the session name for this property?
    Thanks.
    Frank

    I think something like this should work:
        T3ServicesDef services = T3Services.getT3Services();
        services.config().getProperty("weblogic.httpd.session.timeoutSecs");
    Frank Yu <[email protected]> wrote:
    > Hi,
    > We are using Weblogic 5.1 SP8. We set weblogic.httpd.session.timeoutSecs=900 in the weblogic.properties file. How can I get this value in a JSP file if I don't use java.util.Properties to parse the properties file?
    > Can I use session.getValue(sessionName) to get it? If so, what is the session name for this property?
    > Thanks.
    > Frank
    Dimitri

  • Create , delete "security roles" in weblogic console - sample Security providers

    Hi Everyone:
    Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
    those sample Security Providers, the author of the code used property files as
    the Security Providers database; however, he/she didn't show how to create a
    Manageable Sample Role Mapping Provider or Manageable Sample Authentication
    Provider, so that the administrator of the weblogic console can create and delete
    "security roles" in the weblogic console.
    Does anyone know how to do that?
    Ming Qin

    "ming qin" <[email protected]> wrote in message news:[email protected]..
    Hi Everyone:
    Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
    those sample Security Providers, the author of the code used property files as
    the Security Providers database; however, he/she didn't show how to create a
    Manageable Sample Role Mapping Provider or Manageable Sample Authentication
    Provider, so that the administrator of the weblogic console can create and delete
    "security roles" in the weblogic console.
    Does anyone know how to do that?
    I would ask in the weblogic.developer.interest.management.console newsgroup.
    Ming Qin

  • Setting secure flag on weblogic (5.1) session cookie.

    Hello All,
    I need to set the secure flag on the weblogic session cookie. I am not able to
    find any property in the weblogic.properties file to set the secure flag for the
    session cookie.
    Does anybody have any idea how to achieve this?
    Thanks
    Nitin

    The best way to reduce GC is to change your application to use less memory. Serious.
    There are a number of JVM options for GC. I can't tell you what will work best
    for your application.
    25 seconds is way too long for a GC. Is the OS paging? You may wish to invest
    in additional memory.
    Mike Reiche
    vijendran <[email protected]> wrote:
    Hi,
    I am running a load test which will simulate 100 users. When I tried
    to simulate, I found that GC is happening often even though I set the
    heap to 512 MB, and sometimes it takes up to 25 secs for a
    GC to complete. Please advise on how to increase the performance for
    a larger number of users (without clustering weblogic) and to avoid GC happening
    often.
    Regards
    Vijendran

  • Optimistic Locking - Possible bug with Weblogic

    After extensive testing of a J2EE application I'm involved with, it would appear there exists a problem with using Weblogic's Optimistic Concurrency (OL) mechanism.
    The exact problem is as follows:
    The ejbCreate and ejbRemove methods of a particular entity bean are as follows:
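    // Method signatures are abbreviated, as in the original post.
    public abstract class ProductBean implements javax.ejb.EntityBean {
        ejbCreate() {
            FolderEntityHome folderEH = FolderComponent.getFolderEntityHome();
            folderEH.create(getId());
        }

        ejbRemove() {
            FolderEntityHome folderEH = FolderComponent.getFolderEntityHome();
            try {
                // Look up the folder that belongs to this product.
                FolderBean folder = folderEH.findByProductId(getId());
            } catch (InvalidAccessRightsException iare) {
                // Intended to abort the removal of the product as well.
                throw new RemoveException();
            }
        }
    }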
    Previously before OL was added when a RemoveException was thrown, this would cause the ejbRemove exception to fail, thus both the product and folder would still exist.
    After adding OL, when an InvalidAccessRightsException occurs giving rise to a RemoveException being thrown, weblogic simply ignores the RemoveException and deletes the Product even though the Folder could not be deleted. This causes system errors when users try to access the folder which contains a link to a product which no longer exists!
    Is anyone aware of this particular problem? Is it indeed a bug with Weblogic? For clarity, I believe I am using version 8.1 and the way in which I have implemented OL is to use an additional version column in the underlying tables for all entity beans.

    In case anyone's interested, it appears from further testing that the problem I've been having in the way the RemoveException behaves is down to the difference in which version 6.0 treats this exception compared to version 8.1!
    In version 6.0, if you threw a RemoteException at any point in the ejbRemove(), the entity would not be removed!
    In version 8.1, something weird happens. If a RemoteException() is thrown in the ejbRemove() and sometime during the same transaction at the point of commit, the entity on which the exception is thrown is attempted to be accessed (through a finder), then the entity continues to be deleted! If on the other hand, a RemoveException is thrown and no access/modification is attempted on that entity within the same transaction, then at the point of commit, the entity is not removed!
    Seems this is indeed a problem which needs to be addressed in future releases.
    Message was edited by:
    rotan_imretxe

  • HT1414 I am on holiday and started an iOS upgrade to my iPAD 2, yesterday. The security lock has never been enabled. After the upgrade via WiFi in the hotel, the iPAD asks for a 4 digit code to access my iPAD! ?????? APPLE, what programming subrouti

    I am on holiday and started an iOS upgrade to my iPAD 2, yesterday. The security lock has never been enabled. After the upgrade via WiFi in the hotel, the iPAD asks for a 4 digit code to access my iPAD! ?????? APPLE, what programming subroutine is forgotten during functional testing prior to release of the latest iOS upgrade???? - Now from a borrowed hotel guest computer I post my "HELP NEEDED". Please advise if there is a way to skip a security code I never enabled (nor even tried out and disabled) - WITHOUT spending time to find an Apple store helpdesk that restores via iTunes, and deletes all my local data.
    Reg
    SpannishFLY

    During the setup of iOS 7 which you went through after installation it asked if you wished to create a passcode. It is possible to skip setting up a passcode at this step but you must have created one.
    If you can't remember the passcode and you have enabled "find my iPad" you can use http://www.icloud.com/ to remote erase your iPad, then you can set it up again, and restore it from an iCloud backup.
