Security constraint

If you specify "/servlet/*" for the url-pattern in the security-constraint of web-resource-collection
element (in the deployment descriptor) - the url-pattern: /servlet/* protects all the servlets
within the web application. What or how do I specify so that only one servlet named
MyServlet is the only one to get the security constraint put on it and not all the rest of the
servlets within the web app. - Thanks
Example:
<security-constraint>
  <web-resource-collection>
    <url-pattern>/servlet/*</url-pattern>
  </web-resource-collection>
...the above protects all servlets within the web application.
How do I change the url-pattern to only protect one servlet.
The following doesn't seem to work:
<security-constraint>
  <web-resource-collection>
    <url-pattern>/servlet/ServletNameToProtect</url-pattern>
  </web-resource-collection>

Sorry about that - it seems to be a bug in tomcat 5.0.27 because
the security-constraints work correctly if you access the servlet
using a context relative address but doesn't work correctly if you
include the protocol, host and port. It took me most of the day
to figure this out because I thought I was doing something wrong
(still in the learning stage).

Similar Messages

  • Jsf servlet override security contraints

    I've a JSF application with an administration area that can be accessed only by the role admin; this is a part of the web.xml:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Labometer</web-resource-name>
    <url-pattern>/faces/labotat/*</url-pattern>
    <url-pattern>/faces/labotat/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>admin</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Labometer</web-resource-name>
    <url-pattern>/faces/labometer/*</url-pattern>
    <url-pattern>/faces/labotat/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>role1</role-name>
    </auth-constraint>
    </security-constraint>
    And this is a part of the faces-config.xml:
    <navigation-rule>
    <from-view-id>/labotat/*</from-view-id>
    <navigation-case>
    <from-outcome>config</from-outcome>
    <to-view-id>/labotat/admin/config.jsp</to-view-id>
    </navigation-case>
    </navigation-rule>
    The security constraints work if I write the URL of the admin pages directly in the browser, but not if I click a commandbutton that sends me to an administrative page.
    Any suggestions?

    Security constraints work from browser to server
    requests. In your case, you are posting to first
    page which forwards on server to second page.

    exactly, is the faces servlet that forward to the second page.

    Since the forward is happening on server, security
    constraints do not apply. Use <redirect/> in your
    faces-config.xml for navigation case and it should
    work

    ok it works, i didn't know the tag <redirect>.
    Thank you very much!

  • Network Security Requirement : Confidential - Not Enforced

    I am having a perplexing problem with the network security requirement feature in SJSAS 8 Update 1.
    In deploytool, under my WAR, in the security tab, for my only SecurityConstraint, I set the Network Security Requirement to CONFIDENTIAL. This should cause any access to these objects over port 80 to be redirected to https via port 443.
    The failure is that it does not redirect clients accessing over port 80 to a secure connection. The tricky part is that it fails in a completely random way. Sometimes for some WARs it will work as expected, then after X number of server restarts / redeployments, some of the same WARs will not do the redirect as expected. Through continuous redeploys and restarts during development, all WARs will or will not do the redirect in any given situation.
    Has anyone else experienced this problem and worked around it? Any help is greatly appreciated! Thanks in advance!
    mod_critical

    The following is the deployment descriptor for one of the WARs (this problem affects them all, on multiple different machines with different setups).
    The following is from the Security Constraint:
    <security-constraint>
      <display-name>SecurityConstraint</display-name>
      <web-resource-collection>
        <web-resource-name>WRCollection</web-resource-name>
        <url-pattern>/participant/*</url-pattern>
        <url-pattern>/assetmodel/*</url-pattern>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>asadmin</role-name>
        <role-name>cvbdataentry</role-name>
        <role-name>cvbadmin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    The rest is as follows:
    <?xml version='1.0' encoding='UTF-8'?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" > <display-name>CVBadmin</display-name> <servlet> <display-name>assetmodel/OpenRecord</display-name> <servlet-name>assetmodel/OpenRecord</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.OpenRecord</servlet-class> </servlet> <servlet> <display-name>participant/personell/account/Lookup</display-name> <servlet-name>participant/personell/account/Lookup</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.account.Lookup</servlet-class> </servlet> <servlet> <display-name>participant/personell/account/record</display-name> <servlet-name>participant/personell/account/record</servlet-name> <jsp-file>/participant/personell/account/record.jsp</jsp-file> </servlet> <servlet> <display-name>assetmodel/line/Remove</display-name> <servlet-name>assetmodel/line/Remove</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.Remove</servlet-class> </servlet> <servlet> <display-name>participant/location/record</display-name> <servlet-name>participant/location/record</servlet-name> <jsp-file>/participant/location/record.jsp</jsp-file> </servlet> <servlet> <display-name>assetmodel/Save</display-name> <servlet-name>assetmodel/Save</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.Save</servlet-class> </servlet> <servlet> <display-name>syncError</display-name> <servlet-name>syncError</servlet-name> <jsp-file>/syncError.jsp</jsp-file> </servlet> <servlet> <display-name>participant/Search</display-name> <servlet-name>participant/Search</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.Search</servlet-class> </servlet> <servlet> <display-name>participant/location/List</display-name> 
<servlet-name>participant/location/List</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.List</servlet-class> </servlet> <servlet> <display-name>participant/personell/account/Create</display-name> <servlet-name>participant/personell/account/Create</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.account.Create</servlet-class> </servlet> <servlet> <display-name>participant/personell/listresults</display-name> <servlet-name>participant/personell/listresults</servlet-name> <jsp-file>/participant/personell/listresults.jsp</jsp-file> </servlet> <servlet> <display-name>participant/record</display-name> <servlet-name>participant/record</servlet-name> <jsp-file>/participant/record.jsp</jsp-file> </servlet> <servlet> <display-name>participant/personell/account/Passwd</display-name> <servlet-name>participant/personell/account/Passwd</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.account.Passwd</servlet-class> </servlet> <servlet> <display-name>participant/location/Create</display-name> <servlet-name>participant/location/Create</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.Create</servlet-class> </servlet> <servlet> <display-name>Logout</display-name> <servlet-name>Logout</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.Logout</servlet-class> </servlet> <servlet> <display-name>participant/location/Remove</display-name> <servlet-name>participant/location/Remove</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.Remove</servlet-class> </servlet> <servlet> <display-name>participant/Save</display-name> <servlet-name>participant/Save</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.Save</servlet-class> </servlet> <servlet> <display-name>assetmodel/listresults</display-name> <servlet-name>assetmodel/listresults</servlet-name> 
<jsp-file>/assetmodel/listresults.jsp</jsp-file> </servlet> <servlet> <display-name>assetmodel/line/record</display-name> <servlet-name>assetmodel/line/record</servlet-name> <jsp-file>/assetmodel/line/record.jsp</jsp-file> </servlet> <servlet> <display-name>assetmodel/line/List</display-name> <servlet-name>assetmodel/line/List</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.List</servlet-class> </servlet> <servlet> <display-name>participant/personell/Save</display-name> <servlet-name>participant/personell/Save</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.Save</servlet-class> </servlet> <servlet> <display-name>assetmodel/line/Create</display-name> <servlet-name>assetmodel/line/Create</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.Create</servlet-class> </servlet> <servlet> <display-name>participant/personell/List</display-name> <servlet-name>participant/personell/List</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.List</servlet-class> </servlet> <servlet> <display-name>assetmodel/Create</display-name> <servlet-name>assetmodel/Create</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.Create</servlet-class> </servlet> <servlet> <display-name>participant/Remove</display-name> <servlet-name>participant/Remove</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.Remove</servlet-class> </servlet> <servlet> <display-name>participant/Create</display-name> <servlet-name>participant/Create</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.Create</servlet-class> </servlet> <servlet> <display-name>assetmodel/line/listresults</display-name> <servlet-name>assetmodel/line/listresults</servlet-name> <jsp-file>/assetmodel/line/listresults.jsp</jsp-file> </servlet> <servlet> <display-name>participant/personell/Remove</display-name> 
<servlet-name>participant/personell/Remove</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.Remove</servlet-class> </servlet> <servlet> <display-name>assetmodel/List</display-name> <servlet-name>assetmodel/List</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.List</servlet-class> </servlet> <servlet> <display-name>assetmodel/record</display-name> <servlet-name>assetmodel/record</servlet-name> <jsp-file>/assetmodel/record.jsp</jsp-file> </servlet> <servlet> <display-name>participant/searchresults</display-name> <servlet-name>participant/searchresults</servlet-name> <jsp-file>/participant/searchresults.jsp</jsp-file> </servlet> <servlet> <display-name>menu</display-name> <servlet-name>menu</servlet-name> <jsp-file>/menu.jsp</jsp-file> </servlet> <servlet> <display-name>assetmodel/line/OpenRecord</display-name> <servlet-name>assetmodel/line/OpenRecord</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.OpenRecord</servlet-class> </servlet> <servlet> <display-name>participant/location/listresults</display-name> <servlet-name>participant/location/listresults</servlet-name> <jsp-file>/participant/location/listresults.jsp</jsp-file> </servlet> <servlet> <display-name>exception</display-name> <servlet-name>exception</servlet-name> <jsp-file>/exception.jsp</jsp-file> </servlet> <servlet> <display-name>participant/OpenRecord</display-name> <servlet-name>participant/OpenRecord</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.OpenRecord</servlet-class> </servlet> <servlet> <display-name>participant/location/Save</display-name> <servlet-name>participant/location/Save</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.Save</servlet-class> </servlet> <servlet> <display-name>participant/personell/OpenRecord</display-name> <servlet-name>participant/personell/OpenRecord</servlet-name> 
<servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.OpenRecord</servlet-class> </servlet> <servlet> <display-name>participant/personell/Create</display-name> <servlet-name>participant/personell/Create</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.Create</servlet-class> </servlet> <servlet> <display-name>participant/personell/account/Remove</display-name> <servlet-name>participant/personell/account/Remove</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.personell.account.Remove</servlet-class> </servlet> <servlet> <display-name>participant/personell/record</display-name> <servlet-name>participant/personell/record</servlet-name> <jsp-file>/participant/personell/record.jsp</jsp-file> </servlet> <servlet> <display-name>assetmodel/Remove</display-name> <servlet-name>assetmodel/Remove</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.Remove</servlet-class> </servlet> <servlet> <display-name>assetmodel/PreRecord</display-name> <servlet-name>assetmodel/PreRecord</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.PreRecord</servlet-class> </servlet> <servlet> <display-name>assetmodel/line/Save</display-name> <servlet-name>assetmodel/line/Save</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.assetmodel.line.Save</servlet-class> </servlet> <servlet> <display-name>participant/location/OpenRecord</display-name> <servlet-name>participant/location/OpenRecord</servlet-name> <servlet-class>com.deerteck.cvb.servlet.CVBadmin.participant.location.OpenRecord</servlet-class> </servlet> <servlet-mapping> <servlet-name>assetmodel/OpenRecord</servlet-name> <url-pattern>/assetmodel/openrecord</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/account/Lookup</servlet-name> <url-pattern>/participant/personell/account/lookup</url-pattern> </servlet-mapping> <servlet-mapping> 
<servlet-name>participant/personell/account/record</servlet-name> <url-pattern>/participant/personell/account/record</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/line/Remove</servlet-name> <url-pattern>/assetmodel/line/remove</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/location/record</servlet-name> <url-pattern>/participant/location/record</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/Save</servlet-name> <url-pattern>/assetmodel/save</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>syncError</servlet-name> <url-pattern>/syncError</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/Search</servlet-name> <url-pattern>/participant/search</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/location/List</servlet-name> <url-pattern>/participant/location/list</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/account/Create</servlet-name> <url-pattern>/participant/personell/account/create</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/listresults</servlet-name> <url-pattern>/participant/personell/listresults</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/record</servlet-name> <url-pattern>/participant/record</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/account/Passwd</servlet-name> <url-pattern>/participant/personell/account/passwd</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/location/Create</servlet-name> <url-pattern>/participant/location/create</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Logout</servlet-name> <url-pattern>/logout</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/location/Remove</servlet-name> <url-pattern>/participant/location/remove</url-pattern> </servlet-mapping> 
<servlet-mapping> <servlet-name>participant/Save</servlet-name> <url-pattern>/participant/save</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/listresults</servlet-name> <url-pattern>/assetmodel/listresults</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/line/record</servlet-name> <url-pattern>/assetmodel/line/record</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/line/List</servlet-name> <url-pattern>/assetmodel/line/list</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/Save</servlet-name> <url-pattern>/participant/personell/save</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/line/Create</servlet-name> <url-pattern>/assetmodel/line/create</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/List</servlet-name> <url-pattern>/participant/personell/list</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/Create</servlet-name> <url-pattern>/assetmodel/create</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/Remove</servlet-name> <url-pattern>/participant/remove</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/Create</servlet-name> <url-pattern>/participant/create</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/line/listresults</servlet-name> <url-pattern>/assetmodel/line/listresults</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/Remove</servlet-name> <url-pattern>/participant/personell/remove</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/List</servlet-name> <url-pattern>/assetmodel/list</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/record</servlet-name> <url-pattern>/assetmodel/record</url-pattern> </servlet-mapping> <servlet-mapping> 
<servlet-name>participant/searchresults</servlet-name> <url-pattern>/participant/searchresults</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>menu</servlet-name> <url-pattern>/menu</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/line/OpenRecord</servlet-name> <url-pattern>/assetmodel/line/openrecord</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/location/listresults</servlet-name> <url-pattern>/participant/location/listresults</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>exception</servlet-name> <url-pattern>/exception</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/OpenRecord</servlet-name> <url-pattern>/participant/openrecord</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/location/Save</servlet-name> <url-pattern>/participant/location/save</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/OpenRecord</servlet-name> <url-pattern>/participant/personell/openrecord</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/Create</servlet-name> <url-pattern>/participant/personell/create</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/account/Remove</servlet-name> <url-pattern>/participant/personell/account/remove</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>participant/personell/record</servlet-name> <url-pattern>/participant/personell/record</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/Remove</servlet-name> <url-pattern>/assetmodel/remove</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/PreRecord</servlet-name> <url-pattern>/assetmodel/prerecord</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>assetmodel/line/Save</servlet-name> <url-pattern>/assetmodel/line/save</url-pattern> </servlet-mapping> <servlet-mapping> 
<servlet-name>participant/location/OpenRecord</servlet-name> <url-pattern>/participant/location/openrecord</url-pattern> </servlet-mapping> <session-config> <session-timeout>60</session-timeout> </session-config> <error-page> <error-code>500</error-code> <location>/exception.jsp</location> </error-page> <security-constraint> <display-name>SecurityConstraint</display-name> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/participant/*</url-pattern> <url-pattern>/assetmodel/*</url-pattern> <url-pattern>/*</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>asadmin</role-name> <role-name>cvbdataentry</role-name> <role-name>cvbadmin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>ldap</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/loginFail.jsp</form-error-page> </form-login-config> </login-config> <security-role> <role-name>asadmin</role-name> </security-role> <security-role> <role-name>cvbdataentry</role-name> </security-role> <security-role> <role-name>cvbadmin</role-name> </security-role> <security-role> <role-name>customer</role-name> </security-role> <security-role> <role-name>accountant</role-name> </security-role> <security-role> <role-name>participant</role-name> </security-role> <ejb-local-ref> <ejb-ref-name>ejb/DataAccessBean</ejb-ref-name> <ejb-ref-type>Session</ejb-ref-type> <local-home>com.deerteck.cvb.ejb.session.DataAccessLocalHome</local-home> <local>com.deerteck.cvb.ejb.session.DataAccessLocalObject</local> <ejb-link>ejb-jar-ic1.jar#DataAccessBean</ejb-link> </ejb-local-ref> <ejb-local-ref> <ejb-ref-name>ejb/LDAPBean</ejb-ref-name> <ejb-ref-type>Session</ejb-ref-type> 
<local-home>com.deerteck.cvb.ejb.session.LDAPLocalHome</local-home> <local>com.deerteck.cvb.ejb.session.LDAPLocalObject</local> <ejb-link>ejb-jar-ic1.jar#LDAPBean</ejb-link> </ejb-local-ref> </web-app>
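
How a container picks the constraint for a request, as an added example (not code from any poster, Tomcat or SJSAS): a small model of the Servlet specification's best-match and constraint-combining rules, run on constructed descriptors that reuse the url-patterns quoted in the three threads above. The role name in the single-servlet fragment and the request paths are assumptions; the check is made on the URI the client sent, which is why a server-side forward is not re-checked.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors reusing the url-patterns quoted in the threads above.
# Assumptions: no XML namespace, and the role "admin" in SINGLE (the thread elides it).
SINGLE = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/servlet/ServletNameToProtect</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint></web-app>"""

JSF = """<web-app>
<security-constraint>
  <web-resource-collection>
    <url-pattern>/faces/labotat/*</url-pattern>
    <url-pattern>/faces/labotat/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <url-pattern>/faces/labometer/*</url-pattern>
    <url-pattern>/faces/labotat/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>role1</role-name></auth-constraint>
</security-constraint></web-app>"""

CVB = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/participant/*</url-pattern>
    <url-pattern>/assetmodel/*</url-pattern>
    <url-pattern>/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>asadmin</role-name>
    <role-name>cvbdataentry</role-name>
    <role-name>cvbadmin</role-name>
  </auth-constraint>
</security-constraint></web-app>"""


def load_constraints(web_xml):
    """Map each url-pattern to the (methods, roles) pairs declared on it.
    methods is None when no <http-method> is listed (all methods covered);
    roles is None when the constraint has no <auth-constraint>."""
    table = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else frozenset(
            r.text.strip() for r in auth.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            methods = frozenset(
                m.text.strip().upper() for m in wrc.findall("http-method")) or None
            for pattern in wrc.findall("url-pattern"):
                table.setdefault(pattern.text.strip(), []).append((methods, roles))
    return table


def best_match(patterns, path):
    """Servlet mapping order: exact, longest path prefix, extension, default."""
    if path in patterns:
        return path
    prefixes = [p for p in patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    last = path.rsplit("/", 1)[-1]
    if "." in last and "*." + last.rsplit(".", 1)[1] in patterns:
        return "*." + last.rsplit(".", 1)[1]
    return "/" if "/" in patterns else None


def allowed_roles(table, path, method):
    """None: request accepted without authentication; empty set: access
    precluded; otherwise the union of roles permitted for this request."""
    pattern = best_match(table, path)
    if pattern is None:
        return None
    applicable = [roles for methods, roles in table[pattern]
                  if methods is None or method.upper() in methods]
    if not applicable:
        return None                      # method not constrained at this pattern
    if any(r is not None and not r for r in applicable):
        return frozenset()               # auth-constraint naming no roles wins
    if any(r is None for r in applicable):
        return None                      # a constraint without auth-constraint
    return frozenset().union(*applicable)


if __name__ == "__main__":
    jsf, cvb = load_constraints(JSF), load_constraints(CVB)
    for path in ("/faces/labotat/admin/config.jsp", "/faces/labotat/list.jsp"):
        print(path, sorted(allowed_roles(jsf, path, "GET")))
    for method in ("GET", "HEAD"):
        print(method, "/participant/search", allowed_roles(cvb, "/participant/search", method))
```

When a constraint is meant to cover every HTTP method, the `<http-method>` elements are left out of the collection; the `HEAD` result above shows what listing only `POST` and `GET` leaves unconstrained.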

  • IP based security with JSP?

    Hi,
    How easy/hard would it be to implement IP based security in a JSP application? I.e. We want to restrict the IP addresses that can access our application.
    Is this something that can be done in the web.xml using the security constraints??
    Or is it much more complex than this?
    (We want to prevent our customer from sharing the application with third-parties, so we can not rely on a firewall based approach)
    Thanks

    Well, for Apache, it's easier. I think for Location to work, you need virtual directories set up. I could be wrong... Or try using Directory instead of Location. I recall Location was for something special... but I forget the details. For Apache/Tomcat, I've usually used aliases to handle directories...
    Alias /ITMS "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS"
    <Directory "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS">
    AllowOverride None
    Options Indexes
    Order allow,deny
    Allow from all
    ExpiresActive On
    ExpiresByType application/octet-stream "access plus 7 days"
    ExpiresByType image/gif "access plus 7 days"
    ExpiresByType image/jpeg "access plus 7 days"
    ExpiresByType text/x-javascript "access plus 0 seconds"
    ExpiresByType text/css "modification plus 7 days"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType text/vnd.wap.wml "access plus 0 seconds"
    ExpiresDefault "now plus 1 month"
    </Directory>
    You can set up deny's from IP or IP range or domain.
    Deny from .domain.com
    Deny from 123.232.123.33
    Deny from 123.232.124.

  • "error obtaining the list of methods" from Sun deploytool, "security" pane

    I'm trying to apply security features to a web application in a .ear file. Following the J2EE tutorial I try to play with the Security tabbed pane in deploytool. Well, all the time I do get
    Error obtaining the list of methods on MyService
    java.lang.RuntimeException: my.package.MyService
    The thing is, I could successfully deploy and use my web service ...
    Maybe someone @sun.com could have a look at this stacktrace I got from deploytool (-verbose switch)
    Jan 27, 2005 1:36:27 PM com.sun.enterprise.deployment.EjbDescriptor getMethodDescriptors
    SEVERE: "DPL8008: method/class loading failure : method/class name - (EjbDescriptor.getMethods())"
    ---------------- Exception -----------------------------------------------------
    [EjbComponentSecurityInspector.refresh:595]
    Getting method descriptors
    java.lang.RuntimeException: de.rochade.srap.ws.RoSrapScriptExecService
    java.lang.RuntimeException: de.rochade.srap.ws.RoSrapScriptExecService
    at com.sun.enterprise.deployment.EjbDescriptor.getMethodDescriptors(EjbDescriptor.java:1318)
    at com.sun.enterprise.tools.deployment.ui.ejb.EjbComponentSecurityInspector.refresh(EjbComponentSecurityInspector.java:593)
    at com.sun.enterprise.tools.deployment.ui.utils.InspectorPane.privateRefresh(InspectorPane.java:880)
    at com.sun.enterprise.tools.deployment.ui.utils.InspectorPane._refresh(InspectorPane.java:1012)
    at com.sun.enterprise.tools.deployment.ui.utils.InspectorPane.access$100(InspectorPane.java:38)
    at com.sun.enterprise.tools.deployment.ui.utils.InspectorPane$DeferredRefresh.run(InspectorPane.java:864)
    at com.sun.enterprise.tools.deployment.ui.utils.UIInvocationEvent.dispatch(UIInvocationEvent.java:53)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:454)
    at com.sun.enterprise.tools.deployment.ui.utils.UIEventQueue.dispatchEvent(UIEventQueue.java:168)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:201)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:151)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:145)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:137)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:100)
    Any known bug in deploytool or so?
    Asked this first at
    http://forum.java.sun.com/thread.jspa?threadID=590706&tstart=0
    there are some more problems mentioned ...
    Thanx!
    Merten

    Hi Merten,
    I'm not sure if the Security tab will add the basic
    auth that you mentioned in your email. You might
    have a look at the Login Config on the Endpoint tab
    and see if that gives you what you want.
    http://docs.sun.com/source/819-0079/dgdesc.html#wp136664
    J

    Hi J,
    I tried this Login Config stuff, but it worked for me only in the servlet (JAX-RPC) world, not for my EJB web service. In the J2EE tutorial I found the steps described for servlet based web services (this security-constraints stuff), I could protect my HTTP POST method successfully. But for an EJB web service, what are the required steps to add HTTP Basic auth? It seems to be way different, is it supported in deploytool the same way as for servlets?
    I'll send another copy of my .ear to you ([email protected]). Sorry, I know this is not an dt (deploytool) related issue, but perhaps you can help me anyway. :-) I think I did the right stuff in my deployment descriptors, but it's not working. And I saw a NPE in my server's log file (will send you the stack trace too).
    cu
    Merten

  • Security constraint in web.xml

    Hi All
    I want to set a security constraint to verify my system user, I know I need to put the following section into the tomcat created web.xml. But I don't know where is the web.xml on my Tomcat 4.1.24, because i found many web.xml files in different directory.
    Q1) Sorry I know this is a silly question, but can u tell me which web.xml is the one I need to edit in order to set my the security constraint?
    Q2) Instead of editing the created Tomcat web.xml, can I create my own web.xml and put it in <Tomcat_Home>/webapps/ROOT/WEB-INF. This is just only for the security constraint towards my system.
    Many many thanks
    Kelvin
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/admin</url-pattern>
    <url-pattern>/users</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>administrator</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login-error</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <role-name>administrator</role-name>
    </security-role>

    you need to do it for every web-app... that's why there is one web.xml file for each! There is a thing in CATALINA_HOME/conf/server.xml that u can uncomment to enable 'single-logon' which means u can log on once and be authenticated for every web-app...
    root isn't a web-app i don't think... so therefore u can't restrict access to it (someone correct me if wrong)... I don't know what u mean by restricting access to your 'system'

  • Security when ownership defined in database

    I have a couple of tables in a database and each table has an owner column. The owner
    column represents the user that added that row to the table.
    I'd like to implement security for the rows in the table such that only the owner and
    any user that belongs to an administrator group can modify the row.
    How would I go about doing this?
    I was hoping to use isUserInRole() because I've implemented coarse container level security using <security-constraint>.
    Any help is much appreciated.
    Raj

    Here's what I've done to achieve what I want:
    1. I have a beforePhase listener on the form that will be performing the row edit.
    2. The method for the beforePhase listener checks the permissions. If the user is not
    allowed to perform the edit, then the servlet response returns error 403. The error page
    for code 403 displays an insufficient security privilege page. Here's a snippet of the
    unpolished code that performs the check:
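    String user = FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();
    // getRemoteUser() returns null for an unauthenticated request, so test for that first
    if (user == null || !user.equals(row.getOwner())) {
         HttpServletResponse resp = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
         resp.sendError(403);
         // stop the JSF lifecycle so the view is not rendered after the error is sent
         FacesContext.getCurrentInstance().responseComplete();
    }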
    NOTE: The only drawback is that I have to do this for each page/form.
    Any comments?

  • Security Context Propagation between Managed Servers

    I'm using WLS 8.1 SP2. I have one domain, two managed servers, each on a separate
    hardware server. Each managed server hosts a different web application. I want
    to authenticate to Web App "A" and be able to invoke Web App "B" (from "A") without
    having to re-authenticate. Is this possible via configuration and, if so, how?
    Thanks.

    Frank,
    You do not have to do anything to propagate identity between the two
    containers. As long as the user is authenticating first..
    There have been a number of issues with the propagation, so be sure to stay up
    on the service packs.
    HTH.
    Frank wrote:
    How do you propagate security context information from Servlet to
    EJBs? I have a web app that uses the container's FORM based authentication.
    The servlet resource then calls a session EJB (w/ security constraints
    setup). The webapp and the ejbs are bundled into one EAR.
    Thanks!
    --
    Tom Mitchell
    [email protected]
    Very Current Stoneham, MA Weather
    http://www.tom.org

  • Problem establishing WSRP security

    Hi,
    I have created an SSO scenario between a WSRP producer and a consumer.
    Within the Producer Application's "web.xml" I have added "/producer" as a part of security-constraints. So while accessing the producer WSDL, the application first prompts the user for valid credentials.
    Now in the consumer application I have set up a basic authentication. After providing the valid credentials in the consumer application, when the consumer application tries to display the remote portlets, it fails with the following exception,
    java.io.IOException: Content type [text/html] not supported. Expected content type is [text/xml]. at com.bea.wsrp.proxy.RemoteProxy.sendMessage(RemoteProxy.java:268) at com.bea.wsrp.proxy.RemoteProxy.sendData(RemoteProxy.java:146) at com.bea.wsrp.proxy.RemoteProxy.dispatch(RemoteProxy.java:84) at com.bea.wsrp.proxy.ProxyBase.invoke(ProxyBase.java:447) at $Proxy11.initCookie(Lcom.bea.wsrp.types.InitCookieDocument;)Lcom.bea.wsrp.transport.soap.Message;(Unknown Source) at com.bea.wsrp.consumer.proxy.CookieManager.invokeInitCookie(CookieManager.java:421) at com.bea.wsrp.consumer.proxy.CookieManager.ensureInitCookies(CookieManager.java:289) at com.bea.wsrp.consumer.controls.ProxyPortlet.preRender(ProxyPortlet.java:685) at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:443) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:719) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:731) at 
com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:181) at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:204) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:146) at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:324) at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:196) at com.bea.netuix.servlets.manager.PortalServlet.doPost(PortalServlet.java:772) at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:150) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1077) at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:465)
    If I remove the "/producer" from the "security-constraint" tag of "web.xml" of the producer application, things are back to normal and I can view the remote portlet from the consumer application.
    Just so that you know, the remote portlet is a JSR168 portlet and the server version is 8.1 sp6.
    Can someone please provide some hint or suggestion? I have kind of hit a roadblock.
    Any help is highly appreciated.
    Thanks,
    Vicky

    Vikram,
    WLP does not support basic auth for web services security for very
    simple reasons. WLP relies on SAML assertions for this purpose. See
    http://edocs.bea.com/wlp/docs81/wsrp/security.html for details.
    Regarding the exception you found, that is most likely because the
    producer's servlet container is returning an error page since it could
    find basic auth headers from the request.
    Subbu

  • Security constraints not being applied after using custom login module

    I am using form based authentication and I applied the custom login module - DBProcLoginModule to work with the embedded OC4J (JDeveloper 10.1.3.2). I have specified two security constraints in web.xml. The authentication is working correctly, however the security constraints are not being applied. All users are able to access all url resources. The security constraints were working properly before applying the custom login module. Please help.
    Leena

    Hi,
    if "All users are able to access all url resources" then this indicates that the URL isn't properly protected. If the authorization would fail then no one would have access and you would see error code 401.
    Make sure the role names in web.xml are the same as added by the LoginModule. Also make sure you set the dynamic.role property and the custom security provider property in the orion-application.xml
    <jazn provider="XML">
         <property name="custom.loginmodule.provider" value="true"/>
         <property name="role.mapping.dynamic" value="true"/>
    </jazn>
    Note that the above is not required (because done automatically) if the custom LoginModule configuration is deployed through the orion-application.xml file
    Frank

  • How to log in to SAP MII by using a custom xApp?

    Hi there,
    I'm developing a custom xApp with a context root of /mycustomapp
    I use some security constraints for it so the user has to log in to view the xApp.
    As I use some MII services the user has to be logged in to SAP MII, too. However, logging in to SAP NetWeaver doesn't automatically sign in the user to SAP MII, too.
    Is it possible at all?
    Accessing /mycustomapp leads to a login mask, but the user should be logged in to SAP MII, too.
    Regards
    Tobias

    web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
      id="WebApp_ID" version="2.5">
      <display-name>mycustomapp</display-name>
      <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
      </welcome-file-list>
      <security-constraint>
        <display-name>Authentication of Users</display-name>
        <web-resource-collection>
          <web-resource-name>My Resource Name</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>My_User_Role</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MyRealm</realm-name>
      </login-config>
      <security-role>
        <role-name>My_User_Role</role-name>
      </security-role>
    </web-app>

    web-j2ee-engine.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-j2ee-engine xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="web-j2ee-engine.xsd">
      <spec-version>2.4</spec-version>
      <security-role-map>
        <role-name>My_User_Role</role-name>
        <server-role-name>My_User_Role</server-role-name>
      </security-role-map>
    </web-j2ee-engine>
    Besides having the role My_User_Role my user also has the SAP_XMII_User role (and the corresponding developer roles).
    Regards
    Tobias

  • WL6.1 RDBMSrealm not working

    Platform: Windows & HPUX
    Weblogic: WL6.1 sp1
    JDK 1.3.x
    When we upgraded from WL6.0 to WL6.1sp1, the security does not work like
    it did with WL6.0.
    I have implemented an RDBMSrealm where authorization / ACLs are retrieved and
    Authentication is done through LDAP.
    Symptoms:
    Any user who successfully authenticates and is authorized to use any page, in
    our case the initial page, is able to view and access any other page (JSPs),
    ignoring other security constraints specified in the Web XML.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>public</web-resource-name>
        <url-pattern>index.jsp</url-pattern>
        <url-pattern>login.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>ADMIN</role-name>
        <role-name>ALL_USERS</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>product_instance</web-resource-name>
        <url-pattern>Product.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>PRICING_ADMIN</role-name>
        <role-name>PRICING</role-name>
        <role-name>ADMIN</role-name>
      </auth-constraint>
    </security-constraint>
    In the example above, ALL_USERS and ADMIN are authorized to load index.jsp
    and login.jsp, they should not however be able to load Product.jsp but are
    able to. The second security constraint is ignored or is it looking
    somewhere else for the ACL other than the custom RDBMSrealm that I
    created.
    This all worked flawlessly in WL6.0 and still does.
    Jerrie Pineda

    Hello Jerrie,
    1. Try adding the following tags in your web.xml file :
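    <!-- Declare all the roles used in <auth-constraint> above.
         Each <security-role> element holds exactly one <role-name>. -->
    <security-role>
      <role-name>ALL_USERS</role-name>
    </security-role>
    <security-role>
      <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
      <role-name>PRICING</role-name>
    </security-role>
    <security-role>
      <role-name>PRICING_ADMIN</role-name>
    </security-role>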
    2. Check that your mapping is right in the weblogic.xml file as :
    <security-role-assignment>
    <role-name>ADMIN</role-name>
    <principal-name>admin</principal-name>
    </security-role-assignment>
    I hope this helps.
    Ludovic.
    Developer Relations Engineer
    BEA Support

  • Wls 10.0 - intermittent 401 errors

    I have a simple HelloWorld servlet that is configured to use CLIENT-CERT as the authentication mechanism.
    I am attempting to deploy this to a WLS 10.0 instance (though the problem I'm seeing also occurs under 9.2)
    When I access the servlet once from my web browser everything works fine, the 2-way SSL handshake takes place and I get the output from my servlet.
    However, if I attempt to access the servlet from multiple tabs concurrently, I get 401 errors intermittently. I can pick any one of the tabs that has a 401 error, hit 'reload' and get the correct output from the servlet.
    I'm concluding that this problem, where I get the 401 errors, shows up when too many concurrent authentication attempts are made.
    This problem disappears if I remove the <security-constraint> section from the web.xml. This leads to the following questions:
    1) If the <security-constraint> configures the servlet to allow any authenticated user (i.e the role specified maps to <principal-name>users</principal-name> in weblogic.xml) AND my WebLogic server is configured to require client certificates (and only listen on the SSL port), is the <security-constraint> serving any purpose?
    2) How do I go about debugging this? Is this some sort of thread/resource issue that can be tweaked through WebLogic server settings somewhere?
    Thanks in advance,
    Bruce

    Probably too late for an answer but I try,
    We are not able to build our J2EE 1.4 application with weblo 10, we have to build them with weblo 8 which contains the xdoclet. then we deploy it in WL10. then sometimes we have to fix some build constraints that WL10 doesn't allow anymore.

  • Changing the value of the SOAPElement in the SOAP message

    Now another problem I encountered was overwriting a value in the SOAP message with my value. The SOAPElement interface, which extends the Node interface, provides the method getValue() to get the value of the node but doesn't give me any method to set another value instead.
    <token xsi:type="xsd:string">token123</token>
    I want to replace the value "token123" with my value.
    Is there no provision for altering a value in the SOAP message? Is this due to security constraints?
    If yes then can we detach the same node and add a similar node with the new value? I wanted to try the same using the addChildElements() method but then the problem here is how do I create a new SOAPElement in the handler as it's an interface and not a class. Why I want to add a similar node is because I am having the definition of this object in the WSDL file, so if I attach the node corresponding to the parameter of the object then I would get the object populated with this value at the J2EE or .net layer.
    Also I thought of adding an attribute to the same node but then since this attribute will not be defined in the WSDL, the value of this attribute will not populate the java object at the J2EE layer. Hence attribute introduction also didn't help.
    This is the userData object in the soap body:
    </q1:FetchDetailsInput><q2:UserData xmlns:q2="java:com.anthem.enb.common.data" xsi:type="q2:UserData" id="id2">
    <password xsi:type="xsd:string">12345</password>
    <token xsi:type="xsd:string">token123</token>
    <userID xsi:type="xsd:string">vikas123</userID>
    </q2:UserData>
    This is my code to extract the values from the above message:
    Iterator i = ctx.getMessage().getSOAPPart().getEnvelope().getBody().getChildElements();
    System.out.println(" i.hasNext() =" + i.hasNext());
    while (i.hasNext()) {
        Object obj = i.next();
        System.out.println(" obj :" + obj.getClass());
        if (obj instanceof SOAPElement) {
            SOAPElement e = (SOAPElement) obj;
            System.out.println("e :" + e);
            String operationName = e.getElementName().getLocalName();
            LOG.info(CLASS_NAME + "operationName :" + operationName);
            if (operationName.equals("UserData")) {
                // Walk the children of UserData: password, token, userID
                Iterator j = e.getChildElements();
                LOG.info(CLASS_NAME + " j.hasNext() : " + j.hasNext());
                while (j.hasNext()) {
                    Object obj2 = j.next();
                    LOG.info(CLASS_NAME + " obj2 :" + obj2);
                    LOG.info(CLASS_NAME + " obj2 :" + obj2.getClass());
                    if (obj2 instanceof SOAPElement) {
                        SOAPElement eGrandChild = (SOAPElement) obj2;
                        String operationName2 =
                            eGrandChild.getElementName().getLocalName();
                        // Variable names now match the element they read
                        if (operationName2.equals("userID")) {
                            String strUserID = eGrandChild.getValue();
                            LOG.info(CLASS_NAME + " strUserID:" + strUserID);
                        } else if (operationName2.equals("password")) {
                            String strPass = eGrandChild.getValue();
                            LOG.info(CLASS_NAME + " strPass:" + strPass);
                        } else if (operationName2.equals("token")) {
                            String strToken = eGrandChild.getValue();
                        }
                    }
                }
            }
        }
    }
    Please help.

    how do I create a new SOAPElement in the handler as it's an interface and not a class?
    Here is an example:
    <example>
    MessageFactory messageFactory = MessageFactory.newInstance();
    SOAPMessage m = messageFactory.createMessage();
    SOAPEnvelope env = m.getSOAPPart().getEnvelope();
    SOAPBody body = env.getBody();
    SOAPElement fResponse = body.addBodyElement(env.createName("fResponse"));
    fResponse.addAttribute(env.createName("encodingStyle"),
        "http://schemas.xmlsoap.org/soap/encoding/");
    SOAPElement result = fResponse.addChildElement(env.createName("result"));
    result.addTextNode("test");
    ctx.setMessage(m);
    </example>
    Jong
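
    Replacing the text of the existing token element in place, instead of building a new message, as an added example that is not code from either poster. It uses the standard SAAJ calls removeContents() and addTextNode(); the class and method names and the sample values are constructed, and only the UserData structure and its namespace come from the question.

```java
import java.util.Iterator;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;

public class ReplaceTokenValue {

    /** Depth-first search for the first descendant element with this local name. */
    static SOAPElement findByLocalName(SOAPElement parent, String localName) {
        Iterator<?> children = parent.getChildElements();
        while (children.hasNext()) {
            Object child = children.next();
            if (!(child instanceof SOAPElement)) {
                continue; // skip text and whitespace nodes
            }
            SOAPElement element = (SOAPElement) child;
            if (localName.equals(element.getElementName().getLocalName())) {
                return element;
            }
            SOAPElement nested = findByLocalName(element, localName);
            if (nested != null) {
                return nested;
            }
        }
        return null;
    }

    /**
     * Swaps the text content of the named element. The element itself stays in
     * the tree, so its attributes (for example xsi:type) and position are kept.
     * Returns false when no such element exists.
     */
    static boolean replaceText(SOAPElement root, String localName, String newValue)
            throws SOAPException {
        SOAPElement target = findByLocalName(root, localName);
        if (target == null) {
            return false;
        }
        target.removeContents();      // detach the old text node
        target.addTextNode(newValue); // attach the replacement value
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed message mirroring the UserData element from the question.
        SOAPMessage message = MessageFactory.newInstance().createMessage();
        SOAPEnvelope env = message.getSOAPPart().getEnvelope();
        SOAPBody body = env.getBody();
        SOAPElement userData = body.addBodyElement(
                env.createName("UserData", "q2", "java:com.anthem.enb.common.data"));
        userData.addChildElement("password").addTextNode("example-password");
        userData.addChildElement("token").addTextNode("token123");
        userData.addChildElement("userID").addTextNode("example-user");

        // In a handler, pass ctx.getMessage().getSOAPPart().getEnvelope().getBody().
        boolean replaced = replaceText(body, "token", "replacement-token");
        message.saveChanges();
        System.out.println("replaced=" + replaced);
        message.writeTo(System.out);
    }
}
```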

  • Looking for Logoff API functionality from NWA

    Hi,
    I have one web application which is deployed on an NW 720 system. I have applied a security constraint in this web application, so when I try to access the URL pattern it asks the user for credentials. But if I close this browser and open a new session, it never asks for user credentials. I guess it takes the user cookie information to re-login.
    The requirement from my side is to find the API from NWA which can be called during the _jspDestroy functionality so that the current user can log off before the browser is closed. Can you help me here to find that API?
    Best Regards,
    Mitul

    Hi,
    Refer below link if it helps:
    http://help.sap.com/saphelp_nw70/Helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm
    Best Regards,
    Rupali
