Security Design Question: Role / code

Hi,
     we are developing a J2EE based application. I've a dilemma
and couldn't decide on which security method to use.
     i. Role based (using descriptor)
     ii. Code based (hard coding security in program)
All help appreciated and thanks!
Venki

Thanks Cameron, we've figured out our way , sorry for late response.
Venki
Cameron Purdy wrote:
If you can get away with simple role-based security, do it. Depending on how
complex and configurable the security has to be, you are better off going
with a specialized security solution. We always suggest Entegrity's
AssureAccess 2.0 product since they are a partner of ours ;-).
Peace,
Cameron Purdy
Tangosol, Inc.
Clustering Weblogic? You're either using Coherence, or you should be!
Download a Tangosol Coherence eval today at http://www.tangosol.com/

Similar Messages

  • ADF Security Design Question

    Hi All,
    I am developing an ADF web application. The security design is such that user authentication is mapped to database users. In the design I see several pros and cons:
    1) Different database users means I cannot take advantage of connection pooling.
    2) The architect argues SQL querying can be controlled at database level for each user.
    I have never been involved in such a web application. Can anybody please guide me if this is the way to go for an ADF web application, and any other pros and cons. The database is Oracle 11g. I still believe that application security should not be tied to the database security.
    Worst case, if I have to go with this design, how do I implement ADF security using database users?
    Thanks

    I blogged a use case for using Proxy Authentication with JPA here http://blogs.oracle.com/olaf/2010/04/using_oracle_proxy_authenticat.html. (Being a sample it includes a setter for user name, but a case with a JAAS Subject and Principal is easily adaptable).
    I'll dig out an ADF BC example and blog about it, too.
    --olaf

  • Wireless Authentication/Security Design questions

    Wireless newbie here... I was required to quickly stand up a wireless deployment at a new warehouse/office building. I have the basic network up and working. My remote APs have associated with the 2106 in the main office and users can associate and authenticate with the 1130G APs and can access the office network. I did the basic configs and am now looking to tighten up security. My questions are as follows:
    1) The user clients are Dell Laptops with integrated wireless. They authenticate using LEAP. How do I migrate to EAP, or do I need to? I have a Cisco ACS doing RADIUS authentication now.
    2) Should I be using some kind of supplicant client on the laptops?
    3) How do I filter MACs so rogue APs and rogue clients can't try and associate?
    4) Am I correct in assuming the connections between the 1130 APs and 2106 are secured, and if so do I need to tweak anything to tighten them up?
    5) I have an AP in the main office building that I want to set up to detect rogue APs. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?
    I have attached a diagram to help explain. Any help would be appreciated.
    v/r
    Chad

    1. LEAP is a form of EAP, so you must already have something terminating your EAP sessions. The WLC can do this to some extent, or ACS. Which one you chose will be based upon your requirements for manageability, scalability and feature-richness. I would suggest that PEAP-MSCHAPv2 provides a good balance of usability and security, and is significantly better than LEAP.
    2. No, stick with Windows XP SP2 supplicant. This can be configured using domain policy (2k3 SP1 or better) and is pretty good. Just make sure your laptops have new Intel drivers on them. Dell in particular have been quite bad with sending out old drivers in the builds.
    3. MAC authentication is now largely regarded as a waste of time. It is so easy to spoof a MAC address it's ridiculous, and it's a fair amount of work for the admin(s).
    4. The LWAPP tunnel encrypts all management / config / security related traffic between the AP and WLC, while user data is simply encapsulated in LWAPP, so it can potentially be read if packets are captured.
    5. All APs will do rogue detection, don't really need to have dedicated APs unless you're REALLY paranoid. Main benefit is quicker detection, but drawback is that the 'detector' AP won't serve clients.
    Regards,
    Richard

  • Role of SAP security design consultant

    Hi All,
    What role does a SAP HR (SAP Security Design) Consultant play?
    How different is it from a regular SAP HR?
    Please let me know.
    regards,
    Pratik

    What I assume is you will have to understand the different roles of users in that company who will need access to the HR system, classify them under categories, set up roles and define authorisation profiles, and set up structural authorisations based on the client's requirements.
    As far as HR is concerned you need to understand the different authorisation objects, roles and profiles available in the standard SAP system and set up new ones, add some additional privileges etc. wherever required. Get yourself familiar with the various HR authorisation objects etc.
    Also a little bit of user management, reporting on Infotypes, tracking changes, modification of business critical transactions etc.

  • Design question: Scheduling a Variable-timeslot Resource

    I originally posted this in general java programming, because this seemed like a more high-level design discussion. But now I see some class design questions. Please excuse me if this thread does not belong here (this is my first time using the forum, save answering a couple questions).
    Forum,
    I am having trouble determining a data structure and applicable algorithm (actually, even more general than the data structure -- the general design to use) for holding a modifiable (but more heavily read/queried than updated), variable-timeslot schedule for a given resource. Here's the situation:
    Let's, for explanation purposes, say we're scheduling a school. The school has many resources. A resource is anything that can be reserved for a given event: classroom, gym, basketball, teacher, janitor, etc.
    Ok, so maybe the school deal isn't the best example. Let's assume, for the sake of explanation, that classes can be any amount of time in length: 50 minutes, 127 minutes, 4 hours, 3 seconds, etc.
    Now, the school has a base operation schedule, e.g. they're open from 8am to 5pm MTWRF and 10am to 2pm on saturday and sunday. Events in the school can only occur during these times, obviously.
    Then, each resource has its own base operation schedule, e.g. the gym is open from noon to 5pm MTWRF and noon to 2pm on sat. and sun. The default base operation schedule for any resource is the school which "owns" the resource.
    But then there are exceptions to the base operation schedule. The school (and therefore all its resources) are closed on holidays. The gym is closed on the third friday of every month for maintenance, or something like that. There are also exceptions to the available schedule due to reservations. I've implemented reservations as exceptions with a different status code to simplify things a little bit: because the basic idea is that an exception is either an addition to or removal from the schedulable times of that resource. Each exception (reservation, closed for maintenance, etc) can be an (effectively) unrestricted amount of time.
    Ok, enough set up. Somehow I need to be able to "flatten" all this information into a schedule that I can display to the user, query against, and update.
    The issue is complicated more by recurring events, but I think I have that handled already and can make a recurring event be transparent from the application point of view. I just need to figure out how to represent this.
    This is my current idea, and I don't like it at all:
    A TimeSlot object, holding a beginning date and ending date. A data structure that holds list of TimeSlot objects in order by date. I'd probably also hold an index of some sort that maps some constant span of time to a general area in the data structure where times around there can be found, so I avoid O(n) time searching for a given time to find whether or not it is open.
    I don't like this idea, because it requires me to call getBeginningDate() and getEndDate() for every single time slot I search.
    Anyone have any ideas?

    If I am correct, your requirement is to display a schedule, showing the occupancy of a resource (open/closed/used/free and other kind of information) on a time line.
    I do not say that your design is incorrect. What I state below is strictly my views and should be treated that way.
    I would not go by time-slot; instead, I would go by resource: for instance the gym, the classrooms (identified accordingly), the swimming pool etc. are all resources. Therefore (for the requirements you have specified), I would create a class, let's say "Resource", to represent all the resources. I would recommend two attributes at this stage ("name" & "identifier").
    The primary attribute of interest in this case would be a date (starting at 00:00hrs and ending at 24:00hrs.), a span of 24hrs broken to the smallest unit of a minute (seconds really are not very practical here).
    I would next encapsulate the availability factor, which represents the concept of availability in a class, for instance "AvailabilityStatus". The recommended attributes would be "date" and "status".
    You have mentioned different statuses, for instance available, booked, closed, under-maintenance etc. Each of these is a category. Let us say, numbered from 0 to n (where n<128).
    The "date" attribute could be a java.util.Date object, representing a date. The "status" is a byte array of 1440 elements (one element for each minute of the day). Each element of the byte array is populated by the number designation of the status (i.e. 0,1,2...n etc.), where the numbers represent the status of the minute.
    The "Resource" class would carry an attribute of "resourceStatus", an ordered vector of "ResourceStatus" objects.
    The object (all the objects) could be populated manually at any time, or the entire process could be automated (that is a separate area).
    The problem of representation is over. You could add any number of resources as well as any number of status categories.
    This is a simple solution; I do not address the issues of querying this information and rendering the actual schedule, which I believe is straightforward enough.
    It is recognized that there is scope for optimizations/design rationalization here; however, this is a simple and effective enough solution.
    regards
    [email protected]
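An added example, not code from the reply above, of the representation it describes: a Resource holding an ordered list of AvailabilityStatus entries, one per date, each a 1440-element byte array, together with the marking, reservation and first-free-slot queries the reply leaves to the reader. The class and attribute names follow the reply; the status numbers, the gym's hours and the date are constructed for the demo.

```java
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** One resource's minute-level availability per date, as sketched in the reply above. */
public class Resource {

    // Status categories numbered from 0, as the reply suggests (the particular values are assumptions).
    static final byte CLOSED = 0, AVAILABLE = 1, BOOKED = 2, MAINTENANCE = 3;
    static final int MINUTES_PER_DAY = 24 * 60;   // 1440 elements, one per minute

    /** The "AvailabilityStatus" of the reply: a date plus one status byte per minute of that date. */
    static final class AvailabilityStatus {
        final LocalDate date;
        final byte[] status = new byte[MINUTES_PER_DAY];   // every minute CLOSED until marked otherwise
        AvailabilityStatus(LocalDate date) { this.date = date; }
    }

    final String name;
    final String identifier;
    private final List<AvailabilityStatus> resourceStatus = new ArrayList<>();   // kept ordered by date

    Resource(String name, String identifier) { this.name = name; this.identifier = identifier; }

    static int at(int hour, int minute) { return hour * 60 + minute; }   // clock time to array index

    private static void checkRange(int from, int to) {
        if (from < 0 || to > MINUTES_PER_DAY || from >= to) {
            throw new IllegalArgumentException("bad minute range " + from + "-" + to);
        }
    }

    /** Find the entry for a date, inserting a new all-CLOSED one in date order if it is missing. */
    AvailabilityStatus day(LocalDate date) {
        int i = 0;
        for (; i < resourceStatus.size(); i++) {
            int cmp = resourceStatus.get(i).date.compareTo(date);
            if (cmp == 0) return resourceStatus.get(i);
            if (cmp > 0) break;
        }
        AvailabilityStatus s = new AvailabilityStatus(date);
        resourceStatus.add(i, s);
        return s;
    }

    /** Apply a status to the minutes [from, to) of a date; later marks overwrite earlier ones. */
    void mark(LocalDate date, int from, int to, byte status) {
        checkRange(from, to);
        Arrays.fill(day(date).status, from, to, status);
    }

    /** Reserve [from, to) only if every minute is AVAILABLE; otherwise change nothing and return false. */
    boolean reserve(LocalDate date, int from, int to) {
        checkRange(from, to);
        byte[] s = day(date).status;
        for (int m = from; m < to; m++) {
            if (s[m] != AVAILABLE) return false;
        }
        Arrays.fill(s, from, to, BOOKED);
        return true;
    }

    /** First start minute with `length` consecutive AVAILABLE minutes, or -1; one pass over 1440 bytes. */
    int firstFree(LocalDate date, int length) {
        checkRange(0, length);
        byte[] s = day(date).status;
        int run = 0;
        for (int m = 0; m < MINUTES_PER_DAY; m++) {
            run = (s[m] == AVAILABLE) ? run + 1 : 0;
            if (run == length) return m - length + 1;
        }
        return -1;
    }

    /** Flatten one date into consecutive {start, end, status} runs, the form a schedule view would render. */
    List<int[]> runs(LocalDate date) {
        byte[] s = day(date).status;
        List<int[]> out = new ArrayList<>();
        int start = 0;
        for (int m = 1; m <= MINUTES_PER_DAY; m++) {
            if (m == MINUTES_PER_DAY || s[m] != s[start]) {
                out.add(new int[] {start, m, s[start]});
                start = m;
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Resource gym = new Resource("Gym", "GYM-1");
        LocalDate friday = LocalDate.of(2024, 3, 15);            // constructed date
        gym.mark(friday, at(12, 0), at(17, 0), AVAILABLE);       // base schedule: noon to 5pm
        gym.mark(friday, at(14, 0), at(15, 0), MAINTENANCE);     // exception: closed for maintenance
        System.out.println("earliest 2h slot starts at minute " + gym.firstFree(friday, 120));
        System.out.println("13:00-14:30 reserved: " + gym.reserve(friday, at(13, 0), at(14, 30)));
        System.out.println("12:00-13:30 reserved: " + gym.reserve(friday, at(12, 0), at(13, 30)));
        for (int[] r : gym.runs(friday)) {
            System.out.println("minute " + r[0] + "-" + r[1] + " status " + r[2]);
        }
    }
}
```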

  • Method design question...and passing object as parameter to webserice

    I am new to web services... one design question
    I am writing a web service to check whether a user is a valid user or not. The users are categorized as Member, Admin and Professional. For each user type I have to hit a different data source to verify.
    I can get this user type as a parameter. What is the best approach to define the method?
    Having one single method 'isValidUser' that all the client web services can always call, providing the user type, or should I define a method for each type like isValidMember, isValidAdmin?
    One more thing... in future the requirement may change for professional to have more required fields; in that case the parameter needs to have more attributes. But on the client side not much change if I have a single isValidUser method... all they have to do is pass additional values
    boolean isValidUser(String username, String usertype, String[] userAttributes) {
        if ("member".equals(usertype)) {
            return isValidMember(username, userAttributes);          // call member code
        } else if ("professional".equals(usertype)) {
            return isValidProfessional(username, userAttributes);    // call professional code
        } else if ("admin".equals(usertype)) {
            return isValidAdmin(username, userAttributes);           // call admin code
        } else {
            throw new IllegalArgumentException("unknown user type: " + usertype);
        }
    }
    or
    boolean isValidMember(String username, String[] userAttributes) {
        // call member code (lookup against the member data source)
    }
    One last question: can the parameter be passed as an object in a web service, like a USER object?

    First of all, here is my code
    CREATE OR REPLACE
    TYPE USERCONTEXT AS OBJECT
    user_login varchar2,
    user_id integer,
    CONSTRUCTOR FUNCTION USERCONTEXT (
    P_LOGIN IN INTEGER
    P_ID_ID IN INTEGER
    ) RETURN SELF AS RESULT
    Either your type won't be compiled or this is not the real code..

  • Design question for typical Message Based J2EE Apps

    We're building a request/response (synchronous) messaging system using MDBs and trying to figure out the "blue print" best practice for all components needed. Please let me know if any of the components below seem suspect, and whether I need to add/remove additional ones.
    MDBs: Consume MQ and JMS messages and start a Transaction
    Message Request Handlers: are created by MDBs. Receive messages in XML format, use utilities to perform XML marshalling and unmarshalling with Value Objects.
    Session Façade: Stateless Session EJB.
    Business Delegates: Are called by the Message Request Handler to process the message
    Business Objects: Biz logic classes
    DAO Layer: Data Access for CRUD operations
    Messenger : To create a response message and send it back
    How is the Session Facade related to the Biz Delegate? Are they one and the same? Are there any online docs to address these layers?

    I was trying not to overly complicate this by including the data structure, but two of the treesets' data:
    [model.Role@c7d5 code = [audit] description = [Access to data] name = [JIMS Audit], model.Role@4455 code = [basic] description = [Basic access] name = [JIMS Basic], model.Role@d131 code = [privacy] description = [Access to JIMS privacy data]
    locationTypeList=[LocationType@b234 code = [amc] description = [Am. Part Code] name = [amc], LocationType@b1ea code = [mat] description = [Management Indicator Ticket] name = [mat], LocationType@313e code =
    There are 3 DAO objects and more need to be added now. The user object will need data from all of them. The JSP's access this data directly. It's needed for security and location roles to determine access to functions and data within the app. The user has groups and these groups have security roles and locations that are separate and yet combine to give individual user access and admin rights. The key is that individual groups have separate data relevant to that group as a module that can be modified, added or removed and yet still combines with other groups data to give a total array of values for the individual user. I'm thinking the nature of the nested objects may require inner classes and/or a decorator pattern, but I'm still thinking though it.
    Message was edited by:
    jamesEston

  • Dreamweaver design question

    Hi all. I'm new to the forum and had a design question. My site took about 3 weeks to complete and after finishing what I thought was a pretty error free website I noticed that Dreamweaver 8 was coming up with numerous errors that matched http://validator.w3.org's scans. My question is this. Why does Dreamweaver (regardless of the release) allow the designer of the website he/she is creating without pointing out the errors as they go along with simple instructions on how to fix them. As an example my meta tags
    <META NAME="keywords" CONTENT="xxxxxxx">
    <META NAME="description" CONTENT="xxxxxxxx">
    <META NAME="robots" CONTENT="xxxxx">
    <META NAME="author" CONTENT="xxxxxx">
    <META NAME="copyright" CONTENT="xxxxxx">
    all had to be changed over to
    <meta name="keywords" xxxxxxxxxxxxx">
    <meta name="description" CONTENT="xxxxxxx">
    <meta name="robots" CONTENT="xxxxxx">
    <meta name="author" CONTENT="xxxxxxxx">
    <meta name="copyright" CONTENT="xxxxxxxx">
    all because Dreamweaver didn't tell me that the <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    didn't fit the original design. Now my site (if you wish to view the code) is www.gamblingwhore.com and if you look at the page source you will see that the code has been corrected on DW 8 but still shows more than 30 errors on http://validator.w3.org. Does Dreamweaver not have the basic tool available to fix these errors without such hassle? It's not just my site either; many sites built in Dreamweaver can be checked with the http://validator.w3.org website only to find more than 20-100 different errors.
    Dreamweaver creators need to focus on these errors because they hinder SEO and they create a lot of extra work.
    Thank you

    The w3c and XHTML have come a ways since the release of Dreamweaver 8 (I used it in late 2004 and 2005).
    Dreamweaver 8 will build transitional XHTML files as well as old style single tag HTML. It all depends on the personal preferences of the designer.
    Just for kicks, go to say... 20 random websites and see just how many get a green light when you validate them. If it's half, you're lucky. This page doesn't even validate;
    Dreamweaver has the menu option (at least in CS3 and CS4) under the Commands menu to "Clean Up HTML" or "Clean Up XHTML" depending on what you're building. I make a point of running that command as I build along with Apply Source Formatting.
    I also use a local validator program to check my code before putting anything.
    That's why they call it WYSIWYG software.
    If it did everything perfectly for everyone every single time, good web designers would find themselves out of work.

  • WLPI Design Question

    I've got a bit of a design question for Process Integrator. Currently I'm building
    a prototype for an exception handling system using Process Integrator. The application
    has to be web based and I'm using the Front Controller design pattern that is
    described in the J2EE Blueprint docs.
    I've come across a bit of a design problem. Should I design the application so
    that all the user actions in a task are accessed via the api set or should I build
    this functionality into the template. For example, a user will action a task which
    requires the user to update some variables in the template. In the template definition
    should I use a Send XML to Client action and then use the taskExecute method on
    the worklist, or should I do it all programmatically?
    Also if I do use the Send XML to Client should I then mark the task done using
    the APIs or using the Studio. I have noticed that if I mark the task done within
    the studio after sending the xml, the task becomes available for the next user,
    even if the variables haven't been updated yet.
    Sorry about the rambling nature of this post.
    Thanks in advance.
    Preyesh

    If you want to write code that's easier for you to write, you do whatever the hell you want.
    If you want to write good code, retain the ID.

  • Security/session questions

    Hi,
    I have some security/session questions for you guys.
    My application uses flex, blazeds and spring. I use RemoteObjects to initiate calls from flex to java. The application consists of a login screen and 'other screens' available only to authenticated users after login. When the user logs in the server stores user credentials on the FlexContext (FlexContext.getFlexSession().setAttribute). So if the server timeout is reached and the user presses 'refresh' the user is thrown out and the login screen appears.
    Question 1: How can I check if the timeout is reached when the user makes a call to the server, without checking manually against the FlexContext. Are there any config parameters to set?
    Question 2: Is it necessary to check against the user credentials in the session for every flex-to-server call? (I guess someone can omit the login screen and do a manual call)
    Question 3: If the answer to question 2 is yes, how can I check against the session credentials? The only way I can think of is calling a method which checks the session attribute manually, but then I have to remember to add this method call to each of the methods called from flex through Blazeds. Is it, for example, possible to call the user-logged-in method before the method given in the RemoteObject is called? (If not authenticated, do not run method).
    Hope someone got the time to help me out.

    I appreciate your answer, but as you yourself write, I think there must be a BlazeDS way. But as nobody with extensive BlazeDS knowledge answers this post, I probably have to google this topic even more.
    Following are the main changes in my application (introducing Spring Security):
    Everything seems to be working as it should. But as already stated, I'm a newbie. So if anybody sees something suspicious, let me know.
    The main problem I had implementing Spring Security was something that should be easy, but somehow it was not: the loading of the context files. Before introducing Spring Security I only had one application-context file, and this was loaded by the DispatcherServlet. When introducing security I tried to add this to the same file. It did not work. Then I tried splitting up the files, and loading both using DispatcherServlet. It did not work. Then I tried loading both using ContextLoaderListener. It did not work. Finally I found the solution. Flex settings must be loaded by the DispatcherServlet, and Spring Security settings must be loaded by ContextLoaderListener. This works. I don't know if this is the only solution.
    On the server:
    web.xml:
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/config/web-application-config.xml
            /WEB-INF/config/web-application-security.xml
        </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/config/flex-application-config.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    flex-application-context:
    <flex:message-broker>
        <flex:secured/>
    </flex:message-broker>
    web-application-context:
    I had to implement my own authentication mechanism, since I had to compare the username/password against an object attribute. So this bean is not mandatory, but I think you have to write down username/password/role in flex-application-context if it is not provided.
    <bean id="customAuthenticationProvider" class="packagename.CustomAuthenticationProvider">
        <security:custom-authentication-provider/>
    </bean>
    web-application-security:
    <http entry-point-ref="preAuthenticatedEntryPoint" />
    <beans:bean id="preAuthenticatedEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    <!-- Securing the service layer: every method of ServiceImpl requires ROLE_USER -->
    <global-method-security>
        <protect-pointcut expression="execution(* package.ServiceImpl.*(..))" access="ROLE_USER"/>
    </global-method-security>
    On the client:
    private function login():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken;
        token = cs.login(username, password);
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(loginResultHandler, loginFaultHandler));
    }
    private function logout():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.logout();
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(logoutResultHandler, logoutResultHandler));
    }

  • Need help with security design!

    Hi,
    I haven't worked with security design very much. Currently I'm about to develop an application for my father which should implement some sort of security.
    One of the reasons for this application besides making my father happy is educating myself.
    The application is an online image album.
    The security could be divided in role-based security and instance level security.
    Role-based (NO PROBLEM):
    A user cannot delete another user, an administrator can delete users.
    Instance-level (DON'T KNOW HOW):
    A user can load other users' image albums if he/she is allowed/granted to view the album and its images. Note that the user could be granted to view the album, but not all of its images.
    My problem is how I should design the "instance-level" security? Should I keep an ACL (Access Control List) with each instance of album and image?
    This seems to be a common functionality, to add view/load/read/write permissions to an instance at runtime to let a certain user operate on an asset?
    Have searched the Internet but haven't found any nice framework to help me.
    Could anyone with some experience please help me out?!
    Kind regards, Andreas

    Hi,
    I ran into the same problem. Could you resolve it?
    please give me your feedback.

  • SCA design question - PIX and SCA with dual logical SSL server.

    I have an SCA design question. Please correct or verify my solution.
    1. connectivity.
    <Client with port 443>--<ISP>--<PIX>--<SCA>--<SERVER(two IP on single NIC and each IP associates to WEB server) with port 81>
    * client will access WEB server with x.x.1.100 or x.x.1.101
    2. physical IP address
    - PIX outside=x.x.1.1
    - PIX inside=x.y.1.1
    - SCA device=x.y.1.2
    - SERVER NIC1=x.y.1.10
    - SERVER NIC2=x.y.1.11
    3. PIX NAT
    - static#1=x.x.1.100 map to x.y.1.10
    - static#2=x.x.1.101 map to x.y.1.11
    4. SCA configuration.
    mode one-port
    no mode one-port
    ip address x.y.1.2 netmask 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 x.y.1.1
    ssl
    server SERVER1
    ip address x.y.1.10
    localport 443
    remoteport 81
    server SERVER2
    ip address x.y.1.11
    localport 443
    remoteport 81
    Thanks,

    The document http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/scacfggd/ has a link to a page which describes how to use the configuration manager command line interface to configure the Secure Content Accelerator. Several configuration examples are also included in this page.

  • Security design issue

    Hi Folks,
    I've a security design issue using the J2EE architecture framework in my
    project..
    Proj Requirement:
    i) User logs into a health b2b/b2c portal website...
    ii) Check whether the user exists in the database or LDAP directory service.
    iii) If the user exists then check the role: Patient/Insurance Provider/Physician?
    iv) If Patient then display his personal health record history;
    else if Insurance Provider then display Insurance Policy information,
    where he can update/create insurance for the entered patient id, if the patient has
    granted access to the Insurance Provider;
    and if Physician then display hospital information like
    waiting patients, sending appointments, etc..
    The above security access control role & policy has to be implemented
    very strongly, so that another user cannot view/update someone else's health records..
    Development tool: WebLogic Server/Oracle/LDAP.. on Linux
    Security Problem:
    i) What is the best security solution for the above requirement?
    ii) How do I authenticate/validate users using the J2EE security framework?
    Can anyone explain in detail the steps to implement this?
    Thanks,
    -raj-

    I'm assuming that you're using WLS 6; if so check out (I know we cover this in
    the documentation but I'm guessing at the title) the "securing your site"
    guide. Some of what you're planning the WLS server can protect through good
    ACL usage. I'd recommend creating at least three groups (patient, provider,
    physician), clearly the danger lies in having a user who is a member of more
    than one group. I'd recommend implementing your own role checking at both
    the servlet and EJB levels to fully enforce information access, using
    servlet state and stateful session beans should help.
    Alex
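An added example, written for this page and not taken from any of the posts, that puts the two layers discussed in this thread into one class: the coarse role gate a deployment descriptor can express (the "role based" option of the first thread), and the per-instance ownership and grant checks Alex recommends implementing in servlet and EJB code, which also answer Andreas's album/image question above. The class, role, user and resource names are assumptions made for the demo; the role lookup stands in for what isUserInRole()/isCallerInRole() would return from the container.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Role gate plus per-instance grants; names and roles are assumptions made for this demo. */
public class InstanceAccessPolicy {

    enum Permission { VIEW, UPDATE, DELETE }

    /** The logged-in caller: user id plus the roles the container resolved for it. */
    static final class Principal {
        final String userId;
        final Set<String> roles;
        Principal(String userId, String... roles) {
            this.userId = userId;
            this.roles = new HashSet<>(Set.of(roles));
        }
    }

    /** Any protected instance (health record, album, single image); each has exactly one owner. */
    static final class Resource {
        final String id;
        final String ownerId;
        Resource(String id, String ownerId) { this.id = id; this.ownerId = ownerId; }
    }

    /** Roles the descriptor would let through to the protected URLs or EJB methods at all. */
    private final Set<String> rolesAllowed;
    /** Instance grants: resource id -> grantee user id -> permissions. Nothing is inherited between resources. */
    private final Map<String, Map<String, Set<Permission>>> grants = new HashMap<>();

    public InstanceAccessPolicy(String... rolesAllowed) { this.rolesAllowed = Set.of(rolesAllowed); }

    /** Only the owner hands out grants, and a grant names one user and one resource. */
    public void grant(Principal actor, Resource res, String granteeId, Permission... perms) {
        if (!actor.userId.equals(res.ownerId)) {
            throw new SecurityException(actor.userId + " does not own " + res.id);
        }
        grants.computeIfAbsent(res.id, k -> new HashMap<>())
              .computeIfAbsent(granteeId, k -> EnumSet.noneOf(Permission.class))
              .addAll(Set.of(perms));
    }

    /** The check every servlet action and EJB method runs before it touches res. */
    public boolean isAllowed(Principal actor, Resource res, Permission perm) {
        // Layer 1: the role gate, which <security-constraint> / <method-permission> can express.
        boolean roleOk = false;
        for (String r : actor.roles) {
            if (rolesAllowed.contains(r)) { roleOk = true; break; }
        }
        if (!roleOk) return false;
        // Layer 2: the instance rule a descriptor cannot express. Ownership is decided by user id,
        // not by group, so a user who sits in several groups still reaches only his own instances
        // plus whatever was granted to him by name.
        if (actor.userId.equals(res.ownerId)) return true;
        Set<Permission> p = grants.getOrDefault(res.id, Map.of()).get(actor.userId);
        return p != null && p.contains(perm);
    }

    public static void main(String[] args) {
        // Health portal: patient, provider and physician groups; bob is in two of them.
        InstanceAccessPolicy portal = new InstanceAccessPolicy("patient", "provider", "physician");
        Principal alice = new Principal("alice", "patient");
        Principal bob = new Principal("bob", "patient", "provider");
        Principal carol = new Principal("carol", "provider");
        Resource aliceRecord = new Resource("record-alice", "alice");
        System.out.println("alice views own record: " + portal.isAllowed(alice, aliceRecord, Permission.VIEW));
        System.out.println("bob views alice's record without a grant: " + portal.isAllowed(bob, aliceRecord, Permission.VIEW));
        portal.grant(alice, aliceRecord, "carol", Permission.VIEW);
        System.out.println("carol views after grant: " + portal.isAllowed(carol, aliceRecord, Permission.VIEW));
        System.out.println("carol updates after VIEW-only grant: " + portal.isAllowed(carol, aliceRecord, Permission.UPDATE));

        // Image album: a grant on the album does not carry over to the images inside it.
        InstanceAccessPolicy album = new InstanceAccessPolicy("user", "admin");
        Principal dave = new Principal("dave", "user");
        Principal erin = new Principal("erin", "user");
        Resource holiday = new Resource("album-holiday", "dave");
        Resource image = new Resource("album-holiday/img-42", "dave");
        album.grant(dave, holiday, "erin", Permission.VIEW);
        System.out.println("erin views album: " + album.isAllowed(erin, holiday, Permission.VIEW));
        System.out.println("erin views image in it: " + album.isAllowed(erin, image, Permission.VIEW));
    }
}
```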

  • BC4J + Struts: Design questions!

    OK, I'm wanting to use Struts with BC4J and have a design question for you BC4J users and gurus.
    Here's how I think things would work:
    1. User requests page
    2. Struts ActionServlet calls perform() on Struts ActionForm
    3. Struts ActionForm instantiates BC4J AppModule and calls business method
    4. BC4J AppModule instantiates necessary BC4J ViewObjects and performs business operations which return data
    5. Struts ActionForm receives value objects from BC4J AppModule
    6. Struts ActionForm populates Struts FormBean
    7. Struts ActionForm forwards to Struts JSP which displays Struts FormBean
    I prefixed the components with Struts/BC4J to keep things clear where things belong.
    Now, here are my questions:
    In step 3, what's the best method of doing this? Do I need to do JNDI lookups every time? What's the performance overhead of this? Anyone have any best-practice code that does this?
    Is this the accepted way of doing things? Is there a better way of designing this system?
    Thanks!

    In Step 3 you should use the ApplicationModule pooling framework, especially if you are trying to work in stateful mode, because the pooling automatically handles the AM activation/passivation.
    There are different ways to go at it.
    If you are using the BC4J custom tag library and have an ApplicationModule tag in your JSP, the pooling is already initialized. By the time your action is triggered you just need to retrieve the AM using the application id:
    in your jsp:
    <jbo:ApplicationModule id="myAM" ... />
    in your Action implementation:
    HttpContainer container = HttpContainer.getInstanceFromSession(request.getSession());
    SessionCookie cookie = container.getSessionCookie("myAM");
    ApplicationModule am = null;
    if (cookie != null) {
        am = cookie.useApplicationModule();
    }
    This AM id can be passed as a URL parameter...
    If you do have a JSP with an AM tag you need to create the pool with a findSessionCookie call.
    For more info about AM pooling look at the end of this thread for Steve's resources:
    http://forums.oracle.com/forums/message.jsp?id=912431&gid=513211
    This is what we are currently doing to provide support for BC4J in Struts for our next release.
    Charles.

  • Architecture/Design Question with best practices ?

    Architecture/Design Question with best practices ?
    Should I have a separate webserver and weblogic for the application and for IAM?
    If yes then how will these both communicate, for example should I have a webgate at both servers which will communicate with each other?
    Any reference which helps in deciding how to design, and if I have separate weblogic, one for application and one for IAM, then how will session management occur etc.
    How does the general design happen in an IAM project?
    Help appreciated.

    The standard answer: it depends!
    From a technical point of view, it sounds better to use the same "middleware infrastructure", BUT then the challenge is to find the latest weblogic version that is certified by both the IAM applications and the enterprise applications. This will pull down the version of weblogic, since the IAM application stack is certified with older versions of weblogic.
    From a security point of view (access, availability): do you have the same security policy for the enterprise applications and the IAM applications (component of your security architecture)?
    From an organisation point of view: who is the owner of weblogic, enterprise applications and IAM applications? At one of my customers, application and infrastructure/security are in two different departments. Having a common weblogic domain didn't fit in the organization.
    My short answer would be: keep it separated, this will save you a lot of technical and political challenges.
    Didier.
