Security issue, Attn: John Stegman and Frank

Hello Frank/John:
I am in the process of experimenting with Frank's suggestion
http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
I already have a schema in my local Oracle Express for testing ADFBC Demo and I have completed Chapter 9. So, I am going to add APPLICATION_USERS and APPLICATION_ROLES in the same schema (instead of AUTHSCHEMA as the article suggests) and see if I can continue from that ADFBC demo (which uses file-based security). Looks like a switch in orion-app.xml should help me experiment with Frank's suggestion. Let me see if I can apply Frank's suggestion to the ADFBC demo.
John: It would be great if you provided a step by step for a really, really simple app where the users/pw/roles can be set up in Oracle Express and the app merely allows access to different tables based on user roles and nothing else. I am kinda wary about continuing with SRDemo.
Thanks everyone and I will let you know how things go. By the way, I never knew DBTableOraDataSourceLoginModule existed. I understand it is part of JDEV. I did not see any mention of it in system-jazn-data.xml as the article said.
UPDATE: 4/11/07: Got stuck on page 7 - Data-sources.xml. What is a "View Layer Project?" Anyway, selected "UserInterface" and tried to create data-sources.xml. Instead of going to WEB-INF, it goes to META-INF under UserInterface. Is the <option>data_source_code... a hard coded entry? I decided to go on and tried to add jazn-data.xml but jazn-data.xml is not highlighted in the option and it was all downhill from that point. Just three more pages (up to Page 10) and I am almost ready to test the non-standalone version! Help!

To Frank:
"To populate the created jazn-data.xml file with the indirected passwords from the data-sources.xml file, choose Tools | Embedded OC4J Server Preferences from the JDeveloper menu. In the menu, expand the Current Workspace node and select the Data Sources entry. Press the Refresh Now button on the right hand side to copy all database connections that exist in JDeveloper into the data-sources.xml file."
This paragraph seems to trouble me: you said that system-jazn.xml needs to be populated with the undirected passwords from the data-sources.xml, but in the end you say press the Refresh Now button on the right hand side to COPY all database connections that exist in JDeveloper INTO THE DATA-SOURCES.XML FILE, so which file needs to be updated...
My data-sources.xml is populated, but I can't populate the system-jazn.xml the way you explained above...
When I compile my project everything goes fine, no errors, but when I type in the username "sking" and password "welcome" and click on Ok I get the following error in the log: "User sking not authenticated: datasource name could not be resolved"
You use jdbc/authschema -> where jdbc is the database connection name and authschema is the schema which has the two tables in it... I have the same situation but with different names, so I simply changed your jdbc/authschema to system/users... but obviously something is wrong... I don't know what...
Please can you tell me what I am doing wrong... thanks in advance Frank

Similar Messages

  • Severe Security Issue with Sharing Permissions and Windows

    I recently discovered a severe security issue with the Windows sharing and permission settings:
    I have two users, an admin user and a parental controlled user. On my Mac mini, I have an external hard drive connected. On the hard drive, I have three folders: iTunes, iPhoto (Package) and a Temp folder. I want to share the hard drive RW for the admin, but only R for the parental user. But the Temp folder should be accessible RW for the parental user as well.
    1. I set the Drive checkbox "ignore ownership" off.
    2. I set the permissions of the drive to admin RW, parental R and Everyone to "no access"
    3. I apply to enclosed Items
    4. I set the permission of the Temp folder to admin RW, parental RW and Everyone to "no access"
    5. I apply to enclosed Items
    6. I go to "File Sharing" in the Preferences and activate SMB sharing for both users
    7. I delete all previous shares
    8. I add the Disk and use the proposed permissions which are admin RW, parental R, Everyone "no access"
    9. I add the Temp folder and use the proposed permissions which are admin RW, parental RW, Everyone "no access" - Funny, there is a new Group called "Temp" created which has custom access on both sharepoints
    10. I connect to the Mac from a Windows machine (NTLM auth set appropriately). Now I try to create a folder on the root of the Disk share, and I get a denied message.
    BUT WHEN I GO INTO A SUBFOLDER (eg. ITUNES or IPHOTO), WHICH HAS ALSO JUST "R" PERMISSION FOR THE PARENTAL USER, I AM ABLE TO RW, DELETE AND DO EVERYTHING!!!
    TO RECAPITULATE: THE SHARING PERMISSIONS ARE "R", AND THE FILE PERMISSIONS IN THE RESPECTIVE FOLDERS FOR THE RESPECTIVE USER ARE ALSO JUST "R". BUT THE USER CAN DO EVERYTHING IN THE SUBFOLDERS!!!

  • Security issue with a website and java

    I am having trouble getting Java to work on a website, the message tells me that I have a security issue  but I don't know how to fix it??

    The site may be sending Firefox for Android a page that is not correctly formed.
    We have a feature in Firefox 39 which will allow the request desktop site menu item to show the full desktop site.

  • Security issues using Open Realty and DW (any sites hacked?)...

    I am doing a real estate site and would prefer to stick with DW and integrate the Open Realty plugin rather than jump into Joomla, for ease of manipulating the overall design. Have any of you ever had any sites hacked using OR? I know you have to use pconnect to use OR; does this increase MySQL vulnerability? I am using GoDaddy and am not sure if they even allow pconnect on their Linux/Apache servers...

    A Trojan Horse almost always results from someone visiting a web site and/or receiving email and in the process inadvertently downloading malicious software. Therefore, it is the *computer user* that literally invites this malware into their computer. This malware did not get into the PCs on your network because someone on the internet got past your network's "firewall" ie the Airport Base Station.
    What someone needs to do is to educate these PC users on your network on the basics of "safe computing", and to install and maintain software on their PCs to guard against and detect this type of malware at the moment it gains entry to the PC. What you do not need to do is expend effort beefing up the security of your network's connection to the internet.

  • Security issue with NetStream.appendBytes() and BitmapData.draw()

    I use appendBytes to continuously and seamlessly stream video data into a netStream. Since we're NOT playing the video files directly from a web domain, there is no meaning to the checkPolicyFile property of our netStream object and therefore we cannot BitmapData.draw() our Video instance with the netStream attached.
    Is there any possibility to get images from the netStream in order to manipulate them on-the-fly?

    I ran into the same problem.  Have you managed to find a solution to get around the security violation?

  • Security issue with the SGA and multiple installation group.

    Hi,
    Documentation IS WRONG:
    http://download.oracle.com/docs/cd/E11882_01/rac.112/e10743/preparing.htm#TDPRC131
    # useradd -u 1100 -g oinstall -G dba -d /home/oracle -r oracle
    http://download.oracle.com/docs/cd/E11882_01/install.112/e10816/typinstl.htm#CWSOL156
    # useradd -u 1100 -g oinstall -G dba oracle
    The "-g" and "-G" must be exchanged!
    In an advanced installation with multiple Oracle users call them ( ora1, ..., orai, ..., oran )
    with multiple OSdba group defined users call them ( dba1, ..., dbai, ..., dban)
    Associate each oracle user to a dba group with the same number and the install group as oracle told it.
    User ora1 group dba1
    User orai group dbai
    User oran group dban
    Now make the software installationS with the group OSinstall ( install) as written in the documentation, in 3 Oracle_home
    Call the oracle_home1, oracle_home2, oracle_home3
    Now check semaphores, Sharedmemory and files!
    ipcs -msa
    IPC status from <running system> as of Thu Apr 29 12:14:06 CEST 2010
    T ID KEY MODE OWNER GROUP CREATOR CGROUP NATTCH SEGSZ CPID LPID ATIME DTIME CTIME
    Shared Memory:
    m 16777246 0x6525858 rw-rw-- oracle2 install oracle2 install 36 5368725504 3479 4298 12:10:01 12:10:31 16:30:45
    T ID KEY MODE OWNER GROUP CREATOR CGROUP NSEMS OTIME CTIME
    Semaphores:
    s 50331701 0xb7892c1a ra-ra-- oracle2 install oracle2 install 202 16:30:47 16:30:45
    s 50331700 0xb7892c19 ra-ra-- oracle2 install oracle2 install 202 no-entry 16:30:45
    s 50331699 0xb7892c18 ra-ra-- oracle2 install oracle2 install 202 12:13:48 16:30:45
    ls -l $OSD/oradata/*/*/* | sed s/oracle/oracle2/
    -rw-r----- 1 oracle2 install 11600384 Apr 14 18:30 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wcsdcfh_.chg
    -rw-r----- 1 oracle2 install 11600384 Apr 15 15:08 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wf7787k_.chg
    -rw-r----- 1 oracle2 install 11600384 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wg8jggf_.chg
    -rw-r----- 1 oracle2 install 16695296 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/controlfile/o1_mf_5wg4j9go_.ctl
    -rw-r----- 1 oracle2 install 524296192 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_aud__dol_5wg4mntr_.dbf
    -rw-r----- 1 oracle2 install 104865792 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_aud__dol_5wg4mp3v_.dbf
    -rw-r----- 1 oracle2 install 209723392 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_example_5wg4ml5z_.dbf
    -rw-r----- 1 oracle2 install 419438592 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_stat_dba_5wg4mmhg_.dbf
    -rw-r----- 1 oracle2 install 2097160192 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sys_undo_5wg4kf8n_.dbf
    -rw-r----- 1 oracle2 install 2097160192 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sys_undo_5wg4lss2_.dbf
    -rw-r----- 1 oracle2 install 1363156992 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sysaux_5wg4k1xf_.dbf
    -rw-r----- 1 oracle2 install 1048584192 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_system_5wg4jp26_.dbf
    -rw-r----- 1 oracle2 install 209723392 Apr 28 22:01 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_temp0_5wg4l302_.tmp
    -rw-r----- 1 oracle2 install 209723392 Apr 15 16:06 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_temp1_5wg4lsod_.tmp
    -rw-r----- 1 oracle2 install 104865792 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_users_5wg4l33f_.dbf
    -rw-r----- 1 oracle2 install 104858112 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_1_5wg4jb44_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 28 21:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_2_5wg4jdn6_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 28 22:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_3_5wg4jgw8_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 29 03:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_4_5wg4jk64_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 29 13:01 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_5_5wg4jmcd_.log
    ls -l $OH/bin/oracle | sed s/oracle/oracle2/
    -rwsr-s--x 1 oracle2 install 256263032 Apr 14 13:54 /app1/oracle/product/11.2.0_64/db_1/bin/oracle*
    That is the evidence that the documentation provides you a wrong way to do it!
    François LANGE

    The right document syntax for this is:
    UNIX: Do I Need To Use The "oinstall" Group? (Doc ID 463052.1)
    François
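
The check the post performs by eye on the `ipcs -msa` and `ls -l` output, as an added example that is not part of the original post: it lists IPC objects and files whose group is the shared install group and that carry group permission bits. The sample input is constructed from the output quoted above; the `oracle1`/`dba1` rows and the `/app1/example` and `/app2/example` paths are hypothetical.

```python
# Added example: flag IPC objects and files that the shared install group can reach.
SHARED_GROUP = "install"  # group name as it appears in the output quoted in the post

# Constructed sample input modelled on the post's `ipcs -msa` and `ls -l` output.
# The oracle1/dba1 rows are hypothetical: they show the per-owner group layout.
IPCS_SAMPLE = """\
T ID KEY MODE OWNER GROUP CREATOR CGROUP NATTCH SEGSZ
Shared Memory:
m 16777246 0x6525858 rw-rw-- oracle2 install oracle2 install 36 5368725504
m 16777300 0x1a2b3c4d rw-rw-- oracle1 dba1 oracle1 dba1 12 1073741824
Semaphores:
s 50331701 0xb7892c1a ra-ra-- oracle2 install oracle2 install 202
"""
LS_SAMPLE = """\
-rw-r----- 1 oracle2 install 16695296 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/controlfile/o1_mf_5wg4j9go_.ctl
-rw------- 1 oracle2 install 4096 Apr 29 13:05 /app1/example/private.dat
-rw-r----- 1 oracle1 dba1 16695296 Apr 29 13:05 /app2/example/control01.ctl
"""


def group_bits(mode, skip):
    """Return the group permission triple of a mode string.

    `skip` is the number of leading non-permission characters: 1 for `ls -l`
    (file type), 2 for a full 11-character ipcs mode, 0 for the shortened
    7-character form that appears in the post.
    """
    return mode[skip:][3:6]


def parse_ipcs(text):
    """Yield one record per ipcs data row (m = shared memory, s = semaphore, q = queue)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] in ("m", "s", "q"):
            skip = 2 if len(f[3]) == 11 else 0
            yield {"kind": "ipc:" + f[0], "name": f[1], "owner": f[4],
                   "group": f[5], "gperm": group_bits(f[3], skip)}


def parse_ls(text):
    """Yield one record per `ls -l` row; the path is everything after the time field."""
    for line in text.splitlines():
        f = line.split(None, 8)
        if len(f) == 9 and len(f[0]) >= 10:
            yield {"kind": "file", "name": f[8], "owner": f[2],
                   "group": f[3], "gperm": group_bits(f[0], 1)}


def shared_group_exposure(ipcs_text, ls_text, shared_group=SHARED_GROUP):
    """Return objects owned by `shared_group` that grant that group any access."""
    findings = []
    for obj in list(parse_ipcs(ipcs_text)) + list(parse_ls(ls_text)):
        # Any non-dash character in the group triple means group members get access.
        if obj["group"] == shared_group and obj["gperm"].strip("-"):
            findings.append(obj)
    return findings


if __name__ == "__main__":
    for o in shared_group_exposure(IPCS_SAMPLE, LS_SAMPLE):
        print(f'{o["kind"]:8} {o["owner"]:8} {o["group"]:8} {o["gperm"]} {o["name"]}')
```

Every Oracle software owner that is a member of the shared group inherits the listed group permissions, which is the condition the post presents as evidence.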

  • Security Issue Regarding to User and Password (Abid)

    Dear all,
    There are two Oracle 10g database servers running on different machines in our company. On both servers there are the same users, like
                        user name      password
    On machine A          abidusr          abc123
    On machine B          abidusr          abc123
    Select password from dba_users where username='SCOTT'
    password
    F894844C34402B67          machine a
    F894844C34402B67          machine b
    The hash values of both users are the same. One can access this value of mine and can guess my password.
    How can I overcome this problem?
    Best regards,
    Abid Hussain

    Hi,
    You can not, as you can not change the password encryption algorithm of Oracle.
    This is a serious problem in Oracle, and will probably be rectified in a future release. The encryption algorithm has changed in 11g, but I do not know if the hash is already unpredictable.
    Further info probably on http://www.petefinnigan.com
    Sybrand Bakker
    Senior Oracle DBA

  • Other web browsers and security issues?

    Since even an Apple KB article recognizes the need for an additional browser and because of Safari's limitations and problems, I'm going to try switching to another browser (most likely OmniWeb and am looking at Firefox, Shiira and Opera also though perhaps not as a primary browser) but I'm wondering about their ability to keep on top of any security issues for Mac? (and how do you keep up with security updates?)
    Though perhaps unfounded, at least with Safari, I feel that Apple has a vested interest in keeping on top of security issues (for Safari and Java) and I can readily find out about security updates via software updater.

    Most of the other Mac browsers have their adherents. They are all good browsers (I have 7 browsers installed to test various web sites and for change-of-pace usage). They all have their strengths and they all have their weaknesses. Only iCab and OmniWeb are still shareware, the rest are now or always have been free (Opera just recently stopped charging for its browser).
    I have settled on Firefox as my alternate browser and I use it maybe just a tad more than Safari, but I do switch back and forth between them. The Mozilla foundation is good at getting security updates out when needed. Firefox has a button on the toolbar to check for updates. One nice thing about Firefox is that you can install free extensions which enhance the features available. I have one to supplement tab features, one to control iTunes from Firefox's status bar, one to help me format messages in discussion forums, and one to block ads.
    I prefer OmniWeb for doing intensive research because of the way it handles tabs in its sidebar, showing me which ones I've looked at and which ones I haven't, and giving me great flexibility in rearranging tabs, which are viewable as thumbnails or text names (I have had up to a hundred or so tabs open in OmniWeb).
    Shiira is good and it's fast. I have not checked for updates for a while, but the last time I updated there was still a problem with Shiira kicking you out of logged-in sites when you moved from page to page within a web site. This may have been fixed by now - they were aware of the problem back then.
    Camino is a native OS X cousin of Firefox and is also fast, but is not updated as often.
    I would stay away from Mozilla or Netscape unless you need all the additional modules they have and which take up hard disk space. Firefox and Camino represent the browser module of Mozilla/Netscape. Mozilla and Netscape have modules for email, irc chat, newsgroups, and for creating and editing web pages. Netscape is a branded and slightly customized version of Mozilla and is not updated as often.
    Opera is a nice browser and some use it as their main browser, but I have not seen anything that really stands out for me, but that does not mean it is not worth a look.
    I would stay away from abandonware Internet Explorer.
    As for checking for updates, several of them, as with many Mac programs, now have a menu item that allows you to check for updates. Most of them also announce their updates on both VersionTracker and MacUpdate.
    Happy Exploring.

  • Any security issues with My MSN or outlook bookmarks

    any security issues with My Msn and Outlook as bookmarks

    Your question is not quite clear, and no Mac can iOS, but anything and everything made by or for Microsoft carries a security risk.
    Which is why most sensible people run Apple OS X.

  • I updated some security issues and suddenly my gmail does not open. It shows 75% of the process and does not go on

    I updated automatically some security issues in my computer (I don't remember which) and now my gmail will start opening until it reaches 75% and it will not go on opening.
    I can open it in Internet Explorer but not in Mozilla fireworks

    Clear the cache and the cookies from sites that cause problems.
    "Clear the Cache":
    *Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
    "Remove Cookies" from sites causing problems:
    *Tools > Options > Privacy > Cookies: "Show Cookies"
    Start Firefox in Safe Mode to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.org/kb/Safe+Mode
    *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes

  • My account was deleted for security issues. I made a new account, but I can't synchronise my apps with this new account. I bought a new iPhone and would like to transfer the apps and music on this new one. Can somebody help me?

    My account was deleted for security issues. I made a new account, but I can't synchronise my apps with this new account. I bought a new iPhone and would like to transfer the apps and music on this new one. Can somebody help me?

    Why would you make a new account?  This will likely cause many problems.  Just get your old account enabled.
    Apple ID: "This Apple ID has been disabled for security reasons" alert appears
    Frequently Asked Questions About Apple ID
    Everything you purchased with the old account will always be tied to that account.  You will have to authorize the computer for that account and you will have to update the apps from that account.

  • Using latest version of fireFox to access Think Central, pages will not load and they say that this is a security issue with FireFox?

    Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
    Some have no problem accessing the lesson plans.
    Most when they login click on a lesson plan and an icon shows up that says loading but never does.
    If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
    Think Central support says this is a security issue with Firefox.
    I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
    I have allowed the pop ups to the think Central web site.
    Any help would be appreciated

    Are there any notification icons on the left end of the address bar? If so, please click them to see whether they are related to security issues (such as blocked content - shield icon: "How does content that isn't secure affect my safety?") or a plugin requiring permission (Lego-like icon).
    Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand.

  • HT1338 There is a lot of talk about the Java security issues and the ability to download a patch fix, do i need to do this or will software update pick this up for me?

    There is a lot of talk about the Java security issues and the ability to download an apple patch fix, do i need to do this or will software update pick this up for me?

    Thanks for that, how do I establish if I have Java installed as on Safari preferences it indicates the following
    Web content - Enable Java
                        - Enable JavaScript

  • When opening safari i get a message that says major security issue please contact apple immediately suspicious activity might have been detected. what is this and how do i get rid of it so i can use my internet?

    when opening safari i get a message that says major security issue please contact apple immediately suspicious activity might have been detected. what is this and how do i get rid of it so i can use my internet?

    A misleading and malicious popup. Launch Safari with the Shift key held down; if that doesn't work, temporarily disconnect the computer from the Internet.
    (121307)

  • About "kernel.exec-shield" and "because they will bring security issue" for linux ASE

    In the "ASE Quick Installation Guide for Linux", "kernel.exec-shield=0" and "kernel.randomize_va_space=0" should be set.
    But SuSE engineers say that "kernel.exec-shield=0" and "kernel.randomize_va_space=0" will bring an OS security issue.
    The customer wants to know why ASE needs the above parameters.
    Does anybody have an idea about the customer's question?

    If the parameters are not set as documented, attempts to start additional engines beyond the first one will fail, generating stack traces.
    ASE acts in many ways like its own operating system, scheduling individual user connections (spids) to actively run (note that ASE was developed well before native threading was commonly available).  Each spid has its own stack information that gets swapped in when it is set to "running" state on the engine and swapped out when it yields the engine.  The mechanics of this are not that different from the buffer overrun exploits described in the Red Hat document linked to by the install guide, http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
    and the exec-shield mechanics definitely interfere with ASE's operations when ASE is using multiple dataserver processes (engines) that swap spids around.
    -bret
