Security Issue - LDAP Authentication and supply of empty passwords
Security Issue with OC4J and JAZN LDAP Realm
Product Versions:
OC4J 9.0.3
Infrastructure 9.0.2.1
When using form-based authentication or basic authentication in a WebApp, OC4J authenticates any existing user that has a password defined when an empty password is supplied.
Example: if you have a user with the username "user" and password "password", and in the login of the WebApp you supply only the username, OC4J authenticates the user.
Notes:
- If we supply a wrong password we are not authenticated
- If we supply the correct password we are authenticated.
To reproduce the problem, I have used the Oracle callerInfo jazdemo, configured to use the JAZN LDAP Realm named sample_subrealm, which is installed with the 9iAS infrastructure.
Notes: If I use JAZN XML Realm everything works as expected.
Bruno Antunes
Java Software Engineer
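The behaviour Bruno describes, as an added example (not code from the original post or from OC4J/JAZN): a simulated LDAP simple bind following RFC 4513, where an empty password is an unauthenticated bind that the directory answers with success, beside a login routine that treats any bind success as authentication and a hardened one that refuses empty credentials and checks the bound identity. The directory contents, DN layout and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed in-memory stand-in for the LDAP realm: DN -> password.
DIRECTORY = {
    "cn=user,cn=users,dc=example,dc=com": "password",
}
USER_DN_TEMPLATE = "cn={username},cn=users,dc=example,dc=com"


@dataclass
class BindResult:
    success: bool
    authz_dn: str  # DN the session is bound as; "" means anonymous


def simple_bind(dn: str, password: str) -> BindResult:
    """Simulated LDAP simple bind with RFC 4513 section 5.1 semantics.

    A name with an empty password is an *unauthenticated* bind: a directory
    that allows it returns success (resultCode 0), but the session is
    anonymous, not the named user. Servers can be configured to refuse it,
    yet accepting it has been the default on many directories.
    """
    if password == "":
        # Anonymous (empty name) or unauthenticated (name, no credentials).
        return BindResult(success=True, authz_dn="")
    if DIRECTORY.get(dn) == password:
        return BindResult(success=True, authz_dn=dn)
    return BindResult(success=False, authz_dn="")  # invalidCredentials


def login_vulnerable(username: str, password: str) -> bool:
    """Pattern consistent with the symptom: 'bind succeeded' == 'authenticated'.

    With an empty password the bind succeeds anonymously, so the user is
    logged in with only a username, exactly as reported above.
    """
    dn = USER_DN_TEMPLATE.format(username=username)
    return simple_bind(dn, password).success


def login_hardened(username: str, password: str) -> bool:
    """Never send an unauthenticated bind, and require that the directory
    actually bound the session as the DN we asked for."""
    if not username or not password:
        return False  # empty credentials are rejected before any bind
    dn = USER_DN_TEMPLATE.format(username=username)
    result = simple_bind(dn, password)
    return result.success and result.authz_dn == dn


if __name__ == "__main__":
    for pw in ("", "wrong", "password"):
        print(f"password={pw!r:12} vulnerable={login_vulnerable('user', pw)!s:5}"
              f" hardened={login_hardened('user', pw)}")
```
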
Jeremy - You'd have to use database authentication to achieve that. Create a DAD without specifying a username/password and change the app's current authentication scheme to DATABASE. Then users can login using their database account credentials. LDAP won't be used when you do this so you'll have to keep the database account passwords in sync with LDAP somehow if that's important.
Scott
Similar Messages
-
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as the External Identity Source. Also I applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After ISE reboots, authentication and authorization start to work properly for several hours.
I don't understand: is it a glitch, or have I misconfigured ISE, the switch or the supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end
Yes. Tried that (several times), didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their Gmail accounts. Kept getting an error message that username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
I cannot seem to get anyone to help me because I have asked this same question more than 6 or 7 times. Does Firefox handle all the security issues like phishing and viruses, worms from attaching to my computer?
This question is a duplicate of https://support.mozilla.com/en-US/questions/884618
-
Integrated LDAP authentication and now BAM start page is very slow to load
Hi, all~
I have a fresh install of BAM 10.1.3.3 with the 10.1.3.4 patch applied.
I've reviewed the BAM installation guide and LDAP integration tech note, and have been able to successfully integrate BAM with our LDAP, where "successful" means that I'm able to provide my own LDAP credentials and log in to BAM.
However, the BAM start screen now consistently takes somewhere on the order of 1-2 minutes to load... so I guess I'm wondering if there's a common cause for this sort of error?
Any suggestions of things to check would be appreciated.
Thanks,
- Nathan
For whatever it's worth, the solution in our case was to decouple BAM (10g) from LDAP.
User administration becomes a slightly more manual process in this case, but the BAM pages load almost instantly for users now, whereas before for some users it would take as much as 10 minutes for a page to load following their logging in.
Another benefit from LDAP decoupling is that IIS is able to do Windows integrated login for users, meaning that the users don't need to provide a login and password any longer.
The one "gotcha" that was encountered had to do with IIS realms and creating JDeveloper connections to the BAM server following the decoupling. From our testing, under IIS -> Web Sites -> Default Web Site -> Properties -> Directory Security (tab) -> "Authentication and access control" Edit button, the following needs to be specified:
Check only "Integrated Windows login" and "Basic authentication"
Specify a "Default domain" by pressing the Select button and choosing an appropriate domain
From there, in your JDeveloper BAM connection, be sure to include the selected domain in your connection properties.
- Nathan -
SSRS (Security) issues in Firefox and Chrome
In both browsers the layout is a mess to start with.
Biggest problem in both cases is: the DetailView button is visible even if you're not admin.
So when people click this they are able to see/modify data sources and see hidden directories and such. I haven't checked if they can really change anything, but it seems to me that it's not what we want. If you are not admin you shouldn't see the DetailView button at all.
One other thing that doesn't work in Chrome: the report itself. You can fill in parameters, but the report itself won't show up. But that's a minor problem.
The security issue with the DetailView option available for everyone would be a major problem, I'd say.
Which version of Reporting Services are you running?
Check this article on MSDN about browser compatibility of SSRS: Planning for Reporting Services and Power View Browser Support
SSRS works best on Internet Explorer. If you use other browsers, something may not be displayed correctly. -
How to reactivate an old Apple ID that has some security issues? I can't access the Yahoo account that was used to create that Apple ID because it was already recycled by Yahoo.
So when I restore my iPad 2, it is asking me for my old Apple ID that is no longer working.
ANY HELP PLEASE
Hi marcpople,
If you have had an Apple ID disabled due to a security issue, you may find the following articles helpful:
Apple ID: 'This Apple ID has been disabled for security reasons' alert appears
http://support.apple.com/kb/ts2446
Apple ID: If you forget your password
http://support.apple.com/kb/ht5787
Regards,
- Brenden -
LDAP Authenticator and Password Digest
Hi All,
I am implementing proxy services using OSB 11g. The security requirement is to enforce authentication using password digest. Users & passwords are stored in a central external LDAP server.
OSB supports password digest in SOAP messages, but all the documentation suggests enabling the password digest flag in the Default Authenticator. When I configure the external LDAP server in the security realm it does not provide any option to enable Password Digest.
Is it possible to have passwordDigest-based authentication against an external LDAP server?
If yes, can someone please suggest how it's done?
Thanks!
Got the answer
Out of the box, Password Digest is only supported with the DefaultAuthenticator. For PasswordDigest authentication with external LDAP, custom authenticators need to be developed and used. -
Security issue! Airport and Keychain
Hi;
I purchased my MacMini in Canada.
About 2 weeks after being back in the UK I noticed two fairly serious problems that were not occurring before. Each time I restart the following happens:
1) My 'Interference Robustness' is switched off (although I always turn it on).
2) My 'Keychain' is always unlocked (although I always lock it).
I have tested this several times and each time the same thing happens!
I have also noticed today, and yesterday, that when using Safari in Yahoo, when I click on 'In Box' a new window appears sometimes. This appears over the old window. Today I noticed that some e-mails I had not read were opened while I was using the top window. I never set Yahoo or Safari to do this. I have tried re-setting Safari and emptying the cache. This worked yesterday but today the problem seems to re-occur no matter what I do. It does not happen 100% of the time though, which has me even more worried.
Sounds like I may have a serious security problem here.
Can ANYONE help, please???
Cheers
I have contacted Apple regarding this problem. After about 2hrs(!) on the phone they explained that the only way to resolve this is to do an 'Archive and install'. This was about a week ago - still waiting on the promised e-mail on how to 'Archive and install'. Is it just me or does Apple service seem to be a lot worse since their recent success (I started with an LCII)? Love Apple, but they should be a bit more loyal to those who remained loyal through the 80's and 90's!
Cheers.
Mac Mini Mac OS X (10.3.9) Special Edition -
SECURITY ISSUE! Userid and password for email stored as raw text in dump file!
If you have set up email notifications, the dump for the ix2, possibly others as well, lists your email address, username, and password in readable text in the \procs\ps.out file. This is a blatant security violation and needs to be fixed immediately!
Interesting...I have not been able to duplicate the issue. I have reconfigured email notifications multiple times and collected a dump and do not see the info in the ps.out log. However, it was in the very first dump I collected off of the ix2. Here is a screenshot of what was in there...I have of course blacked out secure info.
It's possible that the smtpsend process was hung and that's why it showed up in this log. I also tried to duplicate this by unchecking/checking the send email notification box and clicking apply multiple times while a dump was being generated. I no longer see what I saw before... I suppose it was a fluke, but this really should be looked into. -
Security issue: parameters username and password in the jbo:ApplicationModule
Hello,
In the <jbo:ApplicationModule> tag, you can give parameters for username and password; then the .jsp connects to the DB via the username/password. Alternatively, you can provide this within the <Module>.properties file.
Now the question: Isn't this a security hole? I mean, is it under all circumstances impossible, that the source-code can be delivered by the web-server or that the byte-code from the servlet (compiled from .jsp) can be "restringed"?
Are there other ways to protect the credentials for accessing the ORACLE DB?
Michael
Hi John,
thank you very much. You wrote:
BC4J provides a number of mechanisms for specifying the DB username and password that do not require
the password to be stored in a JSP page. By default, in 9.0.2, the DB password is stored in
a BC4J configuration (persisted in a bc4j.xcfg file), which should be secured at the customer site.
I've forgotten to mention our environment is SuSE 7.2, DB 8.1.7.3, iAS 1.0.2.2, Portal 3.0.9.8.
For simplicity we would like to use the first method via bc4j.xcfg, but our bc4j.xcfg looks as follows:
<quote>
<BC4JConfig>
<AppModuleConfigBag>
<AppModuleConfig name="OPKv1ModuleLocal">
<ApplicationName>de.condor.OPKv1.OPKv1Module</ApplicationName>
<DeployPlatform>LOCAL</DeployPlatform>
<JDBCName>WEBAPP_NETx</JDBCName>
<jbo.project>de.condor.OPKv1.opkv1PRJ</jbo.project>
</AppModuleConfig>
</AppModuleConfigBag>
</BC4JConfig>
</quote>
So the question is, where to leave schema/password?
JDeveloper should have also generated a connection description in the same file named WEBAPP_NET. This
named connection should contain the relevant elements. It is not recommended that you edit this file directly. The
configuration editor and/or the connection editor should be used instead.
Hope this helps.
JR -
Question about security issues regarding 'cp' and 'mv'
Ok, I wondered about how 'cp' and 'mv' really work. I have some guesses but I need these things to be confirmed.
Here is what I have:
A partition with a unix file system, say ext2 or 3 (does this make a difference here?) containing *very* sensitive data. The filesystem is encrypted (whirlpool/serpent) but that shouldn't matter. As I do not want corpses of dead files lying around that could be recovered, I always use 'shred -zu' with 26 passes to overwrite and then delete the data.
And that's where I have my concerns:
If I want to rename a file or move it to another folder on the same partition, is it safe to 'mv' it? Or should I 'cp' it and then 'shred' the original file? I assume that 'mv' will not touch the actual file and just tells the file system its new name or place in the folder structure. Given that, shredding a 'mv'ed file should not leave a trace of it on the drive (except for the old filename before the 'mv', maybe, but that wouldn't be too critical). I assume that because it's the only thing that would make sense to me, but I have to know it for sure!
However, on moving the file to another drive I should probably 'cp' it, then 'shred' the original file. The question I have here is as follows:
How much information that could be recovered does 'cp'ing leave in my RAM? Will I have to find a way to somehow shred the information in RAM, or can I assume that my RAM gets rewritten often enough that most traces will be gone in, say, a couple of days?
If you have links at hand to confirm your answer, please post them, too.
Okay, thanks for that, I will have a closer look at flushing the RAM.
Sure, I care about security and privacy, but -- as you might expect -- the data I have are not really THAT sensitive/confidential/whatsoever. I've just gotten into it somehow and now I'm just curious/interested in improving it for its own sake, more or less. -
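A check for the assumption in the thread above, as an added example (not code from the original post): Python's os.rename is the same rename(2) call mv uses for a same-filesystem move, so comparing inode numbers before and after shows whether the file's data was rewritten, while the copy case shows the second inode that a cp (or a cross-device mv, which falls back to copy-then-unlink) creates. File names and sample content are constructed.

```python
import os
import shutil
import tempfile

SAMPLE = b"constructed sample data, not real secrets\n"


def _write_sample(path: str) -> None:
    with open(path, "wb") as f:
        f.write(SAMPLE)


def rename_keeps_inode() -> bool:
    """mv within one filesystem is rename(2): the inode and its data blocks
    are untouched; only the directory entry (the old name) is released.
    Returns True when the inode number survives the rename."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "secret.txt")
        dst = os.path.join(d, "renamed.txt")
        _write_sample(src)
        before = os.stat(src).st_ino
        os.rename(src, dst)  # what mv does for a same-device move
        after = os.stat(dst).st_ino
        return before == after and not os.path.exists(src)


def copy_makes_new_inode() -> bool:
    """cp allocates a second inode with its own blocks, and the original
    keeps its blocks until something overwrites or releases them. This is
    also what shutil.move does when rename fails across devices (EXDEV):
    copy, then unlink the source. Returns True when the two files have
    distinct inodes but identical content."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "secret.txt")
        dst = os.path.join(d, "copy.txt")
        _write_sample(src)
        shutil.copy2(src, dst)
        with open(dst, "rb") as f:
            same_content = f.read() == SAMPLE
        distinct = os.stat(src).st_ino != os.stat(dst).st_ino
        return same_content and distinct and os.path.exists(src)


if __name__ == "__main__":
    print("same-fs mv keeps inode:", rename_keeps_inode())
    print("cp creates new inode:  ", copy_makes_new_inode())
```
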
Security Issues with Win7 and CS4
In CS4, When I try to save a file to which I have made a change, I get the message:
"Could not save N.....(title) because the file is locked. Use the Properties command in Windows Explorer to unlock the file"
Really? I have tens of thousands of files for which, if I want to add a layer and save, I have to go back to Bridge, locate the file in Explorer, click Properties and change "All Users" to full control.
That's obscene!
When I get there, "Everyone" is highlighted and given only read and read/execute permissions, on the Security tab. The file isn't locked AFAIK The "Read" box is blank. I can change permissions, but it's good for only this one file, and when looking at Security settings globally, "Everyone" isn't listed.
I need to find a global way around this, and I cannot find it. I am logged on as Admin, and I know there is another layer of Admin. Can that be invoked globally, and how? Is this the right way or is there another? Is it a Photoshop problem or OS problem?
Thanks!
That's where I looked, but that's not the right place.
Nothing like noodling a paradox like the Russell "Set of All Sets" to get you going!
I went back to XP to see what happens there. No problem. BUT, I did see a commonality (the paradox breaker looms!) Both the "Edit" folder and "N" drive are shared on the network.
I broke the connection and now it works fine.
If you go to a particular folder or drive in Win7 and click "Share", the first line in the menu that opens says "Nobody"!!
Need I say more?
Thanks, Charlie. You did help. -
Strange issue with imap and a blank empty sent messages folder
So here is a weird one. I got a new computer last week, a Mac mini Core Duo. Set everything up, synced my .Mac and it set up Mail. I have been using Mail; I try to view Sent Messages for one of my IMAP accounts, which should have 10,200 messages in it. I see nothing. On rebuild mailbox it goes blank. Some messages I send are stored until I rebuild the mailbox and it again is empty. On my other Macs (PowerBook 12" and dual G4) I am still able to view and manipulate this same account's Sent Messages. On webmail everything still works as well. While trying to copy old messages down to the PowerBook to archive them I noticed that it was very slow, and messages which were not cached already caused the Copy to fail. I am using Courier IMAP with Maildirs and Postfix on FreeBSD as a server.
my IMAP server uses INBOX as its root.. hence that folder only contains...
INBOX.imapmbox
INBOX
However one level down in INBOX I have...
DeSmit.imapmbox
HealthCareSource HR.imapmbox
SimTech.imapmbox
Lange International.imapmbox
Sandhill Photography.imapmbox
Sales People.imapmbox
Hosting.imapmbox
Marwan.imapmbox
Lucidics.imapmbox
Jeorgea Beck.imapmbox
Web Marketing.imapmbox
Sent.imapmbox
SEBA.imapmbox
Merchant Accounts.imapmbox
The Hired Pens.imapmbox
Kuhl Therapy.imapmbox
Keen Films.imapmbox
PeopleVision.imapmbox
Competition.imapmbox
East Street Woodworking.imapmbox
Cambium Learning.imapmbox
Legal.imapmbox
LFCG.imapmbox
Mailing Lists.imapmbox
Drafts.imapmbox
Ipswitch.imapmbox
Prism Scienceworks.imapmbox
Printers.imapmbox
Mindspark7.imapmbox
Air Media.imapmbox
Demios.imapmbox
Cabem.imapmbox
LexiPixel.imapmbox
Apple.imapmbox
Regent Theatre.imapmbox
Proun Design.imapmbox
Prospects.imapmbox
Goodwin PR.imapmbox
Xplana.imapmbox
Competitive Analysis.imapmbox
Banimon.imapmbox
Zaid.imapmbox
Stay In Touch.imapmbox
Junk.imapmbox
UI Research.imapmbox
Faxes.imapmbox
Dewey Nichols.imapmbox
StrideRite.imapmbox
Future Works.imapmbox
Franklin Cafe.imapmbox
Epsilon.imapmbox
CitySoft.imapmbox
Bearak.imapmbox
Pridgeon Design.imapmbox
BDS.imapmbox
Highland MBP.imapmbox
Create TV.imapmbox
Crystal Clean.imapmbox
Longs Jewelers.imapmbox
Lollipop.imapmbox
AFT.imapmbox
Wholen.imapmbox
Peppercoin.imapmbox
RocketShop.imapmbox
Rocket North.imapmbox
Barrister Books.imapmbox
Venture Capital Fund of NE.imapmbox
bodygard.imapmbox
Blakely Project.imapmbox
Comm Promo.imapmbox
Judith Aronson.imapmbox
Vendors.imapmbox
Trash.imapmbox
Accounts.imapmbox
Agena.imapmbox
Manifesto.imapmbox
Portfolios.imapmbox
Progressive Roofing.imapmbox
Process & Deliverables.imapmbox
Advertising.imapmbox
Chris Zikakis.imapmbox
Mojo Marketing.imapmbox
Lauer Learning.imapmbox
NOME.imapmbox
Nantucket Kneepants.imapmbox
NEMO.imapmbox
Nickelsen Partners.imapmbox
Essential.imapmbox
Lawler Kang.imapmbox
Accounting.imapmbox
Compuworks.imapmbox
Inside of Sent.imapmbox we have...
Messages
Info.plist
And inside of Messages are the 2 messages I sent today after testing another rebuild command...
29601.emlx
29193.emlx -
Security issues, System hangs and screen sharing listed in my logs
Should I be worried about this?
I cannot even force quit any application when my system hangs; basically every app is unresponsive, and I can only force restart my MBP.
5/22/09 7:31:02 PM com.apple.launchd[1] (com.apple.ScreenSharing.server[414]) Exited: Terminated
5/22/09 7:32:57 PM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[630]) Exited: Terminated
5/22/09 7:32:57 PM com.apple.launchd[1] (com.apple.ScreenSharing.server[629]) Exited: Terminated
5/22/09 8:52:02 PM com.apple.launchd[1] (0x10d460.mdworker[436]) Exited with exit code: 1
5/22/09 10:05:11 PM com.apple.launchd[1] (0x10d460.mdworker[1709]) Exited with exit code: 1
5/22/09 11:00:09 PM com.apple.launchd[1] (0x10d460.mdworker[2656]) Exited with exit code: 1
5/22/09 11:32:41 PM com.apple.launchd[1] (0x10d460.mdworker[3368]) Exited with exit code: 1
5/22/09 11:39:06 PM com.apple.launchd[1] (com.apple.ScreenSharing.server) Throttling respawn: Will start in 3 seconds
Yes, but shouldn't I know when someone wants to share my screen?
-
Security issues with applets and windows Vista when printing to file
Hi, everyone
I am currently developing an application that prints out the result of some calculations.
From a JavaScript file, the output finally ends up in a Java applet that should print the file on a special printer.
For debugging purposes I have created a file printer that creates a file from the output coming to the printer; this way I can debug what commands the printer is receiving.
This worked well on Windows XP; Vista always asks for permissions for the applet, and although I grant these permissions, the printer is not allowed to create the output file and reports an error writing.
After a little research, I have found that Java applets have all permissions when certified as trusted applications; all but file-creation permissions.
Does anyone have any idea how I could fix this problem?
Thanks in advance
Hi,
Have you actually signed your applet? If the signer's certificate is in the trusted key store for Java it should treat your applet as trusted. You can use a self-signed certificate for testing as long as the cert is in the trusted key store.
Some links that might help:
[http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html]
[http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/rsa_signing.html]
Cheers,
Shane