Security issue: parameters username and password in the jbo:ApplicationModule

Hello,
in the <jbo:ApplicationModule> tag, you can give parameters for username and password. Then the .jsp connects to the DB via the username/password. Alternatively, you can provide this within the <Module>.properties file.
Now the question: Isn't this a security hole? I mean, is it under all circumstances impossible, that the source-code can be delivered by the web-server or that the byte-code from the servlet (compiled from .jsp) can be "restringed"?
Are there other ways to protect the credentials for accessing the ORACLE DB?
Michael

Hi John
Thank you very much. You wrote:
"BC4J provides a number of mechanisms for specifying the DB username and password that do not require the password to be stored in a JSP page. By default, in 9.0.2, the DB password is stored in a BC4J configuration (persisted in a bc4j.xcfg file), which should be secured at the customer site."
I've forgotten to mention our environment is SuSE7.2, DB 8.1.7.3, iAS 1.0.2.2, Portal 3.0.9.8.
For simplicity we would like to use the first method via bc4j.xcfg, but our bc4j.xcfg looks as follows:
<quote>
<BC4JConfig>
<AppModuleConfigBag>
<AppModuleConfig name="OPKv1ModuleLocal">
<ApplicationName>de.condor.OPKv1.OPKv1Module</ApplicationName>
<DeployPlatform>LOCAL</DeployPlatform>
<JDBCName>WEBAPP_NETx</JDBCName>
<jbo.project>de.condor.OPKv1.opkv1PRJ</jbo.project>
</AppModuleConfig>
</AppModuleConfigBag>
</BC4JConfig>
</quote>
So the question is, where to leave schema/password?

JDeveloper should have also generated a connection description in the same file named WEBAPP_NET. This named connection should contain the relevant elements. It is not recommended that you edit this file directly. The configuration editor and/or the connection editor should be used instead.
Hope this helps.
JR
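
As an added example (not part of the thread and not Oracle's code), a small audit script for the concern raised above: it flags JSP files whose `<jbo:ApplicationModule>` tag carries literal `username`/`password` attributes, and `bc4j.xcfg` or `.properties` files that every local user can read. The sample tree, file modes and attribute values are constructed, and the function names are hypothetical.

```python
import os
import re
import stat

# A <jbo:ApplicationModule ...> tag; quoted values may contain '>' (e.g. <%= ... %>).
TAG_RE = re.compile(r"""<jbo:ApplicationModule\b(?:[^>"']|"[^"]*"|'[^']*')*>""", re.I)
# username= / password= attributes inside that tag.
ATTR_RE = re.compile(r"""\b(username|password)\s*=\s*(["'])(.*?)\2""", re.I | re.S)

def audit_webapp(root):
    """Return sorted (relative_path, finding) pairs; credential values are never echoed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower.endswith(".jsp"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                for tag in TAG_RE.findall(text):
                    for attr, _quote, value in ATTR_RE.findall(tag):
                        # JSP expressions are resolved at run time; report literals only.
                        if value and not value.lstrip().startswith("<%"):
                            findings.append((rel, f"literal {attr.lower()} in tag"))
            elif lower == "bc4j.xcfg" or lower.endswith(".properties"):
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & stat.S_IROTH:
                    findings.append((rel, f"world-readable (mode {mode:o})"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample tree (all names and values are made up)."""
    samples = {
        "login.jsp": ('<jbo:ApplicationModule id="am"\n'
                      '  username="scott" password="example-only" />', 0o644),
        "list.jsp": ('<jbo:ApplicationModule id="am" username="<%= u %>" />', 0o644),
        "WEB-INF/classes/bc4j.xcfg": ("<BC4JConfig/>", 0o644),
        "WEB-INF/classes/OPKv1Module.properties": ("# constructed\n", 0o600),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in audit_webapp(tmp):
            print(f"{rel}: {finding}")
```

Run `audit_webapp` against the deployed web application directory; any finding on a JSP means the credentials ship with the page source and its compiled servlet.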

Similar Messages

  • Calling A Secured webservice using Username and password in the Soap header

    I want to call a secured webservice.
    The Username and password should be sent with the payload in the SOAP Header
    as
    <wsse:Security S:mustunderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="SecurityToken-XXXXXXXXXXXXXXXXXXXXXXXXX" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>uname</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    Can you please send me the steps?
    I tried with giving the username and password under Service Account.
    I tried to create a wspolicy under business service. But nothing works...
    Please help me at the earliest.
    Also please give me steps in sequence.

    Now I made sure that the endpoint is available!
    Now I am getting this error:
    <soapenv:Fault>
    <faultcode>soapenv:Server</faultcode>
    <faultstring>BEA-380002: localhost1</faultstring>
    <detail>
    <con:fault xmlns:con="http://www.bea.com/wli/sb/context">
    <con:errorCode>BEA-380002</con:errorCode>
    <con:reason>localhost1</con:reason>
    <con:location>
    <con:node>RouteNode1</con:node>
    <con:path>request-pipeline</con:path>
    </con:location>
    </con:fault>
    </detail>
    </soapenv:Fault>
    Also in the invocation trace i can observe the following things:
    Under Invocation Trace:-
    ========================
         Receiving request =====> Initial Message context
         ===============================================
         under added header:-
         ==================
         <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
         </soap:Header>
         under RouteNode1
    ================
         Route to "TargetMyService_BS"
    $header (request):-
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    </soap:Header>
    Under Message Context changes:-
    ===============================
    I can find this element also:-
    <con:security>
    <con:doOutboundWss>false</con:doOutboundWss>
    </con:security>
    Even though we enabled WS-Security, how can the above tag be false?
    I think it's failing to populate the header with the required login credentials.
    The other doubt i have is:-
    =================
    I have chosen the service account type is static...is this right?

  • In some pages I keep receiving this message: "The proxy moz-proxy://172.20.5.250:8080 is requesting a username and password. The site says: "moz-proxy://172.20.5.250:8080"".

    In my company, I used FF for sometime now.
    I had some problem in the beginning, but using the proxy IP and Domain\Username + Password I was able to navigate.
    Ever since I tried FF4.x and FF5.x... I started to receive the following message:
    The proxy moz-proxy://172.20.5.250:8080 is requesting a username and password. The site says: "moz-proxy://172.20.5.250:8080"
    Even after inserting the Domain\Username and the Password I keep receiving the same error. In FF3.xx I was able to use the proxy.
    Don't know what to do any more there are several pages that have this problem.
    http://pplware.sapo.pt/
    http://www.facebook.com
    http://www.netbooklive.com/
    http://daxspeculator.blogspot.com/
    Some... don't have any problem:
    http://batracer.com
    http://www.youtube.com
    Even when I try to see the extensions I get this error. This is so weird!!!
    For now... I have switched to Chrome, every new version of FF that is released I try it to see if the problem is gone. But, with no luck until now! :(

    I did have this problem with proxy moz-proxy prompt for username and password. In my case it was for websites hosted not on the internet but on the local corporate intranet. I solved my problem by doing the following action:
    Tools -> Options -> Advanced -> Network -> Settings: add the local website to the "No Proxy For:" field.
    I hope this will help some of you out there that have manually configured their proxy settings. Also a tip if you need to turn on and off proxy settings I recommend using "Quick Proxy" add-on.

  • How to pass username and password with the portal url

    I want to access portal from my web site. I have created username and password fields in my web page. When submitted, my portal page should open. So how to pass username and password with the portal url?

    This is not straightforward; but it is doable.
    First tell us about your portal version; portal 10.1.4 has a slightly different method of doing it and the pre-10g portals were completely different animals.
    And if you are in AS Rel 2, then the most important document for you would probably be the following:
    Creating Deployment Specific Pages: http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14078/custom.htm#i1015535
    You might want to use it in conjunction with some metalink notes about your portal version and such a login page.
    hope that helps!
    AMN

  • TS1702 How do change the old Apple ID username and password to the updated username and password for the apps store?

    How do you change the old Apple ID username and password to the updated username and password in order to get updated apps from the app store?

    cbkitche wrote:
    How do you change the old Apple ID username and password to the updated username and password in order to get updated apps from the app store?
    Do you mean you kept the same account but you only updated your AppleID?
    Just log out and log back in with new ID.
    Note that the AppleID is embedded into the item at purchase and cannot be changed.
    However, when you change your AppleID, it will link the old account name to the new account name so you will not have any problems updating apps using the new AppleID.

  • Forgot username and password from the email iCloud chozhe not know forgot. purchase the product, all documents have. What to do?

    forgot username and password from the email iCloud chozhe not know forgot. purchase the product, all documents have. What to do?

    If you don't know your ID, you can try to find it as explained here: http://support.apple.com/kb/HT5625.  If you don’t know your password you can reset the password as explained here: http://support.apple.com/kb/PH2617.

  • This is how I am supposed to contact to have my annual creative cloud membership refunded?  I cancelled immediately upon seeing the charge and followed the instructions given and wound up here.  Am I supposed to share my username and password with the for

    This is how I am supposed to contact to have my annual creative cloud membership refunded?  I cancelled immediately upon seeing the charge and followed the instructions given and wound up here.  Am I supposed to share my username and password with the forum?  Adobe, I am about to go social with my frustrations!

    No, this is a public forum, as in user-to-user, so you should not share any private information here.  You will need to contact Adobe Support by chat or phone, which is apparently getting harder and harder to do.  Use the link below and choose the Still Need Help? option at the bottom in the blue area - in the section that opens take your pick of chat or phone.
    Contact Customer Care

  • I am not able to send mails through Yahoo APP. It gives me an error msg: "the sender address has been rejected by the server". I tried adding username and password in the SMTP server settings, but those options are greyed out.

    I am not able to send mails through Yahoo APP. It gives me an error msg: "the sender address has been rejected by the server".
    I tried adding username and password in the SMTP server settings, but those options are greyed out.
    So, I am not able to enter anything in fields under SMTP server settings.

    You probably have changing settings disabled in Restrictions.

  • Need help resetting or changing my admin username and password without the installation disc

    I accidentally clicked on the check box that is located in system preferences in accounts that says "Allow user to administer this computer" and unchecked it. So the account that I set up the user name and password to is not the administer anymore and I don't know what account is. So now every time I want to make changes to anything and click on the lock button it will not accept my username and password. So how do I reset my username and password for the administer without the installation disc and without losing any files or folders????
    Message was edited by: ashkonnor8808

    Those changes require an installation DVD. However, see:
    Forgot Your Account Password
    For Snow Leopard and earlier with installer DVD
         Mac OS X 10.6- If you forget your administrator password
    For Snow Leopard and earlier without installer DVD
        How to reset your Mac OS X password without an installer disc | MacYourself

  • How do i change proxy settings so it doesnt keep asking me "authentication req. The proxy web2.ucsd.edu is requesting a username and password. The site says: ucsd Squid Proxy-cache"?

    I changed my proxy setting to access a restricted school website. I don't know how to change it back to normal settings! Every time I'm browsing internet, Authentication Required windows pop up like 4-7 times a day! Randomly! It says "the proxy web2.ucsd.edu:3128 is requesting a username and password. The site says: UCSD Squid proxy-cache" and makes me put in username and password every time. Sooo annoying. How do I make the setting go back to default??

    1. Open firefox
    2. Go to "Tools" tab
    3. Go to "Options"
    4. Click on "Advanced"
    5. Open "Network" tab
    6. Click on "Settings"
    7. Select "No Proxy"
    8. Click "OK"

  • I have updated my username and password, but the system keeps asking for my password for an old email for which I have no password.. How can I fix this?

    I have updated my username and password, but the system keeps asking for my password for an old email for which I have no password.. How can I fix this?

    Are you signed into this old ID ("email") in System Preferences>iCloud, System Preferences>Internet Accounts (Mail,Contacts,Calendars), or in Mail>Accounts, Calendar>Accounts or Contacts>Accounts?

  • How do I add a SITE, USERNAME, and PASSWORD to the list in - Tools/Options/Security/Saved Passwords ?

    How do I force Firefox to remember and use my username and password for a site ?

    1. Tools -> Options -> Security - tick "remember passwords"
    2. Log in to a website
    You should be asked to save the user name and password upon login.

  • SECURITY ISSUE! Userid and password for email stored as raw text in dump file!

    If you have set up email notifications, the dump for the ix2, possibly others as well, lists your email address, username, and password in readable text in the \procs\ps.out file.  This is a blatant security violation and needs to be fixed immediately!

    Interesting...I have not been able to duplicate the issue.  I have reconfigured email notifications multiple times and collected a dump and do not see the info in the ps.out log.  However, it was in the very first dump I collected off of the ix2.  Here is a screenshot of what was in there...I have of course blacked out secure info.
    It's possible that the smtpsend process was hung and that's why it showed up in this log.  I also tried to duplicate this by unchecking/checking the send email notification box and clicking apply multiple times while a dump was being generated.  I no longer see what I saw before...I suppose it was a fluke, but this really should be looked into.

  • I'm trying to access a forum that requires a user name and password.  When I do it on my mac it tells me the password is incorrect but when I do it on my iPad, I can access it without any problem.  I can confirm the username and password are the same

    I am trying to access a forum for which you need a username and password but it keeps telling me the username/password i've entered are incorrect.  Bizarrely, when I enter the same username/password combination on my iPad, it grants access without any problem. 
    What could be causing this, is it an issue with cookies, caches or similar.  How can I resolve it?  The forum administrator is at a loss as to what the problem is.

    Try the following steps in Safari to see if they help:
    1) First try clearing the Safari cache.  To do this pull down the Safari menu and select 'Empty cache...', then try logging into the site again.
    2) If the issue continues then reset Safari by pulling down the Safari menu and selecting 'Reset Safari...'. You will be presented with a list of items that can be reset. I suggest selecting the 'Reset saved names and passwords', and 'Remove all website data' options at a minimum.
    Here is a list of the options and what they do. I pulled it from the Safari help page.
    Clear history:
    Clears the list of webpages you viewed.
    Reset Top Sites:
    Clears any changes you made to Top Sites, such as adding or pinning sites. If you also clear your history, your Top Sites page reverts to showing the webpage previews displayed when you first installed Safari.
    Remove all webpage preview images:
    Clears any thumbnail images Safari saved of webpages you viewed.
    Clear the Downloads window:
    Clears the list of files you downloaded from websites. Only the names are removed; the files themselves are still on your disk until you remove them.
    Remove all website icons:
    Removes website icons, which are small graphics that help identify sites on the Internet. You see them in the Safari address field and bookmarks list, and other places. These icons are stored on your computer.
    Remove saved names and passwords:
    Removes user names and passwords that Safari automatically fills in at websites that require them (if the AutoFill feature is turned on).
    Remove other AutoFill form text:
    Removes some personal information, such as telephone numbers, that Safari uses to automatically fill in forms on webpages (if the AutoFill feature is turned on). Removing AutoFill information does not remove information from your address book.
    Close all Safari windows:
    If you don’t close all Safari windows, someone could use the Back and Forward buttons to view the webpages you visited.
    Reset all location warnings:
    Clears any information websites saved about your location.
    Remove all website data:
    Removes cookies, tracking information, and other data that websites stored on your computer.

  • Windows Security asking for username and password to access college intranet.

    I'm trying to access my college intranet from home and I get a dialog box called "windows security". It asks for a username and password. I've never set up a username or password. I've been onto internet setting>security and enabled "automatic logon with current username and password", this did not work. Please help, I really need to get onto the site!

    trying to access my college intranet from home
    Contact your college network support.  The syntax for specifying your authentication may be different than you usually use when you are just connecting there locally.
    Robert Aldwinckle
