Security mechanism

Hi JHS team:
We are planning to use "Oracle Single Sign-On" with "programmatic Dynamic Role Based Authorization" as our security control mechanism.
The example in jhs_tutorial_3.pdf uses the Struts-UIX architecture and wraps the Jhsuser object through the ValidateLoginUser action,
so, corresponding to our architecture, if we use SSO what is the best practice for placing the code that wraps the Jhsuser object?

Ting Rung,
See my reply on your other post about getting the username in an entity object.
Steven Davelaar.
JHeadstart Team.

Similar Messages

  • Logon Triggers As A Security Mechanism

    I’d like to get people's opinions on an idea that's been proposed by my organization's architecture team.
    I work in a rapid development environment with an extensive database code base. A good amount of DDL, code compilation, and ad hoc DML occurs on a weekly basis.
    Currently, we do not share database passwords with anyone.  Our process is far from optimal and the passwords can, at times, land in the hands of developers; but, for the most part, we do our best to keep the passwords secure. We have 20+ databases with 100+ applications and 400+ developers.
    The proposed approach from the architecture team involves the sharing of database passwords with development teams, and the use of logon triggers as our security mechanism.  The logon trigger would allow the logon when it’s coming from an approved program/module & host, and would throw an error and block the logon for unapproved.
    What’s your opinion of this proposal?  Has anyone ever seen the approach before?  If so, was it successful?

    As others have pointed out, the proposal clearly decreases security.  The question is, though, is that the goal?  Is the trade-off of less security worth whatever it is you gain?
    You haven't told us anything about the problem you're trying to solve.  You've merely told us the solution that some other team proposed.  Without knowing what the problem is, it's hard to make any guesses about appropriate trade-offs, whether there are alternatives that haven't been discussed, etc.
    I've certainly seen situations where there were human bottlenecks in getting code changes applied to development environments that caused developers to do things like re-implement database functionality in the middle tier or overload a column just to avoid the hassle putting a request in to the DBA group to promote the PL/SQL change.  This sort of thing can quickly turn an application into an unmaintainable pile of spaghetti code.  If that's the problem you face today and you can't add additional human resources to relieve the promotion bottleneck, that may be a reasonable trade-off.
    By the same token, I've seen plenty of situations where developers had way too much power to accidentally screw up the shared environment by testing a script that inadvertently deleted a bunch of data or that otherwise broke everyone else's code.  That sort of environment can easily make the DBA group more of a bottleneck as now everyone is waiting on the DBA to restore a ton of data rather than to just run a script. 
    I've seen login triggers used to add security where the goal was to keep honest people from making an honest mistake. For example, I've used login triggers in situations where I wanted to prevent myself (or someone else) from inadvertently accessing the wrong environment accidentally. It's relatively easy to circumvent a login trigger, so the question becomes whether you are trying to deal with active attackers or human error. If you've got a database of sensitive financial information and you've spent oodles of time and effort to encrypt the data in prod and mask the data in the lower environments, using a login trigger will barely faze a developer from being able to log in and steal all the data you've stored. On the other hand, if you've got a database that doesn't have a lot of sensitive information and your lower environments already contain a complete copy of prod that gets refreshed without masking periodically, you may not be overly concerned that a rogue developer would want to access production to steal some data. That doesn't protect you from the rogue developer that wants to cripple the system out of revenge, of course, but that's likely to be less of a concern to different companies.
    As with all things, it's a matter of figuring out what problem you're trying to solve and figuring out what trade-offs you're willing to make.
    Justin
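    The kind of logon trigger the proposal describes, written out as an added example for this thread (it is not code from any of the posters). It admits a shared schema only from an approved (program, client IP) pair; the names app_logon_whitelist, app_logon_guard, APP_SCHEMA and the sample row are assumptions. The comments mark where Justin's "easy to circumvent" point bites: the program name is whatever the client library chooses to report, and DBAs are never blocked.

```sql
-- Added example, not code from the thread: an AFTER LOGON trigger that admits a shared
-- schema only from an approved (program, client IP) pair. Names and the sample row are
-- assumptions.
CREATE TABLE app_logon_whitelist (
  username VARCHAR2(128) NOT NULL,
  module   VARCHAR2(64)  NOT NULL,   -- SYS_CONTEXT('USERENV','MODULE'): chosen by the client library
  ip_addr  VARCHAR2(45)  NOT NULL    -- SYS_CONTEXT('USERENV','IP_ADDRESS'): taken from the connection
);
-- Constructed sample row: the deployment job on one build host may use APP_SCHEMA.
INSERT INTO app_logon_whitelist (username, module, ip_addr)
VALUES ('APP_SCHEMA', 'SQL*Plus', '10.20.30.40');
COMMIT;

CREATE OR REPLACE TRIGGER app_logon_guard
  AFTER LOGON ON DATABASE
DECLARE
  l_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_module VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'MODULE');
  l_ip     VARCHAR2(45)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  l_hits   PLS_INTEGER;
BEGIN
  -- Guard only accounts that appear in the whitelist; any other account is left alone,
  -- so a mistake in the list cannot lock out unrelated users.
  SELECT COUNT(*) INTO l_hits FROM app_logon_whitelist WHERE username = l_user;
  IF l_hits = 0 THEN
    RETURN;
  END IF;

  -- MODULE is self-reported: any client can present an approved value, so it only
  -- stops accidental logons. IP_ADDRESS comes from the socket and identifies a
  -- machine, still not a person. Local (bequeath) connections report no IP at all.
  SELECT COUNT(*) INTO l_hits
    FROM app_logon_whitelist
   WHERE username = l_user
     AND module   = l_module
     AND ip_addr  = l_ip;

  IF l_hits = 0 THEN
    -- Raising here rejects the session for ordinary users. Users holding
    -- ADMINISTER DATABASE TRIGGER still log on, so the control never applies to DBAs.
    RAISE_APPLICATION_ERROR(-20001,
      'Logon as ' || l_user || ' not permitted from '
      || NVL(l_module, '<no module>') || ' at ' || NVL(l_ip, '<no ip>'));
  END IF;
END;
/
```

    Because the shared password is still handed out, anyone who has it and can set the module string (SQL*Plus, an OCI client, or JDBC connection properties all allow that) and reach the database from an approved address gets in; the trigger only raises the bar for mistakes, not for a developer who wants in.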

  • Where is the portal30_sso plsql stored package security mechanism ?

    Hi All,
    I'm trying to make a new sign-on page through a PL/SQL stored package routine test.login, to be recorded in the wwsso_ls_configuration_info$ table and therefore to be called by the user's browser on each authentication (i.e. http://machine:port/pls/dbname_portal30_sso/test.login),
    but issuing this address causes a 404 page not found, meaning that there is some security repository somewhere in which I have to insert my own "test.login" procedure.
    In other words, I'm seeking the same mechanism as the FND_ENABLED_PLSQL table of the standard PL/SQL cartridge supplied with the eBusiness Suite, in the portal30_sso schema.
    Any help will be much appreciated,
    Gilad.

    Actually, you will get the same message if your package fails in execution. The login page package can in fact be in any schema, assuming that you are not accessing packages within your package to which the owner does not have rights. In effect, the login page takes the appropriate arguments, displays them, then posts the response to the login procedure.
    The "How do I customize my Sign-On/Off User Interface in Portal 9.0.2" technote on Portalcenter.oracle.com has a step by step discussion of the process in PL/SQL.

  • [BIACM0085] Error executing load plan after reverting from LDAP to original security mechanism in BIA 11.1.1.7.1

    We have tried to change authentication of BI Apps 11.1.1.7.1 to LDAP, but reverted this due to some other issues. Now we are back with standard authentication, and all functionality seems to work fine, except execution of a load plan.
    When we select (any) plan that was executed earlier, we get an error:
    [BIACM0085] Error executing load plan. Action: Correct the properties selected or entered and retry.
    [BIACM0080] Cause: Application error: MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood Action: Contact your help desk or system administrator.
    According to one of our WLS gurus there is a mismatch between consumer and provider of a web service with a security policy, but we cannot find any difference between a working and this failing environment.
    We already started a trace in WLS, but this does not help us further.
    Any hints on troubleshooting steps or even better resolution are more than welcome, as this is blocking a new full load and further tests.
    Tx,
    Luc

  • Web service security

    Hi
    My development environment is netbeans 6.9 and glassfish v2 server.
    I have developed my web service from a WSDL file and it is working fine over HTTP. I want to make this work over a secure HTTPS/SSL connection.
    I am following this tutorial
    http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security9.html#wp151774
    According to above article, i did following
    - right click on my web service
    - selected edit web service attributes
    - checked secure service check box
    - select Transport Security (SSL) as the security mechanism
    The tutorial shows that the WSIT configuration file is generated on this step under the WEB-INF folder. But in my case this is not happening.
    Could any one let me know what would be the issue here.
    Thanks
    Deepak

    hi
    Can anyone help with this...

  • Network Security IIS 7.5 FTP & Managed Firewall

    Hello
    The scenario is that we have an IIS 7.5 Windows 2008 R2 box ("IIS Box"), and on that box we want to configure a single FTP site.
    The FTP site will use the Basic Security option (no Anonymous access)
    The IIS Box sits behind a wholly-independent managed firewall appliance from a leading vendor. We trust the managed firewall and its configuration, and as such, Windows Firewall is completely disabled on the IIS Box. The managed firewall is configured to
    NAT 1-1 from private to public IP addresses.
    Ideally, I would have liked to have configured a policy on the managed firewall to allow all traffic through based on a specific source IP address, since the FTP clients to access the FTP site are well-known to us and we are not giving access to very many
    clients. Unfortunately this is not an option because the clients who are requesting access do not have static IP addresses.
    We also believe that establishing a Site-to-Site VPN and running the FTP within that, is not an option.
    What we are considering having to do, therefore, is to configure the managed firewall to allow FTP protocol through, regardless of the source IP address associated with the connection. i.e. Everyone can establish the connection, and we rely upon the Basic
    FTP security mechanism built in to IIS to protect us.
    I do not think this is ideal but it should be only a short term arrangement and we will ensure that the Physical Directory that can be accessed through the service leaves a reasonably narrow scope in terms of potential attack / abuse
    The question I have before I proceed with this, concerns the need for Passive FTP Data Channel ports.
    Clearly, to make this work, I will have to specify within the IIS settings, which ports to use. Let's say for example that I go for ports 10000-11000.
    Q1. My understanding is that I need to configure the managed firewall to permit INBOUND connections to the IIS box targeting ports 10000-11000, 20, and 21. Is that right?
    Q2. If I do, I then have a situation where my firewall is going to allow all connections through on those ports, and since this firewall is NOT application-aware, it won't care whether they are being used for FTP or anything else. It will simply let ALL
    connections through. At this point, what are the ramifications in terms of how IIS will respond? For example, is IIS FTP smart enough to realise that it should only permit connections that it has already arranged over the Control link (20/21)?
    Q3. If I specify in IIS admin that I want to use 10000-11000 for FTP - is IIS clever enough to PREVENT those ports being used by any other apps on the same IIS box? My concern here is, given that the managed firewall will definitely be letting ANYTHING through,
    what potentially happens if some other app or code starts listening on port 10500?
    I understand that whatever dynamic port range is configured on the server would generally be used for Outbound connections any way (source ports) but Still - I just would like any thoughts on the security ramifications of the configuration I am proposing.
    I don't feel entirely comfortable yet that I am not opening up a point of vulnerability.
    I am really looking for technical thoughts on the networking side of this, rather than (for example) general advice about "make sure you have Windows Updates installed" etc.
    thanks

    Hi Robert,
    I suggest you use the passive operational mode to achieve your goal.
    In this mode, the client initiates the data channel connection, then the server responds with the TCP port number to which the client should connect to establish the data channel. We can
    restrict the port range used by the FTP service, and then create a firewall rule that allows FTP traffic on only those allowed port numbers.
    How to Configure Windows Firewall for a Passive Mode FTP Server
    http://technet.microsoft.com/en-us/library/dd421710(v=WS.10).aspx
    Best Regards,
    Amy

  • Oracle Forms and Portal. & Portal Security

    I need the following questions answered for a client who is
    trying to move from IIS to Oracle Portal. any pointers would be
    extremely helpful
    1. How to configure Oracle Forms to run with Portal.
    2. Is it possible to display forms inside a Portlet? If so, will
    the forms hold the same state when the page is refreshed?
    3. Is it possible to display WORD/PDF/EXCEL documents in their
    native format inside a Portlet?
    4. Any information on how IIS security integration is possible
    with Portal, i.e. if there are ASP pages running on IIS
    security, how to integrate it with the Portal security mechanism.
    -Thanks
    ganesh

    You can create roles in Oracle with the appropriate privileges to access the application. For example,
    you could create a role that has only read access to all the tables in the database. You could assign this role to the menu. Also, you may want a role for a manager that would enable him to insert data or to see a few special forms. You could assign this role to the menu associated with the form.
    Using Form Builder, you can manage menu security with Oracle server roles. After defining the roles to use for a menu module, you could then specify the roles that have access to each menu item. When you set the 'Use Security' property of a menu module to 'Yes', the form enforces security. After setting the 'Use Security' property to 'Yes', you can use 'Module Roles' property to construct the entire list of roles with access to that menu module.
    I hope it helps.
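    The two roles described in the reply, written out as an added example (not code from the reply or from Oracle's Forms documentation). The schema name APP_OWNER, the table names orders and order_lines, and the users clerk1 and mgr1 are assumptions.

```sql
-- Added example, not code from the reply: a read-only role for the whole application
-- schema and a manager role that inherits it and adds write access on named tables.
-- APP_OWNER, the table names and the user names are assumptions.
CREATE ROLE app_readonly;
CREATE ROLE app_manager;

-- Grant SELECT on every table in the application schema to the read-only role, so the
-- menu module's Module Roles list can name one role instead of per-table grants.
-- ENQUOTE_NAME quotes each name, so a table created with a mixed-case name still works.
BEGIN
  FOR t IN (SELECT table_name FROM all_tables WHERE owner = 'APP_OWNER') LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT ON app_owner.'
      || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE)
      || ' TO app_readonly';
  END LOOP;
END;
/

-- The manager role inherits read access and adds write access on specific tables only,
-- rather than INSERT ANY TABLE or a grant on the whole schema.
GRANT app_readonly TO app_manager;
GRANT INSERT, UPDATE ON app_owner.orders      TO app_manager;
GRANT INSERT, UPDATE ON app_owner.order_lines TO app_manager;

GRANT app_readonly TO clerk1;
GRANT app_manager  TO mgr1;

-- What the form sees at runtime once the menu module's Use Security property is Yes:
-- the roles enabled in the session decide which menu items are shown. Run as the user.
SELECT role FROM session_roles ORDER BY role;
```

    Roles granted to a user are enabled by default; if a role is later made a non-default role (ALTER USER ... DEFAULT ROLE), it no longer appears in SESSION_ROLES until SET ROLE is issued, and the menu items it unlocks disappear with it, which is worth checking when a menu item "vanishes" for one user.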

  • J2EE Security

    Hi! I'm starting developing my first j2ee application and i'm using weblogic server 6.1 as a j2ee application server.
    My application will consist in jsp pages in the presentation tier and enterprise java beans in the business tier.
    I would like to know how to implement security in my application.
    Should I use the security provided by WebLogic, or is it better to implement a security system using, for example, sessions?
    Best Regards
    Joao Seixas.

    You should follow the security mechanism provided by J2EE.
    This will mean that your application is portable across containers.
    You can find a good tutorial at the following location:
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html

  • How to use JAZN as a security provider

    Hello,
    I've got a J2EE application (ADF) which uses JAZN as the security mechanism. We're using BI Publisher in conjunction with this J2EE application.
    How can we reuse the JAZN mechanism within BI Publisher?
    Thanks in advance,
    Regards Leon Smiers


  • What does IPSEC mean under Security - AAA - Radius - Authentication

    I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
    On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
    The default value is unchecked."
    What exactly is meant by IP security mechanism?
    Does this mean that I can terminate VPN client over my WLC?
    Take note that this options appeared even though no crypto card installed in my controller.

    This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well can't buy it new, but if you had one already...you get the idea.
    HTH,
    Steve

  • What kind of WS-Security does EID 2.3 support?

    Does it depend on the Apache CXF? Thanks

    The only security mechanism for the Endeca Server (powered by Jetty) is SSL. Please see chapter 12 here: http://docs.oracle.com/cd/E29805_01/server.230/AdminGuide.pdf
    HTH,
    Dan
    http://branchbird.com

  • Security for value based hierarchy + OLAP

    Hi,
    I am using row-level security mechanism described here: http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/
    It works well for level based hierarchies... but is there a way to apply it to value based OLAP hierarchy in OBIEE 11.1.1.6?
    My case is:
    - I have parent-child value based hierarchy representing management structure with various depth.
    - of course facts are always linked to leaf members of hierarchy
    - I need to apply security at different levels. E.g. an office manager should have access to one or multiple offices' information (basically all employees he currently manages plus his previous office before he was moved)
    - In report I display presentation hierarchy that starts at country level and then manager drill to his offices
    - At country level, manager should see a measure aggregate only for his offices (not whole country)
    In relational database there is no problem:
    - I follow rittman blog
    - create session variable that store list of all leaf members of hierarchy (employees) managed by manager
    - with OBIEE "Manage"->"Identity" I apply filter on fact table and get right measure aggregates at all levels of hierarchy
    Issue for OLAP:
    - with OBIEE "Manage"->"Identity" I apply filter on OLAP value based hierarchy
    - in case of filter "MY_BMM"."Org Str"."Org Str Key" = VALUEOF(NQ_SESSION."LEAFS_LIST") -> when the manager includes the hierarchy column in the report there are no results, because the hierarchy starts at country level and he has no access to country data
    - to work around it I tried: "MY_BMM"."Org Str"."Org Str Key" = VALUEOF(NQ_SESSION."LEAFS_LIST_AND_ALL_ANCESTORS") -> the manager can see all aggregates at country level because he has access to country, and OLAP just uses the country level aggregate
    - IsDescendant("MY_BMM"."Org Str" , VALUEOF(NQ_SESSION."OFFICE_ID")) will work only for a single office as we cannot use row-wise variables here
    One solution I can imagine is to create an additional level-based dimension that has only 2 levels: "All"->"Org Str Leaf". Then apply the filter on this "artificial" dimension. It is not a perfect solution to duplicate dimensions only for security purposes... that's why I ask you for advice if you know a better way?
    Regards,
    mudi

    Here is an example of how to set security in OBIEE 11.1.1.5 (or future versions) against Oracle OLAP dimensions.
    *(1). Create the Oracle OLAP Hierarchy Descendant View against Value-based hierarchy*
    These views return a row for each ancestor-descendant relationship in the hierarchy. As you can see how easy it is.
    CREATE OR REPLACE VIEW DEPT_DESCENDANTS
    AS
    SELECT 'DEPT' "DIMENSION", 'DEPTHIER' "HIER", ancestor, descendant
    FROM TABLE(OLAP_TABLE('BAWOLAP.BNSOLAP DURATION QUERY', null,
         'LIMIT DEPT_HIERLIST TO ''DEPTHIER''',   -- quotes inside the string literal are doubled
         'DMNS DESCENDANT AS VARCHAR2(60) FROM DEPT
          DMNS GID_VAL AS NUMBER FROM ___AW_GID_DIMENSION
          MSR ANCESTOR AS VARCHAR2(60) FROM DEPT_FAMILYRELVAL'))
    WHERE ancestor IS NOT NULL;
    *(2). Create the User ACL Tables and Populate with Data*
    Create an Access Control list test table by user and Dept. Later this will be populated with production data.
    create table user_dept_acls (
      username varchar2(30),
      dept     varchar2(60)
    );
    insert into user_dept_acls(username, dept) values ('user1', 'GWM');
    insert into user_dept_acls(username, dept) values ('user1', 'GT');
    insert into user_dept_acls(username, dept) values ('user1', 'SC');
    insert into user_dept_acls(username, dept) values ('user2', 'GWM');
    insert into user_dept_acls(username, dept) values ('user2', 'GT');
    insert into user_dept_acls(username, dept) values ('user3', 'SC');
    commit;
    *(3). Create an Init Block Connection Pool*
    Oracle BI EE requires a separate Connect Pool for Init blocks. It does not allow the default query connection pool to be reused for init blocks. So, we need to create a new init block.
    *(4). Create the ACL Session Variables*
    These session variables hold the list of all members that the user may access.
    Example Session Variable: DEPT_ACL
    Init Block: "Init DEPT_ACL"
    SQL:
    -- the second column is the dept column of user_dept_acls created in step (2)
    select 'DEPT_ACL', dept from user_dept_acls where username = ':USER'
    union all
    select 'DEPT_ACL', descendant
    from dept_descendants
    where ancestor in (select dept from user_dept_acls where username = ':USER')
    union all
    select 'DEPT_ACL', ancestor
    from dept_descendants
    where descendant in (select dept from user_dept_acls where username = ':USER')
    The first query block of the init block SQL just selects the members explicitly entered into the ACL table. The second block selects all the descendants of those members from the descendants view. The third block selects all the ancestors to ensure that the user has access to all the members in the drill path starting from the root member.
    Make sure that row-wise initialization is checked in the Variable Target section of the init block.
    *(5). Add the Data Filters*
    In our test case we assigned the data filters to the BIAuthor role, but the filters should be added to whatever role makes the most sense.
    Data filter on "BNSGL"."Department":
    "BNSGL"."Department"."Dept" = VALUEOF(NQ_SESSION."DEPT_ACL")
    *(6). Log in as a Normal User and Query the Hierarchy*
    The user can only see the members to which they are granted access in the ACL table plus all ancestors and descendants of those members.
    Drill down to the bottom of the hierarchy.
    *(7). Look at the Query Log*
    In the nqquery.log we see that the session variable is expanded into an IN list in the physical SQL query. The BI Server breaks the IN list into two IN lists to avoid the Oracle SQL limit of 1,000 items per IN list.
    Edited by: Nasar Ali-Khan on Jul 2, 2012 8:14 AM
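    The same ACL expansion as steps (1) to (4) above, built on a plain relational parent-child table instead of an OLAP_TABLE view, as an added example for mudi's value-based hierarchy question (this is not code from Nasar's post or from Oracle). It shows that the descendants view is just the transitive closure of the parent-child relation, which CONNECT BY produces without a START WITH clause. The tables dept_tree and dept_descendants_rel, the sample hierarchy and the ACL rows are constructed assumptions; user_dept_acls matches the shape used in step (2).

```sql
-- Added example, not code from the post: ACL expansion over a relational parent-child
-- hierarchy. dept_tree, dept_descendants_rel and all sample rows are constructed.
CREATE TABLE dept_tree (
  dept        VARCHAR2(60) PRIMARY KEY,
  parent_dept VARCHAR2(60) REFERENCES dept_tree (dept)
);
-- Constructed sample hierarchy of uneven depth: TOTAL -> CA -> {GWM, GT}, TOTAL -> US -> SC
INSERT INTO dept_tree VALUES ('TOTAL', NULL);
INSERT INTO dept_tree VALUES ('CA',    'TOTAL');
INSERT INTO dept_tree VALUES ('US',    'TOTAL');
INSERT INTO dept_tree VALUES ('GWM',   'CA');
INSERT INTO dept_tree VALUES ('GT',    'CA');
INSERT INTO dept_tree VALUES ('SC',    'US');

CREATE TABLE user_dept_acls (
  username VARCHAR2(30),
  dept     VARCHAR2(60)
);
-- user1 manages all of CA, user3 manages only the SC office
INSERT INTO user_dept_acls VALUES ('user1', 'CA');
INSERT INTO user_dept_acls VALUES ('user3', 'SC');
COMMIT;

-- One row per (ancestor, descendant) pair at any distance, self-pairs excluded.
-- Without START WITH every row is a root, so CONNECT_BY_ROOT yields the full closure.
CREATE OR REPLACE VIEW dept_descendants_rel AS
SELECT CONNECT_BY_ROOT dept AS ancestor,
       dept               AS descendant
  FROM dept_tree
 WHERE LEVEL > 1
CONNECT BY PRIOR dept = parent_dept;

-- Init block SQL for a row-wise session variable DEPT_ACL; OBIEE substitutes ':USER'.
-- To test in SQL*Plus, replace ':USER' with a literal such as 'user1'.
SELECT 'DEPT_ACL' AS var_name, dept AS member
  FROM user_dept_acls
 WHERE username = ':USER'
UNION
SELECT 'DEPT_ACL', d.descendant
  FROM dept_descendants_rel d
 WHERE d.ancestor IN (SELECT dept FROM user_dept_acls WHERE username = ':USER')
UNION
SELECT 'DEPT_ACL', d.ancestor
  FROM dept_descendants_rel d
 WHERE d.descendant IN (SELECT dept FROM user_dept_acls WHERE username = ':USER');
-- user1 (granted CA) gets CA, GWM, GT and the drill-path ancestor TOTAL; never US or SC.
-- user3 (granted SC) gets SC, US and TOTAL.
```

    UNION rather than UNION ALL is used so that a dept granted explicitly and also reachable as a descendant appears once in the IN list. The ancestor rows only make the drill path visible; whether an ancestor's total is partial or complete depends on where the filter is applied, exactly as mudi observed: against a relational fact table, filter the fact on the leaf members (the first two branches only) and the country row aggregates just the permitted offices, whereas a filter on an OLAP dimension member returns that member's stored aggregate as-is.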

  • Securing Web Services with Access Manager

    Hello All
    I have installed the java_app_platform_sdk-5_04-windows.exe that comes with Access Manager 7.1.
    I want to secure a web service, so I have created a web application (with NetBeans 6) with a web service inside. I have also created a web client application that calls the web service. The providers are configured in the server and I have enabled the SOAP security.
    When I use anonymous authentication everything works fine, but if I use any other security method the following exception arises:
    [#|2008-04-29T09:41:07.343+0200|SEVERE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=1a997eb3-6287-41f4-a540-0b9c86841683;|AMServerAuthModule.validateRequest: Failed in Securing the Request.|#]
    [#|2008-04-29T09:41:07.375+0200|WARNING|sun-appserver9.1|javax.enterprise.system.stream.err|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=1a997eb3-6287-41f4-a540-0b9c86841683;|java.lang.reflect.InvocationTargetException
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule.validateRequest(AMServerAuthModule.java:173)
         at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
         at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:168)
         at com.sun.enterprise.webservice.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:129)
         at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
         at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
         at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
         at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
         at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
         at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
         at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
         at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
         at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
         at com.sun.enterprise.webservice.JAXWSServlet.doPost(JAXWSServlet.java:159)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
         at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:290)
         at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
         at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
         at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
         at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
         at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
         at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
         at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
         at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
         at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
         at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
         at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
    Caused by: com.sun.identity.wss.security.SecurityException: Unsupported security mechanism.
         at com.sun.identity.wss.security.handler.SOAPRequestHandler.validateRequest(SOAPRequestHandler.java:232)
         ... 46 more
    |#]
    [#|2008-04-29T09:41:07.390+0200|SEVERE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=1a997eb3-6287-41f4-a540-0b9c86841683;|SEC2002: Container-auth: wss: Error validating request
    com.sun.enterprise.security.jauth.AuthException: Validating Request failed
         at com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule.validateRequest(AMServerAuthModule.java:188)
         at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1179)
         at com.sun.enterprise.webservice.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:168)
         at com.sun.enterprise.webservice.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:129)
         at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
         at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
         at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
         at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
         at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
         at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
         at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
         at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
         at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
         at com.sun.enterprise.webservice.JAXWSServlet.doPost(JAXWSServlet.java:159)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
         at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:290)
         at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
         at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
         at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
         at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
         at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
         at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
         at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
         at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
         at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
         at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
         at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
    Caused by: java.lang.reflect.InvocationTargetException
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule.validateRequest(AMServerAuthModule.java:173)
         ... 41 more
    Caused by: com.sun.identity.wss.security.SecurityException: Unsupported security mechanism.
         at com.sun.identity.wss.security.handler.SOAPRequestHandler.validateRequest(SOAPRequestHandler.java:232)
         ... 46 more
    |#]
    It says something about the security mechanism not being supported. But I don't know why. Any idea?
    Thank you

    Hello again,
    I am not using SSL. I am using the UsernameToken or the saml-voucer mechanism and it happens in both. But with the anonymous mechanism it doesn't happen.
    ...

  • Mutual Certificate Security in Web Services

    Hi all,
    I need some help about mutual certificates in glassfish on netbeans 6.8. I already imported my self-signed certificates for server and client in the truststore cacert.jks and created private keys for each of them in the keystore.jks. The next thing I did was to use the Security Mechanism: Mutual Certificate Security to enable the usage of my self-signed certificates..... So far so good... Here comes the problem: I looked into Wireshark and I saw the transaction of my self-signed certificates between client and server, but now I want to print out the extension (like uri=http://xxx) from the client certificate on the server side.
    This is my serverside source code :
    package org.me.calculator;

    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.util.Collection;
    import java.util.List;
    import javax.annotation.security.RolesAllowed;
    import javax.jws.WebMethod;
    import javax.jws.WebParam;
    import javax.jws.WebService;
    import javax.servlet.http.*;

    /**
     * @author User
     */
    @WebService()
    public class CalculatorWS {

        /**
         * Web service operation
         */
        @WebMethod(operationName = "add", action = "add")
        public int add(@WebParam(name = "i") int i, @WebParam(name = "j") int j) {
            int k = i + j;
            return k;
        }

        @WebMethod(operationName = "Extensionthrower", action = "Extensionthrower")
        @RolesAllowed("users")
        public String Extensionthrower() {
            HttpServletResponseWrapper response = null;
            String clientcert = response.getResponse().toString();
            if (!clientcert.isEmpty()) {
                try {
                    // parse the certificate text into an X509Certificate
                    InputStream inStream = new ByteArrayInputStream(clientcert.getBytes());
                    final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                    final X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(inStream);
                    // read the SubjectAltName extension; only a single entry is handled
                    Collection altNames = cert.getSubjectAlternativeNames();
                    if (altNames.size() > 1) {
                        throw new Exception("Unable to handle multiple SubjectAltName.");
                    }
                    List item = (List) altNames.iterator().next();
                    Integer type = (Integer) item.get(0);
                    Object value = item.get(1);
                    String result = null;
                    switch (type.intValue()) {
                        case 0: throw new Exception("SubjectAltName of type OtherName not supported.");
                        case 1: result = "rfc822Name=" + (String) value;
                                break;
                        case 2: result = "dNSName=" + (String) value;
                                break;
                        case 3: throw new Exception("SubjectAltName of type x400Address not supported.");
                        case 4: throw new Exception("SubjectAltName of type directoryName not supported.");
                        case 5: throw new Exception("SubjectAltName of type ediPartyName not supported.");
                        case 6: result = "uri=" + (String) value;
                                break;
                        case 7: result = "ipaddress=" + (String) value;
                                break;
                        default: throw new Exception("SubjectAltName of unknown type.");
                    }
                    return result;
                } catch (Exception e) {
                    System.out.println("" + e);
                }
            }
            return null;
        }
    }
    When my client sends a request to the server, I get the following message:
    Servlet ClientServlet at /SecureCalculatorClientApp
    Successfully authenticated!
    Result: 2 + 2 = 4. Extension: null
    The right Extension it has to print out is, i.e.: Extension: http://polizei
    I just used the Debug mode and when it gets to line: "final X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(inStream);" it throws an Exception....Can anyone help me out? Is something with the input "inStream" wrong?
    Many thanks in advance

    Yes, the server has to load/receive the client cert and compare it with the certs in the truststore.
    Every cert that you generate has to be imported in the truststore, and because every cert that you use has an
    alias, it is easier to look for the right cert.
    If I use @RolesAllowed("users") the credentials are stored in the sun-web.xml, like this:
    <security-role-mapping>
        <role-name>users</role-name>
        <principal-name>CN=..., OU=......</principal-name>
    </security-role-mapping>
    In the sun-web.xml you define the credentials, now you have to use them for authentication purposes and this is done in the web.xml.
    Wishing best luck
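As an added example (not the poster's code and not from Metro or GlassFish), this endpoint reads the already-verified client certificate from the runtime instead of parsing it out of a response object, and labels every SubjectAltName entry rather than failing on more than one. It assumes the Metro/WSIT class com.sun.xml.wss.SubjectAccessor with a getRequesterSubject(WebServiceContext) method, that the container populates the standard javax.servlet.request.X509Certificate attribute only when TLS client authentication was used, and the class and operation names are made up.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;
import com.sun.xml.wss.SubjectAccessor; // Metro/WSIT runtime class (assumed, see lead-in)
@WebService()
public class ClientCertInfoWS {
    @Resource
    private WebServiceContext wsContext; // injected by the JAX-WS runtime for each request
    // GeneralName type labels, indexed as X509Certificate.getSubjectAlternativeNames() numbers them
    private static final String[] SAN_TYPE = {"otherName", "rfc822Name", "dNSName", "x400Address",
        "directoryName", "ediPartyName", "uri", "ipaddress", "registeredID"};
    @WebMethod(operationName = "clientSubjectAltNames")
    public List<String> clientSubjectAltNames() throws CertificateParsingException {
        X509Certificate cert = null;
        try { // message-level X.509 security (Metro "Mutual Certificates Security"): the verified
              // signing certificate is a public credential of the authenticated requester Subject
            Subject subj = SubjectAccessor.getRequesterSubject(wsContext);
            if (subj != null) {
                Set<X509Certificate> creds = subj.getPublicCredentials(X509Certificate.class);
                if (!creds.isEmpty()) cert = creds.iterator().next();
            }
        } catch (Exception e) { /* no message-level Subject; fall through to the TLS case */ }
        if (cert == null) { // transport-level TLS client auth: the container stores the verified chain here
            HttpServletRequest req = (HttpServletRequest) wsContext.getMessageContext().get(MessageContext.SERVLET_REQUEST);
            X509Certificate[] chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            if (chain != null && chain.length > 0) cert = chain[0]; // chain[0] is the client (end-entity) cert
        }
        return cert == null ? new ArrayList<String>() : subjectAltNames(cert);
    }
    // Returns every SAN entry as "type=value" instead of failing when there is more than one
    static List<String> subjectAltNames(X509Certificate cert) throws CertificateParsingException {
        List<String> out = new ArrayList<String>();
        Collection<List<?>> names = cert.getSubjectAlternativeNames(); // null if no SAN extension
        if (names == null) return out;
        for (List<?> entry : names) {
            Object value = entry.get(1); // String for rfc822/dNS/uri/ip/registeredID, byte[] otherwise
            out.add(SAN_TYPE[(Integer) entry.get(0)] + "=" + (value instanceof String ? value : "<DER>"));
        }
        return out;
    }
}
```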

  • Weblogic security & EJB role based access

    How does (or not) weblogic security tie into the EJB notion of role-based
    control? Can we create a 'custom' security mechanism for EJB (which
    basically uses the EJB facilities but extends it within the application) by
    using custom weblogic realms?
    Thanks
    Raju

    Thanks!
    "Terry" <[email protected]> wrote in message
    news:[email protected]...
    comments inline
    r <[email protected]> wrote in message
    news:[email protected]...
    >>
    Here are some more specific questions around an 'example' scenario:
    The application has an entity bean 'Account' that can be accessed by the
    roles 'Bank Employee' and 'Customer'
    'Bank Employee' can execute the 'getBalance()' and 'placeOnHold()'
    methods on the 'Account' bean
    'Customer' can execute the 'withdraw()', 'deposit()', and 'getBalance()'
    methods on the 'Account' bean
    These permissions are set up through the deployment descriptor by mapping
    the 'Bank Employee' and 'Customer' roles to the particular bean methods
    that the role should be given access to.
    1. How does weblogic provide the facility to map the EJB deployment
    descriptor <security-role> to a particular weblogic principal (user or group)?
    Or, should I say, how do I map the user or group to a
    deployment-descriptor defined role?
    In the deployment tool, once in the jar select the 'Security' item, create
    an application role (in your case it is probably best to create 2 security
    roles - the bank employee role referring to the bank employee group (use the
    'in role' checkboxes), and the customer role referring to the customer group -
    there may at some point be use for an allUsers role, which includes both
    groups, maybe not. What I am saying is that a role is made of one or more
    Principals - in our case groups)
    In the Account Bean select the method permissions item, and create a method
    permission perm-0, select the perm-0 item that has just popped up in the
    left hand window, tick the box for placeOnHold(), and the boxes for <remote>
    and <home> one level deeper than this in the tree (as an aside, I have
    absolutely no idea why there would be a 'home' box here, ho hum). Select the
    'bank employee' 'can invoke' tickbox
    Create perm-1, and do what you did above for 'withdraw()' and 'deposit()'
    methods, and the 'customer' tickbox
    I believe the documents say you would have to set up another permission to
    allow both groups access to the getBalance method, but in practice I haven't
    found this the case.
    The documentation for this is at
    http://www.weblogic.com/docs51/classdocs/API_ejb/EJB_deploy.html#1102211
    (or search for 'Deploying EJBs with DeployerTool')
    2. Are there any administrative tools provided by weblogic to do this
    mapping?
    The deployer tool. Otherwise I think it's the case of writing your own xml
    files
    3. How much effort & complexity is involved in creating a custom realm
    Hmmm, depends - you could have the RDBMSRealm that is provided in 'examples'
    in half an hour or so (there is a problem with one of the RDBMSUser's
    methods - getUserType or something like that - the solution can be found in
    the newsgroups if you search), the same is probably true of the LDAPRealm,
    NTRealm etc (although I have never used these).
    Which one you choose depends on what equipment you have available, although
    I would say that the RDBMSRealm can use a lot of optimisation
    Thanks,
    Welcome
    Raju
    "Terry" <[email protected]> wrote in message
    news:[email protected]...
    The Principals (i.e. groups and users) from your custom realm are used to
    define application roles for the EJBs, but, as far as I am aware you cannot
    use a custom implementation for the ACLs for EJBs
    terry
    r <[email protected]> wrote in message
    news:[email protected]...
    How does (or not) weblogic security tie into the EJB notion of role-based
    control? Can we create a 'custom' security mechanism for EJB (which
    basically uses the EJB facilities but extends it within the application)
    by using custom weblogic realms?
    Thanks
    Raju
