Security of AppV 5 application

Hi,
Seeing AppV slowly moving from an isolation solution to a more integration / distribution solution, I was wondering whether our approach of "what is in a bubble doesn't have to be updated because it's isolated" is still sound. We have a number of sequences with, for example, old Java distributions. At this moment we don't update those versions.
What are your thoughts on this?
John

Do you mean from a securities standpoint? If so, code running is code running. Even though App-V 4 was more isolated, if there is a vulnerability, etc., I don't believe you are much more secure (if any) having the app in App-V.
If you are talking just app compatibility, personally, if apps are working I would leave well enough alone.
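
To act on the question above, the first step is knowing which sequences actually carry a Java runtime and how old it is. The following is an added example, not code from the thread or from Microsoft; it assumes the App-V 5 client's AppvClient module, an elevated session, the default package-store layout, and a hypothetical `$Baseline` version that you would set yourself.

```powershell
# Added example: inventory java.exe binaries bundled inside App-V 5 packages.
# Assumed layout: <PackageInstallationRoot>\<PackageId>\<VersionId>\Root
Import-Module AppvClient

function Get-AppvBundledJava {
    [CmdletBinding()]
    param(
        # Hypothetical baseline: the oldest Java file version you still accept.
        [version]$Baseline = '8.0.0.0'
    )

    # The configured store root may contain environment variables (e.g. %programdata%\App-V).
    $rawRoot   = (Get-AppvClientConfiguration -Name PackageInstallationRoot).Value
    $storeRoot = [Environment]::ExpandEnvironmentVariables($rawRoot)

    foreach ($pkg in Get-AppvClientPackage -All) {
        $pkgRoot = Join-Path $storeRoot "$($pkg.PackageId)\$($pkg.VersionId)\Root"
        if (-not (Test-Path -LiteralPath $pkgRoot)) { continue }  # package not in the local store

        Get-ChildItem -LiteralPath $pkgRoot -Recurse -Filter 'java.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                $javaVersion = $null
                # Files that are not fully streamed yet may expose no version resource.
                if ($vi.FileVersion) {
                    $javaVersion = New-Object System.Version(
                        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                }
                $below = $null
                if ($javaVersion) { $below = ($javaVersion -lt $Baseline) }

                New-Object psobject -Property @{
                    Package         = $pkg.Name
                    PackageVersion  = $pkg.Version
                    PercentLoaded   = $pkg.PercentLoaded
                    JavaPath        = $_.FullName
                    JavaFileVersion = $javaVersion
                    BelowBaseline   = $below
                }
            }
    }
}

# Report every bundled runtime, oldest first; a null version means "could not be read".
Get-AppvBundledJava |
    Sort-Object JavaFileVersion |
    Format-Table Package, PackageVersion, JavaFileVersion, BelowBaseline, PercentLoaded -AutoSize
```

Rows with `BelowBaseline` set to True are the sequences to resequence first; rows with an empty version need a manual look once the package is fully loaded.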

Similar Messages

  • How to share security context between different application ?

    Hi all,
    I have two applications(ADF faces + BC, JDev 10.1.3.1) deployed into OAS 10.1.3.1.
    The two applications are :
    1) SalesApp -> main menu page = SalesMenu.jspx
    2) ReportApp -> main menu page = ReportMenu.jspx
    I want implement security using CustomLogin.
    The question is :
    How can I share security context between the applications ?
    What I mean is, from SalesMenu.jspx there is one menu item to jump into ReportMenu.jspx, and I want user no need to Login again, Login is once and the user is recognized in the two apps. How to achieve that ?
    Thank you for your help,
    xtanto

    Xtanto,
    actually you can't if these are separate J2EE application deployments. The session is not shared and thus the authentication is lost. I heard that OracleAs is planning to implement a feature that allows you to share the session and thus a context between two J2EE deployments. I am not 100 % sure this is the case and will check with OC4J Product Management
    Frank

  • What about security in adf faces application ?

    It seems that the documentation has changed a little bit about security for ADF Faces applications.
    The SRDemo J2EE sample application only implemented security at the web container and maybe for the session beans (don't remember) by using security-role and security-constraint in the web.xml configuration file.
    It seems that the documentation now recommends implementing ADF security, and we didn't find the reference to the standard J2EE security implementation anymore.
    We also found that the security constraints checked by the web container were sometimes ignored and the container didn't ask us to log in before displaying a page.
    Is ADF security a clear Oracle recommendation for ADF Faces applications?
    What about J2EE security for this type of application (why is it not recommended to use it)?

    Hi,
    there is no single recommendation about security because security ideally is applied on several levels to implement security in depth. Container managed security with J2EE is a good option to secure page access and - if using EJB - to propagate the user identity for method level access control.
    Using ADF Security, which is security added to the binding layer based on JAAS, a second layer of the security onion becomes available that allows you to define which user is allowed to perform which operation on an iterator or attribute binding. This goes beyond what container managed security can do for you.
    The third layer is business layer security and eventually database security.
    For Oracle Open World we will have a development track, and one of the presentations I am giving with Ric Smith from our team is about end-to-end application security for ADF Faces, ADF, ADF BC or TopLink/EJB and the Oracle database.
    The plan is to also write this up in a paper, but this would come late because of other priorities I have on my plate. So attending OOW probably is the best option for you to get the big picture.
    Frank

  • How can I open and fill out a Secured Adobe PDF job application?

    How can I open and fill out a Secured Adobe PDF job application?

    Hi margueritew68053277,
    You should be able to fill that out using the free Adobe Reader, or Adobe Fill & Sign.
    Best,
    Sara

  • Security Evaluation of Oracle Application Server

    Are there any published documents on security evaluation of Oracle Application Server?
    Is it secure as a tool against some attacks, for example, are following vulnerabilities when applicable to the server dealt with or should be handled by application? :
    failure to restrict url access,
    broken authentication and session management
    insecure cryptographic storage,
    injection flaws
    failure to restrict directory browsing
    Are there available document that we can refer to on these issues?
    Regards
    Farbod

    Thank you again.
    Can you advise on this part of my message also?
    "Also I see in oracle recommended architectures that there is a firewall between each http server and application server. Does the built in OHS in OAS provide the firewall? or I need to install another firewall?"
    I am going to explain it but I think it is completely inconsistent with the thread title which I got some of my answers in, so let me start a new thread here:
    Application Server Recommended Deployment Architectures, How to?
    Thanks for your useful inputs.
    Best Regards,
    Farbod

  • Portal Security with existing JSP Applications

    Hello,
    we have some existing JSP applications and want to include them in our portal. They are currently running on iAS as standalone applications. But we also want to protect them using portal security.
    How is it possible to use Portal Security for those JSP applications?
    Regards,
    Frank

    Hello,
    currently I don't need to include them as portlets.
    I included the first Page as jsp Report... because of that, this jsp is secured. But my application has more jsps.
    Probably I could set an sessionvariable in the first protected jsp and check it in all other jsps. If this sessionvar is not existing, the user is not allowed to see this application.
    Currently I have no other idea.
    Regards,
    Frank

  • Using SAML secured webservice in ADF Application

    I am looking for some tutorial/docs to use SAML secured webservice in ADF application. In my adf application, I am using the webservices using WebProxy and WebServiceDataControls.
    Any pointers in this direction will be helpful.
    Thanks,
    Rajdeep

    Take a look at the following blog posts - which provides some information regarding the SAML security in ADF
    http://biemond.blogspot.com/2009/05/sso-with-saml-adf-security.html
    http://biemond.blogspot.com/2009/05/sso-with-weblogic-103-and-saml.html
    Thanks,
    Navaneeth

  • OS X NTP Security Update my Mail Application has changed

    Since the most recent OS X NTP Security Update my Mail Application has been acting differently. I no longer see the Tool Bar at the top or the Dock at the bottom unless I hover over those areas. Is there a setting I need to change?

    Glad to help.
    For further information on full screen mode, Search Full Screen in Help

  • Security For BW Web Application Designer

    I work for ChevronTexaco as a BW Security Analyst. I have a request to set up roles for web template creation using the Web Application Designer. Where can I get help in setting up the security for these types of roles? My experience is in setting up roles for running and creating queries in BEX. I need to know what additional authorizations will enable web template creation. Setting up a trace in ST01 has been less than helpful since it dumps out tons of RS_COMP tracing that doesn't help me much.
    The user wants to be able to create web templates for existing queries in BEX and restrict by rs_comp infocubes/areas/reportid, etc. and to be able to save to restricted role names. Are there new auth groups specific to this type of activity that I need to code for in addition to the basic end user or report builder authorizations?
    Any help would be greatly appreciated.
    Jeff Ehritt
    925 827-6012
    ChevronTexaco

    Hi Jeff,
    there are no special authorization objects for Web Templates. RS_COMP will still only work for queries, structures.... Saving to roles requires certain authorizations for the role (s_agr_*), here you can define the roles you can save templates to.
    Regards, Klaus

  • Security in an jsp application using BIBeans

    Hi all,
    We are developing a system with BIB to access OLAP 9.2.0.5. We need to implement some access rules at database level, i.e. user 1 can read levels 1, 2 and 3 of a hierarchical dimension, but user 2 can only read level 3. We do not know how to pass this database rules to BI catalog user, or replace this BI user with database connection information, to have more than one different user connection accessing the system. Anyone can help me?
    thanks in advance,
    Alexandre Martins - Commit Consultores - Brazil

    We are developing a jsp application with TAG libraries
    Ex.:
    <orabi:BIThinSession id="BIThinSession1" configuration="/Project1BIConfig1.xml" >
    <orabi:Presentation id="untitled1_Presentation1" location="Presentation1" />
    </orabi:BIThinSession>
    <FORM name="BIForm">
    <!-- Insert your Business Intelligence tags here -->
    <orabi:Render targetId="untitled1_Presentation1" parentForm="BIForm" />
    <%-- The InsertHiddenFields tag adds state fields to the parent form tag --%>
    <orabi:InsertHiddenFields parentForm="BIForm" biThinSessionId="BIThinSession1" />
    </FORM>
    This application has a login screen, where the user will pass his database username and password, which corresponds equally to a user of the same name in the BI Beans catalog.
    Here is the moment that we face the Problem: We can not change the user to switch to the database user. The catalog user is switched by BIUser().
    Workarounds performed:
         1 – We created a ConnectionProvider class to establish the connection with the properties and another class - AuthenticationProvider - to pass parameters to the connection.
              Problem: Could not pass parameters to Application Authentication class. Tried to force application to connect to authentication or vice-versa to pass username that was informed at login screen but this does not work.
         Ex.: trying to set these classes in the configuration file (.xml).
         User “ALEX” has database access (OLAP , MOLAP) and catalog access .
    public class AuthenticationProvider implements oracle.dss.security.AuthenticationProvider {
        public void authenticate(Hashtable properties) throws BISecurityException {
            // Hardcoded test credentials for user ALEX (described above)
            properties.put("user_name", "ALEX");
            properties.put("password", "ALEX_1");
        }
    }

    public class ConnectionProvider implements oracle.dss.security.ConnectionProvider {
        public Object connect(Hashtable properties) throws BISecurityException {
            Connection conn = null;
            try {
                DriverManager.registerDriver(new OracleDriver());
                // Credentials are expected to arrive through the properties table
                String sUSER = properties.get("user_name").toString();
                String sPW = properties.get("password").toString();
                String connStr = "";
                if (properties.get("jdbctype").equals("thin")) {
                    connStr = "jdbc:oracle:thin:@" +
                        properties.get("hostname") + ":" +
                        properties.get("port") + ":" +
                        properties.get("sid");
                }
                conn = (Connection) DriverManager.getConnection(connStr, sUSER, sPW);
            } catch (Throwable t) {
                throw new BISecurityException("Erro na conexão!", t);
            }
            return conn;
        }
    }
         2 – Tried to get configuration through session searching all the connections and changing user to desired connection (in this case “thin”, MM.MDM) and reconnecting or disconnecting and reconnecting again.
    At this point, debugged the database connection and could see that username actually changed, but when the program reached the open presentation TAG received an error because TAG could not understand the connection.
         Ex.: This is in between session TAG
    <orabi:BIThinSession id="BIThinSession1" configuration="/Project1BIConfig1.xml" >
    <%
    ManagerFactory mf = BIThinSession1.getManagerFactory();
    MetadataManager mdm = null;
    if (mf != null) {
        mdm = (MetadataManager) mf.lookupManager(
            ManagerFactory.METADATA_MANAGER, null, true);
    }
    if (mdm != null) {
        try {
            // Attach the metadata manager if it is not attached already
            int iAttachStatus = mdm.getAttachStatus();
            if ((iAttachStatus != MM.ATTACHED) &&
                (iAttachStatus != MM.ATTACHING))
                mdm.attach();
            Connection[] connectionArray = mdm.getConnections();
            if (connectionArray != null) {
                int count = connectionArray.length;
                for (int index = 0; index < count; index++) {
                    String driverType = connectionArray[index].getDriverType();
                    // Only touch MDM connections that are currently connected
                    if ( (driverType != null) &&
                         (driverType.equals(MM.MDM)) &&
                         (connectionArray[index].isConnected()) ) {
                        if (driverType.equals(MM.MDM)) {
                            // Switch the connection to the database user and reconnect
                            connectionArray[index].setUsername("ALEX");
                            connectionArray[index].setPassword("ALEX_1");
                            connectionArray[index].reconnect(connectionArray[index].getPropertyBag());
                        }
                    }
                }
            }
        } catch (Exception ex) {
            ex.printStackTrace(); // just for demo purpose
        }
    }
    %>
    <orabi:Presentation id="untitled1_Presentation1" location="Presentation1" />
    </orabi:BIThinSession>

  • Best Approach for Security in WebCenter Portal Application

    Hi,
    We are analyzing the right approach for WebCenter Portal security on an application. We found that we can do all roles and security in Page Hierarchy, which in turn stores the security details in Jazn-data.xml. Is this the right approach for defining the roles and security for a WebCenter Portal application?
    What is the importance of configuring WS_security in a WebCenter Portal application, and do we need to define this WS_Security even after defining them in page hierarchy? Could you please guide us on this?
    Thank you,
    Sashank P

    Hi Shashank,
    First, sorry for the late reply.
    WS_Security: can you please explain what you mean by WS_Security? From the term I could not infer which part you are talking about.
    Let me tell you about the WebCenter security -
    This is the hierarchy; the Fusion Middleware forms the base, with WebCenter at the top.
    Webcenter Security
    |
    ADF Security
    |
    Fusion Middleware Security (OPSS)
    Now you are going to apply security to your WebCenter and ADF layers.
    Let's come back to the question.
    For any WebCenter portal, you have to use the Jazn-Data.xml file to secure all the content, whether it's the navigation / pages / admin pages / taskflows etc.
    It's pretty easy to use; let me know if you have any difficulty with that.
    Page hierarchy -> Yes, you have an option to set your security for pages alone; here you have additional fine-grained permissions (update/delete/personalise etc).
    If you need those fine-grained permissions you can use this.
    To conclude, I would say use jazn-data for taskflows/components/admin page protection etc.
    Use Page hierarchy's fine-grained permissions for pages, and the navigation model's visible attribute to show/hide navigation based on the user's roles.
    Let me know if this helps

  • General security when downloading new application

    Hallo, I would appreciate if people could add to this list of to do items as a general security procedure after downloading apps and utilities from the net:
    -Set Safari not to open files after downloading
    -Verifying source in info menu to corroborate that it did indeed just arrive from the web address that you accessed, although this is not always available
    -checking file size against originating source
    -checking places, through spotlight, where various bits and pieces have ended up
    -checking activity monitor to see what active processes it has loaded when it is opened of course
    That's all I know
    thank you guys

    If so targeted I wouldn't rely upon anybody from Apple to read your comment. Apple doesn't use the AD forums for garnering product feedback or suggestions since this intended to be an end-user to end-user (i.e., users like you helping other users) technical issue support feature. You should send feedback via:
    http://www.apple.com/feedback - Apple products feedback links
    If targeted at individuals, some of the suggestions are possible of course.
    -Set Safari not to open files after downloading
    Easily done in most browsers though at some stage you do eventually want/need to open a file.
    -Verifying source in info menu to corroborate that it did indeed just arrive from the web address that you accessed, although this is not always available
    Not always available, but at least in Firefox you can see the URL to which a link is directing you. However, many major sites now use other hosts too so something arriving from a third party site isn't unusual.
    -checking file size against originating source
    This often isn't provided in great detail by the source. I don't know how much code is required to provide a hole but it might just be a few tens of kB.
    -checking places, through spotlight, where various bits and pieces have ended up
    If you mean the originating file, okay, but if you have your browser set to default save to a directory then I don't see why it wouldn't end up there. If you have it set to a place by choice then again I have never in 15 years of web use seen it end up anywhere else.
    -checking activity monitor to see what active processes it has loaded when it is opened of course
    After an application is installed and running? There are many, many sub elements of applications as well as lots of system applications running that I'm not sure anybody except a real Unix wizard could tell. Also there could be a bit of "call home" which is running as part of the application itself, all clear and above board.
    I think the main security issue lies in network traffic. Maybe an application and code inserted in it you wouldn't like. It could even be benign but maybe you just don't like it calling home to tell the developer you just ran his/her application for the 357th time. Several people here highly recommend Little Snitch because it tells you all about your network traffic. I'm running it in demo mode. It's interesting but I don't always recognize the component that is doing the call (it could be Tiger calling Apple about setting my clock) or the address to which it is calling (as I said, lots of services use third parties).
    My take is, I've been using Macs since around 1990. I think since then I remember a free virus scanner catching one virus back in 1993.
    Message was edited by: Limnos

  • Securely embedding a flex application in a J2ee application

    Hello,
    I was able to embed a Flex application with BlazeDS running inside Tomcat with my existing web application. Note: I have configured BlazeDS to run within my existing web application, let's call it "MyWebApp", by just mapping the messagebroker servlet in web.xml.
    Now, MyWebApp uses form based authentication. My Flex app is just a part of one of the pages in MyWebApp. The user authenticates with MyWebApp.
    Question is: In my Flex application HOW DO I ENSURE THAT THE USER HAS logged in using MyWebApp???
    On the same lines, how do I secure the Remoting endpoints on the server?

    Hey Thanks for replying.
    My Tomcat web.xml already has the auth-method set to 'Form'. So I do not understand why I should define it again in the services-config? I referred to the live docs but they do not explain how this will work.
    Appreciate your help!!
    <security>
        <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat">
            <per-client-authentication>false</per-client-authentication>
        </login-command>
        <security-constraint id="trusted">
            <auth-method>Basic</auth-method>
            <roles>
                <role>employees</role>
                <role>managers</role>
            </roles>
        </security-constraint>
    </security>   

  • What is the security context when deploying application using SCCM 2012?

    As far as I know, when using Group Policy the software is always installed under the SYSTEM security context. However, I cannot find any information related to the SCCM 2012 (and deploying applications) security context.
    Also is there a difference in doing "Install for User" or "Install for Device/System"?
    Thanks

    Thanks. Just to confirm that if you use Group Policy and you Publish the msi for user when the user install it from Add/Remove Programs it is still going to be executed in SYSTEM security context?
    And while we are on this topic - is the above (about the security context in SCCM 2012) written anywhere in some official MS web page?
    Not sure about the context for Intellimirror, but for ConfigMgr it's as Ronnie and Torsten stated. This may be documented somewhere, not sure. Not everything is documented though -- in fact, I'd say less than 25% (probably less than 10%) of everything to be known about ConfigMgr is officially documented. Note that this is the same for any product -- there simply are far too many permutations and possibilities to document them all.
    Jason | http://blog.configmgrftw.com

  • Disable security copy for certain application

    I keep receiving an error when disabling the photo application in the cloud.
    I am out of space in iCloud, therefore I would like to recover space by removing photos and videos in the cloud, but I keep receiving the error "At the moment it is not possible to disable security copies, try later" (something like that, translated from Spanish).
    Any idea?
    Mirko

    Thanks to Apple telephone support I managed to solve this. Problem is that backup in the cloud is shared by both iPhone and iPad, though the problem reported when disabling the photo application is other (..try later).
    To solve this, I went to the iPad and not only stopped syncing to the cloud, but disconnected the iPad from it.
    Then in the iPhone it'll be possible to recover space by disabling whatever application from iCloud backup. Once you're done, you can connect the iPad back to the cloud.
    Tricky, but it works.
