Security problem about JCOM

Hi,
Now we are using IIS/ASP page to connect to EJB. This is the code below:
Dim mobjHome
Dim mobjBean
Dim mobjList

Private Function BindObjects()
    Dim objTemp
    'Handle errors
    On Error Resume Next
    'Initialize function value
    BindObjects = True
    'Access WebLogic Server. Set here to localhost, port 7001.
    Set objTemp = GetObject("objref:TUVPVwEAAAAABAIAAAAAAMAAAAAAAABGABAAAAAAAABKaW50ZWdyYVRhbGtUb01lV2hhdHNBbGxUaGlzVGhlbhkAEgAHAGwAbwBjAGEAbABoAG8AcwB0AFsANwAwADAAMQBdAAAAAAAKAP//AAAAAAAAAAAAAA==:")
    If Err.Number > 0 Then
        BindObjects = False
        Response.Write "Error number:" & CStr(Err.Number) & "<BR>"
        Response.Write "Error Desc:" & Err.Description & "<BR>"
        'Notify user and end function
        Response.Write "An error occurred while GetObject.<br>"
        Exit Function
    End If
    'Bind the EJB AccountHome object via JNDI
    Set mobjHome = objTemp.get("examplesServer:jndi:ejb20-containerManaged-AccountHome")
    If Err.Number > 0 Then
        BindObjects = False
        Response.Write "Error number:" & CStr(Err.Number) & "<BR>"
        Response.Write "Error Desc:" & Err.Description & "<BR>"
        'Notify user and end function
        Response.Write "An error occurred while objTemp.Get.<br>"
        Exit Function
    End If
    Set mobjBean = mobjHome.create()
    If Err.Number > 0 Then
        BindObjects = False
        Response.Write "Error number:" & CStr(Err.Number) & "<BR>"
        Response.Write "Error Desc:" & Err.Description & "<BR>"
        'Notify user and end function
        Response.Write "An error occurred while mobjHome.create().<br>"
        Exit Function
    End If
    'Find accounts with a balance > LARGE_BALANCE
    Set mobjList = FindBigTypes(700)
    If Err.Number > 0 Then
        BindObjects = False
        Response.Write "Error number:" & CStr(Err.Number) & "<BR>"
        Response.Write "Error Desc:" & Err.Description & "<BR>"
        'Notify user and end function
        Response.Write "An error occurred while FindBigTypes.<br>"
        Exit Function
    End If
    'All bindings succeeded
    Exit Function
End Function
An error occurred when running
Set mobjHome = objTemp.get("examplesServer:jndi:ejb20-containerManaged-AccountHome")
It told me "Access denied". Is there any setting I need to do in WebLogic Server?
Thank you!
Best regards!
Xianyu

ADF SecurityContext is populated after execution of "/adfAuthentication" servlet so you can't get roles with ADFContext.getCurrent().getSecurityContext().getUserRoles() in your login method.
Maybe you can retrieve roles with:
// needs: java.security.Principal, java.util.Set, java.util.HashSet, weblogic.security.principal.WLSGroupImpl
Set<String> roles = new HashSet<String>();
Set<Principal> allPrincipals = mySubject.getPrincipals();   // mySubject: the authenticated javax.security.auth.Subject
for (Principal principal : allPrincipals) {
    if (principal instanceof WLSGroupImpl) {                // WLS group principals carry the role/group names
        roles.add(principal.getName());
    }
}
(note that this will retrieve 'enterprise' roles and not application roles)
Dario

Similar Messages

  • Security problem about public modifier.

    1. there are two classes exist in the different package, let's say, Class A in package com.a, and class B in com.b, there is a public(is a must) function in B which is only open to A, we don't want it to be published to the end user when we generate the api-docs, how should i do now?
    2. since the class files and the java files are matched one by one, how can i be sure that the class IS the class i write, not the one replaced by the others?
    much thanks.

    This sounds a lot more like an "incomplete understanding of Java" problem than a "Security General" problem - but anyway...
    1. there are two classes exist in the different package, let's say, Class A in package com.a, and class B in com.b, there is a public(is a must) function in B which is only open to A, we don't want it to be published to the end user when we generate the api-docs, how should i do now?
    Are A and B in the same package? If so, then make B.protectedButPublicMethod() be package-protected.
    Is any of B accessible to end-users? If not, then define B inside of A.java as a non-public class. Javadoc will then ignore B's methods (unless you go out of your way to tell it to produce the docs for B).
    Java isn't C++ - there are no "friends" in Java. Package-protected comes closest.
    2. since the class files and the java files are matched one by one, how can i be sure that the class IS the class i write, not the one replaced by the others?
    .class and .java are NOT matched "one by one". A.java can only contain one public class, but it can also contain an arbitrary number of non-public classes and inner classes.
    However, that is a separate issue from your second question. And the net is, you can't prevent your end-user from replacing your classfiles with their own.
    Note that this isn't a Java-specific problem - it affects any system that allows dynamic libraries (like, say, .dlls on Windows or .so's on Unix).
    Whatever it is you're trying to protect, I think you need to seriously rethink your approach - your questions hint at a system that is, at best, naive.
    Good luck!
    Grant

  • HT4623 Why isn't Apple talking about the security problem and the iOS software patch?

    Why isn't Apple telling us about the iOS security problem and the software patch?

    There's an iOS security problem already?
    They just issued an iOS update...

  • How do I report a security problem to Firefox?

    Here's the problem:
    Wednesday morning my Mac at home got infected by malware which I believe is usually called the "Google redirect virus". My Mac at home has been upgraded to OSX 10.6.7 and I believe I was using Firefox 3.6.13 (it automatically upgraded tonight). I haven't been able to find any useful information on line about this malware.
    The behavior after infection was that every time I tried to use Google my request would get redirected. If I entered www.google.com in the address bar, the URL would get changed to www.google.com/FuneralHomes/<something> and the browser would try to go there and a "Under Construction" error message or a no-such-page message would be returned. This started happening after I did a Google search and was checking various links in Firefox, but once it started in Firefox I got the same behavior in Safari even without using Safari to look at any links. And it continued to happen in Safari even after I did a "Reset Safari..."
    When I got infected I was using a non-administrator account and I was not asked to download anything nor was I prompted for a password.
    I searched on "Google redirect Mac virus" using my (so far) untouched work computer and found several suggestions but no solutions. Apparently this is a PC problem that's been around a few years, but there were some Mac reports from last year. So last night I checked the DNS addresses in my Network preferences, looked at /etc/hosts, and removed the only plug-in from the Library:Internet Plug-ins of the infected account, even though it was a Picasa plug-in that predated this infection. None of those seemed to be the problem. I also scanned my disk with an up-to-date "Norton AntiVirus" which I got from work some time ago, but it found no viruses.
    What really puzzles me is that the problem gradually went away while I was checking it last night. At first, when I entered www.google.com the browser would still show the redirected address in the prompt that comes up and it had the Legacy.com logo on the left instead of the Google one but it would actually go to the Google website (unless I'm being spoofed). Then at a later attempt, only the wrong logo persisted. Then at an even later attempt the logo got fixed and everything looked fine and appeared to behave correctly.
    Frankly, that's a little scary. It's as if a really smart trojan got installed and was covering its tracks while it set up a man-in-the-middle attack (please advise if I'm misusing the jargon). If I'm being too paranoid, great, but I'd still like to know how such behavior could be induced on my machine just by linking to a website. Can anyone help?
    ''moderator- fixed the leading space formatting errors in this posting''

    Thanks, the-edmeister, but the only relevant post I found was from GB Colburn on bleepingcomputer.com, wherein he reported a similar problem about a year ago. I've found a few similar threads in the last year or so (by searching "Google redirect mac virus" in Google) but they are all about the same: someone reports the problem, responders have various random suggestions, the problem seems to go away by itself (at least sometimes), and there's nothing conclusive either good or bad.
    Without myself being as knowledgeable as GB Colburn, it doesn't look to me like the problem is in the DNS system or the router. It acts more like some malware in the automatic completion in the address bar of the browser or maybe in the history system, but I can't figure out how an infection in one browser could affect another browser. And I *really* can't figure out how it could be self-healing.
    It's really frustrating that none of the major parties involved in this—Firefox, Google, Safari (Apple), Verizon (my internet provider)—even have a process for reporting a security issue. At least not one that I, an ordinary semi-naive user, can find.

  • Need to solve serious security problem with Oracle Reports URL

    As mentioned repeatedly on this forum, Oracle Reports allows serious security breaches that allow users to see reports that they did not generate -- it's easy to guess a legal URL by changing the getjobid parameter.
    I've reviewed the JavaDocs to part of the rwrun.jar file and reviewed some of the example report plugins. This shows promise in helping to solve this security problem but critical pieces are missing.
    1) The javadocs are accurate for only 10g (9.0.4) but not correct for 10g (10.1.2+), which we are currently using. I need access to the updated version of this javadoc.
    2) Even with the updated version of the JavaDoc, I haven't found a class from which to inherit that would give me the opportunity to generate random jobid values, which then would effectively prevent users from guessing other jobid values, and thereby gaining access to others' reports (which in our case may contain sensitive information).
    3) We have found that we can send the parameter=value of EXPIRATION=1 which helps protect such information, but this requires that every program which invokes a report be modified to add this parameter. It would be far better for the report server to be configured to use a java class we write that inherits from some rwrun.jar class that would by default, add the EXPIRATION=1 parameter.

    Hi,
    Thanks for your replies. I will ask an administrator about this security problem; now I know it depends on a security parameter.
    But I would like to know if it could be possible to hide the technical name of the query in the URL. As a first step, it could improve the security level of our reports in this way.
    Thanks a lot,
    JW.

  • Signed applets in 1.4.1: non-trust ignored: severe security problem?

    Hello all,
    I am signing applets with a developer certificate.
    Until now everything worked fine with Plugin 1.3.1.
    Now I changed to Plugin 1.4.1 and encountered a strange behaviour: When I open the HTML page with a browser (tried IE 5.5 and Mozilla 1.1) the certificate question pops up. The problem: if I choose not to trust the certificate, the applet starts nevertheless and I can use the system clipboard inside my applet (which is what the applet needs to be signed for)!
    This looks like a severe security problem!
    Does anyone know anything about this? Can you reproduce this?
    thanx!
    Marcus

    Hi,
    I tried to reproduce what you said with plugin 1.4.0 (I don't have 1.4.1 yet) and IE6.0 (It doesn't have anything to do with the browser)
    My Java console said :
    "User has denied the priviledges to the code
    writeFile: caught security exception"
    The security seems to work OK in 1.4.0.
    I will have to try 1.4.1.
    Patrick

  • Problem About J2EE RI and PetStore Demo

    Hello ^^
    I have a problem about j2ee & petstore.
    I tried to set up Sun J2EE RI 1.3.1 + Pet Store on Win2000 or Red Hat.
    Everything ran OK. But when I changed the web port from 8000 to any other port (including 80),
    the J2EE RI server showed the error message below:
    java.net.ConnectException: Connection refused: connect
    java.security.PrivilegedActionException: javax.servlet.ServletException:
    An error occurred while evaluating custom action attribute "items" with
    value "${catalog.categories.list}": An error occurred while getting
    property "categories" from an instance of class
    com.sun.j2ee.blueprints.catalog.client.CatalogHelper
    I used root to start j2ee & cloudscape on linux,
    and changed database to postgresql, too.
    but the error is the same.
    How to solve this problem ??
    Thank you ~~
    Jovi

    Hi,
    I don't know how useful my reply would be since the question was posted about 2 years back, but I just wanted to reply in case somebody faces the same problem.
    If you change the web port to some other port (other than 8000) then please check the sun-j2ee-ri.xml files. Actually the CatalogDAOSQL.xml is read using a url which includes the port you are running the server on. So, you need to change the port even in the sun-j2ee-ri.xml file.
    One of the sun-j2ee-ri.xml files, where you need to make the change is in the $PETSTORE_HOME/src/apps/petstore/src/sun-j2ee-ri.xml file.
    Other one is in $PETSTORE_HOME/src/apps/supplier/src/sun-j2ee-ri.xml file.
    Look for other sun-j2ee-ri.xml files where the URL is hardcoded. (I think the two sun-j2ee-ri.xml files mentioned above are the only places you need to make the change, but still look for other files in case I have missed any.)
    Change those urls and redeploy the ears.
    Hope this solves the problem.
    Regards,
    Archit

  • Sun Java security problems

    Please, can anyone tell me about Sun Java security problems
    with desktop applications?

    Hi.
    If you're using SSGD 4.41, please download the Admin guide from here:
    http://docs.sun.com/app/docs/doc/820-4907
    There, at page #41 you'll find useful info concerning "Client Connections and Security Warnings".
    Hope this helps,
    Rob

  • Problem about get the workflow context

    There are 2 servers.
    One is Weblogic server (server1), deployed a fusion web project on it.
    Another is BPM server (server2), deployed the bpm process on it.
    On the fusion web project, we use the API to get the tasks. But we encountered a problem about getting the workflow context.
    There are 2 methods to get the workflow context.
    1. getTaskQueryService().authenticate(userId, password, null, null): this method needs to be passed a userId and password; we can get the user from the request but can't get the password.
    2. getTaskQueryService().createContext(request): we pass the request on server1, but can't get the context on server2, and an exception is thrown.
    Appreciate if you can give some help.

    javax.el.ELException: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[jcooper, ERole]
         at javax.el.BeanELResolver.getValue(BeanELResolver.java:266)
         at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:173)
         at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:200)
         at com.sun.el.parser.AstValue.getValue(Unknown Source)
         at com.sun.el.ValueExpressionImpl.getValue(Unknown Source)
         Truncated. see log file for complete stacktrace
    Exception thrown when createContext()

  • Debugging JNLP security problems

    As we all know, the latest Java update changed the JNLP security around a bit, and I, like many others, am having trouble with it.
    I'm not really here to ask for help with my specific problem, however. It's not the first time I've had trouble with JNLP security, and almost every time, I've only gotten around it with the help of mere guess-work and a fair bit of luck, and I'm still far from sure I've actually solved the problems correctly. The main problem I experience is that the security messages I get from the JNLP client are oriented towards end-users and thus not very helpful at all for tracking down the root cause of the issues. For instance, after this latest update, the JNLP client is just telling me that "The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel."
    Is there any good way to find out what security problems it is that I'm actually having? "Read the documentation" is of course the easy answer, but the security model seems rather complex and incorporates many parts. Is there some kind of "lint" tool for JNLP out there that can list the problems I'm having? Or is there some way to run the JNLP client in some kind of debug mode?

    Understood guys. But let me make a few points.
    1. Clearly I'm not the only one who had this problem. In fact, I wasn't the first person in this THREAD to have the problem.
    2. I'm fairly computer savvy, and have worked with Photoshop for several years.
    3. Yes, it does say c: in point 3, but I find it odd that in point 4 it does say Program Files/.... A very strange way to write it. Also, the c: drive is the default installation drive, so it's not idiocy for someone to assume that the file would be located on the same drive as you selected for installation.
    4. This is not about technically right or wrong. I never said that the instructions were wrong. I merely was trying to make a suggestion that would help people avoid the same trap I fell into. Was it my mistake? Yes. Would my clarifying suggestion perhaps help others avoid making the mistake I did. I would hope so. Also, as someone else suggested in this thread, Adobe SHOULD have written an installation program for the ACR 3.1 upgrade that did the placing automatically. After all, EVERYONE knew that ACR3.1 would be released shortly after the release for CS2...in fact Mr. Knoll himself was quoted in other forums about when D2X compatibility would actually happen.
    5. The purpose of these forums is to be helpful to other users--not to be patronizing or rude. I'm a big Photoshop fan, and a loyal customer. I'm also in the service industry, and I would bet that customer service experts would raise an eyebrow or two about the tone contained in certain messages in this thread, including from an Adobe employee.
    Just my two cents. Flame away if you must. But you might want to take a look at what I actually suggested in my last message before lighting up the torch.

  • Security problem? Bounded taskflow and sessionid in loopback url

    Hi,
    We just had a security evaluation of our public site. We use ADF in several places on the site (through iframes).
    The applications are made up of bounded taskflows. The request Url reads like:
    http://127.0.0.1:7101/test/faces/adf.task-flow?adf.tfId=task-flow-definition&adf.tfDoc=/WEB-INF/task-flow-definition.xml
    and it returns :
    http://127.0.0.1:7101/test/faces/adf.task-flow;jsessionid=R9YWRvkLJyD6lYC79DyTmTl6fxj177x1ZflDcJy4mrlcYmDVSmn0!-1545839156?adf.tfId=task-flow-definition&adf.tfDoc=/WEB-INF/task-flow-definition.xml&_afrLoop=97476727347664&_afrWindowMode=0&_afrWindowId=null
    According to the security evaluation the ;jsessionid=xxx in the header is a security problem, you could in principle copy the url and send it to a different computer and continue the session from there!
    The jsessionid is put there by the loop back script.
    Is there any way of making the loop back script not put the jsessionid in the url?
    Is it a security problem?
    regards
    Johnny

    Hi, thank you for the opinion. I am not talking about hijacking my own session id. But "malware" or a spy in some way could "sniff" the url and send it off to another computer!
    Look at this url, it explains it even better :
    http://fralef.org/tomcat-disable-jsessionid-in-url.html
    Again it is not my opinion but that of a security firm.
    Cookies are not disabled on my computer ( and our security firms), the case is real and how bounded taskflows work.
    Here is the code from the loop back:
    var sess = ";jsessionid=TdJhRvVGHnYZtTfzsMBpmDcSnLVHW0SzgBWl0gQm2tPQ45lwsq1W!-1545839156";
    if (sess.length > 0)
    href += sess;
    After the redirect the cookies "takes" over and the jsession id is not shown again.
    But it is still shown initially.
    And we do use https on our site, my code was just an illustration.
    Johnny
    Edited by: user11345344 on Feb 28, 2013 8:44 PM
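The risk Johnny describes is that URL rewriting places the session id in the path (`;jsessionid=...`), where it can be copied, logged, or leaked through a Referer header. The JavaScript below is an added example, not code from the thread, from ADF, or from WebLogic: it strips that path parameter from a URL (the query string and fragment are kept), reports whether a URL still carries one, rewrites the posted loopback snippet so the id is appended only when no session cookie is available (the `hasSessionCookie` flag is an assumed input; a container's own URL rewriting makes the same decision), and scans a few constructed access-log lines for leaked ids.

```javascript
// Added example (not from the thread). Assumption: the session id appears as a
// servlet path parameter ";jsessionid=VALUE" in front of the query string, as in
// the URLs posted above.

// Matches the path parameter up to the next path segment, query or fragment.
const SESSION_PARAM = /;jsessionid=[^;?#/]*/i;

// Returns the URL without the jsessionid path parameter; query and fragment survive.
function stripSessionIdFromUrl(url) {
  return url.replace(SESSION_PARAM, '');
}

// True when the URL would expose a session id via address bar, Referer or logs.
function carriesSessionId(url) {
  return SESSION_PARAM.test(url);
}

// Defender-side rewrite of the loopback snippet from the post: append the session
// path parameter only when the client has no session cookie, so cookie-capable
// browsers never see the id in the URL. hasSessionCookie is an assumed input.
function buildLoopbackHref(baseHref, sessionPathParam, hasSessionCookie) {
  let href = baseHref;
  if (!hasSessionCookie && sessionPathParam.length > 0) {
    href += sessionPathParam;
  }
  return href;
}

// Detection: find session ids that reached an access log. Constructed sample lines.
const SAMPLE_ACCESS_LOG = [
  '10.0.0.5 - - [28/Feb/2013:20:44:01 +0100] "GET /test/faces/adf.task-flow;jsessionid=EXAMPLESESSIONID1!123 HTTP/1.1" 302 0',
  '10.0.0.5 - - [28/Feb/2013:20:44:02 +0100] "GET /test/faces/adf.task-flow?adf.tfId=task-flow-definition HTTP/1.1" 200 4123',
];

// Returns [{ line, sessionId }] for every line that carries a jsessionid path parameter.
function findLeakedSessionIds(logLines) {
  const hits = [];
  const re = /;jsessionid=([^;?#/\s"]*)/gi;
  for (const line of logLines) {
    let m;
    while ((m = re.exec(line)) !== null) {
      hits.push({ line, sessionId: m[1] });
    }
  }
  return hits;
}

// Stand-alone demonstration on the shape of URL from the post (constructed id).
const demoUrl = 'http://127.0.0.1:7101/test/faces/adf.task-flow;jsessionid=EXAMPLEID!-1?adf.tfId=task-flow-definition&_afrLoop=1';
console.log(stripSessionIdFromUrl(demoUrl));
console.log(findLeakedSessionIds(SAMPLE_ACCESS_LOG).map((h) => h.sessionId));
```

Running the log scan over real access logs tells you whether ids are actually leaking, which is the evidence to bring back to the security firm; turning off URL rewriting in the container (the Tomcat article Johnny links covers that side) removes the source rather than the symptom.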

  • Adobe reader 9 security problem?

    Yes, i recently read about this security problem with the PDF.  I would like to know what if anything has/is being done about it and does it affect all computers or just the corporate ones?  I also read there was a patch coming out about this and I would like to know where and how to get it if it is necessary.

    Well, don't let this scare you ... ... but a lot of software vulnerability information is out there if you just know where to look.
    Probably the most definitive source is the US CERT Vulnerabilities Database which is searchable at http://www.kb.cert.org/vuls/html/search.
    This database is maintained by the "United States Computer Emergency Readiness Team (CERT)" at Carnegie-Mellon University.  It's not the only database out there, but it's one of the best.
    Another thing to bear in mind is that Adobe has many large government contracts ... a huge amount of government documentation (e.g. IRS forms) are produced using PDF.  Therefore, you know that Adobe is informed when a vulnerability is discovered, and it has a positive-duty to participate in looking for them as well as resolving them.  If you keep your systems up-to-date you can expect that patches for them will be timely included.  (I am not, of course, saying that these expectations will invariably be met!)  Software development organizations do maintain, although they do not routinely externally publish, problem/resolution databases that are integrated into their version-control systems.
    Digging just a little bit deeper, I see that Adobe maintains "security advisories" among its support-page options.  (I see that the CERT advisories refer to these URLs.)  So, the information you are looking for is out there, and I'm sure that Adobe Support (note: I do not work for them...) can help answer specific questions ... especially if you have something like a CERT Advisory Number to refer to.
    Many folks imagine that software companies try to conceal their vulnerabilities, when in fact the exact opposite is true:  there is no such thing as "security by obscurity."  White-hat people work very studiously to "get the word out."  It is an international effort.
    It can be a bit disconcerting at first to see literally thousands of reports (some open, some closed) concerning a well-established product that you use every day.  Any exploit or vulnerability, realized or imagined, practical or theoretical, goes into that database:  "Knowledge is Power."

  • Possible security problem with my iPhone4, it seems like it has been hacked into and my hotmail, facebook and university accounts (which all have different passwords) and proceed to change my passwords on me. This has happened twice.

    I seem to be having security problems with my iPhone4. It seems like someone has hacked into my hotmail, facebook and university accounts (which all have different passwords) and proceeded to change my passwords on me. This has happened twice and I have not left my phone unattended at any time that I can recall, nor have I accessed these accounts from another source (i.e. computer/laptop) since changing my passwords after the first hacking occurred. Please help.

    Anyone else at your university complaining about the same thing?  It is more likely someone is stealing passwords by sniffing traffic over the university wifi or with a man-in-the-middle attack or by other means external to your phone.  Try a Google search on "steal password" (without quotes) or "steal SSL password" and you'll learn more than you wanted to know about how passwords get stolen.
    Some related info:
    http://en.wikipedia.org/wiki/Session_hijacking
    http://en.wikipedia.org/wiki/Man-in-the-middle_attack

  • Latest mail security problems

    There we were thinking that the switch to Critical Path would solve the security problems of BT Yahoo mail.  It appears not:
    http://www.theregister.co.uk/2014/03/13/bt_likely_to_have_breached_data_protection_act_after_email_a...

    The Backup likely would only help if it were a full Backup of the OS.
    Try these 2 1st...
    Using Disk Utility in Mac OS X 10.4.3 or later to verify or repair disks...
    http://docs.info.apple.com/article.html?artnum=302672
    About Disk Utility's Repair Disk Permissions feature...
    http://docs.info.apple.com/article.html?artnum=25751

  • HT1222 So with OSX 10.5.8 does this online banking security problem affect me?

    So with OSX 10.5.8 does this online banking security problem affect me?

    @ stedman1 and Apple computer Inc.
    Believe is religion.
    Is that a private opinion about current security issues or an official statement of the company?
