Set security context

While using business objects we set the security context as we connect to the database. How would we do that with Crystal Reports?

Crystal doesn't support it in that way. You simply enter the log on info, User Name and Password, and CR connects. You can use a Universe to set up Security Context and CR then passes the user info through and the Universe handles what the user can and cannot see.
This is generalizing because you did not say what DB you are using or what version of Crystal Reports.
Or if you are using the OEM build for Business One...
There is in later versions a Special Field to get/set the CEUser which you can use in the record selection formula.
Don

Similar Messages

  • Setting security context in sql*plus session

    Hi,
    For a SQL*Plus session under an account that doesn't have execute privileges on fnd_global, is there any way to set the application security context similar to the way fnd_global.apps_initialize does?
    For example, as APPS one can do this:
    sqlplus apps/...
    SQL>  select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    1 row selected.
    SQL> execute fnd_global.apps_initialize( ... );
    SQL> select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    123456
    1 row selected.
    What I'd like to do is something like this ...
    sqlplus scott/...
    SQL> ... call some EBizSuite procedure where I can supply or
    be prompted for an EBizSuite user name, password, and responsibility ...
    SQL> select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    123456
    1 row selected.

    Hi
    Is there any method to initialize the environment using Java API.
    how to call the function fnd_global.apps_initialize
    Can you explain the required parameters.
    Asheesh

  • How to set portal security context for a procedure

    Hi, I have a procedure that needs to call some of the PDK APIs (WWSBR_API), but outside the scope of the web browser, i.e., automatically via a DBMS_JOB or queue. There is no HTML outputted, but rather a log entry made to a custom table.
    The schema that this custom pkg belongs to has all the necessary grants made to it from provsyns so that it should run.
    How do I programmatically set the context of the portal security so as to make the PDK APIs think it has been invoked by a Portal Administrator or a user with sufficient privs to perform the actions against the PDK and therefore not bomb out with security exceptions? I have seen this documented quite some time ago, but cannot find the details.
    Regards
    John

    You need to use the wwctx_api.set_context procedure.
    http://portalstudio.oracle.com/pls/ops/docs/FOLDER/COMMUNITY/PDK/plsql/doc/sdk11scp.htm

  • How to set the Context path to AAA/BBB in Weblogic 5.1?

    Hi folks,
    I want to deploy a web application and set the servlet context as:
    AAA/BBB. Put more simply, my application should be accessible via the
    following:
    http://localhost:7001/AAA/BBB/main.jsp
    where http://localhost:7001/AAA/BBB maps to my document root.
    One work around is to set the context to AAA:
    weblogic.httpd.webApp.AAA=WebAppLocation
    And in the deployment descriptor (web.xml) to register all servlets
    with a BBB/ prepended to the desired alias:
    <servlet-mapping>
    <servlet-name>main</servlet-name>
    <url-pattern>BBB/main.jsp</url-pattern>
    </servlet-mapping>
    But this solution does not work for me. Parts of the application refer
    to the context root (AAA) and create URLs relative to that. These URLs
    will not have the BBB part. Searching for it in the code and replacing
    it is not desirable (we do not own the code). Does anyone have any
    suggestions?
    Thanks in advance,
    Musafir

    What you have done for changing the context root to "/" is all fine but it is important to know that there is a ROOT.war in the deploy folder of JBoss which by default gets bound to "/" context. You must be getting the error message like "Web mapping already exists for deployment" when you would be starting your JBoss server after changing your context root to "/". So either you can completely remove the ROOT.war from the deploy folder or change the context-root of ROOT.war by updating its web.xml like:
    <web-app>
    <display-name>Welcome to JBoss</display-name>
    <description>
    Welcome to JBoss
    </description>
    <context-param>
    <param-name>context-root</param-name>
    <param-value>/jboss-root</param-value>
    </context-param>
    <servlet>
    <servlet-name>Status Servlet</servlet-name>
    <servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
    </servlet>
    </web-app>
    and also update the jboss-web.xml of ROOT.war:
    <jboss-web>
    <security-domain>java:/jaas/jmx-console</security-domain>
    <context-root>/jboss-root</context-root>
    </jboss-web>
    I hope this serves your purpose.
    There can be a workaround also by modifying the index.html of ROOT.war in the deploy folder of your server and redirect request to your web application using meta refresh like:
    <meta http-equiv="refresh" content="0;URL='/store'">

  • The server principal "XYuser" is not able to access the database "Ydb" under the current security context

    SQL2005 on winserver 2003. I have a view in Xdb that accesses tables in 2 different databases (Xdb and Ydb) on the same server. I have mixed mode security. I have a SQL user (XYuser) that has read access to all tables and views on both databases, yet when I try to access the view using a C# windows application I get the following error:
    The server principal "XYuser" is not able to access the database "Ydb" under the current security context
    This same scenario works under SQL 2000. I looked through the postings and tried to set TRUSTWORTHY ON on both databases but that didn't help. I can access any other views or tables on the SQL 2005 server, just not the one that joins the tables cross databases. Any help is much appreciated... john

    This appears to be a Login/Database Mapping issue.  I was having this problem, but was able to resolve it as follows:
    Using the SQL Server management Studio:
    In the Object explorer, under the SERVER security folder (not the database security folder), expand Logins. 
    That is: ServerName -> Security -> Logins
    NOT: ServerName -> Databases -> DatabaseName -> Security -> Users
    Select the Login that is having the troubles.  Right click on the Login and select ‘Properties.’
    The ‘User Mapping’ page should list all databases on the server with a check mark on the databases that the Login has been mapped to.  When I was getting the error, the database in question was not checked (even though the Login was assigned as a User on the database itself).  Map the Login by checking the box next to the database name.  Set the default schema.  Then select the roles for the Login in the Database role membership list box.  I selected db_datareader and public.  After clicking OK to save the changes, the problem was resolved.
    In order to ‘Map’ the Login, the Login must not already be a User on the database, so you may have to go to the database security (ServerName -> Databases -> DatabaseName -> Security -> Users) and delete the Login from the list of database Users before mapping the Login to the database.
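
The login-to-database mapping check and fix described in the answer above, written as T-SQL so it can be scripted and reviewed (an added example, not part of the original post). It uses the thread's names Xdb, Ydb and XYuser and assumes it is run by a sysadmin on SQL Server 2005 SP2 or later.

```sql
-- Added example: diagnose and repair a missing or orphaned user mapping
-- behind Msg 916. Xdb, Ydb and XYuser are the names used in the thread.
USE Ydb;
GO

-- 1. Is the server login mapped to a user in this database?
--    The join is on SID, not on name: a user called XYuser whose SID
--    differs from the login's SID does NOT give the login access.
SELECT sp.name AS login_name, dp.name AS user_name
FROM sys.server_principals AS sp
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
WHERE sp.name = N'XYuser';          -- no row: the login has no user here

-- 2. Users in this database whose SID matches no server login
--    ("orphaned" users, typically left by a restore or a server move).
SELECT dp.name AS orphaned_user, dp.type_desc
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.sid IS NULL
  AND dp.type IN ('S', 'U', 'G')    -- SQL user, Windows user, Windows group
  AND dp.principal_id > 4;          -- skip dbo, guest, INFORMATION_SCHEMA, sys
GO

-- 3a. XYuser is listed as orphaned: re-link it to the login. This keeps
--     the user's existing permissions, so no delete/re-create is needed.
ALTER USER XYuser WITH LOGIN = XYuser;
GO

-- 3b. No user exists at all: create one and grant read access only,
--     rather than sysadmin membership or TRUSTWORTHY ON.
-- CREATE USER XYuser FOR LOGIN XYuser;
-- EXEC sp_addrolemember N'db_datareader', N'XYuser';
-- GO

-- 4. Verify from the login's own security context: both columns should be 1.
EXECUTE AS LOGIN = N'XYuser';
SELECT HAS_DBACCESS(N'Xdb') AS can_use_xdb,
       HAS_DBACCESS(N'Ydb') AS can_use_ydb;
REVERT;
GO
```

Run step 3a or 3b, not both; the same checks apply to any principal named in a Msg 916 error.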

  • Current Security Context Not Trusted When Using Linked Server From ABAP

    Hello,
    I am experiencing a head-scratcher of a problem when trying to use a Linked Server connection to query a remote SQL Server database from our R/3 system.  We have had this working just fine for some time, but after migrating to new hardware and upgrading OS, DBMS, and R/3, now we are running into problems.
    The target database is a named instance on SQL Server 2000 SP3, Windows 2000 Server.  The original source R/3 system was 4.7x2.00, also on SQL Server 2000 (SP4), Windows 2000 Server.  I had been using a Linked Server defined via SQL Enterprise Manager (actually defined when the source was on SQL Server 7), which called an alias defined with the Client Network Utility that pointed to the remote named instance.  This alias and Linked Server worked great for several years.
    Now we have migrated our R/3 system onto new hardware, running Windows Server 2003 SP1 and SQL Server 2005 SP1.  The application itself has been upgraded to ECC 6.0.  I performed the migration with a homogeneous system copy, and everything has worked just fine.  I redefined the Linked Server on the new SQL 2005 installation, this time avoiding the alias and referencing the remote named instance directly, and it tests out just fine using queries from SQL Management Studio.  It also tests fine with OSQL called from the R/3 server console, both when logged on as SAPServiceSID with a trusted connection, and with a SQL login as the schema owner (i.e., 'sid' in lowercase).  From outside of R/3, I cannot make it fail.  It works perfectly.
    That all changes when I try to use the Linked Server within an ABAP application, however.  The basic code in use is
    EXEC SQL.
       SET XACT_ABORT ON
       DELETE FROM [SERVER\INSTANCE].DATABASE.dbo.TABLE
    ENDEXEC.
    The only thing different about this code from that before the upgrade/migration is the reference to [SERVER\INSTANCE] which previously used the alias of just SERVER.
    The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR.  The database error code is 15274, and the error text is "Access to the remote server is denied because the current security context is not trusted."
    I have set the "trustworthy" property on the R/3 database, I have ensured SAPServiceSID is a member of the sysadmin SQL role, I've even made it a member of the local Administrators group on both source and target servers, and I've done the same with the SQL Server service account (it uses a domain account).  I have configured the Distributed Transaction Coordinator on the source (Win2003) system per Microsoft KB 839279 (this fixed problems with remote queries coming the other way from the SQL2000 system), and I've upgraded the system stored procedures on the target (SQL2000) system according to MS KB 906954.  I also tried making the schema user a member of the sysadmin role, but naturally that was disastrous, resulting in an instant R/3 crash (don't try this in production!), so I set it back the way it was (default).
    What's really strange is no matter how I try this from outside the R/3 system, it works perfectly, but from within R/3 it does not.  A search of SAP Notes, SDN forums, SAPFANS, Microsoft's KnowledgeBase, and MSDN Forums has not yielded quite the same problem (although that did lead me to learning about the "trustworthy" database property).
    Any insight someone could offer on this thorny problem would be most appreciated.
    Best regards,
    Matt

    Good news! We have got it to work. However, we did it in something of a backwards way, and I'm sure you'll laugh when you see how it was done. Also, the solution depends upon the fact that the remote server is still using SQL Server 2000, and so doesn't have quite so many restrictions placed upon it for distributed transactions and Linked Servers as SQL Server 2005 now does.
    At the heart of the solution is the fact that the Linked Server coming FROM the remote server TO our SAP system works fine. Finally, coupled with the knowledge that using DBCON on the SAP side to the remote server also does actually provide a connection (see Notes 323151 and 738371), we set up a roundabout way of achieving our goal. In essence, from ABAP, we set up the DBCON connection to the remote server, at which point all the Native SQL commands execute in the context of the remote server. From within that connection, we reference the tables in SAP via the Linked Server defined on the remote server, as if SAP were the remote server, selecting data from SAP and inserting it into the remote (but apparently local to this connection) tables.
    So, to spell it out, we define a Linked Server on the remote server pointing back to the SAP server as SAPSERV, with a SQL login mapping defined on the remote system pointing back to a SQL login in the SAP database. We also define a connection to the remote server from SAP using DBCON, using that remote SQL login for authentication.
    Then, in our ABAP code, we simply do something along the lines of
    exec sql.
       set connection 'REMOTE'
    endexec.
    exec sql.
       connect to 'REMOTE'
    endexec.
    exec sql.
       insert into REMOTE_TABLE
          select * from SAPSERV.SID.sid.SAP_TABLE
    endexec.
    exec sql.
       commit
    endexec.
    exec sql.
       disconnect 'REMOTE'
    endexec.
    This is, of course, a test program, but it demonstrated that it worked, and we were able to see that entries were appropriately deleted and inserted in the remote server's table. The actual program for use is a little more complex, in that there are about four different operations at different times, and we had to resolve the fact that the temp table SAP_TABLE was being held in a lock by our program, resulting in a deadly embrace, but our developer was able to work that out, and all is now well.
    I don't know if this solution will have applicability to any other customers, but it works for us, for now.
    SAPSERV, REMOTE, REMOTE_TABLE, and SAP_TABLE are, of course, placeholder names, not the actual server or table names, so as not to confuse anyone.
    Best regards,
    Matt

  • Prime Infrastructure 2.1 ASA5580- Security Context Partial Collection Failure

    I am attempting to add my ASAs into prime but get stuck almost instantly after adding the new device. Prime is able to get the device name and Device type (Cisco ASA-5580 Adaptive Security Appliance Security Context) Admin status shows up as Managed but Inventory Collection Status shows up as "Partial Collection Failure" For more detail it says "feature_image_firewall Unexpected error. See the log file inventory.log for details."
    The only failure in inventory.log I could find was
    [2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [inventory] [ERROR] - 192.168.0.19 For device id: 2848866 Feature = feature_image_firewall and Procedure = ImageFireWal failed in time 45 with the following error and continuing with other features: com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
    [2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [ice] [ERROR] - com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
    com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
    As far as the ASA config goes:
    snmp-server enable
    snmp-server host management 192.168.10.27 community c!$c0PR!me version 2c
    logging enable
    logging history 7
    snmp-server enable traps
    The above config works on our ASA5520s except I still haven't set up the traps right because there isn't any useful information on those devices so I am not sure what I need to change?

    My ASA is using DH 1.
    For 9.2(1) I read this in the release notes.
    Note The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.

  • SSO with AD error:An error has occurred propagating the security context...

    Hi.
    On Windows 2003, I have installed BOXI Edge 3.1 with SAP Integration Kit. My primary and only use of the SAPIK will be for retrieving SAP data for BOXI reports. I DO NOT want to use SAP Authentication. For BOXI, I want to set up only AD Authentication, but because the web.xml files change with the installation of the SAPIK, I have not been successful at setting up AD Authentication. I have modified the web.xml files so that they look like the original web.xml files (without SAPIK).
    The AD groups are imported successfully into BOXI. The members of those groups are imported successfully, too. But when a user attempts to login, they get error: An error has occurred propagating the security context between the security server and the client.
    I have tried nearly everything to clear this error and there are no Kerberos errors in Wireshark logs on the BOXI server.
    Help!
    Thank you!
    Luis
    PS - I asked this question in the SAP Integration Kit forum, and they suggested I ask here, I guess because in the end it may have nothing to do with the SAPIK...

    Thanks, Tim, for your willingness to help.
    The problem is resolved.
    I noticed in the Local Security Policy that the right "Log on as a service" displayed only the service account user ID, without the domain identifier - where I expected it to show as "DOMAIN\svcaccount", it only showed "svaccount".
    I stopped the Tomcat and SIA services, I removed "svaccount" from the list in "Log on as a service", I reset the account information in the Tomcat and SIA services as "DOMAIN\svcaccount" and saw that change reflected in "Log on as a service" and now AD Authentication works beautifully.
    My guess is that it must have been using the local account and not the domain account for running the services.
    Next task: SSO...
    Wish me luck!
    Thanks!
    Luis

  • Setting Application Context Attributes for Enterprise Users Based on Roles

    Hello,
    We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
    I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
    -- For each record in my RoleSitePrivileges table, set
    --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
    --   If the current user has been assigned a role matching
    --   the value in the 'RoleName' field, set the corresponding
    --   attribute to 'Y'... otherwise, set it to 'N'.
    FOR iPrivRec IN (SELECT RoleName, SiteID
                       FROM RoleSitePrivileges
                       ORDER BY SiteID)
       LOOP
          SELECT COUNT(*)
            INTO roleExists
            FROM dba_role_privs
            WHERE granted_role = UPPER(iPrivRec.RoleName)
              AND grantee = USER;
          IF roleExists > 0 THEN
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'Y');
          ELSE
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'N');
          END IF;
       END LOOP;
    To finish things off, I created a security policy function for the table which returns the following:
    -- 'SITE_PRIVILEGE_' is 15 characters long, so the SiteID starts at position 16.
    RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 16))
                         FROM session_context
                         WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                            AND value = ''Y'')';
    This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully login to the database, and I can see the appropriate global role assignments when I query the session_roles view.
    I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the application context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
    I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
    So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
    Thank you!

  • Security context issue when executing a SQL command in SQLCMD

    Simplified core issue below:
    I have myscript.sql that has:
    SELECT name FROM Sys.Databases
    GO
    USE mydatabase
    GO
    EXEC mystoredprocedure 'myparameter'
    GO
    When I open cmd.exe and use:
    SQLCMD -S localhost\myinstance -i script.sql
    It executes fine.
    When I open cmd.exe in C# using the Process class and execute the same command I get the following error:
    name
    master
    tempdb
    model
    msdb
    mydatabase
    (5 rows affected)
    Msg 916, Level 14, State 1, Server localhost\myinstance, Line 1
    The server principal "NT AUTHORITY\SYSTEM" is not able to access the database "mydatabase" under the current security context.
    Msg 2812, Level 16, State 62, Server localhost\myinstance, Line 1
    Could not find stored procedure 'mystoredprocedure'.
    And now the detailed explanation:
    I created an MSI which installs my custom application.
    During the bootstrap process, SQL Server 2012 Express is installed using the following parameters:
    /INSTANCEID="SQLEXPRESS"
    /ACTION="Install"
    /FEATURES=SQLEngine,Replication
    /HELP="False"
    /INDICATEPROGRESS="False"
    /Q="True"
    /QS="False"
    /ROLE="AllFeatures_WithDefaults"
    /ENU="True"
    /ERRORREPORTING="False"
    /SQMREPORTING=0
    /INSTANCENAME="SQLEXPRESS"
    /AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
    /AGTSVCSTARTUPTYPE="Disabled"
    /ISSVCSTARTUPTYPE="Automatic"
    /ISSVCACCOUNT="NT AUTHORITY\NetworkService"
    /ASSVCSTARTUPTYPE="Automatic"
    /ASCOLLATION="Latin1_General_CI_AS"
    /ASDATADIR="Data"
    /ASBACKUPDIR="Backup"
    /ASTEMPDIR="Temp"
    /ASCONFIGDIR="Config"
    /ASPROVIDERMSOLAP="1"
    /SQLSVCSTARTUPTYPE="Automatic"
    /FILESTREAMLEVEL="0"
    /ENABLERANU="True"
    /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
    /SQLSVCACCOUNT="NT Authority\Network Service"
    /SECURITYMODE="SQL"
    /ADDCURRENTUSERASSQLADMIN="True"
    /RSSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
    /RSSVCSTARTUPTYPE="Automatic"
    /RSINSTALLMODE="FilesOnlyMode"
    /HIDECONSOLE
    /IACCEPTSQLSERVERLICENSETERMS
    /SAPWD="***************"
    The MSI then executes an Installer class DLL written in C# which restores a database to the SqlExpress instance.
    When the restore is completed, the Installer class then uses the Process class to launch CMD.exe and execute the SQL script using SQLCMD.
    Process vProcess = new Process();
    ProcessStartInfo vStartInfo = new ProcessStartInfo("cmd.exe");
    vStartInfo.Arguments = "/c set path=%path%;" + Context.Parameters["TargetDir"] + "\\; && sqlcmd -S LocalHost\\myinstance -i myscript.sql";
    vProcess.StartInfo = vStartInfo;
    vProcess.Start();
    vProcess.WaitForExit(30000);
    This is where I get the error mentioned above.
    However if I execute the same command manually by opening CMD.exe from the RUN command, it executes perfectly.
    I can not use -U or -P to supply a user / password, I MUST use integrated security.
    Additional info:
    Previously SQL Server 2008 Express has been in use for the bootstrapper, and this issue did not occur.
    The database the MSI restores is also built from SQL Server 2008. (Will be built from 2012 in the future.)
    Installation is performed on an account with administrative rights.
    Running the installer AS Administrator does not fix the issue.
    Any help would be greatly appreciated, as well please let me know if additional info is required.
    Thank you

    I'm having a similar issue where I'm using a batch file to execute commands to a group of servers. I can use the batch commands when updating MyDatabase but get the security context error when I try to update MyDatabase with a join to TheirDatabase except on servers where I am sysadmin. Like I said, I can update MyDatabase as long as I don't join to TheirDatabase.
    Update A
    Set A.CCMCoderStaffSID = IsNull(B.StaffSID, -1)
    From MyDatabase.[R_Encounter].[VejdPfcsLinkageDataF19610x5] A
    Left Join TheirDatabase.Staff.Staff B on
    A.Sta3n = B.Sta3n and A.[CCMCoderF200IEN]= B.StaffIEN
    Error:
    Msg 916, Level 14, State 1, Server R04PHIDWH58, Line 1
    The server principal "MyDomain\ME" is not able to access the database "TheirDatabase" under the current security context.
    Line from batch:
    sqlcmd -S Server54 -d MyDatabase -i D:\ETLDevelopment\R04\Me\querytools\%RAWTablesScript%  -o D:\ETLDevelopment\R04\Me\UpdateSIDV1.txt

  • Using NT Security Context with JNDI to talk to AD

    Hello all,
    Is there a way in JNDI to connect to Active Directory using the current NT Security Context like ADSI does?
    I want to run a Java program as a service under Win2k.
    I want to assign a user for it to run as (on service start).
    When the program is executing, I need to access AD (wish it wasn't so, but out of my hands), preferably with JNDI, to read/write data.
    I would like to be able to connect without having to set SECURITY_AUTHENTICATION to "simple" and providing a username and password since as a service, I don't want to interact with the desktop.
    In ADSI, I could set the ADS_SECURE_AUTHENTICATION flag and it would use the NTLM to access AD.
    Is there something similar in JNDI? I've searched the forums, but have only found examples of people using JAAS and GSSAPI (which requires entering a username/password and authenticating against a Kerberos realm) or simple authentication (which requires entering a username/password).
    Any help would be appreciated.
    Regards,
    plb

    Thanks schmid03,
    FYI, I am on Win2K Advanced Server running J2SDK 1.4.0_01.
    Tried changing the conf file, but still a no go. Here's what's happening now...
    Get a pop-up window titled "16 bit MS-DOS Subsystem"
    Message: c:\WINNT\system32\ntvdm.exe Error while setting up environment for the application. Choose 'Close' to terminate the application.
    Buttons: Close, Ignore
    after calling "lc.login ();"
    but then I can get the Subject and print out Principal (name) and it is correct.
    However, in JNDI call "new InitialDirContext ();" I receive:
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:142)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:59)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:36)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
    at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:160)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:374)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:190)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:263)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:76)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.<init>(InitialContext.java:195)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
    at Test$MyAction.run(Test.java:196)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:319)
    at Test.go(Test.java:132)
    at Test.main(Test.java:73)
    I'll check these new messages against other posts in the forum to see if there are similar problems...
    If anyone already knows this problem and a fix, please enlighten.
    Regards,
    plb
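
The flow this thread describes (a JAAS login, then the JNDI bind inside Subject.doAs with GSSAPI instead of "simple"), as an added example that is not from the original posts and is written for a current JDK rather than J2SDK 1.4. The JAAS entry name AdBind, the class name and the ldap://dc.example.com URL are assumptions; whether a ticket is available to the service account depends on the host's Kerberos setup.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/* Assumed JAAS config file (-Djava.security.auth.login.config=...), entry name is hypothetical:
 *   AdBind {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useTicketCache=true doNotPrompt=true;
 *   };
 * useTicketCache=true reuses an existing Kerberos TGT instead of asking for a password;
 * doNotPrompt=true makes login() fail rather than prompt when no ticket is found. */

public class AdGssapiBind {
    public static void main(String[] args) throws Exception {
        // Placeholder host; pass the real LDAP URL as the first argument.
        final String url = args.length > 0 ? args[0] : "ldap://dc.example.com:389";

        LoginContext lc = new LoginContext("AdBind");
        try {
            lc.login(); // no callback handler: credentials must come from the ticket cache
        } catch (LoginException e) {
            System.err.println("No usable Kerberos ticket for this account: " + e.getMessage());
            return;
        }

        // The bind has to run inside doAs so GSSAPI can see the Subject's ticket.
        Attributes rootDse = Subject.doAs(lc.getSubject(),
            (PrivilegedExceptionAction<Attributes>) () -> {
                Hashtable<String, String> env = new Hashtable<>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, url);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // SASL/Kerberos, not "simple"
                DirContext ctx = new InitialDirContext(env);
                try {
                    return ctx.getAttributes("", new String[] {"defaultNamingContext"});
                } finally {
                    ctx.close();
                }
            });
        System.out.println("Bound as " + lc.getSubject().getPrincipals() + ": " + rootDse);
        lc.logout();
    }
}
```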

  • EJBException::No valid security context for the caller identity

    Hi,
    I was working with EJB and I had a basic doubt in security propagation from the web tier to EJB tier.
    I deployed an EJB on JBOSS app server and in that bean I was trying to get the caller principal object from the EJBContext and I was printing the name of the principal.
    System.out.println(ctx.getCallerPrincipal().getName());
    Then I created an ordinary EJB client, which is a Java class, and when I invoked the business method I was getting the below error
    Exception in thread "main" javax.ejb.EJBException: java.lang.IllegalStateException: No valid security context for the caller identity
    at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:63)
    at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
    at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191)
    This error sounds meaningful, but how will I set the security context from the Java class? If it can be done, then is this the same way that the security principal propagates from web tier to EJB tier?
    Thanks,
    Suresh B

  • Is it possible to switch the security context while in a process task?

    I have a process task which needs to perform some tasks that require a higher level of permissions than the current user has. So, I am looking for a way to switch to another security context using the credentials of another user account, like xelsysadm, and then using the OIMClient class, perform a logon as that other user and then call the necessary oimClient.getService(class) methods as needed.
    My first problem is where do I store these other credentials? I was hoping to use the Security Credentials MAP as set up in the Enterprise Manager console and access this map using the oracle.security.jps series of classes. However, I am getting access denied when I try to access the Credentials Map.
    Here is the code snippet I am using:
    JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
    CredentialStore cs = ctx.getServiceInstance(CredentialStore.class);
    CredentialMap cmap = cs.getCredentialMap("oracle.oim.sysadminMap"); // This statement throws an Access Denied exception
    Credential cred = cmap.getCredential("sysadmin");
    // Ensure the credential is a Password credential
    if (cred instanceof PasswordCredential) {
        PasswordCredential pcred = (PasswordCredential) cred;
        rawPwd = pcred.getPassword();
        password = new String(rawPwd);
        userName = pcred.getName();
    }
    Am I doing something wrong here or is what I am trying to do not allowed from within a Resource Object's process task?
    Thank you for any suggestions.
    -Dave Herrmann
    Edited by: user552098 on Jul 3, 2012 2:50 PM

    Bikash,
    Our Oracle Consultants have told me that I should not make a call to OIMClient.logon() from within an OIM process task. They say that on the server side I should only call Platform.getService() not OIMClient.getService() so I guess I won't be needing any userid/pwds to be stored in the Security Credential Map store.
    But then that begs the question: How do I make a security context switch from within a process task java method if I cannot use OIMClient? Is there a way to impersonate another user using OIM APIs?
    Any ideas on how to do this?
    Thank you for any help.
    -Dave

  • JSP/SERVLETS NOT UNDERSTANDING JAAS SECURITY CONTEXT

    Hi,
    Instead of using the default form action "j_security_check" for form based authentication,
    I have a custom JAAS loginmodule which is a servlet that gets called when the
    user clicks on "OK" in the login form.
    Scenario1:
    I have a servlet (unprotected) which calls an EJB (which is protected).
    Depending on who has privileges to execute methods on the EJB bean, the authentication
    happens correctly.
    Scenario2:
    I have a PROTECTED servlet.
    When I execute the servlet in the browser, the login form comes up. Once I click
    on OK, what is happening is I call my
    custom-loginmodule servlet which then calls the protected servlet.
    Now, from the custom-loginmodule servlet, when the request goes to the PROTECTED
    servlet, the login page again comes up. For some reason the servlets or JSPs
    don't understand that the security context has already been created.
    But if the currently protected servlet is made unprotected and if it is made to
    call a protected EJB, the EJB bean gets the security context.
    I am thinking that security context is propagating but for some reason the JSP/servlet
    domain does not seem to get the already created security context.
    Another thing I noticed was that the default approach of using form-auth as "j_security_check"
    does not seem to work with URL rewriting.
    Any hints are greatly appreciated.
    Thanx,
    krish.
    Krishnan.Venkataraman
    Symphoni Interactive
    Technical Lead.
    412 414 5385(mobile)
    412 446 2219(Work)
    1 800 439 7757 (# 2219) (Work)
    412 343 6549(Res)
    WEB:http://members.123india.com/krishnan

    hi,
    you may set a <servlet-mapping> in web.xml or you may use
    <form action="/servlet/HelloWorldExample" method=post>
    instead of
    <form action="/HelloWorldExample" method=post>
    the <servlet-mapping> should be:
    <web-app>
      <servlet>
        <servlet-name>HelloWorldExample</servlet-name>
      </servlet>
      <servlet-mapping>
        <servlet-name>HelloWorldExample</servlet-name>
        <url-pattern>/helloWorld.html</url-pattern>
      </servlet-mapping>
    </web-app>
    after you add the servlet-mapping, you can access the servlet with the url-pattern, that is:
    <form action="/helloWorld.html" method=post>
    the internal operation of the first and second methods is different, and you should use the second one (use servlet-mapping). The <url-pattern> can be used in many ways; if you want to learn more, see the servlet spec.

  • Sharing application security context

    Hi,
    I have two different applications on my weblogic server (one weblogic server). When I am logged into Application B, I need to access application A's page (open up a new window with application A's page and pass appropriate parameter).
    Is this functionality possible? If so, I would appreciate any suggestion to achieve this functionality.
    (Subject title may be a little bit confusing but that is the best I could think of...)
    Thank you for your help,
    -Raj

    Hi,
    depends on what you mean by application security context:
    1. policies
    set the same name for the application.name in the JPS filter before deploying the application to WLS as explained here
    http://docs.oracle.com/cd/E25054_01/core.1111/e10043/devmancfg.htm#BCGFGCGF
    This way both applications share the same policies
    2. authentication
    In this case you either
    - use basic authentication in which case the browser ensures you are authenticated when accessing application A
    - use Single Sign-On (OAM)
    Frank

Maybe you are looking for