Setting cookie path for JSESSIONID cookie for admin console

Similar Messages

• Error occured while searching for users in OIM admin console.

  Hi Experts,
  I deployed code from dev environment in to Test environment using deployment manager in OIM and also completed metadata import using weblogic metadataimport utility.Then when itried to search for users in OIM admin console. I am getting the following error.
  Error messager:
  ADFC-10001: cannot instantiate class 'oracle.iam.identitytaskflow.backing.taskflows.modifyuser.ModifyUserView'
  ADF_FACES-60097:For more information, please see the server's error log for an entry beginning with: ADF_FACES-60096:Server Exception during PPR, #12
  Did any body faced this issue?
  Can u please suggest me on this?
  Thanks,
  Sri.

  I've faced same error !!

• HttpSessionDebug Not Working For Session Monitoring through Admin Console

  Hi,
  I want to Analyze the HttpSession Payload (Size) in the AdminConsole-->Diagnostics-->Log Files -->EventsDataArchive
  I followed the Link http://jayesh-patel.blogspot.com/2008_04_01_archive.html
  I am using "MyDiagnosticEar\META-INF\weblogic-diagnostics.xml" as following:
  <?xml version="1.0" encoding="UTF-8"?>
  <wldf-resource xmlns="http://www.bea.com/ns/weblogic/90/diagnostics">
  <instrumentation>
  <enabled>true</enabled>
  <wldf-instrumentation-monitor>
  <name>HttpSessionDebug</name>
  <enabled>true</enabled>
  </wldf-instrumentation-monitor>
  </instrumentation>
  </wldf-resource>
  I am using a Simple JSP page to set Some Attribute inside the newly Created Session
  MyDiagnosticEar\SimpleActionWebApp\index.jsp
  <%@ page language="java" contentType="text/html;charset=UTF-8"%>
  <%@ page session="false" %>
  <html>
  <body>
  <%
  HttpSession session=request.getSession(true);
  out.println("<h4>Session ID: "+session.getId());
  session.setAttribute("AAAAAAAAA","BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB");
  java.util.Vector v=new java.util.Vector();
  v.add(new java.util.Date());
  v.add(new java.util.ArrayList());
  v.add("AAAAABBCCCC");
  session.setAttribute("EEEEEEEEEEEEEE",v);
  %>
  Data is Set As an Attribute inside the HttpSession:
  session.setAttribute("AAAAAAAAA","BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB");
  session.setAttribute("EEEEEEEEEEEEEE",v);
  <%
  System.out.println((String)request.getSession().getAttribute("AAAAAAAAA"));
  System.out.println(session.getAttribute("EEEEEEEEEEEEEE"));
  %>
  </body>
  </html>
  Please let me know if there is any thing missing.....I have tested it in All WLS9.2, WLS10MP1 and WLS10.3 versions ..But no Success...
  I am not able to see anything After hitting the JSP...in AdminConsole-->Diagnostics-->Log Files -->EventsDataArchive
  But i can see that the Diagnostic Module has been Picked up successfully...
  AdminConsole--->Deployments--->MyDiagnosticEar -->Configuration--->Instrumentation page
  Thanks
  Jay SenSharma

  Hi Raj,
  Thanks for looking into this issue.
  I tried to Configure DiagnosticModule as well from Admin Console but could not make it work...Can u Please elaborate more on this...It will be really helpful.
  Below is the Diagnostic Module...Created using Admin Console....Diagnostics -> Diagnostics Modules.
  <?xml version='1.0' encoding='UTF-8'?>
  <wldf-resource xmlns="http://www.bea.com/ns/weblogic/weblogic-diagnostics" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-diagnostics http://www.bea.com/ns/weblogic/weblogic-diagnostics/1.1/weblogic-diagnostics.xsd">
  <name>Module-0</name>
  <instrumentation>
  <enabled>true</enabled>
  <wldf-instrumentation-monitor>
  <name>Connector_Around_Work</name>
  <description></description>
  </wldf-instrumentation-monitor>
  </instrumentation>
  <harvester>
  <enabled>true</enabled>
  <sample-period>3000</sample-period>
  <harvested-type>
  <name>weblogic.management.runtime.WebAppComponentRuntimeMBean</name>
  <harvested-attribute>SessionMonitoringEnabled</harvested-attribute>
  <harvested-instance>com.bea:ApplicationRuntime=TestDiagnosticsEAR,Name=AdminServer_/TestDiagnostics,ServerRuntime=AdminServer,Type=WebAppComponentRuntime</harvested-instance>
  <namespace>ServerRuntime</namespace>
  </harvested-type>
  </harvester>
  <watch-notification>
  <watch>
  <name>WatchA</name>
  <enabled>true</enabled>
  <rule-type>Harvester</rule-type>
  <rule-expression>(${ServerRuntime//[weblogic.management.runtime.WebAppComponentRuntimeMBean]com.bea:ApplicationRuntime=TestDiagnosticsEAR,Name=AdminServer_/TestDiagnostics,ServerRuntime=AdminServer,Type=WebAppComponentRuntime//SessionMonitoringEnabled} = '')</rule-expression>
  <alarm-type>AutomaticReset</alarm-type>
  <alarm-reset-period>60000</alarm-reset-period>
  </watch>
  </watch-notification>
  </wldf-resource>
  TestDiagnostics
  Thanks
  Jay SenSharma
  Edited by: Jay SenSharma on Jan 8, 2010 10:38 AM

• How do I set a path in an executable for a DLL?

  I wrote a VI that is using a DLL in the Call Function Library Node. I set the parameters to Specify Path In Program in the node. I did this because I am distributing the VI as an executable and the path is obviously not the same as my VI. When running the VI I am using the Current VIs path, Strip Path, and then Build Path to get the directory for the DLL I am calling. It works fine for the VI. Where my problem lies is when I run it as an executable the filename.exe is being used in the build path and the DLL is then not being found. Is there a reason the .exe is acting different than the VI? What would a good solution be to fix this problem? Thanks in advance for any help.

  There's a perfectly good reason and this question gets asked about once a week from people new to the app builder. When you use the current VI's path in the development system, the path might be c:\folder\example.vi. When in a exe or dll, the path to the current VI is c:\folder\program.dll\example.vi. You need an extra strip path. You make it work in both development and the dll by using reading the App.Kind property and wiring the output to a case statement. Put the extra strip path in the run-time case.

• Cisco Secure ACS 4.2 for Windows web-based Admin Console log in problems

  To Whomever Can Assist,
        I am running two deployments of Cisco Secure ACS for Windows 4.2 and I can login into the admin web-console just fine.  However, when I create a new or test user that mirror my configuration that user cannot login to the admin web-console.  The user can login it to devices with the appropriate privileges, but can't administer his/her account within ACS.  This has proven very problematic and needs a remedy.  Thanks for the assistance.

  Bradbryant.dhs,
  Where are you creating the new admin user who should have access to ACS web gui under internal users or administration.
  Internal user and ACS administrator accounts are completely different. 
  Adding administrator account
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/Admin.html
  Regards,
  Jatin Katyal
  ** Do rate helpful posts **

• Set up a read only group on the config.xml file through Admin console

  I would like to set up a group which can use Admin console
  (http://ip:7001/console).
  However, this group cannot deploy, modify anything on the configuration. In
  the document, I can add ACL lists. But how? The table of permission
  function on the document is not clear. For example, there is no READ and
  WRITE on the table in the Admin Server guide. Please help.
  If I have guest enable on the Admin console. What is the user name and
  password of a gest to use the Admin console?
  Thanks for help.

  Do you want to expose the Admin app on the same network as the managed app?
  If not, just hide (black hole) the IP/port to the admin server.
  If I have guest enable on the Admin console. What is the user name and
  password of a gest to use the Admin console?I don't think guest has a password. Allowing guest means non-auth'd users
  can access it.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  Clustering Weblogic? You're either using Coherence, or you should be!
  Download a Tangosol Coherence eval today at http://www.tangosol.com/
  "SLC" <[email protected]> wrote in message
  news:3c5dcd78$[email protected]..
  I would like to set up a group which can use Admin console
  (http://ip:7001/console).
  However, this group cannot deploy, modify anything on the configuration.In
  the document, I can add ACL lists. But how? The table of permission
  function on the document is not clear. For example, there is no READ and
  WRITE on the table in the Admin Server guide. Please help.
  If I have guest enable on the Admin console. What is the user name and
  password of a gest to use the Admin console?
  Thanks for help.

• Finding DB details from Admin console

  Hi All,
  We have SOA11g server. Now i want to find the database used for that server from Admin Console.
  please help me in this.
  TIA,
  Bob

  Hi Bob
  1. Basically a SOA Domain by default needs 2 Schemas to store all the meta data. They are SOAINFRA and MDS. They are prefixed like DEV_ or anything you want. And if your SOA Domain also has BAM Reports stuff, there is another schema named ORABAM created.
  2. So you want to know where these schemas are existing like in which database host, port, sid, username.
  3. If you have Admin privileges, login into weblogic console. On left side, expand Services -> Data Sources. Now on right side, you will see bunch of datasources created specifically for SOA Domain. Click one DS named SOADataSource. Click on Connection Pool tab. Here in top you should see db url, db driver and db username. You cannot see the plain text password though. Do the same for other datasource named mds-soa, BAMDataSource (if you have BAM). Do not worry about many datasources. Basically, if you get details for one that is ok. Because most of the times, all the schemas will be in the same database though its not compulsory.
  4. If you have access to the physical location of this domain on the machine, then you can navigate to this folder structure and open the .xml files to see the same details. This is where all the data source xml files are stored. The location is: yourSOADomain/config/jdbc
  Thanks
  Ravi Jegga

• Search users in OIM from Admin Console

  Hi,
  I am trying to search for users logging into admin console as a end user. But my search didnot result any users though there are many users in OIM. I have given all the permissions available to the group in which this user is present and Manage User menu item to that group.
  Can anyone one please let me know, if the end-user will ever be able to search for other users in OIM ?
  PS: If I add the end user group as sub-group to sysadm group, then everythin works fine, But this is not the solution for me!!
  Thanks in Advance

  Permissions to view users are done at the organization level. If you want a specific group of users to be able to search for other users, create a group. then go to manage organizations and select administrative groups from the drop down. Add that group with at least read permissions. Usually if i know requests and such will need to be submitted for other users, i give all users read access to the main organization.
  -Kevin

• How to Set up HTTPOnly and SECURE FLAG for session cookies

  Hi All,
  To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
  I have found the below solutions.
  For setting up the HTTPOnly for the session cookies.
  1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.httponly = true;
  For setting up the secure flag for the session cookies.
  2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.secure = "true"
  Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
  <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
  <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cfif>
  But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
  Your timely help is well appreciated.
  Thanks in advance.

  BKBK wrote:
  Abdul L Koyappayil wrote:
  BKBK wrote:
  You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
  I couldnt understand this. I mean how are you relating this with my question.
  When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
       If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
  Name:
  JSESSIONID
  Content:
  782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
  Domain:
  xyz.abc.pqr.com
  Path:
  Send for:
  Any kind of connection
  Accessible to script:
  No (HttpOnly)
  Created:
  Wednesday, September 3, 2014 2:25:10 AM
  Expires:
  When the browsing session ends
  BKBK wrote:
  2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
  Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
       I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
  BKBK wrote:
  3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
  It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
       I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

• Does Firefox have a setting for retaining cookies similar to the 'Preserve Favorites website data' setting found in I.E. so you do not delete cookies from favorited websites when deleting your browsing history?

  In I.E. when you want to delete your browsing history, the Internet Options tab allows you to retain the cookies for the websites that are listed in your 'Favorites'. With this preference enabled, you can delete your browsing history regularly without having to maintenance your cookies that you need. My bank requires that I register my computer for security reasons. The registration process places a cookie on PC. My browsing history is set to delete upon logout and I'm concerned that I will have to re-register my PC every time I log in or I will have to maintenance my browsing history every time I clear it. Does Firefox provide a feature so I can retain certain cookies that I want to keep?

  If you use [[Clear Recent History]] or other means to clear (all) cookies then those specified cookies will be removed, even if there is an allow exception.
  You can let all cookies expire if you close Firefox and make an Allow exception for the ones that you want to keep.
  *Tools > Options > Privacy > Cookies: "Keep until": "I close Firefox"
  *Tools > Options > Privacy > Cookies: "Exceptions"
  Make sure that you do not use [[Clear Recent History]] to clear the "Cookies" and the "Site Preferences"
  See also [[Cookies]] and [[Enabling and disabling cookies]]

• Need best path for super cookie LSO program. Firefox 3.6 can't find one.

  New computer with FF can't provide path/location for Super Cookie. Is it C, Computer, or what? This hasn't happened before.

  Do you mean a program to remove Flash LSO or the location where Flash stores its settings and cookies?
  *BetterPrivacy: https://addons.mozilla.org/firefox/addon/betterprivacy/

• Setting Secure and HttpOnly flags in JSESSIONID cookie

  I have a web app hosted on WebLogic (8.1 I'm afraid!), and want to secure the JSESSIONID cookie by setting the Secure and HttpOnly flags on it. The intention is to prevent cookie theft.
  As regards the Secure flag, I've tried using the myCookie.setSecure(true) method. This works fine when I debug and step through the code , but by the time the cookie gets back to the client, it has been reset to false again (I'm not clear what by though...).
  There isn't a Cookie method to allow you to set HttpOnly.
  I've thought of using a filter to intercept the response and set the flags explicitly, but this seems like a lot of work for something that seems very simple. I can't find anything in the WebLogic documentation that allows me to configure the settings either.
  Does anyone have any bright ideas about how I can do this?
  Thanks
  Geoff

  I don't think there is HTTPOnly support for WebLogic 8.1 or other versions.
  May be you want to send a note to WebLogic support to find out of they are planning this feature in future ?
  Jayesh
  Yagna Sys

• UAG 2010 failing PCI for insecure cookies

  Hi All,
  Don't suppose anybody else is having the same issues please and if so, can anybody provide some guidance on how to sort?
  Many thanks,
  Martin
  Info: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability
  Workaround: Set the 'secure' attribute for any cookies that are sent over an SSL connection.

  Where did you get the install media from?
  I've seen this on a number of occassions where the install media didn't download properly. Recommend that you download the media again and try. For ref see
  http://blogs.technet.com/b/isablog/archive/2010/07/13/another-tmg-2010-installation-failure-with-error-0x80070643.aspx. I know that this article only says TMG but it still applies.
  Hth, Anders Janson Enfo Zipper

• Using Item UIDRef, can we get data as set in "text on path option" dailog box for each "text on path" item

  Hi all,
  I have a Item UIDRef but facing a problem for getting data as set in "text on path option" dailog box for each "text on path" item.
  What I did:
  - Getting the  pointer "IMainItemTOPData" using item UIDRef as
    InterfacePtr<IMainItemTOPData> mainItemTOPData(shapesUIDRef, UseDefaultIID());
  - This interface has the method GetTOPOptionData () which return ITOPOptionsData pointer
  - But SDK don't have "ITOPOptionsData" class implementation.
  Second Approch:
  - Used "ITextOnPathSelectionSuite" and getting the correct result for Desktop plugin.But I want the correct result in server plugin also.
  Anyone who has an idea how to get this using UIDRef, please let me know.
  Regards,
  Jitendra Kumar Singh

  Hi Pulse,
  Unfortunately, Flex doesn't currently support text on a path. However, I binged it and found this:
  http://blog.tsclausing.com/post/49
  That might be useful.
  -Adam

• How can i set a path for my deployment files in weblogic server 10.3

  Hi
  How can i set the path for my WAR ,JAR files while deploying.i am using the wls10.3 version.
  is there any scripts for this ,please provide me.
  my Application is ADF 11g application.

  By "path", I assume you mean "classpath".
  The simplest way is simply to include the jars you need inside the web application or web module's WEB-INF/lib directory, EJB module's META-INF/lib directory, or EAR lib directory.
  If that's not practical, if you use NodeManager to start your servers, you can go to the "Server Start" tab in the server definition in the WebLogic console and edit the "Classpath" field, which defaults to no value. You can specify a classpath value there. Note that if you specify a value there, it REPLACES the default classpath for the server, it doesn't add to it. If you need to just add to it (a much more likely scenario), if the value references the value "$CLASSPATH" in it, that will reference the original classpath value that the server would have had.
  So, for instance, if you wanted to include the MQ jars in the server classpath, you could set a value like this:
  /usr/java/mq/lib/mq.jar:/usr/java/mq/lib/mqstuff.jar:$CLASSPATH