Solution Manager security

I want to achieve the following scenario:
There are three different systems, say S1, S2 & S3 attached to a Solution Manager. The admins of these systems should be able to monitor or see only their respective systems in the Solution Manager.
Which role and which authorization object controls this and how can it be implemented in Solution Manager?
Thanks & Regards,

Hello Lokesh,
Please get the last available configuration guide for solman in service.sap.com->Media Library->Documentation
There you can find all the available roles for the different scenarios.
Hope this helps,
Dolores

Similar Messages

  • EJB 3.0 Security with ACEGI and not with Container Managed Security

    Hi,
         Currently we are using EJB 2.0 in our project, We want to use EJB 3.0
         But for security we want to use Spring ACEGI Security and we don't want to use container managed security (No Portability, Difficult, …)
         ACEGI supports Servlet/JSP security very well (I am able to call isUserInRole(), getUserPrincipal() because ACEGI implements by ServletRequestWrapper in a filter)
         But for EJB, it lacks this feature. (There is no standard EJB interceptor API as there is with servlets (using filters), so there's no generic way of modify in the EJB context for the invocation)
         Without using container managed security, Is there any way to propagate my security context from Servlet Layer to EJB Layer, So that I can use EJB Declarative security and getCallerPrincipal(), isCallerInRole() API.
         For more info please see this thread http://forum.springframework.org/showthread.php?t=26514
         Why don't you provide standard EJB interceptor API as there is with servlets (using filters), so there I am able add security identity to EJB context.
         I am eagerly waiting for the reply

    Reason: javax.naming.NameNotFoundException: jdbc not bound
    Although I am quite new to this as well I would say that there is a problem with your connection with the database.
    It seems it cannot connect to MySQL.
    Have you downloaded the MySQL package library and imported it?
    Also in your deploy folder in your JBoss
    have you altered the jdbc to connect to your database in your dataset? (I am not sure about MySQL, but Postgres required this)
    Most probably it would be the same in MySQL.
    <connection-url>jdbc:postgresql://127.0.0.1:5432/Dissertation</connection-url>
    Not sure if this is what you require, I am new at this myself

  • The OMS is not set up for Enterprise Manager Security

    Hi, I'm trying to add an agent to grid control and it's not connecting with the management server because I can't secure it...
    bash-2.05$ ../../bin/emctl secure agent <password>
    Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
    Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
    Agent is already stopped... Done.
    Securing agent... Started.
    Requesting an HTTPS Upload URL from the OMS... Failed.
    The OMS is not set up for Enterprise Manager Security.
    I have tried this on two separate servers, both do the exact same thing. However, on my repository server where the OMS is housed, I can secure the agent no problem. Does anyone know what the problem could be? My OMS is on a Linux (SuSE 10.2) 32-bit machine.
    Here's the emdctl.trc on the agent machine:
    2007-07-11 11:00:20 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:00:21 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:00:21 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:00:21 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:00:21 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:00:22 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:00:22 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:05:10 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:05:10 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    2007-07-11 11:10:08 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
    2007-07-11 11:10:08 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
    bash-2.05$ lsof | grep 3872
    bash-2.05$
    seems to be failing the connect but nothing is running on the port so i'm not sure why
    Thanks in advance

    some further information and hopefully someone can help me...
    I went to the OMS binary folder (fmc45712:$OMS_HOME/bin) and executed the following commands...
    $OMS_HOME/opmn/bin/opmnctl stopall
    $OMS_HOME/bin/emctl stop oms
    $OMS_HOME/bin/emctl secure oms
    $OMS_HOME/bin/emctl start oms
    $OMS_HOME/opmn/bin/opmnctl startall
    then i go to $AGENT_HOME on the OMS machine (fmc45712:$AGENT_HOME/bin) and execute..
    $AGENT_HOME/bin/emctl status agent -secure
    Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
    Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
    Checking the security status of the Agent at location set in /opt/oracle/OracleHomes/agent10g/sysman/config/emd.properties... Done.
    Agent is secure at HTTPS Port 3872.
    Checking the security status of the OMS at http://fmc45712:4889/em/upload/... Done.
    OMS is secure on HTTPS Port 1159
    I then go to the server I deployed the agent on that I want to get communicating with my OMS...
    $AGENT_HOME/bin/emctl status agent -secure
    Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
    Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
    Checking the security status of the Agent at location set in /u101/em/agent10g/sysman/config/emd.properties... Done.
    Agent is unsecure at HTTP Port 3872.
    Checking the security status of the OMS at http://fmc45712:4889/em/upload/... Done.
    OMS is running but has not been secured. No HTTPS Port available.
    same command, different computer, but on the same network, and it just doesn't work. The OMS is on Linux x86 and the agent on the alternate computer is on HP-UX. If anyone has any help it'd be much appreciated.

  • SHA-1 Encryption is not working in Container managed security

    Hi,
    I have to turn to your help after no luck with other possible resource.
    I implemented container managed security on my apps and it works well without the encrypted password(clear text) in the table column. Now I referred OC4J Security guide to implement the password encryption as follows:
    1. Using the DBTableOraDataSourceLoginModule, set the option pw_encoding_class = oracle.security.jazn.login.module.db.util.DBLoginModuleSHA1Encoder
    2. run the following procedure:
    DECLARE
        l_password VARCHAR2(50) := 'welcome';
        l_password_raw RAW(128) := utl_raw.CAST_TO_RAW(l_password);
        l_encrypted_raw RAW(2048);
        l_encrypted_string VARCHAR2(2048);
        l_encrypted_string2 VARCHAR2(2048);
    BEGIN
        dbms_output.put_line('Password in String: ' || l_password);
        dbms_output.put_line('Password in raw: ' || l_password_raw);
        l_encrypted_raw := dbms_crypto.hash(l_password_raw, dbms_crypto.HASH_SH1);
        dbms_output.put_line('SH1: ' || l_encrypted_raw);
        l_encrypted_string := UTL_ENCODE.BASE64_ENCODE(l_encrypted_raw);
        dbms_output.put_line('Base64Encoding: ' || l_encrypted_string);
    END;
    3. update the clear text password with the SHA-1 encrypted password and encoded in Base64Encoding (in my case, it's the parameter "l_encrypted_string")
    Now I run the application and login says "password not matching!" If anyone know what's going on, please advise me what's wrong...pls
    thanks very much,

    Hi,
    hard to say without knowing the code the OC4J team uses in their login module. I know they based it on a JAAS LoginModule I wrote some years ago, but they did change some parts of it. In the original version, the password was read from the database and then compared with the provided password string. Using encryption it uses a class to encode and decode the password queried from the database. My guess is that the returned string - after decoding - doesn't meet the password string you provide when authenticating. Since this piece of code is owned by the OC4J team, I suggest to try the Application Server forum or the Security forum
    Frank
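
Added example (not from the thread or from OC4J): a Python model of what the posted PL/SQL block leaves in `l_encrypted_string`. `UTL_ENCODE.BASE64_ENCODE` returns a RAW, and assigning a RAW to a VARCHAR2 renders it as hex, so the variable holds the hex form of the Base64 text rather than the Base64 text itself. It assumes a single-byte, ASCII-compatible database character set; the function names are illustrative, and the thread does not confirm which form `DBLoginModuleSHA1Encoder` compares against.

```python
import base64
import hashlib


def sha1_digest(password: str) -> bytes:
    """Raw 20-byte SHA-1 digest, the value dbms_crypto.hash returns as RAW."""
    # Assumption: the database character set encodes the password like ASCII/UTF-8.
    return hashlib.sha1(password.encode("utf-8")).digest()


def sha1_hex(password: str) -> str:
    """Uppercase hex of the digest, what dbms_output prints for 'SH1: '."""
    return sha1_digest(password).hex().upper()


def sha1_base64(password: str) -> str:
    """Base64 text of the digest, the value step 3 of the post intends to store."""
    return base64.b64encode(sha1_digest(password)).decode("ascii")


def raw_as_varchar2(raw: bytes) -> str:
    """Model Oracle's implicit RAW -> VARCHAR2 conversion (uppercase hex)."""
    return raw.hex().upper()


def plsql_block_result(password: str) -> str:
    """Model the value the posted block leaves in l_encrypted_string."""
    b64_raw = base64.b64encode(sha1_digest(password))  # BASE64_ENCODE returns RAW
    return raw_as_varchar2(b64_raw)                    # VARCHAR2 assignment hex-encodes it


def classify_stored_value(stored: str, password: str) -> str:
    """Tell which encoding of a known test password a column value holds."""
    value = stored.strip()
    if value == password:
        return "cleartext"
    if value == sha1_base64(password):
        return "sha1-base64"
    if value.upper() == sha1_hex(password):
        return "sha1-hex"
    if value.upper() == plsql_block_result(password):
        return "hex-of-base64"
    return "unknown"


if __name__ == "__main__":
    pw = "welcome"  # the test password used in the post
    for label, value in [
        ("intended (Base64 of SHA-1)", sha1_base64(pw)),
        ("posted block (hex of Base64 RAW)", plsql_block_result(pw)),
    ]:
        print(f"{label}: {value} -> {classify_stored_value(value, pw)}")
```

In PL/SQL, `UTL_RAW.CAST_TO_VARCHAR2(UTL_ENCODE.BASE64_ENCODE(l_encrypted_raw))` yields the Base64 text itself.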

  • Manage security for a report that lives in multiple folders

    Post Author: EricE
    CA Forum: General
    I am using Crystal Enterprise 10.  (we are about to upgrade to BO XI if
    it matters in the answer)
    As we consider the migration to XI we are thinking about problems with our
    existing system that we have never solved adequately.
    The problem is how to manage
    security of a given report that shows up in multiple places in the tree.
    Example:
    I have a report lives in the Sales folder but also needs to be in a folder at
    the same level called Marketing.
    I want the report to
    exist only once so that if I update it, it gets updated both places.
    To solve that I could put the real report in a folder called “all reports” and
    then create short cuts to it in both of the other folders.
    The problem with that method is that
    the users who have rights to the “Sales” folder don’t get rights to the
    shortcut (because the rights don't seem to work on shortcuts).  The rights
    would have to be granted to the real report object…which quickly becomes a mess
    trying to manage rights to each individual report object.
    So I want to manage rights/security
    at the folder level but I also want a given report to live in more than one
    location (but have one real report object) and have its rights administered by the folder it is in.
    Is there any way to do that?

    Post Author: EricE
    CA Forum: General
    yangster: When you set permissions at the folder level all reports within the folder and any subfolder that exist should inherit the parent folder's rights. So putting in your report into the sales folder and creating a shortcut to the marketing folder should be fine as long as you have not set any specific right on the actual report itself.
    Please clarify per my post above this one.  I tried doing exactly what you said to do.  What happened is that the user could SEE the report but could not execute it. User had "view on demand" rights to the folder via a group.

  • Where are the Manage Security Policy Settings Stored

    I want to upgrade from Acrobat Pro 9 to X....and I'm prompted to uninstall 9 first.  I have a ton of passwords saved under Manage Security Policies in Acrobat 9 and I don't want to lose these.  I know they are stored in some file, but I don't know the file.  Can anyone advise the file name?  I assume I can just save this file elsewhere on my computer, uninstall Pro 9...and then when I install X I can just copy this file to the folder for X, right?
    Steve

    C:\Documents and Settings\<username>\Application Data\Sun\Java\Deployment\deployment.properties
    the folder applicationData may be hidden. Hidden files and folders have to be displayed.
    Regards
    Michael

  • Container Managed Security on Tomcat - configuring different auth-methods

    I am trying to configure the container managed security on tomcat4. Or rather I am trying to add a further dimension to the configuration that already exists.
    At the moment the entire application uses LDAP authentication and I would like to separate an area that requires further authentication. That is to say I would like everyone using the web application to authenticate using the existing Form-Based LDAP authentication but I would like only certain users to be able to use the data upload facility (whose code is stored in its own directory).
    This is the authentication bit of my web.xml:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>qmrae</web-resource-name>
          <url-pattern>*.do</url-pattern>
          <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication Area</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
      </login-config>
    My first hurdle is in understanding exactly how the application knows where to go for its authentication.
    I had guessed that the realm-name would map "areas" of my application to realm configuration defined in my application's context area in Tomcat's web.xml but this doesn't seem to be the case. In fact I have read conflicting explanations as to what the realm-name is for. One source has said that this is only used for BASIC authentication as a way of naming the resulting pop up window - many others say it maps the login-config to the web-resource-name. However the latter doesn't make sense because the authentication works in my application at the moment even though those values are completely different (and indeed are different in most of the examples I've read on the web). Furthermore I can find any other mention of the defined realm-name in any other file (which of course be because I'm looking in the wrong place).
    I was prepared to accept that the realm-name might not actually do anything and so I've been looking for examples of defining a different auth-method for different url-patterns but I've had no luck.
    I know a user can have one or more roles but I don't have access to the LDAP server to set these up and haven't found anything about defining different auth-methods other than one thread in this forum suggesting that it wasn't possible on AIS.
    This thread suggests that you can have more than one security-constraint but again I'm not sure about the auth methods and how you map an auth method to a security-constraint
    http://forum.java.sun.com/thread.jspa?forumID=33&threadID=320918
    To summarise my questions:
    1) What are the functions of the realm-name and web-resource-name? Are they related?
    2) Is it possible to configure different areas of an application to use different authentication methods? and if so, could you point me in the direction of relevant documentation
    3) If (2) is not possible and I have to assign a new role to the privileged LDAP users, is it enough to define a new security-constraint? Could you describe the behaviour I could expect for users that have authenticated once and try to access this super-security area, will they be shown another login form or will it just let them in because the container is already aware of their permissions.
    Many thanks for your attention,
    Rachel

    If you create your own Realm classes - look at JAAS - you can sort out your last login time, just wrap them around the DataSourceRealm.
    As far as 'remind' him is concerned - I'm guessing you mean provider a reminder for the password based on the user name. If you use form based authentication you can put what ever you like on the page.

  • ADF Security to J2EE Container Managed Security Problems

    Hi all!
    I had ADF security enabled in my application. I've added roles and users to embedded OC4J Server Preferences..., configured authorization using pageDefs... (following the Introduction to ADF Security in JDeveloper 10.1.3.2 howto).
    For the sake of friendlier user and roles management I decided to go to J2EE Container Managed Security (I want application manager in production environment to be able to manage users in only one place, not in DB table and extra for web app). I followed Frank Nimphius's Database Authentication and Authorization in J2EE Container Managed Security article.
    Now I have some problems. I removed users and roles from embedded OC4J Server Preferences... (I believe these are used only for ADF security, am I right?). I can log to application with admin user account (app index page doesn't have any binds and even pageDef), but when trying to access admin pages I get 401 Unauthorized page.
    What am I doing wrong, probably I've forgotten something? I'm a bit confused now with users and roles settings and ADF and container managed security.
    Part of my web.xml file:
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <init-param>
    <param-name>success_url</param-name>
    <param-value>/faces/app/index.jspx</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>adfAuthentication</servlet-name>
    <url-pattern>/adfAuthentication/*</url-pattern>
    </servlet-mapping>
    <security-role>
    <description>Admins</description>
    <role-name>admin_role</role-name>
    </security-role>
    <security-role>
    <description>Users</description>
    <role-name>user_role</role-name>
    </security-role>
    <security-role>
    <role-name>oc4j-administrators</role-name>
    </security-role>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>AllAdmins</web-resource-name>
    <url-pattern>faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>admin_role</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>AllUsers</web-resource-name>
    <url-pattern>faces/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>user_role</role-name>
    <role-name>admin_role</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>oc4j-administrators</role-name>
    <role-name>user_role</role-name>
    <role-name>admin_role</role-name>
    </auth-constraint>
    </security-constraint>
    Do I have to remove this adfAuthentication tags?
    I know I've made things a bit complicated for me now and for anyone to help, but I hope I will get at least some pointers what to do now and maybe some explanation about roles in container managed security? Is it enough to have security constraints and roles defined in web.xml file or they have to be defined somewhere else also (beside the database)?
    Thank you in advance!
    Bye
    PS
    Maybe stack trace after login:
    FINE: LoginConfigProvider.ctr: lmm=[LoginModuleManager: jznCfg=[JAZNConfig null], appConfigEntries={oracle.security.jazn.oc4j.CertificateAuthenticator=[javax.security.auth.login.AppConfigurationEntry@3625d0], oracle.security.jazn.tools.Admintool=[javax.security.auth.login.AppConfigurationEntry@eca6e7], oracle.security.jazn.oc4j.WebCoreIDSSOAuthenticator=[javax.security.auth.login.AppConfigurationEntry@c1c7c4], oracle.security.jazn.oc4j.DigestAuthenticator=[javax.security.auth.login.AppConfigurationEntry@221f81], oracle.security.wss.jaas.SAMLAuthManager=[javax.security.auth.login.AppConfigurationEntry@426e05], oracle.security.jazn.oc4j.JAZNUserManager=[javax.security.auth.login.AppConfigurationEntry@145240a], current-workspace-app=[javax.security.auth.login.AppConfigurationEntry@4120aa], oracle.security.wss.jaas.JAASAuthManager=[javax.security.auth.login.AppConfigurationEntry@1c78f98]}]
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option data_source_name = jdbc/TESTDbDS
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option table = APPLICATION_USER
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option groupMembershipTableName = APPLICATION_ROLE
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option usernameField = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option passwordField = USR_PSW
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option groupMembershipGroupFieldName = ROLE_NAME
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option user_pk_column = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option roles_fk_column = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option pw_encoding_class = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option realm_column = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option application_realm = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option casing = toupper
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]login called on DBTableLoginModule
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Calling callbackhandler ...
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Username returned by callback = admin
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Username changed to case as defined by toupper to ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User query string: select USR_EMAIL,USR_PSW from APPLICATION_USER where USR_EMAIL= (?)
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User primary key value found = ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]Password encoded by: oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User ADMIN authenticated successfully
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]Roles query string: select ROLE_NAME from APPLICATION_ROLE where USR_EMAIL= (?)
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBUser Principal Name: ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: admin_role
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Logon Successful = true
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 2 Principals after auth
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Cleaning internal state!

    Hi there!
    I have another question about this. I've modified a bit DBRolePrincipal class to see what's going on. At the beginning of the equals(Object another) method I added this lines:
    log("method equals start",0);
    log("another type = " + another.getClass(), 0);
    if (another instanceof Principal) {
        // Log the name of the principal this DBRolePrincipal is being compared with
        Principal mine = (Principal) another;
        log("Principal mine.getName() = " + mine.getName(), 0);
    }
    The result is this output (after navigating to page that gives 401 forbidden):
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    Why is the name of ADFRolePrincipal always anyone? When I sign in with this user the output says:
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User query string: select USERNAME,PASSWORD from ACTIVE_APP_USER_V where USERNAME= (?)
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User primary key value found = admin_user
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Password encoded by: oracle.sample.dbloginmodule.util.DBLoginModuleCearTextEncoder
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User admin_user authenticated successfully
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Roles query string: select ROLE_NAME from ACTIVE_APP_ROLE_V where USERNAME= (?)
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBRole Principal Name: admin_role
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBUser Principal Name: admin_user
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Logon Successful = true
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 0 Principals before auth
    07/10/12 08:46:09 [DBUserPrincipal] method equals start
    07/10/12 08:46:09 [DBUserPrincipal] another type = class oracle.sample.dbloginmodule.principals.DBRolePrincipal
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Local LM commit succeeded
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 2 Principals after auth
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Cleaning internal state!
    Frank, if you haven't given up on this issue yet could you please try to explain this to me? Why doesn't admin_role principal never get compared in equals method?
    Thank you!
    BB

  • Solution Manager Security

    Hello,
    I'm responsible to setup Solution Manager to provide Enterprise Support to the customer. I would like my customer to use Solution Manager by using Internet VPN connection. In the middle of preparation, I have some questions for Solution Manager Security. Because our company has very strict security policy, I need to make sure the questions below and make report to the manager.
    1. To follow our company’s security policy, I need to select the port. Could you please let me know which port# do we need to open?  I think port# 80 and 443 are required to use Internet connection. Are there any required port #?
    2. What kind of Standard User Authentication does Solution Manager have? (Basic Authentication, Digest Authentication or other?)
    3. I would like to restrict any unauthorized access. What kind of access control does Solution Manager have? (Like Service Market Place, is there any authentication before entering first screen?)
    4. Is it possible to access both HTTP and HTTPS? If so, is it possible to restrict to HTTP connection? I think HTTPS is much safer.
    I read the Security Guide downloaded from Service Market Place, but still have questions. I really need someone's help.
    Thank you in advance.
    Best Regards,
    Natsumi

    Hi Natsumi,
    Your question addresses general topics of SAP NetWeaver Web Application Server.
    Please find some answers below. I would recommend checking the standard documentation.
    >
    Natsumi Kimura wrote:
    >1. To follow our company's security policy, I need to select the port. Could you please let me know which port# do we need to open? I think port# 80 and 443 are required to use Internet connection. Are there any required port #?
    >
    port #80 is the default port for http, port #443 is the default port for https.
    You can define your own port numbers to provide access.
    >
    Natsumi Kimura wrote:
    > 2. What kind of Standard User Authentication does Solution Manager have? (Basic Authentication, Digest Authentication or other?)
    >
    SAP Solution Manager 7.0 is based on SAP NetWeaver and is using the same authentications options.
    >
    Natsumi Kimura wrote:
    > 3. I would like to restrict any unauthorized access. What kind of access control does Solution Manager have? (Like Service Market Place, is there any authentication before entering first screen?)
    >
    The first screen is the logon screen. Users need to have logon data (user, password) to access the Work Center.
    The URL for the Key User is accessible in the Internet (and may be further restricted to dedicated IP address by additional network infrastructure).
    See section "4.4 Internet Communication Framework" in Security Guide.
    See section "4.5 Secure Socket Layer (SSL) for HTTP Connections" in Security Guide.
    >
    Natsumi Kimura wrote:
    > 4. Is it possible to access both HTTP and HTTPS? If so, is it possible to restrict to HTTP connection? I think HTTPS is much safer.
    >
    Yes, it's possible to offer HTTPS connections only.
    Helpful links:
    Application Help - Additional Information on Network Security: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0a/0a2e12ef6211d3a6510000e835363f/content.htm
    Security Guide SAP Solution Manager 7.0 EHP 1 and SP 19: http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000718044&_OBJECT=011000358700000310012009E
    How-To install&configure the SAP Web Dispatcher: http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000722611&_SCENARIO=01100035870000000202&_OBJECT=011000358700000121752008E
    Best regards,
    Ruediger
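
One way to check the "HTTPS only" point from the thread above on a NetWeaver instance is to audit the ICM listener entries in the instance profile. This is an added example, not code from the thread or from SAP: the function names and the sample profile are constructed, and it assumes the standard `icm/server_port_<n>` profile parameter (not named in the thread), where `$$` stands for the instance number and `PORT=0` leaves a listener deactivated.

```python
import re

# Constructed sample instance profile (not taken from any real system).
SAMPLE_PROFILE = """\
# ICM listeners
icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=443$$,TIMEOUT=60
icm/server_port_2 = PROT=SMTP,PORT=0
rdisp/wp_no_dia = 10
"""

PORT_LINE = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.+?)\s*$")

def parse_listeners(profile_text, instance_no="00"):
    """Return one dict per icm/server_port_<n> entry in the profile text."""
    listeners = []
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = PORT_LINE.match(line)
        if not m:
            continue  # not an ICM listener parameter
        opts = {}
        for part in m.group(2).split(","):
            key, _, value = part.partition("=")
            opts[key.strip().upper()] = value.strip()
        # Assumption: "$$" expands to the instance number; PORT=0 means off.
        port = opts.get("PORT", "").replace("$$", instance_no)
        listeners.append({"index": int(m.group(1)),
                          "prot": opts.get("PROT", "").upper(),
                          "port": port, "active": port != "0"})
    return listeners

def plaintext_http_listeners(profile_text, instance_no="00"):
    """Active listeners that still serve unencrypted HTTP."""
    return [l for l in parse_listeners(profile_text, instance_no)
            if l["prot"] == "HTTP" and l["active"]]

def https_only(profile_text, instance_no="00"):
    """True when an HTTPS listener is active and no HTTP listener is."""
    active = [l for l in parse_listeners(profile_text, instance_no) if l["active"]]
    return (any(l["prot"] == "HTTPS" for l in active)
            and not any(l["prot"] == "HTTP" for l in active))

if __name__ == "__main__":
    for l in plaintext_http_listeners(SAMPLE_PROFILE):
        print(f"icm/server_port_{l['index']}: plaintext HTTP on port {l['port']}")
    print("HTTPS only:", https_only(SAMPLE_PROFILE))
```

A profile passes once the HTTP entry is removed or set to `PORT=0`; network-level restrictions in front of the system still need their own review.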

  • Weblogic.management.security with transactions, Please HELP

    I am using the weblogic.management.security.authentication API to programmatically insert/delete users and passwords into/from the default security provider on Weblogic Server 8.1. I want to add transactional support to these actions. I tried using the UserTransaction API but without any luck. Does weblogic.management.security.authentication have no transactional support (rollback-commit) or am I doing something wrong? I very much appreciate your help and am looking forward to hearing from you!!!!
    It doesn't roll back. Here is the code:
    // ctx is the caller's JNDI context (set up elsewhere, not shown in the post)
    UserTransaction transaction = (UserTransaction)ctx.lookup("javax.transaction.UserTransaction");
    transaction.begin();
    // providers is the authentication provider MBean obtained earlier (not shown in the post)
    UserEditorMBean userEditor = (UserEditorMBean)providers;
    userEditor.createUser(userName, password, description);
    // Intended to undo createUser; as reported above, the user is not rolled back
    transaction.rollback();

    I do not think you can have transactions over MBean calls as they communicate with the relevant object over t3 and these objects are possibly in a different class loader.
    -TJ

  • Managing Security

    Documentation states,
    "In Shared Services security mode, you use Shared Services Console, MaxL, or the API to manage security. (Some restrictions exist when managing security using MaxL or the API. See the Oracle Essbase Technical Reference and the Oracle Essbase API Reference.)"
    Can anyone outline the limitation of Maxl?

    Here is the text from the 11.1.2.0 user guide for assigning a user to a report:
    Setting Access to View Reports
    You can set access so that users can only see one report in an Integrated Operational Planning model. For example, if users need to see a particular report in a model to which they do not currently have access, you can configure access to view the report in the model.
    To configure access to a particular report in a model:
    1. Create a new analysis type.
    2. Associate the report to the newly-created analysis type.
    3. Add the user to this analysis type.
    The user then inherits the ownership (or visibility) through the analysis type.
    Note: See “Creating an Analysis Type” on page 120.
    D'oh! Found it on page 145 of the 11.1.2.0 User's Guide:
    Assigning Access Privileges
    To assign access privileges to a user or group:
    1. In the Users and Groups tab in the Administration Workbench, click a user or a group to select it.
       The Edit User or Edit Group screen is displayed.
    2. In Select Object Type, select Analysis Types, Report Workbooks, or Script Templates.
       The objects for the selected object type are displayed.
       - The analysis types that are displayed are defined in the Analysis Types tab in the Model Designer.
       - The report workbooks that are displayed are defined in Workbooks tab in the Model Designer.
       - The script templates that are displayed are defined in the Script Templates tab under Administration. Only non-system script templates are displayed (the System field on the Script Templates tab is set to false).
    3. Click the check box next to an object and select an access option.
       - For Analysis Types, you can provide access to create/update/delete the analysis type.
       - For Report Workbooks, you can provide access to read the report workbook.
       - For Script Templates, you can provide access to execute the script template.
    4. Click OK to save the object access assignments.

  • Glassfish 3.1 Container managed security - custom authentication

    I have used custom authentication with tomcat and it works great. I am moving to glassfish 3.1 and want to set it up there now. I haven't found any specifics for glassfish 3.1. Anybody got it working in GF 3.1?
    Thanks,
    John

    To follow up ...
    I am using container managed security and form based authentication. My custom SJSAS login realm, however, never fails to authenticate users. Instead of failing authentication when a username and password match cannot be found, I add the user to an 'unknown-user' group who has no rights to the application.
    I do this because I can then catch 403 errors for users who have failed authentication (because they are not authorized to access any pages), or for users who are not in the right role to access part of the application.
    It's not the way that I would prefer to handle login 'failures', but it works.

  • What's prepare to step that i can manage security my of web on SAM

    Hi everybody.
    I'm studying Sun Access Manager. I need to configure and manage the security of my company's web application on it. What are the steps to do that?
    Can you show me clearly the steps to implement it?
    Thank you very much.
    VinhNN.

    The option to send reset info will be sent to your rescue email address (part of the account's name should appear where you click on) - is that the account that you are checking, and you've checked the spam folder as well as the Inbox ?
    If it's not appearing then you could re-try it (you won't be able to change the address until you can answer 2 of your questions), or you could see if the instructions on this user tip helps : https://discussions.apple.com/docs/DOC-4551

  • Planning v11.1.2.1  Manage Security Filter "Create" blew away security

    Was testing security for a Native Directory user id and as 'admin'. Did the following within a Planning application (we have several apps):
    Administration > Manage Security Filter
    - checked the box for the Native Directory ID.
    Here it comes.... clicked "Create".
    I have a Shared Services window that was already opened. I can see that all groups are blown away.
    Other symptoms are that that ADMIN id can no longer see any applications with Workspace, or anything else.
    Also Admin id cannot log into EAS
    O_o.
    We have some old LCM dumps available, but still checking as to whether they have everything.
    Solution ideas.

    Do you not back up the planning applications schema/db? Just revert to a previous backup.
    Then if you can recreate the security being wiped and prove it is nothing wrong with your process then log it with Oracle.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Oracle Project Analytics - Project Manager Security Implementation

    Has anyone implemented a security scenario for Project Managers, such that they can only see the information associated to their projects when using EBS as the source? If so,
    - How did you identify the relationship between project managers and their projects? Did you use an initialization block and pull this information in from EBS?
    - Where did you define the security/filtering configuration so that they were limited on what they could see?
    - Did you create a custom responsibility for 'Project Managers' and have them access a set of Project Manager dashboard/reports that followed the Project Manager security model?
    Thanks in advance.
    k
    Please note that I have posted this same question/thread in the BI Apps forum. I didn't want to duplicate effort, but I know different users may only come to this forum. The link to the original thread is below:
    BI Apps Forum Thread
    Oracle Project Analytics - Project Manager Security Implementation

    Coolmesh84,
    Thanks for the great info and reply. This makes complete sense to me, but I just want to make sure I am clear on a couple points:
    > 1. Use an initialization box to filter the user's emp id
    You mean use an init block to pull the user's employee id and store it in a session variable, correct? The session variable will then be used later as part of the filter criteria.
    > 2. and add a filter to the required dimension table in business layer to filter based on the project_manager_id column for the project manager group.
    To implement the step above, would you follow these steps:
    1. Go to Manage->Security
    2. Under Groups, select the group planned to be utilized for this filter (in this case I double clicked the Project Manager group).
    3. I then Click permissions button for this group
    4. Go to the Filters tab of the window that pops up
    5. Add a filter, go to BMM tab and select the Project dimension and then define a filter for Proj Mgr Id = nqsession.employeeid
    > 3. Ideally you should be able to use the OOTB project manager group for this security.
    This is a good point, but a few more questions here - There are a number of Project related groups (see below) in the out of box Oracle BI Apps RPD and all of them essentially roll up to the super group 'Operating Unit Org-based Security'. Is there a best practice or preferred approach for utilizing these groups as they relate to Oracle EBS v12? Is there any good documentation out there to see what the intended use and setup is for these groups? Do all of these groups relate back to an EBS Responsibility? I have read through the OBIA Security Configuration document and basically all it says is to enable the operating unit org initialization block and that's all .. not really all that helpful.
    Thanks again - k
    Project Executives
    - Project Billing Super User
    - Project Costing Super User
    - Project Super User
    - Projects Implementation Super User
    Project Managers
    - Projects Implementation Super User
    - Project Administrator
    - Project Manager
    - Staffing Manager
    - Operations Manager
    - Project Super User
    - Resource Manager
    Project Team Member
    Edited by: user_K on Nov 22, 2010 5:10 PM
