Strange behavior of auto-create destinations and access control

I'm noticing some strange behavior that looks like a bug in IMQ 3.5 SP1 (and earlier). I can't find any mention of this in the Sun Bug parade so I thought I'd ask here.
Background:
1) Admin-created queue named 'foo' exists. Verified with imqcmd.
2) User 'bob' wants to access 'foo' as a consumer.
3) accesscontrol.properties, relevant sections:
queue.foo.consume.allow.user=bob
queue.create.deny.user=*
4) When config.properties has:
imq.autocreate.queue=false
then the connection works fine.
5) However when config.properties has:
imq.autocreate.queue=true
the following error is provided when connecting:
com.sun.messaging.jms.JMSSecurityException: [C4077]: Client is not authorized to create destination : foo
My reading of the manual says that user 'bob' should be able to connect to destination 'foo' even though he doesn't have the queue creation privilege because 'foo' is an administratively created queue that already exists.
A short term workaround is to allow all users to have the create privilege. This is not a good thing from a security design standpoint. I want only one user to have this privilege and all others should not have it. Unfortunately, without this privilege, all other users can no longer connect.
Thanks in advance for any help you can provide on this issue.

I've reproduced this and it sure looks like a bug. I've submitted bug:
5024685 ACLs: queue.create.deny.user=* and imq.autocreate.queue=true interact poorly
I think the best workaround is to set imq.autocreate.queue=false
and administratively create all destinations.
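
A small check for the combination reported in this thread, as an added example that is not part of the original posts or of the product: it reads the contents of config.properties and accesscontrol.properties and flags `queue.create.deny.user=*` together with `imq.autocreate.queue=true`, as well as the short-term workaround of granting create to everyone. The function names and finding codes are made up for this example, and `queue.create.allow.user` is assumed to be the allow-side form of the deny rule quoted in the question.

```python
# Added example: lint for the broker settings discussed in this thread.
# Function names and finding codes are hypothetical, not part of the product.

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def principals(value):
    """Split a comma-separated principal list into a set."""
    return {p.strip() for p in value.split(",") if p.strip()}


def lint(config_text, acl_text):
    """Return finding codes for one config.properties / ACL file pair."""
    config = parse_properties(config_text)
    acl = parse_properties(acl_text)
    # Only an explicit 'true' counts as enabled; a missing key is not
    # interpreted, since the broker default is not stated in the thread.
    autocreate = config.get("imq.autocreate.queue", "").lower() == "true"
    denied = principals(acl.get("queue.create.deny.user", ""))
    # Assumption: queue.create.allow.user is the allow-side form of the rule.
    allowed = principals(acl.get("queue.create.allow.user", ""))
    findings = []
    if autocreate and "*" in denied:
        # Combination reported above: consumers of existing queues get C4077.
        findings.append("AUTOCREATE_WITH_CREATE_DENY_ALL")
    if autocreate and "*" in allowed:
        # The short-term workaround: every user holds the create privilege.
        findings.append("CREATE_OPEN_TO_ALL")
    return findings


# Constructed inputs built from the settings quoted in the thread.
ACL = "queue.foo.consume.allow.user=bob\nqueue.create.deny.user=*\n"
ACL_WORKAROUND = "queue.foo.consume.allow.user=bob\nqueue.create.allow.user=*\n"

if __name__ == "__main__":
    for name, cfg, acl in [
        ("reported", "imq.autocreate.queue=true", ACL),
        ("short-term workaround", "imq.autocreate.queue=true", ACL_WORKAROUND),
        ("recommended", "imq.autocreate.queue=false", ACL),
    ]:
        print(name, lint(cfg, acl))
```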

Similar Messages

  • I get a strange behavior of the tab bar and of the location bar in Firefox 29.0 for Mac.

    I have just installed Firefox 29.0 for Mac.
    I get a strange behavior of the tab bar and of the location bar with this new version.
    Instead of the location bar, I get two rows of symbols. And it's impossible to write anything in the location bar.
    (I'd like to add a screenshot, but I cannot find a way to do it.)

    Thank you for your tip.
    I found the culprit: it was an extension called RSS Icon 1.0.6.
    I removed it and now Firefox 29.0 is working perfectly.
    Now I'll have to find a replacement for that extension.
    Thank you once again. Your tip was essential.

  • Creating Folder and Accessing Files from Folders in mobile phone

    Hello Friends,
    I am doing my project where I need to create folders and access files from those folders in Java-enabled mobile phones. But I do not know the required tasks for this. Any type of help is highly appreciated.
    Greeting
    Saadi

    You have to get the classname of the Items you receive from getitems.
    There you have only to look for Folder.CLASS_NAME. Example:
    // ifsFol sorted by names in ascending order (names of folders and files)
    String[] sort_attributes = {"NAME"};
    // sort will be ascending
    boolean[] sort_orders = {true};
    oracle.ifs.common.SortSpecification sort = new oracle.ifs.common.SortSpecification(sort_attributes, sort_orders);
    ifsFol.setSortSpecification(sort);
    PublicObject[] contents = ifsFol.getItems();
    System.out.println("Here are the names of the items in folder: ");
    for (int i = 0; i < contents.length; i++) {
        // print only the entries that are folders
        if (contents[i].getClassname().equals(Folder.CLASS_NAME)) {
            System.out.println(contents[i].getName());
        }
    }

  • User management and Access Control in HCM Cloud

    Hello,
    Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions :
    - How can I bridge the HCM Cloud user store with my on-premise IDM or security repository in order to allow identity governance to flow to the HCM Cloud service?
    The only information I got was that you can declare my users manually and by bulk import through files. This is not really interesting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
    Is there an SPML or proprietary endpoint to do it automatically? What are the prerequisites? Do I have to implement OIM on my side?
    - Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service?
    I do not want to distribute a new set of logins / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with the HCM Cloud service? What are the prerequisites? Do I have to implement OAM on my side?
    I accept all pieces of information you can give me on this topic to help me understand the functionalities, limits and options offered by Oracle Cloud and more precisely by the HCM Cloud service.
    Best regards,

    OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
    At present, the only way to restrict view and access control is by applying ACLs (which is not the safest bet).

  • Inside Identity and Access Control products

    Hello,
    For the past few months I was working on a blog which can help understanding under the hood of identity and access control products. Please have a look into it and let me know how to improve the contents.
    http://identitycontrol.blogspot.com

    Latest Topics
    1) Video of Federated Access Control
    2) RSA Conference 2007

  • Inside identity and access control products : blog

    Friends,
    Visit my blog http://identitycontrol.blogspot.com to get the inside working of the identity and access control products. My effort here is to explain the insides in simple language.
    The latest topic I added is "SAML in action"
    Please post your comments also so I can improve the contents.
    Thanks

    Thanks a lot idmguru!!
    your efforts are simply awesome..
    -Yash Bansal

  • Inside of idm and access control products

    Hello Friends,
    For the past few months I was working on a blog where I shared my past experiences with the IAM products, new technologies and problems faced in the products at a conceptual level. I thought of sharing that with an experienced team of technocrats like you. Please have a look into this and let me know how I can improve this.
    blog URL --> http://identitycontrol.blogspot.com/
    Thanks
    idmguru

  • Computer Lists and Access Control

    Hi
    I've got OS/X Server 10.4.6 setup to a be an OD master and have several linux boxes authenticating to it using kerberos.
    Currently, all OD users can login to all the linux boxes, but I'm trying to restrict access to some boxes to a group of users.
    I've tried creating a computer list and putting a linux server in this list, then adding entries to the 'access tab' but this doesn't seem to work.
    All users can still login to these 'access controlled' servers, in effect the list is ignored.
    Has anyone got this working or can shed some light on what I'm doing wrong ?
    Thanks,
      Mac OS X (10.4.6)  

    Hi, Tropic
    You must load the class into a jar file.
    Then you must sign the jar file by means of the jarsigner utility provided by the Java SDK.
    Here is a sample script to do it.
    javac SomeApplet.java
    jar cvf SomeJarFile.jar SomeApplet.class
    keytool -genkey -keystore SomeStoreFile -keyalg rsa -dname "CN=May BeYour Name, OU=IT Dept., O=Company Name, L=Your Location, ST=Your State, C=Your Country" -alias YourAlias -validity 365 -keypass YourPassowrd -storepass storePasswd
    jarsigner -keystore SomeStoreFile -storepass storePasswd -keypass YourPassowrd -verbose SomeJarFile.jar YourAlias
    Regards,

  • Nintex Workflow and Access Control

    Hello, can anybody help with getting owner permissions on Nintex workflows in Sharepoint 2010 with Powershell.
    I also want to ask your opinion about Access control in Sharepoint 2010. Should all Access Control like AD, Sharepoint, Titus be in the hands of Administrator or some of it like Titus be in the hand of the Developers.
    Best Regards Olafur_s
    Icelandic DBA admin

    Hello Hemendra,
    Thank you for your answer. I have developers that create sites and lists and they are all Site Collection admin. The problem is that they can go everywhere they want and look into all kinds of sensitive information and do all that they want to do. So basically they are running the system.
    I am new to Sharepoint as an admin but I have experience in other systems like AD, Exchange, SQL. The evolution of this Sharepoint system here brought it to the point that the developers have too much admin rights and the system is not working well. I am trying to find the fine line between the Administration part, my work, and the developers part and not stepping on the developers' toes.
    Best regards Olafur_s
    Icelandic DBA admin

  • War file and access control with WebLogic

    I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
    This is how my weblogic.properties file looks like:
    weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
    weblogic.password.koko=kokokoko
    weblogic.password.arnebelinda=arne1234
    weblogic.security.group.ppuseradmins=arnebelinda
    and my weblogicURL.policy:
    deny Principal weblogic.security.acl.GroupImpl "everyone" {
    Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    and finally, my web.xml-file:
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
         <session-config>
              <session-timeout>30</session-timeout>
         </session-config>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>admin</web-resource-name>
                   <url-pattern>index.jsp</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>ppuseradmins</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>WebLogic Server</realm-name>
         </login-config>
         <security-role>
              <role-name>ppuseradmins</role-name>
         </security-role>
    </web-app>
    it does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
    Does anybody have a clue? I would really appreciate it!
    I am using WebLogic 5.1 sp 9
    best regards,
    PJ

    In your policy file entry, you have specified "/admin/-"
    However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin
    Could that be the problem ?

  • EJB and access control???

    Hi all,
    I have a question about access control via EJB,
    For example I have a client application and on start I will prompt the user for a user name and password, and now what to do with this information, how to pass it to the EJB server, or??? Or maybe some of you have a link to a tutorial as an answer? My EJB will access a database and I want to use the access control from the database.
    Thank you in advance.

    Hi Eshwa,
    thank you for your reply, I found a nice developer guide on the link that you gave me, but I still have a problem with understanding the practical way to pass user information from the client application to the EJB server. Maybe you can give me a piece of code or a small example, where 2 Strings (user name and password) are obtained and sent to the EJB server to be authenticated, and then to have access to the resources that are accessible for this user (described in the deployment description user - role).
    Anyway thank you again.
    Best regards Alexander Hincu .

  • Standard process for creating Services and accessing Services on EBS 11i

    All,
    Do you have any kind of documentation that explains how we should handle Services in the EBS 11i?
    We have two types of interfaces currently and no one of them uses Services:
    1. We create files in some kind of gateway
    2. We get files generated in a gateway or when it's the case we access different databases via database link.
    I really appreciate your help.
    Thanks,
    Fernando

    Right, but what would be all the standard process for creating a webservice?
    Is there any kind of document that shows in detail how to do that? and also, how we should access webservices from other systems?
    Thanks for your help.
    Fernando

  • Strange behavior since auto upgrade to 10.4.11

    Since an auto update two days ago, I get a dark box appearing on my screen sometimes where I'm typing, sometimes outlining a window, sometimes on the Back arrow in Safari; I don't perceive a real pattern. It doesn't interfere with anything but it's very annoying.
    Also, certain menu items are now duplicated in the Apple menu: Restart, Log Out, and Shut Down appear twice.
    How can I clean these up?

    Check your settings in System Preferences/Universal Access.
    You may have switched on Voice Over accidentally.

  • Doing an insert behavior in Dreamweaver CS five and Access?

    So there I am doing an Insert Record into a table in Access. I have used this behavior before and have had no problem. When I am doing a form element type selection (for each field in the record) I have no problem – except for the second field. The default value <ignore > cannot be changed: there is no drop-down list as there is with every other field. I have tried changing the name of the field (from Fullname to Fname) thinking that this might be a reserved word problem, but it is not. What could be the problem and what might be the solution?
    Thanks!
    Ross

    I've attached a screenshot that might depict my dilemma a little more thoroughly: about a picture being worth 1000 words? With this I double clicked on the insert behavior. Notice the "insert into column" drop box which has the phrase <ignore > highlighted? I want to have fname inserted into fullname but I cannot do so. I have tried changing the field name in the Access database itself but it makes no difference. I have even tried setting it to a bogus value – one on the list – but I get complaints at runtime about the same input field being stuffed into two columns. So how do I get the actual field name for the column, Fullname, instead of the <ignore >??
    Ross
