Strange behavior of auto-create destinations and access control
I'm noticing some strange behavior that looks like a bug in IMQ 3.5 SP1 (and earlier). I can't find any mention of this in the Sun Bug parade so I thought I'd ask here.
Background:
1) Admin-created queue named 'foo' exists. Verified with imqcmd.
2) User 'bob' wants to access 'foo' as a consumer.
3) accesscontrol.properties, relevant sections:
queue.foo.consume.allow.user=bob
queue.create.deny.user=*
4) When config.properties has:
imq.autocreate.queue=false
then the connection works fine.
5) However when config.properties has:
imq.autocreate.queue=true
the following error is provided when connecting:
com.sun.messaging.jms.JMSSecurityException: [C4077]: Client is not authorized to create destination : foo
My reading of the manual says that user 'bob' should be able to connect to destination 'foo' even though he doesn't have the queue creation privilege because 'foo' is an administratively created queue that already exists.
A short term workaround is to allow all users to have the create privilege. This is not a good thing from a security design standpoint. I want only one user to have this privilege and all others should not have it. Unfortunately, without this privilege, all other users can no longer connect.
Thanks in advance for any help you can provide on this issue.
I've reproduced this and it sure looks like a bug. I've submitted bug:
5024685 ACLs: queue.create.deny.user=* and imq.autocreate.queue=true interact poorly
I think the best workaround is to set imq.autocreate.queue=false
and administratively create all destinations.
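Added example (not part of the original thread and not the broker's own code): a small Python check that reads the text of accesscontrol.properties and config.properties and lists users who are allowed onto a queue but would hit the C4077 error described above, because auto-create is on and they lack the create permission. The rule evaluation in may_create_queue is a simplified assumption, and the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample inputs that mirror the settings quoted in the post.
ACL_TEXT = "queue.foo.consume.allow.user=bob\nqueue.create.deny.user=*\n"
AUTOCREATE_ON = "imq.autocreate.queue=true\n"
AUTOCREATE_OFF = "imq.autocreate.queue=false\n"

# Per-destination rules that let a principal use a queue.
USE_RULE = re.compile(r"^queue\.([^.]+)\.(?:produce|consume|browse)\.allow\.user$")

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def principals(props, key):
    """Comma-separated principal list for one rule, as a set."""
    return {p.strip() for p in props.get(key, "").split(",") if p.strip()}

def may_create_queue(acl, user):
    """Simplified evaluation (an assumption, not the broker's algorithm):
    a named user beats '*', deny beats allow at the same level, and a
    user matched by no rule is denied."""
    allow = principals(acl, "queue.create.allow.user")
    deny = principals(acl, "queue.create.deny.user")
    if user in deny:
        return False
    if user in allow:
        return True
    return "*" in allow and "*" not in deny

def find_lockouts(acl_text, config_text):
    """Return sorted (user, queue) pairs exposed to the C4077 error:
    auto-create is explicitly on and the user may use the queue but
    may not create destinations."""
    acl, cfg = parse_props(acl_text), parse_props(config_text)
    if cfg.get("imq.autocreate.queue", "").lower() != "true":
        return []  # only an explicit 'true' is flagged here
    hits = set()
    for key in acl:
        match = USE_RULE.match(key)
        if match:
            # '*' entries are skipped: only named users are reported.
            for user in principals(acl, key) - {"*"}:
                if not may_create_queue(acl, user):
                    hits.add((user, match.group(1)))
    return sorted(hits)
```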
Similar Messages
-
I have just installed Firefox 29.0 for Mac.
I get a strange behavior of the tab bar and of the location bar with this new version.
Instead of the location bar, I get two rows of symbols. And it's impossible to write anything in the location bar.
(I'd like to add a screenshot, but I cannot find a way to do it.)
Thank you for your tip.
I found the culprit: it was an extension called RSS Icon 1.0.6.
I removed it and now Firefox 29.0 is working perfectly.
Now I'll have to find a replacement for that extension.
Thank you once again. Your tip was essential. -
Creating Folder and Accessing Files from Folders in mobile phone
Hello Friends,
I am doing my project where I need to create folders and access files from those folders in java enabled mobile phones. But I do not know the required tasks for this. Any type of help is highly appreciated.
Greeting
Saadi
You have to get the classname of the Items you receive from getItems.
There you have only to look for Folder.CLASS_NAME. Example:
// ifsFol sorted by names in ascending order (names of folders and files)
String[] sort_attributes = {"NAME"};
// sort will be ascending
boolean[] sort_orders = {true};
oracle.ifs.common.SortSpecification sort = new oracle.ifs.common.SortSpecification(sort_attributes, sort_orders);
ifsFol.setSortSpecification(sort);
PublicObject[] contents = ifsFol.getItems();
System.out.println("Here are the names of the items in folder: ");
for (int i = 0; i < contents.length; i++) {
    // print only the entries that are folders
    if (contents[i].getClassname().equals(Folder.CLASS_NAME)) {
        System.out.println(contents[i].getName());
    }
}
-
User management and Access Control in HCM Cloud
Hello,
Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions :
- How can I bridge HCM Cloud user store with my on-premise IDM or security repository in order to allow identity governance to flow to HCM Cloud service ?
The only information I got was that you can declare manually and by bulk import through files my users. This is not really interesting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
Is there a SPML or proprietary endpoint to do it automatically ? What are the prerequisites ? Do I have to implement OIM on my side ?
- Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service ?
I do not want to distribute new set of login / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with HCM Cloud service ? What are the prerequisites ? Do I have to implement OAM on my side ?
I accept all pieces of information you can give me on this topic to help me understand the functionalities, limits and options offered by Oracle Cloud and more precisely by HCM Cloud service.
Best regards,
OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
At present, the only way to restrict view and access control is by applying ACLs (which is not the safest bet). -
Inside Identity and Access Control products
Hello,
For the past few months I was working on a blog which can help understanding under the hood of identity and access control products. Please have a look into it and let me know how to improve the contents.
http://identitycontrol.blogspot.com
Latest Topics
1) Video of Federated Access Control
2) RSA Conference 2007 -
Inside identity and access control products : blog
Friends,
Visit my blog http://identitycontrol.blogspot.com to get inside working of the identity and access control products. My effort here is to explain insides in a simple language.
Latest topic I added is "SAML in action"
Please post your comments also so I can improve the contents.
Thanks
Thanks a lot idmguru!!
your efforts are simply awesome..
-Yash Bansal -
Inside of idm and access control products
Hello Friends,
For the past few months I was working on a blog where I shared my past experiences with the IAM products, new technologies and problems faced in the products at a conceptual level. I thought of sharing that with experienced team of technocrats like you. Please have a look into this and let me know how I can improve this.
blog URL --> http://identitycontrol.blogspot.com/
Thanks
idmguru
Friends,
Visit my blog http://identitycontrol.blogspot.com to get inside working of the identity and access control products. My effort here is to explain insides in a simple language.
Latest topic I added is "SAML in action"
Please post your comments also so I can improve the contents.
Thanks -
Computer Lists and Access Control
Hi
I've got OS/X Server 10.4.6 set up to be an OD master and have several linux boxes authenticating to it using kerberos.
Currently, all OD users can login to all the linux boxes, but I'm trying to restrict access to some boxes to a group of users.
I've tried creating a computer list and putting a linux server in this list, then adding entries to the 'access tab' but this doesn't seem to work.
All users can still login to these 'access controlled' servers, in effect the list is ignored.
Has anyone got this working or can shed some light on what I'm doing wrong ?
Thanks,
Mac OS X (10.4.6)
Hi, Tropic
You must load the class into a jar file
Then you must sign the jar file by means of the jarsigner utility provided by the Java SDK
Here is a sample script to do it.
javac SomeApplet.java
jar cvf SomeJarFile.jar SomeApplet.class
keytool -genkey -keystore SomeStoreFile -keyalg rsa -dname "CN=May BeYour Name, OU=IT Dept., O=Company Name, L=Your Location, ST=Your State, C=Your Country" -alias YourAlias -validity 365 -keypass YourPassword -storepass storePasswd
jarsigner -keystore SomeStoreFile -storepass storePasswd -keypass YourPassword -verbose SomeJarFile.jar YourAlias
Regards, -
Nintex Workflow and Access Control
Hello, can anybody help with getting owner permissions on Nintex workflows in Sharepoint 2010 with Powershell.
I also want to ask your opinion about Access control in Sharepoint 2010. Should all Access Control like AD, Sharepoint, Titus be in the hands of Administrator or some of it like Titus be in the hand of the Developers.
Best Regards Olafur_s
Icelandic DBA admin
Hello Hemendra,
Thank you for your answer. I have developers that create sites and lists and they are all Site Collection admin. The problem is that they can go everywhere they want and look into all kinds of sensitive information and do all that they want to do. So basically they are running the system.
I am new to Sharepoint as an admin but I have experience in other systems like AD, Exchange, SQL. The evolution of this Sharepoint system here brought it to the point that the developers have too much admin rights and the system is not working well. I am trying to find the fine line between the Administration part, my work, and the developers part and not stepping on the developers' toes.
Best regards Olafur_s
Icelandic DBA admin -
War file and access control with WebLogic
I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
This is how my weblogic.properties file looks like:
weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
weblogic.password.koko=kokokoko
weblogic.password.arnebelinda=arne1234
weblogic.security.group.ppuseradmins=arnebelinda
and my weblogicURL.policy:
deny Principal weblogic.security.acl.GroupImpl "everyone" {
Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
and finally, my web.xml-file:
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>admin</web-resource-name>
<url-pattern>index.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ppuseradmins</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>WebLogic Server</realm-name>
</login-config>
<security-role>
<role-name>ppuseradmins</role-name>
</security-role>
</web-app>
It does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
Does anybody have a clue? I would really appreciate it!
I am using WebLogic 5.1 sp 9
best regards,
PJ
In your policy file entry, you have specified "/admin/-"
However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin
Could that be the problem ? -
EJB and access control???
Hi all,
I have a question about access control via EJB,
For example I have a client application and on start I will prompt user for user name and password, and now what to do with this information, how to pass it to the ejb server, or??? Or maybe some of you have any link to tutorial as an answer? My EJB will access database and I want to use the access control from database.
Thank you in advance.
Hi Eshwa,
thank you for your reply, I found a nice developer guide on the link that you gave me, but I still have a problem with understanding the practical way to pass user information from client application to ejb server, maybe you can give me a piece of code or a small example, where 2 Strings (user name and password) are obtained and sent to the ejb server to be authenticated, and then to have access to the resources that are accessible for this user (described in the deployment description user - role).
Anyway thank you again.
Best regards Alexander Hincu . -
Standard process for creating Services and accessing Services on EBS 11i
All,
Do you have any kind of documentation that explains how we should handle Services in the EBS 11i?
We have two types of interfaces currently and no one of them uses Services:
1. We create files in some kind of gateway
2. We get files generated in a gateway or when it's the case we access different databases via database link.
I really appreciate your help.
Thanks,
Fernando
Right, but what would be all the standard process for creating a webservice?
Is there any kind of document that shows in detail how to do that? and also, how we should access webservices from other systems?
Thanks for your help.
Fernando -
Strange behavior since auto upgrade to 10.4.11
Since an auto update two days ago, I get a dark box appearing on my screen sometimes where I'm typing, sometimes outlining a window, sometimes on the Back arrow in Safari; I don't perceive a real pattern. It doesn't interfere with anything but it's very annoying.
Also, certain menu items are now duplicated in the Apple menu: Restart, Log Out, and Shut Down appear twice.
How can I clean these up?
Check your settings in System Preferences/Universal Access.
You may have switched on Voice Over accidentally. -
Doing an insert behavior in Dreamweaver CS five and Access?
So there I am doing an Insert Record into a table in Access. I have used this behavior before and have had no problem. When I am doing a form element type selection (for each field in the record) I have no problem – except for the second field. The default value <ignore > cannot be changed: there is no drop-down list as there is with every other field. I have tried changing the name of the field (from Fullname to Fname) thinking that this might be a reserved word problem, but it is not. What could be the problem and what might be the solution?
Thanks!
Ross
I've attached a screenshot that might depict my dilemma a little more thoroughly: about a picture being worth 1000 words? With this I double clicked on the insert behavior. Notice the "insert into column" drop box which has the phrase <ignore > highlighted? I want to have fname inserted into fullname but I cannot do so. I have tried changing the field name in the Access database itself but it makes no difference. I have even tried setting it to a bogus value – one on the list – but I get complaints at runtime about the same input field being stuffed into two columns. So how do I get the actual field name for the column, Fullname, instead of the <ignore >??
Ross