Toplink Proxy Authentication with 10.1.3 problem

Similar Messages

• How to pass Proxy user dynamically in Toplink proxy authentication?

  Hi,
  I'm using Toplink Proxy Authentication with my ADF JSF application and want to pass the Proxy user dynamically to the preLogin(..) method of mySessionEventListener (Currently proxy user is hard coded).
  This is to make my application user as the Proxy user.
  I have tried to do this in two ways:
  1) In my Login screen Backing Bean, I retrieve the session as
  session = sessionFactory.acquireSession(); and set the application user in it as
  session.setProperty("proxyUser1", inputText1.getValue());
  But,
  session.getProperty("proxyUser1") returns null in the preLogin(..) method
  2) I add a loginUser property to the mySessionEventListener class and create a constructor to set it.
  Then I call the constructor from my Login Backing Bean as
  mySessionEventListener eventMgr = new mySessionEventListener(<proxy_user>);
  session.getEventManager().addListener( eventMgr );
  But, the loginUser property seeems to be transient and does not retain value when retrieved in preLogin(..) method.
  Please indicate if anything is wrong. Also, is there any other way to get this done?
  Thanks in advance.
  Vikas

  Hi Vikas,
  Probably your sessions.xml defines a ServerSession, and acquireSession method returns a ClientSession. ServerSession is the object that connects to the database, it may have any number of ClientSessions associated with it - all of them use connections provided by ServerSession's connection pools.
  So if you'd like to alter the serverSession before login, acquireSession is too late - it triggers login of the ServerSession and returns a ClientSession.
  To get the ServerSession before login:
  // the first param indicates that the session shouldn't be connected
  Session serverSession = sessionFactory.getSharedSession(false, false);Now you have a serverSession on which login hasn't been called yet.
  You can set the property into the session, or directly into its login.
  In fact you may choose to do whatever you wanted to do in preLogin right here - in this case no preLogin event would be required of course.
  Finally to get a ClientSession, call the same api did:
  // the first param indicates that the session shouldn't be connected
  Session clientSession = sessionFactory.getSession();On the first such call the ServerSession will be connected.
  Note that because all the ClientSessions will connect through the connections provided by the same ServerSession they will all use proxyUser1.
  If you are interested in using different proxy users for different ClientSessions http://www.oracle.com/technology/products/ias/toplink/doc/1013/main/_html/dblgcfg008.htm#BABDABCF lists several scenarios for that.
  Andrei

• TopLink Proxy authentication issue

  Hello all,
  I tried to use proxy authentication for TopLink for connecting to a database via TopLink in a J2EE application deployed on an Oracle iAS 10.1.2. For doing that, I tried to follow the steps described in the TopLink documentation (http://www.oracle.com/technology/products/ias/toplink/doc/1013/main/_html/dblgcfg008.htm#BABDABCF) with the last scenario, "Server Session uses Proxy Connection".
  According to the previously mentioned documentation, I created a session event handler for the preLoginEvent session event, the preLogin(SessionEvent event) method that I copied below.
  The issue with this is that, when I try to run a TopLink query in a Java DAO class, I obtained some exceptions. There are two cases here:
  1-If the code preLogin(SessionEvent event) is exactly as below, it seems that the queried views/tables cannot be seen. The exception obtained is:
  Exception [TOPLINK-4002] (Oracle TopLink - 10g Release 3 (10.1.3.0.0) (Build 060118)): oracle.toplink.exceptions.DatabaseException
  Internal Exception: java.sql.SQLException: ORA-00942: table or view does not exist
  Error Code: 942
  Call:SELECT count(*) FROM CIFHUB.SCQA_TEMPLATE
  Query:DataReadQuery()
  at oracle.toplink.exceptions.DatabaseException.sqlException(DatabaseException.java:290)
  at oracle.toplink.internal.databaseaccess.DatabaseAccessor.basicExecuteCall(DatabaseAccessor.java:570)
  at oracle.toplink.internal.databaseaccess.DatabaseAccessor.executeCall(DatabaseAccessor.java:442)
  at oracle.toplink.threetier.ServerSession.executeCall(ServerSession.java:453)
  at oracle.toplink.internal.queryframework.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:117)
  at oracle.toplink.internal.queryframework.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:103)
  at oracle.toplink.internal.queryframework.DatasourceCallQueryMechanism.executeSelectCall(DatasourceCallQueryMechanism.java:174)
  at oracle.toplink.internal.queryframework.DatasourceCallQueryMechanism.executeSelect(DatasourceCallQueryMechanism.java:156)
  at oracle.toplink.queryframework.DataReadQuery.executeNonCursor(DataReadQuery.java:118)
  at oracle.toplink.queryframework.DataReadQuery.executeDatabaseQuery(DataReadQuery.java:110)
  at oracle.toplink.queryframework.DatabaseQuery.execute(DatabaseQuery.java:603)
  at oracle.toplink.queryframework.DataReadQuery.execute(DataReadQuery.java:96)
  at oracle.toplink.publicinterface.Session.internalExecuteQuery(Session.java:2062)
  at oracle.toplink.publicinterface.Session.executeQuery(Session.java:981)
  at oracle.toplink.publicinterface.Session.executeQuery(Session.java:938)
  at oracle.toplink.publicinterface.Session.executeSelectingCall(Session.java:1027)
  at oracle.service.infra.myservlet.ACSProxyTestServlet.callTopLinkQuery3(ACSProxyTestServlet.java:138)
  at oracle.service.infra.myservlet.ACSProxyTestServlet.doGet(ACSProxyTestServlet.java:60)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
  at oracle.service.infra.servlets.SecurityFilter.doFilter(SecurityFilter.java:105)
  at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:663)
  at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
  at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
  at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
  at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
  at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
  at java.lang.Thread.run(Thread.java:534)
  2 - If in the preLogin(SessionEvent event) code, the line login.setProperty("proxytype", Integer.toString(OracleConnection.PROXYTYPE_USER_NAME)); is uncommented, then another exception is obtained. In this case another exception is obtained: an Invalid User/Password exception is thrown. If I comment this line, the login is successfull, but I obtain the exception at section 1.
  I have to tell you in both cases the parameters of the Data source are properly set. I tested the datasource in another servlet where I created directly the connection based on the same datasource taken from the application server's JNDI.
  Do you have any hint or idea about this issue?
  Thanks a lot in advance!
  Regards,
  Marinel
  public void preLogin(SessionEvent event)
  DatabaseLogin login = event.getSession().getLogin();
  // Make sure that external connection pooling is used
  login.setUsesExternalConnectionPooling(true);
  // Custom code to get the connector
  try
  login.setConnector(new OracleJDBC10_1_0_2ProxyConnector("jdbc/acs_proxyDS"));
  } catch (Exception ex)
  ex.printStackTrace();
  // End of custom code to get connector
  // login.setProperty("proxytype", Integer.toString(OracleConnection.PROXYTYPE_USER_NAME));
  login.setProperty(OracleConnection.PROXY_USER_NAME, "[email protected]");
  login.setProperty(OracleConnection.PROXY_DISTINGUISHED_NAME, "cn=my_name,l=emea,dc=oracle,dc=com");
  String[] roles = new String[1];
  roles[0] = "Manager";
  login.setProperty(OracleConnection.PROXY_ROLES, roles);
  }

  Hi, I am also working on proxy authentication and am having the same problem as Marinel.
  If I use a normal jdbc proxy connection, I can access the table just fine, and using a direct Toplink connection works fine.However, when i try and use proxy authentication via Toplink, i do not have permissions on the table.
  From your last update,it seems that if I want to use DISTINGUISED NAME authentication, I should set "proxytype" to OracleConnection.PROXYTYPE_DISTINGUISHED_NAME, and set OracleConnection.PROXY_DISTINGUISHED_NAME to the full user distinguised name.
  I have temporarily altered my preLogin Event as below to show these two scenarios, to access the table via normal jdbc proxy connection (and this part works), and then below that I try and set up the Toplink proxy session(which fails).
  public void preLogin(SessionEvent event) {
  DatabaseLogin login = event.getSession().getLogin();
  // Make sure that external connection pooling is used
  login.setUsesExternalConnectionPooling(true);
  String urlThin =
  "<jdbc_url>";
  OracleDataSource ds;
  OracleConnection oc = null;
  try {
  // Part 1 - Setup and access the PROXYDUMMY1 table using jdbc proxy sessions
  DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
  ds = new OracleDataSource();
  ds.setURL(urlThin);
  Properties props = new java.util.Properties();
  props.put(OracleConnection.PROXY_DISTINGUISHED_NAME,
  "cn=firstname_lastname,l=emea,dc=oracle,dc=com"); props.put("proxytype",OracleConnection.PROXYTYPE_DISTINGUISHED_NAME);
  ds.setUser("database_account");
  ds.setPassword("database_password");
  oc = (OracleConnection)ds.getConnection();
  oc.openProxySession (OracleConnection.PROXYTYPE_DISTINGUISHED_NAME, props);
  String sql= " SELECT COL1, COL2 FROM PROXYDUMMY1";
  Statement stmt = oc.createStatement();
  ResultSet rSet = stmt.executeQuery(sql);
  System.out.println("==============User requested data=================");
  while ( rSet.next() )
  System.out.println(rSet.getString(1));
  rSet.close();
  stmt.close();
  //Part 2 - set up the proxy session for use by Toplink
  login.setConnector(new OracleJDBC10_1_0_2ProxyConnector(ds));
  login.setProperties(props);
  } catch (Exception e) {
  System.out.println("Exception: ProxyConnection.getConnection: "+e.getMessage());
  e.printStackTrace();
  }

• Proxy Authentication with JDBC Datasource instead of JDBC URL?

  Hello,
  A requirement for my current project (ADF 10g) is that a user should be able to log in with his regular database account. For the moment, this is implemented using Proxy Authentication, as described in the following article:
  http://blogs.oracle.com/jheadstart/2008/01/using_proxy_authentication.html
  For now, we are using a JDBC URL defined in the application module config for the BC. In short: a ProxyAuthConnectionPoolManager class was created that overrides the default ConnectionPoolManagerImpl. The getConnection method has been overridden to create a standard connection (with the username/pw defined on the AM), and additionally, create a proxy connection within this connection with the specific user credentials. The (simplified) code:
      public Connection getConnection(String key, String url, Properties props, String username, String pwd) {
          // first fetch a default connection from the pool through the superclass
          Connection connection = super.getConnection(key, url, props, username, pwd);
          // cast into an OracleConnection
          OracleConnection oraConnection = (OracleConnection) connection;
              // close any proxy sessions that would still exist on the connection
              if (oraConnection.isProxySession()) oraConnection.close(OracleConnection.PROXY_SESSION);
              // get a handle on the session scope
              Map sessionScope = ADFContext.getCurrent().getSessionScope();
              if (sessionScope != null) {
                  // find the user object in the session (the account the user logs in with)
                  ProxyAuthUser user = (ProxyAuthUser) sessionScope.get(ProxyAuthUser.JHS_USER_KEY);
                  if (user != null) {
                      // create a property map with the end user credentials
                      Properties proxyProps = new Properties();
                      proxyProps.put(OracleConnection.PROXY_USER_NAME, user.getDbUsername() + "/" + user.getDbPassword());
                      proxyProps.put(OracleConnection.PROXY_USER_PASSWORD, user.getDbPassword());
                      // open the proxy session
                      oraConnection.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, proxyProps);
              return oraConnection; 
      }Now, this works perfectly when using a JDBC URL. But when I switch the JDBC Datasource the ProxyAuthConnectionPoolManager class is not called anymore. This is all done in code in the Application Server. While using a JDBC Datasource is actually necessary: otherwise for each environment (dev, test, production,...) a different WAR file is needed.
  What class can I override with code similar to the piece above, to open a proxy connection inside the existing connection, when using a JDBC Datasource?
  Your help would be greatly appreciated!
  Chris

  Hello Krasimir,
  Frank Nimphius gave me the solution to this problem. The prepareSession is indeed the best place to put the code:
     private OracleConnection oconn = null;
     public void prepareSession(SessionData SessionData) {
        super.prepareSession(SessionData);
        oconn = ((PrxyTransactionImpl)this.getDBTransaction()).getPrxyConnection();
        // Specify the user that connects through the proxy user and its roles
        Properties prop = new Properties();
        prop.put(OracleConnection.PROXY_USER_NAME,"hr");
        prop.put(OracleConnection.PROXY_USER_PASSWORD,"hr");
        //prop.put(OracleConnection.PROXY_ROLES, roles);
        // Open the proxy session (DB-authenticated users)
        try {
           oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
        catch (SQLException e) {
           // Close the connection, to avoid connection to remain open after exception
           oconn.abort();
           e.printStackTrace();
     }But Frank also created the following helper classes to extend the ADF BC behavior:
     package oracle.sample.dbprxy.adfbc;
     import oracle.jbo.server.DBTransactionImpl2;
     import oracle.jbo.server.DatabaseTransactionFactory;
      * TransactionFactory that returns PrxTransactionImpl, which is a subclass of
      * DBTransactionImpl2
      * @author Frank Nimphius
     public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory {
        public PrxyDatabaseTransactionFactory() {
           super();
         * Override the create method to return an instance of PrxyTransactionImpl instead
         * of DBTransactionImpl2
         * @return PrxyTransactionImpl
        public DBTransactionImpl2 create() {
           return new PrxyTransactionImpl();
     package oracle.sample.dbprxy.adfbc;
     import oracle.jbo.server.DBTransactionImpl2;
     import oracle.jdbc.internal.OracleConnection;
     public class PrxyTransactionImpl extends DBTransactionImpl2 {
        public PrxyTransactionImpl() {
           super();
         * The DBTransactionImpl2 does not expose the connection in a public
         * method. This class is a wrapper to expose the connection to the
         * BC app, so it can be accessed in the ApplicationModuleImpl class
         * @return OracleConnection - SQL Connection
        public OracleConnection getPrxyConnection() {
           return (OracleConnection) this.getJdbcConnection();
     }In the configuration of your Application Module, you have to set the property "TransactionFactory" (normally the last one in the list) to oracle.sample.dbprxy.adfbc.PrxyDatabaseTransactionFactory. This way, the DBTransaction() of your AM will have a getPrxyConnection() method and you will have the connection at your disposal. You won't need the createPreparedStatement in your code anymore.
  To close the connection, this is the code behind my "logout button" on the backing bean. Application Module Pooling and Connection Pooling will take care of the rest for you!
     ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
     HttpSession session = (HttpSession)ectx.getSession(false);
     session.invalidate();Another thing: be sure to set the internalconnection property to a different JDBC Datasource (or file based) than the one you are using to connect to the database (the default value). Otherwise connection pooling will be confused and there will be too much pending database connections.
  This works for me, all sessions are closed in time and logging out seems secure. I do not have my complete, adjusted code here at my disposal, but next week, when I'm back at work, I'll have a look to see if there is anything I forgot to mention. So this should get you started, but I'll keep you posted!
  A huge thank you to Frank again for helping me (/us) out with this problem!! And sorry I forgot to post the answer here sooner. I was too busy with testing it. :-)
  Regards,
  Chris

• Proxy authentication with WebStart

  I am trying to understand how WebStart handles proxy authentication for HTTP between my WebStart client and the server.
  WebStart prompts the user for the proxy userid/password when my application starts. This occurs when WebStart attempts to download the jars.
  However, now my application starts and wants to start communicating with the host. I am using URLConnection to make HTTP requests back to the same server.
  My question is: "How does WebStart help with the proxy authentication for MY http requests?"
  Does it insert the correct Authentication header on every HTTP request I create?

  I am trying to understand how WebStart handles
  WebStart prompts the user for the proxy
  userid/password when my application starts. This
  occurs when WebStart attempts to download the jars.
  However, now my application starts and wants to start
  communicating with the host. I am using URLConnection
  to make HTTP requests back to the same server.
  My question is: "How does WebStart help with the proxy
  authentication for MY http requests?"
  Does it insert the correct Authentication header on
  every HTTP request I create?Let's split this in two topics.
  1. How is proxy authenication supposed to work
  2. What does Web Start
  Easiest way to figure out Web Start's behaviour is to do some network monitoring. On a Unix box use something like tcpdump to monitor the raw packet traffic and strings|grep for URLs. (There is more advanced monitor software available). Fire up Web Start, authenticate. Watch. You need admin priviledges of course.
  Second method would be to analyse Web Start sources, which is available under the Sun community license.
  Now comes the interesting question, who proxy authentication is supposed to work.
  I had this problem some years ago, when our application was tested from within a corporate network that used a proxy that demanded authentication.
  The tricky part was, that our database server asked for an authentication too!
  So one would have to provide a (user:password) pair to the proxy and another (user:password) pair to the web server in front of the database.
  At that time I found no solution.
  To my best knowledge there is only one http-authentication header in the HTTP header section possible, that carries the base64 encoded (user:password) pair. But I would need two and some means to tell which header of the two is for the proxy and which for the destination web server.
  Second, HTTP is a stateless protocol. This means every HTTP request has no state in common with the HTTP requests before and after.
  Analysis of the just open sourced Mozilla code base showed that Netscape handles proxy authentication against this design rule. Netscpae just issues the same HTTP request for the doc two times. The first time with authentication for the proxy, then the proxy seems to memorize that particular request (so much for the statelessness), and when Netscape fires the second HTTP request, this time with authentication for the destination server, the proxy just lets this request through (BIG BIG security hole here) and the authentication is not fished out by the proxy but will arrive at the destination server.
  I was not able to find out at that time, if this behaviour was handled by any standard/RFC. What would happen if 5 proxies with authorization request were between me and the target server?
  Hope this helps somehow.
  Marc

• WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

  Hi,
  I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
  0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
  In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
  a second request with NTLMSSP_AUTH is sent.
  Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
  I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
  Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
  WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
  Any idea?
  Thanks

  Hi,
  I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
  0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
  In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
  a second request with NTLMSSP_AUTH is sent.
  Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
  I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
  Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
  WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
  Any idea?
  Thanks

• Proxy authentication with 5800

  Hi, I've a 5800. With domestic WiFi all works fine. In the university WiFi I need to authenticate to a proxy server but, while the proxy address and port is present in the configuration window, username and password are asked only through web browser. This means that only web browser works while email and other programs (nimbuzz, opera mini, sport tracker, accuweather, ecc, ecc) don't.
  I also tried the simple unix form usernameassword@address instead of the simple address of proxy server but the infos are ignored.
  Is it possible to specify in some way this info as part of the connection? Or at least is it planned to add them in a future firmware release (At the moment I'm using release 21)?
  Thanks
  Walter 

  I totally agree with Walter.
  When the Internet connection you'd like to use has a proxy that REQUIRES AUTHENTICATION, the only online application that can be used is the built-in browser because it asks for user and password.
  This is a shame. It would This kind of configuration should be done at the same place you can specify the proxy address and port.
  Suzuki

• SG300: MAC authentication with Radius VLAN assignment problems

  Hi,
  I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
  Here's the final switch config:
  config-file-header
  switchf460dc
  v1.3.7.18 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode switch
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
  no spanning-tree
  vlan database
  vlan 12,100,110,666
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  dot1x system-auth-control
  no bonjour enable
  hostname switchf460dc
  line ssh
  exec-timeout 0
  exit
  encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
  logging host 1.2.3.4 severity debugging
  passwords aging 0
  ip ssh server
  snmp-server server
  snmp-server community public ro 192.168.99.93 view Default
  clock timezone " " +1
  clock summer-time web recurring eu
  clock source sntp
  sntp unicast client enable
  sntp server 172.16.1.1
  interface vlan 12
   ip address 192.168.99.170 255.255.255.0
   no ip address dhcp
  interface gigabitethernet5
   dot1x host-mode multi-sessions
   dot1x reauthentication
   dot1x authentication mac
   dot1x radius-attributes vlan static
   dot1x port-control auto
   switchport mode general
   switchport general allowed vlan add 100,110,666 untagged
   no macro auto smartport
  interface gigabitethernet6
   switchport mode access
   switchport access vlan 110
  interface gigabitethernet9
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet10
   switchport trunk allowed vlan add 12,100,110
  exit
  ip default-gateway 192.168.99.1
  On the switch side I would expect VLAN 666 to be set but it's not there:
  switchf460dc#show dot1x users
                            MAC               Auth   Auth   Session        VLAN
  Port     Username         Address           Method Server Time
  gi5      0090dca15880     00:90:dc:a1:58:80 MAC    Remote 01:09:25
  This is the radius users file. It's a simple file for test.
  DEFAULT Auth-Type := Accept
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 666
  I am attaching a screenshot of the Radius reply sent by the server.
  I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
  It may be that the tag is missing in the Radius reply? If yes, how do I add it?
  Any ideas?
  Thanks.
  Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.

  I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
  So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
  I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
  Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.

• N-Tier proxy authentication.

  I need to implement N-Tier proxy authentication, could some one point me to right link. I found some on the Oracle Doc, buts not helping me , because it does not provide any code or example.
  http://download-west.oracle.com/docs/cd/B13789_01/network.101/b10777/authuser.htm#1006352
  and
  http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adgsec03.htm#1004584
  We have 9iAS, OID and 9iDB Rel2 and some other application server ie Cold Fusion etc, application are written in Cold Fusion and user login , I would like them to be authenticated via OID. I donot want to create a dtabase user for every application user too. We would like to use OID, however, we are also planning to use Fine Grained Security Control ( FGSC) too for row level security.
  Thanks
  Suhail

  Bad news
  Basically it is only supported when via Oracle Portal. I am not sure of the exact implementation and how it may work with providers for oracle portal.
  Now the good news,
  I have a way by implementing a couple of simple internal pl/sql packages that mod_plsql utilizes you can support n-tier proxy authentication with certs with or without Oracle SSO.

• Proxy Authentication Error in Web Service with SAAJ on Weblogic 9.2 MP3

  Hi,
  I have encountered a problem with proxy authentication in SAAJ web service (WS) calls on Weblogic 9.2 MP3.
  My WS client (which uses SAAJ's SOAP classes) should use a proxy that requires authentication to call the external web services.
  However, it does not perform the authentication and receives HTTP Error 407 - Unauthorized.
  The reason seems to be that Weblogic's Http Handler (weblogic.net.http.Handler) ignores the proxy authentication.
  I was able to work around it by setting sun's http handler explicitly in the WS endpoint URL. Sun's handler (sun.net.www.protocol.http.Handler) makes use of the Authenticator class I provided.
  1. Please see my code below and let me know if this is the only solution or if I'm doing something wrong. While testing on Tomcat I did not have to set the handler.
  2. I have seen that there are also System properties for http.proxyUser and http.proxyPasword, however if I use these and ommit setting the SimpleAuthenticator, it also fails (with either handler!). An explanation of that is welcome.
  Thanks in advance.
  Code:
  ===========================================================
  System.setProperty("http.proxySet", "true");
  System.setProperty("http.proxyHost", "localhost");
  System.setProperty("http.proxyPort", "808");
  //System.setProperty("http.proxyUser", "myuser");
  //System.setProperty("http.proxyPassword", "mypw");
  Authenticator.setDefault(new SimpleAuthenticator("myuser", "mypw"));
  String urlString = "http://someurl:8080/webservice..";
  URL endpoint1 = new URL(urlString);
  URL endpoint2 = new URL(null, urlString, new sun.net.www.protocol.http.Handler());
  SOAPConnectionFactory soapfactory = SOAPConnectionFactory.newInstance();
  SOAPConnection connection = soapfactory.createConnection();
  connection.call(message, endpoint1); // Gives Exception with HTTP Error 407
  connection.call(message, endpoint2); // Works and uses the proxy
  For reference:
  ===========================================================
  public class SimpleAuthenticator extends Authenticator {
       private String username, password;
       public SimpleAuthenticator(String username, String password) {
            this.username = username;
            this.password = password;
       protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(username, password.toCharArray());
  }

  Sorry for the 3 posts.
  Administrator, delete this thread please!!

• SCCM 2012 R2 ADR issue with proxy authentication

  Hi,
  We're migrating SCCM 2007 to SCCM 2012 R2.
  In SCCM 2007, the proxy server is configured with user authentication, and this works.
  In SCCM 2012 R2, the Software Update Point is installed locally and connected with a local WSUS 4.0 (Server 2012)
  We use a proxy with user authentication for Update Deployment. (This user is the same as configured in SCCM 2007.)
  The Proxy Server is Blue Coat SG.
  The proxy account is used for:
  The Synchronization works, but Automatic Deployment Rule (ADR) doesn't work.
  When an Automatic Deployment Rule is started, it tries to authenticate 3 times.
  The Patchdownloader.log shows:
  Trying to connect to the root\SMS namespace on the <servername> machine.        Software Updates Patch Downloader        11/8/2013
  12:19:06        3608 (0x0E18)
  Connected to
  \\<servername>\root\SMS        Software Updates Patch Downloader        11/8/2013 12:19:06        3608
  (0x0E18)
  Trying to connect to the
  \\<servername.domain>\root\sms\site_ECM namespace on the <servername.domain> machine.        Software Updates Patch Downloader        11/8/2013
  12:19:06        3608 (0x0E18)
  Connected to
  \\<servername.domain>\root\sms\site_ECM        Software Updates Patch Downloader        11/8/2013 12:19:06        3608
  (0x0E18)
  Download destination =
  \\<servername.domain>\dp_wks_ms_updates$\3208bb5e-bcd9-4389-a0c9-02ef33ccb998.1\XPSEPSC-x86-en-US.exe .        Software Updates Patch Downloader        11/8/2013 12:19:07        3608
  (0x0E18)
  Contentsource =
  http://wsus.ds.www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/xpsepsc-x86-en-us_7ae70ca1330a099080c6c41c4d5b7f19b30dc0cd.exe .        Software Updates Patch Downloader        11/8/2013
  12:19:07        3608 (0x0E18)
  Downloading content for ContentID = 16819067, 
  FileName = XPSEPSC-x86-en-US.exe.        Software Updates Patch Downloader        11/8/2013 12:19:07        3608 (0x0E18)
  Try username <domain\ProxyAccount>        Software Updates Patch Downloader        11/8/2013 12:19:07        8364
  (0x20AC)
  Proxy enabled proxy server <proxyserver>:8080        Software Updates Patch Downloader        11/8/2013
  12:19:07        8364 (0x20AC)
  HttpSendRequest failed HTTP_STATUS_PROXY_AUTH_REQ        Software Updates Patch Downloader        11/8/2013
  12:19:07        8364 (0x20AC)
  Download
  http://wsus.ds.www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/xpsepsc-x86-en-us_7ae70ca1330a099080c6c41c4d5b7f19b30dc0cd.exe to C:\Windows\TEMP\CAB6FD2.tmp returns 407        Software Updates
  Patch Downloader        11/8/2013 12:19:07        8364 (0x20AC)
  ERROR: DownloadContentFiles() failed with hr=0x80070197        Software Updates Patch Downloader        11/8/2013
  12:19:07        3608 (0x0E18)
  Then the proxy user account is locked:
  Trying to connect to the root\SMS namespace on the <servername> machine.        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Connected to \\ <servername>\root\SMS        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Trying to connect to the
  \\<servername.domain>\root\sms\site_ECM namespace on the <servername.domain> machine.        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Connected to
  \\<servername.domain>\root\sms\site_ECM        Software Updates Patch Downloader        11/8/2013 12:20:11        3608
  (0x0E18)
  Download destination =
  \\<servername.domain>\dp_wks_ms_updates$\e0a54221-3ff2-4129-b7cf-89bf5cd1f726.1\Windows-KB943729-x86-ENU.exe .        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  Contentsource =
  http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2009/10/windows-kb943729-x86-enu_e174c41ce3dcbd5c8922d6d1c39df1be425a70e0.exe .        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  Downloading content for ContentID = 16824262, 
  FileName = Windows-KB943729-x86-ENU.exe.        Software Updates Patch Downloader        11/8/2013 12:20:12        3608 (0x0E18)
  Try username <domain\ProxyAccount>        Software Updates Patch Downloader        11/8/2013 12:20:12        12480
  (0x30C0)
  Proxy enabled proxy server <proxyserver>:8080        Software Updates Patch Downloader        11/8/2013
  12:20:12        12480 (0x30C0)
  HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED        Software Updates Patch Downloader        11/8/2013
  12:20:12        12480 (0x30C0)
  Download
  http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2009/10/windows-kb943729-x86-enu_e174c41ce3dcbd5c8922d6d1c39df1be425a70e0.exe to C:\Windows\TEMP\CAB6E4B.tmp returns 403        Software Updates
  Patch Downloader        11/8/2013 12:20:12        12480 (0x30C0)
  ERROR: DownloadContentFiles() failed with hr=0x80070193        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  The RuleEngine.log shows:
  Failed to download the update from internet. Error = 403 SMS_RULE_ENGINE 11/8/2013 16:18:25 3608 (0x0E18)
  Failed to download ContentID 16824467 for UpdateID 16819978. Error code = 403 SMS_RULE_ENGINE 11/8/2013 16:18:25 3608 (0x0E18)
  It seems that the ADR uses a wrong password when authenticating with the proxy, but this same user works when synchronizing with WSUS.
  We performed the following actions with no result:
  run the ADR manually and automatic,
  reinstalled WSUS and SUP,
  changed proxy user account.
  Regards,
  Matthias

  Currently, the command shows:
  Current WinHTTP proxy settings:
      Direct access (no proxy server).
  We've been testing with:
  upddwnldcfg.exe /s:<proxyserver>:<port> /u:<user> /allusers
  psexec -i -s iexplore.exe, set Internet Explorer proxy manually
  All with same result, proxy user getting locked when ADR runs.
  (These settings have been removed after the test.)
  I think dekac99 would suggest netsh winhttp set proxy or import proxy.
  then turn off proxy use on the role SUP (this way not SCCM will send auth but all winhttp will use proxy)
  the problems with that for me are:
  - if MS implemented role-based proxy usage, why set at http layer - of course this might work as a workaround for the time being so it might be a good idea but I'm just not sure what unwanted issues it may cause
  - the other thing is where I'm not sure, with set proxy you cannot define authentication account. if you use import from IE and the IE prompted for proxy auth, the stored credential will be used on winhttp layer (though I'm not 100% sure of that) - so this
  is just too uncontrolled for me
  - upddwnldcfg.exe will need to run in the name of system account (it stores credentials under HKCU so far I know it will be a per user based setting)
  --> what confuses me, the catalog synch works which should use the same configured proxy and account(?), only ADR does not work. shouldn't they both use the same process for sending account auth info?

• TopLink Proxy Indirection problem when comitting uow

  We are trying to introduce the use of TopLink proxy indirection into our object model.
  We have run into situations where the uow cannot be committed because proxy indirection is being encountered.
  (See the stack trace provided below).
  What do we need to be aware of and what actions should we take to make it over this hurdle?
  Would ValueHolder cause the same problem, or would TopLink be better able to handle ValueHolder indirection than Proxy Indirection?
  Thanks for any help/hints guidance you can provide.
  2004.09.21 06:09:51.406--UnitOfWork(2820596)--Thread[ExecuteThread: '12' for queue: 'default',5,Thread Group for Queue: 'default']--Before JTS Completion
  2004.09.21 06:09:51.437--UnitOfWork(2820596)--Thread[ExecuteThread: '12' for queue: 'default',5,Thread Group for Queue: 'default']--Exception [TOPLINK-7009] (OracleAS TopLink - 10g (9.0.4.1) (Build 040128)): oracle.toplink.exceptions.ValidationException
  Exception Description: Missing descriptor for [$Proxy98]. Verify that the descriptor has been properly registered with the Session.Local Exception Stack:
  Exception [TOPLINK-7009] (OracleAS TopLink - 10g (9.0.4.1) (Build 040128)): oracle.toplink.exceptions.ValidationException
  Exception Description: Missing descriptor for [$Proxy98]. Verify that the descriptor has been properly registered with the Session.
       at oracle.toplink.exceptions.ValidationException.missingDescriptor(ValidationException.java:599)
       at oracle.toplink.internal.descriptors.DescriptorIterator.getDescriptorFor(DescriptorIterator.java:86)
       at oracle.toplink.internal.descriptors.DescriptorIterator.iterateReferenceObjectForMapping(DescriptorIterator.java:242)
       at oracle.toplink.mappings.ObjectReferenceMapping.iterateOnRealAttributeValue(ObjectReferenceMapping.java:267)
       at oracle.toplink.internal.indirection.IndirectionPolicy.iterateOnAttributeValue(IndirectionPolicy.java:186)
       at oracle.toplink.mappings.ForeignReferenceMapping.iterate(ForeignReferenceMapping.java:503)
       at oracle.toplink.internal.descriptors.ObjectBuilder.iterate(ObjectBuilder.java:1436)
       at oracle.toplink.internal.descriptors.DescriptorIterator.iterateReferenceObjects(DescriptorIterator.java:258)
       at oracle.toplink.internal.descriptors.DescriptorIterator.iterateReferenceObjectForMapping(DescriptorIterator.java:250)
       at oracle.toplink.mappings.ObjectReferenceMapping.iterateOnRealAttributeValue(ObjectReferenceMapping.java:267)
       at oracle.toplink.internal.indirection.IndirectionPolicy.iterateOnAttributeValue(IndirectionPolicy.java:186)
       at oracle.toplink.mappings.ForeignReferenceMapping.iterate(ForeignReferenceMapping.java:503)
       at oracle.toplink.internal.descriptors.ObjectBuilder.iterate(ObjectBuilder.java:1436)
       at oracle.toplink.internal.descriptors.DescriptorIterator.iterateReferenceObjects(DescriptorIterator.java:258)
       at oracle.toplink.internal.descriptors.DescriptorIterator.startIterationOn(DescriptorIterator.java:407)
       at oracle.toplink.publicinterface.UnitOfWork.discoverUnregisteredNewObjects(UnitOfWork.java:1361)
       at oracle.toplink.publicinterface.UnitOfWork.discoverAllUnregisteredNewObjects(UnitOfWork.java:1283)
       at oracle.toplink.publicinterface.UnitOfWork.assignSequenceNumbers(UnitOfWork.java:325)
       at oracle.toplink.publicinterface.UnitOfWork.collectAndPrepareObjectsForCommit(UnitOfWork.java:659)
       at oracle.toplink.publicinterface.UnitOfWork.commitToDatabaseWithChangeSet(UnitOfWork.java:1123)
       at oracle.toplink.publicinterface.UnitOfWork.issueSQLbeforeCompletion(UnitOfWork.java:2465)
       at oracle.toplink.jts.AbstractSynchronizationListener.beforeCompletion(AbstractSynchronizationListener.java:151)
       at weblogic.transaction.internal.ServerSCInfo.callBeforeCompletions(ServerSCInfo.java:540)
       at weblogic.transaction.internal.ServerSCInfo.startPrePrepareAndChain(ServerSCInfo.java:92)
       at weblogic.transaction.internal.ServerTransactionImpl.localPrePrepareAndChain(ServerTransactionImpl.java:1044)
       at weblogic.transaction.internal.ServerTransactionImpl.globalPrePrepare(ServerTransactionImpl.java:1581)
       at weblogic.transaction.internal.ServerTransactionImpl.internalCommit(ServerTransactionImpl.java:237)
       at weblogic.transaction.internal.ServerTransactionImpl.commit(ServerTransactionImpl.java:208)
       at weblogic.transaction.internal.TransactionManagerImpl.commit(TransactionManagerImpl.java:282)

  Hello,
  Could you tell me a little more about what you are trying to do? From the stacktrace it appears that TopLink is searching for all new objects and finding a proxy, and doesn't know that it is uninstantiated.
  Could you show me the piece of code where your unit of work registers and commits this object?

• Is there an issue with the latest version of FF with HTTPS requests and Proxy authentication?

  I'm currently working inside a cope network behind a proxy, which requires authentication.
  When browsing to websites externally to our network I would usually only be promoted once for authentication details; after that I would never see the prompt again until after restating the browser.
  However after the latest update I've found that when visiting HTTPS sites I'm promoted for my login details. But even though I enter the correct information the prompt does not take the details and continually asks until eventually our proxy closes the connection (usually with my account now being locked).
  My other browsers (IE, GC) work fine without problems.
  Any ideas?

  It could be a regression in Firefox 18 that wasn't present in Firefox 17. The developers are known nowadays for including too many experimental changes and my bet is one of them is causing this.
  But to confirm, could you downgrade back to Firefox 17 and still see if it works well with proxy authentication?
  Download link:
  <br> www.mozilla.org/en-US/products/download.html?product=firefox-17.0.1&os=win&lang=en-US

• My app store is not working after installing mavericks. When I open app store it repeatedly asking me to login with apple ID and to provide User name and Password for proxy authentication in a loop.I am a newbie to mac,Please help me.

  My app store is not working after installing mavericks. When I open app store it repeatedly asking me to login with apple ID and to provide User name and Password for proxy authentication in a loop.I am a newbie to mac,Please help me.

  Hmmmm... would appear that you need to be actually logged in to enable the additional menu features.
  Have you tried deletting the plists for MAS?
  This page might help you out...
  http://www.macobserver.com/tmo/answers/how_to_identify_and_fix_problems_with_the _mac_app_store
  Failing that, I will have to throw this back to the forum to see if anyone else can advise further.
  Let me know how you get on?
  Thanks.

• ITunes 10.6 Proxy Authentication Problem

  As all we know, since we've installed iTunes 10.6, we're having issues with proxy authentication. Whenever i want to connect to iTunes Store or open iTunes it always asks me about my username and password even thoug i check Remember Me check box.
  I wonder if you did gave any feedback or answer from Apple?
  Thanks

  same issue, even w/ the 10.6.3 update.
  very disappointing.
  looks like this thread is a duplicate of https://discussions.apple.com/thread/3803634?start=0&tstart=0