URLRequstHeader and Authorization

Similar Messages

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• Multiprovider and Authorizations

  Multiprovider and Authorizations:
  The challenge is to ensure you do not have more access trough the multiprovider then you have trough the sourcecubes.
  example:
  Multiprovider, Joining sourcecube 1 + 2 ( Heterogeneous MP combining data from different infoareas)
  Sourcecube 1: Authorizations for company code X+Y
  Sourcecube 2: Authorizations for company code Y+Z
  What company codes in which source cubes will you have access to report on trough the multiprovider?
  1) XYZ from both cubes ?
  2) X from cube 1 , Y from cube 1+2, Z from cube 1
  3) only the common Y from cube 1 +2
  The expected results is scenario 2. Basically the same access/restriction you would get, if reporting directly on the sourcecube's.
  This can of course be tested with a test user with limited authorizations. The obstacle here though is that the authorization setup is defined with roles and a business unit hierarchy authorization object (consisting of several company codes) that is not fully in place yet. Hence the test will not give you a 100 % liable verification.
  Has anyone else faced the same question, or can verify the expected results? I have not found any good documentation on authorization and multiprovider .
  (PS, With Support package 2 for BW 3.0B a new authorization object is available used to define authorizations on a Multiprovider level. S_RS_MPRO - Multiprovider. This gives more flexibility , but is not the answer to the general question)
  Best regards Per Roar

  It depends. When you create an authorization object you decide on which InfoProviders the authorization object is valid. So if it's valid on Cube 1 it doesn't say anything about authorization on the Multiprov.
  Best regards
     Dirk

• How can I remove the Apple ID authorization only on one computer and authorize another in his place?

  how can I remove the Apple ID authorization only on one computer and authorize another in his place?

  De-authorize the computer in question.
  Then authorize the new computer.
  Or de-authorize all computers and authorize only the ones that actually exist.

• HT1933 I have old email address's I used for iTune music purchases and cannot change password on several old accounts. Now some of the music I purchased I can not download and authorize it on my device. What can I do password security does not match my bi

  I have old email address's I used for iTune music purchases and cannot change password on several old accounts. Now some of the music I purchased I can not download and authorize it on my device. What can I do password security does not match my birthdate on two of the accounts. Apple can not send me email with a password authorization on several current accounts that I have with them. How can I contact Apple with this annoying problem I can not fix.

  settings - app/iTunes store - sign out and sign back in with your new id.
  Note - if your older apps needs an update it will use your old apple id and password, as Apps are tied to the apple id that was used to purchase it.
  You can't merge apple id.

• HT1296 When i attempt to sync my iphone it continues to say this computer is no longer authorized for apps and they will be deleted?? I don't understand?? I put my password and authorize but same message comes up.  What to do??

  When i attempt to sync my iphone it continues to say this computer is no longer authorized for apps and they will be deleted?? I don't understand?? I put my password and authorize but same message comes up.  What to do??

  I found the solution in another post.  By deleting all my apps, I was able to sync the phone.  I hope I don't have to delete all my apps every time I want to sync my phone, but at least now I am able to sync my phone.

• How to get ADF authentication and authorization working on server

  I am having an issue with deployment & ADF authentication and authorization.
  From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
  When making an attempt to log in I get the following results:
  Running Locally with ADF Authentication:                                           Works Fine
  Running Locally with ADF Authentication & Authorization:         Works Fine
  Deployed to server with ADF Authentication:                                    Works Fine
  Deployed to server with ADF Authentication & Authorization:  Doesn’t Work
  What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
  JDeveloper Version: 11.1.2.4
  Server Web Logic: 10.3.6
  Server ADF: 11.1.1.16
  Page Error when trying to log in:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
  Server error when trying to log in:
  Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
          at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
          at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
          at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
          at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
          at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
          at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
          at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
          at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
          at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
          at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
          at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
          at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
          at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
          at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
          at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
          at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
          at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
          at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
          at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
          at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
          at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
          at java.security.AccessController.doPrivileged(Native Method)
          at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
          at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
          at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
          at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
          at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
          at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
          at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
          at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
          at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
          at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
          at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
          at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
          at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
  Web.xml
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
           version="2.5">
    <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>client</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
      <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
      <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
      <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
      <param-value>differentOrigin</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_DECORATORS</param-name>
      <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
      <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
    </context-param>
    <filter>
      <filter-name>JpsFilter</filter-name>
      <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
    </filter>
    <filter>
      <filter-name>trinidad</filter-name>
      <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
    </filter>
    <filter>
      <filter-name>adfBindings</filter-name>
      <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>JpsFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>trinidad</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>adfAuthentication</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <listener>
      <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
    </listener>
    <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
      <servlet-name>resources</servlet-name>
      <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>MapProxyServlet</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>adfAuthentication</servlet-name>
      <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
      <init-param>
        <param-name>success_url</param-name>
        <param-value>/faces/Pages/homePage.jspx</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/adf/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/afr/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <url-pattern>/servlet/GraphServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <url-pattern>/servlet/GaugeServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>MapProxyServlet</servlet-name>
      <url-pattern>/mapproxy/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/bi/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>adfAuthentication</servlet-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </servlet-mapping>
    <mime-mapping>
      <extension>swf</extension>
      <mime-type>application/x-shockwave-flash</mime-type>
    </mime-mapping>
    <mime-mapping>
      <extension>amf</extension>
      <mime-type>application/x-amf</mime-type>
    </mime-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <url-pattern>/faces/pages/*.</url-pattern>
        <url-pattern>/faces/*.</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>adfAuthentication</web-resource-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>valid-users</role-name>
    </security-role>
  </web-app>
  Jazn-data.xml
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
    <jazn-realm default="jazn.com">
      <realm>
        <name>jazn.com</name>
        <users>
          <user>
            <name>*****</name>
            <display-name>*******</display-name>
            <description>******</description>
            <credentials>********<credentials>
          </user>
        </users>
        <roles>
          <role>
            <name>support</name>
            <display-name>support</display-name>
            <members>
              <member>
                <type>user</type>
                <name>mobile</name>
              </member>
            </members>
          </role>
        </roles>
      </realm>
    </jazn-realm>
    <policy-store>
      <applications>
        <application>
          <name> myapp </name>
          <app-roles>
            <app-role>
              <name>mob_mobile_support</name>
              <class>oracle.security.jps.service.policystore.ApplicationRole</class>
              <display-name>mob_mobile_support</display-name>
              <description>support role</description>
              <members>
                <member>
                  <name>mobile</name>
                  <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                </member>
              </members>
            </app-role>
          </app-roles>
          <jazn-policy>
            <grant>
              <grantee>
                <principals>
                  <principal>
                    <name>SUPPORT</name>
                    <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                  </principal>
                </principals>
              </grantee>
              <permissions>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.*</name>
                  <actions>view</actions>
                </permission>
              </permissions>
            </grant>
            <grant>
              <grantee>
                <principals>
                  <principal>
                    <name>mob_mobile_support</name>
                    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  </principal>
                </principals>
              </grantee>
              <permissions>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.addapplicationPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>Pages.addappmsgtypPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>Pages.addoperationPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.homePagePageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.loggingSearchPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>myapp.view.pageDefs.workHistoryPageDef</name>
                  <actions>view</actions>
                </permission>
              </permissions>
            </grant>
          </jazn-policy>
        </application>
      </applications>
    </policy-store>
  </jazn-data>

  Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
  Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
  Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
  Timo

• Games and music in ITunes on the VIAO. When I try to sync them to the ITOUCH or the IPAD I get a message that I am not authorized-.Go to the ITunes Store and Authorize this computer.

  FIRST there are some games and music in ITunes on the VIAO. When I try to sync them to the ITOUCH or the IPAD I get a message that I am not authorized….Go to the ITunes Store and Authorize this computer. I have completed this procedure several times and receive back the message you are authorized on this computer and I have authorized 2 of 5 devices allowed.
  Why am I not able access the games and music on my machine? How can I sync these items to my ITOUCH and MY IPAD
  SECOND How do I move my music and Games from ITUNES on the G5 to TUNES on the PC so I am able to sync those items to my devices.
  I have inherited my wife’s Laptop a:
  SONY VIAO
  MS Windows XP Home edition V 2002
  Service Pack 3
  ACPI Uniprocessor PC
  Owner dvkpqpg2.
  ITunes 11.01.1.12 updated 12/8/12
  I am both a PC and ITunes Rookie.
  I have some MAC experience and presently use a:
  Mac Dual PowerPC G5
  OS 10.4.11
  2.5GB DDR SDRAM
  ITunes 9.2.1
  ITOUCH MC011LL
  64 GB----57 GB avail
  iOS 5.11
  IPAD MC954LL
  iOS 6.0.1
  16 GB----37 GB avail

  If you want the ability to add music from multiple libraries see this thread.
  If you no longer have access to the computer that has your original library then see Recover your iTunes library from your iPod or iOS device.
  tt2

• HT1420 When I go to move a song from my library I got the message "this computer is not authorized"... if I go to the store pop down and authorize the compter is says "this computer is already authorized".... what's going on?

  When I go to move a song from my library I got the message "this computer is not authorized"... if I go to the store pop down and authorize the compter is says "this computer is already authorized".... what's going on?

  If a small number of your iTunes purchases are affected, delete and redownload them if doing so is free in your country. If you get that message for every item, click here and follow the instructions.
  (69023)

• Authentication and Authorization question.

  Hi All,
  I require your help in getting validated my understanding on Authentication and Authorization. This is wrt to WebLogic Server and WebLogic Portal.
  Authentication.
  1. The custom authentication provider can authenticate(user and group) against any datastore(LDAP OR DB). The LoginModule is a kind of blockbox and it can return true/false depending on authentication.
  2. The end result of this process is true/false.
  Authorization.
  1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
  2. The end result of this process is true/false.
  Role mapping.
  1. The custom role mapper can put all the roles that a user belongs and returns all Role. This can happen agaist LDAP OR DB.
  2. The end result is list of roles for a user.
  Security policy configuration.
  Is it mandatory that a user/group/role should be existing in WebLogic Server LDAP server(OR Portal LDAP server) to create these policies and authorization rules. What i mean by is that can user,group,role can exist in application specific database and still can be used for creatiing security policies??
  Thanks,
  Prashanth Bhat.

  The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
  The DA means Delegated Administrator, which is way how portal components are restricted to different types of administrators.
  The VE means Visitor Entitlemens, which is way how portal components are restricted to end users.
  My question is whether thess(DAs and VEs) can also be put
  our datastore for access rights??
  Thanks,
  Prashanth Bhat.

• If I deauthorize my iPad and authorize it with a new Apple ID, will I lose the previously purchased apps?

  I want to deauthorize an iPad and authorize it with a new Apple ID but I dont want to lose the apps that were purchased under the first Apple ID. Will this happen?

  Welcome to the Apple Support Communities
  You won't lose the programmes, but you won't be able to update them as it will ask you for your old Apple ID to update

• Authentication and authorization capability in weblogic application server

  Hi,
  Need input from architecture point of view -
  Requirement is typical - have to build a web center portal application with authentication and authorization capability.
  I can think of three architecture options:
  1. weblogic server (where webcenter portal application will be deployed) with oracle IDM (or any other full blown IDM suite)...
  2. weblogic server with Active Directory (or any other LDAP directory), and a LDAP authenticator is configured in weblogic...
  3. only weblogic server (users created in weblogic admin console)...
  Obviously 1st one is costliest option (product cost, infrastructure cost, maintenance cost) and most flexible. However I am discarding it purely because of cost.
  Confused between 2nd and 3rd.
  2nd option - separate user store, user can be added/deleted without touching application server, cost wise - 1 extra server and 1 LDAP directory product (or open source LDAP server)...
  3rd option - application server becomes very 'heavy' with all users information, you need to access server to add/delete users, probably cheapest option money wise... However it might affect application performance if users grow large...
  Please let me know if I should consider more parameters/points before deciding. Is there any important thing I am missing? Your input appreciated.
  Thanks.

  Hi,
  You are right your first requirement make more costly and complex environment.
  I would recommend to go with Second option instead of the third one.
  In cause in future if you want to use different server also you will have option to use external AD.
  Well now you will think why I recommend you second option instead of the third option.
  external LDAP is more secure than internal one.
  If you have any further query let me know.
  Regards,
  Kal

• Issue in External Table Authentication and Authorization in OBIEE11G

  Hello Gurus,
  Can anyone help me how to configure External Table Authentication and Authorization in OBIEE11g through weblogic server not like in 10g style(Through INIT Blocks).
  I've followed the (Doc ID 1338007.1) document. But when i'm restart the Managed servers and Admin servers after configuring the SQLAuthenticator all my services are showing down.
  I already raised the SR (SR 3-6286054151) on this issue. But still i didn't get any reply from them.
  Can anyone help me out on this issue or can anyone me send the document for "how to configure External Table Authentication and Authorization in OBIEE11g" . It's really appreciate for your quick response.
  my mail ID [email protected]
  Thanks,
  Syam.
  Edited by: 942658 on Oct 13, 2012 10:55 AM

  Hi John,
  Thanks for your quick response.
  We configured "ReadOnlySQL Provider" by following the Oracle's white paper(Doc ID 1338007.1) Please find the below steps what we configured in weblogic console.
  1. Created the Data Source
  2. In the data source specified the Database driver--> *Oracle's Driver Thin for service connections: Versions:9.0.1 and later.
  3. Defined the connection Properties .
  4. Selected targets as Admin server and bi_server.
  Then Activate changes
  5. Created new provider by using ReadOnlySQL Authenticator
  6. In the provider specific tab we given the SQL statements and saved it.
  7. Restarted the Admin and Managed servers.
  After restarted the services when we open the Enterprise Manager page all the services are showed as Undefined - means red.
  Apart from that we followed your suggested link http://askjohnobiee.blogspot.com/2012/09/how-to-oid-authentication-with-groups.html
  For External table authentication do we need to configure BISQLAuthenticator or ReadOnlySQLAuthenticator ?
  If we configure BISQLAuthenticator we just import Groups from database to Console application. Then how can it Authenticated to the User ?
  Please let me know your ideas on this.
  Thanks,
  Syam

• How to implement Custom Authentication and Authorization in Oracle SOA 11g

  Can anyone please tell me, how to implement Custom Authentication in Oracle SOA 11g ?
  Because in Oracle SOA 10.1.3.4 , i have implemented this custom authentication and authorization by implementing BPMAuthenticationService, BPMAuthorizationService, BPMIdentityService to verify againt my database systems.
  implementation classes like the mentioned below
  1).
  public class SampleAuthenticationService extends SampleServiceBase implements BPMAuthenticationService {
  2).
  public class SampleAuthorizationService extends SampleServiceBase implements BPMAuthorizationService {
  3).
  public class SampleIdentityService extends SampleServiceBase implements BPMIdentityService {
  Please help me to implement the authentication and authorization in Oracle SOA 11g .
  thanks in advance

  To start with please go through following document
  http://docs.oracle.com/cd/E21764_01/integration.1111/e10231/adptr_jms.htm
  http://docs.oracle.com/cd/E23943_01/integration.1111/e10231/adptr_file.htm
  Regards
  Arpit

• Use of default XACML with custom role mapper and authorization provider

  Hi,
  Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
  My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
  Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

  I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then right a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
  Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
  The chosen approach depends on where you're getting the role information from.