VPD method?

Hi Everyone,
After reading several VPD whitepapers on the OTN I couldn't get the right method to solve my problem.
It's clear that I've to create a policy function and to define the dbms_rls.add_policy. However, each whitepaper describes a method with a customized threshold.
My problem is focused on the released statistics. Statistics have to be suppressed if the query result in a value of less then 4 (for example).
Let's put my case. A query has only to release the surnames only if it exist in the table four times or more, otherwise suppress the values like: <null>. (<sec_relevant_cols / sec_relevant_cols_opt)
Can you please help me by describing the correct method / the right steps? More detailed information about the function which provides the solution is even appreciated.
Please help me in this bottleneck of the final project.
Regards,
Wim Schouten

Toon,
Let's put an example. http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html
describes us about the VPD - Column Masking method. This is exactly what I want to achieve.
ACCTNO ACCT_NAME BALANCE
1 BILL CAMP 1000
2 TOM CONNOPHY <null>
3 ISRAEL D 1500
In above query result the balance of Tom is suppressed since the user is not supposed to see accounts with balances over 1,600. Note the difference between this threshold and my case in where I want to suppress statistics if the surname doesn't exists in the table (column) for at least four times.
More detailed in what I have to achieve. You can enter a surname and get the next result:
+++
Area Frequency in surnames
Catalunya 10.126 47
Barcelona 6.474 35
Mauresme 8.651 <
< lower then frequency 4.
+++
Is this query result more clear, or is more info necessary?

Similar Messages

VPD in Apex using Standard or XE version of database

I was planning to use the VPD method of security in my APEX application. Some of my sites are using Standard Edition and XE edition of database. Is it true that VPD only works in Enterprise Edition of database? If so, any suggestion on how to implement the same type of security in APEX without VPD?
Thanks!

Bob,
VPD functionality essentially gives the database the ability to dynamically add extra predicate information to your queries at runtime (as a simplification). This is enforced at the database level.
So, you're never going to really be able to implement the same type of security (since you can't develop something that is processed at that same level).
The only way you could really come close to it is by not giving end users direct access to the underlying tables and using either views (combined with application contexts) and/or table API's. If you give your end users access to the underlying tables and you haven't taken additional precautions then all bets are off (for example if you implement your functionality from inside your APEX app, someone could circumvent it by using SQLPlus etc).
I'm a huge fan of VPD (I included a section on it in my Pro Application Express book where I discuss using Application Contexts too), you can roll-your-own to a certain degree, but no you can't come close to the level of functionality true VPD gives you from a database-enforced level anyway.
Also, take a look at this AskTom thread which discusses contexts -
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4514782352602
Hope this helps,
John.
Blog: http://jes.blogs.shellprompt.net
Work: http://www.apex-evangelists.com
Author of Pro Application Express: http://tinyurl.com/3gu7cd
REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!

Jdeveloper with VPD / FGAC possible ? i.e. oracle portal tables and views

I am trying to create some view objects based on oracle portals views and tables. However I always get the following error.
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "PORTAL.WWCTX_SSO", line 1407
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "PORTAL.WWCTX_SSO", line 1216
ORA-06502: PL/SQL: numeric or value error
ORA-06512: at "PORTAL.WWCTX_SSO", line 1469
ORA-06512: at "PORTAL.WWCTX_API", line 152
This is because I have not set the context using plsql. i.e
portal.wwctx_api_private.set_context(p_user_name => 'PORTAL',p_update_flat => true);
Is there a way of using portal views in jdevloper and setting the context first. I am thinking the portal database uses vpd, fine grained access control.
Regards
Orlando

Hi,
using ADF BC you can override the prepare session method on the AM to set the context.
public void prepareSession(Session _session)
super.prepareSession(_session);
// some PLSQL like
String appContext = "Begin ctxhrpckg.set_userinfo('"+getApplicationUserName()+"'); END;";
java.sql.CallableStatement st= null;
try
st = getDBTransaction().createCallableStatement(appContext,0);
st.execute();
} catch (java.sql.SQLException s)
throw new oracle.jbo.JboException(s);
} finally
try
if (st!= null)
st.close();
} catch (java.sql.SQLException s2){}
Frank

Using VPD and Portal

Situation: Trying to implement row level security using VPD for
applications created in PORTAL. using portal's
Light weight users.
Method: Created a fine grain access control policy to build a
predicate based on a Portal user (not database user).
1 Get Portal User (proc: portal30.wwctx_api.get_user)
2 Determine what business rules are setup for this
Portal User
3 Based on the above rules, build predicate for the
Portal User
Problem: In the first step, not retrieving the Portal user -
looks to be getting PUBLIC when the code is part of a
VPD policy. When it is executed on its own, it gets the correct
information back (ie. The portal user not PUBLIC).
The idea is that we want to be able to set the VPD policy based
on the light weight Portal User.
Oracle Database version 8.1.7
Oracle iAS 1.0.2.2.0
There is a work around for this, which is to create a database
schema for each portal user and then associate the
Portal account with this database schema. When we do this, we
get the correct information for use in the VPD policy,
But we actually look for the Proxy Account (database schema the
portal user is associated with) and not the portal
user/session info. This work around in not desirable when we
get a large number of portal users.
I've included the VPD package below where we try to extract the
Portal user acct using the
portal30.wwctx_api.get_user function
we also tried the
WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
When this PLSQL is executed within a portlet, it seems to return
the correct information.
Code:
CREATE OR REPLACE PACKAGE
BODY "P_CORPORATE_SECURITY_CONTEXT" as
function f_company_security (p1 varchar2, p2 varchar2) return
varchar2 is
v_predicate VARCHAR2(4000);
CURSOR cur_company(p_portal_user_name IN
company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
SELECT decode(rownum,1,to_char(company_id),','||to_char
(company_id)) company_id
FROM company_wwsec_person
WHERE POLICY = '='
and upper(WWSEC_PERSON_USER_NAME) = upper
(p_portal_user_name);
l_portal_user_name varchar2(256);
l_oracle_user_name varchar2(30);
l_all_policy_cnt number;
l_equal_policy_cnt number;
BEGIN
l_portal_user_name := portal30.wwctx_api.get_user;
-- l_portal_user_name := USER; Commented out since we
want portal user not
database user.
select count(*)
into l_all_policy_cnt
from company_wwsec_person
where upper(WWSEC_PERSON_USER_NAME) = upper
(l_portal_user_name)
and policy = 'ALL';
select count(*)
into l_equal_policy_cnt
from company_wwsec_person
where upper(WWSEC_PERSON_USER_NAME) = upper
(l_portal_user_name)
and policy = '=';
IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
v_predicate := ' company_id in (';
FOR l_company IN cur_company(l_portal_user_name)
LOOP
v_predicate := v_predicate || l_company.company_id;
END LOOP;
v_predicate := v_predicate || ')';
ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
v_predicate := ' 1=2';
ELSE
v_predicate := NULL;
END IF;
-- Uncomment to allow access to everything
-- v_predicate := ' 1=1';
RETURN v_predicate;
END;
END;

Situation: Trying to implement row level security using VPD for
applications created in PORTAL. using portal's
Light weight users.
Method: Created a fine grain access control policy to build a
predicate based on a Portal user (not database user).
1 Get Portal User (proc: portal30.wwctx_api.get_user)
2 Determine what business rules are setup for this
Portal User
3 Based on the above rules, build predicate for the
Portal User
Problem: In the first step, not retrieving the Portal user -
looks to be getting PUBLIC when the code is part of a
VPD policy. When it is executed on its own, it gets the correct
information back (ie. The portal user not PUBLIC).
The idea is that we want to be able to set the VPD policy based
on the light weight Portal User.
Oracle Database version 8.1.7
Oracle iAS 1.0.2.2.0
There is a work around for this, which is to create a database
schema for each portal user and then associate the
Portal account with this database schema. When we do this, we
get the correct information for use in the VPD policy,
But we actually look for the Proxy Account (database schema the
portal user is associated with) and not the portal
user/session info. This work around in not desirable when we
get a large number of portal users.
I've included the VPD package below where we try to extract the
Portal user acct using the
portal30.wwctx_api.get_user function
we also tried the
WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
When this PLSQL is executed within a portlet, it seems to return
the correct information.
Code:
CREATE OR REPLACE PACKAGE
BODY "P_CORPORATE_SECURITY_CONTEXT" as
function f_company_security (p1 varchar2, p2 varchar2) return
varchar2 is
v_predicate VARCHAR2(4000);
CURSOR cur_company(p_portal_user_name IN
company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
SELECT decode(rownum,1,to_char(company_id),','||to_char
(company_id)) company_id
FROM company_wwsec_person
WHERE POLICY = '='
and upper(WWSEC_PERSON_USER_NAME) = upper
(p_portal_user_name);
l_portal_user_name varchar2(256);
l_oracle_user_name varchar2(30);
l_all_policy_cnt number;
l_equal_policy_cnt number;
BEGIN
l_portal_user_name := portal30.wwctx_api.get_user;
-- l_portal_user_name := USER; Commented out since we
want portal user not
database user.
select count(*)
into l_all_policy_cnt
from company_wwsec_person
where upper(WWSEC_PERSON_USER_NAME) = upper
(l_portal_user_name)
and policy = 'ALL';
select count(*)
into l_equal_policy_cnt
from company_wwsec_person
where upper(WWSEC_PERSON_USER_NAME) = upper
(l_portal_user_name)
and policy = '=';
IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
v_predicate := ' company_id in (';
FOR l_company IN cur_company(l_portal_user_name)
LOOP
v_predicate := v_predicate || l_company.company_id;
END LOOP;
v_predicate := v_predicate || ')';
ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
v_predicate := ' 1=2';
ELSE
v_predicate := NULL;
END IF;
-- Uncomment to allow access to everything
-- v_predicate := ' 1=1';
RETURN v_predicate;
END;
END;

[Solved] Propagating users from ADF App to DB for VPD, Attn Frank

Hi all,
I've implemented VPD using policies and application contexts on my application. Now I want to propagate the logged in user from the application to the DB in order to apply VPD policies on it. I've used container managed security using DB tables as described in Frank's article.
I know that I must override prepareSession method of the application module for doing this but I don't know the exact procedure.
My VPD function is:
function empPolicy( object_schema varchar2, object_name varchar2 ) return varchar2 is
begin
return
'empno = SYS_CONTEXT(''USER_SECURITY'', ''EMPNO'' )'
end;
and my context setting procedure is called SetSecurity.
I also have a logon trigger which calls SetSecurity to set the context upon each user's logon.
Thanks in advance,
S/\EE|)

Saeed,
have a look
http://www.oracle.com/technology/products/jdev/howtos/bc4j/bc4jvpdjaas.html
String getApplicationUserName()
   String appUserName = getUserPrincipalName();
   return appUserName;
protected void prepareSession (Session _session)
   super.prepareSession(_session);
   String appContext = "Begin exprep_ctx.set_ctx_appuser('"+getApplicationUserName()+"'); END;";
   java.sql.CallableStatement st= null;
   try
      st = getDBTransaction().createCallableStatement(appContext,0);
      st.execute();
   } catch (java.sql.SQLException s)
      throw new oracle.jbo.JboException(s);
   } finally
      try
     if (st!= null)
         st.close();
   } catch (java.sql.SQLException s2)
}Frank

VPD issue affecting scalability of Application

Hi all --
Our reporting application is using VPD to limit access to the data a user can see. Unfortunately, we are seeing scalability issues when using VPD, so we are wondering if any of you have any insight on what we're doing incorrectly. Here's the scenario:
Users may have access to multiple stores, so the VPD policy is returning a predicate that looks like this: branch_code in ('MNWIN','WIMAD'). Unfortunately with each predicate change we are getting a hard parse of the statement leading to degraded performance.
We have been playing with using sys_context to set the predicate and returning a predicate that looks like: branch_code in sys_context('BRANCH_CTX','BRANCH_CODE') but errors get returned from the policy predicate or the context doesn't get set correctly.
So a few questions:
1. Is this the appropriate forum in which to post this?
2. Is it possible to use sys_context in this way
3. What is the preferred method for using VPD in a nonunique environment (ie: users have access to multiple values)
Thanks!
Leigh Johnson
Fastenal Company

You are correct to use bind variables to expedite the SQL processing. From your code, it is failing because you need to double the single quotes:
RETURN 'branch_code in sys_context (''BRANCH_CTX'',''BRANCH_CODE'')';

Forms 9i and VPD

Hi :)
I'm loocking for method how to catch in form policy (VPD) which restrict update or delete on current record.
When I'm performing update/dlete form don't see that policy and normally proceeds update/delete and commit -but after requery there is no change in data (good- policy works) but form don't tells to user "You can't do this".
Please help me resolve this problem -thanks very much.
Artur

Artur,
the problem you describe is one we discussed more often recently.
The situation is that something not in control by Forms performs changes to the actual transaction state (VPD). In fact the policy works, which means that everything is fine as far as the business goes.
Seeing it from the Forms runtime angle: Forms does send its cached records that are marked as dirty to the database for commit. The database doesn't report any errors because there are none and thus Forms puts out a message with the number of records passed as successfully submitted.
To change the message behavior yourself, you will have to raise a PLSQL Exception when Forms commits the data and the policy preventing it.
This then should bubble up to Forms where it is intercepted for proper alerting (haven't tried, but this sounds plausible).
I'll point one of the developers to this question in case I overlooked something.
Frank

Architecture Advice - XMLTYPE, VPD, PL

Hi, apologies if this is off-topic but wasn't sure which forum to pick for general architecture questions...
I've inherited an existing application architecture that we're struggling to scale beyond about 100 concurrent users on small-scale hardware, and would appreciate any advice.
It is a 3-tier web application, using XMLTYPE (CLOB), VPD and with the vast majority of the business logic and workflow coded in PL/SQL.
We're experiencing that the CLOB-based XMLTYPE columns very quickly eat up all available CPU, and our very complex VPD policies tends to slow tables down about 300% above a few thousand rows. Since the data is directly updated in PL/SQL our middle tier (java) can't cache anything.
The expectation is that this architecture should scale to thousands of concurrent users, with reasonablly large data volumes, on relatively small scale (e.g. 2 or 4 CPU) h/w. Our market cannot really afford/have the expertise to use additional Oracle products such as Grid, Partitioning, RAC etc.
I'm not sure where to start - we've tried tuning individual queries but I think we'll need more than that. We're using the latest edition of 10g RDBMS.

I've used a temporary table the way you propose, and it works pretty well. I override a method of my View Object (executeQuery, I think) to call some PL/SQL to load the temporary table before executing the query. Performance is not quite as good, but isn't a show stopper. My particular application was using a read-only VO, with no underlying Entity Object, but I think you could override an EO method to call some PL/SQL to use data from the temporary table to update the real tables.
I've looked at the original version of Avrom Roy-Faderman's framework extension, but I know he substantially revised it since I looked. It is a cool use of the extensible nature of the ADF BC framework. Avrom has placed the framework in samplecode.oracle.com, and now someone else is leading the project.
This should work well for PL/SQL APIs that have only database native types as parameters to the procedures. But it has the same problems as I mentioned before with PL/SQL records and collections, unless you first make them into database object types with CREATE TYPE.
I have also used the JPublisher interface of JDev. This is pretty neat and it can do the CREATE TYPE commands for you and write conversions to and from PL/SQL types. It also generates A LOT of Java code - the problem with it is that as a code generator it has to generate much more code than you would if you wrote it by hand to handle cases that you know won't occur with your data. And the code it writes can be hard to read and maintain. The classes it writes can be integrated into ADF BC objects, but it still is going to need some hand coding to do the job. Or some people abandon ADF BC, and use these as POJOs which can be made into Data Controls.

Apply VPD on this Logic ???

I have to implement VPD on few tables. Table A,B has Depid and other columns which has to be hided. Every user is connected to a unique role. How to get the predicate using the role and Depid. Business logic is connected user should see only his/her data from A,B,.. through VPD.
Using sys_context I can get the logged in user and using a function how should I get the predicate. Any idea where should I start or other feasible methods?
Later this has to be extended to few more tables with out much customization and coding.
Thanks in advance for your time!

Acknowledging your gratitude.
What's your application architecture?Its DSS
The VPD function will then call that context and recover the user's id to generate the SQL predicate.How to get them from dictionary and bind them to get the depid as a predicate through a function?
That is explained in further detail here:?????
There you'll find examples of how to code your context packages/procedures.?????
It seems you want to use column masking for your VPD? Aka: hiding the values for the relevant column (depid) while still displaying the row with its other column values?No, column masking is not needed, just the basic column level VPD
If that's the case, there's a little sample on column masking VPDs here:
http://download.oracle.com/docs/cd/E11882_01/network.112/e10574/vpd.htm#i1014682
From the above link below example depno is hardcoded. Here I need to match the role to the depid(table structure above this thread) by sys context as a predicate. Any other methods welcome to try.
CREATE OR REPLACE FUNCTION hide_sal_comm (
v_schema IN VARCHAR2,
v_objname IN VARCHAR2)
RETURN VARCHAR2 AS
con VARCHAR2 (200);
BEGIN
con := 'deptno=30';
RETURN (con);
END hide_sal_comm;
Thanks!

Using beforeTrigger to implement VPD security model - any suggestions?

Hi,
I'm investigating using the beforeTrigger in a data set to implement VPD security. The idea is that a parameter containing the username would be passed to the beforeTrigger pl/sql function to set the user context for that database session. I got this to work in a small prototype, but ran into a couple of what seem to be significant restrictions.
1) The pl/sql package I name in the dataTemplate defaultPackage must contain a global variable for each report parameter. In my case I'm passing the username to the pl/sql method as an bind variable argument, so I don't need/want any global variables. This is a major problem as we will have lots of reports all with different parameters. I want to bind the parameters using the :PARAM bind variable in the queries themselves.
Is there a way to avoid having to make each parameter a global variable?
2) We will need the ability to call various pl/sql packages in different reports. The following ER makes it sound as if this is not possible - but I haven't actually tested it out:
Bug# 6472921 - ALLOW FUNCTION CALL OUTSIDE OF DEFAULT PACKAGE IN DATA TEMPLATE
Is it required that all of the pl/sql calls for a data set be within the same pl/sql package?
I've included my dataTemplate below for reference.
If anyone has experience establishing VPD security for a data set using this technique or another, I'm interested in hearing what you recommend.
Thanks,
Leslie
<dataTemplate name="TARGET_DATA_TEMPLATE" defaultPackage="MGMT_IP">
<properties>
<property name="debug_mode" value="on"/>
</properties>
<parameters>
<parameter name="EMUSER" dataType="character" defaultValue="THREE"/>
</parameters>
<dataTrigger name="beforeReport" source="MGMT_IP.IPSETUSERCONTEXT(:EMUSER)"/>
<dataQuery>
<sqlStatement name="Q1">select TARGET_TYPE as TARGET_TYPE, TARGET_NAME
as TARGET_NAME from mgmt$target order by TARGET_TYPE</sqlStatement>
</dataQuery>
<dataStructure>
<group name="G1" source="Q1">
<element name="TTTYPE" value="TARGET_TYPE"/>
<element name="TNAME" value="TARGET_NAME"/>
</group>
</dataStructure>
</dataTemplate>

Hi Leslie,
Step 1.
Setup the VPD policy in database,
Create some proxy users, and create data sources and try querying, by login in with the different users.
You should be able to get the different results based on user logged in.
Step 2:
Package in data template.
for each report, you need to create separate package.
And the parameters in the report should be declared as Global variables in the report.
And once the trigger calls the package, then i guess, package has control to call other packages inside the database.
You can write all the function in the default package.
Is it required that all of the pl/sql calls for a data set be within the same pl/sql package?
I guess, yes as of now. if you need anything outside this default, you can call them in the default package like a wrapper may be.
This is what i can think right now.
Will try my luck on this and let you know :) in details.

[SOLVED] - Setting VPD User

We have a requirement to set VPD User to enforce security provided by VPD setup. We plan to use ADF BC components for our data access. As i understand, we have to call some package and supply user id.
Where in Application Module should i do this? Is it "prepareSession" method. We want to use Application Module Pooling with "Stateful" release mode. In this configuration, if AM gets passivated to Database Store and it has to be reactivated, will "prepareSession" be called again?
We are also thinking of setting NLS_LANGUAGE , NLS_TERRITORY values for Database Session. I have same question for those values as well. I would think they will both work similarly.
Chandresh
Message was edited by:
Chandresh

Chandresh,
Some things to consider:
1). Depending upon what browser you are using, your app may be seeing the multiple browser instances as a single instance.
2). The AM pooling always attempts to give you back the same AM instance that you were using before, so if there is no pressure to age things out of the AM pool or passivate them, you may be getting back the same exact AM, meaning (correct me if I'm wrong, Frank) that prepareSession doesn't need to be called again. I strongly recommend that you develop/test with AM pooling turned off so that you avoid this type of issue.
3). By default, the AM does hold on to the DB connection from the pool so that it can re-use parsed statements. However, as I understand it, prepareSession would be called if the AM instance was used by another user first.
Topics 2 & 3 are addressed in the ADF Developer's Guides, so you may find it helpful to have a read there. If you need specific section numbers, let me know.
Hope this helps,
John

Error while calling a method on Bean (EJB 3.0)

I am getting an error while calling a method on EJB. I am using EJB3.0 and my bean is getting properly deployed(i am sure b'cos i can see the successfullly deployed message). Can any body help me
Error is -->
Error while destroying resource :An I/O error has occured while flushing the output - Exception: java.io.IOException: An established connection was aborted by the software in your host machine
Stack Trace:
java.io.IOException: An established connection was aborted by the software in your host machine
at sun.nio.ch.SocketDispatcher.write0(Native Method)
at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:33)
at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:104)
at sun.nio.ch.IOUtil.write(IOUtil.java:75)
at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:302)
at com.sun.enterprise.server.ss.provider.ASOutputStream.write(ASOutputStream.java:138)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.postgresql.PG_Stream.flush(PG_Stream.java:352)
at org.postgresql.core.QueryExecutor.sendQuery(QueryExecutor.java:159)
at org.postgresql.core.QueryExecutor.execute(QueryExecutor.java:70)
at org.postgresql.jdbc1.AbstractJdbc1Connection.ExecSQL(AbstractJdbc1Connection.java:482)
at org.postgresql.jdbc1.AbstractJdbc1Connection.ExecSQL(AbstractJdbc1Connection.java:461)
at org.postgresql.jdbc1.AbstractJdbc1Connection.rollback(AbstractJdbc1Connection.java:1031)
at org.postgresql.jdbc2.optional.PooledConnectionImpl$ConnectionHandler.invoke(PooledConnectionImpl.java:223)
at $Proxy34.close(Unknown Source)
at com.sun.gjc.spi.ManagedConnection.destroy(ManagedConnection.java:274)
at com.sun.enterprise.resource.LocalTxConnectorAllocator.destroyResource(LocalTxConnectorAllocator.java:103)
at com.sun.enterprise.resource.AbstractResourcePool.destroyResource(AbstractResourcePool.java:603)
at com.sun.enterprise.resource.AbstractResourcePool.resourceErrorOccurred(AbstractResourcePool.java:713)
at com.sun.enterprise.resource.PoolManagerImpl.putbackResourceToPool(PoolManagerImpl.java:424)
at com.sun.enterprise.resource.PoolManagerImpl.resourceClosed(PoolManagerImpl.java:393)
at com.sun.enterprise.resource.LocalTxConnectionEventListener.connectionClosed(LocalTxConnectionEventListener.java:69)
at com.sun.gjc.spi.ManagedConnection.connectionClosed(ManagedConnection.java:618)
at com.sun.gjc.spi.ConnectionHolder.close(ConnectionHolder.java:163)
at oracle.toplink.essentials.internal.databaseaccess.DatabaseAccessor.closeDatasourceConnection(DatabaseAccessor.java:379)
at oracle.toplink.essentials.internal.databaseaccess.DatasourceAccessor.closeConnection(DatasourceAccessor.java:367)
at oracle.toplink.essentials.internal.databaseaccess.DatabaseAccessor.closeConnection(DatabaseAccessor.java:402)
at oracle.toplink.essentials.internal.databaseaccess.DatasourceAccessor.afterJTSTransaction(DatasourceAccessor.java:100)
at oracle.toplink.essentials.threetier.ClientSession.afterTransaction(ClientSession.java:104)
at oracle.toplink.essentials.internal.sessions.UnitOfWorkImpl.afterTransaction(UnitOfWorkImpl.java:1816)
at oracle.toplink.essentials.transaction.AbstractSynchronizationListener.afterCompletion(AbstractSynchronizationListener.java:161)
at oracle.toplink.essentials.transaction.JTASynchronizationListener.afterCompletion(JTASynchronizationListener.java:87)
at com.sun.ejb.containers.ContainerSynchronization.afterCompletion(ContainerSynchronization.java:174)
at com.sun.enterprise.distributedtx.J2EETransaction.commit(J2EETransaction.java:467)
at com.sun.enterprise.distributedtx.J2EETransactionManagerOpt.commit(J2EETransactionManagerOpt.java:357)
at com.sun.ejb.containers.BaseContainer.completeNewTx(BaseContainer.java:3653)
at com.sun.ejb.containers.BaseContainer.postInvokeTx(BaseContainer.java:3431)
at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:1247)
at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:197)
at com.sun.ejb.containers.EJBObjectInvocationHandlerDelegate.invoke(EJBObjectInvocationHandlerDelegate.java:110)
at $Proxy84.addDepartment(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.sun.corba.ee.impl.presentation.rmi.ReflectiveTie._invoke(ReflectiveTie.java:121)
at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatchToServant(CorbaServerRequestDispatcherImpl.java:650)
at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatch(CorbaServerRequestDispatcherImpl.java:193)
at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequestRequest(CorbaMessageMediatorImpl.java:1705)
at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:1565)
at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleInput(CorbaMessageMediatorImpl.java:947)
at com.sun.corba.ee.impl.protocol.giopmsgheaders.RequestMessage_1_2.callback(RequestMessage_1_2.java:178)
at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:717)
at com.sun.corba.ee.impl.transport.SocketOrChannelConnectionImpl.dispatch(SocketOrChannelConnectionImpl.java:473)
at com.sun.corba.ee.impl.transport.SocketOrChannelConnectionImpl.doWork(SocketOrChannelConnectionImpl.java:1270)
at com.sun.corba.ee.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:479)
End of Stack Trace
|#]
RAR5035:Unexpected exception while destroying resource. To get exception stack, please change log level to FINE.
EJB5018: An exception was thrown during an ejb invocation on [DepartmentSessionBean]
javax.ejb.EJBException: Unable to complete container-managed transaction.; nested exception is: javax.transaction.SystemException
javax.transaction.SystemException
at com.sun.enterprise.distributedtx.J2EETransaction.commit(J2EETransaction.java:452)
at com.sun.enterprise.distributedtx.J2EETransactionManagerOpt.commit(J2EETransactionManagerOpt.java:357)
at com.sun.ejb.containers.BaseContainer.completeNewTx(BaseContainer.java:3653)
at com.sun.ejb.containers.BaseContainer.postInvokeTx(BaseContainer.java:3431)
at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:1247)
at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:197)
at com.sun.ejb.containers.EJBObjectInvocationHandlerDelegate.invoke(EJBObjectInvocationHandlerDelegate.java:110)
at $Proxy84.addDepartment(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Means theres an error in XML/ABAP conversion probably due a syntax error...
Regards
Juan

Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

I would love some help with this issue. I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0 I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
to use to log in and after 3-5 second
and return me the logon page with error message “Authentication failed”
I base my setup on the technet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated than all my certificate are valid and able to retrieve the crl
I got in eventlog id 300
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71

This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
on my case was :
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL>

Using G_SET_GET_ALL_VALUES Method

Hi,
I need to use the following method. G_SET_GET_ALL_VALUES. But I'm not sure of the data type that it returns.
CALL FUNCTION 'G_SET_GET_ALL_VALUES'
EXPORTING
CLIENT                      = ' '
FORMULA_RETRIEVAL           = ' '
LEVEL                       = 0
    setnr                       = wa_itab_progrp-setname
VARIABLES_REPLACEMENT       = ' '
TABLE                       = ' '
CLASS                       = ' '
NO_DESCRIPTIONS             = 'X'
NO_RW_INFO                  = 'X'
DATE_FROM                   =
DATE_TO                     =
FIELDNAME                   = ' '
tables
    set_values                  = ????????
EXCEPTIONS
SET_NOT_FOUND               = 1
OTHERS                      = 2
IF sy-subrc <> 0.
MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
        WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
ENDIF.
Can anyone please let me know what I should do at the SET_VALUES section.
Thanks
Lilan

Hi,
See the FM Documentation,
This function module determines all the values of a set or its subordinate sets. The required call parameter is the set ID (SETNR). The other parameters are optional:
FORMULA_RETRIEVAL: 'X' => The formulas in the set are also returned (default ' ' requires fewer database accesses)
LEVEL: The default value is 0 and means "expand all levels". Values other than 0 determine the level to which they are to be expanded
VARIABLES_REPLACEMENT: 'X' => The value variables in the set hierarchy are replaced by their default values (this means additional database accesses for each variable)
NO_DESCRIPTIONS: 'X' => The short descriptions of the sets and set lines are not read from the database. For performance reasons you should only set this parameter to ' ' if you need the texts
The values determined are returned to the internal table SET_VALUES.
Thanks.

Clearing values from request in decode method

I am using a custom table paginator. In its decode method I have the next code to control whether next link is clicked:
String pLink = (String)requestMap.get("pLink" + clientId);
if ((pLink != null) && (!pLink.equals(""))) {
     if (pLink.equals("next")) {
     } else if (pLink.equals("previous")) {
}But the next sequence produces some problems:
1.     Initial page load.
2.     Click on next link.
3.     Table navigates ok to next page.
4.     Reload page (push F5).
5.     The previous click still remains in the request, so decode method think next link is pressed again.
6.     Application abnormal behaviour arises.
So, I am trying to clear the next_link key from the request, but next code throws an UnsupportedOperationException:
String pLink = (String)requestMap.get("pLink" + clientId);
if ((pLink != null) && (!pLink.equals(""))) {
     if (pLink.equals("next")) {
     } else if (pLink.equals("previous")) {
     requestMap.put("pLink" + clientId, "");
}Do any of you have some ideas?

Hey, where are you RaymondDeCampo, rLubke, BalusC ... the masters of JSF Universe?
;-)

VPD method?

Similar Messages

Maybe you are looking for