Web App Deployment security
I see info on actually giving permissions to servlets IN a war file but I am not
sure how I set up permissions on the war file itself.
Let's say I have app1.war for user A
app2.war for user B
so I would like it so User B can't do ANYTHING to app1.war (deploy, undeploy etc..)
I just want to lock it up.
Where / How is this done in Weblogic 7.0?
Thanks!
-R
Hi Andrew,
Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
Kind Regards,
Alex
Similar Messages
-
Web-app scoped security policies not working in WL 8
Hi,
I can't get web-app scoped security policies working in WL 8.1
I have a simple web application. It defines a role(ROLE) and security
constraint (on *.jsp).
If I examine the web app in the administration console, I see that it
has created a role (scoped to /*) called "ROLE" just as you would
expect. It has also created a scoped policy (to *.jsp) with constraints
that the user be in the role ROLE. This is as expected, and it works.
However, if I proceed to create my own scoped policy (on *.html) with
constraints (on ALL methods) that the user be in role ROLE, then I get
no security at all. ie. I can go to server:port/foo.html and it will
work - it is not secured.
Any ideas?
On a completely unrelated issue, when I deploy an EAR (exploded) with a
WAR (exploded) and using the admin console expand the application
corresponding to the EAR, right click on the WAR node, and try and define
a scoped role, then I get an error "There are no appropriate RoleEditor
providers configured". This sounds like a bug. Trying to define a
scoped policy works as expected.
TIA,
Jon
> I can't get web-app scoped security policies working in WL 8.1
Well, I can answer this one myself.
WebLogic 8 has a new optimisation (this wasn't present in 7 AFAIK),
available on the Security / Realm / myreal / General tab, which
determines whether or not weblogic considers authorisation of resources
protected by descriptors or not. (ie. it can force only
descriptor-protected authorisation, ignoring admin console policies).
It defaults to ignoring admin console policies, hence my problem.
Jon -
Office Web Apps server security question
Hello,
According to this technet article Microsoft appears to recommend against allowing both external and internal users access to your OWA server.
http://technet.microsoft.com/en-us/library/jj219435(v=office.15).aspx#viewers
"Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files.
We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the intranet or the Internet, but not both. This is because Office Web Apps Server doesn’t differentiate between requests for intranet
and Internet URLs. Somebody on the Internet could request an intranet URL, for example, causing a security leak if an internal document is viewed."
Just trying to make sense of this. I am building a new Lync 2013 environment and I definitely want my internal users to be able to leverage the OWA server. So does that mean I should not publish that server to the internet? And if I do
not, does that mean my users will not be able to share a powerpoint presentation at all to external users? If this is all true and I'm understanding this correctly, does this mean that most implementations choose one or the other? Or does Lync not
use these "Online Viewers" so I can just disable them and users will still be able to share powerpoint presentations with external users?
Thanks for any help you can provide for this confusion.
No, you should publish to both internal and Internet on the same server, it's just how it's done with Lync. You can't really have two with Lync for this purpose anyway. Users will upload PowerPoint presentations to it when it's time to share,
no editing is possible, and the risk is generally minimal. You can shorten the cache time to help if you're concerned.
Regardless, from the article:
http://technet.microsoft.com/en-us/library/jj219442(v=office.15).aspx setting OpenFromUrlEnabled "Turns on or off the ability to use Online Viewers to view Office files from a URL or UNC path.". This is set to false and turned off by default.
SWC Unified Communications -
Guide to developing SECURE TOMCAT/JSP web apps - ??
Hi,
It would be very useful to have a checklist or guidelines to ensure a JSP/tomcat web site one develops is secure, in particular for the scenario where the web application is not huge/complex &/or is developed by part-time developers. That is I guess I'm generally asking for the easiest way of ensuring one develops a secure JSP/tomcat app.
Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web app is secure? The types of things I'm thinking of include the following items, which I've put forward as specific questions to the mail group in their own right.
Q2 - How do you ensure directories under doc root can't be viewed? (ie users see directory listings)
- is putting in an index.html in each sub-directory a solid answer?
- can this be handled in one hit via WEB.XML entries? if so an example if possible?
Above and beyond basic User Authentication checking (eg username/password check at beginning of session) what is an easy but secure way of checking -:
Q3 check that user (ie specific) is allowed to access a specific JSP page? (assuming the web app is a totally JSP based solution, ie no controller servlet frontend, ie and that all JSP pages are effectively accessible under docroot). Easy way of doing this?
eg (a) put specific check at beginning of each JSP page?
(b) other?
and
Q4 given that a user is allowed to access that JSP page, check that he is allowed to view the data which he has requested? (ie stop people determining how the URL with parameters is constructed and manually changing the parameters - eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4". Easy way of doing this?
eg (a) put specific check at beginning of JSP page?
(b) other
Q5 Is it generally acceptable, given appropriate precautions are taken, to setup a web site with all JSP files accessible under doc root, and that the manner in which the user navigates around the application is based on direct calls from the browser to the next JSP page with parameters? (again one concern I have is eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4"). If this is not acceptable what is recommended?
(a) as above put a specific check at the beginning of the JSP page
(b) for example having to specifically put a controller servlet as a front end, and then direct to JSP pages which are hidden?
- in this case how can one hide specific directories under doc root?
(c) other??
Q6. Regarding image security I assume one really does have to store them outside doc root and develop a small "getImage" servlet so that requests to images can be verified to ensure that (assuming the app lets users load images) the end user can't see another user's image?
Q7. Any other general checklist items for a simple JSP/tomcat web site re security one should check for???
Thanks in Advance
Greg
Have you ever looked at the Jakarta Struts framework for developing web apps? You could then incorporate your custom designed security into your own extension of the controller servlet (check if a particular user has access to certain pages / actions). You can also design your own custom tags which determine whether a particular user has access to certain parts of the page. You can also perform additional checks in the actions, to ensure that the user does have access to certain actions (i.e. checking parameters etc.)
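One way to implement the checks asked about in Q4 and Q6, as an added example that is not code from the original thread: a hypothetical `ImageServlet` that serves uploads kept outside the doc root only after confirming that the container-authenticated user owns the requested id. The `javax.servlet` API is assumed (the Tomcat of that era), and the image directory and the id-to-owner map are constructed stand-ins for the application's real storage and database lookup.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical "getImage" servlet (example code, not from the original post).
 * Map it in web.xml (e.g. <url-pattern>/getImage</url-pattern>) and request
 * images as /getImage?id=3. The files live OUTSIDE the document root, so the
 * container never serves them directly: every request must pass the
 * authentication, input-validation and ownership checks below first.
 */
public class ImageServlet extends HttpServlet {

    /** Directory outside the web app's doc root (assumed deployment path). */
    private static final File IMAGE_DIR = new File("/var/app-data/images");

    /** Constructed stand-in for the database: image id -> owning username. */
    private static final Map<Long, String> OWNER_BY_IMAGE_ID = new HashMap<Long, String>();
    static {
        OWNER_BY_IMAGE_ID.put(3L, "alice");
        OWNER_BY_IMAGE_ID.put(4L, "bob");
    }

    /** Authorisation decision kept container-free so it can be unit-tested. */
    static boolean isOwner(String user, long imageId) {
        String owner = OWNER_BY_IMAGE_ID.get(imageId);
        return user != null && owner != null && owner.equals(user);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authentication is left to the container (security-constraint +
        //    login-config in web.xml). If that is missing or wrong, getRemoteUser()
        //    returns null and we refuse rather than serve anonymously.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Parse the id strictly as a number. Only an integer survives, so the
        //    parameter can never become a path like "../WEB-INF/web.xml"
        //    (a missing parameter also lands here: parseLong(null) throws).
        long id;
        try {
            id = Long.parseLong(req.getParameter("id"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Authorisation: the record's owner must be the logged-in user.
        //    Editing id=3 to id=4 in the URL now yields 404 instead of another
        //    user's image; 404 rather than 403 also avoids confirming that the
        //    other id exists.
        if (!isOwner(user, id)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 4. Build the file name from the validated numeric id only, never from
        //    the raw parameter, and insist it is a regular file.
        File file = new File(IMAGE_DIR, id + ".jpg");
        if (!file.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 5. Stream it. "private, no-store" stops shared caches or proxies from
        //    handing the image to the next user who requests the same URL.
        resp.setContentType("image/jpeg");
        resp.setContentLength((int) file.length());
        resp.setHeader("Cache-Control", "private, no-store");
        try (InputStream in = new FileInputStream(file)) {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

The same validate-then-authorise-then-dispatch shape is what a controller servlet does for Q5(b), forwarding to JSPs kept under /WEB-INF/, which the container never serves directly. Directory listings (Q2) are a separate setting: Tomcat's DefaultServlet takes a `listings` init parameter in conf/web.xml.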
-
How to expose Web App data to search engines
Hi Guys - Need direction please
My website contains a business directory (web app)
The web app items are in a secure zone (the client only want registered/paid members to create their business profiles) = customer submitted web app
It is also required that the directory is indexed by "elgooG".
When searching for a type of business on "elgooG", they want the listed business information found, with a link to the actual detail
e.g.: website.com\directory\Joe-blogs-plumbing
First problem, the web app item sits behind a login (secured)
How would you configure this so that we have the Web App item secured (paid), but also visible to search engines and general public?
Much appreciated
There is no reason for the whole web app to be under a secure zone.
Once you assign the owner of the item they can only edit it when they login.
All you need to do is have a listing directory on your site that shows these. If you do not want that and it is only under a secure zone, of course it will never get indexed by google.
If you want the public listing of these you just need a page and put in the web app module that outputs the list. Things like the edit link won't show unless you're logged in. -
Office Web Apps Server - Access is denied
Hello,
I was able to create an Office Web Apps server and was able to create a new farm for that server all without any issues, everything works great.
Unfortunately right after creating the farm, when attempting to run any other related powershell commands such as:
Get-OfficeWebAppsFarm
Remove-OfficeWebAppsFarm
I get this error in powershell:
Get-OfficeWebAppsFarm : Access is denied.
At line:1 char:1
+ Get-OfficeWebAppsFarm
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-OfficeWebAppsFarm], SecurityAccessDeniedException
+ FullyQualifiedErrorId : System.ServiceModel.Security.SecurityAccessDeniedException,Microsoft.Office.Web.Apps.Administration.GetFarmCommand
Although everything is actually working on the server, I'd like to be able to use those other commands in the future so I can check configurations, use "Remove" for running updates, etc... Unfortunately it appears as though this Access is
denied error may interfere with those activities.
Has anyone seen this before?
Thank you
Hi,
According to your post, my understanding is that you failed to run any other related powershell commands after creating the farm for Office Web Apps server.
If the account trying to get OfficeWebAppsFarm does not have local admin access on the machine you will simply get an “Access is denied”.
Please make sure you have the permission to run the commands.
More information:
http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
Thanks,
Linda Li
Forum Support
TechNet Community Support -
Office Web Apps 2013 + could not establish trust relationship
We currently have a three tier SharePoint 2013 Farm:
1. Web Front End Server (Server 2008 R2 Enterprise) - Servername: TEST2SP013.domain.dom
2. Central Admin Server (Server 2008 R2 Enterprise) - Servername: TEST2SPCA013.domain.dom
3. SQL Server (Server 2012 Datacenter) - Servername: TESTSQL012.domain.dom
All Machines are in the same IP/Subnet.
We are trying to setup a new server (Server 2012 R2 Datacenter) (Servername: TEST022.domain.dom) to run Office Web Apps 2013 in our TEST environment to test the system before rolling in production and have had issues throughout the entire process.
The technet articles we have used are:
http://technet.microsoft.com/en-us/library/jj219435.aspx
http://technet.microsoft.com/en-us/library/ff431687.aspx
http://technet.microsoft.com/en-us/library/jj219627.aspx
We finally have what I thought was a correct setup but anytime we try to edit or view a word, excel, powerpoint document within SharePoint 2013, we receive "Sorry, there was a problem and we can't open this document. If this happens again, try opening
the document in Microsoft Word."
We found a few How-To Setup Office Web Apps sites where other people provided step-by step instructions:
blogs.msdn.com/b/sowmyancs/archive/2012/10/29/install-configure-amp-monitor-office-web-apps-2013-for-sp-2013.aspx
http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
http://blogs.technet.com/b/justin_gao/archive/2013/06/30/configuring-office-web-apps-server-communication-using-https.aspx
We reviewed the ULS logs and found the following error:
02/14/2014 13:38:40.24 w3wp.exe (0x1C04) 0x1BB4 Office Web Apps
WAC Hosting Interaction adhsk Unexpected WOPI CheckFile: Catch-All Failure [exception:Microsoft.Office.Web.Common.EnvironmentAdapters.UnexpectedErrorException: HttpRequest failed ---> Microsoft.Office.Web.Apps.Common.HttpRequestAsyncException:
No Response in WebException ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate
is invalid according to the validation procedure. at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- End of
inner exception stack trace --- at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at Microsoft.Office.Web.Apps.Common.Ht... 7bed0d51-511d-4541-a059-e2f72942e617
None of the articles provide specific step-by-step instructions for using HTTPS in a test environment, specifically when it comes to Self-Signed Certs through Active Directory Certificate Services.
We tried creating a Self-Signed Cert through IIS on the Office Web Apps Box which did not work.
We tried creating a Cert through Active Directory Certificate Services which did not work.
We tried adding the Cert through Central Admin > Security > Manage Trust which did not help.
We verified "get-spwopizone" is set to internal-https
We can access the Web Apps https://test022/hosting/discovery site and view the XML with no issue on any machine on our network.
We added our domain to the list of approved domains that can use Office Web Apps as well as add "Domain Users" as the security group that can "EDIT" Office Documents through Office Web Apps.
After each step, we tried performing either a system reboot or IIS Reset on the Office Web Apps and WFE box.
My Question is how do we generate a certificate (either self-signed through IIS on the Office Web Apps Box or through AD) that will allow this application to work? I read that the Fully Qualified Domain Name needs to be in the SAN field of the Cert but when
we request it, I have no way of entering this information. I tried following http://technet.microsoft.com/en-us/library/ff625722 to manually request a certificate with a Custom SAN but that did not work either.
I am assuming the certificate issue is with the New Office Web Apps box. Is this correct?
-Chris
If internal cert then you will have to add the certificate from OWA to trusted certificates in each SharePoint server plus add the certificate from central admin in SharePoint through manage trust. Also you will need to install the p7b file (file that contains the
path to the root certificate to verify each intermediate certificate) for the internal cert to each SharePoint server to not get a certificate error.
sachin -
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
app.
I created an App and created a web project. In it, I deleted the controller, etc
and just have index.jsp. All the index.jsp does is: <%= request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>
When I run the app, it just renders the JSP and does not challenge me to login.
Can you please help what is that I am doing wrong here?
Thanks,
John
"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
> Hi,
> I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
> app.
> I created an App and created a web project. In it, I deleted the controller, etc
> and just have index.jsp. All the index.jsp does is: <%=request.getRemoteUser()
> %>
> In web.xml I have
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Success</web-resource-name>
> <url-pattern>*.jsp</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
I think you should have dealers instead of *
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>default</realm-name>
> </login-config>
> <security-role>
> <role-name>*</role-name>
And here too.
> </security-role>
> In weblogic.xml I have
> <security-role-assignment>
> <role-name>dealers</role-name>
> <principal-name>dealer1</principal-name>
> </security-role-assignment>
-
I'm working on the authentication/authorisation aspects of a fairly
large web application using WLS 6.0 (ie allowing users to login and
access resources based on role etc).
Its a standard JSP/Servlet/EJB type architecture and so far it seems
the FORM-based authentication will serve our needs well. However, I've
been instructed (by higher powers) to investigate JAAS authentication.
It looks far more complex to implement so my question is, does it
offer any significant advantages that justify the extra work?
Thanks for your time.
-
Web app security exception: Bad URLMatchMap
Can anyone help me diagnose an error? I am simply trying to place a security constraint
on a servlet within an ear-deployed web-application.
The exception occurs as the first POST comes to the servlet I am trying to protect:
<Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAppSecurity.java:135)
at weblogic.servlet.security.internal.SecurityModule.checkTransport(SecurityModule.java:177)
at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:48)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:150)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:1250)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1622)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
>
<?xml version="1.0" ?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
<web-app>
<display-name>ANSWeb</display-name>
<description>no description</description>
<servlet>
<servlet-name>UPMessageServlet</servlet-name>
<display-name>UPMessageServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>ANSServlet</servlet-name>
<display-name>ANSServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
<load-on-startup />
</servlet>
<servlet>
<servlet-name>WCTPServlet</servlet-name>
<display-name>WCTPServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UPMessageServlet</servlet-name>
<url-pattern>/UPMessage</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ANSServlet</servlet-name>
<url-pattern>/Server</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WCTPServlet</servlet-name>
<url-pattern>/WCTPCallback</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<resource-ref>
<description>no description</description>
<res-ref-name>url/ANS.dtd</res-ref-name>
<res-type>java.net.URL</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Server</web-resource-name>
<url-pattern>/Server</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Client</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>Client</role-name>
</security-role>
<ejb-ref>
<description>no description</description>
<ejb-ref-name>ejb/ANSServer</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>com.aether.ans.server.ANSServerHome</home>
<remote>com.aether.ans.server.ANSServer</remote>
</ejb-ref>
<ejb-ref>
<description>no description</description>
<ejb-ref-name>ejb/Alert</ejb-ref-name>
<ejb-ref-type>Entity</ejb-ref-type>
<home>com.aether.ans.entity.AlertHome</home>
<remote>com.aether.ans.entity.Alert</remote>
</ejb-ref>
</web-app>
<?xml version="1.0" ?>
<!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
<weblogic-web-app>
<description>no description</description>
<security-role-assignment>
<role-name>Client</role-name>
<principal-name>Client</principal-name>
</security-role-assignment>
<reference-descriptor>
<resource-description>
<res-ref-name>url/ANS.dtd</res-ref-name>
<jndi-name>ans.url.dtd</jndi-name>
</resource-description>
<ejb-reference-description>
<ejb-ref-name>ejb/Alert</ejb-ref-name>
<jndi-name>ejb.Alert</jndi-name>
</ejb-reference-description>
<ejb-reference-description>
<ejb-ref-name>ejb/ANSServer</ejb-ref-name>
<jndi-name>ejb.ANSServer</jndi-name>
</ejb-reference-description>
</reference-descriptor>
</weblogic-web-app>
-
Web app security ... i don't get it
I do not get it, how does one configure web.xml?
I want every page to be protected against unlogged users and some pages only to some of them
From what I read it's only necessary to have only one root role that every user is part of and then any sub-role is recognized
My use case:
every page should be protected against unauthorized user
<security-constraint>
<display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
<web-resource-collection>
<web-resource-name>JSF Pages</web-resource-name>
<url-pattern>/faces/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>fullaccess</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
and I want managers only to have access to /managers so I guess that a new <security-constraint> must be issued to allow the users that have the managers role to access the resource.
<security-constraint>
<display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
<web-resource-collection>
<web-resource-name>JSF Pages</web-resource-name>
<url-pattern>/faces/manager/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>managers</role-name> ????
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
What are the roles that must be declared in web.xml knowing that
<security-role-assignment>
<role-name>fullaccess</role-name>
<principal-name>public</principal-name>
</security-role-assignment>
</weblogic-web-app>
and in the realm the public group has a member 'managers' (that in my opinion must not be mapped)?
..on the moment there is only
<security-role>
<description>acces pe toate paginile web</description>
<role-name>fullaccess</role-name>
</security-role>
thanks, Florin POP
Hi guys.
The username and password info to connect to BC is the following:
Username - Your Adobe ID email
Password - Your password.
To connect to SFTP it's...
Server: Just the address (yoursite.businesscatalyst.com)
username - yoursite.businesscatalyst.com/[email protected]
Password - your password. -
I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
authentication. I don't want to use FORM because the original Perl app (from which
my web app is derived) also used BASIC and I don't want the interface to change.
I've found that the security works great if I go directly to the weblogic server,
so it looks like the problem is with IIS (we're forwarding requests from IIS to
WebLogic). I think the problem lies in my web.xml. It has this in it:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MLV Users Only</realm-name>
</login-config>
From what I can tell, weblogic just uses the realm-name as a label in the dialog
box that pops up, and for nothing else. My guess is that IIS is really trying
to use this as a security realm.
Am I on the right track? Anyone got any hints?
Gary
-
Office Web Apps - Best Practice for App Pool Security Account?
Guys,
I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
Generally speaking, I put service applications in their own application pool.
Obviously by doing so this has an overhead on memory and processing, however generally speaking it is best practice from a security perspective when using separate accounts.
I have to create 3 new service applications in order to deploy Office Web Apps, in my test environment these are using the Default SharePoint app pool.
Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
Cheers,
Conrad
Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007
I run my OWA under its own service account (spOWA) and use only one app pool. Just remember that if you go this route, "When
you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content
databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx) -
We have secure zones that are to display certain web app items to be filtered by Category. The secure zone members need to filter through web app items and edit these items from the list view. We've set it up accordingly and the list view is exactly how it should be when it is simply displaying on a page within the secure zone, however when the web app search/filtering is applied the "edit" tag doesn't display. Is there anyway to have this work or does it simply not? Please tell me it is possible to filter and edit web apps.
Thanks in advance,
Hi The Bowery, the edit tag will not show in general web app item search results unless the owner of that web app item is logged in to a secure zone to view it.
However, if you are happy for anyone looking at the website to edit all web app items, you can set that in the properties of the web app itself. Then I think the edit tag will show to anyone looking at the web app items.
If you only want the web app item owner to edit the web app item then you need to set up a secure zone for them to log in and view it.
It will show when the web app item owner is logged in and viewing the web app items, if the edit tag has been added to the layout customisations. So it will only show to the web app item owner.
You need to set up a secure zone for the web app item owners to upload and edit their web app items.
Search results on a webapp use the List template layout for the webapp to show a summary of the search results and the detail Template Layout is what shows when you click on the search result summary item. In webapp setups I usually put the edit tag in the List template -
Ssl and web app server: there's content which is not secure
Hello,
We have implemented ssl in our intranet site ( web front server, Web app server, sql server - everything ) .
Yet, in HTTPS (and IE) and document library, when I press the "...", I get a warning: "only secure content is displayed" and the file preview doesn't show anything. If I select "show all content", the file preview shows the file.
If I press "View in browser", I get the same message. If I press "show all content" I see the file, otherwise the file doesn't show.
Looking at Fiddler, it looks like some connections with the (SharePoint) application server aren't secured.
Sample unsecured http gets are:
http://ApplicationServer.mysite.gr/wv/ResReader.ashx?n=p1.img&WOPIsrc=http%3A%2F%Intranet%2Fsites%2FDNY%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F42da77c08cd94b67a1c413ae39a71c58&access_token=eyJ0eBIgBigToken
http://ApplicationServer.mysite.com/wv/ResReader.ashx?n=p1.img&v=00000000-0000-0000-0000-000000000602&usid=5fae4f7f-d4d6-4a21-a465-2fe24ded9519&WOPIsrc=http%3A%2F%2FIntranetSite%2Fsites%2FDNY%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F42da77c08cd94b67a1c413ae39a71c58&access_token=BIgBigToken
- this one is an image of the file.
Having these unsecured GETs, I have problems accepting that the site is totally secured.
Is the (SharePoint) application server the source of the problem?
Thank you
Christos
Hi,
According to your post, my understanding is that you wanted to show all content after you implemented ssl in intranet site.
Please make sure you configure SSL correctly. You can refer to:
Configure SSL for SharePoint 2013
IE does provide an option which can be configured to automatically display all content, both secure and non-secure content, on web pages that come with mixed content.
You can display all mixed contents in IE to suppress and disable any warning message on secure and/or non-secure content.
More information:
How to Disable Only Secure Content is Displayed in IE (Always Show All Mixed Content)
Stop the "page contains secure and nonsecure items" warning
Best Regards,
Linda Li
TechNet Community Support