Web App Deployment security

I see info on giving actual permissions to servlets IN a war file but I am not
sure how I set up permissions on the war file itself.
Let's say I have app1.war for user A
app2.war for user B
so I would like it so User B can't do ANYTHING to app1.war (deploy, undeploy, etc.).
I just want to lock it up.
Where / How is this done in Weblogic 7.0?
Thanks!
-R

Hi Andrew,
Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
Kind Regards,
Alex

Similar Messages

  • Web-app scoped security policies not working in WL 8

    Hi,
    I can't get web-app scoped security policies working in WL 8.1
    I have a simple web application. It defines a role(ROLE) and security
    constraint (on *.jsp).
    If I examine the web app in the administration console, I see that it
    has created a role (scoped to /*) called "ROLE" just as you would
    expect. It has also created a scoped policy (to *.jsp) with constraints
    that the user be in the role ROLE. This is as expected, and it works.
    However, if I proceed to create my own scoped policy (on *.html) with
    constraints (on ALL methods) that the user be in role ROLE, then I get
    no security at all. ie. I can go to server:port/foo.html and it will
    work - it is not secured.
    Any ideas?
    On a completely unrelated issue, when I deploy an EAR (exploded) with a
    WAR (exploded) and using the admin console expand the application
    corresponding to the EAR, right click on the WAR node, and try and define
    a scoped role, then I get an error "There are no appropriate RoleEditor
    providers configured". This sounds like a bug. Trying to define a
    scoped policy works as expected.
    TIA,
    Jon

    > I can't get web-app scoped security policies working in WL 8.1

    Well, I can answer this one myself.
    WebLogic 8 has a new optimisation (this wasn't present in 7 AFAIK),
    available on the Security / Realm / myreal / General tab, which
    determines whether or not weblogic considers authorisation of resources
    protected by descriptors or not. (ie. it can force only
    descriptor-protected authorisation, ignoring admin console policies).
    It defaults to ignoring admin console policies, hence my problem.
    Jon

  • Office Web Apps server security question

    Hello,
    According to this technet article Microsoft appears to recommend against allowing both external and internal users access to your OWA server.
    http://technet.microsoft.com/en-us/library/jj219435(v=office.15).aspx#viewers
    "Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files.
    We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the intranet or the Internet, but not both. This is because Office Web Apps Server doesn’t differentiate between requests for intranet
    and Internet URLs. Somebody on the Internet could request an intranet URL, for example, causing a security leak if an internal document is viewed."
    Just trying to make sense of this.  I am building a new Lync 2013 environment and I definitely want my internal users to be able to leverage the OWA server.  So does that mean I should not publish that server to the internet?  And if I do
    not, does that mean my users will not be able to share a powerpoint presentation at all to external users?  If this is all true and I'm understanding this correctly, does this mean that most implementations choose one or the other? Or does Lync not
    use these "Online Viewers" so I can just disable them and users will still be able to share powerpoint presentations with external users?
    Thanks for any help you can provide for this confusion.

    No, you should publish to both internal and Internet on the same server, it's just how it's done with Lync.  You can't really have two with Lync for this purpose anyway.  Users will upload PowerPoint presentations to it when it's time to share,
    no editing is possible, and the risk is generally minimal.  You can shorten the cache time to help if you're concerned.
    Regardless, from the article:
    http://technet.microsoft.com/en-us/library/jj219442(v=office.15).aspx setting OpenFromUrlEnabled "Turns on or off the ability to use Online Viewers to view Office files from a URL or UNC path.".  This is set to false and turned off by default.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Guide to developing SECURE TOMCAT/JSP web apps - ??

    Hi,
    It would be very useful to have a checklist or guidelines to ensure a JSP/tomcat web site one develops is secure, in particular for the scenario where the web application is not huge/complex &/or is developed by part-time developers. That is I guess I'm generally asking for the easiest way of ensuring one develops a secure JSP/tomcat app.
    Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web app is secure? The types of things I'm thinking of include the following items, which I've put forward as specific questions to the mail group in their own right.
    Q2 - How do you ensure directories under doc root can't be viewed? (ie users see a directory listing)
         - is putting in an index.html in each sub-directory a solid answer?
         - can this be handled in one hit via WEB.XML entries? if so an example if possible?
    Above and beyond basic User Authentication checking (eg username/password check at beginning of session) what is an easy but secure way of checking -:
    Q3 check that user (ie specific) is allowed to access a specific JSP page? (assuming the web app is a totally JSP based solution, ie no controller servlet frontend, ie and that all JSP pages are effectively accessible under docroot). Easy way of doing this?
         eg (a) put specific check at beginning of each JSP page?
         (b) other?
    and
    Q4 given that a user is allowed to access that JSP page, check that he is allowed to view the data which he has requested? (ie stop people determining how the URL with parameters is constructed and manually changing the parameters - eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4". Easy way of doing this?
         eg (a) put specific check at beginning of JSP page?
         (b) other
    Q5 Is it generally acceptable, given appropriate precautions are taken, to setup a web site with all JSP files accessible under doc root, and that the manner in which the user navigates around the application is based on direct calls from the browser to the next JSP page with parameters? (again one concern I have is eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4"). If this is not acceptable what is recommended?
         (a) as above put a specific check at the beginning of the JSP page
         (b) for example having to specifically put a controller servlet as a front end, and then direct to JSP pages which are hidden?
    - in this case how can one hide specific directories under doc root?
         (c) other??
    Q6. Regarding image security I assume one really does have to store them outside doc root and develop a small "getImage" servlet so that requests to images can be verified to ensure that (assuming the app lets users load images) the end user can't see another user's image?
    Q7. Any other general checklist items for a simple JSP/tomcat web site re security one should check for???
    Thanks in Advance
    Greg

    Have you ever looked at the Jakarta struts framework for developing web apps? You could then incorporate your custom designed security both into your own extension of the controller servlet (check if particular user has access to certain pages / actions). You can also design your own custom tags which determine whether a particular user has access to certain parts of the page. You can also perform additional checks in the actions, to ensure that the user does have access to certain actions (i.e. checking parameters etc.)

  • How to expose Web App data to search engines

    Hi Guys - Need direction please
    My website contains a business directory (web app)
    The web app items are in a secure zone (the client only want registered/paid members to create their business profiles) = customer submitted web app
    It is also required that the directory is indexed by "elgooG".
    When searching for a type of business on "elgooG", they want the listed business information found, with a link to the actual detail
    e.g.: website.com\directory\Joe-blogs-plumbing
    First problem, the web app item sits behind a login (secured)
    How would you configure this so that we have the Web App item secured (paid), but also visible to search engines and general public?
    Much appreciated

    There is no reason for the whole web app to be under a securezone.
    Once you assign the owner of the item they can only edit it when they login.
    All you need to do is have a listing directory on your site that shows these. If you do not want that and it is only under a securezone, of course it will never get indexed by google.
    If you want the public listing of these you just need a page and put in the web app module that outputs the list. Things like the edit link won't show unless you're logged in.

  • Office Web Apps Server - Access is denied

    Hello,
    I was able to create an Office Web Apps server and was able to create a new farm for that server all without any issues, everything works great.
    Unfortunately right after creating the farm, when attempting to run any other related powershell commands such as:
    Get-OfficeWebAppsFarm
    Remove-OfficeWebAppsFarm
    I get this error in powershell:
    Get-OfficeWebAppsFarm : Access is denied.
    At line:1 char:1
    + Get-OfficeWebAppsFarm
    + ~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-OfficeWebAppsFarm], SecurityAccessDeniedException
        + FullyQualifiedErrorId : System.ServiceModel.Security.SecurityAccessDeniedException,Microsoft.Office.Web.Apps.Adm
       inistration.GetFarmCommand
    Although everything is actually working on the server, I'd like to be able to use those other commands in the future so I can check configurations, use "Remove" for running updates, etc... Unfortunately it appears as though this Access is
    denied error may interfere with those activities.
    Has anyone seen this before?
    Thank you

    Hi,
    According to your post, my understanding is that you failed to run any other related powershell commands after creating the farm for Office Web Apps server.
    If the account trying to get  OfficeWebAppsFarm does not have local admin access on the machine you will simply get an “Access is denied”.
    Please make sure you have the permission to run the commands.
    More information:
    http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
    Thanks,
    Linda Li                
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Linda Li
    TechNet Community Support

  • Office Web Apps 2013 + could not establish trust relationship

    We currently have a three tier SharePoint 2013 Farm:
    1. Web Front End Server (Server 2008 R2 Enterprise) - Servername: TEST2SP013.domain.dom
    2. Central Admin Server (Server 2008 R2 Enterprise) - Servername: TEST2SPCA013.domain.dom
    3. SQL Server (Server 2012 Datacenter) - Servername: TESTSQL012.domain.dom
    All Machines are in the same IP/Subnet.
    We are trying to setup a new server (Server 2012 R2 Datacenter) (Servername: TEST022.domain.dom) to run Office Web Apps 2013 in our TEST environment to test the system before rolling in production and have had issues throughout the entire process.
    The technet articles we have used are:
    http://technet.microsoft.com/en-us/library/jj219435.aspx
    http://technet.microsoft.com/en-us/library/ff431687.aspx
    http://technet.microsoft.com/en-us/library/jj219627.aspx
    We finally have what I thought was a correct setup but anytime we try to edit or view a word, excel, powerpoint document within SharePoint 2013, we receive "Sorry, there was a problem and we can't open this document. If this happens again, try opening
    the document in Microsoft Word."
    We found a few How-To Setup Office Web Apps sites where other people provided step-by step instructions:
    blogs.msdn.com/b/sowmyancs/archive/2012/10/29/install-configure-amp-monitor-office-web-apps-2013-for-sp-2013.aspx
    http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
    http://blogs.technet.com/b/justin_gao/archive/2013/06/30/configuring-office-web-apps-server-communication-using-https.aspx
    We reviewed the ULS logs and found the following error:
    02/14/2014 13:38:40.24  w3wp.exe (0x1C04)                        0x1BB4 Office Web Apps              
     WAC Hosting Interaction        adhsk Unexpected WOPI CheckFile: Catch-All Failure [exception:Microsoft.Office.Web.Common.EnvironmentAdapters.UnexpectedErrorException: HttpRequest failed ---> Microsoft.Office.Web.Apps.Common.HttpRequestAsyncException:
    No Response in WebException ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate
    is invalid according to the validation procedure.     at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)     at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)     --- End of
    inner exception stack trace ---     at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)     at Microsoft.Office.Web.Apps.Common.Ht... 7bed0d51-511d-4541-a059-e2f72942e617
    None of the articles provide specific step-by-step instructions for using HTTPS in a test environment, specifically when it comes to Self-Signed Certs through Active Directory Certificate Services.
    We tried creating a Self-Signed Cert through IIS on the Office Web Apps Box which did not work.
    We tried creating a Cert through Active Directory Certificate Services which did not work.
    We tried adding the Cert through Central Admin > Security > Manage Trust which did not help.
    We verified "get-spwopizone" is set to internal-https
    We can access the Web Apps https://test022/hosting/discovery site and view the XML with no issue on any machine on our network.
    We added our domain to the list of approved domains that can use Office Web Apps as well as add "Domain Users" as the security group that can "EDIT" Office Documents through Office Web Apps. 
    After each step, we tried performing either a system reboot or IIS Reset on the Office Web Apps and WFE box.
    My Question is how do we generate a certificate (either self-signed through IIS on the Office Web Apps Box or through AD) that will allow this application to work? I read that the Fully Qualified Domain Name needs to be in the SAN field of the Cert but when
    we request it, I have no way of entering this information. I tried following http://technet.microsoft.com/en-us/library/ff625722 to manually request a certificate with a Custom SAN but that did not work either.
    I am assuming the certificate issue is with the New Office Web Apps box. Is this correct?
    -Chris

    If internal cert then you will have to add certificate from OWA to trusted certificates in each sharepoint server plus add the certificate from central admin in Sharepoint through manage trust. Also you will need to install p7b file (file that contains
    path to root certificate to verify each intermediate certificate) for internal cert to each sharepoint server to not get certificate error.
    sachin

  • Web app security not working

    Hi,
    I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
    app.
    I created an App and created a web project. In it, I deleted the controller, etc
    and just have index.jsp. All the index.jsp does is: <%= request.getRemoteUser()
    %>
    In web.xml I have
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>*</role-name>
    </security-role>
    In weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    When I run the app, it just renders the JSP and does not challenge me to login.
    Can you please help what is that I am doing wrong here?
    Thanks,
    John

    "john hryn" <[email protected]> wrote in message
    news:3fce2551$[email protected]..
    > Hi,
    > I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
    > app.
    > I created an App and created a web project. In it, I deleted the controller, etc
    > and just have index.jsp. All the index.jsp does is: <%= request.getRemoteUser()
    > %>
    > In web.xml I have
    > <security-constraint>
    > <web-resource-collection>
    > <web-resource-name>Success</web-resource-name>
    > <url-pattern>*.jsp</url-pattern>
    > <http-method>GET</http-method>
    > <http-method>POST</http-method>
    > </web-resource-collection>
    > <auth-constraint>
    > <role-name>*</role-name>
    I think you should have dealers instead of *
    > </auth-constraint>
    > </security-constraint>
    > <login-config>
    > <auth-method>BASIC</auth-method>
    > <realm-name>default</realm-name>
    > </login-config>
    > <security-role>
    > <role-name>*</role-name>
    And here too.
    > </security-role>
    > In weblogic.xml I have
    > <security-role-assignment>
    > <role-name>dealers</role-name>
    > <principal-name>dealer1</principal-name>
    > </security-role-assignment>

  • Web app security + JAAS

    I'm working on the authentication/authorisation aspects of a fairly
    large web application using WLS 6.0 (ie allowing users to login and
    access resources based on role etc).
    Its a standard JSP/Servlet/EJB type architecture and so far it seems
    the FORM-based authentication will serve our needs well. However, I've
    been instructed (by higher powers) to investigate JAAS authentication.
    It looks far more complex to implement so my question is, does it
    offer any significant advantages that justify the extra work?
    Thanks for your time.


  • Web app security exception: Bad URLMatchMap

    Can anyone help me diagnose an error? I am simply trying to place a security constraint
    on a servlet within an ear-deployed web-application.
    The exception occurs as the first POST comes to the servlet I am trying to protect:
    <Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
    java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
    at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
    at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAp
    pSecurity.java:135)
    at weblogic.servlet.security.internal.SecurityModule.checkTransport(Secu
    rityModule.java:177)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSe
    curityModule.java:48)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess
    (ServletSecurityManager.java:150)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppSe
    rvletContext.java:1250)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestIm
    pl.java:1622)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    >
    <?xml version="1.0" ?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
    'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
    <web-app>
    <display-name>ANSWeb</display-name>
    <description>no description</description>
    <servlet>
    <servlet-name>UPMessageServlet</servlet-name>
    <display-name>UPMessageServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>ANSServlet</servlet-name>
    <display-name>ANSServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
    <load-on-startup />
    </servlet>
    <servlet>
    <servlet-name>WCTPServlet</servlet-name>
    <display-name>WCTPServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>UPMessageServlet</servlet-name>
    <url-pattern>/UPMessage</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>ANSServlet</servlet-name>
    <url-pattern>/Server</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>WCTPServlet</servlet-name>
    <url-pattern>/WCTPCallback</url-pattern>
    </servlet-mapping>
    <session-config>
    <session-timeout>30</session-timeout>
    </session-config>
    <resource-ref>
    <description>no description</description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <res-type>java.net.URL</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Protected Server</web-resource-name>
    <url-pattern>/Server</url-pattern>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Client</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>Client</role-name>
    </security-role>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <home>com.aether.ans.server.ANSServerHome</home>
    <remote>com.aether.ans.server.ANSServer</remote>
    </ejb-ref>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <ejb-ref-type>Entity</ejb-ref-type>
    <home>com.aether.ans.entity.AlertHome</home>
    <remote>com.aether.ans.entity.Alert</remote>
    </ejb-ref>
    </web-app>
    <?xml version="1.0" ?>
    <!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
    'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
    <weblogic-web-app>
    <description>no description</description>
    <security-role-assignment>
    <role-name>Client</role-name>
    <principal-name>Client</principal-name>
    </security-role-assignment>
    <reference-descriptor>
    <resource-description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <jndi-name>ans.url.dtd</jndi-name>
    </resource-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <jndi-name>ejb.Alert</jndi-name>
    </ejb-reference-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <jndi-name>ejb.ANSServer</jndi-name>
    </ejb-reference-description>
    </reference-descriptor>
    </weblogic-web-app>


  • Web app security ... i don't get it

    I do not get how one configures web.xml
    I want every page to be protected against unlogged user and some pages only to some of them
    From what I read it's only necessary to have only one root role that every user is part of and then any sub-role is recognized
    My use case:
    every page should be protected against unauthorized user
    <security-constraint>
            <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
            <web-resource-collection>
                <web-resource-name>JSF Pages</web-resource-name>
                <url-pattern>/faces/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>fullaccess</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
    and I want that managers only to have access to /managers so I guess that a new </security-constraint> must be issued to allow the users that have managers role to access the resource.
    <security-constraint>
            <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
            <web-resource-collection>
                <web-resource-name>JSF Pages</web-resource-name>
                <url-pattern>/faces/manager/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>managers</role-name> ????
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
    What are the roles that must be declared in web.xml knowing that
    <security-role-assignment>
             <role-name>fullaccess</role-name>
             <principal-name>public</principal-name>
         </security-role-assignment>
    </weblogic-web-app>
    and in the realm public group has a member 'managers' (that in my opp must not be mapped)?
    ..on the moment there is only
      <security-role>
            <description>acces pe toate paginile web</description>
            <role-name>fullaccess</role-name>
        </security-role>
    thanks, Florin POP
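
Added example (not part of any post on this page): a small descriptor check for the two web.xml questions above, the "Web app security not working" thread and this one. It cross-checks role names between `web.xml` and `weblogic.xml` and resolves which roles a request needs, assuming the Servlet specification's best-match rule for `url-pattern`; the function names are hypothetical and the sample descriptors are constructed from the fragments quoted in those posts.

```python
import xml.etree.ElementTree as ET

def _root(xml_text):
    """Parse a descriptor, dropping namespaces so DTD-era and XSD-era files read alike."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def _texts(parent, tag):
    return [(e.text or "").strip() for e in parent.findall(tag)]

def parse_web_xml(xml_text):
    """Return (declared role names, constraints) from a web.xml string."""
    root = _root(xml_text)
    declared = {n for sr in root.findall("security-role") for n in _texts(sr, "role-name")}
    constraints = []
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else set(_texts(auth, "role-name"))
        for wrc in sc.findall("web-resource-collection"):
            constraints.append({"patterns": _texts(wrc, "url-pattern"),
                                "methods": set(_texts(wrc, "http-method")),  # empty = all methods
                                "roles": roles})  # None = no auth-constraint element
    return declared, constraints

def parse_role_assignments(xml_text):
    """Return {role: principals} from weblogic.xml security-role-assignment entries."""
    return {role: set(_texts(sra, "principal-name"))
            for sra in _root(xml_text).findall("security-role-assignment")
            for role in _texts(sra, "role-name")}

def audit(web_xml, weblogic_xml):
    """List inconsistencies between constraints, declared roles and role assignments."""
    declared, constraints = parse_web_xml(web_xml)
    assigned = parse_role_assignments(weblogic_xml)
    findings = []
    for c in constraints:
        # "*" in an auth-constraint is the reserved shorthand for all declared roles.
        for role in sorted((c["roles"] or set()) - declared - {"*"}):
            findings.append(f"auth-constraint names undeclared role '{role}'")
        if c["methods"]:
            findings.append(f"{', '.join(c['patterns'])}: constraint covers only "
                            f"{', '.join(sorted(c['methods']))}; other HTTP methods are outside it")
    for role in sorted(declared - set(assigned)):
        findings.append(f"declared role '{role}' has no security-role-assignment in weblogic.xml")
    for role in sorted(set(assigned) - declared):
        findings.append(f"weblogic.xml assigns role '{role}', which web.xml never declares")
    return findings

def _match_rank(pattern, path):
    """Servlet-spec mapping order: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(constraints, path, method):
    """Roles that satisfy the constraints on the best-matching url-pattern.
    None = no constraint applies (no login required); empty set = access precluded."""
    ranked = [(r, c) for c in constraints for p in c["patterns"]
              if (r := _match_rank(p, path)) is not None]
    if not ranked:
        return None
    best = max(r for r, _ in ranked)
    hits = [c for r, c in ranked if r == best and (not c["methods"] or method in c["methods"])]
    if any(c["roles"] is not None and not c["roles"] for c in hits):
        return set()  # an auth-constraint naming no roles overrides the others
    if not hits or any(c["roles"] is None for c in hits):
        return None
    return set().union(*(c["roles"] for c in hits))  # "*" is returned unexpanded

# Constructed sample input: the descriptor fragments quoted in the two threads,
# wrapped in root elements. _sc, _web and _sra are hypothetical helpers for this example.
def _sc(pattern, role):
    return (f"<security-constraint><web-resource-collection><url-pattern>{pattern}</url-pattern>"
            "<http-method>GET</http-method><http-method>POST</http-method>"
            f"</web-resource-collection><auth-constraint><role-name>{role}</role-name>"
            "</auth-constraint></security-constraint>")
def _web(constraints, role):
    return f"<web-app>{constraints}<security-role><role-name>{role}</role-name></security-role></web-app>"
def _sra(role, principal):
    return (f"<weblogic-web-app><security-role-assignment><role-name>{role}</role-name>"
            f"<principal-name>{principal}</principal-name></security-role-assignment></weblogic-web-app>")

JOHN_WEB_XML = _web(_sc("*.jsp", "*"), "*")
JOHN_WEBLOGIC_XML = _sra("dealers", "dealer1")
FLORIN_WEB_XML = _web(_sc("/faces/*", "fullaccess") + _sc("/faces/manager/*", "managers"), "fullaccess")
FLORIN_WEBLOGIC_XML = _sra("fullaccess", "public")

if __name__ == "__main__":
    print(*audit(JOHN_WEB_XML, JOHN_WEBLOGIC_XML), sep="\n")
    print(*audit(FLORIN_WEB_XML, FLORIN_WEBLOGIC_XML), sep="\n")
    _, rules = parse_web_xml(FLORIN_WEB_XML)
    print(required_roles(rules, "/faces/manager/report.jsf", "GET"))
```

With these samples the resolver returns only `managers` for paths under `/faces/manager/`, because the more specific pattern replaces the `/faces/*` constraint instead of adding to it, and it returns `None` for any method other than GET or POST.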

    Hi guys.
    A username and password info to connect to BC is the following:
    Username - Your adobe ID email
    Password - Your password.
    To connect to SFTP its...
    Server: Just the address (yoursite.businesscatalyst.com)
    username - yoursite.businesscatalyst.com/[email protected]
    Password - your password.

  • Web app security & IIS?

    I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
    authentication. I don't want to use FORM because the original Perl app (from which
    my web app is derived) also used BASIC and I don't want the interface to change.
    I've found that the security works great if I go directly to the weblogic server,
    so it looks like the problem is with IIS (we're forwarding requests from IIS to
    WebLogic). I think the problem lies in my web.xml. It has this in it:
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MLV Users Only</realm-name>
    </login-config>
    From what I can tell, weblogic just uses the realm-name as a label in the dialog
    box that pops up, and for nothing else. My guess is that IIS is really trying
    to use this as a security realm.
    Am I on the right track? Anyone got any hints?
    Gary


  • Office Web Apps - Best Practice for App Pool Security Account?

    Guys,
    I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
    Generally speaking, I put service applications in their own application pool.
    Obviously by doing so this has an overhead on memory and processing, however generally speaking it is best practice from a security perspective when using separate accounts.
    I have to create 3 new service applications in order to deploy Office Web Apps, in my test environment these are using the Default SharePoint app pool. 
    Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
    Cheers,
    Conrad
    Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007

    I run my OWA under its own service account (spOWA) and use only one app pool.  Just remember that if you go this route, "When
    you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content
    databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx)

  • Web App {tag_edit} doesn't render in web Web App search results within secure zone?

    We have secure zones that are to display certain web app items to be filtered by Category. The secure zone members need to filter through web app items and edit these items from the list view. We've set it up accordingly and the list view is exactly how it should be when it is simply displaying on a page within the secure zone; however, when the web app search/filtering is applied the "edit" tag doesn't display. Is there any way to have this work or does it simply not? Please tell me it is possible to filter and edit web apps.
    Thanks in advance,

    Hi The Bowery, the edit tag will not show in general web app item search results unless the owner of that web app item is logged in to a secure zone to view it.
    However, if you are happy for anyone looking at the website to edit all web app items, you can set that in the properties of the web app itself. Then I think the edit tag will show to anyone looking at the web app items.
    If you only want the web app item owner to edit the web app item then you need to set up a secure zone for them to log in and view it.
    It will show when the web app item owner is logged in and viewing the web app items, if the edit tag has been added to the layout customisations. So it will only show to the web app item owner.
    You need to set up a secure zone for the web app item owners to upload and edit their web app items.
    Search results on a webapp use the List template layout for the webapp to show a summary of the search results and the detail Template Layout is what shows when you click on the search result summary item. In webapp setups I usually put the edit tag in the List template

  • Ssl and web app server: there's content which is not secure

    Hello,
    We have implemented SSL in our intranet site (web front server, Web app server, SQL server - everything).
    Yet, in HTTPS (and I.E.) and a document library, when I press the "...", I get a warning: "only secure content is displayed" and the file preview doesn't show anything. If I select "show all content", the file preview shows the file.
    If I press "View in browser", I get the same message. If I press "show all content" I see the file, otherwise the file doesn't show.
    Looking at the fiddler, it looks like some connections with the (SharePoint) application server aren't secured.
    Sample unsecured http gets are:
    http://ApplicationServer.mysite.gr/wv/ResReader.ashx?n=p1.img&WOPIsrc=http%3A%2F%Intranet%2Fsites%2FDNY%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F42da77c08cd94b67a1c413ae39a71c58&access_token=eyJ0eBIgBigToken
    http://ApplicationServer.mysite.com/wv/ResReader.ashx?n=p1.img&v=00000000-0000-0000-0000-000000000602&usid=5fae4f7f-d4d6-4a21-a465-2fe24ded9519&WOPIsrc=http%3A%2F%2FIntranetSite%2Fsites%2FDNY%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F42da77c08cd94b67a1c413ae39a71c58&access_token=BIgBigToken
    - this one is an image of the file.
    Having these unsecure gets, I have problems accepting that the site is totally secured.
    Is the (SharePoint) application server the source of the problem?
    Thank you
    Christos

    Hi,
    According to your post, my understanding is that you wanted to show all content after you implemented ssl in intranet site.
    Please make sure you configure SSL correctly. You can refer to:
    Configure SSL for SharePoint 2013
    IE does provide an option which can be configured to automatically display all content, both secure and non-secure content, on web pages that come with mixed content.
    You can display all mixed contents in IE to suppress and disable any warning message on secure and/or non-secure content.
    More information:
    How to Disable Only Secure Content is Displayed in IE (Always Show All Mixed Content)
    Stop the "page contains secure and nonsecure items" warning
    Best Regards,
    Linda Li
    TechNet Community Support
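
A triage script for the kind of capture described in this thread, as an added example that is not part of either post: it flags requests sent over plain `http`, tokens carried in those cleartext requests, and `WOPIsrc` values that themselves point at an `http` source. The URLs are constructed to mirror the shape of the `ResReader.ashx` requests quoted above; the host names, token value and the function names `audit` and `audit_capture` are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed capture, shaped like the ResReader.ashx requests in the post.
# Host names and the token value are placeholders.
CAPTURE = [
    "https://intranet.example.test/sites/DNY/",
    "http://appserver.example.test/wv/ResReader.ashx?n=p1.img"
    "&WOPIsrc=http%3A%2F%2Fintranet.example.test%2Fsites%2FDNY%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F1"
    "&access_token=CONSTRUCTED_TOKEN",
    "https://appserver.example.test/wv/ResReader.ashx?n=p1.img"
    "&WOPIsrc=http%3A%2F%2Fintranet.example.test%2Fsites%2FDNY%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F1"
    "&access_token=CONSTRUCTED_TOKEN",
]

def audit(url):
    """Return the list of transport findings for one captured request URL."""
    parts = urlsplit(url)
    # Query keys are compared case-insensitively: the post shows "WOPIsrc".
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("cleartext-request")
        if "access_token" in params:
            # The token travels unencrypted and is readable on the network path.
            findings.append("token-in-cleartext")
    src = params.get("wopisrc")  # parse_qs has already percent-decoded it
    if src and urlsplit(src).scheme != "https":
        findings.append("wopisrc-not-https")
    return findings

def audit_capture(urls):
    """Map each URL that has at least one finding to its findings."""
    return {u: f for u in urls if (f := audit(u))}

if __name__ == "__main__":
    for url, findings in audit_capture(CAPTURE).items():
        print(", ".join(findings), "<-", url.split("?")[0])
```

A request that is already `https` but still carries an `http` `WOPIsrc` shows that the source URL handed to the viewer is generated as `http`, which separates that configuration issue from the viewer's own binding.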
