Web app security exception: Bad URLMatchMap

Similar Messages

• Web app security not working

  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
  app.
  I created an App and created a web project. In it, I deleted the controller, etc
  and just have index. jsp. All the index.jsp does is: <%= request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>
  When I run the app, it just renders the JSP and does not challenge me to login.
  Can you please help what is that I am doing wrong here?
  Thanks,
  John

  "john hryn" <[email protected]> wrote in message
  news:3fce2551$[email protected]..
  >
  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
  app.
  I created an App and created a web project. In it, I deleted thecontroller, etc
  and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>I think you should have dealers instead of *
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>And here too.
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>

• Web app security + JAAS

  I'm working on the authentication/authorisation aspects of a fairly
  large web application using WLS 6.0 (ie allowing users to login and
  access resources based on role etc).
  Its a standard JSP/Servlet/EJB type architecture and so far it seems
  the FORM-based authentication will serve our needs well. However, I've
  been instructed (by higher powers) to investigate JAAS authentication.
  It looks far more complex to implement so my question is, does it
  offer any significant advantages that justify the extra work?
  Thanks for your time.

  "john hryn" <[email protected]> wrote in message
  news:3fce2551$[email protected]..
  >
  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
  app.
  I created an App and created a web project. In it, I deleted thecontroller, etc
  and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>I think you should have dealers instead of *
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>And here too.
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>

• Web app security ... i don't get it

  I do not get it how do one configure web.xml
  I want every page to be protected against unlogged user and some pages only to some of them
  From what I read it's only necessary to have only one root role that every user is part of and then any sub-role is recognized
  My use case:
  every page should be protected against unauthorized user
  <security-constraint>
          <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
          <web-resource-collection>
              <web-resource-name>JSF Pages</web-resource-name>
              <url-pattern>/faces/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
              <role-name>fullaccess</role-name>
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint>and I want that managers only to have access to /managers so I guess that a new </security-constraint> must be issued to allow the users that have managers role to access the resource.
  <security-constraint>
          <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
          <web-resource-collection>
              <web-resource-name>JSF Pages</web-resource-name>
              <url-pattern>/faces/manager/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
              <role-name>managers</role-name> ????
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint> What are the roles that must be declared in web.xml knowing that
  <security-role-assignment>
           <role-name>fullaccess</role-name>
           <principal-name>public</principal-name>
       </security-role-assignment>
  </weblogic-web-app> and in the realm public group has a member 'managers' (that in my opp must not be mapped)?
  ..on the moment there is only
    <security-role>
          <description>acces pe toate paginile web</description>
          <role-name>fullaccess</role-name>
      </security-role>thanks, Florin POP

  Hi guys.
  A username and password info to connect to BC is the following:
  Username - Your adobe ID email
  Password - Your password.
  To connect to SFTP its...
  Server: Just the address (yoursite.businesscatalyst.com)
  username - yoursite.businesscatalyst.com/[email protected]
  Password - your password.

• Web app security & IIS?

  I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
  authentication. I don't want to use FORM because the original Perl app (from which
  my web app is derived) also used BASIC and I don't want the interface to change.
  I've found that the security works great if I go directly to the weblogic server,
  so it looks like the problem is with IIS (we're fowarding requests from IIS to
  WebLogic). I think the problem lies in my web.xml. It has this in it:
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>MLV Users Only</realm-name>
  </login-config>
  From what I can tell, weblogic just uses the realm-name as a label in the dialog
  box that pops up, and for nothing else. My guess is that IIS is really trying
  to use this as a security realm.
  Am I on the right track? Anyone got any hints?
  Gary

  "john hryn" <[email protected]> wrote in message
  news:3fce2551$[email protected]..
  >
  Hi,
  I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
  app.
  I created an App and created a web project. In it, I deleted thecontroller, etc
  and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
  %>
  In web.xml I have
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Success</web-resource-name>
  <url-pattern>*.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>*</role-name>I think you should have dealers instead of *
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>*</role-name>And here too.
  </security-role>
  In weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>

• Unable to run a form(FOrms 5.0) on Web. Security exception E

  Hi,
  I am trying to run a simple form developed in Forms 5.0 over our
  intranet.
  Environment: On NT I am using Oracle 8.0.5, Developer/2000
  Server and Internet Information Server 4.0.
  I have created a simple form and deployed on the server.
  (created the virtual directories for Java related directories as
  per some documentation available with me). Made a small html
  document containing the Applet definition to run this form. When
  I tried to execute this, it gives the following security
  exception error.
  ==============================================
  com.ms.security.SecurityExceptionEx
  [oracle/forms/uiClient/v1_4/engine/Runform.initClipboard]:
  Clipboard access denied.
  at com/ms/security/permissions/UIPermission.check
  at com/ms/security/PolicyEngine.deepCheck
  at com/ms/security/PolicyEngine.checkPermission
  at com/ms/security/StandardSecurityManager.chk
  at
  com/ms/security/StandardSecurityManager.checkSystemClipboardAcces
  s
  at com/ms/awt/WToolkit.getSystemClipboard
  at
  oracle/forms/uiClient/v1_4/engine/Runform.initClipboard
  at oracle/forms/uiClient/v1_4/engine/Runform.startRunform
  at oracle/forms/uiClient/v1_4/engine/Runform.run
  at java/lang/Thread.run
  com.ms.security.SecurityExceptionEx
  [oracle/forms/uiClient/v1_4/engine/Runform.initClipboard]:
  Clipboard access denied.:Clipboard access denied.
  Microsoft (R) VM for Java, 4.0 Release 4.79.0.2435
  ==============================================
  ? help
  c clear
  f run finalizers
  g garbage collect
  m memory usage
  q quit
  t thread list
  ==============================================
  Can any body help me, where I might have gone wrong, either in
  the development or deployment.
  I am also, running Oracle Application server 4.0.7 on the
  server, but I am not using the cartridge based deployment of
  forms, beca, I could not find way to create Forms
  application/Cartridge in it. If any one about it please help me.
  Early response is highly appreciated.
  Thanking you in advance ..// Manohar Reddy //
  null

  Hi Mobeen,
  That is one thing that I wanted to know. How do I make Forms
  Server to run as Service. Please explain me the
  procedure/operation.
  I am using IIS 4.0.
  Do you have any Idea, how to implement the Cartridge version of
  the Forms on OAS 4.0
  Thanks for the information though ..// Manohar //
  mobeen (guest) wrote:
  : hi
  : well u can run forms server asa service on NT then even if u
  log
  : out i wont terminate.
  : which web server r u running
  : mobeen
  : Manohar Reddy (guest) wrote:
  : : Thank you Mobeen for your time..
  : : I was able solve the problem.
  : : The problem was, my Forms Server(F50srv32.exe) was
  terminating,
  : : whenever I log out of that box. Now, I need to know, I to
  make
  : : that Process to run continuously, like a servece.
  : : Another issue, which mentioned, in my y'days mail is, How to
  : run
  : : these forms as the CARTRIDGE method ? ..
  : : Does any bdy can help me ..// Manohar //
  : : Mobeen (guest) wrote:
  : : : Hi
  : : : i guesss u have not exported Dev2k.x509 for Developer/2000.
  : : : copy Dev2k.x059 file to ur harddisk from the media
  : : : then
  : : : use javakey -c Developer/2000 true
  : : : javekey -ic Developer/2000 Dev2k.x509
  : : : it would generate identitydb.obj place that file in
  : : /user/profile
  : : : directory.
  : : : plus u have to set forms60_mapping and forms60_output
  : Registry
  : : : Variables
  : : : i hope that would sovle ur problem
  : : : mobeen
  : : : Manohar Reddy (guest) wrote:
  : : : : Hi,
  : : : : I am trying to run a simple form developed in Forms 5.0
  : over
  : : : our
  : : : : intranet.
  : : : : Environment: On NT I am using Oracle 8.0.5,
  Developer/2000
  : : : : Server and Internet Information Server 4.0.
  : : : : I have created a simple form and deployed on the server.
  : : : : (created the virtual directories for Java related
  : directories
  : : : as
  : : : : per some documentation available with me). Made a small
  : html
  : : : : document containing the Applet definition to run this
  form.
  : : : When
  : : : : I tried to execute this, it gives the following security
  : : : : exception error.
  : : : : ==============================================
  : : : : com.ms.security.SecurityExceptionEx
  [oracle/forms/uiClient/v1_4/engine/Runform.initClipboard]:
  : : : : Clipboard access denied.
  : : : : at com/ms/security/permissions/UIPermission.check
  : : : : at com/ms/security/PolicyEngine.deepCheck
  : : : : at com/ms/security/PolicyEngine.checkPermission
  : : : : at com/ms/security/StandardSecurityManager.chk
  : : : : at
  com/ms/security/StandardSecurityManager.checkSystemClipboardAcces
  : : : : s
  : : : : at com/ms/awt/WToolkit.getSystemClipboard
  : : : : at
  : : : : oracle/forms/uiClient/v1_4/engine/Runform.initClipboard
  : : : : at
  oracle/forms/uiClient/v1_4/engine/Runform.startRunform
  : : : : at oracle/forms/uiClient/v1_4/engine/Runform.run
  : : : : at java/lang/Thread.run
  : : : : com.ms.security.SecurityExceptionEx
  [oracle/forms/uiClient/v1_4/engine/Runform.initClipboard]:
  : : : : Clipboard access denied.:Clipboard access denied.
  : : : : Microsoft (R) VM for Java, 4.0 Release 4.79.0.2435
  : : : : ==============================================
  : : : : ? help
  : : : : c clear
  : : : : f run finalizers
  : : : : g garbage collect
  : : : : m memory usage
  : : : : q quit
  : : : : t thread list
  : : : : ==============================================
  : : : : Can any body help me, where I might have gone wrong,
  either
  : : in
  : : : : the development or deployment.
  : : : : I am also, running Oracle Application server 4.0.7 on the
  : : : : server, but I am not using the cartridge based deployment
  : of
  : : : : forms, beca, I could not find way to create Forms
  : : : : application/Cartridge in it. If any one about it please
  : help
  : : : me.
  : : : : Early response is highly appreciated.
  : : : : Thanking you in advance ..// Manohar Reddy //
  null

• Office Web Apps KeyNotFound Exception After December CU

  After applying the December CU to my WAC 2013 farm, documents will no longer open in browser from SharePoint.  The install went smooth.  I followed the instructions to remove the hosts from the farm, install the update and recreate the farm.  The
  secondary server joined the farm without any errors.  When I try to open a document from a SharePoint site, I see the following errors in the logs on the WAC hosts:
  ServiceInstanceFinderAdapter.FindAllServiceInstances() threw an exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Collections.Generic.KeyNotFoundException: The given key was not
  present in the dictionary.    
   at Microsoft.Office.Web.Apps.Environment.WacServer.AFarmTopology.GetMachine(String machineName)    
   at Microsoft.Office.Web.Apps.Environment.WacServer.WSServiceInstanceFinderAdapter..ctor()     -
  -- End of inner exception stack trace ---    
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)    
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)    
   at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)    
   at System.Activator.CreateInstance(Type type, Boolean nonPublic)    
   at Microsoft.Office.Web.Common.EnvironmentAdapters.HostEnvironment.LoadAdapterInstance(AdapterLoadInformation adapterInfo, Boolean readAppConfigOnly)    
   at Microsoft.Office.Web.Common.EnvironmentAdapters.HostEnvironment.AdapterLoadInformation`1.<>c__DisplayClass17.<BuildInstance>b__16()    
   at System.Lazy`1.CreateValue()    
   at System.Lazy`1.LazyInitValue()    
   at Microsoft.Office.Web.Common.EnvironmentAdapters.HostEnvironment.get_ServiceInstanceFinderAdapter()    
   at Microsoft.Office.Web.Common.ServiceInstanceFinder.RefreshList(Object state)
  I can't find any online documentation about this error in a post update scenario.  Any ideas on my next steps?
  Thanks

  Remove the WOPI binding from SharePoint, remove each OWA server from the farm (and the farm itself), then just recreate the setup. It looks like it is missing a machine name in the farm.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Web App Security Fallback (client-cert then form-based)

  Can you setup a web application to fall back to form-based login if the
  client-cert (i.e. identity assertion token) is not available. I think this
  would be very valuable because once you've configured the web app to use the
  "client-cert" authentication, you can't access the web app directly (i.e.
  browser->weblogic server). You will always need to go through the perimeter
  authenticator so the token gets sent.

  Solution found:
  The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
  In your web.xml, forward your 401 code to login page:
  <error-page>
  <error-code>401</error-code>
  <location>/form_login_page.html</location>
  </error-page>
  There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

• Web App Security Firewall Using Catalyst 6500 w/ CSM

  We are evaluating web application security firewalls. The other products can recognize application level attacks such as SQL insertion and deranged parameters. Some of my colleagues believe that the CSM (which we already have deployed) has these sorts of capabilities.
  While the CSM has some layer 7 capabilities, my read of the specs does not suggest that it is suited to this function.
  Anyone have experience or input?
  Thanks!

  The same as a SYN attack protection feature.
  That's all.
  It does not have content analysis for intrusion detection.
  Regards,
  Gilles.

• Web App Security

  Hello,
  I'll soon be developing a web application in which security is a major concern, and I'd like some advices about some technologies I'm evaluating to get the job done. I couldn't get comparisons on security power offered by each.
  - Web tier: I have some experience on JSP and JS; besides HTTPS, JSF seems to provide better, out-of-the-box, support for some of our requirements (internationalization, better security, AJAX) and some soon-useful fancy features like little html modal boxes; even considering the learning curve to use JSF (I never used it before), is there a better candidate for this layer? (I'm thinking of RichFaces or MyFaces)
  - Business tier: I can use EJB3 or Hibernate + Spring or whatever combinations works best, I simply couldn't be sure if one can be considered safer than the other (I will use roles as well).
  I'll be using JBoss (4.x) and MySQL DB.
  Thanks

  I'm not familar with JSF, only JSP, but here is the run down on security as I understand it (you can suppliment it with further research).
  * Use MVC design where the presentation layer only displays data and submits back to the server (example: update button). There is no business logic or database logic in the JSP page. A JSP tag that queries the database is a bad idea from a security point of view since a hacker may be able to reverse engineer it and alter the query.
  * In your database layer (MVC design), put all your database access. Use only prepared statements (never regular statements). Pass parameters into the prepared statement. Example: update person set person_id=?. You are therefore not subject to SQL injection as is the statement object (research SQL injection if your not familar with it).
  * Use javascript for basic client side validation checks (field cant be null, field is incorrect date format, field has a value too large) and block submitting to the server via update button if not pass. Duplicate the client side validation back on the server, and also provide any advanced valiation checks. This way, a hacker can't bypass your validaiton on the client side and submit bad data. To be really strict, consider every possible keyboard value a user can type in and validate it to determine if those special chars are allowed.
  *Click 'view source' on the browser and look at what HTML was generated by the JSP. Is there any variables on the page that is sensitive that you don't want the user to see? Such as the name of database tables or database fields? If so, you will have to crate an alias on the JSP that maps back to the name of the datbase table or field after you submit the page.
  * Each user should be restircted to a role that limits what JSP pages he can see, and what he can alter on those JSP pages. Example, you have an admin role and endUser role. Note your application has a userID/password to access the database (with a fair amount of access to each table), each user doesn't have his own userID/password to the database (with restricted access to a subset of tables). The userID/password should be stored in the context file of your applicaiton and accessed via JNI. Example, if your application is called myAppl, then the context file under tomcat is called myAppl.xml (its automatically geneated by Eclipse when you launch your application).
  * The end user shouldn't be able to call up a JSP page by navigating directly to that JSP page via its URL (they should be redirected either to the login page or an error page).
  Instead, all urls should have to go through a central servlet to check to see if he's logged in and is within a valid session. The servlet then dispatches to the correct JSP page. This example is not Struts or Spring framework, but instead, a single controller servlet design. You'll have to look up what Struts and Spring alternatively does in such a situation.
  * You should research buffer overflow attack and how to avoid it.
  * For the business layer, I believe its Either EJB3 OR Spring, not both (I could be wrong).
  * Hibernate is used in the database layer. I suggest you you JDBC with DAO instead until you are very familar with it before doing a project in Hibernate. You should know what Hibernate buys you over that of JDBC/DAO before justifying using it.
  * You should allow a new user to create a new password. The password should validated to ensure its a strong password. You should also use SSL to communicate to the server.
  * I think Spring is an alternative to EJB3 and therefore both shouldn't be used. I suggest using only Spring. Create a two or three page JSP page project (with login), refactor the heck out of it (create a clean MVC design), then let your team add all the rest of the project to it.

• Web app security question

  Hi,
  I have a basic question about securing web applications. In our app, we have myRealm
  pointing to an LDAP store. The store has (lets say) a group called 'dealers' and
  it has a user 'dealer1'.
  Now, in WEB-INF/weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>
  Does the role name in weblogic.xml map to the groups called dealers in LDAP? I
  have no specific roles configured in myRealm.
  Thanks,
  John

  "John Hryn" <[email protected]> wrote in message
  news:3fce2328$[email protected]..
  >
  Hi,
  I have a basic question about securing web applications. In our app, wehave myRealm
  pointing to an LDAP store. The store has (lets say) a group called'dealers' and
  it has a user 'dealer1'.
  Now, in WEB-INF/weblogic.xml I have
  <security-role-assignment>
  <role-name>dealers</role-name>
  <principal-name>dealer1</principal-name>
  </security-role-assignment>
  Does the role name in weblogic.xml map to the groups called dealers inLDAP? I
  have no specific roles configured in myRealm.
  Yes. http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html#1036790
  You can specify groups or individual usernames.

• Web app security in NW

  Hi SDN,
  Can someone suggest or point to help/documentation on any NW settings related to the following three security items:
  1. Cross-site Scripting
  2. MYSAPSSO2 Cookie encryption (as it is, is it secure?),
  3. SQL Injection
  Is there a comprehensive config doc including these issues?
  I will really appreciate any help.
  Shahid

  Hi Shahid,
  For cross site scripting the below link will be helpful
  [http://help.sap.com/saphelp_nw70/helpdata/EN/81/233d54d8c744c09b4434babf7b0879/frameset.htm]
  The SAP Internet Transaction Server (SAP ITS) is integrated into the kernel of the SAP Web Application Server 6.40 as an Structure Internet Communication Framework (ICF) service called the integrated ITS. this needs to be configured and requires kernel and service parameters.
  For MYSAPSSO2 which is a cookie available at service parameters:
  [http://help.sap.com/saphelp_nw70/helpdata/EN/07/496884370b11d480a000c04f99fbf0/frameset.htm]
  For SAP injection
  [http://help.sap.com/saphelp_nw70/helpdata/EN/a8/813dcc006141719086e9f0f27ab8b3/frameset.htm]
  All these are pertaining to secure user intefaces which includes all these three.
  Hope this is heplful
  Regards,
  Shaila

• Office Web Apps server security question

  Hello,
  According to this technet article Microsoft appears to recommend against allowing both external and internal users access to your OWA server.
  http://technet.microsoft.com/en-us/library/jj219435(v=office.15).aspx#viewers
  "Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files.
  We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the intranet or the Internet, but not both. This is because Office Web Apps Server doesn’t differentiate between requests for intranet
  and Internet URLs. Somebody on the Internet could request an intranet URL, for example, causing a security leak if an internal document is viewed."
  Just trying to make sense of this.  I am building a new Lync 2013 environment and I definitely want my internal users to be able to leverage the OWA server.  So does that mean I should not publish that server to the internet?  And if I do
  not, does that mean my users will not be able to share a powerpoint presentation at all to external users?  If this is all true and I'm understanding this correctly, does this mean that most implementations choose one or the other? Or does Lync not
  use these "Online Viewers" so I can just disable them and users will still be able to share powerpoint presentations with external users?
  Thanks for any help you can provide for this confusion.

  No, you should publish to both internal and Internet on the same server, it's just how it's done with Lync.  You can't really have two with Lync for this purpose anyway.  Users will upload PowerPoint presentations to it when it's time to share,
  no editing is possible, and the risk is generally minimal.  You can shorten the cache time to help if you're concerned.
  Regardless, from the article:
  http://technet.microsoft.com/en-us/library/jj219442(v=office.15).aspx setting OpenFromUrlEnabled "Turns on or off the ability to use Online Viewers to view Officefiles from a URL or UNC path.".  This is set to false and turned off by default.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Web-app scoped security policies not working in WL 8

  Hi,
  I can't get web-app scoped security policies working in WL 8.1
  I have a simple web application. It defines a role(ROLE) and security
  constraint (on *.jsp).
  If I examine the web app in the administration console, I see that it
  has created a role (scoped to /*) called "ROLE" just as you would
  expect. It has also created a scoped policy (to *.jsp) with constraints
  that the user be in the role ROLE. This is as expected, and it works.
  However, if I proceed to create my own scoped policy (on *.html) with
  constraints (on ALL methods) that the user be in role ROLE, then I get
  no security at all. ie. I can go to server:port/foo.html and it will
  work - it is not secured.
  Any ideas?
  On a completely unrelated issue, when I deploy an EAR (exploded) with a
  WAR (exploded) and using the admin console expand the application
  correpsonding to th EAR, right click on the WAR node, and try and define
  a scoped role, then I get an error "There are no appropriate RoleEditor
  providers configured". This sounds like a bug. Trying to define a
  scoped policy works as expected.
  TIA,
  Jon

  I can't get web-app scoped security policies working in WL 8.1Well, I can answer this one myself.
  WebLogic 8 has a new optimisation (this wasn't present in 7 AFAIK),
  available on the Security / Realm / myreal / General tab, which
  determines whether or not weblogic considers authorisation of resources
  protected by descriptors or not. (ie. it can force only
  descriptor-protected authorisation, ignoring admin console policies).
  It defaults to ignoring admin console policies, hence my problem.
  Jon

• Office Web Apps - Best Practice for App Pool Security Account?

  Guys,
  I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
  Generally speaking, I put service applications in their own application pool.
  Obviously by doing so this has an overhead on memory and processing, however generally speaking it is best practice from a security perspective when using separate accounts.
  I have to create 3 new service applications in order to deploy Office Web Apps, in my test environment these are using the Default SharePoint app pool. 
  Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
  Cheers,
  Conrad
  Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007

  i run my OWA under it's own service account (spOWA) and use only one app pool.  Just remember that if you go this route, "When
  you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content
  databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx)