Web App Security Firewall Using Catalyst 6500 w/ CSM

We are evaluating web application security firewalls. The other products can recognize application level attacks such as SQL insertion and deranged parameters. Some of my colleagues believe that the CSM (which we already have deployed) has these sorts of capabilities.
While the CSM has some layer 7 capabilities, my read of the specs does not suggest that it is suited to this function.
Anyone have experience or input?
Thanks!

The same as a SYN attack protection feature.
That's all.
It does not have content analysis for intrusion detection.
Regards,
Gilles.

Similar Messages

  • Do you have any html5 web app examples (not using javascript)?

    Do you have an html5 web app that only uses html5 and CSS?  (and NOT javascript).  I'd just like to see what other people are making because I don't understand how you could make an interactive webapp without using javascript (and I don't want to learn javascript).  I'd like to see what a web app looks like.

    HTML on its own can't do anything smart. You need JavaScript to know when someone has interacted with the page, for example clicked on an image or entered text into a form field. You're going to need to know JavaScript in order to create any kind of app with HTML5 and CSS. If you want any interactive things such as geolocation etc., it requires JavaScript. It's not hard to learn. I would suggest learning a library like jQuery. It uses CSS ids to allow you to select elements and regions on a page so that you can manipulate them. It's based on JavaScript, but a bit easier to learn. It's easy to add things like loops and chain functions; it looks very CSS-like, so if you come from a design background it might be better for you to learn. You simply download jQuery from http://jquery.com, store it in a folder with the site and then link to it. It's straightforward.

  • Web app security not working

    Hi,
    I am using the WebLogic 8.1 platform. I am trying to create a very basic secure web app.
    I created an App and created a web project. In it, I deleted the controller, etc. and just have index.jsp. All index.jsp does is: <%= request.getRemoteUser() %>
    In web.xml I have
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>*</role-name>
    </security-role>
    In weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    When I run the app, it just renders the JSP and does not challenge me to login.
    Can you please help me see what I am doing wrong here?
    Thanks,
    John

    "john hryn" <[email protected]> wrote in message
    news:3fce2551$[email protected]..
    >
    Hi,
    I am using the WebLogic 8.1 platform. I am trying to create a very basic secure web app.
    I created an App and created a web project. In it, I deleted the controller, etc. and just have index.jsp. All index.jsp does is: <%= request.getRemoteUser() %>
    In web.xml I have
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>
    I think you should have dealers instead of *
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>*</role-name>
    And here too.
    </security-role>
    In weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>

  • Web app security + JAAS

    I'm working on the authentication/authorisation aspects of a fairly
    large web application using WLS 6.0 (i.e. allowing users to login and
    access resources based on role etc).
    It's a standard JSP/Servlet/EJB type architecture and so far it seems
    the FORM-based authentication will serve our needs well. However, I've
    been instructed (by higher powers) to investigate JAAS authentication.
    It looks far more complex to implement so my question is, does it
    offer any significant advantages that justify the extra work?
    Thanks for your time.

  • Web app security ... i don't get it

    I do not get how one configures web.xml.
    I want every page to be protected against users who are not logged in, and some pages only accessible to some of them.
    From what I read it's only necessary to have one root role that every user is part of, and then any sub-role is recognized.
    My use case:
    every page should be protected against unauthorized users
    <security-constraint>
            <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
            <web-resource-collection>
                <web-resource-name>JSF Pages</web-resource-name>
                <url-pattern>/faces/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>fullaccess</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
    and I want only managers to have access to /managers, so I guess that a new </security-constraint> must be issued to allow the users that have the managers role to access the resource.
    <security-constraint>
            <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
            <web-resource-collection>
                <web-resource-name>JSF Pages</web-resource-name>
                <url-pattern>/faces/manager/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>managers</role-name> ????
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
    What are the roles that must be declared in web.xml, knowing that
    <security-role-assignment>
             <role-name>fullaccess</role-name>
             <principal-name>public</principal-name>
         </security-role-assignment>
    </weblogic-web-app>
    and in the realm the public group has a member 'managers' (which in my opinion must not be mapped)?
    At the moment there is only
      <security-role>
            <description>acces pe toate paginile web</description>
            <role-name>fullaccess</role-name>
        </security-role>
    Thanks, Florin POP

    Hi guys.
    A username and password info to connect to BC is the following:
    Username - Your adobe ID email
    Password - Your password.
    To connect to SFTP it's...
    Server: Just the address (yoursite.businesscatalyst.com)
    username - yoursite.businesscatalyst.com/[email protected]
    Password - your password.
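Both WebLogic descriptor threads above ("Web app security not working" and "Web app security ... i don't get it") come down to role names that are used in one place and declared or mapped in another. The linter below is an added example, not code from either thread or from WebLogic; its checks are my own assumptions about what a reviewer would look for, and the descriptors embedded in it are constructed from the posts (Florin's login-config is not shown, so FORM is assumed).

```python
"""Lint a Servlet web.xml and its weblogic.xml for role-wiring mistakes (added example)."""
import xml.etree.ElementTree as ET

# Constructed from the descriptors John posted in "Web app security not working".
BROKEN_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Success</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>default</realm-name></login-config>
  <security-role><role-name>*</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>dealers</role-name><principal-name>dealer1</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""
# The reply's fix (name the real role everywhere) plus TLS for the BASIC credentials.
FIXED_WEB_XML = BROKEN_WEB_XML.replace(
    "<role-name>*</role-name>", "<role-name>dealers</role-name>").replace(
    "</auth-constraint>", "</auth-constraint><user-data-constraint>"
    "<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>")
# Constructed from Florin's post ("... i don't get it"); his <login-config> is not
# shown, so FORM is assumed here.
FLORIN_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>JSF Pages</web-resource-name>
      <url-pattern>/faces/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>fullaccess</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Manager Pages</web-resource-name>
      <url-pattern>/faces/manager/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>managers</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>fullaccess</role-name></security-role>
</web-app>"""
FLORIN_WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>fullaccess</role-name><principal-name>public</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def _texts(node, path):
    """Stripped text of every element under node matching an ElementTree path."""
    return [e.text.strip() for e in node.iterfind(path) if e.text]


def lint_descriptors(web_xml, weblogic_xml):
    """Return (code, message) findings; an empty list means the role wiring is consistent."""
    web, wl = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    findings = []
    declared = set(_texts(web, "security-role/role-name"))
    mapped = set(_texts(wl, "security-role-assignment/role-name"))
    auth_method = (web.findtext("login-config/auth-method") or "").strip()

    # '*' only has a meaning inside <auth-constraint>; it is not a role you can declare.
    if "*" in declared:
        findings.append(("WILDCARD_DECLARED", "'*' in <security-role>: declare the real role name"))
        declared.discard("*")

    for sc in web.iterfind("security-constraint"):
        where = ", ".join(_texts(sc, "web-resource-collection/url-pattern"))
        roles = _texts(sc, "auth-constraint/role-name")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        for role in roles:
            if role == "*":  # spec shorthand for "every role declared in this descriptor"
                findings.append(("WILDCARD_CONSTRAINT", f"{where}: '*' admits every declared role; name the intended one"))
            elif role not in declared:
                findings.append(("UNDECLARED_ROLE", f"{where}: role '{role}' is not declared in <security-role>"))
        if roles and not auth_method:
            findings.append(("NO_LOGIN_CONFIG", f"{where}: constrained, but there is no <login-config> to challenge with"))
        # BASIC and FORM both carry the password in clear unless the constraint demands TLS.
        if auth_method in ("BASIC", "FORM") and guarantee == "NONE":
            findings.append(("CLEARTEXT_LOGIN", f"{where}: {auth_method} login over plain HTTP; use CONFIDENTIAL"))

    for role in sorted(declared - mapped):
        findings.append(("UNMAPPED_ROLE", f"role '{role}' has no <security-role-assignment> in weblogic.xml"))
    for role in sorted(mapped - declared):
        findings.append(("MAPPED_NOT_DECLARED", f"weblogic.xml maps '{role}', but web.xml never declares it"))
    return findings


def finding_codes(web_xml, weblogic_xml):
    """Distinct finding codes, sorted, for quick comparison between descriptor pairs."""
    return sorted({code for code, _ in lint_descriptors(web_xml, weblogic_xml)})
```

Run `lint_descriptors(BROKEN_WEB_XML, WEBLOGIC_XML)` to see the `*` mismatch the reply points at, and the Florin pair to see that `managers` is used but never declared.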

  • Web app security & IIS?

    I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
    authentication. I don't want to use FORM because the original Perl app (from which
    my web app is derived) also used BASIC and I don't want the interface to change.
    I've found that the security works great if I go directly to the weblogic server,
    so it looks like the problem is with IIS (we're forwarding requests from IIS to
    WebLogic). I think the problem lies in my web.xml. It has this in it:
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MLV Users Only</realm-name>
    </login-config>
    From what I can tell, weblogic just uses the realm-name as a label in the dialog
    box that pops up, and for nothing else. My guess is that IIS is really trying
    to use this as a security realm.
    Am I on the right track? Anyone got any hints?
    Gary

  • Help! web.xml security without using WAR files

    I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having a lot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks.

    The RDBMSRealm is just the authentication mechanism underneath WLS, versus the
    web.xml of the WebApplication, which describes all the access control for that WebApp,
    the latter being scoped only to that WebApp.
    You don't need to deploy in a war file; you can expand the archive into an identical
    directory structure and then just point us towards the top level of that structure.
    See: http://www.weblogic.com/docs51/classdocs/webappguide.html
    .paul
    chris wrote:
    I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having a lot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks.

  • Facelets to create web app, instead of using JSP; JSF 1.2 spec in WebSphere 6.1

    Novice to JSF and Facelet. But, I had been using Struts since its inception.
    I am required to use IBM's WebSphere Application Server 6.1 that comes with Servlet 2.4 and JSP 2.0. WebSphere 6.1 App Server limits me to using JSF 1.1. This is because, JSF 1.2 requires Servlet 2.5 and JSP 2.1, that is a part of WebSphere App Server 7.0; not a part of WebSphere 6.1.
    Somebody suggested that it will be possible to use JSF 1.2 in WebSphere 6.1, if I were using Facelet, instead of JSP.
    I am not eager to use JSF 1.1 and may have to forego JSF; unless and until I can use JSF 1.2.
    The hold-up is that I cannot use JSF 1.2 spec in WebSphere 6.1. Is there is any way to use JSF 1.2 in WebSphere 6.1? Can I create an entire application using Facelet (instead of JSP) that will let me use JSF 1.2 spec in WebSphere 6.1? If so, how?
    Here are my questions, especially because I am not very familiar with JSF and Facelet technology:
    1. Can I use JSF 1.2 specification in WebSphere 6.1, if I were using facelet (as opposed to JSP) as my view technology?
    2. Will it be possible to create an entire web app with Facelets, instead of using any JSP at all? If so, how? Does it mean that all the GUI screens will only use Facelets and no JSP at all?
    3. Please explain how I can write a complex web app with 100s of screens using only facelet, instead of using JSP.
    4. Please provide pointer on how JSF and facelet differ, or what are their demarcations boundaries.
    Any comment and pointer will be greatly appreciated.

    Don't doublepost. It's rude. Stick to one topic. Continue here: [http://forums.sun.com/thread.jspa?threadID=5335001].

  • Web App Security Fallback (client-cert then form-based)

    Can you set up a web application to fall back to form-based login if the
    client-cert (i.e. identity assertion token) is not available. I think this
    would be very valuable because once you've configured the web app to use the
    "client-cert" authentication, you can't access the web app directly (i.e.
    browser->weblogic server). You will always need to go through the perimeter
    authenticator so the token gets sent.

    Solution found:
    The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within the servlet), but I did not have time to investigate it further. This one at least works.

  • Web app security exception: Bad URLMatchMap

    Can anyone help me diagnose an error? I am simply trying to place a security constraint
    on a servlet within an ear-deployed web-application.
    The exception occurs as the first POST comes to the servlet I am trying to protect:
    <Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
    java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
    at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
    at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAppSecurity.java:135)
    at weblogic.servlet.security.internal.SecurityModule.checkTransport(SecurityModule.java:177)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:48)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:150)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:1250)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1622)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    >
    <?xml version="1.0" ?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
    'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
    <web-app>
    <display-name>ANSWeb</display-name>
    <description>no description</description>
    <servlet>
    <servlet-name>UPMessageServlet</servlet-name>
    <display-name>UPMessageServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>ANSServlet</servlet-name>
    <display-name>ANSServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
    <load-on-startup />
    </servlet>
    <servlet>
    <servlet-name>WCTPServlet</servlet-name>
    <display-name>WCTPServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>UPMessageServlet</servlet-name>
    <url-pattern>/UPMessage</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>ANSServlet</servlet-name>
    <url-pattern>/Server</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>WCTPServlet</servlet-name>
    <url-pattern>/WCTPCallback</url-pattern>
    </servlet-mapping>
    <session-config>
    <session-timeout>30</session-timeout>
    </session-config>
    <resource-ref>
    <description>no description</description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <res-type>java.net.URL</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Protected Server</web-resource-name>
    <url-pattern>/Server</url-pattern>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Client</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>Client</role-name>
    </security-role>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <home>com.aether.ans.server.ANSServerHome</home>
    <remote>com.aether.ans.server.ANSServer</remote>
    </ejb-ref>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <ejb-ref-type>Entity</ejb-ref-type>
    <home>com.aether.ans.entity.AlertHome</home>
    <remote>com.aether.ans.entity.Alert</remote>
    </ejb-ref>
    </web-app>
    <?xml version="1.0" ?>
    <!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
    'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
    <weblogic-web-app>
    <description>no description</description>
    <security-role-assignment>
    <role-name>Client</role-name>
    <principal-name>Client</principal-name>
    </security-role-assignment>
    <reference-descriptor>
    <resource-description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <jndi-name>ans.url.dtd</jndi-name>
    </resource-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <jndi-name>ejb.Alert</jndi-name>
    </ejb-reference-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <jndi-name>ejb.ANSServer</jndi-name>
    </ejb-reference-description>
    </reference-descriptor>
    </weblogic-web-app>

    Hi Andrew,
    Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
    Kind Regards,
    Alex

  • Weblogic 10 Probs Start Web App only if using 'Visual Web JavaServer Faces'

    There is no error message in the NetBeans IDE when I choose 'build' or 'undeploy and deploy'.
    If I use a simple web application that does not use 'Visual Web JavaServer Faces',
    the war file that NetBeans IDE creates and deploys in BEA's autodeploy directory can be executed at the linked page: http://localhost:7001/WebApplication9/
    But if I choose the option 'Visual Web JavaServer Faces' in the web application project, the whole compile and deployment process completes fine and the war file is distributed to the autodeploy dir, but it can be deployed neither automatically nor manually.
    In the Bea Weblogic Administration Console I get
    Messages
    An error occurred during activation of changes, please see the log for details.
    Failed to load webapp: 'WebApplication14.war'
    javax.faces.webapp.FacesServlet
    C:\BeaWebLogic\MyDeploy\WebApplication14.war.
    Please make sure that the annotations are valid. The error is javax.faces.webapp.FacesServlet>
    Whole error log:
    Thanks in advance.

    Hi,
    make sure you created the parameter for the bind variable in the ViewObject. It is not enough to only add the bind parameter. It has to be created as well
    Frank

  • Web App Security

    Hello,
    I'll soon be developing a web application in which security is a major concern, and I'd like some advice about some technologies I'm evaluating to get the job done. I couldn't get comparisons on the security power offered by each.
    - Web tier: I have some experience with JSP and JS; besides HTTPS, JSF seems to provide better, out-of-the-box support for some of our requirements (internationalization, better security, AJAX) and some soon-useful fancy features like little HTML modal boxes; even considering the learning curve to use JSF (I never used it before), is there a better candidate for this layer? (I'm thinking of RichFaces or MyFaces)
    - Business tier: I can use EJB3 or Hibernate + Spring or whatever combination works best, I simply couldn't be sure if one can be considered safer than the other (I will use roles as well).
    I'll be using JBoss (4.x) and MySQL DB.
    Thanks

    I'm not familiar with JSF, only JSP, but here is the rundown on security as I understand it (you can supplement it with further research).
    * Use MVC design where the presentation layer only displays data and submits back to the server (example: update button). There is no business logic or database logic in the JSP page. A JSP tag that queries the database is a bad idea from a security point of view since a hacker may be able to reverse engineer it and alter the query.
    * In your database layer (MVC design), put all your database access. Use only prepared statements (never regular statements). Pass parameters into the prepared statement. Example: update person set person_id=?. You are therefore not subject to SQL injection as the statement object is (research SQL injection if you're not familiar with it).
    * Use JavaScript for basic client-side validation checks (field can't be null, field is in an incorrect date format, field has a value too large) and block submitting to the server via the update button if they don't pass. Duplicate the client-side validation back on the server, and also provide any advanced validation checks. This way, a hacker can't bypass your validation on the client side and submit bad data. To be really strict, consider every possible keyboard value a user can type in and validate it to determine if those special chars are allowed.
    * Click 'view source' in the browser and look at what HTML was generated by the JSP. Are there any variables on the page that are sensitive that you don't want the user to see? Such as the names of database tables or database fields? If so, you will have to create an alias on the JSP that maps back to the name of the database table or field after you submit the page.
    * Each user should be restricted to a role that limits what JSP pages he can see, and what he can alter on those JSP pages. Example: you have an admin role and an endUser role. Note your application has a userID/password to access the database (with a fair amount of access to each table); each user doesn't have his own userID/password to the database (with restricted access to a subset of tables). The userID/password should be stored in the context file of your application and accessed via JNI. Example: if your application is called myAppl, then the context file under Tomcat is called myAppl.xml (it's automatically generated by Eclipse when you launch your application).
    * The end user shouldn't be able to call up a JSP page by navigating directly to that JSP page via its URL (they should be redirected either to the login page or an error page).
    Instead, all URLs should have to go through a central servlet to check whether he's logged in and is within a valid session. The servlet then dispatches to the correct JSP page. This example is not the Struts or Spring framework, but instead a single controller servlet design. You'll have to look up what Struts and Spring alternatively do in such a situation.
    * You should research buffer overflow attacks and how to avoid them.
    * For the business layer, I believe it's either EJB3 or Spring, not both (I could be wrong).
    * Hibernate is used in the database layer. I suggest you use JDBC with DAO instead until you are very familiar with it before doing a project in Hibernate. You should know what Hibernate buys you over JDBC/DAO before justifying using it.
    * You should allow a new user to create a new password. The password should be validated to ensure it's a strong password. You should also use SSL to communicate with the server.
    * I think Spring is an alternative to EJB3 and therefore both shouldn't be used. I suggest using only Spring. Create a two- or three-page JSP project (with login), refactor the heck out of it (create a clean MVC design), then let your team add all the rest of the project to it.
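    The central-servlet, server-side validation and prepared-statement points from the reply above, put together as an added example (this is not code from the original thread). It assumes, hypothetically, a DataSource bound in JNDI at java:comp/env/jdbc/myAppl, a PERSON table with PERSON_ID and EMAIL columns, a login servlet that stores "user" and "role" attributes in the session, and JSPs placed under WEB-INF so the container will not serve them by URL. Java 7 or later for try-with-resources.

    ```java
    // Added example, not from the original thread. Assumed names: the JNDI
    // DataSource "java:comp/env/jdbc/myAppl", the PERSON table, the "user" and
    // "role" session attributes, and the JSP paths under /WEB-INF/jsp/.
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.SQLException;
    import java.util.regex.Pattern;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import javax.sql.DataSource;

    public class FrontController extends HttpServlet {

        // Server-side copies of the client-side rules. Whitelists, not blacklists:
        // anything that does not match is rejected, whatever the browser sent.
        private static final Pattern EMAIL =
                Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}$");
        private static final Pattern ID = Pattern.compile("^[0-9]{1,9}$");

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // Every request passes through here. No session or no logged-in user:
            // back to the login page, never to a JSP.
            HttpSession session = req.getSession(false);
            if (session == null || session.getAttribute("user") == null) {
                resp.sendRedirect(req.getContextPath() + "/login.jsp");
                return;
            }
            String role = (String) session.getAttribute("role");
            String action = req.getParameter("action");

            if ("updateEmail".equals(action)
                    && ("admin".equals(role) || "endUser".equals(role))) {
                String id = req.getParameter("personId");
                String email = req.getParameter("email");
                // Client-side JavaScript did the same checks; repeat them here
                // because the client can be bypassed with any HTTP tool.
                if (id == null || email == null
                        || !ID.matcher(id).matches() || !EMAIL.matcher(email).matches()) {
                    req.setAttribute("error", "invalid input");
                    forward(req, resp, "/WEB-INF/jsp/error.jsp");
                    return;
                }
                try {
                    req.setAttribute("rows", updateEmail(Integer.parseInt(id), email));
                } catch (SQLException | NamingException e) {
                    // Log details server-side; the user sees nothing about tables or drivers.
                    log("update failed", e);
                    forward(req, resp, "/WEB-INF/jsp/error.jsp");
                    return;
                }
                forward(req, resp, "/WEB-INF/jsp/person.jsp");
                return;
            }
            // Unknown action or a role not allowed to perform it.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }

        // Dispatch to a JSP under WEB-INF; such paths are not reachable by URL.
        private void forward(HttpServletRequest req, HttpServletResponse resp, String view)
                throws ServletException, IOException {
            getServletContext().getRequestDispatcher(view).forward(req, resp);
        }

        // DAO-style data access. The SQL text is a constant; the values travel as
        // bind parameters, so a value like  x'; DROP TABLE person; --  is just data.
        // The injectable form this replaces would be:
        //   c.createStatement().executeUpdate(
        //       "UPDATE person SET email = '" + email + "' WHERE person_id = " + id);
        static int updateEmail(int personId, String email)
                throws SQLException, NamingException {
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/myAppl");
            try (Connection c = ds.getConnection();
                 PreparedStatement ps = c.prepareStatement(
                         "UPDATE person SET email = ? WHERE person_id = ?")) {
                ps.setString(1, email);
                ps.setInt(2, personId);
                return ps.executeUpdate();
            }
        }
    }
    ```

    Map this servlet to the URL pattern the forms post to (for example /app/* in web.xml) and keep the JSPs under WEB-INF; then the only way to reach a page is through the session and role checks above, and the database credentials stay in the container's DataSource definition rather than in any JSP.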

  • Web app security question

    Hi,
    I have a basic question about securing web applications. In our app, we have myRealm
    pointing to an LDAP store. The store has (lets say) a group called 'dealers' and
    it has a user 'dealer1'.
    Now, in WEB-INF/weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    Does the role name in weblogic.xml map to the groups called dealers in LDAP? I
    have no specific roles configured in myRealm.
    Thanks,
    John

    "John Hryn" <[email protected]> wrote in message
    news:3fce2328$[email protected]..
    >
    Hi,
    I have a basic question about securing web applications. In our app, we have myRealm
    pointing to an LDAP store. The store has (lets say) a group called 'dealers' and
    it has a user 'dealer1'.
    Now, in WEB-INF/weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    Does the role name in weblogic.xml map to the groups called dealers in LDAP? I
    have no specific roles configured in myRealm.
    Yes. http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html#1036790
    You can specify groups or individual usernames.
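    An added configuration example for the mapping discussed above (not from the original thread). In WebLogic the role-name in security-role-assignment is the role declared in web.xml; the principal-name entries are what get looked up in the active realm, and each may be a user or a group. With principal-name dealer1 only that user holds the role; naming the LDAP group instead grants it to every member. The group name "dealers", the path /dealer/* and the login pages are assumptions.

    ```xml
    <!-- Added example, not from the original thread. Assumed: an LDAP group named
         "dealers" visible to the realm's authenticator, and a /dealer/* URL space. -->

    <!-- WEB-INF/web.xml: declare the role and what it protects -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>dealer pages</web-resource-name>
        <url-pattern>/dealer/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>dealers</role-name>
      </auth-constraint>
      <user-data-constraint>
        <!-- force HTTPS for these pages -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>dealers</role-name>
    </security-role>

    <!-- WEB-INF/weblogic.xml: bind the role to realm principals -->
    <security-role-assignment>
      <role-name>dealers</role-name>
      <!-- principal-name is matched against users and groups in the realm;
           naming the LDAP group grants the role to all of its members -->
      <principal-name>dealers</principal-name>
    </security-role-assignment>
    ```

    Check the result from the server rather than from the files: log in as dealer1 and as a user outside the group and request /dealer/ from each; the second should get the form login page or a 403, never the content. If the group is not found by the LDAP authenticator (wrong group base DN or filter), the role is silently granted to nobody, so that negative test is the one that matters.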

  • Web app security in NW

    Hi SDN,
    Can someone suggest or point to help/documentation on any NW settings related to the following three security items:
    1. Cross-site Scripting
    2. MYSAPSSO2 Cookie encryption (as it is, is it secure?),
    3. SQL Injection
    Is there a comprehensive config doc including these issues?
    I will really appreciate any help.
    Shahid

    Hi Shahid,
    For cross site scripting the below link will be helpful
    [http://help.sap.com/saphelp_nw70/helpdata/EN/81/233d54d8c744c09b4434babf7b0879/frameset.htm]
    The SAP Internet Transaction Server (SAP ITS) is integrated into the kernel of the SAP Web Application Server 6.40 as an Internet Communication Framework (ICF) service called the integrated ITS. This needs to be configured and requires kernel and service parameters.
    For MYSAPSSO2, which is a cookie, see the service parameters at:
    [http://help.sap.com/saphelp_nw70/helpdata/EN/07/496884370b11d480a000c04f99fbf0/frameset.htm]
    For SQL injection:
    [http://help.sap.com/saphelp_nw70/helpdata/EN/a8/813dcc006141719086e9f0f27ab8b3/frameset.htm]
    All of these pertain to secure user interfaces, which covers all three items.
    Hope this is helpful
    Regards,
    Shaila

  • Firewalling vlans on Catalyst 6500 by using Cisco ASA Firewalls

    Hello,
    How to secure vlans on Catalyst 6500 by using Cisco ASA Firewalls?
    There are no free modules on Catalyst 6500 to install a FWSM module.
    What is the best configuration to secure vlans (~80 vlans) by using cisco ASA firewalls (context, hairpining...)?
    Thanks

    Hi Bro
    Just to understand your question once again: you don't have any more available slots in your present Cat6K, but you want to know how to secure the VLANs or SVIs that have been configured on your Cat6K?
    If you were to ask me, I would not apply a bunch of ACLs on the Cat6K, for starters. You might wanna look into CoPP (Control Plane Policing) instead. Furthermore, you could also refer to this Cisco document http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml
    However, if you do have a Cisco ASA FW appliance (not a module, I presume from your question), you could enable ACLs, the threat-detection feature, IP Audit features, reverse-path policing, capping of the embryonic connection values, etc.
    P.S.: If you think this comment is useful, please do rate them nicely :-)
