Web app security ... i don't get it

I do not get how one configures web.xml.
I want every page to be protected against unlogged users and some pages available only to some of them.
From what I read it's only necessary to have one root role that every user is part of, and then any sub-role is recognized.
My use case:
every page should be protected against unauthorized users
<security-constraint>
        <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
        <web-resource-collection>
            <web-resource-name>JSF Pages</web-resource-name>
            <url-pattern>/faces/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>fullaccess</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
and I want managers only to have access to /managers, so I guess that a new <security-constraint> must be issued to allow the users that have the managers role to access the resource.
<security-constraint>
        <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
        <web-resource-collection>
            <web-resource-name>JSF Pages</web-resource-name>
            <url-pattern>/faces/manager/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>managers</role-name> <!-- ???? -->
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
What are the roles that must be declared in web.xml knowing that
<security-role-assignment>
         <role-name>fullaccess</role-name>
         <principal-name>public</principal-name>
     </security-role-assignment>
</weblogic-web-app>
and in the realm the public group has a member 'managers' (that in my opinion must not be mapped)?
At the moment there is only
  <security-role>
        <description>acces pe toate paginile web</description>
        <role-name>fullaccess</role-name>
    </security-role>
thanks, Florin POP
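
How a servlet container chooses between the two constraints in the question, as an added example that is not part of the original post or of any WebLogic code: the url-pattern that best matches the request is selected first, and then only the constraints on that pattern that cover the request's HTTP method apply. The descriptor below is constructed from the post's two constraints (the second collection name is changed), and load, match_rank, decide and undeclared_roles are hypothetical helper names; the "*" role shorthand and the role-to-principal mapping in weblogic.xml are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the two constraints from the question, with only
# "fullaccess" declared as a security-role, as in the post.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSF Pages</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>fullaccess</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager Pages</web-resource-name>
      <url-pattern>/faces/manager/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>managers</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>fullaccess</role-name></security-role>
</web-app>"""


def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}web-app'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in elem.iter() if _local(c.tag) == name]


def load(xml_text):
    """Return (constraints, declared_roles) parsed from a web.xml string."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        # None = no auth-constraint at all; empty set = nobody is allowed.
        roles = set(_texts(auth[0], "role-name")) if auth else None
        for wrc in _children(sc, "web-resource-collection"):
            constraints.append({
                "patterns": _texts(wrc, "url-pattern"),
                "methods": set(_texts(wrc, "http-method")),  # empty = all methods
                "roles": roles,
            })
    declared = set()
    for sr in _children(root, "security-role"):
        declared.update(_texts(sr, "role-name"))
    return constraints, declared


def match_rank(pattern, path):
    """Rank how well a url-pattern matches path; None means no match."""
    if pattern == path:
        return (3, len(pattern))                  # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))               # longest path prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                             # extension match
    if pattern == "/":
        return (0, 0)                             # default pattern
    return None


def decide(constraints, path, method, user_roles):
    """Return 'permit', 'deny' (login challenge or 403) or 'unconstrained'."""
    ranked = [(match_rank(p, path), p) for c in constraints for p in c["patterns"]]
    ranked = [(r, p) for r, p in ranked if r is not None]
    if not ranked:
        return "unconstrained"
    best = max(ranked)[1]                         # best-matching pattern only
    selected = [c for c in constraints if best in c["patterns"]
                and (not c["methods"] or method in c["methods"])]
    if not selected:
        return "unconstrained"                    # method not listed on that pattern
    if any(c["roles"] is not None and not c["roles"] for c in selected):
        return "deny"                             # empty auth-constraint
    if any(c["roles"] is None for c in selected):
        return "permit"                           # no auth-constraint
    allowed = set().union(*(c["roles"] for c in selected))
    return "permit" if allowed & set(user_roles) else "deny"


def undeclared_roles(constraints, declared):
    """Roles used in an auth-constraint but missing a <security-role> entry."""
    used = set().union(*(c["roles"] or set() for c in constraints))
    return used - declared - {"*"}


if __name__ == "__main__":
    cs, declared = load(WEB_XML)
    for path, method, roles in [
        ("/faces/index.xhtml", "GET", {"fullaccess"}),
        ("/faces/manager/report.xhtml", "GET", {"fullaccess"}),
        ("/faces/manager/report.xhtml", "GET", {"managers"}),
        ("/faces/manager/report.xhtml", "PUT", set()),
    ]:
        print(path, method, sorted(roles), "->", decide(cs, path, method, roles))
    print("undeclared roles:", sorted(undeclared_roles(cs, declared)))
```

With the descriptor as posted, managers is reported as undeclared, so it needs its own <security-role> entry next to fullaccess. Leaving <http-method> out of a collection makes the constraint cover every method on that pattern.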

Hi guys.
A username and password info to connect to BC is the following:
Username - Your adobe ID email
Password - Your password.
To connect to SFTP it's...
Server: Just the address (yoursite.businesscatalyst.com)
username - yoursite.businesscatalyst.com/[email protected]
Password - your password.

Similar Messages

  • Web app security exception: Bad URLMatchMap

    Can anyone help me diagnose an error? I am simply trying to place a security constraint
    on a servlet within an ear-deployed web-application.
    The exception occurs as the first POST comes to the servlet I am trying to protect:
    <Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
    java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
    at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
    at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAppSecurity.java:135)
    at weblogic.servlet.security.internal.SecurityModule.checkTransport(SecurityModule.java:177)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:48)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:150)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:1250)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1622)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    >
    <?xml version="1.0" ?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
    'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
    <web-app>
    <display-name>ANSWeb</display-name>
    <description>no description</description>
    <servlet>
    <servlet-name>UPMessageServlet</servlet-name>
    <display-name>UPMessageServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>ANSServlet</servlet-name>
    <display-name>ANSServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
    <load-on-startup />
    </servlet>
    <servlet>
    <servlet-name>WCTPServlet</servlet-name>
    <display-name>WCTPServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>UPMessageServlet</servlet-name>
    <url-pattern>/UPMessage</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>ANSServlet</servlet-name>
    <url-pattern>/Server</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>WCTPServlet</servlet-name>
    <url-pattern>/WCTPCallback</url-pattern>
    </servlet-mapping>
    <session-config>
    <session-timeout>30</session-timeout>
    </session-config>
    <resource-ref>
    <description>no description</description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <res-type>java.net.URL</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Protected Server</web-resource-name>
    <url-pattern>/Server</url-pattern>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Client</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>Client</role-name>
    </security-role>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <home>com.aether.ans.server.ANSServerHome</home>
    <remote>com.aether.ans.server.ANSServer</remote>
    </ejb-ref>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <ejb-ref-type>Entity</ejb-ref-type>
    <home>com.aether.ans.entity.AlertHome</home>
    <remote>com.aether.ans.entity.Alert</remote>
    </ejb-ref>
    </web-app>
    <?xml version="1.0" ?>
    <!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
    'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
    <weblogic-web-app>
    <description>no description</description>
    <security-role-assignment>
    <role-name>Client</role-name>
    <principal-name>Client</principal-name>
    </security-role-assignment>
    <reference-descriptor>
    <resource-description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <jndi-name>ans.url.dtd</jndi-name>
    </resource-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <jndi-name>ejb.Alert</jndi-name>
    </ejb-reference-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <jndi-name>ejb.ANSServer</jndi-name>
    </ejb-reference-description>
    </reference-descriptor>
    </weblogic-web-app>

    Hi Andrew,
    Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
    Kind Regards,
    Alex

  • Web app security & IIS?

    I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
    authentication. I don't want to use FORM because the original Perl app (from which
    my web app is derived) also used BASIC and I don't want the interface to change.
    I've found that the security works great if I go directly to the weblogic server,
    so it looks like the problem is with IIS (we're forwarding requests from IIS to
    WebLogic). I think the problem lies in my web.xml. It has this in it:
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MLV Users Only</realm-name>
    </login-config>
    From what I can tell, weblogic just uses the realm-name as a label in the dialog
    box that pops up, and for nothing else. My guess is that IIS is really trying
    to use this as a security realm.
    Am I on the right track? Anyone got any hints?
    Gary

  • Web app security not working

    Hi,
    I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
    app.
    I created an App and created a web project. In it, I deleted the controller, etc
    and just have index.jsp. All the index.jsp does is: <%= request.getRemoteUser()
    %>
    In web.xml I have
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>*</role-name>
    </security-role>
    In weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    When I run the app, it just renders the JSP and does not challenge me to login.
    Can you please help what is that I am doing wrong here?
    Thanks,
    John

    "john hryn" <[email protected]> wrote in message
    news:3fce2551$[email protected]..
    >
    Hi,
    I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
    app.
    I created an App and created a web project. In it, I deleted the controller, etc
    and just have index.jsp. All the index.jsp does is: <%=request.getRemoteUser()
    %>
    In web.xml I have
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>
    I think you should have dealers instead of *
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>*</role-name>
    And here too.
    </security-role>
    In weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>

  • Web app security + JAAS

    I'm working on the authentication/authorisation aspects of a fairly
    large web application using WLS 6.0 (ie allowing users to login and
    access resources based on role etc).
    Its a standard JSP/Servlet/EJB type architecture and so far it seems
    the FORM-based authentication will serve our needs well. However, I've
    been instructed (by higher powers) to investigate JAAS authentication.
    It looks far more complex to implement so my question is, does it
    offer any significant advantages that justify the extra work?
    Thanks for your time.

  • Web App Security Fallback (client-cert then form-based)

    Can you setup a web application to fall back to form-based login if the
    client-cert (i.e. identity assertion token) is not available. I think this
    would be very valuable because once you've configured the web app to use the
    "client-cert" authentication, you can't access the web app directly (i.e.
    browser->weblogic server). You will always need to go through the perimeter
    authenticator so the token gets sent.

    Solution found:
    The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

  • My credit has been charge for buy in-app purchase but don't get it

    buy 49.99 in-app purchase ( call of mini : double shot ) but don't get it due to game has a bug ( long loading &can't play)
    after type password . i already sent mail to dev but no response . what should i do ?

    I have and before the Credit card Co. could issue a refund Apple refunded the In-App purchases.  Apple has refunded them every time and then I get an email from someone in India telling me how to restrict In-App purchases.  It's apparent that they cannot/do not read the emails sent to them because I WANTED TO MAKE THE IN-APP PURCHASES.... I want them to download to my device also.... Apple is great at charging you for something and then playing stupid when an issue arises.... they acted as though I'm the only person having this issue.... 45 days and counting and still no resolution...
    Gets old quick telling them I want the in-app purchases, getting a credit & being told to make the purchase again only to have the same thing happen again...
    Isn't there a saying that goes: repeating the same process and expecting a different result is the definition of insanity.....

  • Web App Security Firewall Using Catalyst 6500 w/ CSM

    We are evaluating web application security firewalls. The other products can recognize application level attacks such as SQL insertion and deranged parameters. Some of my colleagues believe that the CSM (which we already have deployed) has these sorts of capabilities.
    While the CSM has some layer 7 capabilities, my read of the specs does not suggest that it is suited to this function.
    Anyone have experience or input?
    Thanks!

    The same as a SYN attack protection feature.
    That's all.
    It does not have content analysis for intrusion detection.
    Regards,
    Gilles.

  • Web App Security

    Hello,
    I'll soon be developing a web application in which security is a major concern, and I'd like some advice about some technologies I'm evaluating to get the job done. I couldn't get comparisons on security power offered by each.
    - Web tier: I have some experience on JSP and JS; besides HTTPS, JSF seems to provide better, out-of-the-box, support for some of our requirements (internationalization, better security, AJAX) and some soon-useful fancy features like little html modal boxes; even considering the learning curve to use JSF (I never used it before), is there a better candidate for this layer? (I'm thinking of RichFaces or MyFaces)
    - Business tier: I can use EJB3 or Hibernate + Spring or whatever combinations works best, I simply couldn't be sure if one can be considered safer than the other (I will use roles as well).
    I'll be using JBoss (4.x) and MySQL DB.
    Thanks

    I'm not familiar with JSF, only JSP, but here is the rundown on security as I understand it (you can supplement it with further research).
    * Use MVC design where the presentation layer only displays data and submits back to the server (example: update button). There is no business logic or database logic in the JSP page. A JSP tag that queries the database is a bad idea from a security point of view since a hacker may be able to reverse engineer it and alter the query.
    * In your database layer (MVC design), put all your database access. Use only prepared statements (never regular statements). Pass parameters into the prepared statement. Example: update person set person_id=?. You are therefore not subject to SQL injection as is the statement object (research SQL injection if you're not familiar with it).
    * Use javascript for basic client side validation checks (field can't be null, field is incorrect date format, field has a value too large) and block submitting to the server via update button if not pass. Duplicate the client side validation back on the server, and also provide any advanced validation checks. This way, a hacker can't bypass your validation on the client side and submit bad data. To be really strict, consider every possible keyboard value a user can type in and validate it to determine if those special chars are allowed.
    * Click 'view source' on the browser and look at what HTML was generated by the JSP. Are there any variables on the page that are sensitive that you don't want the user to see? Such as the name of database tables or database fields? If so, you will have to create an alias on the JSP that maps back to the name of the database table or field after you submit the page.
    * Each user should be restricted to a role that limits what JSP pages he can see, and what he can alter on those JSP pages. Example, you have an admin role and endUser role. Note your application has a userID/password to access the database (with a fair amount of access to each table), each user doesn't have his own userID/password to the database (with restricted access to a subset of tables). The userID/password should be stored in the context file of your application and accessed via JNI. Example, if your application is called myAppl, then the context file under tomcat is called myAppl.xml (it's automatically generated by Eclipse when you launch your application).
    * The end user shouldn't be able to call up a JSP page by navigating directly to that JSP page via its URL (they should be redirected either to the login page or an error page).
    Instead, all urls should have to go through a central servlet to check to see if he's logged in and is within a valid session. The servlet then dispatches to the correct JSP page. This example is not Struts or Spring framework, but instead, a single controller servlet design. You'll have to look up what Struts and Spring alternatively does in such a situation.
    * You should research buffer overflow attack and how to avoid it.
    * For the business layer, I believe it's either EJB3 OR Spring, not both (I could be wrong).
    * Hibernate is used in the database layer. I suggest you use JDBC with DAO instead until you are very familiar with it before doing a project in Hibernate. You should know what Hibernate buys you over that of JDBC/DAO before justifying using it.
    * You should allow a new user to create a new password. The password should be validated to ensure it's a strong password. You should also use SSL to communicate to the server.
    * I think Spring is an alternative to EJB3 and therefore both shouldn't be used. I suggest using only Spring. Create a two or three page JSP page project (with login), refactor the heck out of it (create a clean MVC design), then let your team add all the rest of the project to it.

  • Web app security question

    Hi,
    I have a basic question about securing web applications. In our app, we have myRealm
    pointing to an LDAP store. The store has (lets say) a group called 'dealers' and
    it has a user 'dealer1'.
    Now, in WEB-INF/weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    Does the role name in weblogic.xml map to the groups called dealers in LDAP? I
    have no specific roles configured in myRealm.
    Thanks,
    John

    "John Hryn" <[email protected]> wrote in message
    news:3fce2328$[email protected]..
    >
    Hi,
    I have a basic question about securing web applications. In our app, we have myRealm
    pointing to an LDAP store. The store has (lets say) a group called 'dealers' and
    it has a user 'dealer1'.
    Now, in WEB-INF/weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    Does the role name in weblogic.xml map to the groups called dealers in LDAP? I
    have no specific roles configured in myRealm.
    Yes. http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html#1036790
    You can specify groups or individual usernames.

  • Web app security in NW

    Hi SDN,
    Can someone suggest or point to help/documentation on any NW settings related to the following three security items:
    1. Cross-site Scripting
    2. MYSAPSSO2 Cookie encryption (as it is, is it secure?),
    3. SQL Injection
    Is there a comprehensive config doc including these issues?
    I will really appreciate any help.
    Shahid

    Hi Shahid,
    For cross site scripting the below link will be helpful
    [http://help.sap.com/saphelp_nw70/helpdata/EN/81/233d54d8c744c09b4434babf7b0879/frameset.htm]
    The SAP Internet Transaction Server (SAP ITS) is integrated into the kernel of the SAP Web Application Server 6.40 as an Structure Internet Communication Framework (ICF) service called the integrated ITS. this needs to be configured and requires kernel and service parameters.
    For MYSAPSSO2 which is a cookie available at service parameters:
    [http://help.sap.com/saphelp_nw70/helpdata/EN/07/496884370b11d480a000c04f99fbf0/frameset.htm]
    For SAP injection
    [http://help.sap.com/saphelp_nw70/helpdata/EN/a8/813dcc006141719086e9f0f27ab8b3/frameset.htm]
    All these are pertaining to secure user interfaces which includes all these three.
    Hope this is helpful
    Regards,
    Shaila

  • When I download from App Store I don't get asked for my Apple ID password!

    I am having a problem with ensuring my children are not downloading expensive apps on my iphone4 and our older iphone3.  The problem is I am not asked for my Apple ID and password once I've signed.  How can I ensure it comes up every time? 

    JonM2 wrote:
    Right now I have restrictions on for installing apps, but it is a hassle to go back to settings>general>restrictions>enter password>turn on install apps>then go back to app store for purchase.  Any suggestions?
    if that is such a hassle then why don't you just tell your kids they are not allowed to download any apps without asking you first?

  • Items or messages shared from within apps by email don't get sent but sit in the Mail app outbox until sent manually.

    Many apps, including the Photos app, allow many options for sharing or social networking. When I select to send by the Mail app the message never gets sent as I would expect, but remains in the Mail Outbox until I remember to drill down to the Outbox and send it manually.
    Has anyone else had this problem?
    Is this normal?
    Is there a 'Setting' that causes this?
    Why doesn't the message just go?
    Hope you can help.

    I've been having similar issues with my iPhone 5 and the latest iOS version.  I read somewhere else about an issue with having Exchange and Imap in use with Mail being an issue.  I had both, but had my Exchange connection to Gmail off.  I was still having the issue.
    The solution that worked was to delete my Exchange Gmail account.  Now, emails are being sent immediately.  If you have Exchange and Imap Gmail accounts on your iPhone, pick one and delete the other.  Good luck.

  • Web modules don't get deployed to cluster instance directory

    Hi,
    I have a domain with one cluster, which has one instance. Sometimes (!), the web applications I deploy don't get unpacked in the directory {instanceRoot}/applications/j2ee-modules but only in {domainRoot}/applications/j2ee-modules. When that happens, they don't work and I cannot access them through their URL.
    I deploy them using the web admin console, enable the to the cluster in question. Everything goes ok (or at least the UI says so) and in the domain.xml I have this:
    <web-module availability-enabled="false" context-root="/myapp" directory-deployed="false" enabled="true" location="${com.sun.aas.instanceRoot}/applications/j2ee-modules/myapp" name="myapp" object-type="user"/>
    <server...
    <application-ref disable-timeout-in-minutes="30" enabled="true" lb-enabled="false" ref="myapp"/>
    <cluster...
    <application-ref disable-timeout-in-minutes="30" enabled="true" lb-enabled="false" ref="myapp"/>
    In both the apps the were copied to the instance applications dir and in the ones that remained only in the domain applications dir (and do not work). In the latter, the location dir does not exist.
    Anyone has gone through any similar situation? This deployment process is a bit confusing for me, wrt instances, clusters, domains etc.
    Thanks!
    João.

    Thanks for the answer.
    But how is this mechanism controlled? Sometimes, the domain just doesn't seem to propagate the changes to the cluster instances (or stand-alone instances). For example, sometimes when I change a property of a data source through the admin gui of the domain, it does not get propagated to the desired instance config, even after restarting the whole system.
    I think that it may have something to do with the manual changes that I have to do sometimes in the domain.xml file (this is needed when you have huge config changes to be replicated in many servers).
    Is there any option to enforce the replication of the config from the domain to the instances? Or at least to make it verbose so that I can realize what is going on underneath.
    Thanks.

  • Members regular gift contacts with web apps?

    Hi All,
    Appreciate if anyone can help.  I am building an online gift shop and my customer wants the ability for the regular customers to be able to log in and store their friends and family special dates.  For example, Wife's Engagement, Wife's Birthday, Sister etc..  Once these are stored, the customer can log in and simply choose the gift and select "Wife" and it will automatically add in the address details to an order form.
    I am thinking to do this as a web app, but i have two main questions:
    1. Can a web app be created so that a member can only see and edit those contacts he created?
    2. How can an order form capture these details after the member selects "wife" etc..
    Then further on the back of this, say he adds in wife's birthday into the web app, can this then be used by the email marketing to automatically send an email to customer to remind him about wife's birthday and order gift?
    Thanks for all your help.
    Scott

    To answer your questions about number 1:  You can have a website user login to a secure zone.  Once inside the secure zone you can add a form to add a web app item.  Once the item is submitted by the user while they are in a secure zone it gets "attached" to their account.  When a web app item is attached to a user you can show them a list of their submitted web apps in the secure zone only.   You could list these publicly as well but that's not a good idea if it's a collection of personal information like addresses.
    My concern with this is I know that BC creates a public URL for each web app item.  This gets included in your sitemap.xml file automatically.  The only way to avoid this is to disable the web app item but that also will disable it from being shown to logged in users when you list their submitted web app items.
    Because of this concern I don't think it's possible to achieve what you want.  The web app items are considered public and I don't think there's a way to turn that off.  I hope someone has a way around this, but I can't think of one. And because of the public nature of web app items I don't think web apps is the way to go.
    You'd think that you could do it with an extended CRM dataset but I'm not sure how you'd go about it.
    Re: Automated emails to your customer.  That is possible.  BC has a set number of fields that email campaigns use to send email campaigns against.  The first one is "Birthday" and the other are open-ended for you to use any type of date-- anniversary, etc.
    Here are some links about automating emails based on dates: http://bcgurus.com/blog/birthday-email-marketing-campaigns
    And: http://forums.adobe.com/docs/DOC-2541
    But, again, there's a set number of fields for anniversary dates right now in BC so they can only add a few of them which might not be applicable for your case.
