Web app security & IIS?

I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
authentication. I don't want to use FORM because the original Perl app (from which
my web app is derived) also used BASIC and I don't want the interface to change.
I've found that the security works great if I go directly to the weblogic server,
so it looks like the problem is with IIS (we're fowarding requests from IIS to
WebLogic). I think the problem lies in my web.xml. It has this in it:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MLV Users Only</realm-name>
</login-config>
From what I can tell, weblogic just uses the realm-name as a label in the dialog
box that pops up, and for nothing else. My guess is that IIS is really trying
to use this as a security realm.
Am I on the right track? Anyone got any hints?
Gary

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Similar Messages

  • Web app security not working

    Hi,
    I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
    app.
    I created an App and created a web project. In it, I deleted the controller, etc
    and just have index. jsp. All the index.jsp does is: <%= request.getRemoteUser()
    %>
    In web.xml I have
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>*</role-name>
    </security-role>
    In weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    When I run the app, it just renders the JSP and does not challenge me to login.
    Can you please help what is that I am doing wrong here?
    Thanks,
    John

    "john hryn" <[email protected]> wrote in message
    news:3fce2551$[email protected]..
    >
    Hi,
    I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
    app.
    I created an App and created a web project. In it, I deleted thecontroller, etc
    and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
    %>
    In web.xml I have
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>I think you should have dealers instead of *
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>*</role-name>And here too.
    </security-role>
    In weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>

  • Office Web Apps Server IIS site disappeared?

    I deployed an Office Web Apps server on a dedicated VM to be used for Lync 2013. After the initial installation / set up, I confirmed the discovery URL. It worked fine.
    However, after one point in time, PowerPoint Presentations stopped working. When trying to share a PPT presentation, the Lync client popped up a message saying "Sorry, we couldn't upload <ppt file name> because we're having trouble connecting
    to the service. If this keeps happening, try contacting your support team". I've done many many Lync and Office Web Apps install myself previously, and never had a message pop up like the one I saw in this case.
    I tried going to the Web Apps discovery URL again, and it didn't get anywhere. I got on the Web Apps server and all the IIS sites were wiped.
    I tried uninstalling the Office Web Apps server and reinstalling, but from that point on, IIS sites for Web Apps just would not appear under IIS manager.
    Has anyone had similar issue with Office Web Apps?
    Thanks,
    Andrew Shin, TechNet Forum replies

    Hello,
    Maybe the windows update is active and configured to Automatically download and installed update of Office Web Apps and this behavior just breaking your setup.
    Try
    remove the farm of WAC
    Install SP1  
    and start new deployment of farm.
    Link SP1
     http://www.microsoft.com/en-us/download/details.aspx?id=42547
    How update your farm Office Web Apps
     http://technet.microsoft.com/en-us/library/jj966220(v=office.15).aspx
    Hugs[]s
    Robson Hasselhoff - Follow me @Robk9e

  • Web app security + JAAS

    I'm working on the authentication/authorisation aspects of a fairly
    large web application using WLS 6.0 (ie allowing users to login and
    access resources based on role etc).
    Its a standard JSP/Servlet/EJB type architecture and so far it seems
    the FORM-based authentication will serve our needs well. However, I've
    been instructed (by higher powers) to investigate JAAS authentication.
    It looks far more complex to implement so my question is, does it
    offer any significant advantages that justify the extra work?
    Thanks for your time.

    "john hryn" <[email protected]> wrote in message
    news:3fce2551$[email protected]..
    >
    Hi,
    I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
    app.
    I created an App and created a web project. In it, I deleted thecontroller, etc
    and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
    %>
    In web.xml I have
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>I think you should have dealers instead of *
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>*</role-name>And here too.
    </security-role>
    In weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>

  • Web app security exception: Bad URLMatchMap

    Can anyone help me diagnose an error? I am simply trying to place a security constraint
    on a servlet within an ear-deployed web-application.
    The exception occurs as the first POST comes to the servlet I am trying to protect:
    <Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
    java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
    at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
    at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAp
    pSecurity.java:135)
    at weblogic.servlet.security.internal.SecurityModule.checkTransport(Secu
    rityModule.java:177)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSe
    curityModule.java:48)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess
    (ServletSecurityManager.java:150)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppSe
    rvletContext.java:1250)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestIm
    pl.java:1622)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    >
    <?xml version="1.0" ?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
    'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
    <web-app>
    <display-name>ANSWeb</display-name>
    <description>no description</description>
    <servlet>
    <servlet-name>UPMessageServlet</servlet-name>
    <display-name>UPMessageServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>ANSServlet</servlet-name>
    <display-name>ANSServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
    <load-on-startup />
    </servlet>
    <servlet>
    <servlet-name>WCTPServlet</servlet-name>
    <display-name>WCTPServlet</display-name>
    <description>no description</description>
    <servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>UPMessageServlet</servlet-name>
    <url-pattern>/UPMessage</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>ANSServlet</servlet-name>
    <url-pattern>/Server</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>WCTPServlet</servlet-name>
    <url-pattern>/WCTPCallback</url-pattern>
    </servlet-mapping>
    <session-config>
    <session-timeout>30</session-timeout>
    </session-config>
    <resource-ref>
    <description>no description</description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <res-type>java.net.URL</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Protected Server</web-resource-name>
    <url-pattern>/Server</url-pattern>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Client</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>Client</role-name>
    </security-role>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <home>com.aether.ans.server.ANSServerHome</home>
    <remote>com.aether.ans.server.ANSServer</remote>
    </ejb-ref>
    <ejb-ref>
    <description>no description</description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <ejb-ref-type>Entity</ejb-ref-type>
    <home>com.aether.ans.entity.AlertHome</home>
    <remote>com.aether.ans.entity.Alert</remote>
    </ejb-ref>
    </web-app>
    <?xml version="1.0" ?>
    <!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
    'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
    <weblogic-web-app>
    <description>no description</description>
    <security-role-assignment>
    <role-name>Client</role-name>
    <principal-name>Client</principal-name>
    </security-role-assignment>
    <reference-descriptor>
    <resource-description>
    <res-ref-name>url/ANS.dtd</res-ref-name>
    <jndi-name>ans.url.dtd</jndi-name>
    </resource-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/Alert</ejb-ref-name>
    <jndi-name>ejb.Alert</jndi-name>
    </ejb-reference-description>
    <ejb-reference-description>
    <ejb-ref-name>ejb/ANSServer</ejb-ref-name>
    <jndi-name>ejb.ANSServer</jndi-name>
    </ejb-reference-description>
    </reference-descriptor>
    </weblogic-web-app>

    Hi Andrew,
    Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
    Kind Regards,
    Alex

  • Web app security ... i don't get it

    I do not get it how do one configure web.xml
    I want every page to be protected against unlogged user and some pages only to some of them
    From what I read it's only necessary to have only one root role that every user is part of and then any sub-role is recognized
    My use case:
    every page should be protected against unauthorized user
    <security-constraint>
            <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
            <web-resource-collection>
                <web-resource-name>JSF Pages</web-resource-name>
                <url-pattern>/faces/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>fullaccess</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>and I want that managers only to have access to /managers so I guess that a new </security-constraint> must be issued to allow the users that have managers role to access the resource.
    <security-constraint>
            <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
            <web-resource-collection>
                <web-resource-name>JSF Pages</web-resource-name>
                <url-pattern>/faces/manager/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>managers</role-name> ????
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint> What are the roles that must be declared in web.xml knowing that
    <security-role-assignment>
             <role-name>fullaccess</role-name>
             <principal-name>public</principal-name>
         </security-role-assignment>
    </weblogic-web-app> and in the realm public group has a member 'managers' (that in my opp must not be mapped)?
    ..on the moment there is only
      <security-role>
            <description>acces pe toate paginile web</description>
            <role-name>fullaccess</role-name>
        </security-role>thanks, Florin POP

    Hi guys.
    A username and password info to connect to BC is the following:
    Username - Your adobe ID email
    Password - Your password.
    To connect to SFTP its...
    Server: Just the address (yoursite.businesscatalyst.com)
    username - yoursite.businesscatalyst.com/[email protected]
    Password - your password.

  • Web App Security Fallback (client-cert then form-based)

    Can you setup a web application to fall back to form-based login if the
    client-cert (i.e. identity assertion token) is not available. I think this
    would be very valuable because once you've configured the web app to use the
    "client-cert" authentication, you can't access the web app directly (i.e.
    browser->weblogic server). You will always need to go through the perimeter
    authenticator so the token gets sent.

    Solution found:
    The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
    In your web.xml, forward your 401 code to login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

  • Web App Security Firewall Using Catalyst 6500 w/ CSM

    We are evaluating web application security firewalls. The other products can recognize application level attacks such as SQL insertion and deranged parameters. Some of my colleagues believe that the CSM (which we already have deployed) has these sorts of capabilities.
    While the CSM has some layer 7 capabilities, my read of the specs does not suggest that it is suited to this function.
    Anyone have experience or input?
    Thanks!

    The same as a SYN attack protection feature.
    That's all.
    It does not have content analysis for intrusion detection.
    Regards,
    Gilles.

  • Web app security question

    Hi,
    I have a basic question about securing web applications. In our app, we have myRealm
    pointing to an LDAP store. The store has (lets say) a group called 'dealers' and
    it has a user 'dealer1'.
    Now, in WEB-INF/weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    Does the role name in weblogic.xml map to the groups called dealers in LDAP? I
    have no specific roles configured in myRealm.
    Thanks,
    John

    "John Hryn" <[email protected]> wrote in message
    news:3fce2328$[email protected]..
    >
    Hi,
    I have a basic question about securing web applications. In our app, wehave myRealm
    pointing to an LDAP store. The store has (lets say) a group called'dealers' and
    it has a user 'dealer1'.
    Now, in WEB-INF/weblogic.xml I have
    <security-role-assignment>
    <role-name>dealers</role-name>
    <principal-name>dealer1</principal-name>
    </security-role-assignment>
    Does the role name in weblogic.xml map to the groups called dealers inLDAP? I
    have no specific roles configured in myRealm.
    Yes. http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html#1036790
    You can specify groups or individual usernames.

  • Web app security in NW

    Hi SDN,
    Can someone suggest or point to help/documentation on any NW settings related to the following three security items:
    1. Cross-site Scripting
    2. MYSAPSSO2 Cookie encryption (as it is, is it secure?),
    3. SQL Injection
    Is there a comprehensive config doc including these issues?
    I will really appreciate any help.
    Shahid

    Hi Shahid,
    For cross site scripting the below link will be helpful
    [http://help.sap.com/saphelp_nw70/helpdata/EN/81/233d54d8c744c09b4434babf7b0879/frameset.htm]
    The SAP Internet Transaction Server (SAP ITS) is integrated into the kernel of the SAP Web Application Server 6.40 as an Structure Internet Communication Framework (ICF) service called the integrated ITS. this needs to be configured and requires kernel and service parameters.
    For MYSAPSSO2 which is a cookie available at service parameters:
    [http://help.sap.com/saphelp_nw70/helpdata/EN/07/496884370b11d480a000c04f99fbf0/frameset.htm]
    For SAP injection
    [http://help.sap.com/saphelp_nw70/helpdata/EN/a8/813dcc006141719086e9f0f27ab8b3/frameset.htm]
    All these are pertaining to secure user intefaces which includes all these three.
    Hope this is heplful
    Regards,
    Shaila

  • Web App Security

    Hello,
    I'll soon be developing a web application in which security is a major concern, and I'd like some advices about some technologies I'm evaluating to get the job done. I couldn't get comparisons on security power offered by each.
    - Web tier: I have some experience on JSP and JS; besides HTTPS, JSF seems to provide better, out-of-the-box, support for some of our requirements (internationalization, better security, AJAX) and some soon-useful fancy features like little html modal boxes; even considering the learning curve to use JSF (I never used it before), is there a better candidate for this layer? (I'm thinking of RichFaces or MyFaces)
    - Business tier: I can use EJB3 or Hibernate + Spring or whatever combinations works best, I simply couldn't be sure if one can be considered safer than the other (I will use roles as well).
    I'll be using JBoss (4.x) and MySQL DB.
    Thanks

    I'm not familar with JSF, only JSP, but here is the run down on security as I understand it (you can suppliment it with further research).
    * Use MVC design where the presentation layer only displays data and submits back to the server (example: update button). There is no business logic or database logic in the JSP page. A JSP tag that queries the database is a bad idea from a security point of view since a hacker may be able to reverse engineer it and alter the query.
    * In your database layer (MVC design), put all your database access. Use only prepared statements (never regular statements). Pass parameters into the prepared statement. Example: update person set person_id=?. You are therefore not subject to SQL injection as is the statement object (research SQL injection if your not familar with it).
    * Use javascript for basic client side validation checks (field cant be null, field is incorrect date format, field has a value too large) and block submitting to the server via update button if not pass. Duplicate the client side validation back on the server, and also provide any advanced valiation checks. This way, a hacker can't bypass your validaiton on the client side and submit bad data. To be really strict, consider every possible keyboard value a user can type in and validate it to determine if those special chars are allowed.
    *Click 'view source' on the browser and look at what HTML was generated by the JSP. Is there any variables on the page that is sensitive that you don't want the user to see? Such as the name of database tables or database fields? If so, you will have to crate an alias on the JSP that maps back to the name of the datbase table or field after you submit the page.
    * Each user should be restircted to a role that limits what JSP pages he can see, and what he can alter on those JSP pages. Example, you have an admin role and endUser role. Note your application has a userID/password to access the database (with a fair amount of access to each table), each user doesn't have his own userID/password to the database (with restricted access to a subset of tables). The userID/password should be stored in the context file of your applicaiton and accessed via JNI. Example, if your application is called myAppl, then the context file under tomcat is called myAppl.xml (its automatically geneated by Eclipse when you launch your application).
    * The end user shouldn't be able to call up a JSP page by navigating directly to that JSP page via its URL (they should be redirected either to the login page or an error page).
    Instead, all urls should have to go through a central servlet to check to see if he's logged in and is within a valid session. The servlet then dispatches to the correct JSP page. This example is not Struts or Spring framework, but instead, a single controller servlet design. You'll have to look up what Struts and Spring alternatively does in such a situation.
    * You should research buffer overflow attack and how to avoid it.
    * For the business layer, I believe its Either EJB3 OR Spring, not both (I could be wrong).
    * Hibernate is used in the database layer. I suggest you you JDBC with DAO instead until you are very familar with it before doing a project in Hibernate. You should know what Hibernate buys you over that of JDBC/DAO before justifying using it.
    * You should allow a new user to create a new password. The password should validated to ensure its a strong password. You should also use SSL to communicate to the server.
    * I think Spring is an alternative to EJB3 and therefore both shouldn't be used. I suggest using only Spring. Create a two or three page JSP page project (with login), refactor the heck out of it (create a clean MVC design), then let your team add all the rest of the project to it.

  • Large File Upload ~50mb Fails using Firefox/Safari. Upload Limit is 1gig set at Web App. IIS timeout set at 120 seconds.

    Strange issue.  User can upload the file using IE9, but cannot do the same using Safari, Chrome, or FireFox.  The library resides in a Site Collection that was migrated from a 2010 Site Collection.  The timeout on IIS is 120 seconds.Very strange
    indeed.
    Haven't been able to trace the Correlation ID at this point.

    try using rest api for this much file upload if you are using custom solution.
    try below links for reference:
    http://blogs.technet.com/b/praveenh/archive/2012/11/16/issues-with-uploading-large-documents-on-document-library-wss-3-0-amp-moss-2007.aspx
    https://angler.wordpress.com/2012/03/21/increase-the-sharepoint-2010-upload-file-size-limit/
    http://social.technet.microsoft.com/wiki/contents/articles/20299.sharepoint-2010-uploading-large-files-to-sharepoint.aspx
    http://stackoverflow.com/questions/21873475/sharepoint-2013-large-file-upload-1gb
    https://answers.uchicago.edu/page.php?id=24860
    http://sharepoint.stackexchange.com/questions/91767/multiple-file-upload-not-working
    Please mark it as answer if you find it useful happy sharepointing

  • Office Web Apps server security question

    Hello,
    According to this technet article Microsoft appears to recommend against allowing both external and internal users access to your OWA server.
    http://technet.microsoft.com/en-us/library/jj219435(v=office.15).aspx#viewers
    "Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files.
    We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the intranet or the Internet, but not both. This is because Office Web Apps Server doesn’t differentiate between requests for intranet
    and Internet URLs. Somebody on the Internet could request an intranet URL, for example, causing a security leak if an internal document is viewed."
    Just trying to make sense of this.  I am building a new Lync 2013 environment and I definitely want my internal users to be able to leverage the OWA server.  So does that mean I should not publish that server to the internet?  And if I do
    not, does that mean my users will not be able to share a powerpoint presentation at all to external users?  If this is all true and I'm understanding this correctly, does this mean that most implementations choose one or the other? Or does Lync not
    use these "Online Viewers" so I can just disable them and users will still be able to share powerpoint presentations with external users?
    Thanks for any help you can provide for this confusion.

    No, you should publish to both internal and Internet on the same server, it's just how it's done with Lync.  You can't really have two with Lync for this purpose anyway.  Users will upload PowerPoint presentations to it when it's time to share,
    no editing is possible, and the risk is generally minimal.  You can shorten the cache time to help if you're concerned.
    Regardless, from the article:
    http://technet.microsoft.com/en-us/library/jj219442(v=office.15).aspx setting OpenFromUrlEnabled "Turns on or off the ability to use Online Viewers to view Officefiles from a URL or UNC path.".  This is set to false and turned off by default.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Web-app scoped security policies not working in WL 8

    Hi,
    I can't get web-app scoped security policies working in WL 8.1
    I have a simple web application. It defines a role(ROLE) and security
    constraint (on *.jsp).
    If I examine the web app in the administration console, I see that it
    has created a role (scoped to /*) called "ROLE" just as you would
    expect. It has also created a scoped policy (to *.jsp) with constraints
    that the user be in the role ROLE. This is as expected, and it works.
    However, if I proceed to create my own scoped policy (on *.html) with
    constraints (on ALL methods) that the user be in role ROLE, then I get
    no security at all. ie. I can go to server:port/foo.html and it will
    work - it is not secured.
    Any ideas?
    On a completely unrelated issue, when I deploy an EAR (exploded) with a
    WAR (exploded) and using the admin console expand the application
    correpsonding to th EAR, right click on the WAR node, and try and define
    a scoped role, then I get an error "There are no appropriate RoleEditor
    providers configured". This sounds like a bug. Trying to define a
    scoped policy works as expected.
    TIA,
    Jon

    I can't get web-app scoped security policies working in WL 8.1Well, I can answer this one myself.
    WebLogic 8 has a new optimisation (this wasn't present in 7 AFAIK),
    available on the Security / Realm / myreal / General tab, which
    determines whether or not weblogic considers authorisation of resources
    protected by descriptors or not. (ie. it can force only
    descriptor-protected authorisation, ignoring admin console policies).
    It defaults to ignoring admin console policies, hence my problem.
    Jon

  • Office Web Apps - Best Practice for App Pool Security Account?

    Guys,
    I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
    Generally speaking, I put service applications in their own application pool.
    Obviously by doing so this has an overhead on memory and processing, however generally speaking it is best practice from a security perspective when using separate accounts.
    I have to create 3 new service applications in order to deploy Office Web Apps, in my test environment these are using the Default SharePoint app pool. 
    Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
    Cheers,
    Conrad
    Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007

    i run my OWA under it's own service account (spOWA) and use only one app pool.  Just remember that if you go this route, "When
    you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content
    databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx)

Maybe you are looking for

  • Issues connecting to a SQL Anywhere repo from the Designer

    I have installed DS4.2 SP2 on a number of Suse 11.1 Linux VMs using all of the standard settings, and making use of the bundled SQL Anywhere database as my repo. I am getting an error in the Designer when I try to connect to certain repositories in t

  • Airport Utility says Mac connected to unkown Time Capsule

    Hi, I have an issue with Airport Utility (6.3.2) and a Time Capsule in my local network. This is happening at work where I have an iMac connected to the local LAN via an Ethernet connection. Wireless airport is switched off. When I open Airpot Utilit

  • My iPod classic 120 GB is not recognized on MacBook pro

    I have tried all the resets and other recommended remedies but I can't get my MacBook or my hp pc to recognize the iPod. The battery is fully charged, all music plays. What next can I do?

  • G3 B&W performance slowdown

    I have used a G3 B&W running system 9.2, and ever since I got it a couple years ago, it has a tendency to slow down the longer it is on. For example, I turn it on, check my email, launch Adobe Illustrator and do some design, go away for half and hour

  • How to get stuff from Performa HD to newer computer?

    I was surprised (well, stunned) to find that a friend has a Performa and wants to get his files off the 160 MB hard drive to an iBook or something. I don't know the model number, but it looks like the only potentially useful ports they had were SCSI.