Web app security + JAAS

I'm working on the authentication/authorisation aspects of a fairly
large web application using WLS 6.0 (ie allowing users to login and
access resources based on role etc).
Its a standard JSP/Servlet/EJB type architecture and so far it seems
the FORM-based authentication will serve our needs well. However, I've
been instructed (by higher powers) to investigate JAAS authentication.
It looks far more complex to implement so my question is, does it
offer any significant advantages that justify the extra work?
Thanks for your time.

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Similar Messages

Web app security & IIS?

I'm trying to get the security working for a web app. I'm using JAAS and the BASIC
authentication. I don't want to use FORM because the original Perl app (from which
my web app is derived) also used BASIC and I don't want the interface to change.
I've found that the security works great if I go directly to the weblogic server,
so it looks like the problem is with IIS (we're fowarding requests from IIS to
WebLogic). I think the problem lies in my web.xml. It has this in it:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MLV Users Only</realm-name>
</login-config>
From what I can tell, weblogic just uses the realm-name as a label in the dialog
box that pops up, and for nothing else. My guess is that IIS is really trying
to use this as a security realm.
Am I on the right track? Anyone got any hints?
Gary

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Web app security not working

Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
app.
I created an App and created a web project. In it, I deleted the controller, etc
and just have index. jsp. All the index.jsp does is: <%= request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>
When I run the app, it just renders the JSP and does not challenge me to login.
Can you please help what is that I am doing wrong here?
Thanks,
John

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Web app security exception: Bad URLMatchMap

Can anyone help me diagnose an error? I am simply trying to place a security constraint
on a servlet within an ear-deployed web-application.
The exception occurs as the first POST comes to the servlet I am trying to protect:
<Apr 16, 2001 12:40:09 PM EDT> <Error> <Kernel> <ExecuteRequest failed
java.lang.IllegalArgumentException: bad URLMatchMap path: 'version="1.0"'
at weblogic.servlet.utils.URLMatchMap.get(URLMatchMap.java:196)
at weblogic.servlet.security.internal.WebAppSecurity.getConstraint(WebAp
pSecurity.java:135)
at weblogic.servlet.security.internal.SecurityModule.checkTransport(Secu
rityModule.java:177)
at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSe
curityModule.java:48)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess
(ServletSecurityManager.java:150)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppSe
rvletContext.java:1250)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestIm
pl.java:1622)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
>
<?xml version="1.0" ?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN'
'http://java.sun.com/j2ee/dtds/web-app_2.2.dtd'>
<web-app>
<display-name>ANSWeb</display-name>
<description>no description</description>
<servlet>
<servlet-name>UPMessageServlet</servlet-name>
<display-name>UPMessageServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.gateway.up.UPMessageServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>ANSServlet</servlet-name>
<display-name>ANSServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.server.ANSServlet</servlet-class>
<load-on-startup />
</servlet>
<servlet>
<servlet-name>WCTPServlet</servlet-name>
<display-name>WCTPServlet</display-name>
<description>no description</description>
<servlet-class>com.aether.ans.gateway.wctp.WCTPServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UPMessageServlet</servlet-name>
<url-pattern>/UPMessage</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ANSServlet</servlet-name>
<url-pattern>/Server</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WCTPServlet</servlet-name>
<url-pattern>/WCTPCallback</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<resource-ref>
<description>no description</description>
<res-ref-name>url/ANS.dtd</res-ref-name>
<res-type>java.net.URL</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Server</web-resource-name>
<url-pattern>/Server</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Client</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>Client</role-name>
</security-role>
<ejb-ref>
<description>no description</description>
<ejb-ref-name>ejb/ANSServer</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>com.aether.ans.server.ANSServerHome</home>
<remote>com.aether.ans.server.ANSServer</remote>
</ejb-ref>
<ejb-ref>
<description>no description</description>
<ejb-ref-name>ejb/Alert</ejb-ref-name>
<ejb-ref-type>Entity</ejb-ref-type>
<home>com.aether.ans.entity.AlertHome</home>
<remote>com.aether.ans.entity.Alert</remote>
</ejb-ref>
</web-app>
<?xml version="1.0" ?>
<!DOCTYPE weblogic-web-app PUBLIC '-//BEA Systems, Inc.//DTD Web Application 6.0//EN'
'http://www.beasys.com/servers/wls600/dtd/weblogic-web-jar.dtd'>
<weblogic-web-app>
<description>no description</description>
<security-role-assignment>
<role-name>Client</role-name>
<principal-name>Client</principal-name>
</security-role-assignment>
<reference-descriptor>
<resource-description>
<res-ref-name>url/ANS.dtd</res-ref-name>
<jndi-name>ans.url.dtd</jndi-name>
</resource-description>
<ejb-reference-description>
<ejb-ref-name>ejb/Alert</ejb-ref-name>
<jndi-name>ejb.Alert</jndi-name>
</ejb-reference-description>
<ejb-reference-description>
<ejb-ref-name>ejb/ANSServer</ejb-ref-name>
<jndi-name>ejb.ANSServer</jndi-name>
</ejb-reference-description>
</reference-descriptor>
</weblogic-web-app>

Hi Andrew,
Even without moderation enabled, any submission made through the BC platform is filtered through our protection engine to prevent XSS. Any type of potentially malicious code is immediately stripped from the submission, and this is not done at a client-side level.
Kind Regards,
Alex

Web app security ... i don't get it

I do not get it how do one configure web.xml
I want every page to be protected against unlogged user and some pages only to some of them
From what I read it's only necessary to have only one root role that every user is part of and then any sub-role is recognized
My use case:
every page should be protected against unauthorized user
<security-constraint>
        <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
        <web-resource-collection>
            <web-resource-name>JSF Pages</web-resource-name>
            <url-pattern>/faces/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>fullaccess</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>and I want that managers only to have access to /managers so I guess that a new </security-constraint> must be issued to allow the users that have managers role to access the resource.
<security-constraint>
        <display-name>Restrictie de vizualizare pe orice pagina jsf</display-name>
        <web-resource-collection>
            <web-resource-name>JSF Pages</web-resource-name>
            <url-pattern>/faces/manager/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>managers</role-name> ????
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint> What are the roles that must be declared in web.xml knowing that
<security-role-assignment>
         <role-name>fullaccess</role-name>
         <principal-name>public</principal-name>
     </security-role-assignment>
</weblogic-web-app> and in the realm public group has a member 'managers' (that in my opp must not be mapped)?
..on the moment there is only
<security-role>
        <description>acces pe toate paginile web</description>
        <role-name>fullaccess</role-name>
    </security-role>thanks, Florin POP

Hi guys.
A username and password info to connect to BC is the following:
Username - Your adobe ID email
Password - Your password.
To connect to SFTP its...
Server: Just the address (yoursite.businesscatalyst.com)
username - yoursite.businesscatalyst.com/[email protected]
Password - your password.

Web App Security Fallback (client-cert then form-based)

Can you setup a web application to fall back to form-based login if the
client-cert (i.e. identity assertion token) is not available. I think this
would be very valuable because once you've configured the web app to use the
"client-cert" authentication, you can't access the web app directly (i.e.
browser->weblogic server). You will always need to go through the perimeter
authenticator so the token gets sent.

Solution found:
The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
In your web.xml, forward your 401 code to login page:
<error-page>
<error-code>401</error-code>
<location>/form_login_page.html</location>
</error-page>
There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

Web App Security Firewall Using Catalyst 6500 w/ CSM

We are evaluating web application security firewalls. The other products can recognize application level attacks such as SQL insertion and deranged parameters. Some of my colleagues believe that the CSM (which we already have deployed) has these sorts of capabilities.
While the CSM has some layer 7 capabilities, my read of the specs does not suggest that it is suited to this function.
Anyone have experience or input?
Thanks!

The same as a SYN attack protection feature.
That's all.
It does not have content analysis for intrusion detection.
Regards,
Gilles.

Web app security question

Hi,
I have a basic question about securing web applications. In our app, we have myRealm
pointing to an LDAP store. The store has (lets say) a group called 'dealers' and
it has a user 'dealer1'.
Now, in WEB-INF/weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>
Does the role name in weblogic.xml map to the groups called dealers in LDAP? I
have no specific roles configured in myRealm.
Thanks,
John

"John Hryn" <[email protected]> wrote in message
news:3fce2328$[email protected]..
>
Hi,
I have a basic question about securing web applications. In our app, wehave myRealm
pointing to an LDAP store. The store has (lets say) a group called'dealers' and
it has a user 'dealer1'.
Now, in WEB-INF/weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>
Does the role name in weblogic.xml map to the groups called dealers inLDAP? I
have no specific roles configured in myRealm.
Yes. http://e-docs.bea.com/wls/docs70/webapp/weblogic_xml.html#1036790
You can specify groups or individual usernames.

Web app security in NW

Hi SDN,
Can someone suggest or point to help/documentation on any NW settings related to the following three security items:
1. Cross-site Scripting
2. MYSAPSSO2 Cookie encryption (as it is, is it secure?),
3. SQL Injection
Is there a comprehensive config doc including these issues?
I will really appreciate any help.
Shahid

Hi Shahid,
For cross site scripting the below link will be helpful
[http://help.sap.com/saphelp_nw70/helpdata/EN/81/233d54d8c744c09b4434babf7b0879/frameset.htm]
The SAP Internet Transaction Server (SAP ITS) is integrated into the kernel of the SAP Web Application Server 6.40 as an Structure Internet Communication Framework (ICF) service called the integrated ITS. this needs to be configured and requires kernel and service parameters.
For MYSAPSSO2 which is a cookie available at service parameters:
[http://help.sap.com/saphelp_nw70/helpdata/EN/07/496884370b11d480a000c04f99fbf0/frameset.htm]
For SAP injection
[http://help.sap.com/saphelp_nw70/helpdata/EN/a8/813dcc006141719086e9f0f27ab8b3/frameset.htm]
All these are pertaining to secure user intefaces which includes all these three.
Hope this is heplful
Regards,
Shaila

Web App Security

Hello,
I'll soon be developing a web application in which security is a major concern, and I'd like some advices about some technologies I'm evaluating to get the job done. I couldn't get comparisons on security power offered by each.
- Web tier: I have some experience on JSP and JS; besides HTTPS, JSF seems to provide better, out-of-the-box, support for some of our requirements (internationalization, better security, AJAX) and some soon-useful fancy features like little html modal boxes; even considering the learning curve to use JSF (I never used it before), is there a better candidate for this layer? (I'm thinking of RichFaces or MyFaces)
- Business tier: I can use EJB3 or Hibernate + Spring or whatever combinations works best, I simply couldn't be sure if one can be considered safer than the other (I will use roles as well).
I'll be using JBoss (4.x) and MySQL DB.
Thanks

I'm not familar with JSF, only JSP, but here is the run down on security as I understand it (you can suppliment it with further research).
* Use MVC design where the presentation layer only displays data and submits back to the server (example: update button). There is no business logic or database logic in the JSP page. A JSP tag that queries the database is a bad idea from a security point of view since a hacker may be able to reverse engineer it and alter the query.
* In your database layer (MVC design), put all your database access. Use only prepared statements (never regular statements). Pass parameters into the prepared statement. Example: update person set person_id=?. You are therefore not subject to SQL injection as is the statement object (research SQL injection if your not familar with it).
* Use javascript for basic client side validation checks (field cant be null, field is incorrect date format, field has a value too large) and block submitting to the server via update button if not pass. Duplicate the client side validation back on the server, and also provide any advanced valiation checks. This way, a hacker can't bypass your validaiton on the client side and submit bad data. To be really strict, consider every possible keyboard value a user can type in and validate it to determine if those special chars are allowed.
*Click 'view source' on the browser and look at what HTML was generated by the JSP. Is there any variables on the page that is sensitive that you don't want the user to see? Such as the name of database tables or database fields? If so, you will have to crate an alias on the JSP that maps back to the name of the datbase table or field after you submit the page.
* Each user should be restircted to a role that limits what JSP pages he can see, and what he can alter on those JSP pages. Example, you have an admin role and endUser role. Note your application has a userID/password to access the database (with a fair amount of access to each table), each user doesn't have his own userID/password to the database (with restricted access to a subset of tables). The userID/password should be stored in the context file of your applicaiton and accessed via JNI. Example, if your application is called myAppl, then the context file under tomcat is called myAppl.xml (its automatically geneated by Eclipse when you launch your application).
* The end user shouldn't be able to call up a JSP page by navigating directly to that JSP page via its URL (they should be redirected either to the login page or an error page).
Instead, all urls should have to go through a central servlet to check to see if he's logged in and is within a valid session. The servlet then dispatches to the correct JSP page. This example is not Struts or Spring framework, but instead, a single controller servlet design. You'll have to look up what Struts and Spring alternatively does in such a situation.
* You should research buffer overflow attack and how to avoid it.
* For the business layer, I believe its Either EJB3 OR Spring, not both (I could be wrong).
* Hibernate is used in the database layer. I suggest you you JDBC with DAO instead until you are very familar with it before doing a project in Hibernate. You should know what Hibernate buys you over that of JDBC/DAO before justifying using it.
* You should allow a new user to create a new password. The password should validated to ensure its a strong password. You should also use SSL to communicate to the server.
* I think Spring is an alternative to EJB3 and therefore both shouldn't be used. I suggest using only Spring. Create a two or three page JSP page project (with login), refactor the heck out of it (create a clean MVC design), then let your team add all the rest of the project to it.

Office Web Apps server security question

Hello,
According to this technet article Microsoft appears to recommend against allowing both external and internal users access to your OWA server.
http://technet.microsoft.com/en-us/library/jj219435(v=office.15).aspx#viewers
"Files that are intended to be viewed through a web browser by using Online Viewers must not require authentication. In other words, the files must be available publicly because Online Viewers can’t perform authentication when it is retrieving files.
We strongly recommend that the Office Web Apps Server farm that you use for Online Viewers is only able to access either the intranet or the Internet, but not both. This is because Office Web Apps Server doesn’t differentiate between requests for intranet
and Internet URLs. Somebody on the Internet could request an intranet URL, for example, causing a security leak if an internal document is viewed."
Just trying to make sense of this. I am building a new Lync 2013 environment and I definitely want my internal users to be able to leverage the OWA server. So does that mean I should not publish that server to the internet? And if I do
not, does that mean my users will not be able to share a powerpoint presentation at all to external users? If this is all true and I'm understanding this correctly, does this mean that most implementations choose one or the other? Or does Lync not
use these "Online Viewers" so I can just disable them and users will still be able to share powerpoint presentations with external users?
Thanks for any help you can provide for this confusion.

No, you should publish to both internal and Internet on the same server, it's just how it's done with Lync. You can't really have two with Lync for this purpose anyway. Users will upload PowerPoint presentations to it when it's time to share,
no editing is possible, and the risk is generally minimal. You can shorten the cache time to help if you're concerned.
Regardless, from the article:
http://technet.microsoft.com/en-us/library/jj219442(v=office.15).aspx setting OpenFromUrlEnabled "Turns on or off the ability to use Online Viewers to view Officefiles from a URL or UNC path.". This is set to false and turned off by default.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications

Web-app scoped security policies not working in WL 8

Hi,
I can't get web-app scoped security policies working in WL 8.1
I have a simple web application. It defines a role(ROLE) and security
constraint (on *.jsp).
If I examine the web app in the administration console, I see that it
has created a role (scoped to /*) called "ROLE" just as you would
expect. It has also created a scoped policy (to *.jsp) with constraints
that the user be in the role ROLE. This is as expected, and it works.
However, if I proceed to create my own scoped policy (on *.html) with
constraints (on ALL methods) that the user be in role ROLE, then I get
no security at all. ie. I can go to server:port/foo.html and it will
work - it is not secured.
Any ideas?
On a completely unrelated issue, when I deploy an EAR (exploded) with a
WAR (exploded) and using the admin console expand the application
correpsonding to th EAR, right click on the WAR node, and try and define
a scoped role, then I get an error "There are no appropriate RoleEditor
providers configured". This sounds like a bug. Trying to define a
scoped policy works as expected.
TIA,
Jon

I can't get web-app scoped security policies working in WL 8.1Well, I can answer this one myself.
WebLogic 8 has a new optimisation (this wasn't present in 7 AFAIK),
available on the Security / Realm / myreal / General tab, which
determines whether or not weblogic considers authorisation of resources
protected by descriptors or not. (ie. it can force only
descriptor-protected authorisation, ignoring admin console policies).
It defaults to ignoring admin console policies, hence my problem.
Jon

Office Web Apps - Best Practice for App Pool Security Account?

Guys,
I am finalising my testing of Office Web Apps, and ready to move onto deploying it to my live farm.
Generally speaking, I put service applications in their own application pool.
Obviously by doing so this has an overhead on memory and processing, however generally speaking it is best practice from a security perspective when using separate accounts.
I have to create 3 new service applications in order to deploy Office Web Apps, in my test environment these are using the Default SharePoint app pool.
Should I create one application pool for all my office web apps with a fresh service account, or does it make no odds from a security perspective to run them in the default app pool?
Cheers,
Conrad
Conrad Goodman MCITP SA / MCTS: WSS3.0 + MOSS2007

i run my OWA under it's own service account (spOWA) and use only one app pool. Just remember that if you go this route, "When
you create a new application pool, you can specify a security account used by the application pool to be either a predefined Network Service account or a managed account. The account must have db_datareader, db_datawriter, and execute permissions for the content
databases and the SharePoint configuration database, and be assigned to the db_owner role for the content databases." (http://technet.microsoft.com/en-us/library/ff431687.aspx)

Web App {tag_edit} doesn't render in web Web App search results within secure zone?

We have secure zones that are to display certain web app items to be filtered by Category. The secure zone members need to filter through web app items and edit these items from the list view. We've set it up accordingly and the list view is exactly how it should be when it is simply displaying on a page within the secure zone, however when the web app search/filtering is applied the "edit" tag doesn't display. Is there anyway to have this work or does it simply not? Please tell me it is possible to filter and edit web apps.
Thanks in advance,

Hi The Bowery, the edit tag will not show in general web app item search results unless the owner of that web app item is logged in to a secure zone to view it.
However, if you are happy for anyone looking at the website to edit all web app items, you can set that in the properties of the web app itself. Then I think the edit tag will show to anyone looking at the web app items.
If you only want the web app item owner to edit the web app item then you need to set up a secure zone for them to log in and view it.
It will show when the web app item owner is logged in and viewing the web app items, if the edit tag has been added to the layout customisations. So it will only show to the web app item owner.
You need to set up a secure zone for the web app item owners to upload and edit their web app items.
Search results on a webapp use the List template layout for the webapp to show a summary of the search results and the detail Template Layout is what shows when you click on the search result summary item. In webapp setups I usually put the edit tag in the List template

Ssl and web app server: there's content which is not secure

Hello,
We have implemented ssl in our intranet site ( web front server, Web app server, sql server - everything ) .
Yet, In Https (and I.E) and document library , when I press the "..." , I get an warning: "only secure content is displayed" and the file preview doesn't show anything. If I select "show all content", the file preview shows
the file.
If I press "View in browser", I get the same message. If I press "show all content" I see the file, otherwise the file doesn't show.
Looking at the fiddler, it looks like some connections with the (sharepoint) application server aren't secured.
Sample unsecured http gets are:
http://ApplicationServer.mysite.gr/wv/ResReader.ashx?n=p1.img&WOPIsrc=http%3A%2F%Intranet%2Fsites%2FDNY%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F42da77c08cd94b67a1c413ae39a71c58&access_token=eyJ0eBIgBigToken
http://ApplicationServer.mysite.com/wv/ResReader.ashx?n=p1.img&v=00000000-0000-0000-0000-000000000602&usid=5fae4f7f-d4d6-4a21-a465-2fe24ded9519&WOPIsrc=http%3A%2F%2FIntranetSite%2Fsites%2FDNY%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F42da77c08cd94b67a1c413ae39a71c58&access_token=BIgBigToken
- this one is an image of the file.
Having these unsecure gets, I have problems accepting that the site is totally secured.
is the (sharepoint) application server the source of the problem?
Thank you
Christos

Hi,
According to your post, my understanding is that you wanted to show all content after you implemented ssl in intranet site.
Please make sure you configure SSL correctly. You can refer to:
Configure SSL for SharePoint 2013
IE does provide an option which can be configured to automatically display all content, both secure and non-secure content, on web pages that come with mixed content.
You can display all mixed contents in IE to suppress and disable any warning message on secure and/or non-secure content.
More information:
How to Disable Only Secure Content is Displayed in IE (Always Show All Mixed Content)
Stop the "page contains secure and nonsecure items" warning
Best Regards,
Linda Li
Linda Li
TechNet Community Support

Web app security + JAAS

Similar Messages

Maybe you are looking for