Web application security best practice?

Hi guys,
I am developing a web app using JSF + Spring + Hibernate. I have a user backing bean which handles the user login and logout session. Hence if the user signs in successfully, I will just set userLogIn=true in userBean.java. I really don't know if this is the best practice for handling a user login session. Any security problem here? Please advise, thanks!
regards,
kmthien

hi
you can also find a lot of info about security handling and JSF if you search the forum.
thanks.
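One defensive pattern for the situation in the question, added here as an example rather than code from the thread: keep the authenticated user in the server-side HttpSession, rotate the session id at login so a session id planted before login (session fixation) is useless, invalidate the session on logout, and enforce the check in a servlet filter so every protected request is covered rather than only the pages that consult the bean. The class names `AuthSession`/`AuthFilter`, the attribute name `auth.user` and the `/login.jsf` path are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Helpers the login/logout backing bean calls; class and attribute names are assumptions. */
final class AuthSession {
    static final String AUTH_USER = "auth.user";

    private AuthSession() {}

    /**
     * Call after the credential check succeeds. The pre-login session is discarded and a
     * new one issued, so a session id an attacker planted before login gains nothing.
     * Session-scoped JSF beans living in the old session are dropped with it.
     * In JSF the request is FacesContext.getCurrentInstance().getExternalContext().getRequest().
     */
    static void onLoginSuccess(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(AUTH_USER, username);
        fresh.setMaxInactiveInterval(15 * 60);   // idle timeout, seconds
    }

    /** Logout invalidates the server-side session; clearing a bean flag is not enough. */
    static void onLogout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /** The authenticated user name, or null when the session is not authenticated. */
    static String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute(AUTH_USER);
    }
}

/**
 * Map this filter in web.xml to the protected URL pattern (for example /app/*) so the
 * check runs on every request, including a URL typed directly into the browser that
 * never goes through the page's backing bean.
 */
public class AuthFilter implements Filter {
    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (AuthSession.currentUser(request) == null) {
            // Not authenticated: send to the login page instead of serving the resource.
            response.sendRedirect(request.getContextPath() + "/login.jsf");  // path assumed
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```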

Similar Messages

  • Web Intelligence Security Best Practices

    Hi All,
    We are in the process of starting to use Web Intelligence. I am putting together a security model for it and I have some questions around best practices. We have a fairly simple two tier security model so far, end users and creators. Creators will be able to create reports in certain folders and everyone else will be able to run and refresh those reports they can see.
    I was going to create a group for all the creators and assign them to a custom access level in the Web Intelligence application. Then they would also need to be in another creator group for the particular folder. So they would be able to create reports in that folder and execute reports in another.
    For all the end users, they need to be able to view and refresh reports, drilling, data tracking, etc. if they have access to them. Is the best practice then to just assign the Everyone group the out of the box view on demand access level?
    I have been digging around looking for resources and welcome anyone's input or ideas on the subject.
    Thanks in advance for any assistance provided.

    Thank you for your prompt reply.
    But that means that the same security groups will need to be created in both places, the Web Intelligence application and at the folder level?
    I was thinking if I create a developer group for the web intelligence application level, all developers would go into there. Then at the folder level I could create another folder level security group for developers to access the folder.
    Would that not simplify the maintenance at the application level? Or would that not work?

  • SAP and BOBJ XI 3.x Integrated Security Best Practice

    I am trying to find any information around SAP and BOBJ XI 3.x Integrated Security Best Practice.
    So far I think it is universally agreed that you should:
    1. Utilise the Business Objects platform security model to secure applications, folders and reports.
    2. Use BEx queries as the data source for Business Objects Universes and keep the number of BEx queries to a minimum.
    3. Use SAP authorisations over the BEx queries to secure report data at a row level.
    Has anyone seen any formal SAP Best Practice document or have any info to add ?
    Andrew

    Hi,
    those three items are all correct. In terms of security you can find lots of material in the standard BW help.
    in terms of query design / universe:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/008d15dc-f76c-2b10-968a-fafe5a121129
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0320722-741c-2c10-afab-93b5c0fc7e96
    ingo

  • Any known security best practices to follow for FMS deployment

    Hi all,
    We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

    Hi
    I will add some concepts, I am not sure how all of them work technically but there should be enough here for you to dig deeper, and also a lot of this is relevant to your environment and how you want to deploy it.
    I have done a 28 server deployment, 4 origin and 24 edge servers.
    All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
    We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17, this means that you are allowing TCP and UDP. So definitely test out your TCP/IP port filtering until you are comfortable that all your connection types are working and secure.
    Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
    You may want to look at SWF verification. In my understanding, it works as the following. You publish a SWF file on a website. This is the source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the hijacking possibilities on your streams.
    If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
    There are other things you can look at making it more secure like adaptor.xml, using a front end load balancer, HTML domains, SWF domains,
    Firewalls and DRM.
    I hope this helps you out.
    Roberto

  • Remoting Security: Best Practice

    I am exploring Remoting and I am curious about security best practice. By default, Enable-PSRemoting will configure an HTTP listener that listens to all addresses. Initially I thought this address was the address of the computer making the remoting request, but it isn't, it's the address on the local machine that is doing the listening. My reason for thinking this was the controller machine IP was that I thought I might want to limit successful remote requests to just the one machine. From a security standpoint this seemed better than letting any machine initiate a remote session. I know that the remote session is limited by the permissions of the user initiating, so any real threat is only because I have already been breached anyway. But still, I wonder if there is a way, and value, in limiting remoting to a subset of machines?
    Or is the default here really fine from a security standpoint as well?
    Thanks!
    Gordon

    It is most secure to configure remoting and restrict it using Group Policy.  GP will let you define subnets for both ends of the conversation network wide.
    \_(ツ)_/

  • Users And Security Best Practice

    Dear Experts
    I am designing an application with almost fifty users scattered in different places. Each user should access tables according to his/her criteria. For example salessam, salesjug can see only the sales related tables. purchasedon should access only purchase related tables. I have the following problems:
    Is it a best practice to create 50 users in the DB, i.e. 50 schemas are going to be created? Where are these users normally created?
    Or is it better for me to maintain a table of users and their passwords in my design itself and regulate through the front end? It seems that this would be risky and a cumbersome process.
    Please advise
    thanks
    Manish Sawjiani

    You would normally create a single schema to own the objects and 50 users to use them. You would use roles and object privileges to control access.
    Well, this is the classic 'Oracle' approach to do this. I might say it depends a bit on what you want to achieve. Let's call this approach A.
    The other option was to have your own user/pwd table. You can create your own custom authentication but I would go for the built-in Application Express Users - authentication scheme. You can manage the users via the frontend (Application builder > manage Application Express Users) . There you can manage the groups and end users which you can leverage in your Apex app. You can even use the APIs to create the users programmatically. It is all done for you. Let's call this approach B.
    Some things to consider:
    1) You want to create a web application and also other applications that access the data stored in Oracle (another PHP / Oracle Forms / Perl ) or allow access via SQL/Plus. Then you should use approach A. This way you don't need to reimplement security for these different approaches.
    2) You want to create one (or multiple) Apex applications only. This will be the only mechanism the users will access your data. Then I would go for approach B.
    3) When using approach A some users didn't like that all users will have access to their workspace, including the sql command line and having the capability of building applications and possibly being able to change the data they have access to through the Oracle roles. Locking down this capability is possible but it takes some effort and requires an Apache as a proxy.
    4) When using approach A you will need DBA privileges to manage the users and assign the roles. This might not always be possible nor desired. Depends on who will manage the Oracle XE instance.
    5) Moving the application including the end users to another machine is a bit easier using approach B since they are exported via the application export mechanism. Using approach A you would have to do it yourself. Be aware that the passwords are lost when you install the users into a different Oracle XE instance.
    6) If you design the application using approach B you will have to design security in a way that doesn't rely on the Oracle roles / grants security mechanisms. This makes it easier to change the authentication scheme later. For example, later you want to use a LDAP directory, a different custom authentication scheme or even SSO (SSO is not available out of the box but feasible). This is directly possible.
    Using approach A you would have to recode the security mechanisms (which user is allowed to update/delete which data).
    Hope that clarifies your options a bit.
    ~Dietmar.
    Message was edited by:
    Dietmar Aust
    Corrected a typo in (5): Approach B instead of approach A , sorry.

  • Jdev101304 SU5 - ADF Faces - Web app deployment best practice|configuration

    Hi Everybody:
    1.- We have several web applications that provide a service/product used for public administration purposes.
    2.- The apps are using ADF Faces and ADF BC.
    3.- All of the apps are participating in JavaSSO.
    4.- The web apps are deployed on on-demand servers.
    5.- We have noticed that, with the increase of users on these dates, the sessions created by the middle tier in the database are staying inactive but are never destroyed or removed.
    6.- Even when we only sign into the apps using JavaSSO and perform no transactions (like inserting or deleting something), we query v$session in the database, and the number of inactive sessions is always increasing, until the server collapses.
    So, we want to know if this is an issue of the configurations made on the Application Module's properties. And we want to know if there are some "best practices" that you could provide us to configure a web application and avoid this behavior.
    The only configuration that we found recommended for web apps is to set jbo.locking.mode to optimistic, but this doesn't correct the "increasing inactive sessions" problem.
    Please help us to get some documentation or another resource to correctly configure our apps.
    Thanks in advance.
    Edited by: alopez on Jan 8, 2009 12:27 PM

    hi alopez
    Maybe this can help, "Understanding Application Module Pooling Concepts and Configuration Parameters"
    see http://www.oracle.com/technology/products/jdev/tips/muench/ampooling/index.html
    success
    Jan Vervecken

  • Web application security. Getting username and password from database

    Hi!
    I need to write the following web application (I write it using java server faces):
    1) User enters his username/password on the login page
    2) Program goes to database where there are tens of thousands of usernames/passwords, and verifies it.
    3) If user and password exist in DB, user gets access to the other pages of the application
    Maybe I don't understand some point. I tried to use j_security_check (it's very easy to configure secured pages in web.xml). The problem is that it works (as far as I understand) only with roles defined on the server before the application runs. I can't add ALL these usernames to the roles on the server. The best way, as I see it, is to go to the DB, check username/password, create a new role for the time of the session, go to j_security_check where the j_username and j_password get the values from the DB and get access to the secured pages (as far as the roles have been dynamically added).
    Am I right and this should be the algorithm?
    How can I implement it?
    I've read about JAAS. How can it help to solve the problem? Do I need j_security_check if I use JAAS? How should I configure my application if I use it?
    Could you please give me some code example?
    All this must work on IIS (for now, I develop it in Netbeans and run it on Java Application Server)
    Please help.
    Edited by: nemaria on Jul 7, 2008 2:39 AM

    Hi,
    Any security constrained url pattern which calls the action j_security_check passes the parameters to the realm mentioned in the server.xml. If the realm is set as JAAS, then the authenticate method of the JaasRealm does the basic validation like non empty field values from the input form. The appname set as the realm parameter points to the one or more LoginModules which have the life cycle methods initialize(...), login(), commit(), abort() and logout(). Once the basic validation is done in the JaasRealm class of the web container, the LoginContext is created and the user is authenticated (against DB username/password) via login(). Then the user is authorised in commit(). Then JaasRealm takes care of creating the LoginContext, calling login(), creating the Subject with principals and credentials added and setting that in the session.
    I have a big trouble in accessing the HttpServletRequest object in the LoginModules, i.e. getting the j_username and j_password in the LoginModules or in the CallbackHandlers. PolicyContext doesn't work for me. Is there any other way?
    Regards,
    Ganesh
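A JAAS LoginModule in the shape Ganesh describes (initialize/login/commit/abort/logout), verifying the submitted credentials against a database table, as an added example that is not code from this thread. The module never touches the HttpServletRequest: the container's CallbackHandler hands j_username/j_password over through NameCallback and PasswordCallback. The `jdbcUrl` option, the `app_user` table and the `PasswordHash.matches` verifier for your stored hash format are assumptions.

```java
import java.io.IOException;
import java.sql.*;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;

public class DbLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String jdbcUrl;              // taken from the login-config options
    private String username;
    private UserPrincipal principal;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.jdbcUrl = (String) options.get("jdbcUrl");   // option name is an assumption
    }

    /** Phase 1: collect credentials through the container's CallbackHandler and verify them. */
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        boolean ok = password != null && verify(nameCb.getName(), password);
        if (password != null) Arrays.fill(password, '\0');   // scrub the clear-text copy
        if (!ok) throw new FailedLoginException("invalid username or password");
        username = nameCb.getName();
        return true;
    }

    /** Parameterised lookup: the submitted name never becomes part of the SQL text. */
    private boolean verify(String name, char[] password) throws LoginException {
        String sql = "SELECT password_hash FROM app_user WHERE username = ?";  // table assumed
        try (Connection c = DriverManager.getConnection(jdbcUrl);
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                // PasswordHash.matches is a hypothetical verifier for your stored hash
                // format (bcrypt, PBKDF2, ...); never store or compare clear-text passwords.
                return rs.next() && PasswordHash.matches(password, rs.getString(1));
            }
        } catch (SQLException e) {
            throw new LoginException("authentication backend unavailable");  // no detail leak
        }
    }

    /** Phase 2: the Principal is attached to the Subject only after the whole stack succeeded. */
    public boolean commit() {
        if (username == null) return false;
        principal = new UserPrincipal(username);
        subject.getPrincipals().add(principal);
        return true;
    }

    /** Another module in the stack failed: discard any partial state. */
    public boolean abort() { return logout(); }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        username = null;
        principal = null;
        return true;
    }
}
```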

  • SAP HANA Security - Best Practice for Access to Schemas??

    Hi,
    Currently we don't have a defined security model in HANA Studio, nor are there defined duties for BASIS / Security / Developers.
    I want to understand what best practices are followed at other customers for defining security for Schema.
    1. Who should be creating the schema for Developers / Modelers?
    2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
    Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
    We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
    Also, who should be owning the "SYSTEM" user ID and what steps need to be done whenever a new schema is created.
    Thanks for the help in advance.

    Hi,
    I created a project (JDeveloper) with local xsd-files and tried to delete and recreate them in the structure pane with references to a version on the application server. After reopening the project I deployed it successfully to the bpel server. The process is working fine, but in the structure pane there is no information about any of the xsds anymore and the payload in the variables there is an exception (problem building schema).
    How does bpel know where to look for the xsd-files and how does the mapping still work?
    This cannot be the way to do it correctly. Do I have a chance to rework an existing project or do I have to rebuild it from scratch in order to have all the references right?
    Thanks for any clue.
    Bette

  • Workflow & Web Dynpro integration - best practice?

    Hi,
    I am working on ECC6 and EP7 and looking at building some workflow approval scenarios for Travel Management.  I need to move away from the SAP supplied approval scenarios to meet our business requirements.
    What I'm looking for is a 'best practice' for integrating a Web Dynpro application (for ABAP) which will be the basis of our approval workitem.  I have seen a number of presentations which talk about integrating the user decision task (BOR object DECISION) into a web dynpro application.  I have also seen an approach where the FM WDY_EXECUTE_IN_PLACE is used to call a Web Dynpro application from within a BOR object method. 
    I guess I'm wondering if there is an approach that provides a cleaner integration then either of the above approaches as they both appear (well to me anyway!) to have limitations.  Is there a way for example of implementing an ABAP class method as the basis of the approval task that cleanly integrates with the Web Dynpro application?
    Any suggestions would be greatly appreciated.
    Thanks in advance
    Michael Arter

    Hello,
    Are you going to use the Universal Worklist in your portal? If yes, that will bring you more possibilities. Then you don't have to code anything into your business object - instead in the portal (UWL configuration) you can define which WD application is launched when the user clicks the task in UWL.
    If you are going to use business workplace and just launch WD applications from there, then you probably just need to use WDY_EXECUTE_IN_PLACE (or any other suitable way to launch WD application from ABAP).
    >Is there a way for example of implementing an ABAP class method as the basis of the approval task that cleanly integrates with the Web Dynpro application?
    Yes, but what is really the need for this? Did you know that you can replace the methods of your BO with methods of an ABAP class? Just implement the IF_WORKFLOW interface for your class, and you can use it in your workflow then just like the BO. If you want to "replace" the whole BO with your ABAP class, just take a look at Jocelyn Dart's blog series about the subject. But as I said, it is not really necessary to do this - especially if you already have a lot of custom code in your custom business object - then it is probably a good idea to continue using it for your custom stuff.
    Regards,
    Karri

  • Internet Sales application 2007 - Best Practice

    Hi Gurus
    Has anyone completed a successful CRM 2007 Internet Sales (ISA not ICSS) configuration exercise?
    If anyone has completed the set-up please could you inform me of the documents you referenced in order to achieve this.
    Many Thanks
    Babu.

    SAP has confirmed to me that there is NOT a CRM6/7 ISA Best Practices guide.
    We used the C14_BB_ConfigGuide from our CRM4 Best Practices install and made some assumptions on what had changed.  I do not think this is still available here and am not sure if I am able to send it to anyone.  Someone from SAP or an Admin can tell us.
    I also found here the following docs that have bits and pieces of the puzzle.
    ECO_Authorizations.CRM5.0 - I think I found this on Sateesh's site, but probably a link around here for it. - CRM E-Commerce Authorizations Release 5.0
    SAP_ISA60_DevAndExt - SAP E-Commerce 6.0 – Landscape, Basics and Concepts.
    Web AS - Web Application Development
    Title: Working with Java Server Pages and Servlets
    Benny Schaich

  • Security best practices?

    I'm not sure if this is the right group to post this questions but...
    Our current architecture consists of a separate web server (iPlanet) and java server (WLS 5.1). Each server is in a separate DMZ with a secure network containing our DB. The webserver only has ports 80 and 443 available from the outside and only the WLS ports to the WLS. The WLS is the only one that can talk to our DB.
    Our developers are working on a new design with Weblogic 6.1. They have been planning on keeping it on 1 server (using weblogic web services). We feel this is a security risk to have a server in the outside DMZ talking to a DB server inside our network.
    Does anyone know where I can find a white paper on best practices for security?
    Should we keep it as 2 servers or combine them into 1 server?
    Thank you for your time!
    Brett

    Hi.
    You might have better luck posting this question on the security newsgroup - weblogic.developer.interest.security.
    Regards,
    Michael
    Michael Young
    Developer Relations Engineer
    BEA Support

  • JEE5 Application Architecture Best Practice.

    Hi Everybody
    I am going to redesign a moderate size application (not v big but larger then normal).
    Now I have few Question in my mind.
    I am using JSF as front-end, EJB3 Session Bean for Business Logic and last but not the least JPA as domain model.
    1 - With JPA we have domain classes. Now is it better to use the entity as the managed bean for JSF, or should the managed bean be separate?
    2 - Using DTO (Data Transfer Object) is good practice or not in JEE5.
    3 - Simplicity or Complexity but with EntityManager I feel no need of DAO but I am used to with DAO pattern. So again as best practice I have to make 1 session bean as DAO and call it from all the session bean where I write business logic or forget about DAO session bean and call EntityManager from all session bean everywhere.
    4 - For initializing EJB JNDI is 1 way other way is
    @EJB EJBCLASSNAME ejbclassobject; //this auto initialize and create object.
    Initializing like above is standard or it is an extended support from some app server.

    Hi,
    Follow my opinion:
    1 - With JPA we have domain classes. Now is it better to use the entity as the managed bean for JSF, or should the managed bean be separate?
    >> I think that Managed-Bean must be separated, because you can need to bind you Visual Components to it too.
    2 - Using DTO (Data Transfer Object) is good practice or not in JEE5.
    >> You can put your Entity as a member of you Managed Bean.
    3 - Simplicity or Complexity but with EntityManager I feel no need of DAO but I am used to with DAO pattern. So again as best practice I have to make 1 session bean as DAO and call it from all the session bean where I write business logic or forget about DAO session bean and call EntityManager from all session bean everywhere.
    >> For CRUD operations I don't create an additional class, but for complex business logic, you can use a separate class (Business Manager)
    Best regards

  • SAP Business One 2007 - SQL Security best practice

    I have a client with a large user base running SAP Business One 2007. 
    We are concerned over the use of the sql sa user and the ability to change the password of this ID from the logon of SAP Business One.
    We therefore want to move to use Windows Authentication (ie Trusted Connection) from the SAP BO logon.  It appears however that this can only work by granting the Windows IDs (of the SAP users) sysadmin access in SQL.
    Does anyone have a better method of securing SAP Business One or is there a recommended best practice.  Any help would be appreciated.
    Damian

    See the Administrator's Guide for best practice.
    You can use SQL Authentication mode; don't tick Remember password.
    Also check this thread
    SQL Authentication Mode
    Edited by: Jeyakanthan A on Aug 28, 2009 3:57 PM

  • Looking for Security Best Practices documentation for Sybase ASE 15.x

    Hello, I'm looking for SAP/Sybase best practice documentation speaking to security configurations for Sybase ASE 15.x. Something similar to this:
    Sybase ASE 15 Best Practices: Query Processing & Optimization White Paper-Technical: Database Management - Syba…
    Thanks!

    Hi David,
    This is something I found on the Sybase site:
    Database Encryption Design Considerations and Best Practices for ASE 15
    http://www.sybase.com/files/White_Papers/ASE-Database-Encryption-3pSS-011209-wp.pdf
    ASE Encryption Best Practices:
    http://www.sybase.com/files/Product_Overviews/ASE-Encryption-Best-Practices-11042008.pdf
    If these do not help, you can search for others at:
    www.sybase.com > search box on the top right.
    I searched "best practices security"
    Can also run advanced search > I typed in "ssl" into exact phrase.
    Hope this helps,
    Ryan
