Web Application Security - User authentication and registration

Similar Messages

• PHP_MySQL version of a high security user authentication web app.

  Since you folks deal with PHP Application Development, I am posting this here.
  For a demo of the PHP_MySQL version of the UltraSuite High Security User Authentication Web Application, you can sign up at http://bit.ly/hgNjek.
  It  offers a multi-layered approach security approach towards protecting  important information like user authentication credentials.  Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more.
  I hope your feedback will help make the application even more useful and secure.
  Thank you!
  J.S.

  Hi,
  could you or someone tell me if ADDT supports protection against these methods you mention:
  Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more??
  And can this system work alongside ADDT?
  thanks again

• Please guide me for user authentication and authorization in WebDynPro App

  Hi,
      I just study the WebDynPro to develop the SAP Portal. I've ever developed the Web-based App using J2EE. So when i developed the Web-based App i have to develop the control of the user authentication and authorization on each page for example ,checking the session of the user whether they can access this page or whether session is expired or not,. So i have no idea with the WebDynPro and the SAP Portal because i never had experience for both WebDynPro and Portal.
  I need to ask you some question to clarify my doubt :
  1. SAP Portal  is web page that include every enterprise application with in one page and user log-in to them just on time, isn't it?
  2. If i integrate WebDynPro with SAP Portal, which one will do the authentication and authorization?. I mean that, Do i have to develop the code to check authentication and authorization in the WebDynPro App or Let the SAP Portal manage them?
  3.Could you please suggest the best practice for authentication and authorization in webDynPro.
  Many Thanks
  Noppong J

  in most case you don't have to write code to deal with session, authentication and authorization.
  1. yes,
  2. no, no code needed. you just set an attribute to your application, which make the the authentication required. when user access this page, portal will display the logon page
  3 you can put some authorization related code in web dynpro for specific requirement, search this doc "Protecting Access to the Web Dynpro Car Rental Application Using UME Permissions"

• What is difference in WEB application designer in bw and bi

  what is difference in WEB application designer in bw and bi
  new features available in bi

  Hi Naman,
  Please go through this wonderful link:
  bw 7.0
  Hope this helps...
  Regards,
  Habeeb
  Assign points if helpfu...

• Web application security. Getting username and password from database

  Hi!
  I need to write the following web application (I write it using java server faces):
  1) User enters his username/password on the login page
  2) Program goes to database where there are tens of thousands of usernames/passwords, and verifies it.
  3) If user and password exist in DB, user gets access to the other pages of the application
  Maybe I don't understand some point. I tried to use j_security_check(it's very easy to configure secured pages in web.xmp). The problem is that it works(as far as I understand) only with roles defined on server before the application runs. I can't add ALL these usernames to the roles on server. The best way, as I see it, is to go to DB, check username/password, create new role for the time of session, go to j_security_check where the j_username and j_password get the values from db and get the access to secured pages(as far as the roles have been dinamically added).
  Am I right and this should be the algorithm?
  How can I implement it?
  I've read about JAAS. How can it help to solve the problem? Do I need j_security_check if I use JAAS? How should I configure my application if I use it?
  Could you please give me some code example?
  All this must work on IIS (for now, I develope it in Netbeans and run it on Java Application Server)
  Please help.
  Edited by: nemaria on Jul 7, 2008 2:39 AM

  Hi,
  Any security constrained url pattern which calls the action j_security_check passes the parameter to the realm mentioned in the server.xml.If the realm is set as JAAS,then the authenticate method of the jaasrealm does the basic validation like non empty field value from the input form.The appname set as the realm parameter points to the one or more loginmodules which has the life cycle methods like initialize(...),login(),commit(),abort() and logout().Once the basic validation is done in the JaasRealm class of the webcontainer,the LoginContext is created and user is autheticated (against DB username/password) via the login().Then the user is authourised in the commit().Then Jaasrealm takes care of creating the LoginContext,calling login(),creating Subject with principals,credentials added and setting that in the session.
  I have a big trouble in accessing the HttpServletRequest object in the LoginModules.i.e getting the j_username and j_password in the LoginModules or in the CallBackHandlers.PolicyContext doesn't work for me.Is there any other way?
  Regards,
  Ganesh

• Access Denied Web Application with Claims authentication NTLM only when using secondary URL

  I have a SharePoint 2010 server farm with 2 web front ends, an application server and a database server.  Both front ends are internal to
  our network and are not behind a load balancer.
  NOTE THAT I HAD TO SUBSTITUTE hzzp with hzzp so that I had no links in the body of this post since I am not verified
  I setup a new web application called "SharePoint 41171" with:
  Public URL:
  hzzp://testserver1:41171
  Claims authentication
  NTLM only: no forms auth
  No SSL
  New web site "SharePoint 41171"
  New app pool
  New content database
  I create a top level site collection and name mydomain\myusername as the primary site collection admin
  I am able to access this site as expected at
  hzzp://testserver1:41171 with the aforementioned site collection owner id: mydomain\myusername
  I add an alternate access mapping for a secondary URL for this web application in the Intranet zone:
  hzzp://iwatest.mydomain.com
  So my AAMs for the site read as:
  hzzp://testserver1:41171    
  Default     hzzp://testserver1:41171
  hzzp://iwatest.mydomain.com    
  Intranet     hzzp://iwatest.mydomain.com
  When I attempt to log on to
  hzzp://iwatest.mydomain.com with the same user name and password, I get "access denied".
  I can access this site using
  hzzp://iwatest.mydomain.com if I log in as the farm account.  This is the only account that seems to work.
  Side Note: If I create a separate web application without claims - just NTLM and create the same AAMs, I can login fine with the same secondary
  URL and the same user name
  IP address properly maps to this machine.
  I reviewed the ULS logs and find the following:
  10/30/2012 16:20:23.45              w3wp.exe (0x0E78)                      
                  0x1724       SharePoint Foundation              Monitoring                   
                  nasq                        Medium    Entering
  monitored scope (Request (GET:hzzp://iwatest.mydomain.com:80/_layouts/AccessDenied.aspx?Source=hzzp%3A%2F%2Fiwatest%2Emydomain%2Ecom))                
  10/30/2012 16:20:23.45              w3wp.exe (0x0E78)                      
                  0x1724       SharePoint Foundation              Logging Correlation Data     
        xmnv                        Medium    Name=Request (GET:hzzp://iwatest. mydomain.com:80/_layouts/AccessDenied.aspx?Source=hzzp%3A%2F%2Fiwatest%2Emydomain%2Ecom)      
  8f313b5e-8476-4dd4-9abe-0cb6dbe024b6
  10/30/2012 16:20:23.45              w3wp.exe (0x0E78)                      
                  0x1724       SharePoint Foundation              Logging Correlation Data     
        xmnv                        Medium    Site=/          8f313b5e-8476-4dd4-9abe-0cb6dbe024b6
  10/30/2012 16:20:23.45              w3wp.exe (0x0E78)                      
                  0x1724       SharePoint Foundation              General                      
                     8e2s                        Medium 
    Unknown SPRequest error occurred. More information: 0x80070005       8f313b5e-8476-4dd4-9abe-0cb6dbe024b6
  10/30/2012 16:20:23.45              w3wp.exe (0x0E78)                      
                  0x1724       SharePoint Foundation              Monitoring                   
                  b4ly                        Medium    Leaving
  Monitored Scope (Request (GET:hzzp://iwatest.mydomain.com:80/_layouts/AccessDenied.aspx?Source=hzzp%3A%2F%2Fiwatest%2Emydomain%2Ecom)). Execution Time=8.66003919492561   8f313b5e-8476-4dd4-9abe-0cb6dbe024b6
  Basically it tells me that access is denied.  I didnt see anything that stood out here.
  I found this article:
  hzzp://social.technet.microsoft.com/Forums/en-US/sharepointadminprevious/thread/ded9188b-ee03-4ef0-bb50-3ad138110e0c, which pointed me in the direction of ensuring that the portal
  super user and portal reader accounts were properly added to my web application.  I followed the every popular article on doing this:
  hzzp://technet.microsoft.com/en-us/library/ff758656.aspx, but still no luck.  As per the thread, I added the 2 domain accounts to the user policy with appropriate privilege
  and then set them as the super user and super reader accounts via powershell, and yes I did prefix those names with "i:0#.w|mydomain\".  To be exta sure, I repeated this for all web applications on this server with slightly different powershell steps
  depending on wether or not claims was enabled on the web application.
  The Claims to Windows Token Service is running.
  I saw some mention of ensuring that the secure token service is running with a proper application pool account, but we are not running that service
  and I cant imagine what that would have to do with my situation.
  I have deleted and readded the web application and repeated these steps to no better effect.
  I gave the mydomain\myusername full control for the web application through the user policy, ensured that it was indeed the primary site collection
  owner and added it to the default site owners group.  None of this helped.
  I changed the application pool account to the farm account.  No change in behavior.
  Rebooted IIS and the machines many times along the way.
  Further, when I attempt to sign in as a different user after being denied, I get "an unexpected error has occured message.  I found the following
  in ULS:
  10/30/2012 11:19:03.71 w3wp.exe (0x182C)                      
  0x1210  SharePoint Foundation                 Logging Correlation Data                     
  xmnv     Medium               Name=Request (GET:hzzp://iwatest.mydomain.com:80/_layouts/accessdenied.aspx?loginasanotheruser=true&Source=hzzp%3A%2F%2Fiwatest%2Emydomain%2Ecom)
  cc409ec2-4889-42fa-aa7d-9cc4535e4f0e
  10/30/2012 11:19:03.71 w3wp.exe (0x182C)                      
  0x1210  SharePoint Foundation                 Logging Correlation Data                     
  xmnv     Medium               Site=/    cc409ec2-4889-42fa-aa7d-9cc4535e4f0e
  10/30/2012 11:19:03.72 w3wp.exe (0x182C)                      
  0x1210  SharePoint Foundation                 General                      
           8e2s                Medium               Unknown SPRequest error occurred.
  More information: 0x80070005      cc409ec2-4889-42fa-aa7d-9cc4535e4f0e
  10/30/2012 11:19:03.72 w3wp.exe (0x182C)                      
  0x1210  SharePoint Foundation                 Runtime                      
          tkau                Unexpected       System.NullReferenceException: Object reference not set to an instance
  of an object.    at Microsoft.SharePoint.ApplicationPages.AccessDeniedPage.LogInAsAnotherUser()     at Microsoft.SharePoint.ApplicationPages.AccessDeniedPage.OnLoad(EventArgs e)     at System.Web.UI.Control.LoadRecursive()    
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)            cc409ec2-4889-42fa-aa7d-9cc4535e4f0e
  10/30/2012 11:19:03.74 w3wp.exe (0x182C)                      
  0x1210  SharePoint Foundation                 Monitoring                        
  b4ly                Medium               Leaving Monitored Scope (Request (GET:hzzp://iwatest.mydomain.com:80/_layouts/accessdenied.aspx?loginasanotheruser=true&Source=hzzp%3A%2F%2Fiwatest%2Emydomain%2Ecom)).
  Execution Time=22.5439266722447           cc409ec2-4889-42fa-aa7d-9cc4535e4f0e
  By the way, this occurs for the farm account also after a successful login and an attempt to sign in as a different user.
  Any help would be greatly appreciated

  Thanks spadminspadmin:
  I have, though I am not sure that what I've added there is correct:
  The URL that I am trying to use to access the web application's IIS site is hxxp://iwatest.mydomain.com.  I added a binding to the IIS site as follows:
  Type    Host name                      port        IP address
  http     iwatest.mydomain.com     41171     *
  Is that correct?

• Accessing web application from users' PC

  Hi there,
  My server is up and running, appsets are working nicely and everything works perfectly. But I have an issue when accessing the web application from a user PC on the same domain, and I'm not sure if it's down to me or not.
  From the users' PC, with BPC for Excel open, I click on the link for BPC Web, and Internet Explorer opens and attempts to take me to the web app. But if the address contains the server name, it doesn't work. If I manually type the IP address in instead it works.
  Why is this? Have I forgotten to do something, or is it a DNS problem, or other local IT issue?
  I'm sure I've missed something really silly, but can't figure out what!
  Any ideas appreciated!
  Thanks a lot,
  Jason

  Hi Akim,
  I think this is actually part of a wider problem - I have been testing this on my local PC (over the clients' VPN) and now it works fine. But I just logged onto the clients PC using Webex and I can't get into ANYTHING! Not the Admin client, not BPC for Office, not the web application - nothing.
  I think I need to go there on monday and actually go through this with one of their network guys - I'm not convinced that it's a problem with the server anymore!
  Thanks for your help - I will keep you posted!
  Jason

• Web application security best practice?

  Hi guys,
  I am developing web app using JSF + Spring + Hibernate. I got a user backing bean which handling user login and logout session. Hence if user sign-in successfully, I will just set userLogIn=true in the userBean.java. I really don;t know if this is the best practice for handling user login session. Any security probelm here? Please advice, Thanks !
  regards,
  kmthien

  hi
  you can also find a lot of info about security handling and JSF if you search the forum.
  thanks.

• SPSiteCollection.Add in WCF service for FBA web application throws "user not found"

  Hi,
  I use SharePoint 2010 SP2. Programmatically I can create a FBA-based web application and now I want to add a new site collection ("/") subsequently. Everything is done in a WCF web service with its own application pool and web
  application. In extracts my code looks like this:
  const uint cLID = 1031;
  const string cSiteWebTemplate = "BLANKINTERNETCONTAINER#0";
  const string cAdminName = "i:0#.f|user|username";
  const string cDisplayName = "username";
  const string cSiteAdminEmail = "[email protected]";
  SPWebApplication webApplication = SPWebApplication.Lookup(new Uri("https://www.someurl.com"));
  using (SPSite newSite = webApplication.Sites.Add("/", "some title", "some site collection comment", cLID, cSiteWebTemplate, cAdminName, cDisplayName, cSiteAdminEmail, null, null, null, false))
  I also have a Windows forms based application where the exactly same code (except the changes required for WCF services) runs smooth, no exceptions or errors.
  Now every time the webApplication.Sites.Add-method is called inside the WCF service by any client I get the following exception (it is in German, English
  translation in square brackets):
  Microsoft.SharePoint.SPException: Der Benutzer kann nicht gefunden werden. [user cannot be found]
    bei [at] Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPContentDatabase database, SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName,
  String ownerEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, String quotaTemplate, String sscRootWebUrl, Boolean useHostHeaderAsSiteName)
    bei Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin,
  String secondaryContactName, String secondaryContactEmail, Boolean useHostHeaderAsSiteName)
    bei Microsoft.SharePoint.Administration.SPSiteCollection.Add(String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin, String secondaryContactName,
  String secondaryContactEmail, Boolean useHostHeaderAsSiteName)
  The process user is the same both for my Windows forms based application and my WCF service and I expect the code runs the same in both cases. I did not find any matching forum entry and I have no idea why a WCF service does not execute
  the same way as a Windows forms application. Additionally, before applying SP2, I used an ASMX service with a similar code snippet and it also worked fine.
  Can anyone please tell me why calling
  webApplication.Sites.Add-method by a WCF service does not work? Is there anything I can do to make it work properly?

  The creation of a new web application using SharePoint API works in WCF service. I also lined out that...
  SPWebApplication webApplication = SPWebApplication.Lookup(new Uri(https://www.someurl.com));
  ... works in WCF service. In return I really get the very web application that I requested. Also exactly the same code snippet is called by exactly the same user context both in WCF Service and Windows forms application. Only for Windows forms
  application it does not throw the exception but in WCF Service it does. I had some WCF Service specialist colleague looking through the code and web.config and he stated it looks ok (unfortunately he does not have any experience with SharePoint).
  If you state "It's not, then your WCF config is wrong" what do you think I need to add or change in web.config in order to make it work? BTW: I did not modify app.config in my Windows forms application, so I thought I do not need to modify my web.config.

• User Authentication and User Authorization

  We have a scenario where the B2B customers are being provided EP user ids so that they can access certain data and create certain transactions. there are two issues out here:
  (1) For multiple EP users, there will be one single SAP Backend user mapped (which is allowed by EP). However these multiple EP users would have different authorization based on which sales area/product they access/buy and this needs to be controlled via one SAP Backend user?
  (2) Under the above user mapping model, is it possible to have authentication at EP level and  authorization at SAP Backend?
  (3) Once the customer accesses the EP system, then the SAP Backend system is exposed to him? Are there possibilities of having any further layer of security between EP and SAP Backend?
  Looking for response to this or any documentation which addresses the above. My mail id is [email protected]

  This is a broad topic, let me try to point out some key issues: (I asume, B2B means actual SRM these days.)
  (1) The user that is mapped is the generic EBP/SRM user.
  Therefore, the SRM does only know this specific user. There is no way to pass additional data to the SRM. Once the authentication is done, the role assignement is done by SRM (i.e. derived from the generic SRM user, not the EP User) Whenever you want to pass extra context values from the EP to SRM, you can only do this with tricks.
  My experience is, that SAP wants to have a 1:1 relationship between portal users and EBP, even if the bundled mapping is "allowed". (Rather grey'ish area).
  The trick copuld be to set a cookie in the portal and use a BADI together with a Javascript, to  make addiional mappings. But this would count as modification, at the end.
  (2) The authentication is mappped from EP to SRM via SSO2-Ticket, which is accepted by the SRM as authentication. The authorization (role assignement etc) is done solely by the SRM.
  (3) The Backend is exposed to the usual content - the EP via https is considered secure, so is the connection via https to the SRM - you can harden the rfc connection between the srm and the backend as well.

• May 2 web applications share user session info ?

  I have 2 web application (app1.war and app2.war).
  app1 set user session info.
  I wish app2 to read that user session info.
  Is this possible ?
  Thank you.

  As far as I understood, SSO needs an Infrastructure or (OID) installed. If the original idea of LDAP is to help the enterrprise centralized their User information, makes management of the commonly used information easier. Why Oracle requires its own OID to do SSO?
  Now, say, in an environment, if an organization has already had an LDAP server (such as MS AD, or Sun's iPlanet AD) in place, why should they install the Oracle's Internet Directory?
  This is big headache for management just trying to configure and keep different LDAP servers synchronized.
  Sharing user session info is a very common requirement for integrating. Is there a simple way (other than SSO) to achieve this? Will Servlet Filter be able to handle this?
  Thanks.

• Open Directory: user authentication and logining takes a lot of time

  We have Mac OS X Server Snow Leopard 10.6.8 with OpenDirectory and some iMacs with Mac OS X Snow Leopard 10.6.8. After adding Network Account Server in iMacs (System Preferences->Accounts->Login Options->Network Account Server Edit) OD works normally and users authenticate and login their accounts rather fast (5-10 seconds). But some days or weeks later the time for authentication and logining takes for about 5 minutes. If I re-add Network Account Server, then all works greatly again. What's the matter? How to avoid this re-adding?

  Hello,
  can you tell us what is the size of this Universe in terms of:
  number of tables, number of objects, size of the .unv file?
  Also, is this behaviour specific to this universe or you have other universes having the same problem?
  Last, are you 'opening it' as in File/Open or importing it as in 'File/Import...' ?
  Thanks
  PPaolo

• Developing a web application in Dreamweaver,MySql and PHP

  I have two questions:
  1.  Am developing a web application on a windows 7 platform.
  I have an insertion form where I have to always eneter the geographical details for some one. I.e District, County, Sub County and village.
  So what I want is to have these pre entered in the database before I revock this form such that when I select a certain village on the form, it automatyically displays its District, Subcounty and County in the following textfiled. This saves time than typing them manually all the time.
  I need help on how to do this.
  2.  On the same form, I have a textfield for capturing date of Birth. I need help on to insert a calender in this field such that when some one clicks on it, a calender pops up and he selects the date which is then inserted in the text field other than  tytping it manually.
  Thank u.

  1. Have a look here http://labs.adobe.com/technologies/spry/samples/data_region/DataSetMasterDetailSample.html
  2. Have a look here http://www.adobe.com/cfusion/exchange/index.cfm?event=extensionDetail&loc=en_us&extid=2137 022
  I hope this helps.
  Ben
  PS For more support on these products go to the Spry Forum here http://forums.adobe.com/community/labs/spry

• Simple Web Application - To display list and then details

  Hello All,
  I am trying to build simple classifieds web application using - JSP, MySQL.
  I am little confused how to achieve following using JSP - for example -
  Craigslist can display list of classifieds and when clicked on individual classified - the record is shown as Static HTML file -
  http://newyork.craigslist.org/mnh/cpg/708366015.html
  http://newyork.craigslist.org/mnh/cpg/708343755.html
  How can i achieve the same results dynamically - i mean, how can i create a static HTML page using information in database and put that static HTML file on server so it can be picked up by search engines ...
  I am new to java guys .. so please show me some light or explain me how do i code this using JSP.
  Thank you,
  Jagdish

  How can i achieve the same results dynamically - i mean, how can i create a static HTML page using information in database
  and put that static HTML file on server so it can be picked up by search engines ...By definition a dynamic html page doesn't exist, so how would a search engine find something that doesn't exist?

• Web application in linux server and windows clients

  Hi,java expert and experienced developer, i need your advise and experience sharing.
  I have project, which the server is RedHat Linux and clients be Windows. The application is a web application. The database used is MySQL. My question are:
  1) Should i use JDK from blackdown or sun?
  2) If i install blackdown JRE in Server(Linux), then is it ok that the clients(Windows) installs the Sun JRE?
  3) Is there any issues Jakarta Struts in Linux?
  Thanks in advance.

  If your application is different, and does a lot of updating, , you
  may want to look elsewhere.Yes, that why i say performance issue....
  Ok, MySQL however will enable stored procedure in version 5.0, but when the release will be available?
  PostgreSQL may be another option look to. Any opinion in term of:
  -performance
  -reliability
  -usage experience
  thanks in advance