Web Elements Security

Hello,We are using Crystal Reports in a .net Business Objects Enterprise environment and have successfully done so for few years now. We are very interested in the new web page features that WebElements offer and have read the installation guidance which refers to the security risks of Pass Through HTML. Not being an HTML gurus we have approached our ICT system/web security colleagues for advice on the security risks of implementing WebElements. We operate both the BOXIR2 server and the MS SQL server entirely within our own domain on a firewalled internet. Approximately 250-300 are members of our domain but only 40-50 with access to the BO server.Our ICT colleagues recommended that if the server were open to the Internet they would not advise implementing WebElements but as we are operating on a closed intranet then providing we accepted the risk then it should be OK.My problem is I'm trying to guage just what the risk is! Is it possible direct access to the SQL server data for any domain members that could execute pass through HTML, even with permissions set on the tables, views etc., on the server? Or would the risk be much lower, i.e. controlled by the SQL server permissions. Or is the access to the SQL data set at the same read only level of the BO server pemissions on the SQL.My apologies if this sounds very general but we are trying to get our heads around the scale of the risk. Any advice, practical experience of risk a similar configuration would be very welcome.Many thanks,Dave

hello,please see this forum...<a href="/node/2099">http://diamond.businessobjects.com/node/2099</a>jw

Similar Messages

Web Services Security Problem

hi all,
I am publishling the BC4J Component(Application module) as a webservice. The particular web service method will be as follows. The method is returning the element object.
public Element getEmp(String searchString,String selectedItem, int pageNoInput)
return (Element)hits.writeXML(1,Row.XML_OPT_LIMIT_RANGE);
I am securing the web service by the instructions which are given in the following link
http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html
Then i am creating the proxy client. when i run the proxy client it gives me the following exception
javax.xml.rpc.soap.SOAPFaultException: SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
     at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:553)
     at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:390)
     at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:111)
     at aptuitclient.runtime.ReviewProtocolAppModuleServiceSoapHttp_Stub.getEmp(ReviewProtocolAppModuleServiceSoapHttp_Stub.java:91)
     at bc4jaswebservice.server.webservice.ReviewProtocolAppModuleServiceSoapHttpPortClient.getEmp(ReviewProtocolAppModuleServiceSoapHttpPortClient.java:58)
     at bc4jaswebservice.server.webservice.ReviewProtocolAppModuleServiceSoapHttpPortClient.main(ReviewProtocolAppModuleServiceSoapHttpPortClient.java:44)
When i am removing the security for the web service it is giving the Element object.
The Problem is when i am securing the web service it is giving the above said exception.
Please help me regarding this... this is very urgent...
rgds
Parameswaran

Hello,
When you are using WS-Security you need to secure the client too. So in your case the client is the ADF Data Control.
The way you should configure your data control is documented here:
- Web Services Security and ADF Data Control
Regards
Tugdual Grall

SOAP Request with Web Service Security

Hi masters of XI,
the Oasis standard for web services security saids that exists three levels of security for web services, at higher level is Encryption, middle level is signature and at lower level is authentication with username and password inside the soap envelope.
I need to do a SOAP Request signed with a X.509 certificate and username and password too in SAP PI 7.0 SP11. I can sign the request with X.509 certificate without problems but i can't authenticate the request with username and password in usernametoken element like saids the Oasis standard
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>XXXX</wsse:Username>
<wsse:Password>XXXXXXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
How can we send UserNameToken's elements inside SOAP web service envelope
signing with X.509 certificate also? There are any way to do it in the
receiver agreement or receiver SOAP adapter?
thanks.

Hi,
thank you very much for your answers.
I have solved the SSL comunication and i can sign with X.509 certificates. My problem is that in the SOAP envelope of resquest signed only travels the X.509 certificate and I need to send the username security token (wsse:UsernameToken) also.
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>XXXX</wsse:Username>
<wsse:Password>XXXXXXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
I can't find the solution to do it. The Netweaver documentation says that Netweaver is able to sign SOAP request with X.509 certificates and is able too for using UsernameToken as part of Oasis standard for web service security. In abap stack of NW you can assign a security profile to a web service call for signing the message or authenticate it with username/password inside SOAP envelope, but in java stack of XI i think that there is no way to do it.
This is my Request:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
 <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">
 <ds:SignedInfo>
 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 <ds:Reference URI="#id-104309952">
 <ds:Transforms>
 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </ds:Transforms>
 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
 <ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>
 </ds:Reference>
 <ds:Reference URI="#Timestamp-104310599">
 <ds:Transforms>
 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </ds:Transforms>
 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
 <ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>
 </ds:Reference>
 </ds:SignedInfo>
 <ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>
 <ds:KeyInfo Id="KeyId-104377209">
 <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">
 <wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
 </wsse:SecurityTokenReference>
 </ds:KeyInfo>
 </ds:Signature>
 <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">
 <wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>
 <wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>
 </wsu:Timestamp>
 </wsse:Security>
</soapenv:Header>
And this is the request I need:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
 <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">
 <ds:SignedInfo>
 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 <ds:Reference URI="#id-104309952">
 <ds:Transforms>
 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </ds:Transforms>
 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
 <ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>
 </ds:Reference>
 <ds:Reference URI="#Timestamp-104310599">
 <ds:Transforms>
 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </ds:Transforms>
 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
 <ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>
 </ds:Reference>
 </ds:SignedInfo>
 <ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>
 <ds:KeyInfo Id="KeyId-104377209">
 <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">
 <wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
 </wsse:SecurityTokenReference>
 </ds:KeyInfo>
 </ds:Signature>

<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-104312926">
 <wsse:Username>xxxxxxx</wsse:Username>
 <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
 </wsse:UsernameToken>

<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">
 <wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>
 <wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>
 </wsu:Timestamp>
 </wsse:Security>
</soapenv:Header>

Web.xml: security-constraint [un]usable in JSF?

<security-constraint> in web.xml is a simple, effective and portable method of declaring a web application�s security policies.
It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has it�s limitations in the context of jsf.
A reasonable solution would be to consult <security-constraint> elements in one�s own web.xml when rendering <h:commandLink>'s on a page according to the security policy.
Unfortunately, there is no standard method of reading web.xml, other than what�s available from the ServletContext.
I found some container specific-implementations in the Cargo project from the http://cargo.codehaus.org,
but I�m looking for a portable solution. Any thoughts?
Thanks, y�all!

Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
Bean code:
this.isAdmin = context.getExternalContext().isUserInRole("admin");web.xml:
 <security-role>
 <role-name>Local Admin Group</role-name>
 </security-role>
 <security-role>
 <role-name>DBA Group</role-name>
 </security-role>
 
 <servlet>
 <servlet-name>Faces Servlet</servlet-name>
 <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
 <security-role-ref>
 <role-name>admin</role-name>
 <role-link>DBA Group</role-link>
 </security-role-ref>
 <security-role-ref>
 <role-name>admin</role-name>
 <role-link>Local Admin Group</role-link>
 </security-role-ref>
 </servlet>

How to make my Portal Web Service SECURED?

Hi Experts,
I created one portal Service and exposed it as Portal Web Service.
Everything is working fine, as i deployed my Portal Web Service on to the SAP J2EE Engine ie SAP Server.
I m able to access functions of Web Service from my StandAlone Java Application.
but the problem is my Web Service is not SECURED.
How can i make my Portal Web Service SECURED?
Please help me out.
Help will be appreciated and rewarded!!!!!

user13046122 wrote:
I have an old pl/sql "helper" package, originally written to make SOAP Web Service calls from the database - it uses UTL_HTTP to invoke the target services.
I now need to make SOAP Web Service calls - from an 8.1.7.4 database
But the version of UTL_HTTP inside 8.1.7.4 does not contain the functions needed in the helper package
Can anybody suggest a means of making SOAP Web Service calls from an 8.1.7.4 database ?I think you'll be very lucky to find anyone here who still has access to a version of Oracle that is that old.... I mean... that's like what? 15 years old at least? I'm surprised you've still got hardware that can run that.
It would probably help if you could post what code you've got and explain which function(s) it's complaining about, as I doubt people will want to guess.

Web service security with active directory

Hi,
i want to protect my webservice by using active directory for authentication.
(i am using jdeveloper 10.1.3.1 and bundled OC4J)
i follow the document web service developer guide (section External LDAP Security Providers) and set up the LDAP security provider...
in the OC4J web admin security page...i have press the 'test ldap authorization'
button to CONFIRM the ldap connection is correctly set.
but when i call the web service, deployed in that OC4J container,
operation fail with the following message :
javax.xml.rpc.soap.SOAPFaultException: UnsupportedCallbackException: oracle.security.jazn.callback.IdentityCallback@19f410 not available to gather authentication information from the user
at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
at test.proxy.ws1.runtime.MyWebService1SoapHttp_Stub.getUserNameYY(MyWebService1SoapHttp_Stub.java:134)
at test.proxy.ws1.MyWebService1SoapHttpPortClient.getUserNameYY(MyWebService1SoapHttpPortClient.java:50)
at test.proxy.ws1.MyWebService1SoapHttpPortClient.main(MyWebService1SoapHttpPortClient.java:33)
could anybody help me?
thank you very much

actually i use the default setting provided by oracle's configuration
wizard for active directory
User:
LDAP User Name Attribute: sAMAccountName
LDAP User Object Class : inetOrgPersion
User Search Scope: subtree
User Search Base: dc=xxx, dc=com
Groups:
LDAP Group Name Attribute: cn
LDAP Group Object Class: group
LDAP Group Member Attribute: member
Group Search Scope: subtree
Group Membership Search Scope: direct
Group Search Base: dc=xxx, dc=com
using the same user, user searchbase, i can search the AD using other
tools.
could anybody help me ?
thank yous.

Web Service Security Question

I have created a web service in the NetWeaver portal using a Portal Service. I have marked the service as requiring basic http authentication. However, when I call the web service from the Enterprise Portal Web Services Checker in NWDS it just let's me supply the params of the web service and no authentication. Any ideas?
I also noticed that my web service does not appear under the Web Services Container or Web Services Security section in Visual Administrator. Anybody have any idea why this is?
Thanks in advance.
Curtis

Hi Curtis,
My guess is that since you are logged into the Portal while calling this web service, it will use the current session cookie to authenticate automatically. I'm not sure on the second question, tried a restart?
Regards,
Raj

Web Service Security with SAML - Invalid XML signature

Hello together,
we want to build a scenario where we want to use Web Service Security with SAML.
The scenario will be
WS Client (Java Application) -> WS Adapter -> Integration Engine -> WS Adapter-> CRM (Web AS ABAP 7.01 SP 3)
SAP PI release is 7.11 (SP Level 4)
We want to use the SAML Authentification from WS Client to PI and from PI to Web AS ABAP.
The SAML authentifications between the WS Client and PI works when there is no SAML auth between PI and CRM.
But we get following error at calling the CRM system when we want to communicate with SAML:
<E_TEXT>CX_WS_SECURITY_FAULT:Invalid XML signature</E_TEXT>
Has somebody an idea of the possible reason for the error.
Thanks in advance
Stefan

Error Messages in the Trace/Log Viewer:
CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48 with internal error id 1001 and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1 ).
Invalid XML signature

Web App Security Firewall Using Catalyst 6500 w/ CSM

We are evaluating web application security firewalls. The other products can recognize application level attacks such as SQL insertion and deranged parameters. Some of my colleagues believe that the CSM (which we already have deployed) has these sorts of capabilities.
While the CSM has some layer 7 capabilities, my read of the specs does not suggest that it is suited to this function.
Anyone have experience or input?
Thanks!

The same as a SYN attack protection feature.
That's all.
It does not have content analysis for intrusion detection.
Regards,
Gilles.

Year in drop down appears using web elements as decimal

Year field in database as number. I used crystal web element and deployed report in Infoview. But LOV for Year appear as decimal eg: 2,011.00. How to convert to number format as eg: 2011

Hi,
I am using the below code in sub report:
stringvar field4:=left(replace(cstr({AllData.SLS_YR}),",",""),4);
And using the below code in main report
WESelect ("Year", P1L4,P1L4,cstr(year(CurrentDate)),MultiSelectfont)
I am getting drop down with out decimals but current year is not appearing on top instead 2010 appears in infoview.
Any help appreciated.

How to populate data dynamically in WSelect web element.

How to populate data dynamically in WSelect web element. what is the syntax of WSelect web element to populate data from the database

Hi Jamie,
There is no Url to download ackage, instead the link is taking here
Crystal Reports webElements
Can you give me correct link?

Details for 'Is Web service security available?'

Hi i am working on scenario rfc to webservice.Its as secued webserivce i need to do ssl configuration.
In component monitoring..for the integration engine its in yellow...
Details for 'Is Web service security available?'
Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client)
can any one please help me out..
Thanks
sriram

I have already installed certificates on the j2ee engine & i have given the paramaters for keystore entry & keystore value.Still i have the same error
In component monitoring
For integration engine
Details for 'Is Web service security available?'
Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client)
In message monitoring
Audit Log for Message: f614df00-e9e0-11da-95ef-0004ac577b32
Time Stamp Status Description
2006-05-22 15:18:58 Success The message was successfully received by the messaging system. Profile: XI URL: http://saptst01:51000/MessagingSystem/receive/AFW/XI
2006-05-22 15:18:58 Success Using connection AFW. Trying to put the message into the request queue.
2006-05-22 15:18:58 Success Message successfully put into the queue.
2006-05-22 15:18:58 Success The message was successfully retrieved from the request queue.
2006-05-22 15:18:58 Success The message status set to DLNG.
2006-05-22 15:18:58 Success Delivering to channel: ZCH_VERISIGNPPGR
2006-05-22 15:18:58 Success SOAP: request message entering the adapter
2006-05-22 15:18:58 Success SOAP: call failed
2006-05-22 15:18:58 Error SOAP: error occured: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: illegal parameter
2006-05-22 15:18:58 Error Exception caught by adapter framework: Peer sent alert: Alert Fatal: illegal parameter
Can any one please help me out.
Thanks
sriram

Add web element in Crystal report for SAP system

Hi all,
I have added web element in Crystal report for SAP system (BI or R/3) . But it does not show the control. It shows only scipt.It does not render the HTML.
But if I add the webelement for Excel sheet ,It shows the control.
How can I add web element for SAP System? Can't we use web controls in SAP system ?
Help me in this regard.

Hi All,
i have the same issue on crystal report add-ins. Have you able to solve this without upgrading our sap business one to the latest version or patch level? Please see details below.
OS: MS Windows 7 SP1
SAP Business One 8.82 pl7
Crystal report 2011
Crystal report integration package installed under B1_SHare/Client
But still the problem persist on the workstation.
Please help me solve this problem.
Thank you,
ana

Pass values from report1 to report2 but without displaying the web element

Need to pass a string value from report1 to report2.This can be done by using web elements. But in that case the web element is showing up when we run report1.So what is the way to avoid display of web element but still pass the value to report 2.
Thanks

if you have no need for webelements controls on a report and just need a simple hyperlink, use opendocument syntax in conjunction with an object's hyperlink properties in the formatting editor.
see your online help for more info on opedocument.

Crystal Web Elements in XI 3.0

Hi All,
Has anyone been able to get the Crystal Web Elements to work on XI 3.0.
For R2 the steps are simple to add the parameters in the web.xml file. I have tried the same for XI 3.0 and when the report is run it ain't working.
Is it still supported on XI 3.0 ????
Thanks in advance
Jacques

Try the following post:
Re: Web elements installation on 3.1
It worked for me to get HTML passthrough working on BOE XI R3.1 SP2 on .NET (WACS).
Regards,
Geoff.

Web Elements Security

Similar Messages

Maybe you are looking for