Web server–based authentication user security example

This question was posted in response to the following article: http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24-7c35.html

Any chance of a working example?

Similar Messages

  • Form based authentication problem - security constraint in web.xml

    Hi ,
    I have j_security_check in my login page
    <form name="loginForm" id="loginForm" method="post" action="j_security_check">
         <table id="login" align="center" cellspacing="0" cellpadding="0">
                   <tr>
                        <td class="label">Name</td>
                        <td class="value"><input id="j_username" name="j_username" value="" type="text" ></td>
                   </tr>
                   <tr>
                        <td class="label">Password</td>
                        <td class="value"><input name="j_password" type="password"></td>
                   </tr>               
                   <tr>
                        <td colspan="2" class="submit"><input type="submit" name="Submit" value="Log in >>"></td>
                   </tr>
         </table>
         </form>
    And my web.src consists of the following
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>EP</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>EP</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>EPULSE</auth-method>
        <realm-name>AuditManager</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    After I start the tomcat server I can go to the login page, however when I enter the username and password and press enter..
    http://localhost:8443/au/j_security_check ...
    Can you please advise me whether there is a problem in this?
    Manisha

    Please read the Servlet specification for details on how to specify url-patterns (see section 11.2). Your "index.*" is not a legal pattern. You can only end in "/*" or "*.foo". See Servlet spec.
    If after fixing that you have more questions, please include the actual sequence of requests (and responses), preferably from a network snoop.
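
A descriptor check for the points raised in this thread, as an added example that is not part of the original posts: it classifies each url-pattern the way the Servlet specification's mapping rules do, notes constraints that only cover listed HTTP methods, and flags a login-config whose auth-method is not one of the four standard schemes. The function names and finding codes are made up for this example, and the sample descriptor is constructed from the posted fragment plus the "index.*" pattern the reply mentions.

```python
import xml.etree.ElementTree as ET

STANDARD_AUTH = {"BASIC", "DIGEST", "FORM", "CLIENT-CERT"}

# Constructed sample: the descriptor fragment from the post, plus the
# "index.*" pattern the reply mentions, wrapped in a <web-app> root.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>EP</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>index.*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>EP</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>EPULSE</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def classify_url_pattern(pattern):
    """Return the kind of mapping a url-pattern string denotes."""
    if pattern in ("", "/"):
        return "context-root" if pattern == "" else "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path-prefix"
    if pattern.startswith("*.") and "/" not in pattern:
        return "extension"
    if pattern.startswith("/") and "*" not in pattern:
        return "exact"
    # e.g. "index.*" or "/docs/*.jsp": '*' is not a wildcard in these positions
    return "invalid"


def _find_all(elem, name):
    # Compare local names so namespaced descriptors are handled too.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def lint_web_xml(text):
    """Return (code, detail) findings for a web.xml document."""
    root = ET.fromstring(text)
    findings = []
    for sc in _find_all(root, "security-constraint"):
        for pat in _find_all(sc, "url-pattern"):
            value = (pat.text or "").strip()
            if classify_url_pattern(value) == "invalid":
                findings.append(("bad-url-pattern", value))
        methods = sorted((m.text or "").strip() for m in _find_all(sc, "http-method"))
        if methods:
            # A constraint that lists methods covers only those methods;
            # other HTTP methods on the same URLs are not constrained by it.
            findings.append(("methods-not-covered", ",".join(methods)))
    for lc in _find_all(root, "login-config"):
        names = [(a.text or "").strip() for a in _find_all(lc, "auth-method")]
        method = names[0] if names else "(none)"
        if method not in STANDARD_AUTH:
            findings.append(("nonstandard-auth-method", method))
        if method != "FORM" and _find_all(lc, "form-login-config"):
            findings.append(("form-login-config-unused", method))
    return findings
```

Calling `lint_web_xml(SAMPLE_WEB_XML)` returns four findings for the constructed descriptor; a vendor-specific auth-method is permitted by the descriptor schema, so that finding is a prompt to confirm the container really has such an authenticator installed.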

  • Form based authentication - users stored in db.

    I must use form based authentication and the users are stored in an oracle table.
    How can I configure OC4J to get this thing working ?
    I have searched for some days on the internet and came up with nothing ... Oracle seems to be offering so many security options that I don't know what to choose from.
    A simple example would be welcome ...
    Please help, I'm really getting desperate ...
    Thanks a lot in advance !

    Hi Partner:
    I'm having the same problem as you
    configuring JDBC security.
    If you have found some useful solution please
    let me know.
    Thank you.
    Roger.

  • Web form based authentication. HOW ????

    So, I've read almost all the forums and the specs that I could find and I still don't get it.
    How do you form based authenticate a user ?
    The unclear part is how/where is "j_security_check" mapped to ??
    Is the Web Container taking care of that?
    If it does, how do I configure the web container to access the database (all the username/password are in there)?
    If not, I suppose I need a custom servlet that will pull the username/password from the db. The question is how do I tell the web container that the user credentials are verified??
    Any suggestions or code samples are welcome!
    Thanks,
    mihut_m

    If you're using Tomcat, try:
    http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#JDBCRealm
    and
    http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html
    Basically you:
    1) create a login and an error page. The form for the login must post with an action of "j_security_check" with a field named "j_username" and another named "j_password"
    2) you tell tomcat (in server.xml) what realm to use and you configure it accordingly
    3) in WEB-INF/web.xml you set the parameter for your security constraints.
    Patrick

  • Windows 2008 server OS authenticated user keeps failing

    I have a new server that has windows 2008 server installed, 64-bit. I've installed oracle 11gR2 64-bit and have created my database. Now I need to create two oracle accounts that are OS authenticated and I can't seem to get this right. I've set os_authent_prefix in my spfile and I've created the user (example) OS$<domain>\<username> in the database. In Windows, the account name equals <username> and that account belongs to Administrators and ora_dba groups. I've tried creating the oracle user with <domain> in caps and lowercase, but both fail. On the server, the domain is all lower case.
    So in SQL> create user "OS$my.domain.mil\user1" identified externally; (user created)
    Grant connect to "OS$my.domain.mil\user1";
    Log out of sqlplus, pull up command prompt in Windows 2008 server as 'user1' and type in "sqlplus /"
    Invalid username or password.
    What am I missing here? Any help appreciated.
    SA feedback: "Finally, Windows Server 2008 R2 Operating System has a tighter security scheme than that of previous Windows OS.
    Also, it would be helpful if I remove the AD domain controller role from this server. This may require reinstallation of this server (worst case). Let me know when I can do this so you can proceed with your configuration."
    Edited by: wolfeet on Jun 21, 2011 5:02 PM

    Hello Ricardo,
    You may want to reference SAP Note 1054740 - SAP System Installation on Windows Server 2008
    and ensure you are on SAP Netweaver 7.0 SR3 or above, and it will also tell you if the product you are installing is supported in Windows 2008 Server.
    For database and SAP product combinations that are already
    supported by SAP to run on Windows Server 2008, see the Product
    Availability Matrix at: http://service.sap.com/pam
    Also check the following: in Regedit.
    SYSTEM\CurrentControlSet\Services\gpsvc
    Right click on it and select "Permissions" in the context menu.
    Provide "Full Control" for sidadm
    Does the installation user have full administrative rights and belong
    to the group of LocalAdministrators and to Global Administrators also
    when you are doing a domain installation ?
    Please ensure the user <sid>adm has the access rights
    to change the file system permission.
    Regards,
    Paul

  • Request a file from server as authenticated user?

    I am working on a file upload system for my project. It is important that the files not be visible to an anonymous user who may be able to guess a URL. My project is hosted on an IIS server, so I have set "allow anonymous access" to false for the directory I upload to. Trying to access a valid URL results in a 401 error.
    That solves my privacy/security problem, but leaves me with the question of how in my Flex app to access files in the upload directory.
    As an example, I have a simple Image control embedded in my app with its .source property pointing to a URL within the upload directory. When I run the app, my browser asks for a name and password. I need to provide that data to the server when the app starts up, so the user doesn't see the login box.
    Can anyone give me some pointers?
    Thanks.
    Paul

    Got it.
    My image source URL is now in this format and loads properly:
    http://username:[email protected]/privatedirectory/theimage.jpg

  • Dynamically configure different DNS server based on user login.

    I've got two young sons and I'm looking to reconfigure the 'Family' desktop to give the older son his own user account.
    I've only recently started with Arch on my personal netbook so the family desktop is still running Ubuntu.  That will likely change next clean install though.
    I'd like to set the DNS to OpenDNS 'family shield' for his usage but allow full access via a different DNS server such as google DNS (for example) for parental use without filtering.
    I'd like this to switch auto magically based on the user login credentials if possible.
    I understand the limitations of DNS filtering but my oldest son has never even heard of DNS much less being able to figure out how to circumvent it yet.  I'll deal with that in several years when it becomes an issue...
    Can anyone point me in the right direction?

    bergersau wrote: Thanks,
    It looks like I might have to set up a squid proxy with Dan's Guardian.  I was hoping for a simpler solution though.
    Dan's Guardian is going to be a whole lot simpler than hacking the system resolver to use different servers for different users.
    You MIGHT be able to hack something with iptables, the NAT table and a DNAT in conjunction with the 'owner' module... Something like:
    Set your "unrestricted" DNS server in /etc/resolv.conf and a rule like below...
    I'll assume you set the Google servers; 8.8.8.8 and 8.8.4.4 and your sons' usernames are 'brad' and 'tony'
    # DNAT is only valid in the nat PREROUTING and OUTPUT chains; locally generated queries pass through OUTPUT, where the owner match works
    iptables -t nat -A OUTPUT -d 8.8.8.8 -m owner --uid-owner brad -j DNAT --to-destination 208.67.222.222
    iptables -t nat -A OUTPUT -d 8.8.4.4 -m owner --uid-owner brad -j DNAT --to-destination 208.67.220.220
    iptables -t nat -A OUTPUT -d 8.8.8.8 -m owner --uid-owner tony -j DNAT --to-destination 208.67.222.222
    iptables -t nat -A OUTPUT -d 8.8.4.4 -m owner --uid-owner tony -j DNAT --to-destination 208.67.220.220
    Untested and I don't guarantee that will work. You could tidy it up a bit using subchains etc, but I'll leave that as an exercise for the reader.... And I'd still recommend a filtering proxy over the above....

  • Web Services with Authentication - User Name and Password.

    How to create a web service and web service client where the need is to authenticate using SOAP Header based authentication. The authentication is to be based on UserName and Password in the SOAP Header.
    Regards
    Pramod.

    Dear Pierluigi Vernetto
    What is meant when they say to include SOAPHeader with the parameters UserName, Password for Authentication. How this type of authentication is done. Can you please provide some code snippet to facilitate. I am new to the web services and did successfully a web service generation and client generation using WSDL.
    WSDL Snippet :
    <wsdl:operation name="RegisterService">
      <soap12:operation soapAction="http://www.abc.com/webservices/RegisterService" style="document" />
      <wsdl:input>
        <soap12:body use="literal" />
        <soap12:header message="tns:RegisterServiceAuthenticate_Info" part="Authenticate_Info" use="literal" />
      </wsdl:input>
      <wsdl:output>
        <soap12:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
    <wsdl:types>
      <s:schema elementFormDefault="qualified" targetNamespace="http://www.abc.com/webservices/">
        <s:element name="RegisterService">
          <s:complexType>
            <s:sequence>
              <s:element minOccurs="0" maxOccurs="1" name="InputText">
                <s:complexType>
                  <s:sequence>
                    <s:any />
                  </s:sequence>
                </s:complexType>
              </s:element>
            </s:sequence>
          </s:complexType>
        </s:element>
        <s:element name="RegisterServiceResponse">
          <s:complexType>
            <s:sequence>
              <s:element minOccurs="0" maxOccurs="1" name="RegisterServiceResult">
                <s:complexType>
                  <s:sequence>
                    <s:any />
                  </s:sequence>
                </s:complexType>
              </s:element>
            </s:sequence>
          </s:complexType>
        </s:element>
        <s:element name="Authenticate_Info" type="tns:Authenticate_Info" />
        <s:complexType name="Authenticate_Info">
          <s:sequence>
            <s:element minOccurs="0" maxOccurs="1" name="UserName" type="s:string" />
            <s:element minOccurs="0" maxOccurs="1" name="Password" type="s:string" />
          </s:sequence>
          <s:anyAttribute />
        </s:complexType>
    If I simply create the web service using the WSDL, will the Authenticate_Info be taken care of?
    What needs to be done for the client side .jsp code, and how will this information of UserName and Password be passed while making the call to the web service?
    regards
    Pramod.
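
The exchange the WSDL snippet above describes, as an added example that is not part of the original post: the client places an Authenticate_Info element in the SOAP 1.2 header, and the service has to read and verify it itself, because the schema marks both UserName and Password as optional. The user store, account name, password and function names are constructed for illustration; the optional InputText element is omitted from the body. The header travels as plain text, so the endpoint is assumed to be reachable over TLS only.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
TNS = "http://www.abc.com/webservices/"  # targetNamespace from the WSDL snippet


def build_request(username, password):
    """Client side: RegisterService call with Authenticate_Info in the header."""
    env = ET.Element(f"{{{SOAP12}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP12}}}Header")
    auth = ET.SubElement(header, f"{{{TNS}}}Authenticate_Info")
    ET.SubElement(auth, f"{{{TNS}}}UserName").text = username
    ET.SubElement(auth, f"{{{TNS}}}Password").text = password
    body = ET.SubElement(env, f"{{{SOAP12}}}Body")
    ET.SubElement(body, f"{{{TNS}}}RegisterService")
    return ET.tostring(env, encoding="unicode")


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash). Hypothetical account.
_SALT = b"constructed-salt"
USERS = {"pramod": (_SALT, _hash("s3cret-example", _SALT))}


def authenticate(envelope_xml):
    """Server side: return the user name if the header verifies, else None."""
    # For untrusted input a hardened parser (e.g. defusedxml) is preferable.
    env = ET.fromstring(envelope_xml)
    auth = env.find(f"{{{SOAP12}}}Header/{{{TNS}}}Authenticate_Info")
    if auth is None:
        return None  # header block missing: reject, never treat as anonymous
    username = auth.findtext(f"{{{TNS}}}UserName")
    password = auth.findtext(f"{{{TNS}}}Password")
    if not username or not password:
        return None  # both are minOccurs="0" in the schema, so check presence
    # Unknown users still go through the hash so timing stays comparable.
    salt, stored = USERS.get(username, (_SALT, b""))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return username if ok else None


if __name__ == "__main__":
    request = build_request("pramod", "s3cret-example")
    print(request)
    print("authenticated as:", authenticate(request))
```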

  • How to get folder/webi reports based on user rights in BOX3.1

    Hi ,
    We are using the Java SDK to interface with BOXI3.1. In our project users will log in through a J2EE screen; after login, users need to see which Webi reports they have access to.
    I would be very grateful if you could provide a SQL query/Java code to get reports based on access.
    Thanks,
    Subash

    First of all, with your user privileges you can test which folders or reports can be seen at the http://[SERVERIP]:[PORT]/AdminTools/ web application. After the login process you can prepare a query, or you can try "SELECT * from CI_INFOOBJECTS WHERE SI_KIND='Folder' "; with this query you can see a list of folders for the user you logged in to the application as.
    For Java sample code, I can send it in one or two days.

  • SQL Server 2012 Always ON routing to particular server based on User Name

    I have configured SQL Server 2012 with AlwaysON availability groups. I could route my connections to Secondary node when I put the applicationintent = readonly on the connection string. However I would like to route all of my connections from particular user name to my read only node. How can I accomplish this without changing connection string (Reason is I would like to be able to route connections for read only query to some older application client that doesn't support applicationintent parameter).

    Hello,
    There is nothing built in that will allow you to dynamically re-route connections based on usernames. This may be achieved outside of SQL Server through some sort of network appliance, but I can't say for sure.
    Would it be possible to upgrade the SQL Client (to 2012+) for the old application and then change the connection string?
    Sean Gallardy

  • Can iDSIE (Meta-directory) be used as a single authentication point from iPlanet Web Server for multiple databases using direct "or" indirect connectors?

    Basically, the latest release of iPlanet Web Server forces the user/group information source to be an LDAP database. Currently, the user accounts are in Active Directory, NT, Oracle and NetWare Directory Service in this heterogeneous environment.
    What I am looking for is a meta-directory product which can do two things:
    1-Single authentication point for users in multiple databases from iPlanet Web Server.
    2-Single administration point for all of the databases listed above.
    For example, can I add/modify/delete a user account at the meta-directory level and have this propagate to all of the databases listed above reducing the administration to one meta-directory product?

    With a Virtual Directory solution, you can authenticate iPlanet Web Server against nearly anything including any LDAPv3 Directory Server, Microsoft Active Directory, Windows NT Domains, Oracle RDBMS, IBM DB2 RDBMS, Microsoft SQL, and others.
    All of this is done dynamically and doesn't require any heavyweight synchronization process. The Virtual Directory acts as a dynamic schema / DIT / data translation engine for different types of repositories.
    OctetString's Virtual Directory Engine is one such example. You can download a 30 day evaluation copy at:
    http://www.octetstring.com
    It will take you all of 30 minutes to get iPlanet Web Server authenticated against and using groups from things like Oracle RDBMS, Windows NT Domains, or Active Directory.

  • Tacacs+ authentication/authorization based on user's subnet

    Hi Guys/Girls
    We have a number of production cisco gears, all of which are configured with Tacacs+ and all of them are working just fine. But now I have a requirement to implement SSH-ver2 across the whole network, comprising about 8000 cisco gears.
    I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
    Our lab cisco gears have already been configured with the production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears, but without disrupting other users who are using the same lab-gears.
    So, I want to enable SSH version 2 on these lab-gears; however, when a user comes from a certain specific subnet, this particular user must be authenticated and authorized by the LAB Tacacs+ and not by the production Tacacs+. Please note that the lab-gears I am testing with are also already configured for the production Tacacs+ server. These lab-gears must be able to do authentication and authorization against two different Tacacs+ servers based on the subnet the user is coming from.
    Is this a doable plan? I have been looking for documentation to implement and test this method, without success.
    Your feedback will be appreciated and rated.
    Thanks
    Rizwan Rafeek

    Rizwan,
    This will not work. Tacacs authentication starts once the ssh connection is established; the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server, in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You cannot create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server, that is not the intended design of tacacs; when you configure multiple servers in a group it is to ensure high availability, such that when one tacacs server goes down you have a secondary to continue with the authentication requests.
    Here is an example of how the tacacs authentication is performed.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
    thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • Dynamic charting in J2ME using SVG - based on SQL query from a web server

    Hi
    I am creating a J2ME application which needs to generate dynamic charts for the user.
    The data for generating the charts is stored on a web server. In order to have minimal computations on the mobile device, I want to generate the charts on the web server itself.
    I have written a code which generates svg (svg tiny) charts dynamically on a web server based on sql queries on a database . Now I want a J2ME client app to be able to retrieve this data through a web service.
    Can someone guide me as to how to return svg files from a java web service.
    Any help would be greatly appreciated.
    Regards
    Sparsh

    Hi
    Actually, I am developing my application using Netbeans 6. In order to connect to my web service , I am using the J2ME client to web service as the type of my project and that uses the above mentioned API's.
    My question is how do I enable my web service to return a SVG file , and then how do I retrieve it in the J2ME client. Any example application that anyone knows online would be really helpful

  • Imp: How to find out whether client authentication Enabled on the Web Server

    Hi,
    I am trying to find out whether the Client Authentication Enabled on the Web Server or not.
    Reason for doing this, if we have two certificates in the key store which will authenticate the Web Server, JSSE Authentication will always take the first cert from the keystore. If the first Certificate is Expired, it will fail while doing the HandShake.
    So if I can find out whether Client Authentication is Enabled or not, then I can prompt a dialog for the user to select the Certificate for the Hand Shake.
    Thanks in advance for any Response,
    Krish.

    AUTH_TYPE will tell you only if it SSL or not. It won't say whether the Client Certificates Required for SSL Connection.
    Also, AUTH_TYPE is not part of the Http Headers.
    If there is any other solution, greatly appreciated.
    Thanks
    Krish.

  • Web Service authentication by security role

    I defined a web service with authentication by security role.
    I access the web service via a web dynpro model in EP7.
    The error below appears:
    Exception on execution of web service with WSDL URL 'http://XXX:50000/XXX/Config1?wsdl ' with operation 'XXXXXXXX' in interface 'XXXVi_Document'
    What should I do to solve this problem?

    Hi WU,
    Use this code with your webservice and check the error in the log file. Maybe we will get some more info about this.
    This code will be in the execute method
    Request_XXX reqData = new Request_XXX(dbModel);
    reqData.wdSetInvocationLogEnabled(true);
    in the catch block give this
    logger.traceThrowableT(
         Severity.ERROR,
         wdComponentAPI.getApplication().getDeployableObjectPart().getName(),
         ex);
         //if (logger.beDebug()) {
         logger.fatalT(requestModel.wdGetRequestLog());
         logger.fatalT(requestModel.wdGetResponseLog());
         logger.fatalT(requestModel.associatedModelClassInfo().getModelInfo().toString());
         logger.fatalT(requestModel.toString());
    requestModel is your model and ex is the exception in the catch block.
    Execute the application after this change and check the server log. In case you are not able to find out the problem, send the stack trace.
    regards
    Sumit
