Web.xml security

Let's say that I have 2 main groups, group USER and group ADMIN.
Now let's say that I have 3 other groups, groups A, B, and C.
The structure in OCS would look something like this.
group USER has members group A, group B, group C and group ADMIN
group ADMIN has members that are just users, no groups
From our application, to perform an isUserInRole(group B), would group B have to appear in the web.xml file, or should I only have to have group USER in the web.xml file?

Hi,
the web.xml file contains all groups that you reference in URL constraints in the web.xml or call via isUserInRole(). Note that you can also use different names in isUserInRole(), but then you need to use the role-ref element to map them to a role that exists in web.xml.
Note that J2EE doesn't support RBAC in the web.xml, which means that there is no role that is a member of a role. OC4J supports this from the security provider site, but still this isn't the case for J2EE itself.
Frank

Similar Messages

  • Web.xml - security constraint question

    I want to make a kind of inverted security constraint. I want to ALLOW access to one specific page over HTTP. All other pages should be HTTPS.
    Is that possible???


  • Help! web.xml security without using WAR files

    I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having a lot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks.

    The RDBMSRealm is just the authentication mechanism underneath WLS, versus the
    web.xml of the WebApplication, which describes all the access control for that WebApp,
    the latter being scoped only to that WebApp.
    You don't need to deploy in a WAR file; you can expand the archive into an identical
    directory structure and then just point us towards the top level of that structure.
    See: http://www.weblogic.com/docs51/classdocs/webappguide.html
    .paul

  • Web.xml: security-constraint [un]usable in JSF?

    <security-constraint> in web.xml is a simple, effective and portable method of declaring a web application's security policies.
    It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has its limitations in the context of JSF.
    A reasonable solution would be to consult <security-constraint> elements in one's own web.xml when rendering <h:commandLink>'s on a page according to the security policy.
    Unfortunately, there is no standard method of reading web.xml, other than what's available from the ServletContext.
    I found some container-specific implementations in the Cargo project from the http://cargo.codehaus.org,
    but I'm looking for a portable solution. Any thoughts?
    Thanks, y'all!

    Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
    Bean code:
    this.isAdmin = context.getExternalContext().isUserInRole("admin");
    web.xml:
    <security-role>
        <role-name>Local Admin Group</role-name>
    </security-role>
    <security-role>
        <role-name>DBA Group</role-name>
    </security-role>
    <!-- Faces Servlet -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <security-role-ref>
            <role-name>admin</role-name>
            <role-link>DBA Group</role-link>
        </security-role-ref>
        <security-role-ref>
            <role-name>admin</role-name>
            <role-link>Local Admin Group</role-link>
        </security-role-ref>
    </servlet>

  • Web.xml security configuration (struts)

    Hi all
    I want to restrict the access for the following URL:
    http://localhost:8080/InventoryManager/Usermanagement/addUser.do?methodToCall=addInvUser
    But if I define it like that in web.xml it doesn't work:
    <security-constraint>
        <display-name>User</display-name>
        <web-resource-collection>
            <web-resource-name>user creation</web-resource-name>
            <url-pattern>/Usermanagement/addUser.do?methodToCall=addInvUser*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>create_user</role-name>
        </auth-constraint>
    </security-constraint>
    All other restrictions I created so far are working, but mostly this is restricted for a URL and not a struts action like above.
    Could somebody tell me how I can restrict the access to the method addInvUser or the action mapping addUser.do?
    Thanks
    Angela

    Perhaps it's not possible (to use HTTP params) as a restricted URL.
    But you can always check the user role programmatically.
    best regards,
    Maris Orbidans
    SCJP SCWCD SCBCD

  • Web.xml security-constraint order matters?

    After a long and frustrating debugging session I've just discovered that the order in which <security-constraint>
    entries are added to the web.xml file matters to OC4J.
    That is, if a more lax rule is matched first, the rest
    (even though they might be more precise or even an
    exact match) won't be applied.
    Is this normal behaviour?
    EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
    <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected</web-resource-name>
          <url-pattern>/admin*.uix</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>DSMSuperUser</role-name>
        </auth-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Secure</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>DSMUser</role-name>
        </auth-constraint>
      </security-constraint>

    Here is an excerpt from the servlet spec stating the proper behavior:
    The container matches URL patterns defined in security constraints
    using the same algorithm described in this specification for matching client
    requests to servlets and static resources as described in SRV.11.1
    SRV.11.1 Use of URL Paths
    Upon receipt of a client request, the web container determines the web application
    to which to forward it. The web application selected must have the longest
    context path that matches the start of the request URL. The matched part of the URL
    is the context path when mapping to servlets.
    The web container next must locate the servlet to process the request using the
    path mapping procedure described below:
    The path used for mapping to a servlet is the request URL from the request
    object minus the context path. The URL path mapping rules below are used in
    order. The first successful match is used with no further matches attempted:
    1. The container will try to find an exact match of the path of the request to the
    path of the servlet. A successful match selects the servlet.
    2. The container will recursively try to match the longest path-prefix: This is done
    by stepping down the path tree a directory at a time, using the ’/’ character as
    a path separator. The longest match determines the servlet selected.
    3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet
    container will try to match a servlet that handles requests for the extension.
    An extension is defined as the part of the last segment after the last ’.’ character.
    4. If neither of the previous three rules result in a servlet match, the container will
    attempt to serve content appropriate for the resource requested. If a "default"
    servlet is defined for the application, it will be used.
    The container must use case-sensitive string comparisons for matching.
    So this is STILL an issue w/ 10.1.2.0.2...
    EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>oemAdmin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>OEM_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>allOem</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>OEM_USER</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    If I don't find a SR for this issue I'll open one b/c this is not acceptable.
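
The matching rules quoted from the servlet spec above, as an added Python example (not code from the thread or from any container): it picks the constraint for a request path by exact, longest-prefix, then extension match, so the result does not depend on the order of the entries, and it flags patterns such as the Struts one earlier on this page that these rules treat as literal paths. The sample descriptor is constructed from the patterns quoted in the threads, the function names are assumptions of this example, and real containers may deviate from these rules, as the posters report for OC4J.

```python
import xml.etree.ElementTree as ET

# Constructed sample: patterns and role names are the ones quoted in the
# threads above, with the catch-all constraint deliberately listed first.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>allOem</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>OEM_USER</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>oemAdmin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>OEM_ADMIN</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user creation</web-resource-name>
      <url-pattern>/Usermanagement/addUser.do?methodToCall=addInvUser*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>create_user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def load_constraints(xml_text):
    """Return [(resource name, [url-patterns], [roles])] in document order."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # ignore XML namespaces
    out = []
    wrc = "web-resource-collection/"
    for sc in root.iter("security-constraint"):
        name = (sc.findtext(wrc + "web-resource-name") or "").strip()
        patterns = [(e.text or "").strip() for e in sc.findall(wrc + "url-pattern")]
        roles = [(e.text or "").strip() for e in sc.findall("auth-constraint/role-name")]
        out.append((name, patterns, roles))
    return out


def pattern_kind(pattern):
    """Classify a url-pattern by the four mapping rules of the spec excerpt."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # everything else is compared as a literal path


def match_rank(pattern, path):
    """Return a sortable rank if pattern matches path (higher wins), else None."""
    kind = pattern_kind(pattern)
    if kind == "exact":
        return (3, len(pattern)) if path == pattern else None
    if kind == "prefix":
        base = pattern[:-2]
        if path == base or path.startswith(base + "/"):
            return (2, len(base))  # longer prefix beats shorter prefix
        return None
    if kind == "extension":
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.rsplit(".", 1)[-1] == pattern[2:]:
            return (1, 0)
        return None
    return (0, 0)  # "/" matches anything as the last resort


def required_roles(constraints, path):
    """Sorted roles of the best-matching pattern, or None if nothing matches."""
    best, roles = None, set()
    for _name, patterns, constraint_roles in constraints:
        for pattern in patterns:
            rank = match_rank(pattern, path)
            if rank is None:
                continue
            if best is None or rank > best:
                best, roles = rank, set(constraint_roles)
            elif rank == best:
                # Equal rank means the same pattern in two constraints; the
                # union is this example's assumption, not part of the excerpt.
                roles |= set(constraint_roles)
    return None if best is None else sorted(roles)


def lint_patterns(constraints):
    """Patterns with '*' or '?' that the rules above treat as literal paths."""
    return [(name, p) for name, patterns, _ in constraints for p in patterns
            if pattern_kind(p) == "exact" and ("*" in p or "?" in p)]


if __name__ == "__main__":
    cs = load_constraints(WEB_XML)
    for path in ("/admin/users.uix", "/index.jsp", "/Usermanagement/addUser.do"):
        print(path, "->", required_roles(cs, path))
    print("literal patterns:", lint_patterns(cs))
```

The request path passed to `required_roles` is the path after the context path, without the query string, which is why a pattern containing `?methodToCall=...` can never equal it.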

  • Web.xml security-constraint

    Hi,
    Anybody has any idea about this one:
    In web.xml I have:
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>members</web-resource-name>
                   <url-pattern>/members/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>REGISTERED_USERS</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>SSL is required</description>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
    When using the above one, every time I click any link in /members, WebLogic
    first treats the user as guest at the beginning, then changes to the real logged-in
    user.
    After I changed it to :
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>members</web-resource-name>
                   <url-pattern>/members/</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>REGISTERED_USERS</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>SSL is required</description>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
    I click the links in /members, and WebLogic treats the user as the real logged-in
    user.
    Any idea what the * means, or any clue where this difference is mentioned
    in WebLogic's or Sun's documentation?
    BTW: I am using weblogic 5.1 with sp11.
    Thx,
    dliu

    Hi,
    Please provide a "WEB-INF/weblogic.xml" file as well like following:
    *"weblogic.xml"*
    <?xml version='1.0' encoding='UTF-8'?>
    <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <security-role-assignment>
    <role-name>BMOUser</role-name>
    <principal-name>BMOUser</principal-name>
    </security-role-assignment>
    </weblogic-web-app>
    Thanks
    Jay SenSharma
    http://weblogic-wonders.com (WebLogic Wonders Are here)

  • Web.xml Security LoginPage / LoginTF does not work

    Hi Guys,
    In JDev 11.1.1.5, using the WebCenter extension we get some strange behaviour I cannot explain.
    I have a feeling I am missing some small step, but I cannot see what step, so I thought to ask :).
    Here are the steps we took:
    We use:
    - JDeveloper 11.1.1.5
    - WebCenter extension
    Steps we took, within a WebCenter Portal application:
    1. Create an index.html which is the default start point of the application.
    2. index.html redirects to faces/pages_home.
    3. In pages.xml our home is a landingPage.
    4. This landingPage is configured for authenticated-role only in pages.xml.
    5. Configure a custom login-TF with .jspx loginPage on it.
    6. In the web.xml on the security tab, we configure Form-Based Authentication with our custom login-TF as Login Page.
    7. In the jazn-data.xml we configure this TF and grant the anonymous-role.
    8. Run the application, we get a 404.
    I would expect the following:
    1. Application tries to reach the home page.
    2. The home page is only available for authenticated users.
    3. The login mechanism (from the web.xml) starts to work.
    4. The TF/page configured in the web.xml gets launched.
    Somehow, as said, we get a 404 instead of our loginTF/Page.
    In a JDeveloper 11.1.1.2 application, this seems to work fine with the same configuration, but now in 11.1.1.5 we get a 404 error.
    Did we miss a configuration / overlook some setting?
    Why does this not work?
    If anybody has any tips on where to look or what to do, this would be helpful :)
    I have a test case in which I can reproduce this problem, both within a WCP application and in a pure ADF application.
    I can provide this if anyone is interested :)
    Regards,
    Richard Olrichs

    Hmmm, apparently you have to put “/faces/adf.task-flow?adf.tfId=login-TF&amp;adf.tfDoc=/” in front of the TF, which results in the following web.xml tag:
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/faces/adf.task-flow?adf.tfId=login-TF&amp;adf.tfDoc=/WEB-INF/login-TF.xml</form-login-page>
    <form-error-page>/WEB-INF/error.html</form-error-page>
    </form-login-config>
    </login-config>
    I don't know why, but now it redirects correctly to our custom login-TF.
    Can someone explain this behaviour?
    Anyhow, help is not needed anymore :P
    Cheers,
    Richard
    Edited by: Richard Olrichs on Feb 21, 2012 8:41 AM

  • Security constraint in Oracle 10.1.2 - Web.xml

    hi,
    I can access my URL in both http and https .
    1) http://myURL.com
    2) https://myURL.com:4444
    But I want this logic to be contained in Web.xml, where only for some resources I need to use https. I put the following in Web.xml, but it is not working. As soon as I hit welcome.jsp, IE tries to download the page to my hard drive (???).
    following is code in web.xml
    ========
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>
    test
    </web-resource-name>
    <url-pattern>/Welcome.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    ====
    what is wrong with this code ?
    PLUS I cannot access the site as https://myURL.com without the port number. I always have to append 4444. Is there any way to automatically add the port?
    Thanks
    Message was edited by:
    user526264

    Hi,
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    doesn't redirect to SSL but shows an http error if access is not with SSL
    Frank

  • Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constraints

    Hello,
    I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into Eclipse, where they compile. A bean I made can call SampleCallbackHandler like such:
    mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identify that it is authenticating me (I see in stdout logs that it shows success or failures). The problem I have is I do not know how to apply this to WebLogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
    <security-role>
         <role-name>Admins</role-name>
    </security-role>
    <login-config>
         <auth-method>FORM</auth-method>
         <realm-name>default</realm-name>
         <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/badlogin.html</form-error-page>
         </form-login-config>
    </login-config>
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>empower</web-resource-name>
              <description>These pages are only accessible by authorized users.</description>
              <url-pattern>/admin/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
    <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>Administrators</role-name>
    </auth-constraint>
         <user-data-constraint>
         <description>This is how the user data must be transmitted</description>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    My weblogic.xml has:
    <?xml version="1.0" encoding="UTF-8"?>
    <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
    <wls:security-role-assignment>
    <wls:role-name>Admins</wls:role-name>
    <wls:principal-name>Administrators</wls:principal-name>
    <wls:principal-name>dashap</wls:principal-name>
    </wls:security-role-assignment>
    </wls:weblogic-web-app>
    With this set up, if I try to go to a page in the /admin folder in my application, it correctly pops up the login page. The JAAS in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With JAAS, can I not use the web.xml FORM security option? Do I need to use j_security in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use the j_username/j_password things if I am using JAAS? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use JAAS with the security features without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

    Hi John,
    I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
    I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
    Ideally, the flow is something like:
    - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
    - user presses a link or button that takes him/her to a protected resource
    - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
    - the application can access the subject and principals
    - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
    The authentication method is client certificate. Presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
    I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
    If you have more ideas to share - I would love to hear them.
    best regards,
    Lucas
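
A static check for the role wiring discussed in these threads, as an added Python example that is not code from any poster or vendor: it lists `auth-constraint` and `role-link` names that no `security-role` declares (the descriptor in the question above declares `Admins` but constrains on `Administrators`), `security-role-ref` names repeated within one servlet, and constraints that list `http-method` elements and therefore cover only those methods. The sample descriptor is constructed, and `audit` and `resolve_role` are names assumed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: role names follow the WebLogic question above; the
# servlet entry repeats one role-ref name, as in the Faces Servlet answer.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <security-role-ref>
      <role-name>admin</role-name><role-link>Admins</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>admin</role-name><role-link>DBA Group</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>Admins</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>empower</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def parse(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # ignore XML namespaces
    return root


def texts(parent, path):
    """Stripped text of every element found under parent at path."""
    return [(e.text or "").strip() for e in parent.findall(path)]


def audit(xml_text):
    """Return sorted (kind, detail) findings for role and method declarations."""
    root = parse(xml_text)
    declared = set(texts(root, "security-role/role-name"))
    findings = set()
    for sc in root.iter("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        for role in texts(sc, "auth-constraint/role-name"):
            # "*" is the reserved name for "all declared roles".
            if role != "*" and role not in declared:
                findings.add(("undeclared-role", f"{name}: {role}"))
        methods = texts(sc, "web-resource-collection/http-method")
        if methods:
            # Listing methods limits the constraint to them; requests using
            # any other method are not covered by this constraint.
            findings.add(("methods-limited", f"{name}: {','.join(methods)}"))
        for method in methods:
            if method != method.upper():
                # HTTP method names are case-sensitive ("post" is not POST).
                findings.add(("method-case", f"{name}: {method}"))
    for servlet in root.iter("servlet"):
        sname = (servlet.findtext("servlet-name") or "?").strip()
        seen = set()
        for ref in servlet.findall("security-role-ref"):
            ref_name = (ref.findtext("role-name") or "").strip()
            link = (ref.findtext("role-link") or "").strip()
            if ref_name in seen:
                # A reference name maps to one role-link, so a repeated name
                # cannot express "either of these roles".
                findings.add(("duplicate-role-ref", f"{sname}: {ref_name}"))
            seen.add(ref_name)
            if link not in declared:
                findings.add(("undeclared-role-link", f"{sname}: {ref_name} -> {link}"))
    return sorted(findings)


def resolve_role(xml_text, servlet_name, name):
    """Role that isUserInRole(name) is checked against in that servlet, or None."""
    root = parse(xml_text)
    for servlet in root.iter("servlet"):
        if (servlet.findtext("servlet-name") or "").strip() != servlet_name:
            continue
        for ref in servlet.findall("security-role-ref"):
            if (ref.findtext("role-name") or "").strip() == name:
                return (ref.findtext("role-link") or "").strip()
    # Without a matching role-ref the name itself must be a declared role.
    declared = set(texts(root, "security-role/role-name"))
    return name if name in declared else None


if __name__ == "__main__":
    for kind, detail in audit(WEB_XML):
        print(f"{kind:22} {detail}")
    print(resolve_role(WEB_XML, "Faces Servlet", "admin"))
```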

  • Web.xml, struts and ssl

    Hi there,
    on our projects web pages we use struts, to combine the html of our pages with the java code behind. To enable SSL I added a security constraint to the web.xml:
         <security-constraint>
              <display-name>SSL Constraint</display-name>
              <web-resource-collection>
                   <web-resource-name>secured login resource</web-resource-name>
                   <description></description>
                   <url-pattern>/index.html</url-pattern>
                   <url-pattern>*.do</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>PUT</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description></description>
                   <role-name>authenticatedUser</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    Some of our web pages need to use no SSL. So I added (for first testing) a second security constraint to the web.xml and defined which pages should be without SSL:
         <security-constraint>
              <display-name>No-SSL Constraint</display-name>
              <web-resource-collection>
                   <web-resource-name>businesstransaction resource</web-resource-name>
                   <description></description>
                   <url-pattern>*.go</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>PUT</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description></description>
                   <role-name>authenticatedUser</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    As you can see, I exchanged *.do with *.go for testing. I simply defined all actions I want to be used without SSL with a .go instead of a .do in the struts.config.
    In principle it works, but there is a problem: The default behaviour for struts seems to be that the name of the new action is posted in the url at the end of the standard starting url.
    Our url starts with https://localhost:9443/client-web/, and whatever action I start, this url text in the browser window never changes, regardless of whether the next action would be protected or not.
    First I thought my url pattern would be wrong, or the user or whatever. But then I found out that when changing the url in the browser window by hand to http://localhost:9080/client-web/ it works. The web page then is without SSL active. And when I manually change the url while viewing a page that is meant to be SSL protected, the browser automatically changes to the SSL address.
    But then again, moving to a page without SSL does not force the browser to change its address to the no-SSL string. So again, SSL is active though a non-secure access would be allowed.
    Anybody has any idea how to change this default behaviour? It would be important to not only tell the server that non secure would be ok, but to actually USE non secure connection automatically.
    The internet explorer is not able to upload files in SSL mode (though any other browser is able to), and our customer insists on using IE. And to tell the users "oh, just edit the line there in the window manually and reload the page will help ... or use Firefox" will not be a suitable solution.
    Regards, Rommie.

    There is a plugin called sslext which will do most of what you need.
    http://sslext.sourceforge.net/
    I think the last time I used it I made some changes to the plugin source so that I could force non-SSL to be the default behaviour unless SSL was explicitly stated in struts.config, but can't remember for sure. Bottom line is it will do most of what you need and can probably be modified to do the rest without too much trouble.

  • J_security_check and web.xml

    Hi,
    I've set up a web application with form authentication
    Here's part of my web.xml:
    <security-role>
       <description>user</description>
       <role-name>user</role-name>
    </security-role>
      <!-- Login Authentication -->
      <security-constraint>
        <display-name>Secure User Pages</display-name>
        <web-resource-collection>
          <web-resource-name>SecureUserPages</web-resource-name>
          <url-pattern>/jsp/welcome.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
             <description>user</description>
             <role-name>user</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/jsp/login.jsp</form-login-page>
          <form-error-page>/jsp/loginError.jsp</form-error-page>
        </form-login-config>
      </login-config>
    When I request welcome.jsp, I'm taken to login.jsp.
    If I enter an incorrect login/password combo, the contents of loginError.jsp show up, but the url says http://hostname:port/appname/jsp/j_security_check
    How can I make it so that the url does not show 'j_security_check', but 'loginError.jsp'?
    Second, if I enter a correct login/password combo, I am not taken to the page I requested - I stay on the login page, but the information in the form fields gets wiped out. According to my logs, it says that I logged in correctly.
    Can someone shed some light on one or both of these issues?
    Thanks in advance,
    C

    To answer you,
    1. j_security_check servlet forwards the request to loginError.jsp on login failure. Hence you don't see any change in URL at the address bar. Use redirect at your application level to see the change in URL at the address bar.
    If you want to attain some more flexibility at the login level, probably JAAS can help you out.
    2. _"Second, if I enter a correct login/password combo, I am not taken to the page I requested - I stay on the login page, but the information in the form fields gets wiped out. According to my logs, it says that I logged in correctly"_
    If you're really sure about the correctness of your log, I think you have directly invoked login.jsp from your browser and then you must have entered a valid username/password. Maybe this is the reason you get to see login.jsp again on successful login.
    The solution would be to directly invoke welcome.jsp from the browser. Provide a valid username and password and then see whether you really get to see welcome.jsp or not.

  • Web Service Security with SAML - Invalid XML signature

    Hello together,
    we want to build a scenario where we want to use Web Service Security with SAML.
    The scenario will be
    WS Client (Java Application) -> WS Adapter -> Integration Engine -> WS Adapter -> CRM (Web AS ABAP 7.01 SP 3)
    SAP PI release is 7.11 (SP Level 4)
    We want to use the SAML authentication from WS Client to PI and from PI to Web AS ABAP.
    The SAML authentication between the WS Client and PI works when there is no SAML auth between PI and CRM.
    But we get the following error when calling the CRM system when we want to communicate with SAML:
      <E_TEXT>CX_WS_SECURITY_FAULT:Invalid XML signature</E_TEXT>
    Does somebody have an idea of the possible reason for the error?
    Thanks in advance
    Stefan

    Error Messages in the Trace/Log Viewer:
    CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
    A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48  with internal error id 1001  and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1  ).
    Invalid XML signature

  • Need api for changing security role in web.xml !!

    My requirement is to change the value of the deployment descriptor "security-role" (in web.xml) through an API and in turn to persist the new value in web.xml. Also I need to know if this change is automatically redeployed or an explicit redeployment is needed? In that case how do I redeploy using an API call?
    I found a lot of APIs related to roles like createRole, removeRole etc. But there are no APIs to change the name of the role and in turn persist it in web.xml.
    Do I need to provide any more information ? Let me know
    Thanks,
    Karthick

    Why and when do you change security-role? Try to use an Ant task (perhaps you need XPath also). It's better when you perform tasks about the life cycle of the application.
    Please describe your problem.
    Of course, if you change web.xml you must restart the application.

  • Error creating acl for (resource). I get this error when entering security info in web.xml.

    We're using iWS 6.0. Is there some security configuration that needs to be done in order to use standard security directives in our web application's web.xml?
    Thanks!

    Hi ,
    I have tried adding the following into web.xml but the security feature just doesn't work and the user can go to any page without any restriction.
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Declarative Security Test</web-resource-name>
    <url-pattern>/SuperServlet</url-pattern>
    <url-pattern>/*</url-pattern>
    <http-method>post</http-method>
    <http-method>get</http-method>
    </web-resource-collection>
    <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
    <auth-constraint>
    <role-name>guest</role-name>
    <role-name>member</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>guest</role-name>
    <role-name>member</role-name>
    </security-role>
    The roles mentioned above have been added correctly into tomcat-users.xml. The version of Tomcat I am using is tomcat5.0.28. Please help.
