Weblogic security & EJB role based access

Similar Messages

• Role Based Access Control in Java

  Hi,
  we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
  I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl and I wondering how will the package work together with RBAC pattern (Or is the pattern already implemented in some package)?
  Does any1 have any comments on this? Thnx
  Dave

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• Role Based Access problem in forms

  This would be a long reading.
  I'm having a problem with forms Role Based Access.
  We have two databases, one in London and one in Zurich. We have installed
  application server and oracle forms on London database. We have implemented
  Role Based Access to forms. For this we have created a database role (say ZUR_USER)
  in both databases. The view FRM50_ENABLED_ROLES which is used by forms role based access control
  is also created in both databases with a 'grant select to public'.
  Our form system has a menu and forms under that menu. Both menu and the underlying forms have been
  assigned Menu Security/Item Roles to the above mentioned ZUR_USER role and the role is assigned
  to various users.
  Now a Zurich user is trying to login to Zurich database using the URL for forms installation
  in London server. He can login successfully and can see the menu heading in the main screen but
  when he clicks the menu he doesn't see the underlying forms list.
  When we try the same user id and database from London (using the same URL) we see all the forms.
  Any idea what are we missing. The Menu Security is setup at menu level as well as the form level under
  that menu. User can see the menu but not the form under that menu from Zurich. No such problem while
  login from London.

  I'm using the Forms 10g
  and yes the only difference is between login from Zurich and London.
  Problem definitely is due to Role Based Access setup.
  The user in Zurich can see the Menu but not the items under that menu.
  I have set the security set up at both menu and menu item(i.e. form name) level.

• ADF UIX Role Based Access Control Implementation

  Hi,
  Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
  The application users can be dymanically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way.
  Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
  Thanks a lot.
  Sathya

  Brenden,
  I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
  If you modelled your security infrastructure in OID than the database, an administrator would be able to use the Delegated Administration Service (DAS), as web based console in Oracle Application Server. To configure security this way, you would have two options:
  1. Use J2EE declarative security and configure all you .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working dirctly with it because Struts actions have a roles attribute.
  The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
  2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
  The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
  1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
  Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
  Two links that you might be interested in to read are:
  http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
  http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but its a good source of information.
  Frank

• Any best practice to apply role based access control?

  Hi,
  I am starting to apply the access permissions for new users as being set by admin. I am choosing Role Based Access Control for this task.
  Can you please share the best practices or any built-in feature in JSF to achieve my goal?
  Regards,
  Faysi

  Hi,
  The macro pattern is my work. I've received a lot of help from forums as this one and from the Java developers community in general and I am very happy to help others and share my work.
  Regarding the architect responsibility of defining the pages according to the roles that have access to them : there is the enterprise.software infrastructure.facade
  java package.
  Here I implemented the Facade GoF software design pattern in the GroupsAndRolesAccessFacade java class. Thus, this is the only class the developer uses in order to define groups and roles of users and to define their access as per page.
  This is according to Java EE 6 tutorial, section VII Security, page 471.
  A group, role or user is created with an Identity Management application or by a custom application.
  Pages of the application and their sections are defined or modified together with the group, role or user who has access to them.
  For this u can use the createActiveGroup and createActiveRole methods of the GroupsAndRolesAccessFacade class.
  I've been in situations where end users very strict about the functionality of the application.
  If you try to abstract web development, u can think of writing to database, reading from database and modifying the database as actions.
  Each of these actions should have suggester, approver and implementor.
  Thus u can't call the createActiveGroup method for example, without calling first the requestActiveGroupCreationHelper and then the approveOrDeclineActiveGroupCreationHelper method.
  After the pages a group has access to have been defined with the createActiveGroup method, a developer can find out the pages and their sections a group has access to by calling the getMinimumInformationAboutGroup method.
  Further more, if the application is very strict, that is if every action which envolves writing to the database must be recorded, this concept of suggester, approver and implementor is available throught the recordActiveGroupAction method.
  For example, there is a web shop, its managers can change the prices of the products, but the boss will want to know who had the dared to lower prices.
  This action of lowering prices, is an action of modifying the information in the database and u can save in the database who suggested it, who approved it and who implemented it.
  Now that I write about the functionality of the macro pattern, I realise that some methods should have more proper names and I haven't had time to write documentation in the API, but this will be a complete when I add the web pages for the architect to use for defining access control and for the end users to view who and what is doing with their application.

• Portal and role based access

  We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
  We are trying to kind of use our portal as a web VPN. Also we wanted to use strong access control.... Are there any ideas other than using SSL VPN's.
  -thanks

  1. You can configure your portal on HTTPS (SSL). That keeps it on secure SSL layer.
  2. Have SSO to distinguish between authenticated_users (logged in users like your employees, partners, etc) and un-authenticated_users (Guest).
  3. Use Groups for translating roles for your users. i.e., Make Groups for your users based on what you called as roles in your message.
  4. Assign access privileges available in portals for pages and portal objects according to your needs to these Groups.
  I dont think VPN will be needed when you are having an extranet-portal (as you hinted internet for guests).
  You can have a darn strong access control using this mechanism.
  hope that helps!
  AMN

• To run OHS at port 80 using solaris role based access control

  Hi.
  I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
  On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
  /etc/user_attr:
  oracle::::type=normal;defaultpriv=basic,net_privaddr
  Change OHS httpd.conf Listen from port 8888 to port 80.
  However, opmnctl startproc process-type=OHS
  failed as below with nothing showing in the diag logs:
  opmnctl startproc: starting opmn managed processes...
  ================================================================================
  opmn id=truffle:6701
  0 of 1 processes started.
  ias-instance id=asinst_1
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ias-component/process-type/process-set:
  ohs1/OHS/OHS/
  Error
  --> Process (index=1,uid=187636255,pid=25563)
  failed to start a managed process after the maximum retry limit
  Thx,
  Ken

  Just to add my two cents here.
  The commando used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
  # usermod -K defaultpriv=basic,*net_privaddr* <your_user_name>
  Restart the opmnctl daemond.
  After that OHS/Apache user can bind to lower TCP ports.
  Regards.
  Edited by: Tuelho on Oct 9, 2012 6:05 AM

• Role Based Access in Struts

  Hi,
  I wanted to know how to include Role Based Access in my Struts application.
  Does Struts provide any mechanism to accomplish it?
  If yes then,how can it be done
  Thanks
  kurt

  Hi Velu,
  Yes, this is exactly what Access Manager (now called OpenSSO, btw) can do.
  In your first use case, you would simply create two policies. The first one would allow only users in the admin group access to the admin application (e.g. https://someserver.example.com/admin/*). The second would allow users in the employee group access to the remaining two applications (e.g. https://someserver.example.com/app1/*, https://someotherserver.example.com/app2/*).
  In your second use case, the policies would be similar - first policy would allow users in the admin group to access https://someserver.example.com/app3/*, second policy would allow users in the employee group to access only https://someserver.example.com/app3/employees/*.
  Cheers,
  Pat

• AAA and Role based access (NPS)

  Hi
  I authenticate all my cisco switches and routers with AAA + NPS + AD
  A server runs NPS service with cisco attribute shell:priv-lvl=15 or 5, depending of AD group.
  But I'd like configure role based with IOS view.
  When I issue the enable view command,  I get
  Password:
  I tried with my AD password, enable configurated password, and always gets
  % Authentication failed
  Mi line vty config
  line vty 0 4
  authorization exec VTY-AAA
  login authentication VTY-AAA
  transport input ssh

  Have you gone through the below listed parser view configuration example. Please check here
  View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
  AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
  In case you still have any issues, run debug parser view and share the output, I'll try to help.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• RBAC (Roles Based Access Control) "Broken" in WCS

  In my opinion, RBAC in WCS is broken. They have taken a good concept and implemented it wrong. The way it is currently working is as follows. Roles are defined in WCS. In ACS (or whatever Radius server you want to use), you have to first set up a new "Service" in the TACACS "Interface" configuration called "Wireless-WCS". All this is good. In WCS you then have to go to the "role" or Group that you want, click on task list and it will give you both a TACACs and Radius output that you have to take and then paste into the "Wireless-WCS" custom attribute box in ACS. An example for "SuperUser" role would be a list like below, note the real list is 48 different "tasks", I shortened it here.
  role0=SuperUsers
  task0=Users and Groups
  task46=Auto Provisioning
  task47=Voice Audit Report
  Here is the problem. Why, if you have the role defined in WCS, do you have to repeat its definition in ACS? Why can't you simply pass the first line ("role0=SuperUsers") and have it use the defined role in WCS? This just seems silly. They changed the role of the "SuperUser" in the new 5.0 code too, which means if you assigned these at the user level, you would have to potentially go update a ton of User accounts in ACS so people would have access to their appropriate roles.
  The last time I complained I was told that the reason for it was "The reason it had to be done that way is b/c WCS is not IOS based and the code dictates that it must be done that way.". Seems like a silly reason for not doing things in a good way...
  Just letting everyone know so they can complain when they come across it. Maybe with enough complaints they'll fix it.. 8-)

  Hi,
  I believe all your questions are answered in "System Administrator's Guide - Security" manual.
  Applications Releases 11i and 12
  http://www.oracle.com/technology/documentation/applications.html
  You may also review this document.
  Note: 753979.1 - E-Business Suite Diagnostics RBAC Basics
  https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=753979.1
  Regards,
  Hussein

• Role Based Access through business roles? Switch b/w business roles?

  Hey Guruz:
  We have a situation where we want to really chop down on what the user should see in UI.
  What this basically means is that we want to define job based business roles. In essence a user should only see what he is allowed to execute as part of his job function.
  One solution would have been to create 1 business role and control everything through the pfcg role. But, this will be a very unfriendly approach, as the user would never really know what is part of job profile and what not till he clicks on it to find out that it doesnt work and is not authorized for it.
  To avoid the above situation, we want to give managers and users the liberty to pick out their own combination of business roles which suits a users job profile. I know this would mean we might have to create quite a few business roles, but atleast it avoids reduntant access.
  Any thoughts are welcome.
  Questions:
  If a user is assigned multiple business roles how to switch without really logging off?
  Can we have tabs or something on the header or nav bar which allows a user to switch b/w business roles?
  Can the net affect of multiple business roles be combined when assigned to a user ?
  Thanks
  KT

  Hi KT
  The whole concept around assigning a Business Roles is to provide a specific set of functions to a specific user or user group.
  There should not be any reason for a User to log off from one role and then log in with another.
  If for example you want a user to have some Sales Professional access as well as some Service Professional access then you would copy Sales Professional Role to you own custom role, remove the Sales Professional attributes that you do not want, then add in the required Service Professional attirbutes required.
  The WEB UI views can then be configured for that particular Custom role you have created.
  Hope this helps
  Arden

• Role Based Access Control and FIM

  Hi,
  Would these statements about RBAC and FIM (not BHOLD) be true:
  RBAC in FIM Sync is essentially governed by the built-in FIM Groups (e.g. FIMSyncAdmins, etc)
  RBAC in FIM Portal is essentially governed by FIM Portal Sets & MPRs
  Thanks,
  SK
  PS. not looking at BHOLD above, just FIM

  This can be true in a narrow sense. If we are just thinking of access to FIM and not on the managed organizational resources.
  FIM Synch:-
  Through FIM Synch groups, we are just controlling the access to FIM Synch service. We are not separating access based on roles(say organizational role).
  For FIM Portal, again it can be true if we are thinking of access to FIM Portal only and not the managed organizational resources.
  Thanks,
  Mann

• SCCM 2012 R2 Role Based Access Control Weird Issue

  Thank you in advance. I have 3 security groups added for remote control operators role. Users within all three groups are available and imported in to the SCCM users collection and verified. users in 1 group works fine without any issue. But users in the
  other 2 groups having trouble where when they try to connect SCCM console using their computers, it fails. Even i tried adding the user directly assigning full administrator role. But still it fails.
  It is weird because it kind of loads the SCCM console administration tab and suddenly shows the error message. the error is a generic error saying verify below things. Any advice would be appreciated.

  To clarify, you have three Active Directory groups, all of which are assigned the remote control operators role in ConfigMgr?
  If they are only remote control operators, what are they using in the administration workspace?
  What does the SmsAdminUI.log show on one of the PCs? Based on what you describe, it is unclear whether this is an RBAC issue or not.
  Jeff

• Setting role based access in JHeadstart app?

  Hi, I need to setup my app that certain pages allow some roles read only access, while other roles also have update access. If every role had the same type of access then it's straight forward just add a comma separated list of all the roles that should have access. Giving different users different types of access is causing problems as I somehow have to specify in a EL expression which roles also have update access - is this possible? Thanks

  Thanks. Yes, but is it possible to do it with hard-coded roles and not use permissions? (Strange I know - its a requirement :) )

• Role based access control

  Hello ,
   Is there a RBAC in Windows 2012 R2?

  My client has a specific requirement like 
  Schema Management
  Management of the Schema
  Forest Configuration Operator
  Management of Functional Levels, domains, trusts, Operations Master roles
  Domain Operator
  DC Installation, Management of FSMO, OU
  Domain Controller Administrator
  Installing Software, Service Packs and hotfixes, Managing Sysvol, Starting up and stopping DCs.
  Security Policy Management
  Management of GPOs
  Service Admin Management
  Management of Service Management Role Membership
  DNS Management
  Installing DNS on DCs, configuring root hints, configuring and maintaining zones
  Replication Management
  Configuration of Replication Topology
  Replication Monitoring
  Monitoring of Replication Status and Performance
  Backup Operator
  Backup and Restore AD
  I wonder if there is such a customization possible in win 2012 !