WebStart, custom security policy and debugging

Hi,
Please forgive the long post, it's an obscure problem.
A year ago I implemented a custom instance-centric security policy that uses a database for storing permission data. It has served our needs very well on the server side. Now, however, I need to reuse it in a client application deployed to about 50 users via WebStart (there are more similar applications coming which will take the user base to about 200).
For some reason, the permissions are not being properly evaluated under WebStart. Tracing through my policy code, I can see that calls to imply() return with expected true/false values, however, when the internals of Java's underlying security API aggregate the results, calls to AccessController.checkPermission() don't raise exceptions when and where they are expected to.
This is really a hard problem to debug/trace. When I run the application locally, I have no problems with security checks even if I run it under a security manager (via -D.java.security.manager). Tracing to standard helps to a point and I can see that there is a difference: during the local runs, calls to MyCustomPolicy.implies(Permission, Domain) are made once per every AccessController.checkPermission() call made from the business layer. Under WebStart, there are three calls to MyCustomPolicy.implies() per every call to AccessController.checkPermission(). All three calls seem to come from the same stack frame. All three return 'false', yet AccessController.checkPermission() doesn't raise an exception.
Analyzing stack's state at the point MyCustomPolicy.implies() is being called, I think the answer to my problem may lie in the following code snippet of AccessControlContext.checkPermission(Permission):
        for (int i=0; i< context.length; i++) {
            if (context[i] != null &&  !context[i].implies(perm)) {
                if (debug != null) {
                    debug.println("access denied "+perm);
                }
                if (Debug.isOn("failure")) {
                    Thread.currentThread().dumpStack();
                    final ProtectionDomain pd = context[i];
                    final Debug db = debug;
                    AccessController.doPrivileged (new PrivilegedAction() {
                        public Object run() {
                            db.println("domain that failed "+pd);
                            return null;
                        }
                    });
                }
                throw new AccessControlException("access denied "+perm, perm);
            }
        }
I believe that somehow one of the iterations gets to "return null" line, but at the moment I have no way of verifying this.
I'm finally getting to my question. In order for me to understand what's going on, I need to enable debugging of AccessControlContext. I can do this by setting java.security.debug system property. Again, I have no problem enabling debugging on a local system, but not under WebStart.
Here's what the relevant markup in the .jnlp file looks like:
<resources>
    <j2se version="1.5" max-heap-size="128m" initial-heap-size="32m" java-vm-args="-Djava.security.debug=all">
    </j2se>
    <!-- a bunch of jar declarations -->
    <property name="java.security.auth.login.config" value="jar:swing-app-SNAPSHOT.jar!/jaas_login.properties">
    </property>
    <property name="java.security.debug" value="all">
    </property>
</resources>
This seems to have no effect and no debugging output appears. Any ideas why? Is there anything else I can do to enable debugging of AccessControlContext under WebStart?
I don't expect too many replies to my post (unless 3 sleepless weeks made me miss something really obvious), but if anyone can offer a hit/hit/insightful comment :), that would be great.
Dmitry

Hey
I have just finished such a policy implementation - boy could I have done with your help!
I've never seen the java.security.debug property before - not to say it doesn't exist, but don't confuse system properties and security properties. Try setting it programmatically via Security.setProperty() or the Java Admin console [if you can], or even in the JRE WebStart uses via the java.security file.
When you run it locally with security switched on, do you observe the 3-to-1 behaviour also? I'm not sure if this is important - depends on your answer. As for the checks being performed from the same stack frame, the AC iterates over the protection domains as it checks them; the 3-to-1 behaviour is the result of there being 3 extra frames to check, possibly due to the fact you're executing from JWS [although I'd expect JWS to be considered system code]. If the execution in AC gets to return null; then Debug.isOn("failure") must evaluate to true [...I'd slump in my chair at this point] but there's no way to figure out accurately what the semantics of this is AS THERE'S NO FRICKIN SRC AVAILABLE [...this really annoys me]. The only thing I can suggest for that is to not try and switch debugging on.
I suspect you are using JAAS [hence the dynamic policy need]? I have an idea if you are.
I totally know what you mean about the sleepless nights mate - I'm glad I done it all now, learnt all about security within Java which I knew nothing about 6 months ago.
Warm regards,
D
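
Added example (not from either post, and not JDK source): ProtectionDomain.implies() returns true when either the installed Policy or the domain's own PermissionCollection, assigned by the class loader that defined the class, implies the permission, so a check over three domains can log three `false` results from the policy and still pass. The class names and example.invalid URLs are constructed for illustration; it assumes a Java 5 to 17 runtime, where java.security.Policy and AccessControlContext are functional, and runs without a security manager.

```java
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class DomainVsPolicyDemo {

    /** Hypothetical stand-in for a custom policy: denies everything and counts each query. */
    static class DenyAllPolicy extends Policy {
        int calls;

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            calls++;
            System.out.println("  policy.implies(" + String.valueOf(domain.getCodeSource())
                    + ", " + permission.getName() + ") -> false");
            return false;
        }

        @Override
        public PermissionCollection getPermissions(CodeSource codesource) {
            return new Permissions();
        }

        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            return new Permissions();
        }
    }

    /** Builds a domain the way a class loader does: code source plus the domain's own grants. */
    static ProtectionDomain domain(String jarUrl, Permission... ownPermissions) throws Exception {
        Permissions own = new Permissions();
        for (Permission p : ownPermissions) {
            own.add(p);
        }
        CodeSource cs = new CodeSource(new URL(jarUrl), (Certificate[]) null);
        // Four-argument constructor: this domain also consults the installed Policy.
        return new ProtectionDomain(cs, own, null, null);
    }

    public static void main(String[] args) throws Exception {
        DenyAllPolicy policy = new DenyAllPolicy();
        Policy.setPolicy(policy);

        Permission wanted = new PropertyPermission("user.home", "read");

        // Check 1: three domains in the context, each carrying the permission itself.
        AccessControlContext allGranted = new AccessControlContext(new ProtectionDomain[] {
            domain("http://example.invalid/app.jar", wanted),
            domain("http://example.invalid/lib-a.jar", wanted),
            domain("http://example.invalid/lib-b.jar", wanted)
        });
        policy.calls = 0;
        System.out.println("check 1:");
        allGranted.checkPermission(wanted); // the policy says false three times, no exception
        System.out.println("  passed after " + policy.calls + " policy denials");

        // Check 2: one domain has no grants of its own, so the policy's answer decides.
        AccessControlContext oneBare = new AccessControlContext(new ProtectionDomain[] {
            domain("http://example.invalid/app.jar", wanted),
            domain("http://example.invalid/untrusted.jar")
        });
        System.out.println("check 2:");
        try {
            oneBare.checkPermission(wanted);
            System.out.println("  passed");
        } catch (AccessControlException e) {
            System.out.println("  " + e.getMessage());
        }
    }
}
```

Printing each domain's own `getPermissions()` next to the policy result is a quick way to see which of the two sources satisfied a check when `java.security.debug` output is not available.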

Similar Messages

  • GRC 10.1 custom security policy

    On GRC Java system, I am not able to create custom security policy under UME->Configuration->Security Policy. I am able to create on all other systems except GRC and NWDI system   I it related to support pack level or facility is not available on these releases
    Thanks Shankar

    Shailendra:
    Might be because there is no Java stack.  AC and PC now run on the ABAP stack and I think SAP recommends not using dual stack.  The only Java stack in the GRC 10.0 landscape that I'm aware of is for ADS.
    Thanks.
    Matt

  • Difficulties loading custom security Policy object.....

    I just finished reading the white paper entitled "When java.policy Just Isn't Good Enough" and I found a lot of good information for creating my own extension of java.security.Policy. I'm having a difficult time figuring out how to (best) load the policy, and I'll explain why, but first I'd like to make sure that I'm extending the Policy class correctly. Don't worry, I'll be as brief as possible. My class looks something like this with a few more permissions than what I've included here (for brevity):

    import java.security.CodeSource;
    import java.security.PermissionCollection;
    import java.security.Permissions;
    import java.security.Policy;
    import java.util.PropertyPermission;

    public class MyPolicy extends Policy {
        private static MyPolicy INSTANCE = new MyPolicy();
        private PermissionCollection perms = new Permissions();

        private MyPolicy() {
            constructPerms();
        }

        public static MyPolicy getInstance() {
            return INSTANCE;
        }

        // Returns the same fixed permission set for every code source.
        public PermissionCollection getPermissions(CodeSource arg0) {
            return perms;
        }

        public void refresh() {
            // permissions won't change, so nothing necessary here!
        }

        public void constructPerms() {
            // I'm adding other permissions, but here are a few basic ones just for the idea:
            perms.add(new PropertyPermission("java.version", "read"));
            perms.add(new PropertyPermission("java.vendor", "read"));
            perms.add(new PropertyPermission("java.vendor.url", "read"));
        }
    }

    I have this class in a package that will reside inside of a jar on the target machine. The jar will be wrapped in an executable, and we'll be distributing a JRE directory that will reside in the same (installation) directory as the executable. I'm not sure how to specify this as my Policy implementation on startup of the JVM. For security reasons, I want to rely as little as possible on security stuff outside of my exe-wrapped-jarfile. I can pass whatever parameters I want to the JVM, including -Xbootclasspath, but I'm not sure what I need to get things working this way.
    I tried another approach. I don't really like it, but I just wanted to try it this way to test my Policy implementation. I edited my java.policy file to look like this:

    grant {
        // Custom permissions to allow app to load
        // and then set MyPolicy as Policy object:
        permission java.security.SecurityPermission "getPolicy";
        permission java.security.SecurityPermission "setPolicy";
        permission java.util.PropertyPermission "stuff.*", "read,write";
    };

    And then in my main() method, I loaded it like this:

    Policy myPolicy = MyPolicy.getInstance();
    Policy.setPolicy(myPolicy);

    But that doesn't seem to work because I'm getting an AccessControlException: access denied (java.awt.AWTPermission replaceKeyboardFocusManager)
    Even though I have this permission in my implementation:

    perms.add(new AWTPermission("replaceKeyboardFocusManager"));

    Do you have any ideas what I'm doing wrong, or how I could fix them? Any information would be greatly appreciated. Thanks in advance!
    Steve


  • Accessing Custom Security Realm and NotOwnerException.

    I have installed the RDBMS example security realm, which appears to work fine. However when I attempt to access this realm from a Servlet via Realm.getRealm("name") I get an NotOwnerException being thrown.
    Ideas ?
    regards,
    Jeff.

    We did something similar in a past project, and it turned out to be more of a mess than
    it was worth it (not only the "chicken-egg" dilemma with system, guest, administrator
    users, etc., but also with various lookup and threading issues.) We ended up ripping
    out the code and writing a new one which does not use an EJB.
    EJB are supposed to be written in terms of container services (which security being one
    of the services the container provides) but in this scenario you'd be writing one of the
    container services in terms of EJBs, so it "breaks" the proper layering.
    In our case, we wanted to "encapsulate" our security code from Weblogic's proprietary
    realm mechanism, at the end we still achieved without having to create a session bean
    (sometimes regular Java classes work just fine) :-)
    regards,
    -Ade
    "watscheck" <[email protected]> wrote in message news:[email protected]..
    >
    Hi,
    I want to use a sessionEJB as my security store for the custom security realm in
    weblogic server 6.1.
    Has anyone experience with that?
    First i have to pass all filerealm users through my custom realm (csr) because
    it is not possible to authenticate the system and guest users before the sessionEJB
    itself is loaded.
    OK, but my problem is the authentication of the csr at the sessionEJB, which is
    itself secured by method-permission in it's assemblydesciptor. So i have to get
    an initialcontext with an authorized user for the sessionEJB an invoke all protected
    methods with this principal.
    But Bea WLS has a problem with propagating this user back to the actual application.
    Is there a way that the application (web-app and ejbs) is not affected by the
    authentification of the csr at the sessionEJB (security store)?
    And is it right that the new initialcontext in the csr always overrides the bea
    context and with that the servlet request of the web-app?
    thanks in advance
    watscheck

  • Invoke a business service base in a WSDL with customer WS-Security Policy

    Customer write a Web service (Refer to the attachment file “HTTPS_PartyServicePortType.WSDL”)which declare a WS-Security Policy and apply this it to WS binding ,How can I generate a business service base in this WSDL and invoke it successfully?
    When create a business service in OSB, we get a error with below messages
    [[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy. For the Business Service, either you can add the necessary client policies manually by clicking Add button or you can let Oracle Service Bus automatically pick and add compatible client policies by clicking Add Compatible button.
    After enhanced the OSB domain with OWSM extension, we found the OOTB OWSM defined cannot support the HttpsToken and OSB cannot support below WS-Policy defined in OWSM, refer to http://docs.oracle.com/cd/E21764_01/doc.1111/e15866/owsm.htm#OSBDV1681
    51.2.8.1 Unsupported Assertion
    •     binding-permission-authorization
    •     http-security
    •     OptimizedMimeSerialization (MTOM)
    •     RMAssertion (Reliable Messaging)
    •     sca-component-authorization
    •     sca-component-permission-authorization
    •     UsingAddressing
    •     wss-saml-token-bearer-over-ssl (Authentication)
    it means that we cannot generate a web service with customer WS-security Policy
    The WS-Security Policy is shown as below:
    <wsp:Policy wsu:Id="WSHttpBinding_IPartyServicePortType_policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <sp:HttpsToken RequireClientCertificate="false"/>
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy><sp:Basic256/></wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
            </wsp:Policy>
          </sp:TransportBinding>
          <wsaw:UsingAddressing/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
    BestRegards!
    Simon

    Hi
    According to
    http://e-docs.bea.com/wls/docs90/webserv/annotations.html#1050414
    If you are going to publish the policy file in the Web Service archive, the policy XML file must be located in either the META-INF/policies or WEB-INF/policies directory of the EJB JAR file (for EJB implemented Web Services) or WAR file (for Java class implemented Web Services), respectively.
    Can you make sure the policy file is in there?
    Also there is a sample from the developer at http://dev2dev.bea.com/blog/jlee/archive/2005/09/how_to_use_anno.html
    Vimala-

  • Create new Security Policy in UME is not available

    Hello,
    We are on NW CE 7.1 EHP1 and MII 12.1.7 build 47.
    I have MII Super Administrator role, few custom roles and I also have Action "Manage_All" and I am able to perform most of the activities on UME but I don't see any option to create new security policies all I can do is modify the Default Security Policy and save it.
    It never shows me an option to create new security policy and I am not sure what roles or actions I am missing.
    1) Are there any roles or actions that my profile needs to have?
    2) Is it something to do with NW CE version or MII version?
    3) Has something gone wrong or have we missed some configuration while installing NW CE or MII?
    Any suggestions will be of great help
    Thanks,
    Adarsh

    Adarsh,
    I am not a NW UME expert, but I know this issue has nothing to do with MII.  Not sure if you have rights but providing the Administrators Group for the UME database should allow you to do this. 
    I would try posting this thread on the NW UME Forum.  Modifying policies in NW has nothing to do with MII. 
    Just to verify what policies are you trying to change, I am assuming they are in NW UME and not MII, is this correct?  If they are in MII can you be more specific.
    Good luck.

  • Option to Create new Security Policy in UME is not available

    Hello,
    We are on NW CE 7.1 EHP1 and MII 12.1.7 build 47.
    I have "Administrator" role, "MII Super Administrator" role, few custom roles and I also ensured that "Administrator" role has Action "Manage_All" and I am able to perform all of the activities on UME except that I don't see any option to create new security policies, all I can do is modify the Default Security Policy and save it.
    It never shows me an option to create new security policy and I am not sure what roles or actions I am missing.
    I need have different security polices for different users based on their roles.
    1) Are there any roles or actions that my profile needs to have?
    2) Is it something to do with NW CE version?
    3) Has something gone wrong or have we missed some configuration while installing NW CE?
    I had posted similar question in MII forum but was recommended to post in NW forums.
    So any suggestions will be of great help
    Thanks,
    Adarsh

    what is Security Policy ?

  • Activating Security Policy at Portal Logon Page

    Hi @ll,
    I'm not able to activate the password security policy check at portal logon page. For this purpose, I have already checked the Enforce Password Security Policy at Logon (System Administration->System Configuration->UME Configuration->Security Policy) and restarted the server too. But it is failed to appear at logon page.
    Please suggest me to resolve this problem.
    Thanks
    Gautam Singh

    Hi Gautam Singh,
    You say you are customizing the portal logon screen. Are you doing a simple modification by just changing UME properties as described in [Logon Screen Customization|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/43/fc3ae22adb025fe10000000a1553f7/frameset.htm] or are you actually changing .par files and creating your own logon application?
    Are you using config tool, the user management configuration Web Dynpro UI, or visual admin  to change the properties?
    Have you assigned the UME actions Logon_Help and Selfregister_User to the Anonymous Users group?
    -Michael

  • How to get domain name in java code/custom security provider

    Hi all,
    I've developed a custom security provider and deployed it in WL_HOME/server/lib/mbeantypes folder. I also have multiple domain created and running in the same machine. now if a user logs in from a specific domain, say, t3://localhost:7005, how do I retrieve the domain name in my custom security provider?
    I found the following code could do it, but this code needs to know the port number in advance
    Hashtable env = new Hashtable();
    env.put(Context.PROVIDER_URL,"t3://localhost:7101");
    env.put(Context.INITIAL_CONTEXT_FACTORY,
    "weblogic.jndi.WLInitialContextFactory");
    env.put(Context.SECURITY_PRINCIPAL,"weblogic");
    env.put(Context.SECURITY_CREDENTIALS,"weblogic1");
    Context ctx = new InitialContext(env);
    MBeanHome home = (MBeanHome)ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
    String domainName = home.getDomainName();
    System.out.println(domainName);
    Any help is greatly appreciated...
    Thanks,
    Philip
    Edited by: VivaCuba on Nov 14, 2010 9:43 AM

    Check out methods in the following classes: LegacyDirectoryLocator and DirectoryLocator.
    Jonathan
    http://jonathanhult.com

  • Migrating SSRS custom security from 2008 R2 to SQL Server 2012

    Hi,
    We have built custom security in SSRS 2008 R2 and now we are migrating it to SSRS 2012. We are facing an issue, it always throws Security exception below and when we are changing web.config file to below line we are getting "500 Internal server error". Tried everything, no luck... can someone please assist here whether we need to rewrite entire custom security code and then migrate it to SSRS 2012 custom security. Any help here much appreciated
    <authentication mode="Forms">
          <forms loginUrl="logon.aspx" name="sqlAuthCookie" timeout="60" path="/"></forms>
        </authentication>   
        <identity impersonate="false" />
    Regards,
    Harish 

    Hi yashmitl,
    In your case, please running the following command to check the current URL reservations on http.sys.
    netsh http show urlacl
    Then, please delete the URL reservation by executing the following command try to resolve the issue.
    netsh http delete urlacl <url>
    There is a similar issue, you can refer to it.
    http://social.technet.microsoft.com/Forums/en-US/d5204dd3-e26d-4592-8ef0-a94005fc46a5/the-url-has-already-been-reserved?forum=sqlreportingservices
    Hope this helps.
    Regards,
    Alisa Tang
    TechNet Community Support

  • Unable to save changes in console for a custom security provider

    I built a custom security provider and dropped it in the mbeantypes folder. This gets picked up by weblogic. I then try to modify the control flags and make it SUFFICIENT. I reboot the server but when i log back in the control flag is reset to OPTIONAL. It not saving the data to the xml file. We are running it on a UNIX box.

    Hi,
    I solved the problem by myself.
    The log area was at 100%, that's why the configtool wasn't able to save my changes.
    Now I changed the backup properties for the log files to AutoLog (in the Backup Wizard) and it works fine.
    Best regards,
    Christian

  • OSB 10.3 and custom signing policy

    Good morning.
    I had several problems receiving signed messages from a customer. We have an active intermediary proxy, with a custom policy based on "Sign.xml" to require signing of message body.
    But our customer is signing using a third-party solution, so our proxy can't validate his message. We are trying to create a custom policy without "bea" namespaces, that is:
    <?xml version="1.0"?>
    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="firma"
      >
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
    </wsp:Policy>
    This policy seems to be ok, but when we try to attach this as a "Custom policy" in the proxy, it is not in the list of custom policies.
    Can't Oracle process non-proprietary policy file?
    Thanks.

    Please refer section "Creating and Using Custom WS-Policy Statements" at -
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html
    Regards,
    Anuj

  • Service level accounts and security policy

    Hello Experts,
    We would like to roll out production environment at a customer. The documentation does not provide very good solution for the scenario when service level accounts are changing.
    Customer's security policy requires all administrative accounts to be named e.g. firstname.lastname@domain. Generic productadmin@domain which are not identifiable can not be used on production servers.
    It is understood that the BPC application server runs using the permissions granted to the user ID which was used during installation (access to the Windows AD, SQL Server &c.)
    If specific domain user is also member of local administrators group, he/she can install the product. However, if this particular account is made redundant and the administrator's role is appointed to another employee, the latter can not access the system with administrative rights.
    Moreover, if the BPC administrator's account is disabled for whatever reasons, the system fails.
    Is there any good suggestions for this kind of scenario?
    Thanks

    Thanks Scott,
    This is what I have suggested but the problem is that the customer's policy does not allow anonymous accounts controlling their production systems, the administrative accounts can only be personal accounts like firstname.lastname@domain.
    It seems that the only solution is to use administrator's personal credentials and in case those change, they need to go through the Ops guide and change everything manually.
    Luckily there is a bit simpler way to do this. Instead of manually changing credentials for every COM+ app as Ops Guide suggests, you can only change three of those:
    OsoftDatabaseADMIN
    OsoftDatabaseSYSADMIN
    OsoftDatabaseUSER
    Then use Service Manager password reset function and it will update all COM+ apps in one go.

  • How to create a custom java client Security Policy File?

    I have a stand-alone java client which invokes a .NET WSE 3.0 enabled web service. The web service SOAP header requires username token to be passed from my java client.
    Could some one kindly provide a sample of a client-side Security Policy File?
    Your help is very much appreciated.
    Mike

    This is still a workaround...
    But if you put checks on all your forms to see if the user has accepted the terms (assumes there is an attribute tracking this) then you can redirect the user to the terms/conditions forms. Still not spoof-proof, but it would be bookmark proof. (and a pain if you have too many forms)

  • [svn] 1053: Basic and custom security-constraint samples were added to the team app mainly for the doc team to have a reference .

    Revision: 1053
    Author: [email protected]
    Date: 2008-04-01 11:35:28 -0700 (Tue, 01 Apr 2008)
    Log Message:
    Basic and custom security-constraint samples were added to the team app mainly for the doc team to have a reference. The custom authentication sample uses the new ChannelSet.login and ChannelSet.logout methods.
    Modified Paths:
    blazeds/branches/3.0.x/apps/team/WEB-INF/flex/remoting-config.xml
    blazeds/branches/3.0.x/apps/team/WEB-INF/flex/services-config.xml
    Added Paths:
    blazeds/branches/3.0.x/apps/team/features/security-constraints/
    blazeds/branches/3.0.x/apps/team/features/security-constraints/README.txt
    blazeds/branches/3.0.x/apps/team/features/security-constraints/securityConstraint_Basic.mxml
    blazeds/branches/3.0.x/apps/team/features/security-constraints/securityConstraint_Custom.mxml
    Removed Paths:
    blazeds/branches/3.0.x/apps/team/features/remoting/remoting_AMF_SecurityConstraint_Basic.mxml

    Congrats to Carmelo!
     Windows Phone and Windows Store Apps Technical Guru - February 2015  
    Carmelo La Monica
    Windows Phone 8: control Nokia Maps (Part 3)
    JH: "Part 3 of the series how to work with the Nokia maps control. As the previous articles this one contains a lot of code snippets and some pictures. Good work!"
    Ed Price: "A great topic, a fantastic breakdown of sections with clear descriptions, and a nice mix of code formatting and helpful images! Another stellar article from Carmelo! Great job including the link back at the end to the portal article!"
    Ed Price, Azure & Power BI Customer Program Manager (Blog,
    Small Basic,
    Wiki Ninjas,
    Wiki)
    Answer an interesting question?
    Create a wiki article about it!
