Without restart/reload - web.xml update security constraints, is it possible

Is there a way to make use of the 9ias/j2ee security framework to add/modify security constraints, change roles and url-patterns etc. in web.xml without having to restart/reload the webapp? Doesn't restart/reload remove existing user sessions from the container?
Any thoughts or code pointers would be appreciated.
-Mohammad Abed

Handlers are java-classes so I would say yes.
Classes (including BC4J View and Entity objects) must
be recompiled and your server should be restarted.
Anything XML-related (including UIX) does not immediately
force you to restart OC4J, although the MVC Framework
descriptor-xml should be reloaded by for instance re-
entering the service you changed. This is where those
home-page services become handy.
Note that setting existing BC4J-attributes to (in)visible
or wider/smaller mostly just changes the BC4J Jheadstart
metadata and generates new UIX, so it doesn't change
anything in the java-classes.

Similar Messages

  • Web.xml - security constraint question

    I want to make a kind of inverted security constraint. I want to ALLOW access to one specific page over HTTP. All other pages should be HTTPS.
    Is that possible???


  • Web.xml security-constraint order matters?

    After a long and frustrating debugging session I've just discovered that the order in which <security-constraint>
    entries are added to the web.xml file matters to OC4J.
    That is, if a more lax rule is matched first the rest
    (even though they might be more precise or even an
    exact match) won't be applied.
    Is this normal behaviour?
    EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/admin*.uix</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>DSMSuperUser</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>DSMUser</role-name>
      </auth-constraint>
    </security-constraint>

    Here is an excerpt from the servlet spec stating the proper behavior:
    The container matches URL patterns defined in security constraints
    using the same algorithm described in this specification for matching client
    requests to servlets and static resources as described in SRV.11.1
    SRV.11.1 Use of URL Paths
    Upon receipt of a client request, the web container determines the web application
    to which to forward it. The web application selected must have the longest
    context path that matches the start of the request URL. The matched part of the URL
    is the context path when mapping to servlets.
    The web container next must locate the servlet to process the request using the
    path mapping procedure described below:
    The path used for mapping to a servlet is the request URL from the request
    object minus the context path. The URL path mapping rules below are used in
    order. The first successful match is used with no further matches attempted:
    1. The container will try to find an exact match of the path of the request to the
    path of the servlet. A successful match selects the servlet.
    2. The container will recursively try to match the longest path-prefix: This is done
    by stepping down the path tree a directory at a time, using the ’/’ character as
    a path separator. The longest match determines the servlet selected.
    3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet
    container will try to match a servlet that handles requests for the extension.
    An extension is defined as the part of the last segment after the last ’.’ character.
    4. If neither of the previous three rules result in a servlet match, the container will
    attempt to serve content appropriate for the resource requested. If a "default"
    servlet is defined for the application, it will be used.
    The container must use case-sensitive string comparisons for matching.
    So this is STILL an issue w/ 10.1.2.0.2...
    EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>oemAdmin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>OEM_ADMIN</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>allOem</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>OEM_USER</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    If I don't find a SR for this issue I'll open one b/c this is not acceptable.
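
The matching rules quoted from SRV.11.1, applied to the two constraints from this thread, as an added example (not code from any poster or from OC4J): it compares best-match selection with a first-match-in-file-order evaluation, which is the behaviour the first post reports. Function names are hypothetical, and constraints with an empty or missing auth-constraint are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the two constraints from the thread, listed
# with the broad /* rule first (the "inverted" order that reportedly fails).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>allOem</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>OEM_USER</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>oemAdmin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>OEM_ADMIN</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def load_constraints(xml_text):
    """Return [(url_pattern, roles)] in document order."""
    pairs = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = frozenset((r.text or "").strip()
                          for r in sc.findall("auth-constraint/role-name"))
        for p in sc.findall("web-resource-collection/url-pattern"):
            pairs.append(((p.text or "").strip(), roles))
    return pairs


def match_rank(pattern, path):
    """Rank of a pattern for a path under SRV.11.1 (higher wins), else None."""
    if pattern == path:
        return (3, len(pattern))                 # rule 1: exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))              # rule 2: longest path-prefix
    if pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.rsplit(".", 1)[1] == pattern[2:]:
            return (1, 0)                        # rule 3: extension
    if pattern == "/":
        return (0, 0)                            # rule 4: default
    return None


def roles_best_match(constraints, path):
    """Roles taken from the best-matching pattern, independent of file order."""
    ranked = [(match_rank(p, path), r) for p, r in constraints]
    ranked = [t for t in ranked if t[0] is not None]
    if not ranked:
        return None                              # no constraint applies
    best = max(rank for rank, _ in ranked)
    # Constraints declared on the same best pattern are combined.
    return frozenset().union(*(r for rank, r in ranked if rank == best))


def roles_first_match(constraints, path):
    """Roles from the first pattern in file order that matches at all."""
    for pattern, roles in constraints:
        if match_rank(pattern, path) is not None:
            return roles
    return None


def order_sensitive_paths(constraints, paths):
    """Paths whose required roles differ between the two evaluations."""
    return [p for p in paths
            if roles_best_match(constraints, p) != roles_first_match(constraints, p)]


if __name__ == "__main__":
    cs = load_constraints(WEB_XML)
    for path in ("/admin/users.uix", "/administrator", "/index.uix"):
        print(path, sorted(roles_best_match(cs, path) or ()),
              sorted(roles_first_match(cs, path) or ()))
```

Running `order_sensitive_paths` over a list of sensitive URLs before deployment shows which of them depend on the order of entries in the file.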

  • Web.xml: security-constraint [un]usable in JSF?

    <security-constraint> in web.xml is a simple, effective and portable method of declaring a web application's security policies.
    It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has its limitations in the context of JSF.
    A reasonable solution would be to consult <security-constraint> elements in one's own web.xml when rendering <h:commandLink>'s on a page according to the security policy.
    Unfortunately, there is no standard method of reading web.xml, other than what's available from the ServletContext.
    I found some container-specific implementations in the Cargo project from http://cargo.codehaus.org,
    but I'm looking for a portable solution. Any thoughts?
    Thanks, y'all!

    Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
    Bean code:
    this.isAdmin = context.getExternalContext().isUserInRole("admin");
    web.xml:
    <security-role>
      <role-name>Local Admin Group</role-name>
    </security-role>
    <security-role>
      <role-name>DBA Group</role-name>
    </security-role>
    <!-- Faces Servlet -->
    <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>DBA Group</role-link>
      </security-role-ref>
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>Local Admin Group</role-link>
      </security-role-ref>
    </servlet>

  • Web.xml security-constraint

    Hi,
    Anybody has any idea about this one:
    In web.xml I have:
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>members</web-resource-name>
                   <url-pattern>/members/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>REGISTERED_USERS</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>SSL is required</description>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
    When using the above one, every time I click any link in /members, weblogic
    first treats the user as guest at the beginning, then changes to the real logged-in
    user.
    After I changed it to :
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>members</web-resource-name>
                   <url-pattern>/members/</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>REGISTERED_USERS</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>SSL is required</description>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
    I click the links in /members, and weblogic treats the user as the real logged-in
    user.
    Any idea what the *'s meaning is, or any clue where this difference is mentioned
    in weblogic or SUN's documentation?
    BTW: I am using weblogic 5.1 with sp11.
    Thx,
    dliu

    Hi,
    Please provide a "WEB-INF/weblogic.xml" file as well like following:
    *"weblogic.xml"*
    <?xml version='1.0' encoding='UTF-8'?>
    <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <security-role-assignment>
    <role-name>BMOUser</role-name>
    <principal-name>BMOUser</principal-name>
    </security-role-assignment>
    </weblogic-web-app>
    Thanks
    Jay SenSharma
    http://weblogic-wonders.com (WebLogic Wonders Are here)

  • Javascript development on Apex - How to show changes on the Javascript on Apex without restarting the web server?

      Hi,
    I am working on a Javascript for Apex. The changes are not reflected and I was told to restart the app server. Is there a better way for Apex to process the changed Javascript? Thanks.

    Hi,
    I assume you store JavaScript to web server folder and browser caches your file.
    Use query string end of file name like
    /my.js?v=0.0.1
    And when you change file, change query string value
    Templates JavaScript help says:
    File reference using a query string in the URL referencing the application version, such that when the application is upgraded
    (and the version is incremented), the browser will be instructed to always load the new file and ignore any previously cached files.
    /myjs/main.js?version=#APP_VERSION#

  • Setting security constraint for web App

    Hi all!
    I am new to BEA and I am trying to set up security constraints for my web application.
    I want the user to be authenticated before he accesses any of the pages in the browser.
    All I did was add the following entries to web.xml
    <security-constraint>
              <web-resource-collection>
                   <web-resource-name>
                        webresources
                   </web-resource-name>
                   <url-pattern>
                   </url-pattern>
              </web-resource-collection>           
              <login-config>          
                   <auth-method>
                   BASIC
                   </auth-method>          
              </login-config>
         </security-constraint>
    But no such thing is happening.
    I know I am doing something wrong but I don't know where exactly I am wrong.
    Please guide me through the sequence of steps regarding what to do to accomplish what I want.
    Thanks and Regards
    Manohar

    I guess you need to set the role that is allowed to log into your application.
    try this in web.xml:
         <security-constraint>
              <display-name>Whatever</display-name>
              <web-resource-collection>
                   <web-resource-name>resource</web-resource-name>
                   <description>Desc</description>
                   <url-pattern>/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description>desc</description>
                   <role-name>MyRole</role-name>
              </auth-constraint>
                   <user-data-constraint>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
         </login-config>
         <security-role>
              <description>desc</description>
              <role-name>MyRole</role-name>
         </security-role>
    and map the role with a group/user in weblogic.xml:
         <security-role-assignment>
              <role-name>MyRole</role-name>
              <principal-name>MyGroupOfUsers</principal-name>
         </security-role-assignment>
    Hope this helps.
    Xavi

  • Is it possible to re-register with WINS without restarting?

    We're switching out our WINS servers, and I would like to register my Netware servers with the new servers without restarting CIFS or the server. Is this possible? The servers are also in DNS, so is it a big deal if they aren't registered in WINS for an extended period?


  • Reload web-inf/web.xml file without restarting tomcat

    Please help me if anyone has a solution.
    I am doing development in JSP and servlets. I am using tomcat5 as a webserver.
    I want to reload web-inf/web.xml file without restarting tomcat.

    From the tomcat admin page you can stop/start and refresh individual applications. See the tomcat documentation. Which, when you have a question about tomcat, you should always do first.

  • Security constraint in Web.xml of tomcat

    Hi
    I have a web-application running on tomcat . Inside the context folder i have several directories having some pre-defined configuration files . But the user is able to directly access them by typing the path including the fileName in the URL ( I have disabled the listings property however)
    How can i prevent accessing the specific files .... I tried using
    <security-constraint>
    <display-name>Security constarint</display-name>
    <web-resource-collection>
    <web-resource-name>Java Application</web-resource-name>
    <url-pattern>/folder/*</url-pattern>
    <auth-constraint>
    <role-name>tomcat</role-name>
    </auth-constraint>
    </web-resource-collection>
    <auth-constraint>
    <role-name>tomcat</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>OnJava Application</realm-name>
    </login-config>
    This seems to be working fine, but when the user enters the wrong security info thrice, the 401 error page comes up; instead I want my custom page. Hence I configured an error page for the 401 code, which overrode the earlier behaviour, i.e. the BASIC authentication popup no longer comes up.
    Can anyone let me know how to go about this?

    Hi ,
    I have tried adding the following into web.xml but the security feature just doesn't work and the user can go to any page without any restriction.
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Declarative Security Test</web-resource-name>
    <url-pattern>/SuperServlet</url-pattern>
    <url-pattern>/*</url-pattern>
    <http-method>post</http-method>
    <http-method>get</http-method>
    </web-resource-collection>
    <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
    <auth-constraint>
    <role-name>guest</role-name>
    <role-name>member</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>guest</role-name>
    <role-name>member</role-name>
    </security-role>
    The roles mentioned above have been added correctly into tomcat-users.xml. The version of tomcat I am using is tomcat5.0.28. Please help.

  • Web service proxy and security constraint

    I've placed a security constraint on my web service and set the login-config auth-method as BASIC. When I run the Workshop test and the (Test View) browser begins to appear I am prompted for my username and password since it is protected --- great, it's working.
    Here's my problem: when I create the Java Proxy and try to access the web service using the proxy in another application I am never prompted for my username and password and thus the request fails. Any way to fix this so I can be prompted using the proxy?
    thanks in advance,
    Steve Touw

    Hi Shay Shmeltzer,
    Thanks for the reply.
    I tried in HTTP Analyzer in JDeveloper and there also it is not working. My concern is :-
    There are many other web services deployed on the same SOA server in same partition and they are working fine in HTTP analyzer and I am able to create and use the web service proxy as well. So as per my understanding there is nothing like network issues between SOA server and jDeveloper.
    1 more thing When I am creating the proxy for this web service and requesting from the proxy's main method SOA is getting proper input (which I am providing in the main method) and SOA is returning proper output I have checked the SOA instance in em. So there is no problem in SOA side. The problem is jDeveloper is not able to get back that response which SOA is returning.
    Please Help.
    -- NavinK

  • Using security-constraint in web.xml; not recognizing url-pattern tag

    I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
    <description>Empty web.xml file for Web Application</description>
    <session-config>
    <session-timeout>35</session-timeout>
    </session-config>
    <mime-mapping>
    <extension>html</extension>
    <mime-type>text/html</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>txt</extension>
    <mime-type>text/plain</mime-type>
    </mime-mapping>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adm_full_access</web-resource-name>
    <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>adm_all</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>usr_access</web-resource-name>
    <url-pattern>readData.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>usr_all</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>usr_all</role-name>
    </security-role>
    <security-role>
    <role-name>adm_all</role-name>
    </security-role>
    </web-app>
    When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
    Thank you.

    I was able to get this to work. By doing the following:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adm_full_access</web-resource-name>
    <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>adm_all</role-name>
    </auth-constraint>
    </security-constraint>
    I was restricting access to all other groups by using <url-pattern>*</url-pattern>. Any other security-constraints set up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraint lists all directories or pages that every user can access. My next security-constraint then lists resources that only my admins (adm_all) can access. Any other security constraints then are set up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint.
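
A small web.xml check for problems that recur in the threads on this page (url-patterns such as `*`, `readData.jsp` or `/services/aaaWebService*`, lower-case `<http-method>` values, elements nested in the wrong parent), added here as an example and not taken from any poster or container. The finding codes and function names are hypothetical. It assumes a namespace-free web.xml like the 2.3 DTD file above and the servlet spec's mapping rules, under which only `/prefix/*`, `*.ext` and `/` are non-literal patterns; individual containers may be more lenient.

```python
import xml.etree.ElementTree as ET

# Constructed fragment collecting patterns and nesting quoted on this page.
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adm_full_access</web-resource-name>
      <url-pattern>*</url-pattern>
      <url-pattern>readData.jsp</url-pattern>
      <url-pattern>/services/aaaWebService*</url-pattern>
      <url-pattern>/members/*</url-pattern>
      <http-method>get</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>adm_all</role-name></auth-constraint>
    <login-config><auth-method>BASIC</auth-method></login-config>
  </security-constraint>
  <security-role><role-name>adm_all</role-name></security-role>
</web-app>"""

# Children the deployment descriptor allows under each element (2.3 DTD).
ALLOWED = {
    "security-constraint": {"display-name", "web-resource-collection",
                            "auth-constraint", "user-data-constraint"},
    "web-resource-collection": {"web-resource-name", "description",
                                "url-pattern", "http-method"},
}


def classify(pattern):
    """Kind of url-pattern under the servlet spec's mapping rules."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*.") and "/" not in pattern:
        return "extension"
    return "exact"          # every other string is compared literally


def lint(xml_text):
    """Return a list of (code, detail) findings for one web.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {(r.text or "").strip() for sr in root.iter("security-role")
                for r in sr.iter("role-name")}
    for sc in root.iter("security-constraint"):
        # Elements placed under the wrong parent are not part of the constraint.
        for parent in [sc, *sc.iter("web-resource-collection")]:
            for child in parent:
                if child.tag not in ALLOWED[parent.tag]:
                    findings.append(
                        ("MISPLACED", f"<{child.tag}> inside <{parent.tag}>"))
        for p in sc.iter("url-pattern"):
            text = (p.text or "").strip()
            if not text:
                findings.append(("EMPTY_PATTERN", "url-pattern has no value"))
            elif classify(text) == "exact":
                if not text.startswith("/"):
                    # Request paths start with '/', so this never matches one.
                    findings.append(("NO_LEADING_SLASH", text))
                elif "*" in text:
                    # '*' is only a wildcard as a '/*' suffix or '*.' prefix.
                    findings.append(("LITERAL_STAR", text))
        methods = [(m.text or "").strip() for m in sc.iter("http-method")]
        if methods:
            # Listing methods leaves every unlisted method outside the constraint.
            findings.append(("METHOD_SUBSET", ",".join(methods)))
            findings += [("METHOD_CASE", m) for m in methods if m != m.upper()]
        ac = sc.find("auth-constraint")
        for r in (ac.iter("role-name") if ac is not None else []):
            name = (r.text or "").strip()
            if name != "*" and name not in declared:
                findings.append(("UNDECLARED_ROLE", name or "<empty>"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SAMPLE):
        print(f"{code:18} {detail}")
```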

  • Reload a jar in weblogic server without restart

    Hi All,
    We are using weblogic version '10.0.1.0' and have 'reports.jar' file in server for reports.
    If we change any existing class file under 'reports.jar' then we are using below steps in order to recognize a modified jar by weblogic
    1) We need to recreate a jar using eclipse in local IDE and
    2) Copy the 'reports.jar' into server
    3) Need to restart server in order to recognize the modified jar
    Is there any alternative solution to reload a jar in weblogic server without restart?
    Please do the needful.
    Thanks & Regards,
    Gangadhar

    Hi,
    If this is for weblogic running on development mode, then you can go for auto-deployment feature where weblogic will auto-deploy modified application from autodeploy directory.
    For production mode, you can go for production-redeployment feature of weblogic where it uses application versioning. So for example you deployed webapp1 with version app1.0 and then for new release you will deploy webapp1 with version app2.0 adding a retirement policy to retire old application after said time and start using webapp1 with app2.0.
    Refer to link for more detail - http://middlewaresupport.wordpress.com/2013/03/21/production-redeployment-feature-in-weblogic/
    rank it if found useful
    Thanks,
    Ranjan

  • Web.xml and security constraints

    Hi,
    I have several web services deployed. I only want to protect one of these web services.
    If I use "/services/*" in <security-constraint> of my web.xml file, all my deployed web services are protected.
    If I use "/services/aaaWebService" in <security-constraint> of my web.xml file, aaaWebService web service is NOT protected.
    Please let me know what I should use for the <url-pattern> to protect only aaaWebService.
    Thanks /dan

    What about "/services/aaaWebService*"?
    I think without an asterisk service parameters don't match your pattern.
    Vovencij

  • What is the use of security-constraint tag in web.xml

    What is the use of the following tag, how is it used, and where should it be used?
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecureOrderJSP</web-resource-name>
        <description>Protect the Order JSP Pages </description>
        <url-pattern>/order/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name></role-name>
      </auth-constraint>
    </security-constraint>

    Hi,
    You can refer this link
    http://www.whizlabs.com/tutorial/scwcd/j-scwcd-7-5.html
    give the complete description of your doubt
    Thanks,
    Snigdha Sivadas
