Without restart/reload - web.xml update security constraints, is it possible
Is there a way to make use of the 9ias/j2ee security framework, where add/modify security constraints; change roles and url-patterns etc, in web.xml without having to restart/reload the webapp. Doesn't restart/reload remove existing user sessions from the container?
Any thoughts or code pointers would be appreciated.
-Mohammad Abed
Handlers are java-classes so I would say yes.
Classes (including BC4J View and Entity objects) must
be recompiled and your server should be restarted.
Anything XML-related (including UIX) does not immediately
force you to restart OC4J, although the MVC Framework
descriptor-xml should be reloaded by for instance re-entering
the service you changed. This is where those
home-page services become handy.
Note that setting existing BC4J-attributes to (in)visible
or wider/smaller mostly just changes the BC4J Jheadstart
metadata and generates new UIX, so it doesn't change
anything in the java-classes.
Similar Messages
-
Web.xml - security constraint question
I want to make a kind of inverted security constraint. I want to ALLOW access to one specific page over HTTP. All other pages should be HTTPS.
Is that possible???
Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
Bean code:
this.isAdmin = context.getExternalContext().isUserInRole("admin");
web.xml:
<security-role>
<role-name>Local Admin Group</role-name>
</security-role>
<security-role>
<role-name>DBA Group</role-name>
</security-role>
<!-- Faces Servlet -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<security-role-ref>
<role-name>admin</role-name>
<role-link>DBA Group</role-link>
</security-role-ref>
<security-role-ref>
<role-name>admin</role-name>
<role-link>Local Admin Group</role-link>
</security-role-ref>
</servlet> -
Web.xml security-constraint order matters?
After a long and frustrating debugging session I've just discovered that the order in which <security-constraint>
entries are added to the web.xml file matters to OC4J.
That is, if a more lax rule is matched first, the rest
(even though they might be more precise or even an
exact match) won't be applied.
Is this normal behaviour?
EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected</web-resource-name>
<url-pattern>/admin*.uix</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>DSMSuperUser</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>DSMUser</role-name>
</auth-constraint>
</security-constraint>
Here is an excerpt from the servlet spec stating the proper behavior:
The container matches URL patterns defined in security constraints
using the same algorithm described in this specification for matching client
requests to servlets and static resources as described in SRV.11.1
SRV.11.1 Use of URL Paths
Upon receipt of a client request, the web container determines the web application
to which to forward it. The web application selected must have the longest
context path that matches the start of the request URL. The matched part of the URL
is the context path when mapping to servlets.
The web container next must locate the servlet to process the request using the
path mapping procedure described below:
The path used for mapping to a servlet is the request URL from the request
object minus the context path. The URL path mapping rules below are used in
order. The first successful match is used with no further matches attempted:
1. The container will try to find an exact match of the path of the request to the
path of the servlet. A successful match selects the servlet.
2. The container will recursively try to match the longest path-prefix: This is done
by stepping down the path tree a directory at a time, using the ’/’ character as
a path separator. The longest match determines the servlet selected.
3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet
container will try to match a servlet that handles requests for the extension.
An extension is defined as the part of the last segment after the last ’.’ character.
4. If neither of the previous three rules result in a servlet match, the container will
attempt to serve content appropriate for the resource requested. If a "default"
servlet is defined for the application, it will be used.
The container must use case-sensitive string comparisons for matching.
So this is STILL an issue w/ 10.1.2.0.2...
EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
<security-constraint>
<web-resource-collection>
<web-resource-name>oemAdmin</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>OEM_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>allOem</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>OEM_USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
If I don't find a SR for this issue I'll open one b/c this is not acceptable. -
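The matching rules quoted from the servlet spec in this thread, as an added Python example (not code from any poster or from OC4J): it loads constraints from a constructed web.xml built from the OEM example, compares the spec's best match with a first-match-in-file-order model of the behaviour the poster reports, and flags patterns the spec treats as literal strings. The request paths and all function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two OEM constraints from the post, broad rule first
# (the order the poster reports as failing). No XML namespace, as in the
# DTD-style descriptors shown on this page.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>OEM_USER</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>OEM_ADMIN</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def load_constraints(xml_text):
    """Return [(url_pattern, [roles])] in document order."""
    out = []
    for sc in ET.fromstring(xml_text.strip()).iter("security-constraint"):
        roles = [(r.text or "").strip() for r in sc.findall("auth-constraint/role-name")]
        for p in sc.findall("web-resource-collection/url-pattern"):
            out.append(((p.text or "").strip(), roles))
    return out

def kind(p):
    """Classify a url-pattern the way the servlet spec does."""
    if p.startswith("/") and p.endswith("/*"):
        return "prefix"
    if p.startswith("*."):
        return "extension"
    if p == "/":
        return "default"
    return "exact"  # everything else is compared as a literal string

def matches(p, path):
    k = kind(p)
    if k == "prefix":
        base = p[:-2]
        return path == base or path.startswith(base + "/")
    if k == "extension":
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.rsplit(".", 1)[1] == p[2:]
    return k == "default" or p == path

def spec_match(path, constraints):
    """Spec order: exact, then longest path-prefix, then extension, then default."""
    for wanted in ("exact", "prefix", "extension", "default"):
        hits = [c for c in constraints if kind(c[0]) == wanted and matches(c[0], path)]
        if hits:
            return max(hits, key=lambda c: len(c[0]))
    return None

def first_match(path, constraints):
    """Model of the reported behaviour: first entry in file order that matches wins."""
    return next((c for c in constraints if matches(c[0], path)), None)

def lint(p):
    """Return a reason if the pattern will not behave as a wildcard, else None."""
    if kind(p) != "exact":
        return None
    if "*" in p:
        return "'*' is literal here; only /prefix/* and *.ext are wildcards"
    if not p.startswith("/"):
        return "no leading '/'; request paths always start with '/'"
    return None

if __name__ == "__main__":
    cs = load_constraints(WEB_XML)
    for path in ("/admin/users.jsp", "/home.jsp"):  # constructed request paths
        print(path, "spec:", spec_match(path, cs), "first-match:", first_match(path, cs))
    for p in ("/admin*.uix", "*", "readData.jsp", "/admin/*"):  # patterns seen on this page
        print(repr(p), "->", lint(p))
```

Under the spec's rules the result for `/admin/users.jsp` is the same whichever entry comes first in the file; only the first-match model changes with order.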
Web.xml: security-constraint [un]usable in JSF?
<security-constraint> in web.xml is a simple, effective and portable method of declaring a web application's security policies.
It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has its limitations in the context of jsf.
A reasonable solution would be to consult <security-constraint> elements in one's own web.xml when rendering <h:commandLink>'s on a page according to the security policy.
Unfortunately, there is no standard method of reading web.xml, other than what's available from the ServletContext.
I found some container specific-implementations in the Cargo project from the http://cargo.codehaus.org,
but I'm looking for a portable solution. Any thoughts?
Thanks, y'all!
Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
Bean code:
this.isAdmin = context.getExternalContext().isUserInRole("admin");
web.xml:
<security-role>
<role-name>Local Admin Group</role-name>
</security-role>
<security-role>
<role-name>DBA Group</role-name>
</security-role>
<!-- Faces Servlet -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<security-role-ref>
<role-name>admin</role-name>
<role-link>DBA Group</role-link>
</security-role-ref>
<security-role-ref>
<role-name>admin</role-name>
<role-link>Local Admin Group</role-link>
</security-role-ref>
</servlet> -
Web.xml security-constraint
Hi,
Anybody has any idea about this one:
In web.xml I have:
<security-constraint>
<web-resource-collection>
<web-resource-name>members</web-resource-name>
<url-pattern>/members/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>REGISTERED_USERS</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL is required</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
When using the above one, every time I click any link in /members, WebLogic
first treats the user as guest at the beginning, then changes to the real logged-in
user.
After I changed it to :
<security-constraint>
<web-resource-collection>
<web-resource-name>members</web-resource-name>
<url-pattern>/members/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>REGISTERED_USERS</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL is required</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
I click the links in /members, and WebLogic treats the user as the real logged-in
user.
Any idea what is the * 's meaning or any clue where this difference is mentioned
in weblogic or SUN's documentation?
BTW: I am using weblogic 5.1 with sp11.
Thx,
dliu
Hi,
Please provide a "WEB-INF/weblogic.xml" file as well like following:
*"weblogic.xml"*
<?xml version='1.0' encoding='UTF-8'?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<security-role-assignment>
<role-name>BMOUser</role-name>
<principal-name>BMOUser</principal-name>
</security-role-assignment>
</weblogic-web-app>
Thanks
Jay SenSharma
http://weblogic-wonders.com (WebLogic Wonders Are here) -
Hi,
I am working on a Javascript for Apex. The changes are not reflected and I was told to restart the app server. Is there a better way for Apex to process the changed Javascript? Thanks.
Hi,
I assume you store JavaScript to web server folder and browser caches your file.
Use query string end of file name like
/my.js?v=0.0.1
And when you change file, change query string value
Templates JavaScript help says:
File reference using a query string in the URL referencing the application version, such that when the application is upgraded
(and the version is incremented), the browser will be instructed to always load the new file and ignore any previously cached files.
/myjs/main.js?version=#APP_VERSION# -
Setting security constraint for web App
Hi all!
I am new to BEA and I am trying to set up security constraints for my web application.
I want the user to be authenticated before he accesses any of the pages in the browser.
All I did was add the following entries to web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>
webresources
</web-resource-name>
<url-pattern>
</url-pattern>
</web-resource-collection>
<login-config>
<auth-method>
BASIC
</auth-method>
</login-config>
</security-constraint>
But no such thing is happening.
I know I am doing wrong but don't know where exactly I am wrong.
Please guide me in sequence of steps regarding what to do to accomplish what I want.
Thanks and Regards
Manohar
I guess you need to set the role that is allowed to log into your application.
try this in web.xml:
<security-constraint>
<display-name>Whatever</display-name>
<web-resource-collection>
<web-resource-name>resource</web-resource-name>
<description>Desc</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>desc</description>
<role-name>MyRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<description>desc</description>
<role-name>MyRole</role-name>
</security-role>
and map the role with a group/user in weblogic.xml:
<security-role-assignment>
<role-name>MyRole</role-name>
<principal-name>MyGroupOfUsers</principal-name>
</security-role-assignment>
Hope this helps.
Xavi
-
Is it possible to re-register with WINS without restarting?
We're switching out our WINS servers, and I would like to register my Netware servers with the new servers without restarting CIFS or the server. Is this possible? The servers are also in DNS, so is it a big deal if they aren't registered in WINS for an extended period?
-
Reload web-inf/web.xml file without restarting tomcat
Please help me if anyone has a solution.
I am doing development in JSP and servlets. I am using tomcat5 as a webserver.
I want to reload web-inf/web.xml file without restarting tomcat.
From the tomcat admin page you can stop/start and refresh individual applications. See the tomcat documentation. Which, when you have a question about tomcat, you should always do first.
-
Security constraint in Web.xml of tomcat
Hi
I have a web-application running on tomcat . Inside the context folder i have several directories having some pre-defined configuration files . But the user is able to directly access them by typing the path including the fileName in the URL ( I have disabled the listings property however)
How can i prevent accessing the specific files .... I tried using
<security-constraint>
<display-name>Security constarint</display-name>
<web-resource-collection>
<web-resource-name>Java Application</web-resource-name>
<url-pattern>/folder/*</url-pattern>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>OnJava Application</realm-name>
</login-config>
This seems to be working fine, but when the user enters the wrong security info thrice, a 401 error page comes up; instead I want my custom page. Hence I configured an error page for the 401 code, which overrode the earlier behaviour, i.e. the BASIC authentication popup no longer appears.
Can anyone let me know how to go about this?
Hi,
I have tried adding the following into web.xml but the security feature just doesnt work and the user can go to any page without any restriction.
<security-constraint>
<web-resource-collection>
<web-resource-name>Declarative Security Test</web-resource-name>
<url-pattern>/SuperServlet</url-pattern>
<url-pattern>/*</url-pattern>
<http-method>post</http-method>
<http-method>get</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>guest</role-name>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>guest</role-name>
<role-name>member</role-name>
</security-role>
The roles mentioned above have been added correctly into tomcat-users.xml. The version of Tomcat I am using is tomcat5.0.28. Please help. -
Web service proxy and security constraint
I've placed a security constraint on my web service and set the login-config auth-method as BASIC. When I run the Workshop test and the (Test View) browser begins to appear I am prompted for my username and password since it is protected --- great, it's working.
Here's my problem: when I create the Java Proxy and try to access the web service using the proxy in another application I am never prompted for my username and password and thus the request fails. Any way to fix this so I can be prompted using the proxy??
thanks in advance,
Steve Touw
Hi Shay Shmeltzer,
Thanks for the reply.
I tried in HTTP Analyzer in JDeveloper and there also it is not working. My concern is :-
There are many other web services deployed on the same SOA server in same partition and they are working fine in HTTP analyzer and I am able to create and use the web service proxy as well. So as per my understanding there is nothing like network issues between SOA server and jDeveloper.
1 more thing When I am creating the proxy for this web service and requesting from the proxy's main method SOA is getting proper input (which I am providing in the main method) and SOA is returning proper output I have checked the SOA instance in em. So there is no problem in SOA side. The problem is jDeveloper is not able to get back that response which SOA is returning.
Please Help.
-- NavinK -
Using security-constraint in web.xml; not recognizing url-pattern tag
I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
<?xml version = '1.0' encoding = 'windows-1252'?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<description>Empty web.xml file for Web Application</description>
<session-config>
<session-timeout>35</session-timeout>
</session-config>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>adm_full_access</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>adm_all</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>usr_access</web-resource-name>
<url-pattern>readData.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>usr_all</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>usr_all</role-name>
</security-role>
<security-role>
<role-name>adm_all</role-name>
</security-role>
</web-app>
When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
Thank you.
I was able to get this to work. By doing the following:
<security-constraint>
<web-resource-collection>
<web-resource-name>adm_full_access</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>adm_all</role-name>
</auth-constraint>
</security-constraint>
I was restricting access to all other groups by using <url-pattern>*</url-pattern>. Any other security-constraints set up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraint lists all directories or pages that every user can access. My next security-constraint then lists resources that only my admins (adm_all) can access. Any other security constraints then are set up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint. -
Reload a jar in weblogic server without restart
Hi All,
We are using weblogic version '10.0.1.0' and have 'reports.jar' file in server for reports.
If we change any existing class file under 'reports.jar' then we are using below steps in order to recognize a modified jar by weblogic
1) We need to recreate a jar using eclipse in local IDE and
2) Copy the 'reports.jar' into server
3) Need to restart server in order to recognize the modified jar
Is there any alternative solution to reload a jar in weblogic server without restart?
Please do the needful.
Thanks & Regards,
Gangadhar
Hi,
If this is for weblogic running on development mode, then you can go for auto-deployment feature where weblogic will auto-deploy modified application from autodeploy directory.
For production mode, you can go for production-redeployment feature of weblogic where it uses application versioning. So for example you deployed webapp1 with version app1.0 and then for new release you will deploy webapp1 with version app2.0 adding a retirement policy to retire old application after said time and start using webapp1 with app2.0.
Refer to link for more detail - http://middlewaresupport.wordpress.com/2013/03/21/production-redeployment-feature-in-weblogic/
rank it if found useful
Thanks,
Ranjan -
Web.xml and security constraints
Hi,
I have several web services deployed. I only want to protect one of these web services.
If I use "/services/*" in <security-constraint> of my web.xml file, all my deployed web services are protected.
If I use "/services/aaaWebService" in <security-constraint> of my web.xml file, aaaWebService web service is NOT protected.
Please let me know what I should use for the <url-pattern> to protect only aaaWebService.
Thanks /dan
What about "/services/aaaWebService*"?
I think without an asterisk service parameters don't match your pattern.
Vovencij -
What is the use of security-constraint tag in web.xml
What is the use of the following tag, and how to use that, and where to use that tag.
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureOrderJSP</web-resource-name>
<description>Protect the Order JSP Pages </description>
<url-pattern>/order/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name></role-name>
</auth-constraint>
</security-constraint>
Hi,
You can refer this link
http://www.whizlabs.com/tutorial/scwcd/j-scwcd-7-5.html
give the complete description of your doubt
Thanks,
Snigdha Sivadas