XML communication - security

Similar Messages

• Java interface with xml communication

  Hello everybody,
  For a project i need to make a java interface with xml communication.
  For example ; from 1 laptop I press on a java button and then i need to get a text message on the other laptop.
  The java interface is already created now the xml code for communication.
  I hope someone can help me how to start with the xml code.
  Are there any templates that i can use?

  I need to use XML for this, cause it is in the
  assignment.As far as communication is concerned, it doesn't matter that you are sending XML. You can send any kind of data. So first find out how to send data, then send data which is XML.
  I only want to know if its possible to send data/text
  from 1 laptop (windowsxp prof) to the other laptop
  (also windows xp prof).Provided the other laptop is running a server that can receive that data.
  Maybe its easier if I send data to a specific IP
  address?Provided there is a server running at that IP address that can receive that data. You can use an IP address to connect to a server but that has nothing to do with sending the data.
  Its important that the communication between 2 system
  is in XML language.XML is not a programming language. XML is a format for storing data. You can certainly send XML-formatted data between two computers.
  So i hope u have a solution for my problem.The solution would be for you to learn how communication between two computers works in the real world. If you have an assignment that says you have to make communication work, surely there was something taught to you before about how to do it?

• RC communication security

  Hi people, I need some help with RC security. I need to secure the communication over the RC, does anybody know how to do that? Some code samples would be perfect. Thanks

  There is one system which is site for search, sale, light box and so on images, video and music.
  There will be interface which will comunicate(search, download, may be sale and so on) with other systems on the base of XML. May be the other systems will use Web services, i don't know now. How ever when there are requests for download(or even may be sending credit card details to other system, if the sale must be made trough their system, not our) then i need secure communication, may be encrypted xml or SSL. BUT i don't like the idea all requests to be https, because they are slower and this will cause slower search, which must be fast.
  My idea for now is when an image from other system is bought to persist it in our database with may be user id, image id, system id, random string code and when logged in user requests download to check this in the database and if there is such record to allow download.
  Advise some better ideas please :)

• How do I get the flash site to load an XML without security

  I made a music mp3 player but now the XML wont load and the
  music player says undefined. I changed security settings in Adobe
  Flash Player. But I dont want to have everybody who views it have
  to change settings. Is there some type of ActionScript code that
  will allow the XML to load without security problems. I have the
  XML on the same server folder as the .SWF file. The site url is :
  www.eternityfocus.com/test_flash.html

  you should use a crossdomain.xml policy file.

• JAAS, jazn.xml, & oracle.security.jazn.config

  I have a swing application using LDAP to authenticate users that will typically be launched via Java Web Start, thus the application is deploy using a jar file.
  I can run this application from JDev or from the command-line when the jazn.xml file is located in the root (start-in) directory.
  Unfortunately, when the jazn.xml file is only in the jar file (as it would be when launched via JWS) the application cannot find it and throws an exception:
  oracle.security.jazn.JAZNInitException: d:\path\.\jazn-data.xml (The system cannot find the file specified).
  I found some documentation that indicates that I can specify the path to the jazn.xml file with
  System.setProperty("oracle.security.jazn.config", "path/to/jazn/xml/file");
  If I set it to a relative path without the filename on the end (ex. "./my/path" or "my/path") I get the above exception.
  If I set it to a relative path with the filename (ex. "./my/path/jazn.xml" or "my/path/jazn.xml") it works.
  What I can't figure out is how to tell it that it is in a jar file that is in my classpath. It doesn't find it from the path examples above. I've tried things like "client.jar/jazn.xml", "d:/my/path/client.jar/jazn.xml", and a host of other things with the jazn.xml filename on the end.
  Oddly enough, when I set it to "d:/my/path/client.jar" I get a different exception:
  Caused by: oracle.security.jazn.JAZNInitException: no protocol: "ldap://hostname.com:389">
       at oracle.security.jazn.spi.xml.FSXMLStore.<init>(FSXMLStore.java:128)
       ... 59 more
  Caused by: java.net.MalformedURLException: no protocol: "ldap://hostname.com:389">
       at java.net.URL.<init>(URL.java:537)
       at java.net.URL.<init>(URL.java:434)
       at java.net.URL.<init>(URL.java:383)
  So it seems like it read the file but parsed it incorrectly. Any ideas?

  Thanks for the reply Yvonne. Sorry I haven't updated this after my testing. I think you're close to correct.
  I did some more testing and figured out that any time the protocol is included in a path (protocol://d:/my/path/client.jar) that jazn does not understand. When the referenced file (jazn.xml) is in a jar file, it includes the protocol in the path. For example the path to the jazn.xml file (the value that the java.security.auth.policy property needs to be set to) would be jar:file://my/path/client.jar!/my/path/jazn.xml
  I think the oracle.security.jazn.spi.PolicyProvider (the value of the java.security.auth.policy.provider property) causes the jazn.xml file to be read. That class is, I think, what fails to find that file because it doesn't understand when the protocol (jar:file:) is included in the path to the file. That's my guess anyway.
  I did figure out a work around and it goes like this:
  1. create a new jazn.xml file
  File tmp = new File ("jazn.xml");
  2. and set it to be deleted on exit
  tmp.deleteOnExit();
  3. get a ByteArrayInputStream for the jazn.xml file and read it out of the jar file.
  4. then write the stream to the tmp file
  5. then set the system property
  System.setProperty("java.security.auth.policy", tmp.toURL().getPath());
  It is kind of a pain since I have to check to see if the property I'm setting is "jazn.xml", but it seems to work.
  I think the oracle.security.jazn.spi.PolicyProvider problem is a defect, which I'll report on meta-link.
  tcoker

• Web.xml and security constraints

  Hi,
  I have several web services deployed. I only want to protect one of these web services.
  If I use "/services/*" in <security-constraint> of my web.xml file, all my deployed web services are protected.
  If I use "/services/aaaWebService" in <security-constraint> of my web.xml file, aaaWebService web service is NOT protected.
  Please let me know what I should use for teh <url-pattern> to protect only aaaWebService.
  Thanks /dan

  What about "/services/aaaWebService*"?
  I think whithout an asterisk service parameters don't match your pattern.
  Vovencij

• 10g: Bug with XML\Jazn Security

  For days I've been trying to get my migrated apps (from 9.0.3.1) to run with the internal JDev OC4J using JAZN security. I've been able to deploy to the packaged OC4J just fine, yet whenever I run it internally, it's never accepted my username and password.
  I just now found that JDev added a...
  <jazn provider="XML" location="[AppName]-jazn-data.xml" default-realm="jazn.com"/>
  to my App-oc4j-app.xml. I'm guessing this is for the Current Workspace settings, which is fine... however, for the Global settings, JDev never looks into system9.0.5.0.0.1375 \ oc4j-config for the global jazn-data.xml file when you run your app. (It will obfuscate passwords and everything, just won't look up your credentials)
  To fix the problem, I ended up copying my global jazn-data.xml file to my app's main directory (where App-oc4j-app.xml exists) from the system directory, then changing the location of the jazn provider in the App-oc4j-app.xml file to jazn-data.xml. (I suppose I could have just changed the location to point to the System directory as well).
  Anyways, figured this might help someone.

  I have the same problem. My app works fine with Stand alone OC4J. I tried to migrate my app into 10g Env.
  But I had the problem the JAZN Authentication. I tried all solutions, it still failed. I decided to create
  very simple EJB project to test Embedded OC4J debugging.
  I create a simple Test Workspace and testEJB project.
  I followed the steps to create a simple TestSesssionEJB with one method: insert.
  I right clicked on the TestSesssionEJB to generate New Sample EJB Client, named TestSessionEJBClient.
  1) To start the debug EJB, I right cliked the TestSesssionEJB and selected Degug TestSesssionEJB.
  2) Embedded OC4J Server started fine.
  3) I ran TestSessionEJBClient I got javax.naming.AuthenticationException
  javax.naming.NamingException: Lookup error: javax.naming.AuthenticationException: Invalid username/password for current-workspace-app (admin); nested exception is:
       javax.naming.AuthenticationException: Invalid username/password for current-workspace-app (admin). Root exception is javax.naming.AuthenticationException: Invalid username/password for current-workspace-app (admin)
       at com.evermind.server.rmi.RMIConnection.connect(RMIConnection.java:2298)
       at com.evermind.server.rmi.RMIConnection.connect(RMIConnection.java:2129)
       at com.evermind.server.rmi.RMIConnection.lookup(RMIConnection.java:1665)
       at com.evermind.server.rmi.RMIServer.lookup(RMIServer.java:680)
       at com.evermind.server.rmi.RMIContext.lookup(RMIContext.java:134)
       at javax.naming.InitialContext.lookup(InitialContext.java:347)
       at test.TestSessionEJBClient.main(TestSessionEJBClient.java:17)
  Here is TestSessionEJBClient generated by JDeveloper
  package test;
  import javax.naming.Context;
  import javax.naming.InitialContext;
  import javax.rmi.PortableRemoteObject;
  import test.TestSessionEJB;
  import test.TestSessionEJBHome;
  import javax.naming.NamingException;
  public class TestSessionEJBClient
  public static void main(String [] args)
  TestSessionEJBClient testSessionEJBClient = new TestSessionEJBClient();
  try
  Context context = getInitialContext();
  TestSessionEJBHome testSessionEJBHome = (TestSessionEJBHome)PortableRemoteObject.narrow(context.lookup("TestSessionEJB"), TestSessionEJBHome.class);
  TestSessionEJB testSessionEJB;
  // Use one of the create() methods below to create a new instance
  testSessionEJB = testSessionEJBHome.create();
  // Call any of the Remote methods below to access the EJB
  // testSessionEJB.insertClob( );
  catch(Throwable ex)
  ex.printStackTrace();
  private static Context getInitialContext() throws NamingException
  // Get InitialContext for Embedded OC4J.
  // The embedded server must be running for lookups to succeed.
  return new InitialContext();
  Test-oc4j-app.xml content
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <!DOCTYPE orion-application PUBLIC "-//Evermind//DTD J2EE Application runtime 1.2//EN" "http://xmlns.oracle.com/ias/dtds/orion-application.dtd">
  <orion-application>
  <ejb-module path="file:/C:/jdev905WorkSpaces/testEJB/classes/"/>
  <library path="C:\jdev905WorkSpaces\testEJB\classes">jdev-generated</library>
  <library path="C:\Tools\oracle\jdev905\jdev\system9.0.5.0.1349\oc4j-config\.client">jdev-generated</library>
  <library path="C:\Tools\oracle\jdev905\lib\xmlparserv2.jar">jdev-generated</library>
  <library path="C:\Tools\oracle\jdev905\lib\xmlcomp.jar">jdev-generated</library>
  <log>
  <file path="Test-oc4j-app.log"/>
  </log>
  <jazn provider="XML" location="Test-jazn-data.xml" default-realm="jazn.com"/>
  <data-sources path="Test-data-sources.xml"/>
  </orion-application>
  Test-jazn-data.xml content
  <jazn-data>
  <jazn-realm>
  <realm>
  <name>jazn.com</name>
  <users>
  <user>
  <name>jdevuser</name>
  <credentials>!jdevuser</credentials>
  </user>
  </users>
  <roles>
  <role>
  <name>jdevrole</name>
  </role>
  </roles>
  </realm>
  </jazn-realm>
  </jazn-data>
  .../system9.0.5.0.1349\oc4j-config/server.xml
  <application-server application-directory="applications" deployment-directory="application-deployments" connector-directory="connectors" transaction-log="log/transaction.state" recovery-procedure="ignore" taskmanager-granularity="5000" taskmanager-interval="5000" auto-unpack-applications="true">
       <rmi-config path="./rmi.xml"/>
       <sep-config path="./internal-settings.xml"/>
       <!-- JMS-server config link, uncomment to activate the JMS service -->
       <jms-config path="./jms.xml"/>
       <log>
            <file path="log/server.log"/>
       </log>
  <java-compiler name="ojc" in-process="false" bindir="C:\Tools\oracle\jdev905\jdev\bin\"/>
       <global-application name="default" path="application.xml"/>
  <application name="bc4j" path="C:\Tools\oracle\jdev905\jdev\system9.0.5.0.1349\oc4j-config\applications\bc4j.ear"/>
  <application name="larcis" path="C:\larcis3\jdev905\larcis3-oc4j-app.xml"/>
  <application name="current-workspace-app" path="C:\jdev905WorkSpaces\Test-oc4j-app.xml"/>
       <global-web-app-config path="global-web-application.xml"/>
       <!-- <web-site path="./secure-web-site.xml" /> -->
       <web-site default="true" path="./default-web-site.xml"/>
       <!-- Compiler, activate this to specify an alternative compiler such
            as jikes for EJB/JSP compiling. -->
       <!-- <compiler executable="jikes" classpath="/myjdkdir/jre/lib/rt.jar" /> -->
  </application-server>
  I think this is a bug in XML/JAZN that Tim mentioned in the first post.
  I also tried the solution suggested by Tim. But it still did not work.
  Any one have another suggestion?

• Web.xml form security login

  I am using formed based security in a web.xml file. I was wondering if there is
  anyway to limit logins, for example...
  I logon with a uid "peterc" and a password of "car", I don't want anyone else
  to then be able to login using the same uid and password while the session is
  active. We are using a custom built realm the extends the abstractManagableRealm,
  and Netscape Directory server for our LDAP tree, Weblogic Application Server 5.1
  sp8. Is there a tag in the web.xml file we can set, or do we need to add code
  to the realm? Or could there be another simple solution?

  Chris,
  I think you have to do this on your own - I know of no standard or proprietay way of
  limiting how many simultaneous times a user is logged in.
  Chris wrote:
  I am using formed based security in a web.xml file. I was wondering if there is
  anyway to limit logins, for example...
  I logon with a uid "peterc" and a password of "car", I don't want anyone else
  to then be able to login using the same uid and password while the session is
  active. We are using a custom built realm the extends the abstractManagableRealm,
  and Netscape Directory server for our LDAP tree, Weblogic Application Server 5.1
  sp8. Is there a tag in the web.xml file we can set, or do we need to add code
  to the realm? Or could there be another simple solution?--
  Tom Mitchell
  [email protected]
  Very Current Stoneham, MA Weather
  http://www.tom.org

• XML.sendAndLoad - (Security-related) Error Opening URL

  Hi All,
  I know this is a common problem (I've searched), but I'm
  hoping you can help me out.
  1. What my Application Does
  My Flash app uses XML.sendAndLoad() to communicate with a
  Java Servlet on the same domain, in the same webapp.
  2. What happens when I run it on my (developer) machine
  It works.
  I connect to a url "
  http://localhost:8080/webapp1/servlet/FlashServlet"
  perfectly and pass around XML between Flash and Java
  3. What Happens on the Real Machine
  The Real Machines equivalent URL is
  http://int-tzn:8101/webapp1/servlet/FlashServlet
  The XML.sendAndLoad() cannot connect, with a "Error Opening
  URL" error.
  4. What I've Tried
  4.1. Using a
  crossdomain.xml on Real Machine
  (not sure if I've got in correct place, but i
  can see it at
  http://int-tzn:8101/crossdomain.xml
  4.2. Tried a StandAlone (Projector) WITH Network Access
  4.3. Tried using
  LocalContentUpdater to confirm and set
  network access
  4.4. Have set in my ActionScript :
  System.security.allowDomain("*");
  Please help.
  This needs to go into a large Production Environment in 2
  days and there are large amounts of money behind it.
  Thanks in advance.
  - Laven Pillay

  OK the deal is:
  When using TLF, a user visiting your webpage will download the TLF's SWZ file, if the user already has that file it will be downloaded from the adobe site, if the adobe site is down then it will search the .swz from where the website is hosted on.
  Have a read here:
  http://help.adobe.com/en_US/flash/cs/using/WSb03e830bd6f770ee-4b0db644124bbdb363d-8000.htm l#WSb03e830bd6f770ee72b69dc71257a25aa72-8000

• How to map user-defined fields in XML communication on SRM site

  Hi All!
  We use the External sourcing scenario and we transfer requirements from ERP  in SRM through XI (PurchaseRequestERPSourcingRequest_In)
  We should transfer the user-defined fields, but we can not map it in SRM site.
  We have enhanced enterprise service in XI, have realized BADI PUR_SE_PRERPSOURCINGRQCO_ASYN on ERP site.
  I see the XML message with ours z-fields in tr.  SXI_MONITOR (into SRM), but I can not find it in BBP_PDISC.
  We try to use BADI BBP_SAPXML1_IN_BADI (there is no method for SC), and BADI /SAPSRM/BD_SOA_MAPPING (z-fields is empty)
  Someone can tell how to map user-defined field for SC?
  Thanks in advance
  Evgeny Ilchenko

  Hello, Julia
  We have found solution our problem
  We have enhanced standard service in a new enhancement name space and defined own enhancement elements in our namespaces. Then these enhancement elements refered to the SAP standard Enterprise Service.
  But In our new interfaces were different  XML namespaces
  When we have correct an error we could use the next BADI
  on ERP site: PUR_SE_PRERPSOURCINGRQCO_ASYN
  on SRM site: /SAPSRM/BD_SOA_MAPPING
  BR,
  Evgeny

• BOBJ XI Communication Security Blackberry

  Hi all, i need to test out BOBJ installation , with the blackberry as the explorer, i have try to look for information on the Security., on how to secure data communicaton between the handheld to the  BOBJ Server, is it handled by the applicaiton default, ot there is sort of security need to be deployed

  Hello Barry,
  please see the [BusinessObjects Enterprise Administrator's Guide for XI R3|http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf] chapter 17 onwards starting page 569.
  Please find more docu [ here|https://websmp110.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000713358&_SCENARIO=01100035870000000202&].
  I recommend to post further question in the [dedicated BO Enterprise Admin|BI Platform; forum.
  That forum is monitored by qualified technicians and you will get a faster response there.
  Best regards
  Falk

• Inter Applet Communication Security Issues

  Hello,
  Given that applets, contained on a card, can communicate with each other: Has anyone found any articles relating to any possible security issues this feature may present?
  If you have any ideas on possible security threats, please share. It would be great to bounce some ideas around, no matter how radical, unusual or "done to death."
  Thankyou in advance,
  Joanne : )

  I found a very interesting article regarding this subject written by Michael Montgomery and Ksheerabdhi Krishna, Austin Product Center, Schlumberger.
  http://www.usenix.org/publications/library/proceedings/smartcard99/montgomery.html
  Best regards
  Jonas Nilsson

• Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constaints

  Hello,
  I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into eclipse where they compile. A bean I made can call SambleCallbackHandler like such:
  mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identlify that it is authenticating me (I see in stdout logs that it shows success or failures. The problem I have is I do not know how to apply this weblogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
  <security-role>
       <role-name>Admins</role-name>
  </security-role>
  <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>default</realm-name>
       <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/badlogin.html</form-error-page>
       </form-login-config>
  </login-config>
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>empower</web-resource-name>
            <description>These pages are only accessible by authorized users.</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
       </web-resource-collection>
  <auth-constraint>
  <description>These are the roles who have access</description>
  <role-name>Administrators</role-name>
  </auth-constraint>
       <user-data-constraint>
       <description>This is how the user data must be transmitted</description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  My weblogic.xml has:
  <?xml version="1.0" encoding="UTF-8"?>
  <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <wls:security-role-assignment>
  <wls:role-name>Admins</wls:role-name>
  <wls:principal-name>Administrators</wls:principal-name>
  <wls:principal-name>dashap</wls:principal-name>
  </wls:security-role-assignment>
  </wls:weblogic-web-app>
  With this set up, if I try to go to a page in /admin folder in my application, it correctly pops up the login page. The jaas in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With jaas, can I not use the web.xml FORM security option? Do I Need to use j_security in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use j_username/j_password things if I am using jaas? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use jaas with the security featurs without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

  Hi John,
  I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
  I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
  Ideally, the flow is something like:
  - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
  - user presses a link or button that takes him/her to a protected resource
  - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
  - the application can access the subject and principals
  - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
  the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
  I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
  If you more ideas to share - I would love to hear them.
  best regards,
  Lucas

• 2nd Post : Security using JAZN-DATA.xml vs OID ?

  Hi All,
  From what I read, we can implement JAZN security either with JAZN-DATA.xml
  or OID. The question is :
  1) In term of security, what are the benefits of using OID compared to use
  JAZN-Data.xml ?
  2) If we do not have OID (because we only use IAS SE, not EE), so we can
  only use JAZN-Data.xml, is it secure / reliable enough for production ?
  Thank you for your help,
  xtanto

  Xtanto,
  1) In term of security, what are the benefits of using OID compared to use
  JAZN-Data.xml ?
  - Security policies that work across application server instances and that are the same for all applications
  - Central user management
  - Integration with Identity Management for enterprise wide security management
  2) If we do not have OID (because we only use IAS SE, not EE), so we can
  only use JAZN-Data.xml, is it secure / reliable enough for production ?
  - Sure
  Frank

• JDev 10g - Security - web.xml - URL pattern matching

  Hello,
  I use JDeveloper 10.1.3.4. It's 4 hours I try to figure out what is going on:
  I set security constraint in web.xml:
  &lt;security-constraint&gt;
  &lt;web-resource-collection&gt;
  &lt;web-resource-name&gt;books&lt;/web-resource-name&gt;
  &lt;url-pattern&gt;faces/app/books/*&lt;/url-pattern&gt;
  &lt;url-pattern&gt;faces/*/app/books/*&lt;/url-pattern&gt;
  &lt;/web-resource-collection&gt;
  &lt;auth-constraint&gt;
  &lt;role-name&gt;books&lt;/role-name&gt;
  &lt;/auth-constraint&gt;
  &lt;/security-constraint&gt;
  User is logged in with role "books" for sure.
  http://192.168.0.109:8988/lib/faces/app/books/page.jspx can be seen
  but dialogs can't be seen, url is : http://192.168.0.109:8988/lib/faces/__ADFv__?_afPfm=1.5&_t=fred&_vir=/app/books/Search.jspx&loc=en&_rtrnId=2it redirects to login page.
  Another thing, when I set only one url pattern : faces/app/books/*.jspx
  I can't even see faces/app/books/page.jspx page!
  It's very curious, have to be something else somewhere to set, because in SRDemo app this 2 cases don't cause problems.
  Bart
  snowface.net - snowboard equipement reviews

  Hi,
  dialogs are not opened by a GET request, which is what container managed authorization looks at. It basically bypasses this kind of security, which means that developers should check manually on teh command component that launches teh dialog if the authenticated user is allowed to do this. Also note that the default JSfnavigation is by postback which means you have to set all navigation to use the redirect flag to make it work with container managed security
  Frank