XML Security for Peoplesoft

Similar Messages

• Location of security xml files for groups

  We are having some issues migrating security(only) from one sysmte to another in EPM 11.1.2 for a planning application. Is there any other way to migrate security?
  Where are the xmls for each group's security stored?

  John,
  We are working with Oracle on an MSAD issue in one of our environments. One of their suggestions is to recreate the essbase.sec file. Since all security needs to be rebuilt from scratch after this happens(and we have A LOT of security), we were wondering if we could somehow save all the groups etc if we locate the xml's for the same. Would it be possible to save all the security for groups etc in shared services somehow?

• Web.xml - security constraint question

  I want to make a kind of inverted security constraint. I want to ALLOW access to one specific page over HTTP. All other pages should be HTTPS.
  Is that possible???

  Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
  Bean code:
  this.isAdmin = context.getExternalContext().isUserInRole("admin");web.xml:
          <security-role>
            <role-name>Local Admin Group</role-name>
       </security-role>
       <security-role>
            <role-name>DBA Group</role-name>
       </security-role>
      <!-- Faces Servlet -->
      <servlet>
          <servlet-name>Faces Servlet</servlet-name>
          <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
          <security-role-ref>
                <role-name>admin</role-name>
                <role-link>DBA Group</role-link>
         </security-role-ref>
          <security-role-ref>
                <role-name>admin</role-name>
                <role-link>Local Admin Group</role-link>
         </security-role-ref>
      </servlet>

• Help! web.xml security without using WAR files

  I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having alot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks.

  The RDBMSRealm is just the authentication mechanism underneath WLS versus the
  web.xml of the WebApplication which describes all the access control for that WebApp.
  the later being scoped only to that WebApp.
  you don't need to deploy in a war file, you can expand the archive into an identical
  directory structure and then just point us towards the top level of that structure.
  see: http://www.weblogic.com/docs51/classdocs/webappguide.html
  .paul
  chris wrote:
  I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having alot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks.

• How to establish WS Security for BPEL processes running on Web Logic

  We are running SOA Suite 10.1.3.4 on Web Logic Server 9.2.
  I have built BPEL processes and now want to implement WS Security for them, "Wssp1.2-Wss1.0-UsernameToken-Plain-X509-Basic256.xml" in particular. Have been researching but could not find any document for a Web Logic scenario; can any of you please give me some directions or blogs which might be helpul.
  Appreciate your help in advance.
  Thanks!

  Hi
  Check the Link
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/526bd490-0201-0010-038e-d3ff7eb1d16e
  Regards ,
  Venkat

• Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constaints

  Hello,
  I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into eclipse where they compile. A bean I made can call SambleCallbackHandler like such:
  mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identlify that it is authenticating me (I see in stdout logs that it shows success or failures. The problem I have is I do not know how to apply this weblogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
  <security-role>
       <role-name>Admins</role-name>
  </security-role>
  <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>default</realm-name>
       <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/badlogin.html</form-error-page>
       </form-login-config>
  </login-config>
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>empower</web-resource-name>
            <description>These pages are only accessible by authorized users.</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
       </web-resource-collection>
  <auth-constraint>
  <description>These are the roles who have access</description>
  <role-name>Administrators</role-name>
  </auth-constraint>
       <user-data-constraint>
       <description>This is how the user data must be transmitted</description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  My weblogic.xml has:
  <?xml version="1.0" encoding="UTF-8"?>
  <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <wls:security-role-assignment>
  <wls:role-name>Admins</wls:role-name>
  <wls:principal-name>Administrators</wls:principal-name>
  <wls:principal-name>dashap</wls:principal-name>
  </wls:security-role-assignment>
  </wls:weblogic-web-app>
  With this set up, if I try to go to a page in /admin folder in my application, it correctly pops up the login page. The jaas in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With jaas, can I not use the web.xml FORM security option? Do I Need to use j_security in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use j_username/j_password things if I am using jaas? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use jaas with the security featurs without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

  Hi John,
  I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
  I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
  Ideally, the flow is something like:
  - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
  - user presses a link or button that takes him/her to a protected resource
  - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
  - the application can access the subject and principals
  - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
  the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
  I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
  If you more ideas to share - I would love to hear them.
  best regards,
  Lucas

• Use XML Digital Signature(Apache XML security) with Applet

  I have problem when I use xml-security-1_2_1 library from Apache with applet and access denied errors occur.
  6 May 2005 10:06:45 org.apache.xml.security.Init init
  SEVERE: Bad:
  java.security.AccessControlException: access denied (java.util.PropertyPermission org.apache.xml.security.resource.config read)
  bla bla....
  How should I do ? Please! T_T and thank you ..

  An applet cannot read the local file system, connect to any other computer than the one
  it came from or read properties it's not supposed to read. And I think it cannot write to any
  property.
  If you sign the applet or set up a policy for it the applet can do the same as an application
  allthough the jre will still check the stack trace if the entire stack has the same privileges
  as you signed applet.
  http://forum.java.sun.com/thread.jsp?forum=63&thread=524815
  second post and last post for the java class file

• XML Secure Documents

  Is it possible to ensure a XML document is secure for different users. In other words can you password protect diferent areas of a document to be posted on the Web. Only valid users can gain access to one XML document for their details. Ie one file , many secure different locations on this document for the users. Possible ???
  null

  Did you solve this? If so, could you please share?

• Web.xml: security-constraint [un]usable in JSF?

  <security-constraint> in web.xml is a simple, effective and portable method of declaring a web application�s security policies.
  It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has it�s limitations in the context of jsf.
  A reasonable solution would be to consult <security-constraint> elements in one�s own web.xml when rendering <h:commandLink>'s on a page according to the security policy.
  Unfortunately, there is no standard method of reading web.xml, other than what�s available from the ServletContext.
  I found some container specific-implementations in the Cargo project from the http://cargo.codehaus.org,
  but I�m looking for a portable solution. Any thoughts?
  Thanks, y�all!

  Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
  Bean code:
  this.isAdmin = context.getExternalContext().isUserInRole("admin");web.xml:
          <security-role>
            <role-name>Local Admin Group</role-name>
       </security-role>
       <security-role>
            <role-name>DBA Group</role-name>
       </security-role>
      <!-- Faces Servlet -->
      <servlet>
          <servlet-name>Faces Servlet</servlet-name>
          <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
          <security-role-ref>
                <role-name>admin</role-name>
                <role-link>DBA Group</role-link>
         </security-role-ref>
          <security-role-ref>
                <role-name>admin</role-name>
                <role-link>Local Admin Group</role-link>
         </security-role-ref>
      </servlet>

• XML example for testing query with soapui

  Hello,
  I am trying to build a query using XML with the downloaded Contact Custom.wsdl.
  I did get a msg complaining about that there were no session. I've looked into the Web Services.pdf doc and see the description about session, etc.
  I'd appreciate if I could get a XML example for doing the authentication / session ... If you have a query example would be nice too...
  Txs. a lot.

  Hello,
  Here is a sample QueryPage request for the Contact object containing the UserName and password tokens:
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"><soap:Header>
  <wsse:Security>
  <wsse:UsernameToken>
  <wsse:UserName>[username]</wsse:UserName>
  <wsse:Password>[password]</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soap:Header>
  <soap:Body>
  <ContactWS_ContactQueryPage_Input xmlns="urn:crmondemand/ws/contact/10/2004">
  <UseChildAnd>true</UseChildAnd>
  <PageSize>100</PageSize>
  <ListOfContact>
  <Contact>
  <ContactId></ContactId>
  <ContactFirstName></ContactFirstName>
  <ContactLastName></ContactLastName>
  </Contact></ListOfContact>
  <StartRowNum>0</StartRowNum></ContactWS_ContactQueryPage_Input></soap:Body></soap:Envelope>
  Thanks,
  Sean

• Does anyone have a good server.xml file for tomcat?

  I am trying to link apache and tomcat on a RedHat 9 computer. I previously posted a message stating that I could not get tomcat to "automagically" make the configuration files (mod_jk.conf-auto) that all the manuals promised it would. However, I found that my problem was the lack of an ApacheConfig tag in the server.xml file. After looking at my server.xml file, I found that it was much more simplistic than I would hoped = it did not have enough comments or commented out options. It had none of the directives that the manuals said it included by default.
  In short, does anyone who has apache and tomcat linked have a server.xml file that I can look at so that I can figure out what I must add to mine to get tomcat working with apache? I would greatly appreciate it if you could copy and paste the whole thing here.
  Thank you very much in advance.
  Edward S. Rice

  Hi!
  I am having the Apache-Tomcat4.0 version installed on a Win2000 machine. I am pasting here my server.xml. Hope it will be useful to you. I even didnot do much modifications to my server.xml except for adding a context.
  Please come back if problem persists.
  <!-- Example Server Configuration File -->
  <!-- Note that component elements are nested corresponding to their
  parent-child relationships with each other -->
  <!-- A "Server" is a singleton element that represents the entire JVM,
  which may contain one or more "Service" instances. The Server
  listens for a shutdown command on the indicated port.
  Note: A "Server" is not itself a "Container", so you may not
  define subcomponents such as "Valves" or "Loggers" at this level.
  -->
  <Server port="8005" shutdown="SHUTDOWN" debug="0">
  <!-- A "Service" is a collection of one or more "Connectors" that share
  a single "Container" (and therefore the web applications visible
  within that Container). Normally, that Container is an "Engine",
  but this is not required.
  Note: A "Service" is not itself a "Container", so you may not
  define subcomponents such as "Valves" or "Loggers" at this level.
  -->
  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Tomcat-Standalone">
  <!-- A "Connector" represents an endpoint by which requests are received
  and responses are returned. Each Connector passes requests on to the
  associated "Container" (normally an Engine) for processing.
  By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
  You can also enable an SSL HTTP/1.1 Connector on port 8443 by
  following the instructions below and uncommenting the second Connector
  entry. SSL support requires the following steps (see the SSL Config
  HOWTO in the Tomcat 4.0 documentation bundle for more detailed
  instructions):
  * Download and install JSSE 1.0.2 or later, and put the JAR files
  into "$JAVA_HOME/jre/lib/ext".
  * Execute:
  %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
  $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
  with a password value of "changeit" for both the certificate and
  the keystore itself.
  By default, DNS lookups are enabled when a web application calls
  request.getRemoteHost(). This can have an adverse impact on
  performance, so you can disable it by setting the
  "enableLookups" attribute to "false". When DNS lookups are disabled,
  request.getRemoteHost() will return the String version of the
  IP address of the remote client.
  -->
  <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
  port="8080" minProcessors="5" maxProcessors="75"
  enableLookups="true" redirectPort="8443"
  acceptCount="10" debug="0" connectionTimeout="60000"/>
  <!-- Note : To disable connection timeouts, set connectionTimeout value
  to -1 -->
  <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
  <!--
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
  port="8443" minProcessors="5" maxProcessors="75"
  enableLookups="true"
       acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
  clientAuth="false" protocol="TLS"/>
  </Connector>
  -->
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <!--
  <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
  port="8009" minProcessors="5" maxProcessors="75"
  acceptCount="10" debug="0"/>
  -->
  <!-- Define a Proxied HTTP/1.1 Connector on port 8081 -->
  <!-- See proxy documentation for more information about using this. -->
  <!--
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
  port="8081" minProcessors="5" maxProcessors="75"
  enableLookups="true"
  acceptCount="10" debug="0" connectionTimeout="60000"
  proxyPort="80"/>
  -->
  <!-- Define a non-SSL HTTP/1.0 Test Connector on port 8082 -->
  <!--
  <Connector className="org.apache.catalina.connector.http10.HttpConnector"
  port="8082" minProcessors="5" maxProcessors="75"
  enableLookups="true" redirectPort="8443"
  acceptCount="10" debug="0"/>
  -->
  <!-- An Engine represents the entry point (within Catalina) that processes
  every request. The Engine implementation for Tomcat stand alone
  analyzes the HTTP headers included with the request, and passes them
  on to the appropriate Host (virtual host). -->
  <!-- Define the top level container in our container hierarchy -->
  <Engine name="Standalone" defaultHost="localhost" debug="0">
  <!-- The request dumper valve dumps useful debugging information about
  the request headers and cookies that were received, and the response
  headers and cookies that were sent, for all requests received by
  this instance of Tomcat. If you care only about requests to a
  particular virtual host, or a particular application, nest this
  element inside the corresponding <Host> or <Context> entry instead.
  For a similar mechanism that is portable to all Servlet 2.3
  containers, check out the "RequestDumperFilter" Filter in the
  example application (the source for this filter may be found in
  "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
  Request dumping is disabled by default. Uncomment the following
  element to enable it. -->
  <!--
  <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
  -->
  <!-- Global logger unless overridden at lower levels -->
  <Logger className="org.apache.catalina.logger.FileLogger"
  prefix="catalina_log." suffix=".txt"
  timestamp="true"/>
  <!-- Because this Realm is here, an instance will be shared globally -->
  <Realm className="org.apache.catalina.realm.MemoryRealm" />
  <!-- Replace the above Realm with one of the following to get a Realm
  stored in a database and accessed via JDBC -->
  <!--
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://localhost/authority?user=test;password=test"
  userTable="users" userNameCol="user_name" userCredCol="user_pass"
  userRoleTable="user_roles" roleNameCol="role_name" />
  -->
  <!--
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
  driverName="oracle.jdbc.driver.OracleDriver"
  connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL?user=scott;password=tiger"
  userTable="users" userNameCol="user_name" userCredCol="user_pass"
  userRoleTable="user_roles" roleNameCol="role_name" />
  -->
  <!--
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
  driverName="sun.jdbc.odbc.JdbcOdbcDriver"
  connectionURL="jdbc:odbc:CATALINA"
  userTable="users" userNameCol="user_name" userCredCol="user_pass"
  userRoleTable="user_roles" roleNameCol="role_name" />
  -->
  <!-- Define the default virtual host -->
  <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">
  <!-- Normally, users must authenticate themselves to each web app
  individually. Uncomment the following entry if you would like
  a user to be authenticated the first time they encounter a
  resource protected by a security constraint, and then have that
  user identity maintained across all web applications contained
  in this virtual host. -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
  debug="0"/>
  -->
  <!-- Access log processes all requests for this virtual host. By
  default, log files are created in the "logs" directory relative to
  $CATALINA_HOME. If you wish, you can specify a different
  directory with the "directory" attribute. Specify either a relative
  (to $CATALINA_HOME) or absolute path to the desired directory.
  -->
  <Valve className="org.apache.catalina.valves.AccessLogValve"
  directory="logs" prefix="localhost_access_log." suffix=".txt"
  pattern="common"/>
  <!-- Logger shared by all Contexts related to this virtual host. By
  default (when using FileLogger), log files are created in the "logs"
  directory relative to $CATALINA_HOME. If you wish, you can specify
  a different directory with the "directory" attribute. Specify either a
  relative (to $CATALINA_HOME) or absolute path to the desired
  directory.-->
  <Logger className="org.apache.catalina.logger.FileLogger"
  directory="logs" prefix="localhost_log." suffix=".txt"
       timestamp="true"/>
  <!-- Define properties for each web application. This is only needed
  if you want to set non-default properties, or have web application
  document roots in places other than the virtual host's appBase
  directory. -->
  <!-- Tomcat Root Context -->
  <!--
  <Context path="" docBase="ROOT" debug="0"/>
  -->
            <Context path="/vijay" docBase="D:\Java\servlets" debug="0"/>
  <!-- Tomcat Manager Context -->
  <Context path="/manager" docBase="manager"
  debug="0" privileged="true"/>
  <!-- Tomcat Examples Context -->
  <Context path="/examples" docBase="examples" debug="0"
  reloadable="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
  prefix="localhost_examples_log." suffix=".txt"
       timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
  home="com.wombat.empl.EmployeeRecordHome"
  remote="com.wombat.empl.EmployeeRecord"/>
  <!-- PersistentManager: Uncomment the section below to test Persistent
            Sessions.
  saveOnRestart: If true, all active sessions will be saved
  to the Store when Catalina is shutdown, regardless of
  other settings. All Sessions found in the Store will be
  loaded on startup. Sessions past their expiration are
  ignored in both cases.
  maxActiveSessions: If 0 or greater, having too many active
  sessions will result in some being swapped out. minIdleSwap
  limits this. -1 means unlimited sessions are allowed.
  0 means sessions will almost always be swapped out after
  use - this will be noticeably slow for your users.
  minIdleSwap: Sessions must be idle for at least this long
  (in seconds) before they will be swapped out due to
  maxActiveSessions. This avoids thrashing when the site is
  highly active. -1 or 0 means there is no minimum - sessions
  can be swapped out at any time.
  maxIdleSwap: Sessions will be swapped out if idle for this
  long (in seconds). If minIdleSwap is higher, then it will
  override this. This isn't exact: it is checked periodically.
  -1 means sessions won't be swapped out for this reason,
  although they may be swapped out for maxActiveSessions.
  If set to >= 0, guarantees that all sessions found in the
  Store will be loaded on startup.
  maxIdleBackup: Sessions will be backed up (saved to the Store,
  but left in active memory) if idle for this long (in seconds),
  and all sessions found in the Store will be loaded on startup.
  If set to -1 sessions will not be backed up, 0 means they
  should be backed up shortly after being used.
  To clear sessions from the Store, set maxActiveSessions, maxIdleSwap,
  and minIdleBackup all to -1, saveOnRestart to false, then restart
  Catalina.
  -->
            <!--
  <Manager className="org.apache.catalina.session.PersistentManager"
  debug="0"
  saveOnRestart="true"
  maxActiveSessions="-1"
  minIdleSwap="-1"
  maxIdleSwap="-1"
  maxIdleBackup="-1">
  <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
            -->
  <Environment name="maxExemptions" type="java.lang.Integer"
  value="15"/>
  <Parameter name="context.param.name" value="context.param.value"
  override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
  type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
  <parameter><name>user</name><value>sa</value></parameter>
  <parameter><name>password</name><value></value></parameter>
  <parameter><name>driverClassName</name>
  <value>org.hsql.jdbcDriver</value></parameter>
  <parameter><name>driverName</name>
  <value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container"
  type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
  <parameter>
  <name>mail.smtp.host</name>
  <value>localhost</value>
  </parameter>
  </ResourceParams>
  </Context>
  </Host>
  </Engine>
  </Service>
  <!-- The MOD_WEBAPP connector is used to connect Apache 1.3 with Tomcat 4.0
  as its servlet container. Please read the README.txt file coming with
  the WebApp Module distribution on how to build it.
  (Or check out the "jakarta-tomcat-connectors/webapp" CVS repository)
  To configure the Apache side, you must ensure that you have the
  "ServerName" and "Port" directives defined in "httpd.conf". Then,
  lines like these to the bottom of your "httpd.conf" file:
  LoadModule webapp_module libexec/mod_webapp.so
  WebAppConnection warpConnection warp localhost:8008
  WebAppDeploy examples warpConnection /examples/
  The next time you restart Apache (after restarting Tomcat, if needed)
  the connection will be established, and all applications you make
  visible via "WebAppDeploy" directives can be accessed through Apache.
  -->
  <!-- Define an Apache-Connector Service -->
  <Service name="Tomcat-Apache">
  <Connector className="org.apache.catalina.connector.warp.WarpConnector"
  port="8008" minProcessors="5" maxProcessors="75"
  enableLookups="true"
  acceptCount="10" debug="0"/>
  <!-- Replace "localhost" with what your Apache "ServerName" is set to -->
  <Engine className="org.apache.catalina.connector.warp.WarpEngine"
  name="Apache" debug="0" appBase="webapps">
  <!-- Global logger unless overridden at lower levels -->
  <Logger className="org.apache.catalina.logger.FileLogger"
  prefix="apache_log." suffix=".txt"
  timestamp="true"/>
  <!-- Because this Realm is here, an instance will be shared globally -->
  <Realm className="org.apache.catalina.realm.MemoryRealm" />
  </Engine>
  </Service>
  </Server>

• Apache XML Security

  hi
  i use Apache XML Security API for document sign
  sig.addDocument("file:/d:/test.xml", transforms, Constants.ALGO_ID_DIGEST_SHA1);
  how i can sign a pdf ,docx .... with Apache XML Security API ?
  it does not work
  sig.addDocument("file:/d:/test.pdf"...
  which java APIs you advice for me sign pdf ,doc,giff and more with around XADES?
  please help

  please read my post before replying...i stated that that page has a link to the docs yes...click it...404

• Web.xml / weblogic.xml security

  Let's say I define security constraints in the web.xml file for my web application
  using the security-constraint,auth-constraint, and security-role tags. Does this
  mean that in order to add a new user I must modify weblogic.xml and specify a
  new security-role-assignment? Can I specify a group name as a principal, or is
  there a way to programatically add new users? Any help would be greatly appreciated.
  Thank you.

  yes, you can use groups as principals in weblogic.xml. then permissions are
  managed through the user-group relationship.
  "Leonard Pham" <[email protected]> wrote in message
  news:3b657f8a$[email protected]..
  >
  Let's say I define security constraints in the web.xml file for my webapplication
  using the security-constraint,auth-constraint, and security-role tags.Does this
  mean that in order to add a new user I must modify weblogic.xml andspecify a
  new security-role-assignment? Can I specify a group name as a principal,or is
  there a way to programatically add new users? Any help would be greatlyappreciated.
  Thank you.

• Weblogic.xml.security.SecurityConfigurationException running encrypt example

  Hi,
  I am trying to run the tutorial examples that are detailed at http://webservice.bea.com.
  I am having problems running the encrypt SOAP messages example.
  The command line client version works fine (the full transaction goes smoothly,
  returning me the string I sent using the encryption). The browser version, though
  , gives me an error.
  (See attached).
  I am using WLS 8.1. sp2.
  I configured the server keystore and client keystore using the command line utilities
  included
  in the zipped example.
  I configured the servers default identity asserter as well as the ssl & keystore
  according to the
  instructions of the zipped file.
  Thanks in advance.

  i meet the same problem as Juan Campos'.
  the error information as follow:
  Request sent to the server
  <!--REQUEST.................-->
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <env:Header>
  </env:Header>
  <env:Body>
  <env:Fault>
  <faultcode>env:Server</faultcode>
  <faultstring>Exception during processing: weblogic.xml.security.SecurityConfigurationException: Service requires signed requests, but no Token was provided (see Fault Detail for stacktrace)</faultstring>
  <detail>
  <bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">weblogic.xml.security.SecurityConfigurationException: Service requires signed requests, but no Token was provided
       at weblogic.webservice.core.handler.WSSEClientHandler.processSpecs(WSSEClientHandler.java:325)
       at weblogic.webservice.core.handler.WSSEClientHandler.handleRequest(WSSEClientHandler.java:101)
       at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:143)
       at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:231)
       at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:143)
       at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
       at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:423)
       at weblogic.webservice.server.servlet.ServletBase.invokeMultiOutput(ServletBase.java:349)
       at weblogic.webservice.server.servlet.WebServiceServlet.invokeMultiOutput(WebServiceServlet.java:354)
       at weblogic.webservice.server.servlet.ServletBase.invokeOperation(ServletBase.java:300)
       at weblogic.webservice.server.servlet.WebServiceServlet.invokeOperation(WebServiceServlet.java:344)
       at weblogic.webservice.server.servlet.ServletBase.handleGet(ServletBase.java:266)
       at weblogic.webservice.server.servlet.ServletBase.doGet(ServletBase.java:158)
       at weblogic.webservice.server.servlet.WebServiceServlet.doGet(WebServiceServlet.java:255)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:971)
       at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:402)
       at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6350)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
       at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3635)
       at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
  </bea_fault:stacktrace>
  </detail>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  Response from the server
  <!--RESPONSE.................-->
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <env:Header>
  </env:Header>
  <env:Body>
  <env:Fault>
  <faultcode>env:Server</faultcode>
  <faultstring>Exception during processing: weblogic.xml.security.SecurityConfigurationException: Service requires signed requests, but no Token was provided (see Fault Detail for stacktrace)</faultstring>
  <detail>
  <bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">weblogic.xml.security.SecurityConfigurationException: Service requires signed requests, but no Token was provided
       at weblogic.webservice.core.handler.WSSEClientHandler.processSpecs(WSSEClientHandler.java:325)
       at weblogic.webservice.core.handler.WSSEClientHandler.handleRequest(WSSEClientHandler.java:101)
       at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:143)
       at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:231)
       at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:143)
       at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
       at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:423)
       at weblogic.webservice.server.servlet.ServletBase.invokeMultiOutput(ServletBase.java:349)
       at weblogic.webservice.server.servlet.WebServiceServlet.invokeMultiOutput(WebServiceServlet.java:354)
       at weblogic.webservice.server.servlet.ServletBase.invokeOperation(ServletBase.java:300)
       at weblogic.webservice.server.servlet.WebServiceServlet.invokeOperation(WebServiceServlet.java:344)
       at weblogic.webservice.server.servlet.ServletBase.handleGet(ServletBase.java:266)
       at weblogic.webservice.server.servlet.ServletBase.doGet(ServletBase.java:158)
       at weblogic.webservice.server.servlet.WebServiceServlet.doGet(WebServiceServlet.java:255)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:971)
       at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:402)
       at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6350)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
       at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3635)
       at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
  </bea_fault:stacktrace>
  </detail>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  i try Bruce Stephens' advise,but don't know exactly how to do,(which certificate should be imported?)will someone please tell the details?

• XML Security - How to sign a single TAG

  Hello there!
  Well, recently I start to develp some apps, using XML Security from OSDT (Oracle Security Developer Tools), I got the sample code for:
  SimpleSing
  SignAndEncrypt
  I understand how this works, based on W3C standard for XML Digial Signature. I can did my app works fine ...
  By now, i get some doubts about some issues, It's possible to do a signature for only one TAG from the original XML, i.e.:
  &lt;?xml version="1.0"?&gt;
  &lt;account&gt;
  &lt;name&gt;My Name&lt;/name&gt;
  &lt;id&gt;231233&lt;/id&gt;
  &lt;amount&gt;2313.00&lt;/amount&gt;
  &lt;location&gt;US&lt;/location&gt;
  &lt;account&gt;
  I need to know if i can apply a Digital Signature for only TAG <amount>.
  This is possible? I read few documents about Signatures, but i didnt get lucky.
  thanks in advance
  VieL.
  Edited by: user2051378 on Nov 20, 2008 2:59 PM
  Edited by: user2051378 on Nov 20, 2008 3:03 PM

  Ok, I got other solution, the elegant solution :)
  I just read the [XML Signature XPath Filter 2.0|http://www.w3.org/TR/xmldsig-filter2/|XML Signature XPath Filter 2.0] recommendation and I can apply this using the OSDT API.
  And I just need to specify a XPath expression (like ram* said, and without extra-steps) in the Transform Element, like this:
  XSSignature sig = XSSignature.newInstance(doc, "Sig");
  XSReference ref = sig.createReference();
  XSAlgorithmIdentifier est = sig.createXPathTransform("dsig", XMLURI.ns_xmldsig, "{color:#ff0000}ancestor-or-self::_*aTagName*_{color}");
  ref.addTransform(est);
  and this generate a XML Signature like this:
  &lt;dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Sig"&gt;
  &lt;dsig:SignedInfo Id="Sig.SigInfo"&gt;
  &lt;dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/&gt;
  &lt;dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/&gt;
  &lt;dsig:Reference Id="Sig.Ref" URI=""&gt;
  &lt;dsig:Transforms&gt;
  &lt;dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"&gt;
  &lt;dsig:XPath&gt;{color:#ff0000}ancestor-or-self::_aTagName_{color}&lt;/dsig:XPath&gt;
  &lt;/dsig:Transform&gt;
  &lt;/dsig:Transforms&gt;
  &lt;dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/&gt;
  &lt;dsig:DigestValue&gt;HKlJpmpS5AhpC95I4EG9yN53vxk=&lt;/dsig:DigestValue&gt;
  &lt;/dsig:Reference&gt;
  &lt;/dsig:SignedInfo&gt;
  &lt;dsig:SignatureValue Id="EnvelopedSig.SigValue"&gt;
  GLsrWNnKR1EgVHTLgCxPZtEx/wk18MvOcG7wd2ua066jAaT5xn10qXuU66tgozt6M2AERvgbh6+ZXUwMvyNcPw==
  &lt;/dsig:SignatureValue&gt;
  &lt;dsig:KeyInfo Id="Sig.KeyInfo"&gt;
  &lt;dsig:KeyValue&gt;
  &lt;dsig:RSAKeyValue&gt;
  &lt;dsig:Modulus&gt;
  xyKQm6k42cha9kAt5SlT/Lg2iZhz7t3tV3Ow7TCgoN3YH2sIIC4dEjMbIPwkLpVwMSLUDCcu0sEI6JK4bgt0EQ==
  &lt;/dsig:Modulus&gt;
  &lt;dsig:Exponent&gt;AQAB&lt;/dsig:Exponent&gt;
  &lt;/dsig:RSAKeyValue&gt;
  &lt;/dsig:KeyValue&gt;
  &lt;/dsig:KeyInfo&gt;
  &lt;/dsig:Signature&gt;
  The recommendation said that there are 3 kinds of Filters, intersect, substract and union. Well to can sign just a TAG I used the intersect filter.
  Now, It's more easy to sign a part of a XML ...
  Rgds
  VieL.