XWS-Security, JAAS and role-based authorization

What is my best bet to try to authorize users to use certain web services? For example, let's say a user logs into a web application A, who connects to a web application B implementing Web Services and XWSS.
A passes along the userNameToken, and B authenticates it (let's say, using JAAS). Now it needs to authorize the user to use the actual web service. Can I do this with JAAS? What is the best way to define the policies? Does it mean I have to create PrivilegedActions for every webservice? What are my other alternatives besides JAAS?
Thanks in advance.

Alternatively, is there a way to see which web service the client is requesting from the SecurityEnvironmentHandler (callbackHandler)?

Similar Messages

  • NxOS and Role Based Authorization

    Guys,
    Basic setup - using default default user admin I login and no problems - commands such as show mod and config changes, no problem: role =
    network-admin
    I create a user account with the same role as the admin user and I cannot issue the same commands - permission denied?
    Stumped - any ideas what's missing here?
    Thanks

    Out of desperation, I tried combinations of shorter usernames, similar to the admin username
    The result - for whatever reason it seems (I cannot confirm as such) if you use usernames for authentication locally in excess of 8 characters you cannot get full network-admin role privilidges
    even though when you do a show user-account, it displays your full username and the correct role.
    It seems almost as if the authenticaion element works, but the the role categorisation seems to fail for whatever reason (what I would call authorisation).
    Feels like a bug to me, anyway putting it on tacacs tomorrow hopefully with different results
    I am running 4.2(1)SV1(4) on an nexus 1000v.  I hope this saves you some time.
    Apologies if this is a known issue or "feature" - but I was not aware of it. 

  • How to set role based Authorization in JAAS

    how to set role based Authorization in JAAS
    i had user name , password and role in FileLogin
    thanks
    arun .v.

    http://dev2dev.bea.com/pub/a/2003/04/Kemp_Helton.html?page=last

  • Custom security JHeadstart 11gTP1 -Use Role-based Authorization is missing

    In JHeadstart 11g TP1 the option Use Role-based Authorization is missing.
    Will this option only be available in de production release of JHeadstart 11g? What is the reason why this is missing? Is it still possible to use CUSTOM authorization in JHeadstart 11g TP1?

    It is not missing.
    If you turn on custom authorization, you can specify your own roles against groups to access them, and use role names in the insert allowed/update allowed and delete allowed expressions.
    Steven Davelaar,
    JHeadstart Team.

  • Can't use role-based authorization

    We can't use role-based authorization because the permissions
    and their assignments change frequently. Is there any alternative
    where we can still use WLS to handle security?

    Dave,
    If you're using WLS6 the console supports dynamic user updates so you could
    change each users configuration as needed.
    Alex
    Dave <[email protected]> wrote in message
    news:3a672c81$[email protected]..
    >
    We can't use role-based authorization because the permissions
    and their assignments change frequently. Is there any alternative
    where we can still use WLS to handle security?

  • Difference between ID and Role based Administration - Firefighter 5.3

    In GRC AC 5.3 Firefighter, security guide, there are two sections for role design,
    1. Firefighter Role based Administration
    2. Firefighter ID based Administration
    Can someone explain what is the difference between the two?
    I have read the documentation, but it does not have a clear description of the
    differences between the two.
    Please help.
    Thanks

    HI Prakash,
    Though both of them eventually achieve the same function, that is giving access rights to the user for a certain period under monitring these differ based on the following:
    1. Firefighter Role based Administration
    You identlfy a particular role as a firefighter role and give it to the user.
    2. Firefighter ID based Administration
    You create a separate user altogether and give the normal dialog user, the access to this user's authorization.
    For the implication that both of these have and the differences or comparisons between using 1 & 2, I would suggest you do a bit of Mock testing for both of these. Also, there are a lot of posts related to this on the forum already, which you can refer to, for getting a more detailed idea on this topic. Unlimately, it depends on organization to organization which methodology they folow as per what suits them, according to features which both have. But generally what is preferred is Number 2.
    Regards,
    Hersh.

  • Privileges and Roles Based Views

    Hello,
    I have been confguring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great.  I have 2 users, one with a Roles Base View called "priv3" and the other is for admins of login as the "root" view.  I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
    Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!!  fI you know if they can then all this would be solved, I've using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
    How can convert the Roles Base Views to privileges and use radius and not effect the other switches,as I've never used privilges.
    I hope someone can help with the config:
    Below is the config I use on the 2960's and 3750's and also what I use on the radius servers.  I guess I would need ot use a priv 15 setup and a custom view called priv3?
    Priv3 radius user settings
    cisco av-pair cli-view-name=priv3
    Priv 15 or root user settings
    cisco av-pair shell:priv-lvl=15
    cisco av-pair shell:cli-view-name=root
    Config:
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname 3750
    boot-start-marker
    boot-end-marker
    logging buffered 64000
    logging console informational
    logging monitor informational
    enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
    username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
    username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default line
    aaa authorization console
    aaa authorization exec default group radius local
    aaa session-id common
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
    switch 1 provision ws-c3750g-12s
    switch 2 provision ws-c3750g-12s
    system mtu routing 1500
    udld aggressive
    no ip domain-lookup
    ip domain-name CB-DI
    login on-failure log
    login on-success log
    crypto pki trustpoint TP-self-signed-3817403392
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3817403392
    revocation-check none
    rsakeypair TP-self-signed-3817403392
    crypto pki certificate chain TP-self-signed-3817403392
    certificate self-signed 01
      removed
      quit
    archive
    log config
      logging enable
      logging size 200
      notify syslog contenttype plaintext
      hidekeys
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    spanning-tree vlan 10 priority 8192
    vlan internal allocation policy ascending
    ip ssh version 2
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/24
    interface Vlan1
    description ***Default VLAN not to be used***
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    interface Vlan10
    description ****
    ip address 10.10.150.11 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    ip default-gateway 10.10.150.1
    ip classless
    no ip http server
    ip http secure-server
    logging trap notifications
    logging facility local4
    logging source-interface Vlan10
    logging 10.10.21.8
    logging 172.23.1.3
    access-list 23 permit 10.10.1.65
    snmp-server community transm1t! RO
    snmp-server trap-source Vlan10
    radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
    radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    exec-timeout 60 0
    logging synchronous
    line vty 0 4
    access-class 23 in
    exec-timeout 60 0
    logging synchronous
    transport input ssh
    line vty 5 14
    access-class 23 in
    no exec
    transport input ssh
    parser view priv3
    secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
    ! Last configuration change at 16:34:56 BST Fri Apr 13 2012
    commands interface include shutdown
    commands interface include no shutdown
    commands interface include no
    commands configure include interface
    commands exec include configure terminal
    commands exec include configure
    commands exec include show ip interface brief
    commands exec include show ip interface
    commands exec include show ip
    commands exec include show arp
    commands exec include show privilege
    commands exec include show interfaces status
    commands exec include show interfaces Vlan10 status
    commands exec include show interfaces Vlan1 status
    commands exec include show interfaces GigabitEthernet2/0/12 status
    commands exec include show interfaces GigabitEthernet2/0/11 status
    commands exec include show interfaces GigabitEthernet2/0/10 status
    commands exec include show interfaces GigabitEthernet2/0/9 status
    commands exec include show interfaces GigabitEthernet2/0/8 status
    commands exec include show interfaces GigabitEthernet2/0/7 status
    commands exec include show interfaces GigabitEthernet2/0/6 status
    commands exec include show interfaces GigabitEthernet2/0/5 status
    commands exec include show interfaces GigabitEthernet2/0/4 status
    commands exec include show interfaces GigabitEthernet2/0/3 status
    commands exec include show interfaces GigabitEthernet2/0/2 status
    commands exec include show interfaces GigabitEthernet2/0/1 status
    commands exec include show interfaces GigabitEthernet1/0/12 status
    commands exec include show interfaces GigabitEthernet1/0/11 status
    commands exec include show interfaces GigabitEthernet1/0/10 status
    commands exec include show interfaces GigabitEthernet1/0/9 status
    commands exec include show interfaces GigabitEthernet1/0/8 status
    commands exec include show interfaces GigabitEthernet1/0/7 status
    commands exec include show interfaces GigabitEthernet1/0/6 status
    commands exec include show interfaces GigabitEthernet1/0/5 status
    commands exec include show interfaces GigabitEthernet1/0/4 status
    commands exec include show interfaces GigabitEthernet1/0/3 status
    commands exec include show interfaces GigabitEthernet1/0/2 status
    commands exec include show interfaces GigabitEthernet1/0/1 status
    commands exec include show interfaces Null0 status
    commands exec include show interfaces
    commands exec include show configuration
    commands exec include show
    commands configure include interface GigabitEthernet1/0/1
    commands configure include interface GigabitEthernet1/0/2
    commands configure include interface GigabitEthernet1/0/3
    commands configure include interface GigabitEthernet1/0/4
    commands configure include interface GigabitEthernet1/0/5
    commands configure include interface GigabitEthernet1/0/6
    commands configure include interface GigabitEthernet1/0/7
    commands configure include interface GigabitEthernet1/0/8
    commands configure include interface GigabitEthernet1/0/9
    commands configure include interface GigabitEthernet1/0/10
    commands configure include interface GigabitEthernet1/0/11
    commands configure include interface GigabitEthernet1/0/12
    commands configure include interface GigabitEthernet2/0/1
    commands configure include interface GigabitEthernet2/0/2
    commands configure include interface GigabitEthernet2/0/3
    commands configure include interface GigabitEthernet2/0/4
    commands configure include interface GigabitEthernet2/0/5
    commands configure include interface GigabitEthernet2/0/6
    commands configure include interface GigabitEthernet2/0/7
    commands configure include interface GigabitEthernet2/0/8
    commands configure include interface GigabitEthernet2/0/9
    commands configure include interface GigabitEthernet2/0/10
    commands configure include interface GigabitEthernet2/0/11
    commands configure include interface GigabitEthernet2/0/12
    ntp logging
    ntp clock-period 36028961
    ntp server 10.10.1.33
    ntp server 10.10.1.34
    end
    Thanks!!!!

    DBelt --
    Hopefully this example suffices.
    Setup
    SQL> CREATE USER test IDENTIFIED BY test;
    User created.
    SQL> GRANT CREATE SESSION TO test;
    Grant succeeded.
    SQL> GRANT CREATE PROCEDURE TO test;
    Grant succeeded.
    SQL> CREATE ROLE test_role;
    Role created.
    SQL> GRANT CREATE SEQUENCE TO test_role;
    Grant succeeded.
    SQL> GRANT test_role TO test;
    logged on as Test
    SQL> CREATE OR REPLACE PACKAGE definer_rights_test
      2  AS
      3          PROCEDURE test_sequence;
      4  END definer_rights_test;
      5  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
      2  AS
      3          PROCEDURE test_sequence
      4          AS
      5          BEGIN
      6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
      7          END;
      8  END definer_rights_test;
      9  /
    Package body created.
    SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
      2  AUTHID CURRENT_USER
      3  AS
      4          PROCEDURE test_sequence;
      5  END invoker_rights_test;
      6  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
      2  AS
      3          PROCEDURE test_sequence
      4          AS
      5          BEGIN
      6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
      7          END;
      8  END invoker_rights_test;
      9  /
    Package body created.
    SQL> EXEC definer_rights_test.test_sequence;
    BEGIN definer_rights_test.test_sequence; END;
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
    ORA-06512: at line 1
    SQL> EXEC invoker_rights_test.test_sequence;
    PL/SQL procedure successfully completed.
    SQL> SELECT test_seq.NEXTVAL from dual;
                 NEXTVAL
                       1

  • BlazeDS role based authorization

    Hi,
    I'm half the way in developing a POC for using flex as the front end of our application and I'm having some security issues.
    I'm using JBoss with JAAS and I figured that using BlazeDS just uses JAAS login module to perform authentication.
    * Will it use JAAS for authorization too? Will EJB method level permission will still apply?
    * How can I use the Subject/Principals/Policies in the client side flex application to inflect some UI restrictions on unauthorized operations?
    Thanks,
    Eyal

    Hey Jiby,
    I already posted this question to the forum http://swforum.sun.com/jive/thread.jspa?threadID=44893&tstart=15 prior to opening this ticket with Sun
    Regards
    Matthew Key

  • Portal and role based access

    We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
    We are trying to kind of use our portal as a web VPN. Also we wanted to use strong access control.... Are there any ideas other than using SSL VPN's.
    -thanks

    1. You can configure your portal on HTTPS (SSL). That keeps it on secure SSL layer.
    2. Have SSO to distinguish between authenticated_users (logged in users like your employees, partners, etc) and un-authenticated_users (Guest).
    3. Use Groups for translating roles for your users. i.e., Make Groups for your users based on what you called as roles in your message.
    4. Assign access privileges available in portals for pages and portal objects according to your needs to these Groups.
    I dont think VPN will be needed when you are having an extranet-portal (as you hinted internet for guests).
    You can have a darn strong access control using this mechanism.
    hope that helps!
    AMN

  • AAA and Role based access (NPS)

    Hi
    I authenticate all my cisco switches and routers with AAA + NPS + AD
    A server runs NPS service with cisco attribute shell:priv-lvl=15 or 5, depending of AD group.
    But I'd like configure role based with IOS view.
    When I issue the enable view command,  I get
    Password:
    I tried with my AD password, enable configurated password, and always gets
    % Authentication failed
    Mi line vty config
    line vty 0 4
    authorization exec VTY-AAA
    login authentication VTY-AAA
    transport input ssh

    Have you gone through the below listed parser view configuration example. Please check here
    View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
    AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
    In case you still have any issues, run debug parser view and share the output, I'll try to help.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • OBIEE SSO enabling and role based reporting

    Hi,
    I had installed SOA10.1.3.1.0 and OBIEE10.1.3.4.0 already on my WINDOWS. I understand that I need to install 10.1.4 infrastructure to enable SSO in OBIEE, can you please tell me what is 10.1.4 infrastructure? is it equivelent to Oracle Identity Management Infrastructure and Oracle Identity Federation 10.1.4? I tried to download this from OTN since last night, but the page is always unaccessible. Where can I download 10.1.4 infrastructure except otn?
    I have another question regarding to the role based reporting with SSO. We want users to see different reports based on their roles once they login. What options do we have to implement this? From my understanding, we need to maintain a user role mapping table in our database, create groups in OBIEE and map the user role with the group in OBIEE? Is it true? Are there other options? Is there a existing product we can use to implement this?
    Thanks,
    Meng

    have a look on page 137 and further http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf

  • Jaas and Form-based

    Hi everybody, I want to know if somebody has information to integrate jaas with form-based, i am using tomcat 5.5
    Thanks in advance..

    Hi, You may like to go through the following link.
    http://developinjava.com/readarticle.php?article_id=6

  • Role based authorization in initiative

    Hi,
    We can assign default authorization for role types in Projects. For example a the role PM can be assigned Admin auth and the person assigned to PM role gets admin role.
    We want the same functionality in initiatives but it is not working. Has anyone tried DFM or any other method to solve this?
    Thanks and Regards,
    Anuradha

    Hi Anuradha,
    Thanks for the information.
    We are not able to access this note, it says 'Document is not released'. Are you able to view this note.
    Is this customer specific note?
    Regards,
    Ravi

  • JAAS and form-based webtier authentication

    Hi, I would like to know if it is possible to use form-based authentication with
    JAAS in a webapp. I would appreciate if you could show me some sample code.
    Thanks /Chris

    Hi, You may like to go through the following link.
    http://developinjava.com/readarticle.php?article_id=6

  • JHeadStart Security problem-error page cannot be found- role based security

    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

    Thand you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and no by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
    To remind you my steps I paste the following again:
    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

Maybe you are looking for

  • Artwork not showing up

    For some reason my iPod doesn't display the artwork I have in iTunes. There's no error messages or anything like that it just doesnt show up. I've double checked my preferences on iTunes and it should be displaying the artwork, but for whatever reaso

  • Hi, updated to ios 8.02. I do not want the health, podcast or tips on the phone.  How do I delete them?

    How do I delete new apps that 'came' with ios 8.0?

  • Desktop Freezing..

    Hi all, I am experiencing this issue on both my Mac Pro and Macbook. After the system is up and operating for an hour or two the desktop freezes up and becomes inacecssible. I see icons on the screen and I can draw a selection box, but I can't click

  • Saving part of fillable form as non-fillable pdf

    I have created a form in LiveCycle Designer. The top part of the form needs to be filled in by one office, and then once the fields are filled in they need to be "locked" for editing and sent on to a third party. The third party needs to have the opt

  • What *Can't* I export into a .swf file?

    Hey all! I have a short, 5 slide presentation which includes a few slide transitions, some text animation (dissolves, disappears, timing) an aiff file and a little QT movie at the end. When I export the movie and throw it to Freeway Pro, all I see is