Search Results

Search found 12717 results on 509 pages for 'ouaf security'.

Page 23/509 | < Previous Page | 19 20 21 22 23 24 25 26 27 28 29 30  | Next Page >

  • Using OAuth along with spring security, grails

    - by GroovyUser
    I have grails app which runs on the spring security plugin. It works with no problem. I wish I could give the users the way to connect with Facebook and social networking site. So I decided to use Spring Security OAuth plugin. I have configured the plugin. Now I want user can access both via normal local account and also the OAuth authentication. More precisely I have a controller like this: @Secured(['IS_AUTHENTICATED_FULLY']) def test() { render "Home page!!!" } Now I want this controller to be accessed with OAuth authentication too. Is that possible to do so?

    Read the article

  • Understanding CGI and SQL security from the ground up

    - by Steve
    This question is for learning purposes. Suppose I am writing a simple SQL admin console using CGI and Python. At http://something.com/admin, this admin console should allow me to modify a SQL database (i.e., create and modify tables, and create and modify records) using an ordinary form. In the least secure case, anybody can access http://something.com/admin and modify the database. You can password protect http://something.com/admin. But once you start using the admin console, information is still transmitted in plain text. So then you use HTTPS to secure the transmitted data. Questions: To describe to a learner, how would you incrementally add security to the least secure environment in order to make it most secure? How would you modify/augment my three (possibly erroneous) steps above? What basic tools in Python make your steps possible? Optional: Now that I understand the process, how do sophisticated libraries and frameworks inherently achieve this level of security?

    Read the article

  • KB Articles on My Oracle Support

    - by Anthony Shorten
    My Oracle Support is a valuable resource for product information and how to's. It is not just about bug fixes and service packs. To find articles pertaining to any Oracle Utilities product you logon to My Oracle Support (your DBA shoud have access at least) and use the following path to Navigate to the articles: Knowledge - More Applications - Industry Solutions - Utilities You are then presented with a list of products, just select the one that you are interested in. You are then pressented with a list of articles available (25 per page). You can also search on keywords for articles. Here is a list of ones I find useful (with KB ID in []): Customer Care and Billing V2.2.0 Unix Installation Questions [ID 844645.1] Known Framework (FW) Errors [ID 783823.1] Weblogic 10 MP2 CCB Support Question [ID 1119383.1] CCB v2.2.0 Performance Problem Under Heavy Concurrent User Load [ID 808233.1] - This is a description of a patch for performance What Is The Meaning Of The TRUE And FALSE Setting For REL_CBL_THREAD_MEM Within OUAF For Oracle Utilities CCB, BI & ETM [ID 783444.1] Oracle Utilities Framework Support Utility [ID 1079640.1] How to customize XAI error messages? [ID 1061394.1] Oracle Utilities Application Framework - Patch Installation [ID 974985.1] Action Plan for Creating a Weblogic Custom Authentication Provider [ID 954417.1] How to set up XAI service on multiple servers to provide redundancy? [ID 854215.1] The first one is very useful and answer lots of how to questions for installation.

    Read the article

  • Making files generally available on Linux system (when security is relatively unimportant)?

    - by Ole Thomsen Buus
    Hi, I am using Ubuntu 9.10 on a stationary PC. I have a secondary 1 TB harddrive with a single big logical partition (currently formatted as ext4). It is mounted as /usr3 with options user, exec in /etc/fstab. I am doing highspeed imaging experiments. Well, only 260fps, but that still creates many individual files since each frames is saved as one png-file. The stationary is not used by anyone other than me which is why the default security model posed by ubuntu is not necessary. What is the best way to make the entire contents of /usr3 generally available on all systems. In case I need to move the harddrive to another Ubuntu 9.x or 10.x machine? When grabbing image with the firewire camera I use a selfmade grabbing software-utility (console based) in sudo-mode. This creates all files with root as owner and group. I am logged in as user otb and usually I do the following when having to make files generally available to otb: sudo chown otb -R * sudo chgrp otb -R * sudo chmod a=rwx -R * This takes some time since the disk now contains individual ~200000 files. After this, how would linux behave if I moved the harddrive to another system where the user otb is also available? Would the files still be accessible without sudo use?

    Read the article

  • [GEEK SCHOOL] Network Security 2: Preventing Disaster with User Account Control

    - by Ciprian Rusen
    In this second lesson in our How-To Geek School about securing the Windows devices in your network, we will talk about User Account Control (UAC). Users encounter this feature each time they need to install desktop applications in Windows, when some applications need administrator permissions in order to work and when they have to change different system settings and files. UAC was introduced in Windows Vista as part of Microsoft’s “Trustworthy Computing” initiative. Basically, UAC is meant to act as a wedge between you and installing applications or making system changes. When you attempt to do either of these actions, UAC will pop up and interrupt you. You may either have to confirm you know what you’re doing, or even enter an administrator password if you don’t have those rights. Some users find UAC annoying and choose to disable it but this very important security feature of Windows (and we strongly caution against doing that). That’s why in this lesson, we will carefully explain what UAC is and everything it does. As you will see, this feature has an important role in keeping Windows safe from all kinds of security problems. In this lesson you will learn which activities may trigger a UAC prompt asking for permissions and how UAC can be set so that it strikes the best balance between usability and security. You will also learn what kind of information you can find in each UAC prompt. Last but not least, you will learn why you should never turn off this feature of Windows. By the time we’re done today, we think you will have a newly found appreciation for UAC, and will be able to find a happy medium between turning it off completely and letting it annoy you to distraction. What is UAC and How Does it Work? UAC or User Account Control is a security feature that helps prevent unauthorized system changes to your Windows computer or device. These changes can be made by users, applications, and sadly, malware (which is the biggest reason why UAC exists in the first place). When an important system change is initiated, Windows displays a UAC prompt asking for your permission to make the change. If you don’t give your approval, the change is not made. In Windows, you will encounter UAC prompts mostly when working with desktop applications that require administrative permissions. For example, in order to install an application, the installer (generally a setup.exe file) asks Windows for administrative permissions. UAC initiates an elevation prompt like the one shown earlier asking you whether it is okay to elevate permissions or not. If you say “Yes”, the installer starts as administrator and it is able to make the necessary system changes in order to install the application correctly. When the installer is closed, its administrator privileges are gone. If you run it again, the UAC prompt is shown again because your previous approval is not remembered. If you say “No”, the installer is not allowed to run and no system changes are made. If a system change is initiated from a user account that is not an administrator, e.g. the Guest account, the UAC prompt will also ask for the administrator password in order to give the necessary permissions. Without this password, the change won’t be made. Which Activities Trigger a UAC Prompt? There are many types of activities that may trigger a UAC prompt: Running a desktop application as an administrator Making changes to settings and files in the Windows and Program Files folders Installing or removing drivers and desktop applications Installing ActiveX controls Changing settings to Windows features like the Windows Firewall, UAC, Windows Update, Windows Defender, and others Adding, modifying, or removing user accounts Configuring Parental Controls in Windows 7 or Family Safety in Windows 8.x Running the Task Scheduler Restoring backed-up system files Viewing or changing the folders and files of another user account Changing the system date and time You will encounter UAC prompts during some or all of these activities, depending on how UAC is set on your Windows device. If this security feature is turned off, any user account or desktop application can make any of these changes without a prompt asking for permissions. In this scenario, the different forms of malware existing on the Internet will also have a higher chance of infecting and taking control of your system. In Windows 8.x operating systems you will never see a UAC prompt when working with apps from the Windows Store. That’s because these apps, by design, are not allowed to modify any system settings or files. You will encounter UAC prompts only when working with desktop programs. What You Can Learn from a UAC Prompt? When you see a UAC prompt on the screen, take time to read the information displayed so that you get a better understanding of what is going on. Each prompt first tells you the name of the program that wants to make system changes to your device, then you can see the verified publisher of that program. Dodgy software tends not to display this information and instead of a real company name, you will see an entry that says “Unknown”. If you have downloaded that program from a less than trustworthy source, then it might be better to select “No” in the UAC prompt. The prompt also shares the origin of the file that’s trying to make these changes. In most cases the file origin is “Hard drive on this computer”. You can learn more by pressing “Show details”. You will see an additional entry named “Program location” where you can see the physical location on your hard drive, for the file that’s trying to perform system changes. Make your choice based on the trust you have in the program you are trying to run and its publisher. If a less-known file from a suspicious location is requesting a UAC prompt, then you should seriously consider pressing “No”. What’s Different About Each UAC Level? Windows 7 and Windows 8.x have four UAC levels: Always notify – when this level is used, you are notified before desktop applications make changes that require administrator permissions or before you or another user account changes Windows settings like the ones mentioned earlier. When the UAC prompt is shown, the desktop is dimmed and you must choose “Yes” or “No” before you can do anything else. This is the most secure and also the most annoying way to set UAC because it triggers the most UAC prompts. Notify me only when programs/apps try to make changes to my computer (default) – Windows uses this as the default for UAC. When this level is used, you are notified before desktop applications make changes that require administrator permissions. If you are making system changes, UAC doesn’t show any prompts and it automatically gives you the necessary permissions for making the changes you desire. When a UAC prompt is shown, the desktop is dimmed and you must choose “Yes” or “No” before you can do anything else. This level is slightly less secure than the previous one because malicious programs can be created for simulating the keystrokes or mouse moves of a user and change system settings for you. If you have a good security solution in place, this scenario should never occur. Notify me only when programs/apps try to make changes to my computer (do not dim my desktop) – this level is different from the previous in in the fact that, when the UAC prompt is shown, the desktop is not dimmed. This decreases the security of your system because different kinds of desktop applications (including malware) might be able to interfere with the UAC prompt and approve changes that you might not want to be performed. Never notify – this level is the equivalent of turning off UAC. When using it, you have no protection against unauthorized system changes. Any desktop application and any user account can make system changes without your permission. How to Configure UAC If you would like to change the UAC level used by Windows, open the Control Panel, then go to “System and Security” and select “Action Center”. On the column on the left you will see an entry that says “Change User Account Control settings”. The “User Account Control Settings” window is now opened. Change the position of the UAC slider to the level you want applied then press “OK”. Depending on how UAC was initially set, you may receive a UAC prompt requiring you to confirm this change. Why You Should Never Turn Off UAC If you want to keep the security of your system at decent levels, you should never turn off UAC. When you disable it, everything and everyone can make system changes without your consent. This makes it easier for all kinds of malware to infect and take control of your system. It doesn’t matter whether you have a security suite or antivirus installed or third-party antivirus, basic common-sense measures like having UAC turned on make a big difference in keeping your devices safe from harm. We have noticed that some users disable UAC prior to setting up their Windows devices and installing third-party software on them. They keep it disabled while installing all the software they will use and enable it when done installing everything, so that they don’t have to deal with so many UAC prompts. Unfortunately this causes problems with some desktop applications. They may fail to work after you enable UAC. This happens because, when UAC is disabled, the virtualization techniques UAC uses for your applications are inactive. This means that certain user settings and files are installed in a different place and when you turn on UAC, applications stop working because they should be placed elsewhere. Therefore, whatever you do, do not turn off UAC completely! Coming up next … In the next lesson you will learn about Windows Defender, what this tool can do in Windows 7 and Windows 8.x, what’s different about it in these operating systems and how it can be used to increase the security of your system.

    Read the article

  • New Big Data Appliance Security Features

    - by mgubar
    The Oracle Big Data Appliance (BDA) is an engineered system for big data processing.  It greatly simplifies the deployment of an optimized Hadoop Cluster – whether that cluster is used for batch or real-time processing.  The vast majority of BDA customers are integrating the appliance with their Oracle Databases and they have certain expectations – especially around security.  Oracle Database customers have benefited from a rich set of security features:  encryption, redaction, data masking, database firewall, label based access control – and much, much more.  They want similar capabilities with their Hadoop cluster.    Unfortunately, Hadoop wasn’t developed with security in mind.  By default, a Hadoop cluster is insecure – the antithesis of an Oracle Database.  Some critical security features have been implemented – but even those capabilities are arduous to setup and configure.  Oracle believes that a key element of an optimized appliance is that its data should be secure.  Therefore, by default the BDA delivers the “AAA of security”: authentication, authorization and auditing. Security Starts at Authentication A successful security strategy is predicated on strong authentication – for both users and software services.  Consider the default configuration for a newly installed Oracle Database; it’s been a long time since you had a legitimate chance at accessing the database using the credentials “system/manager” or “scott/tiger”.  The default Oracle Database policy is to lock accounts thereby restricting access; administrators must consciously grant access to users. Default Authentication in Hadoop By default, a Hadoop cluster fails the authentication test. For example, it is easy for a malicious user to masquerade as any other user on the system.  Consider the following scenario that illustrates how a user can access any data on a Hadoop cluster by masquerading as a more privileged user.  In our scenario, the Hadoop cluster contains sensitive salary information in the file /user/hrdata/salaries.txt.  When logged in as the hr user, you can see the following files.  Notice, we’re using the Hadoop command line utilities for accessing the data: $ hadoop fs -ls /user/hrdataFound 1 items-rw-r--r--   1 oracle supergroup         70 2013-10-31 10:38 /user/hrdata/salaries.txt$ hadoop fs -cat /user/hrdata/salaries.txtTom Brady,11000000Tom Hanks,5000000Bob Smith,250000Oprah,300000000 User DrEvil has access to the cluster – and can see that there is an interesting folder called “hrdata”.  $ hadoop fs -ls /user Found 1 items drwx------   - hr supergroup          0 2013-10-31 10:38 /user/hrdata However, DrEvil cannot view the contents of the folder due to lack of access privileges: $ hadoop fs -ls /user/hrdata ls: Permission denied: user=drevil, access=READ_EXECUTE, inode="/user/hrdata":oracle:supergroup:drwx------ Accessing this data will not be a problem for DrEvil. He knows that the hr user owns the data by looking at the folder’s ACLs. To overcome this challenge, he will simply masquerade as the hr user. On his local machine, he adds the hr user, assigns that user a password, and then accesses the data on the Hadoop cluster: $ sudo useradd hr $ sudo passwd $ su hr $ hadoop fs -cat /user/hrdata/salaries.txt Tom Brady,11000000 Tom Hanks,5000000 Bob Smith,250000 Oprah,300000000 Hadoop has not authenticated the user; it trusts that the identity that has been presented is indeed the hr user. Therefore, sensitive data has been easily compromised. Clearly, the default security policy is inappropriate and dangerous to many organizations storing critical data in HDFS. Big Data Appliance Provides Secure Authentication The BDA provides secure authentication to the Hadoop cluster by default – preventing the type of masquerading described above. It accomplishes this thru Kerberos integration. Figure 1: Kerberos Integration The Key Distribution Center (KDC) is a server that has two components: an authentication server and a ticket granting service. The authentication server validates the identity of the user and service. Once authenticated, a client must request a ticket from the ticket granting service – allowing it to access the BDA’s NameNode, JobTracker, etc. At installation, you simply point the BDA to an external KDC or automatically install a highly available KDC on the BDA itself. Kerberos will then provide strong authentication for not just the end user – but also for important Hadoop services running on the appliance. You can now guarantee that users are who they claim to be – and rogue services (like fake data nodes) are not added to the system. It is common for organizations to want to leverage existing LDAP servers for common user and group management. Kerberos integrates with LDAP servers – allowing the principals and encryption keys to be stored in the common repository. This simplifies the deployment and administration of the secure environment. Authorize Access to Sensitive Data Kerberos-based authentication ensures secure access to the system and the establishment of a trusted identity – a prerequisite for any authorization scheme. Once this identity is established, you need to authorize access to the data. HDFS will authorize access to files using ACLs with the authorization specification applied using classic Linux-style commands like chmod and chown (e.g. hadoop fs -chown oracle:oracle /user/hrdata changes the ownership of the /user/hrdata folder to oracle). Authorization is applied at the user or group level – utilizing group membership found in the Linux environment (i.e. /etc/group) or in the LDAP server. For SQL-based data stores – like Hive and Impala – finer grained access control is required. Access to databases, tables, columns, etc. must be controlled. And, you want to leverage roles to facilitate administration. Apache Sentry is a new project that delivers fine grained access control; both Cloudera and Oracle are the project’s founding members. Sentry satisfies the following three authorization requirements: Secure Authorization:  the ability to control access to data and/or privileges on data for authenticated users. Fine-Grained Authorization:  the ability to give users access to a subset of the data (e.g. column) in a database Role-Based Authorization:  the ability to create/apply template-based privileges based on functional roles. With Sentry, “all”, “select” or “insert” privileges are granted to an object. The descendants of that object automatically inherit that privilege. A collection of privileges across many objects may be aggregated into a role – and users/groups are then assigned that role. This leads to simplified administration of security across the system. Figure 2: Object Hierarchy – granting a privilege on the database object will be inherited by its tables and views. Sentry is currently used by both Hive and Impala – but it is a framework that other data sources can leverage when offering fine-grained authorization. For example, one can expect Sentry to deliver authorization capabilities to Cloudera Search in the near future. Audit Hadoop Cluster Activity Auditing is a critical component to a secure system and is oftentimes required for SOX, PCI and other regulations. The BDA integrates with Oracle Audit Vault and Database Firewall – tracking different types of activity taking place on the cluster: Figure 3: Monitored Hadoop services. At the lowest level, every operation that accesses data in HDFS is captured. The HDFS audit log identifies the user who accessed the file, the time that file was accessed, the type of access (read, write, delete, list, etc.) and whether or not that file access was successful. The other auditing features include: MapReduce:  correlate the MapReduce job that accessed the file Oozie:  describes who ran what as part of a workflow Hive:  captures changes were made to the Hive metadata The audit data is captured in the Audit Vault Server – which integrates audit activity from a variety of sources, adding databases (Oracle, DB2, SQL Server) and operating systems to activity from the BDA. Figure 4: Consolidated audit data across the enterprise.  Once the data is in the Audit Vault server, you can leverage a rich set of prebuilt and custom reports to monitor all the activity in the enterprise. In addition, alerts may be defined to trigger violations of audit policies. Conclusion Security cannot be considered an afterthought in big data deployments. Across most organizations, Hadoop is managing sensitive data that must be protected; it is not simply crunching publicly available information used for search applications. The BDA provides a strong security foundation – ensuring users are only allowed to view authorized data and that data access is audited in a consolidated framework.

    Read the article

  • Connection to Google, Yahoo, Bing, Ask, etc. compromised via all devices on my home network - How?

    - by jt0dd
    I'm a very computer savvy guy (although not very networking savvy), and I may still be wrong about this, but I think my home network may be compromised somehow. I'd like to know if it's possible for someone to have hijacked my network's connection to Google.com and other popular websites. Update: The issue seems to take effect with all popular websites. I can connect to small (non-popular) websites without issue, but Facebook, Google, Yahoo, and Bing cannot be accessed by any device on my home network. On all devices using my home network, I'm being shown http://www.google.com WARNING! Internet Explorer is currently out of date. Please update to continue. when I attempt to connect to google.com. I wouldn't be surprised by this at all if it were just the laptop. It's the fact that this is happening on all devices on my network that confuses me. Here's the screenshot from my iPhone, for reference. Can my home network be compromised? Is that even possible? How can something like this happen across all platforms on all devices in the same way? I wouldn't imagine every device / platform on the network would get the same virus. Should I assume that my network's security is totally compromised? Update: All mobile devices and laptops on my home network are experiencing the same alert when attempting to connect to google.com.

    Read the article

  • What steps should I take to secure Tomcat 6.x?

    - by PAS
    I am in the process of setting up an new Tomcat deployment, and want it to be as secure as possible. I have created a 'jakarta' user and have jsvc running Tomcat as a daemon. Any tips on directory permissions and such to limit access to Tomcat's files? I know I will need to remove the default webapps - docs, examples, etc... are there any best practices I should be using here? What about all the config XML files? Any tips there? Is it worth enabling the Security manager so that webapps run in a sandbox? Has anyone had experience setting this up? I have seen examples of people running two instances of Tomcat behind Apache. It seems this can be done using mod_jk or with mod_proxy... any pros/cons of either? Is it worth the trouble? In case it matters, the OS is Debian lenny. I am not using apt-get because lenny only offers tomcat 5.5 and we require 6.x. Thanks!

    Read the article

  • OWSM custom security policy for JAX-WS, GenericFault

    - by sachin
    Hi, I tried creating custom security and policy as given here: http://download.oracle.com/docs/cd/E15523_01/relnotes.1111/e10132/owsm.htm#CIADFGGC when I run the service client custom assertion is executed, returning successfully. public IResult execute(IContext context) throws WSMException { try { System.out.println("public execute"); IAssertionBindings bindings = ((SimpleAssertion)(this.assertion)).getBindings(); IConfig config = bindings.getConfigs().get(0); IPropertySet propertyset = config.getPropertySets().get(0); String valid_ips = propertyset.getPropertyByName("valid_ips").getValue(); String ipAddr = ((IMessageContext)context).getRemoteAddr(); IResult result = new Result(); System.out.println("valid_ips "+valid_ips); if (valid_ips != null && valid_ips.trim().length() > 0) { String[] valid_ips_array = valid_ips.split(","); boolean isPresent = false; for (String valid_ip : valid_ips_array) { if (ipAddr.equals(valid_ip.trim())) { isPresent = true; } } System.out.println("isPresent "+isPresent); if (isPresent) { result.setStatus(IResult.SUCCEEDED); } else { result.setStatus(IResult.FAILED); result.setFault(new WSMException(WSMException.FAULT_FAILED_CHECK)); } } else { result.setStatus(IResult.SUCCEEDED); } System.out.println("result "+result); System.out.println("public execute complete"); return result; } catch (Exception e) { System.out.println("Exception e"); e.printStackTrace(); throw new WSMException(WSMException.FAULT_FAILED_CHECK, e); } } Console output is: public execute valid_ips 127.0.0.1,192.168.1.1 isPresent true result Succeeded public execute complete but, webservice throws GenericFault . Arguments: [void] Fault: GenericFault : generic error I have no clue what could be wrong, any ideas? here is the full stack trace: Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: GenericFault : generic error at com.sun.xml.internal.ws.fault.SOAP12Fault.getProtocolException(SOAP12Fault.java:210) at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:119) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108) at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78) at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:107) at $Proxy30.sayHello(Unknown Source) at creditproxy.CreditRatingSoap12HttpPortClient.main(CreditRatingSoap12HttpPortClient.java:21) Caused by: javax.xml.ws.soap.SOAPFaultException: GenericFault : generic error at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory$JAXRPCTube.processRequest(TubeFactory.java:203) at weblogic.wsee.jaxws.tubeline.FlowControlTube.processRequest(FlowControlTube.java:99) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445) at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:275) at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:454) at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:250) at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140) at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:319) at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:232) at weblogic.wsee.jaxws.JAXWSServlet.doPost(JAXWSServlet.java:310) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at weblogic.wsee.jaxws.JAXWSServlet.service(JAXWSServlet.java:87) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:326) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3592) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201) at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) Process exited with exit code 1.

    Read the article

  • Spring Security session-management setting and IllegalStateException

    - by JayL
    I'm trying to add <session-management> in my Spring Security namespace configuration so that I can provide a different message than the login page when the session times out. As soon as I add it to my configuration it starts throwing "IllegalStateException: Cannot create a session after the response has been committed" when I access the app. I'm using Spring Security 3 and Tomcat 6. Here's my configuration: <http> <intercept-url pattern="/go.htm" access="ROLE_RESPONDENT" /> <intercept-url pattern="/complete.htm" access="ROLE_RESPONDENT" /> <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <form-login login-processing-url="/j_spring_security_check" login-page="/login.htm" authentication-failure-url="/login.htm?error=true" default-target-url="/go.htm" /> <anonymous/> <logout logout-success-url="/logout_message.htm"/> <session-management invalid-session-url="/login.htm" /> </http> Everything works great until I add in the <session-management> line. What am I missing?

    Read the article

  • security policy error iphone ipod touch issue

    - by Joey
    I'm getting an "Error from Debugger: Error launching remote program: security policy error" when I try to run my app on my ipod touch. The provisions look in order, and the app builds to my iphone 3gs just fine. The app used to build just fine to my ipod touch, so I'm flustered what could have changed and wondering if anyone has any thoughts on what might be causing this issue. The build logs are below. Mon Mar 15 14:25:54 unknown com.apple.debugserver-43[449] : Connecting to com.apple.debugserver service... Mon Mar 15 14:25:55 unknown SpringBoard[24] : Unable to launch com.yourcompany.Unearthed because it has an invalid code signature, inadequate entitlements or its profile has not been explicitly trusted by the user. Mon Mar 15 14:25:55 unknown com.apple.debugserver-43[449] : error: unable to launch the application with CFBundleIdentifier 'com.yourcompany.Unearthed' sbs_error = 9 Mon Mar 15 14:25:55 unknown com.apple.debugserver-43[449] : 1 [01c1/0903]: RNBRunLoopLaunchInferior DNBProcessLaunch() returned error: '' Mon Mar 15 14:25:55 unknown com.apple.debugserver-43[449] : error: failed to launch process (null): security policy error Mon Mar 15 14:26:03 unknown MobileSafari[72] : void SendDelegateMessage(NSInvocation*): delegate (webView:decidePolicyForNavigationAction:request:frame:decisionListener:) failed to return after waiting 10 seconds. main run loop mode: UITrackingRunLoopMode

    Read the article

  • How to access/use custom attribute in spring security based CAS client

    - by Bill Li
    I need send certain attributes(say, human readable user name) from server to client after a successful authentication. Server part was done. Now attribute was sent to client. From log, I can see: 2010-03-28 23:48:56,669 DEBUG Cas20ServiceTicketValidator:185 - Server response: [email protected] <cas:proxyGrantingTicket>PGTIOU-1-QZgcN61oAZcunsC9aKxj-cas</cas:proxyGrantingTicket> <cas:attributes> <cas:FullName>Test account 1</cas:FullName> </cas:attributes> </cas:authenticationSuccess> </cas:serviceResponse> Yet, I don't know how to access the attribute in client(I am using Spring security 2.0.5). In authenticationProvider, a userDetailsService is configured to read db for authenticated principal. <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider"> <sec:custom-authentication-provider /> <property name="userDetailsService" ref="clerkManager"/> <!-- other stuff goes here --> </bean> Now in my controller, I can easily do this: Clerk currentClerk = (Clerk)SecurityContextHolder.getContext().getAuthentication().getPrincipal(); Ideally, I can fill the attribute to this Clerk object as another property in some way. How to do this? Or what is recommended approach to share attributes across all apps under CAS's centralized nature?

    Read the article

  • How do I use WS-Security with WCF?

    - by Jonathan Allen
    Below is the style of header I need to create. I am expected to use either a public/private key or a SSL style certificate. I don't know for certain, but I think my counter-party is using some form of Java. <soap-env:Header> <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#secinfo"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>xxxxxxxxxxxxx</ds:DigestValue> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> <ds:XPath>//*[@id='secinfo']/child::*/text()</ds:XPath> </ds:Transform> </ds:Transforms> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>xxxxxxxxxxds:SignatureValue> <ds:KeyInfo> <ds:KeyName>xxxxxxx</ds:KeyName> </ds:KeyInfo> </ds:Signature> <t:UsernameToken xmlns:t="http://schemas.xmlsoap.org/ws/2002/04/secext" id="secinfo"> <t:UserInfo>USER=xxxx;CORR=xxxx;TIMESTAMP=201003161916</t:UserInfo> </t:UsernameToken> </wsse:Security> </soap-env:Header>

    Read the article

  • IE Security Warning with widgets

    - by superexsl
    Hey I'm creating an ASP.NET application which uses Facebook Connect and fbml tags. It also uses the LinkedIn widget. When I run this app in any browser, there are no warnings and everything works. However, in IE, a message like this comes up: Security Warning: The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this? Current site:http://www.facebook.com Trusted site:http://localhost (same for LinkedIn.com). I know how to fix this from a client perspective and to stop the security warning showing up. However, is it possible to ensure this message doesn't come up as it could be off putting for users who don't know how to suppress this warning? I haven't tried uploading it to my webhost, so not sure if this message will appear for everyone in production. However, I always get it on my local machine. (None of my pages use SSL, so I don't think that's the issue. I tried using FB's HTTPS urls but that didn't make a difference). Thanks

    Read the article

  • Flash Security Error Accessing URL with crossdomain.xml

    - by user163757
    Hello, I recently deployed a Flash application to a server, and am now experiencing errors when making HTTPService requests. I have put what I believe to be the most permissive crossdomain.xml possible in the wwwroot folder, and still get the errors. Interestingly enough, the error only seems to occur when the request is made from a direct user interaction (i.e. button click). The application makes other requests that are initiated by other means(i.e creationComplete) , and they seem to work as expected. Anyone see anything wrong with the crossdomain.xml, or have any other suggestions? ERROR MESSAGE [RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"] at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal%3A%3AfaultHandler() at mx.rpc::Responder/fault() at mx.rpc::AsyncRequest/fault() at DirectHTTPMessageResponder/securityErrorHandler() at flash.events::EventDispatcher/dispatchEventFunction() at flash.events::EventDispatcher/dispatchEvent() at flash.net::URLLoader/redirectEvent() <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <site-control permitted-cross-domain-policies="all" /> <allow-access-from domain="*" secure="false" /> <allow-http-request-headers-from domain="*" headers="*" secure="false" /> </cross-domain-policy>

    Read the article

  • Game login authentication and security.

    - by Charles
    First off I will say I am completely new to security in coding. I am currently helping a friend develop a small game (in Python) which will have a login server. I don't have much knowledge regarding security, but I know many games do have issues with this. Everything from 3rd party applications (bots) to WPE packet manipulation. Considering how small this game will be and the limited user base, I doubt we will have serious issues, but would like to try our best to limit problems. I am not sure where to start or what methods I should use, or what's worth it. For example, sending data to the server such as login name and password. I was told his information should be encrypted when sending, so in-case someone was viewing it (with whatever means), that they couldn't get into the account. However, if someone is able to capture the encrypted string, wouldn't this string always work since it's decrypted server side? In other words, someone could just capture the packet, reuse it, and still gain access to the account? The main goal I am really looking for is to make sure the players are logging into the game with the client we provide, and to make sure it's 'secure' (broad, I know). I have looked around at different methods such as Public and Private Key encryption, which I am sure any hex editor could eventually find. There are many other methods that seem way over my head at the moment and leave the impression of overkill. I realize nothing is 100% secure. I am just looking for any input or reading material (links) to accomplish the main goal stated above. Would appreciate any help, thanks.

    Read the article

  • Restricting dynamically loaded classes and jars based on a security policy

    - by Max
    Hi, I would like to dynamically load a set of jars or classes (i.e. plugins loaded at runtime). At the same time, I would like to restrict what these plugins are able to do in the JVM. For a test case, I would like to restrict them to pretty much everything (right now I'm just allowing one System.getProperty value to be read). I am currently using a security policy file, but I'm having difficulty specifying a policy for one folder or package in my codeBase, but not another. Here is how my policy looks now: grant codeBase "file:/home/max/programming/java/plugin/plugins/" { permission java.util.PropertyPermission "java.version", "read"; }; grant codeBase "file:/home/max/programming/java/plugin/api/" { permission java.security.AllPermission; }; Where (for testing purposes), all files in the plugins package and folder are restricted, but the classes in the api folder are not. Is this possible? Do I have to create a custom class loader? Is there a better way to go about doing this? Thanks.

    Read the article

  • Calling a SLSB with Seam security from a servlet

    - by wilth
    Hello, I have an existing application written in SEAM that uses SEAM Security (http://docs.jboss.org/seam/2.1.1.GA/reference/en-US/html/security.html). In a stateless EJB, I might find something like this: @In Identity identity; ... if(identity.hasRole("admin")) throw new AuthException(); As far as I understand, Seam injects the Identity object from the SessionContext of the servlet that invokes the EJB (this happens "behind the scenes", since Seam doesn't really use servlets) and removes it after the call. Is this correct? Is it now possible to access this EJB from another servlet (in this case, that servlet is the server side of a GWT application)? Do I have to "inject" the correct Identity instance? If I don't do anything, Seam injects an instance, but doesn't correctly correlate the sessions and instances of Identity (so the instances of Identity are shared between sessions and sometimes calls get new instances etc.). Any help and pointers are very welcome - thanks! Technology: EJB3, Seam 2.1.2. The servlets are actually the server-side of a GWT app, although I don't think this matters much. I'm using JBoss 5.

    Read the article

  • OpenPeak Flash app XMLSocket Security Problem

    - by Kira
    We're trying to create an app for OpenPeak. The Flash app will act as a client to a Java server on another computer on another domain. The Flash app client connects via XMLSocket. The Java Server uses ServerSocket to receive a request and send back a message. In order to trust the server, the Flash client needs a socket master policy file to tell it that the server comes from a trustworthy domain. According to an article on Adobe, when a connection has succeeded, the Flash client automatically requests the cross-domain policy or socket master policy file on port 843. Still, even when we implement it according to the tutorials and recommendations we have read, the Flash client continues to throw the following security error: SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048" We've tried logging the policy file request during testing to see if there was any call made to port 843. There was not. Interestingly, even without a policy file, the Flash client still manages to send the first data message to the server successfully. It's just when the server tries to send back a reply that the entire thing hangs for about 10 seconds before the security error above is displayed. Any ideas / suggestions?

    Read the article

  • Spring security and authentication provider

    - by Pascal
    I'm trying to implement Spring 3 Security in a project, but I can not get rid of the following error: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: No authentication providers were found in the application context This seems weird, as I did provide an authentication provider! I've added these lines to web. <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> And this is my applicationContext-security.xml: <http auto-config="false"> <intercept-url pattern="/**" access="ROLE_USER" /> <http-basic /> </http> <authentication-manager alias="authenticationManager"> <authentication-provider> <user-service> <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN"/> <user name="bob" password="bobspassword" authorities="ROLE_USER"/> </user-service> </authentication-provider> </authentication-manager> Google couldn't help me much further, nor could the official documentation.

    Read the article

  • ASP.NET webservice API security.

    - by Tejaswi Yerukalapudi
    Hi, I have an iPhone app accessing an ASP.NET Webservice for data. Since I'm building both the ASP.NET end and the iPhone part of the app, and we'll shortly be publishing it in the Appstore, I'd like to know what security checks I need to make. The basic flow of the program (without divulging too much info about it) is as follows - . Login (Enter Username, pass on the app) . Primary screen where the data is loaded from a webservice and presented . And post data back after a few updates by the user I'm using POST to send the data to the Webservice via HTTPS. I'm sanitizing the inputs, checking for length of the inputs, but that's the limit of my knowledge as far as security goes. Any other tips are greatly appreciated! Edit: I should probably add that our service needs to be subscribed to separately and the iPhone component of it cannot be used alone. So the average user will not have login credentials. And the app itself has healthcare data in it, so I'd rather not have anyone trying attacks from my login page. Thanks, Teja.

    Read the article

  • Setting directory security to allow user and deny all

    - by Rita
    I have winforms app, in which I need to access a secured directory. I'm using impersonation and create WindowsIdentity to access the folder. My problem is writing unit tests to test the directory security; I'd like to a write a code that creates a directory secured to only ONE user, which isn't the current user running the UT (or else the test would be worthless). I know how to add permissions to a certain user, but how can I deny the rest, including admins? (in case the user running the UT is an admin) (will this be a wise thing to do?) DirectoryInfo directoryInfo = new DirectoryInfo(path); DirectorySecurity directorySecurity = directoryInfo.GetAccessControl(); directorySecurity.AddAccessRule(new FileSystemAccessRule("Domain\SecuredUser", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); directorySecurity.RemoveAccessRule(new FileSystemAccessRule("??", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Deny)); directoryInfo.SetAccessControl(directorySecurity); This isn't working. I don't know who am I supposed to deny. Domain\Admins, Domain\Administrators, me... No one is being denied, and when I check folder's security - The SecuredUser has access to the folder, but the permissions are not checked, even though I specified FullControl. Basically I want to code this: <authorization> <allow users ="Domain\User" /> <deny users="*" /> </authorization> I was thinking about impersonating UT run with a weak user with no permissions, but this would result in: Impersonate - Run UT - Impersonate - Access folder, and I'm not sure if this is the right design. Help would be greatly appreciated, thank you.

    Read the article

  • ASP.NET membership db using integrated security problem

    - by rem
    I published ASP.NET MVC web site to a server on a virtual machine (Hyper-V). SQL Server Express installed on the same server. The problem is that ASP.Net Membership system doesn't work in integrated mode. When Web.config file contains records as follows: <connectionStrings> <remove name="LocalSqlServer" /> <add name="MyDBConnectionString" connectionString="data source=vm-1\SQLEXPRESS;Initial Catalog=testdb;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/> </connectionStrings> I get an error when trying to register and login to the site. If I change connection string this way: <connectionStrings> <remove name="LocalSqlServer" /> <add name="MyDBConnectionString" connectionString="data source=vm-1\SQLEXPRESS;Initial Catalog=testdb;User ID=XX;Password=XXXXXXX;" providerName="System.Data.SqlClient"/> </connectionStrings> I could register and login without any problem. What could cause the problem with using ASP.NET membership database in integrated security mode?

    Read the article

  • Looking for resources to explain a security risk.

    - by Dave
    I've a developer which has given users the ability to download a zip archive which contains an html document which references a relative javascript file and flash document. The flash document accepts as one of it's parameters a url which is embedded in the html document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site, however the end user appears to want to view it locally. When one opens the html document the flash document is presented and when the user clicks on the flash document it redirects to this embedded url. However, if one extracts the archive on the desktop and opens the html document in a browser and clicks the flash object, nothing observable happens, they will not be redirected to the external url. I believe this is a security risk because one is transferring from the local computer zone to an external zone. I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken, they're being protected from a known vulnerability. The developer attempted to explain how to copy the files to a local iis instance, which I highly doubt is running on the users machine, and I do not consider this to be a viable explanation.

    Read the article

  • Security considerations processing emails

    - by Timmy O' Tool
    I have process that will be reading emails from an account. The objective of the process is saving to a database those emails with image(s) as attachments. I will be saving sender, subject body and image path (the image will be saved on the process). I will be showing this information on a page so I would like to know all (or most of them :) ) security aspects to cover. I plan to sanitize the subject and body of the email. I can remove most of the tags, probably it would be enough keeping the <p> tag. I'm not sure if I can trust just in a sanitizer. I would like to HTML encode everything except for the <p> tag after sanitize, just in case. Any suggestion? I'm only accepting images as attachment as I said above, any security risk I have to take into account in relation to the attachment? Thanks!

    Read the article

< Previous Page | 19 20 21 22 23 24 25 26 27 28 29 30  | Next Page >