Search Results

Search found 15648 results on 626 pages for 'wcf security'.

Page 10/626 | < Previous Page | 6 7 8 9 10 11 12 13 14 15 16 17  | Next Page >

  • Security in OBIEE 11g, Part 2

    - by Rob Reynolds
    Continuing the series on OBIEE 11g, our guest blogger this week is Pravin Janardanam. Here is Part 2 of his overview of Security in OBIEE 11g. OBIEE 11g Security Overview, Part 2 by Pravin Janardanam In my previous blog on Security, I discussed the OBIEE 11g changes regarding Authentication mechanism, RPD protection and encryption. This blog will include a discussion about OBIEE 11g Authorization and other Security aspects. Authorization: Authorization in 10g was achieved using a combination of Users, Groups and association of privileges and object permissions to users and Groups. Two keys changes to Authorization in OBIEE 11g are: Application Roles Policies / Permission Groups Application Roles are introduced in OBIEE 11g. An application role is specific to the application. They can be mapped to other application roles defined in the same application scope and also to enterprise users or groups, and they are used in authorization decisions. Application roles in 11g take the place of Groups in 10g within OBIEE application. In OBIEE 10g, any changes to corporate LDAP groups require a corresponding change to Groups and their permission assignment. In OBIEE 11g, Application roles provide insulation between permission definitions and corporate LDAP Groups. Permissions are defined at Application Role level and changes to LDAP groups just require a reassignment of the Group to the Application Roles. Permissions and privileges are assigned to Application Roles and users in OBIEE 11g compared to Groups and Users in 10g. The diagram below shows the relationship between users, groups and application roles. Note that the Groups shown in the diagram refer to LDAP Groups (WebLogic Groups by default) and not OBIEE application Groups. The following screenshot compares the permission windows from Admin tool in 10g vs 11g. Note that the Groups in the OBIEE 10g are replaced with Application Roles in OBIEE 11g. The same is applicable to OBIEE web catalog objects.    The default Application Roles available after OBIEE 11g installation are BIAdministrator, BISystem, BIConsumer and BIAuthor. Application policies are the authorization policies that an application relies upon for controlling access to its resources. An Application Role is defined by the Application Policy. The following screenshot shows the policies defined for BIAdministrator and BISystem Roles. Note that the permission for impersonation is granted to BISystem Role. In OBIEE 10g, the permission to manage repositories and Impersonation were assigned to “Administrators” group with no control to separate these permissions in the Administrators group. Hence user “Administrator” also had the permission to impersonate. In OBI11g, BIAdministrator does not have the permission to impersonate. This gives more flexibility to have multiple users perform different administrative functions. Application Roles, Policies, association of Policies to application roles and association of users and groups to application roles are managed using Fusion Middleware Enterprise Manager (FMW EM). They reside in the policy store, identified by the system-jazn-data.xml file. The screenshots below show where they are created and managed in FMW EM. The following screenshot shows the assignment of WebLogic Groups to Application Roles. The following screenshot shows the assignment of Permissions to Application Roles (Application Policies). Note: Object level permission association to Applications Roles resides in the RPD for repository objects. Permissions and Privilege for web catalog objects resides in the OBIEE Web Catalog. Wherever Groups were used in the web catalog and RPD has been replaced with Application roles in OBIEE 11g. Following are the tools used in OBIEE 11g Security Administration: ·       Users and Groups are managed in Oracle WebLogic Administration console (by default). If WebLogic is integrated with other LDAP products, then Users and Groups needs to managed using the interface provide by the respective LDAP vendor – New in OBIEE 11g ·       Application Roles and Application Policies are managed in Oracle Enterprise Manager - Fusion Middleware Control – New in OBIEE 11g ·       Repository object permissions are managed in OBIEE Administration tool – Same as 10g but the assignment is to Application Roles instead of Groups ·       Presentation Services Catalog Permissions and Privileges are managed in OBI Application administration page - Same as 10g but the assignment is to Application Roles instead of Groups Credential Store: Credential Store is a single consolidated service provider to store and manage the application credentials securely. The credential store contains credentials that either user supplied or system generated. Credential store in OBIEE 10g is file based and is managed using cryptotools utility. In 11g, Credential store can be managed directly from the FMW Enterprise Manager and is stored in cwallet.sso file. By default, the Credential Store stores password for deployed RPDs, BI Publisher data sources and BISystem user. In addition, Credential store can be LDAP based but only Oracle Internet Directory is supported right now. As you can see OBIEE security is integrated with Oracle Fusion Middleware security architecture. This provides a common security framework for all components of Business Intelligence and Fusion Middleware applications.

    Read the article

  • What’s New In Microsoft Security Essentials 2.0 And How To Upgrade To 2.0

    - by Gopinath
    Since Microsoft released Microsoft Security Essentials(MSE) couple of years ago, I stopped worrying about antivirus programs on all my Windows PCs. MSE is just awesome and it’s the best free antivirus available in the market. Microsoft released version 2.0 of MSE yesterday with enhanced security features and more love for Windows users. New features introduced in this version are New protection engine - Heuristic scanning engine is introduced to bump the virus detection and cleaning mechanism. Network inspection system to monitor network traffic as we browse and protects us from malicious scripts and programs. Better integration with Windows Firewall With this upgrade, MSE is irresistible antivirus application to have on every Windows PC. How To Upgrade MSE 1.0 to 2.0 Generally upgrading Microsoft applications are kids play. All one would require to upgrade is to go to Help->Check for upgrades menu option and follow the wizard to complete upgrade process. Microsoft Security Essentials 1.0 to 2.0 upgrade is also expected to be this way, but somehow it’s not working for me in India. May be I guess, MSE 2.0 is not released for Indian users. What ever may be the reason, it’s very easy to upgrade MSE 1.0 to 2.0  manually. Just download the installer from Microsoft(link given below) and run the installer. Choose Upgrade option when the installer is executing to have MSE 2.0 installed on your PC. MSE 2.0 Download Link You can download Microsoft Security Essentials 2.0 at Microsoft Download Center. This article titled,What’s New In Microsoft Security Essentials 2.0 And How To Upgrade To 2.0, was originally published at Tech Dreams. Grab our rss feed or fan us on Facebook to get updates from us.

    Read the article

  • Steps to Mitigate Database Security Worst Practices

    - by Troy Kitch
    The recent Top 6 Database Security Worst Practices webcast revealed the Top 6, and a bonus 7th , database security worst practices: Privileged user "all access pass" Allow application bypass Minimal and inconsistent monitoring/auditing Not securing application data from OS-level user No SQL injection defense Sensitive data in non-production environments Not securing complete database environment These practices are uncovered in the 2010 IOUG Data Security Survey. As part of the webcast we looked at each one of these practices and how you can mitigate them with the Oracle Defense-in-Depth approach to database security. There's a lot of additional information to glean from the webcast, so I encourage you to check it out here and see how your organization measures up.

    Read the article

  • SQLAuthority News – 2 Security Updates for SQL Server 2000 SP 4 Users

    - by pinaldave
    If you are using SQL Server 2000 still today my very first recommendation to you is to upgrade to SQL Server 2012. SQL Server 2000 is now 12 years old product and since then many new enhancements as well features which are relevant to current growth and progress in Informational Industry. Now is the time to catch up with the latest trends. Here is one more point for you to notice if this helps you consider to upgrade to the latest version. One can’t upgrade directly from SQL Server 2000 to SQL Server 2012. You need to first upgrade to either SQL Server 2005/2008/R2 and then further plan to upgrade to SQL Server 2012. There is no direct upgrade path for SQL Server 2000 to SQL Server 2012. I strongly believe this is the time to upgrade to the latest version. Well, also there is a rule that to let something continue if it is not broken and working fine. If you are following that rule and still using SQL Server 2000 I strongly suggest that you upgrade your SQL Server 2000 SP4 and update it with latest Security updates. Here are two important SQL Server Security Updates. Security Update for SQL Server 2000 Service Pack 4 (KB983811) Security Update for SQL Server 2000 Service Pack 4 (KB983812) As we are talking about SQL Server 2000 let me ask you a quick question – how many of you are still using SQL Server 2000 or earlier version in a production system on at least one server? Reference: Pinal Dave (http://blog.sqlauthority.com) Filed under: PostADay, SQL, SQL Authority, SQL Download, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

    Read the article

  • Web security course ?

    - by vtortola
    I'd like to do a course about web security. I've seen some certifications that could be interesting: CIW Web Security Professional CISSP® - Certified Information Systems Security Professional Certified Secure Software Lifecycle Professional What do you know about these certifications? are they recognized? I'm not trying to become a hacker, I just want to ensure I have enough knowledge about web security to cope with today internet. From my inexpert point of view, "Certified Secure Software Lifecycle Professional" looks exactly as I want, the problem is that it cost more than 500 bucks! Why certification? well, I want to learn but I would like also have a way to demonstrate to a future employer/customer that I had to study and pass exams, not only attend to a course. Regards.

    Read the article

  • Security aspects of an ASP.NET that can be pointed out to the client

    - by Maxim V. Pavlov
    I need to write several passages of text in an offer to the client about the security layer in ASP.NET MVC web solution. I am aware of security that comes along with MVC 3 and an improvements in MVC 4. But all of them are non conceptual, except for AntiForgeryToken (AntiXSS) and built-in SQL Injection immunity (with a little of encoding needed by hand). What would be the main point of ASP.NET security I can "show off" in an offer to the client?

    Read the article

  • Open Source Security packages for Rails

    - by Edwin
    I'm currently creating a complete web application using Rails 3 to familiarize myself with its inner workings and to gain a better appreciation of a working web application's moving parts. (Plus, since I'm still working on my degree, I hope that it will give me a better idea of what's BS in my education requirements and which weaknesses/skills I should focus on.) The example application I'm working on is an ecommerce site, and I've already configured the backend, routes, controllers, and so on. As part of the application, I'd like to integrate a second layer of security on top of the one Rails already provides for user authentication. However, I've been unable to find any on Google, with the exception of OAuth - which, from my understanding, is meant to secure API calls. While I could roll my own secure authentication system, I'm only in my second year of college and recognize that A) I know little about security, and B) there are developers that know much more about security that are working on open-source projects. What are some actively developed open-source security packages or frameworks that can be easily added to Rails? Pros and cons are not necessary, as I can do the research myself. P.S. I'm not sure whether I posted this in the right SE site; please migrate to SO or Security if it is more appropriate there.

    Read the article

  • j2ee implementing security and using a framwork pros and cons

    - by Ismail Marmoush
    I'm a newbie to j2ee security, and i'm not j2ee expert either, though i'm really willing to put some effort and learn I've an application that i'm about to develop on Google App Engine (GAE) --with no time constraints. As you know GAE handles a lot of web container security issues for you, also I will be using openID for authentication exclusively (sessions will be handled by provider). GAE supports SSL which will help with confidentiality and integrity maybe. Authorization can be done through filters. I know reinventing the wheel is a mess, but I was looking forward to learn something about security and implement that in my new app. so what the pros and cons of using a framework like shiro, spring security, jguard etc or filling the rest of gaps on my own ?

    Read the article

  • Weaknesses of 3-Strike Security

    - by prelic
    I've been reading some literature on security, specifically password security/encryption, and there's been one thing that I've been wondering: is the 3-strike rule a perfect solution to password security? That is, if the number of password attempts is limited to some small number, after which all authentication requests will not be honored, will that not protect users from intrusion? I realize gaining access or control over something doesn't always mean going through the authentication system, but doesn't this feature make dictionary/brute-force attacks obsolete? Is there something I'm missing?

    Read the article

  • Monday, Oct 1 at OpenWorld - Database Security Must See Sessions

    - by Troy Kitch
    TIME TITLE LOCATION 12:15 - 1:15 PM Database Security Inside-Out: Latest Innovations in Database Security (CON8686) Moscone South - 102 3:15 - 4:15 PM Oracle Database Security Solutions Customer Panel: Real-World Case Studies (CON8674) Moscone South - 270 4:45 - 5:45 PM Latest Innovations and Best Practices for Oracle Database Auditing (CON8661) Moscone South - 303

    Read the article

  • WCF Test Client Service Failed to Invoke

    - by renjucool
    I'm connection IBM.Iseries database in a c# application using ADO.NET iSeries drivers. My WCF service is throwing the error as "HTTP could not register URL http://+:80/Temporary_Listen_Addresses/771be107-8fa3-46f9-ac01-12c4d503d01e/ because TCP port 80 is being used by another application." <system.serviceModel> <client> <endpoint address="http://localhost:8080/Design_Time_Addresses/DataAccessLayer/POEngine/" binding="wsDualHttpBinding" bindingConfiguration="" contract="POServiceReference.IPOEngine" name="MyPoBindings"> <identity> <dns value="localhost" /> </identity> </endpoint> <endpoint address="http://localhost:8080/Design_Time_Addresses/DataAccessLayer/POEngine/" binding="wsDualHttpBinding" bindingConfiguration="PoBindings1" contract="POServiceReference.IPOEngine" name="PoBindings"> <identity> <dns value="localhost" /> </identity> </endpoint> </client> <bindings> <wsDualHttpBinding> <binding name="PoBindings1" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <reliableSession ordered="true" inactivityTimeout="00:10:00" /> <security mode="Message"> <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" /> </security> </binding> </wsDualHttpBinding> <wsHttpBinding> <binding name="PoBindings" /> </wsHttpBinding> </bindings> <services> <service behaviorConfiguration="DataAccessLayer.POEngineBehavior" name="DataAccessLayer.POEngine"> <endpoint address="" binding="wsDualHttpBinding" bindingConfiguration="" name="PoBindings" contract="DataAccessLayer.IPOEngine"> <identity> <dns value="localhost" /> </identity> </endpoint> <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> <host> <baseAddresses> <add baseAddress="http://localhost:8080/Design_Time_Addresses/DataAccessLayer/POEngine/" /> </baseAddresses> </host> </service> </services> <behaviors> <endpointBehaviors> <behavior name="NewBehavior" /> </endpointBehaviors> <serviceBehaviors> <behavior name="DataAccessLayer.Service1Behavior"> <serviceMetadata httpGetEnabled="true" /> <serviceDebug includeExceptionDetailInFaults="false" /> </behavior> <behavior name="DataAccessLayer.POEngineBehavior"> <serviceMetadata httpGetEnabled="true" /> <serviceDebug includeExceptionDetailInFaults="false" /> </behavior> </serviceBehaviors> </behaviors> </system.serviceModel> Having the problem also without using any IBM data access. A normal Hello World is also throwing the error.Where i need to change the port address

    Read the article

  • MEX issues using WCF Test Client over net.pipe

    - by Beaud.
    I'm trying to make use of WCF Test Client along with named pipes but I get the following error: Error: Cannot obtain Metadata from net.pipe://localhost/MyService Here's my web.config: <system.serviceModel> <services> <service name="MyNamespace.MyService" behaviorConfiguration="MEX"> <endpoint address="net.pipe://localhost/MyService" binding="netNamedPipeBinding" contract="MyNamespace.MyService.IMyService" /> <endpoint address="net.pipe://localhost/MEX" binding="mexNamedPipeBinding" contract="IMetadataExchange" /> </service> </services> <client> <endpoint address="net.pipe://localhost/MyService" binding="netNamedPipeBinding" contract="MyNamespace.MyService.IMyService" /> </client> <behaviors> <serviceBehaviors> <behavior name="MEX"> <serviceMetadata /> </behavior> </serviceBehaviors> </behaviors> What's wrong? I have tried both net.pipe://localhost/MyService and net.pipe://localhost/MEX. Any help would be appreciated, thanks!

    Read the article

  • WCF Service Layer in n-layered application: performance considerations

    - by Marconline
    Hi all. When I went to University, teachers used to say that in good structured application you have presentation layer, business layer and data layer. This is what I heard for more than 5 years. When I started working I discovered that this is true but sometimes is better to have more than just three layers. Two or three days ago I discovered this article by John Papa that explain how to use Entity Framework in layered application. According to that article you should have: UI Layer and Presentation Layer (Model View Pattern) Service Layer (WCF) Business Layer Data Access Layer Service Layer is, to me, one of the best ideas I've ever heard since I work. Your UI is then completely "diconnected" from Business and Data Layer. Now when I went deeper by looking into provided source code, I began to have some questions. Can you help me in answering them? Question #0: is this a good enterpise application template in your opinion? Question #1: where should I host the service layer? Should it be a Windows Service or what else? Question #2: in the source code provided the service layer expose just an endpoint with WSHttpBinding. This is the most interoperable binding but (I think) the worst in terms of performances (due to serialization and deserializations of objects). Do you agree? Question #3: if you agree with me at Question 2, which kind of binding would you use? Looking forward to hear from you. Have a nice weekend! Marco

    Read the article

  • WCF 3.5 to 3.0 backwards compatibility with callback services

    - by Miral
    I have a set of existing WCF services hosted in a .NET 3.0 app. They're using the WSHttp bindings and no security. I need to connect to these from a .NET 3.5 client. This seems to be working fine for the one-way services, but I also have some callback services (with CallbackContract and SessionMode = Required, using WSDualHttpBinding); these fail to connect with a timeout somewhere in the ReliableSession code. The service side cannot be changed (it's a historic version issue). Can I modify something on the client side to get this working? (I can connect with a .NET 3.0 client just fine, but I'd rather not be forced to try that path.) The open operation did not complete within the allotted timeout of 00:00:09.9410000. The time allotted to this operation may have been a portion of a longer timeout. Server stack trace: at System.ServiceModel.Channels.ReliableRequestor.ThrowTimeoutException() at System.ServiceModel.Channels.ReliableRequestor.Request(TimeSpan timeout) at System.ServiceModel.Channels.ClientReliableSession.Open(TimeSpan timeout) at System.ServiceModel.Channels.ClientReliableDuplexSessionChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

    Read the article

  • WCF Service Impersonation

    - by robalot
    Good Day Everyone... Apparently, I'm not setting-up impersonation correctly for my WCF service. I do NOT want to set security on a method-by-method basis (in the actual code-behind). The service (at the moment) is open to be called by everyone on the intranet. So my questions are… Q: What web-config tags am I missing? Q: What do I need to change in the web-config to make impersonation work? The Service Web.config Looks Like... <configuration> <system.web> <authorization> <allow users="?"/> </authorization> <authentication mode="Windows"/> <identity impersonate="true" userName="MyDomain\MyUser" password="MyPassword"/> </system.web> <system.serviceModel> <services> <service behaviorConfiguration="wcfFISH.DataServiceBehavior" name="wcfFISH.DataService"> <endpoint address="" binding="wsHttpBinding" contract="wcfFISH.IFishData"> <identity> <dns value="localhost"/> </identity> </endpoint> <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="wcfFISH.DataServiceBehavior"> <serviceMetadata httpGetEnabled="false"/> <serviceDebug includeExceptionDetailInFaults="false"/> </behavior> </serviceBehaviors> </behaviors> </system.serviceModel> </configuration>

    Read the article

  • RESTful WCF Data Service Authentication

    - by Adrian Grigore
    Hi, I'd like to implement a REST api to an existing ASP.NET MVC website. I've managed to set up WCF Data services so that I can browse my data, but now the question is how to handle authentication. Right now the data service is secured via the site's built in forms authentication, and that's ok when accessing the service from AJAX forms. However, It's not ideal for a RESTful api. What I would like as an alternative to forms authentication is for the users to simply embed the user name and password into the url to the web service or as request parameters. For example, if my web service is usually accessible as http://localhost:1234/api.svc I'd like to be able to access it using the url http://localhost:1234/api.svc/{login}/{password} So, my questions are as follows: Is this a sane approach? If yes, how can I implement this? It seems trivial redirecting GET requests so that the login and password are attached as GET parameters. I also know how to inspect the http context and use those parameters to filter the results. But I am not sure if / how the same approach could be applied to POST, PUT and DELETE requests. Thanks, Adrian

    Read the article

  • WCF 3.5 Service and multiple http bindings

    - by mortenvpdk
    Hi I can't get my WCF service to work with more than one http binding. In IIS 7 I have to bindings http:/service and http:/service.test both at port 80 In my web.config I have added the baseAddressPrefixFilters but I can't add more than one <serviceHostingEnvironment> <baseAddressPrefixFilters> <add prefix="http://service"/> <add prefix="http://service.test"/> </baseAddressPrefixFilters> </serviceHostingEnvironment> This gives almost the same error "This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. " as if no filers were specified at all (This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. Parameter name: item) If I add only one filter then the service works but only responds on the added filter address. I've also tried with specifing multiple endpoints like (and only one filter): <endpoint address="http://service.test" binding="basicHttpBinding" bindingConfiguration="" contract="IService" /> <endpoint address="http://service" binding="basicHttpBinding" bindingConfiguration="" contract="IService" /> Then still only the address also specified in the filter works and the other returns this error: Server Error in Application "ISPSERVICE" HTTP Error 400.0 - Bad Request Regards Morten

    Read the article

  • How to pass multiple parameter in DomainService - WCF

    - by S.Amani
    Hi, Let's say I have a window which should submit 3 model in client side (Silverlight Client Application). My problem is each time I submit the form, data on the server side which I passed them from client are empty. I've used nested class which contains my models, instead of passing multiple object as parameter, but it didn't work again. My Personnel Data Transfer Object Code is something like this : [DataContract] public class PersonnelDTO : EntityObject { [Key] [DataMember] public int PersonnelId { get; set; } [Include] [DataMember] [Association("Personnel_ID", "PersonnelId", "Personnel_ID")] public Personnel Personnel { get; set; } [Include] [DataMember] [Association("Personnel_Info_ID", "PersonnelId", "Personnel_Info_ID")] public Personnel_Info PersonnelInfo { get; set; } } I fill up this model to pass data from client to server (DomainService). and also my domain service code is : [Invoke] public void AddPersonnel(PersonnelDTO personnelDTO) { // Model are EMPTY in DTO ObjectContext.AddToPersonnels(personnelDTO.Personnel); ObjectContext.AddToPersonnel_Info(personnelDTO.PersonnelInfo); ObjectContext.SaveChanges(); } I don't know if there is a way to pass multiple parameter in WCF Service method include Generic List. Any advice will be graceful. Thanks.

    Read the article

  • WCF events in server-side

    - by Eisenrich
    Hi all, I'm working on an application in WCF and want to receive events in the server side. I have a web that upon request needs to register a fingerprint. The web page request the connection of the device and then every second for 15 seconds requests the answer. The server-side code is apparently "simple" but doesn't work. Here is it: [ServiceContract] interface IEEtest { [OperationContract] void EEDirectConnect(); } class EETest : IEEtest { public void EEDirectConnect() { CZ ee = new CZ(); // initiates the device dll ee.Connect_Net("192.168.1.200", 4011); ee.OnFinger += new _IEEEvents_OnFingerEventHandler(ee_OnFinger); } public void ee_OnFinger() { //here i have a breakpoint; } } every time I put my finger, it should fire the event. in fact if I static void Main() { EETest pp = new EETest(); pp.EEDirectConnect(); } It works fine. but from my proxy it doesn't fire the event. do you have any tips, recommendations, or can you see the error? Thanks everyone.

    Read the article

  • Spring security request matcher is not working with regex

    - by Felipe Cardoso Martins
    Using Spring MVC + Security I have a business requirement that the users from SEC (Security team) has full access to the application and FRAUD (Anti-fraud team) has only access to the pages that URL not contains the words "block" or "update" with case insensitive. Bellow, all spring dependencies: $ mvn dependency:tree | grep spring [INFO] +- org.springframework:spring-webmvc:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-asm:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-beans:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-context:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-context-support:jar:3.1.2.RELEASE:compile [INFO] | \- org.springframework:spring-expression:jar:3.1.2.RELEASE:compile [INFO] +- org.springframework:spring-core:jar:3.1.2.RELEASE:compile [INFO] +- org.springframework:spring-web:jar:3.1.2.RELEASE:compile [INFO] +- org.springframework.security:spring-security-core:jar:3.1.2.RELEASE:compile [INFO] | \- org.springframework:spring-aop:jar:3.0.7.RELEASE:compile [INFO] +- org.springframework.security:spring-security-web:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-jdbc:jar:3.0.7.RELEASE:compile [INFO] | \- org.springframework:spring-tx:jar:3.0.7.RELEASE:compile [INFO] +- org.springframework.security:spring-security-config:jar:3.1.2.RELEASE:compile [INFO] +- org.springframework.security:spring-security-acl:jar:3.1.2.RELEASE:compile Bellow, some examples of mapped URL path from spring log: Mapped URL path [/index] onto handler 'homeController' Mapped URL path [/index.*] onto handler 'homeController' Mapped URL path [/index/] onto handler 'homeController' Mapped URL path [/cellphone/block] onto handler 'cellphoneController' Mapped URL path [/cellphone/block.*] onto handler 'cellphoneController' Mapped URL path [/cellphone/block/] onto handler 'cellphoneController' Mapped URL path [/cellphone/confirmBlock] onto handler 'cellphoneController' Mapped URL path [/cellphone/confirmBlock.*] onto handler 'cellphoneController' Mapped URL path [/cellphone/confirmBlock/] onto handler 'cellphoneController' Mapped URL path [/user/update] onto handler 'userController' Mapped URL path [/user/update.*] onto handler 'userController' Mapped URL path [/user/update/] onto handler 'userController' Mapped URL path [/user/index] onto handler 'userController' Mapped URL path [/user/index.*] onto handler 'userController' Mapped URL path [/user/index/] onto handler 'userController' Mapped URL path [/search] onto handler 'searchController' Mapped URL path [/search.*] onto handler 'searchController' Mapped URL path [/search/] onto handler 'searchController' Mapped URL path [/doSearch] onto handler 'searchController' Mapped URL path [/doSearch.*] onto handler 'searchController' Mapped URL path [/doSearch/] onto handler 'searchController' Bellow, a test of the regular expressions used in spring-security.xml (I'm not a regex speciality, improvements are welcome =]): import java.util.Arrays; import java.util.List; public class RegexTest { public static void main(String[] args) { List<String> pathSamples = Arrays.asList( "/index", "/index.*", "/index/", "/cellphone/block", "/cellphone/block.*", "/cellphone/block/", "/cellphone/confirmBlock", "/cellphone/confirmBlock.*", "/cellphone/confirmBlock/", "/user/update", "/user/update.*", "/user/update/", "/user/index", "/user/index.*", "/user/index/", "/search", "/search.*", "/search/", "/doSearch", "/doSearch.*", "/doSearch/"); for (String pathSample : pathSamples) { System.out.println("Path sample: " + pathSample + " - SEC: " + pathSample.matches("^.*$") + " | FRAUD: " + pathSample.matches("^(?!.*(?i)(block|update)).*$")); } } } Bellow, the console result of Java class above: Path sample: /index - SEC: true | FRAUD: true Path sample: /index.* - SEC: true | FRAUD: true Path sample: /index/ - SEC: true | FRAUD: true Path sample: /cellphone/block - SEC: true | FRAUD: false Path sample: /cellphone/block.* - SEC: true | FRAUD: false Path sample: /cellphone/block/ - SEC: true | FRAUD: false Path sample: /cellphone/confirmBlock - SEC: true | FRAUD: false Path sample: /cellphone/confirmBlock.* - SEC: true | FRAUD: false Path sample: /cellphone/confirmBlock/ - SEC: true | FRAUD: false Path sample: /user/update - SEC: true | FRAUD: false Path sample: /user/update.* - SEC: true | FRAUD: false Path sample: /user/update/ - SEC: true | FRAUD: false Path sample: /user/index - SEC: true | FRAUD: true Path sample: /user/index.* - SEC: true | FRAUD: true Path sample: /user/index/ - SEC: true | FRAUD: true Path sample: /search - SEC: true | FRAUD: true Path sample: /search.* - SEC: true | FRAUD: true Path sample: /search/ - SEC: true | FRAUD: true Path sample: /doSearch - SEC: true | FRAUD: true Path sample: /doSearch.* - SEC: true | FRAUD: true Path sample: /doSearch/ - SEC: true | FRAUD: true Tests Scenario 1 Bellow, the important part of spring-security.xml: <security:http entry-point-ref="entryPoint" request-matcher="regex"> <security:intercept-url pattern="^.*$" access="ROLE_SEC" /> <security:intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD" /> <security:access-denied-handler error-page="/access-denied.html" /> <security:form-login always-use-default-target="false" login-processing-url="/doLogin.html" authentication-failure-handler-ref="authFailHandler" authentication-success-handler-ref="authSuccessHandler" /> <security:logout logout-url="/logout.html" success-handler-ref="logoutSuccessHandler" /> </security:http> Behaviour: FRAUD group **can't" access any page SEC group works fine Scenario 2 NOTE that I only changed the order of intercept-url in spring-security.xml bellow: <security:http entry-point-ref="entryPoint" request-matcher="regex"> <security:intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD" /> <security:intercept-url pattern="^.*$" access="ROLE_SEC" /> <security:access-denied-handler error-page="/access-denied.html" /> <security:form-login always-use-default-target="false" login-processing-url="/doLogin.html" authentication-failure-handler-ref="authFailHandler" authentication-success-handler-ref="authSuccessHandler" /> <security:logout logout-url="/logout.html" success-handler-ref="logoutSuccessHandler" /> </security:http> Behaviour: SEC group **can't" access any page FRAUD group works fine Conclusion I did something wrong or spring-security have a bug. The problem already was solved in a very bad way, but I need to fix it quickly. Anyone knows some tricks to debug better it without open the frameworks code? Cheers, Felipe

    Read the article

  • Do not use “using” in WCF Client

    - by oazabir
    You know that any IDisposable object must be disposed using using. So, you have been using using to wrap WCF service’s ChannelFactory and Clients like this: using(var client = new SomeClient()) {. ..} Or, if you are doing it the hard and slow way (without really knowing why), then: using(var factory = new ChannelFactory<ISomeService>()) {var channel= factory.CreateChannel();...} That’s what we have all learnt in school right? We have learnt it wrong! When there’s a network related error or the connection is broken, or the call is timed out before Dispose is called by the using keyword, then it results in the following exception when the using keyword tries to dispose the channel: failed: System.ServiceModel.CommunicationObjectFaultedException : The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state. Server stack trace: at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout) at System.ServiceModel.ClientBase`1.System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout) at System.ServiceModel.ClientBase`1.Close() at System.ServiceModel.ClientBase`1.System.IDisposable.Dispose() There are various reasons for which the underlying connection can be at broken state before the using block is completed and the .Dispose() is called. Common problems like network connection dropping, IIS doing an app pool recycle at that moment, some proxy sitting between you and the service dropping the connection for various reasons and so on. The point is, it might seem like a corner case, but it’s a likely corner case. If you are building a highly available client, you need to treat this properly before you go-live. So, do NOT use using on WCF Channel/Client/ChannelFactory. Instead you need to use an alternative. Here’s what you can do: First create an extension method. public static class WcfExtensions{ public static void Using<T>(this T client, Action<T> work) where T : ICommunicationObject { try { work(client); client.Close(); } catch (CommunicationException e) { client.Abort(); } catch (TimeoutException e) { client.Abort(); } catch (Exception e) { client.Abort(); throw; } }} Then use this instead of the using keyword: new SomeClient().Using(channel => { channel.Login(username, password);}); Or if you are using ChannelFactory then: new ChannelFactory<ISomeService>().Using(channel => { channel.Login(username, password);}); Enjoy!

    Read the article

  • Callback Contract in WCF

    Callback contracts are a very powerful concept that is easily implemented in WCF. Using this, it is very easy to achieve event-like behavior between a service and client (duplex operations).

    Read the article

  • ADO.NET (WCF) Data Services Query Interceptor Hangs IIS

    - by PreMagination
    I have an ADO.NET Data Service that's supposed to provide read-only access to a somewhat complex database. Logically I have table-per-type (TPT) inheritance in my data model but the EDM doesn't implement inheritance. (Limitation of EF and navigation properties on derived types. STILL not fixed in EF4!) I can query my EDM directly (using a separate project) using a copy of the query I'm trying to run against the web service, results are returned within 10 seconds. Disabling the query interceptors I'm able to make the same query against the web service, results are returned similarly quickly. I can enable some of the query interceptors and the results are returned slowly, up to a minute or so later. Alternatively, I can enable all the query interceptors, expand less of the properties on the main object I'm querying, and results are returned in a similar period of time. (I've increased some of the timeout periods) Up til this point Sql Profiler indicates the slow-down is the database. (That's a post for a different day) But when I enable all my query interceptors and expand all the properties I'd like to have the IIS worker process pegs the CPU for 20 minutes and a query is never even made against the database. This implies to me that yes, my implementation probably sucks but regardless the Data Services "tier" is having an issue it shouldn't. WCF tracing didn't reveal anything interesting to my untrained eye. Details: Data model: Agent-Person-Student Student has a collection of referrals Students and referrals are private, queries against the web service should only return "your" students and referrals. This means Person and Agent need to be filtered too. Other entities (Agent-Organization-School) can be accessed by anyone who has authenticated. The existing security model is poorly suited to perform this type of filtering for this type of data access, the query interceptors are complicated and cause EF to generate some entertaining sql queries. Sample Interceptor [QueryInterceptor("Agents")] public Expression<Func<Agent, Boolean>> OnQueryAgents() { //Agent is a Person(1), Educator(2), Student(3), or Other Person(13); allow if scope permissions exist return ag => (ag.AgentType.AgentTypeId == 1 || ag.AgentType.AgentTypeId == 2 || ag.AgentType.AgentTypeId == 3 || ag.AgentType.AgentTypeId == 13) && ag.Person.OrganizationPersons.Count<OrganizationPerson>(op => op.Organization.ScopePermissions.Any<ScopePermission> (p => p.ApplicationRoleAccount.Account.UserName == HttpContext.Current.User.Identity.Name && p.ApplicationRoleAccount.Application.ApplicationId == 124) || op.Organization.HierarchyDescendents.Any<OrganizationsHierarchy>(oh => oh.AncestorOrganization.ScopePermissions.Any<ScopePermission> (p => p.ApplicationRoleAccount.Account.UserName == HttpContext.Current.User.Identity.Name && p.ApplicationRoleAccount.Application.ApplicationId == 124))) > 0; } The query interceptors for Person, Student, Referral are all very similar, ie they traverse multiple same/similar tables to look for ScopePermissions as above. Sample Query var referrals = (from r in service.Referrals .Expand("Organization/ParentOrganization") .Expand("Educator/Person/Agent") .Expand("Student/Person/Agent") .Expand("Student") .Expand("Grade") .Expand("ProblemBehavior") .Expand("Location") .Expand("Motivation") .Expand("AdminDecision") .Expand("OthersInvolved") where r.DateCreated >= coupledays && r.DateDeleted == null select r); Any suggestions or tips would be greatly associated, for fixing my current implementation or in developing a new one, with the caveat that the database can't be changed and that ultimately I need to expose a large portion of the database via a web service that limits data access to the data authorized for, for the purpose of data integration with multiple outside parties. THANK YOU!!!

    Read the article

  • WCF Service, Java JApplet client, transport error 405

    - by Juan Zamudio
    Hi all, I'm having a problem with a WCF Service and Java Client, I will try to give as much information as i can, thanks for your time. The Endpoint of the server is BasicHttpBinding, I tried hosting the server as a Windows Service and in IIS but nothing changed. The weird thing is that the Client works great if I use a simple class, in the moment I switch the class to an JApplet I get the problem mentioned. I'm using Eclipse as an IDE, I tried Axis and Metro to generate the stub with the same bad results. Here is an example of the Java class where everything is working public class TestSoaMetro { public String TestMethod(){ String result=null; IDigitalSignatureService aa = new DigitalSignatureService().getBasicHttpBindingEndpoint(); try { result= aa.getData("1", "id002962"); } catch (IDigitalSignatureServiceGetDataArgumentExceptionFaultFaultMessage e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (IDigitalSignatureServiceGetDataInvalidOperationExceptionFaultFaultMessage e) { // TODO Auto-generated catch block e.printStackTrace(); } return result; } } Here is the example of the JApplet where I get the error: public class TestSoaMetroApplet extends JApplet { public void init() { Container content = getContentPane(); content.setBackground(Color.white); content.setLayout(new FlowLayout()); String result= this.TestMethod(); JLabel label = new JLabel(result); content.add(label); } public String TestMethod(){ String result=null; IDigitalSignatureService aa = null; try { aa = new DigitalSignatureService().getBasicHttpBindingEndpoint(); result= aa.getData("1", "id002962"); } catch (IDigitalSignatureServiceGetDataArgumentExceptionFaultFaultMessage e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (IDigitalSignatureServiceGetDataInvalidOperationExceptionFaultFaultMessage e) { // TODO Auto-generated catch block e.printStackTrace(); } return result; } } In the moment the Applet loads I get the error, is the exact same call so I don't understand why I get the exception using the Applet. I Also tried to call this from a Silverlight client and I was getting a security exception, this is where I found out about clientaccesspolicy.xml and crossdomain.xml, I added clientaccesspolicy.xml to the service and the Silverlight Client works great, so I decided to try crossdomain.xml and nothing, the Applet still does not work. I will put the stack trace at the end, thanks all for your time. Juan Zamudio javax.xml.ws.WebServiceException: org.apache.axis2.AxisFault: Transport error: 405 Error: Method not allowed at org.apache.axis2.jaxws.ExceptionFactory.createWebServiceException(ExceptionFactory.java:175) at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:70) at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:128) at org.apache.axis2.jaxws.core.controller.impl.AxisInvocationController.execute(AxisInvocationController.java:559) at org.apache.axis2.jaxws.core.controller.impl.AxisInvocationController.doInvoke(AxisInvocationController.java:118) at org.apache.axis2.jaxws.core.controller.impl.InvocationControllerImpl.invoke(InvocationControllerImpl.java:82) at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invokeSEIMethod(JAXWSProxyHandler.java:317) at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invoke(JAXWSProxyHandler.java:159) at $Proxy12.getData(Unknown Source) at TestSoaMetroApplet.TestMethod(TestSoaMetroApplet.java:28) at TestSoaMetroApplet.init(TestSoaMetroApplet.java:19) at sun.applet.AppletPanel.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: org.apache.axis2.AxisFault: Transport error: 405 Error: Method not allowed at org.apache.axis2.transport.http.HTTPSender.handleResponse(HTTPSender.java:295) at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:190) at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:389) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:222) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:435) at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:402) at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165) at org.apache.axis2.jaxws.core.controller.impl.AxisInvocationController.execute(AxisInvocationController.java:554) ... 9 more

    Read the article

< Previous Page | 6 7 8 9 10 11 12 13 14 15 16 17  | Next Page >