Search Results

Search found 13404 results on 537 pages for 'adf security'.

Page 7/537 | < Previous Page | 3 4 5 6 7 8 9 10 11 12 13 14  | Next Page >

  • Oracle Virtual Developer Day: Oracle Fusion Development

    - by rituchhibber
    Get up to date and learn everything you wanted to know about Oracle ADF & Fusion Development plus live Q&A chats with Oracle technical staff. Oracle Application Development Framework (ADF) is the standards based, strategic framework for Oracle Fusion Applications and Oracle Fusion Middleware. Oracle ADF's integration with the Oracle SOA Suite, Oracle WebCenter and Oracle BI creates a complete productive development platform for your custom applications. Join us at this FREE virtual event and learn the latest in Fusion Development including: Is Oracle ADF development faster and simpler than Forms, Apex or .Net? Mobile Application Development with ADF Mobile Oracle ADF development with Eclipse Oracle WebCenter Portal and ADF Development Application Lifecycle Management with ADF Building Process Centric Applications with ADF and BPM Oracle Business Intelligence and ADF Integration Live Q&A chats with Oracle technical staff Developer lead, manager or architect - this event has something for everyone. Don't miss this opportunity. December 11th, 2012, at 9:00 – 13:00 GMT/ 10:00 - 14:00 CET Register online now for this FREE event! Agenda 9:00 am - 9:30 am Opening 9:30 am - 10:00 am Keynote Oracle Fusion Development Track 1 Introduction to Fusion Development Track 2 What's New in Fusion Development Track 3 Fusion Development in the Enterprise Track 4 Hands On Lab - WebCenter Portal and ADF Lab w/ JDeveloper 10:00 am - 11:00 am Is Oracle ADF development faster and simpler than Forms, Apex or .Net? Mobile Application Development with ADF Mobile Oracle WebCenter Portal and ADF Development Lab materials can be found on event wiki here. Q&A about the lab is available throughout the event. 11:00 am - 12:00 pm Rich Web UI made simple - an ADF Faces Overview Oracle Enterprise Pack for Eclipse - ADF Development Building Process Centric Applications with ADF and BPM 12:00 pm - 1:00 pm Next Generation Controller for JSF Application Lifecycle Management for ADF Oracle Business Intelligence and ADF Integration Click here to view session Abstracts. We look forward to welcoming you at this free event!

    Read the article

  • top tweets WebLogic Partner Community – November 2012

    - by JuergenKress
    Send us your tweets @wlscommunity #WebLogicCommunity and follow us on twitter http://twitter.com/wlscommunity Please feel free to send us your news! Andrejus Baranovskis ADF BC View Accessor To Centralize Business Logic Processing http://fb.me/ZdH3reTC OracleBlogs? Devoxx Coming Up! http://ow.ly/2t855p OTNArchBeat Webcast: #JMX with #Oracle #WebLogic Server 12c - featuring @FrankMunz Nov 13 10am PT 1pm ET http://pub.vitrue.com/ulyl OracleSupport_ Detailed nomenclature of #weblogic logging services http://pub.vitrue.com/LwLK WebLogic Community Java Management Extensions with Oracle WebLogic Server 12c&ndash;Webcast Nocember 13th 2012 http://wp.me/p1LMIb-oH Andrejus Baranovskis? Difference Between Initialized and New Mode in ADF BC http://fb.me/1d00veJLm Oracle Technet? Ondrej Brejla shares information on the release of NetbBeans IDE 7.3 Beta 2. http://pub.vitrue.com/Q0Ji OracleBlogs? Oracle ADF Essentials & ADF training material now on the iPad By Grant Ronald http://ow.ly/2t6m7y Markus Eisele #NetBeans 7.3 Beta2 is Out! https://blogs.oracle.com/netbeansphp/entry/netbeans_7_3_beta2_is … WebLogic Community Oracle ADF Essentials & ADF training material now on the iPad By Grant Ronald http://wp.me/p1LMIb-oj Frank Munz? Also next week, Tue, 10am PST: @Oracle devcast about WLS 12c JMX ecosystem 4 DevOps. Join now: http://goo.gl/oikWX Oracle WebLogic #EclipseLink #JPA deployed on #webLogic using #Eclipse #WTP very detailed tutorial http://pub.vitrue.com/tckQ Middleware Magic Middleware Magic Completes 2 year of spreading its Magic http://goo.gl/fb/8vdA4 #Weblogic #J2EE #news Adam Bien? Interview In The "Java Spotlight Episode 107" Podcast: I had a nice chat during the JavaOne 2012 conference in ... http://bit.ly/VBLiij OracleSupport_WLS? #WebLogic 12c example code projects with a focus on #Java EE 6 http://pub.vitrue.com/Og8C JDeveloper & ADF? ADF Insider: Angels in the ADF Architecture http://dlvr.it/2RYBjq Andreas Koop [blog post] ADF: Smart Input Date Client Converter: EnvironmentTested with JDeveloper / ADF 11.1.2.3(Should also... http://bit.ly/SIValJ Steven Davelaar Added 16 new ADF samples from @andrejusb http://java.net/projects/smuenchadf/pages/ADFSamplesAuthorABA1 … JDeveloper & ADF? Transaction Level ADF BC Entity Validation http://dlvr.it/2QWN7K Oracle Exalogic? Do you know the secret to Exalogic's speed? It's called Exabus. More at the OTN Garage - http://youtu.be/dreH2XmplyA OracleSupport_WLS New tutorial: configure and administrate #clusters http://pub.vitrue.com/Gduy JDeveloper & ADF? Workaround for an Xcode/iOS SDK Issue http://dlvr.it/2QTRlJ Masoud Kalali? #GlassFish trunk will switch to require JDK 7 to build, details at GlassFish #JDK 7 Switch FAQ: https://wikis.oracle.com/display/GlassFish/JDK+7+Switch+FAQ … ADF Code Corner? ADF Oracle Magazine Article "Master and Commander" about global command pattern strategy for regions with ctx events http://bit.ly/PLvxUL Maciej Gruszka? @wlscommunity Cloud Application Foundation webcast about OOW announcements soon avail for replay Adam Bien? Real World Java EE Patterns Book ("Green Edition") is available for lending. For unlimited time and free: http://www.amazon.com/gp/feature.html/?ie=UTF8&camp=1789&creative=390957&docId=1000739811&linkCode=ur2&tag=wwwadambienco-20 … WebLogic Community Slides for todays #WebLogicCommunity are uploaded to the workspace. Not yet a member http://www.oracle.com/partners/goto/wls-emea … #weblogic Adam Bien? My (unprepared) night hacking starts at 11 AM CET: http://nighthacking.com WebLogic Community We will start our ExaLogic webcast in 5 minutes http://weblogiccommunity.wordpress.com/2012/10/31/join-us-for-our-weblogic-communtiy-webcast-on-november-2nd-2012-oow-update-weblogic-exalogic/ … Gertjan van het Hof? WebLogic Communtiy webcast on November 2nd 2012 11:00 CET! OOW update WebLogic & ExaLogic « WebLogic Community http://weblogiccommunity.wordpress.com/2012/10/31/join-us-for-our-weblogic-communtiy-webcast-on-november-2nd-2012-oow-update-weblogic-exalogic/ … GlassFish? Java EE 7 scheduled posted http://java.net/projects/javaee-spec/pages/Home … slated for final release on 4/29/2013 OracleSupport_WLS? Updating #EclipseLink in #WebLogic http://pub.vitrue.com/j2wc WebLogic Community Join us for our WebLogicCommunity Webcast tomorrow November 2nd. Ge tan update an all OOW announcements http://weblogiccommunity.wordpress.com/2012/10/31/join-us-for-our-weblogic-communtiy-webcast-on-november-2nd-2012-oow-update-weblogic-exalogic/ … #wlscommunity OTNArchBeat? Oracle ADF Mobile - Login Functionality | @AndrejusB http://pub.vitrue.com/Wqqk WebLogic Community? OpenWorld General Session 2012: Middleware & JavaOne http://wp.me/p1LMIb-oe OracleSupport_WLS? How to use RDA to generate #Weblogic thread dumps at specified Intervals? http://pub.vitrue.com/auuP OracleBlogs? Join us for our WebLogic Communtiy webcast on November 2nd 2012! OOW update WebLogic & ExaLogic http://ow.ly/2sXAel OracleSupport_WLS? Monitoring #Spring in #WebLogic - #Middleware magic blog post http://pub.vitrue.com/OcSq ultan? Oracle Launches Mobile Applications User Experience Design Patterns https://blogs.oracle.com/userassistance/entry/oracle_launches_mobile_applications_user … @odtug @adf_emg @tapadoo #xcake #android WebLogic Community? Managing EclipseLink using JMX http://wp.me/p1LMIb-oh WebLogic Community? WebLogic Partner Community Newsletter October 2012 http://wp.me/p1LMIb-n5 Simon Haslam? #ukoug Oracle Scene mag: "Getting to Know Oracle Fusion Middleware" into by @wlscommunity & myself http://viewer.zmags.com/publication/81b2adef#/81b2adef/30 … Andrejus Baranovskis LOV Validation and Programmatic Row Insert Performance http://fb.me/167ehvEBL Andrejus Baranovskis? ADF Project Development Time Distribution http://fb.me/zMijgiKF Edwin Biemond? Using JSON-REST in ADF Mobile: In the current version of ADF Mobile the ADF DataControls ( URL and WS ) only sup... http://bit.ly/Rdr9IX WebLogic Community Oracle Enterprise Manager Cloud Control 12c: Best Practices for Middleware Management http://wp.me/p1LMIb-mA WebLogic Community? Tuxedo 12c http://wp.me/p1LMIb-my Lucas Jellema? Online and free: ADF Advanced eCourses from Oracle - http://download.oracle.com/tutorials/jtcd3/ecourse_adf_part1/html/temp_frameset/index.htm … and http://download.oracle.com/tutorials/jtcd3/ecourse_adf_part2/html/temp_frameset/index.htm … Lucas Jellema? Finally Luc can tell all his stories on ADF Mobile - he is Mr ADF Mobile after all. On the AMIS Blog: http://technology.amis.nl/2012/10/22/adf-mobile-is-now-generally-available/ … with more coming! Gerkmann-Bartels [blog] ADF Mobile Samples are still there... http://maybe-interesting.blogspot.de/ Markus Eisele Do you know the #Oracle #Parcel #Service? A #weblogic #JavaEE6 example app on #github! http://bit.ly/XNVnqS by @jeffreyawest ! Contribute! WebLogic Community? Distribute the WebLogic Community newsletter October editoin - read it! or register for #wlscommunity http://www.oracle.com/partners/goto/wls-emea … #opn #oracle OracleBlogs? Getting Started with ADF Mobile Sample Apps http://ow.ly/2sOJOi Pieter Kranenburg? Oracle Forms Modernization? Checkout: http://forms.qafe.com for retainment of investment, knowledge and being future proof #OracleForms Markus Eisele [blog] Review: "Java EE 6 Cookbook for Securing, Tuning, and Extending Enterprise... http://dlvr.it/2MWGCq #packtpub #javaee #review Gertjan van het Hof ADF Mobile HTML5 is available. https://blogs.oracle.com/fusionmiddleware/ … Adam Bien? My (Adam Bien) JavaOne Session Videos and Resources: CON3896 - Interactive Onstage Java EE Overengineering, Mond... http://bit.ly/XNpSNm Torsten Winterberg? #ADF Mobile is GA now on OTN: http://www.oracle.com/technetwork/developer-tools/adf/overview/adf-mobile-096323.html … Finally! Oracle WebLogic? New Blog Post: Instructions on how to configure a WebLogic Cluster and use it with Oracle Http Server http://ow.ly/2sOdPJ luc bors? #Oracle #ADF Mobile is production Download the extension here http://bit.ly/TChziZ WebLogic Community? Move Data into the Grid for Scalable, Predictable Response Times http://wp.me/p1LMIb-mw Andrejus Baranovskis? Why Oracle ADF Developers are Sensitive People http://fb.me/209osORtC Lucas Jellema? Article by Edwin Biemond on the AMIS blog on Configuring FMW Servers using Puppet - http://technology.amis.nl/2012/10/13/configure-fmw-servers-with-puppet/ … - integration of WebLogic in Puppet Oracle UsableApps Must Read: New Oracle Applications UX White Paper: Research and Design Process: http://www.oracle.com/webfolder/ux/applications/Fusion/whitePapers.html … @oracle #usableapps Sten Vesterli? You know ADF Security is missing from the free ADF Essentials? Check out a solution by @andrejusb: http://andrejusb.blogspot.com/2012/10/adf-essentials-security-implementation.html … Oracle WebLogic Monitoring #Spring in #WebLogic - #Middleware magic blog post http://pub.vitrue.com/uT69 WebLogic Community Java Cloud Service for developers http://wp.me/p1LMIb-mu Gerkmann-Bartels #MUST read 4 #WLS Admins: How to Analyze Java Thread WebLogic Community? top tweets WebLogic Partner Community &ndash; October 2012 http://wp.me/p1LMIb-ob Andrejus Baranovskis? ADF Mobile - Login Functionality http://fb.me/2gxwZV9jc WebLogic Community? “@MaciejGruszka: Another #WebLogic bootcamp for #Oracle partners. Right now - Copenhagen Denmark” THANKs trainings at https://blogs.oracle.com/emeapartnerweblogic/ … Dumps http://zite.to/RKyx2x OracleBlogs? top tweets WebLogic Partner Community October 2012 http://ow.ly/2sXuAn eclipsecon? Today is the Call for Papers early bird deadline. Submit a session now! http://eclipsecon.org/2013/early-talk-selection … WebLogic Community? Join us for our WebLogic Communtiy webcast on November 2nd 2012! OOW update WebLogic & ExaLogic http://wp.me/p1LMIb-oA WebLogic Partner Community For regular information become a member in the WebLogic Partner Community please visit: http://www.oracle.com/partners/goto/wls-emea ( OPN account required). If you need support with your account please contact the Oracle Partner Business Center. Blog Twitter LinkedIn Mix Forum Wiki Technorati Tags: twitter,WebLogic,WebLogic Community,Oracle,OPN,Jürgen Kress

    Read the article

  • First steps with Oracle ADF Mobile for iOS and Android

    - by Bruno.Borges
    Oracle announced recently its new Mobile development platform, called Oracle ADF Mobile. With it, you can build truly Java applications, deploy and run real Java code on both Android and iOS with its self-contained Java runtime. It also comes with PhoneGap. which allows you to use any feature your phone offers, like sensors and camera. It's probably the most complete solution for mobile development out there, simply because with Oracle ADF Mobile, you can write Native, Hybrid or Web applications for your smartphone and tablet. Do you want to take a quick look on what can be done with it? Check out this video!  Now, to start with Oracle ADF Mobile, here are the first steps you will have to go through. Download Oracle JDeveloperGo to this link and download the install file for your environment (Windows, Linux-32bit or Generic) Install JDeveloper (of course)If you need help on this, look at the documentation (if you've downloaded 11gR2, click here) Download Oracle ADF Mobile BundleThis is the download page for Oracle ADF Mobile. Accept the license as usual at the top, and follow with the Download button. It will take you to another page, where you will see a table containing a download link. Click on it and it will start downloading a ZIP file. Start JDeveloperStart Oracle JDev. It may self update. Restart the IDE if you are asked to. Go to Help > Check for updates Click Next and make sure you are at the "Source" tab Select "Install From Local File" Select the Oracle ADF Mobile ZIP you downloaded on step 3 Finish the process   Now you have JDeveloper with Oracle ADF Mobile sucessfully installed! There are two great tutorials to start coding with ADF Mobile. Just choose your platform! Android Tutorial iOS Tutorial And have fun! :-) 

    Read the article

  • [GEEK SCHOOL] Network Security 8: Keep Your System Updated for Security and Stability

    - by Ciprian Rusen
    Another important step in securing any computer or device is setting up automated updates. Your device’s security relies on your operating system, apps, plug-ins, and programs always being up to date. For example, using outdated Internet browsers and plug-ins like Adobe Flash, Java, or Silverlight represents a big security problem. There are many websites on the Internet that exploit security bugs in your browser or the plug-ins you have installed.Click Here to Continue Reading

    Read the article

  • Oracle ADF Mobile

    - by rituchhibber
    We are happy to announce that Oracle ADF Mobile is now available for our customers.Oracle ADF Mobile enables developer to build applications that install and run on both iOS and Android devices from one source code.Development is done with JDeveloper and ADF and leverages Java and HTML5 technologies, while keeping the same visual and declarative approach ADF is known for.Please Click here to read more about the Oracle ADF Mobile release and learn more on our OTN Page. Feature Highlights: Java - Oracle brings a Java VM embedded with each application so you can develop all your business logic in the platform neutral language you know and love! (Yes, even iOS!) JDBC - Since we give you Java, we also provide JDBC along with a SQLite driver and engine that also supports encryption out of the box. Multi-Platform - Truly develop your application only once and deploy to multiple platforms. iOS and Android platforms are supported for both phone and tablet. Flexible - You can decide how to implement the UI: Use existing server-based UI framework like JSF. Use your own favorite HTML5 framework like JQuery. Use our declarative HTML5 component set provided with the framework. Device Feature Access - You can get access to device features from either Java or JavaScript to invoke features like camera, GPS, email, SMS, contacts, etc. Secure - ADF Mobile provides integrated security that works with your server back-end as well. Whether you’re using remote URLs, local HTML or AMX, you can secure any/all of your features with a single consistent login page. Since we also give you SQLite encryption, we are assured that your data is safe. Rapid - Using the same development techniques that ADF developers are already used to, you can quickly create mobile applications without ever learning another language!ADF Mobile XML or AMX for short, provides all the normal input and layout controls you expect and we also add charts/maps/gauges along with it to provide a very comprehensive UI controls. You can also mix and match any of the three for ultimate flexibility!

    Read the article

  • Deploying Oracle ADF Essentials Applications to Glassfish

    - by Shay Shmeltzer
    With the new Oracle ADF Essentials offering you can now deploy applications that leverage Oracle ADF on the open source Glassfish 3.1 server. Deployment is documented in the official JDeveloper and ADF documentation (here) but below is a summary of the steps and a video of the steps you'll need to take to get a basic Oracle ADF Essentials application to work on GlassFish. Note - to make starting/stopping GlassFish easier for my demo I used my GlassFish extension that you can get here. First we'll install some ADF Runtime libraries on GlassFish Download and install Glassfish (Note - if you also have an Oracle DB on the same machine, you'll want to switch GlassFish's HTTP port to something else instead of 8080). Download the Oracle ADF Essentials packaging - this will get you an adf_essentials.zip file. Copy the adf_essentials.zip to the lib directory of your Glassfish domain - on a default windows install this would be: C:\glassfish3\glassfish\domains\domain1\lib Go the the above lib directory and issue a unzip -j adf_essentials.zip This will extract the ADF libraries to the directory. Now you can start the Glassfish server. Now let's configure Glassfish to handle applications of the ADF type: Invoke the admin console of glassfish (http://localhost:4848) and log into your admin account. Go to Configurations->Server-config->JVM Settings and choose the JVM Options tab Add the following entries: -XX:MaxPermSize=512m (note this entry should already exist so just make sure it has a big enough value) -Doracle.mds.cache=simple While we are in the admin console, we can also define JDBC connections that will be used by our application. Go into Resources->JDBC->JDBC Connection Pools and click to create a New one Give it a name and choose the resource type to be javax.sql.XADataSource and choose Oracle as the Database Driver vendor. Click Next Scroll down to the Additional Properties section and start filling in the information for your database. The values for an Oracle XE will be (user=hr, databaseName = XE, Password=hr, ServerName=localhost, DriverType=thin, PortNumber=1521) Click Finish Click Ping to check your connection works. Now define a new JDBC Resource that will use the pool you just defined. In my example I called the resource jdbc/HRDS You will need this name to match the name in your Application Module connection configuraiton.Now you can re-start the Glassfish server for the changes to take effect. Get an ADF application going (you can use the regular Fusion Application template for this) Go into the project properties of your viewController project, under the deployment section click to edit the deployment profile that is defined there. Go to Platform and choose Glassfish 3.1 from the drop down list. Click ok to go back to your project. Go to Application -> Application Properties-> Deployment Go to Platform and choose Glassfish 3.1 from the drop down list. Click ok to go back to your project. This step will make sure that JDeveloper will autoamtically add the necessary ADF libraries to the EAR file that is being generated for deployment on Glassfish  Go to your Application->Deploy and deploy either to an EAR file or directly to a Glassfish server connection that you created. Things should just work, but if they don't then look up the server.log in the log directory and check out what error is in there. Here is a video demo of the various steps: Note - right now the deployment of an ADF application takes about 2 minutes on my machine we are hoping to be able to improve this timing in the future. People who are more familiar with Glassfish might want to explore using exploded directory deployment and see if they can get it to work.

    Read the article

  • Anyone have BlazeDS working with WebLogic Security (j_security_check) ??

    - by Brian
    I'm working on a Flex implementation (currently using SDK 3.5) on WebLogic 10.3 (11G.) We originally used Glassfish v2.1.1 with zero issues (there was an active directory group lookup bug but it did not hinder our progress.) Since transitioning to WebLogic we have an issue where the flexsession is invalidated after logging in using j_security_check: [BlazeDS]Unexpected error encountered in Message Broker servlet flex.messaging.LocalizedException: The FlexSession is invalid. at flex.messaging.FlexSession.checkValid(FlexSession.java:943) at flex.messaging.FlexSession.getUserPrincipal(FlexSession.java:254) at flex.messaging.HttpFlexSession.getUserPrincipal(HttpFlexSession.java:286) at flex.messaging.MessageBrokerServlet.service(MessageBrokerServlet.java:296) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3594) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201) at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) I've tried almost every option in services-config.xml: [security [login-command class="flex.messaging.security.WeblogicLoginCommand" server="Weblogic"/> [!-- Uncomment the correct app server [login-command class="flex.messaging.security.TomcatLoginCommand" server="JBoss"> [login-command class="flex.messaging.security.JRunLoginCommand" server="JRun"/> [login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/> [login-command class="flex.messaging.security.WebSphereLoginCommand" server="WebSphere"/> --> [/security> I've even completely removed this section with no luck. The login functions correctly from a non-BlazeDS perspective. It authenticates the user correctly. Without authentication, BlazeDS works fine (no errors for any remote calls.) Together its a big ball of fail (invalid flexsession every time.) Has anyone got this working? Any tips?

    Read the article

  • Applied Security for Oracle Business Intelligence Podcast

    - by Tim Dexter
    Listen to BI Security Meister, Bryan Wise talk about his recent book Applied Oracle Security and learn about the cutting edge techniques for Oracle Business Intelligence from a leading security expert. http://www.oracle.com/podcasts/author-podcasts.html - Applied Security for Oracle Business Intelligence Well worth the listen and of course the book is available at all discerning bookstores!

    Read the article

  • Oracle Security Inside Out Newsletter – June Edition

    - by Troy Kitch
    This month’s Information In Depth Newsletter, Security Inside Out Edition is now available. In this edition we look at the Gartner Security and Risk Management Summit 2011, discuss safeguarding data from threats with Oracle Database Vault, and reveal the latest database security webcasts, videos, training, events and more. If you don’t have a subscription to this bi-monthly security information update, you can sign up here at the bottom of the page.

    Read the article

  • Taking the fear out of a Cloud initiative through the use of security tools

    - by user736511
    Typical employees, constituents, and business owners  interact with online services at a level where their knowledge of back-end systems is low, and most of the times, there is no interest in knowing the systems' architecture.  Most application administrators, while partially responsible for these systems' upkeep, have very low interactions with them, at least at an operational, platform level.  Of greatest interest to these groups is the consistent, reliable, and manageable operation of the interfaces with which they communicate.  Introducing the "Cloud" topic in any evolving architecture automatically raises the concerns for data and identity security simply because of the perception that when owning the silicon, enterprises are not able to manage its content.  But is this really true?   In the majority of traditional architectures, data and applications that access it are physically distant from the organization that owns it.  It may reside in a shared data center, or a geographically convenient location that spans large organizations' connectivity capabilities.  In the end, very often, the model of a "traditional" architecture is fairly close to the "new" Cloud architecture.  Most notable difference is that by nature, a Cloud setup uses security as a core function, and not as a necessary add-on. Therefore, following best practices, one can say that data can be safer in the Cloud than in traditional, stove-piped environments where data access is segmented and difficult to audit. The caveat is, of course, what "best practices" consist of, and here is where Oracle's security tools are perfectly suited for the task.  Since Oracle's model is to support very large organizations, it is fundamentally concerned about distributed applications, databases etc and their security, and the related Identity Management Products, or DB Security options reflect that concept.  In the end, consumers of applications and their data are to be served more safely in a controlled Cloud environment, while realizing the many cost savings associated with it. Having very fast resources to serve them (such as the Exa* platform) makes the concept even more attractive.  Finally, if a Cloud strategy does not seem feasible, consider the pros and cons of a traditional vs. a Cloud architecture.  Using the exact same criteria and business goals/traditions, and with Oracle's technology, you might be hard pressed to justify maintaining the technical status quo on security alone. For additional information please visit Oracle's Cloud Security page at: http://www.oracle.com/us/technologies/cloud/cloud-security-428855.html

    Read the article

  • Internet Explorer Security: How to Configure Settings

    Before jumping into the steps that are needed to configure Internet Explorer's security settings, let us first take a closer look at the four separate security zones that Microsoft has established for the browser. You will be able to tweak the settings of each of these four zones when we get into the configuration part of this tutorial, so it is best that you learn what they represent first. Internet Explorer Security Zones Internet Zone This Internet Explorer security zone refers to websites that are not on your computer or are not designated to your local intranet, which we will discuss in ...

    Read the article

  • Spring Security Configuration Leads to Perpetual Authentication Request

    - by Sammy
    Hello, I have configured my web application with the following config file: <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" /> <!-- Filter chain; this is referred to from the web.xml file. Each filter is defined and configured as a bean later on. --> <!-- Note: anonumousProcessingFilter removed. --> <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy"> <security:filter-chain-map path-type="ant"> <security:filter-chain pattern="/**" filters="securityContextPersistenceFilter, basicAuthenticationFilter, exceptionTranslationFilter, filterSecurityInterceptor" /> </security:filter-chain-map> </bean> <!-- This filter is responsible for session management, or rather the lack thereof. --> <bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"> <property name="securityContextRepository"> <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"> <property name="allowSessionCreation" value="false" /> </bean> </property> </bean> <!-- Basic authentication filter. --> <bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationEntryPoint" ref="authenticationEntryPoint" /> </bean> <!-- Basic authentication entry point. --> <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint"> <property name="realmName" value="Ayudo Web Service" /> </bean> <!-- An anonymous authentication filter, which is chained after the normal authentication mechanisms and automatically adds an AnonymousAuthenticationToken to the SecurityContextHolder if there is no existing Authentication held there. --> <!-- <bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousProcessingFilter"> <property name="key" value="ayudo" /> <property name="userAttribute" value="anonymousUser, ROLE_ANONYMOUS" /> </bean> --> <!-- Authentication manager that chains our main authentication provider and anonymous authentication provider. --> <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager"> <property name="providers"> <list> <ref local="daoAuthenticationProvider" /> <ref local="inMemoryAuthenticationProvider" /> <!-- <ref local="anonymousAuthenticationProvider" /> --> </list> </property> </bean> <!-- Main authentication provider; in this case, memory implementation. --> <bean id="inMemoryAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="propertiesUserDetails" /> </bean> <security:user-service id="propertiesUserDetails" properties="classpath:operators.properties" /> <!-- Main authentication provider. --> <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="userDetailsService" /> </bean> <!-- An anonymous authentication provider which is chained into the ProviderManager so that AnonymousAuthenticationTokens are accepted. --> <!-- <bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider"> <property name="key" value="ayudo" /> </bean> --> <bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> <property name="dataSource" ref="dataSource" /> </bean> <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter"> <property name="authenticationEntryPoint" ref="authenticationEntryPoint" /> <property name="accessDeniedHandler"> <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl" /> </property> </bean> <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> <property name="securityMetadataSource"> <security:filter-security-metadata-source use-expressions="true"> <security:intercept-url pattern="/*.html" access="permitAll" /> <security:intercept-url pattern="/version" access="permitAll" /> <security:intercept-url pattern="/users/activate" access="permitAll" /> <security:intercept-url pattern="/**" access="isAuthenticated()" /> </security:filter-security-metadata-source> </property> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager" ref="accessDecisionManager" /> </bean> <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> <property name="decisionVoters"> <list> <bean class="org.springframework.security.access.vote.RoleVoter" /> <bean class="org.springframework.security.web.access.expression.WebExpressionVoter" /> </list> </property> </bean> As soon as I run my application on tomcat, I get a request for username/password basic authentication dialog. Even when I try to access: localhost:8080/myapp/version, which is explicitly set to permitAll, I get the authentication request dialog. Help! Thank, Sammy

    Read the article

  • top tweets WebLogic Partner Community – June 2012

    - by JuergenKress
    Send your tweets @wlscommunity #WebLogicCommunity and follow us at http://twitter.com/wlscommunity OTNArchBeat? Free Virtual Developer Day: Oracle ADF and Oracle Fusion Middleware Development http://bit.ly/MxuNAg AMIS, Oracle & Java? Checklist veearts nu ook op iPad. @amis_services Mobile integratie met Oracle Fusion Middleware http://dld.bz/buwsM #OSB #SOA WhitehorsesWhiteblog: Troubleshoot JVM crashes of Weblogic: CompilerThread (http://bit.ly/KcGzZK) Jon petter hjulstad E-vita is now Apps Grid Specialized! ODTUG Fusion Middleware Sessions RT @OTNArchBeat: ODTUG Kscope12 - June 24-28 - San Antonio, TX http://bit.ly/LlWkNV OTNArchBeat? Free Event: Modern #Java Development, in/outside the Enterprise - May 30 - Redwood Shores, CA http://bit.ly/LfB79a ADF Community DE? Oracle Advanced ADF 11g Partner Workshop Düsseldorf /Germany (english) June 26-29, click here to see Nicolas Lorain? Best Practices for #JavaFX 2 Enterprise Applications (Part Two) http://buff.ly/Lk1DBn by Jim Weaver shay shmeltzer? #Oracle Developers in #Israel - don't miss the free #ADF workshop July 2nd - get hands-on with Oracle ADF -here OTNArchBeat? Java at JAXconf | Tori Wieldt http://bit.ly/LdoLS2 Anand Akela? #Oracle Customers and Partners – Get your free pass to @CloudExpo in New York, June 11 to 14, http://goo.gl/RpYFT <- Stop by booth #511 OracleSupport_WLS? Did you know that since 3/15/12 #WebLogic Server 12.1.1.0 is certified for production with JDK 7? http://bit.ly/IYJE0L Sharat? Highly useful #JavaFX best practices blog by @JavaFXpert More details here ADF EMG How to set up a productive ADF Dev Env - discussion started by @baigsorcl. Click here to Read and comment. OracleSupport_WLS Upcoming #webcast: Diagnosing #weblogic performance issues through #java thread dumps http://bit.ly/M4O9qF My Oracle Support? New to Oracle Support? - Webcast on Support Basics webcast May 22 10:30 Central Europe. Register @ http://bit.ly/J8o0WG Mohamad Afshar? Cloud Expo – Oracle Customers and Partners – get your free pass to Cloud Expo in New York, June 11 to 14, http://goo.gl/RpYFT OTNArchBeat Oracle VM 3.1 is here | @Ronenkofman http://bit.ly/JriWTq Oracle Exalogic? RT @D0uglasPhillips: ExalogicTV New Video Introducing Oracle Secure Global Desktop for #Exalogic!! http://bit.ly/nwkrCu OracleBlogs? Java EE6 and WebLogic YouTube video channels http://ow.ly/1jVcYJ Oracle WebLogic RT @aleftik: Excited to spend some time today playing around with the WebSockets SDK http://bit.ly/NoTtri WebLogic Community Java EE6 and WebLogic YouTube video channels http://wp.me/p1LMIb-h0 OracleSupport_WLS New tutorial! How to use the #JMS #API to create a message producer with #GlassFish and #NetBeans http://bit.ly/Juqjn JDeveloper & ADF? Tip when installing JDeveloper 11.1.2.2.0 version http://dlvr.it/1b48s1 WebLogic Community Middleware Oracle Excellence Awards 2012 – HAPPY NEW YEAR! Click here to read WebLogicCommunity #opn #oracle#Specialization #opnaward Steven Davelaar? Improve performance of your ADF app using lazy, on-demand querying of detail view objects: Click here OracleBlogs? Middleware Oracle Excellence Awards 2012 & HAPPY NEW YEAR! http://ow.ly/1kahzZ OracleSupport_WLS Upgrading from #weblogic 9.2.x to 10.3.x? http://bit.ly/Kqzl9N AMIS, Oracle & Java “@JDeveloper: Logout from an ADF application http://dlvr.it/1fQBnm” WebLogic Community UK OUG call for papers–your middleware success! Click here #UKOUG #soacommunity #OPN Whitehorses Whiteblog: Enterprise Manager: Manage your Fusion Middleware logfiles (http://bit.ly/KQlZkR) WebLogic Community? @Jphjulstad HI Jon, should we send Pizza when you go in production with your WebLogic 12c project? Whish you success! #WebLogicCommunity Sabine Leitner ADF Einsteigerworkshops je 2 Tage im Juni in HAM, BLN, HANN #Oracle #WLS http://bit.ly/LcOIzB @OracleWebLogic @OracleAppGrid@soacommunity Andreas Koop new post Java Heap Monitor in JDeveloper http://bit.ly/LgSk85 Sabine Leitner? #Oracle Kundentag mit Vorträgen von Sparkasse, Schufa, LBBW, Allianz über FMW & Exa Lösungen! 21.06. FRA http://bit.ly/JtwE3v @wlscommunity NetBeans Team RT @chadlung: Installing and configuring #NetBeans 7.1.2 and the #Java JDK 1.7 on OS X: http://www.giantflyingsaucer.com/blog/p=3760 #osx WebLogic Community Happy New Year #WeblogicCommunity thanks for the business! Time for a drink http://pic.twitter.com/K34KFbvH WebLogic Community UK OUG call for papers&ndash;your middleware success! http://wp.me/p1LMIb-gU WebLogic Community? Middleware Oracle Excellence Awards 2012 - HAPPY NEW YEAR! http://wp.me/p1LMIb-h6 Oracle WebLogic? RT @wlscommunity: WebLogic World Record Two Processor Result with SPECjEnterprise2010 Benchmark Click here to read #weblogic #sunfire #li Marc? Relocate wlst script for all the logfiles in your domain @wlscommunity, http://tinyurl.com/btbjcco WebLogic Community WebLogic World Record Two Processor Result with SPECjEnterprise2010 Benchmark Click here #WebLogicCommunity #weblogic #sunfire Oracle WebLogic MIss a WebLogic Devcast webinar? Catch any of the replays in the series on-demand! #WebLogic #JavaEE #coherence http://bit.ly/LNGa4p JDeveloper & ADF? Bean DataControl - Edit table records http://dlvr.it/1ZWqCx Justin Kestelyn? Contents of "Virtual Developer Day: Java SE 7 and JavaFX 2.0" are now avail on demand; no reg http://tinyurl.com/78nxnyo Frank Nimphius? Preparing 12c new features for DOAG 2012 Development - June 14th in Bonn (http://development.doag.org) WebLogic Community? Middleware Oracle Excellence Awards 2012&ndash;HAPPY NEW YEAR! http://wp.me/p1LMIb-he JDeveloper & ADF Placeholder Watermarks with ADF 11.1.2 http://dlvr.it/1ZWDc9 Oracle ACE Program? May edition #ACE newsletter now available online. http://bit.ly/LKA2de chriscmuir New blog post: Which JDeveloper is right for me? http://bit.ly/J8sj9e GlassFish? Transactional Interceptors in Java EE 7 - Request for feedback: Linda described how EJB's container-managed tr http://bit.ly/KKuGNJ OracleEnterpriseMgr Oracle Application Testing Suite 12.1 Debuts at StarEast 2012 http://ow.ly/aXcv8 #em12c JAX London First set of speaker session announced for #JAXLondon see: http://bit.ly/L0HSME OTNArchBeat? Oracle Cloud Conference: dates and locations worldwide http://bit.ly/JgNeID NetBeans Team? Video: Create and debug a TestNG test class in #NetBeans IDE: http://ow.ly/b7NEW NetBeans Team #NetBeans tip: Code Template for #Kohana #PHP Framework: http://ow.ly/aWIvY Robin? Started to use the #Oracle #WebLogic Server #Maven Plugin. Really awesome to install a complete #WLS with "mvn wls:install" !@wlscommunity OTNArchBeat? Free Event: Modern #Java Development, in/outside the Enterprise - May 30 - Redwood Shores, CA http://bit.ly/JIN9tf OracleBlogs WebLogic Partner Community Newsletter May 2012 http://ow.ly/1k5TeG Java Certification? Java SE 7 Fundamentals course now available On Demand. Watch a preview now: http://ow.ly/aWYgD Whitehorses Whiteblog: Native IO in WebLogic on Solaris 11 X64 (http://bit.ly/KGM4mp) NetBeans Team? Quick video of FindBugs Integration in #NetBeans IDE 7.2: http://ow.ly/aNece NetBeans Team #JavaFX Scene Builder Docs Updated for 2.2 and #NetBeans 7.2 dev builds: http://ow.ly/b7Nie Duncan Mills? New blog posting on implementing input field watermarks with ADF Faces 11.1.2 Click here #adf WebLogic Community? WebLogic Partner Community Newsletter May 2012 http://wp.me/p1LMIb-h4 OracleBlogs? UK OUG call for papersyour middleware success! http://ow.ly/1jNs49 Nicolas Lorain? Java tip: Deploying #JavaFX apps to multiple environments - JavaWorld http://buff.ly/KDADvu Adam Bien? Java EE and How to Specify The Unconventional With Convention Over Configuration [Free Article]: The free http://bit.ly/JEUkUf Owen Hughes and team?#Oracle #Exalogic #Performance: What? How? Why? Click here GlassFish? SecuritEE in the Cloud: Java EE 7 and the Cloud theme continue to move full steam ahead. In a PaaS environment http://bit.ly/K2RPte JDeveloper & ADF? How to Align Managed Bean Scope and Bean Data Control in Oracle ADF http://dlvr.it/1dngxQ Andrejus Baranovskis Missing New Feature in JDev (11.1.2.2.0) - ADF Methods Security http://fb.me/1jQM1enls OracleSupport_WLS? Tutorial on managing #HTTP Sessions in a #Weblogic #Cluster http://bit.ly/JshESe Oracle WebLogic? ZeroTurnaround developer report: #Spring keeps getting heavier, and #Java EE keeps getting lighter http://bit.ly/JDmKy2 JDeveloper & ADF? How to Search in Views - Part 4 || Oracle ADF http://dlvr.it/1dpDjZ WebLogic Community Java Message Service with Java and Spring Framework on Oracle WebLogic; Webcast May 15th 2012 http://wp.me/p1LMIb-gS Andreas Koop? new post ADF Bug or Feature? Non-Breaking Space outside required icon style http://bit.ly/KDZnUo Oracle WebLogic? Don't miss this month's WebLogic DevCast: WebLogic JMS and Spring JMS http://bit.ly/J6g2ST Tuesday May 15th 10:00am PT JDeveloper & ADF How To Disable SELECT COUNT Execution for ADF Table Rendering http://dlvr.it/1dqKH6 OracleSupport_WLS? #SSL and security has its own Information Center, http://bit.ly/LP8Vil for troubleshooting, install, config and more NetBeans Team? Featured #NetBeans plugin is @Codename_One for creating native apps for major mobile platforms: http://plugins.netbeans.org/ JDeveloper & ADF? Using JDeveloper HTTP Analyser to intercept/forward requests http://dlvr.it/1Yzl4J Nicolas Lorain? Create native looks for JavaFX applications: JavaFX-CSS-Themes · http://buff.ly/M0jel0 by Gregg Setzer Devoxx? Want to make the world a better place? Then get involved in Random Hacks of Kindness on June 2 - 3 in Belgium @ http://www.rhok.be #RHoK WebLogic Community top tweets WebLogic Partner Community – May 2012 Click here #WebLogicCommunity Michel Schildmeijer Oracle Traffic Director 11g http://lnkd.in/-mm3Vy Andrejus Baranovskis? Proactively Monitoring JDeveloper 11g IDE Heap Memory http://fb.me/16YZErPrx Arun Gupta? 80+ attendees building a #javaee6 application using NetBeans/WebLogic at Java Day, Istanbul fun times! http://pic.twitter.com/odY19daW A. Chatziantoniou? Just registered for the Oracle FMW Summer Camp in Lisbon. Looking forward to learn, meet friends and try to buy ice cream on the beach OTNArchBeat Another Myth Debunked: 200 Continuous Redeployments with WebLogic|@munz http://bit.ly/JiPyM7 Oracle WebLogic? Need to learn more on #WebLogic Server #JVM performance tuning? http://bit.ly/MN UxHx GlassFish? Dukes Choice Awards 2012 Nominations Are Open: 2012 Duke's Choice Award are open for nominations. These awards http://bit.ly/Ksk4U3 Justin Kestelyn? Major cloud-related announcements from Larry Ellison and Mark Hurd on June 6 http://bit.ly/KTJiII Nicolas Lorain Transparent Windows (Stage) with #JavaFX 2 : Adam Bien's Weblog http://j.mp/INgq8K WebLogic Community Web Services with JAX and Spring on WebLogic–Webcast May 30th 2012 #WebLogicCommunity #weblogic #opn JDeveloper & ADF Oracle ADF - How to work with Dates http://dlvr.it/1Y70zw OracleBlogs Web Services with JAX and Spring on WebLogicWebcast May 30th 2012 http://ow.ly/1k2WtO Adam Bien? Summer Java EE Workshops: 23.05, Amsterdam Airport Java EE Hacking, Without Airport. The dutch version of Airport http://bit.ly/JeP6hV JDeveloper & ADF ADF 11g: BC4J or EJB3. http://bit.ly/JVVFZF ADF EMG? Great discussion with JSF guru Andy Schwartz on the forum - 38 posts! Check it out: here Devoxx? Oracle (http://www.oracle.com ) joins Devoxx 2012 as the first Premium partner, welcome aboard! Nicolas Lorain Developing a Simple Todo Application using #JavaFX, #Java and #MongoDB- Part-1JavaBeat http://j.mp/IDGxLA Nicolas Lorain Preview of JavaFX 2.2 canvas feature > Harmonic Code: Death bitmaps could be beautiful... Part I http://buff.ly/KyAXg5 #JavaFX OTNArchBeat?? New York Coherence Special Interest Group (NYCSIG) - May 24 - NYC http://bit.ly/JzJcbT WebLogic Community iAS upgrade to WebLogic watch #C2B2 online seminar http://youtu.be/5m2CNUjBIGQ #WebLogicCommunity Ruth Collett? Join Oracle in #Joburg on May 21 for OTN Developer Day - sessions on #Java #JavaEE 6/7 and much more! http://bit.ly/IENwnD WebLogic Community? Sending out invitations to our advanced Fusion Middleware Summer Camps! Want to learn more register for the community Ruth Collett? Join @ArunGupta in Istanbul this Monday to hear the latest on #JavaEE 6/7 http://bit.ly/Je63cc GlassFish? NetBeans 7.2 Beta - Built for Speed, Deploy Apps to Oracle Cloud: NetBeans 7.2 Beta is now available. The http://bit.ly/LxMMTK Lucas Jellema My latest SlideShare upload : Java ain't scary - introducing Java to PL/SQ. here via @slideshare JDeveloper & ADF? #Developer #free#ADF training in #Scotland - June 13. More information: http://bit.ly/LbPLlf AMIS, Oracle & Java? AMIS behaalt als eerste in Nedeland de Oracle ADF specialisatie - Channelworld nieuwsChannelconnect: http://bit.ly/JzAcB4 WebLogic Community Web Services with JAX and Spring on WebLogic&ndash;Webcast May 30th 2012 http://wp.me/p1LMIb-gX Nicolas Lorain?@ JavaFX-based SimpleDateFormat Demonstrator http://j.mp/KFCVOi #JavaFX via Dustin Marx Oracle Exalogic? Are you an Oracle partner? There's news on the Oracle Partner Network about #Exalogic specializations - http://bit.ly/Mt3ANY JDeveloper & ADF Shorter URL for your ADF application http://dlvr.it/1XqNLY OTNArchBeat? Bay Area Coherence Special Interest Group (BACSIG) Meeting June 7 http://bit.ly/JAa0Lx OTNArchBeat? Java EE 6 Sample Application on WebLogic 12c: Conference Planner | @arungupta http://bit.ly/LPvof4 JDeveloper & ADF? Excellent example of Oracle ADF - Google Maps/Earth integration http://dlvr.it/1cbc80 JDeveloper & ADF Setting Up JDeveloper's Embedded WLS for MySQL http://dlvr.it/1c4b8P JDeveloper & ADF? Solution for Sharing Global User Data in ADF BC http://dlvr.it/1cc7SJ Java? Java Magazine May/June #javaee #javafx #javame #openJDK #hotspot #wicket #lotsmore http://ow.ly/aX07v Oracle WebLogic? http://bit.ly/JxQsnS if you have trouble finding the right #patchset when doing an upgrade to your #weblogic server OracleEnterpriseMgr 15 minutes to go before we start our Application Testing Suite 12.1 webcast. http://bit.ly/JHyTEe Learn from the lead PM what's new. #em12c Sten Vesterli Eating your own dog food - Oracle support site finally in ADF: http://lnkd.in/s6hg_p Adam Bien Project: "Jenever" (=poison) checked-in with GIT:here CU at http://workshops.adam-bien.com. Thanks for attending! OTNArchBeat Web Service Development with NetBeans and Testing with WebLogic Admin Console | @munz http://bit.ly/JcWk34 Please feel free to send us your news! And add your blog to our SOA blog wiki

    Read the article

  • What is New in ASP.NET 4.0 Code Access Security

    - by Xiaohong
    ASP.NET Code Access Security (CAS) is a feature that helps protect server applications on hosting multiple Web sites, ASP.NET lets you assign a configurable trust level that corresponds to a predefined set of permissions. ASP.NET has predefined ASP.NET Trust Levels and Policy Files that you can assign to applications, you also can assign custom trust level and policy files. Most web hosting companies run ASP.NET applications in Medium Trust to prevent that one website affect or harm another site etc. As .NET Framework's Code Access Security model has evolved, ASP.NET 4.0 Code Access Security also has introduced several changes and improvements. The main change in ASP.NET 4.0 CAS In ASP.NET v4.0 partial trust applications, application domain can have a default partial trust permission set as opposed to being full-trust, the permission set name is defined in the <trust /> new attribute permissionSetName that is used to initialize the application domain . By default, the PermissionSetName attribute value is "ASP.Net" which is the name of the permission set you can find in all predefined partial trust configuration files. <trust level="Something" permissionSetName="ASP.Net" /> This is ASP.NET 4.0 new CAS model. For compatibility ASP.NET 4.0 also support legacy CAS model where application domain still has full trust permission set. You can specify new legacyCasModel attribute on the <trust /> element to indicate whether the legacy CAS model is enabled. By default legacyCasModel is false which means that new 4.0 CAS model is the default. <trust level="Something" legacyCasModel="true|false" /> In .Net FX 4.0 Config directory, there are two set of predefined partial trust config files for each new CAS model and legacy CAS model, trust config files with name legacy.XYZ.config are for legacy CAS model: New CAS model: Legacy CAS model: web_hightrust.config legacy.web_hightrust.config web_mediumtrust.config legacy.web_mediumtrust.config web_lowtrust.config legacy.web_lowtrust.config web_minimaltrust.config legacy.web_minimaltrust.config   The figure below shows in ASP.NET 4.0 new CAS model what permission set to grant to code for partial trust application using predefined partial trust levels and policy files:    There also some benefits that comes with the new CAS model: You can lock down a machine by making all managed code no-execute by default (e.g. setting the MyComputer zone to have no managed execution code permissions), it should still be possible to configure ASP.NET web applications to run as either full-trust or partial trust. UNC share doesn’t require full trust with CASPOL at machine-level CAS policy. Side effect that comes with the new CAS model: processRequestInApplicationTrust attribute is deprecated  in new CAS model since application domain always has partial trust permission set in new CAS model.   In ASP.NET 4.0 legacy CAS model or ASP.NET 2.0 CAS model, even though you assign partial trust level to a application but the application domain still has full trust permission set. The figure below shows in ASP.NET 4.0 legacy CAS model (or ASP.NET 2.0 CAS model) what permission set to grant to code for partial trust application using predefined partial trust levels and policy files:     What $AppDirUrl$, $CodeGen$, $Gac$ represents: $AppDirUrl$ The application's virtual root directory. This allows permissions to be applied to code that is located in the application's bin directory. For example, if a virtual directory is mapped to C:\YourWebApp, then $AppDirUrl$ would equate to C:\YourWebApp. $CodeGen$ The directory that contains dynamically generated assemblies (for example, the result of .aspx page compiles). This can be configured on a per application basis and defaults to %windir%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files. $CodeGen$ allows permissions to be applied to dynamically generated assemblies. $Gac$ Any assembly that is installed in the computer's global assembly cache (GAC). This allows permissions to be granted to strong named assemblies loaded from the GAC by the Web application.   The new customization of CAS Policy in ASP.NET 4.0 new CAS model 1. Define which named permission set in partial trust configuration files By default the permission set that will be assigned at application domain initialization time is the named "ASP.Net" permission set found in all predefined partial trust configuration files. However ASP.NET 4.0 allows you set PermissionSetName attribute to define which named permission set in a partial trust configuration file should be the one used to initialize an application domain. Example: add "ASP.Net_2" named permission set in partial trust configuration file: <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net_2"> <IPermission class="FileIOPermission" version="1" Read="$AppDir$" PathDiscovery="$AppDir$" /> <IPermission class="ReflectionPermission" version="1" Flags ="RestrictedMemberAccess" /> <IPermission class="SecurityPermission " version="1" Flags ="Execution, ControlThread, ControlPrincipal, RemotingConfiguration" /></PermissionSet> Then you can use "ASP.Net_2" named permission set for the application domain permission set: <trust level="Something" legacyCasModel="false" permissionSetName="ASP.Net_2" /> 2. Define a custom set of Full Trust Assemblies for an application By using the new fullTrustAssemblies element to configure a set of Full Trust Assemblies for an application, you can modify set of partial trust assemblies to full trust at the machine, site or application level. The configuration definition is shown below: <fullTrustAssemblies> <add assemblyName="MyAssembly" version="1.1.2.3" publicKey="hex_char_representation_of_key_blob" /></fullTrustAssemblies> 3. Define <CodeGroup /> policy in partial trust configuration files ASP.NET 4.0 new CAS model will retain the ability for developers to optionally define <CodeGroup />with membership conditions and assigned permission sets. The specific restriction in ASP.NET 4.0 new CAS model though will be that the results of evaluating custom policies can only result in one of two outcomes: either an assembly is granted full trust, or an assembly is granted the partial trust permission set currently associated with the running application domain. It will not be possible to use custom policies to create additional custom partial trust permission sets. When parsing the partial trust configuration file: Any assemblies that match to code groups associated with "PermissionSet='FullTrust'" will run at full trust. Any assemblies that match to code groups associated with "PermissionSet='Nothing'" will result in a PolicyError being thrown from the CLR. This is acceptable since it provides administrators with a way to do a blanket-deny of managed code followed by selectively defining policy in a <CodeGroup /> that re-adds assemblies that would be allowed to run. Any assemblies that match to code groups associated with other permissions sets will be interpreted to mean the assembly should run at the permission set of the appdomain. This means that even though syntactically a developer could define additional "flavors" of partial trust in an ASP.NET partial trust configuration file, those "flavors" will always be ignored. Example: defines full trust in <CodeGroup /> for my strong named assemblies in partial trust config files: <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing"> <IMembershipCondition    class="AllMembershipCondition"    version="1" /> <CodeGroup    class="UnionCodeGroup"    version="1"    PermissionSetName="FullTrust"    Name="My_Strong_Name"    Description="This code group grants code signed full trust. "> <IMembershipCondition      class="StrongNameMembershipCondition" version="1"       PublicKeyBlob="hex_char_representation_of_key_blob" /> </CodeGroup> <CodeGroup   class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">   <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*" /> </CodeGroup> <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">   <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$CodeGen$/*"   /> </CodeGroup></CodeGroup>   4. Customize CAS policy at runtime in ASP.NET 4.0 new CAS model ASP.NET 4.0 new CAS model allows to customize CAS policy at runtime by using custom HostSecurityPolicyResolver that overrides the ASP.NET code access security policy. Example: use custom host security policy resolver to resolve partial trust web application bin folder MyTrustedAssembly.dll to full trust at runtime: You can create a custom host security policy resolver and compile it to assembly MyCustomResolver.dll with strong name enabled and deploy in GAC: public class MyCustomResolver : HostSecurityPolicyResolver{ public override HostSecurityPolicyResults ResolvePolicy(Evidence evidence) { IEnumerator hostEvidence = evidence.GetHostEnumerator(); while (hostEvidence.MoveNext()) { object hostEvidenceObject = hostEvidence.Current; if (hostEvidenceObject is System.Security.Policy.Url) { string assemblyName = hostEvidenceObject.ToString(); if (assemblyName.Contains(“MyTrustedAssembly.dll”) return HostSecurityPolicyResult.FullTrust; } } //default fall-through return HostSecurityPolicyResult.DefaultPolicy; }} Because ASP.NET accesses the custom HostSecurityPolicyResolver during application domain initialization, and a custom policy resolver requires full trust, you also can add a custom policy resolver in <fullTrustAssemblies /> , or deploy in the GAC. You also need configure a custom HostSecurityPolicyResolver instance by adding the HostSecurityPolicyResolverType attribute in the <trust /> element: <trust level="Something" legacyCasModel="false" hostSecurityPolicyResolverType="MyCustomResolver, MyCustomResolver" permissionSetName="ASP.Net" />   Note: If an assembly policy define in <CodeGroup/> and also in hostSecurityPolicyResolverType, hostSecurityPolicyResolverType will win. If an assembly added in <fullTrustAssemblies/> then the assembly has full trust no matter what policy in <CodeGroup/> or in hostSecurityPolicyResolverType.   Other changes in ASP.NET 4.0 CAS Use the new transparency model introduced in .Net Framework 4.0 Change in dynamically compiled code generated assemblies by ASP.NET: In new CAS model they will be marked as security transparent level2 to use Framework 4.0 security transparent rule that means partial trust code is treated as completely Transparent and it is more strict enforcement. In legacy CAS model they will be marked as security transparent level1 to use Framework 2.0 security transparent rule for compatibility. Most of ASP.NET products runtime assemblies are also changed to be marked as security transparent level2 to switch to SecurityTransparent code by default unless SecurityCritical or SecuritySafeCritical attribute specified. You also can look at Security Changes in the .NET Framework 4 for more information about these security attributes. Support conditional APTCA If an assembly is marked with the Conditional APTCA attribute to allow partially trusted callers, and if you want to make the assembly both visible and accessible to partial-trust code in your web application, you must add a reference to the assembly in the partialTrustVisibleAssemblies section: <partialTrustVisibleAssemblies> <add assemblyName="MyAssembly" publicKey="hex_char_representation_of_key_blob" />/partialTrustVisibleAssemblies>   Most of ASP.NET products runtime assemblies are also changed to be marked as conditional APTCA to prevent use of ASP.NET APIs in partial trust environments such as Winforms or WPF UI controls hosted in Internet Explorer.   Differences between ASP.NET new CAS model and legacy CAS model: Here list some differences between ASP.NET new CAS model and legacy CAS model ASP.NET 4.0 legacy CAS model  : Asp.net partial trust appdomains have full trust permission Multiple different permission sets in a single appdomain are allowed in ASP.NET partial trust configuration files Code groups Machine CAS policy is honored processRequestInApplicationTrust attribute is still honored    New configuration setting for legacy model: <trust level="Something" legacyCASModel="true" ></trust><partialTrustVisibleAssemblies> <add assemblyName="MyAssembly" publicKey="hex_char_representation_of_key_blob" /></partialTrustVisibleAssemblies>   ASP.NET 4.0 new CAS model: ASP.NET will now run in homogeneous application domains. Only full trust or the app-domain's partial trust grant set, are allowable permission sets. It is no longer possible to define arbitrary permission sets that get assigned to different assemblies. If an application currently depends on fine-tuning the partial trust permission set using the ASP.NET partial trust configuration file, this will no longer be possible. processRequestInApplicationTrust attribute is deprecated Dynamically compiled assemblies output by ASP.NET build providers will be updated to explicitly mark assemblies as transparent. ASP.NET partial trust grant sets will be independent from any enterprise, machine, or user CAS policy levels. A simplified model for locking down web servers that only allows trusted managed web applications to run. Machine policy used to always grant full-trust to managed code (based on membership conditions) can instead be configured using the new ASP.NET 4.0 full-trust assembly configuration section. The full-trust assembly configuration section requires explicitly listing each assembly as opposed to using membership conditions. Alternatively, the membership condition(s) used in machine policy can instead be re-defined in a <CodeGroup /> within ASP.NET's partial trust configuration file to grant full-trust.   New configuration setting for new model: <trust level="Something" legacyCASModel="false" permissionSetName="ASP.Net" hostSecurityPolicyResolverType=".NET type string" ></trust><fullTrustAssemblies> <add assemblyName=”MyAssembly” version=”1.0.0.0” publicKey="hex_char_representation_of_key_blob" /></fullTrustAssemblies><partialTrustVisibleAssemblies> <add assemblyName="MyAssembly" publicKey="hex_char_representation_of_key_blob" /></partialTrustVisibleAssemblies>     Hope this post is helpful to better understand the ASP.Net 4.0 CAS. Xiaohong Tang ASP.NET QA Team

    Read the article

  • Does the "security" repository provides anything not found in the "updates" repository?

    - by netvope
    For the limited number of package I looked at (e.g. apache), I found that the package version in the updates repository is always newer than or equal to the version available in the security repository (provided that they exist). This gives me the impression that all security patches posted to the security repository are also posted to the updates repository. If this is true, I can remove all <release_name>-security entries in my apt sources.list and the <release_name>-updates entries will still give me the security patches. This will speed up apt-get update quite a bit. The best documentation I can found regarding the repositories is on the community help page "Important Security Updates (raring-security)". Patches for security vulnerabilities in Ubuntu packages. They are managed by the Ubuntu Security Team and are designed to change the behavior of the package as little as possible -- in fact, the minimum required to resolve the security problem. As a result, they tend to be very low-risk to apply and all users are urged to apply security updates. "Recommended Updates (raring-updates)". Updates for serious bugs in Ubuntu packaging that do not affect the security of the system. However, it does not mention whether the updates repository also includes everything in the security repository. Can anyone confirm (or disconfirm) this?

    Read the article

  • WCF WS-Security and WSE Nonce Authentication

    - by Rick Strahl
    WCF makes it fairly easy to access WS-* Web Services, except when you run into a service format that it doesn't support. Even then WCF provides a huge amount of flexibility to make the service clients work, however finding the proper interfaces to make that happen is not easy to discover and for the most part undocumented unless you're lucky enough to run into a blog, forum or StackOverflow post on the matter. This is definitely true for the Password Nonce as part of the WS-Security/WSE protocol, which is not natively supported in WCF. Specifically I had a need to create a WCF message on the client that includes a WS-Security header that looks like this from their spec document:<soapenv:Header> <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:UsernameToken wsu:Id="UsernameToken-8" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsse:Username>TeStUsErNaMe1</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" >TeStPaSsWoRd1</wsse:Password> <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" >f8nUe3YupTU5ISdCy3X9Gg==</wsse:Nonce> <wsu:Created>2011-05-04T19:01:40.981Z</wsu:Created> </wsse:UsernameToken> </wsse:Security> </soapenv:Header> Specifically, the Nonce and Created keys are what WCF doesn't create or have a built in formatting for. Why is there a nonce? My first thought here was WTF? The username and password are there in clear text, what does the Nonce accomplish? The Nonce and created keys are are part of WSE Security specification and are meant to allow the server to detect and prevent replay attacks. The hashed nonce should be unique per request which the server can store and check for before running another request thus ensuring that a request is not replayed with exactly the same values. Basic ServiceUtl Import - not much Luck The first thing I did when I imported this service with a service reference was to simply import it as a Service Reference. The Add Service Reference import automatically detects that WS-Security is required and appropariately adds the WS-Security to the basicHttpBinding in the config file:<?xml version="1.0" encoding="utf-8" ?> <configuration> <system.serviceModel> <bindings> <basicHttpBinding> <binding name="RealTimeOnlineSoapBinding"> <security mode="Transport" /> </binding> <binding name="RealTimeOnlineSoapBinding1" /> </basicHttpBinding> </bindings> <client> <endpoint address="https://notarealurl.com:443/services/RealTimeOnline" binding="basicHttpBinding" bindingConfiguration="RealTimeOnlineSoapBinding" contract="RealTimeOnline.RealTimeOnline" name="RealTimeOnline" /> </client> </system.serviceModel> </configuration> If if I run this as is using code like this:var client = new RealTimeOnlineClient(); client.ClientCredentials.UserName.UserName = "TheUsername"; client.ClientCredentials.UserName.Password = "ThePassword"; … I get nothing in terms of WS-Security headers. The request is sent, but the the binding expects transport level security to be applied, rather than message level security. To fix this so that a WS-Security message header is sent the security mode can be changed to: <security mode="TransportWithMessageCredential" /> Now if I re-run I at least get a WS-Security header which looks like this:<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <s:Header> <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <u:Timestamp u:Id="_0"> <u:Created>2012-11-24T02:55:18.011Z</u:Created> <u:Expires>2012-11-24T03:00:18.011Z</u:Expires> </u:Timestamp> <o:UsernameToken u:Id="uuid-18c215d4-1106-40a5-8dd1-c81fdddf19d3-1"> <o:Username>TheUserName</o:Username> <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" >ThePassword</o:Password> </o:UsernameToken> </o:Security> </s:Header> Closer! Now the WS-Security header is there along with a timestamp field (which might not be accepted by some WS-Security expecting services), but there's no Nonce or created timestamp as required by my original service. Using a CustomBinding instead My next try was to go with a CustomBinding instead of basicHttpBinding as it allows a bit more control over the protocol and transport configurations for the binding. Specifically I can explicitly specify the message protocol(s) used. Using configuration file settings here's what the config file looks like:<?xml version="1.0"?> <configuration> <system.serviceModel> <bindings> <customBinding> <binding name="CustomSoapBinding"> <security includeTimestamp="false" authenticationMode="UserNameOverTransport" defaultAlgorithmSuite="Basic256" requireDerivedKeys="false" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"> </security> <textMessageEncoding messageVersion="Soap11"></textMessageEncoding> <httpsTransport maxReceivedMessageSize="2000000000"/> </binding> </customBinding> </bindings> <client> <endpoint address="https://notrealurl.com:443/services/RealTimeOnline" binding="customBinding" bindingConfiguration="CustomSoapBinding" contract="RealTimeOnline.RealTimeOnline" name="RealTimeOnline" /> </client> </system.serviceModel> <startup> <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/> </startup> </configuration> This ends up creating a cleaner header that's missing the timestamp field which can cause some services problems. The WS-Security header output generated with the above looks like this:<s:Header> <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <o:UsernameToken u:Id="uuid-291622ca-4c11-460f-9886-ac1c78813b24-1"> <o:Username>TheUsername</o:Username> <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" >ThePassword</o:Password> </o:UsernameToken> </o:Security> </s:Header> This is closer as it includes only the username and password. The key here is the protocol for WS-Security:messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" which explicitly specifies the protocol version. There are several variants of this specification but none of them seem to support the nonce unfortunately. This protocol does allow for optional omission of the Nonce and created timestamp provided (which effectively makes those keys optional). With some services I tried that requested a Nonce just using this protocol actually worked where the default basicHttpBinding failed to connect, so this is a possible solution for access to some services. Unfortunately for my target service that was not an option. The nonce has to be there. Creating Custom ClientCredentials As it turns out WCF doesn't have support for the Digest Nonce as part of WS-Security, and so as far as I can tell there's no way to do it just with configuration settings. I did a bunch of research on this trying to find workarounds for this, and I did find a couple of entries on StackOverflow as well as on the MSDN forums. However, none of these are particularily clear and I ended up using bits and pieces of several of them to arrive at a working solution in the end. http://stackoverflow.com/questions/896901/wcf-adding-nonce-to-usernametoken http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/4df3354f-0627-42d9-b5fb-6e880b60f8ee The latter forum message is the more useful of the two (the last message on the thread in particular) and it has most of the information required to make this work. But it took some experimentation for me to get this right so I'll recount the process here maybe a bit more comprehensively. In order for this to work a number of classes have to be overridden: ClientCredentials ClientCredentialsSecurityTokenManager WSSecurityTokenizer The idea is that we need to create a custom ClientCredential class to hold the custom properties so they can be set from the UI or via configuration settings. The TokenManager and Tokenizer are mainly required to allow the custom credentials class to flow through the WCF pipeline and eventually provide custom serialization. Here are the three classes required and their full implementations:public class CustomCredentials : ClientCredentials { public CustomCredentials() { } protected CustomCredentials(CustomCredentials cc) : base(cc) { } public override System.IdentityModel.Selectors.SecurityTokenManager CreateSecurityTokenManager() { return new CustomSecurityTokenManager(this); } protected override ClientCredentials CloneCore() { return new CustomCredentials(this); } } public class CustomSecurityTokenManager : ClientCredentialsSecurityTokenManager { public CustomSecurityTokenManager(CustomCredentials cred) : base(cred) { } public override System.IdentityModel.Selectors.SecurityTokenSerializer CreateSecurityTokenSerializer(System.IdentityModel.Selectors.SecurityTokenVersion version) { return new CustomTokenSerializer(System.ServiceModel.Security.SecurityVersion.WSSecurity11); } } public class CustomTokenSerializer : WSSecurityTokenSerializer { public CustomTokenSerializer(SecurityVersion sv) : base(sv) { } protected override void WriteTokenCore(System.Xml.XmlWriter writer, System.IdentityModel.Tokens.SecurityToken token) { UserNameSecurityToken userToken = token as UserNameSecurityToken; string tokennamespace = "o"; DateTime created = DateTime.Now; string createdStr = created.ToString("yyyy-MM-ddThh:mm:ss.fffZ"); // unique Nonce value - encode with SHA-1 for 'randomness' // in theory the nonce could just be the GUID by itself string phrase = Guid.NewGuid().ToString(); var nonce = GetSHA1String(phrase); // in this case password is plain text // for digest mode password needs to be encoded as: // PasswordAsDigest = Base64(SHA-1(Nonce + Created + Password)) // and profile needs to change to //string password = GetSHA1String(nonce + createdStr + userToken.Password); string password = userToken.Password; writer.WriteRaw(string.Format( "<{0}:UsernameToken u:Id=\"" + token.Id + "\" xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" + "<{0}:Username>" + userToken.UserName + "</{0}:Username>" + "<{0}:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">" + password + "</{0}:Password>" + "<{0}:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">" + nonce + "</{0}:Nonce>" + "<u:Created>" + createdStr + "</u:Created></{0}:UsernameToken>", tokennamespace)); } protected string GetSHA1String(string phrase) { SHA1CryptoServiceProvider sha1Hasher = new SHA1CryptoServiceProvider(); byte[] hashedDataBytes = sha1Hasher.ComputeHash(Encoding.UTF8.GetBytes(phrase)); return Convert.ToBase64String(hashedDataBytes); } } Realistically only the CustomTokenSerializer has any significant code in. The code there deals with actually serializing the custom credentials using low level XML semantics by writing output into an XML writer. I can't take credit for this code - most of the code comes from the MSDN forum post mentioned earlier - I made a few adjustments to simplify the nonce generation and also added some notes to allow for PasswordDigest generation. Per spec the nonce is nothing more than a unique value that's supposed to be 'random'. I'm thinking that this value can be any string that's unique and a GUID on its own probably would have sufficed. Comments on other posts that GUIDs can be potentially guessed are highly exaggerated to say the least IMHO. To satisfy even that aspect though I added the SHA1 encryption and binary decoding to give a more random value that would be impossible to 'guess'. The original example from the forum post used another level of encoding and decoding to string in between - but that really didn't accomplish anything but extra overhead. The header output generated from this looks like this:<s:Header> <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <o:UsernameToken u:Id="uuid-f43d8b0d-0ebb-482e-998d-f544401a3c91-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <o:Username>TheUsername</o:Username> <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ThePassword</o:Password> <o:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" >PjVE24TC6HtdAnsf3U9c5WMsECY=</o:Nonce> <u:Created>2012-11-23T07:10:04.670Z</u:Created> </o:UsernameToken> </o:Security> </s:Header> which is exactly as it should be. Password Digest? In my case the password is passed in plain text over an SSL connection, so there's no digest required so I was done with the code above. Since I don't have a service handy that requires a password digest,  I had no way of testing the code for the digest implementation, but here is how this is likely to work. If you need to pass a digest encoded password things are a little bit trickier. The password type namespace needs to change to: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#Digest and then the password value needs to be encoded. The format for password digest encoding is this: Base64(SHA-1(Nonce + Created + Password)) and it can be handled in the code above with this code (that's commented in the snippet above): string password = GetSHA1String(nonce + createdStr + userToken.Password); The entire WriteTokenCore method for digest code looks like this:protected override void WriteTokenCore(System.Xml.XmlWriter writer, System.IdentityModel.Tokens.SecurityToken token) { UserNameSecurityToken userToken = token as UserNameSecurityToken; string tokennamespace = "o"; DateTime created = DateTime.Now; string createdStr = created.ToString("yyyy-MM-ddThh:mm:ss.fffZ"); // unique Nonce value - encode with SHA-1 for 'randomness' // in theory the nonce could just be the GUID by itself string phrase = Guid.NewGuid().ToString(); var nonce = GetSHA1String(phrase); string password = GetSHA1String(nonce + createdStr + userToken.Password); writer.WriteRaw(string.Format( "<{0}:UsernameToken u:Id=\"" + token.Id + "\" xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" + "<{0}:Username>" + userToken.UserName + "</{0}:Username>" + "<{0}:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#Digest\">" + password + "</{0}:Password>" + "<{0}:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">" + nonce + "</{0}:Nonce>" + "<u:Created>" + createdStr + "</u:Created></{0}:UsernameToken>", tokennamespace)); } I had no service to connect to to try out Digest auth - if you end up needing it and get it to work please drop a comment… How to use the custom Credentials The easiest way to use the custom credentials is to create the client in code. Here's a factory method I use to create an instance of my service client:  public static RealTimeOnlineClient CreateRealTimeOnlineProxy(string url, string username, string password) { if (string.IsNullOrEmpty(url)) url = "https://notrealurl.com:443/cows/services/RealTimeOnline"; CustomBinding binding = new CustomBinding(); var security = TransportSecurityBindingElement.CreateUserNameOverTransportBindingElement(); security.IncludeTimestamp = false; security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256; security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; var encoding = new TextMessageEncodingBindingElement(); encoding.MessageVersion = MessageVersion.Soap11; var transport = new HttpsTransportBindingElement(); transport.MaxReceivedMessageSize = 20000000; // 20 megs binding.Elements.Add(security); binding.Elements.Add(encoding); binding.Elements.Add(transport); RealTimeOnlineClient client = new RealTimeOnlineClient(binding, new EndpointAddress(url)); // to use full client credential with Nonce uncomment this code: // it looks like this might not be required - the service seems to work without it client.ChannelFactory.Endpoint.Behaviors.Remove<System.ServiceModel.Description.ClientCredentials>(); client.ChannelFactory.Endpoint.Behaviors.Add(new CustomCredentials()); client.ClientCredentials.UserName.UserName = username; client.ClientCredentials.UserName.Password = password; return client; } This returns a service client that's ready to call other service methods. The key item in this code is the ChannelFactory endpoint behavior modification that that first removes the original ClientCredentials and then adds the new one. The ClientCredentials property on the client is read only and this is the way it has to be added.   Summary It's a bummer that WCF doesn't suport WSE Security authentication with nonce values out of the box. From reading the comments in posts/articles while I was trying to find a solution, I found that this feature was omitted by design as this protocol is considered unsecure. While I agree that plain text passwords are rarely a good idea even if they go over secured SSL connection as WSE Security does, there are unfortunately quite a few services (mosly Java services I suspect) that use this protocol. I've run into this twice now and trying to find a solution online I can see that this is not an isolated problem - many others seem to have struggled with this. It seems there are about a dozen questions about this on StackOverflow all with varying incomplete answers. Hopefully this post provides a little more coherent content in one place. Again I marvel at WCF and its breadth of support for protocol features it has in a single tool. And even when it can't handle something there are ways to get it working via extensibility. But at the same time I marvel at how freaking difficult it is to arrive at these solutions. I mean there's no way I could have ever figured this out on my own. It takes somebody working on the WCF team or at least being very, very intricately involved in the innards of WCF to figure out the interconnection of the various objects to do this from scratch. Luckily this is an older problem that has been discussed extensively online and I was able to cobble together a solution from the online content. I'm glad it worked out that way, but it feels dirty and incomplete in that there's a whole learning path that was omitted to get here… Man am I glad I'm not dealing with SOAP services much anymore. REST service security - even when using some sort of federation is a piece of cake by comparison :-) I'm sure once standards bodies gets involved we'll be right back in security standard hell…© Rick Strahl, West Wind Technologies, 2005-2012Posted in WCF  Web Services   Tweet !function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs"); (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = 'https://apis.google.com/js/plusone.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })();

    Read the article

  • Do you develop with security in mind?

    - by MattyD
    I was listening to a podcast on Security Now and they mentioned about how a lot of the of the security problems found in Flash were because when flash was first developed it wasdn't built with security in mind because it didn't need to thus flash has major security flaws in its design etc. I know best practices state that you should build secure first etc. Some people or companies don't always follow 'best practice'... My question is do you develop to be secure or do you build with all the desired functionality etc then alter the code to be secure (Whatever the project maybe) (I realise that this question could be a possible duplicate of Do you actively think about security when coding? but it is different in the fact of actually process of building the software/application and design of said software/application)

    Read the article

  • ODTUG is Looking for your ADF Feedback

    - by Shay Shmeltzer
    While we at Oracle are busy planning next month's Oracle OpenWorld - which should have one of the busiest schedule ever for ADF developers - another conference is also looking to know what you would like to learn about Oracle ADF. ODTUG is well on their way planning the upcoming KScope 13 conference - and they would like to better understand the needs of developers who are already working with ADF or of developers who are about to embark on their ADF road. They have put up a new short survey to collect your thoughts here. And while we are talking about KScrope it is worth mentioning that one easy way to get a free pass to that conference is to get accepted as a speaker and their call for papers is now open. Check it out and submit your ADF abstracts. And one last point about ODTUG - they just added several web seminars about ADF to their upcoming schedule of free online seminars - check it out and register now - membership is not required for attending the seminars.

    Read the article

  • Even More New ADF Bloggers

    - by Shay Shmeltzer
    A couple of weeks back I posted an entry about new ADF related blogs that I found out about. Well as they say "when it rain it pours"  - and over the past few days I came across several other new bloggers that cover ADF. So here are a few others that you might want to add to your ADF blog aggregator: http://adfplus.blogspot.com - Paco van der Lindenhttps://blogs.oracle.com/aramamoo/ - Arunhttp://e20labs.org - Chad Thompsonhttp://oracleadfhowto.blogspot.com/ - Vinay Agarwalhttp://javaosdev.blogspot.com - Donovan Sherriffs https://blogs.oracle.com/prajkumar - Phil Wanghttp://oracle-itself.tumblr.com - Wael Abdeenhttps://blogs.oracle.com/adfthoughts - Raphael Rodriguehttp://adfwithejb.blogspot.com - Prateek Kumar shaw And here are a few more that are not just about ADF but do have the occasional ADF related entry:http://yonaweb.be - Yannick Ongenahttp://blog.whitehorses.nl - whitehorseshttps://blogs.oracle.com/imc - ISV Migration Center Team and the usual reminder here: To keep track of all things new in the ADF blog world follow the JDeveloper twitter or like JDeveloper on facebook to get notified of the latest entries we find for you around the world.

    Read the article

  • Oracle ADF Mobile is Now Available!

    - by Michelle Kimihira
    We are happy to announce availability of Oracle ADF Mobile, part of Oracle ADF (Application Development Framework). Oracle ADF is an HTML5 & Java-based framework that enables developers to build and deploy to iOS and Android devices from one application code base. By using open standards like HTML5 for a cross-platform consistent interface and Java for the application logic, companies can readily leverage existing skill and resources to develop mobile applications for iOS and Android.  There’s no need to learn a new platform specific programming language for each device.  With Oracle ADF Mobile -  you simply write once, deploy to many! Read the press release here.     On Wednesday, we will be featuring a blog on developing mobile applications and exploring the different options: Web, Native, or Hybrid. Additional Information Blog: ADF Blog Product Information on OTN: ADF Mobile Product Information on Oracle.com: Oracle Fusion Middleware Follow us on Twitter and Facebook Subscribe to our regular Fusion Middleware Newsletter

    Read the article

  • Announcing the ADF Architecture Square at OOW12

    - by Chris Muir
    The ADF product management team are happy to announce at Oracle Open World the publication of the ADF Architecture Square: Over the last number of years Oracle has recognized that many customers have matured their ADF skills and are now looking for information on advanced concepts beyond the how-do-I-get-this-poplist-to-work type questions.  In order to satisfy this demand we've devised the ADF Architecture Square where papers, presentations and demos will consider such broad software engineering concepts as ADF architecture, development and testing, building and deployment, and infrastructure.   If you have a look at the site right now it's a rather modest affair, but we hope to continue to expand the content to give further guidance and information to help shortcut your ADF project needs.  Either watch the website or follow our dedicated @adfarchsquare twitter feed.

    Read the article

  • Java Spotlight Episode 106: Java Security Update @spoofzu

    - by Roger Brinkley
    Java security update with Bruce Lowenthal and Milton Smith. Right-click or Control-click to download this MP3 file. You can also subscribe to the Java Spotlight Podcast Feed to get the latest podcast automatically. If you use iTunes you can open iTunes and subscribe with this link:  Java Spotlight Podcast in iTunes. Show Notes News Apple's Java Mac OS X 2012-006 Update NightHacking Tour Across Europe Four New Java Champions Oracle Announces Availability of Oracle Solaris 11.1 and Oracle Solaris Cluster 4.1 Oracle Announces General Availability of Oracle Application Development Framework Mobile Bean Validation 1.1 Early Draft JSR 107 Early Draft JCP Elections - Meet the Candidates GlassFish switching to JDK-7 only build Events Oct 30-Nov 1, Arm TechCon, Santa Clara, United States of America Oct 31, JFall, Hart van Holland, Netherlands Nov 2-3, JMaghreb, Rabat, Morocco Nov 5-9, Øredev Developer Conference, Malmö, Sweden Nov 13-17, Devoxx, Antwerp, Belgium Nov 20-22, DOAG 2012, Nuremberg, Germany Dec 3-5, jDays, Göteborg, Sweden Dec 4-6, JavaOne Latin America, Sao Paolo, Brazil Dec 14-15, IndicThreads, Pune, India Feature InterviewMilton Smith leads the security program for Java products at Oracle. His responsibilities span from tactical to strategic: definition and communication of the security vision for Java, working with engineering teams and researchers, as well as industry at large. He has over 20+ years of industry experience with emphasis in programming and computer security. Milton previous employer was Yahoo where he lead security for the User Data Analytics(UDA) property.Bruce Lowenthal is the Senior Director of Security Alerts at Oracle Corporation. What’s Cool Andrew Haley on an OpenJDK ARM64 Port Joe Darcy - JDK bug migration: bugs.sun.com now backed by JIRA Marcus Hirt on Using the Mission Control DTrace Plug-in

    Read the article

< Previous Page | 3 4 5 6 7 8 9 10 11 12 13 14  | Next Page >