How to call Apache NMS from within a sandbox? - apache

I'm trying to call Apache ActiveMQ NMS Version 1.6.0 from my code ('IntPub') that must run in a sandbox in a .NET 4.0 environment for security reasons. The program that creates the sandbox makes my code 'partially trusted' and therefore 'security-transparent' which seems to mean that it can't create a ConnectionFactory (see error log below) because NMS seems to be 'security-critical'. Here's the code that's causing this error:
var connecturi = new Uri("tcp://my.server.com:61616");
var connectionFactory = new ConnectionFactory(connecturi); // throws MethodAccessException in the sandbox (see log below)
I also tried this instead with similar results:
var connecturi = new Uri("activemq:tcp://my.server.com:61616");
var connectionFactory = NMSConnectionFactory.CreateConnectionFactory(connecturi); // same failure
Since I can't change the security level of my assembly (the sandbox prevents it), is there a way to make NMS run as 'safe-critical' so it can be called by 'security-transparent' code? Would I have to recompile it to do so, or does NMS do some operation that would never be considered 'safe-critical'?
I appreciate any help or suggestions...
Assembly 'IntPub, Version=1.0.0.0, Culture=neutral, PublicKeyToken=6fa620743b8dc60a' is partially trusted, which causes the CLR to make it entirely security transparent regardless of any transparency annotations in the assembly itself. In order to access security critical code, this assembly must be fully trusted. Detail:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
<ErrorCode>-2147220956</ErrorCode>
<ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
<Message>Unexpected exception from plug-in (Execute): Test.Client: System.MethodAccessException: Attempt by security transparent method 'Test.Client.Execute(System.IServiceProvider)' to access security critical method 'Apache.NMS.ActiveMQ.ConnectionFactory..ctor(System.Uri)' failed.

From the error message attributes, it looks like you're running a Dynamics CRM 2011 plugin in sandbox mode, which has some very specific rules about what you can and can't do. In particular, you're only allowed to make network connections via HTTP and HTTPS, so attempting raw TCP sockets will definitely fail.
Take a look at this MSDN page on Plug-in Isolation, Trusts, and Statistics. It looks like there may be a way to relax the network restrictions by modifying a system registry entry to include tcp, etc., in the regex value. Below is an excerpt from the page. Note: I have not done this myself, so I can't say for sure it'll work.
Sandboxed plug-ins and custom workflow activities can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular web resources like social sites, news feeds, web services, and more. The following web access restrictions apply to this sandbox capability.
Only the HTTP and HTTPS protocols are allowed.
Access to localhost (loopback) is not permitted.
IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.
These default web access restrictions are defined in a registry key on the server that is running the Microsoft.Crm.Sandbox.HostService.exe process. The value of the registry key can be changed by the System Administrator according to business and security needs. The registry key path on the server is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM\SandboxWorkerOutboundUriPattern
The key value is a regular expression string that defines the web access restrictions.
The default key value is:
"^http[s]?://(?!((localhost[:/])|([.])|([0-9]+[:/])|(0x[0-9a-f]+[:/])|(((([0-9]+)|(0x[0-9A-F]+)).){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+";
By changing this registry key value, you can change the web access for sandboxed plug-ins.
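Before touching that registry value it helps to see exactly which endpoints the pattern admits. The following is an added example (not from the question, the answer or Microsoft); it evaluates the default SandboxWorkerOutboundUriPattern exactly as quoted above against some constructed URIs, and also tries a hypothetical relaxed variant that admits tcp:// while keeping the localhost and literal-IP blocks in place.

```python
import re

# Default SandboxWorkerOutboundUriPattern as quoted in the excerpt above
# (surrounding quotes and trailing ';' dropped; the regex itself is unchanged).
DEFAULT_PATTERN = (
    r"^http[s]?://(?!((localhost[:/])|([.])|([0-9]+[:/])|(0x[0-9a-f]+[:/])"
    r"|(((([0-9]+)|(0x[0-9A-F]+)).){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+"
)

# Hypothetical relaxed variant (an assumption, not a documented value): only the
# scheme alternation changes, so the negative lookahead that rejects localhost
# and literal IP addresses still applies to tcp:// targets.
RELAXED_PATTERN = DEFAULT_PATTERN.replace("^http[s]?://", "^(http[s]?|tcp)://", 1)


def outbound_allowed(uri: str, pattern: str = DEFAULT_PATTERN) -> bool:
    """True if the sandbox host would let a plug-in open `uri` under `pattern`.

    The pattern is anchored at the start and ends in '.+', so re.match
    behaves like .NET's Regex.IsMatch for this value.
    """
    return re.match(pattern, uri) is not None


def deny_reason(uri: str, pattern: str = DEFAULT_PATTERN):
    """None if allowed, otherwise a short reason for the denial."""
    if outbound_allowed(uri, pattern):
        return None
    # Everything before the lookahead is the scheme check.
    scheme_check = pattern[: pattern.index("(?!")]
    if not re.match(scheme_check, uri):
        return "scheme not permitted"
    return "localhost, loopback or literal IP address"


# Constructed sample endpoints covering the cases the excerpt lists.
SAMPLES = [
    "https://my.server.com/nms-bridge",  # named host: allowed
    "http://localhost:8080/",             # loopback by name: blocked
    "http://192.168.1.10/",               # dotted-quad IP: blocked
    "http://0x7f000001/",                 # hex-encoded IP: blocked
    "http://2130706433/",                 # decimal-encoded IP: blocked
    "tcp://my.server.com:61616",          # raw TCP as in the question: blocked
]

if __name__ == "__main__":
    for name, pat in (("default", DEFAULT_PATTERN), ("relaxed", RELAXED_PATTERN)):
        for uri in SAMPLES:
            print(f"{name:8} {uri:40} {deny_reason(uri, pat) or 'ALLOW'}")
```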

Related

Why can I not access the GUI user page in jUDDI?

After configuring the jUDDI server in Eclipse and creating the environment variable, we get a problem accessing the GUI user and admin pages and the Tomcat interface:
I think you are looking at something like:
message java.lang.IllegalStateException: No output folder
I would check the Tomcat logs, the permissions of the user you are running Tomcat under, and the directory you have installed Tomcat into.
Do not even try to use UDDI these days. People are moving towards semantic web services; UDDI is out of the scene.
WSMO and OWL-S are major initiatives for semantic web services. These solutions can provide more precise results.
Here are a few:
mDNS/Bonjour/Avahi - can be used to share endpoint information for a web service, or anything else using a TXT record
WS-Discovery - supported by CXF and WCF, shares implementation of a specific interface
ebXML - had a component similar to UDDI
visit this link

Read-only web console access in ActiveMQ

I'm using ActiveMQ 5.10 and would like to create a user that has read-only access through the web console.
Red Hat published this article, mentioning that it's not really read-only due to a bug in ActiveMQ.
According to the bug report AMQ-4567, the bug is fixed as of ActiveMQ 5.9. However, I'm not seeing it work appropriately.
I have tried a number of different configurations, with the most recent being two separate JAAS implementations, one for Jetty and one for ActiveMQ. The relevant property files are excerpted below.
I can mostly log in to the web console using the "system" user. But the guest user doesn't work at all. The application user (appuser) doesn't need access to the web console at all.
My authN/authZ needs are pretty trivial: one admin user, one application account, and one read-only monitoring account.
Is there any good way to get this working with a recent version of ActiveMQ (>= 5.9.0)?
groups.properties
admins=system
users=appuser,admin
guests=guest
users.properties
system={password redacted}
appuser=appuser
guest=guest
jetty-realm.properties
system: MD5:46cf1b5451345f5176cd70713e0c9e07,user,admin
guest: guest,guest
As an aside, I used the Jetty tutorial and the Rundeck instructions to figure out the jetty-realm.properties file and chapter 6 of ActiveMQ in Action to work out the ActiveMQ JAAS.
I was finally able to get to what I wanted by deploying the web console to an external Tomcat instance. I assume that when it runs out of process, it can't bypass security and so has to use whatever credentials you provide. In this case, I gave the Tomcat instance the read-only JMX user credentials.
It's not great, as there is no security trimmed UI. You can still attempt to create new destinations, delete destinations, etc. When you try with a read-only user, you get an error. That gets a "D" for UX, but a "B" for security.

Silverlight Security Issue Help - Debugging resource strings are unavailable.

I hosted a Silverlight application on IIS, and it can be accessed in multiple ways.
When I access it using the qualified name of the server, IT WORKS fine:
http://[QUALIFIEDNAME]/WebUAT/App.aspx
When I access it using the IP address like below:
http://[IPADDRESS]/WebUAT/App.aspx
It gives the error below:
[Async_ExceptionOccurred]
Arguments:
Debugging resource strings are unavailable. Often the key and arguments provide sufficient information to diagnose the problem. See http://go.microsoft.com/fwlink/?linkid=106663&Version=5.1.20913.00&File=System.dll&Key=Async_ExceptionOccurred StackTrace : at System.ComponentModel.AsyncCompletedEventArgs.RaiseExceptionIfNecessary()
Follow these steps:
(i) Use Fiddler to find the request that fetches the cross-domain policy XML.
(ii) Check whether it is failing; if so, add the crossdomain and clientaccesspolicy files to the root folder of your application.
(iii) Check whether the service invoked by your application is blocked by a firewall.

Login Failed for domain\computername$: not supposed to use at all

So, I have recently acquired a new project: meaning I cannot answer any design decisions. I'm supposed to put some finishing touches on this app. Before I get with my BA to discuss time estimations I thought it would be prudent to familiarize myself with some code and walk through some breakpoints to give better estimates for the new release.
The problem? I can't run the app.
I get
"An invalid or incomplete configuration was used while creating a SessionFactory. Check PotentialReasons collection, and InnerException for more detail."
Inner exception is {"Login failed for user 'domain\computername$'."}
This app seems to require being hosted on a local IIS to run locally, so I added the Windows feature and enabled Windows security. I confirmed that this is not an intentional part of the design.
<add name="name" connectionString="Data Source=localhost;Initial Catalog=dbName;Integrated Security=SSPI;"/>
Obviously the database I'm pointed at has changed due to the localhost, but it still shouldn't be trying to hit anything with the computer name.
Integrated Security should pick up on your Windows identity (i.e., your user name). Check the application pool of the web app. Under Advanced Settings you can change the identity that the application runs under (normally ApplicationPoolIdentity). Maybe that is set to your computer name. That is the only thing that makes even remote sense.

IPC between windows service and LSP DLL

I'm writing a Winsock LSP (Layered Service Provider) DLL that needs to communicate with a Windows service.
The communication is done using memory-mapped files and events for synchronization. Everything works fine if the application is not running as a service, but if it is, it cannot find any events or file mappings (I get an ERROR_FILE_NOT_FOUND error on OpenEvent).
I suspect this happens because when running as a service, the application runs as the SYSTEM user, and the LSP is loaded by applications that run as a local user.
I think this could be solved by using a proper SECURITY_DESCRIPTOR, but I don't know what it should be set to.
Any ideas on how to make this work?
Thanks,
Depending on the OS, it might be a problem of sessions. If you take another look at the documentation for CreateEvent, CreateMemoryMapping etc., you will notice the GLOBAL\ prefix to the object name. This prefix (along with the SESSION\x\ prefix) defines the visibility scope of the object. GLOBAL-prefixed objects are visible across the whole system, while objects without a prefix in the name are local to a specific session (the current one if the \SESSION prefix is omitted). Sessions appeared in Terminal Services for Windows XP, then made their way into the OS in Windows 2003 Server and later.