I am a newbie, so bear with me. I have a SQL Server database located on a remote server. In Visual Studio 2010, I was able to create an entity data model (which contained user credentials so it designed remote database schema) and a simple WCF service. In localhost, I was able to fetch and retrieve data. But, after I published the ASP.NET project, I noticed that I can't query the same database. Both the database and the application files are now on the same server.
What could be the reason as to why the local environment can query the remote server but the deployed app can't? Do I need to reconfigure the data model or something else?
Check the connectionstring placed in the web.config for the following:
userid and password> Are they filled?
data source> Does this point to the server?
Check the error messages. What message does the WCF service return?
Silverlight crossdomain access file.
Create a new textfile and name it clientaccesspolicy.xml and put it in the root of your webproject.
File content:
(This allowed all and everyone, must be tweaked off course :D)
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
Related
I am trying to run an adobe flex based application outside browser. Application is compiled using 'services-config.xml' file as parameter. In services-config.xml file the channels were configured as
<channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
<endpoint url="http://{server.host}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
<properties>
<add-no-cache-headers>false</add-no-cache-headers>
<polling-enabled>true</polling-enabled>
<polling-interval-millis>0</polling-interval-millis>
<wait-interval-millis>-1</wait-interval-millis>
<max-waiting-poll-requests>0</max-waiting-poll-requests>
</properties>
</channel-definition>
and so on to pick host and port dynamically.
Now I have downloaded adobe_content_debugger.exe which allows me to run .swf file outside browser. However all the requests that are made to server go to http://localhost/contextRoot/messagebroker/amf. The {server.host} is picked up as localhost and {server.port} as empty value. Hence I cannot interact with backend server. How can we overcome this problem ?
Solutions I tried...
1) https://www.adobe.com/devnet/livecycle/articles/externalize_serviceconfig.html
This post asks you programatically create AMFChannel/channelset and add it to RemoteObject.
var channel:AMFChannel = new AMFChannel("my-amf", amfEndpoint);
channelSet.addChannel(channel);
_serviceControl.channelSet = channelSet;
_serviceControl.channelSet.addChannel(channel);
where _serviceControl is the remoteObject. But even after this the request is made to http://localhost/contextRoot/messagebroker/amf. I tried multiple combinations but only in vain. Will programatically creating channelSet make settings comming from services-config file redundant ? services-config file refers other files like 'remoting-config.xml', 'proxy-config.xml', 'messaging-config.xml' which contains information on 'destinations'
Solution 2)
Change services-config.xml as
<channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
<endpoint url="http://example.com/8556/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
<properties>
<add-no-cache-headers>false</add-no-cache-headers>
<polling-enabled>true</polling-enabled>
<polling-interval-millis>0</polling-interval-millis>
<wait-interval-millis>-1</wait-interval-millis>
<max-waiting-poll-requests>0</max-waiting-poll-requests>
</properties>
</channel-definition>
Then just map example.com to server IP in host file. This is a workaround but now the port is hard-coded and cannot be changed. Unless a proxy server is introduced.
Can someone help ?
I would like to hand over a webapplication to some people but these people should not allowed to has access to the database with some tools. Using the webapplicaton and in the background the database is ok.
Wildfly has a config with these code:
<xa-datasource jndi-name="java:jboss/datasources/ExampleXADS" pool-name="ExampleXADS">
<driver>h2</driver>
<xa-datasource-property name="URL">jdbc:h2:mem:test</xa-datasource-property>
<xa-pool>
<min-pool-size>10</min-pool-size>
<max-pool-size>20</max-pool-size>
<prefill>true</prefill>
</xa-pool>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</xa-datasource>
As you can see, there is also the username and password available. How is it possible to exclude / encrypt these, so only the administrator know the password for the database.
The same also for the whole application server - there are also users and password.
How can I do this?
EDIT:
The "customer" will get the whole application inclusive the webserver configuration. (Wilfly and .war - file)
It´s only for saving the software key in the database.
The first time if the "customer" start the web application, he will be prompted so enter the licence key.
After entering the license key a Webservice will be called. The return code is "false" or "true" (is key valid or is key not valid)
My first idea was to store the flag in the database. But if a user has access to the database, he can manipulate this flag on his own.
Is there any other possibility to set a flag for "the software key is valid" instead saving the flag in the database.
Any ideas?
You can use security domain to get over this, there could be some specific changes for Wildfly but for JBoss 7.1.1 here is what you need to do.
Find the location of jboss-logging-3.1.0.GA.jar in your JBoss/Widlfy server. In case of JBoss 7.1.1 it should be something like - modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar
Find the location of picketbox-4.0.7.Final.jar
Check if the picketbox jar has org.picketbox.datasource.security.SecureIdentityLoginModule class.
Run the following command from JBoss server root folder to encrypt your datasource connection password
java -cp modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar;modules\org\picketbox\main\picketbox-4.0.7.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ
Get the output text and in the standalone.xml add following security domain under elements:
<security-domain name="encrypted-ds-WASM2" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="WASM2"/>
<module-option name="password" value="89471a19022f8af"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
</login-module>
</authentication>
</security-domain>
Use this security domain in the datasource element as follows:
<datasource jta="false" jndi-name="java:jboss/jdbc/JNDIDS" pool-name="OFS1" enabled="true" use-ccm="false">
<connection-url>jdbc:oracle:thin:#x.x.x.x:1521:xxxx</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<driver>oracle</driver>
<security>
<security-domain>encrypted-ds-WASM2</security-domain>
</security>
<validation>
<validate-on-match>false</validate-on-match>
<background-validation>false</background-validation>
<background-validation-millis>1</background-validation-millis>
</validation>
<statement>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<share-prepared-statements>false</share-prepared-statements>
</statement>
</datasource>
Reference Link: http://middlewaremagic.com/jboss/?p=1026
It is not possible. If the web application has to be able to decrypt the password to use the database, anyone on the server can do the same.
If you want to restrict access, keep the server under your control and let them access it only through a web front end.
(And even if it was possible to usefully encrypt, if they have server access they can trivially copy the database files onto their workstations, or add new user accounts to the database server).
I cannot connect to SQL Server database.
When I run the aspnet_regsql.exe utility, I get the following error message:
Setup failed.
Exception:
Unable to connect to SQL Server database.
Details of failure
System.Web.HttpException: Unable to connect to SQL Server database. ---> System.Data.SqlClient.SqlException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
Also, I am unable to use the ASP.NET Website Administration Tool. When I click on the Security tab I receive the following error:
There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.
The following message may help in diagnosing the problem: Unable to connect to SQL Server database.
So, I click on the 'Choose Data Store' button as instructed, which allows me to select a a Provider. The provider is named 'AspNetSqlProvider', it has a Test link beside it. I click on Test and receive the following error message:
Could not establish a connection to the database.
If you have not yet created the SQL Server database, exit the Web Site Administration tool, use the aspnet_regsql command-line utility to create and configure the database, and then return to this tool to set the provider.
I have lost overtime for this problem, but i cannot fix it. I hope everybody can help me.
I look forward receive the good answer as soon as possible. Sincerely thanking you very much for your help.
I encounter the same problem in my ASP.NET MVC project as you, when using the ASP.NET Website Administration Tool. The solution is to check and modify your web.config file. I just change the following attributes (add a field):
1) from
<profile>
<providers>...</providers>
to
<profile defaultProvider="DefaultProfileProvider">
<providers>...</providers>
2) from
<membership>
<providers>...</providers>
to
<membership defaultProvider="DefaultMembershipProvider">
<providers>...</providers>
3) from
<roleManager>
<providers>...</providers>
to
<roleManager defaultProvider="DefaultRoleProvider">
<providers>...</providers>
And, be sure to have something like:
<connectionStrings>
<add name="DefaultConnection" providerName="System.Data.SqlClient" connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=aspnet-MvcApplication1-20160111151822;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnet-MvcApplication1-20160111151822.mdf" />
</connectionStrings>
and the "DefaultConnection" has a corresponding field connectionStringName="DefaultConnection" under <profile>,<memebership>and <roleManager> tags, which are modified as stated above.
If you still have problems in your MVC project, just create a new full ASP.NET MVC Web Application template, compare the web.config file with yours, and modify your web.config file.
I have an ASP.NET web application that is trying to read a remote share with the impersonated user. Specifically, I am trying to use the following code to read the directories on the remote share..
DirectoryInfo rootDir = new DirectoryInfo(strPath);
foreach (DirectoryInfo dir in rootDir.EnumerateDirectories())
{
TreeNode folderNode = new TreeNode(dir.Name, dir.FullName);
folderNode.PopulateOnDemand = true;
folderNode.ImageUrl = "~/img/Folder.png";
nodeList.Add(folderNode);
}
When the webpage runs this code, I get the following error message...
Access to the path '\remoteserver\remoteshare\' is denied.
Here is my web.config...
<authentication mode="Windows"/>
<identity impersonate="true" />
<authorization>
<deny users="?"/>
</authorization>
When I log onto the website, I know that impersonation is working because I can do an HttpContext.Current.User.Identity.Name and see my username. I am running this application on a domain under IIS 7.5. I also know that this can't be a Kerberos "double-hop" issue because I can connect to a remote SQL server (from the web server) and pass the Windows Authenticated credentials through just fine and return results from a query.
I am using Process Monitor on the web server to figure out which credentials are being passed over to the remote share. When I look at the capture where the ACCESS DENIED is showing, it gives me this description...
Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: DOMAIN\username
Where DOMAIN\username is my impersonated username from the web server.
Process Monitor is also showing that NT AUTHORITY\NETWORK SERVICE is the user on the web server that is making the request, which makes me think that the web server is NOT, in fact, passing over the impersonated user to read the remote file share. It's almost like there is a "double hop" issue for remote file share access specifically.
I have also configured the web server to "Trust this computer for delegation to any service (Kerberos only)". Again, this can't be a double-hop issue if I can access a remote SQL server from the web server, or can it? Any help or pointers would be greatly appreciated, I have spent 2 days looking at possible solutions and nothing works.
I'm using as3httpclientlib to post data to my web service, but I'm continually
getting the following security violation. Does anyone know how to resolve this?
My crossdomain.xml file is below the security violation notice.
NOTE: I'm using apache to proxy requests to the web service, therefore the target url/port and the url/port serving the applet are the same -- i.e. http://192.168.100.101. Also, the crossdomain.xml file is located in the root of the web app which serves the applet rather the web service; however, since the requests are proxied the url for the file is http://192.168.100.101/crossdomain.xml
* Security Sandbox Violation * Connection to 192.168.100.101:80
halted - not permitted from
http://192.168.100.101/com-web/flex/ComUi.swf Error: Request for resource at
xmlsocket://192.168.100.101:80 by
requestor from
http://192.168.100.101/com-web/flex/ComUi.swf
is denied due to lack of policy file
permissions.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
<allow-access-from domain="*" to-ports="80, 8080" />
</cross-domain-policy>
Thanks.
Did you tried to debug it with WireShark, see if the app sends the request on port 843 and if the server sends back the response via socket? It was not totally clear in your post if you already use a server app to serve the policy file, if not, you should, either the way, the link below should help.
If you need more info about how things work, you can check out this