In OIM 11gR2 PS3, When creating a user I want to save the String entered in the Justification box of the request. When creating the user I have no workflow set, because I don't need any approvals. Do you know any way to do this??
Thank you
I found out that the best way to retrieve the justification of the request on create user is not through the API, but querying the DB and getting the justification field from there, given the login of the user. I also ordered the results by date, in order to retrieve the most recent request.
Related
What i want todo with Java and Javascript:
If a user try to register an Account, after he write the Login name and klick in the next field, there should be an immediately check, if the Login Name already exist.
My Question is now, what is the best performance way.
I know, how i can check the username in the database, that is no Problem.
But is it possible to cache the List of users in a Application wide variable ?
If yes, how or where should i create a such variable ? I use tomcat as server.
But no idea how i can do that.
Or is it just fine, todo a check on the DB Server.
I want something similar like the Registration from hotmail
Thanks
Two ways to do it (and not thinking very hard). First - before loading the page, on the server side retrieve all user names, put the in a list and put the list in the request. Now you have all your user in the page and can check if the entered name exists (must do it in javascript). The second method - after typing the name make an ajax call to the server and check in DB if exists. Hope this helps.
It's not a good idea to cache all login names. First because at every http session, you need to refresh the whole cache. Second because it's possible to have multiple http sessions (multiple user trying to create an account) and you need to refresh the whole cache to verify new registrations login names. Third it's not a good practice to store temporary the whole user names table in such a variables.. imagine you have 10000000 login names!
With a cache, if two users want to register at the same time, and enters the same user login, both user login pass the validation!
Just query your database with an ajax request or a servlet and make sure your login name column has an index!
I'm using Spring Roo, and Spring MVC.
I have Set up Spring Security to use a MySQL database and auth using the standard schema, table users, table authority.
What I have is a webapp to take orders from our sales people in the field. Simply they just fill in the form and submit it to the database.
The ROO generated MVC pages are fine to start, but I need to make some changes and I'm not sure exactly how to do it. I'm just getting my feet wet learning java.
What I need is for our sales order form to capture the username, and the submitted record would be tagged with their username, and then filter the view so that the sales person can only see the records that they themselves have submitted.
Also I would like to implement a stylus signature capture at the bottom of the form. I tried to figure out how to use http://thomasjbradley.ca/lab/signature-pad/#howto but I'm getting lost on where to put the code. I assume in src\main\views\salesorders\create.jspx
I understand this part is off-topic to my original post.
You will need a table in your database that holds the order forms. An important part of this table will be each row will need to contain a way to map back to the user that submitted it. This will most likely be easiest to implement with a column that is a foreign key to the user table.
When it comes time to fetch for forms for a specific user, you will need to query the order forms table and use a WHERE clause that restricts the rows to just the current user.
As for your second question, it will likely be more worthwhile for you to ask in another question on stackoverflow, as it doesn't really pertain to the original question at all.
I am using Hibernate in Spring MVC 3.05 and an Oracle database.
I have a transaction in which I insert a new record into two tables: User and Registration.
Registration contains a UserId (meaning a user may have many registrations).
When I commit the transaction, I can query my database and see that the new rows were successfully inserted.
The problem
After the transaction commits successfully, I redirect the user to a confirmation page, where I would like to show some information about the registration that was just inserted. On the confirmation page, I do a Hibernate query by userId to get the User that was just inserted. I then use the following properties to populate my model:
User.getName()
User.getEmail()
User.getBlah()
User.getReigstrations().iterator.next()
The one in bold throws an exception "NoSuchElementException" because there are no items in the set. There should be one Registration in the set. If I close the browser, start a new one, and direct myself back to the same link that threw the exception, IT WORKS! There is a Registration in the set.
My guess is that it's not reloading related table objects when I query for my User, but is either pulling from cache or assuming that nothing more had been added since the User was saved. Does anyone know of a way to force Hibernate to reload this data?
Unfortunately I can't just get a Registration by UserId because it maps UserId to the entire User object (via object generation because User is a foreign key).
Hope this makes sense. Any help is appreciated. I am open to a different approach to accomplishing this as well. Thanks!
It's hard to diagnose the exact problem because you don't say when you close sessions, and in which session/transaction you get your User. But I guess the problem comes from the fact that you don't maintain the two sides of the relationship when inserting a new registration.
You should set the user in the registration, and add the registration to the list of registrations of the user.
I got similar domain model
1) User. Every user got many cities. #OneToMany(targetEntity=adv.domain.City.class...)
2) City. Every city got many districts #OneToMany(targetEntity=adv.domain.Distinct.class)
3) Distintc
My goal is to delete distinct when user press delete button in browser. After that controller get id of distinct and pass it to bussiness layer. Where method DistinctService.deleteDistinct(Long distinctId) should delegate deliting to
DAO layer.
So my question is where to put security restrictions and what is the best way to accomplish it. I want to be sure that i delete distinct of the real user, that is the real owner of city, and city is the real owner of distinct.
So nobody exept the owner can't delete ditinct using simple url like localhost/deleteDistinct/5.
I can get user from httpSession in my controller and pass it to bussiness layer.
After that i can get all cities of this user and itrate over them to be sure, that of the citie.id == distinct.city_id and then delete distinct.
But it's rather ridiculous in my opinion.
Also i can write sql query like this ...
delete from
t_distinct
where
t_distinct.city_id in (
select
t_city.id
from
t_city
left join t_user on t_user.id = t_city.owner_id
where
t_user.id = ?
)
and t_distinct.id = ?
So what is the best practice to add restrictions like this.
I'm using Hibernate, Spring, Spring MVC by the way..
Thank you
What you're asking for is not SQL Injection prevention. You need to ensure the user attempting the deletion is authorized.
As long as you check that the user accessing the page has the rights to delete the row your trying to delete (this would be checked in the Business layer), and ONLY allow the delete command if the user is authenticated and authorized to perform the action.
With hibernate you don't have to worry about sql injection. It always uses prepared statements, so you are safe.
As for your concrete case, this is not an sql injection. But to prevent it, make validation in the controller - whether the currently logged user owns the desired ID.
Depending on the size of the application, you can implement some general security scheme, with ownership settings, and apply it (using AOP).
I understand that i want to be sure, the the user is real owner of Book The question was how to accomplish it. And yes, i know that user is authenticated and authorized. But another authorized user can easy delete pages of another user.
This can be done like this...
User userFromHttpSession ...
Long bookId = load page, get bookId, load book, get bookId
List books = userFromHttpSession.getBooks();
... iterate over books and find out if one of the book.id == bookId
... then if book owner is owner of httpSession, then proceed Delete
It's like too many sql queries, and too many code, probably there are better solution. Anyway thank you for your answers
Just use your head, quote-escape* everything from an outside (or inside for that matter) source before it gets put in an SQL statement, and check data as it goes in. Or, use prepared statements.
*Edit: By "quote-escape" I meant functions like PHP's mysql_escape_string()
So, here's the situation. We'd like to be able to query active directory for a user's roles/group memberships, etc. Now, I can already do that using standard Java API (javax.naming), but I need a username, domain server name/address, and a password to do it. Users also have limited rights, so I can't use any external calls to fancy administrative tools.
In Java, is there a way that I can get that information with just the username and domain server name/address? I'm also open to 3rd party packages to do this. Alternatively, you could provide me with (or point me to) information on what to configure in AD to allow this.
Hopefully that makes sense. I'm not an AD guru, so the more info the better.
Your problem of needing to login first is because AD does not allow anonymous querying. Before you can query the database you must login ("bind" in LDAP terms) as a valid user with sufficient rights to issue the query.
If your AD admin is willing, you could have them create a special user (we call ours "ldapquery") that is permitted to bind and query the database. The userid and password for that user would become configuration values in your code.
Okay, so expounding on what others have told me and the vast research I had to do with the clues given here, it appears that I'd just use my "special user" as the login info in my code, transparent to the user, and then perform the query using their credentials. So: in the code, bind using the "special user", then perform the query with the current user as a query parameter (sAMAccountName=username).
Thanks all, for your input.