Suppose that I'm running a web-based exchange and a new customer signs up. I give that customer a new CompID and now I want to add that CompID to my acceptor. Do I have to restart my acceptor or can that be done dynamically?
It doesn't seem very scalable to have to agree on the CompID ahead of time and then stick it in a configuration somewhere.
I've seen some examples which supposedly do that, but they seem to simply change the configuration to pretty much ignore the Sender/Target CompIDs by setting them to *. Any other ways to do that?
Take a look at the DynamicAcceptorSessionProvider and how it's used in the Executor example. The Executor example reads session "templates" from the settings file and associates these with the acceptor endpoint IP address. An acceptor template is identified by the "AcceptorTemplate=true" setting. Any of the session ID fields, including the FIX version, can be wildcarded, not just the SenderCompID.
See the executor_dynamic.cfg for an example of how session templates are defined. In this configuration, both the SenderCompID and TargetCompID are wildcarded and templates for various FIX versions are defined (to specify the appropriate data dictionary file).
When a message arrives for an unknown session ID, the DynamicAcceptorSessionProvider will try to match the session ID with a template's wildcarded sessionID. If it finds a match, the new session will be created automatically and added to the acceptor as if it had been explicitly defined in the settings. The new session will have the settings defined in the acceptor session template.
The DynamicAcceptorSessionProvider is an AcceptorSessionProvider implementation that uses the settings file to support dynamic session creation. However, you could also implement a custom AcceptorSessionProvider that could dynamically create sessions based on database information, for example.
I think you want to fix the TargetCompID and send a unique SenderCompID for each user to use. Then you set the SenderCompID in your acceptor config to *. This will allow the acceptance of all SenderCompIDs. However, you will need to have somewhere in your code the facility to check each order against your database of users. If the user (SenderCompID) is not valid then you will send a reject message. Many implementations will also use tunnels and whitelisted IP addresses to make sure no unwanted connections are coming in.
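An added example, not code from the thread or from the QuickFIX/J project, of the combination the two answers describe: a wildcarded template handled by DynamicAcceptorSessionProvider, plus an Application that rejects the logon of any counterparty CompID that is not enabled in the customer store. It assumes QuickFIX/J, a settings file named executor_dynamic.cfg that defines a FIX.4.4 template with SenderCompID and TargetCompID set to *; the listen port and the customer CompID are placeholder values, and the in-memory set stands in for the user database.

```java
import java.net.InetSocketAddress;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import quickfix.*;
import quickfix.field.MsgType;
import quickfix.field.SenderCompID;
import quickfix.mina.acceptor.DynamicAcceptorSessionProvider;

/** Acceptor Application that only lets enabled customers complete a logon. */
public class WhitelistingAcceptor implements Application {

    // Stand-in for the customer database: CompIDs that are currently enabled.
    private final Set<String> enabledCompIds = ConcurrentHashMap.newKeySet();

    /** Called from the sign-up flow; no acceptor restart is needed. */
    public void enableCustomer(String compId) { enabledCompIds.add(compId); }

    public void disableCustomer(String compId) { enabledCompIds.remove(compId); }

    @Override
    public void fromAdmin(Message message, SessionID sessionID)
            throws FieldNotFound, IncorrectDataFormat, IncorrectTagValue, RejectLogon {
        // Inbound Logon (35=A): the client's own CompID is the header's SenderCompID (49).
        if (MsgType.LOGON.equals(message.getHeader().getString(MsgType.FIELD))) {
            String counterparty = message.getHeader().getString(SenderCompID.FIELD);
            if (!enabledCompIds.contains(counterparty)) {
                // The engine answers with a Logout carrying this text and drops the connection.
                throw new RejectLogon("CompID not enabled: " + counterparty);
            }
        }
    }

    // The remaining callbacks are not needed for the check.
    @Override public void onCreate(SessionID sessionID) { }
    @Override public void onLogon(SessionID sessionID) { }
    @Override public void onLogout(SessionID sessionID) { }
    @Override public void toAdmin(Message message, SessionID sessionID) { }
    @Override public void toApp(Message message, SessionID sessionID) throws DoNotSend { }
    @Override public void fromApp(Message message, SessionID sessionID)
            throws FieldNotFound, IncorrectDataFormat, IncorrectTagValue, UnsupportedMessageType { }

    public static void main(String[] args) throws Exception {
        SessionSettings settings = new SessionSettings("executor_dynamic.cfg");
        WhitelistingAcceptor app = new WhitelistingAcceptor();
        MessageStoreFactory storeFactory = new FileStoreFactory(settings);
        LogFactory logFactory = new ScreenLogFactory(settings);
        MessageFactory messageFactory = new DefaultMessageFactory();

        SocketAcceptor acceptor =
                new SocketAcceptor(app, storeFactory, settings, logFactory, messageFactory);

        // Template session ID matching the wildcarded [session] block in the settings file
        // (assumption: the template is for FIX.4.4).
        SessionID template = new SessionID("FIX.4.4", "*", "*");
        acceptor.setSessionProvider(new InetSocketAddress("0.0.0.0", 9878),   // placeholder port
                new DynamicAcceptorSessionProvider(settings, template, app,
                        storeFactory, logFactory, messageFactory));

        app.enableCustomer("CUSTOMER1");   // constructed sample value
        acceptor.start();
    }
}
```

The whitelist check runs after the provider has already created the session object for the new ID. If you would rather the session never exist for unknown IDs, implement quickfix.mina.acceptor.AcceptorSessionProvider yourself (its single method is provide(SessionID)) and return null for IDs that are not in the customer store; the engine then refuses the connection. Log every rejected CompID so it can feed the same alerting as the IP whitelist the second answer mentions.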
Currently I'm using ComponentRenderers in my Vaadin application, but I would like to change it to LitRenderer (for better performance).
I read the documentation and I'm not sure about the "Note". Does it mean that the whole Person bean is exposed to the client, or only the Address bean from the example? I'm asking because I would like to use it for User bean which contains passwords...
https://vaadin.com/docs/latest/components/grid/flow#using-lit-renderers
As stated in the note you have screenshotted, only (and all) properties of the address are sent to the client. If you supplied the user instance, all of the user instance's properties would be available in the client.
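An added example, not code from the thread or from the Vaadin project, showing the property-by-property exposure the answer describes: the renderer registers only the fields the template needs, so the credential field of the hypothetical User bean is never serialised to the browser. It assumes Vaadin Flow's Grid and LitRenderer; the User class and its field names are constructed for the example.

```java
import java.util.List;

import com.vaadin.flow.component.grid.Grid;
import com.vaadin.flow.data.renderer.LitRenderer;

/** Grid column that renders users without sending the credential field to the browser. */
public class UserColumnRenderer {

    /** Hypothetical User bean with a sensitive field (not from the original post). */
    public static class User {
        private final String username;
        private final String passwordHash;   // must never reach the client
        private final boolean active;

        public User(String username, String passwordHash, boolean active) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.active = active;
        }
        public String getUsername() { return username; }
        public String getPasswordHash() { return passwordHash; }
        public boolean isActive() { return active; }
    }

    /**
     * Only the properties registered with withProperty() are serialised per row.
     * The template may reference item.username and item.active; item.passwordHash
     * does not exist on the client because it was never registered.
     */
    public static LitRenderer<User> userRenderer() {
        return LitRenderer.<User>of(
                "<span theme=\"badge ${item.active ? 'success' : 'error'}\">${item.username}</span>")
            .withProperty("username", User::getUsername)
            .withProperty("active", User::isActive);
    }

    public static Grid<User> buildGrid(List<User> users) {
        Grid<User> grid = new Grid<>();
        grid.addColumn(userRenderer()).setHeader("User");
        grid.setItems(users);
        return grid;
    }
}
```

The contrast with the documentation note is the value provider: withProperty("user", user -> user) would hand the whole bean to the serializer, and every getter, the password hash included, would appear in the browser's row data. Registering scalar getters one at a time is what keeps the exposure to the fields you chose.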
Our application is deployed as a servlet war to multiple tomcat servers under multiple customer contexts:
customer#application.war
We're using log4j2 as our logging and alert email mechanism. So far, everything is working great and our fatal errors are being sent. However, as we deploy to new contexts, it's becoming less clear which customer is generating the error.
So far, it appears that the subject value is static and set in the config file and the system variables are loaded when the logger is built:
subject="[${applicationname}] Fatal Error ${hostname}:${sys:pwd}"
While it appears that there is a way to ascertain the name of our deployed context via the servlet API, we have yet to determine how to introduce this value in the email subject programmatically and dynamically at run time.
This would greatly reduce the time it takes to research an error. Any tips?
So far we've considered the following:
Custom war file with custom log4j2 config for each customer context (very hackish)
Update all log.fatal calls to include the context info from the servlet (horrid)
Custom SmtpAppender (final and protected so that's out)
Custom SmtpManager and override the subject in the MimeMessage object (seems workable but the documentation does not show how to implement)
TIA!!
Piko
This is actually a known issue in Log4j2 as of 2.9.1. The problem is that a MimeMessage is cached and the subject becomes a fixed value. A simple solution would be to stop caching.
There is an open ticket to address this: Log4j2-1450. (Related: Log4j2-1192, which implemented pattern lookups but didn’t fix that MimeMessages are cached.)
If you can provide a patch or a pull request it would greatly increase the chances of this being addressed speedily.
Update: looking at my old comment in that ticket:
Looks like subject already supports $$ runtime lookups. The following attributes are used for each email that is sent, and it should be possible to support runtime lookups for these attributes:
* from
* replyto
* to
* cc
* bcc
* subject (already a runtime lookup)
It should be possible to configure the subject to be a system properties lookup like this:
subject = "$${sys:email.subject}"
Then you set system property email.subject to a different subject and send an email with a different subject. Can you try this?
Update 2:
If system properties are not suitable, you can also create a custom lookup; this is only a few lines of code.
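An added example, not code from the thread or from the Log4j project, of the custom lookup the answer mentions: a StrLookup plugin that resolves to the servlet context path of the war the log call came from, so the SMTP appender subject can carry the customer context. It assumes log4j-core 2.x with plugin discovery enabled, a Servlet 3.0+ container for the @WebListener (on older containers register the listener in web.xml instead), and that log4j-core is bundled inside each war; the plugin name "webctx" and key "name" are chosen for the example.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.lookup.StrLookup;

/**
 * Lookup plugin: ${webctx:name} resolves to the context path of the deployed war, so
 * the appender can be configured with
 *   subject="[${applicationname}] Fatal Error ${hostname} $${webctx:name}"
 * where the $$ defers evaluation from configuration time to each event.
 */
@Plugin(name = "webctx", category = StrLookup.CATEGORY)
public class WebContextLookup implements StrLookup {

    // One value per web application as long as log4j-core is inside the war. If log4j-core
    // sits in Tomcat's shared lib this static is shared by all wars; in that case put the
    // value into ThreadContext per request and use the built-in ${ctx:...} lookup instead.
    private static volatile String contextName = "unknown";

    static void setContextName(String name) {
        contextName = (name == null || name.isEmpty()) ? "ROOT" : name;
    }

    @Override
    public String lookup(String key) {
        return "name".equals(key) ? contextName : null;   // null means "not handled here"
    }

    @Override
    public String lookup(LogEvent event, String key) {
        return lookup(key);
    }

    /** Records the context path when the war starts. */
    @WebListener
    public static class Registrar implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            setContextName(sce.getServletContext().getContextPath());
        }
        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }
}
```

For the plugin to be found, either compile with log4j-core's annotation processor on the classpath (it writes the Log4j2Plugins.dat index) or list the class's package in the packages attribute of the Configuration element. Whether the rendered subject then changes from mail to mail on your log4j2 version is exactly what the caching ticket above is about, so send a test fatal from two contexts before relying on it.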
As the title says. In PHP, for example, I can set the session ID manually to handle the session with some logic based on it. I have generated a hash code from some workflow and would like to set it as the session ID. I know some have implied this could be bad practice if one is not careful, but as a team member I was directed to look into and try to do this task.
So can the session ID be set manually?
Note that I mean the actual session ID, not just the cookie named JSESSIONID that is being set on the first request. I need the session as it is, with only the session ID set manually.
Update: I'm using JBoss but I'd appreciate any generic answer or at the very least for JBoss EAP.
For Tomcat, you may be able to create a custom session manager (see this). You would then have access to the Tomcat Session object and could call setId(java.lang.String id).
There is no standardized way to do it, only a custom way through the container's own API.
Is there a way to verify whether a multi-tenant environment USER account is enabled or disabled using WS?
getUserClaimValue
is the only one I could see; unfortunately it asks for user credentials!
Can't we do it at admin level?
It's not even stored in LDAP attributes. How can I get this verified as super-admin?
Claim URI :
http://wso2.org/claims/identity/accountDisabled
Worked out to get the claim as 'ref'.
How can I get the value from this 'ref' directly using LDAP with Java?
Any claim which has the pattern http://wso2.org/claims/identity/XXXXX is considered a special claim. Hence they are ignored by getUserClaimValue (and by setUserClaimValue when setting a value).
You'll need to use either getUserClaimValues or getUserClaimValuesForClaims for the above purpose (and setUserClaimValues to set).
Update
Due to the tenant separation model it is not allowed to get claim details by other tenant admins (Even for super tenant admin). In case you really need that, one possible option would be to write a custom admin service extending the org.wso2.carbon.um.ws.service.UserStoreManagerService class (which reflects RemoteUserStoreManagerService) where it will start a tenant flow for the user's tenant, and call super class method to get the claim value.
I am working on a legacy (Struts 1.1 running on JDK 1.4, Tomcat 6) application and need advice for implementing user role based security.
A user u1 has a read/view permission while user u2 has write permission on a certain action. E.g.:
Url for user u1 :
http://www.somedomain.com:8080/app?key=12
(It shows the content related with key 12 from DB).
Url for user u2 :
http://www.somedomain.com:8080/app?key=12&note=some note test
(It basically inserts the note value in the DB for key 12.)
Suppose user u1, who has view rights, comes to know the URL used by u2; he can then insert any malicious value for a particular key, which he is not supposed to do.
Even though role-based access to the Struts action class is in place, here the action class used by both users is the same and the only difference is the URL parameter.
Now I have to fix this issue, which is spread across thousands of action classes. So adding checking conditions in each and every action class will not be feasible.
I am thinking of writing a filter class which will read the user role and allowed request parameters (with possible values like action='save' action='view') from a configuration file.
Are there any alternative solution approaches?
Your best choice is to modify the action class and implement some check inside the called method (you can mix in container role-based permissions):
import javax.servlet.http.HttpServletRequest;

public void perform(HttpServletRequest request)
{
    // Only a caller in the "writer" role may send the "note" parameter
    String note = request.getParameter("note");
    if(!request.isUserInRole("writer") && note != null) throw new SecurityException("not allowed");
    ...
}
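An added example, not code from the thread, of the filter approach the question proposes, which generalises the per-action check in the answer above to all actions at once: a servlet Filter that reads a "parameter name = required role" mapping from its init-param and refuses any request that carries a protected parameter from a caller without that role. It is written without generics or annotations so it compiles on the JDK 1.4 / Servlet 2.4 stack named in the question; the init-param name and the sample mapping are chosen for the example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.StringTokenizer;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests that carry a write-implying parameter from a caller lacking the role.
 * web.xml (assumed mapping):
 *   <filter>
 *     <filter-name>paramAuthz</filter-name>
 *     <filter-class>ParameterAuthorizationFilter</filter-class>
 *     <init-param><param-name>protected-params</param-name>
 *                 <param-value>note=writer,action=writer</param-value></init-param>
 *   </filter>
 *   <filter-mapping><filter-name>paramAuthz</filter-name><url-pattern>/app</url-pattern></filter-mapping>
 */
public class ParameterAuthorizationFilter implements Filter {

    // parameter name -> role required to send it (String -> String)
    private final Map requiredRoleByParam = new HashMap();

    public void init(FilterConfig config) throws ServletException {
        String spec = config.getInitParameter("protected-params");
        if (spec == null) {
            throw new ServletException("init-param protected-params is missing");
        }
        parseSpec(spec, requiredRoleByParam);
    }

    /** Parses "param=role,param=role" into the target map; fails loudly on a malformed entry. */
    static void parseSpec(String spec, Map target) {
        StringTokenizer entries = new StringTokenizer(spec, ",");
        while (entries.hasMoreTokens()) {
            String entry = entries.nextToken().trim();
            int eq = entry.indexOf('=');
            if (eq <= 0 || eq == entry.length() - 1) {
                throw new IllegalArgumentException("bad protected-params entry: " + entry);
            }
            target.put(entry.substring(0, eq).trim(), entry.substring(eq + 1).trim());
        }
    }

    /**
     * Returns the first protected parameter the caller may not send, or null if the request
     * is acceptable. Presence is what matters: an empty value still reaches the action.
     */
    static String firstForbiddenParam(HttpServletRequest req, Map requiredRoleByParam) {
        for (Iterator it = requiredRoleByParam.entrySet().iterator(); it.hasNext();) {
            Map.Entry e = (Map.Entry) it.next();
            String param = (String) e.getKey();
            String role = (String) e.getValue();
            if (req.getParameter(param) != null && !req.isUserInRole(role)) {
                return param;
            }
        }
        return null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String forbidden = firstForbiddenParam(req, requiredRoleByParam);
        if (forbidden != null) {
            // Deny before any action class or form bean sees the parameter.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Because Struts 1 form beans are populated from the same request parameters, the filter sees every value the actions would, whether it arrived in the query string or the POST body. The mapping is a deny list of known write parameters, which is easy to retrofit; the stricter form, listing per role which parameters are allowed and refusing everything else, is the same filter with the comparison inverted.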
Without knowing much about your application, I would try to apply Java declarative security for my role based solution as much as possible.
If it is easy for you to use the Java EE declarative security, then go for it.
It is simple, flexible and uses standards, which will give you the safety you request and the ability to port your solution to different Java web server providers.
Maybe a URL rewriter (Apache in front of the web application can help to reorganize) can split the destinations, and then in your Java web server set the URL patterns which will expect different user roles for the read/view and update/write permissions.
This will need a few changes to achieve, but you would definitely not need to change your 4k codebase and you will thereby reach a clean solution.
Search for e.g. setting up role based security or Java declarative security.
Some reading with a demo:
http://www.thecoderscorner.com/team-blog/hosting-servers/17-setting-up-role-based-security-in-tomcat#.Us0eShoeK-Y