Implementing a security policy without an RDBMS

I need to design a security mechanism that will enable access control. However it cannot rely on implementing it through an RDBMS, as there may or may not be a database in certain situations.
I am completely new to Java security and would appreciate some 'simplistic' advice.

Hi,
You can implement the JAAS mechanism.
Rgds,
Anand

Similar Messages

  • How to implement a security sub-system?

    Hi Everyone,
    I got the following task below from my team leader. I don't know where to start to get the following task done. If you have any idea on how to get the following task done, please give me the steps on how to complete the following task. Or give me some links (websites) which can get me start on getting the following task done. Thanks for your time and help in advance!
    Your next task is depicted in the case scenario as follows:
    Some remote process is able to view a directory listing of the files on the directory and then selects a JSP file to execute. It runs without any enforced permission on the server and the remote process is able to view the output or that the JSP file is executed without the proper caller - a DocIt system process (JSP, Javabean). How can we solve this problem?
    For one thing the directory listing permissions should only be permitted explicitly by the server "system security/permission objects" (configured by the administrator/root) on win32/Linux. Second, all JSP files must include a security module as part of its code base before even a single line of code is written by the programmer. This ensures that at least the caller is allowed certain permissions to execute the code residing in the JSP file. The granularity of the permissions depends directly on the type of caller. Is it a "user", a "power user", a "system admin", a "pre-defined DocIt system object" (forms subsystem), and so on. We need a powerful yet flexible security system as it is important to register the permitted objects to execute only the rightful code determined by the DocIt system security policy.
    This task is less specific and thus you have more flexibility to provide a solution. Please describe and analyze a security policy to prevent any executable code from running without its proper caller for the case scenario above. Be creative in determining the requirements for identifying the calling object and the code that checks for the proper credentials before permitting execution of the code. Say you have a hierarchy of inheritable permission objects. The code must be able to check that the caller belongs to the set of permission objects. Please use diagrams, case scenarios, and other designs to provide a basis for implementation. After the designs are reviewed alongside any other requirements we will implement this security sub-system in the near future.

    You may also want to look at JAAS. http://java.sun.com/developer/technicalArticles/Security/jaasv2/
    It's probably a tad overkill for some JSP applications, but it would give you an additional layer of protection for documents, i.e., you can control access to actual files based on roles. I say it's a bit of overkill because Tomcat incorporates most of the ideas into their realms.

  • Application error while using security.policy feature

    I am learning Java by reading http://java.sun.com/docs/books/tutorial/
    While studying the "Security/Quick Tour of Controlling Applications" part I compile GetProps.java example:
    import java.lang.*;
    import java.security.*;
    class GetProps {
        public static void main(String[] args) {
            String s;
            try {
                System.out.println("About to get os.name property value");
                s = System.getProperty("os.name", "not specified");
                System.out.println(" The name of your operating system is: " + s);
                System.out.println("About to get java.version property value");
                s = System.getProperty("java.version", "not specified");
                System.out.println(" The version of the JVM you are running is: " + s);
                System.out.println("About to get user.home property value");
                s = System.getProperty("user.home", "not specified");
                System.out.println(" Your user home directory is: " + s);
                System.out.println("About to get java.home property value");
                s = System.getProperty("java.home", "not specified");
                System.out.println(" Your JRE installation directory is: " + s);
            } catch (Exception e) {
                System.err.println("Caught exception " + e.toString());
            }
        }
    }
    When I run it without security manager it prints all the properties as it has to:
    E:\Test>java -jar GetProps.jar
    About to get os.name property value
    The name of your operating system is: Windows XP
    About to get java.version property value
    The version of the JVM you are running is: 1.6.0_03
    About to get user.home property value
    Your user home directory is: C:\Documents and Settings\mikhail
    About to get java.home property value
    Your JRE installation directory is: C:\Program Files\Java\jdk1.6.0_03\jre
    When I run it with security manager it prints the first two properties only and throws AccessControlException on user.home property as it has to either:
    E:\Test>java -Djava.security.manager -jar GetProps.jar
    About to get os.name property value
    The name of your operating system is: Windows XP
    About to get java.version property value
    The version of the JVM you are running is: 1.6.0_03
    About to get user.home property value
    Caught exception java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
    But when I run it with security manager and security policy allowing access to user.home and java.home properties it nevertheless throws AccessControlException, in spite of that mypolicy file grants access to these properties:
    E:\Test>java -Djava.security.manager -Djava.security.policy=mypolicy -jar GetProps.jar
    About to get os.name property value
    The name of your operating system is: Windows XP
    About to get java.version property value
    The version of the JVM you are running is: 1.6.0_03
    About to get user.home property value
    Caught exception java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
    Here is content of mypolicy file which I created by using policytool utility:
    grant codeBase "file:/E:/Test/" {
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "user.home", "read";
    };
    My system:
    MS WindowsXP Professional, Service Pack 2
    Sun SE JDK 1.6.0_03
    What am I doing wrong?
    Thank you, Mikhail.
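
The codeBase matching behind the failure described above, as an added example that is not part of the original post: a codeBase ending in "/" covers class files in that directory but not JAR files in it, while `java -jar GetProps.jar` loads the class from `file:/E:/Test/GetProps.jar`. The class name `CodeBaseMatch`, its helper methods and the subdirectory path are hypothetical; the check calls `java.security.CodeSource.implies`, whose rules are the codeBase matching rules of the policy file syntax.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

/** Added example: which policy codeBase forms cover a given launch location. */
public class CodeBaseMatch {

    /** True when a grant with this codeBase applies to code loaded from 'location'. */
    static boolean grantApplies(String codeBase, String location) throws Exception {
        // No signer certificates on either side: only the location is compared.
        CodeSource granted = new CodeSource(toUrl(codeBase), (Certificate[]) null);
        CodeSource running = new CodeSource(toUrl(location), (Certificate[]) null);
        return granted.implies(running);
    }

    static URL toUrl(String s) throws Exception {
        return URI.create(s).toURL();
    }

    public static void main(String[] args) throws Exception {
        // The codeBase from the posted mypolicy file, plus the other forms
        // the policy file syntax allows for the same directory.
        String[] codeBases = {
            "file:/E:/Test/",              // as posted: class files in the directory
            "file:/E:/Test/*",             // class files and JARs in the directory
            "file:/E:/Test/-",             // the directory and everything below it
            "file:/E:/Test/GetProps.jar",  // exactly one JAR
        };
        // Where the class is loaded from in each launch mode. The first two
        // locations are built from the paths in the post; the third is a
        // hypothetical layout added to show the difference between * and -.
        String[][] launches = {
            {"java -cp E:\\Test GetProps",       "file:/E:/Test/"},
            {"java -jar GetProps.jar",           "file:/E:/Test/GetProps.jar"},
            {"JAR in a subdirectory (assumed)",  "file:/E:/Test/lib/GetProps.jar"},
        };
        for (String[] launch : launches) {
            System.out.println(launch[0] + "  ->  " + launch[1]);
            for (String codeBase : codeBases) {
                String verdict = grantApplies(codeBase, launch[1]) ? "applies" : "does not apply";
                System.out.printf("    grant codeBase %-30s %s%n", "\"" + codeBase + "\"", verdict);
            }
        }
    }
}
```

A grant that is reported as not applying to the launch location leaves the code with only the default permissions, which is why `user.home` is still denied.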

    The last two days have been frustrating. The error above also appeared when I was trying to view one of the relationships in one of my entities.
    What seems to have been happening is Designer showed a relationship existing after it had been deleted. This seems to be a bug in Designer. These rogue links can be deleted in the RON (although if you try to look at their details the RON will crash with the error in original query). After this cleanup everything worked like clockwork.
    Hannah Fraser

  • Invoke a business service base in a WSDL with customer WS-Security Policy

    The customer wrote a web service (refer to the attachment file “HTTPS_PartyServicePortType.WSDL”) which declares a WS-Security Policy and applies it to the WS binding. How can I generate a business service based on this WSDL and invoke it successfully?
    When creating a business service in OSB, we get an error with the message below:
    [[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy. For the Business Service, either you can add the necessary client policies manually by clicking Add button or you can let Oracle Service Bus automatically pick and add compatible client policies by clicking Add Compatible button.
    After enhanced the OSB domain with OWSM extension, we found the OOTB OWSM defined cannot support the HttpsToken and OSB cannot support below WS-Policy defined in OWSM, refer to http://docs.oracle.com/cd/E21764_01/doc.1111/e15866/owsm.htm#OSBDV1681
    51.2.8.1 Unsupported Assertion
    •     binding-permission-authorization
    •     http-security
    •     OptimizedMimeSerialization (MTOM)
    •     RMAssertion (Reliable Messaging)
    •     sca-component-authorization
    •     sca-component-permission-authorization
    •     UsingAddressing
    •     wss-saml-token-bearer-over-ssl (Authentication)
    it means that we cannot generate a web service with customer WS-security Policy
    The WS-Security Policy is shown as below:
    <wsp:Policy wsu:Id="WSHttpBinding_IPartyServicePortType_policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <sp:HttpsToken RequireClientCertificate="false"/>
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy><sp:Basic256/></wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
            </wsp:Policy>
          </sp:TransportBinding>
          <wsaw:UsingAddressing/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
    BestRegards!
    Simon

    Hi
    According to
    http://e-docs.bea.com/wls/docs90/webserv/annotations.html#1050414
    If you are going to publish the policy file in the Web Service archive, the policy XML file must be located in either the META-INF/policies or WEB-INF/policies directory of the EJB JAR file (for EJB implemented Web Services) or WAR file (for Java class implemented Web Services), respectively.
    Can you make sure the policy file is in there?
    Also there is a sample from the developer at http://dev2dev.bea.com/blog/jlee/archive/2005/09/how_to_use_anno.html
    Vimala-

  • "Security policy error" while setting up "Microsoft Exchange Hosted Services" Exchange Account (corporate user)

    I'm a corporate user with a very large company that is using Microsoft Hosted Exchange services actually hosted by Microsoft employees at their facilities. I called Palm support and they were clueless and zero help. The lady pointed me to some Palm KB article that I had already read and only remotely had anything to do with my problem. I see nothing on this error message in the forums and google searches. Sprint has even replaced my palm pre due to other reasons and the same error occurs after I configure the exchange account. I'm also seeing the error when I configure my account on my wife's brand new pixi. Both our pre and pixi already have exchange accounts successfully configured on our phones that are hosted by sherweb. The sherweb exchange accounts work without issue. I have tried configuring this microsoft hosted exchange account 5-6 times with the same result. It accepts my configuration information and adds it to the list of available email accounts in the pre. However, it keeps popping up this message stating "Security policy error: "Exchange... Tap for details" (with a yellow exclamation mark). Then it says "Security Policy Error" The account Exchange (first part of my email address) is disabled because security policies cannot be set." "Leave it disabled" or "Remove Account". I know something is working because it enforced a Password or Pin policy on to my phone which is not required unless this account has been added. I can also see it in the "Mobile Devices" section of web outlook when I login. This is the place in web outlook where you can see the last time the device synced, where you can remote wipe the phone etc. If anyone has any idea how to resolve my issue please post. Any ideas? I'm fresh out of ideas on this problem and very frustrated with Palm Developers. Just another example of poor development and testing practices by Palm.
    I hope they correct this issue on subsequent releases but I am only marginally optimistic that they will ever get this exchange mail support to the level necessary to support large corporations. What I do know is that my Microsoft Hosted Exchange account works fine on a Windows Mobile phone and an iPhone 3GS (confirmed by other coworkers who have configured their phones using our exchange services). As a result, I have no choice but to blame Palm for this problem instead of Microsoft. Palm please fully support microsoft exchange mail users!!!!
    Post relates to: Pre p100eww (Sprint)
    This question was solved.

    From my understanding of EAS and PDA devices, if the server has a policy to enforce and the device cannot provide that policy then the server will not allow the device to connect. The KB I gave you has a listing of what policies the device supports, if your server supports more than that then it could deny the connection. As for what the iPhone does and does not do we cannot answer that due to we are not iPhone.
    I did find an article that may explain a little better for PDA and exchange: http://www.infoworld.com/d/mobilize/how-avoid-smartphone-exchange-policy-lie-004

  • Process security headers without removing them

    Does anyone know whether it is possible to have OSB process security headers without removing the headers from the message?
    I would like to be able to validate the signature and grab the principal from the certificate in order to determine whether the request should be allowed to continue on. However, the signature cannot be removed from the message because the business service requires requests to be signed (and the requests must be signed by the original requester, not an intermediary).
    See Process security headers without removing them also
    Helmar

    I don't know a way of doing this with OSB, I mean having the bus do it for you. It's either process all security headers or none. If the service bus is acting as a pass-through, not processing the headers, you could read them yourself inside the proxy pipeline. But you would have to implement the decryption yourself, this won't be done by the bus. You could do this with a java callout, but I imagine it won't be a trivial task.
    I'd think this is pretty standard. The headers normally are intended for a service (maybe going through various intermediaries), hence the actor property of the headers, and that service should remove them after processing them. But I'm not familiar with Oracle's ESB to know if this is possible with it.

  • Security.policy issue when running javarmi server.

    hi guys,
    i am trying to run a sample javarmi applications.
    the code as follows:
    file name : myRMIInterface.java
    //package my_rmi_classes;
    public interface myRMIInterface extends java.rmi.Remote {
        public java.util.Date getDate() throws java.rmi.RemoteException;
    }
    //implementation program
    // package my_rmi_classes;
    import java.rmi.*;
    import java.rmi.server.UnicastRemoteObject;
    public class myRMIImpl extends UnicastRemoteObject implements myRMIInterface {
        public myRMIImpl(String name) throws RemoteException {
            super();
            try {
                // Registers this object with the local rmiregistry under 'name'.
                Naming.rebind(name,this);
            } catch(Exception e) {
                System.out.println("Exception occured:"+e);
            }
        }
        public java.util.Date getDate() {
            return new java.util.Date();
        }
    }
    application : myRMIServer.java
    //package my_rmi_classes;
    import java.rmi.*;
    import java.rmi.server.UnicastRemoteObject;
    public class myRMIServer {
        /**
         * @param args the command line arguments
         */
        public static void main(String[] argv) {
            // TODO code application logic here
            System.setSecurityManager(new RMISecurityManager());
            try {
                myRMIImpl implementation = new myRMIImpl("myRMIimplInstance");
            } catch(Exception e) {
                System.out.println("satish exception occured :" +e);
            }
        }
    }
    steps which i follow to run this applications:
    step 1: compile all the applications.
    step 2: create myRMIImpl_Stub.class file by running RMIC
    step 3: start rmiregistry
    step 4: i download a policy file from sun website and i place that file in my source code folder.
    i use 3 types of policy files which are as follows,,,
    type 1:
    grant{
        permission java.net.SocketPermission "localhost:1099", "connect, resolve";
        permission java.net.SocketPermission "localhost:1024-", "connect, resolve";
        permission java.net.SocketPermission "localhost:1024-", "accept, resolve";
    };
    type 2:
    grant codeBase "C:/week_project/rmi server files/" {
        permission java.security.AllPermission;
    };
    note: all my java files(source code) files are in the folder (rmi server files). i copy all policy files in the same folder.
    type 3:
    grant {
        // Allow everything for now
        permission java.security.AllPermission;
    };
    step 5:
    a:) C:\week_project\rmi server files\java -Djava.security.policy=(policy name).policy myRMIServer
    b:) C:\week_project\rmi server files\java -Djava.security.policy=C:\........\(policy name).policy myRMIServer
    when i work with type-1 policy file i got error message as follows
    ERROR:
    Exception occured:java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
    type -2 policy file
    ERROR
    java.security.policy: error adding Entry:
    java.net.MalformedURLException.AccessControlException : access denied(java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
    type-3 policy file
    ERROR
    exception occured; java.rmi.connectexception : connection refused to host :127.0.0.1; nested exception is :
    java.net.connectexception : connection refused : connect
    i am trying to solve this from last week but i can't
    so, please help me
    with regards
    satish

    what ever it is

  • How to resolve Issues while implement gateway security by using reginfo,secinfo?

    Hi,
    I want to implement gateway security using  gw/reg_info,  gw/sec_info,  gw/reg_no_conn_info.
    so far I have created reginfo and secinfo files to allow all internal traffic and I kept gw/reg_no_conn_info=11, gw/acl_mode=1
    reginfo
    ======
    #VERSION=2
    P TP=*,HOST=local
    P TP=*,HOST=internal
    P TP=*,HOST=*.abc.com
    With the above setting I believe all the programs within SAP systems (including app servers), and also systems from domain abc.com, can register programs without having any issues.
    secinfo:
    ======
    #VERSION=2
    P TP=* USER=* USER-HOST=local HOST=local
    P TP=* USER=* USER-HOST=internal HOST=internal
    Similarly, as per the secinfo content I believe that all the internal traffic can go without any issue within the SAP system.
    beside that I have activated gateway logging to find the rejecting connections if any.
    I have following questions:
    ===================
    1)As the reginfo,secinfo files maintained can I remove gw/acl_mode=1 parameter ?
    2)if I want to add a specific programs to register from 3rd party system, suppose a program called "zram" from system "172.198.10.1" where I suppose to add it. Do I need to add that IP to secinfo along with reginfo?
    3)when I set parameter gw/reg_no_conn_info=11 when convert to binary it equals to 00001011
    what exactly this means from the following definitions from note 1444282
    1 1298433 Bypassing security in reginfo & secinfo
    2 1434117 Bypassing sec_info without reg_info
    4 1465129 CANCEL registered programs
    8 1473017 Uppercase/lowercase in the files reg_info and sec_info
    will that means 8+2+1 means satisfying the above 3 lines except condition 4 ?
    4) I enabled  gateway logging, how could I catch rejecting connections from third party systems?
    5)From simulation mode I got to know that It will satisfy reginfo,secinfo restrictions and it will allow all other traffic.so what is the added advantage with this when activate?
    6)is there any sap native tools which help while preparing reginfo, secinfo files?
    Regards,
    Koteswararao.Davuluri(Koti).

    Hi,
    Here is answers for questions 4 and 5.
    4) I enabled  gateway logging, how could I catch rejecting connections from third party systems?
    SMGW->Goto->Expert functions->logging
    In the above path if you select security->(under that)->Rejected access only
    when you select that it should show you the connections getting rejected.
    5) For simulation mode you have 2 options. You can activate it directly from the above path. The other option: if you maintain gw/sim_mode = 1 that will make the permanent simulation mode. But once after all the entries are set in reginfo you have to disable simulation mode. With secinfo you will not have much problems.
    After doing steps 4, 5 you can see rejected entries in Gateway log.

  • Default security policy 802.1x

    Folks,
    I just installed a 2100 controller and added a WLAN. I noticed that the default L2 security policy is 802.1x which is using WEP 104 keys. My question is where do we define the wep key on the controller. does that mean no client will be able to connect to the AP, unless he adds the key to the SSID?

    Does 802.1x always require a radius server? With a fully redundant network implementation I could see a Windows Radius server being the weakest link.
    For port security for a project I am working on I am searching for the best solution. I will shutdown unused ports. Allow only one mac-address (need to learn how to do this). I am also researching the cost effectiveness of implementing 802.1x security.
    James

  • Socket and Security Policy

    I've tried to experiment with Socket communication in Flex, but I keep hitting problems. Approach 1: in a Flex web app, I load a crossdomain security policy from a server. I then open a socket and write a few bytes to the server. In my server, I do not get the expected output on the stream--in fact, I get nothing at all--until I close the Flex application, at which point I get a seemingly infinite stream of the bytes '0xEFBFBF'. Here's a hexdump view of a fragment of the data Flash Player sends to the server after I close the Flex app:
    00000130  ef bf bf ef bf bf ef bf  bf ef bf bf ef bf bf ef  |................|
    00000140  bf bf ef bf bf ef bf bf  ef bf bf ef bf bf ef bf  |................|
    00000150  bf ef bf bf ef bf bf ef  bf bf ef bf bf ef bf bf  |................|
    Approach 2: I then tried it in air, but although the connection seems to initiate properly and I can go through the above trivial client-server interaction, after a few seconds, I get a SecurityErrorEvent. From what I've been able to follow of the docs, Air applications are trusted in this respect, and should not need to load security policy, right? I tried to add a call to Security.loadPolicy(), but it seems to be ignored. This is the message flow:
    Received [class Event] connect
    Received [class ProgressEvent] socketData
    Received [class Event] close
    Received [class SecurityErrorEvent] securityError
    Security error: Error #2048: Security sandbox violation: app:/main.swf cannot load data from localhost:5432.
    The Air version of my client code is below:
    <?xml version="1.0" encoding="utf-8"?>
    <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">
    <mx:Script>
        <![CDATA[
            var str:Socket;
            private function handleClick(e:Event):void {
                Security.loadPolicyFile("xmlsocket://localhost:2525");
                str = new Socket('localhost', 5555);
                var message:String = 'hello';
                for (var i:int = 0; i < message.length; i++) {
                    str.writeByte(message.charCodeAt(i));
                }
                // NUL byte terminates the request
                str.writeByte(0);
                str.flush();
                str.addEventListener(Event.ACTIVATE, handleEvent);
                str.addEventListener(Event.CLOSE, handleEvent);
                str.addEventListener(Event.CONNECT, handleEvent);
                str.addEventListener(Event.DEACTIVATE, handleEvent);
                str.addEventListener(IOErrorEvent.IO_ERROR, handleEvent);
                str.addEventListener(ProgressEvent.SOCKET_DATA, handleEvent);
                str.addEventListener(SecurityErrorEvent.SECURITY_ERROR, handleEvent);
            }
            private function handleEvent(e:Event):void {
                 trace("Received", Object(e).constructor, e.type);
                 if (e is ProgressEvent) {
                     var strBytes:Array = [];
                     while(str.bytesAvailable > 0) {
                         var byte:int = str.readByte();
                         strBytes.push(byte);
                     }
                     trace(String.fromCharCode.apply(null, strBytes));
                 } else if (e is SecurityErrorEvent) {
                     trace("Security error:", SecurityErrorEvent(e).text);
                 }
            }
        ]]>
    </mx:Script>
    <mx:Button label="test" click="handleClick(event)"/>
    </mx:WindowedApplication>
    The server is in Java and is as follows:
    import java.net.*;
    import java.io.*;
    public class DeadSimpleServer implements Runnable {
        public static void main(String[] args) throws Exception {
            if (args.length != 2) {
                throw new Exception("Usage: DeadSimpleServer policy-port service-port");
            }
            int policyPort = Integer.parseInt(args[0]);
            int servicePort = Integer.parseInt(args[1]);
            // One listener serves the socket policy file, the other the actual service.
            new Thread(new DeadSimpleServer(policyPort,
                                            "<?xml version=\"1.0\"?>\n" +
                                            "<cross-domain-policy>\n" +
                                            "<allow-access-from domain=\"*\" to-ports=\"" + servicePort + "\"/>\n" +
                                            "</cross-domain-policy>\n")
                       ).start();
            new Thread(new DeadSimpleServer(servicePort, "world")).start();
            while (true) Thread.sleep(1000);
        }
        private int port;
        private String response;
        public DeadSimpleServer(int port, String response) {
            this.port = port;
            this.response = response;
        }
        public String getName() {
            return DeadSimpleServer.class.getName() + ":" + port;
        }
        public void run() {
            try {
                ServerSocket ss = new ServerSocket(port);
                while (true) {
                    Socket s = ss.accept();
                    System.out.println(getName() + " accepting connection to " + s.toString());
                    OutputStream outStr = s.getOutputStream();
                    InputStream inStr = s.getInputStream();
                    int character;
                    System.out.print(getName() + " received request: ");
                    // Reads until the NUL terminator sent by the client
                    while ((character = inStr.read()) != 0) {
                        System.out.print((char) character);
                    }
                    System.out.println();
                    Writer out = new OutputStreamWriter(outStr);
                    out.write(response);
                    System.out.println(getName() + " sent response: ");
                    System.out.println(response);
                    System.out.println(getName() + " closing connection");
                    out.flush();
                    out.close();
                    s.close();
                }
            } catch (Exception e) {
                System.out.println(e);
            }
        }
    }
    Am I missing something? From what I understand, either of these approaches should work, but I'm stuck with both. I have Flash Player 10,0,15,3 and am working with Flex / Air 3.0.0 under Linux.

    So... apparently, with the Air approach, this is what I was missing: http://www.ultrashock.com/forums/770036-post10.html
    It'd be nice if FlashPlayer gave us a nicer error here.
    I'm still trying to figure out what the heck is going on in the web app (i.e., non-Air Flex) example. If anyone has any suggestions, that would be very helpful.
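
One explanation consistent with the posted server code, as an added example that is not part of the original thread: the read loop stops only on a 0 byte, so once the client disconnects `read()` returns -1 and the loop keeps printing `(char) -1`, which is U+FFFF and encodes to `ef bf bf` on a UTF-8 console. The class `NulTerminatedReader`, the method `readRequest` and the 1024-byte cap are hypothetical, and the sample requests are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/** Added example: reading a NUL-terminated request without looping past end of stream. */
public class NulTerminatedReader {

    // Assumed upper bound; the original server defines none.
    static final int MAX_REQUEST_BYTES = 1024;

    /** Reads bytes up to (not including) the first 0 byte. */
    static String readRequest(InputStream in) throws IOException {
        byte[] buf = new byte[MAX_REQUEST_BYTES];
        int n = 0;
        int b;
        while ((b = in.read()) != 0) {
            if (b == -1) {
                // End of stream: the peer closed before sending the terminator.
                throw new EOFException("peer closed after " + n + " bytes, no terminator");
            }
            if (n == buf.length) {
                // Bound memory and time spent on a client that never terminates.
                throw new IOException("request longer than " + buf.length + " bytes");
            }
            buf[n++] = (byte) b;
        }
        return new String(buf, 0, n, StandardCharsets.UTF_8);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte x : bytes) {
            sb.append(String.format("%02x ", x));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // What a loop without the -1 check prints on every pass after the
        // client has gone away: the int -1 narrowed to a char.
        byte[] eofAsChar = String.valueOf((char) -1).getBytes(StandardCharsets.UTF_8);
        System.out.println("(char) -1 encoded as UTF-8: " + hex(eofAsChar));

        // Constructed requests: the client's message, the request Flash Player
        // sends to a socket policy server, and a connection cut off early.
        byte[][] samples = {
            "hello\0".getBytes(StandardCharsets.US_ASCII),
            "<policy-file-request/>\0".getBytes(StandardCharsets.US_ASCII),
            "hel".getBytes(StandardCharsets.US_ASCII),
        };
        for (byte[] sample : samples) {
            try {
                String request = readRequest(new ByteArrayInputStream(sample));
                System.out.println("request: " + request);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```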

  • Implementing port security

    I have about a dozen 2960 that I wish to implement port security. Some users tend to bring their own router and cause mayhem to the network. I've tried DHCP snooping, don't seem to work and port security testing on a few ports work well.
    What are the recommended steps? All are connected with users and all ports are already in use.
    - Some ports already have a few mac address in the tables thus I can't say do a across the board implement say "switchport port-security maximum 3".
    - It's tedious to go switch by switch, port by port
    - Any mechanism that can convert sticky to static with "switchport port-security mac-address sticky" first then convert them to static since the network is ok now.

    The poster above raised some excellent points about an "IT Acceptable Policy". I wouldn't want people allowed to bring in random network equipment and just plug it in all willy-nilly.
    With DHCP Snooping, you need to understand that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, for which you have two options. You can either turn it off from being checked at the router, or instruct the switch not to install the option to begin with in DHCP Discover packets.
    When you enable DHCP Snooping, this will create the DHCP Snooping database, which will keep track of the DHCP-assigned IP address and the MAC address assigned to each port.
    If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropriately.
    It sounds like you may have a hard time, since they don't seem to really care about security at this place.
    Personally, if it were me, all ports would have BPDU Guard that should, at a minimum. You can always setup 'errdisable recovery' to deal with the recovering of ports that have been disabled automatically.

  • Three part blog about Reducing the Cost to Implement a Security Plan

    Part 3 of a great blog done by in AlienVault Support who has "heard it all" about the problems SMBs have in implementing a security plan with small budgets. Kenneth offers lots of practical and helpful advice for IT and security practitioners.
    https://www.alienvault.com/blogs/security-essentials/third-step-in-reducing-the-cost-to-implement-a-...
    This topic first appeared in the Spiceworks Community

    hi Elistariel -
    With no texting plan, it is 25 cents per picture message. The LG VX5500 (same phone my daughter has) does not use a memory card, so you can try two different programs on your computer (both free) and see if either one will get the pics off and saved on your computer; from there you can upload to your online album without a per picture charge.
    You can try Verizon's VCast media manager - download and install it on your computer, then use the USB cable to link the phone to the computer and transfer the pics with VCast.
    Here's a link
    A third party program called BitPim will also work, but it's more technical and does a lot more than just transfer your media. It can also brick your phone if you don't know what you are doing, so it's "use at your own risk", as Verizon won't cover any losses due to using BitPim. It does work though--I have used it, very cautiously!

  • Difficulties loading custom security Policy object.....

    I just finished reading the white paper entitled "When java.policy Just Isn't Good Enough" and I found a lot of good information for creating my own extension of java.security.Policy. I'm having a difficult time figuring out how to (best) load the policy, and I'll explain why, but first I'd like to make sure that I'm extending the Policy class correctly. Don't worry, I'll be as brief as possible. My class looks something like this, with a few more permissions than what I've included here (for brevity):

    import java.security.CodeSource;
    import java.security.PermissionCollection;
    import java.security.Permissions;
    import java.security.Policy;
    import java.util.PropertyPermission;

    public class MyPolicy extends Policy {
        private static MyPolicy INSTANCE = new MyPolicy();
        private PermissionCollection perms = new Permissions();
        private MyPolicy() {
            constructPerms();
        }
        public static MyPolicy getInstance() {
            return INSTANCE;
        }
        public PermissionCollection getPermissions(CodeSource arg0) {
            return perms;
        }
        public void refresh() {
            // permissions won't change, so nothing necessary here!
        }
        public void constructPerms() {
            // I'm adding other permissions, but here are a few basic ones just for the idea:
            perms.add(new PropertyPermission("java.version", "read"));
            perms.add(new PropertyPermission("java.vendor", "read"));
            perms.add(new PropertyPermission("java.vendor.url", "read"));
        }
    }

    I have this class in a package that will reside inside of a jar on the target machine. The jar will be wrapped in an executable, and we'll be distributing a JRE directory that will reside in the same (installation) directory as the executable. I'm not sure how to specify this as my Policy implementation on startup of the JVM. For security reasons, I want to rely as little as possible on security stuff outside of my exe-wrapped-jarfile. I can pass whatever parameters I want to the JVM, including -Xbootclasspath, but I'm not sure what I need to get things working this way.
    I tried another approach. I don't really like it, but I just wanted to try it this way to test my Policy implementation. I edited my java.policy file to look like this:

    grant {
        // Custom permissions to allow app to load
        // and then set MyPolicy as Policy object:
        permission java.security.SecurityPermission "getPolicy";
        permission java.security.SecurityPermission "setPolicy";
        permission java.util.PropertyPermission "stuff.*", "read,write";
    };

    And then in my main() method, I loaded it like this:

    Policy myPolicy = MyPolicy.getInstance();
    Policy.setPolicy(myPolicy);

    But that doesn't seem to work because I'm getting an AccessControlException: access denied (java.awt.AWTPermission replaceKeyboardFocusManager)
    Even though I have this permission in my implementation:

    perms.add(new AWTPermission("replaceKeyboardFocusManager"));

    Do you have any ideas what I'm doing wrong, or how I could fix them? Any information would be greatly appreciated. Thanks in advance!
    Steve
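
An added example, not part of the post above or of any project it mentions: a fixed-grant policy in the spirit of MyPolicy that answers implies(ProtectionDomain, Permission) itself and returns a fresh copy from getPermissions, because in OpenJDK the inherited getPermissions(ProtectionDomain) adds each domain's static permissions into whatever collection getPermissions(CodeSource) hands back. FixedPolicy and allowed() are hypothetical names, and the code assumes a JDK where the Policy API is still functional (such as JDK 8).

```java
import java.awt.AWTPermission;
import java.security.*;
import java.util.Enumeration;
import java.util.PropertyPermission;

// Hypothetical class name; a hardened variant of a fixed-grant Policy.
public final class FixedPolicy extends Policy {
    private final Permissions granted = new Permissions();

    public FixedPolicy() {
        granted.add(new PropertyPermission("java.version", "read"));
        granted.add(new AWTPermission("replaceKeyboardFocusManager"));
        granted.setReadOnly(); // later add() calls on the internal set now fail
    }

    // ProtectionDomain.implies() calls this for every domain on the stack.
    // Answering here keeps the decision independent of the base class's
    // per-domain cache (an OpenJDK implementation detail).
    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        return granted.implies(permission);
    }

    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        return copy();
    }

    @Override
    public PermissionCollection getPermissions(CodeSource codeSource) {
        return copy();
    }

    // Callers may add to the collection they receive, so never share the original.
    private Permissions copy() {
        Permissions fresh = new Permissions();
        for (Enumeration<Permission> e = granted.elements(); e.hasMoreElements();) {
            fresh.add(e.nextElement());
        }
        return fresh;
    }

    // Hypothetical helper: true when every domain on the current stack implies p.
    static boolean allowed(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new FixedPolicy());
        System.out.println("java.version read: " + allowed(new PropertyPermission("java.version", "read")));
        System.out.println("AWT focus manager: " + allowed(new AWTPermission("replaceKeyboardFocusManager")));
        System.out.println("user.home read:    " + allowed(new PropertyPermission("user.home", "read")));
    }
}
```

AccessController.checkPermission consults the installed Policy even without a SecurityManager, so the three checks can be run directly from main.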

  • WebStart, custom security policy and debugging

    Hi,
    Please forgive the long post, it's an obscure problem.
    A year ago I implemented a custom instance-centric security policy that uses a database for storing permission data. It has served our needs very well on the server side. Now, however, I need to reuse it in a client application deployed to about 50 users via WebStart (there are more similar applications coming which will take the user base to about 200).
    For some reason, the permissions are not being properly evaluated under WebStart. Tracing through my policy code, I can see that calls to imply() return with expected true/false values, however, when the internals of Java's underlying security API aggregate the results, calls to AccessController.checkPermission() don't raise exceptions when and where they are expected to.
    This is really a hard problem to debug/trace. When I run the application locally, I have no problems with security checks even if I run it under a security manager (via -D.java.security.manager). Tracing to standard helps to a point and I can see that there is a difference: during the local runs, calls to MyCustomPolicy.implies(Permission, Domain) are made once per every AccessController.checkPermission() call made from the business layer. Under WebStart, there are three calls to MyCustomPolicy.implies() per every call to AccessController.checkPermission(). All three calls seem to come from the same stack frame. All three return 'false', yet AccessController.checkPermission() doesn't raise an exception.
    Analyzing stack's state at the point MyCustomPolicy.implies() is being called, I think the answer to my problem may lie in the following code snippet of AccessControlContext.checkPermission(Permission):

        for (int i=0; i< context.length; i++) {
            if (context[i] != null &&  !context[i].implies(perm)) {
                if (debug != null) {
                    debug.println("access denied "+perm);
                }
                if (Debug.isOn("failure")) {
                    Thread.currentThread().dumpStack();
                    final ProtectionDomain pd = context[i];
                    final Debug db = debug;
                    AccessController.doPrivileged (new PrivilegedAction() {
                        public Object run() {
                            db.println("domain that failed "+pd);
                            return null;
                        }
                    });
                }
                throw new AccessControlException("access denied "+perm, perm);
            }
        }

    I believe that somehow one of the iterations gets to "return null" line, but at the moment I have no way of verifying this.
    I'm finally getting to my question. In order for me to understand what's going on, I need to enable debugging of AccessControlContext. I can do this by setting java.security.debug system property. Again, I have no problem enabling debugging on a local system, but not under WebStart.
    Here's what the relevant markup in the .jnlp file looks like:
    <resources>
    <j2se version="1.5" max-heap-size="128m" initial-heap-size="32m" java-vm-args="-Djava.security.debug=all">
    </j2se>
    <!-- a bunch of jar declarations -->
    <property name="java.security.auth.login.config" value="jar:swing-app-SNAPSHOT.jar!/jaas_login.properties">
    </property>
    <property name="java.security.debug" value="all">
    </property>
    </resources>
    this seems to have no effect and no debugging output appears. Any ideas why? Is there anything else I can do to enable debugging of AccessControlContext under WebStart?
    I don't expect too many replies to my post (unless 3 sleepless weeks made me miss something really obvious), but if anyone can offer a hit/hit/insightful comment :), that would be great.
    Dmitry

    Hey
    I have just finished such a policy implementation - boy could I have done with your help!
    I've never seen the java.security.debug property before - not to say it doesn't exist, but don't confuse system properties and security properties. Try setting it programmatically via Security.setProperty() or the Java Admin console [if you can], or even in the JRE WebStart uses via the java.security file.
    When you run it locally with security switched on, do you observe the 3-to-1 behaviour also? I'm not sure if this is important - depends on your answer. As for the checks being performed from the same stack frame, the AC iterates over the protection domains as it checks them; the 3-to-1 behaviour is the result of there being 3 extra frames to check, possibly due to the fact you're executing from JWS [although I'd expect JWS to be considered system code]. If the execution in AC gets to return null; then Debug.isOn("failure") must evaluate to true [...I'd slump in my chair at this point] but there's no way to figure out accurately what the semantics of this is AS THERE'S NO FRICKIN SRC AVAILABLE [...this really annoys me]. The only thing I can suggest for that is to not try and switch debugging on.
    I suspect you are using JAAS [hence the dynamic policy need]? I have an idea if you are.
    I totally know what you mean about the sleepless nights mate - I'm glad I done it all now, learnt all about security within Java which I knew nothing about 6 months ago.
    Warm regards,
    D

  • Using beforeTrigger to implement VPD security model - any suggestions?

    Hi,
    I'm investigating using the beforeTrigger in a data set to implement VPD security. The idea is that a parameter containing the username would be passed to the beforeTrigger pl/sql function to set the user context for that database session. I got this to work in a small prototype, but ran into a couple of what seem to be significant restrictions.
    1) The pl/sql package I name in the dataTemplate defaultPackage must contain a global variable for each report parameter. In my case I'm passing the username to the pl/sql method as a bind variable argument, so I don't need/want any global variables. This is a major problem as we will have lots of reports all with different parameters. I want to bind the parameters using the :PARAM bind variable in the queries themselves.
    Is there a way to avoid having to make each parameter a global variable?
    2) We will need the ability to call various pl/sql packages in different reports. The following ER makes it sound as if this is not possible - but I haven't actually tested it out:
    Bug# 6472921 - ALLOW FUNCTION CALL OUTSIDE OF DEFAULT PACKAGE IN DATA TEMPLATE
    Is it required that all of the pl/sql calls for a data set be within the same pl/sql package?
    I've included my dataTemplate below for reference.
    If anyone has experience establishing VPD security for a data set using this technique or another, I'm interested in hearing what you recommend.
    Thanks,
    Leslie
    <dataTemplate name="TARGET_DATA_TEMPLATE" defaultPackage="MGMT_IP">
    <properties>
    <property name="debug_mode" value="on"/>
    </properties>
    <parameters>
    <parameter name="EMUSER" dataType="character" defaultValue="THREE"/>
    </parameters>
    <dataTrigger name="beforeReport" source="MGMT_IP.IPSETUSERCONTEXT(:EMUSER)"/>
    <dataQuery>
    <sqlStatement name="Q1">select TARGET_TYPE as TARGET_TYPE, TARGET_NAME
    as TARGET_NAME from mgmt$target order by TARGET_TYPE</sqlStatement>
    </dataQuery>
    <dataStructure>
    <group name="G1" source="Q1">
    <element name="TTTYPE" value="TARGET_TYPE"/>
    <element name="TNAME" value="TARGET_NAME"/>
    </group>
    </dataStructure>
    </dataTemplate>

    Hi Leslie,
    Step 1.
    Set up the VPD policy in the database.
    Create some proxy users, create data sources, and try querying by logging in with the different users.
    You should be able to get different results based on the user logged in.
    Step 2:
    Package in data template.
    For each report, you need to create a separate package.
    And the parameters in the report should be declared as global variables in the report.
    And once the trigger calls the package, then I guess the package has control to call other packages inside the database.
    You can write all the functions in the default package.
    Is it required that all of the pl/sql calls for a data set be within the same pl/sql package?
    I guess yes, as of now. If you need anything outside this default, you can call it in the default package, like a wrapper maybe.
    This is what I can think of right now.
    Will try my luck on this and let you know :) in detail.
