Object vs Class base authorization concepts with J2EE/JAAS

Similar Messages

• Authorization issue with J2EE Policy Agent for AS7

  Following the documentaion I have created a simple J2EE application with a servlet and 2 jsp's. The 2 JSP's customer.jsp and admin.jsp are mapped to /customer and /admin. The entire web application is subject to a filter like:
  <filter>
  <filter-name>Agent</filter-name>
  <display-name>Agent</display-name>
  <description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
  <filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
  </filter-mapping>
  The two resources /customer and /admin are subjected security constraints like:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>col2</web-resource-name>
  <url-pattern>/customer</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>customer</role-name>
  </auth-constraint>
  <user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  The role-to-principal mapping is done in the sun-web.xml like:
  <security-role-mapping>
  <role-name>customer</role-name>
  <group-name>customer</group-name>
  <principal-name>amAdmin</principal-name>
  </security-role-mapping>
  <security-role-mapping>
  <role-name>admin</role-name>
  <group-name>admin</group-name>
  <principal-name>amAdmin</principal-name>
  </security-role-mapping>
  Two roles 'customer' and admin are created via the identity server console and users are added to these roles.
  The application deploys OK, when the app is accesed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the the two jsp's. All is good till now, when the user access one these links say /customer, access is denied (403). The server logs prints out:
  [21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
  [21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
  [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
  [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
  [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
  [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
  Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does
  return the correct grops viz. customer,admin,anyone.
  PLEASE HELP

  -- Second Update --
  After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
  1. Some URL's has to be defined as not enforced.
  com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
  com.sun.am.policy.amFilter.notenforcedList[2]=*.css
  com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
  2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
  /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
  byPassSignon=TRUE
  defaultUserid="DEFAULT_USER"
  defaultPWD="your password"
  signon_page=amsignin.html
  signonError_page=amsignin.html
  logout_page=amsignin.html
  expire_page=amsignin.html
  However, in the newer versions of PeopleSoft this properties are controled from the online Peoplesoft console. Which are set on:
  PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that has to be changed are:
  Allow Public Access (cheked)
  User ID : DEFAULT_USER
  Password : your password
  HTTP Session Inactivity : (SSO TIMEOUT)
  and:
  PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
  In section "SignOn/Logout" set the following values:
  Signon Page : amsignin.html
  Signon Error Page : amerror.html
  Logout Page : amsignout.html
  Note: After making any changes on the console; restart PIA (weblogic instance).
  With this the SSO with PeopleSoft is working Ok.
  Message was edited by:
  LpzYlnd

• Not clear with the Authorization concept for Marketing Plan

  Hi All,
  I am new to CRM and was going through some of the prescribed document for CRM marketing
  when i encounter with the authorization concept in marketing plan,for example how
  can i restrict a user with a campaign manager role from changing marketing plan.please
  provide the step by step procedure.
  Regards,
  Sanju

  Hi Sanju
  User with a campaign manager role can be restricted for changing marketing plan using authorization group.
  We define authorization groups for use in the Marketing Planner. Authorization groups can be maintained at both marketing plan level and campaign or trade promotion level. Authorization groups enable us to control which users are authorized to change which of these two types of marketing project. We could, for example, define one authorization group to be assigned to a marketing plan, then define further authorization groups to be assigned to the different campaigns within the marketing plan. In the Marketing Planne.
  Follow below steps
  1. Define authorization group using following IMG Path
  Customer Relationship Management / Marketing / General Settings / Define Authorization Group.
  2. In authorization object CRM_CPGAGR of the role Campaign manager maiantian activity 01, 02, 03 ,06 (this will allow user to create, change, display and delete)
  3. IMG defined authorization group ex: ABC can be seen under the tabstrip Basic Data of marketing plan.
  4. Now user have to choose the Authorization group ABC from the drop down in Basic tab to create a marketing plan. User will get the change access for all the marketing plan which have the authorization object ABC.
  Hope this will help...
  Rgds
  Mallikarjun

• Calling a object of class from other class's function with in a package

  Hello Sir,
  I have a package.package have two classes.I want to use object of one class in function of another class of this same package.
  Like that:
  one.java
  package co;
  public class one
  private String aa="Vijay";  //something like
  }main.java:
  package co;
  import java.util.Stack;
  public class main extends Stack
  public void show(one obj)
  push(obj);
  public static void main(String args[])
  main oo=new main();
  }when I compile main class, Its not compile.
  Its give error.can not resolve symbol:
  symbol: class one
  location: class co.main
  public void show(one obj)
                            ^Please help How that compile "Calling a object of class from other class's function with in a package" beacuse I want to use this funda in an application

  kumar.vijaydahiya wrote:
  .It is set in environment variable.path=C:\bea\jdk141_02\bin;.,C:\oraclexe\app\oracle\product\10.2.0\server\bin;. command is:
  c:\Core\co\javac one.javaIts compiled already.
  c:\Core\co\javac main.javaBut it give error.
  Both java classes in co package.Okay, open a command prompt and execute these two commands:
  // to compile both classes:
  javac -cp c:\Core c:\Core\co\*.java
  // to run your main-class:
  java -cp c:\Core co.main

• Association of authorization group with authorization object

  Dear Colleagues,
  We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.
  However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
  This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
  We would like to control this via authorization groups
  We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.
  Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created
  If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
  But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
  Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?
  Does a developer or functional consultant also need to be involved in this?
  PS: I tried to search in Google & our forums but could not get any answers

  Dear Aninda,
  Thanks for the help.
  I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS
  A case category was then assigned to this auth group
  We tested it - below are the results:-
  1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
  2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
  3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
  If I remove activty 03 (display), then the user is unable to display the case for the case category for which the user is  authorized.
  How to resolve this?

• Assign Object to class with characteristic values ?

  Hi All,
  I want to assign object to class with characteristic values. I found CL20N transaction for performing the same. Is there any BDC , BAPI to upload the same.
  Thanks & Regards,
  Navneeth K.

  Hi,
  try as below
      CALL FUNCTION 'CLAF_CLASSIFICATION_OF_OBJECTS'
        EXPORTING
          classtext            = 'X'
          classtype            = w_classtype  "Class type
          language             = sy-langu
          object               = w_object     "Object Matnr + Batch
          objecttable          = 'MARA'     "As requirement
          change_service_clf   = 'X'
          inherited_char       = ' '
          change_number        = ' '
        TABLES
          t_class              = t_class
          t_objectdata         = t_objectdata
          i_sel_characteristic = i_sel_characteristic
          t_no_auth_charact    = t_no_auth_charact.
      IF sy-subrc <> 0.
      ENDIF.
  *     Create with reference-----------------------
        w_objectkeynew = wa_inputfile-to_matnr.
        CALL FUNCTION 'BAPI_OBJCL_CREATE'
          EXPORTING
            objectkeynew    = w_objectkeynew
            objecttablenew  = 'MARA'
            classnumnew     = w_classnum
            classtypenew    = w_classtype
          TABLES
            allocvaluesnum  = t_allocvaluesnum
            allocvalueschar = t_allocvalueschar
            allocvaluescurr = t_allocvaluescurr
            return          = t_lreturn.
  "or
  BAPI_OBJCL_CHANGE              Classification BAPI: Change Assignment
  Prabhudas

• Reload Classes with J2EE

  Hello,
  Tomcat reloads automatically the classes when you modify them.
  With J2EE, when I modify a class I have to redeploy the application to reload my new classes or my modified classes.
  Somebody knows if we can reload automatically classes in J2EE ???
  Thanks

  to redeploy WebApp classes without restarting tomcat...
  - copy classes to [TOMCAT_HOME]\webapps\{YourWebApp}\WEB-INF\classes
  - go to Tomcat Web Application Manager (http://host:8080/manager/html)
  - select 'Reload' for your webapp
  This will bin the old WebApp classloader and create a new one, using the new class versions.
  Simply copying classes to the webapps directory doesn't seem to trigger this (and the new classes can't be reloaded into the existing ClassLoader).
  (Win XP Pro / tomcat 4.1.18)

• Switching BW authorization concept back and forth on the fly

  After upgrading to BW 7.0, we are currently developing the BW authorizations from scratch with the new analytical authorizations. The system is currently set to the legacy RSR authorization objects. The idea is now to define two timeframes on our development system, one for the users working with old authorizations, and a second timeframe for testing the new analytical authorizations.
  Can we switch the authorization concept back and forth on the fly, or are there any obstacles?
  Thanks in advance!

  Andreas,
  The latest version of BW is 7.3 which is also Analysis authorization concept like 7.0. So please clarify from the system status what level are you upgrading to.
  Under 7.0, the RSR objects were still available i.e. you can switch the concept back and forth on the fly, it will trigger a transport. AFAIK - In 7.3 however there is no support for RSR anymore in fact even the object class is not visible and so does the switch for the concept and even RSR objects (Z-objects) do not show up in PFCG either.
  So if you are moving to 7.0 switch is possible, 7.3 it is not. But in either case, you should be upgrading using a dual landscape with upgrade work being done & tested in separate boxes than daily production support landscape. It will come in handy at the time of testing also.
  Regards,
  Shivraj Singh

• Basic Authorization  concept

  Hi Friends,
  I want to be clear in basic authorization terminologies.
  Can any one give the definition for the each below mentioned basic authorization terminologies with some example?
  1.Object class
  2.Authorization
  3.Authorization Object
  4.Authorization Field
  5.Field Value
  6.Profile
  7.Role
  8.Composite role
  9.Reference role
  10.Derived role
  Thanks in advance.
  Regards,
  Venu

  Hi Venu,
  Lets come from the top to bottom ...
  at the highest level you have the Role. A role can be defined as follows.
  <b>Role</b>
  The collection of activities that a person performs to participate in one or more business scenarios in an organization.
  Access to the transactions, reports, Web-based applications, and other objects contained in roles is through user menus.
  Also in a simple manner can be defined as a set of transaction codes in one bundle.
  Note : when a Tcode is assigned to a Role hte related authorization objects get autmaticaly assigned to the role. I hope its clear until now.
  So every Tcode i sassigned to a specific set pof Authorization objects and every authorization object has a set of Auth fields assigned to it. They can be che3cked in any role in transaction PFCG.
  for better programming SAP has classified a set of authorization objects into OBJECT classess. its not much of importance to you as its a system thing.
  One more thing is every role has a profile assigned to it when its created and Generated. Usually profiles are the concept until 4.0 system of SAP...later the roles concept came into existence and hence they are defunct exept a few standard SAP profiles like SAP_ALL and stuff which can be assigned to Users directlky. Else Profiles are also automatic assignment and get linked to a uswer once a user is assigned a particular properly generated role.
  Coming to other terms, a group of single roles can be bundles into a single <b>composite role</b>. Hence its justa group of single roles.
  In authorization concept, wehave the Parent Child relations hip in roles.
  That is... when a Role is created we call it the master role and its properties can be inherited by a cild role.
  the scenario is if we r having 4 company codes in an org, and i am supposed to create roles for each comp code seperately..so i try to create a master role and create 5 child roles with inheritance properties. this way any change to master role gets drilled down to child roles without having to change all the rolese seperately.
  This is the concept of <b>derived roles</b>.
  i wish this info has helpfed you...
  Br,
  Sri
  Thanks for the points...

• Bw upgrade - Authorization concept

  Hi,
  We have just completed the BW3.5 upgrade to BI7.3.
  I'm trying to work out the authorization concept in our system again.
  I've created one simple query on a multiprovider with only 1 characteristic and 1 KF.
  -Authorization object S_RS_MPRO for this multiprovider given.
  -User has one role which has the basic  0TCAACTVT , 0TCAIPROV,0TCAVALID
  -Basic BW end user authorization for RS Class is available.(S_RS_COMP,S_RS_COMP1,S_RS_FOLD,S_RS_HIER,S_RS_ICUBE
  S_RS_IOBJ,S_RS_ISET,S_RS_ODSO)
  Now when i run the query, i have 'No authorization'.
  Display authorization check shows authorization check failed for S_RS_AUTH with object 0BI_ALL.
  From my understanding 0BI_ALL should be given to user who is allowed to access all queries.
  Appreciate advice from anyone whos familiar on this. Is it safe to give 0BI_ALL or there is some other object which i am not assigning?
  Thank you.
  Regards
  Maili

  Hi,
  With NW2004s, a new concept was introduced to check analysis authorizations. You can activate this using Transaction RSCUSTV23 or the IMG entry "Analysis authorizations: Select concept".
  To do this, select the "Current procedure with analysis authorizations"
  option. For detailed information, refer to the following link:
  http://help.sap.com/saphelp_nw04s/helpdata/de/80/d71042f664e22ce10000000
  a1550b0/frameset.htm
  Using the new analysis authorizations, the check of the MultiProvider authorization is not carried out any longer.
  If you cannot use the new analysis authorizations, assign corresponding
  authorizations for the "Data Warehousing Workbench - MultiProvider"
  authorization object (S_RS_MPRO).
  The settings of Transaction RSCUSTV16 listed above are obsolete as of
  Release NW2004s and are not analyzed any longer. Instead, the
  MultiProvider authorization is always checked when you execute queries
  using the usual authorization concept.
  Please refer notes
  820183     New authorization concept in BI
  727354    Colon authorization during query execution
  1122407   dealing with prerequisits for message processing in OLAP!!
  Thanks,
  Venkat

• How to get Class Name given along with java.exe

  Hi friends,
  I am Mukesh, currently facing one problem
  On command prompt to execute any java program we give :
  C : \.-- > java ClassName
  This ClassName I need in my application, I want to do some post processing on that.
  Actually see what I want :
  public class Base
  static Base object;
  public static void main(String[] args) throws Exception
  object=(Base)Class.forName("Derived Class Name").newInstance();
  void main()
  public class Derived extends Base
  void main()
  System.out.println("Hello World");
  I am trying to Run Derived Class, since there is no entry point found, default JVM invoke the Base class's entry point, there I want to load
  Derived Class, but I am not getting any identity of derived class in Base class.
  I found one temporary solution to this problem :
  C: \ -- >java Derived Derived
  & in Base class, I have loaded class
  object=Class.forName(args[0]).newInstance();
  But I dont want to write the same thing twise just to know the Class name which is given along with java.exe.
  Is there any way to get the ClassName supplied with java.exe
  I have tried a lot, still I am trying !!!
  If any one knows the answer, help me.
  Regards.
  Mukesh.

  Multiple post. Please continue in other thread
  http://forum.java.sun.com/thread.jspa?threadID=5196980&tstart=0

• Urgent! Serious problem with J2EE Classloader!

  Hi all,
  I'm having a serious problem with j2ee Classloading.
  I have "inherited" a J2EE application where all business classes (invoked by the EJB) are placed in the Application's Server classpath (Weblogic 8.1.4).
  Very bad because every time a class is changed the a.s. must be restarted.
  So I re-enginereed the package putting the business classes in a jar that is referenced by the EJB's MANIFEST file.
  This way all the classes would be loaded by the EJB classloader and no need to start/stop weblogic.
  Unfortunately it's not such !! I discovered that all business classes are loaded via REFLECTION
  Object objCommand = objClass.newInstance();
  Object[] param = new Object[1];
  param[0] = aDataContainer;
  objDataContainerReturn = (DataContainer) objMethod.invoke(objCommand,param);
  and the application server cannot find them using the standard J2EE Classloader mechanism.
  java.lang.reflect.InvocationTargetException
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:324)
  at irma.business.Dispatcher.callService(Dispatcher.java:70)
  Caused by: java.lang.NoClassDefFoundError: irma/utility/log/LogPrintStream
  at irma.business.service.LoginService.login(LoginService.java:79)
  On the other hand they're found if I put the classes on the application server classpath.
  Has anybody got advice for this ? Should I refactor the application giving up reflection ?
  Thanks a lot in advance.

  Reflection uses the classloader as well so it should work fine.
  A common cause of a NoClassDefFoundError is something in a parent classloader that refers to something only available in a child loader.
  For instance, do you have any of your application classes which are in the $CLASSPATH but reference something that is only (now) in the business.jar in your ear?
  -- Rob
  -- Rob
  WLS Blog http://dev2dev.bea.com/blog/rwoollen/

• Characteristic base authorization in DMS

  Hi Friends,
  I need a characteristic base authorization in DMS.
  User should be able to maintain/change a value of char for which he is authorized.
  I tried a auth object in classification  C_CABN_GRP but that is not working in DMS.It only works in tcode CT04.
  Note:- Mr Saikrishna had such a problem and he solved it tru authorization group.If Saikrishna is watching this thread kindly provide the solution.
  Regards
  Abhijit A. Pachgade

  Our request is that all the users can display all the characteriscs values, but some users can modify certain characterics values.
  The authorisation object  C_TCLS_MNT may be a solution.
  *in class master date, define the organisatioal area (SICHT)
  *for the characteristics assigned to a class, assigne the organisational area defined for the class
  *user autorisation object C_TCLS_MNT in one autorisation role.
  But the "stupid" point is that there is only 23-Maintain in the  "Actvitiy" area of object C_TCLS_MNT. In this case, an user who has the "23" in autorisation for a certain organisational area can display and modify characteristics valeur, an user who does not have "23" for a organisation area can not even display the characterics value.
  So in my point of view, object C_TCLS_MNT is not a good solution to limit characterics valuation.

• Authentication & Authorization with SSO, JAAS and Database Tables mix

  Hi,
  I'm looking for how manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
  I'm interested in use SSO for authentication (I just did it programatically & dynamically already), and now I would like to could define authorization using database tables with users, groups, profiles, individual permissions, ..., (maitanined dynamically by web application admin) throught JAZN (JAAS or however is said) but not statically defining roles, groups, users, ... in jazn xml files.
  I saw that exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking in make a custom Authorization API over my application tables, without JAZN) but what is better that use and extended and consolidated aprox like JAZN.
  Anybody could tell me if my idea could be possible, and realizable, and maybe give me some orientation to build this approach.
  A lot of thanks in advanced.
  And sorry, excuse my so bad english.
  See you.

  Marcel,
  Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
  I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
  We currently plan to have the patch release available sometime in the second half of May.
  Kind regards,
  Peter Ebell
  JHeadstart Team

• Objects and classes

  Hi All
  I am new to ABAP Objects and i feel lil difficult  to under the concept and classes..can any one please give me with small example to easily understand about the tole of objects and classes..
  Thanks and Regards,
  Arun joseph

  Hi arun,
  These are very simple concepts.There is no need to worry about it.
  Object is an instance of a class.Class is an abstract description of an object. Class is a set of instructions that is used to build an object.  Class represents  properties of an object.
  eg: Vehical, Car,Bird,Box,Student
  Object represents a properties of real time entity  like
  engine, color,marks, legs,height,width etc.
  The following links provide more information with examples.   
  Link:[http://help.sap.com/saphelp_nw70/helpdata/EN/c3/225b5c54f411d194a60000e8353423/frameset.htm]
  Link:[http://help.sap.com/saphelp_nw70/helpdata/EN/c3/225b5c54f411d194a60000e8353423/frameset.htm]
  if any more doubts, come to me with your doubts.
  if it useful, reward points.
  Thank you,
  Prasad G.V.K