Use of Security Level on ASA with ACLs
Hi,
On my configuration, I'm using extended ACLs on the inbound of my 3 interfaces (inside, dmz, outside). I was wondering if I should remove the security levels or if they are of any use since I have ACLs in place already.
Hi,
After you have attached an ACL inbound to an interface it controls the traffic for networks behind that interface. So security-levels don't have a major role anymore.
Though you should consider that there are still situations where the "security-level" might come into the picture.
If you have identical "security-level" interfaces and you want to allow traffic between them then ACLs won't be enough but you also need to use the "same-security-traffic permit " format command to allow the traffic.
At least in software 8.2 there are still some limitations regarding NAT depending on the "security-level" of the source and destination of the interface. I think, for example, if you need to do Dynamic NAT/PAT between interfaces, you can't do this from lower to higher direction.
Best bet is to refer to your current software level Cisco documents. Both the Command Reference and Configuration Guide PDFs found online provide good information on these commands.
Please rate if the information was helpful and/or ask more questions if needed
- Jouni
Similar Messages
-
How to use java security in a servlet with weblogic as a servlet engine?
Hi,
I want to use standard java security with a user defined permission in a servlet with wls 5.1 (Win nt) as a servlet engine.
WL-Home: f:\weblogic
Server: f:\weblogic\elan
Servlet: f:\weblogic\elan\elan\ServletGropsTest.class
The Servlet is registered in weblogic.properties:
weblogic.httpd.register.elan.ServletGropsTest=elan.ServletGropsTest
i've added this to the weblogic.policy:
grant codebase "file:f:/weblogic/elan/elan/" {
permission java.security.AllPermission;
};
The servlet code is:
SecurityManager m = System.getSecurityManager();
if (m != null) m.checkPermission(new AndisPermission("x","y"));
WLS throws the permission-exception:
Do Jul 18 11:54:54 GMT+02:00 2002:<E> <ServletContext-General> Servlet
failed with Exception
java.security.AccessControlException: access denied
(elan.AndisPermission x y)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java,
Compiled Code)
at java.lang.Exception.<init>(Exception.java, Compiled Code)
at java.lang.RuntimeException.<init>(RuntimeException.java,
Compiled Cod
at elan.ServletGropsTest.doGet(ServletGropsTest.java, Compiled
Code)
can anyone help?
regards
Andy
ran_t wrote:
> ...I am using java 1.3.
Why are you using an utterly obsolete version of Java?
> My program using log4j jar.
> When i put the log4j.jar in a path that include spaces like "c:\Program files\",
Try it as c:\Program%20files\ -
SOAP Adapter with Security Levels - HTTP & HTTPS
We have a successfully working interface scenario where SAP XI is hosting a web service and the partner systems calling it using SOAP Adapter URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel with Security Level HTTP on the SOAP Sender Communication channel.
Going forward, for other similar interfaces (SAP XI hosting Web Service and partner systems calling it), we would like to use HTTPS and/or certificates.
If we enable HTTPS on XI J2EE server as per the guide How to configure the [SAP J2EE Engine for using SSL - Notes - PDF|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc]....
can partner systems still use the URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel or should they switch to https://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel?
can we continue to have the existing interface working using HTTP Security Level i.e. partners not having to send the certificate with each message?
If we use HTTPS security level, is it mandatory for the partner system need to send the certificate? Is it possible to have an HTTPS scenario w/o certificates?
What is the difference between Security Levels 'HTTPS Without Client Authentication' & 'HTTPS with Client Authentication'?
I appreciate your inputs on this.
thx in adv
praveen
PS: We are currently on SAP PI 7.0 SP17
Hi Praveen,
There is no need to change the interface and it is mandatory for the partners to send certificates in order to validate each other. Use the https in url.
HTTPS With Client authentication:
The HTTPS client identifies itself with a certificate that is to be verified by the server. To validate the HTTPS client's certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the client's certificate, the server maps the certificate to an actual system user executing the HTTP request.
and check this link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
Regards,
Prasanna -
ASA 5505 Interface Security Level Question
I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end
Hi,
To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.
One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happened is that you have a "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni -
Hi All
I have just started working on Cisco ASAs and working on following scenario:
3 Depts having 3 separate Networks given following names
Finance
Accounts
HR
Communication between them should be restricted and allowed on specific hosts and services. My approach is that I have assigned security level of "0" to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host, traffic stops flowing for all other hosts except for the one which was granted access in access-list.
Is my approach right? Please do advise, and also is this a default behaviour of ASA to implicitly deny traffic for all hosts as soon as I place an ACL after enabling same-security-traffic permit inter-interface.
Thanks and Regards
Hello,
If all of the networks zone have the same security level for your company then you can use the same one on them.
Remember that all the ACLs have an implicit deny at the bottom, so the behavior is expected.
Same security level interfaces with the same-security-traffic command will be allowed to exchange traffic without the need for an ACL but as soon as you place one on any of those interfaces you will need to specify the traffic you will need to allow.
Regards,
Rate all the helpful posts
Julio
Security Engineer -
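The rules stated in the replies above (an inbound interface ACL takes over from the security-level check, every ACL ends in an implicit deny, and equal-level interfaces also need same-security-traffic) can be modelled in a few lines. This Python sketch is an added illustration, not Cisco code and not part of any post; it covers new connections and source/destination IP matching only, and the department addresses and the 198.51.100.7 host are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"              # plays the role of "any" in an ACE
INSIDE_NET = "172.16.0.0/24"   # inside subnet from the ASA 5505 thread


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # CIDR
    dst: str      # CIDR

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # None = no access-group applied


def decide(ingress, egress, src_ip, dst_ip, same_security_permit=False):
    """Return (allowed, reason) for a new connection ingress -> egress."""
    same_level = ingress.security_level == egress.security_level
    # Equal levels need same-security-traffic permit inter-interface,
    # whether or not an ACL is applied.
    if same_level and not same_security_permit:
        return False, "same security-level without same-security-traffic"
    # With an inbound ACL the security-level comparison is not consulted:
    # first matching line wins, and no match means the implicit deny.
    if ingress.acl_in is not None:
        for n, ace in enumerate(ingress.acl_in, 1):
            if ace.matches(src_ip, dst_ip):
                return ace.action == "permit", f"ACL line {n} ({ace.action})"
        return False, "implicit deny at end of ACL"
    # No ACL: the implicit security-level rules apply.
    if same_level:
        return True, "same-security-traffic permit inter-interface"
    if ingress.security_level > egress.security_level:
        return True, "no ACL: higher to lower security-level"
    return False, "no ACL: lower to higher security-level"


def guest_scenarios():
    """Guest-VLAN (level 10) from the 5505 thread under three ACL states."""
    inside, outside = Interface("inside", 100), Interface("outside", 0)
    guest_host, inside_host, internet_host = (
        "192.168.22.50", "172.16.0.10", "198.51.100.7")  # constructed hosts
    acls = {
        "no_acl": None,
        "permit_any_only": [Ace("permit", ANY, ANY)],
        "deny_inside_then_permit": [Ace("deny", ANY, INSIDE_NET),
                                    Ace("permit", ANY, ANY)],
    }
    results = {}
    for label, acl in acls.items():
        guest = Interface("Guest-VLAN", 10, acl)
        results[label] = {
            "to_inside": decide(guest, inside, guest_host, inside_host)[0],
            "to_outside": decide(guest, outside, guest_host, internet_host)[0],
        }
    return results


def department_scenarios():
    """Finance -> Accounts, both level 0 (addresses are constructed)."""
    accounts = Interface("Accounts", 0)
    acl = [Ace("permit", "10.1.1.10/32", "10.1.2.20/32")]
    fin_open = Interface("Finance", 0)
    fin_acl = Interface("Finance", 0, acl)
    return {
        "no_acl_ssp": decide(fin_open, accounts, "10.1.1.99", "10.1.2.20", True),
        "acl_listed_host": decide(fin_acl, accounts, "10.1.1.10", "10.1.2.20", True),
        "acl_other_host": decide(fin_acl, accounts, "10.1.1.99", "10.1.2.20", True),
        "acl_without_ssp": decide(fin_acl, accounts, "10.1.1.10", "10.1.2.20", False),
    }


if __name__ == "__main__":
    for label, verdicts in guest_scenarios().items():
        print(label, verdicts)
    for label, verdict in department_scenarios().items():
        print(label, verdict)
```

The "permit_any_only" row is the guest VLAN case from the 5505 thread: once the access-group is applied, level 10 versus level 100 no longer blocks anything, so the explicit deny line has to do that job.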
Can ASA have ACLs with FQDNs?
Hello,
2 things if I may.
I have upgraded our ASA 5520 from 8.2 > 8.4 > 9.1.3 and I was wondering if I can now create rules where the destination can be an FQDN rather than an IP? We have some hosted clusters in the 'Cloud' and using an FQDN would make life much easier as they keep changing the IPs in the cluster, if so how?
Also I now notice ACLs can have users assigned to them, what is this feature all about?
Thanks
Hi,
Yes, you can use FQDN in the ACLs.
First you will need to enable the ASA to do DNS lookups so it can dynamically learn the correct public IP address corresponding to the FQDN in the ACL.
Example configuration from my ASA
dns domain-lookup WAN
DNS server-group DefaultDNS
name-server 8.8.8.8
object network GOOGLE
fqdn www.google.com
access-list LAN-IN extended permit ip any object GOOGLE
When we look at the ACL we see this (in my case)
ASA# sh access-list LAN-IN
access-list LAN-IN; 19 elements; name hash: 0xefdd5a99
access-list LAN-IN line 1 extended permit ip any object GOOGLE 0x585b04df
access-list LAN-IN line 1 extended permit ip any fqdn www.google.com (resolved) 0x4cd6ac30
access-list LAN-IN line 1 extended permit ip any host 109.232.83.91 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.106 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.90 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.95 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.123 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.112 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.102 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.99 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.110 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.84 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.113 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.121 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.101 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.117 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.80 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.88 (www.google.com) (hitcnt=0) 0x585b04df
You can then also use these commands to show some DNS information that the ASA has received
show dns
show dns-hosts
Output of one of the above commands
ASA# show dns-hosts
Host Flags Age Type Address(es)
www.google.com (temp, OK) 0 IP 109.232.83.91 109.232.83.106
109.232.83.90 109.232.83.95
109.232.83.123 109.232.83.112
109.232.83.102 109.232.83.99
109.232.83.110 109.232.83.84
109.232.83.113 109.232.83.121
109.232.83.101 109.232.83.117
109.232.83.80 109.232.83.88
It is a totally different matter how well this works. Generally people ask it to block something which in some cases doesn't necessarily work 100%.
Have a look this document about the same subject
https://supportforums.cisco.com/docs/DOC-17014
With regards to your second question I can't really give a good answer. It's related to the concept of Identity Firewall. Essentially you will integrate the ASA with AD through the use of AD agent which enables you to build the ACL rules based on the user's identity.
I have not really tested or configured this ever so I can't really comment on it. Probably something I will lab eventually
Have a look at this document
https://supportforums.cisco.com/docs/DOC-20366
You could also check the Configuration Guide section of Identity Firewall for more information
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_idfw.html
Hope this helps
- Jouni -
4 security level with 2 FWSM contexts
Hello,
I have to implement a DC with two 6509, ACE and FWSM with only a default license for 2 VFW.
But the problem I have, is that I have 4 separate networks where I like to give a different security level.
I'm using the FWSM in transparent mode.
Any idea ? about using VRF ? ACE or something else ?
Suggestions will be appreciated.
Regards,
Omar
Hello Omar,
Although I'm not familiar with the ACE blade we do run 2 X 6509s with FWSMs.
In your case you could connect your 4 networks to a single context (VFW) since the max network connections per context is 8. You would create 4 BVIs (Bridge Virtual Interfaces.) Security levels in FWSMs don't have much meaning since you are required to specifically allow traffic to pass through the context regardless of which side of the BVI it comes from. By default no traffic flows at all. All traffic is filtered with ACLs.
You could also create a VRF on the 6509 that could act as a central or core routing point for your networks. (We do this for 18 separate contexts and call it the fusion VRF.) However you would only use a VRF if you wanted to keep the routing table isolated from the global table running on the 6509's.
Otherwise this is unnecessary.
If you chose to run the FWSMs in multiple context mode you could have two networks per context, still connect them to a fusion VRF, and also run an Active/Active FWSM configuration which allows you to do a type of load sharing along with failover. One context is active and one context is standby on FWSM A and on FWSM B the roles reverse. This shares active traffic across the FWSM blades.
Hope this brief description is helpful for you.
Simon -
Help with asp ... security levels
I made a change to the security level for the end user. I add a security feature by adding 12345 to their security level.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
'check to see if the page is submitted
Dim validLogin
Dim strErrorMessage
Dim intLevel
Dim sLevel
If (Request.Form("uname")<>"") Then
    'user has submitted the form
    'get the entered values and hit the database
    Dim strUserName
    Dim strPassword
    'going to use an implicit connection, no connection object needed
    Dim objRS
    strUserName = UCase(Request.Form("uname"))
    strPassword = UCase(Request.Form("pwd"))
    response.write("strUserName")
    'prepare the RS
    Set objRS = Server.CreateObject("ADODB.Recordset")
    'set the sql statement
    objRS.Source = "SELECT * FROM tblEmployee WHERE strEmpUserName = '" & strUserName & "' AND strEmpPassword = '" & strPassword & "'"
    ' heres the implicit connection
    objRS.ActiveConnection = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\Inetpub\db\IMPCustomers.mdb"
    objRS.CursorType = 0
    objRS.CursorLocation = 3
    objRS.Open
    'check for EOF
    If(objRS.EOF) Then
        'no records matched, invalid login
        Response.Redirect("invalidLogin.asp")
        'strErrorMessage = "Invalid Login. Try Again."
        validLogin = false
    Else
        'added intLevel to add more security on 3/29/07
        intLevel = Cint(objRS("intEmpSecurityLevel"))
        intLevel = intLevel + 12345
        sLevel = intLevel
        'valid login, set session variables
        Session("username") = UCase(strUserName)
        Session("userpass") = UCase(strPassword)
        Session("sLevel") = sLevel
        'Session("sLevel") = objRS("intEmpSecurityLevel") - changed to add more security on 3/29/07
        Session("fn") = objRS("strEmpFN")
        'release the RS
        Set objRS.ActiveConnection = Nothing
        Set objRS = nothing
        'redirect off this page
        Response.Redirect("custSearch.asp")
    End If
End If
%>
I'm now having trouble removing the 12345 from their security level in the custSearch.asp.
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
Dim strUserName
Dim strPassword
Dim intSLevel
Dim isum
Dim intS
Dim intNewSLevel
Dim sLevel
Dim strFN
Dim strErrorMessage
Dim strError
'get pass parameters
strUserName = Session("username")
strPassword = Session("userpass")
intSLevel = Session("sLevel")
'add on 3/29/07 for security
'get the security level
isum = sLevel
'take isum which contains sLevel and subtract 12345 from it
isum = isum - 12345
'now intS equals security level in the db
intS = isum
'put into a session
Session("intS") = intS
strFN = Session("fn")
strErrorMessage = ("strError")
'If strErrorMessage = "" Then
'strError = "There is no customer with that last name."
'End If
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<title>Employee Intranet - Customer Database, Search
for a particular customer.</title>
<meta http-equiv="content-type" content="text/html;
charset=utf-8" />
<link rel="stylesheet" type="text/css"
href="../css/pop_style.css" />
<link rel="stylesheet" type="text/css"
href="../css/forms.css" />
<style type="text/css">
/* HMTL selectors start here */
h2 {
margin-bottom:15px;
p {
margin-bottom:20px;
hr {
border:thin;
border-color:#CCCCCC;
border-style:dotted;
width:100%;
text-align:center;
table {
width:300;
align:center;
cellpadding:2px;
cellspacing:2px;
margin-left:30%;
td {
font-size:14px;
font-style:normal;
font-weight:normal;
border:0;
padding:0;
/* HMTL selectors start here */
/* ID selectors start */
#mainText {
height:400px;
font-family:Arial, Helvetica, sans-serif;
font-size:14px;
text-align:left;
margin-left:1%;
margin-right:1%;
padding: 10px 5px;
word-spacing:1px;
letter-spacing:1px;
/* id ends here */
</style>
<script language="JavaScript" type="text/JavaScript">
<!-- function MM_reloadPage(init) { //reloads the window
if Nav4 resized if (init==true) with (navigator) {if
((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight;
onresize=MM_reloadPage; }} else if (innerWidth!=document.MM_pgW ||
innerHeight!=document.MM_pgH) location.reload(); }
MM_reloadPage(true); //-->
</script>
</head>
<body>
<!-- CASCADING POPUP MENUS v5.2 by Angus Turnbill
http://www.twinhelix.com -->
<script language="javascript" type="text/javascript"
src="../js/pop_core.js"></script>
<script language="javascript" type="text/javascript"
src="../js/pop_data.js"></script>
<!-- border begins here -->
<div id="border">
<!-- second nav start here -->
<div id="secNavBar"><a
href="../index.htm">Home</a> | <a
href="../htm/quality.htm">Quality</a>
| <a href="../htm/contactUs.htm">Contact
Us</a> | <a
href="../htm/siteMap.htm"> Site
Map</a></div>
<!-- logo starts here -->
<div id="logo">
<img src="../art/NewLogo.jpg" alt="Logo of IMPulse NC,
INC." usemap="#Map" />
<map name="Map" id="Map">
<area shape="rect" coords="5,3,280,74"
href="../index.htm" alt="Return to home page" />
</map>
</div>
<!-- primary navigation div tags starts here -->
<div id="priNav">
<a id="home" name="home"
style="visibility:hidden;">Home</a>
<!-- primary navigation div tags ends here -->
</div>
<!-- main text starts here -->
<div id="mainText">
<h2>Customer Database </h2>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Welcome
<%=strFN%></p>
<p
style="font-size:14px;font-style:normal;font-weight:normal;">Please
search for a customer by using the fields below. You can use one
field or multiple fields for your search.</p>
<!-- signIn form starts here -->
<div id="signIn">
<div id="CSearch">
<table>
<form action="results.asp" method="post" name="search"
id="search">
<tr>
<td width="98" height="29">Last Name:</td>
<td width="150" tabindex="1"><input type="text"
name="clname" size="25" maxlength="25" /></td>
</tr>
<tr>
<td height="30">First Name:</td>
<td tabindex="2"><input type="text" size="25"
maxlength="25" name="cfname" /></td>
</tr>
<tr>
<td height="30">Company:</td>
<td tabindex="3"><input type="text" size="25"
maxlength="25" name="ccomp" /></td>
</tr>
<tr>
<td height="48" colspan="2" tabindex="4">
<input type="submit" name="login" value="Submit" />
<input type="reset" name="Reset" value="Reset" />
<a href="logOut.asp">
<input type="button" name="logOut" value="Log Out" />
</a> </td>
</tr>
</form>
</table>
<!-- customer search form ends here -->
</div>
<blockquote> </blockquote>
<!-- signIn form ends here -->
</div>
<!-- main text ends here -->
</div>
<div id="btm_Bar">
100 IMPulse Way • Mount Olive, North Carolina 28365
• Main (919) 658-2200 • Fax (919) 658-2268<br />
©2006 IMPulse NC, Inc. All Rights Reserved. </div>
</div>
<script language="javascript" type="text/javascript"
src="../js/pop_events.js"></script>
<!-- Places text blinker in the uname text box thru
javascript -->
<script language="javascript" type="text/javascript">
document.search.clname.focus();
</script>
<!-- javascript ends here -->
<%
Response.Write(Session("username")) & "<br />"
Response.Write(Session("userpass")) & "<br />"
Response.Write(Session("sLevel")) & "<br />"
Response.Write(Session("intS")) & "<br />"
%>
</body>
</html>
What am I doing wrong?
"pqer" <[email protected]> wrote in message
news:eugsik$kt5$[email protected]..
> What am I doing wrong?
1. You're allowing unfiltered user input into your SQL query. I could do some horrible damage to your system.
2. You have SELECT * in your query.
3. You're doing something that doesn't make any sense. Why add a constant to the security level just to subtract it again when you actually want to use it? You're just making more work for yourself. There is no benefit there. -
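The three points of the reply above, applied to the posted login query. This is an added Python/sqlite3 stand-in for the ASP/Jet code, not part of any post; the table rows, user names and passwords are constructed.

```python
import sqlite3


def make_db():
    """In-memory table with the column names used in the posted query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblEmployee (strEmpUserName TEXT, "
               "strEmpPassword TEXT, strEmpFN TEXT, intEmpSecurityLevel INTEGER)")
    db.executemany("INSERT INTO tblEmployee VALUES (?, ?, ?, ?)", [
        ("O'NEIL", "CONSTRUCTED-PW-1", "Pat", 2),   # constructed rows
        ("SMITH", "CONSTRUCTED-PW-2", "Sam", 5),
    ])
    return db


def login_concatenated(db, user, pwd):
    """Same construction as the posted page: form input spliced into SQL text."""
    sql = ("SELECT * FROM tblEmployee WHERE strEmpUserName = '" + user.upper()
           + "' AND strEmpPassword = '" + pwd.upper() + "'")
    return db.execute(sql).fetchone()


def login_parameterized(db, user, pwd):
    """Point 1: input is bound as data, never parsed as SQL.
    Point 2: only the columns the page needs are selected.
    Point 3: the level is kept as stored, with no constant added."""
    sql = ("SELECT strEmpFN, intEmpSecurityLevel FROM tblEmployee "
           "WHERE strEmpUserName = ? AND strEmpPassword = ?")
    row = db.execute(sql, (user.upper(), pwd.upper())).fetchone()
    if row is None:
        return None
    return {"fn": row[0], "sLevel": row[1]}


def compare(user, pwd):
    """Run both versions on the same input and report what each one did."""
    db = make_db()
    try:
        concatenated = login_concatenated(db, user, pwd) is not None
    except sqlite3.OperationalError as exc:
        # The input changed the shape of the statement itself.
        concatenated = f"SQL error: {exc}"
    return {"concatenated": concatenated,
            "parameterized": login_parameterized(db, user, pwd)}


if __name__ == "__main__":
    # A legitimate user whose name contains a quote character.
    print(compare("o'neil", "constructed-pw-1"))
    print(compare("smith", "constructed-pw-2"))
    print(compare("smith", "wrong"))
```

A single quote in an ordinary name is enough to change how the concatenated statement parses, which is the property the reply's first point is about; the bound-parameter version returns the same row it would for any other name.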
Using WS-Security with Spring application in WebLogic
From a high level, are there any issues with using WS-Security in WebLogic 8 or 9 with an application constructed with Spring? What issues might come up between WS-Security and Spring that might make this complicated?
You won't be able to do this using the WSSE file.
An easy way to get around this is to use an XML Bean built from the WS-Security XML Schema. You'll have to read the WS-Security spec to determine how to create the nonce, but you'll be able to convert this XML Bean into the Element[] that the setOutputHeaders() method, which is on the service control you call the .NET Web Service with.
Regards,
Mike Wooten -
Workflow 2013 use app model for higher security levels
In a workflow 2013, I am currently calling a workflow 2010 so that I can use the impersonate step to run steps at a higher security level than the user that submitted the workflow. In the impersonate step, everything that needs to be run at a higher security level are placed in the impersonate step.
I have found that the app model in workflow 2013 looks like it replaces the impersonate step in workflow 2010, correct?
Due to that fact if I want to use the app model in workflow 2013 instead of using the impersonate step in workflow 2010, will I need to place all actions and conditionals within in the app model step for everything that needs to be executed at a higher security level? If so, can you show me how to accomplish this goal?
If this is not true, what actions and steps do I need to place within the app model so that those actions and conditionals occur at a higher security level?
Hi wendy,
What is app model in SharePoint 2013 workflow? Based on your description, it seems like “App Step”. Is it right?
“App Step” provides all the workflow actions added to it, with Read from and Write to Permissions to all the Items in the Site.
App Step is not available by default; you need to activate the "Workflows can use app permissions" feature in your site to get this displayed for that site in SharePoint Designer.
You need to place all actions and conditionals within the App Step for everything that needs to be executed at a higher security level.
More information about App Step in SharePoint 2013 Designer, please refer to the links below:
Create a workflow with elevated permissions by using the SharePoint 2013 Workflow platform
A word about App Step in SharePoint 2013 Workflow Platform
SharePoint Designer 2013 – The new “App Step”
Best Regards,
Wendy
Forum Support
Wendy Li
TechNet Community Support -
Q : Using column level VPD policies with Oracle Jdeveloper ADF BC ?
For one of our big customers, we already successfully developed a new java application using Oracle Jdeveloper with ADF, ADF BC and the Virtual Private Database (VPD) with row level policies.
Our customer has new business requirements that could be fulfilled using column level VPD policies.
Has someone already successfully (or not) developed a business application using column level VPD policies with ADF, ADF BC on Oracle 10g R2 database and OracleAS 10g (10.1.2)?
Is it supported by Oracle? What are the pitfalls, difficulties, problems you've met?
Is it a viable solution and if not, why?
Thanks in advance.
Rémy
Tomas,
my 2 cent:
if you know how to get the info from the db during run time you should be able to overwrite the frameworks message bundle look to get the description from the db instead of from the resource bundle.
Or you load all descriptions from the db into a resource bundle and use the keys in the tooltip directly.
Timo -
Sharing a PM's project with a TeamMember using SharePoint Security Mode
When using SharePoint Security Mode, is it possible for a Project Manager to share a his project plan with a particular Team Member? If so what are the steps?
I am asking because we want certain Team Member to be the Status Manager for certain assignments in the project plan.
Thanks in advance,
\Spiro Theopoulos PMP, MCITP. Montreal, QC (Canada)
Hi Spiro,
Have you tried assigning the particular Team member to the Owners group for that Project/Site so the team member can edit the project?
Paul -
With no "lock" or "HTTPS" showing up, how do I know in Safari if an online store is actually using a secure link when their web page makes that claim?
The link in your example - https://www.gmx.com/ - is loading non-secure content from http://themes.googleusercontent.com/
The lock will display only if everything on the page is secure - in this case it's not.
As Safari has no way of knowing if theme.googleusercontent.com is going to be transmitting or receiving content that should be encrypted, then the overall page is in no way secure, and as such Safari won't display the lock icon.
This is correct behaviour - it would be dangerous to users to identify pages as secure when they're clearly not.
Reloading the page above uses cached copies of the fonts, thus no insecure connection is required on the reload. The issue in the link above (GMX) is not a Safari issue, just really bad web development by whoever built the site and mixed secure and insecure content. -
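The mixed-content condition described in the answer above, as an added example that is not part of the original thread: a Python scanner (standard library only) that lists the subresources an HTTPS page references over plain `http://`, which is the condition under which the lock is withheld. The function and class names, the list of tags checked, and the `example.test` sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource (a plain <a href> does not).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "source": "src",
               "audio": "src", "video": "src", "embed": "src", "object": "data"}
LINK_RELS = {"stylesheet", "icon", "preload"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the page declares <base href>
        self.in_style = False
        self.findings = []     # (where referenced, absolute http:// URL)
    def check(self, source, ref):
        url = urljoin(self.base, ref.strip())  # resolves relative and //host refs
        if urlsplit(url).scheme == "http":
            self.findings.append((source, url))
    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v}
        self.in_style = tag == "style"
        if tag == "base" and "href" in a:
            self.base = urljoin(self.base, a["href"])
        elif tag == "link" and "href" in a and LINK_RELS & set(a.get("rel", "").lower().split()):
            self.check("link[href]", a["href"])
        elif a.get(FETCH_ATTRS.get(tag)):
            self.check(f"{tag}[{FETCH_ATTRS[tag]}]", a[FETCH_ATTRS[tag]])
        for ref in CSS_URL.findall(a.get("style", "")):
            self.check(f"{tag}[style]", ref)
    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        for ref in CSS_URL.findall(data) if self.in_style else []:
            self.check("<style>", ref)

def find_mixed_content(page_url, html):
    """Return the subresources an HTTPS page would load over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []              # mixed content only applies to HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """<link rel="stylesheet" href="http://fonts.example.test/font.css">
<link rel="canonical" href="http://shop.example.test/"><a href="http://shop.example.test/help">Help</a>
<script src="//static.example.test/app.js"></script><img src="/logo.png">
<style>body { background: url('http://img.example.test/bg.png'); }</style>"""
```

For the sample page, `find_mixed_content("https://shop.example.test/checkout", SAMPLE_PAGE)` reports the stylesheet and the CSS background image and ignores the canonical link, the ordinary hyperlink, and the protocol-relative and relative references. A static scan of the markup cannot see resources that scripts request after the page loads.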
Using existing Security Providers with Spring Security
Has anyone successfully tied their existing WLS JAAS security providers in to the Spring Application Context? I can't seem to find any documentation on how to do this. I've got providers that work correctly in WLS 10.0 MP 1 for a Struts application and I'm developing a new application in Spring MVC and I'd like to use Spring Security (formerly acegi) but I'd like to share the security providers the other application is using since they've already been reviewed/approved by our internal security team.
A JAAS Authentication Provider along with a JAAS Login Module
A JAAS Identity Asserter
A JAAS Role Mapping Provider -
Need help using XWS-Security with EJB service endpoint
I am trying to use XWS-Security along the lines of the JWSDP 1.6 examples, but with an EJB endpoint deployed in an ejb-jar file rather than a typical service endpoint deployed in a WAR.
Any information on how to do this would be appreciated. I believe I'm close to getting an example working; the details on the problem I've encountered are below.
I use WSCompile to generate stubs and ties for my WS, and XDoclet to generate the ejb-jar.xml. I deploy the ejb-jar on JBoss 4.0.2.
The problem I'm having is that the security features are handled in the Stubs and Ties generated by WSCompile, and my server-side refuses to use the WSCompile generated Tie. Previously the web service had used the WSCompile argument 'import="true"', which generated no tie, and the web service worked (this was before I tried to add security features). Whatever mechanism had been used to direct messages to my EJB then is still being used now (JNDI, I believe, facilitated by the ejb-jar.xml and webservices.xml files), and bypassing the Tie class that I now generate using 'server="true"'.
There must be some way I can reconfigure my webservice so that the WSCompile generated Tie is used, but I can't find any help on the topic.
Can anyone tell me how to make sure my webservice will use the Tie class on the server side? Is it even possible when using EJBs instead of servlets?
Burn your CD using iTunes. Then rip the music off of the CD using any "ripping" program. Just make sure the program you use has the "save as .wav" option available. I'm not familiar with MusicMatch but I'm sure you would be able to use it.