Use of Security Level on ASA with ACLs

Hi,
On my configuration, I'm using extended ACLs on the inbound of my 3 interfaces (inside, dmz, outside). I was wondering if I should remove the security levels or if they are of any use since I have ACLs in place already.

Hi,
After you have attached an ACL inbound to an interface, it controls the traffic for networks behind that interface. So security-levels don't have a major role anymore.
Though you should consider that there are still situations where the "security-level" might come into the picture.
If you have identical "security-level" interfaces and you want to allow traffic between them, then ACLs won't be enough, but you also need to use the "same-security-traffic permit " format command to allow the traffic.
At least in software 8.2 there are still some limitations regarding NAT depending on the "security-level" of the source and destination of the interface. I think, for example, if you need to do Dynamic NAT/PAT between interfaces, you can't do this from lower to higher direction.
Best bet is to refer to your current software level Cisco documents. Both the Command Reference and Configuration Guide PDFs found online provide good information on these commands.
Please rate if the information was helpful and/or ask more questions if needed.
- Jouni

Similar Messages

  • How to use java security in a servlet with weblogic as a servlet engine?

    Hi,
    I want to use standard java security with a user defined permission in
    a servlet with wls 5.1 (Win nt) as a servlet engine.
    WL-Home: f:\weblogic
    Server: f:\weblogic\elan
    Servlet: f:\weblogic\elan\elan\ServletGropsTest.class
    The Servlet is registered in weblogic.properties:
    weblogic.httpd.register.elan.ServletGropsTest=elan.ServletGropsTest
    I've added this to the weblogic.policy:
    grant codebase "file:f:/weblogic/elan/elan/" {
      permission java.security.AllPermission;
    };
    The servlet code is:
    SecurityManager m = System.getSecurityManager();
    if (m != null) m.checkPermission(new AndisPermission("x","y"));
    WLS throws the permission-exception:
    Do Jul 18 11:54:54 GMT+02:00 2002:<E> <ServletContext-General> Servlet
    failed with Exception
    java.security.AccessControlException: access denied
    (elan.AndisPermission x y)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java,
    Compiled Code)
    at java.lang.Exception.<init>(Exception.java, Compiled Code)
    at java.lang.RuntimeException.<init>(RuntimeException.java,
    Compiled Cod
    at elan.ServletGropsTest.doGet(ServletGropsTest.java, Compiled
    Code)
    can anyone help?
    regards
    Andy

    ran_t wrote:
    > ...I am using java 1.3.
    Why are you using an utterly obsolete version of Java?
    > My program using log4j jar.
    > When i put the log4j.jar in a path that include spaces like "c:\Program files\",
    Try it as c:\Program%20files\

  • SOAP Adapter with Security Levels - HTTP & HTTPS

    We have a successfully working interface scenario where SAP XI is hosting a web service and the partner systems calling it using SOAP Adapter URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel with Security Level HTTP on the SOAP Sender Communication channel.
    Going forward, for other similar interfaces (SAP XI hosting Web Service and partner systems calling it), we would like to use HTTPS and/or certificates.
    If we enable HTTPS on XI J2EE server as per the guide How to configure the [SAP J2EE Engine for using SSL - Notes - PDF|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc]....
    can partner systems still use the URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel or should they switch to https://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel?
    can we continue to have the existing interface working using HTTP Security Level i.e. partners not having to send the certificate with each message?
    If we use HTTPS security level, is it mandatory for the partner system to send the certificate? Is it possible to have an HTTPS scenario w/o certificates?
    What is the difference between Security Levels  'HTTPS Without Client Authentication' & 'HTTPS with Client Authentication'?
    I appreciate your inputs on this.
    thx in adv
    praveen
    PS: We are currently on SAP PI 7.0 SP17

    Hi Praveen,
    There is no need to change the interface, and it is mandatory for the partners to send certificates in order to validate each other. Use the https in url.
    HTTPS With Client authentication:
    The HTTPS client identifies itself with a certificate that is to be verified by the server. To validate the HTTPS client's certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the client's certificate, the server maps the certificate to an actual system user executing the HTTP request.
    and check this link.
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    Regards,
    Prasanna

  • ASA 5505 Interface Security Level Question

    I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
    I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.
    The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
    Can someone show me what I did wrong?
    Thank you for any help!
    To create the VLAN, I did the following:
    int vlan5
    nameif Guest-VLAN
    security-level 10
    ip address 192.168.22.1 255.255.255.0
    no shutdown
    int Ethernet0/1
    switchport trunk allowed vlan 1 5
    switchport trunk native vlan 1
    switchport mode trunk
    no shutdown
    below is the whole config.
    Result of the command: "sho run"
    : Saved
    ASA Version 9.1(3)
    hostname ciscoasa
    enable password zGs7.eQ/0VxLuSIs encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport trunk allowed vlan 1,5
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address <External IP/Mask>
    interface Vlan5
    nameif Guest-VLAN
    security-level 10
    ip address 192.168.22.1 255.255.255.0
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Inside_Server1_80
    host <Inside_server1_IP>
    object network Inside_Server1_25
    host <Inside_server1_IP>
    object network Inside_Server1_443
    host <Inside_server1_IP>
    object network Inside_Server1_RDP
    host <Inside_server1_IP>
    object service RDP
    service tcp destination eq 3389
    object network Outside_Network1
    host <Outside_Network_IP>
    object network Outside_Network2
    host <Outside_Network_IP>
    object network Outside_Network2
    host <Outside_Network_IP>
    object network TERMINALSRV_RDP
    host <Inside_server2_IP>
    object network Inside_Server2_RDP
    host <Inside_Server2_IP>
    object-group network Outside_Network
    network-object object Outside_Network1
    network-object object Outside_Network2
    object-group network RDP_Allowed
    description Group used for hosts allowed to RDP to Inside_Server1
    network-object object <Outside_Network_3>
    group-object Outside_Network
    object-group network SBS_Services
    network-object object Inside_Server1_25
    network-object object Inside_Server1_443
    network-object object Inside_Server1_80
    object-group service SBS_Service_Ports
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq smtp
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
    access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
    access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
    access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
    access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
    access-list Guest-VLAN_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Guest-VLAN 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Inside_Server1_80
    nat (inside,outside) static interface service tcp www www
    object network Inside_Server1_25
    nat (inside,outside) static interface service tcp smtp smtp
    object network Inside_Server1_443
    nat (inside,outside) static interface service tcp https https
    object network Inside_Server1_RDP
    nat (inside,outside) static interface service tcp 3389 3389
    object network TERMINALSRV_RDP
    nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
    object network Inside_Server2_RDP
    nat (inside,outside) static interface service tcp 3389 3390
    nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Guest-VLAN_access_in in interface Guest-VLAN
    route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.16.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
    dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
    dhcpd lease 43200 interface Guest-VLAN
    dhcpd enable Guest-VLAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 129.6.15.30 prefer
    username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect icmp
      inspect icmp error
      inspect pptp
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
    : end

    Hi,
    To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.
    One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
    What I think happened is that you have a "permit ip any any" ACL on the interface that allowed all the traffic.
    Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic, which would allow the traffic to the Internet.
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni

  • Cisco ASA Security Levels

    Hi All
    I have just started working on Cisco ASAs and working on following scenario:
    3 Depts having 3 separate Networks given following names
    Finance
    Accounts
    HR
    Communication between them should be restricted and allowed on specific hosts and services. My approach is that I have assigned a security level of "0" to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface, traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host, traffic stops flowing for all other hosts except for the one which was granted access in the access-list.
    Is my approach right? Please do advise, and also, is this a default behaviour of the ASA to implicitly deny traffic for all hosts as soon as I place an ACL after enabling same-security-traffic permit inter-interface?
    Thanks and Regards

    Hello,
    If all of the network zones have the same security level for your company then you can use the same one on them.
    Remember that all the ACLs have an implicit deny at the bottom, so the behavior is expected.
    Same security level interfaces with the same-security-traffic command will be allowed to exchange traffic without the need for an ACL, but as soon as you place one on any of those interfaces you will need to specify the traffic you need to allow.
    Regards,
    Rate all the helpful posts
    Julio
    Security Engineer
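
The decision order described in the replies to the two ASA threads above (security levels decide only while no inbound ACL is attached; once one is attached, the ACL and its implicit deny decide; equal levels additionally need same-security-traffic), as an added example that is not part of the original posts. It is a simplified Python model that ignores NAT, outbound and global ACLs and accepts only `ip` entries with literal addresses; the sample configs are constructed from the interface names in the threads, and the Finance/Accounts addresses and the ACL name Finance_in are assumptions.

```python
import ipaddress

def _take_addr(tok):
    """Consume one address spec and return (network, remaining tokens)."""
    if tok[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # "network mask" form; object and object-group references raise ValueError
    return ipaddress.ip_network(tok[0] + "/" + tok[1]), tok[2:]

def parse_asa(config):
    """Extract interface levels, inbound ACL bindings and ACL entries."""
    cfg = {"levels": {}, "bound": {}, "acls": {}, "same_sec": False}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[0] == "security-level" and nameif:
            cfg["levels"][nameif] = int(tok[1])
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_sec"] = True
        elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            cfg["bound"][tok[4]] = tok[1]
        elif tok[0] == "access-list" and tok[2:3] == ["extended"]:
            if tok[3] not in ("permit", "deny") or tok[4] != "ip":
                raise ValueError("unsupported ACE: " + line)
            src, rest = _take_addr(tok[5:])
            dst, _ = _take_addr(rest)
            cfg["acls"].setdefault(tok[1], []).append((tok[3], src, dst))
    return cfg

def decide(cfg, src_if, dst_if, src_ip, dst_ip):
    """Return (action, reason) for a new connection entering src_if toward dst_if."""
    s_lvl, d_lvl = cfg["levels"][src_if], cfg["levels"][dst_if]
    if s_lvl == d_lvl and not cfg["same_sec"]:
        return "deny", "equal levels, same-security-traffic not enabled"
    acl = cfg["bound"].get(src_if)
    if acl is None:  # no inbound ACL: the security levels decide
        if s_lvl >= d_lvl:
            return "permit", "implicit by security-level"
        return "deny", "implicit by security-level"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, s_net, d_net) in enumerate(cfg["acls"].get(acl, []), 1):
        if src in s_net and dst in d_net:  # first match wins
            return action, "%s line %d" % (acl, n)
    return "deny", acl + " implicit deny"

# Constructed configs. Interface names and the 172.16.0.0/192.168.22.0 subnets
# follow the threads; Finance/Accounts addresses and Finance_in are assumptions.
BASE = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan5
 nameif Guest-VLAN
 security-level 10
"""
BIND = "access-group Guest-VLAN_access_in in interface Guest-VLAN\n"
OPEN_ACL = BASE + BIND + "access-list Guest-VLAN_access_in extended permit ip any any\n"
FIXED_ACL = (BASE + BIND
    + "access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0\n"
    + "access-list Guest-VLAN_access_in extended permit ip any any\n")
SAME_LEVEL = """
same-security-traffic permit inter-interface
interface GigabitEthernet0/1
 nameif Finance
 security-level 0
interface GigabitEthernet0/2
 nameif Accounts
 security-level 0
access-list Finance_in extended permit ip host 10.1.1.10 host 10.2.2.20
access-group Finance_in in interface Finance
"""

if __name__ == "__main__":
    guest = ("Guest-VLAN", "inside", "192.168.22.50", "172.16.0.10")
    for name, text in (("no ACL", BASE), ("permit any any", OPEN_ACL),
                       ("deny first", FIXED_ACL)):
        print(name, decide(parse_asa(text), *guest))
    same = parse_asa(SAME_LEVEL)
    print(decide(same, "Finance", "Accounts", "10.1.1.10", "10.2.2.20"))
    print(decide(same, "Finance", "Accounts", "10.1.1.11", "10.2.2.20"))
```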

  • Can ASA have ACLs with FQDNs?

    Hello,
    2 things if I may.
    I have upgraded our ASA 5520 from 8.2 > 8.4 > 9.1.3 and I was wondering if I can now create rules where the destination can be an FQDN rather than an IP? We have some hosted clusters in the 'Cloud' and using an FQDN would make life much easier as they keep changing the IPs in the cluster. If so, how?
    Also I now notice ACLs can have users assigned to them, what is this feature all about?
    Thanks

    Hi,
    Yes, you can use FQDN in the ACLs.
    First you will need to enable the ASA to do DNS lookups so it can dynamically learn the correct public IP address corresponding to the FQDN in the ACL.
    Example configuration from my ASA
    dns domain-lookup WAN
    DNS server-group DefaultDNS
        name-server 8.8.8.8
    object network GOOGLE
    fqdn www.google.com
    access-list LAN-IN extended permit ip any object GOOGLE
    When we look at the ACL we see this (in my case)
    ASA# sh access-list LAN-IN
    access-list LAN-IN; 19 elements; name hash: 0xefdd5a99
    access-list LAN-IN line 1 extended permit ip any object GOOGLE 0x585b04df
      access-list LAN-IN line 1 extended permit ip any fqdn www.google.com (resolved) 0x4cd6ac30
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.91 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.106 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.90 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.95 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.123 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.112 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.102 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.99 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.110 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.84 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.113 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.121 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.101 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.117 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.80 (www.google.com) (hitcnt=0) 0x585b04df
      access-list LAN-IN line 1 extended permit ip any host 109.232.83.88 (www.google.com) (hitcnt=0) 0x585b04df
    You can then also use these commands to show some DNS information that the ASA has received
    show dns
    show dns-hosts
    Output of one of the above commands
    ASA# show dns-hosts
    Host                     Flags      Age Type   Address(es)
    www.google.com           (temp, OK) 0    IP    109.232.83.91  109.232.83.106
                                                   109.232.83.90  109.232.83.95
                                                   109.232.83.123  109.232.83.112
                                                   109.232.83.102  109.232.83.99
                                                   109.232.83.110  109.232.83.84
                                                   109.232.83.113  109.232.83.121
                                                   109.232.83.101  109.232.83.117
                                                   109.232.83.80  109.232.83.88
    It is a totally different matter how well this works. Generally people ask for it to block something, which in some cases doesn't necessarily work 100%.
    Have a look this document about the same subject
    https://supportforums.cisco.com/docs/DOC-17014
    With regards to your second question I can't really give a good answer. It's related to the concept of Identity Firewall. Essentially you will integrate the ASA with AD through the use of the AD agent, which enables you to build the ACL rules based on the user's identity.
    I have not really tested or configured this ever so I can't really comment on it. Probably something I will lab eventually
    Have a look at this document
    https://supportforums.cisco.com/docs/DOC-20366
    You could also check the Configuration Guide section of Identity Firewall for more information
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_idfw.html
    Hope this helps
    - Jouni

  • 4 security level with 2 FWSM contexts

    Hello,
    I have to implement a DC with two 6509, ACE and FWSM with only a default license for 2 VFW.
    But the problem I have, is that I have 4 separate networks where I like to give a different security level.
    I'm using the FWSM in transparent mode.
    Any idea ? about using VRF ? ACE or something else ?
    Suggestions will be appreciated.
    Regards,
    Omar

    Hello Omar,
    Although I'm not familiar with the ACE blade we do run 2 X 6509s with FWSMs.
    In your case you could connect your 4 networks to a single context (VFW) since the max network connections per context is 8. You would create 4 BVIs (Bridge Virtual Interfaces.) Security levels in FWSMs don't have much meaning since you are required to specifically allow traffic to pass through the context regardless of which side of the BVI it comes from. By default no traffic flows at all. All traffic is filtered with ACLs.
    You could also create a VRF on the 6509 that could act as a central or core routing point for your networks. (We do this for 18 separate contexts and call it the fusion VRF.) However you would only use a VRF if you wanted to keep the routing table isolated from the global table running on the 6509's.
    Otherwise this is unnecessary.
    If you chose to run the FWSMs in multiple context mode you could have two networks per context, still connect them to a fusion VRF, and also run an Active/Active FWSM configuration which allows you to do a type of load sharing along with failover. One context is active and one context is standby on FWSM A and on FWSM B the roles reverse. This shares active traffic across the FWSM blades.
    Hope this brief description is helpful for you.
    Simon

  • Help with asp ... security levels

    I made a change to the security level for the end user. I added
    a security feature by adding 12345 to their security level.
    <%@LANGUAGE="VBSCRIPT"%>
    <%Option Explicit%>
    <%
    'check to see if the page is submitted
    Dim validLogin
    Dim strErrorMessage
    Dim intLevel
    Dim sLevel
    If (Request.Form("uname")<>"") Then
    'user has submitted the form
    'get the entered values and hit the database
    Dim strUserName
    Dim strPassword
    'going to use an implicit connection, no connection object needed
    Dim objRS
    strUserName = UCase(Request.Form("uname"))
    strPassword = UCase(Request.Form("pwd"))
    response.write("strUserName")
    'prepare the RS
    Set objRS = Server.CreateObject("ADODB.Recordset")
    'set the sql statement
    objRS.Source = "SELECT * FROM tblEmployee WHERE strEmpUserName = '" & strUserName & "' AND strEmpPassword = '" & strPassword & "'"
    ' heres the implicit connection
    objRS.ActiveConnection = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\Inetpub\db\IMPCustomers.mdb"
    objRS.CursorType = 0
    objRS.CursorLocation = 3
    objRS.Open
    'check for EOF
    If(objRS.EOF) Then
    'no records matched, invalid login
    Response.Redirect("invalidLogin.asp")
    'strErrorMessage = "Invalid Login. Try Again."
    validLogin = false
    Else
    'added intLevel to add more security on 3/29/07
    intLevel = Cint(objRS("intEmpSecurityLevel"))
    intLevel = intLevel + 12345
    sLevel = intLevel
    'valid login, set session variables
    Session("username") = UCase(strUserName)
    Session("userpass") = UCase(strPassword)
    Session("sLevel") = sLevel
    'Session("sLevel") = objRS("intEmpSecurityLevel") - changed to add more security on 3/29/07
    Session("fn") = objRS("strEmpFN")
    'release the RS
    Set objRS.ActiveConnection = Nothing
    Set objRS = nothing
    'redirect off this page
    Response.Redirect("custSearch.asp")
    End If
    End If
    %>
    I'm now having trouble removing the 12345 from their security
    level in the custSearch.asp.
    <%@LANGUAGE="VBSCRIPT"%>
    <%Option Explicit%>
    <%
    Dim strUserName
    Dim strPassword
    Dim intSLevel
    Dim isum
    Dim intS
    Dim intNewSLevel
    Dim sLevel
    Dim strFN
    Dim strErrorMessage
    Dim strError
    'get pass parameters
    strUserName = Session("username")
    strPassword = Session("userpass")
    intSLevel = Session("sLevel")
    'add on 3/29/07 for security
    'get the security level
    isum = sLevel
    'take isum which contains sLevel and subtract 12345 from it
    isum = isum - 12345
    'now intS equals security level in the db
    intS = isum
    'put into a session
    Session("intS") = intS
    strFN = Session("fn")
    strErrorMessage = ("strError")
    'If strErrorMessage = "" Then
    'strError = "There is no customer with that last name."
    'End If
    %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
    Transitional//EN" "
    http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="
    http://www.w3.org/1999/xhtml">
    <head>
    <title>Employee Intranet - Customer Database, Search
    for a particular customer.</title>
    <meta http-equiv="content-type" content="text/html;
    charset=utf-8" />
    <link rel="stylesheet" type="text/css"
    href="../css/pop_style.css" />
    <link rel="stylesheet" type="text/css"
    href="../css/forms.css" />
    <style type="text/css">
    /* HMTL selectors start here */
    h2 {
    margin-bottom:15px;
    p {
    margin-bottom:20px;
    hr {
    border:thin;
    border-color:#CCCCCC;
    border-style:dotted;
    width:100%;
    text-align:center;
    table {
    width:300;
    align:center;
    cellpadding:2px;
    cellspacing:2px;
    margin-left:30%;
    td {
    font-size:14px;
    font-style:normal;
    font-weight:normal;
    border:0;
    padding:0;
    /* HMTL selectors start here */
    /* ID selectors start */
    #mainText {
    height:400px;
    font-family:Arial, Helvetica, sans-serif;
    font-size:14px;
    text-align:left;
    margin-left:1%;
    margin-right:1%;
    padding: 10px 5px;
    word-spacing:1px;
    letter-spacing:1px;
    /* id ends here */
    </style>
    <script language="JavaScript" type="text/JavaScript">
    <!-- function MM_reloadPage(init) { //reloads the window
    if Nav4 resized if (init==true) with (navigator) {if
    ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight;
    onresize=MM_reloadPage; }} else if (innerWidth!=document.MM_pgW ||
    innerHeight!=document.MM_pgH) location.reload(); }
    MM_reloadPage(true); //-->
    </script>
    </head>
    <body>
    <!-- CASCADING POPUP MENUS v5.2 by Angus Turnbill
    http://www.twinhelix.com -->
    <script language="javascript" type="text/javascript"
    src="../js/pop_core.js"></script>
    <script language="javascript" type="text/javascript"
    src="../js/pop_data.js"></script>
    <!-- border begins here -->
    <div id="border">
    <!-- second nav start here -->
    <div id="secNavBar"><a
    href="../index.htm">Home</a>  |  <a
    href="../htm/quality.htm">Quality</a> 
    |  <a href="../htm/contactUs.htm">Contact
    Us</a>  | <a
    href="../htm/siteMap.htm"> Site
    Map</a></div>
    <!-- logo starts here -->
    <div id="logo">
    <img src="../art/NewLogo.jpg" alt="Logo of IMPulse NC,
    INC." usemap="#Map" />
    <map name="Map" id="Map">
    <area shape="rect" coords="5,3,280,74"
    href="../index.htm" alt="Return to home page" />
    </map>
    </div>
    <!-- primary navigation div tags starts here -->
    <div id="priNav">
    <a id="home" name="home"
    style="visibility:hidden;">Home</a>
    <!-- primary navigation div tags ends here -->
    </div>
    <!-- main text starts here -->
    <div id="mainText">
    <h2>Customer Database </h2>
    <p
    style="font-size:14px;font-style:normal;font-weight:normal;">Welcome
    <%=strFN%></p>
    <p
    style="font-size:14px;font-style:normal;font-weight:normal;">Please
    search for a customer by using the fields below. You can use one
    field or multiple fields for your search.</p>
    <!-- signIn form starts here -->
    <div id="signIn">
    <div id="CSearch">
    <table>
    <form action="results.asp" method="post" name="search"
    id="search">
    <tr>
    <td width="98" height="29">Last Name:</td>
    <td width="150" tabindex="1"><input type="text"
    name="clname" size="25" maxlength="25" /></td>
    </tr>
    <tr>
    <td height="30">First Name:</td>
    <td tabindex="2"><input type="text" size="25"
    maxlength="25" name="cfname" /></td>
    </tr>
    <tr>
    <td height="30">Company:</td>
    <td tabindex="3"><input type="text" size="25"
    maxlength="25" name="ccomp" /></td>
    </tr>
    <tr>
    <td height="48" colspan="2" tabindex="4">
    <input type="submit" name="login" value="Submit" />
    <input type="reset" name="Reset" value="Reset" />
    <a href="logOut.asp">
    <input type="button" name="logOut" value="Log Out" />
    </a> </td>
    </tr>
    </form>
    </table>
    <!-- customer search form ends here -->
    </div>
    <blockquote> </blockquote>
    <!-- signIn form ends here -->
    </div>
    <!-- main text ends here -->
    </div>
    <div id="btm_Bar">
    100 IMPulse Way • Mount Olive, North Carolina 28365
    • Main (919) 658-2200 • Fax (919) 658-2268<br />
    &copy;2006 IMPulse NC, Inc. All Rights Reserved. </div>
    </div>
    <script language="javascript" type="text/javascript"
    src="../js/pop_events.js"></script>
    <!-- Places text blinker in the uname text box thru
    javascript -->
    <script language="javascript" type="text/javascript">
    document.search.clname.focus();
    </script>
    <!-- javascript ends here -->
    <%
    Response.Write(Session("username")) & "<br />"
    Response.Write(Session("userpass")) & "<br />"
    Response.Write(Session("sLevel")) & "<br />"
    Response.Write(Session("intS")) & "<br />"
    %>
    </body>
    </html>
    What am I doing wrong?

    "pqer" <[email protected]> wrote in message
    news:eugsik$kt5$[email protected]..
    > What am I doing wrong?
    1. You're allowing unfiltered user input into your SQL query. I could do some horrible damage to your system.
    2. You have SELECT * in your query.
    3. You're doing something that doesn't make any sense. Why add a constant to the security level just to subtract it again when you actually want to use it? You're just making more work for yourself. There is no benefit there.
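
The first two points of the reply above, as an added example that is not part of the original posts: the login query built by concatenation next to a parameterized form with named columns. Python's sqlite3 stands in for ADO/Jet so that it runs offline (an assumption); table and column names come from the posted query, and the employee row is constructed.

```python
import sqlite3

COLUMNS = "strEmpFN, intEmpSecurityLevel"  # named columns instead of SELECT *

def make_db():
    """In-memory stand-in for IMPCustomers.mdb with one constructed employee."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblEmployee (strEmpUserName TEXT, strEmpPassword TEXT,"
               " strEmpFN TEXT, intEmpSecurityLevel INTEGER)")
    db.execute("INSERT INTO tblEmployee VALUES (?, ?, ?, ?)",
               ("O'BRIEN", "CORRECT HORSE", "Pat", 2))
    return db

def login_concatenated(db, user, pwd):
    """Same construction as the posted ASP: input is spliced into the SQL text."""
    sql = ("SELECT " + COLUMNS + " FROM tblEmployee WHERE strEmpUserName = '"
           + user.upper() + "' AND strEmpPassword = '" + pwd.upper() + "'")
    return db.execute(sql).fetchone()

def login_parameterized(db, user, pwd):
    """Placeholders keep the input as data; a quote in it cannot alter the statement."""
    sql = ("SELECT " + COLUMNS + " FROM tblEmployee"
           " WHERE strEmpUserName = ? AND strEmpPassword = ?")
    return db.execute(sql, (user.upper(), pwd.upper())).fetchone()

def compare(user, pwd):
    """Run both forms on the same input and return (concatenated, parameterized)."""
    db = make_db()
    try:
        concatenated = login_concatenated(db, user, pwd)
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early, so the rest of the
        # user name was parsed as SQL: the input changed the statement.
        concatenated = "SQL error: " + str(exc)
    return concatenated, login_parameterized(db, user, pwd)

if __name__ == "__main__":
    print(compare("o'brien", "correct horse"))
    print(compare("o'brien", "wrong password"))
```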

  • Using WS-Security with Spring application in WebLogic

    From a high level, are there any issues with using WS-Security in WebLogic 8 or 9 with an application constructed with Spring? What issues might come up between WS-Security and Spring that might make this complicated?

    You won't be able to do this using the WSSE file.
    An easy way to get around this is to use an XML Bean built from the WS-Security XML Schema. You'll have to read the WS-Security spec to determine how to create the nonce, but you'll be able to convert this XML Bean into the Element[] that the setOutputHeaders() method, which is on the service control you call the .NET Web Service with.
    Regards,
    Mike Wooten

  • Workflow 2013 use app model for higher security levels

    In a workflow 2013, I am currently calling a workflow 2010 so that I can use the impersonate step to run steps at a higher security level than the user that submitted the workflow. In the impersonate step, everything that needs to be run at a higher security level is placed in the impersonate step.
    I have found that the app model in workflow 2013 looks like it replaces the impersonate step in workflow 2010, correct?
    Due to that fact, if I want to use the app model in workflow 2013 instead of using the impersonate step in workflow 2010, will I need to place all actions and conditionals within the app model step for everything that needs to be executed at a higher security level? If so, can you show me how to accomplish this goal?
    If this is not true, what actions and steps do I need to place within the app model so that those actions and conditionals occur at a higher security level?

    Hi wendy,
    What is app model in SharePoint 2013 workflow? Based on your description, it seems like “App Step”. Is it right?
    “App Step” provides all the workflow actions added to it, with Read from and Write to Permissions to all the Items in the Site.
    App Step is not available by default; you need to activate the "Workflows can use app permissions" feature in your site to get this displayed for that site in SharePoint Designer.
    You need to place all actions and conditionals within the App Step for everything that needs to be executed at a higher security level.
    For more information about App Step in SharePoint 2013 Designer, please refer to the links below:
    Create a workflow with elevated permissions by using the SharePoint 2013 Workflow platform
    A word about App Step in SharePoint 2013 Workflow Platform
    SharePoint Designer 2013 – The new “App Step”
    Best Regards,
    Wendy
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
    Wendy Li
    TechNet Community Support

  • Q : Using column level VPD policies with Oracle Jdeveloper ADF BC ?

    For one of our big customers, we have already successfully developed a new Java application using Oracle JDeveloper with ADF, ADF BC and the Virtual Private Database (VPD) with row level policies.
    Our customer has new business requirements that could be fulfilled using column level VPD policies.
    Has someone already successfully (or not) developed a business application using column level VPD policies with ADF, ADF BC on Oracle 10g R2 database and OracleAS 10g (10.1.2)?
    Is it supported by Oracle? What are the pitfalls, difficulties, problems you've met?
    Is it a viable solution and if not, why ?
    Thanks in advance.
    Rémy

    Tomas,
    my 2 cent:
    if you know how to get the info from the db during run time you should be able to overwrite the frameworks message bundle look to get the description from the db instead of from the resource bundle.
    Or you load all descriptions from the db into a resource bundle and use the keys in the tooltip directly.
    Timo

  • Sharing a PM's project with a TeamMember using SharePoint Security Mode

    When using SharePoint Security Mode, is it possible for a Project Manager to share his project plan with a particular Team Member? If so, what are the steps?
    I am asking because we want certain Team Members to be the Status Manager for certain assignments in the project plan.
    Thanks in advance,
    Spiro Theopoulos PMP, MCITP. Montreal, QC (Canada)

    Hi Spiro,
    Have you tried assigning the particular Team member to the Owners group for that Project/Site so the team member can edit the project?
    Paul

  • With no "lock" or "HTTPS" showing up, how do I know in Safari if an online store is actually using a secure link when their web page makes that claim?

    With no "lock" or "HTTPS" showing up, how do I know in Safari if an online store is actually using a secure link when their web page makes that claim?

    The link in your example - https://www.gmx.com/ - is loading non-secure content from http://themes.googleusercontent.com/
    The lock will display only if everything on the page is secure - in this case it's not.
    As Safari has no way of knowing if themes.googleusercontent.com is going to be transmitting or receiving content that should be encrypted, then the overall page is in no way secure, and as such Safari won't display the lock icon.
    This is correct behaviour - it would be dangerous to users to identify pages as secure when they're clearly not.
    Reloading the page above uses cached copies of the fonts, thus no insecure connection is required on the reload. The issue in the link above (GMX) is not a Safari issue, just really bad web development by whoever built the site and mixed secure and insecure content.

  • Using existing Security Providers with Spring Security

    Has anyone successfully tied their existing WLS JAAS security providers in to the Spring Application Context? I can't seem to find any documentation on how to do this. I've got providers that work correctly in WLS 10.0 MP 1 for a Struts application and I'm developing a new application in Spring MVC and I'd like to use Spring Security (formerly acegi) but I'd like to share the security providers the other application is using since they've already been reviewed/approved by our internal security team.

    A JAAS Authentication Provider along with a JAAS Login Module
    A JAAS Identity Asserter
    A JAAS Role Mapping Provider

  • Need help using XWS-Security with EJB service endpoint

    I am trying to use XWS-Security along the lines of the JWSDP 1.6 examples, but with an EJB endpoint deployed in an ejb-jar file rather than a typical service endpoint deployed in a WAR.
    Any information on how to do this would be appreciated. I believe I'm close to getting an example working- the details on the problem I've encountered are below.
    I use WSCompile to generate stubs and ties for my WS, and XDoclet to generate the ejb-jar.xml. I deploy the ejb-jar on JBoss 4.0.2.
    The problem I'm having is that the security features are handled in the Stubs and Ties generated by WSCompile, and my server-side refuses to use the WSCompile generated Tie. Previously the web service had used the WSCompile argument 'import="true"', which generated no tie, and the web service worked (this was before I tried to add security features). Whatever mechanism had been used to direct messages to my EJB then is still being used now (JNDI, I believe, facilitated by the ejb-jar.xml and webservices.xml files), and bypassing the Tie class that I now generate using 'server="true"'.
    There must be some way I can reconfigure my webservice so that the WSCompile generated Tie is used, but I can't find any help on the topic.
    Can anyone tell me how to make sure my webservice will use the Tie class on the server side? Is it even possible when using EJBs instead of servlets?

    Burn your CD using iTunes. Then rip the music off of the CD using any "ripping" program. Just make sure the program you use has the "save as .wav" option available. I'm not familiar with MusicMatch but I'm sure you would be able to use it.
