25 May 2009

JSP/servlet authentication

You can define authentication in the web.xml deployment descriptor of a web application.

  1. Define roles
    <security-role>
      <role-name>admin</role-name>
    </security-role>
    <security-role>
      <role-name>boss</role-name>
    </security-role>
    How users are defined and mapped to these roles is web container dependent.
  2. Define protected resources
    <security-constraint>
      <display-name>Goodies</display-name>
      <web-resource-collection>
        <web-resource-name>Goodies</web-resource-name>
        <description/>
        <url-pattern>/Cookies</url-pattern>
        <url-pattern>/Smarties/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <description/>
        <role-name>admin</role-name>
        <role-name>boss</role-name>
      </auth-constraint>
    </security-constraint>
    Take care:
    • Protection is only guaranteed for cookie based sessions
    • The constraint is checked on incoming requests only; it does not apply to RequestDispatcher forward and include
  3. Define authentication method
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name/>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    The login form must POST to the action j_security_check with input fields named j_username and j_password.
    Other HTTP authentication methods are
    • BASIC: password sent in clear text (only base64 encoded)
    • DIGEST: hashed password (works in Firefox and IE 7+)
    • CLIENT-CERT: mutual SSL authentication with client certificates
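    Because the security constraint above is not applied on forward and include, a servlet under /Smarties/ can be reached through an internal RequestDispatcher without the container ever checking the caller's role. The following servlet, an added example that is not part of this post, repeats the admin/boss check programmatically as a safety net; the class name ReportServlet and its mapping to /Smarties/Report are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed to be mapped to /Smarties/Report in web.xml (hypothetical mapping).
// The <security-constraint> on /Smarties/* is enforced only for requests
// that arrive from the client. A forward or include from an unprotected
// servlet reaches doGet() without any role check, so the roles declared
// in <auth-constraint> are verified again here.
public class ReportServlet extends HttpServlet {

    // Same roles as the <auth-constraint> in web.xml.
    private static final String[] ALLOWED_ROLES = { "admin", "boss" };

    // True only if the caller is authenticated and holds one of the roles.
    static boolean callerAllowed(HttpServletRequest req) {
        if (req.getUserPrincipal() == null) {
            return false; // not authenticated at all
        }
        for (String role : ALLOWED_ROLES) {
            if (req.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!callerAllowed(req)) {
            // Same outcome the container produces for a direct request
            // that fails the declarative constraint.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Report for " + req.getRemoteUser());
    }
}
```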

3 May 2009

routing components / Solaris 10

  • Commands
    • route: manage routing table
    • netstat -rn: view routing table
    • routeadm: enable/disable routing services
    • svcadm: enable/disable routing services (in addition to routeadm, from Solaris 10 8/07)
      • route
      • ipv4-forwarding
    • traceroute: test and show route to system
  • Daemons
    • /usr/sbin/in.routed
      • RIPv1
      • RIPv2
      • RDISC
  • Files
    • /etc/defaultrouter: default route for static routing
    • /etc/gateways: in.routed configuration file
    • /etc/routing.conf: routeadm persistent state. From Solaris 10 8/07 this information moves to SMF.
    • /etc/inet/static.routes: route command persistent state (subject to change)

IPMP components / Solaris 10

  • Commands
    • ifconfig: configure interfaces
    • if_mpadm: change interface state
      • -d detach
      • -r reattach
  • Daemons (SMF network/initial)
    • /usr/lib/inet/in.mpathd
      • -a alert to syslog daemon.error (undocumented)
  • Files
    • /etc/default/mpathd: boot time defaults
    • /etc/hostname.interface: per interface configuration file for ifconfig

1 May 2009

solaris stealth sniffing

A network interface that is sniffing the network is in promiscuous mode: it accepts packets that are not destined for its Ethernet address.
You can try to detect a promiscuous interface by tricking it into replying to a packet that was not sent to its Ethernet address (e.g. a malformed packet).

In Solaris you can make all such attempts fail by bringing the interface down.

# ifconfig bge0 down
# snoop -d bge0

You can still sniff on that interface!

Ethernet Media

  • 10Base5: 10 mm diameter (thick)
  • 10Base2: 5 mm diameter (thin), BNC (Bayonet Neill-Concelman) connector
  • 10BASE-T: twisted pair, 2 mm diameter, RJ45 plug
    • UTP (unshielded twisted pair)
    • STP (shielded twisted pair)
    • S/UTP (shielded cable with UTP wires)
  • thin / thick / twisted pair sockets
  • 1000BASE-X: fibre optic