JSP/servlet authentication

You can define authentication in the web.xml deployment descriptor of a web application.

1. Define roles
   ?

   1 2 3 4 5 6 7

   <security-role>     <role-name>admin</role-name>    </security-role>    <security-role>      <role-name>boss</role-name>    </security-role> User definition is web container dependent.

2. Define protected resources
   ?

   1 2 3 4 5 6 7 8 9 10 11 12 13 14

   <security-constraint>     <display-name>Goodies</display-name>      <web-resource-collection>        <web-resource-name>Goodies</web-resource-name>        <description/>        <url-pattern>/Cookies</url-pattern>        <url-pattern>/Smarties/*</url-pattern>      </web-resource-collection>      <auth-constraint>        <description/>        <role-name>admin</role-name>        <role-name>boss</role-name>      </auth-constraint>    </security-constraint>

   Take care:
   • Is only guaranteed for cookie based sessions
   • Does not apply to forward and include
3. Define authentication method
   ?

   1 2 3 4 5 6 7 8

   <login-config>     <auth-method>FORM</auth-method>      <realm-name/>      <form-login-config>        <form-login-page>/login.jsp</form-login-page>        <form-error-page>/login-error.jsp</form-error-page>      </form-login-config>    </login-config>

   The authentication form is supposed to have a POST action called j_security_check and j_username and j_password input fields.
   Other HTTP authentication methods are
   • BASIC: clear text password (base64 encoded)
   • DIGEST: hashed password (works in Firefox and IE 7+)
   • CLIENT-CERT: mutual certified SSL

routing components / Solaris 10

• Commands
  • route: manage routing table
  • netstat -rn: view routing table
  • routeadm: enable/disable routing services
  • svcadm: enable/disable routing services (in addition to routeadm from Solaris 10 8/7)
    • route
    • ipv4-forwarding
  • traceroute: test and show route to system
• Daemons
  
  • /usr/sbin/in.routed
    
    • RIPv1
    • RIPv2
    • RDISC
• Files
  • /etc/defaultrouter: default route for static routing
  • /etc/gateways: in.routed configuration file
  • /etc/routing.conf: routeadm persistent state. From Solaris 10 8/7 this information moves to SMF.
  • /etc/inet/static.routes: route command persistent state (subject to change)
    

IPMP components / Solaris 10

• Commands
• ifconfig: configure interfaces
• if_mpadm: change interface state
• -d detach
• -r reattach
• Daemons (SMF network/initial)
• /usr/lib/inet/in.mpathd
  
• -a alert to syslog daemon.error (undocumented)
• Files
• /etc/default/mpathd: boot time defaults
  
• /etc/hostname.interface: per interface configuration file for ifconfig

solaris stealth sniffing

A network interface that is sniffing the network is in promiscuous mode: it accepts packets that are not destined for its ethernet address.
You can try to detect a promiscuous interface by tricking it into replying to a packet that is not sent to its ethernet address (e.g. a malformed packet).

In Solaris you can make all such attempts fail by bringing the interface down.

# ifconfig bge0 down
# snoop -d bge0

Still you can sniff on that interface!

Ethernet Media

• 10Base5: 10 mm diameter (thick)

• 10Base2: 5 mm diameter (thin), BNC (Bayonet Neill-Concelman) connector

• 10BASE-T: twisted pair, 2 mm diameter, RJ45 plug
  • UTP (unshielded twisted pair)

• STP (shielded twisted pair)

• S/UTP (shielded calbe with UTP wires)

• thin /thick /twisted pair sockets

• 1000BASE-X: Fibre optic