Tuesday, 21 October 2008

Hardy Intrepid Update

Short note: I wanted to do a distribution update from Hardy to Intrepid.
I ran sudo bash and executed update-manager -d from this terminal, but this did not show the new version.
Then I started it with gksu - press ALT+F2 and type in "update-manager -d" - and it worked. This must be a sudo environment issue.
So update-manager -d does not show the new version if started from a sudo session, but works fine via gksu or su.

Wednesday, 15 October 2008

Glassfish Custom Login Module and Realm Configuration

I wanted to create a custom login module and realm for Glassfish to implement a new authentication and authorization. I followed the Sun document but I "missed" some information - in fact, parts of the info were there but hidden very well - and decided to share it here. I am focusing only on the missing parts. The rest is written in the document.

The first thing is point 3. To me it did not work to place class files into directory appserver-domain-dir/lib/classes. I created a jar file from my classes and put that into glassfish/lib and it worked after a server restart.

The next piece of information I missed is what jaas-context-name should be in login.conf and how it is used later. The jaas-context-name can be anything you want, BUT you have to pass it to your Realm module as a parameter. Let's say you call your jaas-context-name "customRealm".
So you have in login.conf:

customRealm {
    org.CustomLogin required;
};


Then, when you create your realm via the GUI or any other way, you must specify this as a parameter of the realm. The name of the parameter MUST BE jaas-context. To be precise, it depends on the code: with the given code this is true; otherwise it depends on the following two lines:

String jaasCtx = props.getProperty(IASRealm.JAAS_CONTEXT_PARAM);
this.setProperty(IASRealm.JAAS_CONTEXT_PARAM, jaasCtx);


And JAAS_CONTEXT_PARAM inherited from super has a value "jaas-context".


Now you have a mapping between realm and login module.

But how to use the realm from NetBeans?
If you create a Web Application or Enterprise Application, the web part has a web.xml and a sun-web.xml file in the "Configuration Files" directory. Open web.xml and select the security part. Here open the Login Configuration, and if you select Basic, the Realm Name: must be the name of the realm created before. This is not the jaas-context name. You have to create security roles and security constraints, which I will explain later.
So now you have a realm which is using basic authentication, and the Realm Name is set to custom-realm.
The result in web.xml is:

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>custom-realm</realm-name>
</login-config>

This realm has a parameter jaas-context which specifies which login module must be used.
The realm and the login module receive the user name and password typed in and return the list of user groups to the container.
But what to return, and how to specify who has rights to do what?
In web.xml you specified that you want to use a realm, but below that in Netbeans you can specify which Role has access to which URL in which way. You have to create security roles. A role is like a group, BUT it is not necessarily the group returned by the Realm Module. It is an internal, application-level group. If you create something like user and admin, it is a good basis.
Below that you have to specify security constraints. This is where you can specify which URL is accessible to which Role in which way. Take a look and you will understand. (When you specify the URL you do not have to type the application name, only the path under the context. For example, if you have a JSP page at server:8080/Application/faces/user/Index.jsp you have to type in only /faces/user/* and you have to leave out Application.)
Here is an example constraint:

<security-constraint>
    <display-name>Application User</display-name>
    <web-resource-collection>
        <web-resource-name>Application User Pages</web-resource-name>
        <description/>
        <url-pattern>/faces/user/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>Application-user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>


One missing thing is how to map Authentication Groups to Application Roles. If the Realm returns a group with the same name as an existing role, this is mapped automatically, but this is not the usual case. If the user is, for example, in the Administrator group and the application has an Admin role, you need a mapping between these. You can specify these in sun-web.xml. Open it and do it. It is self-evident.

<security-role-mapping>
    <role-name>application-admin</role-name>
    <group-name>Administrator</group-name>
</security-role-mapping>


So the whole procedure is: when somebody calls your application via a URL, the container checks if there is a security-constraint on the URL and which Security Role you need to have to access it. The container also knows which Realm is responsible for authenticating the users in this application. It performs the authentication and sends this info to your module. The login module is taken based on the jaas-context parameter of the Realm. Your module returns the list of user groups if the user is authenticated. If the user is in the group which is mapped to the necessary Security Role, access is granted. That is all.
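
The decision procedure described above, modelled in Python. This is an added example, not code from the original post or from GlassFish; it is a simplified model (the first matching constraint wins, only exact and path-prefix URL patterns are handled), and the descriptors and the group name Staff are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors, shortened from the snippets in this post ("Staff" is made up).
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/faces/user/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>Application-user</role-name></auth-constraint>
</security-constraint></web-app>"""
SUN_WEB_XML = """<sun-web-app><security-role-mapping>
  <role-name>Application-user</role-name><group-name>Staff</group-name>
</security-role-mapping></sun-web-app>"""

def find(elem, name):
    """Text of every descendant with this local tag name (XML namespace ignored)."""
    return [e.text.strip() for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def blocks(xml_text, name):
    """All elements with this local tag name in the parsed descriptor."""
    return [e for e in ET.fromstring(xml_text).iter() if e.tag.rsplit("}", 1)[-1] == name]

def load(web_xml, sun_web_xml):
    constraints = [{"patterns": find(sc, "url-pattern"),
                    "methods": set(find(sc, "http-method")),
                    "roles": set(find(sc, "role-name"))}
                   for sc in blocks(web_xml, "security-constraint")]
    mapping = {}  # role name -> set of realm group names
    for m in blocks(sun_web_xml, "security-role-mapping"):
        for role in find(m, "role-name"):
            mapping.setdefault(role, set()).update(find(m, "group-name"))
    return constraints, mapping

def matches(pattern, path):
    """Exact and path-prefix ('/dir/*') patterns only; extension patterns are not handled."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def decide(constraints, mapping, method, path, groups):
    """path is relative to the context root; groups is what the login module returned."""
    for c in constraints:
        if not any(matches(p, path) for p in c["patterns"]):
            continue
        if c["methods"] and method not in c["methods"]:
            continue  # methods are listed, so any other verb is outside this constraint
        # a group satisfies a role through sun-web.xml, or when both have the same name
        ok = any(set(groups) & (mapping.get(r, set()) | {r}) for r in c["roles"])
        return "granted" if ok else "denied"
    return "unconstrained"  # no constraint applies: served without any role check

CONSTRAINTS, MAPPING = load(WEB_XML, SUN_WEB_XML)
```

A request whose method is not among the listed http-method elements comes back as unconstrained, so it is worth checking that the list covers everything the application answers to. Leaving out the http-method elements entirely makes a constraint apply to every method.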

Friday, 19 September 2008

Firefox OCSP Server experiences an internal error ( sec_error_ocsp_server_error )

I am in a hotel now and they have free Wifi in the rooms. This would be a nice feature if it worked. The theory is that the Wifi is not protected and authentication is not required, but when you type in a URL the gateway forwards you to an authentication page - apc.aptilos.com, pas.aptilo.com - and you have to type in a user name and password which you can get at the reception - or via the TV.
If you type in the user name and password you can go through the gateway for a while.
I suppose the MAC address or the IP is registered in the gateway and/or in the firewall and allowed to communicate.
Nice concept, except that the Wifi is not encrypted.

But I had a problem. When I typed any URL into Firefox it did not work, and after a while I got the error message:
"OCSP Server experiences an internal error" ( sec_error_ocsp_server_error )
I have tested this from Konqueror and it was working fine. ( I have Ubuntu 8.04 now. )

I sniffed the network traffic and saw that the problem is that Firefox tries to check via OCSP whether the server's key is revoked. But of course this is not possible, since the network is not opened by this time.
The solution from aptilo would be to open the connection to the corresponding OCSP server. I do not believe this will be done.
The solution on the client side is to disable OCSP in Firefox or use a client which does not have OCSP.
To disable OCSP in Firefox go to Preferences->Advanced->Encryption->Validation. Here you have a choice:

- You can completely disable OCSP.
- You can disable treating the connecting server as invalid if OCSP fails.

Whatever you do, NEVER FORGET TO ENABLE THIS AGAIN AFTER YOU LEAVE THE PLACE.
This is a security feature for your safety.



Saturday, 19 July 2008

Firefox Phishing ignores user's ignore.

Firefox sometimes does not allow you to ignore the Phishing warning, even if you know this is not a Phishing site, because of two stupid bugs.
These are bugs 435081 and 442929.
A quick BUT DANGEROUS workaround is to change two config values:
browser.safebrowsing.enabled=false
browser.safebrowsing.malware.enabled=false
which disables safebrowsing.

Please note:

- Always enable this feature again right after you have finished browsing the site you wanted. Besides, do not open any other site in the meantime.

- You might believe it is not dangerous to disable safebrowsing on a site you know, but this is FALSE.
A cracker can crack the site and put dangerous code snippets on the page without anybody noticing.
Even the site owner may not know about it. The code snippet can sit silently on the server where nobody sees it, but it can infect machines. Of course, since the Phishing protection used by Firefox is black-list based, somebody - or something - has already noticed and reported the site. If the site was hacked, the owner should be informed and should correct the page. If the site was built intentionally, you should get out of there immediately.

Thursday, 21 February 2008

Netbeans 6.0.1 Missing Ruby and Rails Problem

Today I decided to test Netbeans 6.0.1. I was satisfied with 6.0, but I had a stupid problem with JAX-RPC which prevented me from using that feature. Instead of trying to solve that, I decided to move on to this version. So I downloaded the OS independent zip - this is what I like after all - but when I started... ooops.
I got a message that the Ruby and Rails version is not correct. So what? Try to upgrade. Same error again. What a shame. I decided to uninstall Ruby and Rails and restart. It did not help. Deleting the ruby files from ~/.netbeans/6.0/modules also did not help.
Finally I solved this problem by starting the IDE and updating only IDE Platform first. Since then I could not reproduce the error, and I have no time now to play more with this. So if you are having this problem, give it a try. But I will try to find out the real reason as soon as I have some time.

Tuesday, 29 January 2008

Netbeans Missing New Project Categories

Jump to solution. (Skip stupid story.)

It was raining outside and it was a dark and sad day and there was nothing to work on when I decided to give Netbeans a try in J2EE development. If you have read my blog before you must know I am an Ubuntu user. Actually not a fan. I do not fall in love with anything easily. But I am in general very satisfied with Ubuntu. I like it very much. Am I a fan? Together with its problems too. But from time to time I am running into problems which can make life harder than .... than it should be. (Life is hard anyway. It does not matter if you are a Linux, Windows or Mac OS user. So hold on to your arguments about it. :) )

Back to the point: I have Ubuntu Gutsy, which currently contains Netbeans 5.5. So I started it and wanted to start a new project. What a surprise: I saw that I could not. There were no menu items that I could reach besides import existing ant project. Holy s.... something! What is this? I was asking.
I tried to purge the package and reinstall, but no luck. So finally I concluded that the problem is around Netbeans 5.5. What can people do then? I took the latest version, Netbeans 6.0, and tried it. To my even bigger surprise, I had the same situation. No menu to create a new project. I started to think about some kind of global conspiracy and decided to unveil it, so the day just turned darker.

So first I started to Google around. It almost always helps. And I found ideas to delete the ~/.netbeans directory and restart the IDE. It did not help me too much. I also found some ideas to use a different java version, which also did not help me.
What helped me was deleting ~/.netbeans AND using a Sun java version together. Either java 6 or 5 from Sun. (Anyway, you can specify the java version as a netbeans command line parameter like: $ netbeans --jdkhome /usr/lib/jvm/java-6-sun )
So I could have sat back and enjoyed it. But I wanted to know what was wrong. So first I checked that the java version which prevented me from using netbeans was icedtea-java-7. The other thing I had to realize - and what primarily made me investigate it - was that if you have ever started netbeans with icedtea-java-7, you can not start it afterwards even with the Sun java without deleting ~/.netbeans . This is very uncomfortable since you can lose your settings, so I decided to find out what the problem was. I do not think that you are interested in how I did it, but here is the result and how to correct it without losing your settings.

Solution:
$ rm -rf ~/.netbeans/6.0/config/Modules

Simple right?
If you are missing New Project Templates in Netbeans and you have ever started netbeans with IcedTea Java 7 - or any other "unsupported one" - first, use only SUN Java to run netbeans as long as this error is not corrected. I do not know if this is an error in IcedTea Java or in Netbeans and do not care too much anymore. To correct the problem completely, delete ~/.netbeans/6.0/config/Modules and restart Netbeans with a Sun Java. This directory will be recreated and you can enjoy the newly available menus without losing your settings.

Hope it helped you too.

Sunday, 6 January 2008

FlightGear Keyboard Shortcut Reference

I just wanted to have a list of keys that can be used in FlightGear but found only the short Reference.
I realized that the key shortcuts are in an xml file, so they are easy to change, and it is not good to publish a static list on the net while anybody can change it anytime easily. So here is a command to get it under linux anytime on your own machine.

First please change directory to the one that contains keyboard.xml. Gutsy has it under /usr/share/games/FlightGear


$ awk 'BEGIN {name="";desc="";spec="";} \
/.*<\/name>/{ name=$0; spec="";desc="";} \
/.*<\/desc>/ { desc=$0 ; line=spec " " name " = " desc; print gensub("<[^>]*>([^<>]*)<\/[^>]*>","\\1","g",gensub("\ \ +","\ ","g", line)) ;} \
/<mod-.*>/ { spec=gensub("<mod-(.*)>","\\1 + ","g",$0); } \
' keyboard.xml

Output is something like:
Ctrl-A = Toggle autopilot altitude lock.
Ctrl-B = Toggle speedbrake.
Ctrl-C = Toggle clickable panel hotspots
Ctrl-G = Toggle autopilot glide slope lock.
Ctrl-H = Toggle autopilot heading lock.
Ctrl-I = Show instrument setting dialog.
...

Then format, print, learn and enjoy the game. :)