Axis web service security workaround

This is a bit of an old one, but it might be useful to Domino people (or in fact anyone) out there who still are not using security on their web services and really should know better. I'm mainly thinking of large corporations that treat their internal network as some kind of safe playground. I don't suggest this as a permanent fix; it is just a good solution if you simply don't have the time or resources to put proper security in place.

This example came about when a security review was done on an application which was built a few years ago, when web services were first all the rage, using something like Axis 1.x. Multiple applications, including Domino, consume a set of services hosted on Apache. We want to limit this so that random people/computers can't just read and post what they like; thankfully this is easy in Apache.

First find your httpd.conf file and locate your web service location, most likely in a Directory tag such as:

<Directory "D:/Apache2.2/htdocs">

You will most likely find a couple of lines like this:

Order allow,deny
Allow from all

Change them (or add them if they are not there) to:

Order Deny,Allow
Deny from all

This will lock down your web service completely, which is not that much use, so now add a line below it such as:

Allow from 192.168.1.2 192.168.1.1

Here you can list the servers you want to allow access to the web service. You can allow every server in a subnet (if your company uses static IP addresses) by giving only the leading octets of the address, e.g. 192.168.1, and you can also use FQDNs. Full documentation can be found here.

In a perfect world that should be all you need, but if you are applying this to an existing web service, someone is sure to need access from a computer or program (such as soapUI) that is not on a static server, so you will have to add a backdoor to let them in.

So next add the lines:

SetEnvIf User-Agent "backdoor" webservicebackdoor
Allow from env=webservicebackdoor

This means that if you set the User-Agent header in programs like Firefox and soapUI (it's under File -> Preferences) to "backdoor", the web services will start talking to you again (yes, I know it's a security hole, but I'm just trying to make the best of a bad situation).

With some service clients this won't work as they don't allow the User-Agent to be changed; the most notable to me is Spring using CXF, which uses an alternative request header called "BrowserType". This is set in the same way:

SetEnvIf BrowserType "backdoor" webservicebackdoor
Allow from env=webservicebackdoor

Also, in your Spring config, include the "BrowserType" attribute in the conduit settings as shown:

<http-conf:conduit name="http://mywebservice.ldc.com/.*">
<http-conf:client ReceiveTimeout="180000" BrowserType="backdoor" />
</http-conf:conduit>

and now that would work just fine again.
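While that hole is open you will want to see who is using it. As an added example (not from the original post), Apache can write the environment variable that SetEnvIf sets into the access log with %{webservicebackdoor}e, so requests admitted by the header rather than by the IP list stand out. The LogFormat line, the log file name and the sample log lines below are constructed for this example; the allow list is the one from the post.

```shell
#!/bin/sh
# Audit which requests reached the Axis service only because the "backdoor"
# header fired. SetEnvIf sets webservicebackdoor to "1" when its regex matches;
# the match is unanchored, so any User-Agent *containing* "backdoor" triggers
# it. Assumed (constructed for this example) logging config in httpd.conf:
#   LogFormat "%h %{%Y-%m-%dT%H:%M:%S}t \"%r\" %>s %{webservicebackdoor}e \"%{User-Agent}i\" \"%{BrowserType}i\"" wsaudit
#   CustomLog logs/ws_access.log wsaudit

ALLOWED="192.168.1.2 192.168.1.1"   # the Allow from list in the post

# Constructed sample log lines in the wsaudit format above.
SAMPLE_LOG=$(cat <<'EOF'
192.168.1.2 2011-01-05T09:12:01 "POST /axis/services/Lookup HTTP/1.1" 200 - "Axis/1.4" "-"
10.0.7.15 2011-01-05T09:14:44 "POST /axis/services/Lookup HTTP/1.1" 200 1 "backdoor" "-"
10.0.7.15 2011-01-05T09:15:02 "GET /axis/services/Lookup?wsdl HTTP/1.1" 200 1 "Mozilla/5.0 backdoor" "-"
10.0.9.3 2011-01-05T09:20:10 "POST /axis/services/Lookup HTTP/1.1" 200 1 "Apache CXF 2.2.10" "backdoor"
172.16.4.8 2011-01-05T09:21:33 "POST /axis/services/Lookup HTTP/1.1" 403 - "soapUI 3.6" "-"
EOF
)

# audit: reads wsaudit log lines on stdin and prints one line per request:
#   <verdict> <client-ip> <request>
# verdicts: denied (403), allow-list (IP is in $ALLOWED), backdoor-header
# (admitted only via the env var), unexpected (a 200 from an unlisted IP with
# no env var set: some rule you did not account for, worth a look).
audit() {
  awk -F'"' -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 6 {
      split($1, head, " "); ip = head[1]                 # "%h %t " before the first quote
      split($3, mid, " "); status = mid[1]; env = mid[2] # " %>s %e " between the quotes
      if (status == "403")   verdict = "denied"
      else if (ip in ok)     verdict = "allow-list"
      else if (env == "1")   verdict = "backdoor-header"
      else                   verdict = "unexpected"
      print verdict, ip, $2
    }'
}

# count_backdoor_hits: how many requests in the sample got in via the header.
count_backdoor_hits() {
  printf '%s\n' "$SAMPLE_LOG" | audit | grep -c '^backdoor-header '
}

# Show the verdicts and a summary when run directly.
printf '%s\n' "$SAMPLE_LOG" | audit
echo "requests admitted via the backdoor header: $(count_backdoor_hits)"
```

Point the same awk at the real ws_access.log to review the header-admitted requests; a quiet backdoor-header column is also your sign that the exception can be removed.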

There you go, a little fringe but hopefully useful to someone.

Sharing a room at Lotusphere

Going to Lotusphere is not a cheap experience, and in the current climate even less so, so it makes sense to share a room. Last year I shared with that wretch/neat freak/best man at my wedding, Ben Poole; alas the evil devil is not going this year, so I started asking around to find an alternative room mate. Naturally I asked my colleagues at LDC first and got the answers "good luck with that" and "I'd rather fly cattle class", thanks guys..really..... thanks

So I asked further afield, and thus enters a slightly grubby white knight in the form of Bill Buchan, who is happy to share a room with me. I'm honoured to accept; it's like being asked to go for a quick horse ride with Genghis Khan, fab, brill, cool... what do you mean he snores, it can't be that loud..... seismic!!..... what has seismic got to do with snoring...... Oh...... great... I'm sharing a room with the greatest Lotus party animal ever, who also provides his own nocturnal drum and bass, bass beat

I'm packing plenty of happy hardcore and enough caffeine to give me a seizure; it's going to be a good Lotusphere

In Matt White's defence, I did ask for a quote.

Old Comments

Brett H(27/12/2010 20:01:52 GMT)

The secret is coffee, strong and lots of it. Not for you but for your noisy nocturnal room mate. Give it to him, he’ll still be awake while you drift off to peaceful oblivion. Then when he finally dozes off and starts sawing logs you won’t notice ’cause you’ll already be asleep!

Duffbert(27/12/2010 01:57:41 GMT)

I suppose you could attempt to turn it to your advantage and see if you can get an ear plug company to sponsor part of your trip… 🙂

Mark Myers(29/12/2010 10:16:50 GMT)

@Kevin I am starting to feel that the only solution is to get Bill to drink so much each night that he never makes it to the room. Right, I'm off to find the whisky tanker; I may have bitten off more than I can handle

Mark Myers(27/12/2010 20:33:13 GMT)

@Brett I will try your suggestion, but there are few chemicals that affect Bill; I have heard that a line of coke 12 feet long can make him "kind'a chipper"

Bill(27/12/2010 02:06:23 GMT)

In your colleagues' defence, when they found out, they did all roll their eyes and ask me about my mental health.

But apparently, you just nest on the floor, which might at least get you out of the direct line of the snoring.

Mr Mooney threw his room at me. Mr McD also snored, rubbed his feet and sang in his sleep (Einstein a-go-go), and latterly Mr Coates also employed ear defenders to great advantage.

I've shared with some of the most violent people in the bubble and survived, which only attests to the thickness of my skin and the shortness of the blades they tried to use

Look on the bright side. We’ll have a fully stocked bar. Not, I hasten to add, a Mini-bar…

—* Bill

Nils(27/12/2010 12:35:06 GMT)

Another option is to stay at Disney's All Star Sports Resort. I did that a couple of years; the room is just $85, and the buses bring you to the Swan in no time at all.

Kevin Pettitt(28/12/2010 15:42:42 GMT)

A very good pair of unobtrusive (i.e. you don’t feel them when you roll over) earphones and the Android app “Relax and Sleep” would be my recommendations. Plays all kinds of white noise and nature combinations to drown out the “ambient” noises. If those earphones are noise canceling all the better.

Disclaimer: I have only experienced Bill's snoring from the floor below behind a closed door, so it's possible these defenses will be insufficient in closer proximity.

Bill(27/12/2010 02:23:56 GMT)

@Duff, let he who is without sin cast the first stone.

I recall the rather palatial Casa Mooney, where you kept the entire house awake with your snoring. Mine didn’t even form a harmonic backing to your earth shattering patella fluttering!

—* Bill

Vitor Pereira(27/12/2010 10:02:51 GMT)

Well, having both of you in the same room will definitely make things easier for Disney security

Chris Miller(27/12/2010 16:56:15 GMT)

As a recent victim of sharing a room with Bill, I am still recovering from shock and awe. Both in forms of audio and visual

Mark Myers(27/12/2010 12:51:50 GMT)

@Nils yeah I did that the first year, and missed so much that was going on that I swore not to do it again. The missing stuff might change if what I have heard about IBM putting their staff in the All-Star this year is true, but a lot of my best mates are in the Swan/Dolphin

Mark Myers(27/12/2010 11:11:50 GMT)

@Bill, I am really looking forward to it; nesting is the correct way to occupy ANY room, it allows for easy defence in case of wolf (or even 3 wolf t-shirt) attack

@Vitor, we are getting the social outcast discount room rate from Disney

@Duff I was rather hoping a whiskey or vodka company would sponsor it

Mark Myers(27/12/2010 17:09:05 GMT)

@Chris oh now you're adding a visual element to it, am I going to need eye bleach?

It’s a small Lotus world (part 3)

In the continuing promo of the very good cause the Children's Cancer Association, here is the 3rd low resolution part of "It's a small Lotus world", drawn by Army of Trolls. The item revealed this time is "ye olde Codestore", one of the original Domino bloggers (especially in the UK) and a continuing stalwart of great Domino code giveaways for many years (personally, if Jake would come to one of the LUGs I for one would stand him a few well earned pints).

Remember a posh full sized version of the art is one of the prizes at the UK Night at Lotusphere (on the Monday night), with all funds raised going to the Children's Cancer Association (you can buy tickets off Bruce, Gayle, Matt White, Julian Woodward or myself at Lotusphere, or donate direct below).

Private VPNs

As a contractor and part of LDC I have multiple clients on the go at once. One of the problems with that is that sometimes their needs overlap, or one has a crisis when you're on site with another. Mostly you can just explain to the client you're on site with, not bill for 30 mins and go stand in a stairwell to talk them through it; however, it is often far quicker to just log in to a remote server and fix the problem directly.

Quite reasonably, clients' firewalls don't normally allow this kind of behaviour and block most of the ports you need to fix such things (SSH, RDP and Notes). The first response would be to just use a 3G card (and indeed I have one that works rather well and has let me fix client issues in the strangest locations), but at large clients I always seem to be stuck in a basement or some other no-signal zone.

This preamble is by way of introduction/justification to a private VPN service I am now using. I had a good look round before picking one, needing it to both work on Linux AND not be one designed for anonymous P2P (I DO NOT want a client thinking I am using P2P on their network). The one I picked is http://www.witopia.net/ who provide a very quick professional service with good support (I waited 15 mins for a support response) and have a great wiki http://wiki.witopia.net/wiki/Main_Page

If you want it for the same usage as me then you need a certain configuration, otherwise you're not going to get out through the firewalls:

1) You will need the "personalVPN - SSL (openVPN)" product http://www.witopia.net/index.php/products/
2) You will need to swap to the alternative port (443) http://wiki.witopia.net/wiki/Alternate_Ports
3) If you're on Linux (Ubuntu 10.04+) and have followed the wiki instructions, you will also need to alter the advanced settings on the VPN configuration as below (this is not on the wiki)

Solves a lot of problems for me.

The BBC model B computer and lesson in life

When I was but a nipper my parents bought me a BBC computer, which became unpopular in the marketplace within hours of me receiving it (everyone else had an Amiga, or Atari or whatever). Since then I have been a mite paranoid of being on a losing side, and felt like jumping ship as soon as some twit says that something is 'dead'. Thankfully I have since met good and sane(ish) people who have taught me otherwise. I am not a Domino developer, a Flex developer, a Java developer, a web developer, a Domino admin, an Exchange admin, 3rd line server support or a storage specialist; these are just roles. I am just a tech: I do the job my clients want in the way I think will bring them the most long term gain and waste the least money.

I have few strong opinions (except when it comes to happy hardcore, energy drinks and dark perversion), but people's big dramatic gestures are one of them. They make no sense in a career path such as IT where you cycle your skill set every 2 years or less; there is no need to say anything is dead, or beat the old chest or unleash attack kittens. Just be good at what you do, enjoy it and keep as up to date as time allows.

I love Domino (the fact I'm paying to go to Lotusphere out of my own pocket I feel is proof enough), and it has paid the bills in a lot of ways for a lot of my working life, but I'm not going to pass up a job just because it does not have Domino in it. And you know what, that attitude has helped me bring more life to Domino than you could imagine, as each non-Domino project gives me extra skills I can glue back on to the strange Swiss army knife we call Lotus Notes. 🙂

Prepping for Lotusphere 2011 ten things – Part 1

This is my third Lotusphere and the first one where I'm paying for every last bit myself, no freebie ticket for both babeing this year. I'm also there as part of LDC, so I am going to squeeze every drop's worth of value from the trip, but just like the rest of the community stuff we do, you have to put in the effort yourself to get value out. To this end I compiled a list of tasks to do before, during and after Lotusphere; anyone going to join me?

10 things to learn/do before you go there.

1) Ensure you have a LotusLive account and have had a good look around.

2) Ensure you have the latest version of Notes installed, and have played with its new features.

3) Subscribe to the podcasts, and keep up-to-date. (DONE)

4) Make a list of questions you want answered, get your pet peeves in a row, so you can voice them to Lotus in person.

5) Sign up to a cloud service and TRULY understand what “cloud” is rather than just the hype. (DONE)

6a) If you're an admin, have the latest version of Domino installed on the most up-to-date OS it supports.

6b) If you're a developer, ensure that you have the latest version of Eclipse installed and set up correctly. (DONE)

7) Learn about the competitors: get accounts with at least two direct Notes competitors (salesforce.com, Google apps, a free Sharepoint account) and explore their features.

8) Learn about the symbiotic Notes products, play with at least two of these (Sametime, Quickr, Connections, etc.). Can these be of value to you, do you need to find out more from a guru when you have them to hand?

9) Tell your clients and ask your boss whether there’s anything THEY want to know. Get them involved: what do your clients / boss want in the next 12 months?

10) Get your business card printed.

Old Comments

Mitch Cohen(10/12/2010 02:03:09 GMT)

Some good ideas….. See you in Orlando

Mark Myers(10/12/2010 09:21:56 GMT)

cool, yup see you there!

rsync backup

This was something I should have got round to doing ages ago, but I finally set up my laptop to back up to my NAS using rsync, and I figured a proper step by step guide might help others. There are lots of rsync guides out there but few that don't assume loads, so here's a simple one.

GOAL: I want to back up nearly everything in my home directory onto a Windows (or Samba) share. I want it to be one click, to skip certain folders and files, and on subsequent runs to only back up new stuff. I also don't want it to inherit any fancy permissions, as if I have a disaster I might need to access it without any rights on a new machine.

I am assuming you are using Ubuntu or a common version of Linux; most of this will work on a Mac I suspect (I know rsync does).

So, the first thing I need is a mount or drive mapping to back up to:

1) Run "gksudo nautilus" to get an all-powerful file manager and create the folder that is going to be your mount point; I created "/media/backup".

2) Next ensure you have the Samba file sharing utilities installed (smbfs); you can do this at a terminal prompt with "sudo apt-get install smbfs".

3) See if you can now mount your share with "sudo mount -t smbfs //192.168.0.XXX/myshare/backup/ /media/backup -o username=stickfight,password=password"
This assumes that I am backing up to the "myshare" share on the IP address 192.168.0.XXX and into the "backup" folder that already exists, mounted on the "/media/backup" folder from step 1, and that you have to log on to your share to be able to write to it; if you don't, just leave out the "-o username=stickfight,password=password" bit.

4) Next you want to figure out which files and folders you DON'T want to back up. In my case, I don't want any big media files or to back up the cache folder, so I create a text file called "backupexclude.txt", save it into my home directory and type the following into it (making sure that items are on separate lines):

*.mkv
*.avi
*.ogm
*.mp4
.cache

The paths are relative, so instead of /home/stickfight/.cache, as I'm backing up all of /home/stickfight/, I just put ".cache".

5) Install rsync: "sudo apt-get install rsync"

6) Now in the terminal window you want to enter "sudo rsync -r -u --exclude-from '/home/stickfight/backupexclude.txt' --progress /home/stickfight /media/backup/home"

Let me break it up first:

"-r" = copies all the sub directories and files; normally you would use "-a" but that copies the file permissions as well, which in this case I don't want.
"-u" = update, meaning it only copies new or recently changed files.
"--exclude-from '/home/stickfight/backupexclude.txt'" = loads the exclude file we just made.
"--progress" = makes the terminal output far more readable and tells you how far it has got.
"/home/stickfight /media/backup/home" = source and target directories.

7) Run this and make sure it does what you expect. rsync has tons of options, so alter it as you see fit; once you have it working, copy both lines into a text file and save it as backup.sh (or whatever).

8) You can now run it from an icon with "sudo sh /home/stickfight/backup.sh"
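Here is the backup.sh from step 7 written out as an added example (not the post's own script), with two checks worth having: it refuses to rsync unless the share is really mounted, so a failed mount does not silently copy your home directory onto the local disk while you believe it is on the NAS, and it reads the share credentials from a root-only file (the credentials= option of mount.cifs/mount.smbfs) instead of typing the password on the command line, where it lands in your shell history and in the process list. The /root/.smbcredentials path is an assumption; everything else is the post's own paths and command.

```shell
#!/bin/sh
# backup.sh: the one-click home directory backup from the steps above, with a
# couple of sanity checks. Assumed paths (change to suit): the share and mount
# point from step 3, the exclude list from step 4, and a root-only credentials
# file (chmod 600) holding "username=..." and "password=..." lines, so the
# password is not passed on the command line.
SRC="/home/stickfight"
MOUNT="/media/backup"
DEST="$MOUNT/home"
EXCLUDES="$SRC/backupexclude.txt"
SHARE="//192.168.0.XXX/myshare/backup/"
CREDS="/root/.smbcredentials"   # assumed location, not from the post

# is_mounted MOUNTPOINT: true only if something is actually mounted there,
# not just an empty folder, so we never rsync gigabytes onto the local disk.
is_mounted() {
  grep -qs " $1 " /proc/mounts
}

# clean_excludes FILE: prints the exclude list with blank lines, comments and
# Windows line endings removed; rsync would otherwise read "*.mkv\r" as a
# pattern that matches nothing and happily back up every film.
clean_excludes() {
  tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | grep -v '^#'
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
  if ! is_mounted "$MOUNT"; then
    # -t smbfs as in step 3 (Ubuntu 10.04); newer systems use -t cifs.
    mount -t smbfs "$SHARE" "$MOUNT" -o "credentials=$CREDS" || exit 1
    is_mounted "$MOUNT" || { echo "$MOUNT is still not mounted" >&2; exit 1; }
  fi
  TMP_EXCL=$(mktemp) || exit 1
  clean_excludes "$EXCLUDES" > "$TMP_EXCL"
  mkdir -p "$DEST"
  # The rsync from step 6: -r not -a, so no ownership/permissions travel with
  # the copy and it is readable from any machine after a disaster.
  rsync -r -u --exclude-from="$TMP_EXCL" --progress "$SRC" "$DEST"
  status=$?
  rm -f "$TMP_EXCL"
  if [ "$status" -eq 0 ]; then echo "backup finished"; else echo "rsync exited with $status" >&2; fi
  exit "$status"
}

# Only run the backup when executed as backup.sh, not when sourced for testing.
case "$0" in */backup.sh|backup.sh) main "$@";; esac
```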

There we go, job done.

P.S. You might notice a lot of "sudo" going on; perhaps this is not correct from a security point of view, but I'm stripping out the security anyway and I just want it to work without complaining.

Java quick tip, the pipe delimiter

The | (or pipe) symbol is an excellent delimiter, rarely used by users, and of particular use if you're doing intra-line delimiting. In LotusScript a normal usage example would be:

Dim CountryCode As String
CountryCode = "Britain|GB"
Dim vField As Variant
vField = Split(CountryCode, "|")

So in Java you would expect to write

String[] vField = CountryCode.split("|");

This will appear to work but will do something odd (it normally splits on every character). This is because split() expects a regular expression and the | is the OR special character in regular expressions; normally you would just 'escape' it with a \, i.e. "\|", but for some unknown reason, with split() you have to double escape it, e.g.

String[] vField = CountryCode.split("\\|");

Daft little tip, but it might help someone.

Old Comments
————

##### Mark Myers(30/11/2010 11:15:12 GMT)
true enough, but a pain for those that don't know (hence the post)

##### Andrew Magerman(30/11/2010 10:16:43 GMT)
Mark,

I use RegexBuddy { Link } for calculating my regexes. It's awesome, and it automatically does the annoying Java escaping for you. It's written by the guys who wrote the O'Reilly book on regexes. It's worth every penny of 30 – I would not do any regexes without it.

Alas, it is windows-only, but I guess you could have a little virtual machine for your regexes. Even if it hurts your Linux soul.

Andrew

##### Mark Myers(29/11/2010 11:34:22 GMT)
cool, thanks for the tip. On the reason for the double escape, the reason that I say unknown is that it allows single escapes on a number of other special characters. I will look into auto escaping of characters in Eclipse as I use regex quite a lot, ta

##### Kerr Rainey(30/11/2010 11:04:56 GMT)
Well, the main problem is not so much how java handles regex, but that there is no regex literal in java. There is no way to simply write a regex pattern into java source without escaping it. If you pass the regex pattern in from some other input then you don’t have the escaping to deal with.

##### Mark Myers(30/11/2010 10:29:21 GMT)
Andrew, it is a fine bit of code indeed; I use EditPad Pro from the same place and would go insane without it. Alas you are also right about Windows; I tend to only use Linux as a good solid host OS + media player, and do most of my actual working in Windows VMs

##### Mark Myers(29/11/2010 20:17:17 GMT)
an example would be \b, if you go to an expression builder such as { Link } both \b and \| work just fine, but in split() only \b would work, also \| works fine in things like Thunar file manager.

##### Kerr Rainey(29/11/2010 10:19:14 GMT)
I think the reason for having to put two backslash chars is that the Java string literal for a backslash is "\\". So to pass a regex pattern 'backslash followed by pipe' to the regex engine from a Java string literal you need to put "\\|"

You can set up eclipse to automatically escape strings pasted into string literals. Normally I find this a pain, but if you have a long regex pattern that you need to escape it can be handy to turn it on, paste and then turn it off again.

##### Mark Myers(30/11/2010 09:52:08 GMT)
that's the problem from my point of view: there is the way regex is handled by Java and the way it is handled by everything else; if you have a valid regex expression that works elsewhere it has to be modified to work in split()

it would seem I'm not the only person that finds this irritating, see "backslash mess" near the bottom of { Link }

##### Kerr Rainey(29/11/2010 17:15:03 GMT)
Do you have a specific example?

All I can think of off the top of my head is if I wanted to pass something like a double quote to the regex engine. Since I don't need it escaped in the regex, but I do need to escape it in the Java string literal, that would be "\"". If I wanted the regex to look for a backslash, I'd need to escape it in the regex and in the Java string literal, ending up with: "\\\\"

I’d be really curious to find something that didn’t work like that.

##### Kerr Rainey(30/11/2010 09:16:31 GMT)
Are you sure you are getting the result you expect in the \b case? I've just done a little test and although it runs, it does not give me the answer I would want.

'\b' is the char literal in Java for a backspace. Putting that into a string literal however can give you odd looking results. Just printing it to System.out will not show it, but the length of the string will include it.

If it is the regex pattern to your split then it will split on any backspace in your input. But it won't match anything if there is no backspace char in the input.

If the regex pattern you want to use is to match only the beginning of the word then you will have to escape the backslash in your Java string literal.

"Look out Mr. Toad.".split("\bo")
gives
["Look out Mr. Toad."]

"Look out Mr. Toad.".split("\\bo")
gives
["Look ", "ut Mr. Toad."]

"Look out Mr. T\boad.".split("\bo")
gives
["Look out Mr. T", "ad."]

##### Wormwood(24/11/2011 15:38:50 GMT)
I just had this problem and found your tip using Google. Thank you very much! 🙂

Power Gorilla on Lenovo W510

I'm hoping this will be of help to searchers of Google.
The question is: does the powergorilla work with the ThinkPad W510 and other 135W Lenovo laptops?

Quick Answer

Yes, far better than you could hope

Long answer

Recently I upgraded my old Compal FL92 to a ThinkPad W510. I then noticed with some dismay the 135 watt power brick that came with it, and thought my existing powergorillas would no longer work.

I phoned up Powertraveller and after a quick chat with one of the techs (no, I have not forgotten your name, I'm just not posting it) she said she would post the 2 tips needed and a Y-cable out to me for free, without prompting! The Powertraveller lot have always seemed genuinely interested in the use you put their products to.

The tips all arrived and I sat down to what I thought would be a night of experimentation with multiple Y-cables and up to 3 powergorillas in parallel. This proved to be unnecessary due to the way ThinkPads handle the fact that there are 3 20V ThinkPad power supplies but only 1 connector type.

These are:

Full speed and battery charging: if you use a 135W power supply
Throttled speed but battery charging: if you use any mains charger of less than 135W (even the 120W ones you can get trigger throttling)

The powergorilla gives out 2.5A at 20V, so about 50W, so you would expect a throttled result, and believe me you don't want the throttled option: I tried it with a 90W travel power supply and it throttles the processors so badly that even a movie stutters. But when I plugged in the powergorilla, it just "paused" the internal battery and ran off the gorilla. Eh? Why would it do that? I spent some time trying all variations of 65W/90W/travel 90W/135W and Gorilla, and it always behaved the same. I think that because of the 27++ bolt-on battery, the modern ThinkPads can detect if a battery is plugged into them, and are treating the powergorilla as such.

OK so a great solution, but how long does it keep your laptop going?

A powergorilla at the 20V (19V in reality) setting produces 55Wh.

The 3 batteries that are compatible with the W510 are:

55+ (6 cell battery, the one that is flush with the back of the laptop) at 57Wh
55++ (9 Cell Battery, the one that sticks out the back of the laptop) at 94Wh
27++ (9 Cell Battery, the extra one that hangs off the bottom) at 94Wh

After playing around charging and discharging, the times all came down to the expected pro rata times (1 powergorilla lasts just under the full time of a 55+ and about two thirds of the time of a 55++/27++).

And here is the bonus: if you have a powergorilla already, you will know that you can charge and use it at the same time (providing they both are on the same voltage). This means you can use a travel power supply (or any 20V power supply of less than 135W) to run your laptop un-throttled. I have tried this and it works (I have never seen the power meter on the W510 go above 90W, and even then it would probably just be a spike), so you can finally go back to using your sparkly new laptop on planes/in cars.

All in all a perfect solution, an excellent product and fab customer service (well done to Lenovo for the smart power management as well)

Terrorists or freedom fighters in corporations

RANT WARNING

Political spin, particularly in corporations who should know better, is something that always gets on my nerves. Currently one of my clients is moving to an outsource model for everything; this has come with a new CIO and is expected, as every director wants to stamp his mark on the enterprise. This time there are some bits that are new to me, and the particular one that gets my goat is:

"High operational risk due to dependency on few individuals". Errr, that was because these were specialists that dealt with the products day in, day out for years and knew not only the products but the underlying business, and can identify and fix issues in minutes, even seconds. As a business side colleague pointed out, if this was in brain surgery rather than high finance, the suggestion that there are too few proper brain surgeons and they cost too much, so we should give the work to ordinary doctors, would cause an outcry.

It only works in corporations because the people issuing these statements don't actually understand what their business REALLY does. Yes, it's bad for redundancy purposes and horrible for the day to day running cost to have specialists, but the reason it looks like an easy target is because there have been no problems, so everyone thinks the work is simple to do.

This problem was exemplified by an issue in which an instance of JBoss on Red Hat became ill during an end of day run and would not restart with the normal scripts we had written. The cause was not a code based one, it is a dedicated box that does nothing else, and we were in a time sensitive situation. The new support personnel (who have been in the role for 8+ months now) were completely at a loss, as this scenario was not on their sheet of "how to do stuff"; a suggestion of "Restart the bloody box" was treated with blank stares and a question of "which script is that".

It took over an hour to even get them to mail the hardware administrators to get them to do a restart of the physical box (something they could have done themselves in 2 mins with a "sudo reboot"). All in all nearly 2 hours of run time was lost, making the business very unhappy. This is not intelligent support!!, this is not an improvement!!!, I would say that we now have even higher operational risk than before, as we have NO individuals that we can depend on.

To conclude, the support and growth of any business is a balancing act. If you only have 3rd-4th line people then day to day it's very expensive (often unjustifiably so), but you most likely won't ever have a major disaster; if you only have 1st-2nd line people, then day to day it will be cheap as chips, but when a change is needed to fight off your competitors or deal with a major disaster you will face a sea of blank expressions all saying "that is not on my script sheet".