Access Denial Issue on Glassfish during j2ee application deployment


Exceptions such as the ones below, seen during J2EE application deployment on Oracle GlassFish, are usually observed when the security manager under Configurations > server-config > Security is enabled. They arise because GlassFish restricts the way objects and resources may be accessed while the security manager is on.

1) Invocation of init method failed; nested exception is java.security.AccessControlException: access denied (javax.management.MBeanServerPermission findMBeanServer)

2) Instantiation of bean failed; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)

 

To resolve this, the security check can either be bypassed or the required permissions can be granted explicitly.

To grant the permissions, add the following to the server.policy file in the server configuration (config) folder:

grant codeBase “file:${com.sun.aas.instanceRoot}/applications/j2ee-apps/-” {
    // Named in the second exception above: allows reflective access to non-public members.
    permission java.lang.reflect.ReflectPermission “suppressAccessChecks”;
    // "*" covers every MBeanServerPermission action; "findMBeanServer" alone is what the
    // first exception above asked for.
    permission javax.management.MBeanServerPermission “*”;
    // "*", "*" allows every operation on every MBean for everything deployed under this
    // codeBase; narrow it if the deployed applications are not all trusted equally.
    permission javax.management.MBeanPermission “*”, “*”;
    // Not named in either exception above; keep it only if deployment still fails without it.
    permission java.lang.RuntimePermission “createClassLoader”;
};  

AES – using a static secret key


A static secret key approach can come in handy when sensitive information must be persisted across sessions. It can, for example, be used to encrypt cookies that the client never processes itself: encryption and decryption happen centrally on the application server, so the key is never exposed to the client.

package com.core;

/**
*
* @author reisang
*/
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;
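public class CryptoService {

    /**
     * Cipher transformation. AES/GCM both encrypts and authenticates, so a modified
     * ciphertext is rejected on decryption instead of silently producing garbage; the
     * bare "AES" transformation used previously resolves to ECB, which is deterministic
     * (equal plaintexts give equal ciphertexts) and offers no integrity check.
     */
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    /** GCM nonce length in bytes (96 bits, the recommended size for GCM). */
    private static final int NONCE_LENGTH = 12;
    /** GCM authentication tag length in bits. */
    private static final int TAG_LENGTH_BITS = 128;
    /**
     * Secret material from which {@link #setupCrypto()} derives the AES key.
     * NOTE(review): this constant is embedded in the class file, so anyone who can read
     * the deployed application can recover the key; prefer {@link #setupCrypto(String)}
     * with a value loaded from configuration or a secret store.
     */
    private static final String SALT = "#42_2332!@@@!*(*(&";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Key in use; volatile so a key installed by one thread is seen by the others. */
    private static volatile SecretKeySpec secretKeySpec;

    /**
     * Encrypts {@code message} with the configured key.
     *
     * @param message plaintext, encoded as UTF-8 before encryption
     * @return lowercase hex of a fresh random 12-byte nonce followed by the GCM
     *     ciphertext and tag; two calls with the same message yield different output
     * @throws Exception if the JCE provider cannot supply AES/GCM or the key is invalid
     */
    public static String encrypt(String message) throws Exception {
        SecretKeySpec key = currentKey();
        byte[] nonce = new byte[NONCE_LENGTH];
        // A nonce must never be reused under the same key, hence one random nonce per message.
        RANDOM.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_LENGTH_BITS, nonce));
        byte[] encrypted = cipher.doFinal(message.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[NONCE_LENGTH + encrypted.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_LENGTH);
        System.arraycopy(encrypted, 0, out, NONCE_LENGTH, encrypted.length);
        return BytetoHex(out);
    }

    /**
     * Decrypts a value produced by {@link #encrypt(String)}.
     *
     * @param ciphertext hex string: nonce followed by ciphertext and tag
     * @return the original plaintext, decoded as UTF-8
     * @throws IllegalArgumentException if {@code ciphertext} is not valid hex or is too
     *     short to hold a nonce and a tag
     * @throws AEADBadTagException if the ciphertext was modified or was produced under a
     *     different key
     * @throws Exception if the JCE provider cannot supply AES/GCM
     */
    public static String decrypt(String ciphertext) throws Exception {
        byte[] data = hexToBytes(ciphertext);
        if (data.length < NONCE_LENGTH + TAG_LENGTH_BITS / 8) {
            throw new IllegalArgumentException("ciphertext too short: " + data.length + " bytes");
        }
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, currentKey(),
                new GCMParameterSpec(TAG_LENGTH_BITS, data, 0, NONCE_LENGTH));
        byte[] original = cipher.doFinal(data, NONCE_LENGTH, data.length - NONCE_LENGTH);
        return new String(original, StandardCharsets.UTF_8);
    }

    /**
     * Derives the key from the built-in {@link #SALT} constant and installs it.
     * Calling this after {@link #setupCrypto(String)} replaces the custom key again.
     *
     * @throws Exception if SHA-256 is unavailable
     */
    public static void setupCrypto() throws Exception {
        setupCrypto(SALT);
    }

    /**
     * Derives a 256-bit AES key from {@code secret} with SHA-256 and installs it.
     *
     * @param secret key material; a single hash pass gives no key stretching, so this
     *     should be a long random value rather than a memorable password
     * @throws Exception if SHA-256 is unavailable
     */
    public static void setupCrypto(String secret) throws Exception {
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        byte[] key = sha.digest(secret.getBytes(StandardCharsets.UTF_8));
        secretKeySpec = new SecretKeySpec(key, "AES");
    }

    /** Returns the installed key, deriving the default one on first use. */
    private static SecretKeySpec currentKey() throws Exception {
        SecretKeySpec key = secretKeySpec;
        if (key == null) {
            setupCrypto();
            key = secretKeySpec;
        }
        return key;
    }

    /**
     * Encodes bytes as lowercase hex, two characters per byte.
     *
     * @param buf bytes to encode
     * @return hex string of length {@code 2 * buf.length}
     */
    public static String BytetoHex(byte[] buf) {
        StringBuilder out = new StringBuilder(buf.length * 2);
        for (byte b : buf) {
            out.append(Character.forDigit((b >> 4) & 0xf, 16));
            out.append(Character.forDigit(b & 0xf, 16));
        }
        return out.toString();
    }

    /**
     * Decodes a hex string (either case) into bytes.
     *
     * @param hexValue hex string of even length
     * @return the decoded bytes
     * @throws IllegalArgumentException if the length is odd or a character is not a hex
     *     digit; previously such input was silently decoded into garbage
     */
    public static byte[] hexToBytes(String hexValue) {
        int len = hexValue.length();
        if (len % 2 != 0) {
            throw new IllegalArgumentException("hex string has odd length: " + len);
        }
        byte[] raw = new byte[len / 2];
        for (int i = 0; i < raw.length; i++) {
            int high = Character.digit(hexValue.charAt(2 * i), 16);
            int low = Character.digit(hexValue.charAt(2 * i + 1), 16);
            if (high < 0 || low < 0) {
                throw new IllegalArgumentException("non-hex character at index " + (2 * i));
            }
            // The cast wraps values above 127 into the signed byte range.
            raw[i] = (byte) ((high << 4) | low);
        }
        return raw;
    }

    /** Round-trips a sample string and prints the result. */
    public static void main(String[] args) throws Exception {
        String bytes = CryptoService.encrypt("hello");
        String temp = CryptoService.decrypt(bytes);
        System.out.println(temp);
    }
}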

XSS and Sql Injection Filter


It is better to check for suspicious XSS or SQL injection patterns than to strictly restrict the use of special characters. This approach helps avoid throwing unnecessary exceptions.

The filter validates every parameter submitted to the application, whether by the GET or the POST method.

Filter Class file

/**
*
* @author Reisang
*/

import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.log4j.Logger;

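/**
 * XSS filter
 *
 * This class filters every request parameter for suspicious character patterns and
 * alerts the user if one is found, so that ordinary use of special characters can be
 * allowed.
 *
 * Only request parameters are inspected (every value of every parameter); headers,
 * cookies and non-form request bodies are not. Pattern matching on input is a
 * defence-in-depth measure: it does not replace output encoding in the views or
 * parameterised queries in the data layer, and the patterns below only cover the
 * encodings they enumerate.
 */
public class WebFilter implements Filter {

    /**
     * Suspicious-pattern regex, compiled once. It was previously compiled on every
     * request, and matched against a lower-cased value so that the upper-case "%XX"
     * alternatives could never match; CASE_INSENSITIVE restores them.
     */
    private static final Pattern XSS_PATTERN = Pattern.compile(
            "[\\w]*((%27)|('))\\s*((%6F)|o|(%4F))((%72)|r|(%52))"
            + "|[\\w]*((%27)|('))\\s*((%61)|a|(%41))((%6E)|n|(%4E))((%64)|d|(%44))"
            + "|(((%3E)|>|(%3C)|<))"
            + "|(((%3E)|>|(%3C)|<)+.*[://.=/(/);'\"&#-]+.*)"
            + "|(.*[://.=/(/);'\"&#-]+.*((%3E)|>|(%3C)|<)+)"
            + "|(((%3C)|<)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^\\n]+((%3E)|>))",
            Pattern.CASE_INSENSITIVE);

    private static final Logger _log = Logger.getLogger(WebFilter.class);

    private FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Rejects the request by forwarding to /error.jsp when any parameter value matches a
     * suspicious pattern; otherwise passes it down the chain.
     *
     * The error message is kept request-local: a filter instance is shared by all
     * concurrent requests, so the previous instance field could be overwritten by another
     * request between being set and being read.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String errorMessage = validateParameters(request);
        if (errorMessage != null) {
            request.setAttribute("message", errorMessage);
            request.setAttribute("ERROR_TYPE", "1");
            RequestDispatcher dispatcher = request.getRequestDispatcher("/error.jsp");
            dispatcher.forward(request, response);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Checks every value of every request parameter.
     *
     * @param request the incoming request
     * @return an error message for the first suspicious value, or {@code null} when all
     *     parameters are clean
     */
    private String validateParameters(ServletRequest request) {
        Enumeration<String> params = request.getParameterNames();
        while (params.hasMoreElements()) {
            String paramName = params.nextElement();
            // getParameterValues rather than getParameter: a repeated parameter has several
            // values, and only the first one used to be inspected.
            String[] values = request.getParameterValues(paramName);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                String message = searchReservedChars(value, paramName);
                if (message != null) {
                    return message;
                }
            }
        }
        return null;
    }

    /**
     * Searches {@code value} for the suspicious patterns and constructs an error message
     * quoting the matched fragment.
     *
     * @param value the parameter value to inspect; {@code null} is treated as clean
     * @param paramName the parameter name, available so that specific fields can be skipped
     * @return the error message if a pattern matched, otherwise {@code null}
     */
    private String searchReservedChars(String value, String paramName) {
        if (value == null) {
            return null;
        }
        Matcher match = XSS_PATTERN.matcher(value);
        if (!match.find()) {
            return null;
        }
        // The fragment is echoed back on error.jsp, so every HTML-significant character is
        // escaped here (previously only < and >); the JSP must still render the "message"
        // attribute as text rather than as markup.
        String fragment = escapeHtml(match.group());
        // Log the parameter name only; the value is attacker-controlled.
        _log.warn("Suspicious input rejected in parameter " + paramName);
        return "Suspicious input [ " + fragment + " ]. Use the browser Back key to return to the previous screen to correct this problem.";
    }

    /** Escapes the characters that are significant in HTML text and attribute values. */
    private static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }
}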

web.xml related changes

<filter>
<filter-name>webfilter</filter-name>
<!-- Must be the fully qualified class name. The WebFilter listing above declares no
     package, so either add "package core;" to the class or change this value to match. -->
<filter-class>core.WebFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>webfilter</filter-name>
<!-- Every URL goes through the filter; static resources are checked too. -->
<url-pattern>/*</url-pattern>
</filter-mapping>

Setting up your PC or laptop as a Wi-Fi hotspot on Windows 7


Open an elevated command prompt (type “cmd.exe” in the Start menu search bar, then right-click the cmd.exe link and select “Run as administrator”).

In the command window, type: netsh wlan set hostednetwork mode=allow ssid=<your network name, e.g. mynetwork> key=<your network password, e.g. password123>

Press Enter.

Now type: netsh wlan start hostednetwork

Press Enter.

Open Control Panel and go to Network and Sharing Center.

Click Change Adapter Settings.

Right click your Internet connection and select Properties.

Click the Sharing tab.

Check the box that says “Allow other network users to connect.”

Choose your virtual wi-fi adapter and click OK.

Manually installing a windows service

Install Windows 2000 Resource Kit…

Run the following from a DOS prompt:

instsrv yourservice_name "c:\program Files\Resource Kit\srvany.exe"  (srvany.exe is included in the Resource Kit installation)

Now go to Services, find yourservice_name, choose Properties, and in the Description field type “yourservice_name description…”.

Choose the logon mode and assign an account to it, for example “Administrator”.

Click Ok

Type Regedit in the Run box found in the Start menu.

Find the registry entry in the Registry Editor window.


Drupal 6.1 Configuration for php 5.2, Mysql 5.1 and apache 2.2


php.ini
[PHP]
;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;
; This file controls many aspects of PHP’s behavior.  In order for PHP to
; read it, it must be named ‘php.ini’.  PHP looks for it in the current
; working directory, in the path designated by the environment variable
; PHPRC, and in the path that was defined in compile time (in that order).
; Under Windows, the compile-time path is the Windows directory.  The
; path in which the php.ini file is looked for can be overridden using
; the -c argument in command line mode.
;
; The syntax of the file is extremely simple.  Whitespace and Lines
; beginning with a semicolon are silently ignored (as you probably guessed).
; Section headers (e.g. [Foo]) are also silently ignored, even though
; they might mean something in the future.
;
; Directives are specified using the following syntax:
; directive = value
; Directive names are *case sensitive* – foo=bar is different from FOO=bar.

Custom Grid Data Retention and Retrieval

/**
*    Reisang Risom
**/
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
import com.mgeretail.SpringApplicationContext;
public class ObjectCreationServices {
private Logger _log=Logger.getLogger(ObjectCreationServices.class);
private String className=null;
public ObjectCreationServices(Object _beanObject)
{
className=_beanObject.getClass().getName();

Oracle Obfuscation toolkit


--------------------------------------------------------

--  DDL for Function DES_DECRYPT

--------------------------------------------------------

CREATE OR REPLACE FUNCTION “DES_DECRYPT” (

input_string VARCHAR2,

key_string VARCHAR2

) RETURN VARCHAR2

IS

v_return VARCHAR2(2048);

v_key_string VARCHAR2(56);
