Axis web service security workaround

This is a bit of an old one, but it might be useful to Domino people (or in fact anyone) out there who still are not using security on their web services and really should know better. I'm mainly thinking of large corporations that treat their internal network as some kind of safe playground. I don't suggest this as a permanent fix; it is just a good stop-gap if you simply don't have the time or resources to put proper security in place.

This example came about when a security review was done on an application built a few years ago, when web services were first all the rage, using something like Axis 1.x. Multiple applications, including Domino, consume a set of services hosted on Apache. We want to limit this so that random people or computers can't just read and post whatever they like; thankfully this is easy in Apache.

First find your httpd.conf file and locate your web service directory, most likely in a Directory tag such as:

<Directory "D:/Apache2.2/htdocs">

You will most likely find a couple of lines like this:

Order allow,deny

Allow from all

Change them (add them if they are not there) to

Order Deny,Allow
Deny from all

This locks down your web service completely, which is not much use on its own, so now add a line below it such as:

Allow from 192.168.1.2 192.168.1.1

Here you list the servers you want to allow to access the web service. You can allow every server in a subnet (if your company uses static IP addressing) by giving only the subnet prefix, e.g. 192.168.1, and FQDNs are accepted as well; the full documentation can be found Here

In a perfect world that should be all you need, but if you are applying this to an existing web service, someone is sure to need access from a computer or program (such as soapUI) that is not on a static server, so you will have to add a back door to let them in.

So next add the lines

SetEnvIf User-Agent "backdoor" webservicebackdoor
Allow from env=webservicebackdoor

This means that if you set the User-Agent header in programs like Firefox and soapUI (it's under File -> Preferences) to "backdoor", the web services will start talking to you again (yes, I know it's a security hole, but I'm just trying to make the best of a bad situation).

With some service clients this won't work as they don't allow changing the User-Agent; the most notable for me is Spring using CXF, which uses an alternative request header called "BrowserType". It is set up in the same way:

SetEnvIf BrowserType "backdoor" webservicebackdoor
Allow from env=webservicebackdoor

Also, in your Spring config, in the conduit settings, include the BrowserType as shown:

<http-conf:conduit name="http://mywebservice.ldc.com/.*">
<http-conf:client ReceiveTimeout="180000" BrowserType="backdoor" />
</http-conf:conduit>

and now that will work just fine again.
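Added example, not from the post: a small shell script that audits the Apache access log for requests that only got in through the header back door, so you can see who still relies on it and move them onto the static Allow line. It assumes a LogFormat (shown in the comments) that records both headers and the env var SetEnvIf sets, an allowed subnet of 192.168.1., and a constructed sample log.

```shell
#!/bin/sh
# Audit script for the header back door described above. It assumes the
# web service's CustomLog uses a format that records the two headers and
# the env var set by SetEnvIf (an assumption, not the post's config):
#   LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\" \"%{BrowserType}i\" %{webservicebackdoor}e" wsaudit
#   CustomLog logs/ws_access.log wsaudit
# %{webservicebackdoor}e prints 1 when SetEnvIf matched and - otherwise.
set -eu

ALLOWED_SUBNET="192.168.1."   # the static subnet on the Allow line (assumed)

# Constructed sample log in that format; IPs, paths and agents are made up.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.168.1.2 [30/Nov/2010:11:15:12 +0000] "POST /axis/services/Country HTTP/1.1" 200 "Axis/1.4" "-" -
10.0.0.77 [30/Nov/2010:11:16:01 +0000] "POST /axis/services/Country HTTP/1.1" 200 "backdoor" "-" 1
10.0.0.78 [30/Nov/2010:11:17:30 +0000] "GET /axis/services/Country?wsdl HTTP/1.1" 200 "Apache CXF 2.2" "backdoor" 1
10.0.0.77 [30/Nov/2010:11:19:44 +0000] "POST /axis/services/Country HTTP/1.1" 200 "backdoor" "-" 1
192.168.1.9 [30/Nov/2010:11:18:05 +0000] "POST /axis/services/Country HTTP/1.1" 403 "soapUI" "-" -
EOF

# Requests per client admitted by the back door (env var set, so the last
# field is 1). The static Allow line never sets the env var, so every line
# counted here came from a host that would otherwise have been denied.
backdoor_clients() {
  awk '$NF == "1" { n[$1]++ } END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# Successful (2xx) calls from outside the static subnet: with the config in
# the post these can only have arrived via the back door, so they are the
# lines to review (or alert on) when deciding who still needs a proper rule.
outside_subnet_ok() {
  awk -v net="$ALLOWED_SUBNET" \
    'index($1, net) != 1 && $7 ~ /^2/ { print $1, $5 }' "$1" | sort -u
}

# Denied requests from inside the subnet: a 403 from a host that should be
# on the Allow line usually means it is missing or mistyped there.
denied_inside_subnet() {
  awk -v net="$ALLOWED_SUBNET" 'index($1, net) == 1 && $7 == "403" { print $1 }' "$1" | sort -u
}

echo "back-door clients:";       backdoor_clients "$SAMPLE_LOG"
echo "2xx from outside subnet:"; outside_subnet_ok "$SAMPLE_LOG"
echo "403 from inside subnet:";  denied_inside_subnet "$SAMPLE_LOG"
```

Point the three functions at the real log instead of the sample to get the list of hosts to add to the Allow line before the back door is removed.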

There you go, a little fringe but hopefully useful to someone.

Private VPNs

As a contractor and part of LDC I have multiple clients on the go at once. One of the problems with that is that sometimes their needs overlap, or one has a crisis when you're on site with another. Mostly you can just explain to the client you're on site with, not bill for 30 mins and go and stand in a stairwell to talk them through it; however, it is often far quicker to just log in to a remote server and fix the problem directly.

Quite reasonably, clients' firewalls don't normally allow this kind of behaviour and block most of the ports you need to fix such things (SSH, RDP and Notes). The first response would be to just use a 3G card (and indeed I have one that works rather well and has let me fix client issues in the strangest locations), but at large clients I always seem to be stuck in a basement or some other no-signal zone.

This preamble is by way of introduction/justification for a private VPN service I am now using. I had a good look round before picking one, needing it to both support Linux AND not be one designed for anonymous P2P (I DO NOT want a client thinking I am using P2P on their network). The one I picked is http://www.witopia.net/ who provide a very quick professional service with good support (I waited 15 mins for a support response) and have a great wiki http://wiki.witopia.net/wiki/Main_Page

If you want it for the same usage as me then you want a certain configuration, else you're not going to get out of the firewalls:

1) You will need the “personalVPN – SSL (openVPN) ” product http://www.witopia.net/index.php/products/
2) You will need to swap to alternative ports (443) http://wiki.witopia.net/wiki/Alternate_Ports
3) If you're on Linux (Ubuntu 10.04+) and have followed the wiki instructions, you will also need to alter the advanced settings on the VPN configuration as below (this is not on the wiki)

Solves a lot of problems for me.

rsync backup

This was something I should have got round to doing ages ago, but I have finally set up my laptop to back up to my NAS using rsync, and I figured a proper step-by-step guide might help others. There are lots of rsync guides out there but few that don't assume loads, so here's a simple one.

GOAL: I want to back up nearly everything in my home directory onto a Windows (or Samba) share. I want it to be one click, to skip certain places and files, and on subsequent runs to only back up new stuff. I also don't want it to inherit any fancy permissions, as if I have a disaster I might need to access it without any rights on a new machine.

I am assuming you are using Ubuntu or a common version of Linux; most of this will work on the Mac I suspect (I know rsync does).

SO, the first thing I need is a mount or drive mapping to back up to:

1) Run "gksudo nautilus" to get an all-powerful file manager and create the folder that is going to be your mount point; I created "/media/backup"

2) Next ensure you have the Samba file sharing utilities installed (smbfs); you can do this at a terminal prompt with "sudo apt-get install smbfs"

3) See if you can now mount your share onto the mount point from step 1 with "sudo mount -t smbfs //192.168.0.XXX/myshare/backup/ /media/backup -o username=stickfight,password=password"
This assumes that I am backing up to the "myshare" share on the IP address 192.168.0.XXX and into the "backup" folder that already exists, and that you have to log on to your share to be able to write to it; if you don't, just leave out the "-o username=stickfight,password=password" bit.

4) Next you want to figure out which files and folders you DON'T want to back up. In my case I don't want any big media files or the cache folder, so I create a text file called "backupexclude.txt", save it into my home directory and type the following into it (making sure that each item is on its own line):

*.mkv
*.avi
*.ogm
*.mp4
.cache

The paths are relative, so instead of /home/stickfight/.cache, as I'm backing up all of /home/stickfight/, I just put ".cache".

5) Install rsync with "sudo apt-get install rsync"

6) Now in the terminal window enter "sudo rsync -r -u --exclude-from '/home/stickfight/backupexclude.txt' --progress /home/stickfight /media/backup/home"

Let me break it up first:

"-r" = copies all the subdirectories and files; normally you would use "-a", but that copies the file permissions as well, which in this case I don't want.
"-u" = update; it only copies new or recently changed files.
"--exclude-from '/home/stickfight/backupexclude.txt'" = loads the exclude file we just made.
"--progress" = makes the terminal output far more readable and tells you how far it has got.
"/home/stickfight /media/backup/home" = source and target directories.

7) Run this and make sure it does what you expect; rsync has tons of options, so alter it as you see fit. Once you have it working, copy both lines (the mount from step 3 and this rsync) into a text file and save it as backup.sh (or whatever).

8) You can now run it from an icon with "sudo sh /home/stickfight/backup.sh"

There we go, job done.

P.S. You might notice a lot of "sudo" going on; perhaps this is not correct from a security point of view, but I'm stripping out the security anyway and I just want it to work without complaining.
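The backup.sh the post arrives at in step 7, written here as an added example rather than the post's own script, with three checks a practitioner would want: the exclude file is sane, the share is really mounted before rsync writes anything, and the password comes from a root-only credentials file instead of the command line. It assumes a cifs mount and a credentials file at /root/.smbcredentials (both assumptions, not from the post) and keeps the post's placeholder host.

```shell
#!/bin/sh
# backup.sh: the mount plus rsync from the post, with checks added.
# Assumptions, not from the post: the share is mounted as cifs (the smbfs
# package on recent Ubuntu is a wrapper around mount.cifs) and the login is in
# a root-only credentials file rather than on the command line, where "ps"
# and the shell history would show the password to every user on the laptop.
set -eu

SHARE="//192.168.0.XXX/myshare/backup"      # placeholder host from the post
MOUNT_POINT="/media/backup"
CREDENTIALS="/root/.smbcredentials"         # assumed; lines: username=... password=...
SRC="/home/stickfight"
EXCLUDES="$SRC/backupexclude.txt"

# The exclude list only works if each pattern sits alone on its line. A file
# edited on Windows carries a trailing CR on every line, so "*.mkv" never
# matches and the media files quietly get backed up after all; [[:space:]]
# covers CR as well as stray blanks. Returns 1 if any line is affected.
exclude_file_ok() {
  ! grep -q -e '^[[:space:]]' -e '[[:space:]]$' "$1"
}

# If the mount failed, rsync would write onto the local disk under
# /media/backup instead of the NAS, so refuse to run unless it is mounted.
ensure_mounted() {
  mountpoint -q "$MOUNT_POINT" ||
    mount -t cifs "$SHARE" "$MOUNT_POINT" -o "credentials=$CREDENTIALS"
  mountpoint -q "$MOUNT_POINT" || { echo "$MOUNT_POINT not mounted" >&2; return 1; }
}

# The rsync line from the post; "$1" lets the caller add --dry-run for a rehearsal.
run_rsync() {
  rsync ${1:-} -r -u --exclude-from "$EXCLUDES" --progress "$SRC" "$MOUNT_POINT/home"
}

do_backup() {
  [ -r "$EXCLUDES" ] || { echo "missing exclude list: $EXCLUDES" >&2; return 1; }
  exclude_file_ok "$EXCLUDES" || { echo "fix whitespace/line endings in $EXCLUDES" >&2; return 1; }
  ensure_mounted
  run_rsync "${1:-}"
}

# Nothing runs until the script is invoked as "sudo sh backup.sh run" (or
# "... dry-run"), so sourcing the file only defines the functions.
case "${1:-}" in
  run)     do_backup ;;
  dry-run) do_backup --dry-run ;;
esac
```

The credentials file must be readable by root only (chmod 600), otherwise it is no better than the password on the command line.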

Java quick tip, the pipe delimiter

The | (or pipe) symbol is an excellent delimiter, rarely used by users and of particular use if you're doing intra-line delimitation. In LotusScript a normal usage example would be:

Dim CountryCode As String

CountryCode = "Britain|GB"

Dim vField As Variant

vField = Split(CountryCode, "|")

So in Java you would expect to write

String[] vField = CountryCode.split("|");

This will appear to work but does something odd (it normally splits on every character). This is because split() expects a regular expression, and | is the OR (alternation) special character in regular expressions. Normally you would just escape it with a backslash, i.e. "\|", but (because the backslash itself has to be escaped inside a Java string literal, as the comments below explain) with split() you end up escaping it twice, e.g.

String[] vField = CountryCode.split("\\|");

Daft little tip, but it might help someone.

Old Comments
————

##### Mark Myers(30/11/2010 11:15:12 GMT)
True enough, but a pain for those that don't know (hence the post)

##### Andrew Magerman(30/11/2010 10:16:43 GMT)
Mark,

I use RegexBuddy { Link } for calculating my regexes. It's awesome, and it automatically does the annoying Java escaping for you. It's written by the guys who wrote the O'Reilly book on regexes. It's worth every penny of 30 – I would not do any regexes without it.

Alas, it is windows-only, but I guess you could have a little virtual machine for your regexes. Even if it hurts your Linux soul.

Andrew

##### Mark Myers(29/11/2010 11:34:22 GMT)
Cool, thanks for the tip. On the reason for the double escape, the reason that I say unknown is that it allows single escapes on a number of other special characters. I will look into auto-escaping of characters in Eclipse as I use regex quite a lot, ta

##### Kerr Rainey(30/11/2010 11:04:56 GMT)
Well, the main problem is not so much how java handles regex, but that there is no regex literal in java. There is no way to simply write a regex pattern into java source without escaping it. If you pass the regex pattern in from some other input then you don’t have the escaping to deal with.

##### Mark Myers(30/11/2010 10:29:21 GMT)
Andrew, it is a fine bit of code indeed; I use EditPad Pro from the same place and would go insane without it. Alas, you are also right about Windows; I tend to only use Linux as a good solid host OS + media player, and do most of my actual work in Windows VMs.

##### Mark Myers(29/11/2010 20:17:17 GMT)
An example would be \b: if you go to an expression builder such as { Link } both \b and \| work just fine, but in split() only \b would work; also \| works fine in things like the Thunar file manager.

##### Kerr Rainey(29/11/2010 10:19:14 GMT)
I think the reason for having to put two backslash chars is that the Java string literal for a backslash is "\\". So to pass a regex pattern 'backslash followed by pipe' to the regex engine from a Java string literal you need to put "\\|"

You can set up eclipse to automatically escape strings pasted into string literals. Normally I find this a pain, but if you have a long regex pattern that you need to escape it can be handy to turn it on, paste and then turn it off again.

##### Mark Myers(30/11/2010 09:52:08 GMT)
That's the problem from my point of view: there is the way regex is handled by Java and the way it is handled by everything else. If you have a valid regex expression that works elsewhere, it has to be modified to work in split().

It would seem I'm not the only person that finds this irritating; see "backslash mess" near the bottom of { Link }

##### Kerr Rainey(29/11/2010 17:15:03 GMT)
Do you have a specific example?

All I can think of off the top of my head is if I wanted to pass something like a double quote to the regex engine. Since I don't need it escaped in the regex, but I do need to escape it in the Java string literal, that would be "\"". If I wanted the regex to look for a backslash, I'd need to escape it in the regex and in the Java string literal, ending up with: "\\\\"

I’d be really curious to find something that didn’t work like that.

##### Kerr Rainey(30/11/2010 09:16:31 GMT)
Are you sure you are getting the result you expect in the \b case? I've just done a little test and although it runs, it does not give me the answer I would want.

'\b' is the char literal in Java for a backspace. Putting that into a string literal however can give you odd-looking results. Just printing it to System.out will not show it, but the length of the string will include it.

If it is the regex pattern for your split then it will split on any backspace in your input. But it won't match anything if there is no backspace char in the input.

If the regex pattern you want to use is to match only the beginning of the word then you will have to escape the backslash in your java string literal.

"Look out Mr. Toad.".split("\bo")
gives
["Look out Mr. Toad."]

"Look out Mr. Toad.".split("\\bo")
gives
["Look ", "ut Mr. Toad."]

"Look out Mr. T\boad.".split("\bo")
gives
["Look out Mr. T", "ad."]

##### Wormwood(24/11/2011 15:38:50 GMT)
I just had this problem and found your tip using Google. Thank you very much! 🙂

Power Gorilla on Lenovo W510

I'm hoping this will be of help to searchers of Google.
The question is: does the powergorilla work with the ThinkPad W510 and other 135W Lenovo laptops?

Quick Answer

Yes, far better than you could hope

Long answer

Recently I upgraded my old Compal FL92 to a ThinkPad W510. I then noticed with some dismay the 135W power brick that came with it, and thought my existing power gorillas would no longer work.

I phoned up powertraveller and after a quick chat with one of the techs (no, I have not forgotten your name, I'm just not posting it) she said she would post the 2 tips needed and a Y-cable out to me for free, without prompting! The powertraveller lot have always seemed genuinely interested in the use you put their products to.

The tips all arrived and I sat down to what I thought would be a night of experimentation with multiple Y-cables and up to 3 powergorillas in parallel. This proved to be unnecessary due to the way ThinkPads handle the fact that there are 3 20V ThinkPad power supplies but only 1 connector type.

These are:

Full speed and battery charging – if you use a 135W power supply
Throttled speed but battery charging – if you use any mains charger of less than 135W (even the 120W ones you can get trigger throttling)

The power gorilla gives out 2.5A at 20V, so about 50W, so you would expect a throttled result, and believe me you don't want the throttled option: I tried it with a 90W travel power supply and it throttles the processors so badly that even a movie stutters. But when I plugged in the power gorilla, it just "paused" the internal battery and ran off the gorilla. Eh? Why would it do that? I spent some time trying all variations of 65W/90W/travel 90W/135W and the Gorilla, and it always behaved the same. I think that because of the 27++ bolt-on battery, modern ThinkPads can detect if a battery is plugged into them, and the W510 is treating the powergorilla as such.

OK so a great solution, but how long does it keep your laptop going?

A powergorilla at the 20V (19V in reality) setting produces 55Wh.

The 3 batteries that are compatible with the W510 are:

55+ (6 cell battery, the one that is flush with the back of the laptop) at 57Wh
55++ (9 Cell Battery, the one that sticks out the back of the laptop) at 94Wh
27++ (9 Cell Battery, the extra one that hangs off the bottom) at 94Wh

After playing around charging and discharging, the times all came down to the expected pro rata times (1 power gorilla lasts just under the full time of a 55+ and about two thirds of the time of a 55++/27++).

And here is the bonus: if you have a power gorilla already, you will know that you can charge and use it at the same time (providing they are both on the same voltage). This means you can use a travel power supply (or any 20V power supply of less than 135W) to run your laptop un-throttled. I have tried this and it works (I have never seen the power meter on the W510 go above 90W, and even then it would probably just be a spike), so you can finally go back to using your sparkly new laptop on planes/cars.

All in all a perfect solution, an excellent product and fab customer service (well done to Lenovo for the smart power management as well).