INFO-VAX Sun, 16 Nov 2008 Volume 2008 : Issue 620 Contents: Re: Apache FtpServer Re: Apache FtpServer Re: Banana Republic (was Re: OpenVMS Book Wins award) Re: Error-free DESTRUCTURING-BIND Re: Most impressive VAX installations Re: Most impressive VAX installations Re: Most impressive VAX installations Re: OVMS Integrity BASIC LTU Getting only 1 user at cost of $2400.00??? Re: OVMS Integrity BASIC LTU Getting only 1 user at cost of $2400.00??? Tomcat authentication against SYSUAF Re: VMS, HP and the recession Re: VMS, HP and the recession Re: VMS, HP and the recession ---------------------------------------------------------------------- Date: Sat, 15 Nov 2008 21:22:59 -0500 From: =?ISO-8859-1?Q?Arne_Vajh=F8j?= Subject: Re: Apache FtpServer Message-ID: <491f8403$0$90266$14726298@news.sunsite.dk> Pierre wrote: > did anyone already run the Apache FtpServer on VMS? > http://mina.apache.org/ftpserver/index.html > > if so, did you use an UAF based user manager? I was not even aware that it existed. But just for fun I created an UAF based user manager. Or actually not. I created a user manager calling a dummy class, tested that on a PC and created a real class that accessed UAF and tested that on VMS. I have the problem that the FTP server requires Java 1.5- and my VMS version only supports Java -1.4.2. But It should work when combined. Code snippets below. Arne ============================================= config fragment --------------- ... 
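FtpUafAuthenticator.java
------------------------

package dk.vajhoej.vms.sys;

import org.apache.ftpserver.ftplet.Authentication;
import org.apache.ftpserver.ftplet.AuthenticationFailedException;
import org.apache.ftpserver.ftplet.Authority;
import org.apache.ftpserver.ftplet.FtpException;
import org.apache.ftpserver.ftplet.User;
import org.apache.ftpserver.usermanager.AbstractUserManager;
import org.apache.ftpserver.usermanager.BaseUser;
import org.apache.ftpserver.usermanager.ConcurrentLoginPermission;
import org.apache.ftpserver.usermanager.TransferRatePermission;
import org.apache.ftpserver.usermanager.UsernamePasswordAuthentication;
import org.apache.ftpserver.usermanager.WritePermission;

/**
 * Apache FtpServer user manager that checks passwords and looks up home
 * directories through the native {@link VMSAuth} bridge instead of keeping
 * its own user store.
 *
 * Deployment notes:
 * - The process hosting this class must be able to read authorization data,
 *   so a compromise of the FTP server exposes more than FTP (the author makes
 *   the same point in the follow-up message).
 * - Nothing in this class or in the native code assumes the identity of the
 *   logged-in user, so file access is presumably performed with the server
 *   process's own rights; confirm before relying on per-user file protection.
 */
public class FtpUafAuthenticator extends AbstractUserManager {
    /**
     * Authenticates a username/password pair against VMS.
     *
     * @param auth the credentials supplied by the FTP client
     * @return the user object built by {@link #getUserByName(String)}
     * @throws AuthenticationFailedException if the credentials are missing,
     *         rejected, or of an unsupported type
     */
    public User authenticate(Authentication auth) throws AuthenticationFailedException {
        if(auth instanceof UsernamePasswordAuthentication) {
            UsernamePasswordAuthentication unpwauth = (UsernamePasswordAuthentication)auth;
            String un = unpwauth.getUsername();
            String pw = unpwauth.getPassword();
            // A null reference must never reach the native layer; reject it here
            // with the same message as any other failed login.
            if(un == null || pw == null) {
                throw new AuthenticationFailedException("Login failed for username: " + un);
            }
            if(VMSAuth.checkPassword(un, pw)) {
                try {
                    return getUserByName(un);
                } catch (FtpException e) {
                    throw new AuthenticationFailedException("Login failed for username: " + un);
                }
            } else {
                // The message embeds the client-supplied name; if it ends up in a
                // log, sanitize it there (it can contain arbitrary characters).
                throw new AuthenticationFailedException("Login failed for username: " + un);
            }
        } else {
            // instanceof is false for null as well, so guard before getClass().
            String type = (auth == null) ? "null" : auth.getClass().getName();
            throw new AuthenticationFailedException("Unknown authentication type: " + type);
        }
    }

    /** Not supported: accounts are managed in VMS, not through the FTP server. */
    public void delete(String login) throws FtpException {
        // nothing
    }

    /**
     * Always reports that the user exists. Answering truthfully would let an
     * unauthenticated client probe for valid account names; unknown names still
     * fail at {@link #authenticate(Authentication)}.
     */
    public boolean doesExist(String login) throws FtpException {
        return true; // not true but they can not login anyway
    }

    /**
     * Account names are deliberately not exposed.
     *
     * @return an empty array (never null, so callers can iterate safely)
     */
    public String[] getAllUserNames() throws FtpException {
        return new String[0]; // not needed
    }

    /**
     * Builds the FTP user object for a login name.
     *
     * This method does not verify that the account exists: for an unknown name
     * the native lookup returns an empty home directory and a user object is
     * still produced. Callers other than authenticate() must not treat the
     * result as proof of a valid account.
     *
     * @param login the account name
     * @return a user with home directory taken from the authorization data
     * @throws FtpException if no login name is supplied
     */
    public User getUserByName(String login) throws FtpException {
        if(login == null) {
            throw new FtpException("No login name supplied");
        }
        BaseUser user = new BaseUser();
        user.setName(login);
        user.setEnabled(true);
        user.setMaxIdleTime(0); // NOTE(review): presumably "no idle timeout" - confirm this is wanted
        user.setHomeDirectory(VMSAuth.getDefaultDir(login));
        // NOTE(review): every account receives write permission and the
        // transfer-rate authority is created with (0, 0); derive these from the
        // account (e.g. via VMSAuth.hasPriv) if not all users should upload.
        Authority[] auth = new Authority[3];
        auth[0] = new WritePermission();
        auth[1] = new ConcurrentLoginPermission(1, 1);
        auth[2] = new TransferRatePermission(0, 0);
        user.setAuthorities(auth);
        return user;
    }

    /** Not supported: accounts are managed in VMS, not through the FTP server. */
    public void save(User user) throws FtpException {
        // nothing
    }
}

VMSAuth.java
------------

package dk.vajhoej.vms.sys;

/**
 * JNI bridge to the VMS authorization services implemented in VMSAuth_shr.
 * Callers must pass non-null strings; the password travels as an immutable
 * String and therefore cannot be cleared from memory after the check.
 */
public class VMSAuth {
    static {
        System.loadLibrary("VMSAuth_shr");
    }
    /** Returns true when the username/password pair is accepted. */
    public static native boolean checkPassword(String un, String pw);
    /** Returns default device + directory of the account, or "" if the lookup fails. */
    public static native String getDefaultDir(String un);
    /** Returns true when the account holds the named privilege (see the C source for the name list). */
    public static native boolean hasPriv(String un, String priv);
}

DK_VAJHOEJ_VMS_SYS_VMSAUTH.C
----------------------------

/*
 * NOTE(review): the header names on the bare #include lines below were lost
 * when this listing was archived. The identifiers used in the file presumably
 * come from string.h, descrip.h, uaidef.h, prvdef.h and starlet.h, plus
 * acmedef.h in the non-OLD branch; the original list and order cannot be
 * recovered from this page.
 */
#include
#include
#include
#include
#ifndef OLD
#include
#include
#endif
#include

struct itmlst
{
   short int length;
   short int code;
   long int bufadr;
   long int retlenadr;
};

#include "dk_vajhoej_vms_sys_VMSAuth.h"

/* Largest string length that fits the signed 16-bit length field of struct itmlst. */
#define VMSAUTH_MAX_LEN 32767

/* Returns non-zero when s is short enough to be described by a 16-bit length. */
static int fits_item(const char *s)
{
   return strlen(s) <= VMSAUTH_MAX_LEN;
}

/*
 * Performs the actual credential check; returns non-zero on success.
 *
 * OLD branch: fetches salt, algorithm and stored hash, hashes the candidate
 * password locally and compares. Only those three items are requested, so
 * nothing in this path looks at account flags or expiration, and nothing here
 * records a failed attempt - NOTE(review): confirm that is acceptable.
 *
 * Default branch: hands the whole decision to the authentication service as
 * a network logon and accepts only if both the call status and the status
 * block report success.
 */
static int verify_credentials(char *un, char *pw)
{
#ifdef OLD
   long int pwd[2],hpwd[2];
   short int salt;
   char encryp;
   struct dsc$descriptor_s undesc,pwdesc;
   struct itmlst items[4] = { {sizeof(salt), UAI$_SALT, (long int)&salt, 0},
                              {sizeof(encryp), UAI$_ENCRYPT, (long int)&encryp, 0},
                              {sizeof(pwd), UAI$_PWD, (long int)&pwd, 0},
                              {0, 0, 0, 0} };
   undesc.dsc$w_length = strlen(un);
   undesc.dsc$b_dtype = DSC$K_DTYPE_T;
   undesc.dsc$b_class = DSC$K_CLASS_S;
   undesc.dsc$a_pointer = un;
   pwdesc.dsc$w_length = strlen(pw);
   pwdesc.dsc$b_dtype = DSC$K_DTYPE_T;
   pwdesc.dsc$b_class = DSC$K_CLASS_S;
   pwdesc.dsc$a_pointer = pw;
   if((sys$getuai(0, 0, &undesc, items, 0, 0, 0) & 1) &&
      (sys$hash_password(&pwdesc, encryp, salt, &undesc, &hpwd) & 1))
   {
      return pwd[0] == hpwd[0] && pwd[1] == hpwd[1];
   }
   else
   {
      return 0;
   }
#else
   long int logontype, stat, sb[4];
   logontype = ACME$K_NETWORK;
   struct itmlst items[4] = { {sizeof(logontype), ACME$_LOGON_TYPE, (long int)&logontype, 0},
                              {strlen(un), ACME$_PRINCIPAL_NAME_IN, (long int)un, 0},
                              {strlen(pw), ACME$_PASSWORD_1, (long int)pw, 0},
                              {0, 0, 0, 0} };
   stat = sys$acmw(0, ACME$_FC_AUTHENTICATE_PRINCIPAL, 0, items, sb, 0, 0);
   if((stat & 1) && (sb[0] & 1))
   {
      return 1;
   }
   else
   {
      return 0;
   }
#endif
}

/*
 * JNI entry point for VMSAuth.checkPassword.
 * Returns 0 for null arguments, for strings too long for a 16-bit length, and
 * when the JVM cannot provide the string data (an exception is then pending).
 * Both native string copies are released on every path.
 */
JNIEXPORT jboolean JNICALL Java_dk_vajhoej_vms_sys_VMSAuth_checkPassword(JNIEnv *cntx, jclass me, jstring jun, jstring jpw)
{
   jboolean ok = 0;
   char *un;
   char *pw;
   if(!jun || !jpw) return 0;
   un = (char*)(*cntx)->GetStringUTFChars(cntx, jun, 0);
   if(!un) return 0;
   pw = (char*)(*cntx)->GetStringUTFChars(cntx, jpw, 0);
   if(pw)
   {
      /* Username and password come from the FTP client: bound them before
         their lengths are narrowed into 16-bit fields. */
      if(fits_item(un) && fits_item(pw))
      {
         ok = verify_credentials(un, pw) ? 1 : 0;
      }
      /* The buffer may point into JVM memory, so it is released, not scrubbed. */
      (*cntx)->ReleaseStringUTFChars(cntx, jpw, pw);
   }
   (*cntx)->ReleaseStringUTFChars(cntx, jun, un);
   return ok;
}

/*
 * JNI entry point for VMSAuth.getDefaultDir.
 * Returns default device followed by default directory, or "" when the
 * argument is null or too long or the lookup fails. Returns NULL only when the
 * JVM cannot provide the string data (an exception is then pending).
 */
JNIEXPORT jstring JNICALL Java_dk_vajhoej_vms_sys_VMSAuth_getDefaultDir(JNIEnv *cntx, jclass me, jstring jun)
{
   char dev[1+32],dir[1+64],retbuf[2+96];
   char *un;
   unsigned int devlen, dirlen;
   struct dsc$descriptor_s undesc;
   struct itmlst items[3] = { {sizeof(dev), UAI$_DEFDEV, (long int)&dev[0], 0 },
                              {sizeof(dir), UAI$_DEFDIR, (long int)&dir[0], 0 },
                              {0, 0, 0, 0} };
   strcpy(retbuf, "");
   if(!jun) return (*cntx)->NewStringUTF(cntx,retbuf);
   un = (char*)(*cntx)->GetStringUTFChars(cntx, jun, 0);
   if(!un) return 0;
   if(fits_item(un))
   {
      undesc.dsc$w_length = strlen(un);
      undesc.dsc$b_dtype = DSC$K_DTYPE_T;
      undesc.dsc$b_class = DSC$K_CLASS_S;
      undesc.dsc$a_pointer = un;
      if(sys$getuai(0, 0, &undesc, items, 0, 0, 0) & 1)
      {
         /* Both values are counted strings (first byte = length). Read the
            count as unsigned and clamp it so the terminator always lands
            inside the buffer, whatever the count byte holds. */
         devlen = (unsigned char)dev[0];
         dirlen = (unsigned char)dir[0];
         if(devlen > sizeof(dev) - 2) devlen = sizeof(dev) - 2;
         if(dirlen > sizeof(dir) - 2) dirlen = sizeof(dir) - 2;
         dev[devlen+1] = '\0';
         dir[dirlen+1] = '\0';
         /* retbuf holds the two clamped strings plus the terminator. */
         strcpy(retbuf,dev+1);
         strcat(retbuf,dir+1);
      }
   }
   (*cntx)->ReleaseStringUTFChars(cntx, jun, un);
   return (*cntx)->NewStringUTF(cntx,retbuf);
}

/*
 * One link of the name -> privilege-bit chain in hasPriv. It records the
 * answer in `result` instead of returning, so the caller can release its JNI
 * strings on every path; the bit is tested with != 0 so the outcome does not
 * depend on the sign of the 64-bit mask.
 */
#define MASKCHECK(privname) else if(strcmp(priv, #privname) == 0) result = ((mask & PRV$M_##privname) != 0);

/*
 * JNI entry point for VMSAuth.hasPriv.
 * Returns 1 when the account's privilege mask contains the named privilege,
 * 0 for unknown names, null or over-long arguments, or a failed lookup.
 */
JNIEXPORT jboolean JNICALL Java_dk_vajhoej_vms_sys_VMSAuth_hasPriv(JNIEnv *cntx, jclass me, jstring jun, jstring jpriv)
{
   __int64 mask = 0;
   jboolean result = 0;
   char *un;
   char *priv;
   struct dsc$descriptor_s undesc;
   struct itmlst items[2] = { {sizeof(mask), UAI$_PRIV, (long int)&mask, 0 },
                              {0, 0, 0, 0} };
   if(!jun || !jpriv) return 0;
   un = (char*)(*cntx)->GetStringUTFChars(cntx, jun, 0);
   if(!un) return 0;
   priv = (char*)(*cntx)->GetStringUTFChars(cntx, jpriv, 0);
   if(priv)
   {
      if(fits_item(un))
      {
         undesc.dsc$w_length = strlen(un);
         undesc.dsc$b_dtype = DSC$K_DTYPE_T;
         undesc.dsc$b_class = DSC$K_CLASS_S;
         undesc.dsc$a_pointer = un;
         if(sys$getuai(0, 0, &undesc, items, 0, 0, 0) & 1)
         {
            /* NOTE(review): a "privilege" equal to the username is granted
               without consulting the mask - presumably so a caller can use an
               account name as a role. Confirm this is intended; it means the
               answer is not always a statement about VMS privileges. */
            if(strcmp(un, priv) == 0) result = 1;
            MASKCHECK(CMKRNL)
            MASKCHECK(CMEXEC)
            MASKCHECK(SYSNAM)
            MASKCHECK(GRPNAM)
            MASKCHECK(ALLSPOOL)
            MASKCHECK(IMPERSONATE)
            MASKCHECK(DIAGNOSE)
            MASKCHECK(LOG_IO)
            MASKCHECK(GROUP)
            MASKCHECK(NOACNT)
            MASKCHECK(PRMCEB)
            MASKCHECK(PRMMBX)
            MASKCHECK(PSWAPM)
            MASKCHECK(SETPRI)
            MASKCHECK(SETPRV)
            MASKCHECK(TMPMBX)
            MASKCHECK(WORLD)
            MASKCHECK(MOUNT)
            MASKCHECK(OPER)
            MASKCHECK(EXQUOTA)
            MASKCHECK(NETMBX)
            MASKCHECK(VOLPRO)
            MASKCHECK(PHY_IO)
            MASKCHECK(BUGCHK)
            MASKCHECK(PRMGBL)
            MASKCHECK(SYSGBL)
            MASKCHECK(PFNMAP)
            MASKCHECK(SHMEM)
            MASKCHECK(SYSPRV)
            MASKCHECK(BYPASS)
            MASKCHECK(SYSLCK)
            MASKCHECK(SHARE)
            MASKCHECK(UPGRADE)
            MASKCHECK(DOWNGRADE)
            MASKCHECK(GRPPRV)
            MASKCHECK(READALL)
            MASKCHECK(IMPORT)
            MASKCHECK(AUDIT)
            MASKCHECK(SECURITY)
         }
      }
      (*cntx)->ReleaseStringUTFChars(cntx, jpriv, priv);
   }
   (*cntx)->ReleaseStringUTFChars(cntx, jun, un);
   return result;
}

------------------------------ Date: Sat, 15 Nov 2008 21:58:10 -0500 From: =?ISO-8859-1?Q?Arne_Vajh=F8j?= Subject: Re: Apache FtpServer Message-ID: <491f8c41$0$90263$14726298@news.sunsite.dk> Arne Vajhøj wrote: > Pierre wrote: >> did anyone already run the Apache FtpServer on VMS? >> http://mina.apache.org/ftpserver/index.html >> >> if so, did you use an UAF based user manager? > > I was not even aware that it existed. > > But just for fun I created an UAF based user manager. > > Or actually not. I created a user manager calling a > dummy class, tested that on a PC and created a real class > that accessed UAF and tested that on VMS. I have the > problem that the FTP server requires Java 1.5- and > my VMS version only supports Java -1.4.2. But It should > work when combined. > > Code snippets below. Oh - and if the app has the privs to check a username/password combination, then the app also has privs to a lot of other things. Security of the solution should be checked. Arne ------------------------------ Date: Sun, 16 Nov 2008 18:08:27 +1030 From: Mark Daniel Subject: Re: Banana Republic (was Re: OpenVMS Book Wins award) Message-ID: <012fb96c$0$20664$c3e8da3@news.astraweb.com> Richard Maher wrote: > Hi Mark, > > Thanks for the reply. (Sorry for the delay) > >> I noted the post on Adobe policy files. > > I think the HTML5 people ignore policy-files at their peril. 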
(Not that they > seem to care as their world is all HTTP-shaped with no end of lovely > "headers") Cross-domain access is one of the holy grails of distributed applications (at least those that can be mashed together from existing webby technologies) and are always fraught with security related issues. Of course there probably also is an element of 'HTML people' tending to have only a hammer in their toolbox (no real slight intended). >> [Orbited] Without some sort of access >> control it functions as an open relay - carte blanche. > > I haven't used it but I believe they have some sort of white-list. That is coarse-grained access control. Adobe policy files are a structured, finer-grained white-list. >> Both are broad, evolving concepts and implementations. > > Unlike TCP/IP and/or UDP Sockets with Java that have been around since year > dot. (Ok, sandboxed or signed up until now) > >> FYIW; I have an (as-yet) unpublished Web application displaying >> elementary graphs of $GETRMI (monitor) data. It uses a Comet-style >>