What are the supported browsers?

December 13, 2013


For the best experience, use the most recent version of a modern browser.

Supported desktop browsers

  1. Chrome
  2. Firefox
  3. Safari
  4. Internet Explorer


Supported tablets

  • iPad 2+ with iOS7+
  • Android tablets 4.3+


Supported mobiles

  • iPhone iOS7+
  • Android Phones 4.3+


Evergreen browsers

We support the latest version of Google Chrome and Firefox (both of which update themselves automatically whenever a new version is available). We support the current and previous major releases of Safari on a rolling basis: each time a new version is released we begin supporting that version and stop supporting the third most recent version.


Internet Explorer

Internet Explorer 11 launched on October 17, 2013. The best Internet Explorer experience will be had on the latest version of the browser. Our support for Internet Explorer 8 is about to end, as it is not compatible with newer web features. Due to browser limitations some features may be disabled on older versions of IE.


Bootstrap Requirements

stSoftware relies heavily on Bootstrap. The upcoming Bootstrap 4 release drops support for IE8, and we will drop support for IE8 at the same time.


Browser settings

All browsers must have cookies and JavaScript enabled to use stSoftware systems.


Browsers/Platforms Matrix

We support the latest versions of the following browsers and platforms.

Platform    Chrome      Firefox     IE           Safari
Android     Supported   Supported   N/A          N/A
iOS         Supported   N/A         N/A          Supported
Mac OS X    Supported   Supported   N/A          Supported
Windows     Supported   Supported   Supported    Not Supported



How to configure websense to use JobTrack

August 7, 2013


Websense must be configured to allow all SSL traffic to the system.

Instances of "Invalid HTTP request" have been seen when the Websense proxy server is in use. The proxy server must be configured to pass all SSL traffic to the server through unmodified.



What are the MINIMUM platform requirements?

September 10, 2013


Any platform that will run the current release of Java and supports large memory heaps.


stSoftware server Minimum requirements

The system is a pure Java SE implementation. All extensions required beyond the standard JDK7+ install come bundled with the system installation. The system is intended as a large multi-user web application with large internal data caches, which require generous amounts of RAM on the server machine.

The server is compatible with any standard Java Servlet 3.0 (or later) container. Supported servlet containers include:

Operating Systems

The server is operating system independent which means that the server will operate on any Windows, Macintosh, Linux or UNIX machine that supports our minimum requirements.


The stSoftware system is equally effective over a wide or local area network, or delivered via the internet. Performance is directly affected by the standard of the infrastructure used, so system speed will improve with a higher capacity network, internet connection or PC.

Minimum Server Requirements:
  • Java SE7 or above
  • A database server which can be one of :-
    • Postgresql 9.1+
    • MySql 5.5+
    • Microsoft SQL 2010+
    • Oracle 12+
    • Sybase 12.5+
  • Up to date JDBC database drivers for the above databases.
  • A server level computer with at least 4GB free RAM but a typical server has 12 GB of RAM or more.
  • The disk space required for the installation is a minimum of 300 MB (This does not include the user data and files).

Please note these are the MINIMUM system requirements, see the IDEAL system design.

Tags: Java

Support multiple site publishing and authoring

September 5, 2013


Unique layered database structure allows content and customization to be shared across systems.

stSoftware systems are built from the ground up on a unique multi-layered database structure which allows documents, articles, business rules and all other types of data to be selectively and securely shared across many systems and sites.   

A layered database system is the aggregation of the layers below it. By selectively placing data and documents in different layers, they can be securely shared across the different systems.

Layered database

Detailed design of a layered database system Multi-Layered DB Application-document

What are the system password management options?

February 20, 2013


The system has many standard password options.


The system administrator can configure the system password management and storage options to find the correct balance between convenience, performance and security.  The password and login options can be configured at the global level and at a per user level. 

System Password Options

  1. Password expires after X days.
    • The user will be required to enter a new password after this period has expired.
  2. Passwords cannot be re-used within X days
    • The minimum period before the user may re-use an old password.
  3. Passwords must have minimum length
    • The longer the password, in general the harder the password is to guess. 
  4. Passwords must have maximum length
    • There is no practical system level length restriction.
  5. Passwords must include both alpha & numeric characters
    • Requiring the user to create passwords with both alphabetic characters and numbers can increase the strength of the password.
  6. Passwords may not contain more than a set number of sequential characters.
    • This option prevents the users from entering a password like '123456'
  7. The number of log in attempts before the user is disabled.
    • This option prevents brute force attempts at guessing a user's password. 
  8. The number of days before an inactive user is disabled.
    • This option automatically disables inactive users, which reduces the opportunity for an attacker to find and use an old account.
    • The option should be set to a reasonably high number of days so that people are not locked out just by going on leave.
  9. If "remember me" is enabled for desktop browsers. 
    • Should we offer to remember the user with a persistent cookie on a desktop computer?
    • This is very convenient, but it is a security risk if the computer is stolen.
  10. If "remember me" is enabled for mobile browsers.
    • Should we offer to remember the user with a persistent cookie on a mobile or tablet?
    • This is very convenient, but it is a security risk if the device is stolen or lost.
  11. Remember me can be configured for use only within trusted zones
    • This allows users to choose "remember me" within an office environment, while the option is not offered at all in, say, an airport terminal.
    • Even if "remember me" was previously checked on a device while in a trusted zone, an attempt to log in again from a non-trusted zone ignores the earlier "remember me" request and requires a full login.
  12. The email template to send the user when resetting their password.
    • This email template can be customized to give detailed instructions on any special procedures for resetting passwords.
  13. The Action URLs allow the next step to be configured once a user logs in/out, changes a password or resets their password. 
  14. The default storage algorithm
    • The system default password storage algorithm can be overridden on a per login record basis.
    • When a user's password is changed, the password is saved according to the chosen storage algorithm.
    • Different algorithms have different properties, such as verification cost and resistance to brute-force cracking.
  15. Block login attempts by browser strings. 
    • The system does not support IE6 so any attempt to login with this browser will be blocked and a message is shown.

Password options

 User Password Options

  1.  General user contact details
    • Title
    • First/Last name
    • Business unit 
    • Phone 
    • Email 
    • and many more.
  2. The login ID
  3. The password
    • The password is never sent back in a web form, so an attacker cannot recover it by viewing the page source.
  4. The base access level for this user.
    • Owner - Most access controls do not apply to the owner of the system: "with great power comes great responsibility".
    • User - Most user actions are controlled by a series of Access Control Limits.
    • Readonly - All the restrictions of a user, but in addition all classes are read-only by default.
    • Guest - Has no access by default; tables and records must be expressly granted.
  5. Disable the user.
    • The user will no longer be able to access the system.
    • Any current session will be terminated. 
  6. Force expire the user's password. 
    • The user will be required to change their password the next time they log in. 
    • "Force expire" is defaulted on when an administrator resets the user's password.
  7. Never expire is only used for functional accounts. 
    • This option should be used sparingly. 
    • A login marked as never expire will not be disabled even if multiple wrong password attempts are made, so give it a long, random password.
    • One primary account is often marked as "never expire" so that you are not locked out of the system by an attacker making 5 wrong attempts on every login.
  8. Functional allows multiple concurrent users to use the same login. 
    • Normally the system logs a user out when they log in from a different browser, which makes it obvious if someone else is using your account.
  9. SSO mode and Domain are used for integration with Microsoft NTLM single sign-on and can only be used within a Microsoft intranet environment.

User Login

Password Storage Algorithms

Best Practice 2017: Encrypted Salted PBKDF2, 23456 iterations

A salted PBKDF2 hash of the password with 23456 iterations. The resulting hash is stored in the database as an encrypted value. Key length 1024.

Sample times: Max: 272 ms, Min: 111 ms, Avg: 122 ms, Median: 115 ms, Count: 100

  • Very hard to brute force because of the large number of PBKDF2 iterations: every guess costs the attacker as much work as a legitimate login. (PBKDF2 is CPU-bound rather than memory-hard, so the iteration count is what sets the cost.)
  • Matching passwords cannot be found by comparing stored values, because each password has its own random salt.
  • The stored value cannot be decrypted without access to the encryption keys held in the separate master database.
  • Rainbow tables cannot be used against the hashes, because of the random salt values.
  • The actual password value cannot be retrieved or used in any way.
  • Verifying a valid password takes a minimum of about 100 ms per call.

Encrypted Salted PBKDF2 and SHA-512, hashed 1234 times

A salted PBKDF2 hash of the password with 1234 iterations. The resulting hash is stored as an encrypted value with a key length of 64.

Sample times: Max: 7 ms, Min: 3,224 μs, Avg: 3,905 μs, Median: 3,653 μs, Count: 100

  • Hard to brute force because of the iterated hashing, although at 1234 iterations each guess is roughly twenty times cheaper than with the Best Practice setting above.
  • Matching passwords cannot be found by comparing stored values, because each password has its own random salt.
  • The stored value cannot be decrypted without access to the encryption keys held in the separate master database.
  • Rainbow tables cannot be used against the hashes, because of the random salt values.
  • The actual password value cannot be retrieved or used in any way.

Encrypted Salted SHA-512 Hash

A salted SHA-512 hash of the original password, stored as an encrypted value. A single hash round is fast to verify but equally fast to guess, so this offers far less brute-force resistance than the PBKDF2 options.

  • Matching passwords cannot be found by comparing stored values, because each password has its own random salt.
  • The stored value cannot be decrypted without access to the encryption keys held in the separate master database.
  • Rainbow tables cannot be used against the hashes, because of the random salt values.

Salted Encrypted

The password, with a random salt, is stored in an encrypted format in the database. The encryption key is stored in a separate database from the encrypted value.

  • If the encryption key is retrieved from the master database and the encrypted value from the client database, the actual password can be decrypted.
  • The password value can be used (non-destructive storage of the original password). This is needed, for example, when the actual password is required to access other systems such as file servers.
  • Matching passwords cannot be found by comparing stored values, because of the random salt.
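
The properties claimed for the salted PBKDF2 options, shown in working code as an added example for this page rather than the product's own implementation: a fresh random salt per record, constant-time comparison on verify, and the per-record iteration count that allows the algorithm to be chosen per login and upgraded on the next successful login (the "when a user's password is changed" rule above, applied a step earlier). The 23456 and 1234 iteration counts are the page's; the 16-byte salt and 64-byte derived key are assumptions, and the encryption of the stored hash under a key from the separate master database is left out (the Python standard library has no AES). A practitioner should note that 1234 iterations is low by current guidance, which is exactly the case the upgrade function handles.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Iteration count quoted above for the "Best Practice 2017" algorithm; the salt
# and derived-key sizes are assumptions for this example (the page does not state them).
ITERATIONS = 23456
SALT_BYTES = 16
DKLEN = 64        # bytes, the SHA-512 output size


@dataclass(frozen=True)
class StoredPassword:
    """What the login record keeps: salt, hash, and the parameters that produced it.
    Keeping the iteration count on the record is what lets the algorithm differ per
    login and be upgraded later without a mass password reset."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, iterations: int = ITERATIONS) -> StoredPassword:
    """Salted PBKDF2-HMAC-SHA512. A fresh random salt means two users with the same
    password get unrelated hashes, so neither a rainbow table nor an equality
    comparison across records reveals a match."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return StoredPassword(salt, digest, iterations)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), stored.salt, stored.iterations, dklen=DKLEN
    )
    return hmac.compare_digest(digest, stored.digest)


def verify_and_upgrade(password: str, stored: StoredPassword, current_iterations: int = ITERATIONS):
    """Verify and, if the record was made with a weaker setting (for example the
    1234-iteration variant), re-hash it now while the plaintext is available.
    Returns (ok, record_to_store)."""
    if not verify_password(password, stored):
        return False, stored
    if stored.iterations < current_iterations:
        return True, hash_password(password, current_iterations)
    return True, stored


def unsalted_sha512(password: str) -> bytes:
    """For contrast only: without a salt, equal passwords give equal hashes."""
    return hashlib.sha512(password.encode("utf-8")).digest()


def cost_ms(iterations: int) -> float:
    """Wall-clock cost of one hash at this iteration count: what every guess costs an attacker."""
    start = time.perf_counter()
    hash_password("benchmark", iterations)
    return (time.perf_counter() - start) * 1000.0
```

Because the iteration count lives on the record, `verify_and_upgrade` can be called from the login path: a record hashed with 1234 iterations is rewritten with 23456 the first time its owner logs in successfully, so the stronger setting is not limited to users who happen to change their password.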

What are the security, back-up, disaster recovery and firewall services?

November 26, 2013


stSoftware systems have security measures, back-up procedures and a range of disaster recovery options.


Industry standard best practice is followed for passwords on both the web server and the Linux machines. Site designers do not have direct access to the underlying Linux server, the raw database or the files; all changes are made within the sandbox of the system.

Back ups

All databases are backed up nightly.

All client documents are backed up nightly and consistency check of the raw file checksum is performed. 

The backups are kept for a week on site.

The machines themselves are backed up as a whole to an off site secure backup location. A full or partial restore of the machine can be done from the off site recovery centre.


The standard system is Linux with all ports closed except HTTP, HTTPS and SSH.

SSH is configured to block IP addresses after a series of failed login requests. All SSH requests from unknown locations or from foreign countries are blocked by default.


All raw files, which are stored separately from the database itself, are sent to both the main site and the disaster recovery site when they are uploaded. Each version of a file is kept and never modified (a new version is created instead). When a file is uploaded, a checksum of the raw file is computed and stored in the database; the file is then encrypted and the key is stored in the database. The compressed and encrypted file is sent to the redundant file servers for permanent storage.

The hosting provider offers 2-hour hardware replacement.
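
How the write-once versioning and the checksum consistency check mentioned above fit together, as an added example for this page and not stSoftware's storage code. The checksum is taken over the raw bytes before compression, which is what a nightly sweep re-verifies; the per-file encryption of the real system is omitted here (the Python standard library has no AES), and the class and method names are assumptions.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DocVersion:
    version: int
    sha256: str      # checksum of the raw file, recorded in the database at upload time
    blob: bytes      # compressed payload as shipped to the file servers (encryption omitted here)


class DocumentStore:
    """Write-once versioned store: an upload never overwrites, it appends a new version."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[DocVersion]] = {}

    @staticmethod
    def checksum(raw: bytes) -> str:
        return hashlib.sha256(raw).hexdigest()

    def upload(self, name: str, raw: bytes) -> DocVersion:
        """Checksum the raw bytes first, then compress; the stored checksum is the
        reference that every later read and sweep is compared against."""
        versions = self._versions.setdefault(name, [])
        entry = DocVersion(len(versions) + 1, self.checksum(raw), zlib.compress(raw))
        versions.append(entry)
        return entry

    def fetch(self, name: str, version: Optional[int] = None) -> bytes:
        """Return the raw bytes of a version (latest by default), verifying on read so a
        corrupted copy is never handed back silently."""
        versions = self._versions[name]
        entry = versions[-1] if version is None else versions[version - 1]
        raw = zlib.decompress(entry.blob)
        if self.checksum(raw) != entry.sha256:
            raise IOError(f"{name} v{entry.version}: checksum mismatch")
        return raw

    def consistency_check(self) -> List[str]:
        """Nightly-style sweep: decompress every stored version and recompute its checksum;
        returns 'name vN' for each version that no longer matches the recorded value."""
        bad = []
        for name, versions in self._versions.items():
            for entry in versions:
                try:
                    raw = zlib.decompress(entry.blob)
                except zlib.error:
                    bad.append(f"{name} v{entry.version}")
                    continue
                if self.checksum(raw) != entry.sha256:
                    bad.append(f"{name} v{entry.version}")
        return bad
```

Taking the checksum before compression (and, in the real system, before encryption) means the sweep verifies the content a user will actually get back, not merely that the stored blob is unchanged since it was written.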

Well supported with adequate and timely technical support.

September 5, 2013

Australian-based support able to handle any technical query.

Online technical documentation

  • User Help
  • Developer APIs
  • Check our BLOG page for quick answers to some of our most common support requests. 

Telephone Support

Our Sydney based help desk is staffed normal office hours of 9am-5pm Monday-Friday. Call us on 1300 78 73 78

Support via Email

For all non-urgent issues, please complete the contact us form and we'll be in touch during normal office hours of 9am-5pm Monday-Friday.


Tags: support

How to link my JobTrack calendar with my calendar on Google, Apple iCal or Outlook?

August 7, 2013

iCal links can be generated with the click of a button.

View JobTrack dates on iCalendar Applications

Task & Event dates  /   Sales Opp & Quote timings   /    Job milestones & deadlines

Use JobTrack's iCal button to easily view your time critical sales dates & job schedules on Google Calendar, Apple iCal or Microsoft Outlook.

The new iCal button makes it so easy to integrate your JobTrack data with iCalendar* applications like Google Calendar. This means you can view time critical database information conveniently on your preferred on-line calendar application on your mobile or other devices.

Imagine the benefits when your sales staff can see all their sales opportunity critical dates on their Google Calendar app or your Project Manager can quickly review job deadlines by day or week or month on their mobile device. You can simply click on your JobTrack iCalendar entry to instantly open the record in JobTrack to update or edit the item.

iCal integrated Modules: Quick Start, Jobs, Quotes and Sales Opportunity.


See here how to try JobTrack's iCalendar integration - it only takes minutes to set up.
Instructions to generate iCal format for Jobs:

Repeat steps 1 and 2 on Quick Start, Sales Opportunities and Quotes modules to set up iCalendar feeds for each of those modules.   

1. Go to the Jobs module and press the iCal button.

iCal Button


2. The system will generate a URL to add your Job dates to any iCalendar application like Google Calendar.  iCalendar


3. You can talk to us about customising your iCalendar feed to sort & display a tailored view of your JobTrack information and links back to modules: Quick Start tasks & events, Sales Opportunities, Quotes or Jobs. Advanced features


Instructions to add your iCal Calendar URLs to Google Calendar: 

To subscribe to your JobTrack iCalendar feeds using Google's Calendar application follow steps 1 and 2 for each Calendar URL you have generated using the iCal button.

  • Go to your Google Calendar and In the left column, click on the Add link in the Other Calendars section.

Google Calendar

  • From the menu select Add by URL. Copy, paste or type the Calendar URL into the dialog box, then click Add Calendar. You should start to see your module dates in your Google Calendar, and it will update according to your Google Calendar settings.

          Add Calendar                      


Instructions to add your iCal Calendar URLs to Apple iCal: 

To subscribe to your JobTrack iCalendar feeds using Apple's iCal program follow steps 1 and 2 for each Calendar URL you have generated using the iCal button.

  1. Open the iCal program (in Applications). From the Calendar menu select Subscribe.
  2. Type or paste the Calendar URL into the URL field then click Subscribe. You should start to see your module dates in your Apple iCal calendar and it will update according to your Apple iCal settings.

*iCalendar is a popular file format used to distribute calendar information between different applications. For more information go to


What is the standard install directory structure?

September 21, 2013

The standard install comes bundled with all the external components needed to run out of the box.

The standard install comes pre-bundled with:-

The following are the main directories:-

  • activemq-data/ used for the message server
  • apache-tomcat/ used for Tomcat web server
  • bin/ contains all the standard scripts and Ant XML files
  • cache/ the cache directory ( outside of the web document root)
  • data/ the database files.
  • dev/ the source code. 
  • docs/ the compressed and encrypted documents. 
  • logs/ all the logs for the system.
  • private/ temporary work area.
  • server/ the web server definition 
  • webapps/ the web application itself

To run a task from the command line you would call:- 

java -jar launcher.jar build

In the above command "build" is the Ant task name defined in bin/launcher.xml

Tags: launcher

Does the system have comprehensive error handling and logging?

November 27, 2013


The system records all web access and errors in the server logs.

All web access is recorded in the standard Apache web access logs.

The server logs can be configured via log4j

All database changes are logged by user and time.

Tags: logging

How to configure DNS round robin for web server failover?

December 18, 2013


Round-robin DNS gives cheap and easy load balancing and fault tolerance.

Server Cluster

A cluster of servers (two or more) can be set up and the DNS entry for your site defined with the IP address of each server; this is known as round-robin DNS.

DNS round-robin for Web server failover

  • www1 ->
  • www2 ->
  • www ->,

Now the DNS server returns both IP addresses for each www query, in random order. If both web servers are up there is obviously no problem. If one is down, the questions are: will the browser try the second IP address, and how long does it wait before doing so?

Ideally the static IP of one server would be from one network provider and the other server IP would be from another network provider. This means we are not reliant on one network provider.

Successes with modern browsers

The client browser will choose one of the identical servers. If it cannot connect to that one it will try the other.

With recent versions of IE (8 and above), Opera, Safari, Firefox and Chrome, the browser tries one web server and, if it cannot connect, tries the next. The process is transparent to the user; it occurs only if the first server tried fails to answer, and only for the first page requested from our site in a browser session.

DNS round robin works best if the failed server is actually off rather than merely slow or timing out: a refused connection lets a modern browser move to the next address very quickly, whereas a hung server costs the full connection timeout first.

Failures with obsolete browsers

Browsers older than IE8 are not supported by the ST web application, but may still be used to view the web sites. Old browsers such as IE7 will only use the first IP address.

What are the advantages ?
    • Rolling restart of the servers can be done transparently ( restart 1 server a few minutes later the next server).
    • If one server crashes the users will transparently move to the next. 
    • The browser connection is "sticky", which is very important: once the browser has connected it stays with the server it originally connected to.
Is there a downside?

During periods when one server is down, users of non-switching browsers (IE7) have a 50% chance of getting the bad server in any given browser session. IE7 is now below 1% of web traffic; for those browsers there is no advantage, but it is a big win for all modern browsers.

Note: users with IE7 are prevented from logging into any ST servers due to the lack of HTML5 support, but IE7 can still be used to browse the web sites.
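
What a client has to do to obtain the failover behaviour described above, as an added example for this page (not browser code and not stSoftware's): collect every address the resolver returns, try them in order, fail over on a refused connection, and stay "sticky" to the address that worked. The `connect` callable is injectable so the logic can be exercised without a network; the RFC 5737 test addresses used in the usage below are placeholders, not the servers from this page. As the comment in `connect_with_failover` notes, a server that is down fails fast while a server that is merely hung costs the whole timeout, which is the page's point about round robin working best when the failed server is actually off.

```python
import socket
from typing import Callable, List, Optional, Sequence, Tuple

Address = Tuple[str, int]
ConnectFn = Callable[[Address, float], object]


def resolve_all(host: str, port: int = 443) -> List[Address]:
    """Every address the resolver returns for the name, in the order received.
    With round-robin DNS that order changes from one lookup to the next."""
    seen, out = set(), []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        addr = (sockaddr[0], port)
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def tcp_connect(addr: Address, timeout: float) -> socket.socket:
    return socket.create_connection(addr, timeout=timeout)


def connect_with_failover(addresses: Sequence[Address], connect: ConnectFn = tcp_connect,
                          timeout: float = 2.0):
    """Try each address in turn; return (address, connection) for the first that accepts.
    A host that is down fails fast (connection refused / unreachable); a host that is
    merely hung costs the full timeout before the next address is tried."""
    errors = []
    for addr in addresses:
        try:
            return addr, connect(addr, timeout)
        except OSError as exc:
            errors.append((addr, exc))
    raise ConnectionError(f"all {len(addresses)} addresses failed: {errors}")


class StickyClient:
    """Once an address has worked, keep using it: later connections try it first and only
    fall back to the other addresses when it stops answering."""

    def __init__(self, addresses: Sequence[Address], connect: ConnectFn = tcp_connect,
                 timeout: float = 2.0) -> None:
        self.addresses = list(addresses)
        self.connect_fn = connect
        self.timeout = timeout
        self.preferred: Optional[Address] = None

    def connect(self):
        order = self.addresses
        if self.preferred in self.addresses:
            order = [self.preferred] + [a for a in self.addresses if a != self.preferred]
        addr, conn = connect_with_failover(order, self.connect_fn, self.timeout)
        self.preferred = addr
        return addr, conn
```

Usage against a live name would be `StickyClient(resolve_all("www.example.com")).connect()`; the test below substitutes a fake `connect` in which the first address refuses connections.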


When we do a lookup on google the DNS returns 4 IP addresses:-

host has address has address has address has address has address has IPv6 address 2404:6800:4006:806::1010

Repeating the lookup returns a different set of IP addresses:- 

host has address has address has address has address has address has IPv6 address 2404:6800:4006:806::1011

Sample setup used for

DNS for JobTrack

Tags: DNS, HA

Assigning a domain (host) name to your stSoftware hosted website or web system

January 1, 2014

How to assign your new or existing domain (host) name to the IP addresses of our servers.

After you have registered a new domain name with a DNS provider such as GoDaddy, or if you have an existing domain name, you need to change the associated IP address so that your domain name points to stSoftware's servers.

Or contact us to add "Assigning your domain name" service to your website or websystem package and we'll manage it for you.


Assign your domain (host) name to the IP addresses of our servers

Have your DNS pointed to either of the two groupings of IP addresses below; &

or &

Once your domain name has been assigned to our servers you need to contact us so we can associate your domain name with your new website or web system.

IMPORTANT: Please remember when assigning your domain name to our servers to keep your MX record (mail address) pointing to your existing mail servers.

NOTE: it takes some time for your DNS changes to propagate around the world; you can watch them propagate here

TIP: If your DNS provider supports multiple IPs for one host name then set up simple redundancy with a DNS round robin.

Tags: DNS

What is the recommended configuration for a Linux server?

January 26, 2014

How to lock down a Linux server and run the web server as a low-privilege user.


All Linux servers are locked down to the highest security standard possible: all services are off by default and all ports are shut; only the required services are started.

To lock down a server:-

Install only the required packages:

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install openssh-server denyhosts vim oracle-java7-installer postgresql landscape-client htop lynx-cur

Firewall: close all ports and open only those that are required; this reduces the attack surface.

Ubuntu has a simple firewall configuration tool called ufw, which is really just a simplified iptables interface.

sudo ufw allow ssh
sudo ufw allow imap      # only if this host also serves mail; a web-only server needs ssh, http and https alone
sudo ufw allow http
sudo ufw allow https
sudo ufw disable         # disable followed by enable reloads the rule set
sudo ufw enable

Redirect the privileged ports 80 (http) and 443 (https) up to ports above 1024 that the low-privilege user running the web service is allowed to bind. The redirection is done with the following iptables rules in the nat table (they are not persistent across a reboot on their own; add them to /etc/ufw/before.rules or save them with iptables-persistent):

sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

PREROUTING only sees traffic arriving from other hosts; a connection made from the server to its own port 80 or 443 needs a matching rule in the OUTPUT chain of the nat table.
Create a low-privilege user to run the web server

Avoid running any custom code or the web server as a high-privilege user. A security flaw in either the web server or your code will be exploited with the privileges of the user that runs the web server.

sudo groupadd www-data      # skip if the group already exists (it does on a stock Ubuntu install)
sudo useradd -g www-data -m -s /bin/bash webapps

Prevent direct access to functional accounts including ROOT

Never allow direct ssh access to the ROOT account or any other functional account such as webapps. Each administrator that should have access to these accounts must log in under their own user account and then sudo to the correct functional account.

To block all SSH access to ROOT add the option "PermitRootLogin no" to /etc/ssh/sshd_config and reload sshd. sshd uses the first occurrence of a keyword it finds, so a "PermitRootLogin yes" higher up in the file would win; confirm the effective value with sshd -T rather than by reading the file.

sudo vi /etc/ssh/sshd_config

PermitRootLogin no

sudo sshd -T | grep -i permitrootlogin

Increase the file handles for the user that runs the web server

This will help handle DoS attacks and cope with a large number of slow clients.

Set the system-wide maximum file handles:-

sudo vi /etc/sysctl.conf


Set the low-privilege user 'webapps' to allow the maximum possible files open. The limits below apply to the www-data group through PAM, so they take effect for sessions such as sudo -u webapps -i; a service started directly from an init script or a systemd unit takes its limit from that unit instead.

sudo vi /etc/security/limits.conf

@www-data          soft     nofile         65535
@www-data          hard     nofile         65535

After rebooting, check that the maximum number of open files has been increased:

sudo -u webapps -i "ulimit -a"

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 386171
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65535
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 386171
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
Tags: DDoS, how-to

What is the recommended upgrade schedule for self hosted systems?

March 4, 2014

A quarterly release schedule for maintenance releases makes for a smooth and regular process.

We recommend that at least the quarterly maintenance releases are installed to your test environment, tested, then promoted to your production system as part of the normal software maintenance cycle.

Regular and timely updates reduce the risks of running a live system that is out of sync with stSoftware's current version and enables your users to benefit from our R&D program, which is our investment and commitment to continually improve our systems for our customers (in recent years we have typically invested over $250,000.00 annually in our R&D program).

In our updates we release;

  • new functionality, such as in recent updates: new integrated Website/CMS and Document modules, an upgraded Email module, new Calendar and Event Timeline (better visual interface, select multiple filters, multiple staff to view with easy drag and drop functionality, integrated Google maps), and;
  • a program of ongoing maintenance and usability improvements, such as: enabling continued system compatibility with emerging technology (making sure our systems work optimally on new browser versions, new smart phones/tablets etc), keeping pace with the latest national/international standards, continuously improving security and access controls. These are usually back-end and may not be obvious to your users but are very important for continued smooth operation, increased performance and usability and reducing risks.

The main external components that the system relies on are Java and the underlying database itself. The operating system, Java and the database must also be maintained with regular upgrades.  

See the Java support schedule, Java 6 was "end of life" as of Feb 2013. The stServer will run on the current supported version of Java, as of March 2014 Java 7 is the only supported version. Java 7 will be supported until at least March 2015


Tags: EOL, Java

How are SQL Injection attacks prevented?

March 14, 2014

All components and protocols access data through the DAL (data access layer).

SQL injection is a code injection technique used to attack data-driven applications such as stSoftware.

stSoftware systems support a number of web accessible protocols including:-

  • ReST
  • SOAP
  • Web Forms
  • GWT RPC 

All protocols access the underlying data through the DAL (data access layer). There is NO direct access to the underlying data store, no matter which protocol is used. Each protocol accepts the request to read or write data, performs the protocol's own validations, and then passes the request on to the DAL, which in turn validates the request, checks the user's access and performs any further validations before executing it and returning the result.

SQL injection and XSS payloads are automatically tested against each of the supported protocols. Listed below are the standard SQL injection strings attempted.

SQL Injection String
\'; DROP TABLE users; --
\''; \'';:Contact-Delete
'\''; \'';
' or 1=1;--
{? = CALL addJdbcExampleTrade (1, 'john', 32, '2004-10-22') }
{call ...}
{?= call ...}
{fn ...}
{oj ...}
{d ...}
{t ...}
{ts ...}
©¡¢£¤¥¦§¨ª¬®°º»¼½¾¿ ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏ ÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß àáâãäåæçèéêëìíîï ðñòóôõö÷øùúûüýþÿ
RT @ClimateGroup - RT @EurActiv: #23;Solar #23;recession signals end of \''Wild West\'' gold rush #23;EU #23;renewable #23;energy
Mr 5%3
My &amp; name
hacker '; games
/*comment */
SELECT /*!32302 1/0, */ 1 FROM tablename
ID: 10; DROP TABLE members /*
SELECT /*!32302 1/0, *\/ 1 FROM tablename
admin' --
admin' #
' or 1=1 or ''='
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
" or 1=1--
or 1=1--
' or 1=1 or ' '= '
<Description xmlns=""><![CDATA[
'or 1=1 or ''='
PETA: Seaworld's Use of Whales Violates the 13th Amendment.
PETA: Seaworld\'s Use of Whales Violates the 13th Amendment.
PETA: Seaworld''s Use of Whales Violates the 13th Amendment.
PETA: Seaworld\''s Use of Whales Violates the 13th Amendment.
INSERT INTO st_person ( code,name,notes) Values (
DROP sampletable;--
DROP sampletable;#
DR/**/OP/*bypass blacklisting*/sampletable
ID: /*!32302 10*/
SELECT IF(1=1,'true','false')
IF (1=1) SELECT 'true' ELSE SELECT 'false'
0x50 + 0x45
SELECT login + '-' + password FROM members
SELECT login || '-' || password FROM members
SELECT CONCAT(login, password) FROM members
SELECT CONCAT('0x',HEX('c:\boot.ini'))
SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
' HAVING 1=1 --
' GROUP BY table.columnfromerror1 HAVING 1=1 --
' union select sum(columntofind) from users--
SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL--
declare @o int
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/
DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0
WAITFOR DELAY '0:0:10'--
IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
SELECT pg_sleep(10);
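
As an added example (not code from this page or from stSoftware), the Python harness below runs a subset of the strings listed above through a concatenated query and a parameterized query against an in-memory SQLite table with constructed sample users, and classifies each outcome. It shows that a passing check means the value was handled as data, that ordinary data with an apostrophe breaks a concatenated query just as a probe does, and that a probe written for one quoting style passes a differently quoted query unchanged.

```python
import sqlite3

# Constructed sample users for the in-memory test table (not from the page).
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "hunter2")]

# A subset of the injection strings listed above, plus one legitimate value
# (the PETA headline) whose only special character is an apostrophe.
PROBES = [
    "' or 1=1 or ''='",
    "admin' --",
    "' or 1=1--",
    "') or ('1'='1--",
    "\" or 1=1--",
    "hacker '; games",
    "PETA: Seaworld's Use of Whales Violates the 13th Amendment.",
]


def make_db():
    """In-memory SQLite database standing in for a users/members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, login):
    """Vulnerable form: the value is spliced into the SQL text."""
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, login):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT login FROM users WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (login,))]


def probe(conn, lookup, value):
    """Classify one probe: 'ok' (value treated as data), 'injected' (query
    logic changed) or 'error' (query broken, an availability signal)."""
    # Independent oracle: the only correct answer is an exact login match.
    expected = [login for login, _ in SAMPLE_USERS if login == value]
    try:
        rows = lookup(conn, value)
    except (sqlite3.Error, sqlite3.Warning) as exc:   # old Pythons raise Warning
        return "error", type(exc).__name__
    return ("ok" if rows == expected else "injected"), rows


def run_sanity(probes=PROBES):
    """Run every probe through both lookups.
    Returns {probe: {'concat': (verdict, detail), 'param': (verdict, detail)}}."""
    conn = make_db()
    return {p: {"concat": probe(conn, lookup_concat, p),
                "param": probe(conn, lookup_param, p)} for p in probes}


def all_safe(report, key="param"):
    """True when every probe was handled as plain data by the given lookup."""
    return all(result[key][0] == "ok" for result in report.values())


if __name__ == "__main__":
    for value, result in run_sanity().items():
        print(f"{value!r:62} concat={result['concat'][0]:9} param={result['param'][0]}")
```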

How are server issues (faults etc) monitored?

March 19, 2014

Automated heartbeat monitoring and health checks.

We have automated heartbeat monitors which check the health of the servers and a number of background tasks. In addition to checking the list of known tasks, database read and write actions are performed and the available disk space is checked. If the heartbeat monitor itself takes more than 5 minutes to run, an alert is sent. The heartbeat monitor runs every 15 minutes.

Heart beat message

The list of tasks that the system will monitor are defined in the class DBTask.

List of tasks

A task is defined by:-

  • Code which uniquely identifies this task.
  • The human readable label.
  • Type of task:
    • One per system
    • One per application/server
    • One per database layer.
  • Whether this task is enabled.
  • HA (high availability) specifies that two or more machines will run the same task. If the primary version of this task fails to update the heartbeat within the heartbeat duration, the standby task runner will start automatically. If the first machine running the primary task responds after the standby task has started, the primary will become the standby task.
  • Heartbeat duration is the time that a task must complete in; if the task takes longer than this period it is declared dead (the standby runner will start if in HA mode).
  • Process duration is how long one run of this task is expected to take.
  • Notification period is how frequently to notify that this process is dead or has an error.
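
A constructed Python model of the heartbeat and HA takeover rules just described (added example, not the DBTask class or any stSoftware code; the task code, runner names and timings are made up):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MONITOR_INTERVAL = 15 * 60    # the heartbeat monitor runs every 15 minutes
MONITOR_RUN_LIMIT = 5 * 60    # alert when one monitor run itself exceeds 5 minutes


@dataclass
class TaskDef:
    """The attributes a monitored task is defined by (constructed mirror of the
    fields listed above, not the real DBTask class)."""
    code: str
    label: str
    heartbeat_duration: float   # seconds; no heartbeat within this window = dead
    process_duration: float     # seconds one run is expected to take
    notification_period: float  # seconds between repeated "dead" notifications
    ha: bool = True
    enabled: bool = True


class HeartbeatMonitor:
    """Tracks one task's heartbeats across its runners and applies the HA rule:
    a dead primary is replaced by the first standby, and a primary that comes
    back afterwards continues as a standby."""

    def __init__(self, task: TaskDef, runners: List[str]):
        self.task = task
        self.active = runners[0]            # primary runner
        self.standby = list(runners[1:])    # standbys, in takeover order
        self.last_beat: Dict[str, float] = {}
        self.last_notified: Optional[float] = None
        self.events: List[Tuple[float, str]] = []

    def beat(self, runner: str, now: float) -> None:
        """A runner reports that it completed a run of the task at `now`."""
        self.last_beat[runner] = now

    def is_dead(self, now: float) -> bool:
        """Dead = the active runner has not beaten within heartbeat_duration."""
        last = self.last_beat.get(self.active)
        return last is None or now - last > self.task.heartbeat_duration

    def check(self, now: float) -> List[str]:
        """One monitor pass at time `now`; returns the alerts it raised."""
        raised: List[str] = []
        if not self.task.enabled or not self.is_dead(now):
            return raised
        # Notify, but no more often than the task's notification period.
        if (self.last_notified is None
                or now - self.last_notified >= self.task.notification_period):
            raised.append(f"DEAD {self.task.code} on {self.active}")
            self.last_notified = now
        if self.task.ha and self.standby:
            old, self.active = self.active, self.standby.pop(0)
            self.standby.append(old)            # recovered primary becomes a standby
            self.last_beat[self.active] = now   # new runner gets a full window
            raised.append(f"FAILOVER {self.task.code} {old} -> {self.active}")
        self.events.extend((now, r) for r in raised)
        return raised


def monitor_overrun(started: float, finished: float) -> bool:
    """True when a monitor pass itself took longer than the 5 minute limit."""
    return finished - started > MONITOR_RUN_LIMIT


def simulate() -> HeartbeatMonitor:
    """Constructed scenario: web1 is primary, web2 standby; web1 goes silent
    after t=1200 and later recovers."""
    task = TaskDef("INVOICE_RUN", "Nightly invoice run", heartbeat_duration=1800,
                   process_duration=120, notification_period=3600)
    mon = HeartbeatMonitor(task, ["web1", "web2"])
    timeline = [("beat", "web1", 0), ("beat", "web2", 0), ("check", "", 900),
                ("beat", "web1", 1200), ("check", "", 1800), ("check", "", 2700),
                ("check", "", 3600),      # 2400s since web1's last beat: takeover
                ("beat", "web2", 4000), ("beat", "web1", 4100),  # web1 back, as standby
                ("check", "", 4500)]
    for kind, runner, t in timeline:
        if kind == "beat":
            mon.beat(runner, t)
        else:
            mon.check(t)
    return mon


if __name__ == "__main__":
    for when, event in simulate().events:
        print(f"t={when:>5.0f}s  {event}")
```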

Task screen

Each server has its own set of logs including:-

All the logging is configured via log4j

Email alerts for serious errors are sent automatically via a Log4J delayed SMTP appender, which batches errors into one email when more than one per minute would otherwise be generated.

Tags: HA

Can you explain your development, staging and disaster recovery environments?

March 19, 2014

The system is configured as a fault tolerant cluster.

Development Environment

We normally use our own in-house development servers; as they are already set up and configured to our solution server requirements, this is cost effective and efficient.

Production Environment

For production environments we recommend a HA server cluster. A minimum of two servers would be configured in a high availability fashion so that you can kill one and the outside world would not know.

Two client facing servers allow us to do a rolling restart.

Disaster Recovery Environment

The level of Disaster Recovery environment we can provide is only limited by client need and cost. As a minimum standard DR we have a 2 hour hardware replacement guarantee from the hosting provider, and the system is backed up off site. The next level of DR would require 4 servers at a minimum.

The backups (quite expensive, half the cost of the server itself) are stored off site and kept for 1 week.

The system itself records every change ever made; we can tell which user changed which fields/values from the beginning of time. This is done by having live and delta tables. We can view record sets at any point in time.

Staging Environment

For staging we recommend using our existing servers. When we do an install, it is a complete clean install and we copy the configuration from the previous release. With two (or more) client facing servers we can do a rolling restart without a noticeable outage. We can fall back to the previous release by changing the symbolic link and restarting. The application database (not client data) and full source code are included in the install.

Tags: HA

How to configure the ideal stSoftware server cluster?

March 21, 2014

Network layout for a fully redundant fault tolerant stSoftware server cluster.


Best practice network design for a highly scalable, distributed web system has:-

Network Layout Design 

Ideal server cluster

( source diagram)

DNS setup

The DNS for yoursite will have two (or more) IP addresses, one for each web server. This is known as a DNS round robin.

We also define a direct access host name per server for health monitoring.

Example configuration for

    • www1 ->
    • www2 ->
    • www ->,

Ideally the static IP of one server would be from one network provider and the other server IP would be from another network provider. This means we are not reliant on one network provider.

DMZ Firewall

The firewall only allows the ports HTTP & HTTPS (80 & 443) through to web servers in the DMZ, all other ports are closed.

The firewall is the first line of defence against a DOS attack: the firewall will be configured to drop concurrent requests from one IP if a threshold is exceeded. We recommend 50 concurrent requests from one IP as a reasonable limit, given that one browser will only make 3 or 4 concurrent requests but users behind a proxy will be seen as one IP address. A limit of 50 allows for a staff meeting at your local Starbucks but still protects against a simple single node DOS attack.

See sample configuration of iptables to prevent DOS attacks.

We install the package “fail2ban” with a custom configuration script which monitors the web server access logs for well known hack attempts. When a hack attempt is detected the IP address of the hacker's system is automatically blocked for 10 minutes.

Please note: The “fail2ban” module will need to be disabled when/if penetration testing (PENTEST) is being performed, as the tester will be locked out as soon as they run a script looking for well known issues.


Web server

The web server is run by a low permissioned user "webapps". The DMZ firewall redirects the high permissioned ports for HTTP/HTTPS (80 & 443) to low permissioned ports, for example 8080 & 8443. The low permissioned user "webapps" has a group of "nobody".

The web server can only access the data, files and message server through the "green zone firewall".

The servers in the DMZ do not store ANY client data or files. They can be restored from backup or completely rebuilt without the loss of any client data. The DMZ servers are considered "disposable": the web servers have as much CPU and cache as possible, and the disk space is only used for caching.

All Linux servers are locked down to the best industry standard.

Recommended Specifications
    • 300 gigs of disk space.
    • 32 gigs of RAM
    • 8 CPU cores

Green zone Firewall

The "green zone firewall" will be configured to open the database, message server (port 61616) and SFTP (port 22) from the DMZ to the "green zone" storage servers.

Green zone
Storage Server

The storage servers are where the data is stored and must be backed up as regularly as possible; the disk drives must be as reliable as possible. The web servers cache the files as required, so disk speed isn't a large concern.


The JMS servers are configured with failover transport with a bridged connection between the two JMS servers. The definition of the JMS server is entered into the aspc_master database in the table aspc_server.


The application worker process handles all background event processing.


The actual database storage. The database is set up with "Multi-master replication" with ZERO latency, or in a traditional master-slave replication.

To date the only database tested and supported for multi-master replication is Oracle RAC. The system relies heavily on optimistic locking to handle multi-server bidding and processing, so it is very important that the database is 100% ACID with no latency conditions. If the link between data centres goes down (the last remaining single point of failure) we need to take one of the data centres off line and then tell Oracle RAC not to sync. When the link between data centres is back up and running, we need to do a full backup restore to the database that was off line.

Our system relies heavily on the consistency of the database. We ask questions like "what is the next invoice number?"; we can't have the same invoice number being given to two application servers, no matter what. This is quite a complex task for multiple master database replication.

For other supported databases (Postgres, MSSQL or MySQL) a traditional master-slave database replication is supported. This configuration does mean that manual intervention is needed to swap from the master database to the slave database in case of outage.

Note: There are cheaper database solutions that claim multiple master replication, but there are qualifiers around the word "ACID". If there are any qualifiers on the word ACID we don't support it.

File Server (SFTP)

All raw files, which are compressed and encrypted, are stored on a series of SFTP servers. The default file server, which is defined in the aspc_master database in the aspc_server table, will be defined to have the connection details for both file servers. When a new file is uploaded to one of the web servers, the web server tries to write to both file servers. As long as the write to one file server is successful, the client file upload is treated as successful.

There is a periodic task to sync any file that was successfully uploaded to one file server to the other. The system will automatically heal a file server that has a missing raw file as the missing files are discovered. This allows a file server to be recovered from backup as long as the redundant server has the full set of files since the backup being restored.
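
The dual-write and heal behaviour described above, as a constructed Python model (added example, not stSoftware's file server code; server names, file keys and the outage/restore sequence are made up, and the compression/encryption of the raw bytes is not modelled):

```python
from typing import Dict, List, Tuple


class FileServer:
    """Constructed stand-in for one SFTP raw-file store; `up` models an outage."""

    def __init__(self, name: str):
        self.name = name
        self.files: Dict[str, bytes] = {}
        self.up = True

    def write(self, key: str, raw: bytes) -> bool:
        if not self.up:
            return False
        self.files[key] = raw
        return True


def upload(servers: List[FileServer], key: str, raw: bytes) -> bool:
    """Web server rule: write the raw file to every file server; the client
    upload succeeds if at least one write succeeds."""
    results = [s.write(key, raw) for s in servers]   # try all, never short-circuit
    return any(results)


def sync(servers: List[FileServer]) -> List[Tuple[str, str]]:
    """Periodic heal task: any raw file present on one server and missing on
    another reachable server is copied across. Returns (key, healed server)."""
    copied: List[Tuple[str, str]] = []
    for src in servers:
        for dst in servers:
            if dst is src or not dst.up:
                continue
            for key, raw in list(src.files.items()):
                if key not in dst.files:
                    dst.files[key] = raw
                    copied.append((key, dst.name))
    return copied


def scenario() -> dict:
    """Constructed sequence: an upload during an outage of files2, a heal pass,
    then files1 restored from an older backup and healed from files2."""
    files1, files2 = FileServer("files1"), FileServer("files2")
    servers = [files1, files2]
    ok_a = upload(servers, "a.raw", b"A")      # both servers receive it
    files2.up = False
    ok_b = upload(servers, "b.raw", b"B")      # files2 is down: only files1 has it
    files2.up = True
    healed_first = sync(servers)               # heal pass copies b.raw to files2
    files1.files = {"a.raw": b"A"}             # files1 restored from a backup predating b.raw
    ok_c = upload(servers, "c.raw", b"C")
    healed_second = sync(servers)              # files2 fills in b.raw on the restored files1
    return {
        "uploads": (ok_a, ok_b, ok_c),
        "healed": (healed_first, healed_second),
        "files1": sorted(files1.files),
        "files2": sorted(files2.files),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:8} {value}")
```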

Recommended Specifications
      • 2 TB of disk space.
      • RAID 10
      • 16 gigs of RAM
      • 4 CPU cores 
Tags: HA, DNS

What software is used to build stSoftware systems?

March 27, 2013

Industry standard frameworks and libraries

Web Frameworks used:-

Server frameworks:-

Build control:-

What details of a user sessions are available?

April 8, 2014

You may see your own active session details, or the administrator may see all users' session details.


Normal users are restricted to view only their own session details. Administrators may see the session details for all users.

Active sessions can be forcibly logged out from the session details screen. The list of active sessions for a user can be viewed from the "My Setup" screen. 

User session details

Session Screen

  • Button "Close" closes the screen
  • Button "Print" prints the session details
  • Button "Logout" will forcibly logout the active user session.

Session details

  • ID - The internal session identifier.
  • Login - The user id and user name.
  • Start - The session start time, the last active time and the duration.
  • Host - The server logged into ( identifies which server in a cluster)
  • Client URL - Is the IP address of the client and client host name if known.

Client Location

  • Country - Estimated country based on the client IP address.
  • Region - Estimated region based on the client IP address.
  • City - Estimated city based on the client IP address.
  • Zip Code - Estimated zip code based on the client IP address.


  • Agent - The agent string of the browser which the client logged in with.
  • Windows/Mac/Linux - The operating system of the client
  • Type - The type of login
  • Screen - the screen size.


  • Logged out - Is this session logged out ?
  • Timed out - Has this session timed out ?
  • Valid to terminate - means this session will be automatically logged out.
  • Language - The detected client language.
  • Time Zone - The detected client time zone.

Does stSoftware support Structured data searching?

April 19, 2014

Any field on any class can be marked as "searchable" to allow indexed searching.


Any field in the system can be marked as "searchable", which will then allow the system to search on these fields in a high performance manner as they will be automatically indexed. Any field can be searched on, but without an index it is slower.


Article Data model

Field Definition

DBField definition

Standard search screen

Automatically generated screen based on the data model and the fields marked as "searchable".

Contact Search

Tags: customize

How to set the store PayPal account?

April 23, 2014

Default PayPal account can be selected on the Admin/Database tab.

Go to the Admin/Settings menu, Database tab; you can find the Default Pay Pal Account dropdown and the Use Live PayPal Server checkbox in the Financials section.

You can select a PayPal account or create a new PayPal account.

By checking the "Use Live PayPal Server" checkbox, all purchases from the store will be real money transactions; uncheck this checkbox to use the PayPal sandbox server (test server), where no real money is transferred.


To create an account, please select PayPal as the account type; you will need your PayPal account's API username, password and signature.

To obtain your PayPal API signature credentials, please refer to Creating and Managing Classic API Credentials.


PS: please clone the template-store site and call it "store" for your online store.


Tags: store

What are the major changes since JobTrack 4 (Nov 2012)?

July 9, 2014

Major new modules include CMS and web file manager

The changes to the system have been broad over the 18 months development period.

  1. Moved to JDK7 after end of life period of JDK6
  2. Content Management System
  3. Cloud File Manager
    • Web Folders
    • Shallow copy of files (duplicate files in different folders share the same raw file)
  4. New responsive control panel
  5. E-Commerce
  6. Enhanced login page and session management
  7. HTML5 validation of every generated screen
  8. iPhone & iPad support on standard screens
  9. Numerous performance improvements & bug fixes.
  10. Java Code generator enhancements for JDK7
  11. Enhanced email marketing
  12. Questionnaires module 
  13. SOAP: removed dependency on Apache AXIS1
    • DotNet native SOAP client
  14. iCal integration
  15. Removed applet dependency for time zone detection.
  16. Server side image processing
  17. Upgraded to require Servlet 3.0
  18. DNS round robin ( session transparent replication) support
  19. Timeline and new Calendar modules.
  20. Meeting invite tracking and calendar
  21. Handlebar (mustache) support


Dropped support for:-

  1. JDK6 ( EOL Feb 2013)
  2. WML generation
  3. IE6 & IE7
  4. VB soap client ( replaced by ReST)
  5. Java Applets

How to test Access Control Limits (ACLs)?

March 19, 2015

Built-in sanity checks for complex ACL rules.


Access Control Limits (ACLs) are the expression of the system's information security policies; they can be complex in nature, and it is vital that they are not only correct but also seen to be correct. The ACL sanity checks provide this business level visibility into the information security policies.

All sanity checks in the base product are run as part of the system build process, which does not proceed if there are any failures.

The sanity checks allow dummy data to be generated (but not saved), and the current ACLs are checked against this dummy data.

The sanity check cases can be marked as expecting a certain number of rows to be returned by a query, or to expect (or not) an access exception if a modification is made.

Each sanity case allows a dummy login to be created as part of the sanity check at a certain access level, and for the dummy person to be a member of a set of groups.

More complex client setups can be done in the setup SQL using the special variables ${LOGIN_ID} and ${PERSON_ID}.

Sanity Check report

ACLs sanity checks


Sanity Group

ACLs sanity group


Sanity case
ACLs sanity case

Tags: ACLs, sanity

HTTPS versus HTTP, the debate is over.

March 19, 2015

Nowadays there is no excuse: just use HTTPS everywhere.

SSL is Secure Sockets Layer, i.e. HTTPS:// instead of HTTP://.

Every web page that is sent via HTTP:// is in plain text and can easily be intercepted or even changed via what is known as "man in the middle" or "man on the side" attacks.

Mobile network providers often "improve" HTTP web pages by injecting their own scripts and images; often these unwanted "improvements" break the page being served. HTTPS prevents the carriers from being able to inject their own content.

Even when you only access the system via an intranet, setting up SSL is so simple and really is the FIRST step in any security that it's almost a mandatory step.

The old argument against httpS:// was that it was slower, but that was in the days of slow machines. Now in many cases httpS:// is actually faster because of the hard work Google has done improving httpS://, whereas http:// hasn't been enhanced as there is no method of securing it.

For a performance comparison (most favourable to HTTPS) see


stServer suggested Java arguments

August 27, 2015

Low GC pause with large memory caches will give the highest performance.

Below are the standard JVM server parameters. 

G1 Garbage Collector

  • -XX:+UseG1GC
    • Turn on the G1 garbage collector. 
  • -XX:MaxGCPauseMillis=250
    • Target a maximum pause time of no more than 250 milliseconds.  

Young Generation

  • -XX:PermSize=256m
    • The initial size of the permanent generation.
  • -XX:MaxPermSize=256m
    • Set the max and start size of the permanent memory segment. 

DO NOT over tune the G1GC by setting -XX:NewSize=512m -XX:MaxNewSize=512m -XX:SurvivorRatio=2

Logging Options

  • -verbose:gc
    • Verbosely log the garbage collection. 
  • -XX:+PrintGCDetails
    • Print the GC details
  • -XX:+PrintGCTimeStamps
    • Print the timestamps of when the GC occurred. 
  • -XX:+PrintGCApplicationStoppedTime
    • Print the time that the application was actually stopped. 
  • -XX:+PrintHeapAtGC
    • Print the heap when a full GC occurs.

Miscellaneous Options

  • -server
    • Turn on the server compiler
  • -Xss8M
    • Stack size of 8 megs. 
  • -XX:+ExplicitGCInvokesConcurrent
    • When System.gc() is called do not stop the world. Just schedule a background GC. 
  • -XX:-OmitStackTraceInFastThrow
    • Always show the full stack trace for exceptions like NullPointerException
  • -d64
    • Turn on 64 bit JVM



Tags: JVM, Java

How to retrieve forgotten passwords?

November 19, 2015

A forgotten password can be reset via email/SMS.


  1. Enter your email, phone number or user name
  2. Choose associated email or phone
  3. Wait for email or SMS
  4. Enter the confirmation code
  5. Enter your new password

Find your account

Which method

Confirmation code

Reset email

Reset your password

Reset complete

Tags: password

How to create a ReST magic number?

February 2, 2016

Magic numbers are used for access to the ReST services without passwords.

To set up a new API key for a ReST service:-

  • Choose the ReST service to create the API key for ( steps 1-3)
  • Open the data entry screen for the selected service ( step 4)
  • Select the "security" tab ( step 5 )
  • Create a new magic number ( step 6)
  • Choose the user access to use for this service and press OK ( step 7-8)

The demonstration system can be used to try out the ReST services.

 Open Sync ReST service

Edit the Sync ReST service

Open Security tab

Save magic number



Tags: ReST

How to disable unused modules

March 21, 2016

Disabling unused modules will simplify the users' screens.

There are many modules enabled by default. This leads to screen clutter. Disabling the modules that are not used will lead to less user confusion and screen clutter.

Default task screen


Navigate to "Admin->Settings->Modules"

Modules tab

Disable the module

Disable a module

Refresh task screen and the "Timesheet" tab will be gone

Task screen with timesheets disabled.

Tags: modules, setup

How to hide menu items

March 21, 2016

Hiding unused menu items leads to less user confusion and screen clutter.

Menu List

Customize Menu List

Choose quickstart


Mark the menu as "Inactive"

Mark the menu as inactive

Refresh menu ( "QuickStart" will be hidden)

Quick start menu is now hidden

Tags: setup

How to install spell checker

May 10, 2016

Spell checker relies on 'aspell' to be installed.


To enable spell checker, the package 'aspell' needs to be installed on the server side. TinyMCE calls a web service 'v1/spell' to check spelling and store words in the user's dictionary.


When the user clicks the spell check button the text is sent to the server via the web service 'v1/spell' and resulting errors and suggestions are sent back and highlighted for the user.

Usage of the spell feature.

Web Service

A web service "v1/spell" allows for the checking of misspelled words and maintenance of the user's private dictionary.

Spell web service

Linux installation

sudo apt-get install aspell

Tags: spell

How are user timezones detected?

June 11, 2016

The timezone must be detected on the client side using JavaScript

The user's timezone can't be detected by a ReST call itself.

The client's public IP address can be used in combination with a ReST service to find a rough location.

When a client logs into the system, the client's timezone is passed as a parameter in the ReST call /v1/auth/login/{username}.

ReST auth login

The web pages use the jstz library to detect the timezone and then log in via ReST. We remember the user's timezone in the database session record.

Sample Application

Tags: timezone

How to call ReST services from Excel?

August 16, 2017

Example spreadsheet to fetch data from an ST server


All the data from a stSoftware server can be fetched via the standard ReST API; all the standard ACLs and validation rules are applied whether the data is accessed via the standard screens or via the ReST API.

Example Excel Spread Sheet

Click here to download an example Excel spread sheet which shows how to fetch data from an ST Server into Excel.

How to use

1. Open spreadsheet and click "Enable Macros".

Enable Macros

2. Click "add-ins" menus

add-ins menu

3. Click "Login" icon

Login button

4. Enter connection details

Enter the connection details for your own server, or use one of the demo systems by using the host and the user name user with the password user.

Please note the demo servers are reset daily ( don't store anything you want to keep). 

Login form

5. Click on the query button

Query button

6. Enter the fields, class and filter for the data to be fetched.

There are a number of predefined templates which can be chosen, or enter the fields "Class", "Fields" and "Where" directly.

Query form


Tags: Excel, ReST

What changes to the SPF record are required to send emails via stServer?

April 3, 2018

Unless otherwise configured, we use Amazon Simple Email Service to send emails.

The standard email gateway for sending emails is Amazon Simple Email Service.

If your domain has an SPF record configured, you will need to include the domain

For example:- 

"v=spf1 -all"


Tags: email