Marked as a duplicate of: Where to store JWT in browser? How to protect against CSRF?
I am new to JWT. I just return it as a Java object in JSON and made some filters so it can work just like session_id with Spring Security.
But I don't understand how the JWT is stored on the client side: where does it go after the server response?
Is it automatically stored by all browsers in cookies?
Do all browsers support JWT?
I do appreciate your answer.
"and made some filters so it can work just like session_id with Spring Security" - if you want to use JWTs for sessions, please don't do that, and here's an article which will tell you why: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ If all you need is a session, then stick with sessions. Using tokens will only complicate life for you and you will probably expose yourself to some token-related threats.
Otherwise, if you really want to stick with JWTs, then have a look at the answer linked in Yousaf's comment.
I'm new to cryptography. I want to implement https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-10 in my Spring Boot application (a requirement from the client). The client asks me to implement a header something like this:
Authorization: Signature keyId="Test",algorithm="rsa-sha256",
signature="SjWJWbWN7i0wzBvtPl8rbASWz5xQW6mcJmn+ibttBqtifLN7Sazz
6m79cNfwwb8DMJ5cou1s7uEGKKCs+FLEEaDV5lp7q25WqS+lavg7T8hc0GppauB
6hbgEKTwblDHYGEtbGmtdHgVCk9SuS13F0hZ8FD0k/5OxEPXe5WozsbM="
I have no idea how the authentication signature is generated based on this specification.
Can anyone help me understand these terms in a simple manner?
What is the keyId and what is it used for?
What is the signature value and how do I generate it?
I have no idea; please help me understand this.
What you see here is yet another layer of protection in case someone breaks the TLS. The documentation states it like this:
"For high security transactions, having an additional signature on the HTTP header allows a client to ensure that even if the transport channel has been compromised, that the content of the messages have not been compromised."
So what you really want to do is to use some kind of Message Authentication Code (MAC) so even if an active attacker has the ability to manipulate the message sent, the MAC will not match and the whole message will be rejected by the server.
I have looked through the docs and implementing this stuff is not a trivial matter. But it looks like there are libraries already present which can help you achieve this. First Google hits:
https://github.com/tomitribe/http-signatures-java
https://github.com/joyent/java-http-signature
Regarding keyId:
"The keyId field is an opaque string that the server can use to look up the component they need to validate the signature. It could be an SSH key fingerprint, a URL to machine-readable key data, an LDAP DN, etc. Management of keys and assignment of keyId is out of scope for this document."
In short: you decide what it is going to be. It needs to be something that allows you to identify the subject and enables you to verify the signature in the first place.
I'm making an online multiplayer chess game using a Java servlet in the back-end. In the front-end I'm using JavaScript, Ajax, HTML. Client/player requests are sent through Ajax requests to the servlet controller. Now, I want to know which is the best option for handling a client request/state. I don't want to use cookies. I know URL rewriting is an option for managing client sessions. Apart from these, what are the other efficient approaches for managing client sessions? Is the HttpSession object a good option for uniquely identifying client sessions?
HttpSession in turn uses a cookie to identify the session (JSESSIONID); it will be set up automatically when the session is created.
If you really don't want to use cookies, then go for token-based authentication. There are lots of tutorials available online, but it needs a little more work for token management. This is widely used now.
Update
A quick search on token-based authentication on Google gives this:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
http://arjan-tijms.omnifaces.org/2014/11/header-based-stateless-token.html
http://www.javabydefault.com/2014/11/implementing-token-based-authentication.html
Yes, using the session ID will be a good option for you. You can get the session ID by using the following code: session.getId()
If you are not concerned about security, you need not worry about 'authentication' mechanisms.
For example, if you just want to differentiate between two clients, you can simply add an extra parameter like clientId in each of your requests.
It can work like this:
1. Create one global variable in JavaScript like globalClientId = null;
2. At the time of each request, send this as an extra parameter.
3. If globalClientId is null, generate a 16-digit random number and store it (this will be done only once per page, the first time).
However, some disadvantages of this method compared to cookies are:
1. It works only for one tab.
2. It will be lost if that tab is closed.
Assume I have a single servlet in a web app, and all users need to be logged in before they can do anything. So in the get and post methods there is an if block to test whether the user is logged in, by trying to extract a session attribute in order to process the request, and an else branch to redirect to the login page if not logged in.
Given this scenario, is there a way an intruder can manipulate the system to gain entry without knowing the password? Assume the password is hard-coded into the servlet. If yes, where would he start?
I would look at http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html#bncbj and the section linked from that section about specifying authentication mechanisms.
See also (on Stack Overflow) "Looking for a simple, secure session design with servlets and JSP" and "How do servlets work? Instantiation, sessions, shared variables and multithreading".
In short, you don't need to do much yourself about checking for a session attribute if you use the mechanisms described on those pages. Your login form can be used in the 'form-login' configuration requiring authentication.
The key to security is around your comment "extract a session attribute": how are you doing this? Are they sending you a query string param? Are they sending you credentials in the method headers?
To #Hogan's point, unless this is over HTTPS the answer is: "No, it is not secure. A man-in-the-middle (MITM) can get the password from your submission and simply re-use it to mask its own nefarious requests".
If the communication IS done over HTTPS, then you should be fine. Having a single hard-coded password is fine, but consider the case where the password gets compromised; now every single client/user/etc. has to change their code.
A better design is to issue clients a key they can send along with their requests that you can use to identify who they are, and if a key gets compromised, re-issue a new one to that user/client/etc.
This assumes traffic is over HTTPS
If traffic is not, a lot of this breaks down and you need to look at things like HMACs. I wrote this article on designing secure APIs; it should give you a good introduction to how all this nightmare of security works.
If your eyes are rolling into the back of your head and you are thinking "My god, I just wanted a YES/NO", then my recommendation is:
Require all traffic to be over HTTPS
Issue individual passwords to each client so if one gets compromised, every single one isn't compromised.
That should get you pretty far down the road.
Hope that helps. This topic is super hairy and I know you didn't want a history lesson and just want to solve this question and move forward. Hope I gave you enough to do that.
Possible duplicate: Ordering of values in HttpServletRequest.getParameterValues()
We have a J2EE-based web application. On the server side, we want to get parameters in exactly the same order in which they were sent by the client browser.
We tried request.getParameterMap() and request.getParameterNames(), but these methods do not return parameters in the same sequence as sent by the client browser.
How can we get parameters in exactly the same order in which they were sent by the client browser?
Request parameters are stored internally in a map so you should make no assumptions about their order.
But why don't you just read them as they are and then sort them?
I am not sure why we need to rely upon the order of the parameters sent. Can you let us know why that's required? Maybe you can solve the problem by alternative methods.
This is not even Java related.
You can't even rely on the browser to send the request params in a specific order.
Besides that, as #mgamer noted, you can't make assumptions about the parameter order.
What you can do if you need to read the params in some predefined order is to create some scheme in which you can do that easily. For example, send a JSON object or use some simple format like param1=val&param2=another-val etc.
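One thing the answers above leave implicit: the servlet API hands you a map, but the raw query string (request.getQueryString()) or the raw form body (read from request.getReader()) still carries the bytes in the order the client sent them, so a small parser of your own recovers the order. The JavaScript below is an added example written for this page, not code from any of the answers; the input strings are constructed. It also makes the duplicate-name case explicit, which is the security-relevant edge here: when a name appears twice, "first wins" versus "last wins" should be a deliberate choice rather than whatever the container happens to do.

```javascript
// Added example, not from the original answers. Parses
// application/x-www-form-urlencoded data (query string or POST body) into an
// ordered list of [name, value] pairs instead of a map.
function parseOrdered(raw) {
  const pairs = [];
  if (!raw) return pairs;
  for (const field of raw.split('&')) {
    if (field === '') continue;                 // tolerate "a=1&&b=2"
    const eq = field.indexOf('=');              // only the first '=' separates name and value
    const rawName = eq === -1 ? field : field.slice(0, eq);
    const rawValue = eq === -1 ? '' : field.slice(eq + 1);
    pairs.push([decode(rawName), decode(rawValue)]);
  }
  return pairs;
}

// In this encoding '+' is a space; then percent-escapes are decoded. A
// malformed escape such as "%zz" is kept verbatim rather than throwing, so one
// bad field cannot take the whole request down.
function decode(s) {
  const plusFixed = s.replace(/\+/g, ' ');
  try { return decodeURIComponent(plusFixed); } catch { return plusFixed; }
}

// Group values by name while keeping first-seen order. Any name whose array
// has more than one entry is a parameter-pollution case: decide explicitly
// whether to reject it, take the first value, or take the last.
function groupOrdered(pairs) {
  const out = new Map();
  for (const [name, value] of pairs) {
    if (!out.has(name)) out.set(name, []);
    out.get(name).push(value);
  }
  return out;
}

// Strict variant: refuse requests that repeat any name.
function parseUnique(raw) {
  const grouped = groupOrdered(parseOrdered(raw));
  for (const [name, values] of grouped) {
    if (values.length > 1) throw new Error(`duplicate parameter: ${name}`);
  }
  return grouped;
}
```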
I am teaching a web development course at a CS department. I have written most of the final test by now; each question focuses on a specific feature or a specific technology.
I wonder if you can think of/recommend a question that combines the knowledge of a few technologies.
The course mostly covers: HTML, CSS, JS, HTTP, Servlets, JSP and JDBC.
(as well as AJAX, ORM, basic security issues like SQL-Injection and XSS, HTML5, REST APIs)
EDIT: I will super appreciate questions with answers :-) thanks!
I'll give the bounty to the question with the highest rank, so please vote! I honestly like most of the questions here, thank you all :-)
Explain the relationship of the DOM to each of the following technologies: HTML, CSS, JavaScript.
The goal here is for the answer to make clear the student understands that HTML generates a DOM structure, CSS affects how that structure is rendered, and JavaScript affects how that structure is modified. If you understand how it all ties back into the DOM, all client-side coding becomes straightforward.
Fun question :-) How about...
In web development you need to separate content, style and behavior. Describe why this is done and which technologies you use in which layer. Every acronym should be written out in full on first use. (10 p)
or...
Describe what happens in a web browser (step by step) when a web page is transferred over the internet from a web server through the HyperText Transfer Protocol to a client. Consider all the different technologies you have used in this course. (10 p)
Explain what happens, and which technologies could be used, when a user logs in to a protected web site using form-based login that sets an HTTP cookie. (Starting from the HTML form all the way to the database and back to the browser.) Bonus question: what changes when using AJAX for the login?
Answer (main points):
HTML: Form (using POST) with text input fields and a button. Security: the form sends via HTTPS. The login page itself should also be an HTTPS page (otherwise, the form could be replaced by Mallory -> MITM).
Javascript: Performs some basic validation (e. g. empty password), and displays error message before sending to server.
Servlet: Receives POST request, takes username/password parameters (in plaintext), calculates (salted) hash from password, discards plaintext password.
JDBC: Selects the hashed password from the DB. Used to compare with the transmitted password.
Servlet: On success, creates a new session (leads to the creation of a cookie header). Prepares objects that will be used in the JSP page (and stores them in the session or request scope).
JSP: Prepares the HTML page that will be sent to the browser.
Browser: Receives HTTP response, sets cookie and displays the page.
Bonus (AJAX): The server doesn't have to prepare the entire page, but only sends the necessary data and/or HTML snippets to the client. The browser doesn't reload the entire page, but modifies the current page using JavaScript. Security: AJAX can't perform Cross-Site requests, so it's impossible to have a HTTP page submit the login data via HTTPS.
Caution
It should be noted that this is not meant to be used as a HOWTO for building a secure login mechanism. This description is simplified and doesn't cover every security aspect. OTOH, as an exam question, it should probably be simplified further and adjusted to the content of the curriculum.
You can ask them to explain how to implement the MVC pattern, and where each technology comes into use in this MVC pattern. Rather, how and why?
Since students have already developed a simplified Twitter during their course, you may ask a question like what additional steps they would take to make it a real Twitter website or a clone of it, and ask them to describe each step starting from HTML to ORM/database. You may explicitly specify the technologies to be used.
Well, putting on my "evil" hat for a moment, you could ask how the back end data model should dictate the layout of the front end, and any answer other than some variation of "It doesn't" gets to take the class over again. >:-)
Why should any framework you use generate HTML, CSS and JS?
DRY
Imagine you work for a security agency and were given the task of developing a web site. The field agents specifically requested that the site could swap colors so that they could use it both on night-vision and at the office. With what you learned, describe how you would separate content from structure to allow night/day switching, and what security measures you would implement to prevent another enemy agency from stealing your data.
A spiced up question. I always find my students more interested when I put them in the middle of a plot.
Something along the lines of...
Explain how you would display the results of a call to an offsite XML feed when the user performs some action in the browser. The browser must not navigate.
A good answer would address the need for client-side scripting, the XSS issue, and the server-side component necessary to get around the XSS issue, possibly with pseudocode or snippets.
Ask them to develop a student database system, in which the user can search the database by date of birth.
Here the following technologies can be used and tested:
1. HTML for form controls
2. CSS for aesthetics
3. JavaScript for date validation
4. Very importantly, you can explain SQL injection
5. JSP
6. Servlets
7. JDBC
8. Any database
9. AJAX
10. The MVC design pattern can be used