This might be a duplicate, but I haven't found the answer that exactly resolves my problem... Sorry in advance if it's a duplicate.
I have an html form that takes a user name and password, and when I press Run request, it creates a post request to a servlet.
HTML page screenshot here.
The servlet itself doesn't need authentication. Instead, it uses the parameters to run another program in a process, which needs the user and password.
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String user = request.getParameter("user")
String password = request.getParameter("password");
String command = "cmd /c someprogram --user=\"" + user + "\" --password=\"" + password + "\"";
RunTime.getRuntime().exec(command);
...
}
But when I run this, the browser will show the http post request with the my password. Is there anyway that I can hide this?
RequestScreenshot
Thanks alot!!!!
To Simply hide from browser address bar, use POST instead of GET.
==========
If you really want to secure your password,then SSL is a must.
POST is not more secure than GET as it’s also send unencrypted.
SSL will cover the whole HTTP communication and encrypt the HTTP data send between the client and server.
Your HTML form element should have an attribute with method = post . (Formatting lacking as I'm on my phone)
Related
I am practicing maintaining sessions between client and server. For that I used simple solution with JSESSIONID stored inside cookie. So my little program works like this:
index.html:
<html><body>
<form action="testing">
<input type="text" name="animal">
<button>Go</button>
</form>
</body></html>
MyServlet.java (mapped in XML as /testing):
public class MyServlet extends HttpServlet {
#Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.setContentType("text/html");
String name = req.getParameter("animal");
PrintWriter pw = resp.getWriter();
pw.print("Welcome " + name + "<br>");
HttpSession session = req.getSession();
if (session.isNew()) {
pw.print("New session: " + session.getId() + "<br>");
} else {
pw.print("Old session: " + session.getId() + "<br>");
}
pw.print("<a href=\'index.html\'> Home </a>");
}
}
So, if I submit something from FORM more than twice, Server should "find" my JSESSIONID stored in heap. Here is a picture of how it would look when FORM is submitted (I typed 'parrot' inside input):
But then I disabled cookies in my browser. After, my server never finds user's JSESSIONID because user never actually stores it anywhere. Remember that before, JSESSIONID was stored in a cookie, but since I disabled them, it can't possibly store it there anymore. So now, I am stuck.
What can I do in this case? I came across response.encodeURL() that uses URL and appends its JSESSIONID into URL. But I have trouble understanding how to implement it and how it works internally. Can someone tell me how to fix this using encodeURL() and actually explain how does code work after made such implementation?
As per the specification, the server should support a few ways of tracking sessions: with cookies, SSL sessions, or URL rewriting.
You are asking about URL rewriting, which works like this:
URL rewriting is the lowest common denominator of session tracking. When a client will not accept a cookie, URL rewriting may be used by the server as the basis for session tracking. URL rewriting involves adding data, a session ID, to the URL path that is interpreted by the container to associate the request with a session.
The session ID must be encoded as a path parameter in the URL string. The name of the parameter must be jsessionid. Here is an example of a URL containing encoded path information:
http://www.myserver.com/catalog/index.html;jsessionid=1234
URL rewriting exposes session identifiers in logs, bookmarks, referer headers, cached HTML, and the URL bar. URL rewriting should not be used as a session tracking mechanism where cookies or SSL sessions are supported and suitable.
Notice that it's a path parameter, not a query parameter. Your query params will follow that, like this:
http://www.myserver.com/catalog/index.html;jsessionid=1234?param1=value1¶m2=value2&...
This mechanism is supported automatically by the server to track sessions, but it becomes pretty obvious that you need to give the server a helping hand. And you do that by making sure that all your links include the jsessionid otherwise your server won't identify your request with a session.
You can use encodeURL in your Java code:
Encodes the specified URL by including the session ID, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.
For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.
You need to do the same inside your JSP files. That's usually done with something like <c:url> instead of writing URLs directly into the file:
[...] You can use the url tag to rewrite URLs returned from a JSP page. The tag includes the session ID in the URL only if cookies are disabled; otherwise, it returns the URL unchanged. Note that this feature requires that the URL be relative. [...]
Here is something you can do. This is used to append your JSESSIONID to a url you would retrieve to the user, so they can navigate in it and maintain the information of who they are. About understanding how it works internally is simple as you see, it just append the id to a url you pass, how the user information are stored, is your function on the server side, you will use the id given by the user in the next requests to retrieve information to them.
/**
* Almost minimal processing for a servlet.
*
* #param nextUrl The url the caller would like to go to next. If
* supplied, put an encoded url into the returned
* html page as a hyperlink.
*/
#Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
resp.setContentType("text/plain");
PrintWriter out = resp.getWriter();
out.print("OK");
String param = req.getParameter("nextUrl");
if (param!=null) {
// append an encoded url to carry the sessionids
String targetUrl = resp.encodeURL(param);
out.print(". You want to go <a href=\"");
out.print(targetUrl);
out.print("\">here next</a>.");
}
}
Edit:
You put it in this part of your code
pw.print("<a href=\'" + resp.encodeURL("index.html") + "\'>Home</a>");
I have a login servlet with the URL mapping "/Login", which manages the user input and the login procedure. However, when the user logs in, the web site is directed to the URL:
http://localhost:8080/pilot_1/Login
instead of
http://localhost:8080/pilot_1/checklistallitem
It is to mention that the first URL works fine, it shows all the data, but I am not sure why the URL does not show up as desired. Here's my doPost method of the Login Servlet.
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
String username = req.getParameter("j_username");
String password = req.getParameter("j_password");
if (users.containsKey(username)){
if ( users.get(username).equals(password)){
req.getSession().setAttribute("active_window", "Checklist");
req.getSession().setAttribute("current_team", "allteams");
getServletContext().getRequestDispatcher("/checklistallteam").forward(req, resp);
}else{
JOptionPane.showMessageDialog(null, "Invalid ID or Password");
}
}else{
JOptionPane.showMessageDialog(null, "Invalid ID or Password");
}
}
This is the difference between a redirect and a forward. When you forward a request with a dispatcher the resolution and processing happens server side, then the final response is returned to the calling client. On the other hand, when you issue a redirect, there is an intermediate response to the client that basically tells it - 'Call this other URL to fulfill the request'. As a side effect the client will be aware of the URL of the new resource and will update the location bar to reflect it.
Because a forward is processed entirely on the server side the URL in the clients location bar does not change.
I'm trying to retrieve the username of user who recently logged in. I used .getRemoteUser() method to read the username. But it was not displaying the user infromation.
my code is :
response.setContentType("text/plain");
PrintWriter out= response.getWriter();
// Some introductory HTML...
String remoteUser = request.getRemoteUser();
// See if the client is allowed
if(remoteUser == null) {
out.println("Welcome");
} else {
out.println("Welcome " + remoteUser + "!");
}
I don't know why it was not giving the correct result. It always produces the result "Welcome". Which means request.getRemoteUser()==null. Please anyone tell me how to retrieve the remote user information. Thanks in advance....
request.getRemoteUser() will return the user logged in else it will return null. It depends upon what kind of authentication you are using.
Another reason would be the client (browser) is not sending the user name with the request. That can happen if you are outside the URL tree that asked for the authentication
use HTTP basic authentication only then you will have Remote User populated.
Here is simple tutorial on setting up a basic HTTP authentication in Java
For a fact you can use any one of the below standard authentication mechanism
static String BASIC_AUTH
String identifier for Basic authentication.
static String CLIENT_CERT_AUTH
String identifier for Client Certificate authentication.
static String DIGEST_AUTH
String identifier for Digest authentication.
static String FORM_AUTH
Sample URL http://dineshlingam.appspot.com/guestbook?name=xxx&skills=zzz
Sample Code
public class GuestbookServlet extends HttpServlet
{
public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException
{
String userName = req.getParameter("name");
String userSkills = req.getParameter("skills");
if(userName != null && userSkills != null)
{
res.setContentType("text/plain");
res.getWriter().println("Name : " + userName + ", Skills : " + userSkills);
}
else
res.sendRedirect(req.getRequestURI());
}
}
I am manually enter this URL to web browser.
How to secure parameters value.
Give me any one suitable example. Because I don't know the java concept and google-app-engine concept.
Really I don't know the SSL. So please I need detailed explanation of SSL with Example.
I am using eclipse to develop my application. Please help me. Thanks.
Your code is a classic example of a page vunerable to a CSS (Cross-Site-Scripting) attack. Using HTTPS wont mitigate that. Instead you need to escape any input before adding it to the page.
For example by using StringEscapeUtils.escapeHtml() and StringEscapeUtils.escapeJavaScript() from the Apache Commons Lang library.
Using https does not secure url parameter by any mean. You have to put parameters either in header or body if you want to make it secure. However if you are making a call directly from browser for this you cant put it in header neither in body because it is a a GET request. +1 to nfechner for highlighting XSS issue in your code.
For your problem here are the possible workaround with https:
Instead of GEt call use a POST call by putting this search in separate form in your page and use HTTPS on top of that.
If you want to use GET request you have to put the parameters in Headers, make a search page, When user hits the search button, make ajax call to above resource by passing it into header using https call.
I already asked this question, but because of missing answers i'll give it another try!
What i want to do
Write a java webapp which logs me, automatically, in any webapp. For an example I chose my zimbra
mailaccount.
How should my Java webapp work
the app should send a login request to the particular app, which is usually corresponding to
the action in the login-form. After executing my app cookies should be set so that I'm logged in
automatically.
What I'm currently trying
I'm using the code below, the doGet() method is part of an extended HttpServlet.
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
HttpClient httpclient = new HttpClient();
PostMethod postMethod1 = new PostMethod("http://mail.mydomain.at/zimbra/");
postMethod1.getParams().setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
postMethod1.addParameter("username", "myname#mydomain.at");
postMethod1.addParameter("password", "mypassword");
postMethod1.addParameter("loginOp", "login");
httpclient.executeMethod(postMethod1);
out.println(postMethod1.getResponseBodyAsString());
}
What's the problem
After executing the code I only get a message, saying that my browser(which is in fact my HttpClient) appears to prohibit cookies.
So what, I think, happens is that the cookies are going to be set in the HttpClient, which I initialized.
But what i want to happen is that the cookies are set in my browser. How can i accomplish this?
SOLUTION:
the quest failed, because by logging in with a webapplication (via a self instantiated HTTPClient), this client receives the cookies, but not the browser. No workaround was found.
I don't think you can set a cookie of www.xyz.com domain if your browser is accessing www.abc.com. Otherwise it would be a big security violation. Anybody could set a fake cookie in their browser and access your data.
In your case you will need to excpilitly login to zimbra from your browser in order to get the cookie set on the client.