I have developed a web application where we can sign into to once dropbox account and get their data.
The problem here is ,lets say user(X) accessed the web application through a browser and sign into his dropbox account in the network (lets say A) , now if we open the same web application in another network (lets say B) it also says that the user (X) has signed into the dropbox account.
Same happens between browsers also, Like if a user (X) opened the application in google chrome and signed into the dropbox account and when the user opens the application in Mozilla it says that user(X) has signed in.
The application is developed in Java using Spring MVC framework, used jsp pages for UI and jquery.
Im running this application on Apache Tomcat Server.
Question:
How do I make resources not shared among browsers and networks.
We need to implement sessions in the project and store the accesstoken given by Dropbox as part of Outh 2.0 protocol as a session variable.
Whenever the user tries to request the web-application, that particular session loads up and uses the value of accesstoken present in that session variable.
In this way we can differentiate between requests.
Related
I currently have a web application say App C. which is using a LDAP login.
Additionally i have 2 more web application say App A and B using custom login against a DB.
All web apps A, B and C have common database. And we have access to change/rework all 3 apps.
Problem statement. Users of App A and B should be able to use App C and they should not be asked for login as they have already logged into A and B. So App C should allow users of App A and B.
Solutions tried.
From web app A. We wrote an service at backend which works on authentication of web app A. And this service internally calls App C and creates a session of App C. This is not a right approach and nothing elses works.
Create a common login mechanism to use an external tools for authenication or something like google login but we are nothing taking that route.
Please suggest any other possible solution.
You basically have two options:
Have applications A and C share a session (e.g. using the same web server),
Use external authentication like OAuth or SAML (as you mentioned).
https://shiro.apache.org/web.html#session_management
I have a java web application(hosted in Linux) which speaks to a document management system which is a .NET based system via rest services. By default SSO Kerberos authentication is used in document system and for the same we are passing SSO Token to identify the user who accesses our application via web browser. This works fine and the document system is able to identify the user and allows user to upload document.
However we have a problem when a user who belongs to a different domain/AD tries to access the application. This is due to the external trust level between the environment document service is hosted and user environment. The document mgmt system supports NTLM authentication to handle this scenario and we were told that we need to pass credential object in the request. It appears there are easy ways for .NET client to extract user credential using CredentialCache object but I am struggling to find equivalent in Java.
I am trying to find out a way to pull the users windows credential so that I can set in the credentials object before i send the request to document system. Our application is SSO enabled, hence we dont want the user to explicitly pass his windows credential.
i want my company website to access from my android phone but that website can only be accessed by registered member
i have login page in that i have to enter registered email and passwrd than directly from the login page only i have to redirect to my company web url ???
Please give suggestion
Thanks in advance
Edited, to be more explicit :
How to secure and restrict access to a website ?
Restrict network access
Maybe the simpliest solution. A web site is not always available on the internet or for everybody. In fact if your website sit in some machine in your company office, make it available on the net require more effort than just let local computers access to it.
What does that mean ? You configure your firewall and your network to allow access of your server for only some IP address/port. To continue on this network only solution, you can create a VPN that include your mobile phone devices.
Include authentification and authorization management directly in the application
The first solution is a first pass. It allow you to forbidd access to most people out of your organisation. But maybe you want more, you want for exemple that only people from marketing do have access to the web site. Or maybe you want depending of the user (or user group), allow them to do differents things.
The best way to do that is to directly manage uses rights into your website. You authenticate users, and when a specific functionnality is requested your firt verify is user has credential.
If you already have an IT department, it is likely that a directory is available with all users, their password and their groups. You can base your check on the directory, avoiding the harsle to create/delete users in your application directly.
Using a proxy to secure or authenticate access
This solution is like a melt of the other ones. First you make sure sure using network restriction that your web site is only accessible using the proxy machine (so only one IP basically). Then you use a web server (like Apache HTTPD server) as a proxy, or a gateway to access the website.
Basically, when a user want to request your website, it doesn't directly ask the application that manage it, but the proxy. Because the application server is isolated in the network, it doesn't have to be secured.
The proxy allow you to fine tune the behaviour of your web site :
you can add encryption using SSL to
all data that transit from the client
to server, so no senssible data is
sent unprotected
you can compress all data that
transit to optimize the bandwidth
usage (really important for mobile
device and their not so good
internet connexion).
you can use HTTP authentification to
check user has the right to access
to the page. This can be just a
login/password check, or a client
certificate to fully secure the
connexion, allowing only device
with the certificate to be granted
access.
You can tune access per group to certain part of the site, but this is not as flexible as retrictions done directly by the web site application.
Didn't catch you very well. Do you mean that you want your company website can just be accessed by android phone for registered member? If so, I think you can check what browser type can be used in android phone, and in your website check it from http request, like "String browserType=(String)request.getHeader("User-Agent");" .
I am trying to secure my Flex application within my Java web application. Currently my Java web application, handles logging and managing user accounts and the like. I was wondering if there is a way to essentially share that user credentials with the Flash movie in a secure mechanism? For instance, if you log in, we want you to be able to save items in the Flex application for that user, only if that user is logged in of course. Any ideas? Any help is greatly appreciated.
Update:
I apologize for the vagueness. I'm running Tomcat 5.5, Java 6 doing portlet development inside a Vignette Portal. All data communication is via Blaze DS. In our environment, we have data services and the portal handles logins, user management and the like. Currently we are simply passing down the username to the flash movie, which I don't feel is very secure.
You can pass data to a flash movie using flashVars which can be generated in a JSP. The data can be a one-time key generated on the server and associated with a user id. The Flex application can then take the key and use it to log in via a webservice call. The server will then validate the key and allow access to the user's account.
It is a very general question and it's hard to provide a good answer without knowing what is your current architecture. The Flex application is using the same web server as your web application? What are you using in order to discuss with the backend (web services, sockets, rtmp sockets)? If you are sharing the same web server you can access the same HTTP session and you can check if the user is logged in or not.
If you need to be aware in your Flex application that the user has just logged off from the HTML application or the session has expired you have several options, again depending on your architecture. Assuming that the HTML application was already was notified you can call through ExternalInterface a method from the Flex application. If not (session expired while you are using the Flex application) you will know when trying to save your data.
I have application written in GWT and hosted on Google AppEngine/Java. In this application user will have an option to upload video/audio/text file to the server. Those files could be big, up to 1gb or so and because GAE/J does not support large file I have to use another server to store those files. This would be easy to implement if there was no cross-domain security feature in browsers. So, what I'm thinking is to make GAE Server talk to my server (Glassfish or any other java servers if needed) to tell url to the file and if possible send status of uploaded file (how many percent was uploaded) so I can show status on clients screen. Here is what I'm thinking to do.
When user loads GWT page that is stored on GAE/J he/she will upload file to my server, then my server will send response back to GAE and GAE will send response to the client.
If this scenario is possible what would be the best way to implement GAE to Glassfish conversation?
Actually before that maybe you can try using first approach via by-passing cross-domain security of browsers using iframe. There are some ready to use components for this but for your problem which of them can be usable I don't know. Just google for these components...
Doing it the original way you suggested use URL Fetch Service
The down side to doing it the other way is that you introduce dependencies on multiple sites inside your web pages.
The downside of using the URL Fetch Service is that you have to pay by number of bytes transferred after you have reached the free quota.
One option would be to wait - the blobstore limit won't always be 50MB!
If you're in a hurry, though, I would suggest an approach like the following:
Have your App Engine app generate a signed token that signifies the user has permission to upload a file. The token should include the current date and time, the user's user ID, the maximum file size, and any other relevant information, and should be signed using HMAC-SHA1 with a secret key that your App Engine app and your server both know.
Return a form to the user that POSTs to a URL on your blob hosting server, and embeds the token you generated in step 1. If you want progress notifications, you can use a tool like plupload, and serve the form in an IFrame served by your upload server.
When the user uploads the file to your server, the server should return a redirect back to your App Engine app, with a new token embedded in the redirect URL. That token, again signed with a common secret, contains the ID of the newly uploaded file.
When your App Engine app receives a request for the redirect URL, it knows the upload was completed, and can record the new file's ID etc in the datastore.
Alternately, you can use Amazon's S3, which already supports all this with its HTML Form support.