I am trying to learn Vaadin framework and have been going through the resources on Vaadin website.
I have two questions which so far I have not been able to find a precise answer to.
Since all your business logic is sitting on the server the questions are, can Vaadin do the following with the additional constraint of not using any additional frameworks as much as possible.
Can Vaadin be used to create applications that offer limited offline capabilities when there is no internet access, (limited to 'view only' mode) without the use of Touchkit.
Can Vaadin be used to create applications that implement end to end encryption (any data the user enters is encrypted client side before being sent to server)
Can Vaadin be used to create applications that offer limited offline capabilities when there is no internet access, (limited to 'view only' mode) without the use of Touchkit.
Vaadin might be used to create applicaion with limited offline capabilities because it uses HTML5 "cache manifest" that makes it possible. However, as you are asking to without the usage of "Touchkit"; I guess this might not be possible at the moment.
Can Vaadin be used to create applications that implement end to end encryption (any data the user enters is encrypted client side before being sent to server)
I think it might be possible to encrypt client side code before being sent to the server. In an application where users have read access to data and some users have write access, the domain model can be designed to basically in any way possible. However, if there are groups of users that should be given read access to only some parts of the data, things might be complicated.
Although my answers might not be very convincing, I hope you get some idea out of this.
Related
I am a web developer and in web development we have been taught to do both client side and server side validation. In Android programming I am doing the client side validation and showing messages using Toast. After that sending data to web services,
1) should I still do a validation (like password field has min of 6 characters, alphanumeric etc.) in web services.
What are the best practices with respect to validation in Android development?
Yes, You should do validation from server side. then the question why comes
Client-side validation is always in the sense of providing a better User Experience (UX), so the user doesn't have to submit and reenter information simply because a value in a form isn't valid - it makes things more dynamic.
What could a user do if you do not server-side validate? Anything, depending on how you use their data. You could be allowing users to drop entire databases (or worse, leak them), modify anything they like (or worse, read anything they like. Directory traversal flaws are extremely common entrance points for naughty people), and elevate their privileges at will. Do you want to run this risk? Not validating user input is like trusting people and not installing locks on your house.
Yes, you should definitely!
Imagine you add other clients, other than Android, to communicate with your application. Then, by server-side checks, you have the insurance that the checks are consistent. Otherwise, consistency is much harder to achieve.
For example: You add a Website as an additional client (beside your app, like some messangers do), and add checks on the client-side by JavaScript. The user disables JavaScript and puts trash into your database!
Another example: You add a iOS-Client. Your password-requirements change from 6 to 8 letters. Now you have to modify and deliver 2 clients, while with serverside-checks. you only have to update your webservice.
So you get safety for more clients!
Read an interesting article about securing XP,http://www.expertreviews.co.uk/software/1304965/when-windows-xp-support-ends-this-is-how-you-secure-your-pc-and-save-all-updates.
With these suggestions is building apps for the marketplace ok with this setup to get by w/o headaches.
Here are my noob thoughts and question:
Just learning to code. Do you think I could run a limited setup to learn languages Java and C# while still being able to use my desktop for deployment of apps? A limited login as described only allows certain actions which I believe is different than a typical guest account. I wonder if my comp could still act as a server to retrieve data requested by users away from my machine. I figure I would need to be logged in as an admin to make some changes but, would hope that tasking processes or jobs could still be done.
I guess my question is, do users of a program you made need access to a local machine for some functions and would that work in limited?
I would like to get something portable and keep my desktop for business to be economical and not run the risk of logging on to an unsecure Wi-Fi with a portable that has business use. Ideally, I'd pony up for newer, better. I'm just learning though.
Do users of a program you made need access to a local machine for some functions and would that work in limited.
No. If you need some sort of server backend for your app a personal computer would be a bad choice for several reasons:
It would need to be available at all times: you can't frequently turn it off or restart.
It would require the same ip address.
It could consume a good amount of you're computer's resources, making it difficult to use for personal use
Instead you should probably be using a dedicated server or a cloud based solution, of which several offer free usage tiers.
I wish to connect to a Mysql Database with Java without revealing the password to anyone that may decompile my code? I can efficiently connect to a database, but my ways will openly show my password in the code :( and wish only a response on how to hide the password. Thanks is advance, Josh Aurora
OAuth allows client connection without storing credentials on client ( used widely on mobile devices or to identify tweitte applications ). It also allows to remove access permissions from rogue clients. But I doubt that mysql suzpports this directly,. so you will have to wrap your database with some kind of service layer. One of usable imaplementations of OAuth:
http://code.google.com/p/oauth-signpost/
(IIRC, used by Qipe )
Assuming that the database which will be accessed will be on your machines, two things that come to mind:
Set up a small secure REST service (as shown here) which will, upon a certain request with certain credentials, pass the password to your database. This however might be an issue if your application is sitting behind some corporate firewall since you might need to add firewall exceptions, which is something that not all administrators are enthusiastic about.
You could use a mix of Cryptography and Obfuscation to encrypt the password to the database and then obfuscate all your code.
As a note though, either of these methods can, in time be broken. This is basically the rule about all security related software.
If it where up to me, I would go about this problem using the first approach and make sure that the credentials through which the service is accessed are changed often.
However, databases which are used as part of a client solution contain pretty sensitive data which is in the client's interest not to tamper with, so the client will most likely not mess around with it, he/she will be happy as long as the system works.
If on the other hand, the database is not deployed onto one of your machines then you can't really do much about it. You could recommend that the server will be stored on a remote machine with access only over the intranet, but other than that, I do not think you can do much about it.
I am going to make an application (iOS and Android) that will use a web service that I am developing. I will use HTTPS and SSL so that the data sent from the app to the server is secured. However how do I stop (or make the life of people who decompile the app hard) "hackers" from decompiling the source code where the URL is written?
I don't want other people to make an application that use my data.
The users of my app will have to register and login in order to use it. I have read something about authenticating the users and pass a key back (the way Facebook does). However wouldn't this mean that a "hacker" could sign up and then use the same key? Would you need to track the usage of each key to look for irregular use?
The server technology is either Java EE or Scala (Lift).
First: There is no 100% security for anything you run on a device that is not under your control (like iOS and Android devices in your case).
You could make "abuse" harder by several measures:
issue a session key after a successfull login with a time-limit so a new login needs to happen after a certain time has passed by
issue an interaction key for every communication step which gets invalidated right after one usage
when a successfull login happens terminate any other session associated with the same credentials that might be active before that login
"throttle" usage (might be impossible depending on the specific application)
IF you really really want to make it very hard you can issue a device-specific client-certificate and use cert-based client authentication (defined in SSL standard) - you can invalidate the cert associated with the device if you see abuse without harm for the legitimate users of other devices...
This is more-or-less impossible. You can use bytecode obfuscation to make decompiling harder, but anyone who tries hard enough can see what the code is doing.
If you are allowing access to the data to people that you can't trust, then the only things you can do are to
ask nicely (please don't abuse my data)
authenticate users so you can monitor individual usage, and maybe apply usage or rate limits (like Twitter does)
make people sign a legal agreement (unlikely to attract many users unless your data/app is very valuable to them!)
Also consider whether you can do more server-side processing so that less raw data is sent to the client. I don't know what your data is like, but taking the example of maps, if you send a pre-rendered bitmap rather than some lat/long vector data, then extracting anything useful is much harder work.
I want to create a Java server in the client's browser to collect and manage communication
and update the displayed material in the client browser and receive the Get Push Post statements and then communicate through a long life persistent link for security reasons.
I know some universities have started working on this type of service
But i would prefer to do this from another approach.
What services/plugins are there that can help me in this field.
Its taken me a long time just to get to this point to even know what I'm asking for
But now I'm hearing I just need the tools and implementation of them.
What you're looking for is probably known as COMET, and can be done purely in JavaScript, without requiring a Java applet: http://en.wikipedia.org/wiki/Comet_(programming)) The advantage being that it could be implemented on a mobile device/tablet as well.
There are a number of libraries that will help you accomplish this depending on your programming environment. I tend to work in JSF, and so I favor tools for that environment, (IceFaces, RichFaces, PrimeFaces) but your choice of tools will depend on your specific application environment, which you haven't provided much detail about.