Looking for a pointer on how to get HttpClient (httpclient 4.3.6) to Authenticate the current user to IIS REST service.
I can connect no problem using UrlConnection as it seems to handle the WWW-Authentication protocol out of the box.
I have moved to HttpClient to leverage the multi-part POST/PUT (FileEntity) and I have discovered that the HttpClient does not handle the WWW-Authentication, it simply fails with a 401 which is the first part of the process.
I have found some examples out there that present NTLM credentials etc... but I don't want to capture credentials, I want to execute the request using the current windows identity.
Is there some code or an API out there that I can use to manage this on my behalf? I don't want to capture user name and password, I just want to present the current user credentials. Do I need to use a 3rd party library like SPNEGO?
Many thanks in advance
You might want to try out HttpClient 4.4 (to be released as GA soon). It supports native Windows Negotiate, Kerberos and NTLM via SSPI through JNA when running on Windows OS. Please note this feature is still considered experimental. Your mileage may vary.
http://hc.apache.org/httpcomponents-client-4.4.x/httpclient-win/examples/org/apache/http/examples/client/win/ClientWinAuth.java
Related
I want to write a messenger app on Swift, iOS and as a database I chose MongoDB and turned ON authentication on it. And for the bridge I chose RESTHeart(GitHub). But for input something to database from RESTHeart I use the next line:
http PUT 127.0.0.1:8080/myfirstdb desc='this is my first db created with restheart' -a username:password
So, I use authentication for each connection. So my question is:
Is it OK, log in for each insert to database for the messenger app or there are another, better, solution? I think that I need to make this process as faster as possible
Quoting the RESTHeart documentation:
If a request is successfully authenticated, an authentication token is generated and included in every subsequent responses. Following requests can either use the password or the auth token.
http://restheart.org/docs/security.html
You have to enable the auth token with the auth-token-enabled: true configuration
You should also make sure to use https.
Quoting the RESTHeart documentation:
With stateless basic authentication, user credentials must be sent over the network on each request. It is mandatory to use only the https listener; with the http listener credentials can be sniffed by a man-in-the-middle attack. Use the http listener only at development time and on trusted environments.
Currently I have got a specific problem finding a solution and I am hoping you are able to provide
some light on the matter.
The Structure of the problem:
The task at hand is to gather a client's login credentials (token) and pass this to the servlet. However I cannot seem to find a good resource to do this. I have researched a wide variety of ways. I.e SPNEGO, WAFFLE etc..., However, these seem to require some sort of active directory by my understanding, I am trying to gather the credentials from the users local machine. A clear explanation or guidance to how I can gather the windows credentials to the servlet for my specific request would be appreciated.
Diagrams are always a better way of explaining so I will provide one if you are still confused:
Windows PC (Client) ------------------------> Java Servlet -------------------------------------> IIS Server
(windows authentication) --------------> (Get Credentials) -------------------- (Check Credentials & Authenticate)
(token) (pass credentials)
Thank you in advanced to anyone who replies, I really appreciate it!.
You are wasting your time. If you only take the credentials from the users local machine then you have no way of knowing if those credentials can be trusted. You might as well just give every user administrative access to your web application.
The reason active directory (or something like it) is required is that it is not under the control of the client and is trusted by the server. For example, when using SPNEGO, the client authenticates itself to the windows domain, the client gets a token from the windows domain that it can only get if it is authenticated, the client passes the token to the server, the server can then validate that token with the Windows domain to confirm that the client is indeed who they claim to be. (Not quite that simple but you get the idea.)
There are other ways to do this - e.g. with PKI - but they all have in common a central, trusted authentication system that the server can use to validate credentials provided by the client.
I'm building an android application which uses a PHP web service (I am building this also).
My question is, how do I prevent unauthorised users using my webservice? For example, could someone get the address of my web service and use it outside of my app (e.g. sending post variables to my service)?
Another related question is how do I prevent spam requests on my webservice? Would it be a case of logging the IP address and limiting the amount of calls?
You can use an HTTPS connection between the Android device and your webservice API endpoint.
Limit you webservice so that it accept only HTTPS connections. You can easily do this using Apache (perhaps using the SSLRequireSSL directive) or directly in your PHP connection handler.
While using an HTTPS transport stream, you can pass specific arguments when making an API call to your webservice to ensure the request has been sent from your application. Nobody will be able to know what specific data are transmitted and will not be able to reproduce an acceptable connection to your remote service.
Regarding your second question, you can indeed limit the number of requests for a given amount of time. Either in PHP or by using specific tools such as fail2ban.
PHP can receive data via POST or GET out of your site and even the internet browser. One of the methods used to do this is by curl.
To what are you referring to this question is known as Cross-site request forgery.
If you are able, you should implement the use of HTTPS in your app and this could solve many security problems.
In case you can not use HTTPS (whether it is expensive or any other problem):
You must verify the information received by POST or GET in your PHP, this language has much ability to solve these "problems"; Take a look at this part of the PHP official documentation.
Suppose you're building a login system:
Also you can add in the login page place a hidden element with secret unique code that can happend only once, save this secret code in session, so, the loging script look in session for this code, compare with what was posted to the script, should same to proceed.
And, if you want to get the IP address of your visitors:
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
Finally, read this.
EDIT
If you can't pay an HTTPS certificate, (as Halim Qarroum says) you can use:
Self signed SSL certificates,
which are free.
Of course this has its advantages and disadvantages
I'm implementing a little snippet of code in order to log into a SAML protected website.
I have this piece of code:
HttpsURLConnection connection = (HttpsURLConnection)url.openConnection();
through which I connect with a safe SSL connection to some URLs.
On the first two times, with two different URLs, it works perfectly, but then, when I try to perform a specific request (the SAMLRequest to the IDP server, to be precise), the script thows this error:
[ATTENTION] An error occured: java.lang.IllegalStateException: connection not yet open
I can't really understand what's going on. While connecting to the SP, the connection is good (I also able to obtain this information, so I suppose the SSL to be working con.getCipherSuite() = TLS_RSA_WITH_AES_128_CBC_SHA), but then it stops.
Since the request I'm trying to issue is the only one which really matters in the SAML scheme, among the three I tried to perform, I thought it was a server-side problem:
Connect to the homepage of the service provider (SP) in order to get JSESSIONID cookie: it works
Connect to the SP login page in order to get the SAML Request: it works
Connect to the IDP in order to send (via GET) the SAML Request: ERROR.
How can I get rid of this problem, and be sure the connection is safe? I have the strong need to avoid a MINM attack, since the script will be implemented in an Android app which will need a strong level of security...
Sorry I might be a bit off topic here!
Are you using Google app engine for this? As google app engine doesn't support HttpsUrlConnection. Please read more here
I am having a problem with a signed Java applet which performs simple HTTPS requests to our server (using Java's URL, Connection classes). Everything looks ok for majority of the clients. However, we do have several clients under corporate network, which are behind a proxy that requires authentication (possibly windows-logon-based authentication)). And for these clients we often hear such feedback like:
The application behaves extremely slow though our network speed is 20mbps.
20mbps connection is a huge speed for our application to work perfectly.
So my first question specifically the following:
1) Can it be the case that proxy analyses the content of our requests and thus impacts the performance of the app. And could it be only a Java-specific problem ?
The next part is about Java and Java applets specifically.
From forums I know there is a problem with Java selecting the right proxy configured in Browser. Sometimes Java applet fails to detect the proxy configured in IE, and the only solution is to configure it also in Java's Control Panel.
Having said this, the next question is:
2) Taking into account that direct connection for the corporate clients is not allowed and Java Control Panel is not properly configured, could that be the case that Java plugin selects another - wrong proxy, thru which it eventually access to the servers and thus resulting very low performance ?
I also have tried to use Apache's HttpClient (http://hc.apache.org/httpcomponents-client-ga/), to check how it performs under such environment. I have configured the client as specified in Apache tutorial to automatically get the JRE's proxy:
httpclient = new DefaultHttpClient();
ProxySelectorRoutePlanner routePlanner = new ProxySelectorRoutePlanner(
httpclient.getConnectionManager().getSchemeRegistry(),
ProxySelector.getDefault());
httpclient.setRoutePlanner(routePlanner);
And what we faced is an authentication required error (407) when we try to execute requests via Apache's httpclient. Specifically407 proxy authentication required. the ISA server requires
authorisation to fulfill the request
So the last question is about this differences between Apache and Java's client.
3) How Java Applet chooses the proxy ? and How Apache Client's selection logic differs from that of Java's ?
Please share any strongly confirmed experience you might find out could be helpful for my situation.
Thanks in advance.
3) How Java Applet chooses the proxy ?
Default behaviour:
Applet checks control panel\java\ network\network proxy settings
and uses the proxy according to the configuration in there.
Setting system properties for an applet does not works.
i.e:
System.setProperty("java.net.useSystemProxies","true");
System.setProperty("http.proxyHost", "1.1.1.1");
System.setProperty("http.proxyPort", "8080");
If you want to alter the proxy selection for an applet.
then you can use ProxySelector class.
also check out this question how-to-set-http-proxy-in-an-applet you may find it useful.