I have a question about whether I really need SSL or not. The scenario is as follows:
I have two applications at the moment, they are both Java webapps. One of them is getting data from another via RESTful web service secured by Spring Security, but my problem is that it sends username and password in URL so the other app can authenticate and authorize it using LDAP. In the end both apps will be running on JBoss AS 7 server so even though one of them is a client and the other one is server they will be running on one server and that confuses me a little bit (even if they will use multiple instances of JBoss they will still be both in the same network). Also signing certificate by third party seems unnecessary here because I don't really care if anyone will trust my server app and again I found that I can implement my own Certificate Authority but it really seems to me as an overkill.
So to summarize it: if I only care about request (or just its parts - username and password) being encrypted do I need to enable SSL and provide all it needs or is there any easier way to achieve it?
Related
I have two microservices. Microservice A is sending a request to microservice B to register a user in the system, in the request there is a plain text password. Data exchange between those services is HTTP based.
The connection between those microservices is purely local so basically I should not really worry about password leaking anyhow but is it really a good programming practice to not encode password even between two local microservices?
The rule is that sensitive information should never be exchanged in plain text over an insecure connection. If you are in a fully closed environment, typically 2 services in the same host machine, encryption does not matter. But if the application is splitted in multiple services, those services could later be hosted in more distant places with a less secure network between them.
In that case a simple way is to protect the whole connection with SSL. HTTPS is no longer a too heavy load for nowadays servers, so it is an easy way to encrypt everything between the client part and the server part.
The nice point is that through proxying and reverse-proxying, it is easy to protect the communication between two java services without the services themselves seeing it. So if for any reason you cannot directly process HTTPS inside the microservices, you can always rely on Apache or nginx (reverse-)proxies to encrypt the communication between the microservices is it later use an insecure network. BTW, it is the common way to use HTTPS on Java servlets: the servlet is hosted in a Tomcat (or any other servlet container), and hidden behind an Apache httpd server (or any other reverse proxy) that handles the HTTPS part, and optionaly can serve static content.
As already stated you should at least use https to encode the data stream between the services.
Additionally it is a good idea to have a look at JWT (JSON Web Token) or similar common techniques to protect services. With JWT's you don't need to exchange the passwords which is always unsecure (think of network sniffers).
You can use,
Base-64 encoded password (Not encryption/Hashing) to transfer password if it is not sensitive information between two services.
It is recommended to have SSL/TSL over HTTPS protocol in wire transfer.
Instead of passing plan text password, try to use Token. (Example: pass the JWT token and verify in other service) [Quick read: https://stormpath.com/blog/microservices-jwt-spring-boot]
Hope this will help.
I am wondering if there is a solution to my problem. As a summary, I need a non-intrusive Web response cache for users that authenticate via a client certificate and are authorised to see URLs based on that.
I have a JEE application and I would like to cache responses to Web requests. I am trying to do it as transparent as possible (ie. without messing with the code), so I found Squid.
My problem is that users might authenticate themselves via a client certificate (or the absence of it) getting authorisation based on this, and this is what makes things "difficult". Is there a way to configure Squid, or any other software, to cache the results after the communication has been established by Tomcat? Something like a cache that is triggered by my application right after the TLS handshake is over and Shiro has been called (because user permissions depend on their certificate). The fact that users have to be authorised by my app make me think that the only way is to create Java code for this, not using Squid or similar software transparently.
I am sure this is a problem that has happened before.
I need to connect to a MySQL database from a java Desktop application. The way I was planning on doing this, was using HTTP to open a php page on my website, that PHP script will handle all the mysql stuff so my MySQL user/pass is not accessable to the client at all. so, my question is, would SSL be required? and also, how could I prevent people from taking the URL to the PHP script and using their web browser to mess things up on the database?
This should probably be on the security site, but anyway.
If you don't want everything you send to the database to be visible to the world, use SSL.
Force the client to authenticate to your server side script before making any changes to the database if you don't want anyone in the world making changes.
Make sure that SQL injection is prevented.
Why wouldn't you just use MySQL user authentication with SSL? Writing your own bridge sounds like it would only cause problems and expose more security holes than you'd otherwise have.
so, my question is, would SSL be required?
SSL helps provide a layer of security, through encryption, which keeps people from hijacking the connection and intercepting what you send (for more information, see: Firesheep). Therefore, while not required, per se, it is recommended. If you have control over the Java app, and depending on your purposes (namely, an in-house application), then you can use a self-signed certificate and package the cert with the app for verification purposes (see: this SO question for more info on self-signed vs CA SSL certs).
how could I prevent people from taking the URL to the PHP script and using their web browser to mess things up on the database?
As with other Information Security things, nothing is 100% guaranteed, but the most common way to do this would be via an API key, especially since what you're describing is an API.
If you're looking for a quick-and-dirty setup, then you can use HTTP Basic Authentication to send some credentials, and use SSL to secure it. For a more robust solution, you'll probably want to look into HTTP Digest Authentication and/or OAuth. What you use will also depend on your specific needs.
You can then code the API key into the Java app, or create a way of generating and requesting API keys (again, depends on your specific purposes and needs), and the client sends the API key with the request. If the key doesn't match what you have "on file", then you deny the request.
A quick note on using an API vs connecting to MySQL directly
A couple of people brought up connecting to MySQL directly. I think this is a valid option, but will depend largely on what you're doing and who you're distributing to (and, for that matter, whether you want to open that database to other clients).
If you have plans to have other clients (such as mobile devices) connecting to this database, or if you don't have control of the database for whatever reason (ie - your hosting setup won't allow you to make remote access available), then it might prove useful in the long run to build an API.
However, if you have no such plans, or do have full control of the database, and you control the source code of the Java application, then directly connecting to the MySQL database is a valid option. Just make sure you follow the principle of least access - the Java application gets a dedicated MySQL user that only has the permissions that are absolutely necessary - and the Java application user has a strong password (and since no humans are involved in this process after you code it, you can use a password generator to create something long and convoluted and completely random).
I have to write a java program that hits a url
https://localhost:8443/ping.jsp
over ssl and returns the response whether the application is up or not. If I hit that url manually from my web browser it asks for security certificates and when I provide them it communicates with the application and displayes the response on the web page. I want to automate this process so that the java program takes care of providing the security certificates and everything. I could do it if it were not for ssl and security certificates but I am not sure how to automate this part (providing certificates).
I have truststore/keystore files but I am not sure how to use them in order to accomplish the task. Any ideas or any useful links that I should follow ?
I have a Java Web Start Application which communicates against my server via a web service (over https).
I want to restrict the usage of the webservice to my app only, so that 3rd party apps don't work.
What strategies to I have? This question is somewhat broad, but running in JWS disables some options, like doing a checksum over all jars (at least I don't know a way of doing this in a JWS environment).
I can always implement my own auth scheme, but since the client code is on the client-side, one can always disassemble the class files and crack the auth mechanism.
Remember that if the client is communicating with the server over https, the user can easily replace the JWS client with something else that also communicates over https. Anything the JWS client could sent to "prove" its identity could be faked pretty easily. You could use client certificates (or numerous other types of authentication) to make sure only users with access to the JWS client could connect, but they will always be able to extract what they need from the JWS client to connect with something else.
The service needs to be secured based on what the user should be allowed to do.