I want to restrict the direct download of a file on my site (let's say www.me.com/asd.txt)
but permit my Java applet in www.me.com/javaapplet.jar to download it.
Is there a simple way for this?
I'm not sure if it's relevant, but the server is running Apache 2.2.24
Anticipated thanks for your help,
sboda
A secure way to do this is to require client certificate authentication for applets that want to download your file. Here's an example that uses the Apache HTTP Client.
You'll also need to create a self-signed client certificate that you provide to "valid" users through some other channel (like a web page with a required login), and you'll need to tell your HTTP server about the self-signed certificate. Here's a way to set up a self-signed client certificate if you are using Tomcat: Tomcat Server/Client Self-Signed SSL Certificate. Of course, other HTTP servers will have different procedures.
There are some issues using the browser certificates with the Java plugin that will require your users to do some work exporting the browser certificates for use with the Java plugin. See http://download.java.net/jdk7/archive/b126/docs/technotes/guides/deployment/deployment-guide/upgrade-guide/article-16.html
Use a private key. The file can only be downloaded if the private key is passed along with the request.
Related
I'm writing a J2ME application that makes HTTPS requests on a phone with outdated root SSL certificates,
and I wanted to ask: is there a way to include a root SSL certificate as a resource in the application and let the HttpsConnection API validate against this root certificate?
You can't supply certificates with your application for working with the default API. But you can use libraries which can replace this API, for example: https://github.com/rotsenmarcello/mhc
If you want to install a root certificate, this question is very device-specific and has no single answer.
If we're talking about a specific SSL certificate you just need to install on the phone, to be used by the phone browser, I think there's a way to do it with JavaME:
Include the certificate inside the JAR.
Code a simple webserver that serves the certificate file, and start it.
Call platformRequest("http://127.0.0.1");
This should theoretically open a new native browser and the user downloads and installs the certificate.
I have an SSL applet I want to connect to a C++ server. Do I need to self-sign the JAR at all? Also, do I absolutely need to set up a CA to do it?
I had some luck with trust stores in the past. Do I need a trust/key store to get it working? If so can you please link me a decent page on how to do it?
The difference between signed and unsigned applets is that unsigned applets run in a security sandbox and are restricted in what they can do. They can make HTTP connections to the server they were loaded from. They cannot make HTTP connections to other servers.
So it is not necessary to sign the applet provided that you host the applet on the server you want to connect to.
Using SSL is necessary if you want the connection between the server and the applet to be secure.
I have a requirement to use a client/server architecture with OpenSSL authentication.
Here, how does the server know the connecting client using their OpenSSL certificate?
If anyone knows a link or sample, please reply to me. We have to develop it in Java.
OpenSSL is not Java, so your solution cannot be both - but I think I know what is intended.
Normally OpenSSL is used as part of Apache http as part of mod_ssl. This in turn uses a "connector" to send the requests to an application server, e.g. Apache Tomcat. You can configure this connector to also send the SSL certificates to Tomcat if that is required, but normally the authentication/verification is handled within the daemon.
All this is pretty easy to Google, although you should factor in some time to fully understand the connectors. You've the keywords, now use them :)
I'm new to SSL connections so here goes my question.
I have a desktop Java program in a JAR file. This JAR sends sensitive information over the internet to a remote Tomcat server. Of course I need to encrypt the data.
If I purchase an SSL certificate, say from Verisign, will the data sent over SSL be automatically encrypted?
I mean in my JAR, will I still need to do extra work like use Java encryption extensions API to manually encrypt my data over the SSL connection?
Thank you.
I mean in my JAR, will I still need to do extra work like use Java encryption extensions API to manually encrypt my data over the SSL connection?
Encryption will be done for you (with the Java Secure Socket Extension). Just establish your connection using https://. Maybe have a look at HTTP Client for a higher level API.
By the way, the certificate goes on the server side (unless you want to do client-authentication too in which case, well, you'll need a client certificate too).
And yes, you could use a self-signed certificate but one of the benefits of using a certificate signed by a well known Certificate Authority (CA) like Verisign, Thawte, etc is that you won't have to add it to the trust store of the client VM (unless you disable the verification mechanism).
Follow the SSL Configuration HOW-TO on how to setup https.
If your goal is just to get the encryption, you don't need to buy a certificate. You can make your own. Buying a certificate just creates the verification chain back to Verisign (or whomever) to give users a warm fuzzy that you're really who you say you are.
SSLSocket should handle most of the work for you.
All data sent over SSL is by definition encrypted; you do not need to worry about encryption at all. Also, you do not need to buy a certificate to achieve that: you can issue one on your own.
If you set up SSL on Tomcat and send your data over HTTPS, then the encryption will be done for you. But you don't actually need to purchase a certificate if you only need encryption for your data channel; you could generate a self-signed certificate. Have a look at this page http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html on how to configure SSL for Tomcat. But note that HTTPS can be configured not to use encryption at all (at least on Apache httpd).
To answer your question, SSL implementations automatically encrypt the data. You don't need to worry about using additional encryption routines.
It might be easiest to purchase an SSL certificate because SSL implementations provide easy certification authentication using common root certificates and provide a verification service. However, you could save some money by using a self-signed certificate.
Even with a self-signed certificate, it's important to validate the signature on the server certificate from the desktop application when you connect to the server. This will prevent man-in-the-middle attacks.
You won't have to add your self signed certificate to the store because you should be able to disable the automatic verification mechanism and use your own.
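Two points in this thread call for the same piece of code: the first answer's idea of restricting a download to holders of a client certificate, and the point just above about validating a self-signed server certificate instead of disabling verification. The following is an added example, not code from any of the posters; it uses the standard JSSE classes (HttpsURLConnection, SSLContext) rather than the Apache HTTP Client the first answer mentions. The key-store file names, passwords and the URL are placeholders. The trust store is assumed to contain only the server's self-signed certificate, and the PKCS#12 key store the client's certificate and private key; both are built with keytool outside this code.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread): download a file over HTTPS while
 *  1. verifying the server's self-signed certificate against a private
 *     trust store, so verification is never disabled, and
 *  2. presenting a client certificate, so the server can refuse the
 *     download to anyone who does not hold the matching private key.
 */
public class MutualTlsDownloader {

    // Placeholder file names (assumption). The trust store holds only the
    // server's exported self-signed cert; the key store holds the client
    // cert plus its private key, handed to "valid" users out of band.
    private static final String TRUST_STORE = "server-trust.jks";
    private static final String CLIENT_KEY_STORE = "client-keys.p12";

    /** Build an SSLContext that trusts exactly one server cert and can authenticate as a client. */
    static SSLContext buildContext(char[] trustPw, char[] keyPw) throws Exception {
        // Trust side: a TrustManager backed by our own store, instead of a
        // "trust everything" manager, is what keeps a man-in-the-middle out.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE)) {
            trust.load(in, trustPw);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Identity side: the client certificate and key presented to the server.
        KeyStore keys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(CLIENT_KEY_STORE)) {
            keys.load(in, keyPw);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPw);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Fetch the URL; the handshake fails (and nothing is downloaded) if the server cert is not the trusted one. */
    static byte[] download(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is deliberately left in place: the
        // certificate's subject/SAN must also match the host being contacted.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InputStream in = conn.getInputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder passwords (assumption); in a real applet read them from the user.
        SSLContext ctx = buildContext("changeit".toCharArray(), "changeit".toCharArray());
        byte[] data = download("https://www.me.com/asd.txt", ctx);
        System.out.println("downloaded " + data.length + " bytes");
    }
}
```

The trust store is filled with keytool: export the server's certificate from its key store with `keytool -exportcert` and import it into server-trust.jks with `keytool -importcert`. Because the default hostname check is kept, the self-signed server certificate must be issued for the host name the client actually connects to. On the server side, the download is only restricted if the web server is configured to require a client certificate for that path; the trust store in this example protects the client, the client certificate protects the file.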
I created a JApplet using Netbeans 6.5.1 that accesses a database. When the program is run by itself, it runs perfectly. The issue is when you try to put it online using a web application in Netbeans, it will not access the database. I was told by somebody that the problem is that Java security will not allow you to do this. Is this correct? How do I fix this problem? Thanks.
As already mentioned, an unsigned applet can only make network connection to the host from which the applet originated. However, if the database is hosted on a different server than the originating applet then you will have to make the applet signed. If the application is not for production use, you can self sign the applet (not suitable in production use where the signing has to be done by a trusted Certificate Authority. Certificate authorities typically charge a fee for the service of validating their clients' credentials.) However, for testing and demo purposes, you can create a self-signed certificate. With self-signed certificates, the browser displays a warning to the user mentioning that the information given in a self-signed certificate has not been validated by a trusted third party (Certificate Authority).
For self-signing the applet take a look at the following links:
http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html
http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/signed-applet.html
The other things to keep in mind are the JDBC driver types to use. Type-1 and Type-2 drivers are not suitable to be used within an applet due to their dependence on native binary code. Type-3 and Type-4 are the ones you should be using to connect to a database from within an applet.
The best solution is to NOT make database connection from an applet (if possible) but instead use a server side application to connect to the database on behalf of the applet.
As Clint pointed out, an applet is only allowed to connect to its origin server.
To work around this, you can sign your applet with a certificate from a root authority, but certificates cost $200-400/year.