I would like to use the IBM SBT for server to server communication instead of displaying data from , for instance, connections at the user. In this particular usecase I would like to have data updated in Connections whenever a user saves or edits data.
Because we are not using oAuth we would like to use Basic authentication without prompting the user for authentication. Are there any examples how to do is?
yes there are some examples of using Pure Java, no J2EE.
http://bastide.org/2014/01/28/how-to-develop-a-simple-java-integration-with-the-ibm-social-business-toolkit-sdk/
and
https://github.com/OpenNTF/SocialSDK/blob/master/samples/java/sbt.sample.app/src/com/ibm/sbt/sample/app/BlogServiceApp.java
Essentially, you'll need the dependent jar files.
once, you have the jar files you need to configure your class so you can get an Endpoint
once you have the endpoint you can use the endpoint in one of the top level services such
as ForumsService
then you can use the ForumsService to call back to Connections
Related
So I have a Java Program that just runs in the windows console at the moment. When the program first starts, I want to have it go through a login prompt with a username & password. I’ve previously used a MySQL database to check if a username + password combo exists, and then allow that user to login. I know how to encrypt passwords and such when I compare them to the database info. However, when I did this, the MySQL login details were left in the code so that the program could connect to the database. This leaves a huge problem in that someone could decompile the program and find those login details, then use them to access the database.
So my question is, is there a way to access these logins using the program, WITHOUT exposing my database details to a snooping person. Is there a library out there that could accomplish this?
Yeah you can do it, But you need to re-architect your application.
You should separate you application into two different application.(In short: you have long way to go)
1- Client Application: Where your Java Application is interacting with the end user.
2- Server Application: Where your Application is interacting with your DataBase. This Application can talk to your Client through your network.
Note: keep in mind that, any application at client, can be decompiled. All traffic even any communication between client-server can be monitored.
There are many methods out there, to make the communication between the server and clients. The choice is yours, you can make your own one (Socket communication) or follow some standards like REST or SOAP.
If you want to use REST or SOAP, there are many ready framework and libraries available where Spring is one of them. Since you need to have Server Application(Ex: Rest Server), you need to run your server application in a container, where in this case, Tomcat is the most famous one in JAVA world.
But there is better way to Start ; you can make an Spring Boot Application for your Server app. Most of the libraries even your container is already embedded, and you only need to focus in your Application Logic. Once it's done, you just need to run a single jar file and your client can start talk to the server app, through network. The drawback is that you need to follow the spring boot standard.
You can also Secure your Rest API by Spring Security framework (Which is totally separate topic), but you can simplify it to, token exchange between your server-client for each REST call.
So in this scenario, let say someone decompile your client application, he would
see nothing but, some rest API links, which can not work without login and token.
Also keep in mid that you also need to Secure the communication between Server and Client Throw the Network by TLS.(Which is totally separate topic)
If you're giving out db access then deal with the side effects of that choice. I think mysql offers some kind of row level security option. Check the docs.
If you want some level of backend obfuscation then put it between your users and backend via REST or some other scheme.
I'm looking for some advice on the simplest way to create some product registration communication. I have a Java desktop application that needs to be re-newed every year. When a user downloads and install this app (through JNLP) they get a limited demo-version. There is code in place on the client to "register" the product and unlock all of the features.
My next step is to build the server-side components. There will be a database with customer ID numbers and other information about the customer. When the user clicks register, some contact information will be sent to the server as well as some product registration ID. The server will check this against the database and then either give the client the o.k. to unlock the features or the user will be informed that the registration id was not valid. This seems like a very standard thing. So what is the standard way to do it?
I have my own VPS and I'm running Tomcat, so I'm really free to implement this any way I choose. I was planning on building some web service, but I have never used REST before.
Use REST; REST is nothing more than using plain HTTP 'better'. Since you are already using HTTP, somehow you are already doing REST like calls and moving these calls to full fledged REST will be easy.
Implementing REST calls is easy. You have two approaches:
Low end: using URLConnection objects on the client, servlets on the server and following some REST conventions on using HTTP methods and 'clean' URLs (see here). Advantage is that you need no 3rd party library and minimize the footprint. Maintenance and evolutions are harder though.
High-end: a framework and specifications like JAX-RS. Using Restlet you can be up in running with a REST server in a couple of hours without having to deploy a servlet container.
Don't use SOAP. The only reason you would want to use SOAP is that you want to contractualise using a WSDL what you are exposing (you can do the same with REST btw, see the Amazon documentation for instance). Trust me, SOAP is way too heavy and confusing for what you are trying to do.
I'm using GWT for a web-app and I need to access to a mySql-database. There will be only one client (The app is used on a iPad localy). Is there any way to access the database without RPC? I'm looking for a possibility to direkty query a database.
Thanks!
There are 2.5 reasons you cannot use gwt to directly access MySQL.
Reason #1.
GWT is compiled into Javascript. You need to open a socket to the database server. GWT does not allow you to open a socket. In fact, no unaugmented browser (before advent of html5) is able to open a socket. But you can open a socket using Flash actionscript, or HTML 5 javascript.
Reason #2.
OK, let's say you used HTML5 sockets. And you spent 6 months writing in Javascript a JDBC connectivity. But, your websocket would still need to address a servlet on the server which would help your websocket establish a persistent connection - and mysql is unable to perform such an establishment.
Reason #3.
SLD - SOP restriction:
(Second Level Domain Same Origin Policy)
Standard browser restricts its pages to only be able to request for, and to include, content from within the same second-level domain (SLD) as the server that provided that page to the browser. Top level domains (and top-level and a half) are such as .com, .org, .net, .me.us or .co.uk. So, domain names such as google.com, fbi.gov, mit.edu are second level domains. While, mail.google.com would be a third-level domain. Therefore, GWT would work only within the confines of an SLD. Your web server must also be accessible at the same SLD as your mysql server.
SLD-SOP and tunneling requirement is to close a security hole that could have allowed any tom-rick-or-mary to log into your system thro your browser. Tunneling is always required for a browser to connect to a server other than a http server. Tunneling is when a browser exploits the web server as a yenta (yiddish for busy-body/go-between/match-maker) to get to another server.
You have no choice but to use GWT-RPC. Perhaps you don't wish to use RPC, then you could use RequestBuilder, or Script-Include or RequestFactory. But they are all still diverse means of tunneling. http://h2g2java.blessedgeek.com/2011/06/gwt-requestbuilder-vs-rpc-vs-script.html.
There is one reason why you can connect to your database server from your gwt client:
Your database server must run httpd connection engine. That is, your gwt app would access the db server thro http. I am not familiar with which relational database has a http access available. Most probably, you would have to query thro xml or json.
However, a company I had worked for created our own http service to allow "direct" client access. "direct" is a misnomer because we used tomcat. It is stil tunneling. Any database company that offers "direct" http access is still tunneling. Tunneling - no escape from it.
You could augment the browser with Flash and write a Flash application rather than using GWT. If direct access is so essential to you, you would have to abandon GWT and develop in Flash and run a httpd engine for your database server.
GWT is ultimately Javascript. As noted at Are there JavaScript bindings for MySQL?
, there is currently no way of accessing MySQL from Javascript.
Therefore you can't access it from client-side GWT code.
AFAIK it's not possible, and even if it were, it would be a really bad idea. Are you sure you actually need a database? Maybe something like gwt-client-storage would be more appropriate.
EDIT
Your database would we publicly accessible and open for any sort of attacks.
EDIT 2
This may even be a better solution, as it offers support for accessing the HTML5 Database API and is targeted to iPhone/iPad.
gwt-mobile-webkit
If you were even successful in doing so, in short, doing a CTRL + U on the browser would make your database name, username, password, tables names etc visible... And done, any developer curious to know your code has a way to hack anything and everything in your server.
I think it's not possible, I mean, if you want all your data stored in DBs. I mean, GWT compiles into javascript and javascript executes on the client (typically a web browser).
If you want to access data stored somewhere (by some mean) in a server, then you have no option but RPC. If I were you, I would stop thinking in client-server paradigm (GWT was developed with that in mind). Perhaps some embedded database like H2 and then hold connections through JDBC.
I would like to create a touch screen application.It will be a windows application, so using that how can i get data from a web server?
There are several methods.
Your server can create scripts/webpages to return data in XML or JSON format upon request, and your windows application will have to make HTTP requests to your scripts/web server, retrieve and parse to get the data.
Make sure to protect your data which are requested from the web to prevent other unintended use.
You can also directly connect to the database (depending whether your database supports remote connection or not...)
Using a webserver is usually totally independent from the clients operating system. It may be tricky if the webserver provides service and entity beans and you rich client is written in C/C++ language.
But there are several protocols where you do not have to care. If your application is a thin client (browser interface), I suggest having a look at REST. For rich clients you can use SOAP to talk with your server.
Of course, the server has to provide the data for the chosen protocol...
I have a Java web application designed to be deployed on the internet. It needs a database connection. Depending upon hosting environments it may not be possible for the deployers of the web application to configure appropriate data sources so the application needs to store it's database connection information somewhere to be reloaded if the application is restarted.
I also need to give one user administrator privilileges. If this is just the first user account created there is the small possibility that the admin account could be hijacked in between the time that the application is deployed and the time that the installer logs in.
I need to do both of these tasks securely and in a way that is lowest common denominator for a web application.
Clarification: Upon first use I want the application to set up an admin user. That admin user will have all security access in the system. Somehow I need to determine what that user is called and what their password will be. If the application gets deployed on a shared web host the application will be live from the moment it is deployed. If I allow the site to be configured through a web interface there is the small possibility that an unauthorised person will do the web configuration before the site owner effectively hijacking the site. I am looking for an elegant way to avoid this.
Ok, to answer your revised question...
There isn't really that much you can do. If you don't want the admin to configure their account during installation on the server, then there will always be a small window where someone else might create it via the web before they do.
All the solutions involve modifying something on the server (as this is how they prove they are the real admin). Yes, that can mean a config file...
Upon first connect, give the user a
token. Basically a hash of some
salt+theirIP+theirUserAgent, etc.
Then ask them to log into the server
and feed this token to your app,
probably in a config file. If the
generated token next time matches the
one in the config, allow them to
proceed.
A simpler solution is to let them put
their IP address in the config from
the start, and just allow this IP. (Assumes they know what their IP address is)
Alternatively, allow account
creation, but refuse to do anything
else until some file is removed from
the server. Many PHP apps do this
with an install.php, but the file
could be anything you test for.
The most common way to do this is through a static configuration file, in some simple text format.
The file resides on the same system as the application, and should be just as secure as the code (eg. if someone has access to modify the configuration who shouldn't be able to, couldn't they just as easily modify the code?)
For one of our Java web apps, we're using Spring dependency injection to configure most of the app. If you create a "Configuration" class with all of the configurable properties exposed, you can wire up a bean in Java that is configured via Spring XML context file. You can then create different versions of the XML file for your different environments, and have them automatically built into specific packages, which can be deployed all-at-once. If you want to go all-out, you can basically configure every single class in your application using Spring, which is really useful.
There's a little bit of overhead to get Spring setup, but it's actually not too hard, there are plenty of tutorials out there.