I'm going crazy creating a payment application. The problem of the moment is that. I set the glassfish authentication using jdbcRealms on the /secure/ directory. The user authenticate himself and enter in my application. When the user wants to pay, the application redirect him to the bank platform. After the payment the bank platform redirect the user again to my application sending some data.
The problem is that the bank platform wants to redirect the user in a page outside the /secure/ directory. It doesn't want a page under authentication. So I had to create a JSP page to grab data in an insecure directory. From the JSP I pass data to a Bean to write them in a db. But everyone can call the page and trying to passing it data. It's very dangerous. Is there a way to avoid that? Can I maintain the authentication state after the redirection?
Related
I am developing an case management application.I have created login page and landing page other pages as well.
i have used the spring mvc 4,oracle database.
A used logged into the application and then went to admin page.copy the admin page url ,logout from the application.when the user directly copy and paste the admin page url into another user user he is able to open that page.how can i restrict the user. when user perform any crud operation how can validate user's credentials every time.
Please suggest.
If you are using Spring framework, the best practice case you can implement is to integrate Spring Security.
Regarding the session handling within your system, you might use JWT tokens which allows you to control the user flow easily. You can read this complete tutorial.
I would like to know internals of tomcat. I configured my web application in 'BASIC' authentication mode. When I logged in for first time, browser asks for credentials. Till this it is fine, may be at the time of login, tomcat reading 'tomcat-users.xml' and set the role. But I am wondering, how tomcat knows the role of the user in subsequent requests. How it keep tracking of the role? Internally is it maintaining some data structure (or) is it keeping this information in session?
I wanted to get some more information on about form based authentication. I understand that the form based authentication mechanism is used when you want to protect certain server resources, like all jsps under a certain directory, and only make those URL's available to users with certain roles.
I am working on an application from scratch, just to get better at web development, and I have the form based authentication setup, and it is working fine. However, I would also like to build in the ability for users to login on the fly, using a 'Login' button, not just when they necessarily try to access a protected resource.
I know that when I tried to have the login button take the user to the login page that uses j_security_check as its action, the server yelled because I was directly accessing the login page, which makes sense because since I wasn't trying to access a protected resource, so I guess the server wouldn't know where to take me after I authenticate.
So, my question is, if I want to keep the form based authentication in place to protect some admin resources, but also have the ability for the user to just login on the fly using a login button, do I have to roll my own security, and have the form take me to a servlet(for example) that manually checks the username and password against the database, and set some attribute that says whether or not the user is logged in? How would that mesh with the server knowing whether or not I'm logged in? I know that there are some server side methods for getting the user, asking if they are in a certain role, etc, but isn't that all server managed, meaning I can't just say 'hey, I've authenticated the user myself, and this is who they are, it has to go through the form based authentication? I'm still learning web development. Thanks for the help.
The only way I can think of providing the behavior that you want is through a cookie that doesn't expire easy, which has its fair share of security concerns. It seems you want to have the ease of use that the "Login with Google", or "Login with Facebook" have. These tend to make heavy use of something called OAuth, and I don't think are applicable for your project.
Are you forced to login for a resource every single time you access it? You shouldn't be , as you seem to be using the servlet's form authenicator.
I am developing a java application having front end in html5 and dojo. I am using SOAP as well as REST services tomake service calls to get data from downstream system. What I found is a potential threat in the application. Users are able to access the URL of the application and they are able to edit the URL.e.g. IF the user is viewing his profile and if he knews name of some other user then he can edit the URL to change the user name from his name to someother name and can change some other fields and hit the url. Likewise user can edit some sensitive data and get access to confidential information.
My question is How can i prevent the user from editing the parameters in the application url?
What URL a user chooses to access is client side and can't necessarily be controlled. Anybody can easily open a new tab and type in whatever URL they want to.
I would instead suggest protecting your REST endpoints with some sort of server side security framework instead. If you're using Java on your server side, you could look into something like http://shiro.apache.org/ for security which would not allow any user to access data that they shouldn't have access to.
Another solution would be to just have a single REST endpoint that can access whatever profile the user's session currently refers to.
I am trying to secure my Flex application within my Java web application. Currently my Java web application, handles logging and managing user accounts and the like. I was wondering if there is a way to essentially share that user credentials with the Flash movie in a secure mechanism? For instance, if you log in, we want you to be able to save items in the Flex application for that user, only if that user is logged in of course. Any ideas? Any help is greatly appreciated.
Update:
I apologize for the vagueness. I'm running Tomcat 5.5, Java 6 doing portlet development inside a Vignette Portal. All data communication is via Blaze DS. In our environment, we have data services and the portal handles logins, user management and the like. Currently we are simply passing down the username to the flash movie, which I don't feel is very secure.
You can pass data to a flash movie using flashVars which can be generated in a JSP. The data can be a one-time key generated on the server and associated with a user id. The Flex application can then take the key and use it to log in via a webservice call. The server will then validate the key and allow access to the user's account.
It is a very general question and it's hard to provide a good answer without knowing what is your current architecture. The Flex application is using the same web server as your web application? What are you using in order to discuss with the backend (web services, sockets, rtmp sockets)? If you are sharing the same web server you can access the same HTTP session and you can check if the user is logged in or not.
If you need to be aware in your Flex application that the user has just logged off from the HTML application or the session has expired you have several options, again depending on your architecture. Assuming that the HTML application was already was notified you can call through ExternalInterface a method from the Flex application. If not (session expired while you are using the Flex application) you will know when trying to save your data.