I am able to access to a SmartCard with a Java Applet (embedded) using MS CryptoAPI and PKCS#11 (registering the provider with the .dll). I can use both, but right now I'm using the CryptoAPI one for having an easier support for all keyboards/Windows versions:
keystore = KeyStore.getInstance("Windows-MY");
keystore.load(null,null);
I'm using Javascript to comunicate with Java to sign some operations in a web application I am developing.
The default use case is just what I need:
I get/load the Keystore
I try to sign something, it ask for the PIN and once introduced it remembers until the end of the session (when I extract the SmartCard or cache timeout).
The problem is: It's an embedded Applet. When I sign something in web page A and then I go to web page B (through a link or redirect, for ex.), the Applet is destroyed/created (just like the JVM) and the session is lost so I have to introduce again the PIN. This does not happen if I do not leave/reload the actual web page, of course.
Questions: Is there some way to reuse the session/Applet/JVM programmatically? or loading the Keystore in a way that can avoid this problem?
Possible workaround solutions I already know:
Free floating Applet. I can't, it has no GUI and I need to comunicate with JS...
Web in a frameset/iframe. Dirty.
Ajaxify the web (just one page + all operations in Ajax + some kind of history JS plugin or PushState). This is the solution I like more but requires some refactoring.
I ended up doing it in a completely different way: Creating a client desktop app for the signature. This app is installed in all desktop clients (this is ok for me because it's a corporate environment).
This new app listens to a port with a HttpListener. I connect from the web via javascript (jsonp), send the string to be signed, and it returns the js callback with the result signed.
It now remembers the PIN because it does not lose the session.
And, therefore, do not need Java.
Related
Let's say we have a very simple Java application, that edits resources on remote servers, that it authenticates with using Access Tokens. Application always uses the same identity, so it is always using the same client id, secret and refresh token to obtain access token.
The whole authentication process is supposed to go through without user intervention and app should perform actions automatically triggered by the user from another application. The other app is sending HTTP requests, but the whole thing would only be accessed in internal network and there would be no "legal" way to access it outside of it.
Is there a way to keep this data (refresh token, client id, secret...) securely within my application?
I have seen similar questions, but they all talked about websites and cookies, but this is supposed to happen under the hood, without any frontend etc. so I don't think those apply to my issue.
Edit: the application will be deployed on an internal server so it's not a Desktop solution. Basically there is an internal app that will send HTTP request to mine, triggering edit on a remote server that is outside of the internal network.
It is not a good idea to store client secrets, access tokens, refresh tokens etc in persistence storage unless it is stored in a secret store (like Vault). But there are other options.
If you are using Spring then you can use Spring OAuth2RestTemplate or else you can write something similar by looking at the code.
It acquires or renews an access token transparently and caches to avoid round trips to Authorization server.
The simplest option is to use memory storage, but if that diesn't work because you need to deal with restarts etc, operating systems provide per-user secure storage. This is a model sometimes used by OAuth desktop or console clients:
Credential Manager on Windows
Keychain on macOS
Passwords and Keys on Linux
It would require some native interop to interact with these credential stores, via use of a library such as java-keytar.
DESKTOP EXAMPLE
For something to compare against see these resources of mine:
Node.js desktop keytar code
This blog post has some related screenshots towards the end
I'm looking to create a web page that sends an email from the client machine to an uncontrolled server (not from the server, this is mandatory due to an IP check). This email needs to have specific MIME tags, so "mailto:" is not an option.
I want to do this the cleanest way possible. (The user will trust the web page so is ready to click on any security warning, but repeated warnings would be annoying). Assume that we will only have access to self-signing, even if a trusted certificate might be available in the future.
Java applets seem to be strongly deprecated and no longer supported in some browsers, so I looked at Java Web Start. It seems to be a bit better, but still requirements of whitelisting, and chrome support seems dubious.
Is there any way I overlooked? If i choose to use Java Web Start with all-permissions, what kind of problems am i looking at depending on browser?
Your best bet is to send the email from the server hosting the web-page. You would create a form doe the fields or whatever, post the form the web-server, let the web-server construct the email and send the mail through a sendmail type system or through you local mailserver to the server in question.
Look at JavaMail - http://www.oracle.com/technetwork/java/javamail/index.html
If you are using Spring Boot or Spring you could use their mail implementation - http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-email.html
I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.
So my question is what is how to send user credentials from a PHP application to a java application?
If it helps I am using a Java web framework called Vaadin.
Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).
Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.
I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.
If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?
Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:
Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:
http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h
Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:
$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);
With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.
Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.
The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.
Does this answer your question?
I am working with a small webpage using java and servlets. From my webpage I want to open a third party website without showing its login page. I mean to say authenticating it from Java and entering its home page. Can anyone help me with it?
You have to distinguish between the server (your app) and the client (the browser). Even if you (the server) would authenticate successfully, the client still wouldn't be authenticated, as you have no way to pass the authentication data to the client (cookie restrictions etc.).
So what you could do is read the HTML data of the foreign site on your server and stream it out to your client. But the performance would be miserable, you would have to rewrite every single link on the pages and most of all: you would probably violate copyright laws. Don't do it!
I don't think there is a sane solution for you, unless the author of the other site agrees on a shared authentication mechanism with you.
I'm working on a server written in Java, and a client (a desktop application written in .Net) that runs on Windows machines on the same network. I would like to have some basic authentication so that the server can determine the username of the user running the client, without needing the user to re-enter their Windows password in the client.
Is this possible, and what's the simplest way to accomplish it?
I had a look at some of the available APIs, it looks as though the org.ietf.jgss package in Java, and NegotiateStream class in .Net, should probably be able to talk to one another to achieve this - but I keep hitting frustrating error messages I don't understand. I thought I'd check if this is the right approach, if so I'll post a separate question with more detail about the errors in question :)
The approach is the right one. Notice a number of things, though:
this will have nothing to do with "Basic Authentication" (in http)
.NET will try to use the SPNEGO GSS mechanism. See the Sun documentation for proper support of this mechanism.
your service will need to incarnate a service principal. So you need to create an Active Directory account not only for the user, but also for the service, and you need to put the service's password into the Java keytab.
If you're using Active Directory, I think the Spring LDAP module can offer you a nice way to access credentials.
Not being familiar with the GSS mechanism. I would suggest a shared key mechanism used in passwordless ssh.
This open source library http://spnego.sourceforge.net has exactly what you are looking for. It implements an HTTP Servlet Filter on the server so that your web-app can call request.getRemoteUser() to find out the username.