In a Servlet, I'll like to obtain the datetime when a request is made.
I don't want to use Java's Date Class because it could not provide the accurate time.
Any help?
You have three choices:
Use client's computer time. This will require the client to send his or her system time explicitly in the request parameters or in a custom header. Not to mention arbitrary computer in the Internet might have much more inaccurate time.
Use external time servers to fetch current time.
...or just trust your server, if it uses ntp, you are on the safe side.
Related
I have a list of users across various companies who are using one of the functionality that our website provides. Whenever they contact our business group , we need to send a url via email to the requestor in order for them to upload some data. All these external users do not have any dedicated account. However we do not want a static link to be provided to them as this can be accessed by anyone over the internet. We want dynamic links to be generated. Is this something that is usually done? Is there an industry accepted way of doing this? Should we ensure that the dynamic link expires after a certain amount of time - if so , are there any design options?
Thanks a lot!
Usually, parameters to urls and not the actual urls are what's dynamic. Basically you generate params that are stored somewhere, typically on the database, and send email with the url and the parameter(s). This url is valid for only a limited period of time and possibly only for one request.
Answers to questions:
yes, this is something that is quite commonly used in, for example, unsubscribing from a mailing list or validating an account with a working email address
I'm not aware of any single way that is "industry accepted", there are many ways of doing it, but the idea is not that complex - you just need to decide on a suitable token format
normally you should ensure that the link expires after a certain amount of time. Depending on the use case that can be some days, a week or something else. In practice, you'd remove or disable the generated parameters in your database. However, if this data is something that might be needed for extended periods of time, you might want to think up a functionality so that it can be retrieved later on.
You may have a static URL taking a token as parameter. Eg. http://www.mycompany.com/exchange/<UUID> or http://www.mycompany.com/exchange?token=<UUID>.
The UUID could have a validity in a time range or be limited to a single use (one access or one upload).
Other variant is to use exists cookies on that site in web browser (of course, if they are).
But there are some drawbacks in this solution:
User can open link in different machine, different browser. User can clean all cookies or they can expire after it was visited your site last time when user try to go on granted URL. In these cases user won't access your page.
I want to basically monitor the server calls on java side. So is there any way I can directly obtain the timestamp when request was received .
In other words,I do not want to explicitly make Date Objects and find out the timestamp. Rather I am interested if there's any timestamp parameter utility provided with Request Object.
Something provided by ServletActionContext.getRequest() or any available solution without the need to code to create Date() objects and find out.
The reason I am saying is I have around 50-60 server calls and may be even more in future in my application so each time i need code in application layer rather use this ready-made facility.
HttpServletRequest.getDateHeader gives you a timestamp as a long value.
Although this is from the request header and not the receieved time, it might work since it provides milliseconds since the epoch.
You can also look into Filter, which allows you to
Examples that have been identified for this design are:
1. Authentication Filters
2. Logging and Auditing Filters
...
Event Listeners might be another facility, where you can hook into the processing of a servlet.
Back to your question:
ServletActionContext.getRequest() -> HttpServletRequest.getSession() ->
HttpSession.getLastAccessedTime
Returns the last time the client sent a request associated with this session, as the number of milliseconds since midnight January 1, 1970 GMT, and marked by the time the container received the request.
I'm working with Java and JSP. I have to create something like a promotion which has start date and end date. Within the start date and end date, it will show a form that is corresponding to the promotion; otherwise, it will be just show a normal page. I have done the validation based on the time they open the page. I can manipulate the time in Unit Testing by making the current time to any time I want.
However, the problem is when I want to pass this to client to test. They want to see how it's like on the promotion day? Does the promotion really show on a particular time? Does it really close afterwards? One possible way is to secretly pass current date as HTTP param when trying to access the page. Doing so, client can check how the system behaves on a particular day but it's very dangerous indeed. Anyone who knows this will be able to access the promotion anytime they want. I don't know what the best way to handle this.
What's your suggestion?
It sounds like a bad idea basing ANY of your JSP (server-side) code on time being sent from a client. It would be much better to handle this entirely server side and have some way of configuring the time via which you and your client can do testing.
1) if the client is really concerned (or your application is complex) - it may be that the ONLY way to do such a test reasonably is to change the server time as suggested by Nathan Hoad's comment. Every other test comes with confidence since it relies on something other than the time ticking over and "triggering" the promotion to start or end. Also keep in mind the activities that occur during the promotion - do they use the system time to make decisions or store the date/time in a database etc?
2) if #1 isn't a real issue I would have your code that checks the time (for the trigger of the promotion) to call a custom function in your code (eg. getCustomTime()). That method will by default return the system time, but also checks to see if an offset has been configured and use that to offset the actual time. The offset can be dynamically configured.
Good luck.
Firstly, you shouldn't be putting this functionality onto a live production server, so the "very dangerous" exposure shouldn't happen.
I'd try a "belt and braces" approach:
Set up a demo server that only has read-only access so can't do any damage
Tell the client the secret parameter to use
Have the "client promotion demo" feature switchable on/off from an admin console
(If you're really nervous) limit access to only the client's IP
The client can access the demo box and check everything works perfectly. When they are happy, you deploy to production, but with the "demo mode" disabled, so only the "time-sensitive" way of accessing the promotion will work.
You don't have to tweak the time on your server to demo this to the client. Just have a promotion that is expired in the system, one that is currently active and another that is in the future on three different items, and show the customer the effects.
Either that, or create a promotion during your presentation that takes effect one minute in the future, lasts for 2-3 minutes and then expires, then talk through it and click around and show them the effects.
i intend to use JSON to implement a client server communication. My goal is for a Java-server to receive data via HTTP-Post from an Iphone-app.
I'm concerned about the fact of how I can be sure, that the data the Java-server receives only come from the Iphone-app? It may be possible that somebody else is catching the Java-Server URL and send rigged data?
Do I have a chance to recognize that? SSL encrypts transferred data only, but doesn’t solve the problem, i think.
kind regards
stormsam
You could send a token that is hardcoded into your application. Everything that comes without this valid toke should be rejected. Or you can use .htaccess and specify a user and password within your app.
You could use public key encryption, with users having their own keys and you keeping track of who are the legitimate users. This is the most reliable scheme I can think of. That, or giving each user a username and password. However, it's probably a lot more trouble than it's worth, and still doesn't protect against users that have registered with you but are still malicious.
Embedding a token in your application and then sending it with requests, as Cyprian suggests, is probably the easiest scheme and would probably work pretty well, but might be relatively easy to reverse engineer.
A somewhat better solution might be to program into your app a function that transforms any given input into an output; then, your server responds to a request by giving the app a piece of data to transform, and checks the result. A client that passes the test gets a session token which allows it to proceed. This does require an extra round-trip for authentication, though. And it's still not immune to being reverse engineered, since all the information needed to do so is stored in the app that's present on the user's machine.
Assuming you can reasonably protect your iOS app from being dissambled, you could use "signed requests" like the Facebook API (and probably others):
You'll need a shared secret on both client and server (e.g. a random string/byte array). The iOS app then hashes all request parameters plus the shared secret and appends the hash as additional request parameter, e.g. myserver.com/ws?item=123&cat=456 becomes myserver.com/ws?item=123&cat=456&hash=1ab53c7845f7a. Upon receiving a request, the server then recomputes the hash from the regular parameters and the shared secret and compares it to the value sig parameter. If both are equal, the request is considered valid (assuming integrity of your iOS app).
An advantage of this method is that it doesn't require additional round trips to fetch any one-time/CSRF-prevention tokens and does not require encrypting requests and responses (as long as you only care about the integrity of requests, not confidentiality).
You might have to take a look at this. It may give you some directions.
I'm writing some code that needs to know how much out of sync the client and the single server's time are.
I'm trying to do it by creating a temp file on a SMB share hosted on the server and reading of its last modified time. I thought (maybe incorrectly) that the timestamp would be generated by the server and not the client. since it seemed like the client could really mess things up otherwise.
Can someone confirm this behaviour or come up with a different way of doing this?
Why not get the epoch time on the client and send that to the server when the client starts communication with the server, no need for smb share then. By comparing the epoch time against one another you will have your time offset in seconds. Can use rest/soap, socket, etc to communicate this between the client and server depending on what your client/server model looks like.
You could synchronize both against a common NTP server and not worry about it. Added bonus of having a (more) correct clock!
I guess the variable latencies involved (such as IO) here are the key issue. How fine a measure are you looking for? I am also not sure this is (strictly speaking) related to Java.
In any event, I think you need a comparative operation.
Two distinct machines are writing to a shared device (your SMB) and each creates a file which contains their epoch. Ideally, to minimize latency issues, you would want to obtain this epoch obtained just before you write and then immediately close the file.
The client then compares its own epoch and file timestamp to the server's file and its epoch content. These 4 measures should provide sufficient information to gain insight regarding the relative diff between the two JVM's epoch time.
[Edit to clarify]
For example, the server's tuple is ({epoch, ts}): {S_t, SMB_ts}, and the client {C_S_t, SMB_C_ts}. Lets say you get (funny numbers here) {5000, 4800} and {5100, 5000}. Take the diff between server's timestamp and client's stamp (here 4800 - 5000 => -200), and add to the client's epoch (here 5100+(-200)=>4900). So the client is 100 units behind the server.
[Final edit]: (Note that you have 3 clocks to deal with here: SMB's, servers', and the client's.)