I am writing one application which store user data into file. However, when I try to open phone memory my application raise security exception and won't allow me to write or read data.
Here is my code.
try
{
FileConnection fc = (FileConnection)Connector.open("file:///C:/myfile.dat",Connector.READ_WRITE);
// If no exception is thrown, the URI is valid but the folder may not exist.
if (!fc.exists())
{
fc.create(); // create the folder if it doesn't exist
}
OutputStream os=fc.openOutputStream();
String s="hello how r u..";
byte[] b=s.getBytes();
os.write(b);
os.flush();
fc.close();
}
catch(Exception error )
{
Alert alert = new Alert(error.getMessage(), error.toString(), null, null);
alert.setTimeout(Alert.FOREVER);
alert.setType(AlertType.ERROR);
display.setCurrent(alert);
}
However I used SDycard to save data and it works fine. But is there any solution to escape from SecurityException when I try to access phone memory? And when I store data in SDCARD every time one message is prompting that ask user to allow application to read or write data. I also don't want this prompt message.
How to escape from this situation?
You will have to sign and certify your J2ME application. This would involve purchasing a certificate. I havent done this, so you would have to confirm this or wait for another answer in SO. But I am pretty sure that unless you sign your midlet the phone's security policy will prevent this.
One URL on how sign your midlet:
http://m-shaheen.blogspot.com/2009/07/1.html
Agree with #Sethu that OP is due to midlet signing.
The OP is divided into logical phases to address the issue:
Issue/Cause:
Whenever a restricted API (in this case JSR 75 api) is accessed by the midlet it needs the permission to validate its authenticity, this helps to keep away malicious code. In your case the midlet is not signed (explained in #2 how to sign) so it does not have the necessary permissions hence Application Management System is prompting for user consent for each such sensitive operation by your midlet. Read this link for more details.
Resolution
Its a multi step process, (a) Procure the certificate, refer this link, (b) Add the necessary permissions (for read: javax.microedition.io.Connector.file.read, for write: javax.microedition.io.Connector.file.write) under MIDlet-Permissions in the JAD file
Procurement of certificate
A detailed explaining is given in this link Java ME signing for dummies
Related
I challenged myself to create a minecraft server with the proviso that most of the plugins I will use will be just mine. I have already made many different plugins from shops to various minigames. Now I have decided to code my own login registration plugin. Basically everything is already functional and ready, but I would like to add one feature there. This feature is that when a player connects to the server (warez), my plugin checks the player's session to see if it is original (I mean that player have bought game and he is logged throught original mojang launcher with valid mojang session. Players should connecting to server in warez mode (not logged in, using not official launcher)). I don't just mean the name as mentioned here, but his mojang session. In short, whether it is logged in via the original launcher with its e-mail and password.
I absolutely don't know how verifying the originality of players works, I know that mojang has an API but I don't know if it offers such a possibility. I would also like to know if the client is sending a hash from the UUID or sessionID to the server, which can be compared with the mojang API, or I don't know.
UPDATE:
I found these two articles:
1) https://wiki.vg/Protocol#Login
2) https://wiki.vg/Protocol_Encryption#Authentication
From this articles I roughly understood that during the connection of the client I will send the server ID and ciphers together with the server and then the subsequent hash on which they will agree will send the client via POST to the mojang servers and my server should then ask from the mojang if it is logged in on my server the client.
UPDATE2
I thought of the following:
If I programmed my own proxy in the phenomenon to which players would connect and this proxy would reproduce everything to the server. Thus, I would be able to let in who I would like to go and I can also do cross-checks via the mojang page with the server ID and hash. But it would be 3-rd party software, it would not be a plugin.
Modify the spigot itself, by that I mean do the above somewhere at the SSLServerSocket level, where the spigot server receives all the socket and the data from them. There, if I code the bridge over which the data would pass, I am also able to agree with the client SERVER ID, calculate a hash and verify it from the mojang server. But it would still not be within the plugin but in the servers.
Override some of the deep parts of the server mentioned above from the plugin. The plugin would replace some parts of the server after loading.
Now my questions is, how to replace some mentioned parts of the server from plugin? Is good idea to try use reflection (i am noob, with reflection) and replace some functions with my functions, that would calling back to spigot low level code?
Thank you very much for any advice.
Have a nice day.
PS: Sorry for my bad english.
public boolean isCracked(ProxiedPlayer player) {
String name = player.getName();
UUID actualUUID = player.getUniqueId();
String actualUUIDStr = uuid.toString();
String offlineUUIDStr = getMd5("OfflinePlayer:"+name);
if(offlineUUIDStr.equals(actualUUIDStr)) {
return true;
}
return false;
}
// Taken from https://www.geeksforgeeks.org/md5-hash-in-java/
public static String getMd5(String input)
{
try {
// Static getInstance method is called with hashing MD5
MessageDigest md = MessageDigest.getInstance("MD5");
// digest() method is called to calculate message digest
// of an input digest() return array of byte
byte[] messageDigest = md.digest(input.getBytes());
// Convert byte array into signum representation
BigInteger no = new BigInteger(1, messageDigest);
// Convert message digest into hex value
String hashtext = no.toString(16);
while (hashtext.length() < 32) {
hashtext = "0" + hashtext;
}
return hashtext;
}
// For specifying wrong message digest algorithms
catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
}
I have searched and searched and cannot seem to pull data from the draft's folder within the device. Basically I am wanting to pull the typed (unsent) message from the user's conversation, my thinking is that it was stored within Android as a draft. However if I try to search the draft folder using the uri-
Uri message = Uri.parse("content://sms/draft/");
No data is returned. I have adjusted it to remove the 'draft' portion and it does return all my inbox messages. I have ensured that the permissions have been set and accepted.
I'll first say that I'm sure it is just me since people have probably got this to work out of the box without having to edit the ADAL 4 Android Library without editing the source.
When running the sample program and authenticating with a token I get an error from AZURE that it is not passing the client_secret in the message body. I can confirm that this is in fact the case - it is not passing the client_secret.
Although if I edit the OAuth2.java file and change the method buildTokenRequestMessage to something like the following the workflow works perfectly
public String buildTokenRequestMessage(String code) throws UnsupportedEncodingException {
String message = String.format("%s=%s&%s=%s&%s=%s&%s=%s&%s=%s",
AuthenticationConstants.OAuth2.GRANT_TYPE,
StringExtensions.URLFormEncode(AuthenticationConstants.OAuth2.AUTHORIZATION_CODE),
AuthenticationConstants.OAuth2.CODE, StringExtensions.URLFormEncode(code),
AuthenticationConstants.OAuth2.CLIENT_ID,
StringExtensions.URLFormEncode(mRequest.getClientId()),
AuthenticationConstants.OAuth2.REDIRECT_URI,
StringExtensions.URLFormEncode(mRequest.getRedirectUri())
// these are the two lines I've added to make it work
AuthenticationConstants.OAuth2.CLIENT_SECRET,
StringExtensions.URLFormEncode("<MY CLIENT SECRET>")
);
return message;
}
Am I doing something wrong? If not, what is the correct way to access the client secret?
My implementation is straight from the demo application with only changes being setting up the strings to match my endpoints.
Thanks
You need to register your app as a Native application at Azure AD portal. You don't need client secret for native app.
I want to have LinkedIn authentication in my website. Their API returns the desired information, the create account function is working. However, I seem to have some problems when I try to login on the site.
It seems that I get a UserEmailAddressException when I call the LoginUtil.login method.
at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticate(UserLocalServiceImpl.java:2480).
It fails at
if (authType.equals(CompanyConstants.AUTH_TYPE_EA)) {
if (!Validator.isEmailAddress(login)) {
throw new UserEmailAddressException();
}
}
Here is my code :
boolean rememberMe = true;
String authType = CompanyConstants.AUTH_TYPE_EA;
try {
LoginUtil.login(request, response,
String.valueOf(user.getUserId()), user.getPassword(), rememberMe, authType);
}
catch (UserEmailAddressException ueae) {
ueae.printStackTrace();
}
The users authenticate via email address, so I guess that should be the correct authentication type?
I have added company.security.auth.type=emailAddress in portal-ext.properties, but I get the same error as without this setting.
Because Liferay documentation is unsatisfying, I would like to know how to do a proper call to the login() function so that my user will login with its LinkedIn account.
It's hard to answer this question from the amount of code that you give.
First of all: About documentation. Judging by the use of LoginUtil, you seem to be modifying Liferay's internal code in order to implement your functionality. This is an internal API that is not guaranteed to be stable and will most likely be documented last (the API documentation has improved a lot, but it's mostly about the external, public API).
You might want to look into the implementation of ServletFilters that Liferay uses for implementing other external single sign on systems. Many customers/users have implemented these successfully (I haven't looked at the state of that documentation though, but there are several SSO implementations that you can find)
Further, it will probably help, which email address is supposed to be invalid - from your code it looks like you're calling with user.getUserId() (this is numeric), but you state that you demanded the login to be through email.
Lastly, if you have configured the login method through the UI, it is saved to the database - and that setting would win. So please check ControlPanel/Portal/Portal Settings/Authentication/"How do users authenticate?" to make sure that the setting is actually asking for the email address.
I have an existing Java web application running through IBM WebSphere (I'm unsure of the version, but could find out if it helps) that I am looking to implement two factor authentication with.
The system has a decent user base, and I wanted to distribute hardware tokens to the admin users of the system to ensure strong authentication.
Minimal impact to the end user is desirable, but I'd like to avoid having the admins need to go through a VPN connection.
Does anyone know of any products that provide Java APIs that could be directly integrated into the existing application or other products that will provide a minimal impact? I've already spoken with RSA SecurID, but their system wouldn't integrate directly and would require an infrastructure change. Any other ideas/experience is greatly appreciated.
For posterity, I've just posted my simple Java two factor authentication utility class to Github. With it, you can do something like the following:
TwoFactorAuthUtil twoFactorAuthUtil = new TwoFactorAuthUtil();
// To generate a secret use:
// String base32Secret = generateBase32Secret();
String base32Secret = "NY4A5CPJZ46LXZCP";
// now we can store this in the database associated with the account
// this is the name of the key which can be displayed by the authenticator program
String keyId = "user#j256.com";
System.out.println("Image url = " + twoFactorAuthUtil.qrImageUrl(keyId, base32Secret));
// we can display this image to the user to let them load it into their auth program
// we can use the code here and compare it against user input
String code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
// this little loop is here to show how the number changes over time
while (true) {
long diff = TwoFactorAuthUtil.TIME_STEP_SECONDS
- ((System.currentTimeMillis() / 1000) % TwoFactorAuthUtil.TIME_STEP_SECONDS);
code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
System.out.println("Secret code = " + code + ", change in " + diff + " seconds");
Thread.sleep(1000);
}
If you want two-factor authentication via a TLS client-certificate, there are a few hardware cryptographic tokens out there. Java can load a PKCS#11 store out of the box, although some configuration may be required. How much of it is admin configuration vs. application configuration depends on the application (and sometimes on how 'locked' the terminal is w.r.t to inserting a USB token or having a card reader).
There may be alternative solutions, such as One-Time Password tokens (which don't rely on certificates, but on unique passwords instead). This seems less heavy for the users. I must admit I've never tried it, but this project might be interesting: http://directory.apache.org/triplesec/ (There are also hardware OTP keyrings, usually by the same vendors who do RSA cards/USB tokens).
We have API packages for Java (and php, ruby, python, and C#): http://www.wikidsystems.com/downloads/network-clients for the WiKID Strong Authentication system. These packages are LGPL, so you can also use them in commercial products. They work with both our open-source community version and the commercial Enterprise version.
HTH,
Nick
If you are able to use Spring Security we have a plugin which offers two factor authentication (physical and soft tokens) - www.cloudseal.com