I have an existing Java web application running through IBM WebSphere (I'm unsure of the version, but could find out if it helps) that I am looking to implement two factor authentication with.
The system has a decent user base, and I wanted to distribute hardware tokens to the admin users of the system to ensure strong authentication.
Minimal impact to the end user is desirable, but I'd like to avoid having the admins need to go through a VPN connection.
Does anyone know of any products that provide Java APIs that could be directly integrated into the existing application or other products that will provide a minimal impact? I've already spoken with RSA SecurID, but their system wouldn't integrate directly and would require an infrastructure change. Any other ideas/experience is greatly appreciated.
For posterity, I've just posted my simple Java two factor authentication utility class to Github. With it, you can do something like the following:
TwoFactorAuthUtil twoFactorAuthUtil = new TwoFactorAuthUtil();
// To generate a secret use:
// String base32Secret = generateBase32Secret();
String base32Secret = "NY4A5CPJZ46LXZCP";
// now we can store this in the database associated with the account
// this is the name of the key which can be displayed by the authenticator program
String keyId = "user#j256.com";
System.out.println("Image url = " + twoFactorAuthUtil.qrImageUrl(keyId, base32Secret));
// we can display this image to the user to let them load it into their auth program
// we can use the code here and compare it against user input
String code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
// this little loop is here to show how the number changes over time
while (true) {
long diff = TwoFactorAuthUtil.TIME_STEP_SECONDS
- ((System.currentTimeMillis() / 1000) % TwoFactorAuthUtil.TIME_STEP_SECONDS);
code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
System.out.println("Secret code = " + code + ", change in " + diff + " seconds");
Thread.sleep(1000);
}
If you want two-factor authentication via a TLS client-certificate, there are a few hardware cryptographic tokens out there. Java can load a PKCS#11 store out of the box, although some configuration may be required. How much of it is admin configuration vs. application configuration depends on the application (and sometimes on how 'locked' the terminal is w.r.t to inserting a USB token or having a card reader).
There may be alternative solutions, such as One-Time Password tokens (which don't rely on certificates, but on unique passwords instead). This seems less heavy for the users. I must admit I've never tried it, but this project might be interesting: http://directory.apache.org/triplesec/ (There are also hardware OTP keyrings, usually by the same vendors who do RSA cards/USB tokens).
We have API packages for Java (and php, ruby, python, and C#): http://www.wikidsystems.com/downloads/network-clients for the WiKID Strong Authentication system. These packages are LGPL, so you can also use them in commercial products. They work with both our open-source community version and the commercial Enterprise version.
HTH,
Nick
If you are able to use Spring Security we have a plugin which offers two factor authentication (physical and soft tokens) - www.cloudseal.com
Related
I'm trying to use twitter4j (in Java) to grab the list of users following a particular user who happen to have direct messaging enabled. Something like this...
IDs followerIDs = twitter.getFollowersIDs(someTwitterScreenName, -1);
long[] ids = followerIDs.getIDs();
for (long id : ids) {
twitter4j.User user = twitter.showUser(id);
String userScreenName = user.getScreenName();
String realName = user.getName();
//I'm hoping for something like...
///Boolean directMessagingEnabled = user.messagingEnabled();
}
The only problem is that I can't find any attributes associated with the twitter4j.User object that sound suitable (and also can't find any reference to it in the API documentation). Does anyone know if there's some way to programmatically find these types of users? Or perhaps twitter have deliberately excluded it? Thanks for any thoughts at all.
------EDIT-----
The documentation link from Yuri led me to this response from a twitter employee: "Determining if a user accepts DMs from all is not available via the public API. If you are a trusted partner please reach out via your direct Twitter contacts for details."
(https://twittercommunity.com/t/how-can-i-tell-which-users-the-current-user-can-send-messages-to/36127/4)
Also noticed that it IS possible to get the DM status for an already authenticated user using "AccountSettings.getAccountSettings().allow_dms_from"
This is discussed here
https://dev.twitter.com/rest/reference/post/direct_messages/new
There is apparently a whitelist for access you can apply for.
However it seems you mostly have all you need. The users following your account can usually receive DMs from you already. This doesn't cover the cases where the user either DMed you first, or accepts DMs from anyone.
But it is probably simplest to try sending and inspect the failures.
I recently set up a website and pushed it to production using Digital Ocean. However, I noticed that for both SEO purposes and to make Facebook Share work appropriately, I should set up my server to redirect www. requests to non-www. I'm running Play! Java 2.3 with a PostgreSQL database and the default Netty server. Any advice would be greatly appreciated.
There are lots of ways of redirecting. I wouldn't say DNS-redirects are the correct and only way of doing it, it's one way. Google is just fine with you doing a 301 redirect with Play.
Here's one way of accomplishing it with Play! filters (scala):
object NonWwwFilter extends Filter {
def apply(f:RequestHeader => Future[Result])(rh: RequestHeader): Future[Result] =
if (rh.host.startsWith("www.")) {
Future.successful(Results.MovedPermanently("https://" + rh.host.substring(4) + rh.uri))
} else {
f(rh)
}
}
The right way to do it is to do in not on the framework/webserver side, but on the DNS-server side.
You can do it in DNS-management area of GoDaddy or any other domain name registrar.
I'm trying to create an authenticate database in MongoDB 2.6 using java driver v 2.12.
In particular I need to create a user accessing to admin collection.
Any suggestion?
Thanks.
Here my solution:
MongoClient mcAdmin = new MongoClient(
configuration.getServerAddresses(),
Arrays.asList(MongoCredential.createMongoCRCredential(
MONGODB_ADMIN_USERNAME, "admin",
MONGODB_ADMIN_PASSWORD.toCharArray())));
try {
mcAdmin.setWriteConcern(WriteConcern.JOURNALED);
DB db = mcAdmin.getDB(userDbName);
BasicDBObject commandArguments = new BasicDBObject();
commandArguments.put("user", userUsername);
commandArguments.put("pwd", userPassword);
String[] roles = { "readWrite" };
commandArguments.put("roles", roles);
BasicDBObject command = new BasicDBObject("createUser",
commandArguments);
db.command(command);
} finally {
mcAdmin.close();
}
Doing this in Java code is not the best way to do it, and except for very rare use cases (writing an admin application for MongoDB) even one I would strongly advice against.
Security risk
First of all, your application would need extremely high privileges, namely userAdminAnyDatabase or userAdmin on the admin database, which more or less grants the same rights: creating a superuser at will. To put it in other words: this code would be a high security risk.
Granting roles and rights on a database is an administrative task and for good reasons should be decoupled from an application accessible by arbitrary users.
Technical problems
Activating authentication from a client simply is impossible. The mongod instance in question has to be started with authentication enabled. Furthermore, you would have to save to create a user with the mentioned roles before you could have your app administer users. The problem: you would have to store the password for that user somewhere. Unless you encrypt it, you basically store the most powerful password for your MongoDB databases and cluster in cleartext. And if you encrypt it, you have to pass the key for decryption to your application at some point in a secure manner. And all this to break best practices ("Separation of concerns")?
I am new to android development & I am trying to create an app which connects to available wifi network for data communication. There are various security types for wifi network configuration.(EX WEP, etc). How to know which network is using which security type?
& after knowing that, how to connect to particular network.
I've searched a lot for my problem, & found this:
WEP Network requires:
wifiConfigObj.wepKeys[0] = "\"" + networkPass + "\"";
wifiConfigObj.wepTxKeyIndex = 0;
wifiConfigObj.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.NONE);
wifiConfigObj.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.WEP40);
EAP Network requires:
wifiConfigObj.preSharedKey = "\""+ networkPass +"\"";
Public Network requires
wifiConfigObj.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.NONE);
But still I am unable to get any clarity. Please Let me know how to get through it.
Thanks..
See answer given by ayj in this question.
In case link doesn't work in future, let me copy paste it for you here.
You need to parse the ScanResult's capabilities string in the scanComplete method. According to the Android developer documentation, :
ScanResult.capabilities describes the authentication, key management, and
encryption schemes supported by the access point.
You might be able to make use of -- or at the very least use as an example -- the static helper methods available in the AccessPointState class.
AccessPointState.getScanResultSecurity
AccessPointState.isEnterprise
I am writing one application which store user data into file. However, when I try to open phone memory my application raise security exception and won't allow me to write or read data.
Here is my code.
try
{
FileConnection fc = (FileConnection)Connector.open("file:///C:/myfile.dat",Connector.READ_WRITE);
// If no exception is thrown, the URI is valid but the folder may not exist.
if (!fc.exists())
{
fc.create(); // create the folder if it doesn't exist
}
OutputStream os=fc.openOutputStream();
String s="hello how r u..";
byte[] b=s.getBytes();
os.write(b);
os.flush();
fc.close();
}
catch(Exception error )
{
Alert alert = new Alert(error.getMessage(), error.toString(), null, null);
alert.setTimeout(Alert.FOREVER);
alert.setType(AlertType.ERROR);
display.setCurrent(alert);
}
However I used SDycard to save data and it works fine. But is there any solution to escape from SecurityException when I try to access phone memory? And when I store data in SDCARD every time one message is prompting that ask user to allow application to read or write data. I also don't want this prompt message.
How to escape from this situation?
You will have to sign and certify your J2ME application. This would involve purchasing a certificate. I havent done this, so you would have to confirm this or wait for another answer in SO. But I am pretty sure that unless you sign your midlet the phone's security policy will prevent this.
One URL on how sign your midlet:
http://m-shaheen.blogspot.com/2009/07/1.html
Agree with #Sethu that OP is due to midlet signing.
The OP is divided into logical phases to address the issue:
Issue/Cause:
Whenever a restricted API (in this case JSR 75 api) is accessed by the midlet it needs the permission to validate its authenticity, this helps to keep away malicious code. In your case the midlet is not signed (explained in #2 how to sign) so it does not have the necessary permissions hence Application Management System is prompting for user consent for each such sensitive operation by your midlet. Read this link for more details.
Resolution
Its a multi step process, (a) Procure the certificate, refer this link, (b) Add the necessary permissions (for read: javax.microedition.io.Connector.file.read, for write: javax.microedition.io.Connector.file.write) under MIDlet-Permissions in the JAD file
Procurement of certificate
A detailed explaining is given in this link Java ME signing for dummies