I would like to know if it is possible to maintain an authentication (like a session with login and password in php) on a website from a java program, and if anyone had any lead on the subject or some reading for me, that would be great.
thanks
You can use the HttpClient class. Once you have authenticated with the website the server will send you a cookie that you have to send with each successive request in order for the server to think that you are logged in.
all you need is cookies, and java URLConnection. I use this all the time http://www.rgagnon.com/javadetails/java-0092.html
you use readcookies after you open a new urlconnection and writecookies when creating a new one.
Related
So I'm all very new to Java and developing for Android, but I somehow managed to get a successful idToken when logging into my app via Google.
I read on the Android dev site that just ID's are not safe as a modified client could send a fake one and result in impersonation of another user, so I followed their steps to get the user's idToken.
Anyway, is this safe to send over a URL to my server at home? For example, like so (pretend the long string of random text is the idToken of the user):
http://130.155.122.8/api_test/h78e568e7g6589gjkdfhjghdjfkghjkdfhgjkdfhk7hg9867458g74598hg6745896gh49/command
Also, is the idToken even required? Could I just as easily use the user's email address to identify the user (again, it would be sent over an insecure URL, no HTTPS)?
Thanks!
You should use encryption, if someone gets the token from a user they can impersonate that user, in my case, since i can't aford ssl (for now) i encrypt the token using asymetric encryption, and i send it to the server, but ssl is the best way
Generally speaking - No.
A token that identifies you should never be transmitted over an insecure connection (e.g. http). Since on such connections no encryption is used, a third party can very easily monitor the connection and get your token (leading to the impersonation issue).
IANAE, but any security-relevant data (e.g. idToken or password) should only ever be transmitted over a secure (encrypted) connection (e.g. https).
And using the e-mail address does not solve the issue. You simply replaced one identifier for another one. And if anyone ever were to know a user's e-mail address, he could impersonate said user. Stick to the "documented" authentication techniques. If done right they should be safe.
I want to write a messenger app on Swift, iOS and as a database I chose MongoDB and turned ON authentication on it. And for the bridge I chose RESTHeart(GitHub). But for input something to database from RESTHeart I use the next line:
http PUT 127.0.0.1:8080/myfirstdb desc='this is my first db created with restheart' -a username:password
So, I use authentication for each connection. So my question is:
Is it OK, log in for each insert to database for the messenger app or there are another, better, solution? I think that I need to make this process as faster as possible
Quoting the RESTHeart documentation:
If a request is successfully authenticated, an authentication token is generated and included in every subsequent responses. Following requests can either use the password or the auth token.
http://restheart.org/docs/security.html
You have to enable the auth token with the auth-token-enabled: true configuration
You should also make sure to use https.
Quoting the RESTHeart documentation:
With stateless basic authentication, user credentials must be sent over the network on each request. It is mandatory to use only the https listener; with the http listener credentials can be sniffed by a man-in-the-middle attack. Use the http listener only at development time and on trusted environments.
Looking for a pointer on how to get HttpClient (httpclient 4.3.6) to Authenticate the current user to IIS REST service.
I can connect no problem using UrlConnection as it seems to handle the WWW-Authentication protocol out of the box.
I have moved to HttpClient to leverage the multi-part POST/PUT (FileEntity) and I have discovered that the HttpClient does not handle the WWW-Authentication, it simply fails with a 401 which is the first part of the process.
I have found some examples out there that present NTLM credentials etc... but I don't want to capture credentials, I want to execute the request using the current windows identity.
Is there some code or an API out there that I can use to manage this on my behalf? I don't want to capture user name and password, I just want to present the current user credentials. Do I need to use a 3rd party library like SPNEGO?
Many thanks in advance
You might want to try out HttpClient 4.4 (to be released as GA soon). It supports native Windows Negotiate, Kerberos and NTLM via SSPI through JNA when running on Windows OS. Please note this feature is still considered experimental. Your mileage may vary.
http://hc.apache.org/httpcomponents-client-4.4.x/httpclient-win/examples/org/apache/http/examples/client/win/ClientWinAuth.java
I am developing an app which sends email. I use this to send message, but it requires username and password of my gmail account. So, I need to store them in app. How to protect them from malefactors?
Don't store passwords use tokens like a session cookie on http. Sessions can been revoked server side by user actions without harming other sessions.
A password can been read out (even if it is encrypted you need to send it unencrypted to the server hopefully via TLS) and if the user uses that password on multiple sites the user will get a problem.
I don't see the adequate answer, so I decided to get rid of storing password within my app. I just send request with necessary parameters to my server. The server gets these parameters, creates email and sends it to the recipient by using PHPMailer library. I used the code from this to send request to server. I hope it helps someone else.
This is just a suggestion but a little helpful. As other says SharedPreferences is fully secured but if we save data in SharedPreferences as encrypted format then it should applicable.
here is a examples and also MessageDigest will help you a little here.
Note: This question is directly proportional to security things, so I never recommend any of my answers. But it can be helpful.
You can use SharedPreferences for this but beware saving passwords is usually frowned upon even if highly encrypted.
Even in a PC app saving a password always warns you that the password is saved locally and is not secure from attacks.
I'm implementing a little snippet of code in order to log into a SAML protected website.
I have this piece of code:
HttpsURLConnection connection = (HttpsURLConnection)url.openConnection();
through which I connect with a safe SSL connection to some URLs.
On the first two times, with two different URLs, it works perfectly, but then, when I try to perform a specific request (the SAMLRequest to the IDP server, to be precise), the script thows this error:
[ATTENTION] An error occured: java.lang.IllegalStateException: connection not yet open
I can't really understand what's going on. While connecting to the SP, the connection is good (I also able to obtain this information, so I suppose the SSL to be working con.getCipherSuite() = TLS_RSA_WITH_AES_128_CBC_SHA), but then it stops.
Since the request I'm trying to issue is the only one which really matters in the SAML scheme, among the three I tried to perform, I thought it was a server-side problem:
Connect to the homepage of the service provider (SP) in order to get JSESSIONID cookie: it works
Connect to the SP login page in order to get the SAML Request: it works
Connect to the IDP in order to send (via GET) the SAML Request: ERROR.
How can I get rid of this problem, and be sure the connection is safe? I have the strong need to avoid a MINM attack, since the script will be implemented in an Android app which will need a strong level of security...
Sorry I might be a bit off topic here!
Are you using Google app engine for this? As google app engine doesn't support HttpsUrlConnection. Please read more here