My Java desktop application includes a component for communicating with a web service.
We therefore need to include the access details for it within the application, but do not want it to be easily accessible in the event that the code is decompiled (we will be obfuscating).
What techniques can we use to secure these details?
Do not bother encrypting the password in your application. Whatever you do, a determined user will be able to decrypt it and get access to it. My recommendation is to have a username and password for every user. The application will ask the user to enter the credentials and store them (using MD5 for example). If you can't modify the web service to authenticate many users, create a proxy service that can do that. The proxy service, deployed on a secure environment, will be allowed to have access to the username and password of the secured service.
I prefer you try Java Properties API.
Related
I have created Java Web Application by using Netbeans IDE. I have created entities with relationships. Webpages are simple dashboards where I can add new entities, change them and delete them.
I have added Restful web services to my entities. So web page will be available only for admin and I want to create client application that will have access only for his own data. That means client must login or register to my server.
When user logins/registers on website, server will create session for this user. I know that in RESTful service there is no sessions. My thought is to pass login and password every time when client wants to do some operation with server.
Question: is there any other method to create something like session between client and server? I hope it is not connected with encryption.
There are many options for authentication as well as authorization. If you want to use simple authentication then 'Basic Auth' of HTTP. Check out https://www.rfc-editor.org/rfc/rfc2617 for details. Remember that this is unsafe because the username/password flows on wire. Anyone can sniff username/password. This is updated by new RFC7235 - https://www.rfc-editor.org/rfc/rfc7235#section-4
Safer choice is oAuth. Explained in RFC6749 https://www.rfc-editor.org/rfc/rfc6749. In this case an access token goes with each request.
In both the cases the credential details travel with headers. No interference with parameters.
I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.
So my question is what is how to send user credentials from a PHP application to a java application?
If it helps I am using a Java web framework called Vaadin.
Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).
Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.
I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.
If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?
Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:
Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:
http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h
Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:
$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);
With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.
Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.
The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.
Does this answer your question?
I have a web application which is hosted on apache web server. And i have external java application which runs on tomcat integrated in this web application.
The apache is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on tomcat to check against ldap and authorize the user.
I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user.
So my question is will i be able to authenticate a user against Tomcat server via LDAP with just the username and not the password?
PS: Sorry there is no code or configuration that I can post at this point. The only resources i found implemented both username and password. I cannot kerberize the tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have
access to the user's password. But I'm able to get the groups the user belongs to and based
on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! Its very insecure.
(Well, its not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database including ip address and browser and redirect to the Java app which reads the db to validate IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with a IIS server. So basically, its the same thing, except you won't need C#.
I am trying to secure my Flex application within my Java web application. Currently my Java web application, handles logging and managing user accounts and the like. I was wondering if there is a way to essentially share that user credentials with the Flash movie in a secure mechanism? For instance, if you log in, we want you to be able to save items in the Flex application for that user, only if that user is logged in of course. Any ideas? Any help is greatly appreciated.
Update:
I apologize for the vagueness. I'm running Tomcat 5.5, Java 6 doing portlet development inside a Vignette Portal. All data communication is via Blaze DS. In our environment, we have data services and the portal handles logins, user management and the like. Currently we are simply passing down the username to the flash movie, which I don't feel is very secure.
You can pass data to a flash movie using flashVars which can be generated in a JSP. The data can be a one-time key generated on the server and associated with a user id. The Flex application can then take the key and use it to log in via a webservice call. The server will then validate the key and allow access to the user's account.
It is a very general question and it's hard to provide a good answer without knowing what is your current architecture. The Flex application is using the same web server as your web application? What are you using in order to discuss with the backend (web services, sockets, rtmp sockets)? If you are sharing the same web server you can access the same HTTP session and you can check if the user is logged in or not.
If you need to be aware in your Flex application that the user has just logged off from the HTML application or the session has expired you have several options, again depending on your architecture. Assuming that the HTML application was already was notified you can call through ExternalInterface a method from the Flex application. If not (session expired while you are using the Flex application) you will know when trying to save your data.
I don't know if this question has any sense, but this is what my boss want.
I work in a company with an intranet web.
In my department we have developed an application wich connects to a Bussiness Object server and executes and prints reports. This is a regular client/server app with our own user/password manintenance to log in.
My boss want to remove our password maintenance and let the users log in using the intranet password, somehow the desktop app connect the intranet (i don't know if it has a web service, but probabilly yes), makes the log in and retrieves some kind of object the Bussiness Object can use to authenticate.
Can this be done? I know the B.O. can use LDAP authentication if its well configured, so that if i can verify the intranet password and redirect the same password to B.O. it can autenticate the user by itself.
The closest I have seen/created is to use the shared secret (ITrustedPrincipal) mechanism to authenticate the user against secEnterprise without knowing the true password of the user. The only gotcha with this log in model is that the Universe Connection needs to not use the Business Objects credentials for connecting to the database.
The alternate is LDAP can be used and is fairly easy to set up as an authentication method for logging into Business Objects and auto adding users. The only caveat is that LDAP groups need to be correctly such that the Business Objects groups that the LDAP groups associate to are set up correctly.
Probably you'll have to look to some kind of "Single Sign One" ( sso ) and see if 1) your server can handle, 2) You client can implement it.