I have a Java Web Start Application which communicates against my server via a web service (over https).
I want to restrict the usage of the webservice to my app only, so that 3rd party apps don't work.
What strategies to I have? This question is somewhat broad, but running in JWS disables some options, like doing a checksum over all jars (at least I don't know a way of doing this in a JWS environment).
I can always implement my own auth scheme, but since the client code is on the client-side, one can always disassemble the class files and crack the auth mechanism.
Remember that if the client is communicating with the server over https, the user can easily replace the JWS client with something else that also communicates over https. Anything the JWS client could sent to "prove" its identity could be faked pretty easily. You could use client certificates (or numerous other types of authentication) to make sure only users with access to the JWS client could connect, but they will always be able to extract what they need from the JWS client to connect with something else.
The service needs to be secured based on what the user should be allowed to do.
Related
I am wondering if there is a solution to my problem. As a summary, I need a non-intrusive Web response cache for users that authenticate via a client certificate and are authorised to see URLs based on that.
I have a JEE application and I would like to cache responses to Web requests. I am trying to do it as transparent as possible (ie. without messing with the code), so I found Squid.
My problem is that users might authenticate themselves via a client certificate (or the absence of it) getting authorisation based on this, and this is what makes things "difficult". Is there a way to configure Squid, or any other software, to cache the results after the communication has been established by Tomcat? Something like a cache that is triggered by my application right after the TLS handshake is over and Shiro has been called (because user permissions depend on their certificate). The fact that users have to be authorised by my app make me think that the only way is to create Java code for this, not using Squid or similar software transparently.
I am sure this is a problem that has happened before.
I have a question about whether I really need SSL or not. The scenario is as follows:
I have two applications at the moment, they are both Java webapps. One of them is getting data from another via RESTful web service secured by Spring Security, but my problem is that it sends username and password in URL so the other app can authenticate and authorize it using LDAP. In the end both apps will be running on JBoss AS 7 server so even though one of them is a client and the other one is server they will be running on one server and that confuses me a little bit (even if they will use multiple instances of JBoss they will still be both in the same network). Also signing certificate by third party seems unnecessary here because I don't really care if anyone will trust my server app and again I found that I can implement my own Certificate Authority but it really seems to me as an overkill.
So to summarize it: if I only care about request (or just its parts - username and password) being encrypted do I need to enable SSL and provide all it needs or is there any easier way to achieve it?
My project is an Android application that communicates with a server. The server is written in Java, deployed in Tomcat, and running on a Windows Server host.
I need to provide authentication against Windows domain accounts. Basically I need to ask the user of the app to type in their username and password; send this data to the Tomcat server; and have the server authenticate it.
I'm having trouble finding a straight answer as to how to do this. Since my app is not a web site, I don't have the option to do browser redirects or anything like that, and obviously the Android device on which the app runs is not a Windows machine and will most likely not even be on the local network.
I don't really need to execute anything as the Windows user, I just need to know that they are who they say they are. Hopefully there is a simple way to do this?
Thanks.
Assuming you want to use Java EE container-based form authentication, on the server you'll have to:
secure your web application
configure Tomcat to use Windows authentication
On the client, you can:
POST application/x-www-form-urlencoded login data with the special keys in the web form (j_password, etc.)
retain the session cookies in the response for subsequent interactions with the server
I haven't tested the specifics with these exact technologies but approach is sound.
I have to write a java program that hits a url
https://localhost:8443/ping.jsp
over ssl and returns the response whether the application is up or not. If I hit that url manually from my web browser it asks for security certificates and when I provide them it communicates with the application and displayes the response on the web page. I want to automate this process so that the java program takes care of providing the security certificates and everything. I could do it if it were not for ssl and security certificates but I am not sure how to automate this part (providing certificates).
I have truststore/keystore files but I am not sure how to use them in order to accomplish the task. Any ideas or any useful links that I should follow ?
I have somewhat of a problem.
We have a centralized interface engine that will talk to a web service that will provide information complement and allow to submit request to external systems. All this is good and fine until we have to integrate this with the required security from this provider.
They issue certificates distributed through smart cards (usb key) that the end user must use to have the software interact with said system (the web services). They insist that the (sometimes multiple) signature be done against the end-user`s certificate on his usb key. The private key is, of course, password protected.
How do I connect Axis2 that will ultimately handle all this to the certificates that are on the end-user`s computer.
The system is mostly legacy thick client application in Delphi 5, the interface engine interacts mostly with the database. Now we have managed to connect a piece of code that effectively connects the end-user`s station to the interface server via a simple TCP socket.
---- EDIT ----
We implemented the solution with customized signature interceptor within CXF (we changed from Axis) that forwarded the message content to a signature proxy which in turn would find and connect the right signature service running on the user-interactive session where the original request came from.
I accepted Eugene's answer because even though we did not use the components he specified we did implement the solution that followed his proposal's general guidelines.
There is no escaping the fact that the signature has to be done in a user-interactive session because of the USB token. Additional constraints were imposed due to the fact we used legacy systems and to the need to have the system work in a shared environment (Remote desktop server). Though it is possible it is not naturally supported by the web service frameworks or cryptographic libraries.
If you have the certificate residing on the client's USB token, then signing (as cryptographic operation) must be performed on the client side. If you can modify this Delphi application, then you can use SecureBlackbox for signing. I know nothing about Axis2, but if it allows creation and plugging custom cryptographic modules, then you make one that will take a hash (which is what is actually signed) and send it to the client for signing.