I am currently developing a web automation system that helps me know how mutch money I have on different web pages I use. The problem is that I made selenium read a file with all the passwords for each webpage. This is because i am opening one webdriver, loging in a page, getting the data i need and going to the next row of the passwords file. More clearly: it is a for loop that runs over each of the web pages (rows of the file) and for each web page there is a different user and password.
My question is the following: How can I mantain security over my passwords. Encrypting the file has to be a priority since its saved locally and if someone has local access to my computer all my passwords are leaked. Also inside of selenium, I supose thet whenever it reads a password from the file and uses it, it does it without beeing secure, so incercepting processes (I supose this is possible) could also leak passwords. Is there any way of avoiding this threads? I dont mind changing the thought process behind the application if there is no way of having it secure with this way of working.
PD: I still have to develop almost all the application so this part is not implemented. By the time i have to implement it I want to do it safely.
I have one question about Android. I need to run one of my activities only once - at the beggining. So, usually the best solution is to create file which contains flag isFirstRun and check the value after application's start.
But in my application it is very important to protect this file before deleting by user. Even if user has rooted phone he should not be able to change the value or delete this file.
So, is it possible to write this information to any Android system registry or somewhere else where user can't change this value?
No, it is not possible, for a simple reason, a root user have access to everything by definition. It won't make sense to have a program that has more rights than root.
The user can delete all the data your application saves. Consider saving this information on some server.
Is there a small framework for Spring 3 & JSP that allows server side form validation for forms that contains normal fields and file upload, which is able to "rejecting" the request without loosing the uploaded file?
In more Detail:
I have a HTML Form that contains normal input fields and a file upload field. The validation of this form is done on server side (it is to complex to do it on client side). There is no problem if the form data is correct.
But the user sends a invalid form then I need to display the form again, the user corrects the input and send the form again. That works fine except the fact that the user needs to enter (and upload) the file again. -- The solution in general is simple: I need to store the file on server side and then use this already uploaded file if the user sends the corrected data again. -- But even if it is not so complicated it is a lot of work, and I do not want to reinvent the wheel.
So my question is, is there any small framework that implement this feature, which I can add to my application?
(At the moment I use: Spring 3.0, JSP, Dojo)
All you really need to do is save the file and associate it with the session, and not to rely on automatic or injected validations which would reject the request without allowing you to save the file first - programmatic validation. Save the file with some kind of association to the session (or the user, if using Spring Security, for example) so it can be used in future requests.
But: that desired solution requires you to establish some offline cleanup of files. I have a similar situation where a process creates a (permanent) "temp" table. When the table is created, I kick off a table watcher process annotated with #Async that loops and sleeps the thread for an hour, checking to see if the table still exists (its deleted by the end of the online process). If the table is still present after an hour, the async thread deletes it and exits. In your case, you need to establish 1) what to check for to see if the user has completed the process, and 2) how long to check for it.
I am working for a company developing web based software J2EE.
On our webapp its possible to upload a csv file. Ive got some kind of reader class which reads each line and processes it. (It checks if the values in each csv line are valid and inserts them into the database). Along with this the reader counts the lines read to show this number at the end of the process.
Users can upload a file and click on the 'process' button, after this the process starts.
But these processes can have a very long duration since the csv files can be very big. When the users closes the webbrowser the process still continues on the server.
I want users to let them follow the progress. Even when they close the browser and log in again. So I guess there should be some kind of ID attached to each process, to know which user's process it is and what the status of the progress is?
Is there some kind of mechanism in Java with which I can accomplish this?
The simplest way to track the progress is to get the process to write its update to a database table - say 'jobs'. When a user uploads a new csv file and hits 'process', you can first make an entry into this table. The process periodically writes to the table its progress. When the user logs in to his account he can see all the jobs he had started and their progress. This is not the cleanest approach but it will get the work done. A lot of things depend on your specific framework. Perhaps you could make an entry into this table with the process id and there wont be a need for you to update the progress in the table. The frontend could then use a RPC to your process to query its progress.
If you store the csv as raw in a table in the database the entry should have a unique UPLOAD_ID. There should be another column in that table to reference the associated CLIENT as a foreign key. In short you need to associate the uploaded entry with the client or username of that client that performed the upload.
I'm coding a little library which will handle xml files to store some data, and I need this data to be handled only by the methods I provide in my library.
I know that xml is readable for both human and machine, and that if somebody really wants to modify the xml file he'll probably do it, so... do any of you have an idea that could work?
You can store more information in it, such as a hash of the content (before the hash was inserted of course).
When you will reload this file, you can check the hash. If it doesn't match with the current hash of your file, well it has been modified.
Well, there is no definitive way to block access to that file. But you can use several measures to make it hard on manual overriding of the file.
First thing you can do is lock the file (need to ensure OS compatibility) for as long as your application is running. Anyone can circumvent an OS file lock, but it is not trivial for an average user.
Second, you can consider encrypting the file on application termination. Restoring the key can be done from application code inspection, but again - a non-trivial effort.
As you said above, you have already implented a method that detects file changes, and you want a way how to prevent these modifications.
Usally, that's not possible. I'll explain at the end.
You have a few choices what to do:
If you want to prevent modifications while the program is running, you can lock the file. This will prevent applications from accessing it, but when your program exits, the lock will be released. (Example)
If you want to prevent access while the program is not running, you'll have to change file system permissions to forbid the user to edit the file. This is way more difficult as it is filesystem-related, and some filesystems like FAT haven't got file permissions at all.
You could write a "daemon" script that watches for file changes and revert them.
But all these possibilities have one problem - a program usally has the same permissions as the user, so everything the program does can be undone by the user. If your program has access, the user has too.
If you lock a file, the user could use a tool like Unlocker to release the lock, and edit it anyway. If your program sets file permissions, the user can simply change them back. On some systems, it might be possible to prevent this, but then your program looses access too. Bad. If you write a daemon, the user can kill it.
The only possibility is to have the program running with more rights than the user, and store the data on a place where the user has no access too. As example, on Windows, you can run it as a service. This requries the user to not have Administrator rights (or root, on Unix systems).
If the user is admin or root, you've lost, as he has full access to the system and you can't hide. (on Windows, there is one more level, the SYSTEM user, but an admin user can easily get these rights too).
Append a hash of the file concatenated with a secret key to the end of the file. Like an XML comment
<!-- 0123456789abcdefabcdef0123456789 -->
Upon opening the file you hash it again with the appended secret key and verify it.
Some psuedo code to clarify.
# Read
secret = "Secret key"
file = get_file_contents("file.xml")
content = strip_trailing_comment(file)
hash = get_content_hash(file)
if sha1(content + secret) == hash:
# File is valid
# Write
secret = "Secret key"
content = content_to_xml()
hash = sha1(content + secret)
content_with_hash = append_comment(hash)
write_to_file("file.xml", content_with_hash)
Hope that clears up potential misunderstandings. This way the code is still human readable, if you want that, and hard to tamper with.
As I understand from discussions and your question, you want to store the data as xml, and difficult for user to open/modify it.
In that case you will have to do some additional work:
Create the xml file with hash information as suggested by Colin HEBERT
Zip the file with password protection, the password to which only your app will know
There is a question on stackoverflow on how to password protect your zip file
In this approach, mind you, the xml file does not even become readable.
If you want your files to be readable, then you could probably use a seperate user id for your application (unix user id or windows userid) as owner of the files. and only allow that user to modify the files, but still this won't be a 100% solution.