How can i prevent anonymous users to run domino servlet in a database. I have set the access for Anonymous to no access and then it works find ... but ...
We need to have the Anonymous access set to "NoAccess" and "Read public documents" in the Access Control list. I don't understand why anonymous users are allowed to run the java servlet when we have "read public document" checked.
Can I prevent this in some way? we donĀ“t wanne allow the Anonymous to run servlets.
In our databas we have an login form thats allow public acess.
Is this possible or do we need to do this in another way?
If Anonymous is granted Read Public in the ACL, the anonymous users have to be given the ability to access design elements. That includes forms, views, and I guess servlets, too. That would explain why it behaves as you have observed.
For a workaround, you could consider putting the servlet in a separate NSF file where you can set the ACL so that Anonymous has "No Access" without the "Read public documents" flag? This might require a small amount of reprogramming if the Java code is assuming that it is accessing the current database, but the change could just be a single line of code and it should lock your servlet down.
Related
In our app, application loads user module using custom class loader. What would be the best way to protect wild behavior of the user module? We want to prevent:
user code to modify any application code. We have some singletons, and user may access it using e.g. reflection to get some instances and change e.g. some critical configuration; or replace some guard code. Since the classloader is written by me, so I can prevent loading any class that is critical.
user code should access only some folders; if possible. So it behave like unix user :)
The first step is to set a SecurityManager. This is because the Java class library contains global state. You will also need to ensure your code does not use its privileges to expose itself through this state. In addition some global state is not security checked, for instance through "AppContext" and the current thread.
Usually the package.access security property is used to hide internal code within a parent class loader context. This isn't a bad idea if the potentially malicious code is loaded through a non-child class loader.
Note, if you pass an instance of your hidden code, malicious code can use Object.getClass, Class.getMethods, etc., to explore the public interface. Class.getClassLoader is checked, but make sure there aren't other outlets, such as through the thread context class loader (though Thread.getContextClassLoader strangely has a security check, its use is to publish the class loader).
I am working on workflow management system.
Have one separate java class which contains logic method. One of this is:
public static in get_nxt_stg(int current_stg,int action)
{
}
and define static variable cur_stg and nxt_stg. used in servlet. call this method.
When multiple users log in and do some action these variables get not proper value. It seems like it is shared between all user requests.
What is best way to use variable in servlet, which is remain specific for that request?
You should not use static in such a way. If you need to share state, consider using the singleton pattern; but try to avoid static. Unwise use of "static" can turn into a nightmare (for example regarding unit testing).
In addition: it seems that you are a beginner with the Java language. But creating servlets is definitely a "advanced" java topic. I really recommend you to start learning more about Java as preparation for working on servlets. Otherwise the user of your server might have many unpleasant experiences ...
What you are doing is wrong. You should use Servlets only for the purpose of reading request parameters and sending responses. What you are trying to do, should be implemented in the Business layer of your application and if you have it implemented with EJBs, then your problem can easily be solved with an Stateful EJB.
I'm using an XPage as an agent (XAgent) which makes an SSJS call into some Java classes stored as Java design elements. I want the processes which are instigated by the XPage to be in the context of the user I'm currently signed into the browser as. However everything seems to be running as me, I guess based on the last signature on the XPage?
For example, in my custom classes the following returns my name when I need it to be returning the user's name:
DominoUtils.getCurrentSession().getEffectiveUserName()
When using old school Domino agents, the effective username is determined by the "Run as Web User" or "Run on behalf of" fields in the agent properties.
Is it possible to achieve the same functionality when using an XPage?
To investigate you have a number of moving parts:
Add to the XAgent (not your Java code) a print statement with session.getUserName() and session.getEffectiveUsername()
Check your DominoUtils if there is a sessionAsSigner hidden in it
if 1 works, but not 3, consider dependency injection: instead of getting the session from DominoUtils hand it over as parameter from the XAgent to the Java class
Let us know how it goes
In my scenarios I could solve most of the requirements with either:
session.getEffectiveUserName()
or:
context.getUser().getFullName()
There are situations where you need to encapsulate this with:
session.createName(string):NotesName
to get the NotesName-Object representation.
I have a Java class which have some confidential information which I don't want to provide to any unauthorized class.
I want to access this class in some packages (classes from this packages are going to utilize confidential information), So that my secure class should be accessible in these packages.
Is there any way where I can check if caller of method is a authorized class from authorized package or not?
I know public/private/default all things (so please don't ask me to use it), but those are not useful here, because I want a class to be accessible in some packages(not one/same).
I feel that you are going in the wrong direction. It might be a design problem.
The security requirement is your business logic. You should implement your security policy somehow, not rely on the java language level visibility modifier or caller package names. since if you give your jar to someone, he can anyway get access to your "confidencial" class.
And moreover, a class is a type, something abstract. it should not contain "data". well sure sometimes conf information was written as static variable etc. However if some data is sensitive, it should not be written in class. It could be stored in database or encrypted file and so on. Once a request to the sensitive information comes, you check your implemented security policy, if it is allowed to access those data.
just my 2cents
The visibility modifiers in Java are not a security tool, but an OO design tool. Whatever you might do, if someone uses your class, it can access any private members of any class using reflection.
If your objects contain confidential information, leave these objects in your secure server.
You can create an Exception (no need for it to be thrown) and use the getStackTrace() to analize the call stack. I always found it ugly, though.
That said, anything that you put in a client machine is vulnerable to that machine; if you have something really confidential protect it in your server; make it available only as a service.
You can use the proxy pattern, implemented by the Proxy class in Java - it is designed exactly for your purpose.
Here is a how-to.
EDIT : AFAIK, you cannot use the regular Proxy mechanism for static methods, as the proxy and the proxied class must implement a common interface. However, there are more advanced tools, which may help you like javassist. Unfortunately I'm not familiar with it myself.
You might be able to leverage aspectj here. It's theoretically possible to intercept the call to a given classes' methods based on the current flow scope, and have the aspect throw an exception or something. I'm no aspectj expert though, but the "cflow" pointcut qualifier would be your most likely bet. Maybe something like this
! cflow(call(* com.mycom.AllowedClient.*))
I haven't tested this kind of pointcut, but i believe it would work.
You'd probably want compile time weaving in this case though (as opposed to load time weaving).
As a side note, i agree with some of the others that i think this is the wrong approach to take. You protect data. You protected function access based on logged in user permissions. You typically don't protect function calls from other classes.
Guideline 4-2 / EXTEND-2: Limit the accessibility of packages
Containers may hide implementation code by adding to the package.access security property. This property prevents untrusted classes from other class loaders linking and using reflection on the specified package hierarchy. Care must be taken to ensure that packages cannot be accessed by untrusted contexts before this property has been set.
This example code demonstrates how to append to the package.access security property. Note that it is not thread-safe. This code should generally only appear once in a system.
private static final String PACKAGE_ACCESS_KEY = "package.access";
static {
String packageAccess = Security.getProperty(PACKAGE_ACCESS_KEY);
Security.setProperty(PACKAGE_ACCESS_KEY,
(packageAccess == null || packageAccess.trim().isEmpty()
? "" : packageAccess + ",")
+ "xx.example.product.implementation.");
}
I am java and php programmer.
In java i can use static class/method so that anyone can use the same one time created class during run-time.
But for php how to do it since it is script based and only run while we refreshing the page?
My main objective is, I want to use syncronized class/method so that it wont clash while executing the PHP...
Need your help to give input.
Thanks
Update:
I am doing portal like multi level marketing(mlm)
Once register a member, we should pay bonus to the uplines
I don't want immidiately calculate the bonus because it is risky and could take some time to finish, so is is better just to register the member and show successfull.
My idea is, after registration, just invoke another class to run bonus with syncronized method so that the bonus calculation will not disturb by another registration.
Given that a php scripts runs from new every sinlge time a "static" class would not be very different from an ordinary class.
If you want to store some sort of state or preserve some data between runs of a php program then there are a number of options.
SESSION variables can be used to store data between requests from a single users as long as he keeps the session open.
COOKIES can be used to store data which persists between sessions as long as the user is using the same browser, on hte same machine and hasnt emptied the cookie jar.
memchached and similar packages can be used to store data and make it available to any php program on the server.
Databases are the most scalable solution as they will persist data between sessions, and between servers. There is some overhead involved is establishing connections and retrieving the data compared with the other solutions.
PHP is shared-nothing. Everything just lives for the Request. If you want to share information between Requests, you have to implement some additional technology layer that can do so. Or look into process control, shared memory segments and semaphores. The latter three are uncommon usage in PHP though. And all of the above will still be asynchronous.
To my knowledge, there is no way to update class Foo in one Request and have it change state immediately in a concurrent Request with PHP.