In interview, I have been asked that "A user tries to log-in to a website with proper credentials and he is just taken to blank page. How would you troubleshoot that?"
I have basically talked about to go and check the splunk logs with X-request id. Make sure the entire URL request is correct, and check the error message.
But I am not sure the exact answer of this question? Could you help me to answer this question perfectly?
There is no perfect answer, because it depends on what web infrastructure they are using, and if they are leveraging Splunk at all. In most cases, an investigation will not start with a request-id. Someone will come to you and say 'find it'. I'd say the best way to answer this question is by asking questions.
IF (big if here) they are using splunk, then it's something like this:
Questions to ask:
What is the time frame this happened in?
is there are user / ip associated with this, or is that what you're looking for?
what system did this occur on? (assuming they have more than a single web front end. iis, apache, blah blah)
Solution:
Use Splunk to search web data any failed login events during the time window mentioned, and provide a report of user/hosts/ips to the SME / system owner or requester.
Related
All,
I have been looking for this answer for several hours and I cannot seem to find a lot of great information.
I have been provided a URL to a JNLP file, which is opened via JavaWeb start.
When this application open, it has two fields. One for a username and one for a password. I can manually enter data into these fields and the application redirects me to where it should go.
My question is, is there any way to programatically access these fields for automation purposes?
There seems to be limited information on the subject.
Any assistance or pointers in the right direction are welcome.
Thank You
I know my question is more likely to be discussed rather than really answered (because it's very large), but I need some elements and "advices" to really get started, sorry for that.
So I've got a java program which has to analyse some URLs, I've finished this part. For the moment, the user has to enter manually the link into my program, then the link is analysed.
Now I have to retrieve automatically those links, which will be sent to me via e-mail. (In a special Gmail inbox created for that purpose)
So I need to :
Let my Java program "listen" to my inbox
Extract the link of any new mail in order to analyse it
There are many problems, according to the way I choose to access to my inbox (POP3, GMail API...), according to the frequency my application would check the inbox, maybe there would be authentification problems... Even how to let my application run as a "daemon"...
And I really don't know how to get started, which choices to make etc.
Any help is welcome of course, if you have any documentation or else. Thank you in advance.
You have several ways of doing this.
I suggest you using Java Mail, that has a simple and useful API.
You have some documentation and examples in this URL:
https://java.net/projects/javamail/pages/Home#Samples
Look at the class monitor (very bad name!!!) inside the examples. This class monitor a mail box for new emails.
I am making a secure application which should not run if the mobile device is stolen/lost, or the sim card is changed. If I programatically uninstall my app it prompts user whether she wants to uninstall it or not. I want this thing in a hidden way.
One more thing is to keep a file in assets/raw folder and when sim card is changed i must remove that file and my app will not run without that file. But deleting the files from both folders is not possible on run time.
All suggestions highly appreciated!
I know about password protection, cryptography, Pro-Guard, Dex-Guard, keep minimum functionality on phone. Guys I must need a way to remove the App! Please help on that point
Thankx in advance!
One more secure solution is to run your app on some Android x86 servers and to pipe in only the user interface to the phone.
Disclaimer: I've never used those guys, so I don't know how good they are. I just saw their lightning talk presentation at the most recent AnDevCon in San Francisco, and I just thought it was a clever idea.
One added advantage that this solution provides is that your employee's personal content doesn't get mixed in with the content of your company's. In hindsight, it's an old solution that has worked quite well for PCs and remote workers.
I'm not sure if this is exactly what you are asking for, but it may address your concerns. In general, the big concern with a stolen phone would be data. If you are concerned about someone else running your application, it seems that authentication should address that. A secondary concern is that someone could de-compile your code to learn details that could lead to exploitation. So here are 2 suggestions that address these concerns.
Use Progaurd to obfuscate your code. That way if the device is rooted and the APK is obtained, it cannot be de-complied (at least not into easily understandable code). Reference.
If you store any data in a database on the device, be sure to encrypt it. SQLCipher is a free library that will allow you to do so. Reference.
Answering some other interesting comments I was pinged about:
A couple of things:
I am that guy who gave the lightning talk in AnDevCon Stephan Branczyk mentioned, but I'm not a heavy stackoverflow user so I do not have the privilege to reply. 50 Upvotes for this comment and I may be able to answer inline :)
I will however give my insights on this, so if you are "paranoid" about security and want to read more about it from the founder of a "paranoid security vendor" - you can continue reading it.
Otherwise goto 7.
It is very important to understand that there is no catch-all solution - so do not be naive about it. All Android security best practices are great - but up to some point, as your Operating System (ROM, MOD,...) can, and will be compromised. I do not want anyone to panic - but there is NO perfect solution.
Stephan is right about Nubo's security design concept - if you violate the terms - your are out of the game. If you're out of network, or doing something suspicious - well - the device is not in control, no matter what. We aim towards satisfying both the user in their personal space, and the IT managers in the remote Android space.
It is very important for me to say clarify it is NOT a remote desktop. It's not even close to it - we have developed a Display protocol for Android from scratch - intended for the mobile environment. This is nothing like Remote Desktop/X11/VNC/... for "PC".
Should you need a "perfect" solution, you need to have a "trusted" device, which involves hard-core hardware support + secure bootloader + block verification chains etc. You can learn from the ChromeOS project if you are interested but I assume you are not willing to take it that far.
Answering the original answer: It depends on what phone. If you want
to use the PackageManager - you need your app to have a System
certificate, which means that unless you bundle it with your own
device, or do other tricky stuff I will not get into in this post -
you can't. What you can do is to use the BIND_DEVICE_ADMIN permission in your manifest,
and essentially register your app as an administrator (Something like MDM, etc.). Then, with some more trickery stuff you can handle your problem on the nominal case. You could bundle another app with that capability, and just invoke it from your app if you want to be on the very safe side.
*This post is already way too long and referring to too many questions so if you have further questions please go ahead and ask. I will try to reply before 2014...
step 1 : write a process to run in background
step 2 : make the process be active when cell starts
step 3 : check for internet connection or balance
step 4 : if internet available mail yourself phone specific details like IMEI ,MAC ,IP whatever you think is important ,
step 5 : locating GPS location would be very helpful
step 7 : recieve these mails from the mail id registered in your app
I am trying to download the contents of a site. The site is a magneto site where one can filter results by selecting properties on the sidebar. See zennioptical.com for a good example.
I am trying to download the contents of a site. So if we are using zennioptical.com as an example i need to download all the rectangular glasses. Or all the plastic etc..
So how do is send a request to the server to display only the rectangular frames etc?
Thanks so much
You basic answer is you need to do a HTTP GET request with the correct query params. Not totally sure how you are trying to do this based on your question, so here are two options.
If you are trying to do this from javascript you can look at this question. It has a bunch of answers that show how to perform AJAX GETs with the built in XMLHttpRequest or with jQuery.
If you are trying to download the page from a java application, this really doesn't involve AJAX at all. You'll still need to do a GET request but now you can look at this other question for some ideas.
Whether you are using javascript or java, the hard part is going to be figuring out the right URLs to query. If you are trying to scrape someone else's site you will have to see what URLs your browser is requesting when you filter the results. One of the easiest ways to see that info is in Firefox with the Web Console found at Tools->Web Developer->Web Console. You could also download something like Wireshark which is a good tool to have around, but probably overkill for what you need.
EDIT
For example, when I clicked the "rectangle frames" option at zenni optical, this is the query that fired off in the Web Console:
[16:34:06.976] GET http://www.zennioptical.com/?prescription_type=single&frm_shape%5B%5D=724&nav_cat_id=2&isAjax=true&makeAjaxSearch=true [HTTP/1.1 200 OK 2328ms]
You'll have to do a sufficient number of these to figure out how to generate the URLs to get the results you want.
DISCLAIMER
If you are downloading someone's else data, it would be best to check with them first. The owner of the server may not appreciate what they might consider stealing their data/work. And then depending on how you use the data you pull down, you could be venturing into all sorts of ethical issues... Then again, if you are downloading from your own site, go for it.
A pretty basic JSP question, since I'm still trying to understand the right way to do things.
I'm working on a web app which requires users to log in before working. What I'd like to happen is, anytime a user that isn't logged in tries to access any page (other than the login page), the user will be redirected to my login page.
The approach that I've chosen is just to have a bit of code at the top of each page, attempting to grab the user object from the session, and if it doesn't exist, redirect to the login (I have a User object stored in the session for users that exist, which contains other details like permissions).
Is this the proper way of going about doing authentication? Or are there more standard ways I should be looking into?
EDIT: I decided to split this question into two questions, since one was more of a best-practices question and another was a purely technical one. Thanks for the responses.
I don't know whether you have this alternative, but using the Java EE declarative security would free you from needing to put authentication code into every JSP.
The idea is that in your web.xml you specify security rules, such as: this URL pattern can only be accessed by users in that role.The container will then challenge when users attempt to access the protected resources. You can specify your own login page for use when the users are challenged.
I think this is much perferable to coding your own login.
Here's a link to a description of how to do this.
Yes, JSPs are compiled down to servlet subclasses. The proper way to return early is to simply place a "return;" in your JSP.
Having said that, I think you should consider other authentication solutions. Its very easy to end up inadvertantly forgetting the include at the top of 1 JSP, and then you end up accidentally allowing GUEST users on that page!