How to read a file via https - all authentication methods (Java)

We need to read a file via http(s) that can require authentication via different protocols. I think we need to handle:
Basic
Digest
Windows (I think this is the same as NTLM?)
SharePoint (via FBA)
Claims Based authentication for OData access of SharePoint & MS Dynamics.
Numerous systems that provide token(s) on login that must be placed in the header of each read.
Is there a single way to do this in Java 6 and/or an Apache library that covers all these cases? And if not, I know how to do Basic, Digest, & header injections, but is there anything showing how to do this for Windows, SharePoint FBA, & CBA?
And is there any commonly used protocol not in my list above? This is read only so no need for WEBDAV.
As to why such an all-encompassing need, this is for a commercial library we ship. I have no idea what our customers will face and so I want to try and cover any possibility.
thanks - dave

Here is an 'answer', sort of.
Before addressing the question as you wrote it, I want to throw a challenge back at you: Why does your library need to take responsibility for opening remote resources? Most library APIs are written to accept input as InputStream or Path, and leave it to the application that calls them to work out how to get access (in the former case) to the particular resource of interest, whether local, remote, or invented on the fly.
Further, your restriction to Java 1.6, now long unsupported and mostly considered obsolete, will severely constrain your ability to find open source assistance in offering broader functionality that 'you can be called with an InputStream'.
However, having written that, there is a big difference between resources available via HTTP/HTTPS and resources available via other protocols. Java intrinsically supports HTTP, and libraries such as hc.apache.org provide broad assistance with some of the more annoying details (though, again, there hasn't been a 1.6 compatible release of that for some time).
If you feel the need to support protocols beyond HTTP, you are in a much more difficult landscape. In the mostly-linux ecosystem, the usual next thing is SSH protocol, for which there are good open source alternatives. For more-or-less proprietary protocols such as CIFS (Windows shares), let alone the really Microsoft-specific items, Google will give you all the answers there are, which is why questions that 'ask for an off-site resource or library' are officially off-topic here. You're perhaps better off requiring your customers to enable HTTP access to the resources.
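To show how the Basic, Digest, NTLM and token-header cases from the question can share one read path, here is an added example; it is not code from the question or the answer, and it assumes Apache HttpClient 4.3 or later. The host names, ports, domain, workstation name and bearer token are placeholders, and the SharePoint FBA and claims-based flows are not covered.

```java
import java.io.IOException;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class AuthenticatedReader {

    // Credentials are scoped to one host and port so the client never replays
    // them to a different server it happens to be pointed at.
    private final CredentialsProvider creds = new BasicCredentialsProvider();
    private String bearerToken; // optional token obtained from an earlier login step

    public void addBasicOrDigest(String host, int port, String user, String pass) {
        // HttpClient selects Basic or Digest from the server's WWW-Authenticate challenge.
        creds.setCredentials(new AuthScope(host, port),
                new UsernamePasswordCredentials(user, pass));
    }

    public void addNtlm(String host, int port, String user, String pass, String domain) {
        // Windows integrated auth: NTCredentials carries workstation and domain.
        // "CLIENT-HOST" is a placeholder workstation name.
        creds.setCredentials(new AuthScope(host, port),
                new NTCredentials(user, pass, "CLIENT-HOST", domain));
    }

    public void setBearerToken(String token) { this.bearerToken = token; }

    public byte[] read(String url) throws IOException {
        if (!url.startsWith("https://")) {
            throw new IOException("refusing to send credentials over cleartext: " + url);
        }
        // Redirects are disabled: the hand-set Authorization header would otherwise
        // be copied onto a redirected request and could leak the token to another host.
        CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(creds)
                .disableRedirectHandling()
                .build();
        try {
            HttpGet get = new HttpGet(url);
            if (bearerToken != null) {
                get.addHeader("Authorization", "Bearer " + bearerToken);
            }
            CloseableHttpResponse resp = client.execute(get);
            try {
                int status = resp.getStatusLine().getStatusCode();
                if (status != 200) throw new IOException("HTTP " + status + " for " + url);
                return EntityUtils.toByteArray(resp.getEntity());
            } finally { resp.close(); }
        } finally { client.close(); }
    }
}
```

Java 6 has no try-with-resources, so the nested try/finally blocks are what closes the response and client on that platform.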

Related

Lotus notes agents - registering an Agent on a database

I am writing a remote Lotus/Domino NSCO (Notes CORBA API) Java client for reading and writing to a Domino server. The client should roughly be able to act and simulate all the features of Lotus Notes desktop client for a user's mailbox (Mail, Calendar, Tasks).
Those of you experienced with NSCO.jar are probably already aware of many limitations it has. One example is marking a document as read/unread, which isn't implemented with this API. To bypass this, my latest direction is writing a Java Agent on the server side, which would use Java Notes local API to mark a document as read/unread. I can later call this client using the NSCO API. I would like to be able to call this agent for every user (every user has his own database), but I don't like the idea of creating an instance of this agent on each database. According to this, my question is:
- How (if possible) can I register an Agent in Domino so that it is available for every user?
Apart from this specific question, I would very much appreciate any links towards good documentation or books on this topic. (I believe I have already browsed through most of online documentation, and it's quite poor or out-of-date so books might be more useful)
Thanks.
Your question is very broad but I will attempt to answer what I can.
First, I don't think you realise the huge task you are attempting to do in simulating the Notes Client.
Much of the functionality in the front end will not be available for you, and creating back end agents to get to that functionality is going to put undue stress on the server. You are going to have to do some serious load testing to see what impact it has.
How (if possible) can I register an Agent in Domino so that it is available for every user?
The proper way is to create the agent once in a template and then have the mail files update their design (Admin related help). The agent is then run within each user's mail file as they need it. You also need to factor in how the agent runs. For example if you run it scheduled then AMGR may not run it as you expect it to.
If you plan to have one agent you kick off to process all databases, then you start having to deal with security of your agent.
Alternatively you can go the route of DOTS tasklets. These are OSGi bundles which can run like a service on the server.
I would very much appreciate any links towards good documentation or books on this topic.
The help within the Domino Designer client will be the most up to date on the API. The Domino Wiki will have a lot of resource material you are looking for.
Personally I think what you are attempting to achieve with just NCSO is not going to cut it. I would recommend to leverage already existing standards to talk to the server. For example POP3/SMTP/ICAL/RnR/DDS (REST API). Or use iNotes which would have much less overhead than what you are trying to achieve.

Making sure that a malicious apk isn't talking to my server

I'm trying to make sure that someone can't recompile my obfuscated application and then send malicious data to my server. I am doing an SSLed PHP_POST of my application's versionCode and packageName. These POSTED variables are all encrypted via asymmetrical encryption along with signature verification which will be changed per every version upgrade. I have thought of using checksums but those methods are not supported officially by Google and research has shown that they are not error-proof meaning that they could potentially disrupt legitimate users.
On top of all of this is a ban-on-site via IP/Mac Address/IMEI/Serial/Android_ID/etc when something is detected that is 100% not legit.
I understand that nothing could be 100% secured and the difference between a good security and a bad one is the time/money/effort it takes to break a security is valued higher than the item being protected by the security. With this in mind, are there any other methods I could use to protect my application or any ideas I should implement to add onto current security?
On a side-note, how easy is it to decompile/recompile an apk (jar) that's been obfuscated and would it be easier once it's been done once? (aka, it doesn't matter how many times I change the key because the application is already compromised and the decompiler can simply look at the same spot where my last key was)
First things first, don't do your own crypto. If you are properly(!) doing SSL that is probably enough to protect data in transit against tampering, etc. What you need to do is authenticate your app somehow which is generally tricky, because you need to keep the credentials in the app. There are different ways around that, but currently the standard (and Google-endorsed way) is to use Google Play services to obtain a token and verify it in your server app. Details here: http://android-developers.blogspot.jp/2013/01/verifying-back-end-calls-from-android.html
This is not perfect, but is probably better than most non-standard solutions you can come up with.
Decompiling is generally easy, and obfuscation doesn't change much, since it is trivial to find the places where you are calling system APIs (to get MAC addresses, hash, encrypt, etc.)

Need a Java compatible GIS library/data

I'm building a webapp that will need to provide some real-time tracking information overlayed on to some maps. My requirements are fairly simple:
I need to take a series of lat/long co-ordinates, and overlay simple markers at those positions with a small bit of associated textual information (i.e., just a label and/or tooltip at the marker)
allow the user to zoom/pan
use open client side technologies (e.g., AJAX, not flash/active-x)
a client-side control to allow them to configure an auto-refresh interval would be nice (but not necessary)
be deployable in a standard servlet container like Tomcat
be deployable in a private network (i.e., can't go to a web service on the internet to fetch data)
provides basic map data (I do not have my own)
commercial or open source is fine
This question suggests GeoServer + OpenLayers, but required an open-source solution (I do not). A casual glance at those sites seems like it would be a reasonable amount of effort to get that going, and it's not clear to me that GeoServer actually comes with map data. This is key, I do not have my own map data. I want a library that provides basic map data. I don't need detailed street information, just basic geography, political boundaries and major cities is enough.
I found Dundas Maps which looks like it would serve my needs fine, however, it is for ASP.NET so it is not an option.
Geoserver doesn't come with map data, but then no map server does. Depending on which area of the world you need data for, you can check e.g. Openstreetmap, Natural Earth Data, and local authorities. You'll have to serve the data (= background map) from your own servers to meet your "by deployable in a private network" requirement.
Setting up Geoserver with an OpenLayers front-end is pretty straightforward. Labeling and customizing markers is simple (Geoserver uses standard SLDs). The "preview" pages Geoserver provides by default are a good basis for development of your website and Tomcat is the recommended container for Geoserver afaik.
I have worked on an in-house project at work that provides almost all the features in your bullets, but we use GeoExt for the UI and geoserver as our server. GeoExt provides a very rich UI using Ext and OpenLayers. Also some of our data has been taken from OpenStreetMap.
Another option is Mapguide, an open source GIS platform.
Without knowing exactly what you are doing on the server side, I think you might find GeoServer usable. I have recently read through the licensing of GeoServer and my understanding is that you can use it as a service with unreleased software without issue which is how the software is intended. If you alter the GeoServer code and redistribute, you would have to contribute your changes.
GeoServer used in the case you are describing is different from a scenario like ExtJS where it is a part of the application. Have a look at the licensing again and look for scenarios that explain the interpretation to set your mind at ease. The company I work for uses open source GIS software quite a bit and this is how we interpret it. BTW I work with one of the contributors.
+1 for OpenLayers & GeoServer. There are other viable open source options.
If you are willing to spend money, do at least consider the commercial GIS solutions like ArcGIS Server. They are very successful, and it's not just due to marketing muscle. The deal is you pay them money, sometimes serious money, but you save developer time - which of course is also money.
You should have a look at Geomajas (http://geomajas.org/). This is a solution which is all-Java and integrates both front-end (GWT) and back-end (using amongst others Spring, Geotools, JTS,...). It is open source (AGPL), but other licenses are also available (from Geosparc).
I think it serves all your needs (though for map data, you would indeed need OpenStreetMap, Natural Earth or similar).
I know some people have worked on something similar to what you mention. There was even a talk at foss4g about display of a soccer match using Geomajas (the presentation should be online, but the foss4g site seems to be down at the moment).
Try http://www.opengts.com/, an open-source project for free GPS tracking built on Java.

Can you make http client connections from a web app (Flash, Java)?

Before I jump both feet in and waste my time learning something that I can't use for my needs, I have to ask:
Can I make a http connection to another website from within a java applet or a flash file?
Say I have a java applet that wants to load results from google. Will the JVM give me access to such a call? What about Flash? I've read about URLLoader but am confused by this:
" * Data loading is not allowed if the calling file is in the local-with-file-system sandbox and the target resource is from a network sandbox.
* Data loading is also not allowed if the calling file is from a network sandbox and the target resource is local."
Anyway if it isn't possible, will it fail on the user silently or will it ask for permission?
Thanks a lot.
Of course you can do that in Java, and also flash. However some browsers and environments may restrict by forcing security levels.
The warnings you found were related to local<->remote. For web applications which are hosted on a network, you can usually access other network resources. (well, some may restrict you for "other" domains - you'll need to check the security models)
But modern technology usually suggests doing that in combination with JavaScript. Google for "Ajax" and search for some frameworks that best fit your requirement - that would save a lot of time.
Yes, but the problem is that for security reasons, many browsers only allow the application to connect to the domain from which the application came from.
So, for example, if I go to website A and my app is trying to make an access to website B, it could sometimes be blocked (e.g., to avoid spamming, attacks, etc.). A work-around, if you control website A, is to create a "pass-through" script on website A that will send the request to B.
Can I make a http connection to another website from within a java applet or a flash file?
From Flash, yes. You do need to read up on the Flash Security Model to be sure what you can and what you cannot ask. Most of the time this is to stop unauthorized access and/or XSS or similar attacks. Flex (a related technology), for example, does not give you access to your disk, whereas AIR does. Take your pick.
As for applets, you'll have to wait for someone else to explain it to you. But AFAIK, it also has a security model to pose the least threat to its users.
Java, JavaScript, Flash, etc., implement some form of "same origin" policy which only allows untrusted code to read from the site it was downloaded from. One way around this, supported to some extent by recent versions of Flash and Java since 6u10 is crossdomain.xml (Google it). This allows sites to permit access via code downloaded by other sites. Note, this requires the site you want to access to grant you permission to do so.
Not with ease. By definition the Java sandbox won't let your applet call anything other than the origin it came from. You will have to sign your applet properly. Then users will either trust your applet and let it call elsewhere, or deny it - it's up to the user. You can self-sign your applet, but I would personally never allow such a thingy on my computer. It's good for testing and stuff like that. So you'd probably need to buy a certificate from a reputable source. Same for Flash, I believe the idea is identical.

How to connect a Java back end with a .NET front end

I have a bunch of Java code which was written using the Hibernate framework, originally destined to have a front end written using JSPs. However, the requirements for the front end have changed, and we've decided that a desktop client (which will be written in .NET) is a better match for our users.
I don't really want to waste the code that's already been written - can anybody suggest a good set of tools for writing a document-based web services interface that we will be able to access from .NET?
Thanks,
Jim
If you truly want a document based service interface (rather than an RPC style web service architecture), your best bet is going to be creating a SOAP based web service interface.
A quick glance at the Java site shows that the Metro stack might help a bit:
Java Web Services at a Glance
We're developing an application with the exact architecture you describe for a finance application. We reviewed several different options, and have finally landed on using compressed CSV over HTTP.
CSV was chosen since the vast majority of data was going to be displayed in a grid on the front end, we had very large result sets >250k rows on a regular basis, and it compresses really really well.
We also looked at using:
ICE, but declined on that due to licensing costs and the need to reinvent so much.
Google's protocol buffers via servlets, but declined on that due to lack of C# support (as of last fall).
Compressed XML using WOX, but declined on that due to lock-in to a small thesis project for support and XML being too verbose.
The industry supports a couple of different options as well:
SOAP, but that has its own well documented issues.
IIOP, J-Integra has a product called Espresso which will allow you to do RMI from a front end.
I'd personally use some lightweight RPC protocol, be it XML-RPC or a homegrown one. SOAP, IMO, is way too fat and is not as interoperable as it's supposed to be. The simpler the better.
We have quite a large application using a Java RMI server and IIOP.NET for interoperability. We have used IIOP.NET with the Sun RMI and the Bea Weblogic (now Oracle) without major issues.