I have developed a web application.Same user(same login id) can login to the system by using multiple devices. I want to identify the devices seperately. The devices can be ipads,tabs etc...
As an example, there can be 3 ipads .So I need to uniquely identify which ipad was used to login. I need to implement this using java.
Thank you in advance
You cannot really identify each device uniquely because device does not send any type of unique identifier to server.
The typical solution is using cookie. You can create cookie that identifies you each device when it connect first time. The cookie may (for example) take into consideration the client IP, user-agent, timestamp and some random part or, alternatively just create UUID. The cookie should be persisted and never expired.
Now, every time the client connects it sends the cookie and you can identify it.
If you want to detect the device type use User-Agent HTTP header. This will allow you to limit number of devices of the same type as you want.
Obviously user can delete cookie from his browser or use other browser. This is the reason that I mentioned in the beginning of my answer: you cannot really identify the device uniquely. You can however do the best effort explained above.
*I think you can use method
java.lang.System.getProperty(String)
The blow two property be concated will ok.
* <dt>os.name <dd>Operating System Name
* <dt>user.name <dd>User account name*
the above is error.
You cat get client identifier by javascript .java is working with server.
Related
I have a Java web application. I want to get the Ipad name or serial number or UDID or other information when the user access to my app.
If you have any solution to this. Can you tell me how to get there?
Thank you so much.
It is intentionally not possible for a web site (written in any language) to be able to get uniquely identifiable information about each visitor's hardware, so unless you can control the browser or other app that is being used (on the iPad) to make the request, there's no way to do what you want.
The only information your web server will receive about the visitor is the information they disclose in the HTTP request they make (user agent string, cookies, their IP address, etc.).
This question already has answers here:
How do I uniquely identify computers visiting my web site?
(22 answers)
Closed 2 years ago.
I am developing a web application using jsp. My requirement is to identify the no of request is from the same machine or not. How to finger print a device... I tried to get IP address but jsp returns always the server IP address. For this I refere the following question.get IP from client is there any way available to get IP or Mac address or a unique identifier of client PC using java script or jsp.....
You can always set a cookie. Check for the cookie on the request (when it arrives in Java). If it's there and it has a value you know, it's an existing user. If it's not there, it's a new user and you should set one for that user and keep track of the value you placed in.
If all other options aren't viable (like cookies, IP, user-agent or a combination of all), then you might want to consider having the user sign-up and login. That way, you have full knowledge on who's actually operating.
IP request will not work when your server is behind a webserver like Apache. Better is to assign an id to the very first request and put it in a cookie. But if you want to identify the same client across multiple browsers, cookie might not help you. Can you be a bit more explanative about your requirement? What constitutes a unique client? same browser / multiple browsers / subnet is acceptable / or anything else? Can this help - How do I uniquely identify computers visiting my web site? ?
Check https://www.chromium.org/Home/chromium-security/client-identification-mechanisms which explains different client identification mechanisms. HTML appcache sounds like an option (but if cookies are not allowed, not sure about 'storing' something on the client machine's disk).
On your jsp you can use cookies. You could have something like this:
<%
Cookie alreadyAccessed = new Cookie("already_accessed", "true");
// Set expiry date after 24 Hrs
alreadyAccessed.setMaxAge(60*60*24);
// Add the cookie in the response header.
response.addCookie( alreadyAccessed );
%>
You can't get MAC address. Other option available to you are :
Set a unique cookie and use this.
Use IP address and browser information in addition to cookie for additional surety.
Remote host and address diff you can get here Remote Address and Remote Host
I am making app, which would send value to php script. Then php script would conncect to Mysql database and return JSON array. And then the app would read it. How to ensure safety? For now I am not using any safety measures.
It depends, this is such a huge topic that a true answer would take a books worth of material.
What 'safety measures' are you asking about?
If you're talking about involving a web server, then you first need to secure your web server and build an API that is smart enough to protect against most common methods of attack. You need to make sure that other people - just by entering something in URL - cannot do the same thing your intended user can do. This means that you need to validate the user before giving them access to API.
Most common method of doing this is sharing a 'secret key' that only the server and client knows. So your user, with a phone, has a specific key and server has a key. Now user sends data to the server and also sends a validation hash (like sha1(KEY+DATA)). Server then receives data and makes sure that the hash is the same. Never send the key itself together with the request.
Another thing you need to test for are replay attacks. If someone listens in on the communication, then you have to limit the damage. This is usually done by you also sending a timestamp with the request and the server checking if the timestamp is within accepted range, so if someone sends that same request again later, it would fail due to timestamp being different. Server checks for this since timestamp is also taken into account for input data validation.
Then you have to make sure that the data returned from server is correct. So server will ALSO build a validation hash that your phone will check, making sure that someone didn't change the data while it was sent back to your phone.
As an added layer, you can also encrypt data that is sent (and received from API) with a heavy cryptography algorithm like AES/Rijndael 256bit encryption. This will encrypt data with a key that is required to open the data. If phone and server know the key and no one else does, then data can be sent securely.
Then the connection should be HTTPS/SSL, which helps protect communication from being listened in. But this does not help if someone already has access to your phone, so it is recommended to use the other mentioned methods as well.
As for your phone, it is pretty secure by itself as long as you don't have apps installed on it that might compromise that security. Also, if you think you can secure your web server less, thinking that since only phones communicate with it that it is safe, then a hacker can easily listen in on communication on their own phone and figure out the basics of your web service API and then open all the doors. So make sure your security layers go from biggest to smallest: web server is by far the biggest entity in your system.
As you can see, this is a MASSIVE topic that can take a long time to learn. But without knowing what exactly you were asking about, I cannot really help you any further.
Is a way to gather hardware information to uniquely identify a certain device (not a category) that makes requests to a Java servlet ? I searched for this, but I don't think there is a method ( "user agent" header can be used for some information, but that only identifies a certain set of devices and it is not enough).
This information is not available anywhere in a HTTP request. The remote address (client IP) and the user agent (the string which the browser pretend to be) are the closest unique identifiers you can ever extract based on a HTTP request. Even then, this information is not reliable. The client can for instance use an anonymous proxy. The client can for instance have changed the browser's user agent string.
You basically need to collect this information in the client side and then send it to the server side as request parameters yourself. You're in turn however limited in the available ways to collect this information. JavaScript for example doesn't allow this due to security reasons. Your closest bet is a signed(!) Java Applet or Web Start application. This allows you to let the client download some Java code and execute it locally. But this is also not always reliable. The client can for instance hack the applet/webstart code and/or tamper the HTTP traffic between the applet and the server.
Another way is to just introduce a registration/authorization/authentication system wherein the client need to supply an unique identifier itself by a valid login. This is not only simpler, but also more robust.
I want to implement a autmatic billing systen for one cybercafe.MEasning when some one want to surf net in my cafe he goes to attendent and attendent allocates him the pc and gives him the passswd which is generated by the applciation and the passswd will be valid for specific time(session of 1 hr or so depending on customer needs).Now when customer goes to his pc and opens any site he must be first redirected to my webapplication which will ask for passswd .If he enters correct details he will be allowed to surf the net for that particular and if his time expires he has to get the timer renevewd fro attnedent or else he cant serf.
In short i want a readymade proxy server module in java that i can combine with my webapplication. As i will need to implemet billing/ autontication based on this thigs.
What approach can i use? What proxy moduels are available?
The only Java proxy server I've encountered is jsocks. It should provide the proxy features you want.
You can then write your own authentication on top of this to make it behave you want with regards to time based logins e.t.c. Quoting from the jsocks page:
Authentication scheme is rather
simplistic, but can be extended, if
you know how to program in Java.
I would use CoovaChili or some other captive portal and then work the RADIUS part into the billing application.