I am transmitting a password through HTTP(S) to a HttpServlet as parameter. To get the password I am using the Servlets getParameter(String) method, which returns a String. But passwords should be handled with char[] like mentioned here.
Well, what I want to know is: How can I process a password securely within a Java Servlet? Is my solution with getParameter(String) the only one or are there better options?
Please keep in mind that I am NOT interested in how to transmit a password securely (I am expecting that the transmit is secure - maybe with SSL or something else).
Thanks in advance :)
Edit:
I forgot to mention that I am not using the password myself (for some kind of access restrictions for my application). I am just forwarding the password (so you could say my WebApp is something like a remote control).
If your login parameter is sent in a POST request and contained in the request content you could parse the content yourself and put the password in a char array.
You need to do this before any call to request.getParameter(String)is made since this will make the container read and parse the content. This only works if the servlet container lazily initializes its parameter map.
"Teleporter" approach:
Have Javascript break the password into parameters of 1 character each. Reassemble directly into char array at server side.
Related
I am following this for prevent CSRF in my webapp.
I could implement the same, but I have a minor doubt regarding how it exactly secures my webapp. We are creating an encrypted String along with the form with input type="hidden". So far so good. The user is not aware of the attribute that is passed along when submitting a form.
But, if the attacker is keen and finds the input element (document.getElementById/Name), and uses JS to get the value out of the form and use it in the malicious request, How is it exactly helping here? My server would still keep allowing the request to go through since the malicious request also might be having the same encrypted String as hidden input.
A CSRF token is a random, hard-to-guess string. On a page with a form you want to protect, the server would generate a random string, the CSRF token, add it to the form as a hidden field and also remember it somehow, either by storing it in the session or by setting a cookie containing the value.
When the user submits the form, the server simply has to compare the value of the posted field csrf-token (the name doesn’t matter) with the CSRF token remembered by the server. If both strings are equal, the server may continue to process the form. Otherwise, the server should immediately stop processing the form and respond with an error.
For More detailed Info: https://cloudunder.io/blog/csrf-token
Is it possible to send extra data attached to a http response via Java or Php?
My Website is a homework-platform: One User enters homeworks into a database, and all users can then see the homeworks on the website. The current load is very inefficient, as the browser makes two requests for eveything to load: One for the index file and one for the homeworks. For the homeworks request the client also sends settings of the user to the server, based on which the returned homeworks are generated by a Php script.
Now, I wonder, if it is possible, to combine those two requests into one? Is it maybe possible to detect the http request with Java or Php on the server, read the cookies (where the settings are saved), then get the homeworks from the database and send the data attached to the http response to the client? Or, even better, firstly only return the index file and as soon as possible and the homework data afterwards as a second response, because the client needs some time to parse the Html & build the DOM-tree when it can't show the homeworks anyway.
While browsing the web I stumbled across terms like "Server-side rendering" and "SPDY", but I don't know if those are the right starting points.
Any help is highly appreciated, as I'm personally very interested in a solution and it would greatly improve the load time of my website.
A simple solution to your problem is to initialize your data in the index file.
You would create a javascript object, and embed it right into the html, rendered by your server. You could place this object in the global namespace (such as under window.initData), so that it can be accessed by the code in your script.
<scipt>
window.initData = {
someVariable: 23,
}; // you could use json_encode if you use php, or Jackson if you use java
</script>
However, it is not a huge problem if your data is fetched in a separate server request. Especially when it takes more time to retrieve the data from the database/web services, you can provide better user experience by first fetching the static content very quickly and displaying a spinner while the (slower) data is being loaded.
I am developing an android application through which i am sending a mail via GMAIL API.
To send mail via GMAIL API i have to give them my ID and password.
GMailSender m = new GMailSender("myemailhere#gmail.com",
"mypasswordhere");
and i know writing password like this is not at all safe as my password could easily be stolen by extracting my apk and alsostoring the password in strings.xml is also not secure as xml can also retrieved.
my question is-
Is there any other way to write password in my file so that it remain secure??
The short answer is not. You shouldn't store your password anywhere in the code or in any file.
Even if you encrypt it like someone said you will have to store it's decryption algorithm/key somewhere in the code, which will be easily reverse engineered.
No,It's not safe to store passwords on the device.
small advice is always store passwords in char[] in encrypted form rather than storing in a String whenever it is mandatory to store.
Since Strings are immutable in Java if you store password as plain text it will be available in memory until Garbage collector clears it and since Strings are used in String pool for re-usability there is pretty high chance that it will be remain in memory for long duration, which pose a security threat. Since any one who has access to memory dump can find the password in clear text and that's another reason you should always use an encrypted password than plain text. Since Strings are immutable there is no way contents of Strings can be changed because any change will produce new String. So Storing password in character array clearly mitigates security risk of stealing password.
Storing passwords is not considered safe, and shouldn't be done if at all avoidable. There are a few considerations, if you have to for some reason.
The best place to store such things is in private SharedPreferences. These are not readable by anything but the app, or rooted devices. Do not store on external storage!!!
Encryption can always be undone, but if you have to, then it would be better than nothing, requiring more work to undo. Use a key which is unique to each device.
Some sort of a token, such as is used by Oauth, could be a solution. This isn't perfectly secure either, but it could be.
Google provides more secure APIs for it's functions. You really should look in to that.
Services like : http://www.wbwip.com/wbw/emailencoder.html encodes email to ASCII. Is it totally safe? Can spammers copy this code and decode it?
They can decode it, so how is it safest to show your email on the website? Probably by putting it in the image?
No, it is not safe at all. You are still exposing your email address on the page. Some dumb spiders will end confused, but those which are up to date will definitely be able to "decode" these entities quickly. The only solution is to... not expose email address at all. If you use contact form with recipients to be chosen by users, use IDs and dereference it in your code. If you need to show email - show image, but if anyone would like to have you address in their spam DB, then he can always put it by hand there.
Short answer - no, it is not fully secure as it can easily be decoded by anyone.
Anyone could easily decode this using an ASCII table, like so: http://www.asciitable.com/
A clever spam bot can trivially read the "hidden" address.
What you should do instead, is have something like (for john.doe#gmail.com):
john (dot) doe (at) gmail (dot) com
One could still construct a bot to counter this, but it would be impractical as this technique isn't very common.
Truth be told, there's no 100% way of hidhing your email. Even images have OCRs, and in the worst case, a persistent human can always manually type your address and add it to his to-spam list.
If you want your users to contact you, the best way would be to make a form, and have the server to process the request and send you an email. This way, your address is not exposed to anyone.
The best solution is not to show the email address at all. If you want your users to be able to send emails to each other, write a dedicated UI where they can type the message in and send the email directly from your server. But make sure that the UI itself is secured with login/pass too, otherwise you're back to square one.
That method would be safe against some - but not all spiders. If even one got through, you could be introducing the user to thousands of emails of spam. I guess it's up to you whether it's worth the risk, but I definitely wouldn't.
Sure, this form of email encoding is very weak in terms of security, in fact, it is not design for security purposes at all. It's encoding, not encrypting.
I have an application to build in Java, and I've got some questions to put.
Is there some way to know if one URL of a webpage is real? The user enters the URL and I have to test if it's real, or not.
How can I konw if one webpage has changes since one date, or what is the date of the last update?
In java how can I put an application running on pc boot, the application must run since the user turns on the computer.
I'm not sure what kind of application you want to build. I'll assume it's a desktop application. In order to check if a URL exists, you should make a HTTP HEAD Request, and parse the results. HEAD can be used to check if the page has been modified. In order for an application to start when the PC boots, you have to add a registry entry under Windows; this process is explained here
To check whether a url is valid you could try using a regular expression (regex for urls).
To know if a webpage has changed you can take a look at the http headers (reading http headers in java).
You can't make the program startup automatically on boot, the user must do that. However, you can write code to help the user set the program as startup app; this however depends on the operating system.
I'm not sure what you mean by "real". If you mean "valid", then you can just construct a java.net.URL from a String and catch the resulting MalformedURLException if it's not valid. If you mean that there's actually something there, you could issue an HTTP HEAD request like Geo says, or you could just retrieve the content. HTTPUnit is particularly handy for retrieving web content.
HTTP headers may indicate when the content has changed, as nan suggested above. If you don't want to count on that you can just retrieve the page and store it, or even better, store a hash of the page content. See DigestOutputStream for generating a hash. On a subsequent check for changes you would simply compare the new hash with the the one you stored last time.
Nan is right about start on boot. What OS are you targeting?