Is it possible for a java web application to get digital certificates installed in Browser. What I am looking for is I will read the digital certificate from the browser and based on the certificate, I will give certain access. I tried to search in stackoverflow but did not see any similar questions.
To make things more clear, we have users have company issued laptops and has company specific digital certificates installed. Now my web application should allow or deny access based on whether these digital certificates are available. From the browser I can see the certificates as shown in the following image
I am looking for some method like getting all the certificates based from httpservletrequest(i know its not available, but just giving reference so that someone can point out if api of some sort is available and if it is really feasible/). Read the certificates one by one and get details like who issued it, what is the expiration date, CRL Distribution points, etc.
I know it may be a dumb question and may have security flaw, but still going for it.
Related
i am a student and i have an assignment to do which involves Digital Certificates.I literally know very little about this topic and my project that i have to do is:"Create a GUI program(System) that authenticates users based on their digital certificate" .Now, That's the whole project request , and i looked a little(too much i must say) and literally found nothing that could help me .Researching i found out that the most basic certificate is X.509, so i d like to write a simple maybe java gui program that could solve my problem, if someone can help me , please do! Thanks in advance!!
If you do not know how certificate based authentication works, here is some information you shall need to read.
https://www.networkworld.com/article/2226498/infrastructure/infrastructure-management-simply-put-how-does-certificate-based-authentication-work.html
You should discuss with the person where assignment originated what sort of UI they expect and how the client would send the certificate to the server for authentication.
X.509 is a specification. All certificates conform to the specification to ensure that systems can work with each others certs. However you can maintain the certificates in many different formats.
A real life use case of this could be a terminal program that sends your personal key to the server and the server program opens up a session for you.
For my education I often have to program math exercises for our site, which will be used in schools.
I had to port a .swf file to java applet, mainly because the .swf ran really slow.
The game/excercise worked fine in both Eclipse and my localhost, but when we put it on the site it always got blocked by Java.
I have read that you need a certificate, but that self signed certificates dont work.
I have tried to do it (Not sure if I was succesful), and the applet was still blocked.
What am I supposed to do to make it work?
Why don't you try Java Web Start instead of applets?
You chan check it at http://www.oracle.com/technetwork/java/javase/applet-migration-139512.html
From https://www.java.com/en/download/help/java_blocked.xml
Java has further enhanced security to make the user system less
vulnerable to external exploits. Starting with Java 7 Update 51, Java
does not allow users to run applications that are not signed
(unsigned), self-signed (not signed by trusted authority) or that are
missing permission attributes.
So, from Java 7 Update 51, users cannot run unsigned application (without a certificate), self-signed application (applications signed with a certificate that doesn't come from trusted authority), or applications missing Permission Attribute.
As the documentation says about self signed applications,
Applications of this type present the highest level of risk because
publisher is not identified and the application may be granted access
to personal data on your computer.
Also, as stated in the documentation, if you can still use self signed applications you need to add it to the exception site list,
As a workaround, you can use the Exception Site list feature to run
the applications blocked by security settings. Adding the URL of the
blocked application to the Exception Site list allows it to run with
some warnings.
I've made a Java applet and I self signed it before, but due to security changes in recent Java updates, self signing no longer gives the applet the necessary permissions.
I need the applet to be able to read the local file system to use images and to be able to connect to a MYSQL database.
The applet used to work with the database when I self signed it, but not anymore.
In addition, many unknown users will be using the applet, so I won't have control over their machines.
Where can I get my applet professionally signed and if possible, is there another way to self sign that will make the applet work?
Purchase a certificate from any reputable certificate authority. Use that to sign your code. List of CAs
Or, some companies also do this: Sign the jars themselves, but pre-populate the JDK trust store with your (self created) CA cert. If you have control over the JRE that is installed on all user machines, you can place your certificate in JRE/lib/security/cacerts so that is trusted ahead of time.
update: This page (Java Control Panel Documentation) describes what type of signature is required for various client side security level settings:
As long as the applet 'phones home' to the DB & this demo. of the JNLP API file services1 works for the problem machines you should be set to go for a Plug-In 2 JRE (1.6.0_10+) JRE. And if the client has less than that, they should seriously look to update. The Deployment Toolkit Script can assist with that.
It is relevant in that:
It uses a self signed certificate
It allows a sand-boxed app. to read/write to the local file system.
An applet launched using JWS has access to the API.
This should only be considered a work-around. The correct way to solve the problem is to heed the advice offered to get a certified code certificate. Oracle seems to be heading towards making it so that unsigned or self-signed code will not just be sand-boxed, but entirely forbidden (& that is for the best).
As an aside re. DB access: For the protection of the DB. The applet should be forced to go through a 'public interface' (via the site that hosts the applet). Do not give the applet direct access to the DB. Otherwise hackers also have direct DB access.
I have some websites that redirect the user login to https, some user get scared when they see the warning as it says the site is not trustable or someone is trying to intercept their communication, so most of the users do not continue with the login procedure.
The fact is that i would like to avoid paying the big amount to get a valid certificate from one of those companies, as i am not making money with these sites, but i would like to keep the users credentials secure. is there a way to avoid this?
It would be enough if i can intercept the https redirection and display a message to the users explaining the situation.
Some widely accepted certification authorities offer a free certification path for Class 1 certificates (which make no assertion over the identity of the certificate owner, only that they control the subject; in reality, few people actually check SSL certificates for identity verification, so this is rarely a realistic concern—and given the non-commercial nature of your application, may not be a concern at all in this case).
One such certification authority (that I have used myself in the past) is StartCom.
No, you can't hide the message without using a cert that is endorsed by a recognized CA. That's a fundamental fact of internet security.
What you CAN do is, before that message comes up, explain that they will see the warning. You can tell them that in fact your self-signed certificate is not vulnerable if a CA gets hacked (which has happened), while the rest of e-commerce is compromised.
But they won't read the long explanation. The best you can do is prepare them and tell them that ONE TIME they have to trust that you are who you say you are.
I am still new to security issues so my problem may actually be just a misunderstanding.
The system I am working has the requirement that users should sign/timestamp data somewhere in the web application.
However, in order to sign with a digital certificate, users should input their privates keys on the system.
Giving the fact that a third party is involved, we as a company should guarantee that only the end user is allowed to sign/timestamp data.
The only way I see out of this, is to create a desktop application, that can certificate data. But still I should need somewhere the ability of timestamping, and this would require communication with an external server, which could be a way of our company 'stealing' their private keys.
Is there a pattern for signing/timestamping data on the Internet and specifically on a web app? How could this be implemented?
So you have a server and users. Users perform digital signing of data on their systems. Timestamping is done together with signing (it proves the signing time). Timestamping is performed by trusted thirdparty TSA (Timestamping Authorities). The code which will do signing will contact the TSA (usually using HTTP or HTTPS protocol) and timestamping will be performed that way. TSA's certificate is included with the timestamp so that the timestamp can be validated later.
Now about technical side. For web application your best option is to create an applet or ActiveX control which will be downloaded to user's browser and which will do signing.
Our company offers pre-created solution for this, and I described it in details in this answer.
Of course you can let the user download the document and sign it using Acrobat stuff or some other client-side application, then upload the document back. If you decide to write such application yourself, you would need signing components, eg. IText or our SecureBlackbox.