I want to retrieve the following things from the user's desktop when the user uses logs into my website:
1) Mother Board Serial Number
2) Hard Disk Serial Number
3) CPU Serial Number
Now I am confused and not sure which way to go.
I cannot use Javascript because it will not provide these details because of security reasons.
I cannot use php because php runs on server side and not client side.
So last option is using Java Applets. As soon as the user logs in, the applet will be downloaded. When the user runs the applets, it will retrieve the necessary information. But I dont want to be using this because applets are obsolete these days and nobody uses them.
So is there any method in which I find find the user's hardware details without using Java Applets.
Using Java to get os level system Information will get you started in right direction.
Finding Operating System Information
How to get System Information using Java
Related
So, how much trust do I need to have in a publisher before I run their applet in the web browser?
In other words, I understand that a java applet is run in a sandbox in the browser, but this article suggests that the applet can actually access files stored on the local computer.
Can you please clarify the security limits of a java applet run in a modern browser, such as Firefox 50?
I understand that a java applet is run in a sandbox in the browser, but this article suggests that the applet can actually access files stored on the local computer.
There are potentially three different levels of security available to a Java applet.
The first is as you described 'sandboxed'. They can only access resources from their own server, nothing on your local file system unless they are launched using Java Web Start & will thereby have access to the services of the JNLP API. You might note that two of the services are the FileOpenService / FileSaveService! If the applet goes to use these, the end user will be prompted to permit the action via a dialog that states what the applet is trying to do, and asking for permission to proceed (to show a file chooser & go from there). These services provide back a 'file like' object that is more limited than the normal File API would supply. For example, it will not provide the path to the resource, just it's name and access to the content.
The level up from that can be specified in the launch file - '(J2EE) application client permissions'. This level removes the prompts for use of the JNLP API services.
The highest level of access is obtained by requesting, and being granted, 'all permissions'. Then the applet should have full access to File objects, be able to communicate with servers other than the one that launched it, etc. One of the few things they would still not be permitted to do in this mode is to call System.exit(n) to effectively 'kill the JRE' - this is something that is commonly done in other desktop apps.
But then there are JRE bugs, that screw all that up. Sun, then Oracle, kept stuffing up security so poorly (& regularly) that many browser manufacturers are entirely removing the support for applets (and other embedded objects requiring plug-ins) in web pages.
See Java Plugin support deprecated and Moving to a Plugin-Free Web for more detail.
..how much trust do I need to have in a publisher before I run their applet in the web browser?
I cannot answer for you, but my take would be that I would need to know them personally, and trust completely both their integrity and competence before I'd run their code in any browser I controlled.
Having said that, I don't think I have a single browser installed that even supports applets, and my complete lack of motivation to set something up, is probably a good view on whether I'd allow applets to run on this PC at all.
I made a Java (on IntelliJ IDEA) application and I want to give it to someone via USB or Dropbox.
However I don't want him to give it to someone else, like you know, he downloaded the file, so he can copy/paste it to his USB and give it to more people.
Is there any way to prevent the application from being copied after I give him the application? At first I thought of making a login window, but then I thought "hey, if he knows the password to login to application, he can just give the application to someone and give him the password as well", so login window is not an option (I think?). Can I disable the copy/cut functions with If statements after being copied once?
Or I can only prevent it by linking my application with a database and generating unique passwords to activate my application? Like for example, someone requested to use my application, so I will give him the application but he won't be able to run it. Then I generate a password and sent him the password. However that password can only be used once so if he will try to use the same password on 2 different PCs, it will give him an error. Is there any guide/tutorial/tips of making something like that on Java?
You could create some kind of "activation code" for your software that is generated based on some information about the hardware it's running on. I've seen some people using, for example, the MAC address, that you can obtain in a platform-independent way in Java.
However, keep in mind that those techniques will only work against the most basic users. MAC addresses can be easily changed by anyone that knows how to use Google and even if you use something incredibly complicated instead of MAC addresses, Java programs are dead simple to decompile and once the attacker knows what function is checking if the program is correctly activated, he/she can easily replace it. Yes, you can obfuscate your bytecode, but it only makes the task a little harder, not impossible.
You can do what you suggested and use passwords that can only be used once, but then your program needs to know that it has been activated, by storing that information somewhere (a file or something like that). And once the user knows where that information is stored, it can be replicated on other computers.
Unfortunately, once the user has your program, you have no control over what he/she can do. You can make sure that the user is not going to do stuff he/she is not supposed to do with your program by not giving him/her the program at all. You can, for example, expose your program's features through the web. But, as you said, nothing stops an user from sharing login credentials with another person. Yes, you could check if the user is accessing the page from a different IP address, but then a legitimate user could have problems when, for example, accessing your program from a different wifi network. And in this case, your protection not only fails in solving the problem, but also becomes annoying to a honest user.
In summary, brilliant engineers at huge software companies have been working on protections for their software for years and I'm yet to see a software that cannot be illegally activated given enough time and effort.
I have written a webbased application which handles contacts, orders, and permits to use this company's facilities. We use an ACR122U interfacing with it via a Java Applet and javascript (http://ndefeditor.grundid.de/).
I have come to realize this was a bad idea, as it seems every week Firefox blocks the applet because 1.) it's an applet 2.) it's unsigned 3.) Java needs to be updated
So I'm looking for a better way to interface with the ACR122U connected to each terminal via javascript.
One idea I had was to write a chrome app wrapper for my app, but I don't know if this will give me the access to the ACR122U that I need without using the applet. There's a whole Java library (https://github.com/grundid/nfctools) that is available also.
Looking for any suggestions or anyone else with previous experience.
In this question's answers someone can find many sites (like ideone) allowing a user to write and run programs online. I'm interested in making something similar (only for Java code though) and was wondering on how can this be done.
A simple idea would be take user's given code, send it to server, compile it, run it and then send back the output to the user. But what if the user has malicious code like deleting my server files, etc.? If I wanted to create the same thing for the C programming language, I guess I could just get the assembly code of the C file, see what system calls are being used and decide whether the given code is malicious or not. Based on the previous idea, should I look in Java, the program's created bytecode? Is there any better/easier way to do it?
Don't reinvent the wheel, Java has the SecurityManager mechanism to restrict potentially malicious code
Reference
the Security Trail of the Java
Tutorial
Permissions in the Java™ SE 6
Development Kit (JDK)
In addition to what Sean Patrick Floyd said in his answer, you could also sandbox the process itself on your Operating System as an added measure. Create a new user on your host (the machine that executes the code) and assign it very few permissions (only what's required to run the code). Run the process as that user.
That way regardless of the SecurityManager present, the spawned process won't be able to harm anything.
I'm currently developing a support system for a university. The system is written in PHP and I would like to be able to get a current list of software and basic computer information on a computer. Basically when one of the faculty or staff creates a ticket from our web interface, I would like to have a Java Applet or similar that could be run and would return the information to the help desk PHP script. Does something like this exist?
There are lots of programs that do this sort of thing. Googling for "CMDB" should give you a reasonable start -- a couple of them are open source, though others aren't even close to free (e.g., BMC Atrium).
To keep things closer to topical (i.e., programming related), one of the main frameworks for this sort of situation is called Web-Based Enterprise Management (WBEM). On Windows this is implemented as WMI. On Linux there are a couple of implementations including OpenWBEM and HP WBEM.
In Java? You'd probably have a hard time even finding, let alone making, an applet that can get that info without already having some software installed on the user's end. The biggest features of java are (1) that it runs in a virtual machine (read: getting to the underlying OS/hardware is not something it likes to do), and (2) that in a browser, applets generally run in a "sandbox" that keeps the applet from doing anything remotely dangerous. Basically the most it can do is tie up resources.
Number 2 can be worked around by signing the applet, but that'll require you either buy a code signing certificate or install a self-signed certificate on any computer that'll run your app.
Number 1 might be worked around with some help from Runtime.exec and ...\wmic.exe, but that assumes the WMI stuff is installed -- which is rarely the case unless someone does a full install.