I am storing the user credentials in a properties file, and use them whenever my java application makes a request to the server, and upon confirmation, the user is redirected to an ASP page. The issue with this approach is, the user credentials are visible in the URL, during the redirection to the ASP page.
How do I encrypt the credentials (at least the password) so that exact information is not displayed in the URL?
You can use MessageDigest SHA encryption to send the data to server. However you need to make changes to your ASP web application to decrypt the credentials. It is not one way street.
For this case sharing login information between different applications, the common solution is to use SSO, for example CAS. User login from java application which will get a valid token from CAS server and you can redirct to ASP page with the token instead of user name and password. Your ASP application needs to configue to use CAS to verify the token.
Keeping the security aspect in mind, consider implementing Salted Password Hashing.
Related
I have a username and password in my Java app to call an external API. I would like obfuscate these credentials' strings and not hardcode them in plain text inside source code.
Any tip how I can do that?
If the credentials are in an app on an insecure client device, then there is no way to secure them 100%. The common solution is to avoid storing username/password but instead have the user login once to obtain a token from the (secure) application server. This token is stored on the insecure device as securely as feasible, and refreshed on a regular basis: When the token nearly expires, it is used to authenticate with the server and obtain a new token. In this way, if the token is stolen it will not grant access indefinitely.
Hi i have created my web application in java to authenticate my application i can check the credentials in active directory. If user typed his user name and password means it works fine.
My question is, if the user already logged in his personal computer which is present in the domain by using his username and password. If the user open my web application means i need to go inside the home page without typed the username and password in the login page. How can i do this? Thanks in Advance.
Once the user is logged in successfully you can store some attributes in the session. You can then check on each page load whether the session is valid before allowing access. At a more comprehensive level this can be done using a Filter. Read a little bit on sessions here https://docs.oracle.com/cd/E19644-01/817-5451/dwsessn.html
If you want to read credentials from a user's browser, as someone suggested search Single Sign-on (SSO). There are a number of ways SSO can be implemented by your application, Kerberos-SPNEGO might be most suited for your requirement. But you can make a call once you have better understanding of SSO concepts.
Problem Description
I am writing application which must connect to the server and download some data from the server. The URL of the file witch must be downloaded is formatted as follow:
http://www.myserver.com/file.xml?username=xxx&password=xxx
Question
URL and password are not provided by the user, I simply keep them in the code and add to the URL where I need. My question is how can I keep securely password and username on the Android device.
I would advise against keeping any kind of credential (username) and authenticator (password) stored on your device, as well as transmitting them around; this is often considered a security flaw, since middle-man attacks can intercept the HTTP traffic and easily identify both.
I would recommend instead the creation a token engine that would associate temporary identifiers to users and devices. For example:
User ID 100 receives a temporary token, code A1S2D3F4 (randomly generated.)
The code is associated with the device ID AND200.
Whenever device AND200 tries to access the server, it would generate the following URL:
http://www.myserver.com/file.xml?t=A1S2D3F4
Notice that there is no content identifying the user, nor its credentials or passwords. You may check if the device generating the URL is the one the token was originally associated with. Adittional controls may be implemented to detect tokens being used out of their lifespan, and help identify malicious users.
In Android you can use Md5 encoding method for password encoding and if you need to save those user details then it store in the shared preference
Did you see if you can use Google OAuth2: http://developer.android.com/training/id-auth/authenticate.html
If not, do not send user name and password in the URL but in a HTTPS POST and the correct way is using SOAP web services.
Just as a hint there is a good talk on google io conference about security of android apps.
Link
They don't cover secure server communication explicitly but give some hints about it and provide an encryption library to simplify any encryption tasks.
I have Java Applet(J2EE), I want to make it accessible only to a certain set of users,by authenticating them using username and password.What is the the best way of doing this?
This guide to form-based authentication could be helpful.
The way you secure this will depend on what you have on server side?
Applet takes username and password. Calls some auth service on the server to authenticate the user.
Next challenge would be to maintain this authentication state. Solution would totally depend on how you are communicating back from your applet.
I’m looking for a bit of feedback on the practice of requesting users to authenticate to an intranet based web app by entering their AD credentials directly in form fields. For example, using domain\username and password fields as opposed to using the native browser based challenge window for integrated authentication. In the form based example, credentials are passed to the application in plain text and it’s essentially up to the integrity of the application to handle the data appropriately. It seems to me this is the equivalent of entering my Open ID credentials directly into a host app on the Internet.
So my questions are:
Is there any best practice guidance on authenticating to a custom web app (assume predominantly .NET / Java stacks) in an AD environment?
Can you think of any legitimate circumstances where this is really necessary?
Is this a legitimate concern or am I just being paranoid?!
In a highly secure environment, users would be encouraged to only enter their credentials when using the Secure Attention Sequence CTRL-ALT-DEL, which is designed so that it can't be intercepted by applications.
So in such an environment, even the browser challenge window for authentication would be suspect. Instead you would log on locally using the same AD credentials as you need to access the website, and would be authenticated without needing to be prompted.
I'd say entering AD credentials in form fields is extremely suspect if the credentials can also be used for access to other sensitive resources. Even if the app developers are well-intentioned, it is an unnecessary security hole. For example, anyone who has write access to the web directory can easily replace the login form and capture credentials.
If it's a browser based application, why wouldn't you just enable Windows authentication in your web.config (not sure what the equivalent is in the Java world, sorry) and let the browser handle authentication.
Otherwise, I'd say if you do this over a secure transport (SSL) then you should be ok. Microsoft's own products often use form fields to submit AD credentials (I know Outlook Web Access and Internet Security & Acceleration Server both do this).
The best approach is to use Kerberos tokens instead of an encrypted username/password.
This open source library, http://spnego.sourceforge.net, will allow your java web apps to perform integrated windows authentication using Kerberos tokens.
The library is installed as a servlet filter so you will not have to write any code.