How to make Spring Security dynamic - java

I have a web app which uses Spring Security basic authentication.
So now if I hit the URL, the server sends a 401 and my browser shows the username/password popup.
Everything is fine.
But now I want that a user can log in and can change the access to anonymous, i.e.
if now a user hits the URL he/she will directly be able to see the content without a 401 or a redirect.
How to do that since the XML is hardcoded?

Not sure if I got it right, but what you want can be done by separating your "dynamic part" into some URL subtree (e.g. "/dynamic/**") and permitting everyone to access this part with a single filter rule.
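The single-rule idea from the answer above, as an added example that is not the poster's code: it assumes Spring Security 6.x Java config (instead of the XML the question mentions) and a hypothetical process-local toggle, so "/dynamic/**" can be opened to anonymous users or closed again at runtime while everything else keeps Basic auth.

```java
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Supplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
@EnableWebSecurity
public class DynamicAccessConfig {

    // Runtime switch for the "/dynamic/**" subtree. Hypothetical: a logged-in
    // admin flips it through some endpoint of yours; it is process-local state.
    private final AtomicBoolean dynamicIsPublic = new AtomicBoolean(false);

    public void setDynamicPublic(boolean isPublic) {
        dynamicIsPublic.set(isPublic);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Rules are matched in order: the subtree rule must come before anyRequest().
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/dynamic/**").access(dynamicSubtree())
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Decided per request, so no config edit or restart is needed to change it.
    private AuthorizationManager<RequestAuthorizationContext> dynamicSubtree() {
        return (Supplier<Authentication> authSupplier, RequestAuthorizationContext ctx) -> {
            if (dynamicIsPublic.get()) {
                return new AuthorizationDecision(true);   // anonymous access allowed
            }
            Authentication a = authSupplier.get();
            // The anonymous token reports isAuthenticated()==true, so exclude it explicitly.
            boolean ok = a != null && a.isAuthenticated() && !(a instanceof AnonymousAuthenticationToken);
            return new AuthorizationDecision(ok);
        };
    }
}
```

When the toggle is off, an anonymous request to "/dynamic/**" gets the usual 401 from the Basic entry point; when it is on, the request passes through without a challenge.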

Related

Java Webserver W/ Angular Control Panel Web Interface

I have created an application using Spring Boot that uses Angular for the front end and is a basic login portal with encrypted credentials and click verification. What I want to do is: when someone visits the IP of the server it gets the Angular portal, and when it's a domain name, it actually pulls up that website. I want to program this to happen either in Java or Angular to request the resource from Java. How would one go about implementing this? I know how to have Java handle HTTP requests and actually get the HTML to the browser... What I don't know is how to do that while using the Angular front end to act as my control panel.
Here is my goal: the user types in the server's IP, which could be changed, "0.0.0.0", with the port that I specify, which would be 8080, and it brings them to my login page, which is the Angular front end. Once they are authenticated it goes into the dashboard control panel to manage the server, IPs, etc. However, if a user types in "Example.com", even if they type in port 8080, I want it to pull up the Index.html file of "Example.com", not the Angular cPanel. This would be an actual website with many pages and so on. The Angular portion is really just for server management: changing files, updating emails, and so on. Not sure this has ever been done before in the likes of Java; I really just need to have the Java app do one thing if it's the IP and another if it's a domain name.
Update 03/24/22:
OK, after further research I am trying to achieve something like a Webmin, Plesk, cPanel-esque type application. A user could make their website and such with the control panel, which I was going to build using Angular combined with Spring Boot. Those applications will only bring up the login screen if you type in the IP and the specified port; else they are going to load the records and the sites that are required based on what the user has typed in. I don't know if this needs to be Angular passing a string to the backend with a URL if the URL does not meet the criteria for the login screen to appear, or if there needs to be a different approach here.
OK, so I have found the answer I am looking for is through a proxy; you can get the domain name from the answer in this solution. It seems that what I was looking for in this case is a proxy, which is defined in Angular's documentation here. Once you have these two put together, you can then pass the base URL or really the entire URL back to the Spring Boot backend to request the requested resource. However, by using the proxy it seems this would not be needed and you would just need the backend to be able to handle requests as they are redirected to the backend, which would then be passed back to the front end to put together for the client. Building an HTTP server is done by using this class and can be combined with some others to actually give the requests back to the Angular application to then give back to the client.

How to fix User Impersonation in Java Web Application?

I have a Java web application using Struts 1.x. Recently my application has gone through penetration testing and our testers found some security holes. Let me explain. In my application I have 2 users called 'Admin' and 'user'. First our pentester logged in to my application as 'Admin' and they used the 'Burp tool' to intercept the request, copy the whole request content into Notepad and then forward the request. Now my application logs in as 'Admin'. They used another browser instance to log in as 'user' and used the Burp tool to intercept the request. This time they removed the whole request content, copied back the whole request content of 'Admin' and then forwarded the request. Now my application logged in as 'Admin' without asking for any user id/password. How to restrict this situation? I already store the userid in my session variable after successful login of each user. The moment they intercept the request and copy the 'admin' request content, my session variable userid also changes to 'admin'. How to validate this situation? Your help is really appreciated.
That is not really that much of an issue, since the first part, "copy the whole request content", is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised, in which case there is nothing you can do about it anyway, because they can just sniff the keystrokes and get the plain password.
If on the other hand you communicate without the S, namely just HTTP, then the solution is: get a certificate and switch to HTTPS.
Apart from that, your application can pin a session to an IP, which means if the session id / cookie is stolen and someone else uses it you can detect an IP mismatch and ask for credentials again.
To prevent direct replay attacks like copying the request and sending it again you can introduce a hash that incorporates the timestamp, or alternative measures; see How do I prevent replay attacks?. The problem however is that copying the entire request means copying the cookies as well, and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now admin user.
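The "pin a session to an IP" suggestion from the answer above, as an added servlet filter that is not the poster's code. It assumes the Struts 1.x app stores the login under a session attribute named "userid" (as the question says), a hypothetical login path "/login.do", and javax.servlet (Servlet 3.x) APIs.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionBindingFilter implements Filter {
    static final String USER_ID = "userid";         // the poster's existing session attribute
    static final String BOUND_IP = "boundClientIp"; // attribute name chosen for this example

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session != null && session.getAttribute(USER_ID) != null) {
            String ip = clientIp(request);
            String bound = (String) session.getAttribute(BOUND_IP);
            if (bound == null) {
                // First request after login: remember where this session was created.
                session.setAttribute(BOUND_IP, ip);
            } else if (!bound.equals(ip)) {
                // Same session id, different client address: treat the cookie as
                // stolen, destroy the session and make the caller log in again.
                session.invalidate();
                response.sendRedirect(request.getContextPath() + "/login.do"); // hypothetical login path
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Only trust X-Forwarded-For if the app is deployed behind a reverse proxy you control;
    // otherwise any client can set the header and pick the address it is "pinned" to.
    static String clientIp(HttpServletRequest request) {
        return request.getRemoteAddr();
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

Map the filter in web.xml ahead of the Struts action servlet. In the test as described, both browser instances ran on the tester's own machine, so the addresses would match and this check would not fire; it covers a cookie stolen across the network, which is the case the answer is talking about.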

Hide querystring parameters from url in response.sendRedirect

I have a Java servlet that is redirecting to a web application on a different server.
I was wondering if there is a way to hide the query string parameters, so they are not visible to the client in the address bar.
response.sendRedirect("http://www.mywebapp.com/login.html?parameter1=value1&parameter2=value2");
Is there a way to force sendRedirect to POST to the page and hide the query string?
Edit: use case.
A user goes to http://www.mywebapp.com
They are automatically redirected to my servlet filter
The servlet handles SSO to an identity provider using SAML
Once it receives the SAML response back, I redirect the now authenticated user back to mywebapp.com
I want to pass some parameters back to the webapp, parameters from the SAML response, but I don't want the user to see them in the URL.
Clearly, sendRedirect() is not what I want. What would be the best way to handle this?
No, you can't use POST in this scenario. When calling sendRedirect() this is what you send back to the client:
HTTP/1.1 302 Found
Location: http://www.mywebapp.com/login.html?parameter1=value1&parameter2=value2
The browser interprets this and points the user to that location.
Something tells me (maybe the login.html name and two parameters) that you want to automatically log a user in on some web site. Don't go this way: sending username/password (both using GET parameters and inside POST) is really insecure.
Without knowing much about your use case, it's probably the best solution to call http://www.mywebapp.com/login.html from your servlet, parse the response and return it to the user (so he will never really see mywebapp in his browser).
You could connect to the other server from your servlet (HttpConnection) and copy the returned data. The user will only see your server.
An alternative is returning an HTML page that sends a POST form automatically after loading. The user will need to allow JS.
You can forward the request from the server side and then at the end redirect to some other page.
I found a way to hide any string in a Java or Android project using the concept of inner classes and ProGuard to hide them; a class is my server-side processing.
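The self-submitting POST form from the answer just above, as an added servlet example that is not the poster's code. It assumes javax.servlet and that the parameter values (hypothetical "parameter1"/"parameter2" from the question) were already extracted from the SAML response; the escaping matters because those values originate with another party.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class PostRedirectServlet extends HttpServlet {
    static final String TARGET = "http://www.mywebapp.com/login.html";
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Hypothetical: the values you extracted from the SAML response earlier in the flow.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("parameter1", "value1");
        params.put("parameter2", "value2");
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store"); // the page body carries the values
        resp.getWriter().print(buildAutoPostForm(TARGET, params));
    }

    // Returns a page whose form posts itself as soon as it loads (a submit button is left
    // for clients without JS, as the answer notes). Values go in the body, not the URL.
    static String buildAutoPostForm(String action, Map<String, String> params) {
        StringBuilder html = new StringBuilder();
        html.append("<!DOCTYPE html><html><body onload=\"document.forms[0].submit()\">")
            .append("<form method=\"post\" action=\"").append(escape(action)).append("\">");
        for (Map.Entry<String, String> e : params.entrySet()) {
            html.append("<input type=\"hidden\" name=\"").append(escape(e.getKey()))
                .append("\" value=\"").append(escape(e.getValue())).append("\">");
        }
        html.append("<noscript><input type=\"submit\" value=\"Continue\"></noscript>")
            .append("</form></body></html>");
        return html.toString();
    }

    // Attribute-context HTML escaping so a SAML attribute value cannot break out of the hidden input.
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }
}
```

The values stay out of the address bar and browser history, but they still reach the client, so mywebapp.com must treat them as untrusted input rather than as proof of anything.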

How to automatically login from a webapp to another webapp

I have a web-app (let's call it app1), in which I can't even see the source code, and to get into it I need to do basic authentication, "user, pass".
Then I am creating another web-app (app2) (which is Java/JSF/ICEfaces), where you also have to log in using user/pass (the user and pass from app1 are the same as the user and pass from app2).
Sometimes I have to open one app1 window (to fill in some forms, which I do not want to replicate in app2). I have a valid URL for that window/form, BUT, here is the problem: when I call that URL, app1 first asks for user/pass, and I do NOT want that. I would like something like single sign-on. It is just basic authentication (and I have the user/pass).
I tried to open a new JSP in app2, and there sendRedirect it to app1 trying to do basic authentication, but I can't, I mean, it does not work.
App1 has a REST API, and I can use it from app2 with basic authentication (so that works).
Can someone help me?
Thanks!!
You will have to understand how App1 handles login, e.g. if it is cookie based then first you need to log in using REST and then set a cookie as per the App1 requirement.
Single Sign On Concept
Build A Single Sign On
You can use an SSO (Single Sign On) concept for this. If you want to do it by SSO straight, yes you can follow the SSO modules provided by some people. Of course you can create your own SSO method; implement these steps:
1-> Use the REST/SOAP API to log in to app1. In response, give back a parameter (an encrypted string or something). Store it in some cookie. (In the back, save this parameter against some timeout and user information, for example in a HashMap.)
2-> While the login happens from the second app, send the parameter with the request. If you accept that parameter in the backend, try to validate it against the timeout and maybe the user info. Proceed with authentication on success.
You can set the parameter in a domain-level cookie, so all processing happens in your backend.
Can you try this and let me know?
Thanks
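The server-side registry behind steps 1 and 2 of the answer above, as an added example that is not the poster's code: app2 issues an opaque parameter after app1's REST login succeeds and later validates it against a timeout and the user. The 10-minute timeout and the class and method names are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SsoTokenRegistry {
    private static final long TTL_MILLIS = 10 * 60 * 1000L;   // timeout chosen for the example
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Entry {
        final String user; final long expiresAt;
        Entry(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }
    // The answer's HashMap of parameter -> (timeout, user info); concurrent because
    // servlet requests run on many threads.
    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();

    // Step 1: call once app1's REST API accepted user/pass. The parameter is random and
    // unrelated to the credentials, so a leaked cookie reveals nothing about the password.
    public String issue(String user) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(user, System.currentTimeMillis() + TTL_MILLIS));
        return token;   // caller stores it in the domain-level cookie (HttpOnly, Secure)
    }

    // Step 2: validate the parameter sent with app2's login against timeout and user.
    public boolean validate(String token, String user) {
        if (token == null || user == null) return false;
        Entry e = tokens.get(token);
        if (e == null) return false;
        if (System.currentTimeMillis() >= e.expiresAt) {
            tokens.remove(token);             // expired: drop it so the map does not grow forever
            return false;
        }
        return e.user.equals(user);           // the cookie must belong to the user logging in
    }

    // Logout or suspected theft: make the parameter useless immediately.
    public void revoke(String token) {
        if (token != null) tokens.remove(token);
    }
}
```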
You can do it in three ways:
Session
Cookies
Filters
In the first case, you have to alter the App1 code so that it processes automatic login from a shared session of App2.
In the second case, simply do automatic login by checking the cookies set by App2 (I am not confident about this one though).
In the third case, you have to set a Filter in App1 so that it bypasses the login credentials if the request came from your App2 with special information.
But for those you have to alter the code of App1. You just cannot bypass an authentication process directly. Also it is a good characteristic of your App1 that it does not allow direct access to a secure page without login credentials.

Security Problem: For REST URLs and Static HTMLs

I have a design like that:
There is a core part that runs Spring with REST.
There is another part which has a Tomcat server and has just HTML files (not JSP or anything else). So if I want to change a page on the Tomcat side there is no need to restart the application; also the design and code parts are separated. Let's accept that I am listing users on my web side (Tomcat side). Then my web side makes a GET request and the response comes as JSON. PUT, DELETE and POST happen with the same methodology.
I have 2 security problems at this point.
First, when a user wants to see a URL at the server side, how will I check authorization and authentication? And how can I limit an authorized person from getting my web page with a tool like wget?
Second, how can I hide my REST URLs? For example, if a user debugs my JavaScript code he/she will see that I am making a DELETE request to a URL with some parameters, so he/she will try to do the same (or can make thousands of GET requests to my core server if he/she learns the URL).
Thanks for advice.
Firstly, why do you use Tomcat to serve static files?
The approach I would take is this one:
Use a static server to serve static files (Apache, lighttpd, nginx).
This server will do authN and authZ (using an LDAP directory, e.g., or any other suitable auth backend).
AuthN is done using a scheme like HTTP Basic + SSL, HTTP Digest, WebID, ...
This is a solution to your 1st problem.
Configure the static server to reverse proxy your app server and use the same auth rules.
URIs are not "hidden", but they are no longer accessible to just anyone. Since the user is already authenticated to the static page, no auth should be necessary to request the "REST URI".