I'm working on a Java application that asks the user for a username & password, and then connects to a server to verify the entered details. If they are valid, it will then ask the server (by requesting a PHP page) for data about that user. The user can modify this information using the application GUI, and changes are sent back to the server.
The main challenge is that the server doesn't use any Java. I need to make the server only use PHP, and it must be able to handle connections from different users simultaneously.
What would be the best way to go about doing this?
EDIT: The application will be requesting multiple different scripts from the server for different types of data, and will need to send and receive quite a bit of data (Probably up to 500 pieces at a time).
Create a PHP file that accepts POST.
In your JAVA, try passing a custom header KEY:VALUE pair that's verified via your PHP file - or try to think of a more elaborate way.
Then, post along the username and password to the PHP file: POST http://server.com/java-auth.php?user=username&pass=password for pseudo example. Then, have that PHP file return a JSON-encoded string or a serialized string... or go super fancy, and encrypt it all with public/private keys.
Hope this helps :)
Related
I have an applet that communicates with php through http post requests and then my php script inserts data in a mysql database. So the problem is that i guess anyone can make a http post requests and add data to my mysql database if they now the "post" names and of course i dont want that.
So i would like to have som solution where my php can be sure that the http requests are really from my applet and no one else. I would be grateful for ideas on how to solve this. The data being sent contains no secrets so it dont need to be encrypted if it can be solved with no encryption that is.
Thanks in advance.
If you can't use encryption while communicating , so the answer is simply you can't make sure.
In fact, even with encryption, it is impossible to determine whether a request was made by your applet or by something else that is perfectly mimicing its behavior. You will need to build your application such that it can deal with this.
Encryption will help secure any methodology you will put into place in order to achieve what you want, but it will do nothing on its own.
What you want is to authenticate the post message. This is usually achieved by having your client (here, applet) sign (HMAC) the POST message using a key that only the applet AND the server knows. The challenge here is that you need to securely store the key on the client side.
If I were you I would check into authenticating the users and hosting the applet in a secured area of your site, making sure your applet is re-using the HTTP session of the authenticated user when performing POST requests. Add to this basic safeguards against standard attacks (ie Cross Site Request Forgery, Replay attack, etc). This setup would make sure your requests come from your site by authorized users.
You could have the applet register by generating an RSA key pair on the client and sending the public key to the server. The server then keeps track of the public key of each registered client.
On each POST the client signs some piece of data using the private key, and includes the signature and the public key (or a hash of the public key) to identify itself. The server verifies that the public key is registered, and verifies the signature.
There would be no way to mimic this short of stealing the private key from the client, or breaking RSA encryption. Well, I guess you could record and replay somebody else's POST. There is that problem to solve.
However, you could have a fake client follow the steps of registration and send a public key, and then that fake client would be free to POST along with all valid clients. So there is that problem to solve, too.
I upload some data to my server with my application. I send the data to a PHP file on the server and this PHP write the data in my database. This works fine.
But currently I have the link to this PHP unsave in my Android code.
Is there a possibility to save this link or make my PHP only for my app available?
A static key could work but if the key is compromised by an app owner sniffing their own network traffic this protection will quickly break. A cryptographic system should be used instead, for example simple hashing of a secret salt with the time and date.
Both the client and the server should take the date and time to the minute in the same string format, concatenate it with a secret salt, and hash that. As long as the times are in synchrony, it should be fine.
You can also use a challenge-response system. The first request gets a challenge value, and all future requests include hash($challenge.$secretkey) which the server verifies.
More complex but worthwhile is OAuth.
Try to send some secret key as GET parameter to your PHP script.
You can set it on your app and then check it in your PHP script.
Something like this:
script.php?key=893284932890482304
And in your PHP script:
if ($_GET['key'] = '893284932890482304')
{
// do the rest
}
Another option is to set "User-Agent" in your app and then check this information in your PHP script. To be honest, I have no idea how to set "User-Agent" in Android app or iPhone app or whatever you have there, but there is probably some way to do so.
In a GWT application, I am building a login system.
I have implemented BCrypt, on the server side. My User class is only on the server side, as to protect the data. I have made the following assumptions, and cannot work out if they are correct:
Since client side java is converted to javascript, I should not save the password's content in a client side variable, since it will be readable.
For the same reason, I should send it over to the server already hashed.
I should not put my User class in shared, because I do not want its properties readable/derivable from source code.
I have seen many examples, but none encrypt the password before sending it to the server. Is this safe?
It is safe to send the password unencrypted to the server as long as you are using a secure channel like HTTPS.
You can also keep the same user object (without storing the password) in memory for performance reasons, just make sure you always validate it on the server side. Never trust user information given to you by the client.
Hashing the password before sending it to the server proves nothing. (Other than perhaps protecting the user form being compromised on other systems where they used the same password.)
If the attacker has whatever it is you send from client to server, whether it is clear text or hash or quantum brainwaves, they have what they need to access the system.
The sensitive information needs to be sent over an encrypted socket, then it does not matter how you encode it yourself.
I need to pass commands and data between a PHP CodeIgniter based server and a Java Client. I was thinking of using very simple encryption to encrypt / decrypt the messages. I have run into a lot of issues trying to do very basic crypto on the Java side.
Either I would like some help with the Java side of the Crypto, or a different idea to secure communication between the Client and Server.
The data is not sensitive and can be sent in the clear, as long as I can ensure it is coming from the correct source. I was thinking of using the basic encryption as an authentication measure that would not be circumvented by a replay attack. But I could be going about this all wrong.
Any help or comments are appreciated.
There is no method of guaranteeing that the data your server is received comes from a legitimate version of your Java app. If you're using any form of encryption, the key must be stored somewhere in your application bytecode. Also, it is not very difficult to hack the client-side application and let it send invalid data.
The correct approach is to keep in mind, on the server side, that your data might not be coming from the correct source and therefore you'll have to validate all data in order to make sure nothing illegal is being done.
If you just want to guarantee that legitimate users using your client application can be certain that they are communicating with your server, you can use HTTPS or some other method using asymmetric encryption.
I need to be able to access my database, which in it's own isn't hard as java can directly access it. I want to, however, use a php script to access it, as I need to insert stuff into the database as well, and I don't want to have the username and password of a read-write accoutn for my database in my java code. If someone decompiles it, he can just access my database and do stuff with it...
So basicly, I want to use a PHP script and send $_POST request info from my java code to my php script
(yes, java, not javascript ;-) )
You can do this, no problem. Use a URLConnection with setDoOutput(true), and get its output stream for the POST.
Of course, your PHP script should make sure that all data which is sent is sane, as anyone could send such a request to your PHP script. (Or you would need some way for the Java application to authenticate itself to the PHP script, which simply shifts the problem of hiding these credentials instead of the database ones.)
You should store DB credentials in configuration file to avoid embedding them directly into the code.