I'm working on a java swing application that up until now was single user/role. Now I have a requirement that users should be separated into roles with different permissions. Each panel in the application will have certain permission requirements that will dictate its behavior (i.e. it needs permission P1 for visualization and P2 for editing).
After some research it I'll stick to Apache Shiro for my security/UAC framework.
My question is this:
Where should I store the required permissions for each panel? My first thought was to have them in the java class itself, but this seems kind of "hack-y". Another option was to have them stored in the database and link the class with its required permissions. But this creates problems: every time a new panel is added/removed permissions will have to be updated in the database.
If you have any pointers to how this could be done/was already done, i would be very grateful.
I think the safest thing is to store the permissions in the database (or any other centralized server). The advantage is that if the permissions change, you have only one central place to change.
If any security configuration is in the application, then after a change you would have to make sure that no user is using secretly an old version...
Related
Context: I have two apps, both signed with the same signature. The first app has data stored in internal storage that I would like to migrate to the second app.
Question: How can I access the data in the first app from the second app? The Android documentation makes reference to "signature permissions" (https://developer.android.com/guide/topics/permissions/overview#signature and https://developer.android.com/training/articles/security-tips#StoringData) and hints that it is possible to share data between apps with the same signature, but I cannot find clear guidelines about how to do this.
It seems like it might be possible by creating a content provider? Or is it possible to directly access the files, since I understand from the docs that they will be running with the same user / same process?
Ideally this process can happen with minimal intervention from the user, and can all happen from the second app (e.g. the second app can recognize that the first app is installed, prompt the user to migrate, and then read the data from the first app and move it to the second). It would be even better if it was possible to move the files (rather than copy) because we potentially have a lot of data and the user may not have enough disk space to copy the data.
It seems like it might be possible by creating a content provider?
Yes. You can create a signature-level permission and use that to protect access to any of the standard IPC options in Android, including ContentProvider and Service.
Or is it possible to directly access the files, since I understand from the docs that they will be running with the same user / same process?
No, two apps signed by the same signing key to not run as the same user, let alone in the same process. android:sharedUserId has the apps run as the same user. This was never a great idea, is deprecated, and is likely to go away soon.
It would be even better if it was possible to move the files (rather than copy) because we potentially have a lot of data and the user may not have enough disk space to copy the data.
That suggests that having two apps is a bug, not a feature, from the standpoint of the user. The closest you will be able to do to a "move" operation is "delete-after-copy", so plan your copies to be as granular as possible so you can delete as you go.
How do you remove the default WMS Layer from a basic WorldWind Java application? If I remove it like so, my application is still trying to reach the public WorldWind WMS servers:
import gov.nasa.worldwind.Model;
Model testModel = new BasicModel();
testModel.getLayers().clear(); // Makes default geo invisible, but still queries server in background.
// Add my own layers, here
Oh wow - thanks for reminding me about an old love !
However, regarding your question:
If you want to work completely offline, use property
gov.nasa.worldwind.avkey.OfflineMode
(answer found here)
If you want to remove individual layers, take a look at the config folder.
config/worlwind.layers.xml contains the layer config, just comment out layer you do not want to use.
The folder resides in worldwind.jar when using the standard build, but you can specify a different location - take a look at the Configuration class on how to do that.
There is also another interesting file there, DataFileStore.xml, which lets you define the cache location. If you fill the cache with your area of interest while being online, this data will also be used when in offline mode. Once there were also Cachepacks available but it seem these are not available anymore.
I think there was also a tool to select an area and download the data into the cache for offline mode.
Have fun !
I know this sounds like a pretty simple question but I want to make sure that I am going about this in the right way before I begin coding. I am trying to hardcode a tab for a standard website (I don't want to use any other software/programs if possible) that is visible to all users but can only be accessed by people with certain permision levels aka admins. I am getting all my user information from a database file (lets call it users.txt) that is set up/contains the following: -username -password -permission level. So here is my thought proccess on this so far: grab each full line from the database, if(permission level != 1) then(alert message pops up and brings user back to home page).
So here is my questions:
-First off is this even the right way to go about this?
-How do I get a full line from the database and store the info in created variables? I want to try and get the info from the DB line by line, and store them in temp variables and see if the user logged in matches that information. (I guess this would go first when the user logs in and store the permission level info for later use aka when they try to access this tab).
Thanks in advance.
This doesn't sound like a good idea. Firstly I would recommend using an actual database, e.g. SQLite. I also think storing user permissions in a file is a particularly poor way of ensuring security (as the user can just edit the file). Using a real database will allow you to extract the users permission directly from the database without having to search. Furthermore depending on the database you chose you may be able to use various integrity features for security.
I would recommend, that you put the information in a database, then use the logged in user's information to pull the correct permissions level, and if it is high enough load the tab. Depending on your security needs you can also enforce some kind of integrity checks on the database and loading the tab from an external source (although in reality you would keep the tab's code encrypted on the device and requisition the key from a central authority).
I have an SQLite database stored in the assets resources of one application used to load UI and other stuff into the app, mainly just holding text nothing out of the ordinary. I want to be able to get a writable version of this database so I can modify it from another application.
Example:
First application is on the market with limited number of enabled features. User gets to a certain point where they need to buy extra content to do more stuff in the app. The original app has these features but they are not enabled in the app using the database. I want the user then to download a second app from the market which is just used to change one field in the database from disabled to enabled thus unlocking the new features.
I have an idea I may need to use content providers but my understanding is once created they are accessible to all applications. I need it, for piracy reasons I guess, to only be able to communicate with apps signed off by my key.
Thanks
Sam,
I understand what you intend to do, but you are going about it the wrong way. Your 'Unlock App' would not be able to modify the Database in the assets folder of your 'Free App'. That's just general android security model stuff.
You may want to look at this question: How can I use the paid version of my app as a "key" to the free version?
It describes how you can create a 'Unlock App' on the market to unlock features of your 'Free app' without needing to actually modify any of the original data in the 'Free App'.
Good luck
I'm working on an app that is meant to be used by fans of a sport team. In the future, I expect to use the same app but for any different team. So, what changes would be the colors, team logo, app name and the like.
So, is there any technique that allows me to build binaries for different teams without having duplicated resources?
Probably the best way is to depart from the default build system. That typically means writing custom Ant scripts (or you could use some kind of preparatory script that manipulates the resources prior to invoking the default build).
I've previously sketched an outline of how I achieved something similar.
Is it possible to have one binary that contains all the resources and have the user select which team they want from the app itself? Then the app can load whichever resources it needs.
There may be a better way to do this, but here goes:
Build your app for the first team and make all logos / team names / styles / etc resources. Then just write yourself a script that allows you to delete all the items in the res/ folder of your project and replace them with different items. If you are smart, then most of the string's like team names are included in the logos, so all your script has to do is to delete the old ones and copy in the new ones from some other location on your hard drive.
The worst part about this is that you will have to define android-type file for the styles. It might be good to have your script take as parameters a team primary & secondary color, and actually generate all the android-type style files.
Again, there might be a better way, I am just saying that this way could be a solution.
I think build your application which will load the image , colour information from internet / your server. then,
1) ask user for team name which they are following and download image,color information from internet/server and store it as local. don't download next time.
2) attach any global id with each build which will download the image,color information from server first time user installs the application.