I am working on a java project where we have a server and a client application. The server accepts a connection and sends requested data to a client through socket programming.
Everything works fine but when uploaded and working on server I get connections from unknown ip's. And this application will be used from many countries so there wont be specific ip's to whitelist.
Is there a way to ban / reject these ip's so that only connections from my application should be accepted by the server using sockets. Is it possible to send custom data when requesting connections to the server so that it will tell the server to accept only these connections.
The selective acceptance you describe falls within the scope of authentication and authorization. You will want connecting clients to:
Identify themselves to you, so you can determine wether they are allowed access to the server. This can be accomplished by many means, ie IP or MAC address whitelisting, client side certificates, basic/digest authentication, or some other custom a uthentication scheme.
Once allowed access, you can further scope down what the connecting client can do in the system via authorization rules.
I recommend taking a look at libraries like Apache Shiro, that will do some of the heavy lifting for you.
After accepting the inbound connection you can use Socket.getInetAddress() on the returned Socket to retrieve and subsequently validate the IP.
If the IP is not allowed, then use Socket.close() to close the unwanted connection.
Edit:
Validation can of course be based on things beyond just IP. Once the connection is open you can use its streams to transfer arbitrary data to identify the client for instance closing the connection following an authentication failure.
Doing this you should, however, consider the possibility of someone being able to intercept your communications. In other words using a secure connection would make sense.
I'm not aware of a way in which you can authenticate clients in Java prior to opening (accepting) the connection.
If your server and client should be validated, you should think about using certificates also.
Here are some more information :
the java class
another SO question
Related
I have a working xmpp web client using strophe,my current approach is to login user from strophe on java script,but security point of view it is not secure and in my application ihave to switch pages vary rapidly,
while searching on internet on SO i found that Jake Moffitt has given a solution of implementing session which overcome both limitation ,as mention in his book "professional xmpp using java script",one can easy implement session and get SID and RID on server[have to create xmpp bosh connection from server]and pass it to java script(jid,sid and rid) which will than used in attach() method to connect with xmpp bosh manager,
I am using java as server side language,while some one try to implement boshclient in java it seem java smack and jbosh is only available solution (i mean working solution),
But i couldn't find any method by which i can get RID and SID using java script, i went through another approach
why not run strophe client on top of jvm,(why to run strophe on jvm? i am able to get rid and sid using strophe on java script as mention on this link ,why one should try this solution on java) i have included rihno in my dynamic web project js.jar to my lib folder in WebContent/WEBINF/lib and gave a qualified path to run env.rihno.js which create an browser run time on java and included strophe.js and jquey.js file and try to connect to bosh clint as i did on javascript for my web app,
code::
Context cx = ContextFactory.getGlobal().enterContext();
cx.setOptimizationLevel(-1);
cx.setLanguageVersion(Context.VERSION_1_5);
Global global = Main.getGlobal();
global.init(cx);
Main.processSource(cx, "/home/devwrat/workspace/Test/env.rhino.1.2.js");
Main.processSource(cx, "/home/devwrat/workspace/Test/jquery-1.11.1.js");
Main.processSource(cx, "/home/devwrat/workspace/Test/strophe.js");
Main.processSource(cx, "/home/devwrat/workspace/Test/boshconnection.js");
It seem everything is working fine on java until cinnection.connect() using strophe execute in my java script,i observers that it is not connection to bosh manager.
My question is as below
is it possible to establish bosh connection using strophe in java? and yes how?
thanks in advance!!!!
Edit (21-8-2014)::
I observed that after executing conn.connect(Arthur.jid, Arthur.password, function (status){print(status);}),status is 1 which in turn means connection status is connecting,it always say connecting never get connected ??May be xmpp bosh manager is not authenticating connection!!!
Strophe.js is usually used with the client side javascript. I think you're adding unnecessary complexity by trying to run Strophe.js on the server side.
You've mentioned two separate problems, moving authentication to the server side, and also maintaining session between page changes.
Problem #1 Moving authentication to server-side (Prebinding)
If you want to move the login process to the server side, then you can do so by utilizing a java based XMPP library or by manually creating and sending the stanza's (isn't that hard, it's basically just XML being sent over HTTP) which are needed for the authentication process. Once the BOSH session has been established server side, the JID+RID+SID attributes of the session can be passed to the client side javascript and used by Strophe's attach().
In order to write your own BOSH pre-binder, you should start by inspecting the stanza's which are exchanged between Strophe and ejabberd, and you should also read XEP-206. In summary, you will need to create a HTTPClient of some sort, point it towards ejabberd's /http-bind/ address, and begin sending it the same messages that strophe sends during login. You can always inspect the messages (stanzas) with your browser's network debugger, or Fiddler2 (I recommend this). Once you understand how Strophe establishes a session, you can begin writing your own server side mechanism to establish a session. Once the session has been established server side, you can extract the SID+RID+JID, and send them to your page and use them with attach().
Problem #2 Maintaining session between page changes
The second problem you state is that your application changes pages frequently. If you want to implement a mechanism to maintain your XMPP session between page changes, this can be done by utilizing strophes attach() in combination with a mechanism to store the JID+RID+SID. I use a combination of LocalStorage with fallback to AJAX to accomplish this.
BOSH and XMPP
The reason you cannot extract the RID and SID values from many XMPP libraries is because they don't use these attributes. SID and RID are used with BOSH, which is what enables us to communicate with an XMPP server using HTTP. With a web application using BOSH to communicate to an XMPP server, we have 3 levels: the XMPP server itself, a BOSH connection manager, and the web application. Since HTTP is stateless, and XMPP is not (it's designed to maintain a persistent connection), we need to use a BOSH connection manager to maintain that persistent connection to the XMPP server. This connection manager is what's managing our session with the server and handling the intermittent requests from the web application, it's able to push messages to the client with Comet.
In order for the BOSH connection manager to validate the intermittent requests coming from the web application, we include a SID and a RID attribute with each stanza. The SID will remain the same during the lifetime of the session, and the RID will increment by 1 with each outgoing request. It is important that the RID is incremented properly, if a request with an unexpected RID is sent to the connection manager, the session is usually ended and the connection manager will return an error.
Hope that helps.
I'm going to create an authentication server which itself interacts with
a set of different Oauth2.0 servers.
Netty seems to be a good candidate to implement network part here.
But before start I need to clear some details about netty as I'm new to it.
The routine will be as follows:
The server accepts an HTTPS connection from a client.
Then, not closing this first connection, it makes another connection
via HTTPS to a remote Oauth2.0 server and gets data
After all, the server sends the result back to the client which is supposed to keep the connection alive.
How to implement this scenario with Netty?
Do I have to create a new netty client and/or reconnect it each time I need to connect to a remote Oauth2.0 server?
If so, I'll have to create a separate thread for every
outgoing connection which will drastically reduce performance.
Another scenario is to create a sufficient number of Netty clients
within a server at the beginning (when server starts)
and keep them constantly connected to the Oauth2.0 servers via HTTPS.
That's easily done with Netty. First you set up your Netty server using the ServerBootstrap and then in a ChannelHandler that handles your connection from the client you can use e.g. the client Bootstrap to connect to the OAuth server and fetch the data. You don't need to worry about creating threads or similar. You can do it all in a non-blocking fashion. Take a look at and try to understand how this example works:
https://github.com/netty/netty/blob/master/example/src/main/java/io/netty/example/proxy/HexDumpProxyFrontendHandler.java#L44.
Is it possible to fetch the IP addresses of connected clients to a server from the client side? I know it's possible server sided, but is it client sided?
Note: I'm talking about server-client connection using a basic Socket.
Only if the server purposely provides that list.
Otherwise, it is not possible to get any information of other clients connected to a server you are connected to (this, of course, applies to Java, but can also be understood as a general concept of networking -- in the context of peer to peer, client/server, sockets).
Not without a script or program on the client end of the socket having code to retrieve it (e.g. Javascript on a web page). You cannot tell this strictly from the server side.
You are talking with your server, and only server talks with other clients directly. So only server can send you clients ip addresses.
So, this is possible, but must be implemented on server.
I want to write a program in Netty4 that should act as a server to other clients and also it itself is a client to another server. How to do this in Netty4? So far all examples I have seen are either client or server. Thanks.
There are no special difficulties here. You need to create a part that will act as a server (using ServerBootstrap), and a part that will act as a client (using Bootstrap).
If you need to establish a connection to another server while handling incoming connection from a client, you can place that logic into a ChannelHandler of the server's pipeline.
Netty provides two examples of this approach:
Hex dumping proxy
SOCKS proxy
I have something like a proxy server (written in java) running between my clients and the actual video server (made in c++). Everything the clients send goes through this proxy and is then redirected to the server.
It is working fine, but I have some issues and think it would be better if I could make this proxy server only to listen to the clients requests and then somehow tell the server that a request has been made from the client side, and that it is supposed to create a connection with the client directly.
Basically in the TCP level what I want to happen is something like this:
1- whenever a client sends a SYN to my proxy, the proxy just sends a message to the real server telling the ip and port of the client.
2- The server would then send the corresponding SYN-ACK to the specified client creating a direct connection between client and server.
The proxy would then be just relaying the initial requests (but not the later data transfer) to the actual server. I just don't know if that is possible.
Thank you very much
Nelson R. Perez
That's very much the way some games (and Fog Creek CoPilot) do it, but it requires support on both the server and the client. Basically the proxy has to say to the client and server "try communicating with the directly on this ip and this port" and if they can't get through (because one or both is behind a NAT or firewall), they fall back to going through the proxy.
I found this good description of "peer to peer tcp hole punching" at http://www.brynosaurus.com/pub/net/p2pnat/
Does the proxy and server lives on the same machine? If so, you can pass the connection to the server using Socket Transfer or File Descriptor Passing. You can find examples in C here,
http://www.wsinnovations.com/softeng/articles/uds.html
If they are on the different machines, there is no way to pass connection to the server. However, it's possible to proxy the IP packets to server using VIP (Virtual IP). This is below socket so you have to use Link layer interface, like DLPI.
You don't have control of TCP handshake in userland like that. This is what firewalls/routers do but it all happens in the kernel. Take a look at the firewalling software for your platform - you might not even have to code anything.