I need to run a java application (not an applet or JNLP, but a full blown application in the JRE) and need some restrictions on:
File System - The app could only access 1 folder to read & write (this would be a fixed path for the app's reference like / )
Ports - The app could only access several local ports. (eg could only access port 8080 / 3306 only)
Is there a way to do this? I have searched through Java Security & Policies but came nothing close to a solution.
I am considering to write a container to run this app or changing / overriding the classes (in case of OpenJDK). Is this ok?
This is for an open source project that we are about to start, Appreciate some good advice from the wise StackExchange community.
regards
First and most basic, run the java application with a user who has the minimum permissions required for the app to do its work.
Secondly, set the java SecurityManager and configure it.
SJuan76 has the right answer here. The SecurityManager is the appropriate way to restrict files/directories a java app can access. This tutorial might be a good guide to setting that up.
You can restrict the ports your java app listens on. But restricting ports really requires an OS level firewall to be configured.
Related
I have a web application that uses a Java applet to get my clients' system information by executing vbs code in Windows or basic commands in Linux, and network address too with java.net.InetAddress in order to log them into the webapp through ldap.
Due to Java applets will not be supported anymore shortly in the majority of browsers, I'm looking for another way of getting this information. Is there any way of doing it?
Thanks,
xavi
EDIT: Required information: System (OS, RAM, HD, IP, MAC) and network (username, machine name, domain name)
All you basically need is some sort of module that can be downloaded from you application over the network, which would run locally on client machine and would do stuff you require.
Since Applets seems to a little outdated, there are other options as well.
You can use JNLP, it would work just like applets, but the whole package would be downloaded first and would require JRE on client machine to run it.
When developing a Java EE 7 webapp (Win8, eclipse Kepler, JBoss Tools 4.1.1, wildfly8.0CR) I can use the application at localhost:8080/app/
But I wonder what to do, if I want an extern access to that app, e.g. from my other PC. What configuration is needed, or do you need a "real" server for such a purpose?
Thanks in advance
How public to you want your website to be?
If you want to access it from another computer on the same network(for example your home network) you need to adjust your network and firewall settings so that that you would have access from one computer to anoher on the same network. Then if on the computer that contains the app you would access it for example http://localhost:8080/myapp then on another network you would access it http://ip-of-the-comuter-that-contains-the-app:8080/.
If you would like to access it from outside the local network then the process is same, but a static IP would be recommended to the computer that contains the app.
If you would like the general public to use the app, then hosting it from your PC may not be such a good idea and somekind of server solution is adviseable. There are lots of different cloud solutions like http://aws.amazon.com/ec2/ or https://developers.google.com/appengine/ that would provide enough flexibility for majority of apps. Or you could ofcourse have your own server hardware, but this can turn out to be much more expensive to keep stable and secure.
For a quick-and-dirty solution you can choose the "Enable remote access" option on the server (double click the server, and you should see a check box in the server editor).
This will tell the server to start listening on all network interfaces and not just the local one.
btw. we only listen on local network interface by default for security reasons since we don't want you to unintentionally get hacked if a vulnerability is found and used by someone malicious.
I am learning Java and am trying to do some experiments with networking Java programs.
I have a program made in 2 parts with a client and a server and it works in local testing but the program actually has usefulness for me and a friend of mine and I want to put the server online so both of us can connect to it and use it.
Where/How can I put the program online and have it running so that the client programs can connect to the ServerSocket with an ip address? (Preferably free)
If you dont want to pay server hosting then I would open a virtual server on my computer, then playaround with modem and forward related port to server ip. I would use a port more than 40000. Then just send your ip and port your friend or update application.
If you really want the application to go live within 5 mins, try Jelastic. If you have built a WAR file, simply sign up with their server,choose a provider closest to your geo location, configure Tomcat and you can upload the WAR file through their fantastic web console. Otherwise if you have some source control system(SVN,GIT etc), you just connect and build it with their Maven console and you can be ready. I used it for my start up(Cloudlabz) and really found it exciting.
Surya
You could also consider the cheapest Rackspace Cloud Server. You'll get a full fledged Linux server (distribution of your choice) for about USD 11/month. I've done that now and then myself to try things out.
Just install Java on it and you're good to go.
http://www.rackspace.com/cloud/cloud_hosting_products/servers/pricing/
http://ideone.com/
is that what you want for this?
This is a free web app for you to run your program online....so you can just paste your code and run it.
On the cloud you could use two different services in order to host your Java application.
IaaS (Infrastructure as a Service). Where you can just rent a specific infrastructure on the cloud and you could install and configure all the services that you need.
PaaS (Platform as a Service). In this case, you still enjoy the infrastructure on the cloud + the service Aaren full pre-configured. It means that you can deploy your application without installing or configuring anything. You just need to deploy your application. You have an example about how it works here. Also, you usually can test your Java apps on the cloud without paying.
You should host the server in Heroku ,they offer a free hosting with limits , I have an app there
First, this is not the first time I ask a question related to this problem, but now that we have talked with the network admin guys and we know we absolutely HAVE to get through that proxy, I will ask again the question but with further details.
So here is the deal. We have an application built for Lotus Notes. That application needs to talk with a web service that is located outside the network of our client, but nothing can get out of the network without going through a proxy server. Since the Agent is running on the server, we need to tell the server to go through the proxy first. That can be achieved in Java using the System's properties (http.proxyHost, etc). That being said, I set all the properties related to the proxy settings in my Java Agent, and then I try getting the XML file from the web service. What I get is a connection time out exception. So, I was wondering why? We did a network analysis with WireShark, and the application is not trying to go through the proxy. Here is what it STRANGELY does.
I built the application and set the proxy host to a dummy address, just for the time I get the real proxy address and my credentials. Let's say proxy.mydomain.com
I get my credentials, so I change the proxy config with the real ones, say webproxy.ca.mydomain.net
Nothing works, so we restart the Domino server and do a clearcache, thinking it might be related to this
We did a network analysis with WireShark and the application queries the DNS for this:
proxy.mydomain.com
proxy.mydomain.com.ca.mydomain.com
proxy.mydomain.com.eu.mydomain.com
proxy.mydomain.com.anotherknowdomain.com
And that goes for a while. BUT, I can see it's still using the dummy address. Where does it get it. It's not in notes.ini, it's not in the server's cache, it's not in my source code, it's not in java.properties, it not in the JVM (since we restarted the machine). Any idea? We're at the end of a project and we need this to work to deliver it and preassure is building!!! I searched the WHOLE WEB!!!
One more thing I would say, when I set my properties in java code, I tryied to print them before to see if it was ok and everything is fine...
For your information, even though it was a web proxy going through HTTP, the JVM setting sockProxyHost was set and preceds on the other. That was our problem...
I'm currently writing a Java application to be used with a Windows-Machine authed with an ActiveDirectory. The application basically only needs to know the user's name and hostname. I know there are
System.getProperty("user.name")
and
java.net.InetAddress.getLocalHost().getHostName()
But I am not sure wether System.getProperty("user.name") will function correctly with the VM running on windows (I searched google and found a lot of threads saying it might not work with windows, as it might return something different, depending on the environment-variables
(and I am currently unable to test it [I'm running ubuntu and archLinux]).
So, I wondered if there is a better and more secure way to handle this and stumbled upon NTSystem .
But NTSystem does not seem to be available on Linux (which I use for developing), which - I think - is due to calling native windows code.
My question would hence be: "Is there a secure way to retrieve the logged in user's name in Windows and if yes - how would you accomplish that?"
user.name is inherently insecure because it can be overridden via -Duser.name=XYZ. This might be an issue for you, or it may not be
Obviously NTSystem won't work on Linux but you mention that you are writing a GUI to be run on Windows. Are you trying to validate the Windows user name of the user? You can do this via NTSystem embedded in the code which runs on the Windows client but not (of course) code which runs under the Linux OS.
Or are you trying to validate them on a Linux server? Perhaps you have a kerberos domain you could do this with? (i.e. if there is a kerberos domain, then you can have a secure, authenticated communication between client and server, ensuring that the client is who they say they are)
EDIT: I may be confused by the fact you are saying that you're writing a Java App "in Linux". I took this to mean a Linux server and Windows client - but possibly you just mean that you are using Lenux as your development environment? In this case, you might think of writing a pluggable identification layer which you can switch between using NTSystem on the Windows box and user.name for testing
Use JNA, com.sun.platform.jna.win32 has a number of methods to do this wrapping the Win32 API. Try Advapi32Util.getUserName or Kernel32Util.getUserNameEx.