Domino server 7.0.3FP1 Proxy settings with java agent - java

First, this is not the first time I have asked a question related to this problem, but now that we have talked with the network admin guys and we know we absolutely HAVE to get through that proxy, I will ask the question again with further details.
So here is the deal. We have an application built for Lotus Notes. That application needs to talk with a web service that is located outside the network of our client, but nothing can get out of the network without going through a proxy server. Since the Agent is running on the server, we need to tell the server to go through the proxy first. That can be achieved in Java using the System's properties (http.proxyHost, etc). That being said, I set all the properties related to the proxy settings in my Java Agent, and then I try getting the XML file from the web service. What I get is a connection time out exception. So, I was wondering why? We did a network analysis with WireShark, and the application is not trying to go through the proxy. Here is what it STRANGELY does.
I built the application and set the proxy host to a dummy address, just until I get the real proxy address and my credentials. Let's say proxy.mydomain.com
I get my credentials, so I change the proxy config with the real ones, say webproxy.ca.mydomain.net
Nothing works, so we restart the Domino server and do a clearcache, thinking it might be related to this
We did a network analysis with WireShark and the application queries the DNS for this:
proxy.mydomain.com
proxy.mydomain.com.ca.mydomain.com
proxy.mydomain.com.eu.mydomain.com
proxy.mydomain.com.anotherknowdomain.com
And that goes on for a while. BUT, I can see it's still using the dummy address. Where does it get it? It's not in notes.ini, it's not in the server's cache, it's not in my source code, it's not in java.properties, it's not in the JVM (since we restarted the machine). Any idea? We're at the end of a project and we need this to work to deliver it, and pressure is building!!! I searched the WHOLE WEB!!!
One more thing I would say: when I set my properties in Java code, I tried to print them beforehand to see if they were OK, and everything is fine...

For your information, even though it was a web proxy going through HTTP, the JVM setting socksProxyHost was set and takes precedence over the other. That was our problem...
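A diagnostic for the situation described in the answer above, as an added example that is not from the original posts: it lists the JVM's proxy-related system properties and asks the default `ProxySelector` which proxy it would actually use for a URL. It assumes Java 5 or later (where `java.net.ProxySelector` exists); the class name and the URL are placeholders.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

public class ProxyAudit {
    // Standard JVM networking properties that influence proxy selection.
    static final String[] KEYS = {
        "http.proxyHost", "http.proxyPort", "http.nonProxyHosts",
        "https.proxyHost", "https.proxyPort",
        "socksProxyHost", "socksProxyPort", "java.net.useSystemProxies"
    };

    /** Returns "key=value" for every proxy-related property that is set. */
    static List<String> setProperties() {
        List<String> out = new ArrayList<String>();
        for (String k : KEYS) {
            String v = System.getProperty(k);
            if (v != null) out.add(k + "=" + v);
        }
        return out;
    }

    /** Asks the JVM's default ProxySelector what it would use for this URL. */
    static List<Proxy> resolve(String url) {
        return ProxySelector.getDefault().select(URI.create(url));
    }

    public static void main(String[] args) {
        // Placeholder endpoint (assumption); pass the real URL as args[0].
        String url = args.length > 0 ? args[0] : "http://service.example.com/data.xml";
        for (String p : setProperties()) System.out.println("set:      " + p);
        for (Proxy p : resolve(url)) {
            String where = p.type() == Proxy.Type.DIRECT ? "(no proxy)" : String.valueOf(p.address());
            System.out.println("selected: " + p.type() + " " + where);
        }
        // Two proxy families configured at once is the situation to investigate.
        if (System.getProperty("socksProxyHost") != null
                && System.getProperty("http.proxyHost") != null) {
            System.out.println("warning:  socksProxyHost and http.proxyHost are both set");
        }
    }
}
```

Run it inside the same JVM as the failing code, since system properties are process-wide and may have been set by launch options or by other code rather than by the agent itself.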

Related

Change of IP address has stopped OWASP CSRF from triggering

We are using the owasp csrf tool in our application. It is quite an old java8 / Tomcat application but this aspect has worked without a problem for a long time. We have 3 environments -
dev - local machine
test - runs on remote servers as production
production - runs on remote servers
We recently changed the ip address of the test server and the OWASP protection no longer seems to trigger on this environment. I don't believe there is anything in the code base to cause this change as it still works on dev. I have checked and there is no hard coded reference to the old ip address in the code.
The token is still being injected into the form on test, and changes between initial set up and 2nd logon & submit.
The owasp_csrf.js file is still active as I put some alerts in there to check and they fire (I noticed on dev our warning message appears before the alerts so I don't think this is where the main part of the token checking is happening).
Everything seems to work as expected except the csrf check doesn't seem to fire.
So, my test is
log in and enter data into a data entry form
log out before submitting
log back in (different user, although this isn't necessary on production)
use back button to get to previous filled in form and submit
on test this allows submission (on dev and production it triggers csrf alert).
I don't think this has been tested on test for a while but I know it has been in the past. I believe the only significant difference is the IP address change but I can't find anywhere in the code base or Tomcat configs where this looks relevant. (I've double checked the hosts files and rebooted in case any aspect of (linux) server setup had missed the ip change).
Apologies if this is a little vague but I wondered if anyone had any ideas about where the ip address may be relevant to the OWASP csrf setup?

Extern access to a Java EE webapp

When developing a Java EE 7 webapp (Win8, eclipse Kepler, JBoss Tools 4.1.1, wildfly8.0CR) I can use the application at localhost:8080/app/
But I wonder what to do, if I want an extern access to that app, e.g. from my other PC. What configuration is needed, or do you need a "real" server for such a purpose?
Thanks in advance
How public do you want your website to be?
If you want to access it from another computer on the same network (for example your home network) you need to adjust your network and firewall settings so that you would have access from one computer to another on the same network. Then if on the computer that contains the app you would access it for example http://localhost:8080/myapp then on another network you would access it http://ip-of-the-computer-that-contains-the-app:8080/.
If you would like to access it from outside the local network then the process is the same, but a static IP would be recommended for the computer that contains the app.
If you would like the general public to use the app, then hosting it from your PC may not be such a good idea and some kind of server solution is advisable. There are lots of different cloud solutions like http://aws.amazon.com/ec2/ or https://developers.google.com/appengine/ that would provide enough flexibility for the majority of apps. Or you could of course have your own server hardware, but this can turn out to be much more expensive to keep stable and secure.
For a quick-and-dirty solution you can choose the "Enable remote access" option on the server (double click the server, and you should see a check box in the server editor).
This will tell the server to start listening on all network interfaces and not just the local one.
btw. we only listen on local network interface by default for security reasons since we don't want you to unintentionally get hacked if a vulnerability is found and used by someone malicious.

Launching test SMTP server from ColdFusion

We are in the process of creating a training mode for our ColdFusion (9) sites.
The system will allow our users, after logging in, to switch from production mode to training mode by clicking on a link.
When they switch, the data-sources will be switched allowing the data to be safely modified.
We are also going to implement a test SMTP server, using the SubEthaSMTP Java project, in order to capture the emails that are sent from the training mode and display them to the user in a web page.
We can launch the SMTP server as a stand alone process or service without much trouble.
The nicer solution would be to launch the server as part of the ColdFusion runtime at the point that the user switches to training mode.
We would create a true Java thread that would persist on a Server level scope for the length of any training sessions and then some arbitrary time out period. If the server times out and a new training session is initiated we would initiate a new SMTP server.
My essential question is, therefore, is it a bad idea to run an ongoing thread in the ColdFusion runtime this way?
I can't see a problem with doing this, although you ought to test to see what resources SubEthaSMTP uses and make sure it's not going to cause you issues. It looks to have minimal dependencies (essentially just SLF4J, which ColdFusion 9 & 10 already provide)
From the example page it looks to be pretty easy to set up and drop into a long-running scope. I think you're right to pick the server scope, as you may have problems using application or anything more volatile, as there'll be a situation where application scope would time out and be reset, but you'd lose all references to the Mail Server instance.
Please update the post with your findings, as I'd be interested in seeing what you find.

How do I force Java applications to log onto a network proxy?

I am attempting to run a Java application (specifically Minecraft) at my school on a mac computer. I wish to play online on my personal server, however the way the network is set up here the only way to access the internet is to enter network user/pass (The school uses a websense filter). Each student has one, and when you open a browser window a prompt will automatically ask me for it. The same user/pass is used to log into the machine, and some software will simply pick it up and go online without entering it a second time (ex. Safari just connects, Chrome however prompts for the user/pass).
Java applications however seem to be a mixed bag, some will connect, some will not. However none of them prompt me for the user/pass to the network.
So is there any way to force (possibly through command line?) a Java application to log into the network?
Or is there possibly some other problem here?
You can set the proxy at the command line. This should help you: How do I set the proxy to be used by the JVM
In case you can't use your proxy directly you might try and install a local proxy such as CNTLM that connects to your network proxy and authenticates using the credentials you provide. The application would then not have to provide credentials. However, you'd have to provide your network credentials to CNTLM and thus should not forget to remove them when you are done.

How to invoke a remote program in Java?

Is it possible to invoke an exe on a remote computer, supposing we know the absolute path of the exe where it lies?
I have written a client and a server program and am able to get both to work as expected when both are running. But now, all I want to do is to invoke the server program from the client if the server is not running. Seems like defeating the purpose of the server-client model but still.
If that is possible without knowing the login credentials of the remote system, then it'd be cool. Eg: There is software like 'PsExec' that needs login credentials.
I understand that such a feature may not be there, as it would mean a serious security threat, but I am just wondering if there is some sort of a workaround.
If that is possible without knowing the login credentials of the remote system, then it'd be cool. Eg: There is software like 'PsExec' that needs login credentials.
I understand that such a feature may not be there, as it would mean a serious security threat, but I am just wondering if there is some sort of a workaround.
Those "inconvenient" security rules are there for a purpose. You simply do not want people to be able to run any old program on your machine without proper authentication and authorization. Not even if you are behind a firewall.
Why?
In one word - Viruses! If some machine on your network gets infected with a virus (or similar malware), then all machines that run a non-authenticated remote execute service would be at serious risk of infection.
Try Gridserver technologies... it's based on grid technology and very efficient and easily deployable.
You could setup a messaging system like a remote procedure call, webservice, or simple tcp socket on the server to do a wake up on the server process.
The only way you can execute an exe is by executing a local application which you have access to. There must be a part of the software running on the computer you want to execute an application on. From there, you can do a remote call from a second program on a remote machine asking the local one to do its job: execute.
As Stephen C said, it would be a violent breach of security if I could run an exe on your machine without your permission.
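The approach in the answers above, as an added example that is not from the original posts: a small agent running on the server machine that starts one fixed program, and only for a client that proves knowledge of a shared key through an HMAC challenge-response. The class name, port 9099, the `WAKE_KEY` environment variable and the program path are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class WakeUpAgent {
    // Hypothetical fixed command: the agent starts this program and nothing else.
    static final String[] SERVER_CMD = {"java", "-jar", "/opt/myapp/server.jar"};

    static byte[] hmac(byte[] key, byte[] msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg);
    }

    /** True only if the reply is HMAC-SHA256(key, nonce), compared in constant time. */
    static boolean verify(byte[] key, byte[] nonce, String replyB64) throws Exception {
        if (replyB64 == null) return false;
        try {
            return MessageDigest.isEqual(hmac(key, nonce), Base64.getDecoder().decode(replyB64.trim()));
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = System.getenv("WAKE_KEY").getBytes(StandardCharsets.UTF_8); // shared secret
        SecureRandom rng = new SecureRandom();
        Process child = null;
        try (ServerSocket listener = new ServerSocket(9099)) {   // port is an assumption
            while (true) {
                try (Socket s = listener.accept()) {
                    s.setSoTimeout(5000);
                    byte[] nonce = new byte[16];
                    rng.nextBytes(nonce);                         // fresh challenge per connection
                    PrintWriter out = new PrintWriter(new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8), true);
                    BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
                    out.println(Base64.getEncoder().encodeToString(nonce));
                    if (!verify(key, nonce, in.readLine())) { out.println("DENIED"); continue; }
                    if (child == null || !child.isAlive()) child = new ProcessBuilder(SERVER_CMD).inheritIO().start();
                    out.println("OK");
                } catch (IOException dropped) { /* bad or slow client: keep listening */ }
            }
        }
    }
}
```

The client reads the Base64 nonce, replies with the Base64 HMAC-SHA256 of the decoded nonce under the same key, and never gets to choose what is executed.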
