I'm working with a SOAP application in Java. A new API was added to the server that wants login credentials and returns a guid which is used in queries to the server. Unfortunately, the sample code was in Perl and I'm having trouble translating it to java:
my $client = SOAP::Lite->service("$URL/webservices.php?wsdl")->newSession("$USER", "$PASSWORD");
my $result = SOAP::Lite->service("$URL/webservices.php?wsdl")->getMyData($client->{'guid'});
I can barely read the Perl here, but I take it there's some sort of "newSession" protocol to SOAP that returns some sort of client object that contains a guid token.
Is there an equivalent to newSession in javax.xml.soap? I'm working with a pre-existing application, so switching to a different SOAP client api would not be easy.
Related
I am working on Google Sheets <-> Salesforce integration and developing it in Salesforce programming language - Apex on Force.com platform.
Currently I am attempting to connect to Google Sheets API. I am using Service Account Key, so Salesforce can pull the data from Google Sheets without the requirement for manual authorisation every time it sends out a query.
I am at the point where I set up the Service Account Key and I am successfully sending a request to it to obtain the access_code.
Then I am attempting to query the API, using the following class:
/****** API CALLOUT *******/
public static HttpResponse googleSheetsCallout (){
//the below line provides a string containing access token to google
string accessCode = getAccessToken();
//I found this endpoint structure online, this may be why my script
//isn't working. However, I am struggling to find the alternative.
string endpoint = 'https://sheets.googleapis.com/v4/spreadsheets/params=[SPREADSHEET ID GOES HERE]/values/[RANGE GOES HERE]?access_token=';
httpRequest req = new httpRequest();
req.setEndpoint(endpoint+accessCode);
req.setMethod('GET');
req.setTimeout(120000);
httpResponse res = new http().send(req);
System.debug ('res is ' +res);
return res;
}
When I run the function this is what the log returns:
|CALLOUT_RESPONSE|[71]|System.HttpResponse[Status=Forbidden, StatusCode=403]
|USER_DEBUG|[72]|DEBUG|res is System.HttpResponse[Status=Forbidden, StatusCode=403]
I enabled Google Sheets access in the google developer console menu, and what's interesting is when loking at the console it appears that Google notices API requests being sent out (they are appearing on the activity chart).
I solved it, and the issue was not the code itself.
The problem was sharing my sheet. To allow read/edit access to your sheet from the service account it must be shared with the Service Account ID email address, the same way it's shared with any other user. If this isn't done the script will produce 403 error.
I have Java client running on Windows machine that calls remote EJB
on JBoss EAP/Wildfly running on Linux machine.
I use Kerberos to achieve SSO. Java client verifies the user against Windows domain
and pass his identity within EJB call to the JBoss server.
I started with JAAS and the builtin com.sun.security.auth.module.Krb5LoginModule.
It works correctly except one thing: user has to type his username and password
again. So, it is not a real SSO.
The problem is that Windows prohibits to export kerberos session key from its LSA credential cache.
It can be fixed by setting a specific Windows registry key on each client machine - but this is not acceptable for the customer.
Therefore I am trying to find an alternative solution.
I learned that Windows provides SSPI that shall be interoperable with GSSAPI used by Java. I use Waffle library to access SSPI from Java on the client. On the server I keep using JAAS, because it runs on Linux so I cannot use Waffle there.
I also learned that I don't need to implement LoginModule, rather I need SASL client.
So, I had a look how com.sun.security.sasl.gsskerb.GssKrb5Client works and I am trying to reimplement it using Waffle.
First step seems to work correctly - I obtain SSPI security context from Waffle,
then get the initial token and send it to the server.
The server accepts the token and respond with its own token.
And now the problem comes. In the original SASL client the 'unwrap' operation is
used to extract data from the server token, and 'wrap' operation is used to create
reply token to be sent to server.
GSSAPI wrap / unwrap operations shall correspond to SSPI EncryptMessage / DecryptMessage
operations according to Microsoft doc. This two methods are not available in Waflle, but are available
in NetAccountClient library.
However, I am not able to use them correctly. If I use a single SECBUFFER_STREAM then the DecryptMessage
is succesfull, however the data part of the token is not extracted and I don't know how to determine
the offset where it begins.
If I use SECBUFFER_STREAM and SECBUFFER_DATA as suggested by Microsoft docs, then I get an error:
com.sun.jna.platform.win32.Win32Exception: The message or signature supplied for verification has been altered
I also tried other combinations of SECBUFFER types as suggested elsewhere, but without success.
Any idea what am I doing wrong ?
To source code of unwrap method:
public byte[] unwrap(byte[] wrapper) throws LoginException {
Sspi.SecBuffer.ByReference inBuffer = new Sspi.SecBuffer.ByReference(Secur32Ext.SECBUFFER_STREAM, wrapper);
Sspi.SecBuffer.ByReference buffer = new Sspi.SecBuffer.ByReference();
buffer.BufferType = Sspi.SECBUFFER_DATA;
Secur32Ext.SecBufferDesc2 buffers = new Secur32Ext.SecBufferDesc2(inBuffer, buffer);
NativeLongByReference pfQOP = new NativeLongByReference();
int responseCode = Secur32Ext.INSTANCE.DecryptMessage(secCtx.getHandle(), buffers, new NativeLong(1), pfQOP);
if (responseCode != W32Errors.SEC_E_OK) {
throw handleError(responseCode);
}
byte[] data = buffer.getBytes();
return data;
}
A common SO question, but no specific solid answers.
My setup:
I have a website running on Classic ASP with backed DB. Unfortunately, no SSL Certs are available
I have an Android application that will send a Google Volley to request data from the site using a bespoke but simple API
Currently:
I am still in testing, privately, so currently I just access the site as such:
On the app, the user enters a UserId and Password once.
User navigates to a Fragment which is associated with a specific ASP Page which will return some data
A Volley is sent to /mysite.com/_api/apage.asp?m=md5hashhereabcdefghijk
The server searches user records for a matching hash (built on UserID+SALT+pass). On matching record, it uses the found userid as the User's ID
apage.asp does some sql queries and returns a JSON object
app receives this JSON response and parses.
The problem:
Anyone packet sniffing, or MITM, would be able to plainly see the URLs being accessed (and server responses) and be able to replicate the query via their browser. This is what I'm trying to stop. Any SALTs or secret keys in the app would be easily seen by decompiling the APK.
Issues:
I've read all sorts of different solutions, but none of which really fit my environment. I can't use ASP session variables (RESTful being stateless), I cant use HTTPS(SSL/TLS) as there are no Certs on the Server. I can't use an App-based password as this can be decompiled and easily seen.
I appreciate that you will never get something 100% secure, but can only make people disinterested in hacking a system, or not make it worth while.
Proposed solution:
I want some feedback/thoughts on the following proposed method:
Each request will have its own handshake to authenticate the app
This will go as such:
User opens app for the first time and enters UserID/Password. This will remain with the app until it is uninstalled (or logged out), but I intend to keep the user's app logged in
User navigates in the app to a Fragment that corresponds with a specific page on the server
Volley is sent with :
UserAgent HTTP header 'some value'
generate the same authentication hash for (userid+salt+pass)
encrypt this hash with a public key
one query string /apage.asp?q=abcdefghijk.... sent to server
server decrypts using its private key
server checks this hash as I do currently.
page returns plaintext JSON values (not encrypted)
The same problem happens here whereby a MITM or sniffer could replicate the URL and get the same information back
A Second Proposed Solution:
Would it be better with every request actually starting with a whole handshake?
App sends volley to server requesting a handshake (HELO)
Server gross error check with UserAgent HTTP Header
Server logs the timestamp and IP of the request and generates a unique random code
App receives this code and builds a new hash using that unique code as a Salt
App sends second volley to /apage.asp?m=MD5(UserID+UniqueCode+Password)
Server Gross error check with originating IP, timestamp+-tolerance (30 seconds between the two requests?), UserAgent Request Header.
APage.asp uses this hash to authenticate the request, providing previous steps have successfully passed.
APage.asp returns a JSON object, as requested.
Server flags the log of originating IP/timestamp as EXPIRED, or, just remove the record.
This initial step would make it a lot harder for a sniffer or MITM to replicate the URL calls, as A) Each request would have a randomly returned code B) each code/hash combo can only be used once.
The only thing I can think of is someone decompiles the App, and sees the method of handshake, so could try to replicate this. However, the username/password hash would never match as that is the only thing they cannot get from the hash (as it is salted with the random code)
Thoughts? Could it be improved with some RSA public/private key cryptography? Could I generate my querystring apage.asp?m=abcdeghi..., Generate an MD5 Hash of that, append onto the end, then encrypt before sending?
Many thanks in advance
I am calling a restful web service written in java from java script page and from restful web service i am returning J SON data. how can i encrypt the j son data in java so that no one can see the data using firebug and again i need to decrypt the data in java script page.
Somewhere i read about b son but i couldn't get much info about this.
Is there any way to do this.
Thanks in advance.
i am making ajax call from java script like this...
$.post(url,{cache: false, "_": $.now() },function(){
// code
}, "json");
and from server i am returning json data like this
objectmapper.writeValueAsString("String data");
Regardless of which encryption you use between the client and the server, there must be a point for the client where the data can be read. That is in the browser, which is exposed to javascript, and therefore to Firebug.
Bson is bynary Json (http://bsonspec.org/), and, unless javascript reads and writes the stream by itself (without parsing it into a clear text object), you would fall into the same problem.
I'm building a server to test all my in-app purchases of Android market. But I don't think that I'm sending the information from the app correctly. My server is built in PHP.
My app access the url:
...&response={...json...}&signature={...signature...}
The signature is previously encoded with URLEncoder.encode(signature,"UTF-8")
My server:
$response = $_GET["response"];
$signature = htmlspecialchars(urldecode($_GET["signature"]));
And then I execute the verification process. I think the problem comes from the way that I'm passing the arguments from the app to server, because if I copy the response and signature manually and test them, the verification function says that they are valid.
URL:
...&response={"nonce":-871647007848398655,"orders":[{"orderId":"768142460571407","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.flyboys","purchaseTime":1330090436000,"purchaseState":0,"developerPayload":"Flyboys"},{"orderId":"203523162686707","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.16blocks","purchaseTime":1330511533000,"purchaseState":0,"developerPayload":"16 Blocks"},{"orderId":"328483664834399","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.aceventura3","purchaseTime":1331037005000,"purchaseState":0,"developerPayload":"Ace Ventura 3"}]}&signature=EyT9IgZeq2OLRqCtabTIc5wOKARtdHUfCQAdkEqkGyi%2Bd1qQgcfxPnvIa9VMDQqwh8rxxGPOYQKuhaEuZUJzbSain8%2FN7p41euzb1n1%2FgZkgqXlQTDn076U2AXcp1ymBFZamrwETo0gkZi4q6PZV47oR7Rk28vPU5vjs%2Bl0TN0DdlzclHuH40CkZqD1ErSMMwWGTGR6bGnJlmmhgHC2KV7Ab63i0hdgkqk5MOtkOxhjS%2B4LG1YxmJIsxhJnOcmNI7n2VKUdtn%2B0CWxO5M8m0BcfpZ9Se3sR6ZtVli2rS1KSKQPL1Td9GWPhmG4nvzZFtKCqf9Le6Meudv6iFTSw5Hg%3D%3D
Vardump
Response
string
'{"nonce":-871647007848398655,"orders":[{"orderId":"768142460571407","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.flyboys","purchaseTime":1330090436000,"purchaseState":0,"developerPayload":"Flyboys"},{"orderId":"203523162686707","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.16blocks","purchaseTime":1330511533000,"purchaseState":0,"developerPayload":"16
Blocks"},{"orderId":"328483664834399","packageName":"net.xxx.aaa","productId":"net.xxx'...
(length=617)
Signature
string 'EyT9IgZeq2OLRqCtabTIc5wOKARtdHUfCQAdkEqkGyi
d1qQgcfxPnvIa9VMDQqwh8rxxGPOYQKuhaEuZUJzbSain8/N7p41euzb1n1/gZkgqXlQTDn076U2AXcp1ymBFZamrwETo0gkZi4q6PZV47oR7Rk28vPU5vjs
l0TN0DdlzclHuH40CkZqD1ErSMMwWGTGR6bGnJlmmhgHC2KV7Ab63i0hdgkqk5MOtkOxhjS
4LG1YxmJIsxhJnOcmNI7n2VKUdtn
0CWxO5M8m0BcfpZ9Se3sR6ZtVli2rS1KSKQPL1Td9GWPhmG4nvzZFtKCqf9Le6Meudv6iFTSw5Hg=='
(length=344)
When using URL Encode php will automatic decode data so if your re-decoding it it's going to break something, I have had this problem before
URL encoding is for the browser so stuff like & in a string sent though get does not act as new parameter in GET
so for you code htmlspecialchars(urldecode($_GET["signature"])); should be htmlspecialchars($_GET["signature"]);
I know this has been answered by comments but Added answer for Googlers