I have two web apps in one domain. One is written by ruby another is by java. And my rails app is using db session. So there have a "sessions" table in my database. What I want to do is reading the session info from this table in java.
Here is my problem: Rails' sessions table is encrypted. So I can not read it directly from JDBC.
I don't want to write a decrypt code to convert it. Because it's not a good idea to split one logic both in java and rails. So I hope to find a way to cancel the encrypt session data behavior in rails. Does anyone know how to wirte it in rails config file?
Thanks!
The encryption scheme isn't going to change in the Rails code, so it's not a horrible thing to implement the decryption in Java. If you want to take this route, refer to this question. However, if you really want to prevent encryption, it's not well documented, but in config/environment.rb it would probably suffice to make sure that the hash in config.action_controller.session does not contain an entry with the key :secret. Make sure you secure your database with other means though!
Related
I have an APP (Android) and a service made in PHP.
I send information between them and now there is a security problem that I need to encrypt the data very much.
I need to encrypt in java and when I get to the service (PHP) I need to decrypt the content that has arrived.
Is there any native function in JAVA and PHP that already does this?
I found some examples in Google and here in stackoverflow, but nothing that I described in PHP
Ok, 1st if you consider encryption or decryption depends on any specific language or vice-versa, then It's not true. Any encryption/decryption is a concept which available in all languages and surely support by one another.
Now come to your question, as far as I can understand your question, you are looking for approach which encrypt data in JAVA and decrypt same in PHP. Please correct me if I m wrong.
Below I am sharing process/approach which may help you to design/setup your architecture about it.
1) Let's assume you are aming to implement MD5 encryption/description in your application.
2) In java you can achieve all publicly available encryption either inbuilt or by third party jars, just create utility class and create separate bean with required fields, then add required logic in utils class and pass same information to bean.
3) Now Pass that bean data to web-api which is written in PHP (method you prefer get/post), most of the time in PHP it is String only.
4) Inside PHP code pass that information in fashion which describe in below link:
Encp/Decp in php
And in the end just follow below answer, I guess it is bit close to what you are looking for.
Note: I use MD5 just to explain how to setup an architecture and kick-off for base, but in real environment avoid using MD5 as now n-number way available to bypass this one, best use some strong encpy/decpy technique/algorithm like triple DES, RSA, AES etc.
Java and Php relation for encp/decpt
I have created a java daemon program that collects data from social network accounts. I use a lot of services including Flick, S3, GeoCoding, etc. Currently I have the program set up to read all these API keys from a properties file. I also have a similarly formatted properties file in my test folder that contains different keys for testing purposes. These property files are not committed to source obviously. This collection program writes to a mongo db. I am also building a web app that also works with mongo and will be deployed along side the collection. During my development I am reading that it is best to store keys as environment variables on the production side. It got me think; which leads me to my question...
I am wondering if there is a better way to handle these keys in my java program (from a deployment standpoint) or some possible routes that people have tried in doing something similar to this. Can someone shed some light on this?
I would recommend a database. If you are only storing API keys for personal use, then the size of the database isn't probably a major concern. Personally, I would suggest MySQL (or alternatively SQLite) as they are both quite well-supported.
If you encrypt your keys then it shouldn't matter too much where you store your database, although of course I still wouldn't make it openly downloadable. Just pick a good encryption tool and do not try developing your own encryption algorithm!
The latest hotness (in a world of containers) is to use zookeeper, etcd or consul as a distributed configuration store. The confd tool is capable of ensuring that application configuration files are kept in sync with changes to configuration.
My personal preference is Consul which has a similar template tool called consul-template, and another called envconsul if you would prefer your program to consume environment variables.
Finally Hasicorp, the makers of consul, have an encryption product called vault. It works well with consul and is also supported by consul-template.
Is there any way to get the users and passwords created in MongoDB from Java? I am trying to write an encryption utility which will then encrypt the usernames and passwords. I went through the Driver documentation for Java but didn't find anything relevant.
Thanks
Boris
User/password stored in collection of system.users per mongoDB database, just query it as query normal collection. But normally you can't get the original password because it has been converted.
Thanks... That works but as you said the password is stored in encrypted format. I am writing a script that will create the users and the roles and encrypt it and store it in a different collection. So I was thinking of implementing the encryption part as a separate utility, in Java, which can be run after the automated scripts (which are nothing but Mongo shell commands in Javascript) have run. Now i need to figure out a way to invoke the utility at the time of user creation i.e from Javascript or to implement the encryption in Javascript itself. I'll post the solution once i figure it out.
Thanks Again!!!!
I am tasked with writing an application in Java (it is not web hosted, but rather deployed to multiple platforms - this decision is not in my control).
I know Java well enough to do this and MySQL enough to seem clever but is probably dangerous. I am not an expert though which is why I'm here asking for design help with this.
Here are the requirements:
1) The java application will require generic read access to certain tables in a database - This does not need access control
2) The java application will need to be able to modify a few specific tables (not necessarily on the same database - but some are), but only when the user accid matches the rows in that table
3) Due to the nature of the infrastructure the users cannot access the database directly for the read data (though they could for the write data)
How do I give users write access to a table so that they only insert/modify on their account id.
If they have write access to a table they could modify rows that aren't tied to their account id. And while I can set the app to make sure it ties it to their account, if they have write access they can access it outside the app? And if I make a generic write account for the app they could simply view the user/pass in the java code which is as bad?
The infrastructure will not allow me to set up a real server-client communication system (which could handle auth and processing). The the best I can do is background process that only communicates with internal systems. This app will be external. The best I could do is allow the external users access to a database.
I was thinking something like having the app work on a seperate replicated database and then have the background process transfer it to the real one (this doesn't need to be real time so..) but it doesn't solve the inherent security issue with write access.
Is there a way to give users conditional write access to a table (condtiional on their accid matching) wholly within MySQLs security features?
The read data is obviously easy, just open read access to the table. Its the write access I"m not sure about and I'm just hoping I'm missing something.
I appreciate any comment and suggestions. Even if the answer is its not possible.
Thanks.
I'm building a basic webapp that takes in a user input and returns an encrypted password.
Problem is, currently the SecretKey I am using is stored in the src for the Java class. To me, it seems this is risky practice so I'm trying to find a way to safely store my SecretKey.
Doing some research, I found the Java KeyStore class but I'm not entirely sure if this is what I need. Also, if this is what I need, can you guys point me in the direction of how to implement it, and more importantly, how it works?
Thanks
Edit: From doing a lot of thinking/reading it seems like there really isn't a great solution and really a solution isn't needed so long as your main server is secure, which mine will be, so it's not an issue.
Thank you for all the replies! :)
Passwords should be stored using one way hash functions that way your system avoids this problem. See https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
If you are talking about your encryption key, then there is no secure way to store that key safely in JavaScript. I guess the storage you are talking about its the browsers local storage, which is nothing more then a persistent cookie on browser side.
Everybody that uses the chrome WebInspector or Firefox Firebug can easly read this store for any page he is visiting. Furthermore, you would have to save it in this store by JavaScript and as everybody can read your source code in the browser, its even more obvious.
The only possibilty to do such things safely is Server-Sided, like with PHP for example. If you though want the feeling of interactive behaviour, you can use AJAX on clientside to interact with the backend.
EDIT:
Ah, I think I got you wrong as you are talking about Java in Backend? If yes I think there is no Problem when u have the key hardcoded in your compiled sources??? If you want to store it somewhere else and are afraid someone uses it, you could salt and hash it in your application before you use it for key generation (of course the salt is hardcoded then)?