I am currently accepting the parameters login and password in my servlet, but logs are storing this info when using wget (as long as it is GET method, and apache is in the middle)
Instead of this I want to enhance my servlet's authentication accepting:
wget --http-user=login --http-password=password http://myhost/myServlet
How can I read, in my servlet, the server side, the login and the password user is sending, in java code?
Can you not persuade your servlet clients to use POST instead of GET? wget has --post-data and --post-file options which might do what you need it.
wget's --http-user and --http-password options cause it to send HTTP Basic authentication. They are normally used for simple access control enforced by the web server itself, typically mediated by a .htaccess file; you'll have to consult your servlet framework documentation to find out whether that is available to you.
Related
We have Windows Active Directory, where all users are registered and use to login in Windows.
We have an Apache server configured to use LDAP to authenticate users in that Active Directory. It's setup so that, in PHP, all we have to do is call $_SERVER['REMOTE_USER']. Browser verifies user login in Windows and sends this data to Apache, which talks to LDAP to verify authentication. When LDAP authenticates, that code returns user's login, otherwise it returns null.
This way we can safely and easily authenticate users inside PHP and use their AD login to control access to our softwares. Another advantage is that we don't need a login page and not even have to handle passwords in variables: authentication is handled transparently to users and they are automatically logged to our softwares all the time, and their password never comes into our code.
I'd like to do the same thing with Servlet. I see no reason for it not happen if it works with PHP. But I can't find how to do it. I googled but couldn't find anything. Has anybody done something like that and could point me a way?
Standard authentication with login and password is working in Java. If I have domain, login and password, (that in Servlet would come from a login page) I can authenticate any user.
What you're looking to do is plug a SSO provider into your web app. There are several options, you will have to do your own research into what will work best in your environment. You might want to investigate the following security frameworks, which all enable SSO:
Apache Shiro
Spring Security
JCIFS
There are also commercial products like CA SiteMinder that do the same thing.
the HttpServletRequest object you have in the doGet and doPost methods on the servlet has the equivalent of PHP $_SERVER['REMOTE_USER'], it is called getRemoteUser().
Your post is tagged as Tomcat. You could add a "realm" in tomcat to do the Authentication.
I have no idea how you can not prompt for a password unless you are using some sort of SASL plugin to verify the user against LDAP.
$_SERVER['REMOTE_USER'] implies you are using "HTTP Authentication" header which would (AFIK) require a popup for the credentials. Perhaps this is transparent if only using IE against a Windows server.
There is an example of how to configure tomcat
Website is developed on JSF, Servlet.
In my website, I accept data submission from few restricted websites using HTTP POST method. We exchange some secure key to ensure that correct source is sending data.
But is there any way to ensure that the data is submitted from specific domain / IP address only?
In application level I can check
request.header('Referer')
, but some proxy might hide the referer. Can this configuration done on firewall level?
Eg. Say my website is a payment gateway website, integrated with www.abc.com. I want only abc.com to submit data. So a user using abc.com should be able to submit data to my website only through abc.com, and not any other website.
You can use the ServletRequest.getRemoteAddr() method to verify the client or the last proxy.
If you are using an apache server you could use
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
this. So you could specify which all domains can access your application
I have developed myself in the last few months about web development in java (servlets and jsp). I am developing a web server, which is mainly serving for an application. Actually it is running on google app engine. My concern is, although I am using SSL connections, sending parameters in the URL (e.g. https://www.xyz.com/server?password=1234&username=uname) may not be secure. Should I use another way or is it really secure? I don't know if this url is delivered as plaint text as whole (with the parameters)?
Any help would be appreciated!
Everything is encrypted, including the URL and its parameters. You might still avoid them because they might be stored in server-side logs and in the browser history, though.
Your problem seems to go further than Web Server and Google App Engine.
Sending a password through a web form to your server is a very common security issue. See this SO threads:
Is either GET or POST more secure than the other? (meaningly, POST will simply not display the parameter in the URL so this is not enough)
Are https URLs encrypted? (describes something similar to what you intend to do)
The complete HTTP request including the request line is encrypted inside SSL.
Example http request for the above URL which will all be contained within the SSL tunnel:
GET /server?password=1234&username=uname HTTP/1.1
Host: www.xyz.com
...
It is possible though that your application will log the requested URL, as this contains the users password this may not be OK.
Well, apart from the issues to do with logging and visibility of URLs (i.e., what happens before and after the secure communication) both GET and POST are equally secure; there is very little information that is exchanged before the encrypted channel is established, not even the first line of the HTTP protocol. But that doesn't mean you should use GET for this.
The issue is that logging in is changing the state of the server and should not be repeated without the user getting properly notified that this is happening (to prevent surprises with Javascript). The state that is being changed is of the user session information on the server, because what logging in does is associate a verified identity with that session. Because it is a (significant) change of state, the operation should not be done by GET; while you could do it by PUT technically, POST is better because of the non-idempotency assumptions associated with it (which in turn encourages browsers to pop up a warning dialog).
I have a design like that:
There is a core part runs Spring on it with REST.
There is another part which has a Tomcat Server and has just HTML files(not jsp or anything else.) So if I want to change a page at tomcat side there is no need to restart application also design and code part separated. Let's accept that I am listing users at my web side(tomcat side). Then my web side makes a GET request and response comes as JSON. PUT, DELETE and POST happens with same methodology.
I have 2 security problem at this point.
First, When a user wants to see an URL at server side how I will check authorization and authentication? And how can I limit an authorized person to get my web page with a too wget?
Second, How can I hide my REST URLs. For example if a user debugs my JavaScript code he/she will see that I am making a DELETE request to an URL with some parameters so he/she will try to do the same(or can make thousands of GET request to my core server if learns the URL)
Thanks for advices.
Firstly, why do you use Tomcat to serve static files ?
The approach I would take is this one:
use a static server to serve static files (apache, lighttpd, nginx).
This server will do authN and authZ (using an LDAP directory e.g. or any other suitable auth backend).
AuthN is done using scheme like Http Basic + SSL, Http Digest, WebID, ...
This is a solution to your 1st problem
Configure the static server to reverse proxy your app server and use the same auth rules.
URI are not "hidden", but they are no more accessible to anyone. Since the user is already authenticated to the static page, no auth should be necessary to request "rest uri".
I have a servlet hosted in the glassfish server. i want to communicate with it using telnet to understand what is going on behind the scenes when using html form get method.
What should i give in the Host field of the HTTP request?
Get /WebApplication1/NServlet HTTP/1.1
Host: localhost
If i want to send custom properties in the HTTP request as below, is it possible to extract their value using request.getAttribute() method.
Get /WebApplication1/NServlet HTTP/1.1
Host: localhost
Custom-Attribute: xyz
Another doubt is that is javax.servlet package not a part of java SE sdk. i had to install java ee to get it running.
The Host field is just the hostname part of the URL, e.g. Host: google.com for http://google.com/
Custom-Attribute: xyz would be exposed in the HttpServletRequest using getHeader(), not getAttribute().
If you want to use HTTP for your protocol (as you've suggested in your comments), check out HttpClient. As the name suggests, it's the client-side of the client/server HTTP implementation, and it should be relatively easy to determine what to set on the client side such that you see it on the server.
There's a great tutorial here. I would perhaps get a simple page working in the servlet first, and check it via the browser, and then implement the client side.
Based on your question, I don't there's enough information for anyone to answer you. Tomcat/Jetty/etc are basically web servers that contain servlets (and therefore JSP/JSF/Wicket etc etc) processors for dynamically generating content.
So, what is it you're trying to figure out, and why?