I am designing an enterprise security server for our company - we own many different applications, most written in java and a few written in PHP. I could provide a remote API that would give each application access to the server. I could also create 'agents' that each application could include that would do all the work for them, but allow my server control over their sessions and thus their authentications/authorizations. Issue is I would probably be better to write the agent in java because 80% or more of our apps are in java.
If I wrote the agent in java does anyone know if there was a way this program could access the php session? If not does anyone have a suggestion regarding a better way to go about doing this?
The session data is stored as a (php) serialized array in a temporary folder. The locations for these are set in the php.ini file.
But you can change both the format of the data and the place it is stored (e.g. to a database or shared memory or somewhere else) by writing your own handler.
A quick google suggests that several people have written [de]serializers in Java for PHP data. e.g. http://hurring.com/scott/code/java/serialize/
If you have problems with the built-in PHP serialize function - have a google for WDDX (which IIRC comes as standard) and serializes data into XML.
You might want to think about how you keep the session data appearing to be active to PHP if you want the agent to continue independently of the web session.
C.
You can hook into PHP's session handling using session_set_save_handler() (an example for a simple but complete custom handler is included in the manual). You should be able to synchronize PHP's session management with a central Java server that way.
Your PHP application would receive a session ID through a cookie ($_COOKIE["SESSION_ID"] or whatever).
Your custom session_save_handler would, instead of maintaining a session store of its own, pass that session ID to your central Java-based security server, and get all the session data in return. Writing into a session from PHP would be routed the same way.
You could of course also go the other way, and poll PHP's internal session data from the outside, but wouldn't quite understand what exactly for. If that is the case, can you go into more detail there?
Related
I want to create a webpage where a user sets up a profile via a form; form data is sent to my server and creates requisite nodes in neo4j. I want to do this in a way that does as much as possible to prevent people arbitrarily sending commands to my server outside of the form, such as via chrome or any other injection method.
I expect that I will need to utilize the REST API to connect with neo4j via java. It also seems like I will need to use Jersey to allow the site to communicate with the neo4j REST API. I am new to securing data being transferred from the client to server and to validating data received by the server to ensure I am not sending commands to neo4j that shouldn't have been sent, and which could cause all sorts of damage to my members. I am also new to utilizing graph databases and neo4j in general.
Can someone give me a step by step example of how to basically accomplish this task? I am looking to find out what tools I need to install, and what types of commands I should include both on the client and on the server side to ensure that I am only passing correct data to neo4j when creating/deleting/modifying nodes and relationships.
Thanks for any help that anyone is willing to provide - getting past this hump will allow me to move so much more quickly with the rest of my development.
I guess the most easy way to prevent others from accessing your neo4j instance is using Neo4j authentication example. Just follow the docs on the start page. Additionally you might set up some IP address filtering using e.g. iptables on linux to restrict network access to your Java client machine.
With authentication extensions installed, you need to supply username/password with each request. The most easy way to communicate with Neo4j from a Java client these days is using the Neo4j JDBC driver.
I'm developing an app for Android which needs data of my server. My doubt is:
Is it safe to make a query from android to mysql?
Because... I was thinking to obtain a JSON with a PHP file, but I believe this is slower method. So, now i'm trying to make a query to mysql server without any PHP file, putting the password and the user of data base in the android project.
I need to know if someone could decompile my app and see my credentials in java files.
Are there other methods?
More than "safe", there's not a native way to send data from Android to a MySQL server. The correct way is implementing a web-service that receives the query (for instance, via HTTP POST), then handles it, connects to the local (or remote) database and executes the requested query (and possibly returns the result if needed).
As far as security goes, this seems to be a totally different question, but in this kind of architecture it seems that a Asymmetric encryption algorithm is what best fits this kind of transactions, as you can hardcode/download each time you need the public key for encrypting messages and they'll be only decrypted by the server side using the private key.
Hardcoding credentials into your app is pretty much a bad idea, because if someone who has some knowledge about this subject, will try crack you app, and if your app manages some financial sensitive data, they actually will try triplify efforts.
How to securely share key between two remote devices?
How dangerous might be publishing a public key?
You should be aware that people can always get the db user and password from the application. This allows them to login and drop your tables in the database.
Therefore creating a small web service that will do it for you gives you more security, since you can decide what operations is allowed to perform to the database.
Using a RESTful (in your case)PHP framework is the way to go. You can then use data from JSON or XML in your application. This way is definitely not slower. You can use this framework:
http://www.slimframework.com/
Or whatever your are using right now.
I'm working on a project which involves writing web services on mainframe enviroment.We are going to be provided a test enviroment on which we can do development and see the inital results. That process is taking a lot of time and I wanted to see if I can simulate some of the parts that I've to do.
Finally I've to get web services talking with mainframes which would have webservice talking with DB2 and IMS segments. I've never worked with mainframes before and I wanted to know how can I create mocks for IMS segment which then my webservice can read and update to. I would appreciate any insights into this
I've done the mainframe side of POX and SOAP web services in CICS. (CICS can access both DB2 and IMS) The thing that seems to surprise the distributed folks is the tag names. They tend to be generated from language structures, so they look like (in our case) COBOL variable names.
Other than that, the SOAP looks like what the WSDL says it should, the POX looks like POX.
If you've got a schema, work from that. Don't worry about the fact that it's a mainframe or that the data is stored in IMS or DB2, write to the specification.
You might want to ask about authentication mechanisms, as this is another stumbling block regardless of platform. Generally people are nervous about unauthenticated access to their business systems, even if that access is coming from another part of the same organization. No one wants to have created an exploitable hole in their security.
In our case, using CICS, we required a logon ID and password for each transaction - http basic authentication as per RFC 2617. Depending on your policies and procedures, that password may be required to expire on a regular basis. Some organizations allow non-expiring IDs, some don't.
An option we looked at but did not implement was SSL certificates. CICS allows one to send a certificate along with a request and then CICS matches the certificate to a logon ID under whose auspices the rest of the transaction runs. The ID is authenticated by virtue of the certificate. This is done in the TCPIPSERVICE definition in CICS.
I realize I'm going on about CICS and you didn't even mention it in your question, but I have to believe you're going to run into similar concepts/issues. IMS also does web services, and I seem to remember there being a mechanism to expose a DB2 stored procedure as a web service. IMS, DB2, and CICS all use the same external security manager behind the scenes.
I want to make a web based Java application that reads an LDAP compliant directory and creates a record in a database for each user and group in the directory.
How can i go about it?
I've used the Spring LDAP module to interact with directories. It works very well, same as all Spring code. You would use whatever relational database technology you wish to write to the database. If you're already using Spring, this won't be difficult. In this case you'd create a connection to an LDAP to read the data and another to the database to write it.
But there's a question here that's worth asking: Why do you feel like you need to duplicate the data? The DRY principle would discourage you from doing so. Wouldn't it be better to have all the information in one place or the other?
I don't see how being web-based will affect things, so long as the web server has access to the LDAP directory - you'd use classes under javax.naming.
If you want to access a directory which the browser has access to but not the web server, you'll need to write code to run on the client instead - possible a JNLP application with appropriate access to make network connections.
The general API for talking to directory services (including LDAP) in Java is JNDI (javax.naming).
The official documentation for LDAP is rubbish, but there's a good tutorial on JavaWorld here.
Hey, I am in a WTF code situation working on a jsp tomcat server and trying to pass session data (user id, etc.) to php. i am planning to rewrite php session handling with session_set_save_handler()
my question is where does tomcat stores it session data (harddrive?) and what kind of encoding does it uses?
or am i on the wrong path?
i know the idea of mashing php and jsp is stupid just got this assignment and i am pissed too.
Try to avoid sessions between different systems. You can't really share sessions between PHP and Java because,
They run under different processes, maybe different machines. There is no shared memory.
Their session data structures are totally different.
The serialization is not compatible.
Different cookie flavors, "PHPSESSID" vs. "JSESSIONID".
You pretty much have to do session management yourself to share sessions. It's pretty complicated. Following are the components you have to write,
Setup a common session store, like a DB or memcached. The session is stored as big blob.
Design a common session data structures. I just use name-values pairs. The same name must be used on both systems and the values must be string (UTF-8).
Use a common serialization. I would go with PHP's session_encode(), which is fairly easy to handle on Java.
Handle your own session cookie.
You could try using database driven sessions to solve this issue. Assuming that tomcat and apache have the same session hashes, it may be possible to transfer them across servers? You need to look in the tomcat config file and it SHOULD be under something prefixed with session. That is where I would start. Typically, on an Ubuntu linux server it would be under something like /etc/apache2/apache2.conf.
I hope this helps and good luck!
Kyle
I believe the default session manager for Tomcat will store session data in a SESSIONS.ser files in the "work" directory for your application.
You may want to create and configure your own session manager: http://tomcat.apache.org/tomcat-5.5-doc/config/manager.html