securing applet parameters

 
Greenhorn
Posts: 18
Hi,
I need access to my web application session from an applet, but I don't think this is possible (correct me if I am wrong here), so...

I want to pass a user id to the applet as a parameter, but I am worried that a user might be able to change the applet parameter and resubmit the request, getting another user's data.

Is this something I should be worrying about?
Can I hash the parameter value?

I'm using Struts.
Thanks.
 
Rancher
Posts: 4686
Never trust anything from the browser. You can't trust it.

Much better to send an HMAC of the user and a timestamp, encoded in hex or base64.

Store the HMAC on your server in a HashMap and only continue if the value from the browser is known to you.

Expire them after a suitable time.
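The scheme above (HMAC over user id and timestamp, base64-encoded, remembered in a server-side map, expired after a while) written out as an added Java example; this is not code from the thread, and the class, method names and the 5-minute lifetime are my own assumptions:

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Issues and checks short-lived applet tokens on the server (hypothetical class, not from the thread). */
public class AppletTokenService {
    private static final long TTL_MILLIS = 5 * 60 * 1000L;   // assumed lifetime: 5 minutes

    private static final class Entry {
        final String userId; final long expiresAt;
        Entry(String userId, long expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    private final byte[] key;                                // HMAC secret; never leaves the server
    private final Map<String, Entry> issued = new ConcurrentHashMap<>();

    public AppletTokenService(byte[] key) { this.key = key.clone(); }

    private String hmacBase64(String message) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] tag = mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** The session-aware page (e.g. a Struts action) calls this and writes the result as the applet PARAM. */
    public String issue(String userId, long nowMillis) {
        String token = hmacBase64(userId + "|" + nowMillis);
        issued.put(token, new Entry(userId, nowMillis + TTL_MILLIS));
        return token;
    }

    /** The endpoint the applet calls back: returns the user id only for a token we issued that has not expired. */
    public String userFor(String token, long nowMillis) {
        Entry e = issued.get(token);
        if (e == null) return null;                          // not issued by us: refuse
        if (nowMillis > e.expiresAt) { issued.remove(token); return null; }   // expired: refuse
        return e.userId;                                     // user id comes from our map, not the browser
    }
}
```

The applet never receives the user id, only the token; the server recovers the user id from its own map, so editing the parameter just yields an unknown token.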
 
Matthew Plant
Greenhorn
Posts: 18
I'm sorry, what is an HMAC?
Any advice on how to do this in a very simple way?
 
Rancher
Posts: 43016
How about securing the applet with a username/password scheme that's checked against credentials you keep on the server?
 
Pat Farrell
Rancher
Posts: 4686

Originally posted by Matthew Plant:
I'm sorry, what is an HMAC?
Any advice on how to do this in a very simple way?

Google is your friend.
 
Greenhorn
Posts: 6
Hi All,

S... I agree that any information security in the internet is difficult.

But there is some option called jar signer... Which will create secure on your application. Which provide the security algorithm....

Thanks,
Yacoob
 
Ulf Dittmer
Rancher
Posts: 43016
I agree that any information security in the internet is difficult.

I don't see anyone saying that, nor would I agree with that statement. Can you elaborate why you think that way?

But there is some option called jar signer... Which will create secure on your application.

Signing the applet doesn't provide any security by itself. It is an indication of where the code originates (assuming a trusted certification authority was used), and that the code wasn't tampered with in transit, but that's the extent of what it does.
It can actually make code less secure, because a signed applet can wreak all kinds of havoc on a client machine (if the certificate is trusted by the client) which unsigned applets never could do.
 
Greenhorn
Posts: 24
Hi Dittmer,

You are correct, applet will provide the security.... While you are creating the jar signer...

Thanks,
Jaffer
 
Ulf Dittmer
Rancher
Posts: 43016
You are correct, applet will provide the security.... While you are creating the jar signer...

Actually, I said that the applet itself does not provide any security. And that using jar signer does not do so, either, and may have harmful consequences, security-wise.
 
Matthew Plant
Greenhorn
Posts: 18
Thanks, guys.
Sounds like a can of worms; I guess I have to do a bit of research.
 
Jaffer Sadiq
Greenhorn
Posts: 24
Hi Dittmer,

If jar signer doesn't do security, then what is the need of creating a signed applet......

Thanks,
Jaffer
 
Pat Farrell
Rancher
Posts: 4686

Originally posted by Jaffer Sadiq:
If jar signer doesn't do security, then what is the need of creating a signed applet......

A signed applet can have looser restrictions on the sandbox in the user's browser.

Without a signature, the sandbox is extremely tight. With signatures, it's a little more generous.

But signed or not, it has nothing to do with the security of the data flowing between the server and the browser/applet. That is what SSL/TLS is for.
 