
securing applet parameters

 
Matthew Plant
Greenhorn
Posts: 18
Hi,
I need access to my web application session from an applet but I don't think this is possible (correct me if I am wrong here) so...

I want to pass a user id to the applet as a parameter, but I am worried that a user might be able to change the applet parameter and resubmit the request, getting another user's data.

Is this something I should be worrying about?
Can I hash the parameter value?

I'm using struts.
Thanks.
 
Pat Farrell
Rancher
Posts: 4678
Never trust anything from the browser. You can't trust it.

Much better to send a HMAC of the user and a timestamp, encode it in hex or base64.

Store the HMAC on your server in a HashMap and only continue if the value from the browser is known to you.

Expire them after a suitable time.
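A worked version of the scheme described in this reply, written as an added example (it is not code from the thread or from any project): the server issues hex(HMAC-SHA256(userId | timestamp)) when it renders the applet page, remembers the token in a map keyed by the token, and later accepts a request from the applet only if the token is known and unexpired. The class name, the `|` separator and the caller names in the comments are assumptions of this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ConcurrentHashMap;

/** Issues and checks applet tokens: hex(HMAC-SHA256(userId | timestamp)), remembered server-side. */
public class AppletTokenIssuer {
    private static final String ALG = "HmacSHA256";

    private static final class Entry {                 // what the server remembers per token
        final String userId; final long expiresAt;
        Entry(String u, long e) { userId = u; expiresAt = e; }
    }

    private final SecretKeySpec key;                   // server-side secret; never sent to the browser
    private final long ttlMillis;
    private final ConcurrentHashMap<String, Entry> issued = new ConcurrentHashMap<>();

    public AppletTokenIssuer(byte[] secret, long ttlMillis) {
        this.key = new SecretKeySpec(secret, ALG);
        this.ttlMillis = ttlMillis;
    }

    /** Called from the page/action that embeds the applet, after the user has logged in. */
    public String issue(String userId, long nowMillis) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(key);
        byte[] tag = mac.doFinal((userId + "|" + nowMillis).getBytes(StandardCharsets.UTF_8));
        String token = toHex(tag);
        issued.put(token, new Entry(userId, nowMillis + ttlMillis));
        return token;                                  // goes into the <param> tag; the applet sends it back
    }

    /** Called by the action the applet talks to. Returns the user the token was issued for, or null. */
    public String userFor(String tokenFromApplet, long nowMillis) {
        if (tokenFromApplet == null) return null;
        Entry e = issued.get(tokenFromApplet);         // unknown token: never issued, or altered in the browser
        if (e == null) return null;
        if (nowMillis > e.expiresAt) { issued.remove(tokenFromApplet); return null; } // expired
        return e.userId;                               // identity comes from the server's record, not a parameter
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

The point of the map is that the server decides whose data to return from its own record of the token, so a user id sent back from the browser is never needed and never trusted; the HMAC secret should be generated with `SecureRandom` at startup and kept only on the server.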
 
Matthew Plant
Greenhorn
Posts: 18
I'm sorry, what is a HMAC?
Any advice on how to do this in a very simple way?
 
Ulf Dittmer
Rancher
Posts: 42969
How about securing the applet with a username/password scheme that's checked against credentials you keep on the server?
 
Pat Farrell
Rancher
Posts: 4678
Originally posted by Matthew Plant:
I'm sorry, what is a HMAC?
Any advice on how to do this in a very simple way?

Google is your friend.
 
mohammedd yacoob
Greenhorn
Posts: 6
Hi All,

S... I agree that any information security in the internet is difficult.

But there is some option called jar signer... Which will create security on your application. Which provides the security algorithm....

Thanks,
Yacoob
 
Ulf Dittmer
Rancher
Posts: 42969
I agree that any information security in the internet is difficult.

I don't see anyone saying that, nor would I agree with that statement. Can you elaborate why you think that way?

But there is some option called jar signer... Which will create security on your application.

Signing the applet doesn't provide any security by itself. It is an indication of where the code originates (assuming a trusted certification authority was used), and that the code wasn't tampered with in transit, but that's the extent of what it does.
It can actually make code less secure, because a signed applet can wreak all kinds of havoc on a client machine (if the certificate is trusted by the client) which unsigned applets never could do.
 
Jaffer Sadiq
Greenhorn
Posts: 24
Hi Dittmer,

You are correct, the applet will provide the security.... While you are creating the jar signer...

Thanks,
Jaffer
 
Ulf Dittmer
Rancher
Posts: 42969
You are correct, the applet will provide the security.... While you are creating the jar signer...

Actually, I said that the applet itself does not provide any security. And that using jar signer does not do so, either, and may have harmful consequences, security-wise.
 
Matthew Plant
Greenhorn
Posts: 18
Thanks guys.
Sounds like a can of worms; I guess I have to do a bit of research.
 
Jaffer Sadiq
Greenhorn
Posts: 24
Hi Dittmer,

If jar signer doesn't do security, then what is the need of creating a signed applet......

Thanks,
Jaffer
 
Pat Farrell
Rancher
Posts: 4678
Originally posted by Jaffer Sadiq:
If jar signer doesn't do security, then what is the need of creating a signed applet......


A signed applet can have looser restrictions on the sandbox in the user's browser.

Without a signature, the sandbox is extremely tight. With signatures, it's a little more generous.

But signed or not, it has nothing to do with the security of the data flowing between the server and the browser/applet. That is what SSL/TLS is for.
 