M Jay

Ranch Hand
since Sep 21, 2004

Recent posts by M Jay

Greetings,

I am using Sun DS as my password store, which stores passwords in SHA1 hashed form. I need to use the retrieved password (SHA1 hashed) to generate an AES-128 key. This is not possible with SHA1 as it is 20 byte long whereas I need a 16 byte hash to generate the key. Is rehashing my SHA1 password with MD5(16 bytes) going to make the generated key less secure? Unfortunately Sun DS doesn't support MD5 hashing of passwords hence my problem.

Cheers
14 years ago
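As an added example (not from the original post or from Sun DS), this derives a 16-byte AES-128 key from the stored 20-byte SHA-1 digest with HKDF (RFC 5869) using only the Python standard library; the output length of a KDF is independent of the input digest size, so no second hash to 16 bytes is needed. The password, salt and `purpose` label are constructed sample values.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): stretch PRK to `length` bytes bound to `info`."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length too large for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def aes128_key_from_sha1_digest(sha1_digest: bytes, salt: bytes,
                                purpose: bytes = b"aes-128-cbc") -> bytes:
    """Derive a 16-byte AES-128 key from the raw 20-byte SHA-1 password digest.

    The digest is the input keying material; `salt` and `purpose` bind the key to a
    deployment and a use, so the same stored digest yields different keys per use.
    The key is only as strong as the entropy of the original password, and the raw
    digest must be protected like the password itself, since it is sufficient to
    re-derive the key.
    """
    if len(sha1_digest) != hashlib.sha1().digest_size:
        raise ValueError("expected a raw 20-byte SHA-1 digest")
    prk = hkdf_extract(salt, sha1_digest)
    return hkdf_expand(prk, purpose, 16)


if __name__ == "__main__":
    # Constructed sample: the SHA-1 digest the directory would store for a made-up password.
    stored_digest = hashlib.sha1(b"correct horse battery staple").digest()
    key = aes128_key_from_sha1_digest(stored_digest, salt=b"constructed-deployment-salt")
    print(len(key), key.hex())
```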
Thanks again for your reply Ulf.

SSL encryption -being a transport-level protocol- ends the moment the request arrives at the web server (or SSL terminator); from then on, the data is unencrypted.

This will not matter in my scenario, since the services we are exposing are within our network perimeter; we only need to secure interactions with the outside world, which is point-to-point rather than end-to-end.

It takes a certain effort to add a certificate to the truststore for each client; WSS authentication would allow you to work with a DB (or LDAP) repository.

This is a very valid point. The number of web service clients that we might have could potentially be up to 500 different clients. I will look into how WSS authentication works.

Thanks for your help.
15 years ago
OK so I have read a number of articles on the internet relating to WSS and still have some unanswered questions...

I understand that using WSS is industry-standard and best practice, but at the same time I need to justify the use of this over SSL, and so far I cannot see what WSS offers that cannot be accomplished through SSL (for my requirements below) - especially since SSL is easier to implement through server configuration only, whereas implementing things like XML Digital Signatures and XML Encryption would involve writing code!

Essentially we have a number of services that we are to expose to the cloud... these services are intended for B2B transactions... so:

1- We need to ensure that the service caller is authorised to do so by verifying they are our business partner.
2- We need to make sure that the messages exchanged over the internet are encrypted.

Please correct me if I'm wrong, but I believe both of the above requirements will be satisfied by using SSL, since the communication between the service and consumer is secured, the communication channel is encrypted, and the identity of the caller can be verified through a client digital certificate which is registered in the server-side trust store. Am I missing something? Are there other security considerations that I am overlooking?
15 years ago
Thanks a lot James and Ulf... that was very helpful.
15 years ago
Thanks for your reply James,

Of the different technologies that fall under WS-Security, which ones are applicable to the scenario I described? i.e. which technology would be used to authenticate the client (no username and password required; this is just to authenticate the actual client and not the user), and which one would be appropriate for securing the messages so that they cannot be intercepted?

Thanks
15 years ago
Hi,

I am part of a project that aims to SOA enable my organization. This is being achieved through Web Services and the use of an ESB. We now have a requirement to expose one of our Web Services onto the internet to be consumed by a number of mobile devices - this is not a public service, but a third party organization will invoke our service from a number of mobile devices. How can we make sure that our web service is secure? Would using SSL with Client authentication be sufficient? I have been reading a few articles around XML Digital Signatures and XML Encryption/SAML ...etc but this all seems to be message-level security and I don't feel that those technologies are relevant. Our main requirements are to authenticate the client and ensure that messages exchanged are secured, in addition to securing the service against DoS attacks.

Thanks for your help in advance
15 years ago
Hi,

Is there a way to password protect the whole of Tomcat, i.e. not only protecting individual web applications, but all of them?

i.e. when pointing the browser to http://localhost:8080, the user should be asked for a username and password.

Is there a way of doing this?

Many Thanks
18 years ago
Hi,

I understand that a Singleton can only have one instance at any given time.

My question is: can multiple threads use the same instance? If so, what are the thread-safety issues with this? Specifically:

1- Would class static variables be shared amongst the threads?
2- Would local variables of non-static methods be shared amongst the threads?

The reason I ask this is because I have designed a Data Access Facade Layer as a singleton. During instantiation it would initialize the data source, as I don't want it to be initialized more than once. Then I have member methods (instance methods) which perform insert, select, update ...etc to the database. Each of those methods gets its own connection, statement, resultset ...etc

Was just wondering if the above has any thread safety issues, as it will be used by multiple threads.

Thanks for replying in advance

P.S. The above class will be running in Tomcat and called from a servlet, not sure if this is relevant.
Hi,

I have an application that is deployed on Tomcat on my local machine. My local machine is sitting behind a broadband router. I think this is preventing me from accessing my application/Tomcat from outside the network. Is there a possible way for me to configure the network (router or local machine) to enable direct access from the internet to my local machine/Tomcat?

I am not very experienced in networking, so detailed instructions will be very appreciated.

Many Thanks
Hi and Thanks for your reply,

When I try accessing http://myipaddress:8080 it doesn't work from a remote machine, while localhost works fine.

My machine is connected to the internet through a broadband wireless router. Could this be the problem? And if so, how could I fix it?

Many Thanks
18 years ago
Hi,

I have Tomcat installed on my local machine, with a web application deployed to it. From within my machine, I can access my web application.

However, when I want to access the application from a remote machine, it fails. I am not sure what the reason for this is.

I have my Windows firewall disabled.

Do I need to install Apache to front Tomcat? Or is there some setting I can change in Tomcat to make it accessible from a remote machine?

Many Thanks
18 years ago
Hi,

I understand that in order to write a client program that accesses an SSL Web server, the following line of code needs to be inserted in the client code:



The above can be done in a simple program, but how can I set the system property, say, if the client and server are running on two different machines? Is there a way to do the above?

Thanks
18 years ago
Hi,

I am writing a Data Access Layer. At first I made this a Singleton class, so that the same DB connection is used every time, to avoid creating many connections. Then I changed my code to use DataSource and connection pooling with Tomcat, and now I'm not sure how to go about it.

I need the DataSource lookup code to run only once, and use this one DataSource to get connections to the DB. Should I keep the class a singleton?

Not sure if that will work as I am thinking to make my Connection object a member variable.

Below is my current DA class, any advice would be much appreciated:

How do I specify the log file's name to be a dynamic name? For example, if it's a daily rolling logger, then I want the name of the file to include the date.