securing applet parameters

 
Greenhorn
Posts: 18
Hi,
I need access to my web application session from an applet but I don't think this is possible (correct me if I am wrong here) so...

I want to pass a user id to the applet as a parameter, but I am worried that a user might be able to change the applet parameter and resubmit the request, getting another user's data.

Is this something I should be worrying about?
Can I hash the parameter value?

I'm using struts.
Thanks.
 
Rancher
Posts: 4803
Never trust anything from the browser. You can't trust it.

Much better to send a HMAC of the user and a timestamp, encode it in hex or base64.

Store the HMAC on your server in a HashMap and only continue if the value from the browser is known to you.

Expire them after a suitable time.
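
A sketch of the scheme described in the post above, added here as an example and not part of the original post or any poster's code. An HMAC is a keyed hash, so a browser user cannot produce a valid value for another user without the server's key; the class name `AppletTokens`, the 5-minute lifetime and the `user-42` id are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical server-side helper (Java 16+ for the record type).
public class AppletTokens {
    private static final long TTL_MS = 5 * 60 * 1000;   // assumed token lifetime
    private record Entry(String userId, long expiresAt) {}

    private final byte[] key = new byte[32];             // server secret, never sent to the client
    private final Map<String, Entry> issued = new ConcurrentHashMap<>();

    public AppletTokens() { new SecureRandom().nextBytes(key); }

    // Called while rendering the page: the token, not the user id, becomes the applet parameter.
    public String issue(String userId, long now) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal((userId + "|" + now).getBytes(StandardCharsets.UTF_8));
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        issued.put(token, new Entry(userId, now + TTL_MS));
        return token;
    }

    // Called when the applet calls back: returns the user id bound to the token, or null.
    public String redeem(String token, long now) {
        if (token == null) return null;                        // ConcurrentHashMap rejects null keys
        issued.values().removeIf(e -> e.expiresAt() <= now);   // expire old tokens
        Entry e = issued.get(token);
        return e == null ? null : e.userId();
    }

    public static void main(String[] args) throws Exception {
        AppletTokens tokens = new AppletTokens();
        long t0 = System.currentTimeMillis();
        String token = tokens.issue("user-42", t0);                 // constructed sample user id
        System.out.println(tokens.redeem(token, t0 + 1_000));       // token within its lifetime
        System.out.println(tokens.redeem(token + "x", t0 + 1_000)); // altered token
        System.out.println(tokens.redeem(token, t0 + TTL_MS));      // token at expiry
    }
}
```

The server takes the user id from its own map entry, so whatever the applet sends back is only ever used as a lookup key.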
 
Matthew Plant
Greenhorn
Posts: 18
I'm sorry, what is a HMAC?
Any advice on how to do this in a very simple way?
 
Rancher
Posts: 43081
How about securing the applet with a username/password scheme that's checked against credentials you keep on the server?
 
Pat Farrell
Rancher
Posts: 4803

Originally posted by Matthew Plant:
I'm sorry, what is a HMAC?
Any advice on how to do this in a very simple way?



Google is your friend.
 
Greenhorn
Posts: 6
Hi All,

S... I agree that any information security in the internet is difficult.

But there is some option called jar signer... Which will create secure on your application. Which provide the security algorithm....

Thanks,
Yacoob
 
Ulf Dittmer
Rancher
Posts: 43081

I agree that any information security in the internet is difficult.


I don't see anyone saying that, nor would I agree with that statement. Can you elaborate why you think that way?

But there is some option called jar signer... Which will create secure on your application.


Signing the applet doesn't provide any security by itself. It is an indication of where the code originates (assuming a trusted certification authority was used), and that the code wasn't tampered with in transit, but that's the extent of what it does.
It can actually make code less secure, because a signed applet can wreak all kinds of havoc on a client machine (if the certificate is trusted by the client) which unsigned applets never could do.
 
Greenhorn
Posts: 24
Hi Dittmer,

You are correct, applet will provide the security.... While you are creating the jar signer...

Thanks,
Jaffer
 
Ulf Dittmer
Rancher
Posts: 43081

You are correct, applet will provide the security.... While you are creating the jar signer...


Actually, I said that the applet itself does not provide any security. And that using jar signer does not do so, either, and may have harmful consequences, security-wise.
 
Matthew Plant
Greenhorn
Posts: 18
Thanks guys.
Sounds like a can of worms, I guess I have to do a bit of research.
 
Jaffer Sadiq
Greenhorn
Posts: 24
Hi Dittmer,

If jar signer doesn't do security, then what is the need of creating signed applet......

Thanks,
Jaffer
 
Pat Farrell
Rancher
Posts: 4803

Originally posted by Jaffer Sadiq:
If jar signer doesn't do security, then what is the need of creating signed applet......



A signed applet can have looser restrictions on the sandbox in the user's browser.

Without signature, the sandbox is extremely tight. With signatures, it's a little more generous.

But signed or not, it has nothing to do with the security of the data flowing between the server and the browser/applet. That is what SSL/TLS is for.
 