I want to get the client's information from the server side using a servlet. This information can be used to identify the client. This idea is similar to installing new software, where the user is required to agree to the terms in order to continue installing the software. I'm not sure what kind of information they get, but in my case I need some information which can identify the client. I'm not good at hardware specifications, but as far as I know we can use the MAC address, HDD serial, CPU ID and some information about the client such as the user account...(if possible) to identify the client, since these values are unique.
Firstly, I thought that getProperties in the System class could do that, but then I recognized that what it gets is the server's information. Do you have any idea about this? Could you please give me some advice? Thanks a lot!
You can only get the information supplied with the request - the methods in HttpServletRequest show what that includes. Above and beyond the information you get in the request headers (remember this will vary based on the browser type, and may be clouded by proxies etc.) you'll need to implement such logic yourself as a process that runs on the client. If you want to use Java that means a (probably signed) Applet.
Additionally, a lot of the information that you can get from the methods of HttpServletRequest will be of limited value.
For instance, a company could have a subnet with multiple people sharing the same IP number. If your user has a DHCP connection, their IP could change each time they access your application.
On the other end, some of your clients might want to access your app from multiple computers (desktop PC in the office, laptop when on the road, home machine).
If you try to tie their account to one particular machine you could run into problems with these people.
Actually, I understand that the user account does not solve my problem. It is only a minor detail to tie to the information that users provided. You're absolutely right that a user can use any computer to access the web application, but here I would like to limit the security problems as much as possible by identifying the client's specification. I am searching for a solution to this but I haven't found the best solution. If anyone has done this before, please make a suggestion. Thank you very much for your help!
cho con wrote: but here I would like to limit the security problems as much as possible by identifying the client's specification.
What security problems are you anticipating? There may be another way to achieve what you need.
Sorry, I would like to emphasize that in my case, I want to identify the computer, not the user. That's why I want to get this kind of information. As we know, in the internet environment it's very difficult to verify whether a user is the exact person he states to be (password, certificate....can be the solution but they can be stolen on the internet and they are not really bound to the user). So I choose to bind the information provided by the user to the computer specification. That's what I'm doing. But I don't know how to do this in a servlet, or plain old Java?
As stated, without running Java (or similar) code on the client, you will not be able to get the kind of information you're looking for. You *might* be able to do something with cookies (easily copied to another machine) combined with a one-time sign-up process depending on what your actual requirements are.
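Added example, not part of the original thread: one way the cookie plus one-time sign-up idea from the reply above could look on the servlet side. The class name `DeviceCookie` and cookie name `device_id` are hypothetical, and the code assumes the Servlet 3.0+ `javax.servlet` API and a server-side secret key. The cookie still identifies whoever holds it, so a copied cookie verifies just as well on another machine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.*;

// Added example (hypothetical class and cookie name), Servlet 3.0+ API.
public class DeviceCookie {
    private static final String NAME = "device_id";
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key; // server-side secret, never sent to the client

    public DeviceCookie(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }
    // Call once, at the end of the one-time sign-up; store the returned id with the account.
    public String issue(HttpServletResponse resp) throws Exception {
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        String deviceId = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
        Cookie c = new Cookie(NAME, deviceId + "." + sign(deviceId));
        c.setHttpOnly(true);               // not readable by page scripts
        c.setSecure(true);                 // only sent over HTTPS
        c.setPath("/");
        c.setMaxAge(60 * 60 * 24 * 365);   // one year, in seconds
        resp.addCookie(c);
        return deviceId;
    }
    // Returns the device id when the cookie carries a valid MAC, otherwise null.
    // A valid MAC proves the server issued the value, not which machine presents it.
    public String verify(HttpServletRequest req) throws Exception {
        Cookie[] cookies = req.getCookies(); // null when the request has no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!NAME.equals(c.getName())) continue;
            String[] parts = c.getValue().split("\\.", 2);
            if (parts.length != 2) return null;
            // Constant-time comparison of the expected and presented MAC strings.
            return MessageDigest.isEqual(bytes(sign(parts[0])), bytes(parts[1])) ? parts[0] : null;
        }
        return null;
    }
    private String sign(String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(bytes(value)));
    }
    private static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }
}
```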
As we know, in the internet environment it's very difficult to verify whether a user is the exact person he states to be (password, certificate....can be the solution but they can be stolen on the internet and they are not really bound to the user).
Just to make you aware, the hardware is not a "silver bullet". If you've ever looked into device discovery software you'll see it tends to have a scoring mechanism to identify if one device is the same as another. Why do they do this? The hardware spec. (and software spec.) of a PC sitting in a big organisation will be very similar to the PC sitting next to it, and the tens of thousands of other PCs dotted throughout the organisation. How do you tell that a PC is a different PC, or a piece of hardware (or some other detail) has been changed in that PC? I'd be annoyed if I was locked out of a site because (say) technical support has increased the memory on my machine. And as technical support, I'd be looking for a new job if I had to respond to requests for fixing access problems that involved picking through a hardware spec. to find out what (if anything) had changed.
There are pretty secure mechanisms out there that require the user to identify themselves. OK, not 100% foolproof, but (depending how they are implemented) good for the vast majority of uses. If your application needs to be really secure do what the banks do: buy yourself a private network, put it in a secure building and deploy it there.
I agree with you that the hardware can be changed later. There are many cases that would happen and we cannot cover all. I know this is not really a good solution. I just suppose it is stable for some time, and I do in the simplest way. How about the session id? Is it useful for my case?
I'm sorry for my persistence and my stupid question. I still wonder whether we can use a Java applet combined with a servlet to get this information?