I'd like to create a simple CRUD application using web sockets, with a Java EE 7 Websocket Server, running on Glassfish 4, communicating with a single page website. My question is: how can I secure my application? In other words: how can I perform user Authentication and Authorization? Because there are a few messages that I would like the Server to reply to only after authentication and authorization of the requesting user. Last but not least: how can I provide a "remember me" function? Thank you.
A practical method is for the user to login via your Web page, setting a cookie from your Web app upon successful authentication, and check that cookie in your WebSocket server on the incoming WebSocket connection from the page.
This will require to have the Web page and the WebSocket served from the same origin (otherwise the browser won't send the cookie on the WebSocket connection).
Another possibility is to implement a custom authentication mechanism via messages on top of the WebSocket connection.
Another possibility is to use TLS and client-certificate based authentication.
Note that though WebSocket has a HTTP based initial opening handshake and you can in principle use any HTTP authentication mechanism, there are practical restrictions. E.g. with HTTP basic authentication, browsers will render login dialogs for plain HTML page requests, but not for so-called subresources, like requests for images .. and WebSocket (which also counts as a subresources).
Related
I need to do a communication between two applications, and I want to ensure the client application identity.
I wanna know if is there some pattern to make something like this:
The client application has a key and secret
The client send some info to the main application with identity data
The main application verify the client and returns the requested data
You may want to investigate client and server TLS certificates. They will allow for a mutual authentication between the server and the client.
I think You are talking about server-client communication. In this case, you have to search RESTful API. With REST, you implement endpoint which returns your data as a JSON. So you can use the data in Desktop app,Mobile app or Web app and with this way you can resolve the security risk. Because in mobile app
or desktop app, conneting to db is risky. You cant put your db options in your app. Implement a REST which returns JSON and send a http request in client.
If response is OK. Parse the JSON and use in the client
Here is the simple example in php
I am developing a backend for a mobile application using Node.js to handle HTTPS requests. I have set up an SSL to connect from the client to the server and was wondering if this was secure enough.
I don't have experience with intercepting endpoints from the mobile devices, but I have seen that it is possible for people to monitor internet traffic out of their cellphones and pick up endpoints to server requests. I have seen hacks on tinder where people can see response JSON and even automate swipes by sending http requests to tinder's endpoints.
My real concern is that people will be able to update/read/modify data on my backend. I can implement OAuth2 into my schema as well but I still see cases in which people could abuse the system.
My main question is whether or not using HTTPS is secure enough to protect my data, or if a session authentication system is needed like OAuth2.
Thanks.
HTTPS, providing it is properly configured, will ensure the message was not read or changed en route and that the client can know the server it is talking to is not a fake.
It will secure the transport. It will not secure the application.
For example supposing you have an app that allows you to send a message saying https://www.example.com/transfermoney?from=Kyle&to=BazzaDP&amount=9999.99 and the server does just that based on those parameters. Then I could send that message myself - I've no need to intercept any app messages.
Normally the server needs authentication as well as HTTPS to, for example, verify only Kyle user can send above message and not anyone else. HTTPS normally only gives server authentication not client authentication (unless using two way certificate HTTPS).
So the question is, even if an attacker cannot read or alter any messages between app and server can they still cause harm? That is the measure of whether it is secure enough.
A SSL connection is only secure with the content you are sending.
SSL encrypts and ensures the authenticity of the whole connection, including the requested method and URL
So i would say just using the SSL encryption is save to transfer data between - i might consider OAuth2 for password etc.
But i would recommend to use GET for retrieval data and post for authorized data
You're building an armored tunnel between two open fields.
Assuming that you use current SSL protocols and settings, and valid certificates from trusted issuers, you can pretty much assume the network is OK.
However it's still entirely possible to compromise any or all of your transaction from the client. Security really depends on the device and how well it's configured and patched.
I am trying to secure an https post service through a username/password authentication (Basic authentication). But so far I am not able to figure out how I can secure my service on the server side and force the username/password combination for the clients. I get that using httpclienthandler/httpclient/networkcredentials you can access the server, but how to force it on the server side and send appropriate unauthorized access errors etc.
Any directions or links using C#?
It seem there is the AuthenticationFilter, what I was looking for..
Here is a good amount of detail here;
I have few ideas where im not sure if Im correct and if my approach is correct.
The situation is that I got some backend server(s) which exposes REST (of course stateless) interface and expects usage of HTTP authentication via its headers. Then I have some its clients and one of them is web server which has loaded web application that is accessed by typical web browser (using SSL). User via web browser enters his credentials (username and password), which are sent to web server and here comes the thing I want to ask. Web server will delegate all the requests to backend server (REST) putting those credentials to HTTP headers. Is it safe to store those credentials within HTTP session between web server and browser? And if not, where to store them otherwise?
Thanks:-)
for as long as you using session.abandon at the end of the session(application exit or close) all your data should be in theory safe.
Make sure that you close session when application shuts down or user idle for too long.
I usually give no more then 20 minutes. Over HTTPS even less.
I'm interested to know what methods people use to secure their webservices from unauthorized web service consumers.
There is a protocol specifically for web services security WS-Security. I've used parts of it in the past but at the time there was not a lot of support for it in .Net so it was a lot of work.
Currently with .Net I use SOAP Extension Headers. I have one web service call to authenticate and get a session token and then include that token in a SOAP header for every subsequent call, somewhat similar to this example. Of course all the request must travel over TLS to keep them from being compromised.
I usually require either a user id/password to be sent each time, or return a token from the first authenticated connection that can be used subsequently.
Nothing fancy. Pretty similar to standard web app login.
I've used both SOAP headers and method parameters to pass user credentials -- .NET makes using the SOAP headers pretty easy, but I had issues with this using Java (several months back). I also do some IP-based filtering if the service is not intended for client (browser) use, but rather from backend web servers. Public, browser consumable web services are often protected by session cookies -- i.e, requires a valid logon to the web site, then the standard session authentication mechanism is used for requests via AJAX to web services.
You can use network appliances such as IBM's DataPower or Vordel if you don't want to handle in your own application.