 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Java Forum / GUI / November 2005Get data from external config file securely
I'm creating an FTP file upload applet. I've got the functionality of it working, however since I will be distributing it, I want to make it configurable for other users to setup on their web servers. In order to do so, I need to take out the hard-coded information like FTP server, username, password and store it in a config file. This will allow other users to supply their FTP information for use in the applet. My quest is how do I read in the data from this config file securely from a webserver in the applet? I have seen many examples that say to use a UrlConnection to read the file, but that means that you are making the file readable by all users who have access to the applet for example, if the config file was at http://your-site.com/path/to/config/file.txt, then I could setup the Java UrlConnection to that location, however, at the same time any visitor could just type that location into their browser and see all the FTP server information. Another way I have seen to pass data into an applet is to use the parameter tags inside the HTML code for the applet. This has an obvious insecurity, since a visitor could just view the source of the page and see all your FTP connection information that gets passed to the applet. The main idea of this applet is to let other users have the ability to upload files to an FTP server without the need to give out the connection information. Can anyone tell me how to go about doing this so that the FTP connection information is not publically available to the world? Thanks for all your help so far. I'm really learning a lot and I hope to be able to share the knowledge some day. >I'm creating an FTP file upload applet. I've got the functionality of >it working, however since I will be distributing it, I want to make it [quoted text clipped - 11 lines] >visitor could just type that location into their browser and see all >the FTP server information. If you have a servlet at the other end of your HTTP connection, that servlet can implement some simple security, such as ensuring that the text file is sent back only to a client which already has a session established and sends a session ID in the request. (The session ID would be created when the request for the applet's page is made, and passed to the applet in its parameters. And perhaps destroyed on its first use. If you're worried about the data being intercepted, use HTTPS.) >Another way I have seen to pass data into >an applet is to use the parameter tags inside the HTML code for the >applet. This has an obvious insecurity, since a visitor could just >view the source of the page and see all your FTP connection information >that gets passed to the applet. Sometimes that may not matter - the URL is probably publicly known anyway, and even the user name may not be private; only the password is definitely sensitive, and that could be encrypted. (Obviously, you know what's sensitive and I don't.) You're posting from an edu email address, so I expect this is an exercise, but this leads on to something about security in the real world. No security is a hundred percent, and it's not necessary that it should be; it's only necessary that it should make it so difficult to get the information that's being secured, that an attacker will find it easier to get it some other way (eg. by kidnapping the programmer and tickling their toes until they talk). Or, to put it another way, a system is only as secure as its largest security hole, and the object is to make sure that none of the security holes you're responsible for aren't that. Pete Barrett I use PHP as the server side scripting language. If I set a session variable in PHP, will this be available to the applet? If so, how do I grab the session information from inside the applet? >I use PHP as the server side scripting language. If I set a session >variable in PHP, will this be available to the applet? If so, how do I >grab the session information from inside the applet? I don't know PHP unfortunately, but if a session-scoped variable in PHP is the same as one in JSP, then no, it won't be explicitly available to the applet. What I do is as follows: When the session starts (in my case this is usually an explicit Login screen, but in your case it will probably be when the page containing the applet is requested), I create a unique session token which I associate with the session. That session token is passed to the applet in its parameters. When the applet requests a resource (the configuration file in your case), it passes the session token back to the server as an authorisation. The server can check that the session token that is being passed is the same as the session token that it has associated with the session, and only send back the resource if it is. The session token, of course, must be only temporary to prevent an interloper from getting hold of it and using it. Exactly how temporary depends upon circumstances - if you can get away with having it exist only for the single request for the configuration file, so much the better, but even if it exists for the whole of the HTTP session, that's probably OK. Pete Barrett How would I go about encrypting/decrypting this information for use in the applet? >How would I go about encrypting/decrypting this information for use in >the applet? What information? The applet parameters? If you're worried about people intercepting them, you can use an SSLSocket/HTTPS connection, which should be more than secure enough for the short amount of time it will be possible for a third party to use it. If you're worried about the user of the applet looking at the source, then if they've got the applet open they're entitled to access the configuration file anyway; if they're trying to use a session token at a later date when they're not, it will have been destroyed and will no longer be valid. Pete Barrett Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.