Implementing a secure servlet

Hi all,
I am stuck on implementing this! My web site is implemented using static HTML pages and hosted on an Apache server. I have a separate application server that runs my dynamic applications. In my web site, I have a "contact us" form whose action is a simple servlet. Everything works fine and the servlet does its purpose. But there is a security issue with this. Anybody can access my servlet using the URL. Anybody can view the source of my page, get the servlet URL and spam! I need to make this secure.
Any thoughts on this issue would be great.
Thanks and Regards,
Abdel Olakara
http://technopaper.blogspot.com

Olakara wrote:
Yawmark, your thinking is correct in my context. I am more concerned with the user side and not the bots. I am having a look at Spring, but is there any simple way (without using any frameworks)?

Personally, I think using Spring Security is the simple way, rather than trying to think through and design an effective security model on one's own, only to come up with a poor imitation of an existing framework. :o)
Security is not a simple subject, and "implementing a secure servlet" is not a simple matter. At least, not to my reckoning.
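For the case the original poster describes (a contact form whose servlet anyone can POST to by URL), one framework-free mitigation is to let the servlet issue a one-time token bound to the session when it serves the form and to accept a submission only when that token comes back. This is an added illustration, not code from the thread; it assumes the form is rendered by the servlet's doGet (a static HTML page cannot carry a per-session token), the javax.servlet API and Java 8, and the class and attribute names are made up.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Contact-form servlet that rejects submissions not preceded by a form load
// in the same session. ContactServlet and the attribute names are illustrative.
public class ContactServlet extends HttpServlet {
    private static final String FORM_TOKEN = "contact.form.token";
    private static final String FORM_ISSUED = "contact.form.issued";
    private static final long MIN_FILL_MILLIS = 2000L; // a human rarely submits faster
    private final SecureRandom random = new SecureRandom();

    // GET: mint a fresh token, remember it in the session and embed it in the form.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] raw = new byte[24];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        HttpSession session = req.getSession(true);
        session.setAttribute(FORM_TOKEN, token);
        session.setAttribute(FORM_ISSUED, System.currentTimeMillis());

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // No action attribute: the form posts back to this servlet's own URL.
        out.println("<form method=\"post\">");
        out.println("<input type=\"hidden\" name=\"token\" value=\"" + token + "\">");
        out.println("<input name=\"email\"><textarea name=\"message\"></textarea>");
        out.println("<button type=\"submit\">Send</button></form>");
    }

    // POST: accept only if this session was issued a token, it matches, and it is unused.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null || !validToken(session, req.getParameter("token"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "form was not loaded first");
            return;
        }
        // One-time use: a replayed token must fail on the next request.
        session.removeAttribute(FORM_TOKEN);
        session.removeAttribute(FORM_ISSUED);
        String message = req.getParameter("message");
        // ... hand 'message' to the real mail or storage code here ...
        resp.setContentType("text/plain");
        resp.getWriter().println("Thanks, your message was received.");
    }

    // Constant-time comparison plus a minimum delay between form load and submit.
    static boolean validToken(HttpSession session, String submitted) {
        Object expected = session.getAttribute(FORM_TOKEN);
        Object issued = session.getAttribute(FORM_ISSUED);
        if (expected == null || issued == null || submitted == null) {
            return false;
        }
        boolean sameToken = MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        boolean notTooFast = System.currentTimeMillis() - (Long) issued >= MIN_FILL_MILLIS;
        return sameToken && notTooFast;
    }
}
```

This stops blind POSTs to the URL and token replays; a client that fetches the form first still gets through, so per-session or per-address rate limiting and server-side logging of rejected posts are the next layer.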

Similar Messages

  • What are the different options for implementing web security?

    Hi,
Right now I am working on an internet website. We are using JSP for presentation and running Weblogic Application Server. I want to know different options for implementing website security. One of the options that I am aware of is to use LDAP. But we do not want to go and buy an LDAP Directory Server now. So I would really appreciate it if somebody could let me know my choices here.
    Thanks in advance.

    Hi,
    If you are working on a Windows 2000 platform, the most obvious choice would be Active Directory Server as this is shipped free with Server 2000. It is LDAP compliant, although does have a few differences that set it apart from the other X500 standard based solutions which I will mention in a moment. Details on these differences can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/msdn_activedirvsnds.asp
Other options are OpenLDAP, an open source implementation of an LDAP server, or iPlanet's Directory Server. If you are initially doing an evaluation, a trial version of the iPlanet software is available and can be downloaded from their site. I found this particularly easy to get to grips with and there is excellent documentation available. There is also an offering from Novell, but I have no experience of this.
    Hope this helps.
    Jon

  • Implementing Function Security in Oracle apps.

I wanted to restrict certain menus in Payables Manager for a particular user. How should I implement it? Is there any live example of implementing function security in Oracle Apps? Please help.

    Hi,
One approach is to create a custom menu, attach to it all the menus and functions you want, and then add this menu to a new responsibility. But this is not the best way to solve the issue because you have to define different menus + responsibilities for each different user. The other way is to create roles which can be assigned to users.
    Thanks,
    Bahchevanov.

  • Issue with implementing Object Security in RPD (OBIEE 11g)

    Hello All,
    I am following these steps to implement Object Security, but it doesn't work. Please let me know what am I doing wrong here:
    1. I want to block a few presentation tables for the user 'weblogic'.
    2. I open the RPD in online mode and in the Identity Manager, for the application role 'BIAdministrator', I setup permissions 'no access' to these presentation tables. It asks me to 'Check Out' which I do.
3. I check in the changes, save the RPD and deploy it back in EM.
    4. I login into OBIEE Answers using 'weblogic' user but alas these presentation tables are still available for me to use.
    I have tried looking for a solution on the internet before posting the solution here. Please don't ask me to read through the security setup guide because I have done that. Any specific answers are most welcome.
    Thanks in advance.

    Try this:
    Double click on the presentation table.
    Go to permissions and then revoke the access to BI Administrators.

  • How to implement the security notes in Java System.

    Hi All,
    For the ABAP systems we use RSECNOTE to implement the security notes, but how do we do that in Java systems?
    Any reference or guidance will be of great help.
    Thanks,
    Akash.

RSECNOTE is for ABAP only, and I don't think there is any equivalent for Java.
For Java, the security note will guide you on how to implement it.
    It could be manual changes or via SDM or JSPM.
    Regards,
    Pinkle

  • How to resolve Issues while implement gateway security by using reginfo,secinfo?

    Hi,
I want to implement gateway security using gw/reg_info, gw/sec_info, gw/reg_no_conn_info.
So far I have created reginfo and secinfo files to allow all internal traffic and I kept gw/reg_no_conn_info=11, gw/acl_mode=1.
reginfo
======
#VERSION=2
P TP=*,HOST=local
P TP=*,HOST=internal
P TP=*,HOST=*.abc.com
With the above setting I believe all the programs within the SAP systems (including app servers), and also systems from the domain abc.com, can register programs without having any issues.
secinfo:
======
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
Similarly, as per the secinfo content, I believe that all the internal traffic can go without any issue within the SAP system.
Besides that, I have activated gateway logging to find the rejected connections, if any.
I have the following questions:
===================
1) As the reginfo and secinfo files are maintained, can I remove the gw/acl_mode=1 parameter?
2) If I want to add a specific program to register from a 3rd-party system, suppose a program called "zram" from system "172.198.10.1", where am I supposed to add it? Do I need to add that IP to secinfo along with reginfo?
3) When I set the parameter gw/reg_no_conn_info=11, converted to binary it equals 00001011.
What exactly does this mean, given the following definitions from note 1444282?
1 1298433 Bypassing security in reginfo & secinfo
2 1434 117 Bypassing sec_info without reg_info
4 1465129 CANCEL registered programs
8 1473017 Uppercase/lowercase in the files reg_info and sec_info
Does that mean 8+2+1 means satisfying the above 3 lines except condition 4?
4) I enabled gateway logging; how could I catch rejected connections from third-party systems?
5) From simulation mode I got to know that it will satisfy the reginfo and secinfo restrictions and it will allow all other traffic. So what is the added advantage with this when activated?
6) Are there any SAP native tools which help while preparing the reginfo and secinfo files?
Regards,
Koteswararao.Davuluri(Koti).
    Regards,
    Koteswararao.Davuluri(Koti).

    Hi,
Here are answers for questions 4 and 5.
4) I enabled gateway logging; how could I catch rejected connections from third-party systems?
SMGW -> Goto -> Expert functions -> Logging
In the above path, if you select Security -> (under that) -> Rejected access only,
it should show you the connections getting rejected.
5) For simulation mode you have 2 options. You can activate it directly from the above path. The other option, if you maintain gw/sim_mode = 1, makes the simulation mode permanent. But once all the entries are set in reginfo you have to disable simulation mode. With secinfo you will not have many problems.
After doing steps 4 and 5 you can see rejected entries in the Gateway log.

  • Implementing port security

I have about a dozen 2960s on which I wish to implement port security. Some users tend to bring their own router and cause mayhem on the network. I've tried DHCP snooping, which doesn't seem to work, and port security testing on a few ports works well.
What are the recommended steps? All are connected to users and all ports are already in use.
- Some ports already have a few MAC addresses in the tables, thus I can't do an across-the-board implementation of, say, "switchport port-security maximum 3".
- It's tedious to go switch by switch, port by port.
- Is there any mechanism that can convert sticky to static: use "switchport port-security mac-address sticky" first, then convert them to static since the network is OK now?

The poster above raised some excellent points about an "IT Acceptable Use Policy". I wouldn't want people allowed to bring in random network equipment, just plugging it in all willy-nilly.
With DHCP Snooping, you need to understand that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, for which you have two options. You can either turn it off from being checked at the router, or instruct the switch not to insert the option in DHCP Discover packets to begin with.
When you enable DHCP Snooping, this will create the DHCP Snooping database, which will keep track of the DHCP-assigned IP address and the MAC address assigned to each port.
If you have users who bring in their own switches, find out who they are, just watch the MAC addresses associated with the port, and then you can adjust port security appropriately.
It sounds like you may have a hard time, since they don't seem to really care about security at this place.
Personally, if it were me, all ports would have BPDU Guard at a minimum. You can always set up 'errdisable recovery' to deal with recovering ports that have been disabled automatically.

  • Three part blog about Reducing the Cost to Implement a Security Plan

Part 3 of a great blog done by Kenneth in AlienVault Support, who has "heard it all" about the problems SMBs have in implementing a security plan with small budgets. Kenneth offers lots of practical and helpful advice for IT and security practitioners.
    https://www.alienvault.com/blogs/security-essentials/third-step-in-reducing-the-cost-to-implement-a-...
    This topic first appeared in the Spiceworks Community

    hi Elistariel -
    With no texting plan, it is 25 cents per picture message. The LG VX5500 (same phone my daughter has) does not use a memory card, so you can try two different programs on your computer (both free) and see if either one will get the pics off and saved on your computer; from there you can upload to your online album without a per picture charge.
    You can try Verizon's VCast media manager - download and install it on your computer, then use the USB cable to link the phone to the computer and transfer the pics with VCast.
    Here's a link
    A third party program called BitPim will also work, but it's more technical and does a lot more than just transfer your media. It can also brick your phone if you don't know what you are doing, so it's "use at your own risk", as Verizon won't cover any losses due to using BitPim. It does work though--I have used it, very cautiously!

  • Implementing Filters in Servlet 2.2 Version

    Hi ,
We are using a web server (SUN ONE PORTAL SERVER 6.0) that is using servlet engine 2.2, but we need functionality like Filters.
But filters are supported from servlet version 2.3 onwards. Currently we don't have the option to upgrade to a new version of the server.
Is there any way to implement Filters in a Servlet 2.2 engine?

The following page has information on how to implement filter-like functionality yourself.
http://java.sun.com/blueprints/corej2eepatterns/Patterns/InterceptingFilter.html
    Edited by: dave_spaghetti on Aug 19, 2009 9:35 AM

  • How to implement a security sub-system?

    Hi Everyone,
    I got the following task below from my team leader. I don't know where to start to get the following task done. If you have any idea on how to get the following task done, please give me the steps on how to complete the following task. Or give me some links (websites) which can get me start on getting the following task done. Thanks for your time and help in advance!
    Your next task is depicted in the case scenario as follows:
Some remote process is able to view a directory listing of the files in the directory and then selects a JSP file to execute. It runs without any enforced permission on the server and the remote process is able to view the output, or the JSP file is executed without the proper caller - a DocIt system process (JSP, JavaBean). How can we solve this problem?
For one thing, directory listing permissions should only be permitted explicitly by the server "system security/permission objects" (configured by the administrator/root) on win32/Linux. Second, all JSP files must include a security module as part of their code base before even a single line of code is written by the programmer. This ensures that at least the caller is allowed certain permissions to execute the code residing in the JSP file. The granularity of the permissions depends directly on the type of caller. Is it a "user", a "power user", a "system admin", a "pre-defined DocIt system object" (forms subsystem), and so on? We need a powerful yet flexible security system, as it is important to register the permitted objects to execute only the rightful code determined by the DocIt system security policy.
This task is less specific and thus you have more flexibility to provide a solution. Please describe and analyze a security policy to prevent any executable code from running without its proper caller for the case scenario above. Be creative in determining the requirements for identifying the calling object and the code that checks for the proper credentials before permitting execution of the code. Say you have a hierarchy of inheritable permission objects. The code must be able to check that the caller belongs to the set of permission objects. Please use diagrams, case scenarios, and other designs to provide a basis for implementation. After the designs are reviewed alongside any other requirements, we will implement this security sub-system in the near future.

    You may also want to look at JAAS. http://java.sun.com/developer/technicalArticles/Security/jaasv2/
    It's probably a tad overkill for some JSP applications, but it would give you an additional layer of protection for documents, i.e., you can control access to actual files based on roles. I say it's a bit of overkill because Tomcat incorporates most of the ideas into their realms.

  • REPOST: where is weblogic.security.servlet.encodeXSS?

    http://e-docs.bea.com/wls/docs81/servlet/progtasks.html
    suggests to use
    weblogic.security.servlet.encodeXSS
    to encode output string to prevent cross-site scripting.
    my question is simple:
    where is weblogic.security.servlet.encodeXSS?
    I cannot find it anywhere under WL installation dir.
    -Thx

    There is a bug in documentation.
    encodeXSS is in
    weblogic.servlet.security.Utils
    You're welcome

  • In which way Servlet implements multiThread without servlet implement Run

    Hi,
In which way does a Servlet implement multithreading without the servlet implementing Runnable?
In general the servlet container uses one instance of the servlet to handle multiple requests (except when it implements SingleThreadModel).
I think that the container can achieve this in this way:
Myservlet ms;
1st way:
For each new request the container calls
new Thread() {
    public void run() {
        ms.service(request, response);
    }
}.start();
but I do not think in this way we get any performance.
It is better to create a pool of Myservlet and get objects from this:
ms1, ms2, ms3
2nd way is
Myservlet implements Runnable
and for each request
new Thread(new Myservlet()).start();
Please tell me in which way the container achieves multithreading of servlets.
Siddharth Singh([email protected])

You don't need to do any of this. The servlet container starts its own threads, and they call the servlet methods as required. All you have to do is synchronize your servlet internally as required to protect anything that needs protecting from multiple threads.
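An added illustration of the point in this reply (not code from the thread): the container calls one servlet instance from many threads, so anything kept in an instance field is shared between concurrent requests. The first servlet can leak one user's parameter into another user's response; the second keeps per-request data in locals and shares only a counter that is safe to share. It assumes the javax.servlet API; the class names are made up.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// UNSAFE: 'currentUser' is an instance field, so two concurrent requests
// overwrite each other and a response can carry the other request's value.
public class UnsafeGreetingServlet extends HttpServlet {
    private String currentUser;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        currentUser = req.getParameter("user");
        // Another thread may reassign currentUser between these two lines.
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + currentUser);
    }
}

// SAFE: request data lives in locals (one copy per thread). The only shared
// state is a counter whose updates are atomic, so no synchronized block is needed.
class SafeGreetingServlet extends HttpServlet {
    private final AtomicInteger requests = new AtomicInteger();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user"); // local: not visible to other threads
        int n = requests.incrementAndGet();     // shared, but updated atomically
        resp.setContentType("text/plain");      // plain text, so the echoed value is not rendered as HTML
        resp.getWriter().println("Hello " + user + " (request #" + n + ")");
    }
}
```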

  • Using beforeTrigger to implement VPD security model - any suggestions?

    Hi,
    I'm investigating using the beforeTrigger in a data set to implement VPD security. The idea is that a parameter containing the username would be passed to the beforeTrigger pl/sql function to set the user context for that database session. I got this to work in a small prototype, but ran into a couple of what seem to be significant restrictions.
1) The pl/sql package I name in the dataTemplate defaultPackage must contain a global variable for each report parameter. In my case I'm passing the username to the pl/sql method as a bind variable argument, so I don't need/want any global variables. This is a major problem as we will have lots of reports all with different parameters. I want to bind the parameters using the :PARAM bind variable in the queries themselves.
    Is there a way to avoid having to make each parameter a global variable?
    2) We will need the ability to call various pl/sql packages in different reports. The following ER makes it sound as if this is not possible - but I haven't actually tested it out:
    Bug# 6472921 - ALLOW FUNCTION CALL OUTSIDE OF DEFAULT PACKAGE IN DATA TEMPLATE
    Is it required that all of the pl/sql calls for a data set be within the same pl/sql package?
    I've included my dataTemplate below for reference.
    If anyone has experience establishing VPD security for a data set using this technique or another, I'm interested in hearing what you recommend.
    Thanks,
    Leslie
<dataTemplate name="TARGET_DATA_TEMPLATE" defaultPackage="MGMT_IP">
  <properties>
    <property name="debug_mode" value="on"/>
  </properties>
  <parameters>
    <parameter name="EMUSER" dataType="character" defaultValue="THREE"/>
  </parameters>
  <dataTrigger name="beforeReport" source="MGMT_IP.IPSETUSERCONTEXT(:EMUSER)"/>
  <dataQuery>
    <sqlStatement name="Q1">select TARGET_TYPE as TARGET_TYPE, TARGET_NAME
      as TARGET_NAME from mgmt$target order by TARGET_TYPE</sqlStatement>
  </dataQuery>
  <dataStructure>
    <group name="G1" source="Q1">
      <element name="TTTYPE" value="TARGET_TYPE"/>
      <element name="TNAME" value="TARGET_NAME"/>
    </group>
  </dataStructure>
</dataTemplate>

    Hi Leslie,
    Step 1.
Set up the VPD policy in the database.
Create some proxy users, create data sources and try querying by logging in with the different users.
You should be able to get different results based on the user logged in.
Step 2:
Package in data template.
For each report, you need to create a separate package.
And the parameters in the report should be declared as global variables in the package.
And once the trigger calls the package, then I guess the package has control to call other packages inside the database.
You can write all the functions in the default package.
Is it required that all of the pl/sql calls for a data set be within the same pl/sql package?
I guess yes, as of now. If you need anything outside this default, you can call them in the default package, like a wrapper maybe.
This is what I can think of right now.
Will try my luck on this and let you know :) in detail.

  • Web - What is easiest way to implement User Security and User Profiles

    Hi, I am new to these forums and kind of new to Java. Sorry if this is in the wrong forum!
    Bit of background to my experience with java
    I have been playing about with java for a number of years and have created a few basic programs such as a screen shot tool that allows you to capture to default locations and look at previews first etc. I am now venturing into web related stuff. I work in IT doing systems testing and have done bits of basic development on various things.
    What I've done so far
    I am using Netbeans IDE 6.7 and MySQL 5.0
    I am trying to learn more complex java and have decided to try build a basic web / database system that basically implements adding / amending / deleting data from a MySQL database through web pages. I am now trying to implement basic user access and profiles. I have so far got the following:
    - MySQL table with user info - username / password
    - JSP page with usual login stuff
    - Servlet that validates the username and password - if correct forwards to main menu page.
It's as simple as that - there is nothing stopping you just typing in the URL of the main menu page and going from there.
    What I want
    I am wanting to eventually get the following:
    - User authentication so that you have to logon before you can access anything else
    - User profiles that determine what each user can or can't do, restricting the pages / services / options available (i.e. normal user can't delete etc)
    - Would it need some sort of session manager to allow multiple users etc?
I appreciate this is a fairly open question, but what is the easiest way to start implementing this? I'm not after specific code as I would prefer to try to figure things out myself, but a point in the right direction would be great. It doesn't have to be extremely secure as this is just for me at the minute.
    I have spent all day looking at things like session data / url rewriting / security settings in web.xml / bespoke servlets and am now in java overload!

    Hi everyone,
    I've now actually gone back to the tutorial that I linked to above and implemented that using form login and j_security_check.
I agree with Saish, and although I don't know enough about the other options to give a good reason, using realms and j_security_check just seems to be a bit clunky and messy. I would also prefer something a bit more generic that doesn't rely on setting users in Glassfish, hence why I started with my own user table.
    Anyway, I will leave it as is for now and maybe come back and try one of the other options.
The only problem I can see now is that to add users I will need to go through all the steps of adding users in Glassfish and web.xml... Is there a way to do this through a servlet or something so I can have a JSP page to add users that also creates all the other bits for it to work?
    Thanks everyone for your help
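For the session-based route the poster started with (own user table, login servlet, nothing stopping a direct URL to the main menu), an added example of the missing piece, not code from the thread: a Filter mapped to the protected URLs that refuses requests without a logged-in user in the session and enforces a role on the pages a normal user must not reach. It assumes the login servlet stores a User object under the session attribute "user" after checking the password against the MySQL table, and Servlet 2.3 or later; the class, path and role names are illustrative.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Put in the session by the login servlet once the password check passes (assumed).
final class User {
    final String name;
    final String role; // e.g. "user" or "admin"
    User(String name, String role) { this.name = name; this.role = role; }
}

// Map this filter to /app/* in web.xml; every protected page then passes through here.
public class AccessFilter implements Filter {
    // Path prefix -> role required. Paths not listed need only a login.
    private static final Map<String, String> REQUIRED_ROLE;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("/app/delete", "admin");
        m.put("/app/users", "admin");
        REQUIRED_ROLE = Collections.unmodifiableMap(m);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        User user = session == null ? null : (User) session.getAttribute("user");

        if (user == null) {
            // Not logged in: send to the login page, never to the requested resource.
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        // Path relative to the context root, e.g. "/app/delete"
        String path = req.getRequestURI().substring(req.getContextPath().length());
        String needed = requiredRole(path);
        if (needed != null && !needed.equals(user.role)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    // Longest-prefix match so /app/delete/42 is covered by the /app/delete rule.
    static String requiredRole(String path) {
        String best = null;
        for (Map.Entry<String, String> e : REQUIRED_ROLE.entrySet()) {
            String prefix = e.getKey();
            if (path.startsWith(prefix) && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? null : REQUIRED_ROLE.get(best);
    }
}
```

Because the check runs in a filter rather than in each JSP, a new page under /app/ is protected the moment it is deployed, and the role table is the one place to edit when a page should be restricted further.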

  • Implementation of JAAS+servlet+jboss+sql database

    Hi,
I am trying to implement JAAS for a login module using code and a CallbackHandler (i.e. lc = new LoginContext(...)). I got some sample code which is used for command-line execution, but I need to implement it in a web application. What are all the files that I need to configure to implement JAAS in a web application, so that I can check the user name and password entered by the user against the values inside my SQL database? It would be appreciated if anyone could send some sample code to start work on JAAS.
    Regards
    kumar

    Kumar,
I am trying to do the same thing, but I am having a slight problem; maybe between the two of us we can figure it out. Here is what I have come up with so far:
1. Edit web.xml to specify which directories and pages are secured and accessed only by specific user roles (optional).
2. Edit login-config.xml, which is found in JBOSS_directory/server/default/conf or JBOSS_directory/server/all/conf depending on which version of the server you are using. You need to add the following to the login-config.xml file to include the JAAS DatabaseServerLoginModule; the configuration is as follows:
<application-policy name="testDB"> <!-- this is the name of the security policy which you refer to in jboss-web.xml -->
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="dsJndiName">java:/testDB</module-option> <!-- this is the datasource that is used to connect to your database -->
      <module-option name="principalsQuery">SELECT password from Principals where PrincipalID =?</module-option>
      <module-option name="rolesQuery">SELECT Role, Rolegroup FROM roles WHERE principalid=?</module-option>
    </login-module>
  </authentication>
</application-policy>
3. Edit jboss-web.xml with the following code:
<jboss-web>
  <security-domain>java:/jaas/testDB</security-domain>
  <context-root>/testJBOSSsecurity</context-root>
</jboss-web>
4. Create a login form with the action pointing to the servlet you will create in the next step.
5. Create the servlet that handles logging the user in:
****loginservlet.java*****
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.SecurityAssociationHandler;

public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        try {
            // Handler that answers the login module's name/password callbacks
            SecurityAssociationHandler handler = new SecurityAssociationHandler();
            Principal user = new SimplePrincipal(request.getParameter("j_username"));
            handler.setSecurityInfo(user, request.getParameter("j_password"));
            // "testDB" must match the application-policy name in login-config.xml
            LoginContext loginContext = new LoginContext("testDB", (CallbackHandler) handler);
            loginContext.login();
            Subject subject = loginContext.getSubject();
            Set principals = subject.getPrincipals();
            principals.add(user);
            out.println(subject.toString());
            //response.sendRedirect("securepage.java");
        } catch (LoginException e) {
            // Wrong name/password or module misconfiguration: do not let the request through
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
6. Create two database tables: one to hold the principalid (primary key) and password; this table is called principals. Create another table to hold the user roles; call this table roles, and it has three fields: principalid as a primary key and a foreign key from the principals table, role and rolegroup.
This is what I have so far, but it's not working. I have posted my problem in this link http://forum.java.sun.com/thread.jspa?threadID=5293266 as well as on other forums since two nights ago, but so far no replies. So read the post and you will get a better picture and try it out; if you have luck with it, please let me know.
Sam
