
using an applet to verify a user's credentials

 
J (Guest)
Posted: Fri May 18, 2007 2:25 am    Post subject: using an applet to verify a user's credentials



I have a rather large set of web pages which are all linked and
categorized. Some of them are ok for anyone to look at, others are not.

Is there a way that I can use a Java Applet to ask a user for their ID
and check against a list of valid user IDs and deny them access if it's
not one of the allowed users? My biggest concern in this is not the
writing of the code, but hiding the source for the applet so that no one
can see what I'm doing behind the scenes. Of course, in a professional
environment, this would never happen, but I need to be sure. There are
some pieces of information that I don't want anyone to know (like how to
do certain things..sorry for the cryptic nature of the post) except for
certain users.

The ideal thing would be to have the applet check the user's domain ID
without asking for it and instantly allowing or denying access.
Andrew Thompson (Guest)
Posted: Fri May 18, 2007 7:11 am    Post subject: Re: using an applet to verify a user's credentials



J wrote:
> I have a rather large set of web pages which are all linked and
> categorized. Some of them are ok for anyone to look at, others are not.
>
> Is there a way that I can use a Java Applet to ask a user for their ID
> and check against a list of valid user IDs and deny them access if it's
> not one of the allowed users?

Yes - but there are also relatively easy ways to ..
- ..change bytecodes to do whatever the user wants.
- ..detect all calls to and from the PC, and replicate
any parts of the outbound calls, accurately or
otherwise, as the user wishes.

Any security that is required, should be implemented
on the server.

--
Andrew Thompson
http://www.athompson.info/andrew/

Daniel Dyer (Guest)
Posted: Sat May 19, 2007 2:53 am    Post subject: Re: using an applet to verify a user's credentials



On Thu, 17 May 2007 22:25:17 +0100, J <printdude1968 (AT) gNOSPAMmail (DOT) com>
wrote:

> I have a rather large set of web pages which are all linked and
> categorized. Some of them are ok for anyone to look at, others are not.
>
> Is there a way that I can use a Java Applet to ask a user for their ID
> and check against a list of valid user IDs and deny them access if it's
> not one of the allowed users? My biggest concern in this is not the
> writing of the code, but hiding the source for the applet so that no one
> can see what I'm doing behind the scenes. Of course, in a professional
> environment, this would never happen, but I need to be sure. There are
> some pieces of information that I don't want anyone to know (like how to
> do certain things..sorry for the cryptic nature of the post) except for
> certain users.
>
> The ideal thing would be to have the applet check the user's domain ID
> without asking for it and instantly allowing or denying access.

This is like putting a padlock on a tent. It's just not going to stop
somebody from getting in if they want to. If client-side code is deciding
which URLs to allow access to, what's to stop the user just finding out
the URL of the content and going to it directly? And furthermore, if the
applet is the only thing denying access, I could just turn off applets and
avoid the checks.

"Hiding the source" is known as "security by obscurity". It is not really
security in any meaningful sense, it just deters less committed attackers.

As Andrew said in his response, doing the restrictions server-side is the
only workable solution. If your site is on Apache, it's trivial to get
some basic protection with .htaccess. This is probably good enough for
the situation you describe, though not bullet-proof (data is still sent
unencrypted between client and server unless you also use HTTPS). This
kind of configuration should be possible even with cheap web hosting
accounts.

Dan.

--
Daniel Dyer
https://watchmaker.dev.java.net - Evolutionary Algorithm Framework for Java
TideRider (Guest)
Posted: Sat May 19, 2007 3:50 am    Post subject: Re: using an applet to verify a user's credentials

Another issue with trying to use an applet for user authentication is that you
are providing, to a greater or lesser degree, account information for all your
valid accounts. This is especially a problem if it includes accounts with more
potent access rights.

Even when your account matrix is on the server, you should take care to keep
it secured from attack. Transmitting it in any form to the Internet is just plain reckless.

--
TideRider
printdude1968@gmail.com (Guest)
Posted: Sat May 19, 2007 5:35 am    Post subject: Re: using an applet to verify a user's credentials

On May 18, 7:50 pm, "TideRider" <4me2k...@noyb.com> wrote:
> Another issue with trying to use an applet for user authentication is that you
> are providing, to a greater or lesser degree, account information for all your
> valid accounts. This is especially a problem if it includes accounts with more
> potent access rights.
>
> Even when your account matrix is on the server, you should take care to keep
> it secured from attack. Transmitting it in any form to the Internet is just plain reckless.
>
> --
> TideRider

It's an intranet site, not accessible from the outside world. The
only reason I am wanting to do this is to protect the administrative
information. There are only a couple of people who should know how to
do certain things. There are no passwords on the site, nor is there
anything which is truly destructive, it's a purely informational/how-
to site. But I would rather restrict access to certain pieces of
information than to get paged at 3 AM because someone did something by
accident. I had another thought last night... if I were to code a JSP
which checks the entered username and password against a database
table, I might be able to hide more information.
TideRider (Guest)
Posted: Mon May 21, 2007 6:33 am    Post subject: Re: using an applet to verify a user's credentials

<printdude1968 (AT) gmail (DOT) com> wrote in message news:1179534958.403058.266510 (AT) h2g2000hsg (DOT) googlegroups.com...
| On May 18, 7:50 pm, "TideRider" <4me2k...@noyb.com> wrote:
| > Another issue with trying to use an applet for user authentication is that you
| > are providing, to a greater or lesser degree, account information for all your
| > valid accounts. This is especially a problem if it includes accounts with more
| > potent access rights.
| >
| > Even when your account matrix is on the server, you should take care to keep
| > it secured from attack. Transmitting it in any form to the Internet is just plain reckless.
| >
| > --
| > TideRider
|
| It's an intranet site, not accessible from the outside world. The
| only reason I am wanting to do this is to protect the administrative
| information. There are only a couple of people who should know how to
| do certain things. There are no passwords on the site, nor is there
| anything which is truly destructive, it's a purely informational/how-
| to site. But I would rather restrict access to certain pieces of
| information than to get paged at 3 AM because someone did something by
| accident. I had another thought last night... if I were to code a JSP
| which checks the entered username and password against a database
| table, I might be able to hide more information.

That is the approach I would take. If this is the only thing you need a database table for,
you may also consider an XML file, or even a static data structure, since it doesn't
sound like you need a dynamic list of users.

--
TideRider
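
The server-side check this thread settles on, as an added example that is not part of any poster's message: a static user table, consulted only on the server, that stores salted PBKDF2 hashes instead of passwords. The class name `AdminGate`, the work factor and the sample account are assumptions made for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class: runs on the server only, so neither the user list nor the check reaches the browser.
public class AdminGate {
    private static final int ITERATIONS = 600_000, KEY_BITS = 256; // assumed work factor
    private record Entry(byte[] salt, byte[] hash) {}
    // Static user table as suggested in the thread; it holds salted hashes, never passwords.
    private final Map<String, Entry> users = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    // Stand-in entry so a lookup for an unknown user costs the same derivation as a known one.
    private final Entry dummy = derive("placeholder".toCharArray());

    private static byte[] pbkdf2(char[] pw, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pw, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private Entry derive(char[] pw) {
        byte[] salt = new byte[16];
        rng.nextBytes(salt); // fresh random salt per account
        return new Entry(salt, pbkdf2(pw, salt));
    }

    public void addUser(String name, char[] pw) { users.put(name, derive(pw)); }

    // True only for a known user with the right password; the hash comparison is constant-time.
    public boolean verify(String name, char[] pw) {
        Entry stored = users.get(name);
        Entry e = (stored != null) ? stored : dummy;
        boolean match = MessageDigest.isEqual(pbkdf2(pw, e.salt()), e.hash());
        return match && stored != null;
    }

    public static void main(String[] args) {
        AdminGate gate = new AdminGate();
        gate.addUser("admin1", "constructed-sample-pw".toCharArray()); // constructed sample account
        System.out.println(gate.verify("admin1", "constructed-sample-pw".toCharArray()));
        System.out.println(gate.verify("admin1", "wrong".toCharArray()));
        System.out.println(gate.verify("nobody", "constructed-sample-pw".toCharArray()));
    }
}
```

A JSP or servlet would call `verify` before serving a restricted page and return an error status otherwise, so requesting the page's URL directly hits the same check.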