I'd like to use the evercookie javascript library to receive the users cookie and make the spring security rememberme-service use it.
I read a bit about implementing a custom remember-me service, but I think I just need to discover the cookie on the client-side using the evercookie library. I've got zero knowledge about cookie handling, so any help how to implement the evercookie library so that a cookie will be set and discovered through the library would be appreciated.
evercookie: samy.pl
In my opinion evercookie isn't good choice. It is generating tremendous number of http requests. It has killed my browser. Your users will be fourious about it.
See http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/Cookie.html
Related
My client suggests that implementing a web service using WS-Policy entries inside the WSDL (using WS-SecurityPolicy standard, which seems to be the recommended way) might cause incompatibility issues with clients that call the web service. My first question is, are his concerns correct? If not, how can I prove to my client that it is safe to use WS? I could not find anything on the subject.
If compatibility issues can indeed occur, I need to find a different way to implement WS-Security requirements (like signing parts etc.) without Spring, using JavaEE APIs. I could not find anything on that subject either. The only thing I could find is about standalone web services but I do not want that, I want a web application and I need to use JavaEE APIs (so no Spring).
Any help will be appreciated.
If you have pre-existing clients already using this webservice, then yes it will break compatibility if you add WS-Security.
But if no one is using it, or it hasn't been developed yet, how will this cause compatibility issues?
Personally I see WS-Security as rather complex, particular in the area of signing and encryption, so if your client had said that some clients might not have the skills to implement the web service I would have been inclined to agree with him.
I am new to Enyo and web services. I am looking to build a web page with Enyo that will require use of Echonest. Can anyone help me understand how to connect to the Echonest service from inside Enyo and whether to use SOAP, REST, or something else?
I assume you are talking about the Echo Nest found here: http://the.echonest.com ?
Briefly glancing at their API, you may not have to use SOAP or REST since everything is accessible with simple GET requests through the Web service. It looks like the hardest part of using their API will be generating OAuth signatures for authenticated requests.
As far as the enyo.WebService, http://enyojs.com/api/#enyo.WebService, goes, you should be able to include the kind, set the URL and call the .send() method on it. Then you response handler would get the data back (I recommend json) so you can do what you will with it.
Another option would be to use enyo.Ajax, http://enyojs.com/api/#enyo.Ajax, directly. enyo.WebService wraps that and provides a familiar (to Enyo 1 developers) way to use it.
My team and me are currently working on quite a large project. We are working on an online game, which will be accessible (for the moment), in two ways:
-Via a web browser, an application full JavaScript(client-side), full Ajax (basically meaning that the UI will be managed in JS client side).
-Via an iPhone application (the UI will be managed by the application itself).
Between the two different applications, the core logic remains the same, so I believe (I could be wrong), that the best solution would be to create a web service (if possible using standards such as RESTful or Rest) capable of perming all necessary operations.
Following this logic, I have encountered a problem: the authentication and identity management of the user. This poses problem as the applications users need to be authenticated to preform certain operations.
I’ve looked into WS-security, but this obviously requires passwords to be stored, unencrypted on the server, which is not acceptable!
I then looked into Oauth, but at first glance this seemed like a lot of work to set up and not particularly suited to my needs (the way that applications have to be accepted does not please me since it will be my application and my application only using the web service, not any external application).
I’ve read and heard about a lot of other ways to do what I want, but to be honest, I’m a little confused and I don’t know what information is reliable and what isn’t.
I would like to note that I’m using symfony2 for the backend and jquery for the client side JavaScript.
Furthermore, I would like a detailed, step-by-step response, because I really am confused with all that I have read and heard.
Thank you for your time, and I hope someone can help me as it’s quite urgent.
Good evening
I'm not entirely sure if this answers your request, but since the UI will always be handled on the client side, I think you could use stateless HTTP authentication:
This is the firewall in security.yml:
security:
firewalls:
api:
pattern: ^/api/ # or whatever path you want
http_basic: ~
stateless: true
And then the idea basically is that on the server, you use your normal user providers, encoders and whatnot to achieve maximal security, and on the client, you send the HTTP authentication headers, for example, in jQuery:
$.ajax("...", {
username: "Foo",
password: "bar"
});
Please note that since the authentication is stateless (no cookie is ever created), the headers have to be sent with every request, but, I figure, since the application is almost entirely client-side, this isn't a problem.
You can also check the Symfony2 security manual for further information on how to setup HTTP authentication. Also be sure to force HTTPS access in your ACL, so the requests containing the credentials are secured (requires_channel: https in your ACL definitions).
We developed a web service which is accessed by various platforms clients, for example it is requested by c++ and Java enabled clients.
I want to use simple, effective encryption Algorithm which is easily decrypted by JAVA - C++ and JAVA script based clients.
Why not just deliver your service over HTTPS?
Why write anything?
The most widely-compatible method of Web Service security that is still actually secure is Transport with Message Credentials. This uses SSL (https) for transport-layer security, which handles the encryption aspect, and passes a username/password in the SOAP header, which handles the authentication side.
It is not as secure as mutual-certificate authentication, which also gives you non-repudiation, but it is good enough for the vast majority of applications.
Several other options exist, but T/MC is usually the easiest to get working across platforms (.NET, Java, C++).
If you need to add javascript into the mix then I'm afraid you may be disappointed, as that is a serious game-changer. Although there do seem to exist various JavaScript SOAP Client implementations, SOAP is a second-class citizen in the JavaScript world, and I don't believe that any existing libraries have proper support for WS-Security or really WS-Anything except for the basic profile.
If you want your web service to be consumable by JavaScript then you want to go for REST instead of SOAP. I know that .NET (WCF) is pretty good at this but I'm not too sure how well Java and C++ fare. I believe that the transport security should be simple enough (it's just SSL), but it's likely that you'll have to implement some custom authentication code to get it working across platforms. Either way, you definitely want to go the SSL route; please do not try to roll your own encryption scheme.
If you already have the service implementation which is Base profile compliant and you want to keep on supporting various platform clients, extend your current service with WS-Security/WS-Trust. This will allow for encrypting/signing the content of the message, without loosing interoperability.
Depending on which toolset you used for your original implementation, the inclusion of WS-Security can be as easy as 'flicking a switch and selecting some options in your configuration file' (WCF/ASMX+WSE).
Since you mention the various platforms client side, I assume this is one of your main requirements.
Hope this helps.
You can simply use HTTPS which is easily implementable in both C++/Java clients (e.g. using the GNUtls library). On the server side, you will only need some small configuration changes.
Apart from the different request code, you have to create a self-signed SSL server certificate and install it on the clients. Of course this is not a good idea if the web service is public, where you need trust (= a real SSL certificate). But if it's only used internally, self-signed certificates are a quite good solution, as long as you keep the private key secret.
We currently have an application that runs an embedded jetty 6.1.14 server to which we need to add authentication via Kerberos. I'm new to Kerberos, which makes the task about 100x harder that maybe it should be. I've scoured the internet and have found conflicting reports as to whether or not it is even possible but nothing much to provides guidance as to how to proceed.
I've managed to have the server basically be able to authenticate the users via kerberos but can't find away to have the client automatically send its kerberos ticket: I have to use the from auth-method, though there are hints that this may be using filters, which are very poorly documented.
My question - and I apologize for it being a bit vague, I've not been this exasperated in quite a long time - is to request some guidance for plugging in kerberos authentication without login forms in Jetty 6? Or am I just out of luck? Has anyone added this type of authentication to jetty 6?
If Jetty supports Servlet Filters (JSR-53), then this open source project http://spnego.sourceforge.net might be what you are looking for.
You have to prepare your domain environment first. Make sure that your server if part of your domain (joined it). Then you have to create an machine account and assign an SPN. If you have done that, create a keytab for that account. From now on a client will be able to search for the host in the domain and create a ticket for. Then comes Jetty into play.