Time | S | Nick | Message
00:52 | | | SoniEx joined ##javaee
01:16 | | | Guest8293 joined ##javaee
03:14 | | | kobain joined ##javaee
03:15 | | | kobain joined ##javaee
03:15 | | | kobain joined ##javaee
04:20 | | | oO0Oo- joined ##javaee
04:46 | | | dangertools joined ##javaee
04:46 | | | dangertools joined ##javaee
06:02 | | | [[thufir]] joined ##javaee
06:09 | | | patouche joined ##javaee
06:11 | | | dks__ joined ##javaee
06:12 | | dks__ | hi
06:14 | | dks__ | HELLOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
06:15 | | grug | .
06:15 | | dks__ | ??
06:18 | | dks__ | Hello, I'm vaguely new to Java, I haven't used it in the past 10 years
06:18 | | grug | cool story
06:19 | | dks__ | ?
06:20 | | dks__ | grug, I don't see any discussion done by you, just looking at logs ... Best guess you're a newbie
06:21 | | Guest8293 | dks__, ask your question if you have one
06:21 | | dks__ | Okay Quest
06:21 | | Quest | dks__, I am about to leave though
06:23 | | dks__ | wow, you're an admin, you may have good experience,
06:24 | | dks__ | I work on Hadoop as principal architect
06:26 | | Quest | dks__, I suspect you are using webchat or a similar client / server that has IPs like gateway/web/freenode/ip.95.141.31.
06:26 | | Quest | This pattern is known for a troublemaker. Please change it and join with your regular real IP. Until then, I have to quit you by +q
06:27 | | grug | you realise that a LOT of people on freenode have that hostmask
06:28 | | Quest | can't take chances. If he wants to talk, he can come with a registered nick or a real IP.
06:28 | | grug | why don't you set mode +r?
06:29 | | Quest | new channel. Most complain about reg requirements, especially newbies
06:30 | | grug | blocking the entire gateway isn't really the smartest move, dude
06:30 | | Quest | I would find out soon what it implies.
06:32 | | | dks__ left ##javaee
06:35 | | grug | dude - think about it :P
06:35 | | Quest | investigated. changed my thought
06:38 | | Quest | grug, the gateway is freenode webchat
07:22 | | | [[thufir]] joined ##javaee
08:19 | | | obiat joined ##javaee
08:48 | | | sl33k joined ##javaee
10:11 | | * pdurbin | looks at http://programmers.stackexchange.com/questions/157991/reasons-not-to-use-jsf
10:11 | | pdurbin | via http://www.evanchooly.com/logs/%2523%2523jsf/2013-09-13
10:13 | | | raelianer joined ##javaee
10:29 | | raelianer | Hello, I'd like to start programming with JSF, but haven't really understood how to implement authentication and authorisation. I want to be able to manage this within the web application, like in drupal. It's a bit confusing to me that JAAS seems to be for integration with existing authentication systems... Could you give me advice on where to look for further information, like best practices?
10:44 | | pdurbin | raelianer: I'm looking for this too, actually. We have auth already in our JSF app at https://github.com/IQSS/dvn but I was thinking of starting with a much smaller "hello world" kind of JSF app and adding auth to it... to make the JSF app into a Shibboleth Service Provider (SP)
10:48 | | pdurbin | raelianer: how about "The hello1_formauth Example: Form-Based Authentication with a JavaServer Faces Application" at Examples: Securing Web Applications - The Java EE 6 Tutorial - http://docs.oracle.com/javaee/6/tutorial/doc/bncbx.html#bncby ?
10:49 | | | patouche joined ##javaee
10:50 | | raelianer | I already have followed a tutorial with the file realm, but I had to add the user by
10:50 | | raelianer | oops, didn't mean to send that
10:51 | | raelianer | I had to add the user via glassfish admin
10:52 | | raelianer | that does not seem to be very scalable...
10:55 | | pdurbin | yeah, no way. not scalable
10:56 | | pdurbin | here's the code from that tutorial I mentioned: https://svn.java.net/svn/javaeetutorial~svn/branches/javaee-tutorial-6/examples/security/hello2_basicauth/
10:57 | | | patouche joined ##javaee
10:59 | | raelianer | pdurbin yeah, I'm now trying to look at the code from github, but I first want to look how to get it conveniently into netbeans. As far as I have seen you have to use the glassfish admin there, too, don't you?
11:19 | | pdurbin | raelianer: here's our dev guide for DVN. Yes, we use Netbeans and Glassfish: http://devguide.thedata.org/build
11:25 | | raelianer | okay thanks, though I guess it won't work with SSH as I don't have access to that repository?
11:27 | | pdurbin | raelianer: correct
11:29 | | raelianer | pdurbin: Okay, trying to clone that repository now... I'm still not used to all the different formats of SSH certificates, I got one from CAcert.
11:32 | | | patouche joined ##javaee
11:34 | | pdurbin | raelianer: you can just clone https://github.com/IQSS/dvn.git with no ssh or any cert at all
11:35 | | raelianer | pdurbin: yeah, it just took a loooong time, so I was wondering what's wrong.
11:39 | | pdurbin | it's a big fat repo. many jars :( ... we're hoping to move to maven soon: https://redmine.hmdc.harvard.edu/issues/2738
11:52 | | | SoniEx joined ##javaee
12:30 | | | sl33k joined ##javaee
12:31 | | | sl33k1 joined ##javaee
12:43 | | raelianer | pdurbin: there is no auto-depends.jar in my modules directory...
12:44 | | | Quest joined ##javaee
12:46 | | pdurbin | raelianer: what version of Glassfish are you using? We use 3.1.2
12:47 | | raelianer | pdurbin: ok, I use Glassfish 4.0
12:47 | | pdurbin | hmm. I have no idea if our app even works with that
12:48 | | | sl33k joined ##javaee
12:48 | | raelianer | pdurbin: this with regard to backwards compatibility...
12:51 | | pdurbin | I'm sure some day/year we'll move to Glassfish 4.x
13:08 | | raelianer | pdurbin: okay, so you have your own UserServiceBean... this somehow looks like you've implemented the whole authentication system by yourself
13:08 | | pdurbin | raelianer: sounds right, I think. I haven't worked on that part of the code yet
13:09 | | pdurbin | I know we use roles
13:10 | | pdurbin | VDCRole: https://github.com/IQSS/dvn/blob/develop/src/DVN-web/src/edu/harvard/iq/dvn/api/datadeposit/SwordAuth.java
13:11 | | raelianer | pdurbin: you have a RoleServiceBean there, too and it seems to read directly from the database...
13:12 | | pdurbin | sounds right
13:12 | | raelianer | pdurbin: yeah, so I guess that's all your own implementation...
13:13 | | pdurbin | raelianer: yeah. you mentioned some blog post you read. How do other people do it?
13:13 | | raelianer | pdurbin: I was really hoping that java would provide some mechanism that I could just use out of the box by defining where it has to look...
13:18 | | raelianer | pdurbin: I can't see where I mentioned a blog post, I have been reading books and the documentation http://docs.oracle.com/javaee/7/tutorial/doc/security-advanced003.htm
13:20 | | pdurbin | raelianer: oh, tutorial, I mean. sorry. you also mentioned JAAS. does it help at all? http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service
13:26 | | raelianer | pdurbin: yeah, maybe I should have a look at http://www.jguard.net/ (open source project which can secure standalone or web applications based on JAAS)
13:26 | | | Naros joined ##javaee
13:27 | | pdurbin | hmm. "jGuard is a library that provides EASY security (authentication and authorization) for Java web applications."
13:28 | | raelianer | pdurbin: yeah, that EASY sounds very appealing to me ;)
13:28 | | pdurbin | raelianer: you mean you don't like ours? ;)
13:30 | | raelianer | pdurbin: I mean yours is configured for a complex application and I would have to find documentation for it, while I guess a library that is solely meant for that purpose will have some support for a newbie like me ;)
13:30 | | pdurbin | sure. I kid :)
13:30 | | raelianer | pdurbin: and they say it is EASY!!!11!!
13:30 | | raelianer | :D
13:31 | | pdurbin | everything in Java EE is easy ;)
13:31 | | raelianer | Unfortunately I haven't found this "everything" yet ;)
13:32 | | raelianer | it's easy when you know it...
13:34 | | raelianer | pdurbin: and btw, I'd like to have support for CAcert certificates there, too. For my wordpress blog I've found an implementation that will just register you automatically when you have a CAcert class 3 certificate.
13:41 | | pdurbin | oh, right. "community-driven" certs... I've heard of this: http://en.wikipedia.org/wiki/CAcert.org
13:43 | | raelianer | pdurbin: and I think the way you build the queries is not the way it should be done any longer...
13:44 | | pdurbin | raelianer: hmm? something about a query?
13:44 | | raelianer | pdurbin: lowerSearchString.replaceAll("'", "''")... I'm not sure if that's enough...
13:45 | | raelianer | pdurbin: I've just read that there are security issues with this way of implementing it
13:45 | | * pdurbin | runs `git blame src/DVN-EJB/src/java/edu/harvard/iq/dvn/core/admin/UserServiceBean.java`
13:45 | | raelianer | pdurbin: maybe you can use SQL-injection here
13:46 | | pdurbin | raelianer: interesting. any blog posts or whatever about it?
13:46 | | raelianer | pdurbin: I've read about it in a book, I will look for it...
13:47 | | raelianer | pdurbin: and I guess it's included in the JPA tutorials
13:48 | | pdurbin | raelianer: have a link to the specific section?
13:49 | | raelianer | pdurbin: I'm looking for it, it was just from memory that they have mentioned security issues there
13:51 | | raelianer | pdurbin: http://docs.oracle.com/javaee/7/tutorial/doc/persistence-querylanguage002.htm
13:51 | | raelianer | pdurbin: I guess that is how it should be done...
13:52 | | raelianer | pdurbin: so Java can take care of SQL injections
13:52 | | pdurbin | raelianer: so you would re-write https://github.com/IQSS/dvn/blob/d1c09fd9b544e917c6ee603d18053cb25352a679/src/DVN-EJB/src/java/edu/harvard/iq/dvn/core/admin/UserServiceBean.java#L302 ?
13:54 | | raelianer | pdurbin: "The main disadvantage to string-based queries is their lack of type safety, which may lead to runtime errors due to type mismatches that would be caught at development time when using strongly-typed metamodel queries."
13:54 | | raelianer | pdurbin: http://docs.oracle.com/javaee/7/tutorial/doc/persistence-string-queries001.htm
13:55 | | raelianer | pdurbin: As it seems to work, I guess it's not necessary...
13:56 | | raelianer | pdurbin: when it's just type safety
13:57 | | * pdurbin | looks at bobby-tables.com: A guide to preventing SQL injection in Java - http://bobby-tables.com/java.html
13:59 | | raelianer | pdurbin: https://weblogs.java.net/blog/caroljmcdonald/archive/2009/10/02/top-10-web-security-vulnerabilities-number-2-injection-flaws
14:01 | | raelianer | pdurbin: in doubt... I guess it would be better to rewrite it, but as I'm not a security expert I can't say if it's exploitable this way
14:02 | | pdurbin | yeah, I'm not sure either. this seems like good advice though (from your last link): "Use Query Parameter binding with typed parameters, this ensures the input data can only be interpreted as the value for the intended parameter so the attacker can not change the intent of a query."
14:03 | | raelianer | yeah, exactly
14:04 | | pdurbin | "This sets the first question mark placeholder to the value of the input parameter empId in the SQL command. Any dangerous characters - such as semicolons, quotes, etc.. should be automatically escaped by the JDBC driver."
14:05 | | raelianer | pdurbin: I just know they changed it in drupal to be handled like this... it's written in php though, but it was a big security concern for them
14:06 | | pdurbin | yeah, I've seen similar advice for Perl. This, basically... "parameterized SQL calls": http://bobby-tables.com/perl.html
14:07 | | raelianer | pdurbin: and Bruce Schneier says implementations should be as simple as possible, regarding security...
14:07 | | pdurbin | sure
14:08 | | raelianer | it's not a problem when it's no user input
14:09 | | raelianer | pdurbin: but in the UserServiceBean it looks like it could be user data... I don't know, it's a big application ;)
14:09 | | pdurbin | that it is :)
14:11 | | raelianer | pdurbin: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
14:14 | | pdurbin | good stuff
14:19 | | raelianer | yeah :) username could be /*
14:20 | | raelianer | SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('$password'))) and the rest would be seen as comment
14:21 | | raelianer | or stacked queries with ;
14:22 | | raelianer | pdurbin: could be fun to try that with the live website :D
14:22 | | raelianer | pdurbin: username = username; DROP TABLE ALL; :D
14:22 | | pdurbin | :)
14:23 | | raelianer | pdurbin: that website is really great: https://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OWASP-DV-005%29
14:39 | | raelianer | ok, I will look for further information about JAAS then... see you later... maybe ;)
14:52 | | | SoniEx joined ##javaee
14:53 | | | kobain joined ##javaee
15:15 | | | Sircle joined ##javaee
15:22 | | | sl33k1 joined ##javaee
15:24 | | | sl33k2 joined ##javaee
15:36 | | | sfisque joined ##javaee
15:37 | | pdurbin | looks like a bug has been filed: https://redmine.hmdc.harvard.edu/issues/3296
15:38 | | | sl33k joined ##javaee
15:38 | | sfisque | what project has this attack vector?
15:38 | | sfisque | *** product
15:57 | | | Quest joined ##javaee
15:58 | | | sl33k1 joined ##javaee
16:01 | | | sl33k joined ##javaee
16:43 | | | sl33k joined ##javaee
16:44 | | | sl33k joined ##javaee
16:47 | | pdurbin | sfisque: I'm not sure that an actual attack vector has been identified
16:48 | | whartung | attack vectors? What are we babbling about?
16:48 | | * pdurbin | does like to babble
17:10 | | | kobain joined ##javaee
17:20 | | | sl33k joined ##javaee
17:29 | | | Quest joined ##javaee
18:31 | | | acuzio joined ##javaee
18:37 | | | sl33k1 joined ##javaee
19:06 | | | sl33k joined ##javaee
19:21 | | | oO0Oo joined ##javaee
20:23 | | pdurbin | so... any minimal ways to do auth in Java EE? I guess I'll look at https://svn.java.net/svn/javaeetutorial~svn/branches/javaee-tutorial-6/examples/security/hello2_basicauth/ as I mentioned earlier today. this is just for testing
20:24 | | pdurbin | I'll probably just start with the OIOSAML does and see where they lead me: https://svn.softwareborsen.dk/oiosaml.java/sp/trunk/docs/intro.html
20:24 | | pdurbin | docs*
20:52 | | | Quest joined ##javaee
21:05 | | | SoniEx joined ##javaee
21:52 | | | Quest joined ##javaee
22:14 | | sfisque | depends. are you using jboss?
22:14 | | sfisque | jboss has about 8 built-in JAAS providers
22:17 | | whartung | JAAS in general in terms of its implementation is plain awful
22:17 | | whartung | specifically in regards to web authentication
22:23 | | sfisque | aye, but if you want quick and dirty CMAA, it works fine, especially if the container provides you off-the-shelf providers.
22:27 | | whartung | CMAA?
22:30 | | sfisque | container managed auth/auth
22:30 | | pdurbin | crimsonfubot: lucky java CMAA
22:30 | | crimsonfubot | pdurbin: https://www.cmaa.org/template.aspx?id=27120
22:30 | | whartung | heh
22:30 | | pdurbin | bah
22:30 | | pdurbin | sfisque: thanks. was slow on the draw
22:31 | | pdurbin | sfisque: I'd prefer glassfish since it's what our actual app uses
22:31 | | sfisque | aye. you'll have to completely roll your own or use a third-party provider then. GF doesn't bundle any
22:32 | | whartung | no, it bundles several realms
22:32 | | whartung | file, jndi, jdbc
22:32 | | whartung | for use with basic web auth
22:32 | | whartung | those work fine
22:32 | | sfisque | oh, basic
22:32 | | sfisque | who uses basic?
22:33 | | sfisque | none integrate with form auth at all unless they changed that in 4.x
22:33 | | whartung | sure they do
22:33 | | whartung | container form auth? Yeah they all do
22:33 | | whartung | container form auth is just crummy, but it works fine
22:34 | | sfisque | can you link some docs? when I researched this a year ago for our app, I did not find anything that indicated off-the-shelf JAAS providers in GF
22:34 | | pdurbin | my kid wants me to read her new Scooby Doo comic to her but go on, I'll catch up :)
22:34 | | whartung | didn't say it was JAAS
22:35 | | whartung | Said it was realams
22:35 | | whartung | realms
22:35 | | sfisque | OH, tomcat crap
22:35 | | whartung | no, glassfish
22:35 | | sfisque | 3 guesses what engine is used for servlets in GF
22:35 | | whartung | http://docs.oracle.com/javaee/6/tutorial/doc/bnbxj.html
22:35 | | whartung | yes
22:36 | | sfisque | so it's basically leveraging TC's realms. blech.
22:36 | | sfisque | I'll take jaas over tc's realms any day
22:36 | | whartung | http://glassfish.java.net/javaee5/security/faq.html#pluglogin
22:38 | | sfisque | aye. that's what I was indicating. they support jaas (have to, it's part of the spec) but they don't give you any. jboss bundled around 8 (at least that's how many 4/5.x bundled)
22:39 | | sfisque | all I had to do was write a little xml, and my apps were using database tables for auth and the container was exposing it to the various layers. zero code
22:39 | | whartung | I haven't bothered to look at the difference between a JAAS login module and a GF realm.
22:39 | | whartung | yea, you can do that in GF
22:39 | | whartung | db, jndi (Ldap), and files
22:39 | | sfisque | aye. I just dislike realms and they're not portable
22:39 | | whartung | no they're not portable
22:40 | | sfisque | I always found the documentation for realms… lacking clarity….
22:40 | | whartung | yes
22:43 | | sfisque | so here's a fun question. anyone here ever connected a solaris x86 machine to a corporate vpn (cisco endpoint)?
22:43 | | whartung | uh…not in this century...
22:44 | | sfisque | lolz
22:44 | | whartung | poor solaris. so disappointed what oracle has (not) done to OpenSolaris/Indiana/Whatever it is today
22:45 | | whartung | coulda been a contenda...
22:45 | | sfisque | I know cisco had a sparc client, but they have no "official" x86 client. at least one they will not admit to. but supposedly there was a non-commercial client that was used at sun internally
22:45 | | whartung | ugh
22:45 | | whartung | do they have an oss linux client?
22:45 | | sfisque | negative. closed source linux
22:46 | | sfisque | supposedly even runs on slackware
22:46 | | sfisque | afaik, cisco has never OSSed anything
22:46 | | whartung | solaris should be able to run Linux binaries >.<
22:47 | | whartung | "what could possibly go wrong..."
22:47 | | sfisque | lolz
22:47 | | sfisque | if they were statically linked, maybe
22:47 | | whartung | yea
22:47 | | sfisque | as soon as a single elf call went out. boom
22:48 | | whartung | "Well I copied 100G of stuff in to /u/centos...."
22:48 | | whartung | I'm sure a determined linux/solaris geek might be able to pull it off
22:49 | | sfisque | aye. I have "openvpn" installed, but I have no idea how to connect it to cisco hardware. I've done OVPN -> OVPN endpoint. that's easy
22:49 | | sfisque | but I have no clue how to configure it or if it even supports connecting to cisco hardware
22:49 | | sfisque | and googling hasn't turned up much hope
22:50 | | whartung | yea, cisco is … cisco
22:50 | | sfisque | got that right, bruthah
22:50 | | * sfisque | shakes his fist at cisco
23:09 | | pdurbin | sfisque: give www.infradead.org/openconnect/ a try. I switched to it after first using https://github.com/pdurbin/anyconnect
23:12 | | sfisque | I will give that a shot. thx!
23:15 | | sfisque | if I can get it to work, my ultimate goal of running my corp windows install virtualized to a minimum (to run outlook) and doing all my dev on solaris will be achieved :-)
23:15 | | sfisque | I'd do it on slackware, but I'm not in the mood to spend months getting VBox running on slackware
23:16 | | whartung | …or you can get a mac ...
23:16 | | sfisque | I have one, but I prefer not doing corp work on it. I use the mac for "my own work" :P
23:17 | | sfisque | and "they" are very resistant to handing contractors macs
23:17 | | * sfisque | shakes his fists at "them"
23:27 | | | oO0Oo joined ##javaee
23:34 | | pdurbin | sfisque: sure thing
23:45 | | | neuro_sys joined ##javaee