From: <php...@li...> - 2012-09-07 19:25:54
Hello all, I'm in the process of deploying an application which uses PHP/Java Bridge, and I'm having some difficulty figuring out how to secure the bridge against unauthorized usage. I've configured Tomcat to block access to the servlet except from localhost, but unless I'm mistaken, this still allows everybody on my shared hosting server to run arbitrary Java code in my container (reading or writing any of my files, etc.). This is certainly not ideal. I have followed the instructions to run P/JB with Tomcat's security manager (http://php-java-bridge.sourceforge.net/pjb/FAQ.html#tomcat-security), but this appears to simply bypass the security manager altogether, making it something of a non-solution. I would like to do one or ideally both of the following:

1. Run PHP/JavaBridge with a security manager so that I can prevent it from accessing files or directories not specifically required by my application.
2. Require authentication (e.g. basic HTTP authentication) when connecting to the PHP/Java Bridge servlet (presumably I could set this up in Tomcat, but I don't see any way to perform the authentication on the client end from my PHP application).

Any pointers would be appreciated. Thank you!

-Jon
From: <php...@li...> - 2012-09-07 19:34:03
Use Apache as a front end and a JEE server as a back end, and block all access to the JEE port except from localhost. If you install and update Apache (or any other HTTP server) from your Linux distribution (Red Hat or Debian) you should be relatively safe.
From: <php...@li...> - 2012-09-07 19:46:38
Hi again. Sorry, I misunderstood your post. There's no reasonable way to sandbox your application. In general Java's security manager is the wrong path, but it might work for your specific application. You might want to implement your own Xen-based solution instead.
From: <php...@li...> - 2012-09-07 19:47:00
On Fri, Sep 7, 2012 at 4:33 PM, <php...@li...> wrote:
> If you install and update Apache (or any other HTTP server) from your Linux
> distribution (Red Hat or Debian) you should be relatively safe.

He said he's running a shared hosting account, quote: "this still allows everybody on my shared hosting server..."

FC
--
During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell
From: <php...@li...> - 2012-09-07 20:53:17
Thanks for your responses. Yes, it's a shared host, so it's not especially secure to begin with, but a service that lets all and sundry execute any Java code they desire is one more gaping hole I'd prefer not to have open.

Am I correct that there's no support for authentication within the client in Java.inc? If so, can anybody shed any light on why it's not supported? (i.e. is it more complicated to implement than I'm imagining? Is the back-end communication not happening over HTTP? Did it just never occur to anybody that somebody might want this feature?) In other words, if I decide to try modifying the client to support basic authentication, will I live to regret it? :)

Thanks again,
-Jon

On Fri, Sep 7, 2012 at 3:46 PM, <php...@li...> wrote:
> On Fri, Sep 7, 2012 at 4:33 PM, <php...@li...> wrote:
> > If you install and update Apache (or any other HTTP server) from your Linux
> > distribution (Red Hat or Debian) you should be relatively safe.
>
> He said he's running a shared hosting account, quote: "this still allows
> everybody on my shared hosting server..."
>
> FC
> --
> During times of Universal Deceit, telling the truth becomes a revolutionary act
> - George Orwell
From: <php...@li...> - 2012-09-07 21:55:10
You can secure the back end using basic auth and send something like

    "Authorization: Basic " . base64_encode($user . ":" . $pass)

but this won't solve the other problems (files, all apps running in shared memory).
From: <php...@li...> - 2012-09-08 00:05:34
Sent from my BlackBerry® supported by CNT

-----Original Message-----
From: php...@li...
Date: Fri, 7 Sep 2012 23:55:03
To: <php...@li...>
Reply-To: php...@li...
Subject: Re: [Php-java-bridge-users] Securing PHP/Java Bridge

You can secure the back end using basic auth and send something like

    "Authorization: Basic " . base64_encode($user . ":" . $pass)

but this won't solve the other problems (files, all apps running in shared memory).
From: <php...@li...> - 2012-09-08 00:06:46
Sent from my BlackBerry® supported by CNT

-----Original Message-----
From: php...@li...
Date: Fri, 7 Sep 2012 23:55:03
To: <php...@li...>
Reply-To: php...@li...
Subject: Re: [Php-java-bridge-users] Securing PHP/Java Bridge

You can secure the back end using basic auth and send something like

    "Authorization: Basic " . base64_encode($user . ":" . $pass)

but this won't solve the other problems (files, all apps running in shared memory).
From: <php...@li...> - 2012-09-12 14:24:06
Thanks again, all! For the benefit of anybody else wanting to implement this, the specific bit you need to change is around line 1043 of Java.inc, in java_SimpleHttpTunnelHandler::getBodyFor().

REPLACE:

    return "Cache-Control: no-cache\r\nPragma: no-cache\r\nTransfer-Encoding: chunked\r\n\r\n${len}\r\n\177${compat}${data}\r\n";

WITH:

    // Prepend an HTTP Basic Authorization header when the PHP app has
    // defined both credential constants; otherwise send the headers unchanged.
    $auth = "";
    if (defined("JAVA_AUTH_USER") && defined("JAVA_AUTH_PASS")) {
        $encoded_credentials = base64_encode(JAVA_AUTH_USER . ":" . JAVA_AUTH_PASS);
        $auth = "Authorization: Basic {$encoded_credentials}\r\n";
    }
    return "{$auth}Cache-Control: no-cache\r\nPragma: no-cache\r\nTransfer-Encoding: chunked\r\n\r\n${len}\r\n\177${compat}${data}\r\n";

Then after you configure Tomcat to require HTTP Basic Authentication to access your Java Bridge, you just need to define JAVA_AUTH_USER and JAVA_AUTH_PASS appropriately in your PHP app.

Disclaimers: This is pretty thin security, but it may or may not be better than nothing. It worked for my particular setup, but may not work (or break things) on yours. Your mileage may vary, void where prohibited, no refunds.

-Jon

On Fri, Sep 7, 2012 at 5:55 PM, <php...@li...> wrote:
> You can secure the back end using basic auth and send something like
>
>     "Authorization: Basic " . base64_encode($user . ":" . $pass)
>
> but this won't solve the other problems (files, all apps running in shared
> memory).
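As an added example (not from this thread or from the PHP/Java Bridge project), here is the Tomcat side of the arrangement Jon describes: a web.xml security-constraint that makes Tomcat demand HTTP Basic credentials for the bridge servlet, plus the matching tomcat-users.xml entry for the default UserDatabaseRealm. The url-pattern /JavaBridge/*, the role name and the credentials are assumptions; use the servlet-mapping from your own JavaBridge web.xml and the same user/password pair you define as JAVA_AUTH_USER and JAVA_AUTH_PASS on the PHP side.

```xml
<!-- WEB-INF/web.xml of the JavaBridge webapp, inside <web-app>.
     Any request matching url-pattern must carry valid Basic credentials
     for a user holding the (assumed) role "phpjavabridge"; Tomcat answers
     everything else with 401 before the servlet runs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>PHP/Java Bridge servlet</web-resource-name>
    <!-- assumed mapping; copy the pattern from your servlet-mapping -->
    <url-pattern>/JavaBridge/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>phpjavabridge</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>PHP/Java Bridge</realm-name>
</login-config>
<security-role>
  <role-name>phpjavabridge</role-name>
</security-role>

<!-- conf/tomcat-users.xml (placeholder credentials, to be replaced).
     These must equal JAVA_AUTH_USER / JAVA_AUTH_PASS in the PHP app. -->
<tomcat-users>
  <role rolename="phpjavabridge"/>
  <user username="CHANGE_ME_USER" password="CHANGE_ME_PASSWORD" roles="phpjavabridge"/>
</tomcat-users>
```

Basic credentials are only base64-encoded, not encrypted, so this still relies on the bridge port being reachable solely via localhost (or TLS) as set up earlier in the thread.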