(answers in text)

> -----Original Message-----
> From: Bing Zhang [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 23, 1999 1:37 PM
> To: [EMAIL PROTECTED]
> Subject: Applet-Servlet Security Design
>
>

<snip>

> 1. The applet prompts the user with a window to enter username and
> password. Then the data is sent out to the server in clear text by
> opening a URLConnection to the server. This clear text is dangerous, so
> I plan to use some encryption or use SSL. Which one is better? If I
> choose SSL, is there any free library that I can use with Apache and
> JServ? Is it possible for the same server to serve both normal users
> and privileged ones (the connection is not secure at first; when the
> user is prompted for user name and passwd, it changes to SSL)? Is it
> possible to return SSL to a normal channel if the privileged user
> chooses to do so?

Using SSL will be the easiest once you set up your server. It is transparent
to both the Applet and Servlet. You could easily switch between HTTP and
HTTPS in the applet.


>
> 2. After the server gets the username and passwd, it pulls up a table
> on the server side and tries to find a match. The server returns a
> status back to the applet based on whether a match has been found. If
> the status is positive, the applet sets a flag that is stored inside
> the applet, and from now on the applet can do all the privileged
> operations. But I think storing the flag inside the applet may be a
> security hole. The user could tweak the applet to set the flag and
> cheat the server. Is this doable? If doable, how could he do it? Could
> he use some de-compiler to decompile the applet class downloaded to his
> browser and modify the source code to cheat the server?
>
> Thanks
>
> Bing

It would be very easy for a hacker to set your flag. Probably the easiest
way to do this is to DL the applet from your server, subclass it, set the
flag in the subclass, and set the security level for applets in their
browser to allow socket connections to anywhere. Your applet doesn't even
have to be decompiled. Anyone can find out all the fields and methods in a
class with bytecode examiners such as CafeBabe. (If you'd like to see this
done just give me the URL for a page with your applet on it ;-)

All security should be on the server. You can use sessions to maintain your
state instead of a flag in the applet.

Aaron
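The server-side approach Aaron recommends, as an added example that is not part of the original thread: the login servlet is the only place the privileged decision is made, it records the result in an HttpSession, and the privileged servlet consults only that session. The attribute name, class names and the CredentialStore lookup are assumptions of this example; the credential table holds constructed sample data.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login endpoint: the only place the privileged decision is made, and it runs on the server. */
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "authenticatedUser"; // attribute name is an assumption of this example
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user != null && pass != null && CredentialStore.matches(user, pass)) {
            // Discard any pre-login session so a session id chosen by the client is not promoted.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            req.getSession(true).setAttribute(USER_ATTR, user);
            resp.setStatus(HttpServletResponse.SC_OK);
        } else {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}

/** Privileged endpoint: consults only the server-side session, never a flag sent by the applet. */
class PrivilegedServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(LoginServlet.USER_ATTR);
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // no server-side login on record
            return;
        }
        resp.getWriter().println("privileged operation performed for " + user);
    }
}

/** Placeholder for the server-side table lookup the question describes (constructed sample data). */
class CredentialStore {
    private static final Map<String, String> TABLE = new HashMap<>();
    static { TABLE.put("alice", "example-password"); } // a real table stores password hashes
    static boolean matches(String user, String pass) {
        String expected = TABLE.get(user);
        return expected != null && expected.equals(pass);
    }
}
```

The applet must return the session cookie (or URL-rewritten session id) on each later URLConnection; whatever the applet's own flag says, the server re-checks the session on every privileged request.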

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
