JSP :: Security Constraints When Connecting To Database?
Jan 29, 2015
I know that Servlets are meant to do the JDBC tasks, JSP are only for displaying the final information forwarded by the Servlet.
JSP are Servlets too, but I heard an idea that it is safer to make database operations in a Servlet.
The idea is that I have a few JSP that use JSTL tags to retrieve some database information. By doing this I was concerned that this may be bad design, though I really wanted to get in fit with the JSTL tags.
Are there any security weaknesses if doing some JDBC stuff in a JSP, by using JSTL or plain Java code in <%...%>?
P.S. In my JSP I only retrieve data, not modifying it.
I am new to Java Stored Procedures. There is a PL/SQL package in our legacy application(Oracle 9i) which pulls data from Oracle 8i source database through a DB link. Now we have upgraded our databas to Oracle 11g R2 from 9i. So the DB lint to Oracle 8i will no longer work in 11g. Hence I have created a Java stored procedure that establishes JDBC thin connection to the source 8i database. I have loaded the java stored procedure in the database using loadjava and have created a call specifaction.
I have called this java stored procedure inside the PL/SQL package. Now while executing the PL/SQL package, it takes the default driver ojdbc6.jar to establish JDBC connection and fails to connect to the 8i database giving ArrayIndexOutOfBounds Exception. While running the code in the linux application server with classes12.jar the code succeeds. But when the same is called in the database it fails.
1. How can I make my PL/SQL call use classes12.jar while calling the Java Stored Procedure?
2. How can I load the jar file(which includes my classes and the classes12.jar) into the datase as one object? (When I tried to load the whole jar, in database the classes and dependent jar loaded separately)
3. Is there a way to use classpath while calling the Java Stored Procedure like how we do from Unix?
We currently have an application which uses JDBC to connect to the backend database (DB version - 11.2.0.3 ). The application uses a properties file in which the password for the db schema is hardcoded in plain text format. Due to security restrictions we have been asked to make sure the password is encrypted in the file and no direct access is made to the schema using the plain text password. Best options we can use to make this password encrypted both at Oracle DB side and Java side.
I am making a basic calculator using SWING.I want my JTextField to stretch across the top, above my buttons. All I can seem to get is it be the same size as one of my buttons.
I'm suppose to be doing a factorial of a number within certain constraints (say a number between 5 and 10). I get the factorial easy enough but I'm getting it for every number no matter what I put in.
textio is used instead of scanner for our class.
Java Code:
public class Factorial { public static void main(String[] args) { int max = 0; int x = 0; long y = 0;
[Code] .....
Ideally I should be able to put in a number outside the range and the program will do nothing until I put a number in with the correct value.
The following code uses a column constraint to specify that a column of labels should extend horizontally in their cell but they don't as you can see by looking at their border. My mistake or a bug?
I've created a Dynamic Web Project in Eclipse Kepler EE, connected it to a Tomee plus 1.7.1 server and created a servlet and a POJO. So after opening the browser and trying to do something with the classes, the servlet worked as expected, but the POJO returns error 404.
The actual code is something like this:
// The servlet public class MyServlet extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { PrintWriter out = response.getWriter(); out.println("I'm a servlet.");
[Code] ......
So when I type "localhost:8080/<project_name>/MyServlet" I get the expected "I'm a servlet." message. The problem is with the POJO:
//The POJO @Path("/MyPOJO") public class MyPOJO { @GET public String get() throws IOExeption { return "I'm a POJO."; } }
I have nothing about that class in the web.xml file. I have this class, that I don't really know what it does:
@ApplicationPath("/sth") public class ApplicationConfig extends Application { @Override public Set<Class<?>> getClasses() { return new HashSet<Class<?>>(Arrays.asList(MyPOJO.class)); } } Application is a class from M2_REPOjavaxws sjavax.ws.rs-api2.0.1javax.ws.rs-api-2.0.1.jar
So when I enter "localhost:8080/<project_name>/sth/MyPOJO", I get error 404, no exceptions no logs. I've tried to debug but it doesn't hit any breakpoints.
Maybe it has something to do with the exception I get when I start the server:
Nov 19, 2014 6:44:50 PM org.apache.myfaces.ee6.MyFacesContainerInitializer onStartup INFO: Added FacesServlet with mappings=[/faces/*, *.jsf, *.faces] Nov 19, 2014 6:44:51 PM org.apache.myfaces.config.DefaultFacesConfigurationProvider getStandardFacesConfig INFO: Reading standard config META-INF/standard-faces-config.xml
[code]....
I've tried to add the line that is missing in the server.xml file but then the server doesn't start at all.
When my college tries to run it on his PC, it work with both the POJO and the Servlet. We can't find any reason why it's not running on my PC.
Question 1: Upon importing the Play Framework content in Eclipse there's a default codes as localhost:9000 is immediately routed to play framework website controllers, checked and running fine test, checked and running fine conf, checked and running fine the problem is the views under app on all youtube tutorials and other websites, the contents of views is editable but when my brother tried to, he cant edit it
Question 2: Is there an easy tutorial on POST, PUT, GET, and DELETE for eclipse-playframework
Question 3:my brother is using POSTMAN - RESTCLIENT to test his HTTP METHODS (post, put, get, and delete)and is there a tutorial where they also test the HTTP METHODS using POSTMAN?
I am trying to connect to Sql Server database using Oracle UCP with sqljdbc4-3.0 JDBC driver for Sql Server,with different ports and instances.
– the issue is with the port being ignored in the server string.
For example, using port 1440 connects to the default instance (which is on port 1433) rather than MSSQLINSTANCE1 which is on 1440.
Below are Server hosts used.
sql005.sqlasoftware.com (connects correctly to the default instance) sql005.sqlasoftware.com:1440 (connects incorrectly to the default instance on port 1433) sql005.sqlasoftware.comMSSQLINSTANCE1 (connects correctly to the named instance)
While debugging everything is going through... even it passes through the last line. But the pdf is not launching... showing only a blank screen in its status bar as "Connecting"... Earlier it was launching.. but suddenly this issue is raising up. Is there any IE settings need to be checked?
I have a simple applet that doesn't stray outside the sandbox. It used to work fine before Java 7 but now it craps out with security warnings. It does nothing but play a game, it doesn't even save the state of the game. This is the applet, it's a very simple chess program.
The warnings and popups I'm getting are: activate javaTM platform SE 7U?allow now?activation blocked by security settings - I never changed any security settings and as I said, this applet stays firmly in the sandbox so I can't see what the issue is.Viewing the java error window I see
Java Plug-in 10.51.2.13 Using JRE version 1.7.0_51-b13 Java HotSpot(TM) Client VM User home directory = C:UsersMike ---------------------------------------------------- c: clear console window f: finalize objects on finalization queue g: garbage collect h: display this help message l: dump classloader list m: print memory usage o: trigger logging
[code]....
why it shows the C:UsersMike directory in the above listing, there is no access to files etc.The applet plays fine if I run it in appletviewer.What do I need to do to make this simply work in anyone's browser? I have a similar problem with a (rather funky) Connect 4 program I wrote. It worked fine for years and then just stopped with the Java 7.
I have JSP application naming myProject ,which has been deployed in webapp folder in tomcat. I want to provide security for myProject folder. I mean, I want to protect it from copying by someone else. Is there any way to do the same. I tried by hiding the folder using one of hiding software, but when I do that, I was not able to access those files in web browser.
But when i try to open it i get the message: Application Blocked. Click for details.
- The list i see doesn't work - If i click Ignore nothing happens - If i click reload nothing happens
When i read and search the net i have to change my java security settings. The security setting are HIGH and i cannot change that.But i can fill in an Exception Site List...The hello.html file is on my NAS : file:///X:/Lantronix/hello.html..I fill this in the exception Site list -> I get a message that it is a security risk to add this location.
I've been building out a course lab project over the last few weeks, and at the time (with what we knew), it made sense to use a session level ResourceBundle to facilitate translations.
In order to validate if there is a session level ResourceBundle, I have a filter running (checking if the bundle exists, creating one if not, etc...).
The problem I now have is the final step of the project (the part most recently taught), is to add Declarative Security.
Of course, when that happens the login.jsp is called and the Filter doesn't run. It's not a problem for most scenarios, except for someone who bookmarks a link inside the secure part of the site. Then, the ResourceBundle doesn't exist and the login.jsp content that should be translated is "".
Is there a way to indicate via the web.xml that a specific Filter should be allowed before the login.jsp is displayed?
I imagine JSTL:FMT is probably the best solution, but we don't cover that until after the lab is due. I have a (messy) short-term solution of creating a temporary ResourceBundle in the login.jsp via a scriplet if the session scope ResourceBundle is null, but I was wondering if I missed something with the web.xml.
I am using AES/CBC/PKCS5Padding algorithm to encrypt/decrypt, it works fine across machines, since i am not using a Facrtory to create the secret . I am using constant SecretKeySpec and iv for the ciphers. This of course heart the security , and doesn't prevent the "man of the middle" problem .
I saw that there are ways with key generation with MAC , and RSA symmetric encryption , but i am not sure how to implement it , and how to it depends on local certificates or files .
I have an FX application which invokes a REST JSON webservice. It works perfect if I run it standalone. But if I try to run it over browser, it throws java security exception.
It also works fine in web if I comment some lines that invokes the webservice (code that calls the webservice using jackson.)
Java version used is JDK 1.7u67 IE plugin version : 7.0.670.1
Error log : java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.SecurityManager.checkPermission(Unknown Source)
I have several Windows 7 Enterprise machines that have already been deployed via image and need to lower the security settings for use on internal web based applications.
Is there an easy way to manipulate the configuration (a file) so that I may simply make the changes by overwriting the current configuration settings instead of, having to go to each device, opening the Java console, and changing the security settings that way?
I have attempted to login as the machine administration, make the changes on the Java console with the hopes this configuration would have migrated to all user profiles that log into the PC. Is there a "public profile" configuration file I can change and if so, what should I do.
I need to write a simple client to access a WS. Things I can not do :
Modify the serverAdd external jars
The client will be part of a command line call and will run as a stand alone.
I've been searching all day and have found hundreds of vague, overly complex examples, mostly based on SOAPHandler (which tells me I need to install server components which I cannot do). I grasp the general requirements but am having difficulty figuring out how to add the security elements to the header.
What do I need to do to add the username and password tokens to the header?
I have been trying to implement a alphanumeric security code in JAVA. Here are my specifications:
1) Numbers and letters 2) There is user input 3) In the format of NNN-LL-NNNN where N=Numbers and L=UPPERCASE letters 4) If it is incorrect print out INVALID CODE 5) If it is correct print out VALID CODE
Here is what I have produced so far...
import java.util.*; import java.io.*; //Class Declaration class WorkingWithStrings { //Main Method public static void main(String[] args) { //Takes input from user
[Code]...
I have taking the approach of invoking a separate method that will check the validity of the security code. However I am having an issue with creating a statement that checks if the middle two characters of the security code are capital letters. This could possibly tie in with my understanding of strings.
I have to validate security number based on tHIS REQUEST
If the SECURITYNNUBER IS INVALID UNDER THE SECURITYNUMBER attribute,it must reject(Date & algorith). To override the normal validation,the subject must contain INVALIDSECURITYNUMBER. The incorrect ID number must still reflect in the SECURITYNUMBER attribute.
THE FIRST 6 DIGIT IS DATE
EXAMPLE 7701205334086
public boolean val_SECURITYNUMBER() { boolean flag = true; String u_Securtynr = transactionFile.getS_securtynumber(); // 1. Invalid securty number if completed if(!isBlank(u_Securtynr))
I have been trying to find all day long a way to secure my .ear file from modifications made by third parties... My product is packaged as an .ear file which i send for deployment to other administrators. What i am looking for is a way to "sign" my version of .ear versus the deployed version of .ear to be sure that no modification has been made to my code...
