I know there are many similar questions on the internet but none of them could solve my doubt. So pardon me. About my project. I have a Java file or program that takes a string, encrypts it and then returns the encrypted string to me.
I want to include or keep this Java file (.jar file) on the webpage or the client-side. Now I know that we can upload this Java program on server side and then easily communicate with it instead of keeping it on client-side which most people consider a bad practice.
But my purpose of keeping this jar file on the client side is that JavaScript code for encryption can be easily seen if we inspect element, so compared to it .jar file is more secure and one cannot see underlying encryption code and also if in case there is network loss then instead of typing the entire string again and getting it encrypted again from the server, I want to save that string in such situation, get it encrypted from the jar file on the client-side so that once network problem is solved I don't need to retype whole message again and then I can directly send the message or the string to the other end or to other user on the network.
So for this I need help regarding how can I store my .jar file on webpage or client-side and then how to call methods from the .jar file using JavaScript. I know applets are deprecated, Chrome does not support Java. I have also seen some examples on internet like https://docs.oracle.com/javase/tutorial/deployment/applet/invokingAppletMethodsFromJavaScript.html but it's not working properly for me.
So I am in search of some ideal method by which I can first of all include or upload .jar file on client-side and then a method by which I can call Java methods from .jar file using JavaScript. Please help... My earnest request...!
JavaScript code for encryption can be easily seen if we inspect element
I'm assuming you mean embedded JavaScript here. Because you can refer to external JS files which are located on the web server, not the client machine.
The browser may cache your script file somewhere locally but if one were bothered enough to dig it up, he might as well decompile your jar file which is much easier.
Java can easily be decompiled. A jar file on the client will not be more secure than client-side JavaScript.
An encryption method that is compromised by looking at its code is not secure.
You seem to have many misconceptions... here are some facts for you to consider:
A JAR file (as either an application, WebStart or applet) running on client-side is NOT secure. If it runs on my computer, I can do anything I want. I can download the JAR file and decompile it. It's no better than JavaScript in this regard, it just takes slightly more effort and knowledge.
To protect data between client and server, you can simply use HTTPS and POST the data from web page to your server.
If the client is encrypting data to you, there should be nothing to hide about the encryption process. The client generates a session key to encrypt the data, then wraps that session key with your server's public key. Then the client sends both the encrypted data and the wrapped session key to your server. Read more about Public Key Infrastructure (PKI): https://en.wikipedia.org/wiki/Public_key_infrastructure
By default a Java applet/WebStart is not granted access to disk. You must sign it to write data to disk, and user/security policies can still deny granting those access rights. (Applet - Unable to write file)
As you are aware of it, applet/WebStart is dying because of browsers rejecting plugins. There's Web Cryptography API (it's not mature, and there's no hardware support), you can try that instead. https://www.w3.org/TR/WebCryptoAPI/
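The session-key scheme described in the answer above, written against the Web Cryptography API it mentions. This is an added example, not code from the original posts; the function names and the choice of AES-GCM and RSA-OAEP are assumptions made for illustration.

```javascript
// Browsers and Node 20+ expose `crypto` globally; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;

// Client side: uses only the server's PUBLIC key, so this code holds no secret.
async function encryptForServer(serverPublicKey, plaintext) {
  // Fresh AES-256-GCM session key per message (extractable so it can be wrapped).
  const sessionKey = await subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // 96-bit nonce
  const ciphertext = await subtle.encrypt(
    { name: "AES-GCM", iv }, sessionKey, new TextEncoder().encode(plaintext));
  // Wrap the session key under the server's RSA-OAEP public key.
  const wrappedKey = await subtle.wrapKey(
    "raw", sessionKey, serverPublicKey, { name: "RSA-OAEP" });
  return { iv, ciphertext, wrappedKey };
}

// Server side: only the private-key holder can unwrap the session key.
async function decryptOnServer(serverPrivateKey, { iv, ciphertext, wrappedKey }) {
  const sessionKey = await subtle.unwrapKey(
    "raw", wrappedKey, serverPrivateKey, { name: "RSA-OAEP" },
    { name: "AES-GCM" }, false, ["decrypt"]);
  const plain = await subtle.decrypt({ name: "AES-GCM", iv }, sessionKey, ciphertext);
  return new TextDecoder().decode(plain);
}

// Constructed demo: this key pair stands in for the server's long-term key.
async function demo() {
  const serverKeys = await subtle.generateKey(
    { name: "RSA-OAEP", modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    false, ["wrapKey", "unwrapKey"]);
  const message = await encryptForServer(serverKeys.publicKey, "draft typed while offline");
  const recovered = await decryptOnServer(serverKeys.privateKey, message);
  // Flip one ciphertext bit: GCM authentication must reject the message.
  const tampered = new Uint8Array(message.ciphertext);
  tampered[0] ^= 1;
  const tamperRejected = await decryptOnServer(
    serverKeys.privateKey, { ...message, ciphertext: tampered })
    .then(() => false, () => true);
  return { recovered, wrappedKeyBytes: message.wrappedKey.byteLength, tamperRejected };
}

demo().then((result) => console.log(result));
```

In a real page the public key would be loaded with `subtle.importKey` from a value the server publishes over HTTPS. Reading this code tells an observer nothing that helps decrypt a message, because the only secret is the server's private key.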
Related
I apologize for what might seem like a really dumb question based on a limited knowledge of Node.js but please know I am attempting to learn all I can. That being said, as I understand it, Node.js is similar to Apache or IIS. What types of files does it actually serve though (ASP, ASP.NET, PHP, HTML, etc.)?
My IMPRESSION is that it serves JavaScript and HTML by recommendation? In such a case, if I write a JavaScript file used on the server side to write data to my database, is my code exposed to the end user?
My scenario for example is that I would write an HTML5 page with JavaScript to write to a database but if that is served by Apache or IIS then both the HTML and JavaScript have their code exposed. How does this work with Node.js, do I need to stay with PHP for securing my code?
Thank you!
As long as the server-side JavaScript isn't served to the requesting user you're safe. So no, the database stuff within Node.js won't be served.
That's like asking if PHP's or Java's database code gets served if someone requests a page (only if the code is read and echoed).
Node.js is a server-side scripting language with modules for interacting with HTTP requests and responses.
You can serve literally any kind of file with Node (as you could with other server-side scripting languages), and in fact, probably want to go out of your way not to let people grab any files they want.
PHP won't secure your code for you. Normally, nginx or Apache helps to protect against threats, but a Node.js server running on a port completely bypasses all of that unless you specifically configure nginx or Apache to forward requests to the port your node program is listening on.
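One way to make sure a Node server hands out only the files meant for users, as the answers above advise. This is an added example, not code from the original posts; `resolvePublicFile`, `createStaticServer` and the `public` directory name are hypothetical, and `root` is assumed to be an absolute path.

```javascript
const fs = require("node:fs");
const http = require("node:http");
const path = require("node:path");

// Map a request URL to a file inside `root`, or return null to refuse it.
function resolvePublicFile(urlPath, root) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split("?")[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null;
  // resolve() collapses "." and ".." before the containment check below.
  const candidate = path.resolve(root, "." + path.sep + decoded);
  if (candidate !== root && !candidate.startsWith(root + path.sep)) return null;
  // Also refuse dotfiles such as .env or .git inside the public tree.
  const segments = path.relative(root, candidate).split(path.sep);
  if (segments.some((segment) => segment.startsWith("."))) return null;
  return candidate;
}

// Anything outside `root` (server.js, database code, config) is never readable.
function createStaticServer(root) {
  return http.createServer((req, res) => {
    const file = resolvePublicFile(req.url, root);
    if (file === null) {
      res.writeHead(403).end("Forbidden");
      return;
    }
    fs.createReadStream(file)
      .on("error", () => res.writeHead(404).end("Not found"))
      .pipe(res);
  });
}

// Usage (hypothetical directory name):
// createStaticServer(path.resolve("public")).listen(8080);
```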
I need to have data written to a text file in JavaScript. I want it to write a username and password to the text file and create a new line every time. Here is my code http://pastebin.com/24Tvdemu.
Can anyone help? This has had me stumped for ages.
As JavaScript in HTML is a client side language, you will need to send the files to the server, and save the file there. Anyway, you can prompt the user to save the file on their local machine, but it's not useful unless you really need that for any reason.
Check this answer Javascript: Create and save file
Some suggestions for this -
If you are trying to write a file on the client machine, you can't do this in any cross-browser way. IE does have methods to enable "trusted" applications to use ActiveX objects to read/write files.
If you are trying to save it on your server then simply pass on the text data to your server and execute the file writing code using some server side language.
To store some information on the client side that is considerably small, you can go for cookies.
Using the HTML5 API for Local Storage.
More details : Is it possible to write data to file using only JavaScript?
I am new to JavaScript. Please tell me how to retrieve and read an XML file which is placed on an FTP server in JavaScript.
JavaScript only speaks HTTP and WebSockets (on newer browsers), and not FTP.
If you are restricted to using client-side JS, it's not possible. It is possible with NodeJS, though.
If you are speaking about client side JavaScript (the one that is in the browser), then this is not possible (it can understand only the HTTP protocol and, with the rise of HTML5, also WebSockets). FTP is completely another protocol and hence this is not possible.
Think about it this way: your JS is stored in your browser. So the whole code that will connect to your FTP and do something there is exposed to everyone. In order to connect to FTP you need to provide your credentials (your username and password). This means that everyone who wants to get them can get them. This is not nice :-).
As I understand, the thing you want to achieve - the user does something on your site (clicks a button) and he can download the file from the FTP. In this case I would do something like this. On click I will make an Ajax call or some sort of redirect ( window.open('http://yourserver/getFile.php'); ) And the script in getFile.php (PHP does not matter here - this is any server side script: Python, ASP, ...) connects to your FTP server and does whatever you want.
Is it possible to configure the FlexPaper reader to decrypt password-protected PDFs or SWFs?
Here is the use-case:
User uploads a PDF.
My server would then convert the PDF to SWF via pdf2swf.
Then somehow encrypt the SWF with a password (not sure best way to do this).
Then the FlexPaper would be able to decrypt the SWF and display it.
What I am trying to avoid is the caching of readable SWF in the browser's cache.
Any ideas on the best way to achieve this?
I know, even with this it will not be a fully secure solution, but certainly helps.
Note: I am running this on Linux and OS X and using Rails.
Answers from questions asked in the responses:
Do you need it on the wire?
No, I don't think so, the application will be only accessed via SSL
Do you need the files to be stored securely on your hard drive?
Ideally yes, we will keep them encrypted on the server -- but not critical
What exactly are you trying to prevent by encrypting them?
I want users of the application only to be able to view the documents from the FlexPaper reader on the website. I do not want users to be able to download a readable document to their machine.
Thanks!
Jonathan
What I am trying to avoid is the caching of readable swf in the browser's cache.
I'm not sure if using a password will help at all. If the SWF is encrypted it may likely be stored in the cache encrypted. I think this post on how to prevent caching is probably what you want.
But in case not, I'll answer some of the encryption questions below.
pdf2swf supports a -P (or --password) option that allows you to decrypt an encrypted PDF, which implies you need a password fairly early in that process.
If you want to encrypt the SWF, you should check out the as3crypto libraries for the Flex side and some ruby crypto libraries for the server side.
I have a blog post entitled "Why Obfuscate, Encrypt those SWFs!" that talks about how you can encrypt a SWF that is then decrypted via a SWFLoader that I hope is useful to you. The same concepts apply here:
Encrypt the SWF (after it's been converted from PDF)
Use a modified SWFLoader (or URLLoader) to decrypt the SWF
Use the decrypted SWF just like you would a regular one
But, a few questions:
Where do you need security? Do you need it on the wire? Do you need the files to be stored securely on your hard drive? What exactly are you trying to prevent by encrypting them? The answers to these questions will largely determine the best approach to take.
I have an application on my server that is called leaf.exe, that has two arguments needed to run, they are: inputfile and outputfile, that will be like this example:
pnote.exe input.pnt output.txt
They are all in the same directory as my home page file (the executable and the input file). But I need JavaScript to be able to run the application like that, and I want to know how I could do this.
I'm using just Apache, I don't have any language for web installed on it. My goal is to do a site using just JavaScript, without the help of any other language than it, HTML and CSS.
You would need to make an Ajax request to the server - the server would then have a handler that would then invoke the executable with the appropriate parameters.
Without knowing which web server technology you are using, it's harder to give a more concrete answer (ex: ASP.NET, PHP, Ruby, etc).
EDIT: If you're talking about doing this without any kind of server side resources, then this is impossible, and for good reason. Think of the security exploits!
Any other way to this without using other languages that need to be installed on the server?
No, but you almost certainly already have languages on the server. If it's a Linux, BSD or OSX server you've got shell script; if it's a Windows server you've got JScript and VBScript via Windows Scripting Host (using a cscript.exe hashbang).
JavaScript is for the client side of a web application, so you won't be able to directly use JavaScript to access server side files. As mentioned by Tejs, you should use Ajax to make a call to the server side and then use an appropriate server side routine to do the task.
Even on the client side, most browsers don't allow accessing of any resource (e.g. files) by JavaScript code.
For server side JavaScript in Apache you could use Sun ONE Active Server Pages, formerly known as Chili!Soft ASP. For an IIS server, JavaScript is plainly available as an ASP language.
Look into Rhino and node.js. I don't know a lot about this, but that's a route you can use for server-side JavaScript.