php-java-bridge-users Mailing List for PHP/Java Bridge

You can secure the back end using basic auth and send something like

   "Authorization: Basic "
   base64_encode(user.":".pass)

but this won't solve the other problems (files, all apps running in shared
memory).

Thanks for your responses. Yes, it's a shared host, so it's not especially
secure to begin with, but a service that lets all and sundry execute any
Java code they desire is one more gaping hole I'd prefer not to have open.

Am I correct that there's no support for authentication within the client
in Java.inc? If so, can anybody shed any light on why it's not supported?
(i.e. is it more complicated to implement than I'm imagining? Is the
back-end communication not happening over HTTP? Did it just never occur to
anybody that somebody might want this feature?) In other words, if I decide
to try modifying the client to support basic authentication, will I live to
regret it? :)

Thanks again,
-Jon


On Fri, Sep 7, 2012 at 3:46 PM, <php...@li...
> wrote:

> On Fri, Sep 7, 2012 at 4:33 PM, <
> php...@li...
> > wrote:
>
> > If you install and update apache (or any other http server) from your
> linux
> > distribution (redhat or debian) you should be relatively save.
> >
>
> he said he´s running a shared hosting account,quote: "this still allows
> everybody on my shared hosting server..."
>
> FC
> --
> During times of Universal Deceit, telling the truth becomes a revolutionary
> act
> Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
> Revolucionario
> - George Orwell
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> php-java-bridge-users mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/php-java-bridge-users
>

On Fri, Sep 7, 2012 at 4:33 PM, <php...@li...
> wrote:

> If you install and update apache (or any other http server) from your linux
> distribution (redhat or debian) you should be relatively save.
>

he said he´s running a shared hosting account,quote: "this still allows
everybody on my shared hosting server..."

FC
-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell

Hi again. Sorry, I misunderstood you post. There's no resonable way to
sandbox your application. In general Java's security manager is the wrong
path, but it might work for your specific application. You might want to
implement your own xen based solution instead.

Use Apache as a frint end and jee server as a back end and block all access
to the jee port except from localhost.

If you install and update apache (or any other http server) from your linux
distribution (redhat or debian) you should be relatively save.

Hello all,

I'm in the process of deploying an application which uses PHP/Java Bridge,
and I'm having some difficulty figuring out how to secure the bridge
against unauthorized usage. I've configured Tomcat to block access to the
servelet except from localhost, but unless I'm mistaken, this still allows
everybody on my shared hosting server to run arbitrary Java code in my
container (reading or writing any of my files, etc.). This is certainly not
ideal.

I have followed the instructions to run P/JB with Tomcat's security manager
(http://php-java-bridge.sourceforge.net/pjb/FAQ.html#tomcat-security), but
this appears to simply bypass the security manager altogether, making it
something of a non-solution.

I would like to do one or ideally both of the following:

1. Run PHP/JavaBridge with a security manager so that I can prevent it from
accessing files or directories not specifically required by my application.
2. Require authentication (e.g. basic HTTP authentication) when connecting
to the PHP/Java Bridge servelet (presumably I could set this up in Tomcat,
but I don't see any way to perform the authentication on the client end
from my PHP application).

Any pointers would be appreciated.

Thank you!
-Jon

I thought so.

If you don't want to use a jee (e.g. tomcat, glassfish,jetty...) back end,
you're on your own.

Please see FAQ and install document on php-java-bridge.sf.net for details.

Thanks for your answer.
I'm not using Tomcat though, but directly calling java classes.
I wonder if this could mean that a java class is for some reason not responding..
Thanks again,
A




--- Gio 6/9/12, php...@li... <php...@li...> ha scritto:

> Da: php...@li... <php...@li...>
> Oggetto: [Php-java-bridge-users] mysterious error(s)
> A: php...@li...
> Data: Giovedì 6 settembre 2012, 15:18
> Hello,
> I get this error message in the Apache error log, and I
> cannot understand what's causing it.
> 
> Could somebody help please? Or at least point me to the
> right direction :)
> 
> 
> [Thu Sep 06 16:45:13 2012] [error] [client 131.152.227.94]
> PHP Notice:  fwrite() [<a
> href='function.fwrite'>function.fwrite</a>]: send
> of 193 bytes failed with errno=32 Broken pipe in
> /import/wnz/home/mirz/libraries/php/Java.inc on line 652,
> referer: http://www.clipz.unibas.ch/index.php?r=tools%2Falignment%2FregionalAlignment&strand=%2B&orgId=7&yt0=Show+genome+browser
> 
> Java.inc looks like this:
> 
> 648:   $res .= "\r\n";
> 649:   $res .= "\177";
> 650:   $res .= $compatibility;
> 651:   $res .= $data;
> 652:   $count = fwrite($socket, $res) or
> $this->shutdownBrokenConnection("Broken connection
> handle");
> 653:   fflush($socket) or
> $this->shutdownBrokenConnection("Broken connection
> handle");
> 654:   return $count;}
> 655:   function read($size)
> {if(is_null($this->headers)) $this->parseHeaders();
> 656:   $data = fread($this->socket,
> $this->headers['content_length']);
> 
> 
> Another problem I get is that in a certain page I have this
> error:
> Error 500
> Undefined index: content_length
> Which I strongly suspect that it's the same "content_length"
> of line 656..
> 
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's
> security and 
> threat landscape has changed and how IT managers can
> respond. Discussions 
> will include endpoint security, mobile security and the
> latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> php-java-bridge-users mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/php-java-bridge-users
>