
Monday, July 4, 2011

JSON and SSL in groovy, how to ignore certificates

In the last couple of days I became more and more interested in bitcoin mining, and the first thing I noticed was the utter lack of integrated tools, and hence of the statistics I would like to associate with my miners.

This resulted in me creating a tiny Grails application to synchronize my deepbit statistics with the current market data from mtgox, to calculate at which point it becomes pointless to mine these things. I basically hope that this pays for the 700$ for my 2x6950 Radeons and the associated cooling in the 100+F heat we have here in California.

Now originally you would assume that this is rather straightforward. After all you get JSON data, which just needs to be parsed.


import grails.converters.JSON

// fetch the ticker over HTTPS and parse the JSON document into a Map
Map jsonArray = JSON.parse(new InputStreamReader(new URL("https://mtgox.com/code/data/ticker.php").openStream()))

println jsonArray



but sadly Java's SSL trust manager does not agree with us here and throws a fit:



javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)



Now Java is kind of smart: it wants to force you to import the certificate of the server you access into your trust store and authorize it yourself. But sometimes you don't want this. In this case it's overkill, since we are having a read-only transaction.

So what has to be done?

You need to create your own trust manager implementation, which is basically a three-step procedure:


  1. implement an interface


    import javax.net.ssl.X509TrustManager

    // A trust manager that accepts every certificate: no chain validation at all,
    // which is exactly why the handshake no longer fails.
    class TrustManager implements X509TrustManager {

        // no trusted issuers are advertised
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        // never throws, so any client certificate passes
        public void checkClientTrusted(
                java.security.cert.X509Certificate[] certs, String authType) {
        }

        // never throws, so any server certificate passes
        public void checkServerTrusted(
                java.security.cert.X509Certificate[] certs, String authType) {
        }

    }




  2. register the trust manager and update the SSL context

    import javax.net.ssl.SSLContext
    import javax.net.ssl.HttpsURLConnection

    // the array holds the TrustManager class defined in step 1
    TrustManager[] trustAllCerts = new TrustManager[1]

    trustAllCerts[0] = new TrustManager()
    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        // installs the factory for every HttpsURLConnection in this JVM
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    } catch (Exception e) {
        e.printStackTrace()   // otherwise a failed setup would go unnoticed
    }

  3. and continue like always with your json script

    Map jsonArray = JSON.parse(new InputStreamReader(new URL("https://mtgox.com/code/data/ticker.php").openStream()))


and the result should now be the current ticker for the USD to Bitcoin exchange rate.


    {"ticker":{"high":15.4989,"low":13.31415,"avg":14.726503862,"vol":42862,"last":13.31415,"buy":13.331,"sell":13.35999}}
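As an added example (not code from the original post): the alternative the exception is really asking for. Instead of accepting every certificate for the whole JVM, an SSLContext is built that trusts only the certificates in one PEM file and is applied to a single connection. The file name mtgox.pem and the method name contextTrustingOnly are assumptions of this example.

```groovy
import grails.converters.JSON
import java.security.KeyStore
import java.security.cert.CertificateFactory
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory

// Build an SSLContext whose trust store holds only the certificates in one
// PEM file (the server's cert or its issuing CA, exported once and shipped
// with the app). Everything else is rejected, unlike the trust-all manager.
SSLContext contextTrustingOnly(File pemFile) {
    KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType())
    store.load(null, null)                       // empty, in-memory trust store
    CertificateFactory cf = CertificateFactory.getInstance("X.509")
    pemFile.withInputStream { stream ->
        cf.generateCertificates(stream).eachWithIndex { cert, i ->
            store.setCertificateEntry("pinned-${i}", cert)
        }
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(store)                              // full chain validation, against our store only
    SSLContext ctx = SSLContext.getInstance("TLS")
    ctx.init(null, tmf.trustManagers, null)
    return ctx
}

// Assumed file name: the exported certificate for mtgox.com.
SSLContext ctx = contextTrustingOnly(new File("mtgox.pem"))

// Apply the factory to this one connection only; setDefaultSSLSocketFactory
// would silently change trust for every HTTPS call in the JVM.
HttpsURLConnection conn =
    (HttpsURLConnection) new URL("https://mtgox.com/code/data/ticker.php").openConnection()
conn.setSSLSocketFactory(ctx.socketFactory)
// Hostname verification stays switched on by default, so the pinned
// certificate must also carry the host name we are connecting to.
Map ticker = JSON.parse(new InputStreamReader(conn.inputStream))
println ticker.ticker.last
```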



Friday, January 22, 2010

Protecting JBoss

In the last couple of weeks we released more and more of our BinBase tools to make it possible to actually work with the database, which means we have to protect our data better.

Since I had no time at work for this and JBoss doesn't provide a convenient way, I decided to write a little tool which does this for me.

So I created yet another Google Code project, called 'jboss-ip-filter', which does nothing else than provide an interceptor that intercepts all method calls and checks whether the caller's IP is in a list of registered IP addresses.

Features
• protect EJB 3.x services
• protect EJB 2.x services
• an IP can be defined as a regular expression to support subnets
Configuration/Installation

First you need to download the latest release and copy it into the JBoss library directory of your chosen configuration.

Afterwards you need to register the interceptor in the JBoss configuration.

Example

    vim /usr/local/jboss/server/all/conf/standardjboss.xml

Go to the part about the container configurations and register the interceptor in the first position for every EJB configuration you want to protect.

The name of the class is 'com.blogspot.codingandmore.jboss.filter.SessionInterceptor'.


    <container-configuration>
    <container-name>Standard CMP 2.x EntityBean</container-name>
    <call-logging>false</call-logging>
    <invoker-proxy-binding-name>entity-unified-invoker</invoker-proxy-binding-name>
    <sync-on-commit-only>false</sync-on-commit-only>
    <insert-after-ejb-post-create>false</insert-after-ejb-post-create>
    <call-ejb-store-on-clean>true</call-ejb-store-on-clean>
    <container-interceptors>
    <interceptor>com.blogspot.codingandmore.jboss.filter.SessionInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.LogInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.SecurityInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.TxInterceptorCMT</interceptor>
    <interceptor>org.jboss.ejb.plugins.CallValidationInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.EntityCreationInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.EntityLockInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.EntityInstanceInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.EntityReentranceInterceptor</interceptor>
    <interceptor>org.jboss.resource.connectionmanager.CachedConnectionInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.EntitySynchronizationInterceptor</interceptor>
    <interceptor>org.jboss.ejb.plugins.cmp.jdbc.JDBCRelationInterceptor</interceptor>
    </container-interceptors>
    <instance-pool>org.jboss.ejb.plugins.EntityInstancePool</instance-pool>
    <instance-cache>org.jboss.ejb.plugins.InvalidableEntityInstanceCache</instance-cache>
    <persistence-manager>org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreManager</persistence-manager>
    <locking-policy>org.jboss.ejb.plugins.lock.QueuedPessimisticEJBLock</locking-policy>
    <container-cache-conf>
    <cache-policy>org.jboss.ejb.plugins.LRUEnterpriseContextCachePolicy</cache-policy>
    <cache-policy-conf>
    <min-capacity>50</min-capacity>
    <max-capacity>1000000</max-capacity>
    <overager-period>300</overager-period>
    <max-bean-age>600</max-bean-age>
    <resizer-period>400</resizer-period>
    <max-cache-miss-period>60</max-cache-miss-period>
    <min-cache-miss-period>1</min-cache-miss-period>
    <cache-load-factor>0.75</cache-load-factor>
    </cache-policy-conf>
    </container-cache-conf>
    <container-pool-conf>
    <MaximumSize>100</MaximumSize>
    </container-pool-conf>
    <commit-option>B</commit-option>
    </container-configuration>


After this is done you need to restart your server, and after the next reboot it should generate a properties file in the directory the server was started from. In this file you configure which IP addresses are allowed.

For example, if you started the server from the bin directory, the file will be found there:


    vim /usr/local/jboss/bin/ip-filter-config.properties


The IP address of the local host is always registered.

The following two lines allow the host '128.120.136.154' to connect but refuse connections to the EJBs from any other host:


    128.120.136.154 = true
    \b(?:\d{1,3}\.){3}\d{1,3}\b = false
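As an added illustration that is not the jboss-ip-filter code itself: one way to evaluate rules like the two above. The precedence is this example's own assumption (an exact address entry wins over regex entries, and the default is deny), the class name IpRules is made up, and the sample rule text is constructed from the two lines shown. It also shows why such a file has to be read line by line rather than through java.util.Properties, and why the pattern is applied with matches() rather than find().

```groovy
import java.util.regex.Pattern

// Allow list in the ip-filter-config.properties style shown above. The rules
// here are this example's own assumptions, not the jboss-ip-filter code:
// an exact address entry wins over regex entries, and the default is deny.
// Lines are read directly because java.util.Properties would treat the
// backslashes of a regex such as \d as escape sequences and drop them.
class IpRules {
    private final Map<String, Boolean> exact = [:]
    private final Map<Pattern, Boolean> patterns = [:]

    IpRules(String configText) {
        configText.eachLine { String line ->
            String trimmed = line.trim()
            if (!trimmed || trimmed.startsWith('#')) return
            int eq = trimmed.lastIndexOf('=')      // value is true/false, so use the last '='
            if (eq < 0) return
            String rule = trimmed.substring(0, eq).trim()
            boolean allowed = trimmed.substring(eq + 1).trim().equalsIgnoreCase('true')
            if (rule ==~ /(?:\d{1,3}\.){3}\d{1,3}/) {
                exact[rule] = allowed                          // literal address
            } else {
                patterns[Pattern.compile(rule)] = allowed      // regex covering a range
            }
        }
    }

    boolean isAllowed(String clientIp) {
        if (clientIp in ['127.0.0.1', '::1']) return true     // local host, as the post states
        Boolean exactHit = exact[clientIp]
        if (exactHit != null) return exactHit
        // matches() anchors the whole string, so a rule for 10.0.0.1 can never
        // match 110.0.0.1 the way find() would.
        Map.Entry<Pattern, Boolean> hit =
            patterns.find { Pattern p, Boolean v -> p.matcher(clientIp).matches() }
        return hit != null ? hit.value : false
    }
}

// Constructed sample mirroring the two configuration lines above.
IpRules rules = new IpRules('''
128.120.136.154 = true
\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b = false
''')
assert rules.isAllowed('128.120.136.154')
assert !rules.isAllowed('128.120.136.155')
assert !rules.isAllowed('10.0.0.1')
```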


If you encounter any problems, please don't hesitate to contact me and I'll try to help.