Citrix retrieve client IP address from web application - javascript

Situation
We have:
A JSF web application that runs on an Application Server.
A Java Server Socket application for smart card access that runs on the client computer.
The web application needs to read a smart card in a smart card reader on the client computer.
For this the web application makes a connection to the Server Socket application on the client computer with the IP address of the client computer.
This IP address is determined through ServletRequest object of our web application call.
Problem
When this setup runs in a RD environment (eg Citrix), we receive the server IP address instead of the client computer IP address.
Question
How can we retrieve the client IP address?
Perhaps by using WebSockets?
Comment
I am not sure if these are correct, but I have looked around and some possible solutions found are:
using a Virtual IP Policy (I understand that this would make the localhost call revert to the correct IP address?)
Adding a X-Forwarded-For header to the request
These would require modification/configuration of the RD environment and we don't manage this level.
Of course, if there is no other way, I can try to request this.

You should try X-Forwarded-For. Worked for us. Somehow different scenario but it worked for us.

Related

This solution is safe to access to user's private certificate on a web with a webSoket communication?

We are developing a web page that use https protocol (two way).
We need to access to the private certificates of the user, because we need sign documents by the user's certificate, so we developed a Java application that communicate with the web by a websoket.
This application will call with a protocol call since the web (same that when you open a pdf on Acrobat Reader from a browser).
So we have to be sure that our web is calling to the native application(only our web). We want develop a system to be sure of that. Our idea:
Send a public key, a signed token by the server's private certificate and a symmetric key (to encrypt websocket communications) to the native application.
Next, we will Check in the native application that the token it is OK with a web service to the server.
After, we will have to open the websocket between the native app and the web, and send the signed document by the native app by this way.
Then sent document to the server.
Is this implementation safe? We will be safe of a man in the middle?
Any suggestion about this solution will be wellcome, because I don't see any weakness but I am not an expert on security.
I know other solutions for this problem, like applets, JavaFX or native messages on Chrome, but I only want to know if these solution is safe.
Thanks to all in advance and sorry if my english isn't the best :P,
I see the following issues
Send a public key and a signed token by the server's private certificate to the native application.
You are calling a local app by protocol. For example mylocalapp://sign?securitytoken=.... You do not control which application is installed on local PC to respond to mylocalapp://. The browser shows an ugly warning because you are leaving the secure environment. An attacker could have replaced the default app, simulate the flow and get all signed documents.
2.Next, we will Check in the native application that the token it is OK with a web service to the server.
To verify identity of server and avoid a ManInTheMiddel attach you need also to set a trustore for your application with the server certificate
Your server needs also to verify identity of client. Are you planning to use TLS two ways also?
After, we will have to open the websocket between the native app and the web, and send the signed document by the native app by this way.
You do not need a websocket. Simply use a URL connection to download and upload the documents.
This solution was used by Spanish ministry of economy when chrome decided to cut the NPAPI support and signature applets began to fail. Now, they have rebuilt the system in this way
Install a local Java application on the user's PC. The application listens on a port as, for example 5678
In your page, javascript connects to the application in the form http://127.0.0.1:5678/sign and sends the data to sign.
The application is local and has no trouble using the operating system keystore, which includes drivers PKCS#11. Perform digital signature and sends the result to the server
The javascript of the page periodically query the result and retrieves it when ready
The security problem is basically the same, but install a server in localhost is harder than replace the local default app.
The solution is called #firma, I guess you probably know it. It is opensource, you can use it

Locate server on LAN in JavaScript

TL;DR
In Javascript, how do you to find the IP of all servers running a specified program on a specified port in the LAN?
Background
I'm writing a server in node.js that is supposed to connect users browsers as controllers to a common device on which a game is running. The browsers are running a web app based on html and Javascript. The connection is based on socket.io.
I'd like for the web app to be able to find all available instances of this server in the LAN in order to create a server list for the user to choose from.
Is there a way to make the server discoverable by the web app on the local network in Javascript, and in that case: how?
Ideas
Have the server broadcast its IP to all devices on the LAN and have the web app listen for these messages (No idea how to do this without node on the client)
Connect to every IP on the network and see if the connection is successful. (Does not seem feasible)
Scan every IP on the network and connect only to those where the port is open. (Once again, no idea how to do this without node on the client and does not seeem feasible either.)
EDIT
The server is supposed to be portable and work independently, without any central system backing it up or providing matchmaking for clients. It is a LAN only server and should work even without internet access.
There is no way for you do this. Sorry. Since there is no exposure to UDP on client-side JavaScript, broadcasting is out of question. Any attempt on massive scanning will quickly raise flags on network monitoring software. You have to use a known address.

Tomcat and Browser to Openfire Authentication scheme

We are developing a web application that uses strophe.js to communicate with an openfire server for XMPP chat. The web application is hosted on tomcat and both tomcat and openfire reside on the same server. Strophe.js is using BOSH (essentially http long-polling) as a communication mechanism between the client and the openfire.
Our tomcat instance authenticates (form-based) using a users table in our database. We've configured our openfire instance to read out of the same table. That way mobile apps can directly connect to our chat server using the user's credentials
We also have apache running as a reverse proxy. This might be TMI for the problem at hand, but more information can't hurt. The url schemes look like the following:
http://myserver/web Our web interface. Goes to http://myserver:8080/
http://myserver/chat Forwards to the openfire BOSH url (what strophe.js connects to). Goes to http://myserver:7070/http-bind (openfire bosh endpoint)
The problem I'm trying to figure out is how to log in to our openfire server from the browser. For example, if the user goes to the login.jsp site and enters their credentials, the server will forward that user to index.jsp. The strophe.js connection will try to connect to the chat server (/chat), but at that point, the username and password is no longer available to the javascript code.
I need to figure out how to securely authenticate the user in the web browser with the openfire server AFTER authentication has occurred. I've looked around for some examples, but there's not much information out there (or rather, I don't know what to look for).
Some Possible Solutions
1.) The first strategy I tried was creating an AuthProvider implementation in openfire that can take the browser's cookie as the password, make an HTTP request to tomcat with that cookie, and if succeeds deem that user as authenticated. This worked at first, but when deploying I found that I needed to configure tomcat to allow the document.cookie to be populated with the JSESSIONID. After reading a bit about this, it seems that using cookies is not recommended from a security standpoint. Jeff Atwood has an post Protecting Your Cookies: HttpOnly that discusses the security issues stemming from cookies accessible to javascript. Although I am not completely opposed to using cookies, is there a better way?
2.) A solution I have also thought of (haven't implemented yet) was providing a REST endpoint to create tokens that the user can fetch once they are logged in and use as passwords for the openfire server. Seems a little better, but I'll need to create a new table, manage their expiration, etc.
If anyone has tackled this problem, please let me know. It would be greatly appreciated.

How to get client IP address(es)

We have an asp.net application which deployed in head office of a bank. Employees of the bank are consumers of this application.
Employees of the bank are usually access this application using their computers which is connected to internet though a proxy server.
For auditing purpose we need all (at least one) ip-address assigned to their LAN-interface, when they login to the application.
I know there are some Server Variables which provides IP of client but they are only giving us IP of Proxy Server (external IP).
It depends on the proxy but I believe the standard is to put the original client IP under the server variable called HTTP_X_FORWARD_FOR. Sometimes others are used HTTP_X_FORWARDED and HTTP_CLIENT_IP.

If i GET a site using client-side javascript, what will the site see as the requesting ip? My server or the client's?

I'm building an app where the user may occasionally make a search. I'd like to run the search through google, but I'm unsure in the event I have many users if i will hit google's search quota. Any individual user will not make more than one or two searches a day on the app. But cumulatively, it could potentially be much more.
Will doing client side retrival of a google query avoid this problem and not identify my server as the origin ip?
Yes, if you do a GET request from the client, the clients IP will be the source IP
Since you are doing a GET from the client's side, the TCP/IP connection is being opened by the client. So it would be the client's IP that the site would see as the requesting IP. However if you would like the site to see your IP instead, you can re-route the request via AJAX to your server, have your server do the GET and send the results asynchronously back to the client.

Categories

Resources