Toni Epple works as a consultant for Eppleton (http://www.eppleton.de) in Munich, Germany. In his spare time he's an active member of the Open Source community as a community leader for JavaTools community (http://community.java.net/javatools/), moderator of the XING NetBeans User Group (http://www.xing.com/group-20148.82db20), founder of the NetBeans User Group Munich (http://tinyurl.com/5b8tuu), member of the NetBeans Dream Team (http://wiki.netbeans.org/NBDTCurrentMembers) and blogger (http://www.eppleton.de/blog). Toni is a DZone MVB and is not an employee of DZone and has posted 51 posts at DZone.

How to Secure a NetBeans Platform Update Center

07.09.2010

Many times I've been asked how to secure an update center of a NetBeans Platform application. If you're OK with "Basic authentication", it's dead simple—simply configure the server where your update center's XML and NBMs are hosted to use "Basic authentication". Then the user will be prompted for a login.

If you want to try it, follow the sections below.

Enabling Basic Authentication for an Update Center

In this section, you set up a scenario where "Basic authentication" is enabled for a NetBeans Platform application. You can use any NetBeans Platform application, such as the Paint Application (one of the NetBeans Platform samples in the New Project dialog), when taking the steps below.

  1. Follow the "Basic authentication" example of this tutorial: http://netbeans.org/kb/docs/web/security-webapps.html. However, change the URL pattern for the admin user to "/*/updates.xml".

  2. Afterwards, take one of your NetBeans Platform applications, right-click it in the Projects window, and select "Create NBMs".

  3. Switch to the Files window (Ctrl-2) and navigate to your application's "build/updates" dir.

  4. Take everything in there and copy it to your webapp's "web" dir.

  5. Now run your webapp and see if you can access this URL:

    http://localhost:8080/<WebAppName>/updates.xml

    The browser should show it to you only after you have logged in correctly as the admin user.

You have now created an update center that requires "Basic authentication". So, in the next section, you are going to attempt to register that update center in the Plugin Manager of the application.

Registering a Secure Update Center

When your users have the URL to the XML defining an update center, they can register it in their application's Plugin Manager. However, now you have set up the update center so that "Basic authentication" is enabled for it. Let's now pretend to be a user of the application, who has the URL of the update center and wants to register that in the application's Plugin Manager.

  1. Go to Tools -> Plugins.

  2. Switch to the "Settings" tab and click "Add". Add a new update center under this URL:

    http://localhost:8080/<WebAppName>/updates.xml

  3. When you confirm by clicking OK, the application should ask you for your credentials before accepting the new update center.


  4. Even if you enter a wrong password, the update center is registered in the application, but the user won't be able to access any modules from it until authentication has been successful.

    If authentication fails, no modules will be made available for installation.


Silently Updating an Application with Basic Authentication

So, as seen above, if you reuse the Plugin Manager infrastructure from the NetBeans Platform, you're set. Let's now look at a variation on this theme, since many organizations don't want to make the Plugin Manager available to their users. For one thing, it's complicated for a "non-computer-person", and you can also easily mess things up, e.g., by accidentally uninstalling or deactivating stuff or when registering new update centers to install additional plugins. So NetBeans Platform engineer Jiri Rechtacek has published a module, as an example, to illustrate silently updating your application.

You can easily reuse that code with "Basic authentication" as well. Just follow his example for using the silent update module. If you do that, the NetBeans Platform CRUD application will prompt you for your credentials during startup. If you don't want that, you need to find a way to dynamically encode the login in the update center URL. To try that, go to the Silent Updates Module and open the Bundle.properties file in org.netbeans.modules.autoupdate.silentupdate. Add username & password similar to this:

org_netbeans_modules_autoupdate_silentupdate_update_center=http\://user\:password\@localhost\:8080/WebApplication4/updates.xml

Now the updates will be silent again. 
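A URL with embedded credentials is stored in plain text in Bundle.properties and travels wherever the URL does. As an added example that is not part of the original article or the silent update module, the class below registers a java.net.Authenticator that supplies the login only when the update center itself asks for it; the class name, the "admin" user and the sample password are assumptions.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.URL;

// Added example (not from the article): answers Basic-auth challenges for one
// update center only, so the URL in Bundle.properties carries no credentials.
public final class UpdateCenterAuthenticator extends Authenticator {

    private final URL center;
    private final String user;
    private final char[] password;

    public UpdateCenterAuthenticator(URL center, String user, char[] password) {
        this.center = center;
        this.user = user;
        this.password = password.clone();
    }

    private static int effectivePort(URL u) {
        return u.getPort() != -1 ? u.getPort() : u.getDefaultPort();
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Ignore proxy challenges: the credentials belong to the origin server.
        if (getRequestorType() != RequestorType.SERVER) {
            return null;
        }
        URL asking = getRequestingURL();
        boolean sameOrigin = asking != null
                && center.getProtocol().equalsIgnoreCase(asking.getProtocol())
                && center.getHost().equalsIgnoreCase(asking.getHost())
                && effectivePort(center) == effectivePort(asking);
        // Returning null means "no credentials", so any other host gets nothing.
        return sameOrigin ? new PasswordAuthentication(user, password) : null;
    }

    public static void main(String[] args) throws Exception {
        // URL from the article, without user:password. Basic auth is only
        // base64-encoded, so use https outside a local test.
        URL center = URI.create("http://localhost:8080/WebApplication4/updates.xml").toURL();
        // Constructed sample values; load real ones from a protected store.
        char[] secret = "constructed-password".toCharArray();
        Authenticator.setDefault(new UpdateCenterAuthenticator(center, "admin", secret));
        System.out.println("Authenticator installed for " + center.getHost());
    }
}
```

In a NetBeans Platform application the `Authenticator.setDefault(...)` call would run at startup, before the silent update check; where exactly it is hooked in is left as an assumption here.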

 

Published at DZone with permission of Toni Epple, author and DZone MVB.


Comments

Vincent Cantin replied on Wed, 2010/07/14 - 10:37am

Hello,

I would like to update my NetBeans RPC application silently, but I have trouble with the method you gave in the last paragraph:

- My certificate on the server is self-signed, and the https connection is refused - probably because the certificate is not issued from a trusted source. I don't know how to deal with this.

- The login and password are showing up in the URL in the logs if the connection cannot be made. That's not safe at all for the user to have their login and password displayed in the logs.

 

 

Toni Epple replied on Thu, 2010/07/15 - 4:16am

Hi Vincent,

 You need to import your self-signed certificate to the truststore.

Putting the credentials in the URL was just the simplest way of doing it as a proof of concept. Normally you would register your own java.net.Authenticator that silently returns the correct username and password. 

  cheers

 Toni

Matt Coleman replied on Thu, 2013/01/10 - 12:06am

I needed this for my security. Thanks!

buffalo freelance web designer 

Cata Nic replied on Mon, 2013/09/02 - 5:09pm

The security is the main problem of any online application. When the app is connected to the web, everything is possible...

Allan Rich replied on Wed, 2014/01/22 - 10:27am

I think your system security is extremely important especially when you are linked to some sort of network, online viruses will always find a way to you if you don't take action. Taking your laptop at work is increasing the risks even more, that's why checking out the security options on http://www.trendmicro.com/us/enterprise/challenges/it-consumerization/index.html is always a good idea.
