• Status: Solved

How to get client's MAC address by which it connects to server

We have a Java web service, running on WebSphere. A Java client is installed on every client PC (Windows 2000 or Windows 2003) to do the connection, through SSL.

Now we want to authenticate clients by their MAC address. As we have a thick client installed on client side, I know we can easily get client's MAC address by simple "ipconfig /all" or WMI scripting. (But I don't know a pure Java way. If anyone does, it's appreciated too.)

However, we consider the possibility that a client PC may have more than 1 LAN cards. What we want is, during each single connection, to get the MAC address of the LAN card by which the client uses to connect to server. I wonder if this is possible?
Asked by wcleung9

2 Solutions
giltjrCommented:
I would suggest that you pick another method of authentication: server and client side certificate authentication. Do self-signed client side certificates based on each PC. Validate the certificate when the client connects. If you want to cut off a specific PC, then you just remove its certificate from your keyring file.


In addition to having a client with more than one NIC, you also have the problem of them replacing the NIC if it dies. What happens if a client uses more than one computer?

How are you going to populate your database you validate against?  Is the user going to have to tell you his MAC address?

PraxisWebCommented:
And don't forget about MAC spoofing...
wcleung9Author Commented:
Actually, client side certificate authentication is the approach we are currently using.

An incident that happened was that an unfaithful user produced a backup image of his PC's hard disk contents and gave the image to a third party. That third party then successfully connected to our web service, just because they had the certificate. So we learnt that a digital certificate is a mere file, which can be easily copied.

That's why we came up with the MAC address approach. We searched Google and read through many discussions about this topic. We fully understand the drawbacks: the user's MAC address changes when he replaces the NIC, or when he uses another computer. So yes, we will require users to submit their MAC addresses to us every time after they change it. We would rather sacrifice users' convenience so as to make the mechanism more secure.

Well, this MAC address approach is more practical in our case than usual because:
1. each user uses one and only one computer as the client PC to connect to our web service.
2. users rarely change the hardware components of their client PC, at most once or twice per year.
3. users rarely change to another computer as the client PC, at most once every 3 to 4 years.
4. users are obligated to use the web service, whether they think it's convenient or not.
giltjrCommented:
Was the client side certificate user based? It sounds like it. You need one that is based on the user's IP address, that is, machine based. As long as each user has a static IP address, you are fine.
wcleung9Author Commented:
Yeah, MAC spoofing would be a problem...

In fact we wanted to use more hardware info. However, not much hardware info is as unique as a MAC address.

We wondered if the CPU has something like a unique serial number, but then learnt that Intel was forced to remove such a "fingerprint" from their products due to privacy issues.

Some suggested to use hard drive's volume label. Then others said that, although it is supposed to be randomly generated, it is actually not that random.
giltjrCommented:
http://forum.java.sun.com/thread.jspa?threadID=245711&start=0

This is a link to some Java code that is supposed to be able to get the MAC and IP address.

Some CPUs have a unique serial number, but there is a way to disable this from being presented and I believe that most systems now ship with this disabled.

There is not a whole lot that is unique to a PC that can't be changed, hidden, or is copied over when doing some sort of disk copy.

If the desktops have static IP addresses, you may be able to use a combination of:

     the IP address that your server sees
     the MAC address of the computer
     the IP address of the computer

In the situation you described above, the only way the computer running the copy of the software would have worked is if it was behind the same firewall/proxy server as the original and the original computer was turned off, and they had spoofed the MAC address. If they are going to that much trouble, then there is not a whole lot you can do to prevent them from getting in.
wcleung9Author Commented:
Thanks for the link. It might come in handy.

Actually we had considered all three pieces of info you mentioned (though not the combination of them).
MAC address is the info we chose to use.
For the "IP address the server sees", i.e. the public IP of the client, yes, the clients have fixed public IP. But I heard that (I haven't dug into the code yet) our web service mechanism, XML-RPC, has difficulty in obtaining that info. Please correct me if this is wrong.
Since we can't get the fixed public IP, getting the internal IP becomes meaningless.

I agree that if we can use this combination for authentication, it's secured enough for our needs.
Well, apart from the discussion about the authentication means, just want to ask again: any method to get client's MAC address by which it connects to server?
giltjrCommented:
I know that WebSphere knows the IP address that the client connects to it with. So it should just be a matter of passing this as a parameter to your application when it is launched.

If a client has more than one MAC address you will not be able to see which one it connects to you with. In order to do that you have to "see" the whole path to the client. In fact you really should not care what MAC address the client is using, as long as it has one that you know about.

Some PCs today are set up with multiple NICs (thus multiple MACs) and have dynamic pathing set up so that if a path via one NIC does not work it will try a path using the other NIC. Do you really care which one it uses?
PraxisWebCommented:
Something else that came to mind once I started dealing with some issues at work was your privacy policy.  Depending on how your service works IE6+ might block anything that gets personally identifiable information unless you have a specific P3P header that is allowed by the browser, especially if you use cookies in any way.

As far as Java code goes try this:
Also Check out http://forum.java.sun.com/thread.jspa?threadID=245711

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ARPTable {

    // IP -> MAC, as reported by the local "arp -a" command (Windows format: 00-11-22-33-44-55)
    private final Map<String, String> addressArray =
            Collections.synchronizedMap(new HashMap<String, String>());

    private static final String IP_PATTERN = "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}";
    private static final String MAC_PATTERN = "[\\da-zA-Z]{1,2}(\\-[\\da-zA-Z]{1,2}){5}";

    public void updateARPTable() {
        Matcher a = this.getARPResult();
        if (a == null) {
            return;   // "arp -a" could not be run; keep the previous table
        }
        addressArray.clear();   // clear once before re-populating, not on every match
        while (a.find()) {
            String[] ss = a.group().split("\\s+");
            String ip = "", mac = "";
            for (int i = 0; i < ss.length; i++) {
                if (ss[i].matches(IP_PATTERN)) ip = ss[i];
                if (ss[i].matches(MAC_PATTERN)) mac = ss[i];
            }
            addressArray.put(ip, mac);
        }
    }

    // Runs "arp -a" and returns a Matcher over its output, or null if the command failed to start.
    private Matcher getARPResult() {
        Process p;
        try {
            // TODO: add a check for the OS ("arp -a" output format differs between Windows and Unix)
            p = Runtime.getRuntime().exec("arp -a");
        } catch (IOException e) {
            e.printStackTrace();
            return null;
        }

        StringBuilder output = new StringBuilder();   // start empty, not with the string "null"
        try {
            BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String currentLine;
            while ((currentLine = in.readLine()) != null) {
                output.append(currentLine).append("\n");
            }
            in.close();
        } catch (IOException e) {
            e.printStackTrace();
        }

        Pattern arpPattern = Pattern.compile(IP_PATTERN + "\\s*" + MAC_PATTERN);
        return arpPattern.matcher(output.toString());
    }

    public String getMAC(String ip) {
        String mac = this.addressArray.get(ip);
        return (mac != null) ? mac : "";
    }
}

[REF: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4143901 ]
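The asker's actual question (which NIC the thick client uses for a given connection) can be answered on the client side in pure Java without parsing ARP output: let the OS pick the source address for the server, then look up the interface that owns it. This is an added example, not code from the thread; the server name is a placeholder, and getHardwareAddress() needs Java 6 or later. The value is still self-reported by the client, so it does not remove the spoofing and disk-copy problems the thread already discusses.

```java
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;

public class OutboundMac {

    // Formats a hardware address as 00-11-22-33-44-55 (the style "arp -a" prints on Windows), or "" if none.
    static String formatMac(byte[] mac) {
        if (mac == null) return "";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < mac.length; i++) {
            sb.append(String.format("%02X", mac[i]));
            if (i < mac.length - 1) sb.append('-');
        }
        return sb.toString();
    }

    // Returns the MAC of the local NIC that the OS routing table selects for reaching host:port.
    // connect() on a UDP socket sends no packet; it only makes the OS choose a source address.
    static String macUsedToReach(String host, int port) throws SocketException, UnknownHostException {
        InetAddress local;
        DatagramSocket s = new DatagramSocket();
        try {
            s.connect(InetAddress.getByName(host), port);
            local = s.getLocalAddress();
        } finally {
            s.close();
        }
        if (local.isAnyLocalAddress()) {
            return "";   // no usable route to the server
        }
        NetworkInterface nic = NetworkInterface.getByInetAddress(local);
        if (nic == null) {
            return "";   // source address could not be mapped to an interface
        }
        return formatMac(nic.getHardwareAddress());
    }

    public static void main(String[] args) throws Exception {
        // "server.example.invalid" is a placeholder; pass the real service host and port as arguments
        String host = args.length > 0 ? args[0] : "server.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        System.out.println("NIC used to reach " + host + ":" + port + " -> " + macUsedToReach(host, port));
    }
}
```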
PraxisWebCommented:
You may also want to check out this post:
http:Web_Languages/CGI/Q_21022121.html