
Tag Archives: Security

Security Requirements With Abuse Cases


Gary McGraw describes several best practices for building secure software. One is the use of so-called abuse cases. Since his chapter on abuse cases left me hungry for more information, this post examines additional literature on the subject and how to fit abuse cases into a Security Development Lifecycle (SDL). Modeling Functional Requirements With Use Cases Abuse cases are an ...


Bcrypt, Salt. It’s The Bare Minimum.


The other day I read this Ars Technica article and realized how tragic the situation is. And it is not this bad because of the evil hackers. It's bad because few people know how to handle one very common thing: authentication (signup and login). But it seems even cool companies like LinkedIn and Yahoo do it wrong (tons of passwords have ...


Cross Site Scripting (XSS) and prevention


Variants of cross-site scripting (XSS) attacks are almost limitless, as the OWASP site notes (https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). Here I propose a servlet-filter-based solution for sanitizing the HTTP request. The attack: let's see how an XSS attack manifests itself. Attached is an oversimplified portlet that shows a scenario that is very common in social and collaboration ...


WSO2 Identity Server: Identity Management platform


WSO2 Identity Server provides a flexible, extensible and robust platform for Identity Management. This blog post looks inside WSO2 Identity Server to identify the different plug points available for Authentication, Authorization and Provisioning. WSO2 Identity Server supports the following standards/frameworks for authentication, authorization and provisioning. 1. SOAP-based authentication API 2. Authenticators 3. OpenID 2.0 for decentralized Single Sign-On 4. SAML2 ...


Spring security 3 Ajax login – accessing protected resources


I have seen some blogs about Spring Security 3 Ajax login; however, I could not find any that tackles how to invoke an Ajax-based login when a protected resource is accessed via Ajax by an anonymous user. The problem: the web application enables anonymous access to certain parts, while other parts are protected resources that require the user ...


Spring Security – Two Security Realms in one Application


This blog post is mainly about Spring Security configuration. More specifically, it intends to show how to configure two different security realms in one web application. The first security realm is intended for browser clients. It lets us log in via the login page and access protected resources. The second security realm is intended for the REST web ...


GlassFish JDBC Security with Salted Passwords on MySQL


One of the most successful posts on this blog is my post about setting up a JDBC Security Realm with form-based authentication on GlassFish. Some comments on this post made me realize that there is more to do to actually make this as secure as it should be. Security out of the box: GlassFish comes with a ...


Hash Length Extension Attacks


In this post I will try to leave the summer slump behind and focus on more interesting things than complaining about the weather: hash length extension attacks. Hash length extension attacks are neither complicated nor highly sophisticated; to be honest, they are just about how hash functions are used. As discussed in one of my earlier posts, there are ...


Database Abstraction and SQL Injection


I have subscribed to various user groups of jOOQ's competing database abstraction tools. One of them is ActiveJDBC, a Java implementation of the Active Record design pattern. Its maintainer Igor Polevoy recently claimed that: SQL injection is a web application problem, and not directly related to an ORM. ActiveJDBC will process any SQL that is passed to it. (See the discussion ...


Extending JMeter with a WS-Trust/STS sampler


JMeter does not have any built-in support for WS-Security or WS-Trust, which is why I developed this STS Sampler for JMeter; it should make life easier for anyone load testing an STS. First you need the Apache JMeter distribution. I am using v2.7. Then download sts.sampler.zip from here, unzip it and copy the "repo" ...
