Home » Tag Archives: Security (page 11)

Tag Archives: Security

XACML In The Cloud


The eXtensible Access Control Markup Language (XACML) is the de facto standard for authorization. The specification defines an architecture (see image on the right) that relates the different components that make up an XACML-based system. This post explores a variation on the standard architecture that is better suitable for use in the cloud. Authorization in the Cloud In cloud computing, ...

Read More »

Security Requirements With Abuse Cases


Gary McGraw describes several best practices for building secure software. One is the use of so-called abuse cases. Since his chapter on abuse cases left me hungry for more information, this post examines additional literature on the subject and how to fit abuse cases into a Security Development Lifecycle (SDL). Modeling Functional Requirements With Use Cases Abuse cases are an ...

Read More »

Bcrypt, Salt. It’s The Bare Minimum.


The other day I read this Arstechnica article and realized how tragic the situation is. And it is not this bad because of the evil hackers. It’s bad because few people know how to handle one very common thing: authentication (signup and login). But it seems even cool companies like LinkedIn and Yahoo do it wrong (tons of passwords have ...

Read More »

Cross Site Scripting (XSS) and prevention


Variants of Cross site scripting (XSS) attacks are almost limitless as mentioned on the OWASP site (https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). Here I propose to use a Servlet Filter based solution for sanitization of HTTP Request. The attack Lets see how an XSS attack manifests itself. Attached is an over simplified portlet which shows a scenario which is very common in social and collaboration ...

Read More »

WSO2 Identity Server: Identity Management platform


WSO2 Identity Server provides a flexible, extensible and robust platform for Identity Management. This blog post looks inside WSO2 Identity Server to identify different plug points available for Authentication, Authorization and Provisioning. WSO2 Identity Server supports following standards/frameworks for authentication, authorization and provisioning. 1. SOAP based authentication API 2. Authenticators 3. OpenID 2.0 for decentralized Single Sign On 4. SAML2 ...

Read More »

Spring security 3 Ajax login – accessing protected resources


I have seen some blogs about Spring Security 3 Ajax login, however I could not find any that tackles how to invoke Ajax based login, where a protected resource is being accessed in Ajax by an anonymous user. The problem – The web application enables anonymous access to certain parts and certain parts are protected resources which require the user ...

Read More »

Spring Security – Two Security Realms in one Application


This blog post is mainly about Spring Security configuration. More specifically it is intending to show how to configure two different security realms in one web application. First security realm is intended for the browser clients. It enables us to log in with in the login page and access protected resources. Second security realm is intended for the REST web ...

Read More »

GlassFish JDBC Security with Salted Passwords on MySQL


One of the most successful posts on this blog is my post about setting up a JDBC Security Realm with form based authentication on GlassFish. Some comments on this post made me realize that there is more to do to actually make this secure as it should be. Security out of the box Picture: TheKenChan (CC BY-NC 2.0) GlassFish comes with a ...

Read More »

Hash Length Extension Attacks


In this post I will try to leave the summer slump behind and focus on more interesting things than complaining about the weather – hash length extension attacks. Hash length extension attacks are nothing complicated or high sophisticated, to be honest it is just about how to use hash functions. As discussed in one of my former posts there are ...

Read More »

Database Abstraction and SQL Injection


I have subscribed to various user groups of jOOQ’s competing database abstraction tools. One of which is ActiveJDBC, a Java implementation of Active Record design pattern. Its maintainer Igor Polevoy recently claimed that: SQL injection is a web application problem, and not directly related to an ORM. ActiveJDBC will process any SQL that is passed to it. (See the discussion ...

Read More »
Want to take your Java Skills to the next level?
Grab our programming books for FREE!
  • Save time by leveraging our field-tested solutions to common problems.
  • The books cover a wide range of topics, from JPA and JUnit, to JMeter and Android.
  • Each book comes as a standalone guide (with source code provided), so that you use it as reference.
Last Step ...

Where should we send the free eBooks?

Good Work!
To download the books, please verify your email address by following the instructions found on the email we just sent you.