
Tag Archives: Security

Database Abstraction and SQL Injection


I have subscribed to various user groups of jOOQ’s competing database abstraction tools, one of which is ActiveJDBC, a Java implementation of the Active Record design pattern. Its maintainer Igor Polevoy recently claimed that: “SQL injection is a web application problem, and not directly related to an ORM. ActiveJDBC will process any SQL that is passed to it.” (See the discussion ...

Read More »

Extending JMeter with a WS-Trust/STS sampler


JMeter does not have any inbuilt support for WS-Security or WS-Trust and that made me develop this STS Sampler for JMeter – which could make anyone’s life better while load testing an STS. First you need to have the Apache JMeter distribution. I am using v2.7. Then you can download sts.sampler.zip from here – unzip it and copy the “repo” ...

Read More »

Implementing SAML to XACML


Before Implementing SAML. This is how an XACML request looks when it arrives at the PDP (Policy Decision Point) to be evaluated.

    <Request xmlns='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
      <Subject>
        <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:subject:subject-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>admin</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
      <Environment/>
    </Request>

Basically it states who (Subject) is wanting to access which resource and what action ...

Read More »

OAuth 2.0 Webapp Flow Overview


In my last few blogs I’ve been talking about accessing Software as a Service (SaaS) providers such as Facebook and Twitter using Spring Social. Some of you may have noticed that my sample code may have been a bit thin on the ground as I’ve been trying to describe what’s going on in the background and what Spring Social is ...

Read More »

Anti cross-site scripting (XSS) filter for Java web apps


Here is a good and simple anti cross-site scripting (XSS) filter written for Java web applications. What it basically does is remove all suspicious strings from request parameters before returning them to the application. It’s an improvement over my previous post on the topic. You should configure it as the first filter in your chain (web.xml) and it’s generally a ...

Read More »

JBoss AS 7: Custom Login Modules


JBoss AS 7 is neat but the documentation is still quite lacking (and error messages not as useful as they could be). This post summarizes how you can create your own Java EE-compliant login module for authenticating users of your webapp deployed on JBoss AS. A working elementary username-password module is provided. Why use Java EE standard authentication? Java EE security ...

Read More »

Servlet Basic Auth in an OSGi environment


You will first need to get a reference to the OSGi HTTP Service. You can do this through a declarative service. This post will concentrate on the steps after getting a reference to the HTTP Service. Note: The complete class for this post is located here. When registering a servlet through the OSGi HTTP Service, it provides you with an option ...

Read More »

Preventing CSRF in Java web apps


Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I recommend you check out OWASP’s page about it. Luckily preventing CSRF attacks is quite simple; I’ll try to show you how they work and how we can defend against them in the least obtrusive ...

Read More »

Google Services Authentication in App Engine, Part 2


In the first part of the tutorial I described how to use OAuth for access/authentication for Google’s API services. Unfortunately, as I discovered a bit later, the approach I used was OAuth 1.0, which has apparently now been officially deprecated by Google in favor of version 2.0 of OAuth. Obviously, I was a bit bummed to discover this, and promised I ...

Read More »

Google Services Authentication in App Engine, Part 1


This post will illustrate how to build a simple Google App Engine (GAE) Java application that authenticates against Google as well as leverages Google’s OAuth for authorizing access to Google’s API services such as Google Docs. In addition, building on some of the examples already provided by Google, it will also illustrate how to persist data using the App Engine ...

Read More »