Home » Security » Page 17

Tag Archives: Security

Preventing CSRF in Java web apps

Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I recommend you check out OWASPs page about it. Luckily preventing CSRF attacks is quite simple, I’ll try to show you how they work and how we can defend from them in the least obtrusive ...

Read More »

Google Services Authentication in App Engine, Part 2

In the first part of the tutorial I described how to use OAuth for access/authentication for Google’s API services. Unfortunately, as I discovered a bit later, the approach I used was OAuth 1.0, which has apparently now been officially deprecated by Google in favor of version 2.0 of OAuth. Obviously, I was a bit bummed to discovered this, and promised I ...

Read More »

Google Services Authentication in App Engine, Part 1

This post will illustrate how to build a simple Google App Engine (GAE) Java application that authenticates against Google as well as leverages Google’s OAuth for authorizing access to Google’s API services such as Google Docs. In addition, building on some of the examples already provided by Google, it will also illustrate how to persist data using the App Engine ...

Read More »

Where do Security Requirements come from?

One of the problems in building a secure application is that it’s not always clear what the security requirements are and where they are supposed to come from. Are security requirements supposed to come from the customer? Are they specified in the regulatory and compliance environment? Or are they implicit in the type of application that you are building – ...

Read More »

Key Exchange Patterns with Web Services Security

When we have message level security with web services – how we achieve integrity and confidentiality is through keys. Keys are used to sign and encrypt messages been passed from the rqeuestor to the recipient or form the client to the service and vise versa. During this blog post, we’ll be discussing different key exchange patterns and their related use ...

Read More »

Java JAAS form based authentication


Implementing a login module using JAAS is an of advance topic and also most of the developers have rare chance of involving with this kind of development. But the basic implementation of JAAS login module is not that much hard implementation.That is because, I intended to post this. Here, I am explaining, how to implement a tomcat managed authentication module. ...

Read More »

Apache Shiro Part 3 – Cryptography

Besides securing web pages and managing access rights Apache Shiro does also basic cryptography tasks. The framework is able to: encrypt and decrypt data, hash data, generate random numbers. Shiro does not implement any cryptography algorithms. All calculations are delegated to Java Cryptography Extension (JCE) API. The main benefit of using Shiro instead of what is already present in Java ...

Read More »

Apache Shiro Part 2 – Realms, Database and PGP Certificates

This is second part of series dedicated to Apache Shiro. We started previous part with simple unsecured web application. When we finished, the application had basic authentication and authorization. Users could log in and log out. All web pages and buttons had access rights assigned and enforced. Both authorization and authentication data have been stored in static configuration file. As ...

Read More »

Apache Shiro Part 1 – Basics

Apache Shiro, originally called JSecurity, is Java security framework. It was accepted and became Apache top level project in 2010. It aims to be powerful and easy to be used. The project is in active development with active both users and developers mailing lists. Most important areas are documented on its web page. However, it has lot of gaps in ...

Read More »