In this post we will be looking at code for a system designed to integrate all of the devices used to provide surveillance and security to extensive physical premises such as malls, campuses, and industrial parks. The approach I am taking involves the actor paradigm and the Java programming language. The selection of actors for this type of application is based on a number of...
Introducing a project for developing a premises guardian system in Java with actors.
Is it more secure to allow the browser to save a website password or prohibit the browser from saving the password?
HTML5 brings new opportunities – for developers and for attackers.
Here you will see two examples of how an attacker could abuse HTML5 and how you as a developer could prevent this (or not).
These are only two of many new or improved attacks on web clients. I chose them for two reasons: the first is a new attack, first described in December 2011 and not widely known to developers. The second shows a misuse of new HTML5 functionality which has often been overlooked.
Servlet 3.1 Specification (JSR 340) and Java Authorization Contract for Containers (JSR 115) MR3 are almost ready for release. Besides "*", the role-name "**" is introduced in the above two specifications.
In a nutshell, "*" means any role defined in web.xml and "**" means any authenticated user.
Prior to Servlet 3.1, web containers use proprietary mechanisms to add security-constraints for any...
Servlet 3.1 Specification (JSR 340) is almost ready for release. Several new security features have been added in this version of the Servlet specification.
In this blog, I will explain one of the security features, namely deny-uncovered-http-methods.
Let us take a look at a simple security-constraint in web.xml as follows:
<web-app xmlns="http://www.w3.org/2001/XMLSchema" ...
Servlet 3.1 was in Public Review in January 2013, and it is in Proposed Final Draft now. Most of the new features are related to security.
In the following, I will highlight features added since the Servlet 3.1 Public Review:
add new API javax.servlet.http.Part#getSubmittedFileName
add new API javax.servlet.ServletContext#getVirtualServerName
This API allows a JASPIC module to be registered in a Servlet...
A quick, hopefully readable analysis of this week's security exploit and fix over at my new blog
Cross-site request forgery (CSRF) is a malicious attack that exploits the trust a site places in a user's browser. As an example, a user may be tricked into invoking a URL that performs a bank transaction, either by clicking on the URL or by having the browser load it through an <img> tag. In GlassFish 3.1.1, there is a CSRF prevention filter, which is based on the one in Tomcat 7.
Single Sign On allows web applications to share the same authentication state.
GlassFish v2 supports virtual server level Single Sign On (SSO). Web applications with the same authentication realm in a given virtual server can share the authentication state in GlassFish v2.
GlassFish 3.1 supports SSO failover at cluster level. So one has high availability for Single Sign On in a virtual server of...
This entry discusses file permission and file attribute support in NIO.2 (JSR-203), which will be part of JDK 7. In this entry you can learn how to read file attributes like creation date and size, and permissions like the execute, read and write flags.
This is a rather long article covering OpenESB (Open ESB) administration and management, along with a complete sample application that shows how to develop solutions based on OpenESB.
A few years ago, we met with our business analysts to discuss security for our application.
Our goal was to implement our own authentication mechanism for the web-based or user-interface portion of the application.
We defined authentication security as "access rights to resources of the application".
After some initial discussion, one of our business analysts suggested we look for an
In JUG-AFRICA we started an Open Source project to manage the BIG ANNUAL EVENTS for our JUGs. The first release will be available in the early second half of January.
The application will provide many services via REST web services.
The GlassFish security book authored by Masoud Kalali and published by Packt is now available for purchase. The book covers GlassFish, Java EE 6, OpenSSO and OpenDS.
There is one talk I would like to comment on today: "Don't Be Pwned: A Very Short Course on Secure Programming in Java".
This talk, presented by Robert Seacord and Dean Sutherland from SEI/CERT, was the scariest Java talk I have ever been to.
Do you believe the software you write is secure enough? Whether you believe it or not, I suggest you take some time...
The www.abelski.com web site offers free (for personal and academic usage) courses about various topics in software development. The site focuses on Java technologies.
I decided to write down, in my weblog, the answers to some questions that my book's readers email me or ask me via Twitter, so everyone can benefit from them. Here is the answer to the first question, which involves custom security realms.
GlassFish supports 5 types of security realms out of the box, which are as follows:
File Realm: Useful for development and testing purposes. GlassFish...
The Java EE Security refcard is available for download. This refcard covers Java EE 6 security and discusses how each application server supports the specs. The refcard covers authentication, authorization, and transport security in web applications, EJB applications and web services by introducing each concept and the related annotations and deployment descriptors that help us realize it.