Group items tagged application

kuni katsuya

Authentication Cheat Sheet - OWASP

  • Authentication Cheat Sheet
  • Sessions should be
  • unique per user
  • computationally very difficult to predict
  • "strong" password policy
  • Secure Password Recovery Mechanism
  • Require re-authentication for Sensitive Features
  • Authentication and Error Messages
  • can be used for the purposes of user ID and password enumeration
  • Incorrectly implemented error messages
  • generic manner
  • respond with a generic error message regardless if the user ID or password was incorrect
  • give no indication to the status of an existing account
  • Authentication responses
  • "Invalid user ID or password"
  • does not indicate if the user ID or password is the incorrect parameter
  • Transmit Passwords Only Over TLS
  • login page
  • all subsequent authenticated pages
  • must be exclusively accessed over TLS
  • unencrypted session ID
  • credentials
  • Implement Account Lockout
  • lock out an account if more than a preset number of unsuccessful login attempts are made
  • can produce a result that locks out entire blocks of application user accounts
    • kuni katsuya
       
      somewhat of a denial-of-service attack, since legitimate users can no longer access their accounts/services
  • sensible strategy
  • is to lockout accounts for a number of hours
  • Password lockout mechanisms have a logical weakness
  • Session Management General Guidelines
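An added example, not part of the OWASP cheat sheet or of this bookmark page, that puts the highlighted guidelines together in Python: one generic response for unknown user, wrong password and locked account; a password hash that is computed and compared in constant time even when the user ID does not exist, so timing does not reveal which accounts are real; lockout for a number of hours after a preset number of failures; and a session ID drawn from the OS CSPRNG so it is unique per login and computationally hard to predict. The in-memory store, the thresholds and the user names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed settings for the example (not values from the cheat sheet):
# five failures, then a lockout measured in hours rather than a permanent
# lock, which bounds the denial-of-service an attacker can cause by
# deliberately failing logins against other people's accounts.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 4 * 3600
PBKDF2_ITERATIONS = 100_000
GENERIC_ERROR = "Invalid user ID or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_store(users: Dict[str, str]) -> Dict[str, dict]:
    """Build an in-memory store of salted PBKDF2 hashes (constructed test data)."""
    store = {}
    for user_id, password in users.items():
        salt = secrets.token_bytes(16)
        store[user_id] = {"salt": salt, "hash": _hash_password(password, salt),
                          "failures": 0, "locked_until": 0.0}
    return store


# Dummy credentials used when the user ID does not exist, so an unknown user
# costs the same hash computation as a real one (no timing-based enumeration).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)


def login(store: Dict[str, dict], user_id: str, password: str,
          now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Return (session_id, message); session_id is None on failure.

    Unknown user, wrong password and locked account all yield the same
    GENERIC_ERROR, so the response never says whether an account exists."""
    now = time.time() if now is None else now
    record = store.get(user_id)
    if record is None:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, expected = record["salt"], record["hash"]

    # Always hash and compare in constant time, whatever the outcome will be.
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)

    if record is None:
        return None, GENERIC_ERROR
    if record["locked_until"] > now:
        # Locked: reject even a correct password, with the same message.
        return None, GENERIC_ERROR
    if not password_ok:
        record["failures"] += 1
        if record["failures"] >= MAX_FAILURES:
            record["failures"] = 0
            record["locked_until"] = now + LOCKOUT_SECONDS
        return None, GENERIC_ERROR

    record["failures"] = 0
    # Session ID: 256 bits from the OS CSPRNG, unique per login and unpredictable.
    return secrets.token_urlsafe(32), "OK"
```

The lock check deliberately comes after the hash computation, so the locked path takes as long as the other failure paths. The hour-scale lockout is the cheat sheet's compromise between brute-force resistance and the lockout-as-denial-of-service problem noted in the comment above.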
kuni katsuya

Temporary Documentation - Apache DeltaSpike - Apache Software Foundation

  • DeltaSpike will consist of a number of portable CDI extensions that provide useful features for Java application developers
  • de-facto standard of CDI-Extensions
  • Project-Configuration (with Maven)
kuni katsuya

Security Module Drafts - Apache DeltaSpike - Apache Software Foundation

  • Authorization
  • Impersonalization
    • kuni katsuya
       
      impersonation
  • authenticates “as a user” or accesses the application imitating his identity - without knowing his password
  • elements of the user interface are displayed to the user based on the user's privilege level
  • assign permissions to individual objects within the application’s business domain
    • kuni katsuya
       
      individual objects == instances
  • Permissions
  • Permissions assigned to user for a given resource in the tree are inherited by other resources
  • Permissions are inherited
  • persist user, group and role information in a database. JPA implementation is his dream
  • Security Module Drafts
  • Identity
  • interface Identity
  • login()
  • logout()
  • getUser()
  • Events: LoggedInEvent, LoginFailedEvent, AlreadyLoggedInEvent, PreLoggedOutEvent, PostLoggedOutEvent, PreAuthenticateEvent, PostAuthenticateEvent
  • Object level permission
  • Grant or revoke permissions
  • Group management
  • User/Identity management
  • identity.hasRole
  • identity.hasPermission
  • Permissions model
  • Identity Management (IDM)
  • User, Group and Role
  • Events
  • hooks for common IDM or Security operations
  • Audit and logging for permission and IDM related changes
  • Event API.
  • control which elements of the user interface are displayed to the user based on their assigned permissions
  • ask for permission
  • without need to obtain object from DB
  • String resourceId
  • structure of resources
  • more advanced security resolution mechanisms
  • Rules based engine
  • external services - XACML
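An added example, written for this page and not DeltaSpike's own API, of the permission model the draft sketches: object-level permissions keyed by a string resource id, a resource tree in which a grant on an ancestor is inherited by its descendants, role and per-user grants checked through hasRole/hasPermission-style calls, and a check that needs only the id, not the object loaded from the database. The path syntax ('project/7/doc/42'), the 'user:'/'role:' principal prefixes and the sample grants are assumptions made for the illustration.

```python
from typing import Dict, Set, Tuple


class PermissionStore:
    """Permissions keyed by (principal, resource id). A resource id is a
    '/'-separated path such as 'project/7/doc/42' (assumed syntax); a grant on
    an ancestor resource is inherited by every descendant, and a check needs
    only the string id, never the persisted object."""

    def __init__(self) -> None:
        self._user_roles: Dict[str, Set[str]] = {}
        self._grants: Dict[Tuple[str, str], Set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        self._user_roles.setdefault(user, set()).add(role)

    def has_role(self, user: str, role: str) -> bool:
        return role in self._user_roles.get(user, set())

    def grant(self, principal: str, resource_id: str, operation: str) -> None:
        """principal is 'user:<name>' or 'role:<name>' (assumed convention)."""
        self._grants.setdefault((principal, resource_id), set()).add(operation)

    def revoke(self, principal: str, resource_id: str, operation: str) -> None:
        self._grants.get((principal, resource_id), set()).discard(operation)

    def has_permission(self, user: str, resource_id: str, operation: str) -> bool:
        principals = {f"user:{user}"} | {
            f"role:{r}" for r in self._user_roles.get(user, set())}
        parts = [p for p in resource_id.split("/") if p]
        # Walk from the resource itself up to the root ('') so that a grant
        # on any ancestor in the resource tree applies to this resource.
        for depth in range(len(parts), -1, -1):
            rid = "/".join(parts[:depth])
            for principal in principals:
                if operation in self._grants.get((principal, rid), set()):
                    return True
        return False


def visible_actions(store: PermissionStore, user: str, resource_id: str,
                    candidate_actions: Tuple[str, ...]) -> Tuple[str, ...]:
    """Filter UI actions (buttons, menu items) to those the user may perform,
    which is the 'display elements based on permissions' point above."""
    return tuple(a for a in candidate_actions
                 if store.has_permission(user, resource_id, a))
```

Grants on the root id '' act as application-wide permissions; a rules engine or an external XACML service would slot in behind has_permission without changing the callers.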
kuni katsuya

Interview of GraniteDS founders | RIAgora

  • explained the origin of GraniteDS and the differences with LiveCycle Data Services
  • ActionScript3 reflection API
  • GraniteDS 2.2
  • JSR-303 (“Bean Validation”) ActionScript3 framework for form validation
  • validation framework is a specific adaptation of the JSR-303 (Bean Validation) specification to Flex: like its Java counterpart, it relies on validation annotations placed on bean properties and provides an engine API that lets you validate your forms without writing by hand a specific validator for each of your input fields
  • code generation tools provided by GraniteDS so that when you write your Java entity bean with validation annotations, they are automatically replicated in your ActionScript3 beans
  • problem with LCDS is mainly that it promotes a strict “client / server” architecture, with – roughly speaking – a heavy Flex client application connected to a server almost reduced to a database frontend
  • big majority of  these organizations use BlazeDS, a free and open-source subset of LCDS
  • need more advanced mechanisms than just Remoting start looking for open-source libraries to enable deeper integrations with the Java business layer, and GraniteDS is for sure the most popular project
  • “Flex Data Services” (now renamed to “Live Cycle Data Services”)
  • Flex Data Services seemed too “client-centric”
kuni katsuya

JPA Reference Guide - JBoss AS 7.1 - Project Documentation Editor

  • Troubleshooting: The org.jboss.as.jpa logging can be enabled to get the following information:
    • INFO - when persistence.xml has been parsed, starting of persistence unit service (per deployed persistence.xml), stopping of persistence unit service
    • DEBUG - informs about entity managers being injected, creating/reusing transaction scoped entity manager for active transaction
    • TRACE - shows how long each entity manager operation took in milliseconds, application searches for a persistence unit, parsing of persistence.xml
  • Container-managed Extended Persistence context
  • extended persistence context can
  • span multiple transactions
  • and allows data modifications to be queued up (like a shopping cart),
  • without an active JTA transaction
  • EXTENDED
  • entity lifecycle
  • is managed by the underlying persistence provider.
  • New (transient):
  • an entity is new if it has just been instantiated using the new operator, and it is not associated with a persistence context. It has no persistent representation in the database and no identifier value has been assigned.
  • Managed (persistent):
  • a managed entity instance is an instance with a persistent identity that is currently associated with a persistence context.
  • Detached:
  • the entity instance is an instance with a persistent identity that is no longer associated with a persistence context, usually because the persistence context was closed or the instance was evicted from the context.
  • Removed:
  • a removed entity instance is an instance with a persistent identity, associated with a persistence context, but scheduled for removal from the database.
  • Replacing the current Hibernate 4.0.x jars with a newer version
  • update the current as7/modules/org/hibernate/main folder
  • Delete *.index files in as7/modules/org/hibernate/main and as7/modules/org/hibernate/envers/main folders
  • Remove the older jars and copy new Hibernate jars into as7/modules/org/hibernate/main + as7/modules/org/hibernate/envers/main.
  • Update the as7/modules/org/hibernate/main/module.xml
  • as7/modules/org/hibernate/envers/main/module.xml to name the jars that you copied in.
kuni katsuya

JBoss Tools : 2012 : February : 8 | JBoss Tools | JBoss Community

  • Debugging and Browsing OpenShift Applications in Eclipse
kuni katsuya

Overview of Interceptors - The Java EE 6 Tutorial

  • Overview of Interceptors
  • allow developers to invoke interceptor methods in conjunction with method invocations or lifecycle events on an associated target class
  • logging, auditing, or profiling
  • Interceptor classes and methods are defined using metadata annotations, or in the deployment descriptor of the application containing the interceptors and target classes
  • Interceptor Metadata Annotations
  • AroundInvoke
  • AroundTimeout
  • PostConstruct
  • PreDestroy
  • Interceptor classes must have a public, no-argument constructor
kuni katsuya

Chapter 9. Integration with Seam 2.2

  • Integration with Seam 2.2
  • GraniteDS provides out-of-the-box integration with Seam 2.2 via either the RemoteObject API or the Tide API to remotely call Seam components, and fully supports serialization of JPA entities from and to your Flex application, taking care of lazily loaded associations
kuni katsuya

Forgot Password Cheat Sheet - OWASP

  • Forgot Password Cheat Sheet
  • no industry standard for implementing a Forgot Password feature
  • Step 1) Gather Identity Data or Security Questions
  • asks the user for multiple pieces of hard data that should have been
  • previously collected
  • send the password reset information to some
  • out-of-band side-channel
  • such as a (possibly different) email address or an SMS text number, etc. to be used in Step 3.
  • Step 2) Verify Security Questions
  • application verifies that each piece of data is correct for the given username
  • If anything is incorrect, or if the username is not recognized, the second page displays a generic error message such as “Sorry, invalid data”. If all submitted data is correct, Step 2 should display at least two of the user’s pre-established personal security questions, along with input fields for the answers.
  • Avoid sending the username as a parameter
  • Do not provide a drop-down list
  • server-side session
  • user's email account may have already been compromised
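An added example, not taken from the OWASP cheat sheet, that carries the three steps above through in Python: Step 1 verifies the previously collected hard identity data and, on success, opens a server-side session and returns two of the user's pre-established questions; Step 2 checks the answers for the user bound to that session, so the username is never sent back as a parameter, and on success sends a single-use, time-limited token over the out-of-band channel; Step 3 redeems the token. Every failure in Steps 1 and 2 is the same generic message. The user record layout, the 15-minute token lifetime and the sample data are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60            # assumed lifetime for a reset token
GENERIC_ERROR = "Sorry, invalid data"
RESET_SENT = "If the details matched an account, reset instructions have been sent"


def _normalise(value: str) -> bytes:
    # Hash after trimming and lower-casing so comparisons are constant time
    # and tolerant of harmless formatting differences in typed answers.
    return hashlib.sha256(value.strip().lower().encode()).digest()


def _equal(a: str, b: str) -> bool:
    return hmac.compare_digest(_normalise(a), _normalise(b))


class ForgotPassword:
    """users: username -> {"identity": {field: value}, "questions": {question: answer},
    "contact": out-of-band address, "password_hash": bytes or None} (assumed layout).
    send(contact, token) delivers the token over the side channel (e-mail, SMS)."""

    def __init__(self, users: Dict[str, dict], send: Callable[[str, str], None]) -> None:
        self._users = users
        self._send = send
        self._sessions: Dict[str, dict] = {}   # session id -> {"user", "questions"}
        self._tokens: Dict[bytes, dict] = {}   # sha256(token) -> {"user", "expires"}

    def step1_identify(self, username: str, identity: Dict[str, str]) -> Tuple[Optional[str], object]:
        """Verify the hard identity data; on success return (session_id, questions)."""
        user = self._users.get(username)
        if user is None:
            return None, GENERIC_ERROR
        expected = user["identity"]
        if expected.keys() != identity.keys() or not all(
                _equal(expected[k], identity[k]) for k in expected):
            return None, GENERIC_ERROR
        questions = secrets.SystemRandom().sample(list(user["questions"]), 2)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": username, "questions": questions}
        return session_id, questions

    def step2_answer(self, session_id: str, answers: Dict[str, str],
                     now: Optional[float] = None) -> str:
        """Check the answers for the user bound to the session; the username is
        not a request parameter. On success send a single-use token out of band."""
        now = time.time() if now is None else now
        session = self._sessions.pop(session_id, None)   # one attempt per session
        if session is None:
            return GENERIC_ERROR
        user = self._users[session["user"]]
        if answers.keys() != set(session["questions"]) or not all(
                _equal(user["questions"][q], answers[q]) for q in session["questions"]):
            return GENERIC_ERROR
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked table of pending resets yields no usable tokens.
        self._tokens[hashlib.sha256(token.encode()).digest()] = {
            "user": session["user"], "expires": now + TOKEN_TTL_SECONDS}
        self._send(user["contact"], token)
        return RESET_SENT

    def step3_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Redeem the token once, within its lifetime, and store a salted hash."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None or entry["expires"] < now:
            return False
        salt = secrets.token_bytes(16)
        self._users[entry["user"]]["password_hash"] = salt + hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), salt, 100_000)
        return True
```

The questions are offered as prompts with free-text answer fields, never as a drop-down of choices, and the token is the only thing that leaves the server. Because the user's e-mail account may already be compromised, the contact field should be a channel established before the reset request rather than an address supplied during it.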
kuni katsuya

SQL Injection - OWASP

  • SQL Injection
  • "injection" of a SQL query via the input data from the client to the application
  • exploit can
  • read sensitive data
  • modify database data
  • execute administration operations
  • SQL injection errors occur when:
  • Data enters a program from an
  • untrusted source
  • The data used to
  • dynamically construct a SQL query
  • consequences are:
  • Confidentiality:
  • sensitive data
  • Authentication
  • user names and passwords
  • Authorization
  • change this information
  • Integrity
  • read sensitive information
  • changes or even delete this information
kuni katsuya

Preventing SQL Injection in Java - OWASP

  • Preventing SQL Injection in Java
  • inject (or execute) SQL commands within an application
  • Defense Strategy
  • To prevent SQL injection:
  • All queries should be
  • parametrized
  • All dynamic data
  • should be
  • explicitly bound to parametrized queries
  • String concatenation
  • should never be used
  • to create dynamic SQL
  • OWASP SQL Injection Prevention Cheat Sheet.
  • Parameterized Queries
  • Prepared Statements
  • automatically be escaped by the JDBC driver
  • userId = ?
  • PreparedStatement
  • setString
  • Dynamic Queries via String Concatenation
  • never construct SQL statements using string concatenation of unchecked input values
  • dynamic queries via the java.sql.Statement class leads to SQL Injection
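An added example serving both OWASP entries above (the SQL Injection page and the Java prevention page). It is written in Python against the standard-library sqlite3 module rather than Java, so it runs with no driver installed; the `?` placeholders bound through `execute(sql, params)` are the same mechanism as JDBC's `PreparedStatement` with `setString`, and the concatenation flaw is the same as building SQL from `java.sql.Statement`. The table, rows and the two payloads are constructed for the demonstration; the plaintext password column exists only to keep the login-bypass case short.

```python
import sqlite3
from typing import List, Tuple

ALL_ROWS_PAYLOAD = "' OR '1'='1"      # turns WHERE user_id = '...' into a tautology
LOGIN_BYPASS_PAYLOAD = "alice' --"     # comments out the password check that follows


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table. Passwords are in clear text only to keep
    the injection demonstration small; a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "hunter2"),
        ("bob", "bob@example.com", "swordfish"),
        ("carol", "carol@example.com", "letmein"),
    ])
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    # DELIBERATELY VULNERABLE: unchecked input concatenated into the statement,
    # so quotes in the input become SQL syntax (confidentiality: every row leaks).
    sql = "SELECT user_id, email FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def find_email_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    # Parameterized: the driver binds the value as data; a quote inside it is
    # just a character to match, never part of the query structure.
    return conn.execute("SELECT user_id, email FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    # DELIBERATELY VULNERABLE: the same flaw applied to authentication lets
    # 'alice' -- turn the rest of the WHERE clause into a comment.
    sql = ("SELECT 1 FROM users WHERE user_id = '" + user_id +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    sql = "SELECT 1 FROM users WHERE user_id = ? AND password = ?"
    return conn.execute(sql, (user_id, password)).fetchone() is not None
```

Running both pairs against the same table shows the difference directly: the concatenated lookup returns all three rows for the tautology payload and the concatenated login succeeds without a password, while the parameterized versions return no rows and refuse the login because the payload is matched literally as a user ID.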