Skip to main content

Home/ SoftwareEngineering/ Group items tagged implementation

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
kuni katsuya

5. Exception Handling - Confluence - 0 views

www.graniteds.org/...5.+Exception+Handling

graniteds ExceptionHandling javaee6 Flex ActionScript actionscript3

shared by kuni katsuya on 13 Sep 12 - No Cached
  • Exception Handling
  • 5. Exception Handling
  • server exceptions
  • ...41 more annotations...
  • can be handled on the
  • client-side
  • by defining a
  • fault callback
  • each remote call
  • very tedious
  • possible to define common handlers for particular fault codes on the client-side, and exception converters on the server-side, to convert server exceptions to common fault codes
  • define an
  • ExceptionConverter
  • class
  • Converter
  • ExceptionConverter
  • accepts(Throwable t, Throwable finalException)
  • convert( Throwable t, String detail, Map<String, Object> extendedData)
  • t.getMessage(), detail, t
    • kuni katsuya
      kuni katsuya on 13 Sep 12
       
      * instead of *wrapping* the server-side exception and rethrowing it to the client, ** extract only details relevant to the client (eg. include: human-friendly error message and any helpful parametrized data, exclude: stack traces), ** "wrap" it in a generic ServiceException, which gets "thrown" remotely to the client * client can check ServiceException.getCode() to implement behavior tailored to server-side exception 'type'
  • ENTITY_NOT_FOUND
    • kuni katsuya
      kuni katsuya on 13 Sep 12
       
      ENTITY_NOT_FOUND - 'fault code' understood by client
  • This class will
  • intercept
  • all EntityNotFound exceptions on the server-side, and convert it to a proper ENTITY_NOT_FOUND fault event.
  • exception converter has to be
  • declared on the GDS server config :
  • scan="true" in granite-config.xml
  • META-INF/granite-config.properties
  • in the jar containing the exception converter class
  • granite-config.xml
  • <exception-converters> <exception-converter type="com.package.SomeExceptionConverter"/> </exception-converters>
  • Flex side
  • Handler
  • Handler
  • IExceptionHandler
    • kuni katsuya
      kuni katsuya on 13 Sep 12
       
      **I**ExceptionHandler??? really?  ;)
  • accepts(emsg:ErrorMessage)
  • handle(context:BaseContext, emsg:ErrorMessage)
  • register it as an exception handler for the
  • Tide context
  • in a static initializer block to be sure it is
  • registered before anything else happens.
  • addExceptionHandler(EntityNotFoundExceptionHandler);
  • ExceptionConverter
  • 5. Exception Handling
  • 5. Exception Handling
  • 5. Exception Handling
kuni katsuya

Remote call using class as parameter - Google Groups - 0 views

groups.google.com/forum

graniteds remoting DTO ValueObject Method parameter wrapper Java ActionScript3 Class

shared by kuni katsuya on 16 Sep 12 - No Cached
  • public class ClassHolderDTO<T> {    private Class<T> classToTransfer;// get/set boilerplate}
  • Resource
  • Class<Resource> entityClass
  • ...18 more annotations...
  • Class as parameter
  • serverside
  • Remote call using class as parameter
  • Does GraniteDS could manage date and TimeZone ?
  • Flash Player (GMT +X) -> IExternizable methods (GMT + X - X = GMT + 0) - > AMF over HTTP (GMT + 0) -> Granite AMF0Deserializer (GMT + 0) -> Granite Converter (GMT + 0 + Y = GMT + Y) -> Java Services (GMT + Y)Java Services (GMT + Y) -> Granite Converter (GMT + Y - Y = GMT + 0) -> Granite AMF0Deserializer (GMT + 0) -> AMF over HTTP (GMT + 0) -> IExternizable methods (GMT + 0 + X = GMT + X) -> Flash Player (GMT + X)
  • We use
  • GMT + 0
  • for AMF for convention
  • define a
  • fixed timezone
  • for your AMF that is over HTTP
  • GMT + X
  • : timezone for your flex client
  • GMT + Y
  • : timezone for your server
  • don't want to modify the default templates
  • override the readExternal / writeExternal methods and do the conversion here.
  • The patch is to use a custom template for generating your as files with a conversion to GMT 0 in the implementations of IExternalizable methods.On the server-side you add a Converter to convert dates GMT 0 to dates GMT + Y.
    • kuni katsuya
      kuni katsuya on 16 Sep 12
       
      see better suggestion below (ie. override instead of replace)
kuni katsuya

Mapping JPA Entities To SQL Views - It Works Even With Derby : Adam Bien's Weblog - 0 views

www.adam-bien.com/...mapping_jpa_entities_on_view

jpa views entity

shared by kuni katsuya on 24 Jul 12 - Cached
  • Mapping JPA Entities To SQL View
  • return a different “view” to the client
  • Especially in the context of pagination, where the data is mostly retrieved for read-only purposes, database views are the easier and more efficient alternative. Instead of implementing a lot of plumbing on the “Java-side” all the work could be easily done in the database
  • ...1 more annotation...
  • There is a drawback: not all views are updatable. Whether a view is updatable or not highly depends on the complexity and particular database
kuni katsuya

12 Tips On JPA Domain Modelling - With Existing Database - Thinking In Structs Not Obje... - 0 views

www.adam-bien.com/...11_tips_on_jpa_domain

jpa best practices DomainModeling

shared by kuni katsuya on 24 Jul 12 - No Cached
  • think in structs. Try to as frictionless as possible export/generate the JPA-entities from the existing database
  • Implement a very thin facade / transaction boundary
  • @Stateless Bean (EJB 3)
  • ...10 more annotations...
  • If the JPA entities still do not look right, try to apply some JPA tricks like mapping a JPA-entity to several tables, or even map JPA-entities to DB-views, to improve the situation
  • Rename the classes into some more meaningful. The attribute, class names are in general everything but not fluent
  • Junit. Purpose: JPA mapping verification
  • Thinking In Structs Not Objects
  • 12 Tips On JPA Domain Modelling
  • - With Existing Database -
    • kuni katsuya
      kuni katsuya on 12 Oct 12
       
      strategy when constrained by baggage of *legacy database* schema, NOT for a green fields project!
  • Execute the "Unit" tests after every change
  • even better get rid of them
  • domain objects are
  • semi-objectoriented
kuni katsuya

Improve your life Through Science and Art: JEE6: Interfaces on Demand with EE6 (CDI & e... - 0 views

tamanmohamed.blogspot.ca/...demand-with-ee6-cdi-ejb31.html

javaee6 CDI ejb3.1 interfaces

shared by kuni katsuya on 30 Jul 12 - No Cached
  • JEE6: Interfaces on Demand with EE6 (CDI & ejb3.1)
  • JEE6: Interfaces on Demand with EE6 (CDI & ejb3.1)
  • Since Java Platform, Enterprise Edition 6 (Java EE 6),
  • ...9 more annotations...
  • interfaces are no longer required
  • by the container in order to realize common use cases
  • An interface becomes a vehicle for encapsulation or abstraction,
  • as it was originally intended to be:
  • “Interfaces are used to encode similarities which the classes of various types share, but do not necessarily constitute a class relationship. For instance, a human and a parrot can both whistle; however, it would not make sense to represent Humans and Parrots as subclasses of a Whistler class. Rather they would most likely be subclasses of an Animal class (likely with intermediate classes), but both would implement the Whistler interface.” [http://en.wikipedia.org/wiki/Java_interface]
  • Extensive use of interfaces derives from a
  • belief that they might be helpful in the future
  • Premature Extensibility Is the Root of Some Evil
  • The number of artifacts will double and you will have to introduce a configuration facility
kuni katsuya

MySQL :: MySQL 5.1 Reference Manual :: 21.3.5.1 Driver/Datasource Class Names, URL Synt... - 0 views

dev.mysql.com/...-configuration-properties.html

mysql jdbc configuration

shared by kuni katsuya on 17 Jul 12 - Cached
  • The name of the class that implements java.sql.Driver in MySQL Connector/J is com.mysql.jdbc.Driver
  • JDBC URL Format The JDBC URL format for MySQL Connector/J is as follows, with items in square brackets ([, ]) being optional: jdbc:mysql://[host][,failoverhost...][:port]/[database] » [?propertyName1][=propertyValue1][&propertyName2][=propertyValue2]... If the host name is not specified, it defaults to 127.0.0.1. If the port is not specified, it defaults to 3306, the default port number for MySQL servers. jdbc:mysql://[host:port],[host:port].../[database] » [?propertyName1][=propertyValue1][&propertyName2][=propertyValue2]... Here is a sample connection URL: jdbc:mysql://localhost:3306/sakila?profileSQL=true
  • Initial Database for Connection If the database is not specified, the connection is made with no default database
  • ...2 more annotations...
  • fully specify table names using the database name (that is, SELECT dbname.tablename.colname FROM dbname.tablename...) in your SQL
  • work with multiple databases
    • kuni katsuya
      kuni katsuya on 17 Jul 12
       
      including cross database joins
kuni katsuya

Spring Security - Features - 0 views

static.springsource.org/...features.html

Java security SpringSecurity

shared by kuni katsuya on 09 Aug 12 - Cached
  • Domain object instance security: In many applications it's desirable to define Access Control Lists (ACLs) for individual domain object instances. We provide a comprehensive ACL package with features including integer bit masking, permission inheritance (including blocking), an optimized JDBC-backed ACL repository, caching and a pluggable, interface-driven design.
  • OpenID Support: the web's emerging single sign-on standard (supported by Google, IBM, Sun, Yahoo and others) is also supported in Spring Security
  • Easy integration with existing databases: Our implementations have been designed to make it easy to use your existing authentication schema and data (without modification). Of course, you can also provide your own Data Access Object if you wish. Password encoding: Of course, passwords in your authentication repository need not be in plain text. We support both SHA and MD5 encoding, and also pluggable "salt" providers to maximise password security.
  • ...5 more annotations...
  • Caching: Spring Security optionally integrates with Spring's Ehcache factory. This flexibility means your database (or other authentication repository) is not repeatedly queried for authentication information when using Spring Security with stateless applications.
  • Run-as replacement: The system fully supports temporarily replacing the authenticated principal for the duration of the web request or bean invocation. This enables you to build public-facing object tiers with different security configurations than your backend objects.
  • Tag library support: Your JSP files can use our taglib to ensure that protected content like links and messages are only displayed to users holding the appropriate granted authorities. The taglib also fully integrates with Spring Security's ACL services, and obtaining extra information about the logged-in principal.
  • User Provisioning APIs: Support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration.
  • Enterprise-wide single sign on using CAS 3: Spring Security integrates with JA-SIG's open source Central Authentication Service (CAS)
kuni katsuya

Chapter 17. Configuration Reference - 0 views

www.graniteds.org/...graniteds.configuration.html

graniteds configuration reference

shared by kuni katsuya on 09 Aug 12 - No Cached
  • <security>
  • custom security service that should implement org.granite.messaging.service.security.SecurityService
  • services-config.xml
  • ...1 more annotation...
  • contains all the remoting and messaging configuration of the application. There are three main sections: channels, factories and services.
kuni katsuya

This is Stuff: Apache Shiro Part 2 - Realms, Database and PGP Certificates - 0 views

meri-stuff.blogspot.ca/...art-2-realms-database-and.html

security ApacheShiro Realm database

shared by kuni katsuya on 09 Aug 12 - No Cached
  • Apache Shiro Part 2 - Realms, Database and PGP Certificates
  • move user account data to database
  • give users an option to authenticate themselves via PGP certificates
  • ...9 more annotations...
  • log in options: log in with user name/password and log in with certificate
  • how to create custom realm and how to handle multi-realm scenario
  • account credentials and access rights are stored in database. Stored passwords are hashed and salted.
  • Authorization
  • If the realm wishes to do also authorization, it has to implement Authorizer interface. Each Authorizer method takes principal as parameter and checks either role(s) or permission(s)
  • Permissions are supplied either as strings or as permission objects
  • use WildcardPermissionResolver to convert strings into permission objects
  • connect application to database and create tables to store all user account data
  • replace IniRealm with realm able to read from database and salt passwords.
kuni katsuya

ICW Developer Network - 0 views

idn.icw-global.com/...saf.html

security frameworks comparison Seam SAF SpringSecurity

shared by kuni katsuya on 08 Aug 12 - No Cached
  • ComparisonThis section provides a brief comparison of SAFs functionality with that of the Acegi Security Framework [11] and JBoss Seam Security [12]
  • Acegi’s Policy Decision functionality is not based on Java security standards but on a proprietary solution
  • ACL defines per domain object who has access permissions
  • ...5 more annotations...
  • Both Acegi as well as SAF use AspectJ and Spring AOP for Policy Enforcement
  • JBoss Seam follows a different process when implementing Policy Decision functionality and sets access rules with the help of JBoss Rules [13] the JBoss rules engine
  • access decision to the domain objects in an application can be based on any number of complex rules
  • @Restrict annotations
  • 07.2007
kuni katsuya

Security Module Drafts - Apache DeltaSpike - Apache Software Foundation - 0 views

cwiki.apache.org/...Security+Module+Drafts

ApacheDeltaSpike

shared by kuni katsuya on 16 Aug 12 - No Cached
  • Authorization
  • Impersonalization
    • kuni katsuya
      kuni katsuya on 16 Aug 12
       
      impersonation
  • authenticates “as a user” or access application imitating his identity - without knowing his password
  • ...36 more annotations...
  • elements of the user interface are displayed to the user based on the user's privilege level
  • assign permissions to individual objects within the application’s business domain
    • kuni katsuya
      kuni katsuya on 16 Aug 12
       
      individual objects == instances
  • Permissions
  • Permissions assigned to user for a given resource in the tree are inherited by other resources
  • Permissions are inherited
  • persist user, group and role information in database. JPA implementation is his dream
  • Security Module Drafts
  • Identity
  • interface Identity
  • login()
  • logout()
  • getUser()
  • Events LoggedInEvent LoginFailedEvent AlreadyLoggedInEvent PreLoggedOutEvent PostLoggedOutEvent PreAuthenticateEvent PostAuthenticateEvent
  • Object level permission
  • Grant or revoke permissions
  • Group management
  • User/Identity management
  • identity.hasRole
  • identity.hasPermission
  • Permissions model
  • Identity Management (IDM)
  • User, Group and Role
  • Events
  • hooks for common IDM or Security operations
  • Audit and logging for permission and IDM related changes
  • Event API.
  • Impersonalization
  • Impersonalization
  • control which elements of the user interface are displayed to the user based on their assigned permissions
  • ask for permission
  • without need to obtain object from DB
  • String resourceId
  • structure of resources
  • more advanced security resolution mechanisms
  • Rules based engine
  • external services - XACML
kuni katsuya

GraniteDS - deserialize ActionScript object to a Java Map object - Ross Henderson - 0 views

blog.rosshenderson.info/...pt-object-to-a-java-map-object

graniteds deserialization serialization actionscript

shared by kuni katsuya on 06 Jun 12 - No Cached
  • GraniteDS – deserialize ActionScript object to a Java Map object
  • key of type String and a value of type List
  • HOWEVER, the value has to be an ArrayCollection, not an Array.
  • ...2 more annotations...
  • Dictionary object is very similar to Java’s Map object.
  • Granite claims to implement the same serialization/deserialization matrix as BlazeDS (with two small exceptions).
kuni katsuya

In Relation To...  Bean Validation for Flex developers - 0 views

in.relation.to/...eanValidationForFlexDevelopers

graniteds flex actionscript3 as3 bean validation

shared by kuni katsuya on 06 Jun 12 - No Cached
  • Bean Validation for Flex developers
  • GraniteDS have added support for Bean Validation into their project and hence Bean Validation is usable by all Flex users
  • Because they do not run on the JVM, they basically have reimplemented the full specification in Flex: you can annotate your ActionScript3 objects with constraints: it supports all the standard constraints and you can write your own constraints you can execute the validation logic and retrieve the error report you can make use of most of the feature including advanced ones like groups, group sequence etc
  • ...3 more annotations...
  • for GraniteDS users keeping their Java domain model and ActionScript3 domain model in sync via Gas3, the constraints are kept in sync
  • a couple of gotchas to be aware of
  • the constraint implementation is in the same class as the constraint declaration (not a problem in a dynamic language) @Pattern has a sightly different semantic because the regexp engine in Flex is a bit different. instead of the features provided by ConstraintValidatorContext, you can define a properties attribute in your constraints to make it belong to several sub-properties. not as flexible but good enough in many cases.
kuni katsuya

8. Bean Validation (JSR-303) - Confluence - 0 views

www.graniteds.org/...+Bean+Validation+%28JSR-303%29

graniteds bean validation

shared by kuni katsuya on 06 Jun 12 - No Cached
  • "Bean Validation" specification (aka JSR-303) standardizes an annotation-based validation framework for Java
  • Flex doesn't provide by itself such framework. The standard way of processing validation is to use Validator subclasses and to bind each validator to each user input (see Validating data). This method is at least time consuming for the developer, source of inconsistancies between the client-side and the server-side validation processes, and source of redundancies in your MXML code.
  • GraniteDS introduces an ActionsScript3 implementation of the Bean Validation specification and provides code generation tools integration so that your Java constraint annotations are reproduced in your AS3 beans
  • ...16 more annotations...
  • GraniteDS validation framework provides a set of standard constraints
  • Constraint Description AssertFalse The annotated element must be false AssertTrue The annotated element must be true DecimalMax The annotated element must be a number whose value must be lower or equal to the specified maximum DecimalMin The annotated element must be a number whose value must be greater or equal to the specified minimum Digits The annotated element must be a number whithin accepted range Future The annotated element must be a date in the future Max The annotated element must be a number whose value must be lower or equal to the specified maximum Min The annotated element must be a number whose value must be greater or equal to the specified minimum NotNull The annotated element must not be null Null The annotated element must be null Past The annotated element must be a date in the past Pattern The annotated String must match the supplied regular expression Size The annotated element size must be between the specified boundaries (included)
  • Constraint annotations must be placed on public properties, either public variables or public accessors
  • -keep-as3-metadata+=AssertFalse,AssertTrue,DecimalMax,DecimalMin, Digits,Future,Max,Min,NotNull,Null,Past,Pattern,Size
  • must use
  • keep the constraint annotations in your compiled code
  • Error Messages and Localization
  • {name.notnull}
  • {name.minsize}
  • use the built-in ResourceBundle support offered by Flex:
  • to add support for different locales
  • follow the same principle:
  • create a ValidationMessages.properties for the new locale
  • translate all default error messages and add new ones for your customized message keys
  • Note that the bundle name must always be set to "ValidationMessages".
  • Using the FormValidator Class
kuni katsuya

ListCollectionView/ArrayCollection tip for using GraniteDS - Ross Henderson - 0 views

blog.rosshenderson.info/...ection-tip-for-using-graniteds

graniteds tip ListCollectionView ArrayCollection

shared by kuni katsuya on 06 Jun 12 - No Cached
  • The reason why GraniteDS generates properties of type ListCollectionView is simple : it internally uses collections implementations that extend ListCollectionView and not ArrayCollection. But as you have described when you manually assign collections, you should use ArrayCollection. It’s exactly the same as in Java when you do List list = new ArrayList().
  • ListCollectionView/ArrayCollection tip for using GraniteDS
  • new ListCollectionView();
  • ...4 more annotations...
  • instead of this:
  • do this:
  • new ArrayCollection();
  • I’m not really sure what the deal is
    • kuni katsuya
      kuni katsuya on 01 Nov 12
       
      see comment from william (wdrai) below (graniteds guy)
kuni katsuya

Article Series: Migrating Spring Applications to Java EE 6 - Part 1 | How to JBoss - 1 views

howtojboss.com/...plications-to-java-ee-6-part-1

spring javaee6 migration

shared by kuni katsuya on 06 Jun 12 - No Cached
  • In fact people still love those books without realizing that the world has changed dramatically ever since
  • The reality check here is to wonder whether the rhetorics set forth by Rod Johnson in his 2003/2004 books are still actual today
  • So if you still care about those books, the best way to show your appreciation is probably to use them as your monitor stand
  • ...21 more annotations...
  • The discussion whether or not to use Spring vs. Java EE for new enterprise Java applications is a no-brainer
  • Why migrate?
  • since then fallen a prey to the hungry minds of Venture Capitalists and finally into the hands of a virtualization company called VMware
  • While the different companies and individuals behind the Spring framework have been doing some work in the JCP their voting behavior on important JSRs is peculiar to say the least
  • outdated ORM solution like JDBC templates
  • some developers completely stopped looking at new developments in the Java EE space and might have lost track of the current state of technology
  • size of the deployment archive
  • fairly standard Java EE 6 application will take up about 100 kilobytes
  • comparable Spring application weighs in at a whopping 30 Megabytes!
  • Lightweight
  • Firing up the latest JBoss AS 7 Application Server from scratch and deploying a full blown Java EE 6 application into the server takes somewhere between two and five seconds on a standard machine. This is in the same league as a Tomcat / Spring combo
  • Dependency injection
  • Java EE 6, the Context and Dependency Injection (CDI) specification was introduced to the Java platform, which has a very powerful contextual DI model adding extensibility of injectable enterprise services
  • Aspect Oriented Programming
  • “AOP Light” and this is exactly what Java EE Interceptors do
  • common pitfall when taking AOP too far is that your code might end up all asymmetric and unreadable. This is due to the fact that the aspect and its implementation are not in the same place. Determining what a piece of code will do at runtime at a glance will be really hard
  • Testing
  • With Arquillian we can get rid of mocking frameworks and test Java EE components in their natural environment
  • Tooling
  • capabilities comparison matrix below to map Spring’s technology to that of Java EE
  • Capability Spring JavaEE Dependency Injection Spring Container CDI Transactions AOP / annotations EJB Web framework Spring Web MVC JSF AOP AspectJ (limited to Spring beans) Interceptors Messaging JMS JMS / CDI Data Access JDBC templates / other ORM / JPA JPA RESTful Web Services Spring Web MVC (3.0) JAX-RS Integration testing Spring Test framework Arquillian *
kuni katsuya

JBoss Web - Documentation Index - 0 views

docs.jboss.org/7.0.x

jbossweb jbossas7

shared by kuni katsuya on 22 Jun 12 - No Cached
  • top-level entry point of the documentation bundle for the JBoss Web Servlet/JSP container
  • JBoss Web implements the Servlet 3.0 and JavaServer Pages 2.2 specifications
  • JBoss Web 7.0.x is a subsystem of AS7, there isn't yet standalone version of it
kuni katsuya

java - Getting confused with Apache Shiro and Custom Authorizing Realms - Stack Overflow - 0 views

stackoverflow.com/...-and-custom-authorizing-realms

security ApacheShiro realm RealmSecurityManager SecurityManager authorization AuthorizationInfo

shared by kuni katsuya on 22 Sep 12 - No Cached
  • getRealms()
  • RealmSecurityManager
  • authorization is effectively disabled due to the default doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) implementation returning null
kuni katsuya

Session Management Cheat Sheet - OWASP - 0 views

www.owasp.org/...Session_Management_Cheat_Sheet

OWASP BestPractices CheatSheet SessionManagement

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Session Management Cheat Sheet
  • should not be extremely descriptive nor offer unnecessary details
  • change the default session ID name of the web development framework to a generic name
  • ...50 more annotations...
  • length must be at least 128 bits (16 bytes)
  • Session ID Length
  • Session ID Name Fingerprinting
  • Session ID Properties
  • Session ID Entropy
  • must be unpredictable (random enough) to prevent guessing attacks
  • good PRNG (Pseudo Random Number Generator) must be used
  • must provide at least 64 bits of entropy
  • Session ID Content (or Value)
  • content (or value) must be meaningless
  • identifier on the client side
  • meaning and business or application logic associated to the session ID must be stored on the server side
  • session objects or in a session management database or repository
  • create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).
  • Session Management Implementation
  • defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID
  • token expiration date and time
  • This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods
  • Transport Layer Security
  • use an encrypted HTTPS (SSL/TLS) connection for the entire web session
  • not only for the authentication
  • process where the user credentials are exchanged.
  • “Secure” cookie attribute
  • must be used to ensure the session ID is only exchanged through an encrypted channel
  • never switch a given session from HTTP to HTTPS, or viceversa
  • should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)
  • should not offer public unencrypted contents and private encrypted contents from the same host
  • www.example.com over HTTP (unencrypted) for the public contents
  • secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)
  • only has port TCP/80 open
  • only has port TCP/443 open
  • “HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.
  • Secure Attribute
  • instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection
  • HttpOnly Attribute
  • instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object
  • Domain and Path Attributes
  • instructs web browsers to only send the cookie to the specified domain and all subdomains
  • “Domain” cookie attribute
  • “Path” cookie attribute
  • instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application
  • vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com
  • Expire and Max-Age Attributes
  • “Max-Age”
  • “Expires” attributes
  • it will be considered a
  • persistent cookie
  • and will be stored on disk by the web browser based until the expiration time
  • use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.
  • Session ID Life Cycle
« First ‹ Previous 81 - 100 of 102 Next ›
Showing 20 items per page