asks the user for multiple pieces of hard data that should have been previously collected; send the password reset information to some out-of-band side channel, such as a (possibly different) email address or an SMS text number, etc., to be used in Step 3.
Step 2) Verify Security Questions
The application verifies that each piece of data is correct for the given username. If anything is incorrect, or if the username is not recognized, the second page displays a generic error message such as "Sorry, invalid data". If all submitted data is correct, Step 2 should display at least two of the user's pre-established personal security questions, along with input fields for the answers.
Avoid sending the username as a parameter
Do not provide a drop-down list
server-side session
user's email account may have already been compromised
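The Step 1 and Step 2 checks described above, as an added example that is not part of the original notes: unknown usernames and wrong data both produce the same generic message, the reset state lives in a server-side session keyed by an opaque id rather than the username, and the token sent in Step 3 goes to the pre-registered side channel. The account record, question set and side-channel address are constructed for this example.

```python
import hmac
import secrets
from hashlib import sha256

# Constructed sample account for this example; real data comes from the account store.
USERS = {
    "alice": {
        "hard_data": {"dob": "1990-04-02", "postcode": "SW1A 1AA"},
        "questions": {"First pet?": "rex", "First school?": "hillside", "First car?": "mini"},
        "side_channel": "alice.recovery@example.com",  # pre-registered, never supplied at reset time
    }
}
GENERIC_ERROR = "Sorry, invalid data"
# Server-side reset state keyed by an opaque id, so the username is never a request parameter.
SESSIONS = {}


def _match(expected, supplied):
    """Constant-time comparison of normalised answers."""
    return hmac.compare_digest(expected.strip().lower(), supplied.strip().lower())


def step1_verify_hard_data(username, hard_data):
    """Step 1: every hard-data field must match; unknown user and wrong data give the same message."""
    user = USERS.get(username)
    ok = False
    if user is not None and set(hard_data) == set(user["hard_data"]):
        ok = all(_match(user["hard_data"][k], v) for k, v in hard_data.items())
    if not ok:
        return None, GENERIC_ERROR
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"username": username, "asked": None, "token_hash": None}
    return sid, None


def step2_pick_questions(sid, count=2):
    """Step 2: show at least two pre-established questions; the answers stay server-side."""
    sess = SESSIONS[sid]
    pool = list(USERS[sess["username"]]["questions"])
    sess["asked"] = [pool.pop(secrets.randbelow(len(pool))) for _ in range(count)]
    return list(sess["asked"])


def step2_verify_answers(sid, answers):
    """All asked questions must be answered correctly, or the reset session is discarded."""
    sess = SESSIONS[sid]
    expected = USERS[sess["username"]]["questions"]
    if not all(_match(expected[q], answers.get(q, "")) for q in sess["asked"]):
        SESSIONS.pop(sid, None)
        return None, GENERIC_ERROR
    token = secrets.token_urlsafe(32)
    sess["token_hash"] = sha256(token.encode()).hexdigest()  # keep only a hash of the token
    # Step 3 delivers the token via the pre-registered side channel; returned here for the example.
    return (USERS[sess["username"]]["side_channel"], token), None
```

No drop-down of questions is ever offered: the questions shown come from the server-side session, and the session is discarded as soon as one answer set fails.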
if your application uses Hibernate 3 classes that are not available in Hibernate 4, for example, some of the validator or search classes, you may see ClassNotFoundExceptions when you deploy your application. If you encounter this problem, you can try one of two approaches:
You may be able to resolve the issue by copying the specific Hibernate 3 JARs containing those classes into the application "/lib" directory or by adding them to the classpath using some other method. In some cases this may result in ClassCastExceptions or other class loading issues due to the mixed use of the Hibernate versions, so you will need to use the second approach.
You need to tell the server to use only the Hibernate 3 libraries and you will need to add exclusions for the Hibernate 4 libraries. Details on how to do this are described here: JPA Reference Guide.
In previous versions of the application server, the JCA data source configuration was defined in a file with a suffix of *-ds.xml. This file was then deployed in the server's deploy directory. The JDBC driver was copied to the server lib/ directory or packaged in the application's WEB-INF/lib/ directory.
In AS7, this has all changed. You will no longer package the JDBC driver with the application or in the server/lib directory. The *-ds.xml file is now obsolete and the datasource configuration information is now defined in the standalone/configuration/standalone.xml or in the domain/configuration/domain.xml file.
A JDBC 4-compliant driver can be installed as a deployment or as a core module. A driver that is JDBC 4-compliant contains a META-INF/services/java.sql.Driver file that specifies the driver class name. A driver that is not JDBC 4-compliant requires additional steps, as noted below.
DataSource Configuration
In domain mode, the configuration file is domain/configuration/domain.xml; in standalone mode, you configure the datasource in standalone/configuration/standalone.xml.
Example of the driver element for a driver that is not JDBC 4-compliant: the driver-class must be specified, since there is no META-INF/services/java.sql.Driver file that specifies the driver class name.
If your application's authentication process is username/password based
(like most), instead of implementing this interface yourself, take a look at the
UsernamePasswordToken class, as it is probably sufficient for your needs.
Domain object instance security: In many applications
it's desirable to define Access Control Lists (ACLs) for individual
domain object instances. We provide a comprehensive ACL package with
features including integer bit masking, permission inheritance
(including blocking), an optimized JDBC-backed ACL repository, caching
and a pluggable, interface-driven design.
OpenID Support: the web's emerging single sign-on standard
(supported by Google, IBM, Sun, Yahoo and others) is also supported in Spring
Security
Easy integration with existing databases: Our implementations
have been designed to make it easy to use your existing authentication schema
and data (without modification). Of course, you can also provide your own Data
Access Object if you wish.
Password encoding: Of course, passwords in your authentication
repository need not be in plain text. We support both SHA and MD5 encoding, and
also pluggable "salt" providers to maximise password security.
Caching: Spring Security optionally integrates with Spring's Ehcache factory. This flexibility
means your database (or other authentication repository) is not repeatedly queried
for authentication information when using Spring Security with stateless
applications.
Run-as replacement: The system fully supports temporarily
replacing the authenticated principal for the duration of the web request or
bean invocation. This enables you to build public-facing object tiers with
different security configurations than your backend objects.
Tag library support: Your JSP files can use our taglib to ensure
that protected content like links and messages are only displayed to users
holding the appropriate granted authorities. The taglib also fully integrates
with Spring Security's ACL services, and obtaining extra information about the
logged-in principal.
User Provisioning APIs: Support for groups, hierarchical roles
and a user management API, which all combine to reduce development time and
significantly improve system administration.
Enterprise-wide single sign on using CAS 3: Spring Security
integrates with JA-SIG's open source Central Authentication
Service (CAS)
log in options: log in with user name/password and log in with certificate
how to create custom realm and how to handle multi-realm scenario
account credentials and access rights are stored in database. Stored passwords are hashed and salted.
Authorization
If the realm is also to perform authorization, it has to implement the Authorizer interface. Each Authorizer method takes a principal as a parameter and checks either role(s) or permission(s).
Permissions are supplied either as strings or as permission objects; use WildcardPermissionResolver to convert strings into permission objects.
connect application to database and create tables to store all user account data
replace IniRealm with a realm able to read from the database and salt passwords.
but don’t know how those dependencies are instantiated
And you shouldn't really care; all that matters is that UserService depends on the dao and webservice objects.
BDD-template (given-when-then) tests are easy to read
@Entity
public class User
calling new User("someName", "somePassword", "someOtherName", "someOtherPassword") becomes hard to read and maintain
code duplication
Maintaining this code would turn into a nightmare in no time
Running the code above will cause the JPA provider to throw an exception, since the non-nullable password field was never set.
Joshua Bloch gives a fine example of the builder pattern.
Instead of making the desired object directly, the client calls a constructor (or static factory) with all of the required parameters and gets a builder object. Then the client calls setter-like methods on the builder object to set each optional parameter of interest. Finally, the client calls a parameterless build method to generate the object, which is immutable. The builder is a static member class of the class it builds.
public class Coffee {
    private final CoffeeType type;   // required parameter
    private final int cupSize;       // required parameter
    private final boolean milk;      // optional parameter, defaults to false
    public static class Builder {
        private final CoffeeType type;
        private final int cupSize;
        private boolean milk;
        public Builder(CoffeeType type, int cupSize) { this.type = type; this.cupSize = cupSize; }
        public Builder withMilk() { this.milk = true; return this; }   // setter-like, returns the builder for chaining
        public Coffee build() { return new Coffee(this); }             // parameterless build() yields the immutable object
    }
    private Coffee(Builder builder) { type = builder.type; cupSize = builder.cupSize; milk = builder.milk; }
}
// Client code: required parameters go to the Builder constructor, optional ones via chained calls.
Coffee coffee = new Coffee.Builder(CoffeeType.Expresso, 3).withMilk().build();
especially if most of those parameters are optional.
For all entity attributes I create private fields
those that are obligatory become parameters for the public constructor
parameter-less constructor, I create one, but I give him
always have to include this library in either
WEB-INF/lib
support for CDI is included in the library granite-cdi.jar
10.1. Configuration with Servlet 3
On Servlet 3 compliant containers, GraniteDS can use the new APIs to automatically register its own servlets and filters and thus does not need any
particular configuration in web.xml. This automatic setup is triggered when GraniteDS finds a class annotated with
@FlexFilter in one of the application archives:
The @FlexFilter declaration will set up an AMF processor for the specified URL pattern
tideAnnotations
defines suitable default values
@TideEnabled
@RemoteDestination
always declared by default
tideInterfaces
tideRoles
exceptionConverters
amf3MessageInterceptor
10.3.2. Typesafe Remoting with Dependency Injection
It is possible to benefit from even more type safety by using the annotation [Inject] instead of In.
When using this annotation, the full class name is used to find the target bean in the CDI context instead of the bean name.
Security
integration between the client RemoteObject
credentials and the server-side container security
client-side component named
identity
API to define runtime authorization checks on the Flex UI
Subversion Tagging Plugin
— This plugin automatically performs Subversion tagging (technically speaking, svn copy) on a successful build.
ViewVC Plugin
— This plugin integrates ViewVC browser interface for CVS and Subversion with Hudson.
Source code management
Build Pipeline Plugin
— This plugin creates a pipeline of Hudson/Jenkins jobs and gives a view so that you can visualise it.
Build tools
JBoss Management Plugin
— This plugin allows you to manage a JBoss Application Server during the build procedure.
Maven 2 Project Plugin
— Jenkins' Maven 2 project type
Phing Plugin
— This plugin allows you to use Phing to build PHP projects.
Post build task
— This plugin allows the user to execute a shell/batch task depending on the build log output. Java regular expressions are allowed.
Promoted Builds Plugin
— This plugin allows you to distinguish good builds from bad builds by introducing the notion of 'promotion'.
Publish Over SSH Plugin
— Publish files and/or execute commands over SSH (SCP using SFTP)
Selenium AES Plugin
— This plugin is for continuous regression test by Selenium Auto Exec Server (AES).
Vagrant Plugin
— This plugin allows booting of Vagrant virtual machines, provisioning them and also executing scripts inside of them
Unicorn Validation Plugin
— This plugin uses W3C's Unified Validator, which helps improve the quality of Web pages by performing a variety of checks.
Build wrappers
Android Emulator Plugin
— Lets you automatically generate, launch and interact with an Android emulator during a build, with the emulator logs being captured as artifacts.
Artifactory Plugin
— This plugin allows deploying Maven 2, Maven 3, Ivy and Gradle artifacts and build info to the Artifactory artifacts manager.
AWS Cloudformation Plugin
— A plugin that allows for the creation of cloud formation stacks before running the build and the deletion of them after the build is completed.
Build Keeper Plugin
— Select a policy for automatically marking builds as "keep forever" to enable long term analysis trending when discarding old builds - or use to protect logs and artifacts from certain builds
Build Name Setter Plugin
— This plugin sets the display name of a build to something other than #1, #2, #3, ...
SSH plugin
— You can use the SSH Plugin to run shell commands on a remote machine via ssh.
SeleniumRC Plugin
— This plugin allows you to create Selenium server instance for each project build.
Timestamper
— Adds timestamps to the Console Output.
VirtualBox Plugin
— This plugin integrates Jenkins with VirtualBox (versions 3, 4.0 and 4.1) virtual machines.
Version Number Plugin
— This plugin creates a new version number and stores it in the environment variable whose name you specify in the configuration.
VMware plugin
— This plugin allows you to start a VMware Virtual Machine before a build and stop it again after the build completes.
Desktop Notifier for Jenkins
— This is useful for those who are looking for a Desktop Notifier for Jenkins builds to automatically notify you about failed builds directly from their desktops.
Email-ext plugin
— This plugin allows you to configure every aspect of email notifications. You can customize when an email is sent, who should receive it, and what the email says.
Google Calendar Plugin
— This plugin publishes build records over to Google Calendar
HTML5 Notifier Plugin
— Provides W3C Web Notifications support for builds.
Jabber Plugin
— Integrates Jenkins with the Jabber/XMPP instant messaging protocol. Note that you also need to install the instant-messaging plugin.
Build reports
Checkstyle Plugin
— This plugin generates the trend report for Checkstyle, an open source static code analysis program.
Clover PHP Plugin
— This plugin allows you to capture code coverage reports from PHPUnit. For more information on how to set up PHP projects with Jenkins have a look at the Template for Jenkins Jobs for PHP Projects.
Crap4J Plugin
— This plugin reads the "crappy methods" report from Crap4J. Hudson will generate the trend report of crap percentage and provide detailed information about changes.
Dependency Analyzer Plugin
— This plugin parses dependency:analyze goal from maven build logs and generates a dependency report
Dependency Graph View Plugin
— Shows a dependency graph of the projects using graphviz. Requires a graphviz installation on the server.
FindBugs Plugin
— This plugin generates the trend report for FindBugs, an open source program which uses static analysis to look for bugs in Java code.
Grinder Plugin
— This plugin reads output result files from Grinder performance tests, and will generate reports showing test results for every build and trend reports showing performance results across builds.
JSUnit plugin
— This plugin allows you to publish JSUnit test results.
Performance Plugin
— This plugin allows you to capture reports from JMeter and JUnit. Hudson will generate graphic charts with the trend report of performance and robustness.
PerfPublisher Plugin
— This plugin generates global and trend reports for test results analysis. Based on an open XML test results format, the plugin parses the generated files and publishes statistics, reports and analysis on the current health of the project.
PMD Plugin
— This plugin generates the trend report for PMD, an open source static code analysis program.
Sonar plugin
— Quickly benefit from Sonar, an open-source dashboard based on many analysis tools like Checkstyle, PMD and Cobertura.
testng-plugin
— This plugin allows you to publish TestNG results.
Violations
— This plug-in generates reports from static code violation detectors such as checkstyle, pmd, cpd, findbugs, codenarc, fxcop, stylecop and simian.
xUnit Plugin
— This plugin makes it possible to publish the test results of an execution of a testing tool in Jenkins.
Artifact uploaders
ArtifactDeployer Plugin
— This plugin makes it possible to copy artifacts to remote locations.
Confluence Publisher Plugin
— This plugin allows you to publish build artifacts as attachments to an Atlassian Confluence wiki page.
Deploy Plugin
— This plugin takes a war/ear file and deploys that to a running remote application server at the end of a build
FTP-Publisher Plugin
— This plugin can be used to upload project artifacts and whole directories to an ftp server.
HTML Publisher Plugin
Publish Over FTP Plugin
— Publish files over FTP
S3 Plugin
— Upload build artifacts to Amazon S3
SCP plugin
— This plugin uploads build artifacts to repository sites using SCP (SSH) protocol.
Hudson Helper for Android
— Monitor your CI builds right from your Android device.
Hudson Mobi, the iPhone, iPod and Android client for Hudson CI
— The iPhone, iPod and iPad client for Hudson CI monitoring on the road.
Hudson Monitor for Android
— Monitor and display the status of your builds on your Android™ phone.
External site/tool integrations
Jira Issue Updater Plugin
— This is a Jenkins plugin which updates issues in Atlassian Jira (by changing their status and adding a comment) as part of a Jenkins job.
JIRA Plugin
— This plugin integrates Atlassian JIRA to Jenkins.
ChuckNorris Plugin
— Displays a picture of Chuck Norris (instead of Jenkins the butler) and a random Chuck Norris 'The Programmer' fact on each build page.
UI plugins
Active Directory plugin
— With this plugin, you can configure Jenkins to authenticate the username and the password through Active Directory.
Audit Trail Plugin
— Keep a log of who performed particular Jenkins operations, such as configuring jobs.
JClouds Plugin
— This plugin uses JClouds to provide slave launching on most of the currently usable Cloud infrastructures.
M2 Release Plugin
— This plugin allows you to perform a release build using the maven-release-plugin from within Jenkins.
Meme Generator Plugin
— Generate Meme images when a build fails (and returns to stable), and post them on the project page.