Skip to main content

Home/ SoftwareEngineering/ Group items tagged security

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
kuni katsuya

AuthorizingRealm (Apache Shiro 1.2.1 API) - 0 views

shiro.apache.org/...AuthorizingRealm.html

security ApacheShiro authorization AuthorizingRealm realm

shared by kuni katsuya on 09 Sep 12 - No Cached
  • perform all role and permission checks automatically
  • getAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) method returns an AuthorizationInfo
  • subclasses do not have to write this logic
  • ...11 more annotations...
  • If caching is enabled and if any authorization data for an account is changed at runtime, such as adding or removing roles and/or permissions, the subclass implementation should clear the cached AuthorizationInfo for that account via the
  • clearCachedAuthorizationInfo method
  • getAuthorizationInfo
  • AuthorizingRealm
  • AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)
  • Returns an account's authorization-specific information for the specified principals, or null if no account could be found
  • This implementation obtains the actual AuthorizationInfo object
  • from the subclass's implementation of doGetAuthorizationInfo
  • and then caches it for efficient reuse if caching is enabled
  • clearCachedAuthorizationInfo(PrincipalCollection principals)
  • Clears out the AuthorizationInfo cache entry for the specified account.
kuni katsuya

Dependency Injection in Java EE 6 - Part 1 - 0 views

www.theserverside.com/...-Injection-in-Java-EE-6-Part-1

javaee6 DependencyInjection DI

shared by kuni katsuya on 13 Sep 12 - Cached
  • Dependency Injection in Java EE 6 - Part 1
  • high-level look at CDI, see how it fits with Java EE overall and discuss basic dependency management as well as scoping.
  • CDI is designed to solve
  • ...21 more annotations...
  • highly type-safe
  • consistent
  • portable
  • CDI enhances the Java EE programming model in two more important ways
  • allows you to use EJBs directly as JSF backing beans
  • CDI allows you to manage the scope, state, life-cycle and context for objects in a much more declarative fashion, rather than the programmatic way
  • CDI has no component model of its own
  • set of services that are consumed by Java EE components such as managed beans, Servlets and EJBs.
  • well-defined create/destroy life-cycle that you can get callbacks for via the @PostConstruct and @PreDestroy annotations.
  • Managed beans
  • @ManagedBean
  • annotation
  • CDI also integrates with JSF via EL bean name resolution
  • CDI does not directly support business component services such as transactions, security, remoting, messaging
  • Dependency Injection for Java
  • JSR 330
  • JSR 330 defines a minimalistic API for dependency injection solutions and is primarily geared towards non-Java EE environments.
  • Figure 1 shows how CDI fits with the major APIs in the Java EE platform.
  • none of this uses string names that can be mistyped and all the code is in Java and so is checked at compile time
  • Qualifiers
  • are additional pieces of meta-data that narrow down a particular class when more than one candidate for injection exists
kuni katsuya

Java EE 7 Roadmap (The Aquarium) - 0 views

blogs.oracle.com/...java_ee_7_roadmap

javaee javaee7 roadmap

shared by kuni katsuya on 14 Sep 12 - No Cached
  • Java EE 7 Roadmap
  • support for use in cloud environments
  • Web Sockets
  • ...19 more annotations...
  • JSON-P
  • we believe that providing solid support for standardized PaaS-based programming and multi-tenancy would delay the release of Java EE 7 until the spring of 2014
  • way too long
  • defer the remaining aspects of our agenda for PaaS enablement and multi-tenancy support to
  • Java EE 8
  • already laid some of the infrastructure for cloud support in Java EE 7
  • resource definition metadata
  • improved security configuration
  • JPA schema generation
  • Java EE 8 Platform release for the
  • spring of 2015
  • support for HTML 5 in the form of Web Sockets
  • JSON-P
  • simplified JMS 2.0 APIs
  • improved Managed Bean alignment, including
  • transactional interceptors
  • JAX-RS 2.0 client API
  • method-level validation
  • more comprehensive expression language
kuni katsuya

[#SHIRO-160] Flex integration with Shiro - ASF JIRA - 0 views

issues.apache.org/...SHIRO-160

Shiro Flex integration security

shared by kuni katsuya on 09 Aug 12 - No Cached
kuni katsuya

This is Stuff: Apache Shiro Part 2 - Realms, Database and PGP Certificates - 0 views

meri-stuff.blogspot.ca/...art-2-realms-database-and.html

security ApacheShiro Realm database

shared by kuni katsuya on 09 Aug 12 - No Cached
  • Apache Shiro Part 2 - Realms, Database and PGP Certificates
  • move user account data to database
  • give users an option to authenticate themselves via PGP certificates
  • ...9 more annotations...
  • log in options: log in with user name/password and log in with certificate
  • how to create custom realm and how to handle multi-realm scenario
  • account credentials and access rights are stored in database. Stored passwords are hashed and salted.
  • Authorization
  • If the realm wishes to do also authorization, it has to implement Authorizer interface. Each Authorizer method takes principal as parameter and checks either role(s) or permission(s)
  • Permissions are supplied either as strings or as permission objects
  • use WildcardPermissionResolver to convert strings into permission objects
  • connect application to database and create tables to store all user account data
  • replace IniRealm with realm able to read from database and salt passwords.
kuni katsuya

Apache Shiro JDBC Realm « Mehmet Celiksoy's Weblog - 0 views

blog.pinateknoloji.com/shiro-jdbc-realm

security ApacheShiro JdbcRealm

shared by kuni katsuya on 08 Aug 12 - No Cached
  • how you create a JDBC realm
  • Apache Shiro
  •  doGetAuthenticationInfo(AuthenticationToken token) 
  • ...1 more annotation...
  •  getRoleNamesForUser(Connection conn, String username) 
kuni katsuya

SQL Injection Prevention Cheat Sheet - OWASP - 0 views

www.owasp.org/...jection_Prevention_Cheat_Sheet

security SqlInjection prevention CheatSheet

shared by kuni katsuya on 09 Aug 12 - No Cached
  • SQL Injection Prevention Cheat Sheet
  • it is EXTREMELY simple to avoid SQL Injection vulnerabilities in your code.
  • create dynamic database queries that include user supplied input
  • ...19 more annotations...
  • a) stop writing dynamic queries
  • b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query
  • Primary Defenses:
  • Option #1: Use of Prepared Statements (Parameterized Queries)
  • Option #3: Escaping all User Supplied Input
  • Additional Defenses:
  • Enforce: Least Privilege
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      least privilege should be *required*, included as a primary defense
  • Perform: White List Input Validation
  • Primary Defenses
  • Defense Option 1: Prepared Statements (Parameterized Queries)
  • attacker is not able to
  • change the intent
  • of a query, even if SQL commands are inserted by an attacker
  • allows the database to
  • distinguish
  • between
  • data,
  • code a
  • Defense Option 3: Escaping All User Supplied Input
« First ‹ Previous 121 - 140 of 148 Next ›
Showing 20 items per page