Group items tagged

install the MevenIDE plugin

select all 7 plugins from the Maven category

Creating the Parent POM Project

create a parent pom project and then create ear, ejb and war child projects

create the EJB Project

make sure the Project Location is the root directory of the Parent POM Project

Maven recognise it as a sub-module

The WAR Project

The EAR Project

Deploying to GlassFish

There are a few ways of deploying applications to GlassFish

GlassFish command line utility to deploy to both local and remote servers is asadmin

Maven for the deployment

glassfish-v2/bin/asadmin

exec-maven-plugin

deploy

length must be at least 128 bits (16 bytes)

Session ID Length

Session ID Name Fingerprinting

Session ID Properties

Session ID Entropy

must be unpredictable (random enough) to prevent guessing attacks

good PRNG (Pseudo Random Number Generator) must be used

must provide at least 64 bits of entropy

Session ID Content (or Value)

content (or value) must be meaningless

identifier on the client side

meaning and business or application logic associated to the session ID must be stored on the server side

session objects or in a session management database or repository

create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).

Session Management Implementation

defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID

token expiration date and time

This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods

Transport Layer Security

use an encrypted HTTPS (SSL/TLS) connection for the entire web session

process where the user credentials are exchanged.

“Secure” cookie attribute

must be used to ensure the session ID is only exchanged through an encrypted channel

never switch a given session from HTTP to HTTPS, or viceversa

should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)

should not offer public unencrypted contents and private encrypted contents from the same host

www.example.com over HTTP (unencrypted) for the public contents

secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)

only has port TCP/80 open

only has port TCP/443 open

“HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.

Secure Attribute

instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection

HttpOnly Attribute

instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object

Domain and Path Attributes

instructs web browsers to only send the cookie to the specified domain and all subdomains

instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application

vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com

Expire and Max-Age Attributes

it will be considered a

and will be stored on disk by the web browser based until the expiration time

use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.

Session ID Life Cycle

Log date and time

Event date and time

Application identifier

Application address

User identity

Type of event

Severity of event

Description

Action

original intended purpose of the request

Object

affected component

Result status

Reason

Extended details

Data to exclude

Access tokens

Session identification values

Sensitive personal data

passwords

Database connection strings

Encryption keys

payment

Information a user has opted out of collection

Synchronize time across all servers and devices

Input validation failures

Which events to log

proportional to the information security risks

Always log:

Authentication successes and failures

Authorization failures

Session management failures

Application errors and system events

Application and related systems start-ups and shut-downs

Use of higher-risk functionality

asks the user for multiple pieces of hard data that should have been

send the password reset information to some

such as a (possibly different) email address or an SMS text number, etc. to be used in Step 3.

Step 2) Verify Security Questions

application verifies that each piece of data is correct for the given username

If anything is incorrect, or if the username is not recognized, the second page displays a generic error message such as “Sorry, invalid data”. If all submitted data is correct, Step 2 should display at least two of the user’s pre-established personal security questions, along with input fields for the answers.

Avoid sending the username as a parameter

Do not provide a drop-down list

server-side session

user's email account may have already been compromised

channels that encapsulate the connection behavior between the Flex client and the BlazeDS server

Channels

new entity has no id until it has been persisted to the database

take care that you have added the [Lazy] annotation to your Flex metadata compilation configuration