Skip to main content

Home/ SoftwareEngineering/ Group items tagged session

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
kuni katsuya

Session Management Cheat Sheet - OWASP - 0 views

www.owasp.org/...Session_Management_Cheat_Sheet

OWASP BestPractices CheatSheet SessionManagement

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Session Management Cheat Sheet
  • should not be extremely descriptive nor offer unnecessary details
  • change the default session ID name of the web development framework to a generic name
  • ...50 more annotations...
  • length must be at least 128 bits (16 bytes)
  • Session ID Length
  • Session ID Name Fingerprinting
  • Session ID Properties
  • Session ID Entropy
  • must be unpredictable (random enough) to prevent guessing attacks
  • good PRNG (Pseudo Random Number Generator) must be used
  • must provide at least 64 bits of entropy
  • Session ID Content (or Value)
  • content (or value) must be meaningless
  • identifier on the client side
  • meaning and business or application logic associated to the session ID must be stored on the server side
  • session objects or in a session management database or repository
  • create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).
  • Session Management Implementation
  • defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID
  • token expiration date and time
  • This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods
  • Transport Layer Security
  • use an encrypted HTTPS (SSL/TLS) connection for the entire web session
  • not only for the authentication
  • process where the user credentials are exchanged.
  • “Secure” cookie attribute
  • must be used to ensure the session ID is only exchanged through an encrypted channel
  • never switch a given session from HTTP to HTTPS, or viceversa
  • should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)
  • should not offer public unencrypted contents and private encrypted contents from the same host
  • www.example.com over HTTP (unencrypted) for the public contents
  • secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)
  • only has port TCP/80 open
  • only has port TCP/443 open
  • “HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.
  • Secure Attribute
  • instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection
  • HttpOnly Attribute
  • instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object
  • Domain and Path Attributes
  • instructs web browsers to only send the cookie to the specified domain and all subdomains
  • “Domain” cookie attribute
  • “Path” cookie attribute
  • instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application
  • vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com
  • Expire and Max-Age Attributes
  • “Max-Age”
  • “Expires” attributes
  • it will be considered a
  • persistent cookie
  • and will be stored on disk by the web browser based until the expiration time
  • use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.
  • Session ID Life Cycle
kuni katsuya

Session Management | Apache Shiro - 0 views

shiro.apache.org/session-management.html

java security authentication authorization ApacheShiro SessionManagement session

shared by kuni katsuya on 04 Oct 12 - No Cached
  • available in any application,
  • regardless of container.
  • even if you deploy your application in a Servlet or EJB container, there are still compelling reasons to use Shiro's Session support instead of the container's
  • ...40 more annotations...
  • Easy Custom Session Storage
  • POJO/J2SE based (IoC friendly)
  • Container-Independent Clustering!
  • Heterogeneous Client Access
  • Event Listeners
  • listen to lifecycle events during a session's lifetime
  • Host Address Retention
  • retain the IP address or host name of the host from where the session was initiated
  • Inactivity/Expiration Support
  • can be prolonged via a touch() method to keep them 'alive' if desired
  • Transparent Web Use
  • can use Shiro sessions in existing web applications and you
  • don't need to change any of your existing web cod
  • Can be used for SSO
  • easily stored in any data source
  • can be
  • 'shared'
  • across applications if needed
  • 'poor man's SSO'
  • simple sign-on experience since the shared session can retain authentication state
  • interface-based and implemented with POJOs
  • allows you to easily configure all session components with any JavaBeans-compatible configuration format, like JSON, YAML
  • easily extend
  • customize session management functionality
  • session data can be easily stored in any number of data sources
  • easily clustered using any of the readily-available networked caching products
  • no matter what container you deploy to, your sessions will be clustered the same way
  • No need for container-specific configuration!
  • Shiro sessions can be 'shared' across various client technologies
  • listen for these events and react to them for custom application behavior
  • SecurityUtils.getSubject()
  • currentUser.getSession()
  • If the Subject already has a Session, the boolean argument is ignored and the Session is returned immediately
  • If the Subject does not yet have a Session and the create boolean argument is true,
  • a new session will be created
  • and returned.
  • If the Subject does not yet have a Session and the create boolean argument is false, a new session will not be created and null is returned.
  • Suject.getSession(boolean create)
  • method functions the same way as the
  • HttpServletRequest.getSession(boolean create) method:
    • kuni katsuya
      kuni katsuya on 04 Oct 12
kuni katsuya

Architecture | Apache Shiro - 0 views

shiro.apache.org/architecture.html

apache shiro architecture

shared by kuni katsuya on 15 Aug 12 - No Cached
  • Realm is essentially a security-specific DAO
  • 3 primary concepts:
  • Subject
  • ...51 more annotations...
  • SecurityManager
  • Realms
  • High-Level Overview
  • Subject
  • essentially a security specific 'view' of the the currently executing user
  • Subject
  • instances are all bound to (and require) a
  • SecurityManager
  • When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager
  • SecurityManager
  • 'umbrella’ object that coordinates its internal security components that together form an object graph
  • Realms
  • ‘connector’ between Shiro and your
  • application’s security data
  • Shiro looks up many of these things from one or more Realms configured for an application
  • Subject
  • SecurityManager
  • Authenticator
  • Authorizer
  • component responsible determining users' access control in the application
  • if a user is allowed to do something or not
  • SessionManager
  • knows how to create and manage user
  • Session
  • lifecycles
  • Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available
  • Shiro will use
  • an existing session mechanism
  • if available, (e.g. Servlet Container)
  • if there isn't one, such as in a standalone application or non-web environment, it will use its
  • built-in enterprise session management
  • SessionDAO
  • exists to allow any datasource to be used to
  • persist sessions
  • SessionDAO
  • performs Session persistence (CRUD) operations on behalf of the SessionManager
  • allows any data store to be plugged in to the Session Management infrastructure
  • CacheManager
  • creates and manages Cache instance lifecycles used by other Shiro components
  • improve performance while using these data source
  • Cryptography
  • Realms
  • ‘connector’ between Shiro and your application’s security data
  • Realms
  • Realms
  • Realms
  • ‘connector’ between Shiro and your application’s security data
  • ‘connector’ between Shiro and your application’s security data
  • ‘connector’ between Shiro and your application’s security data
  • ‘connector’ between Shiro and your application’s security data
  • ‘connector’ between Shiro and your application’s security data
kuni katsuya

Session Management | Apache Shiro - 1 views

shiro.apache.org/session-management.html

ApacheShiro SessionManagement SessionClustering clustering

shared by kuni katsuya on 08 Nov 12 - No Cached
  • Session Clustering
  • can cluster Subject sessions natively and never need to worry again about how to cluster sessions based on your container environment
  • if you configure a cluster-capable SessionDAO, the DAO can interact with a clustering mechanism and Shiro's SessionManager never needs to know about clustering concerns
  • ...8 more annotations...
  • Therefore enabling Session clustering in Shiro is
  • as simple as configuring Shiro to use a distributed cache
  • Ehcache+TerraCotta
  • When Shiro initializes the
  • SessionDAO implements the CacheManagerAware interface
  • call the
  • setCacheManager
  • Ehcache + Terracotta
kuni katsuya

HttpServletRequest (Java EE 6 ) - 0 views

docs.oracle.com/...HttpServletRequest.html

java security authentication authorization SessionManagement HttpSession session SessionLifeCycle

shared by kuni katsuya on 04 Oct 12 - No Cached
  • kuni katsuya on 04 Oct 12
     
    "getSession(boolean create)"
kuni katsuya

Article Series: Migrating Spring Applications to Java EE 6 - Part 3 | How to JBoss - 0 views

howtojboss.com/...rom-spring-to-java-ee-6-part-3

spring javaee6 migration

shared by kuni katsuya on 02 Jul 12 - No Cached
  • Stateless Session Bean is transactional by default
  • In this article we will discuss migrating the DAO layer, AOP and JMX
  • Migrating JDBC templates
  • ...3 more annotations...
  • In general, JDBC Templates are a poor solution. They don’t have enough abstraction to work on different databases because you use plain SQL in queries. There is also no real ORM mapping which results in quite a lot of boilerplate code
  • SimpleJdbcTemplate(ds)
  • @InterceptorBinding
  • kuni katsuya on 02 Jul 12
     
    Stateless Session Bean is transactional by default.
kuni katsuya

Threats - salesforce.com - 0 views

trust.salesforce.com/...best_practices

security policy BestPractices salesforce.com

shared by kuni katsuya on 01 Sep 12 - No Cached
  • Security Best Practices Webinar for All Salesforce.com Customers
  • Designate a security contact within your organization so that salesforce.com can more effectively communicate with you
  • Consider using other two-factor authentication techniques
  • ...14 more annotations...
  • activate IP range restrictions
  • Implement IP Restrictions in Salesforce.com
  • Two-Factor Authentication
  • second-level authorization, including requiring secure IT tokens
  • does not protect against “man-in-the-middle” attacks, where messages are intercepted
  • applications that may be integrated with salesforce.com are not protected by two-factor authentication
  • Strengthen Password Policies
    • kuni katsuya
      kuni katsuya on 01 Sep 12
       
      salesforce.com password policies: - password expiry period - password history (reuse) enforcement - minimum password length - password complexity requirement - forgotten password hint question requirement
  • Require Secure Sessions
  • mandating that all sessions are encrypted and secure
  • Decrease Session Timeout Thresholds
  • Identify a Primary Security Contact
  • identify a person in your company who is responsible for application security
  • should have a thorough understanding of your security policies
  • single point of contact for salesforce.com
kuni katsuya

Authentication Cheat Sheet - OWASP - 0 views

www.owasp.org/...Authentication_Cheat_Sheet

security authentication CheatSheet

shared by kuni katsuya on 09 Aug 12 - No Cached
  • Authentication Cheat Sheet
  • Sessions should be
  • unique per user
  • ...26 more annotations...
  • computationally very difficult to predict
  • "strong" password policy
  • Secure Password Recovery Mechanism
  • Require re-authentication for Sensitive Features
  • Authentication and Error Messages
  • can be used for the purposes of user ID and password enumeration
  • Incorrectly implemented error messages
  • generic manner
  • respond with a generic error message regardless if the user ID or password was incorrect
  • give no indication to the status of an existing account
  • Authentication responses
  • Invalid user ID or password"
  • does not indicate if the user ID or password is the incorrect parameter
  • Transmit Passwords Only Over TLS
  • login page
  • all subsequent authenticated pages
  • must be exclusively accessed over TLS
  • unencrypted session ID
  • credentials
  • Implement Account Lockout
  • lock out an account if more than a preset number of unsuccessful login attempts are made
  • can produce a result that locks out entire blocks of application users accounts
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      somewhat of a denial-of-service attack, since legitimate users can no longer access their accounts/services
  • sensible strategy
  • is to lockout accounts for a number of hours
  • Password lockout mechanisms have a logical weakness
  • Session Management General Guidelines
kuni katsuya

Web | Apache Shiro - 0 views

shiro.apache.org/web.html

security ApacheShiro SessionManagement session

shared by kuni katsuya on 19 Sep 12 - No Cached
  • Session Management
  • Servlet Container Sessions
  • kuni katsuya on 19 Sep 12
     
    "t"
kuni katsuya

Lazy Loading Entities In Views Challenge--Reader's Question And Answer : Adam Bien's We... - 0 views

www.adam-bien.com/...lazy_loading_entities_in_views

java javaee6 anti-patterns DesignPatterns lazy-loading EagerFetch JPA

shared by kuni katsuya on 12 Dec 12 - No Cached
  • Lazy Loading Entities In Views
  • class User
  • Address
  • ...10 more annotations...
  • Friend
  • addresses are lazily loaded
  • detached mode already in the controller
  • eagerly loaded
  • It gets ugly pretty quickly
  • JXPath relations
  • Use Fetch Joins they are designed to prefetch lazy relations
  • Anti-Pattern
    • kuni katsuya
      kuni katsuya on 12 Dec 12
       
      DO NOT USE THE OPEN-SESSION-IN-VIEW *ANTI*-PATTERN
  • Use Stateful Session Beans
    • kuni katsuya
      kuni katsuya on 12 Dec 12
       
      do not penalty: death, or at least a public flogging
  • eager load the relations
    • kuni katsuya
      kuni katsuya on 12 Dec 12
       
      just don't hard-code this eager loading behavior by using jpa's FetchType.EAGER when annotating the entity beans if you do, you force all clients of said entity beans to *always* eager fetch everything, even if the client doesn't want/need the full depth/breadth of the object graph to eager load the relations when needed, try fetch joins (see item 5)
kuni katsuya

Open Session in View | Hibernate | JBoss Community - 0 views

community.jboss.org/...OpenSessionInView

java javaee6 anti-patterns DesignPatterns lazy-loading EagerFetch JPA

shared by kuni katsuya on 12 Dec 12 - No Cached
  • Open Session in View
    • kuni katsuya
      kuni katsuya on 12 Dec 12
       
      do not do this!  this be an anti-pattern
kuni katsuya

Login for Server-side Apps - Facebook Developers - 0 views

developers.facebook.com/...server-side-login

Facebook login authentication AccessToken FacebookAPI

shared by kuni katsuya on 27 Mar 13 - No Cached
  • compare it to the same state variable stored client-side in the session
    • kuni katsuya
      kuni katsuya on 27 Mar 13
       
      cross-site request forgery defense mechanism
  • If the user decided to decline to authorize your app
  • YOUR_REDIRECT_URI
  • ...38 more annotations...
  • error_reason=user_denied
  • Handling Revoked Permissions to see how best to proceed
  • Step 6. Exchange the code for an Access Token
  • exchange it for a User access token that can then be used to make API requests
  • /oauth/access_token
  • server-side request to the following OAuth endpoint:
  • client_secret
  • code=CODE_GENERATED_BY_FACEBOOK
  • body of the response
  • access_token
  • USER_ACCESS_TOKEN
  • persist this User access token in your database or in a session variable
  • must have the same base domain as that specified in the App Domain property of your app's settings
  • URL of the form https://apps.facebook.com/YOUR_APP_NAMESPACE
  • scope=user_birthday,read_stream
  • Step 4. Add Permissions to Login Dialog request
  • comma-separated list of any of the Permissions available
  • Step 5. Handle the response from the Login Dialog
  • Step 5. Handle the response from the Login Dialog
  • Step 5. Handle the response from the Login Dialog
  • Step 5. Handle the response from the Login Dialog
  • YOUR_REDIRECT_URI
  • Step 3. Redirect the user to the Login Dialog
  • Login for Server-side Apps
  • Login for Server-side Apps
  • Login for Server-side Apps
  • Login for Server-side Apps
  • Login for Server-side Apps
  • Login for Server-side Apps
  • way to authenticate users in situations where the use of client-side Javascript is not appropriate.
  • Login for Server-side Apps
  • received an access token for them and can make API calls on their behalf
  • Step 5. Handle the response from the Login Dialog
  • include CSRF protection using the state parameter
  • if the user has authorized the app, they will be redirected to:
  • YOUR_REDIRECT_URI
  • code=CODE_GENERATED_BY_FACEBOOK
  • redirect_uri as the same URL that redirect the user to the Login Dialog
kuni katsuya

Chapter 14. Tide client framework - 0 views

www.graniteds.org/...graniteds.tideframework.html

graniteds tide context

shared by kuni katsuya on 23 Apr 13 - No Cached
  • 14.3. Contexts and Components
  • core concepts
  • component
  • ...14 more annotations...
  • context
  • unique context that exists during the whole lifetime of the Flex application. It can be compared to to the server-side session
  • Components
  • two main kinds of contexts:
  • stateful objects that can be of any ActionScript 3 class with a default constructor
  • global context
  • temporary contexts that can be created and destroyed at any time during the lifetime of the application
  • conversation contexts
  • conversation context always has an identifier
  • usually tied to a particular use case in the application
  • three available scopes:
  • session scope
  • conversation scope
  • event scope
kuni katsuya

MySQL :: MySQL 5.1 Reference Manual :: 5.1.7 Server SQL Modes - 0 views

dev.mysql.com/...server-sql-mode.html

shared by kuni katsuya on 23 Oct 12 - No Cached
  • Modes define what SQL syntax MySQL should support and what kind of data validation checks it should perform
  • Server SQL Modes
  • When working with InnoDB tables using the InnoDB Plugin, consider also the innodb_strict_mode configuration option. It enables additional error checks for InnoDB tables, as listed in InnoDB Strict Mode
  • ...7 more annotations...
  • Setting the SESSION variable affects only the current client. Any client can change its own session sql_mode value at any time
  • To avoid this, it is best to use single-row statements because these can be aborted without changing the table
    • kuni katsuya
      kuni katsuya on 21 May 13
       
      ie. the cheezy and hugely time consuming workaround for avoiding the partial update failure issue with slaves (ie. master-slave data skew)
  • STRICT_TRANS_TABLES
  • Strict mode does not affect whether foreign key constraints are checked
  • POSTGRESQL
  • ORACLE
  • TRADITIONAL
kuni katsuya

UML Profile Diagrams Examples - 0 views

www.uml-diagrams.org/profile-diagrams-examples.html

uml UmlProfiles EJB3

shared by kuni katsuya on 05 Sep 12 - No Cached
  • Java EJB 3.0 UML Profile
  • [UML Profile for Java and EJB. Version 1.0]
  • Java 1.3, EJB 1.1 and most likely UML 1.4, so it could be only of some interest
    • kuni katsuya
      kuni katsuya on 05 Sep 12
       
      ancient java and ejb versions!
  • ...8 more annotations...
  • simplified and unofficial UML Profile for EJB 3.0 with support for
  • session
  • entity
  • message-driven
  • Enterprise JavaBeans
  • stateful
  • stateless
  • session beans
kuni katsuya

Chapter 14. Tide client framework - 0 views

www.graniteds.org/...graniteds.tideframework.html

graniteds Tide framework Flex

shared by kuni katsuya on 12 Sep 12 - No Cached
  • Tide client framework
  • framework features
  • Dependency Injection
  • ...18 more annotations...
  • Event Bus
  • Contextual Components and Conversations
  • Contexts and Components
  • two main kinds of contexts:
  • global context
  • unique context that exists during the whole lifetime of the Flex application
  • compared to to the server-side session
  • conversation contexts
  • temporary contexts that can be created and destroyed at any time during the lifetime of the application
  • can exist simultaneously
  • isolated from each other
  • Components are stateful objects that can be of any ActionScript 3 class with a default constructor
  • have a name
  • A context is mostly a container for component instances
  • three available scopes:
  • session scope
  • conversation scope
  • event scope
  • kuni katsuya on 12 Sep 12
     
    "Tide client framework"
kuni katsuya

Comparing JSF Beans, CDI Beans and EJBs | Andy Gibson - 0 views

www.andygibson.net/...g-jsf-beans-cdi-beans-and-ejbs

javaee6 ejb3.1 cdi JsfBackingBean

shared by kuni katsuya on 30 Jul 12 - No Cached
  • differences between CDI beans and EJBs is that EJBs are : Transactional Remote or local Able to passivate stateful beans freeing up resources Able to make use of timers Can be asynchronous
  • Stateless EJBs can be thought of as thread safe single-use beans that don’t maintain any state between two web requests
  • Stateful EJBs do hold state and can be created and sit around for as long as they are needed until they are disposed of
  • ...15 more annotations...
  • Stateless beans must have a dependent scope while a stateful session bean can have any scope. By default they are transactional, but you can use the transaction attribute annotation.
  • CDI beans can be injected into EJBs and EJBs can be injected into CDI beans
  • When to use which bean How do you know when to use which bean? Simple.
  • In general, you should use CDI beans unless you need the advanced functionality available in the EJBs such as transactional functions. You can write your own interceptor to make CDI beans transactional, but for now, its simpler to use an EJB until CDI gets transactional CDI beans which is just around the corner
  • Comparing JSF Beans, CDI Beans and EJBs
  • JSF Managed Beans
  • In short, don’t use them if you are developing for Java EE 6 and using CDI. They provide a simple mechanism for dependency injection and defining backing beans for web pages, but they are far less powerful than CDI beans.
  • JSF beans cannot be mixed with other kinds of beans without some kind of manual coding.
  • CDI Beans
  • includes a complete, comprehensive managed bean facility
  • interceptors, conversation scope, Events, type safe injection, decorators, stereotypes and producer methods
  • JSF-like features, you can define the scope of the CDI bean using one of the scopes defined in the javax.enterprise.context package (namely, request, conversation, session and application scopes). If you want to use the CDI bean from a JSF page, you can give it a name using the javax.inject.Named annotation
  • Comparing JSF Beans, CDI Beans and EJBs
  • Comparing JSF Beans, CDI Beans and EJBs
  • JSF Managed Beans
1 - 20 of 34 Next ›
Showing 20 items per page