Skip to main content

Home/ SoftwareEngineering/ Contents contributed and discussions participated by kuni katsuya

Contents contributed and discussions participated by kuni katsuya

Simple Middle Filter: All | Bookmarks | Topics
kuni katsuya

java - Getting confused with Apache Shiro and Custom Authorizing Realms - Stack Overflow - 0 views

stackoverflow.com/...-and-custom-authorizing-realms

security ApacheShiro realm RealmSecurityManager SecurityManager authorization AuthorizationInfo

shared by kuni katsuya on 22 Sep 12 - No Cached
  • getRealms()
  • RealmSecurityManager
  • authorization is effectively disabled due to the default doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) implementation returning null
kuni katsuya

Session Management Cheat Sheet - OWASP - 0 views

www.owasp.org/...Session_Management_Cheat_Sheet

OWASP BestPractices CheatSheet SessionManagement

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Session Management Cheat Sheet
  • should not be extremely descriptive nor offer unnecessary details
  • change the default session ID name of the web development framework to a generic name
  • ...50 more annotations...
  • length must be at least 128 bits (16 bytes)
  • Session ID Length
  • Session ID Name Fingerprinting
  • Session ID Properties
  • Session ID Entropy
  • must be unpredictable (random enough) to prevent guessing attacks
  • good PRNG (Pseudo Random Number Generator) must be used
  • must provide at least 64 bits of entropy
  • Session ID Content (or Value)
  • content (or value) must be meaningless
  • identifier on the client side
  • meaning and business or application logic associated to the session ID must be stored on the server side
  • session objects or in a session management database or repository
  • create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).
  • Session Management Implementation
  • defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID
  • token expiration date and time
  • This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods
  • Transport Layer Security
  • use an encrypted HTTPS (SSL/TLS) connection for the entire web session
  • not only for the authentication
  • process where the user credentials are exchanged.
  • “Secure” cookie attribute
  • must be used to ensure the session ID is only exchanged through an encrypted channel
  • never switch a given session from HTTP to HTTPS, or viceversa
  • should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)
  • should not offer public unencrypted contents and private encrypted contents from the same host
  • www.example.com over HTTP (unencrypted) for the public contents
  • secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)
  • only has port TCP/80 open
  • only has port TCP/443 open
  • “HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.
  • Secure Attribute
  • instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection
  • HttpOnly Attribute
  • instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object
  • Domain and Path Attributes
  • instructs web browsers to only send the cookie to the specified domain and all subdomains
  • “Domain” cookie attribute
  • “Path” cookie attribute
  • instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application
  • vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com
  • Expire and Max-Age Attributes
  • “Max-Age”
  • “Expires” attributes
  • it will be considered a
  • persistent cookie
  • and will be stored on disk by the web browser based until the expiration time
  • use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.
  • Session ID Life Cycle
kuni katsuya

Logging Cheat Sheet - OWASP - 0 views

www.owasp.org/...Logging_Cheat_Sheet

OWASP logging BestPractices CheatSheet

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Legal and other opt-ins
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      terms & conditions acceptance, license transfers, etc
  • Data changes
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      all changes to domain objects
  • Event attributes
  • ...35 more annotations...
  • Log date and time
  • Event date and time
  • Application identifier
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. service type
  • Application address
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. service instance
  • User identity
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      ie. subject
  • Type of event
  • Severity of event
  • Description
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. event message text
  • Action
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. action performed on managed resource (eg. 'update' action on resource 'hotel')
  • original intended purpose of the request
  • Object
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. managed resource being accessed
  • affected component
  • Result status
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      boolean was_successful
  • Reason
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      include in event message text
  • Extended details
  • Data to exclude
  • Access tokens
  • Session identification values
  • Sensitive personal data
  • passwords
  • Database connection strings
  • Encryption keys
  • payment
  • Information a user has opted out of collection
  • Synchronize time across all servers and devices
  • Input validation failures
  • Which events to log
  • proportional to the information security risks
  • Always log:
  • Authentication successes and failures
  • Authorization failures
  • Session management failures
  • Application errors and system events
  • Application and related systems start-ups and shut-downs
  • Use of higher-risk functionality
kuni katsuya

Forgot Password Cheat Sheet - OWASP - 0 views

www.owasp.org/...Forgot_Password_Cheat_Sheet

security authentication password ForgotPassword PasswordReset

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Forgot Password Cheat Sheet
  • no industry standard for implementing a Forgot Password feature
  • Step 1) Gather Identity Data or Security Questions
  • ...12 more annotations...
  • asks the user for multiple pieces of hard data that should have been
  • previously collected
  • send the password reset information to some
  • out-of-band side-channel
  • such as a (possibly different) email address or an SMS text number, etc. to be used in Step 3.
  • Step 2) Verify Security Questions
  • application verifies that each piece of data is correct for the given username
  • If anything is incorrect, or if the username is not recognized, the second page displays a generic error message such as “Sorry, invalid data”. If all submitted data is correct, Step 2 should display at least two of the user’s pre-established personal security questions, along with input fields for the answers.
  • Avoid sending the username as a parameter
  • Do not provide a drop-down list
  • server-side session
  • user's email account may have already been compromised
kuni katsuya

Guide to SQL Injection - OWASP - 0 views

www.owasp.org/...Guide_to_SQL_Injection

security SqlInjection background overview

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Least privilege connections
  • Always use accounts with the
  • minimum privilege necessary
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      yet another reason why shared db logins (eg. etl_update) are a *BAD IDEA* ie. a set of apps using the same db login are effectively granted the 'highest common denominator' of db privileges, so have more access than they should (eg. update/delete privilege on tables unrelated to app)
  • ...9 more annotations...
  • for the application
  • Parameterized Queries with Bound Parameters
  • keep the
  • query
  • d data
  • separate through the use of placeholders known as "bound" parameters
  • how to Review Code for SQL Injection Vulnerabilities.
  • Guide to SQL Injection
  • "injection" of a SQL query via the input data from the client to the application
  • kuni katsuya on 21 Sep 12
     
    "Least privilege connections"
kuni katsuya

SQL Injection - OWASP - 0 views

www.owasp.org/...SQL_injection

security SqlInjection background overview

shared by kuni katsuya on 21 Sep 12 - No Cached
  • SQL Injection
  • "injection" of a SQL query via the input data from the client to the application
  • exploit can
  • ...18 more annotations...
  • read sensitive data
  • modify database data
  • execute administration operations
  • SQL injection errors occur when:
  • Data enters a program from an
  • untrusted source
  • The data used to
  • dynamically construct a SQL query
  • consequences are:
  • Confidentiality:
  • sensitive data
  • Authentication
  • user names and passwords
  • Authorization
  • change this information
  • Integrity
  • read sensitive information
  • changes or even delete this information
kuni katsuya

Preventing SQL Injection in Java - OWASP - 0 views

www.owasp.org/...eventing_SQL_Injection_in_Java

security SqlInjection prevention Java DefensiveCoding

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Preventing SQL Injection in Java
  • inject (or execute) SQL commands within an application
  • Defense Strategy
  • ...19 more annotations...
  • To prevent SQL injection:
  • All queries should be
  • parametrized
  • All dynamic data
  • should be
  • explicitly bound to parametrized queries
  • String concatenation
  • should never be used
  • to create dynamic SQL
  • OWASP SQL Injection Prevention Cheat Sheet.
  • Parameterized Queries
  • Prepared Statements
  • automatically be escaped by the JDBC driver
  • userId = ?
  • PreparedStatement
  • setString
  • Dynamic Queries via String Concatenation
  • never construct SQL statements using string concatenation of unchecked input values
  • dynamic queries via the java.sql.Statement class leads to SQL Injection
kuni katsuya

MySQL :: MySQL 5.5 Reference Manual :: 13.1.17 CREATE TABLE Syntax - 0 views

dev.mysql.com/...create-table.html

MySQL MySQL5.5 column comment length

shared by kuni katsuya on 20 Sep 12 - No Cached
kuni katsuya

AMFParser - 0 views

amfparser.codeplex.com

graniteds flex blazeds debugging AMF AMFParser Fiddler2

shared by kuni katsuya on 20 Sep 12 - No Cached
  • AMFParser
  • AMFParser plugin for Fiddler2 web debugger
  • parsing and displaying AMF data inside HTTP's POST requests and responses
kuni katsuya

java - Flex+JPA/Hibernate+BlazeDS+MySQL how to debug this monster? - Stack Overflow - 0 views

stackoverflow.com/...ysql-how-to-debug-this-monster

graniteds flex blazeds debugging

shared by kuni katsuya on 20 Sep 12 - No Cached
  • Set break points in my Java code Start up the Java application server with the appropriate debug JVM properties set (e.g. -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n) From Eclipse, I attach a remote debugger to the app server on the default port 8000. The Java Debugger will open up when a break point is hit. Set breakpoints in my Flex application (or one of its modules). From Eclipse (with Flash Builder) I launch a debug configuration for my Flex app. The Flex Debugger will open up when a break point is hit. At this point I have two debuggers open and everything work great. Two other things I do: a) extend the transaction system timeout, so it doesn't get trigger while I am sitting there think for a few minutes b) use Charles Proxy (in reverse proxy mode) inbetween the client and server to watch the AMF traffic and view payloads, etc.
  • Flex+JPA/Hibernate+BlazeDS+MySQL how to debug this monster?
kuni katsuya

graniteds - can newer web containers having Servlet 3 extend BlazeDS max # of simultane... - 0 views

stackoverflow.com/...-blazeds-max-of-simultaneous-u

graniteds AsynchronousServlets asynchronous servlets servlet3.0

shared by kuni katsuya on 20 Sep 12 - No Cached
  • GraniteDS & Asynchronous Servlets
  • to handle many thousands concurrent users, you can even
  • create a cluster of GraniteDS servers
  • ...9 more annotations...
  • Asynchronous Servlets Performance
  • With a non NIO or non Continuation based server, this would require around 11,000 threads to handle 10,000 simultaneous users. Jetty handles this number of connections with only 250 threads.
  • Classical synchronous model: 10,000 concurrent users -> 11,000 server threads. 1.1 ratio.
  • Comet asynchronous model: 10,000 concurrent users -> 250 server threads. 0.025 ratio.
  • classical (synchronous) servlet model
  • request -> immediate processing -> response
  • Comet implementations rely on a different model:
  • request -> wait for available data -> response
  • With synchronous servlet processing, each request is handled by one dedicated server thread
kuni katsuya

Christophe Herreman » Blog Archive » Spring ActionScript at FlexCamp 2008 Bel... - 0 views

www.herrodius.com/158

flex service configuration

shared by kuni katsuya on 20 Sep 12 - Cached
  • endpoints externally configured
  • allows me to switch between different endpoints - different test or production servers for instance - just by specifying the ip and port in an external properties file
  • don't have to specify any compiler arguments that point to the services-config.xml or messaging-config.xml files.
kuni katsuya

Web | Apache Shiro - 0 views

shiro.apache.org/web.html

security ApacheShiro SessionManagement session

shared by kuni katsuya on 19 Sep 12 - No Cached
  • Session Management
  • Servlet Container Sessions
  • kuni katsuya on 19 Sep 12
     
    "t"
« First ‹ Previous 461 - 480 of 1268 Next › Last »
Showing 20 items per page