Skip to main content

Home/ SoftwareEngineering/ Contents contributed and discussions participated by kuni katsuya

Contents contributed and discussions participated by kuni katsuya

Simple Middle Filter: All | Bookmarks | Topics
kuni katsuya

What Is The @Interceptors Overhead? : Adam Bien's Weblog - 0 views

www.adam-bien.com/...t_is_the_interceptors_overhead

javaee6 interceptor performance overhead

shared by kuni katsuya on 09 Aug 12 - No Cached
  • What Is The @Interceptors Overhead?
  • two, empty, interceptors
  • TypeAverageMinMaxTransactions/Sec Plain EJB 3.11082833.66 Intercepted EJB 3.11092818.88
  • ...1 more annotation...
  • Even applying two interceptors on a @Stateless EJB 3.1 does not make a significant performance impact. In worst case the performance difference is 1 ms and so negligible.
kuni katsuya

Why Service Isn't A ServiceFacade, But ServiceFacade Is Sometimes A Service... : Adam B... - 0 views

www.adam-bien.com/...why_service_isn_t_a

javaee6 ejb3.1 ServiceFacade service boundary

shared by kuni katsuya on 09 Aug 12 - No Cached
  • boundary, which main responsibilities are:Providing coarser granularityEnsuring consistencyProviding a defined entry point which can be easily decorated with aspects / interceptorsExposure of components (what components are we will cover later) functionality to remote clients via IIOP, REST, SOAP, JMS, Hessian etc...
  • ServiceFacade - the facade to Services. The Services just rely on a certain amount of cross cutting aspects and concentrate on the realization of business logic
  • only invokes Services in consistent way, mostly using transactions
  • ...2 more annotations...
  • Services can remain independent
  • ServiceFacade combines them
kuni katsuya

Enterprise JavaBeans 3.1 with Contexts and Dependency Injection: The Perfect Synergy - 0 views

www.oracle.com/...ejb-3-1-175064.html

javaee6 ejb3.1

shared by kuni katsuya on 09 Aug 12 - No Cached
  • EJB beans cannot be directly exposed to JSF or JSP without a little help from CDI
  • CDI doesn't provide any transactional, monitoring, or concurrency aspect out of the box
  • stateless EJB 3.1 bean as boundary (Facade)
  • ...1 more annotation...
  • injected managed beans (controls) results in the simplest possible architecture
kuni katsuya

Frequently Answered Questions (FAQ) - 0 views

static.springsource.org/...faq.html

java security SpringSecurity requirements dependencies

shared by kuni katsuya on 09 Aug 12 - No Cached
  • 1.3.What Java and Spring Framework versions are required?
  • Spring Security 3.0 and 3.1 require at least JDK 1.5
  • and also require Spring 3.0.3 as a minimum
kuni katsuya

Appendix C. Spring Security Dependencies - 0 views

static.springsource.org/...appendix-dependencies.html

java security SpringSecurity dependencies

shared by kuni katsuya on 09 Aug 12 - No Cached
  • Spring Security Dependencies
  • This appendix provides a reference of the modules in Spring Security and the additional dependencies that they require in order to function in a running application
  • C.1 spring-security-coreThe core module must be included in any project using Spring Security.
  • ...8 more annotations...
  • DependencyVersionDescriptionaopalliance1.0Required for method security implementation.
  • spring-aop Method security is based on Spring AOP
  • spring-beans Required for Spring configuration
  • spring-expression Required for expression-based method security (optional)
  • spring-jdbc Required if using a database to store user data (optional).
  • spring-tx Required if using a database to store user data (optional).
  • C.6 spring-security-aclThe ACL module.
  • spring-jdbc Required if you are using the default JDBC-based AclService (optional if you implement your own).spring-tx Required if you are using the default JDBC-based AclService (optional if you implement your own).
kuni katsuya

Spring Security - Features - 0 views

static.springsource.org/...features.html

Java security SpringSecurity

shared by kuni katsuya on 09 Aug 12 - Cached
  • Domain object instance security: In many applications it's desirable to define Access Control Lists (ACLs) for individual domain object instances. We provide a comprehensive ACL package with features including integer bit masking, permission inheritance (including blocking), an optimized JDBC-backed ACL repository, caching and a pluggable, interface-driven design.
  • OpenID Support: the web's emerging single sign-on standard (supported by Google, IBM, Sun, Yahoo and others) is also supported in Spring Security
  • Easy integration with existing databases: Our implementations have been designed to make it easy to use your existing authentication schema and data (without modification). Of course, you can also provide your own Data Access Object if you wish. Password encoding: Of course, passwords in your authentication repository need not be in plain text. We support both SHA and MD5 encoding, and also pluggable "salt" providers to maximise password security.
  • ...5 more annotations...
  • Caching: Spring Security optionally integrates with Spring's Ehcache factory. This flexibility means your database (or other authentication repository) is not repeatedly queried for authentication information when using Spring Security with stateless applications.
  • Run-as replacement: The system fully supports temporarily replacing the authenticated principal for the duration of the web request or bean invocation. This enables you to build public-facing object tiers with different security configurations than your backend objects.
  • Tag library support: Your JSP files can use our taglib to ensure that protected content like links and messages are only displayed to users holding the appropriate granted authorities. The taglib also fully integrates with Spring Security's ACL services, and obtaining extra information about the logged-in principal.
  • User Provisioning APIs: Support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration.
  • Enterprise-wide single sign on using CAS 3: Spring Security integrates with JA-SIG's open source Central Authentication Service (CAS)
kuni katsuya

Authentication Cheat Sheet - OWASP - 0 views

www.owasp.org/...Authentication_Cheat_Sheet

security authentication CheatSheet

shared by kuni katsuya on 09 Aug 12 - No Cached
  • Authentication Cheat Sheet
  • Sessions should be
  • unique per user
  • ...26 more annotations...
  • computationally very difficult to predict
  • "strong" password policy
  • Secure Password Recovery Mechanism
  • Require re-authentication for Sensitive Features
  • Authentication and Error Messages
  • can be used for the purposes of user ID and password enumeration
  • Incorrectly implemented error messages
  • generic manner
  • respond with a generic error message regardless if the user ID or password was incorrect
  • give no indication to the status of an existing account
  • Authentication responses
  • Invalid user ID or password"
  • does not indicate if the user ID or password is the incorrect parameter
  • Transmit Passwords Only Over TLS
  • login page
  • all subsequent authenticated pages
  • must be exclusively accessed over TLS
  • unencrypted session ID
  • credentials
  • Implement Account Lockout
  • lock out an account if more than a preset number of unsuccessful login attempts are made
  • can produce a result that locks out entire blocks of application users accounts
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      somewhat of a denial-of-service attack, since legitimate users can no longer access their accounts/services
  • sensible strategy
  • is to lockout accounts for a number of hours
  • Password lockout mechanisms have a logical weakness
  • Session Management General Guidelines
kuni katsuya

SQL Injection Prevention Cheat Sheet - OWASP - 0 views

www.owasp.org/...jection_Prevention_Cheat_Sheet

security SqlInjection prevention CheatSheet

shared by kuni katsuya on 09 Aug 12 - No Cached
  • SQL Injection Prevention Cheat Sheet
  • it is EXTREMELY simple to avoid SQL Injection vulnerabilities in your code.
  • create dynamic database queries that include user supplied input
  • ...19 more annotations...
  • a) stop writing dynamic queries
  • b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query
  • Primary Defenses:
  • Option #1: Use of Prepared Statements (Parameterized Queries)
  • Option #3: Escaping all User Supplied Input
  • Additional Defenses:
  • Enforce: Least Privilege
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      least privilege should be *required*, included as a primary defense
  • Perform: White List Input Validation
  • Primary Defenses
  • Defense Option 1: Prepared Statements (Parameterized Queries)
  • attacker is not able to
  • change the intent
  • of a query, even if SQL commands are inserted by an attacker
  • allows the database to
  • distinguish
  • between
  • data,
  • code a
  • Defense Option 3: Escaping All User Supplied Input
kuni katsuya

Chapter 16. Extensibilty - 0 views

www.graniteds.org/...graniteds.extensibility.html

graniteds security SecurityService documentation

shared by kuni katsuya on 09 Aug 12 - No Cached
  • 16.2. Writing a Security Service
  • login(Object credentials)
  • authorize(AbstractSecurityContext context)
  • ...20 more annotations...
  •  logout() 
  • An implementation of this interface must be thread safe
  • If authorization fails, either because the user is not logged in or because it doesn't have required rights, it must throw an appropriate org.granite.messaging.service.security.SecurityServiceException.
  • Writing a Security Service
  • SecurityService interface
  • nothing to do with a true Flex destination
  • only one instance of this service is used in the entire web-app and will be called by concurrent threads
  • configure
  • login
  • This method is called upon each and every service method call invocations (RemoteObject) or subscribe/publish actions (Consumer/Producer). When used with RemoteObjects, the authorize method is responsible for checking security, calling the service method, and returning the corresponding result.
  • authorize
  • logout
  • handleSecurityException
  • default implementation of this method in AbstractSecurityService is to do nothing
  • security services are not exposed to outside calls
  • configure
  • login
  • authorize
  • logout
  • handleSecurityException
« First ‹ Previous 741 - 760 of 1268 Next › Last »
Showing 20 items per page