Session Management Cheat Sheet
Group items matching
in title, tags, annotations or url
53More
Session Management Cheat Sheet - OWASP - 0 views
-
-
should not be extremely descriptive nor offer unnecessary details
-
change the default session ID name of the web development framework to a generic name
- ...50 more annotations...
-
length must be at least 128 bits (16 bytes)
-
Session ID Length
-
Session ID Name Fingerprinting
-
Session ID Properties
-
Session ID Entropy
-
must be unpredictable (random enough) to prevent guessing attacks
-
good PRNG (Pseudo Random Number Generator) must be used
-
must provide at least 64 bits of entropy
-
Session ID Content (or Value)
-
content (or value) must be meaningless
-
identifier on the client side
-
meaning and business or application logic associated to the session ID must be stored on the server side
-
session objects or in a session management database or repository
-
create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).
-
Session Management Implementation
-
defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID
-
token expiration date and time
-
This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods
-
Transport Layer Security
-
use an encrypted HTTPS (SSL/TLS) connection for the entire web session
-
not only for the authentication
-
process where the user credentials are exchanged.
-
“Secure” cookie attribute
-
must be used to ensure the session ID is only exchanged through an encrypted channel
-
never switch a given session from HTTP to HTTPS, or viceversa
-
should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)
-
should not offer public unencrypted contents and private encrypted contents from the same host
-
www.example.com over HTTP (unencrypted) for the public contents
-
secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)
-
only has port TCP/80 open
-
only has port TCP/443 open
-
“HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.
-
Secure Attribute
-
instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection
-
HttpOnly Attribute
-
instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object
-
Domain and Path Attributes
-
instructs web browsers to only send the cookie to the specified domain and all subdomains
-
“Domain” cookie attribute
-
“Path” cookie attribute
-
instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application
-
vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com
-
Expire and Max-Age Attributes
-
“Max-Age”
-
“Expires” attributes
-
it will be considered a
-
persistent cookie
-
and will be stored on disk by the web browser based until the expiration time
-
use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.
-
Session ID Life Cycle
8More
Chapter 15. Data Management - 0 views
-
Data Management
-
Tide provides an integration between the Flex/LCDS concept of managed entities and the server persistence context (JPA or Hibernate)
-
Tide maintains a client-side cache of entity instances and ensures that every instance is unique in the Flex client context
- ...5 more annotations...
-
highly recommended to use JPA optimistic locking in a multi-tier environment (@Version annotation)
-
Tip The easiest and recommended way for getting Tide enabled managed entities is to generate them from Java classes with Gas3 or the GDS Eclipse builder using the tide="true" option.
-
In a typical Flex/app server/database application, an entity lives in three layers: the Flex client the Hibernate/JPA persistence context the database
-
only invariant is the id.
-
id reliably links the different existing versions of the entity in the three layers
10More
shared by kuni katsuya on 31 Aug 12
- No Cached
JAAS Reference Guide - 0 views
docs.oracle.com/...JAASRefGuide.html
JavaAuthenticationAndAuthorizationService JAAS java security authentication authorization reference guide documentation
shared by kuni katsuya on 31 Aug 12
- No Cached
-
JavaTM Authentication and Authorization Service (JAAS) Reference Guide
-
Common Classes Subject Principals Credentials
-
Authentication Classes and Interfaces
- ...7 more annotations...
-
Authorization Classes Policy AuthPermission PrivateCredentialPermission
-
Subject
-
Principals
-
Credentials
-
Authorization Classes
-
Policy
-
AuthPermission
70More
Chapter 2. Mapping Entities - 0 views
-
Composite identifier
-
You can define a composite primary key through several syntaxes:
-
@EmbeddedId
- ...66 more annotations...
-
map multiple properties as @Id properties
-
annotated the property as
-
map multiple properties as @Id properties and declare an external class to be the identifier type
-
declared on the entity via the @IdClass annotation
-
The identifier type must contain the same properties as the identifier properties of the entity: each property name must be the same, its type must be the same as well if the entity property is of a
-
basic type
-
last case is far from obvious
-
recommend you not to use it (for simplicity sake)
-
@EmbeddedId property
-
@EmbeddedId
-
@Embeddable
-
@EmbeddedId
-
@Embeddable
-
@Embeddable
-
@EmbeddedId
-
Multiple @Id properties
-
arguably more natural, approach
-
place @Id on multiple properties of my entity
-
only supported by Hibernate
-
does not require an extra embeddable component.
-
@IdClass
-
@IdClass on an entity points to the class (component) representing the identifier of the class
-
WarningThis approach is inherited from the EJB 2 days and we recommend against its use. But, after all it's your application and Hibernate supports it.
-
Mapping entity associations/relationships
-
One-to-one
-
three cases for one-to-one associations:
-
associated entities share the same primary keys values
-
foreign key is held by one of the entities (note that this FK column in the database should be constrained unique to simulate one-to-one multiplicity)
-
association table is used to store the link between the 2 entities (a unique constraint has to be defined on each fk to ensure the one to one multiplicity)
-
@PrimaryKeyJoinColumn
-
shared primary keys:
-
explicit foreign key column:
-
@JoinColumn(name="passport_fk")
-
foreign key column named passport_fk in the Customer table
-
may be bidirectional
-
owner is responsible for the association column(s) update
-
In a bidirectional relationship, one of the sides (and only one) has to be the owner
-
To declare a side as
-
not responsible for the relationship
-
the attribute
-
mappedBy
-
is used
-
mappedBy
-
Indexed collections (List, Map)
-
Lists can be mapped in two different ways:
-
as ordered lists
-
as indexed lists
-
@OrderBy("number")
-
List<Order>
-
List<Order>
-
List<Order>
-
To use one of the target entity property as a key of the map, use
-
@MapKey(name="myProperty")
-
@MapKey(name"number")
-
Map<String,Order>
-
String number
-
-
@MapKeyJoinColumn/@MapKeyJoinColumns
-
if the map key type is another entity
-
@ManyToAny
-
2.4.5.2. @Any
-
@Any annotation defines a polymorphic association to classes from multiple tables
-
this is most certainly not meant as the usual way of mapping (polymorphic) associations.
-
@ManyToAny allows polymorphic associations to classes from multiple tables
-
first column holds the type of the associated entity
-
remaining columns hold the identifier
-
not meant as the usual way of mapping (polymorphic) associations
18More
Seam - Contextual Components - 0 views
-
15.6. Authorization
-
Seam Security is built around the premise of users being granted roles and/or permissions, allowing them to perform operations that may not otherwise be permissible for users without the necessary security privileges
-
15.6.1. Core concepts
- ...15 more annotations...
-
15.6.1.1. What is a role? A role is a group, or type, of user that may have been granted certain privileges for performing one or more specific actions within an application
-
used to create logical groups of users for the convenient assignment of specific application privileges
-
15.6.1.2. What is a permission? A permission is a privilege (sometimes once-off) for performing a single, specific action. It is entirely possible to build an application using nothing but permissions, however roles offer a higher level of convenience when granting privileges to groups of users
-
consisting of three "aspects";
-
a target
-
an action
-
a recipient
-
An empty @Restrict implies a permission check of componentName:methodName
-
implied permission required to call the delete() method is account:delete
-
equivalent of this would be to write @Restrict("#{s:hasPermission('account','delete')}")
-
@Restrict annotation may reference any objects that exist within a Seam context. This is extremely useful when performing permission checks for a specific object instance.
-
selectedAccount
-
selectedAccount
-
Identity.instance().checkRestriction
-
If the expression specified doesn't evaluate to true, either if the user is not logged in, a NotLoggedInException exception is thrown or if the user is logged in, an AuthorizationException exception is thrown.
6More
Advanced Searching - JIRA 5.1 - Atlassian Documentation - Confluence - 0 views
-
It is safer to search by Custom Field ID than by Custom Field nameIt is possible for a Custom Field to have the same name as a built-in JIRA system field, in which case JIRA will search on the system field (not your custom field). It is also possible for your JIRA administrator to change the name of a Custom Field, which could break any saved filters which rely on that name. Custom Field IDs, however, are unique and cannot be changed.
-
Custom Field
-
It is safer to search by filter ID than by filter nameIt is possible for a filter name to be changed, which could break a saved filter that invokes another filter by name. Filter IDs, however, are unique and cannot be changed.
- ...3 more annotations...
-
Alias: ?cf[CustomFieldID]
-
An Advanced Searching statement in your typed query will override an ORDER BY statement in the saved filter.
-
Original Estimate
30More
Authentication Cheat Sheet - OWASP - 0 views
-
Authentication Cheat Sheet
-
Sessions should be
-
unique per user
- ...26 more annotations...
-
computationally very difficult to predict
-
"strong" password policy
-
Secure Password Recovery Mechanism
-
Require re-authentication for Sensitive Features
-
Authentication and Error Messages
-
can be used for the purposes of user ID and password enumeration
-
Incorrectly implemented error messages
-
generic manner
-
respond with a generic error message regardless if the user ID or password was incorrect
-
give no indication to the status of an existing account
-
Authentication responses
-
Invalid user ID or password"
-
does not indicate if the user ID or password is the incorrect parameter
-
Transmit Passwords Only Over TLS
-
login page
-
all subsequent authenticated pages
-
must be exclusively accessed over TLS
-
unencrypted session ID
-
credentials
-
Implement Account Lockout
-
lock out an account if more than a preset number of unsuccessful login attempts are made
-
can produce a result that locks out entire blocks of application users accounts
-
somewhat of a denial-of-service attack, since legitimate users can no longer access their accounts/services
-
-
sensible strategy
-
is to lockout accounts for a number of hours
-
Password lockout mechanisms have a logical weakness
-
Session Management General Guidelines
2More
How to search issues from specific Sprint - Atlassian Answers - 0 views
-
to find issues from a specific sprint, you have to add one of the following to your JQL query: 1sprint = ID 1sprint in (1,3,4)
-
have to know the ID (not name) of your sprint.
1More
jmeter-amfsampler - A JMeter sampler for testing Flex/BlazeDS applications using Adobe'... - 0 views
-
jmeter-amfsampler A JMeter sampler for testing Flex/BlazeDS applications using Adobe's AMF protocol over Http.
1More
wrenched - externalization and lazy-loading framework for flex/java projects - Google P... - 0 views
-
wrenched externalization and lazy-loading framework for flex/java projects
13More
Chapter 6. Messaging (Gravity) - 0 views
-
Granite Data Services provides a messaging feature, code name Gravity, implemented as a Comet-like service with AMF3 data polling over HTTP (producer/consumer based architecture)
-
GraniteDS messaging relies on two main AS3 components on the Flex side: org.granite.gravity.Consumer and org.granite.gravity.Producer
-
6.3. Common Configuration There are three main steps to configure Gravity in an application: Declare the Gravity servlet implementation for your target server in web.xml Declare a messaging service and destination in services-config.xml, mapped to a specific channel definition of type GravityChannel
- ...10 more annotations...
-
org.granite.gravity.tomcat.GravityTomcatServlet
-
/gravityamf/*
-
6.3.1. Supported Application Servers
-
GraniteDS provides a generic servlet implementation that can work in any compliant servlet container
-
blocking IO and thus will provide relatively limited scalability
-
GraniteDS thus provides implementations of non blocking messaging for the most popular application servers.
-
asynchronous non blocking servlets
-
JBoss 5+org.granite.gravity.jbossweb.GravityJBossWebServletOnly with APR/NIO enabled (APR highly recommended)
-
GlassFish 3.xorg.granite.gravity.async.GravityAsyncServletUsing Servlet 3.0
-
Tomcat 7.x / Jetty 8.xorg.granite.gravity.async.GravityAsyncServletUsing Servlet 3.0
3More
AMFParser - 0 views
-
AMFParser
-
AMFParser plugin for Fiddler2 web debugger
-
parsing and displaying AMF data inside HTTP's POST requests and responses
74More
Chapter 15. Data Management - 1 views
-
abstractEntity.uid();
-
-
UUID.randomUUID().toString();
-
AbstractEntity
- ...70 more annotations...
-
@MappedSuperclass
-
Important things on ID/UID
-
entity lives in three layers:
-
Flex client
-
JPA persistence context
-
database
-
When updating existing entities coming from the database
-
id is defined and is maintained in the three layers during the different serialization/persistence operations
-
when a new entity is being created in any of the two upper layers (Flex/JPA)
-
new entity has no id until it has been persisted to the database
-
most common solution is to
-
have a second persisted id, the uid
-
which is created by the client and persisted along with the entity
-
recommended approach to avoid any kind of subtle problems is to have a real uid property which will be persisted in the database but is not a primary key for efficiency concerns
-
You can now ask Tide to
-
limit the object graph before sending it
-
Flex with the following API :
-
EntityGraphUnintializer
-
uninitializeEntityGraph
-
Person object will be uninitialized
-
uperson contains
-
only the minimum of data
-
to correctly merge your changes in the server persistence context
-
Tide uses the
-
client data tracking
-
to determine which parts of the graph need to be sent
-
Calling the EntityGraphUninitializer manually is a bit tedious and ugly, so there is a cleaner possibility when you are using generated typesafe service proxies
-
annotate your service method arguments with @org.granite.tide.data.Lazy :
-
@Lazy
-
take care that you have added the [Lazy] annotation to your Flex metadata compilation configuration
-
in the Flex application, register the UninitializeArgumentPreprocessor component in Tide as follows :
-
[UninitializeArgumentPreprocessor]
-
all calls to PersonService.save() will
-
automatically use a properly uninitialized version
-
of the person argument.
-
15.4. Dirty Checking and Conflict Handling
-
simplify the handling of data between Flex and Java EE
-
Chapter 15. Data Management
-
Tide maintains a client-side cache of entity instances and ensures that every instance is unique in the Flex client context
-
uid().hashCode();
-
Tide currently only supports Integer or Long version fields, not timestamps and that the field must be nullable
-
in a multi-tier environment (@Version annotation)
-
highly recommended to use
-
JPA optimistic locking
-
highly recommended to add a
-
persistent uid field
-
AbstractEntity
-
in general this identifier will be
-
initialized from Flex
-
@Column(name="ENTITY_UID", unique=true, nullable=false, updatable=false, length=36) private String uid;
-
@Version private Integer version;
-
uid().equals(((AbstractEntity)o).uid())
-
consistent identifier through all application layers
-
@PrePersist
-
15.3. Reverse Lazy Loading
-
15.4. Dirty Checking and Conflict Handling
-
15.4. Dirty Checking and Conflict Handling
-
15.4. Dirty Checking and Conflict Handling
-
Dirty Checking and Conflict Handling
-
entity instance can be in two states :
-
Stable
-
Dirty
-
property meta_dirty is
-
bindable
-
could be used
-
to enable/disable a Save button
-
correct way of knowing if any object has been changed in the context, is to use the property meta_dirty of the Tide context
-
tideContext.meta_dirty
-
reliable when using optimistic locking
-
check that its @Version field has been incremented
1More
shared by kuni katsuya on 15 Mar 13
- No Cached
ddd-cqrs-base-project - DDD-CQRS Base Project Using Spring and Hibernate (Manage Comple... - 0 views
code.google.com/...ddd-cqrs-base-project
DDD CQRS DomainDrivenDesign CommandQueryResponsibilitySegregation
shared by kuni katsuya on 15 Mar 13
- No Cached
-
ddd-cqrs-base-project DDD-CQRS Base Project Using Spring and Hibernate (Manage Complexity Simply)
1More
dphibernate - Flex / BlazeDS Hibernate Adapter, with full lazy loading support - Google... - 0 views
-
dphibernate Flex / BlazeDS Hibernate Adapter, with full lazy loading support
1More
entity-pruner - prune JPA entities so they can be serialized for client service calls -... - 1 views
-
entity-pruner prune JPA entities so they can be serialized for client service calls
25More
Entity-attribute-value model - Wikipedia, the free encyclopedia - 0 views
-
Entity–attribute–value model
-
Entity–attribute–value model (EAV) is a data model to describe entities where the number of attributes (properties, parameters) that can be used to describe them is potentially vast, but the number that will actually apply to a given entity is relatively modest
-
also known as object–attribute–value model, vertical database model and open schema
- ...21 more annotations...
-
In an EAV data model, each attribute-value pair is a fact describing an entity, and a row in an EAV table stores a single fact
-
EAV tables are often described as "long and skinny": "long" refers to the number of rows, "skinny" to the few columns
-
Data is recorded as three columns: The entity: the item being described. The attribute or parameter: a foreign key into a table of attribute definitions. At the very least, the attribute definitions table would contain the following columns: an attribute ID, attribute name, description, data type, and columns assisting input validation
-
The value of the attribute
-
Row modeling, where facts about something (in this case, a sales transaction) are recorded as multiple rows rather than multiple columns
-
differences between row modeling and EAV (which may be considered a generalization of row-modeling) are:
-
A row-modeled table is homogeneous in the facts that it describes
-
The data type of the value column/s in a row-modeled table is pre-determined by the nature of the facts it records. By contrast, in an EAV table, the conceptual data type of a value in a particular row depend on the attribute in that row
-
In the EAV table itself, this is just an attribute ID, a foreign key into an Attribute Definitions table
-
The Attribute
-
The Value
-
Coercing all values into strings
-
larger systems use separate EAV tables for each data type (including binary large objects, "BLOBS"), with the metadata for a given attribute identifying the EAV table in which its data will be stored
-
Where an EAV system is implemented through RDF, the RDF Schema language may conveniently be used to express such metadata
-
access to metadata must be restricted, and an audit trail of accesses and changes put into place to deal with situations where multiple individuals have metadata access
-
quality of the annotation and documentation within the metadata (i.e., the narrative/explanatory text in the descriptive columns of the metadata sub-schema) must be much higher, in order to facilitate understanding by various members of the development team.
-
Attribute metadata
-
Validation metadata include data type, range of permissible values or membership in a set of values, regular expression match, default value, and whether the value is permitted to be null
-
-
Presentation metadata: how the attribute is to be displayed to the user
-
Grouping metadata: Attributes are typically presented as part of a higher-order group, e.g., a specialty-specific form. Grouping metadata includes information such as the order in which attributes are presented
-
Advanced validation metadata Dependency metadata:
2More
[#SHIRO-337] adding support for CDI - ASF JIRA - 0 views
-
Shiro SHIRO-337 adding support for CDI
-
9More
Java Persistence/Auditing and Security - Wikibooks, open books for an open world - 0 views
-
Use a common database user id, and manage auditing and security in the application
-
managed in the application by having an application user, and a single shared database user
-
adding a AUDIT_USER and AUDIT_TIMESTAMP column to all of the audited tables and auditUser and auditTimestamp field to all of the audited objects
- ...5 more annotations...
-
When the application inserts or updates an object, it will set these fields and they will be stored in the database. JPA events could also be used to record the audit information, or to write to a separate audit table.
-
Example AuditedObject class
-
@MappedSuperclass public Class AuditedObject {
-
@Column("AUDIT_USER"); protected String auditUser; @Column("AUDIT_TIMESTAMP"); protected Calendar auditTimestamp;
-
@PrePersist @PreUpdate public void updateAuditInfo() { setAuditUser((String)AuditedObject.currentUser.get()); setAuditTimestamp(Calendar.getInstance()); }
-
Use a common database user id, and manage auditing and security in the application