Once upon a time, I published an article explaining the principles of building stateless sessions. Coincidentally, we are working on the same task again, but this time for a multi-tenant application. This time, instead of building the authentication mechanism ourselves, we integrate our solution into the Spring Security framework.
This article will explain our approach and implementation.
on Sep 7, 2014
Is it more secure to allow the browser to save a website password or prohibit the browser from saving the password?
Benefits of allowing the browser to save the password:
Spoofed websites are more easily detected because the username and password don't show up (this may be a moot point if the username is saved but not the password).
Keyloggers won't pick up the password if you don't type it. (Thanks...
on Jul 15, 2013
HTML5 brings new opportunities – for developers and for attackers.
Here you will see two examples of how an attacker could abuse HTML5 and how you as a developer could prevent this (or not).
These are only two of many new or improved attacks on web clients. I chose them for two reasons: the first is a new attack, first described in December 2011 and not widely known to developers. The second...
on Jun 4, 2013
Servlet 3.1 Specification (JSR 340) and Java Authorization Contract for Containers (JSR 115) MR3 are almost ready for release. Besides "*", the role-name "**" is introduced in the above two specifications.
In a nutshell, "*" means any role defined in web.xml and "**" means any authenticated user.
Prior to Servlet 3.1, web containers use proprietary mechanisms to add security-constraints for any...
on Apr 19, 2013
Servlet 3.1 Specification (JSR 340) is almost ready for release. Several new security features have been added in this version of the Servlet specification.
In this blog, I will explain one of the security features, namely deny-uncovered-http-methods.
Let us take a look at a simple security-constraint in web.xml as follows:
<web-app xmlns="http://www.w3.org/2001/XMLSchema" ...
on Apr 19, 2013
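The two Servlet 3.1 posts above (the "**" role-name and deny-uncovered-http-methods) can be illustrated in a single deployment descriptor. The following web.xml is an added example, not code from either post; the paths /admin/*, /app/* and /reports/* and the role "manager" are assumptions made for the illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original posts). Assumed application layout:
     /admin/* for managers, /app/* for any logged-in user, /reports/* for any declared role. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Servlet 3.1: for every URL pattern that appears in some security-constraint,
       HTTP methods not named in any constraint for that pattern are denied with 403
       instead of being left unprotected. -->
  <deny-uncovered-http-methods/>

  <!-- Only GET and POST on /admin/* are constrained to the "manager" role. Without the
       element above, PUT, DELETE, TRACE, OPTIONS, HEAD on /admin/* would be "uncovered"
       and therefore open to anonymous callers. With it, they are refused for everyone,
       managers included; list them here (or drop the http-method list) if they are needed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- "**" (new in Servlet 3.1 and JSR 115 MR3): any authenticated user, whether or not
       the user is in a role declared below. No http-method element means every method is
       covered, so nothing here is left uncovered. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- "*" (pre-3.1 behaviour): any role declared with <security-role> in this web.xml.
       A caller who is authenticated but in none of the declared roles is refused. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>

  <!-- Declared roles: "*" expands to exactly this set. "**" must NOT be declared here;
       if a security-role named "**" exists, it is treated as an ordinary role name. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

The check worth running after deploying such a descriptor is to send an unauthenticated request with an unlisted method (for example TRACE or DELETE) to /admin/ and confirm a 403 rather than a 200; before Servlet 3.1 that request would have been served.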
Servlet 3.1 was in Public Review in January 2013, and it is in Proposed Final Draft now. Most of the new features are related to security.
In the following, I will highlight the features added since the Servlet 3.1 Public Review:
add new API javax.servlet.http.Part#getSubmittedFileName
add new API javax.servlet.ServletContext#getVirtualServerName
This API allows a JASPIC module to be registered in a Servlet...
on Mar 18, 2013
A quick, hopefully readable analysis of this week's security exploit and fix over at my new blog
on Jan 15, 2013
Cross-site request forgery (CSRF) is a malicious attack exploiting the trust that a site places in a user's browser. As an example, a user may be tricked into invoking a URL that performs a bank transaction, either by clicking on the URL or by loading it through an <img> tag.
In GlassFish 3.1.1, there is a CSRF prevention filter, which is based on Tomcat 7.
on May 31, 2011
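Wiring such a filter into a web application, as an added example that is not part of the original post or of GlassFish itself: the filter class and init-params below are those of Tomcat 7's org.apache.catalina.filters.CsrfPreventionFilter, which the post says the GlassFish filter is based on; the GlassFish class name is not given in the excerpt, and the entry-point paths are assumptions.

```xml
<!-- Added example (not from the original post). Filter class is Tomcat 7's;
     the GlassFish 3.1.1 class name is not stated above. Paths are assumptions. -->
<filter>
  <filter-name>CsrfPreventionFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <!-- Requests to these paths are accepted without a nonce: they start the session and
       hand the browser its first nonce-bearing links. Keep this list to pages that change
       no state, otherwise they are exactly the forgeable URLs the filter exists to protect. -->
  <init-param>
    <param-name>entryPoints</param-name>
    <param-value>/index.jsp,/login</param-value>
  </init-param>
  <!-- Recent nonces remembered per session (Tomcat default 5). Users who open many tabs
       can exhaust it and see spurious denials; raise it rather than widening entryPoints. -->
  <init-param>
    <param-name>nonceCacheSize</param-name>
    <param-value>5</param-value>
  </init-param>
  <!-- Status returned when the nonce is missing or stale (default 403). -->
  <init-param>
    <param-name>denyStatus</param-name>
    <param-value>403</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CsrfPreventionFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The filter implements the synchronizer-token pattern: every non-entry-point request must carry the request parameter org.apache.catalina.filters.CSRF_NONCE with a value from the session's nonce cache. It wraps the response so that HttpServletResponse.encodeURL() and encodeRedirectURL() append a fresh nonce, which means only links and redirects that go through those methods keep working; a hand-built URL, or the `<img>` request from the attacker's page in the post above, has no valid nonce and receives denyStatus.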
Single Sign On allows web applications to share the same authentication state.
GlassFish v2 supports virtual server level Single Sign On (SSO). Web applications with the same authentication realm in a given virtual server can share the authentication state in GlassFish v2.
GlassFish 3.1 supports SSO failover at cluster level. So one has high availability for Single Sign On in a virtual server of...
on Mar 1, 2011
In two previous entries I covered Introducing NIO.2 (JSR 203) Part 1: What are new features? and Introducing NIO.2 (JSR 203) Part 2: The Basics. In this entry I will discuss the attributes introduced in NIO.2. Using attributes we can read platform-specific attributes of an element in the file system, for example to hide a file in a DOS file system or to check the last access date of a file in...
on Jun 23, 2010
The OpenESB project was initiated by Sun Microsystems to develop and deliver a high-performance, feature-rich implementation of Java Business Integration (JBI) under an open-source-friendly license. The basic task of JBI implementations is connecting different types of resources and applications together in a standard and non-intrusive way. The basic building blocks of an ESB include the Bus, which is a...
on May 24, 2010
In this post we will be looking at code for a system designed to integrate all of the devices used to provide surveillance and security to extensive physical premises such as malls, campuses, and industrial parks. The approach I am taking involves the actor paradigm and the Java programming language. The selection of actors for this type of application is based on a number of...
on Nov 30, 2013
This post introduces a new Java actor based open source sub-project of the project "Learning Actors in Java". This work will develop a premises guardian system. A premises guardian system is a distributed application whose purpose is to support the physical protection of premises such as office buildings, campuses, apartment complexes, shopping malls, etc. Protecting information...
on Nov 20, 2013
A few years ago, we met with our business analysts to discuss security for our application. Our goal was to implement our own authentication mechanism for the web-based or user-interface portion of the application. We defined authentication security as "access rights to resources of the application". After some initial discussion, one of our business analysts suggested we look for an
on Aug 14, 2012
In JUG-AFRICA we started an open source project to manage the BIG ANNUAL EVENTS for our JUGs. The first release will be available early in the second half of January.
The application will provide all the services below via REST web services:
- Appointment Manager
- Conference Manager
- Paper reviews and approval Manager
- Profile Manager
- Registration Manager
on Jan 2, 2011
There is one talk I would like to comment on today: "Don't Be Pwned: A Very Short Course on Secure Programming in Java".
This talk, presented by Robert Seacord and Dean Sutherland from SEI/CERT, was the scariest Java talk I have ever been to.
Do you believe the software you write is secure enough? Believe it or not, I suggest you take some time...
on Oct 4, 2011
My name is Haim Michael, I am the General Manager of Zindell Technologies and I am an eternal student and a lecturer. I chose to develop the abelski web site for the benefit of all people worldwide. I started developing it in November 2007 and I continuously update its courses and add new ones. All courses on this web site are available for free personal and academic usage.
on Oct 4, 2010
I decided to write down the answers to some questions that my book's readers email me or ask me via Twitter, in my weblog, so everyone can benefit from the answers. Here is the answer to the first question, which involves custom security realms.
GlassFish supports 5 types of security realms out of the box, which are as follows:
File Realm: Useful for development and testing purposes. GlassFish...
on May 18, 2010
The Java EE Security refcard is available for download. This refcard covers Java EE 6 security and discusses how each application server supports the specs. The refcard covers authentication, authorization, and transport security in web applications, EJB applications and web services by introducing the concepts and the related annotations and deployment descriptors which help us realize them....
on May 17, 2010
Please use the following articles while I am updating this entry
How to have your Own CA and configure Glassfish and your clients for mutual authentication?
How to have your Own CA and configure Glassfish and your clients for mutual authentication?, Part II
Please post any comment or question here so we can have one main reference for this.
on May 13, 2010