The Book in Detail:
Security was, is, and will be one of the most important aspects of Enterprise Applications and one of the most challenging areas for architects, developers, and administrators. It is mandatory for Java EE application developers to secure their enterprise applications using Glassfish security features.
Learn to secure Java EE artifacts (like Servlets and EJB methods),...
on May 13, 2010
Manage, Administrate and Monitor GlassFish v3 using Application Server Management Extensions (AMX) & The Java Management Extensions (JMX)
Management is one of the most crucial parts of an application server's set of functionalities. Development of the application which we deploy into the server happens once, with minor development iterations during the software lifecycle, but the management is...
on Apr 6, 2010
During implementation of NTLM authentication into our application, I wanted to achieve failover to the standard login page (HTML form) if NTLM authentication fails.
on Mar 25, 2010
The GlassFish Certificate Realm in the V2.X and V3.0 releases is somewhat limiting. Many users expressed the need to be able to do some custom authentication based on the client certificate (or extensions within it) in a Mutual-SSL scenario, and subsequently do custom group assignments which ultimately affect the authorization results. With V2.X/V3.0 the only two things that were possible are...
on Mar 25, 2010
Embedded GlassFish v3 is a delivery vehicle of GFv3 so that applications and tools can use GFv3 just as a library, inside their JVM. More details on this can be found on the separate project page that has been created for Embedded GlassFish.
One would thus expect that even secure applications which use security annotations on an EJB or security-constraints in a web...
on Mar 25, 2010
I've migrated code from spring-security 2.0.5 to be able to use NTLM on spring-security 3.0.2. NTLM isn't officially supported anymore by SpringSource, but after some refactoring I was able to use NTLM without problems.
on Mar 21, 2010
The Spring framework is one of the biggest and most comprehensive frameworks the Java community can utilize to cover most of the end-to-end requirements of a software system when it comes to implementation.
Spring Security and Spring Remoting are two important parts of the framework which cover security in a descriptive way and let us have remote invocation of Spring bean methods using a local...
on Mar 18, 2010
Here are steps showing you how to prepare and install an SSL certificate purchased from GoDaddy into a GlassFish v3 server. To learn more about GoDaddy certificates and the steps to buy a certificate you need to take a look at http://www.godaddy.com/ssl/ssl-certificates.aspx?app_hdr=. After you understand what GoDaddy offers and whether it suits your requirements, you can use the following steps to get and...
on Mar 1, 2010
I received an email from core Mojarra team member Jim Driscoll, who was inexplicably laid off from Sun after its recent acquisition by Oracle, about a talk at next week's BlackHat Conference in Arlington, VA, U.S.A. Jim pointed out that two security luminaries from the elite SpiderLabs team from Trustwave are giving a talk at BlackHat about view state security, specifically focusing on...
on Jan 31, 2010
After configuring Hudson to run in GlassFish with the security manager enabled, I started to have problems in other applications, especially web applications using reflection to access private fields in Java classes. Over the web I noticed a lot of people struggling with the same issue (Seam, GWT, Vaadin, etc.). The problem is caused because most of the modern frameworks try to access Java...
on Jan 2, 2010
Due to recent problems on java.net blogging platform you can find the article here:
on Dec 19, 2009
This and the next series of blog entries will highlight the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP).
You can use OWASP's WebGoat to learn more about the OWASP Top Ten security vulnerabilities. WebGoat is an example web application, which has lessons showing "what not to do" code, how to exploit the code, and...
on Sep 29, 2009
The Java KeyStore API supports multiple keystore formats, which include JKS (the default Java KeyStore), PKCS12, PKCS11, etc. By default, when GlassFish V3 is installed the default keystore type is JKS and the server keystore (keystore.jks) is located in the domain config directory. With the latest GlassFish V3 builds it should be possible to define a different keystore type such as PKCS11 or...
on Aug 26, 2009
I'm happy to announce that the final release of Apache Java XML Security 1.4.2 is now available. See the web site http://santuario.apache.org for more details on the release or download it from http://xml.apache.org/security/dist/java-library/
The main highlights of this release are:
22 bugs and RFEs have been fixed
A new implementation of C14N 1.1 is supported.
A potentially serious XML...
on Jun 24, 2008
Allegedly invented by accident, the humble Post-it Note has likely been responsible for more potential breaches in computer security than any single virus, rootkit or keylogger. This handy little aide-mémoire is home to 'to do' lists, phone numbers, doodles, and (inevitably) passwords.
Most people wouldn't tape their front door key to their front door, yet they'll happily stick their...
on May 30, 2008
JSR 105 (XML Digital Signature API) is included with JDK 6, but is also available separately, for example as part of the Apache XML Security Project. This allows you to use the JSR with earlier JDK/JREs such as JDK 1.4 or JDK 5.
If you do this, however, be aware that the JSR 105 service provider implementation is not included by default with JDK 1.4 or JDK 1.5, so you may get some exceptions...
on Feb 27, 2008
In a previous blog entry, I wrote about how to enable logging to get debugging output when using the Java XML DSig API to validate an XML Signature. There are also various methods in the API that you can invoke to get similar information. Here are a couple of those which are probably most useful:
This method will return an InputStream containing the canonicalized...
on Aug 3, 2007
Extending GlassFish CLI and Administration Console, Developing the sample Modules
Administrators are always looking for a more effective, easier-to-use, and less time-consuming tool to use as the interface sitting between them and what they are supposed to administrate and manage. GlassFish provides effective, easy-to-access and simple-to-navigate administration channels which cover all...
on Mar 29, 2010
There are several ways to enable user authentication for web-based applications, like .htaccess files, plain text files, databases, LDAP, etc. They all have their pros and cons. In case a central, flexible solution is needed, either a database or an LDAP solution can be used.
I chose an LDAP solution since it can be reused by many web and application servers and the applications that run on...
on Mar 15, 2010
TOTD #97 showed how to install the GlassFish Tools Bundle for Eclipse 1.1. Basically there are two options: either install Eclipse 3.4.2 with WTP, pre-bundled/configured with GlassFish v2/v3, the MySQL JDBC driver and other features; or, if you are using Eclipse 3.5, install the plug-in separately and get most of the functionality.
TOTD #98 showed how to create a simple Metro/JAX-WS...
on Aug 31, 2009