Articles Tagged ‘security’
Sunday, November 26th, 2017
Communicating with identity and access management systems is a common task for many web-applications exposing secured resources.
Keycloak is an open source software that provides not only such authorization services but also offers many features, from Single-Sign-On, Identity-Brokering, Social-Login, User-Federation and multiple client adapters up to an administration console and support for protocols like OpenID, SAML, OAuth2, Kerberos and more.
I will demonstrate how to integrate a Spring Boot web application with Keycloak and configure an authentication flow that requires two-factor authentication with user credentials and one-time passwords.
Tags: docker, freeotp, identity, kerberos, keycloak, maven, oauth, oauth2, openid, otp, principal, qr, realm, redhat, saml, security, spring, spring-boot, sso, thymeleaf
Posted in Java | No Comments »
Tuesday, October 3rd, 2017
On the one hand, adding dependencies to a project is easy; on the other hand, securing a project and checking for vulnerable dependencies is way harder.
The OWASP dependency check plugin for Maven allows us to scan our project’s dependencies for known vulnerabilities.
I will demonstrate its usage in the following short example.
Tags: check, cvss, defect, maven, nist, nvd, owasp, security, vulnerability
Posted in Java | 4 Comments »
Sunday, March 13th, 2016
OAuth2 is a frequently used standard for authorization, and with Spring Boot it is easy to set up an authorization server and a resource server in no time.
In the following short tutorial I’d like to demonstrate how to set up an OAuth2 authorization server as well as a connected and secured resource server within a few minutes using Java, Maven and Spring Boot.
Tags: authentication, boot, identity, oauth, oauth2, postman, protocol, security, Snippet, spring, standard
Posted in Java | 32 Comments »
Sunday, July 12th, 2015
These days, when a cheap GPU for about 100 € is capable of computing 3 billion MD5 hashes per second, we not only need to use salts the right way but also need to choose a strong, non-reversible and slow hashing scheme when storing passwords in our application.
Heimdall is a library that implements a secure and upgradable password hashing mechanism; at the time of writing this article it uses PBKDF2 with HMAC-SHA-1, 20000 iterations and a 192 bit (24 byte) salt by default.
In the following short examples I’d like to demonstrate how to create password hashes, how to verify passwords and how to check if a password hash needs to be recreated using a more secure algorithm.
Tags: encryption, gradle, hashes, hashing, heimdall, owasp, password, pbkdf2, salt, security
Posted in Java | No Comments »
Sunday, December 21st, 2014
Especially when it comes to testing, setting up a decent environment for a secured Java EE web application isn’t always easy.
In the following tutorial I’d like to demonstrate how to create a secured web application using form-based authentication and a JDBC realm to fetch users and roles and how to run the application in an embedded container for testing and development.
Additionally, I’d like to show how to write and run integration tests to verify the security setup using Maven, Embedded GlassFish, Arquillian, JUnit and rest-assured.
Tags: arquillian, authentication, eclipselink, glassfish, h2, it, javaee, jdbc, jdbcrealm, junit, maven, rest, rest-assured, security, testing
Posted in Enterprise, Java | 1 Comment »