SlideShare uma empresa Scribd logo

Java Web Application Security - Utah JUG 2011

Matt Raible
Matt Raible

During this presentation, I demonstrate how to implement authentication in your Java web applications using Spring Security, Apache Shiro and good ol' Java EE Container Managed Authentication. You'll also learn how to secure your REST API with OAuth and lock it down with SSL. After learning how to develop authentication, I'll introduce you to OWASP, the OWASP Top 10, its Testing Guide and its Code Review Guide. Much of this talk is contained in demos and I plan on uploading those as screencasts throughout May and June. I'll also be delivering this talk at ÜberConf in July 2011.

TecnologiaEducação
1 de 33
Baixar para ler offline
Java Web Application Security Develop. Penetrate. Protect. Relax. Matt Raible http://raibledesigns.com @mraible Images by Stuck in Customs - http://www.flickr.com/photos/stuckincustoms © 2011 Raible Designs
Introductions Your experience with web development? Your experience with implementing security? Have you used Java EE 6, Spring Security or Apache Shiro? What do you want to get from this talk? © 2011 Raible Designs
Blogger on Father, Skier, raibledesigns.com Cyclist Founder of AppFuse Web Framework Connoisseur Who is Matt Raible? © 2011 Raible Designs
Session Agenda Security Development Java EE 6, Spring Security, Apache Shiro SSL and Testing Verifying Security OWASP Top 10 Commercial Tools and Services Q and A Develop Penetrate Protect Relax © 2011 Raible Designs
Why am I here? Purpose To learn more about Java webapp security and transform myself into a security expert. Goals Show how to implement Java webapp security. Show how to penetrate a Java webapp. Show how to fix vulnerabilities. © 2011 Raible Designs
Develop © 2011 Raible Designs
Dynamic Language Support? If it deploys on Tomcat, it has a web.xml. Grails JRuby on Rails Lift Play! Framework © 2011 Raible Designs
Java EE 6 Security constraints defined in web.xml web resource collection - URLs and methods authorization constraints - role names user data constraint - HTTP or HTTPS User Realm defined by App Server Declarative or Programmatic Authentication Annotations Support © 2011 Raible Designs
Java EE 6 Demo http://www.youtube.com/watch?v=8bXBGU7uo4o © 2011 Raible Designs
Servlet 3.0 HttpServletRequest authenticate(response) login(user, pass) logout() getRemoteUser() isUserInRole(name) © 2011 Raible Designs
Servlet 3.0 and JSR 250 Annotations @ServletSecurity @HttpMethodConstraint @HttpConstraint @RolesAllowed @PermitAll @DenyAll © 2011 Raible Designs
Java EE Security Limitations No error messages for failed logins No Remember Me Container has to be configured Doesn’t support regular expressions for URLs © 2011 Raible Designs
Spring Security Filter defined in web.xml Separate security context file loaded by Spring Defines URLs, Roles and Authentication Providers Defines UserService (provided or custom) Password Encoding Remember Me © 2011 Raible Designs
Spring Security Demo http://www.youtube.com/watch?v=poc5dyImbig © 2011 Raible Designs
Securing Methods <global-method-security secured-annotations="enabled"/> @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account readAccount(Long id); @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account[] findAccounts(); @Secured("ROLE_TELLER") public Account post(Account account, double amount); <global-method-security jsr250-annotations="enabled"/> © 2011 Raible Designs
Securing Methods 3.0 <global-method-security pre-post-annotations="enabled"/> @PreAuthorize("isAnonymous()") public Account readAccount(Long id); @PreAuthorize("isAnonymous()") public Account[] findAccounts(); @PreAuthorize("hasAuthority('ROLE_TELLER')") public Account post(Account account, double amount); © 2011 Raible Designs
Spring Security Limitations Authentication mechanism in WAR Securing methods only works on Spring beans My remember me example doesn’t work © 2011 Raible Designs
Apache Shiro Filter defined in web.xml shiro.ini loaded from classpath [main], [urls], [roles] Cryptography Session Management © 2011 Raible Designs
Apache Shiro Demo http://www.youtube.com/watch?v=YJByiDvOhsc © 2011 Raible Designs
Testing with SSL Cargo doesn’t support http and https at same time Jetty and Tomcat plugins work for both Pass javax.net.ssl.trustStore & javax.net.ssl.trustStorePassword to maven-failsafe-plugin as <systemPropertyVariables> © 2011 Raible Designs
Ajax Login http://raibledesigns.com/rd/entry/implementing_ajax_authentication_using_jquery © 2011 Raible Designs
Securing a REST API Use Basic or Form Authentication Use Developer Keys Use OAuth © 2011 Raible Designs
OAuth © 2011 Raible Designs
REST Security and OAuth Demo http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt http://raibledesigns.com/rd/entry/grails_oauth_and_linkedin_apis © 2011 Raible Designs
Penetrate OWASP Testing Guide and Code Review Guide OWASP Top 10 OWASP Zed Attack Proxy Burp Suite OWASP WebGoat © 2011 Raible Designs
OWASP The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open ... Application security tools, complete books, standard security controls and libraries, cutting edge research http://www.owasp.org © 2011 Raible Designs
OWASP Top 10 for 2010 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) © 2011 Raible Designs
OWASP Top 10 for 2010 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10.Unvalidated Redirects and Forwards © 2011 Raible Designs
Protect Firewalls IDS and IDPs Audits Penetration Tests Code Reviews with Static Analysis Tools © 2011 Raible Designs
Firewalls Stateless Firewalls Stateful Firewalls Invented by Nir Zuk at Check Point in the mid-90s Web App Firewalls Inspired by the 1996 PHF CGI exploit WAF Market $234m in 2010 © 2011 Raible Designs
Gartner on Firewalls © 2011 Raible Designs
Relax Web App Firewalls: Imperva, F5, Trustwave Open Source: WebNight and ModSecurity Stateful Firewalls: Palo Alto, Juniper IDP/IDS: Sourcefire, TippingPoint Audits: ENY, PWC, Grant Thornton Pen Testing: Electric Alchemy, FishNet Security, Immunity Static Analysis: Fortify, Veracode © 2011 Raible Designs
Questions? Contact Information http://raibledesigns.com @mraible My Presentations http://slideshare.net/mraible © 2011 Raible Designs

Recomendados

Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
What's New in Spring 3.1
What's New in Spring 3.1What's New in Spring 3.1
What's New in Spring 3.1Matt Raible
 
Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Matt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Java Web Application Security - UberConf 2011
Java Web Application Security - UberConf 2011Java Web Application Security - UberConf 2011
Java Web Application Security - UberConf 2011Matt Raible
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Matt Raible
 
Apache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onApache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onMatt Raible
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatCase Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatVMware Hyperic
 

Recomendados

Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
What's New in Spring 3.1
What's New in Spring 3.1What's New in Spring 3.1
What's New in Spring 3.1Matt Raible
 
Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Matt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Java Web Application Security - UberConf 2011
Java Web Application Security - UberConf 2011Java Web Application Security - UberConf 2011
Java Web Application Security - UberConf 2011Matt Raible
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Matt Raible
 
Apache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onApache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onMatt Raible
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatCase Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatVMware Hyperic
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudArun Gupta
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Matt Raible
 
Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Matt Raible
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...Matt Raible
 
Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Matt Raible
 
Front End Development for Back End Java Developers - Jfokus 2020
Front End Development for Back End Java Developers - Jfokus 2020Front End Development for Back End Java Developers - Jfokus 2020
Front End Development for Back End Java Developers - Jfokus 2020Matt Raible
 
Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013Matt Raible
 
The Modern Java Web Developer - JavaOne 2013
The Modern Java Web Developer - JavaOne 2013The Modern Java Web Developer - JavaOne 2013
The Modern Java Web Developer - JavaOne 2013Matt Raible
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
 
Spark IT 2011 - Java EE 6 Workshop
Spark IT 2011 - Java EE 6 WorkshopSpark IT 2011 - Java EE 6 Workshop
Spark IT 2011 - Java EE 6 WorkshopArun Gupta
 
Spark IT 2011 - Developing RESTful Web services with JAX-RS
Spark IT 2011 - Developing RESTful Web services with JAX-RSSpark IT 2011 - Developing RESTful Web services with JAX-RS
Spark IT 2011 - Developing RESTful Web services with JAX-RSArun Gupta
 
JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011Shreedhar Ganapathy
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015Matt Raible
 
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019Matt Raible
 
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020Matt Raible
 
Comparing JVM Web Frameworks - Rich Web Experience 2010
Comparing JVM Web Frameworks - Rich Web Experience 2010Comparing JVM Web Frameworks - Rich Web Experience 2010
Comparing JVM Web Frameworks - Rich Web Experience 2010Matt Raible
 
Choosing a Java Web Framework
Choosing a Java Web FrameworkChoosing a Java Web Framework
Choosing a Java Web FrameworkWill Iverson
 
Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021Matt Raible
 
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Matt Raible
 
Developing, Testing and Scaling with Apache Camel - UberConf 2015
Developing, Testing and Scaling with Apache Camel - UberConf 2015Developing, Testing and Scaling with Apache Camel - UberConf 2015
Developing, Testing and Scaling with Apache Camel - UberConf 2015Matt Raible
 
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012Matt Raible
 

Mais conteúdo relacionado

Mais procurados

JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudArun Gupta
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Matt Raible
 
Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Matt Raible
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...Matt Raible
 
Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Matt Raible
 
Front End Development for Back End Java Developers - Jfokus 2020
Front End Development for Back End Java Developers - Jfokus 2020Front End Development for Back End Java Developers - Jfokus 2020
Front End Development for Back End Java Developers - Jfokus 2020Matt Raible
 
Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013Matt Raible
 
The Modern Java Web Developer - JavaOne 2013
The Modern Java Web Developer - JavaOne 2013The Modern Java Web Developer - JavaOne 2013
The Modern Java Web Developer - JavaOne 2013Matt Raible
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
 
Spark IT 2011 - Java EE 6 Workshop
Spark IT 2011 - Java EE 6 WorkshopSpark IT 2011 - Java EE 6 Workshop
Spark IT 2011 - Java EE 6 WorkshopArun Gupta
 
Spark IT 2011 - Developing RESTful Web services with JAX-RS
Spark IT 2011 - Developing RESTful Web services with JAX-RSSpark IT 2011 - Developing RESTful Web services with JAX-RS
Spark IT 2011 - Developing RESTful Web services with JAX-RSArun Gupta
 
JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011Shreedhar Ganapathy
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015Matt Raible
 
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019Matt Raible
 
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020Matt Raible
 
Comparing JVM Web Frameworks - Rich Web Experience 2010
Comparing JVM Web Frameworks - Rich Web Experience 2010Comparing JVM Web Frameworks - Rich Web Experience 2010
Comparing JVM Web Frameworks - Rich Web Experience 2010Matt Raible
 
Choosing a Java Web Framework
Choosing a Java Web FrameworkChoosing a Java Web Framework
Choosing a Java Web FrameworkWill Iverson
 
Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021Matt Raible
 
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Matt Raible
 

Mais procurados (20)

JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
 
Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Rich Web Experie...
 
Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013
 
Front End Development for Back End Java Developers - Jfokus 2020
Front End Development for Back End Java Developers - Jfokus 2020Front End Development for Back End Java Developers - Jfokus 2020
Front End Development for Back End Java Developers - Jfokus 2020
 
Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013
 
The Modern Java Web Developer - JavaOne 2013
The Modern Java Web Developer - JavaOne 2013The Modern Java Web Developer - JavaOne 2013
The Modern Java Web Developer - JavaOne 2013
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
 
Spark IT 2011 - Java EE 6 Workshop
Spark IT 2011 - Java EE 6 WorkshopSpark IT 2011 - Java EE 6 Workshop
Spark IT 2011 - Java EE 6 Workshop
 
Spark IT 2011 - Developing RESTful Web services with JAX-RS
Spark IT 2011 - Developing RESTful Web services with JAX-RSSpark IT 2011 - Developing RESTful Web services with JAX-RS
Spark IT 2011 - Developing RESTful Web services with JAX-RS
 
JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
 
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
 
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
 
Comparing JVM Web Frameworks - Rich Web Experience 2010
Comparing JVM Web Frameworks - Rich Web Experience 2010Comparing JVM Web Frameworks - Rich Web Experience 2010
Comparing JVM Web Frameworks - Rich Web Experience 2010
 
Choosing a Java Web Framework
Choosing a Java Web FrameworkChoosing a Java Web Framework
Choosing a Java Web Framework
 
Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021
 
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
 

Destaque

Developing, Testing and Scaling with Apache Camel - UberConf 2015
Developing, Testing and Scaling with Apache Camel - UberConf 2015Developing, Testing and Scaling with Apache Camel - UberConf 2015
Developing, Testing and Scaling with Apache Camel - UberConf 2015Matt Raible
 
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012Matt Raible
 
The Modern Java Web Developer - Denver JUG 2013
The Modern Java Web Developer - Denver JUG 2013The Modern Java Web Developer - Denver JUG 2013
The Modern Java Web Developer - Denver JUG 2013Matt Raible
 
Comparing JVM Web Frameworks - Jfokus 2012
Comparing JVM Web Frameworks - Jfokus 2012Comparing JVM Web Frameworks - Jfokus 2012
Comparing JVM Web Frameworks - Jfokus 2012Matt Raible
 
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015Matt Raible
 
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...Matt Raible
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
GFI - Seguridad en tus APIs
GFI - Seguridad en tus APIsGFI - Seguridad en tus APIs
GFI - Seguridad en tus APIsGFI Informática
 
Supercharged java 8 : with cyclops-react
Supercharged java 8 : with cyclops-reactSupercharged java 8 : with cyclops-react
Supercharged java 8 : with cyclops-reactJohn McClean
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Les nouveaux moyens de paiement : quelles solutions demain ?
Les nouveaux moyens de paiement : quelles solutions demain ?Les nouveaux moyens de paiement : quelles solutions demain ?
Les nouveaux moyens de paiement : quelles solutions demain ?Harris Interactive France
 
Reactive programming with examples
Reactive programming with examplesReactive programming with examples
Reactive programming with examplesPeter Lawrey
 
Reactive Programming in Java 8 with Rx-Java
Reactive Programming in Java 8 with Rx-JavaReactive Programming in Java 8 with Rx-Java
Reactive Programming in Java 8 with Rx-JavaKasun Indrasiri
 
Extending the Power of Consent with User-Managed Access & OpenUMA
Extending the Power of Consent with User-Managed Access & OpenUMAExtending the Power of Consent with User-Managed Access & OpenUMA
Extending the Power of Consent with User-Managed Access & OpenUMAkantarainitiative
 
AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application Carlo Bonamico
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 

Destaque (17)

Developing, Testing and Scaling with Apache Camel - UberConf 2015
Developing, Testing and Scaling with Apache Camel - UberConf 2015Developing, Testing and Scaling with Apache Camel - UberConf 2015
Developing, Testing and Scaling with Apache Camel - UberConf 2015
 
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012
HTML5 with Play Scala, CoffeeScript and Jade - Jfokus 2012
 
The Modern Java Web Developer - Denver JUG 2013
The Modern Java Web Developer - Denver JUG 2013The Modern Java Web Developer - Denver JUG 2013
The Modern Java Web Developer - Denver JUG 2013
 
Comparing JVM Web Frameworks - Jfokus 2012
Comparing JVM Web Frameworks - Jfokus 2012Comparing JVM Web Frameworks - Jfokus 2012
Comparing JVM Web Frameworks - Jfokus 2012
 
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
 
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIRO
 
Introducing Java 7
Introducing Java 7Introducing Java 7
Introducing Java 7
 
GFI - Seguridad en tus APIs
GFI - Seguridad en tus APIsGFI - Seguridad en tus APIs
GFI - Seguridad en tus APIs
 
Supercharged java 8 : with cyclops-react
Supercharged java 8 : with cyclops-reactSupercharged java 8 : with cyclops-react
Supercharged java 8 : with cyclops-react
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Les nouveaux moyens de paiement : quelles solutions demain ?
Les nouveaux moyens de paiement : quelles solutions demain ?Les nouveaux moyens de paiement : quelles solutions demain ?
Les nouveaux moyens de paiement : quelles solutions demain ?
 
Reactive programming with examples
Reactive programming with examplesReactive programming with examples
Reactive programming with examples
 
Reactive Programming in Java 8 with Rx-Java
Reactive Programming in Java 8 with Rx-JavaReactive Programming in Java 8 with Rx-Java
Reactive Programming in Java 8 with Rx-Java
 
Extending the Power of Consent with User-Managed Access & OpenUMA
Extending the Power of Consent with User-Managed Access & OpenUMAExtending the Power of Consent with User-Managed Access & OpenUMA
Extending the Power of Consent with User-Managed Access & OpenUMA
 
AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 

Semelhante a Java Web Application Security - Utah JUG 2011

OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
Oracle WebLogic Server 12.2.1 Do More with Less
Oracle WebLogic Server 12.2.1 Do More with LessOracle WebLogic Server 12.2.1 Do More with Less
Oracle WebLogic Server 12.2.1 Do More with LessEd Burns
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Alex Kosowski
 
Modern App Development with Oracle Cloud
Modern App Development with Oracle CloudModern App Development with Oracle Cloud
Modern App Development with Oracle CloudJuan Carlos Ruiz Rico
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...OracleIDM
 
Java2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudJava2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudWerner Keil
 
Cloud native Microservices using Spring Boot
Cloud native Microservices using Spring BootCloud native Microservices using Spring Boot
Cloud native Microservices using Spring BootSufyaan Kazi
 
WebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testingWebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testingDaniel Chivescu
 
Oracle REST Data Services
Oracle REST Data ServicesOracle REST Data Services
Oracle REST Data ServicesChris Muir
 
Comparing JVM Web Frameworks - TSSJS 2011
Comparing JVM Web Frameworks - TSSJS 2011Comparing JVM Web Frameworks - TSSJS 2011
Comparing JVM Web Frameworks - TSSJS 2011Matt Raible
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationPrathan Phongthiproek
 
Apache shiro security framework
Apache shiro security frameworkApache shiro security framework
Apache shiro security frameworkAshokkumar T A
 
Open Architecture in the Adobe Marketing Cloud - Summit 2014
Open Architecture in the Adobe Marketing Cloud - Summit 2014Open Architecture in the Adobe Marketing Cloud - Summit 2014
Open Architecture in the Adobe Marketing Cloud - Summit 2014Paolo Mottadelli
 
Polyglot! A Lightweight Cloud Platform for Java SE, Node, and More
Polyglot! A Lightweight Cloud Platform for Java SE, Node, and MorePolyglot! A Lightweight Cloud Platform for Java SE, Node, and More
Polyglot! A Lightweight Cloud Platform for Java SE, Node, and MoreShaun Smith
 
Integrating with Adobe Marketing Cloud - Summit 2014
Integrating with Adobe Marketing Cloud - Summit 2014Integrating with Adobe Marketing Cloud - Summit 2014
Integrating with Adobe Marketing Cloud - Summit 2014Paolo Mottadelli
 
A Crash Course in Rapid Application Development
A Crash Course in Rapid Application DevelopmentA Crash Course in Rapid Application Development
A Crash Course in Rapid Application DevelopmentProgress
 

Semelhante a Java Web Application Security - Utah JUG 2011 (20)

OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
Oracle WebLogic Server 12.2.1 Do More with Less
Oracle WebLogic Server 12.2.1 Do More with LessOracle WebLogic Server 12.2.1 Do More with Less
Oracle WebLogic Server 12.2.1 Do More with Less
 
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško Vukmanović
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško VukmanovićJavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško Vukmanović
JavaCro'14 - WebLogic-GlassFish-JaaS Strategy and Roadmap – Duško Vukmanović
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375
 
MVC 1.0 / JSR 371
MVC 1.0 / JSR 371MVC 1.0 / JSR 371
MVC 1.0 / JSR 371
 
Rahul Resume.doc
Rahul Resume.docRahul Resume.doc
Rahul Resume.doc
 
Modern App Development with Oracle Cloud
Modern App Development with Oracle CloudModern App Development with Oracle Cloud
Modern App Development with Oracle Cloud
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
 
Java2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudJava2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the Cloud
 
Cloud native Microservices using Spring Boot
Cloud native Microservices using Spring BootCloud native Microservices using Spring Boot
Cloud native Microservices using Spring Boot
 
WebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testingWebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testing
 
Oracle REST Data Services
Oracle REST Data ServicesOracle REST Data Services
Oracle REST Data Services
 
Comparing JVM Web Frameworks - TSSJS 2011
Comparing JVM Web Frameworks - TSSJS 2011Comparing JVM Web Frameworks - TSSJS 2011
Comparing JVM Web Frameworks - TSSJS 2011
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
 
Apache shiro security framework
Apache shiro security frameworkApache shiro security framework
Apache shiro security framework
 
Web presentation
Web presentationWeb presentation
Web presentation
 
Open Architecture in the Adobe Marketing Cloud - Summit 2014
Open Architecture in the Adobe Marketing Cloud - Summit 2014Open Architecture in the Adobe Marketing Cloud - Summit 2014
Open Architecture in the Adobe Marketing Cloud - Summit 2014
 
Polyglot! A Lightweight Cloud Platform for Java SE, Node, and More
Polyglot! A Lightweight Cloud Platform for Java SE, Node, and MorePolyglot! A Lightweight Cloud Platform for Java SE, Node, and More
Polyglot! A Lightweight Cloud Platform for Java SE, Node, and More
 
Integrating with Adobe Marketing Cloud - Summit 2014
Integrating with Adobe Marketing Cloud - Summit 2014Integrating with Adobe Marketing Cloud - Summit 2014
Integrating with Adobe Marketing Cloud - Summit 2014
 
A Crash Course in Rapid Application Development
A Crash Course in Rapid Application DevelopmentA Crash Course in Rapid Application Development
A Crash Course in Rapid Application Development
 

Mais de Matt Raible

Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022Matt Raible
 
Micro Frontends for Java Microservices - Belfast JUG 2022
Micro Frontends for Java Microservices - Belfast JUG 2022Micro Frontends for Java Microservices - Belfast JUG 2022
Micro Frontends for Java Microservices - Belfast JUG 2022Matt Raible
 
Micro Frontends for Java Microservices - Dublin JUG 2022
Micro Frontends for Java Microservices - Dublin JUG 2022Micro Frontends for Java Microservices - Dublin JUG 2022
Micro Frontends for Java Microservices - Dublin JUG 2022Matt Raible
 
Micro Frontends for Java Microservices - Cork JUG 2022
Micro Frontends for Java Microservices - Cork JUG 2022Micro Frontends for Java Microservices - Cork JUG 2022
Micro Frontends for Java Microservices - Cork JUG 2022Matt Raible
 
Comparing Native Java REST API Frameworks - Seattle JUG 2022
Comparing Native Java REST API Frameworks - Seattle JUG 2022Comparing Native Java REST API Frameworks - Seattle JUG 2022
Comparing Native Java REST API Frameworks - Seattle JUG 2022Matt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022Matt Raible
 
Comparing Native Java REST API Frameworks - Devoxx France 2022
Comparing Native Java REST API Frameworks - Devoxx France 2022Comparing Native Java REST API Frameworks - Devoxx France 2022
Comparing Native Java REST API Frameworks - Devoxx France 2022Matt Raible
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...Matt Raible
 
Native Java with Spring Boot and JHipster - Garden State JUG 2021
Native Java with Spring Boot and JHipster - Garden State JUG 2021Native Java with Spring Boot and JHipster - Garden State JUG 2021
Native Java with Spring Boot and JHipster - Garden State JUG 2021Matt Raible
 
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...Matt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Matt Raible
 
Java REST API Framework Comparison - UberConf 2021
Java REST API Framework Comparison - UberConf 2021Java REST API Framework Comparison - UberConf 2021
Java REST API Framework Comparison - UberConf 2021Matt Raible
 
Native Java with Spring Boot and JHipster - SF JUG 2021
Native Java with Spring Boot and JHipster - SF JUG 2021Native Java with Spring Boot and JHipster - SF JUG 2021
Native Java with Spring Boot and JHipster - SF JUG 2021Matt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021Matt Raible
 
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Get Hip with JHipster - Colorado Springs Open Source User Group 2021Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Get Hip with JHipster - Colorado Springs Open Source User Group 2021Matt Raible
 
JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020Matt Raible
 
Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Matt Raible
 
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Security Patterns for Microservice Architectures - ADTMag Microservices & API...Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Security Patterns for Microservice Architectures - ADTMag Microservices & API...Matt Raible
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...Matt Raible
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible
 

Mais de Matt Raible (20)

Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
 
Micro Frontends for Java Microservices - Belfast JUG 2022
Micro Frontends for Java Microservices - Belfast JUG 2022Micro Frontends for Java Microservices - Belfast JUG 2022
Micro Frontends for Java Microservices - Belfast JUG 2022
 
Micro Frontends for Java Microservices - Dublin JUG 2022
Micro Frontends for Java Microservices - Dublin JUG 2022Micro Frontends for Java Microservices - Dublin JUG 2022
Micro Frontends for Java Microservices - Dublin JUG 2022
 
Micro Frontends for Java Microservices - Cork JUG 2022
Micro Frontends for Java Microservices - Cork JUG 2022Micro Frontends for Java Microservices - Cork JUG 2022
Micro Frontends for Java Microservices - Cork JUG 2022
 
Comparing Native Java REST API Frameworks - Seattle JUG 2022
Comparing Native Java REST API Frameworks - Seattle JUG 2022Comparing Native Java REST API Frameworks - Seattle JUG 2022
Comparing Native Java REST API Frameworks - Seattle JUG 2022
 
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
 
Comparing Native Java REST API Frameworks - Devoxx France 2022
Comparing Native Java REST API Frameworks - Devoxx France 2022Comparing Native Java REST API Frameworks - Devoxx France 2022
Comparing Native Java REST API Frameworks - Devoxx France 2022
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
 
Native Java with Spring Boot and JHipster - Garden State JUG 2021
Native Java with Spring Boot and JHipster - Garden State JUG 2021Native Java with Spring Boot and JHipster - Garden State JUG 2021
Native Java with Spring Boot and JHipster - Garden State JUG 2021
 
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
 
Java REST API Framework Comparison - UberConf 2021
Java REST API Framework Comparison - UberConf 2021Java REST API Framework Comparison - UberConf 2021
Java REST API Framework Comparison - UberConf 2021
 
Native Java with Spring Boot and JHipster - SF JUG 2021
Native Java with Spring Boot and JHipster - SF JUG 2021Native Java with Spring Boot and JHipster - SF JUG 2021
Native Java with Spring Boot and JHipster - SF JUG 2021
 
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
 
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Get Hip with JHipster - Colorado Springs Open Source User Group 2021Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
 
JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020
 
Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020
 
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Security Patterns for Microservice Architectures - ADTMag Microservices & API...Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020
 

Último

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Último (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Java Web Application Security - Utah JUG 2011

  • 1. Java Web Application Security Develop. Penetrate. Protect. Relax. Matt Raible http://raibledesigns.com @mraible Images by Stuck in Customs - http://www.flickr.com/photos/stuckincustoms © 2011 Raible Designs
  • 2. Introductions Your experience with web development? Your experience with implementing security? Have you used Java EE 6, Spring Security or Apache Shiro? What do you want to get from this talk? © 2011 Raible Designs
  • 3. Blogger on Father, Skier, raibledesigns.com Cyclist Founder of AppFuse Web Framework Connoisseur Who is Matt Raible? © 2011 Raible Designs
  • 4. Session Agenda Security Development Java EE 6, Spring Security, Apache Shiro SSL and Testing Verifying Security OWASP Top 10 Commercial Tools and Services Q and A Develop Penetrate Protect Relax © 2011 Raible Designs
  • 5. Why am I here? Purpose To learn more about Java webapp security and transform myself into a security expert. Goals Show how to implement Java webapp security. Show how to penetrate a Java webapp. Show how to fix vulnerabilities. © 2011 Raible Designs
  • 6. Develop © 2011 Raible Designs
  • 7. Dynamic Language Support? If it deploys on Tomcat, it has a web.xml. Grails JRuby on Rails Lift Play! Framework © 2011 Raible Designs
  • 8. Java EE 6 Security constraints defined in web.xml web resource collection - URLs and methods authorization constraints - role names user data constraint - HTTP or HTTPS User Realm defined by App Server Declarative or Programmatic Authentication Annotations Support © 2011 Raible Designs
  • 9. Java EE 6 Demo http://www.youtube.com/watch?v=8bXBGU7uo4o © 2011 Raible Designs
  • 10. Servlet 3.0 HttpServletRequest authenticate(response) login(user, pass) logout() getRemoteUser() isUserInRole(name) © 2011 Raible Designs
  • 11. Servlet 3.0 and JSR 250 Annotations @ServletSecurity @HttpMethodConstraint @HttpConstraint @RolesAllowed @PermitAll @DenyAll © 2011 Raible Designs
  • 12. Java EE Security Limitations No error messages for failed logins No Remember Me Container has to be configured Doesn’t support regular expressions for URLs © 2011 Raible Designs
  • 13. Spring Security Filter defined in web.xml Separate security context file loaded by Spring Defines URLs, Roles and Authentication Providers Defines UserService (provided or custom) Password Encoding Remember Me © 2011 Raible Designs
  • 15. Securing Methods <global-method-security secured-annotations="enabled"/> @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account readAccount(Long id); @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account[] findAccounts(); @Secured("ROLE_TELLER") public Account post(Account account, double amount); <global-method-security jsr250-annotations="enabled"/> © 2011 Raible Designs
  • 16. Securing Methods 3.0 <global-method-security pre-post-annotations="enabled"/> @PreAuthorize("isAnonymous()") public Account readAccount(Long id); @PreAuthorize("isAnonymous()") public Account[] findAccounts(); @PreAuthorize("hasAuthority('ROLE_TELLER')") public Account post(Account account, double amount); © 2011 Raible Designs
  • 17. Spring Security Limitations Authentication mechanism in WAR Securing methods only works on Spring beans My remember me example doesn’t work © 2011 Raible Designs
  • 18. Apache Shiro Filter defined in web.xml shiro.ini loaded from classpath [main], [urls], [roles] Cryptography Session Management © 2011 Raible Designs
  • 20. Testing with SSL Cargo doesn’t support http and https at same time Jetty and Tomcat plugins work for both Pass javax.net.ssl.trustStore & javax.net.ssl.trustStorePassword to maven-failsafe-plugin as <systemPropertyVariables> © 2011 Raible Designs
  • 22. Securing a REST API Use Basic or Form Authentication Use Developer Keys Use OAuth © 2011 Raible Designs
  • 23. OAuth © 2011 Raible Designs
  • 24. REST Security and OAuth Demo http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt http://raibledesigns.com/rd/entry/grails_oauth_and_linkedin_apis © 2011 Raible Designs
  • 25. Penetrate OWASP Testing Guide and Code Review Guide OWASP Top 10 OWASP Zed Attack Proxy Burp Suite OWASP WebGoat © 2011 Raible Designs
  • 26. OWASP The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open ... Application security tools, complete books, standard security controls and libraries, cutting edge research http://www.owasp.org © 2011 Raible Designs
  • 27. OWASP Top 10 for 2010 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) © 2011 Raible Designs
  • 28. OWASP Top 10 for 2010 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10.Unvalidated Redirects and Forwards © 2011 Raible Designs
  • 29. Protect Firewalls IDS and IDPs Audits Penetration Tests Code Reviews with Static Analysis Tools © 2011 Raible Designs
  • 30. Firewalls Stateless Firewalls Stateful Firewalls Invented by Nir Zuk at Check Point in the mid-90s Web App Firewalls Inspired by the 1996 PHF CGI exploit WAF Market $234m in 2010 © 2011 Raible Designs
  • 31. Gartner on Firewalls © 2011 Raible Designs
  • 32. Relax Web App Firewalls: Imperva, F5, Trustwave Open Source: WebNight and ModSecurity Stateful Firewalls: Palo Alto, Juniper IDP/IDS: Sourcefire, TippingPoint Audits: ENY, PWC, Grant Thornton Pen Testing: Electric Alchemy, FishNet Security, Immunity Static Analysis: Fortify, Veracode © 2011 Raible Designs
  • 33. Questions? Contact Information http://raibledesigns.com @mraible My Presentations http://slideshare.net/mraible © 2011 Raible Designs