Archive for the ‘Security’ Category

HTTP Authentication and Security with Apache Shiro
Posted by yamsellem terribly early in the morning: April 18th, 2011

Authenticating users is an important part of an application, and so is limiting access to resources through authorization. Spring Security is a reference in web environments. However, it is tied to the Spring technology, and the size of the library — more than 10 JARs of dependencies — may restrain its use. Moreover, its lack of integration with Guice or the recurrent deployment of an App Engine application may exclude it. This is the opportunity to take a closer look at Apache Shiro.

  • Introduction to HTTP Authentication
  • Shiro servlet filter
  • Secure a resource
  • Test integration
  • Realm and Matcher for the authentication
  • A powerful permission model
  • Authorize with annotations
  • Shiro, a true challenger

(more…)

Tags: authentication, authorization, http header, JAAS, Jersey, jetty, Security, Shiro, Spring Security
Filed under Java, Security | 1 Comment »

Forum Sentry XML Gateway
Posted by Mark Bakker mid-afternoon: March 15th, 2011

Last week I got a presentation for a security device I had never heard about.
Most times this means it is something which is not a commodity, or has no real use case.

But this time I was really impressed. The device is a possible replacement for IBM Datapower XML Security Gateway. But the way they designed the device is totally different.

What CrossCheck networks did was create a device with just security as its main use case. First of all it was an XML gateway; nowadays it does support HTML, XML, SOAP, FTP, JMS and others.
It also translates different flavors of JMS to each other; it can even convert from IBM MQ to JBoss MQ directly.

(more…)

Tags: Architecture, esb, Middleware, SOA
Filed under Middleware, Security, SOA | 1 Comment »

Implementing single sign on in Weblogic
Posted by Jan Vermeir around lunchtime: September 7th, 2009

In this post I will describe the proof of concept I’ve done for one of our customers in the Netherlands. The assignment was to implement Single Sign On using Weblogic Platform 10.2 infrastructure. I will explain the options available to pass security information around and describe the solution we’ve implemented.
(more…)

Tags: Oracle
Filed under Java, Middleware, Security | 4 Comments »

Wicket, JBoss, JAAS, LDAP
Posted by Serge Beaumont in the early afternoon: May 8th, 2008

Call me old-skool, but I don’t like pulling in huge frameworks like Acegi for some simple authentication and authorization stuff. This post will show you how I connected Wicket security to an LDAP through JAAS. This leverages the LDAP configuration and access on the appserver level and keeps the application clean. This was done on JBoss, so YMMV on another server, but this post should help you along when you need to tweak the solution.

Caveat: this solution does NOT get you logged in as far as the appserver is concerned, so you’ll not be able to use container calls like isUserInRole(). If you find out how, let me know. For our purposes we didn’t need it, but it’s nice to know anyway.

(more…)

Filed under Java, Security | 3 Comments »


Top 10 SOA Pitfalls: #8 – Security
Posted by Viktor Grgic in the early evening: May 5th, 2008

Last week Rik de Groot published the #9: Versioning. This week it’s time for #8.

SOA security is like having a well-protected Middle Ages city, but at the same time asking citizens to permit many more people from inside and outside the city into their homes. They would really have a hard time properly securing their belongings.
Introduction of SOA should be accompanied by at least a SPRINT business impact assessment of security vulnerabilities (confidentiality, data integrity and availability) and a definition of required measures. Introduction of SOA also requires rethinking your security architecture.
(more…)

Tags: SOA
Filed under Security, SOA | 2 Comments »


Security Protocols and common attacks.
Posted by Sunil Prakash Inteti in the early afternoon: December 11th, 2007

I wanted to write a blog on Security Protocols. This was the course I liked the most during my college days. Let's look at some protocols and some of the ways these protocols can be attacked. These are some protocols that I studied during my college days.

The two most common words in the security world are Confidentiality and Integrity. Understanding these two terms is crucial. In simple words, Confidentiality means that only authorized entities can read information. Integrity means reassuring the recipient of the message that the message has not been altered since it was generated by a legitimate source. (more…)

Filed under Security | No Comments »


Playing Another User Role Using ACEGI
Posted by Vikas Hazrati around lunchtime: July 16th, 2007

Recently, on one of our projects, we had a requirement to allow the ROLE_ADMIN to log in as another user without knowing or changing the password of that user. For example, ‘Jack’ has the ROLE_ADMIN and ‘Suzy’ has the ROLE_USER. Now ‘Jack’ wants to log in as ‘Suzy’ without knowing her password and carry out some tasks on her behalf, acting as her when ‘Suzy’ is unavailable and some work needs to be done. Of course, you should provide a mechanism to audit and log whenever ‘Jack’ wants to play a different role.

This is fairly easy to implement using Acegi.

The SwitchUserProcessingFilter in Acegi helps to achieve this functionality. The steps below will show how to configure and use it.

(more…)

Filed under Java, Security | No Comments »


How to implement your own Security provider with the Acegi framework.
Posted by Okke Harsta in the early morning: March 4th, 2007

In a previous blog I described the minimal basic configuration of the Acegi framework. In this blog I’ll show you how easy it is to implement your own security provider. There can be many reasons why you would want to implement such a customized security provider. In my case I had to secure an application using user information that was being maintained by an external PHP-based application. The user information could only be retrieved using a web service. In this blog I will demonstrate several ways to implement your own security provider.

(more…)

Filed under Security | 2 Comments »


How to get started with the Acegi framework
Posted by Okke Harsta in the early morning: March 4th, 2007

How to get started with the Acegi framework and implement your own Security provider?

In the old days folks used the J2EE securing capabilities of the app server. This is of course still an option, but there are superior alternatives like the Acegi framework. Acegi is far from new and with the latest releases it has become a very stable and easy-to-use framework, especially when combined with Spring. I had to implement a custom security provider for a customer and was very surprised how easily this was accomplished. This blog describes the steps I took to get started with Acegi.

(more…)

Filed under Security | 3 Comments »

