Java Enterprise Q&A: security

1. Creating a REST webserver with security    stackoverflow.com

I am very new to creating webservers - and I have had several goes at trying to understand them and write a quick webserver, but it's never quite 'clicked'. At ...

2. Solutions for Java User Account Management    stackoverflow.com

I currently work on a Java web application that relies on a permissions mechanism to manage user content. This of course means that we need to manage users. Our current ...

3. Java EE security - application clients    stackoverflow.com

I'm writing on a Java EE project which will have everything from 3-6 different clients. The project is open source, and I wonder what security mechanisms one could/should use. The problem ...

4. How best to sanitize input in Java webapp    stackoverflow.com

We use jsp, servlets, beans with mysql database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how to ...
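An added example for the question above (this is not code from the post): instead of restricting what users may type, keep the input as-is and neutralise it at each sink. The two sinks a JSP/servlet/MySQL application has are the SQL statement (use a PreparedStatement so the value never becomes part of the SQL text) and the HTML response (entity-encode the value when it is written out). The table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example: encode at the sink rather than "sanitize" on input.
public final class SinkEncoding {

    private SinkEncoding() {}

    // Encode a string for an HTML text or attribute context. Only the five characters
    // that can change HTML structure are replaced; everything else, including accented
    // letters and quotes inside the data, is passed through unchanged.
    public static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Parameterised lookup: the user-supplied name is bound as data, so quotes,
    // semicolons or comment markers in it cannot alter the query.
    // "users" and its columns are assumptions for the example.
    public static String findEmail(Connection con, String userName) throws SQLException {
        PreparedStatement ps = con.prepareStatement(
                "SELECT email FROM users WHERE name = ?");
        try {
            ps.setString(1, userName);
            ResultSet rs = ps.executeQuery();
            try {
                return rs.next() ? rs.getString(1) : null;
            } finally {
                rs.close();
            }
        } finally {
            ps.close();
        }
    }

    public static void main(String[] args) {
        // constructed hostile input: markup plus an apostrophe that must survive intact
        String hostile = "<script>alert('x')</script> & O'Brien";
        // what a JSP should emit in a text node: <%= SinkEncoding.htmlEncode(name) %>
        System.out.println(htmlEncode(hostile));
    }
}
```

The encoding is context-specific: this encoder is correct for HTML text and quoted attributes only; a value placed inside a JavaScript string or a URL needs the encoding of that context instead. In JSP with JSTL, `${fn:escapeXml(name)}` performs the same HTML encoding.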

5. how to create a secure licensed j2ee application?    stackoverflow.com

We are developing a J2EE application backed by any database of the customer's choice. We will sell to customers based on a per-user license price. How do I make sure the application ...

6. AccessController.doPrivileged    stackoverflow.com

I am trying to figure out what some legacy code is doing. What exactly is this line doing, and why would I need it this way?

String lineSeparator = (String) java.security.AccessController.doPrivileged(
  ...
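As an added illustration of the idiom in the question (this is not the legacy code from the post, which is cut off above): `doPrivileged` makes the stack-based permission check stop at the frame that called it. The property read succeeds if the ProtectionDomain of the class containing the block holds the required PropertyPermission, even when a less-trusted caller further up the stack would be denied it. That is also why the block must be as small as possible and must never act on caller-controlled input; the second method shows the shape to avoid.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added example, not the questioner's legacy code.
public final class PrivilegedReads {

    private PrivilegedReads() {}

    // The idiom from the question in its generic form. Safe: the property name is a
    // constant, so callers cannot steer what is read with our permissions.
    public static String lineSeparator() {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty("line.separator");
            }
        });
    }

    // Unsafe: the name comes from the caller. Any code able to call this method can
    // read, say, "java.security.policy" or "user.home" with this class's permissions,
    // a confused-deputy hole. Shown only to contrast with the method above.
    public static String readAnyPropertyDoNotDoThis(final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty(name);
            }
        });
    }

    public static void main(String[] args) {
        // Without a SecurityManager both calls simply work. With one installed, the
        // first call needs only this class's own grant, and the second leaks that grant.
        System.out.println(lineSeparator().length());
    }
}
```

Under a SecurityManager the class still needs a grant for `java.util.PropertyPermission "line.separator", "read"` in the policy file; `doPrivileged` does not create permissions, it only stops the walk from looking at the callers above it.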

7. Should I use Security Manager in Java web applications?    stackoverflow.com

Is it sufficient to secure a Java web application with the rights of the user that is running the application server process or is it reasonable also to use SecurityManager with ...

8. How does one protect a webapp to be accessed only by localhost?    stackoverflow.com

I am planning to run a java web application and solr in the same java container. I want the web application to be publicly accessible but solr to be accessible only ...
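One way to do this inside the container, as an added example (not the questioner's code): a servlet filter mapped to the Solr context that rejects anything whose TCP peer address is not a loopback address. The filter mapping `/solr/*` and the assumption that both applications share one container are taken from the question; everything else is an assumption.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Added example. The check uses only the TCP peer address the container reports;
// X-Forwarded-For and similar headers are attacker-controlled and are ignored on purpose.
@WebFilter("/solr/*")
public class LocalhostOnlyFilter implements Filter {

    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (!isLoopback(req.getRemoteAddr())) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {}

    // Accepts 127.0.0.0/8 and ::1 (some containers report it as 0:0:0:0:0:0:0:1).
    // getByName on an IP literal parses it without a DNS lookup.
    static boolean isLoopback(String addr) {
        if (addr == null) {
            return false;
        }
        try {
            return InetAddress.getByName(addr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }
}
```

Two caveats: if a reverse proxy on the same machine terminates the public connections, every request reaches the container from 127.0.0.1 and this check passes for everyone, so the proxy must not forward `/solr/*` at all; and a more robust arrangement is to give Solr its own connector bound to 127.0.0.1 (Tomcat's `address` attribute on the Connector) so that the public port never reaches it in the first place.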

9. Alternative ways to configure security constraints with container managed security outside web.xml?    stackoverflow.com

If you use Java EE 6 container managed security, you can configure security constraints for resources inside the web.xml deployment descriptor. Are there alternative ways to do this? For example the container ...
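The Servlet 3.0 answer to this, as an added example (not from the question or any answer to it): the constraint can be declared on the servlet class with `@ServletSecurity`, and the roles with `@DeclareRoles`. The URL pattern, role names and handler bodies below are assumptions.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: a security constraint that lives on the servlet instead of in web.xml.
// It protects exactly the servlet's own URL mapping, here /admin/reports.
@DeclareRoles({ "user", "admin" })
@WebServlet("/admin/reports")
@ServletSecurity(
    // default for every HTTP method not listed in httpMethodConstraints:
    // admins only, and only over HTTPS
    value = @HttpConstraint(rolesAllowed = "admin",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // GET is read-only, so any authenticated user may see the report list
        @HttpMethodConstraint(value = "GET", rolesAllowed = { "user", "admin" },
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class ReportServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("reports for " + req.getRemoteUser());
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only "admin" gets here thanks to the default @HttpConstraint; the programmatic
        // check is a second line of defence in case the mapping is changed later.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.getWriter().println("report regenerated");
    }
}
```

Things to check before relying on it: the annotation covers only the servlet's own mappings, so JSPs and static files under the same path still need a web.xml constraint; a `<security-constraint>` in web.xml that matches the same pattern takes precedence over the annotation; and `<login-config>` (the realm and auth method) has no annotation equivalent in Servlet 3.0 and stays in web.xml.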

10. OWSM custom security policy for JAX-WS, GenericFault    stackoverflow.com

I tried creating a custom security policy as given here: http://download.oracle.com/docs/cd/E15523_01/relnotes.1111/e10132/owsm.htm#CIADFGGC. When I run the service client, the custom assertion is executed, returning successfully.

   public IResult execute(IContext context) throws WSMException ...

11. why it is good idea to disable REFRESH in web application(for security purposes)    stackoverflow.com

We are doing XSRF fixes for our code. We are using the session-token-to-request-token comparison method to achieve this. In the case where the session token is not equal to ...
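The comparison method the question describes, written out as an added example (not the poster's code). A per-session token is generated once from SecureRandom and must be echoed back in a hidden field on every state-changing request; safe methods pass through, so a plain refresh of a GET page is harmless, and a POST without a matching token is rejected without destroying the session. The attribute and parameter names are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: session token vs. request token comparison in one filter.
public class CsrfFilter implements Filter {

    static final String SESSION_KEY = "csrf_token";   // assumed session attribute name
    static final String PARAM = "csrf_token";         // assumed hidden-field name
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        String expected = (String) session.getAttribute(SESSION_KEY);
        if (expected == null) {
            expected = newToken();
            session.setAttribute(SESSION_KEY, expected);
        }
        if (isStateChanging(req.getMethod())
                && !tokensMatch(expected, req.getParameter(PARAM))) {
            // Reject, but do NOT invalidate the session: one stray request (a refresh after a
            // failed submit, a stale tab) must not log the user out or give an attacker a way
            // to do so on the user's behalf.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(rq, rs);
    }

    public void destroy() {}

    // GET/HEAD/OPTIONS must have no side effects; everything else carries the token.
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    // 128 bits from SecureRandom, hex encoded. java.util.Random or a timestamp is guessable.
    static String newToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder(32);
        for (byte x : b) {
            sb.append(String.format("%02x", x & 0xff));
        }
        return sb.toString();
    }

    // Length-independent comparison of the bytes so the token cannot be recovered
    // byte by byte from response timing. Tokens are ASCII hex, so the default charset is fine.
    static boolean tokensMatch(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(), actual.getBytes());
    }
}
```

The pages that render forms read the token from the session and emit it as `<input type="hidden" name="csrf_token" value="...">`. With a per-session token a refresh that resubmits a form still carries a valid token; it is per-request (rotating) tokens that break the refresh and back buttons, which is the trade-off behind the question's title.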

12. websphere-mq security changes in 7.0 + - Is it possible to secure MQ objects without using security exits    stackoverflow.com

We are using security exits in WebSphere MQ 6.0 to provide security for Java clients connecting to MQ and for MQ-to-MQ connectivity. We use security exits to provide a secure way to ...

13. user access management in j2ee web application    stackoverflow.com

I am working on a JSP/servlet project and I have to complete the access management module for my JSPs, since I have more than one user with different profiles. I defined a ...

14. On Linux do people chroot a Java Web Application or use IPTables and run as non-root?    stackoverflow.com

When you run a Java Servlet Container that you would like to serve both static and dynamic content on port 80 you have the classic question of whether to run the ...

15. Security in distributed web applications system    stackoverflow.com

I have a set of three web application systems - A, B & C that are used to service my application. The A system has the core business logic and ...

16. Looking for Tutorial/How To for JAX-WS Client Security    stackoverflow.com

I have been given a WSDL to generate a client against which uses a security policy. This is my first time using a security policy and although I've read about ...

17. Use Enum type as value parameter for @RolesAllowed-Annotation    stackoverflow.com

I'm developing a Java Enterprise application, currently doing JEE-Security stuff to restrict access for particular functions to specific users. I configured the application server and everything, now I'm using the RolesAllowed-annotation ...

18. Data Access control in J2EE technologies    stackoverflow.com

I am working on a project that requires that I implement a mechanism for controlling data access to the content displayed on the pages. First off, to clarify, I am ...

19. Getting a trusted signature for a Java Web Start application    stackoverflow.com

I'm planning to distribute an application over the internet with Java Web Start, and I'm aware that I'll need to sign the application to enable certain security privileges (network connections, dynamic ...

20. Java EE 6 Security Model: How to add or delete user    stackoverflow.com

I read most of the documentation, I only see the use of @RolesAllowed or @DeclareRoles, how can I add user or delete user. I have a table of users with username ...

21. get 2035 on connecting to the base queue    stackoverflow.com

I am running a simple Java client to connect to a remote MQ queue.

  1. When I run the Java code to read write messages with Alias queue name, it works fine.
  2. When ...

22. Open source web app more prone to hacking?    stackoverflow.com

At a recent interview, I was asked: Open source web app (say built on Struts/Spring) is more prone to hacking since anyone can access the source code and change it. How do ...

23. MQ security - getting a 2035 on one queue    stackoverflow.com

I have an application that is trying to put a message to a queue (LOG.TRANSACTION.IN) on a remote queue manager. The message ends up failing with a 2035 and is put ...

24. java ee6 security - use user entity class    stackoverflow.com

All I need is a simple login page that will check against the username and password of a simple User entity class. Is that possible with Java EE 6? In the tutorials they ...

25. Best way to handle standardized look/feel and security across web applications?    stackoverflow.com

I received a request from my users: what they want is a common "portal" for any web applications from my development group. Currently, if we have X number of web apps, ...

26. After implementing OWASP, application works in IE and Firefox but not Safari    stackoverflow.com

Recently we implemented OWASP security solutions with OWASP.jar. After this, our application was working fine in IE 7 and Firefox 3.5. But the application is not working in Safari 4.0.5 or ...

27. detecting vulnerabilities in web applications and desktop applications    stackoverflow.com

Sorry, this is not a question about a specific programming language, but I need opinions on this. Please don't vote to close. Where do I learn about detecting vulnerabilities from scratch? I ...

28. Exploitable Java functions    stackoverflow.com

This question is similar to Exploitable PHP Functions. Tainted data comes from the user, or more specifically an attacker. When a tainted variable reaches a sink function, then ...

29. java.lang.SecurityException: class "org.apache.log4j.Logger" does not match trust level of other classes in the same package    stackoverflow.com

For a Java web application, I got this error when using JRE 1.6.0_22; however, it works fine when using JRE 1.6.0_13. I searched on Google and found that there is a security ...

30. Specifying access control in a Java EE deployment descriptor    stackoverflow.com

I'm using JSF 2 with Glassfish 3 and I'm about to configure access control. As I understand it, this is done in web.xml with security-constraint containing web-resource-collection and auth-constraint. Let's say ...

31. Inter application communication internet wide    stackoverflow.com

I've done some searching and found lots of answers that don't quite give me what I'm looking for, so here goes. Firstly I'm looking into an area I'm not really familiar with, ...

32. Java .policy file - how to prevent java.util.Date() from being accessible    stackoverflow.com

I am playing around with the java .policy file and was wondering how I could go about doing something like preventing calls to java.util.Date(), as an example. I just want to get ...

33. secure webapplication online    stackoverflow.com

I have a web application which I'd like to host online. The user logon consists of a hashed password which is saved in the DB and verified via the code, simple but ...

34. How to manage a large number of permissions?    stackoverflow.com

I am working on a large JEE web app with CRM functionality and we are looking for a security approach/library/solution/anything. Basic role-based security won't work since access control must be based on ...

35. Question on jvm-wide properties and multithreading    stackoverflow.com

I need to use (at the moment) some Java APIs that, unfortunately, can be "configured" only via JVM properties.
I understand that this can affect multithreading, since it can be the case ...

36. Question (again) on eclipse debugging java apis    stackoverflow.com

I have a question that pops up occasionally.
I am trying to debug some JDK APIs using Eclipse.
I have tried:
1) Using the JRE inside the JDK (containing the JDK src) as the JRE ...

37. How to log to application log and security log from the same application    stackoverflow.com

I have an application that needs to log "application log messages" to an appender and "security log messages" to another appender (security log messages cannot appear in the application log). I ...

38. Possible causes can be invoking https when the application is not configured for security    stackoverflow.com

I created a web service:

@WebService(serviceName = "DynamipsService2")
@Stateless()
public class DynamipsService2 {

    @WebMethod(operationName = "StartSession")
    public static String StartSession(@WebParam(name = "key") String key) {
     ...

39. How to add access checks to a method (and create a new method based on the "advised" method) with AspectJ?    stackoverflow.com

Consider this code:

class DatabaseAction(/* ... */) {
  public void deleteUser(User userToDelete, User currentUser) {
    /* ... */
  }  
}
Is it possible to add an aspect-based ...

40. How to get the value of an annotation parameter for usage in AspectJ?    stackoverflow.com

Consider this method:

@Access(rights = GUEST)
public void foo() {
  doSomething();
}
This pointcut basically matches if the method has an @Access annotation:
pointcut check() : 
execution(@Access * *(..));
But how can I access the field ...

41. How to add a method to a class where the method name is based on an existing, annotated method in AspectJ?    stackoverflow.com

Consider this code:

class DatabaseCommands {

    @Privilege(ADMIN)
    public void delete(Something thingToDelete, User currentUser) {
        /* ... */
   ...

42. Security flaws in code with veracode tool    stackoverflow.com

I ran my application for security compliance in the Veracode tool, and whenever the tool finds any logging it detects it as a flaw in the code.
The flaw says, quote: Improper Output Neutralization for ...
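The finding quoted above is the log-forging category (CWE-117): when a user-controlled value containing CR/LF reaches the logger, the attacker gets to write whole fake lines into the log. Neutralising the value before it reaches the logger is what clears the flaw. This is an added example, not the poster's code; the logger, the message wording and the sample input are assumptions.

```java
import java.util.logging.Logger;

// Added example: neutralise user-controlled values before logging them.
public final class SafeLog {

    private static final Logger LOG = Logger.getLogger(SafeLog.class.getName());
    private static final int MAX_LEN = 256;

    private SafeLog() {}

    // Line breaks are replaced so one logging call stays one log line; other control
    // characters (terminal escape sequences, NUL) are dropped so that tools reading the
    // log cannot be steered by them; the length is capped so a huge value cannot fill
    // the disk through the log file.
    public static String forLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(Math.min(value.length(), MAX_LEN));
        for (int i = 0; i < value.length() && sb.length() < MAX_LEN; i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') {
                sb.append('_');
            } else if (c < 0x20 || c == 0x7f) {
                sb.append('?');
            } else {
                sb.append(c);
            }
        }
        if (sb.length() < value.length()) {
            sb.append("...(truncated)");
        }
        return sb.toString();
    }

    public static void loginFailed(String userName) {
        // The flagged pattern would be: LOG.warning("login failed for user=" + userName);
        LOG.warning("login failed for user=" + forLog(userName));
    }

    public static void main(String[] args) {
        // constructed attacker input: a fake "success" line smuggled in through the user name
        loginFailed("mallory\nINFO: login succeeded for user=admin");
    }
}
```

Apply the same wrapper to every value that originates from a request (parameters, headers, cookie values, the remote user name) and leave values your own code produced alone; over-encoding the fixed parts of a message only makes the log harder to read.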

43. How can I provide security in a web-application by jdbcRealm when I have few user tables    stackoverflow.com

I have a problem with security in Java EE. I have an application that is supposed to be a kind of e-shop. I have three entities: a User class that is not mapped into ...

44. HANDSHAKE_FAILURE alert received    stackoverflow.com

I am writing a Java client (on WebLogic 10.3) to invoke a secure web service. I have been provided with a client certificate which I have installed in cacerts, DemoIdentity.jks and DemoTrust.jks. In ...

45. e-commerce website architecture    stackoverflow.com

I would like to create a REST architecture for an e-commerce website application. In fact, there would be:

  • the front office web site
  • the back office web site which acts as a content ...

46. How to change the original requested page used by j_security_check?    stackoverflow.com

When an unauthenticated user requests some resource, he will be redirected to a login page, but j_security_check will keep the original requested resource. If the user logs in successfully, it will be ...

47. Use Application Server based User management or Custom User management?    stackoverflow.com

I'm following the JEE6 tutorial and am reading the part related to security. In the examples, the user management is done using the features provided with the ...

48. Container Managed Security for Web Application    stackoverflow.com

I am completely new to container managed security and need some help with configuring it in my web application. I want to restrict access to the JSPs within my web application. This ...

49. How can queues be made private/secure in RabbitMQ in a multitenancy system?    stackoverflow.com

I have read the Get Started guide provided by RabbitMQ and have even contributed the sixth example to stormed-amqp, so I have an inkling of knowledge about ...

50. Java client for the X.509 secured web-service    stackoverflow.com

I have a remote web service which is secured with an X.509 certificate.
I generated the web service client code (using JAX-WS) but need to configure it for the certificate's usage.
How should I proceed?
I guess I should ...
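The setup both this question and question 44 (the HANDSHAKE_FAILURE on WebLogic) need, as an added example that is not from either post. A client certificate is only useful together with its private key, so it belongs in an identity keystore (a PKCS12 or JKS file holding the key entry), not in cacerts; cacerts or a separate truststore holds the CA certificates that sign the server's certificate. Putting the client certificate only into trust stores leaves the client with nothing to present when the server requests a certificate, which is one of the usual causes of a handshake_failure alert. The file names, passwords and the generated `port` stub are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: an SSLContext with a client identity (key + certificate) and a
// separate trust store for the server's CA.
public final class MutualTlsClient {

    private MutualTlsClient() {}

    public static SSLContext build(String identityPath, char[] identityPw,
                                   String trustPath, char[] trustPw) throws Exception {
        // Identity: our certificate chain plus private key. The server verifies this.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(identityPath);
        try {
            identity.load(in, identityPw);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, identityPw);

        // Trust: the CA certificates we accept for the server. We verify this.
        KeyStore trust = KeyStore.getInstance("JKS");
        in = new FileInputStream(trustPath);
        try {
            trust.load(in, trustPw);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // assumed file names and passwords
        SSLContext ctx = build("client-identity.p12", "changeit".toCharArray(),
                               "truststore.jks", "changeit".toCharArray());
        // Process-wide: every HttpsURLConnection, including JAX-WS generated stubs that
        // use it underneath, presents the client certificate from now on.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

With the JAX-WS reference implementation (Metro) the factory can instead be set per stub through the request context property `com.sun.xml.ws.transport.https.client.SSLSocketFactory` (`JAXWSProperties.SSL_SOCKET_FACTORY`); WebLogic's own web service stack and other vendors have their own way of wiring the identity store, so check that before assuming the property works there. The simplest alternative when the whole JVM may use one identity is the standard `javax.net.ssl.keyStore` / `javax.net.ssl.keyStorePassword` / `javax.net.ssl.trustStore` system properties. Do not "fix" a handshake failure by installing a trust manager that accepts everything; that removes the server authentication the X.509 setup exists to provide.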

51. How to pass other data with j_security_check?    stackoverflow.com

I use IBM WebSphere Application Server 6.1 and my login screen has controls as:

  <form action="j_security_check" method="POST">

     User Name:      [ Admin ...

52. Uses of Java Security Manager    stackoverflow.com

I was reading some article on Java Security, and came across uses of java.policy files for granting permission to the source code coming from different code sources. My question is, do we ...

53. How to implement a logout when using form based security    stackoverflow.com

I use a JDBC form-based security realm, and I want to implement a logout, but when I click on the link I see this exception:

java.lang.RuntimeException: java.security.AccessControlException: access ...

54. Insecure WAR in a server machine    stackoverflow.com

I'm going to deploy my webapp (WAR) on a server machine. But the server machine is in the client's hands, and they take database dumps (so new data can be created), and the WAR ...

55. Cannot modify Quality of Service Security attributes. Use Development Defaults always enabled.    forums.netbeans.org

Hi all. Having some issues setting the attributes for securing a web service. I am using NB 6.5 and GlassFish 2.1. In the Quality of Service tab I enable the Secure ...

56. Security:MessageDigest.isEqual()    forums.netbeans.org

Hi, I've the following method to encrypt a password and add the pair (login, hashedPassword) to a hash table. When later I try to compare the byte value of (hashedPassword) in the Hashtable to the ...
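An added example for the comparison problem in this post (it is not the poster's method, which is cut off above). Comparing two `byte[]` with `==` compares references and is false for any freshly computed digest, and `Arrays.equals` returns at the first differing byte, which leaks timing. The example stores a per-user random salt and a PBKDF2 hash (available in JDK 6 via `PBKDF2WithHmacSHA1`) and compares in constant time. The iteration count, key size and the in-memory `HashMap` standing in for the poster's hash table are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: salted, iterated password hashing plus a constant-time comparison.
public final class PasswordStore {

    private static final int ITERATIONS = 10000;   // raise as hardware allows
    private static final int KEY_BITS = 160;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Entry {
        final byte[] salt;
        final byte[] hash;
        Entry(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private final Map<String, Entry> table = new HashMap<String, Entry>();

    public void add(String login, char[] password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                                 // per-user random salt
        table.put(login, new Entry(salt, derive(password, salt)));
        Arrays.fill(password, '\0');                         // don't keep the clear text around
    }

    public boolean verify(String login, char[] password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        Entry e = table.get(login);
        boolean ok;
        if (e == null) {
            // Derive against a dummy salt so "no such user" costs the same time as a bad password.
            derive(password, new byte[SALT_BYTES]);
            ok = false;
        } else {
            ok = constantTimeEquals(e.hash, derive(password, e.salt));
        }
        Arrays.fill(password, '\0');
        return ok;
    }

    static byte[] derive(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Every byte is examined regardless of where the first difference is, so the time
    // taken does not reveal how many leading bytes matched.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        PasswordStore store = new PasswordStore();
        store.add("alice", "correct horse".toCharArray());
        System.out.println(store.verify("alice", "correct horse".toCharArray()));
        System.out.println(store.verify("alice", "Correct horse".toCharArray()));
        System.out.println(store.verify("bob", "correct horse".toCharArray()));
    }
}
```

`MessageDigest.isEqual` is the library equivalent of `constantTimeEquals` on current JDKs; early JDK 6 builds returned as soon as a byte differed, which is why the explicit loop is shown. Note also that the post calls this "encrypting" the password: a hash is one-way, and that is the property wanted here, since a stored value that can be decrypted back to the password is what an attacker with the table would exploit.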

57. Issues w/ J Security Check    forums.netbeans.org

Using form-based authentication with j_security_check in GlassFish. The first logon works. The user presses the back button. The second logon fails. The browser URL after the second logon fails is http://(mydomain/j_security_check. "404 Not ...

58. RE: Issues w/ J Security Check    forums.netbeans.org

The question has nothing to do with NetBeans and you may have more luck getting a meaningful response in one of the GlassFish forums. I recently had the same problem (but ...

59. Problems running simple security scenarios    forums.netbeans.org

I'm trying to run sample applications from http://archive.moreservlets.com illustrating basic and form-based web application security. I've created the security realm in my GlassFish server and created a few users with ...

60. Re: Problems running simple security scenarios    forums.netbeans.org

Hi Techy, This may be related to a problem I have found with IE and Ajax. Here is the message that I put up for my users: Due to a quirk ...

61. Re: Problems running simple security scenarios    forums.netbeans.org

Thanks. While it did not change the behavior of IE, it inspired me to switch to Mozilla. And, with Mozilla, at least when I manually delete the password cache, it does ...

62. Re: Issues w/ J Security Check    forums.netbeans.org

The question has nothing to do with NetBeans and you may have more luck getting a meaningful response in one of the Glassfish forums. I had recently the same problem (but ...

63. Applet View Problems -java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThreadGroup)    forums.netbeans.org

I have a relatively large applet that runs in the browser, but just recently won't run in the applet viewer. (In fact nothing will run, even simple blank applets.) NB 6.8, JDK ...

64. Either bug or mistake? Netbeans and security manager    forums.netbeans.org

Dear developers, I have already mentioned this earlier, but my question did not receive any attention. I am observing bizarre NetBeans behaviour, which may be a bug. Full NetBeans distribution v 6.9.1, Apache Tomcat (comes with NetBeans) 6.0.26. How to recreate:
  1. create a new empty Web Application project, select Apache Tomcat for deployment.
  2. right click the Apache Tomcat server in Services ...

65. Security issue    forums.netbeans.org

66. Java EE6 and security constraints    forums.netbeans.org

How do I set up SSL for a Web Service in a Java Enterprise Application? In a Web Application I add a Security Constraint in web.xml, but what about Enterprise Applications? There's no web.xml there. I noticed I can add a standard deployment descriptor (ejb-jar.xml). I'm not sure if it's the same as web.xml and I don't know where I should put ...

67. Advanced security options    forums.netbeans.org

Hi, I'm developing a SOAP web service client that asserts a signed SAML assertion token, then signs and encrypts the entire message. The WSDL file for the service indicates those, so I set everything up by setting the web service's attributes. When I print the SOAP request out, I can see that the message is indeed encrypted and signed. However, the ...

68. deploy a security realm?    forums.netbeans.org

69. Security Policy file in windows ?    forums.netbeans.org

However, when I try to run the server I get errors:

java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1034)
    at java.net.Socket.connect(Socket.java:513)
    at java.net.Socket.connect(Socket.java:469)
    at java.net.Socket.<init>(Socket.java:366)
    at java.net.Socket.<init>(Socket.java:180)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:22)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:128)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
    at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
    at java.rmi.Naming.rebind(Naming.java:160)
    at examples.network.StudentEnrollment.main(StudentEnrollment.java:24)

It seems that the policy file is not being ...

70. Ehcache 1.7.2 update check posing security threat    forums.terracotta.org

Setting it in the POM doesn't necessarily mean it'll apply to your app. It means there's a property in your Maven project. How are you using Ehcache? In a stand-alone app? In a webapp? How do you start the app? Or are you running as a Maven test? Posting your pom.xml would help here. If you're using Linux, you can check ...

71. security web application    coderanch.com

I think that you may use a variable in your session. Once you are logged in, you set the variable to true (if the login is correct, of course). Every time that you access a resource, you must first check if your variable is set to true; if not, you redirect to login.html, else you continue your business logic. I think there ...

72. 10 Web App Security Vulnerabilities    coderanch.com

73. Web application security...    coderanch.com

I'm planning out an admin section for a web site I'm working on, and security is something I have a question about. Typically, I'd set a String in the session when a user logs in and check for that variable on every "admin page". This works OK, but the session doesn't always die out until they close the browser window (even after ...
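The "flag in the session" approach from the answer in 71 and the question in 73, written out as an added example (not either poster's code): the check is done once in a Filter mapped to the admin area instead of on every page, a fresh session id is issued at login so a session planted before login is worthless (session fixation), and an idle timeout is set server-side so the session dies whether or not the browser window is closed. The attribute name, paths and timeout are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: one filter guards every admin page; login and logout manage the session.
@WebFilter("/admin/*")
public class AdminAuthFilter implements Filter {

    static final String USER_ATTR = "authUser";      // assumed session attribute name
    static final int IDLE_SECONDS = 15 * 60;

    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);  // never create a session just to check it
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.setHeader("Cache-Control", "no-store");
            resp.sendRedirect(req.getContextPath() + "/login.html");
            return;
        }
        chain.doFilter(rq, rs);
    }

    public void destroy() {}

    // Call after the credentials have been verified. Whatever session existed before
    // login (possibly one an attacker handed to the victim) is discarded, so its id is
    // useless afterwards; the new session expires on the server after IDLE_SECONDS.
    static void establishLogin(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, user);
        fresh.setMaxInactiveInterval(IDLE_SECONDS);
    }

    // Logout invalidates server-side; deleting the cookie in the browser is not enough,
    // because anyone who copied the id could keep using the session.
    static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();
        }
    }
}
```

Two settings belong with this: in Servlet 3.0, `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>` in web.xml keeps the session cookie away from scripts and off plain HTTP, and the login form itself must be submitted over HTTPS by POST, otherwise the password and the new session id travel in clear.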

74. Web App security    coderanch.com

Hello, What are the basic securing methods (implementations) that should be noticed when coding JSP/Servlet/Filter based Web applications? I don't mean just https connections, but things like:
  • login
  • securing URLs that are not meant to be used directly
  • security options in web.xml
  • global error pages defined in web.xml to catch exceptions
  • groups / access rights
How are these usually handled in a Web Application? Are there ...

75. J2EE Security..    coderanch.com

76. web app security constraints    coderanch.com

77. implementing security for a web application    coderanch.com

Hi Sejal, this probably varies a little according to what servlet container you're using. But in general, you'll probably want to get a certificate and configure your app server accordingly. This will let you use HTTPS. As for security constraints and other stuff, just follow the standard (declaring security constraints and such in your servlet container's config file).

79. web app security issues    coderanch.com

Hi, I am trying to implement web app security. I have a web app called security running on my Tomcat. I am able to implement authentication and authorization, but am not able to implement data confidentiality. The problems that I am running into are listed below:
1) Whenever I try to implement data confidentiality, I get a "page cannot be displayed" error. But ...

82. web app security authorization question    coderanch.com

I've tested and used the tomcat-user.xml file in conjunction with the tags in the DD to limit access to certain pages. Using this method, I've defined usernames, passwords and roles in the tomcat-user.xml file. I was wondering how this is handled in bigger applications where it wouldn't be efficient to declare all users ...

83. How to handle Security in a Webapp with a JDBCRealm    coderanch.com

Hello everybody. I'm reading a lot about webapp security at the moment and I try to implement this the official way with and realms and so on. I have two parts in my webapp I need to secure, URL patterns /command/admin/* and /command/client/*. My problem is: can I use different login pages for these two sections? Something like multiple ? Because the ...

84. J2EE Security    coderanch.com

I'm trying to set up application security for a project I'm working on and I'm running into a bit of difficulty. In my deployment descriptor, I have this:

<security-constraint>
  <display-name>mainSecurity</display-name>
  <web-resource-collection>
    <web-resource-name>SecureStrutsActions</web-resource-name>
    <url-pattern>/*.do</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/html/login.html</form-login-page>
    <form-error-page>/html/error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>administrator</role-name>
</security-role>

What I'd really like to have happen is ...

85. Application Servers and Row/Column level security    coderanch.com

In the Oracle database there are three methods for implementing row/column level security:
  • views and access control over these views
  • Virtual Private Database
  • Oracle Label Security
But all of them use the user account utilized to log into the database. The context of my question is: user --> webServer --> EJBserver --> DataBase. In an application server (OracleAS, ...

86. Security For my web-application    coderanch.com

87. J2EE Security Concerns and Confusions    coderanch.com

I have no knowledge about J2EE security but I am giving it a second look now. I have been studying this for a while now but can't get my head to understand all the concepts. I have been involved in web projects that run on the company's local intranet only. As I have checked, there are no security constraints appended to it. ...

88. Recommended Security Architecture    coderanch.com

I am assigned a task to work on a Portal based upon Portlet 2.0 that will be deployed on Tomcat using Jetspeed 2.2.1. However, in future this must be deployable on other portlet servers like IBM WebSphere. In the first step I have to work out the possible security model for the application. Major requirements for security:
  • Based on some standard
  • ...

89. Encoding action Url for increasing the web app security    coderanch.com

To expand on Madhan's recommendation: packet sniffing isn't the issue. Unless every millimetre of the cable between client and server is physically isolated, people can sniff packets. Even then you're not totally safe, since tricks like monitoring the "radio noise" generated by computers and network equipment have been done. The key is to make the "sniffed" data unusable, and that means ...

90. Installing Site Minder for security reasons to the application    coderanch.com

Our ALUI Portal is hosted in IIS. For security reasons, we have now included SiteMinder. After enabling SiteMinder, the portlet applications configured in the Portal are not coming up. Getting the following error: " cannot be displayed because the remote server returned an invalid HTTP response code.". Please help me know how this can be fixed. Thanks, Saveetha ...

91. Stripes security question    java-forums.org

Hi, I have set up a StripesSecurityFilter class which handles authorization and authentication for my site. It works great, but as I am now going back and cleaning up and refactoring some code, I'm realizing it would be great if I could access the ActionBeanContext class from my StripesSecurityFilter class. This is because currently the StripesSecurityFilter class uses hard coded strings such ...

92. Enforcing security in web applications?    forums.oracle.com

Hello, I am fairly new to Java. Just needed some advice from you. Say I made roles in my web.xml as well as configured login and error pages. Now when an unauthenticated user comes to the site, the login page is displayed. Then the user enters username and password. But how to determine from the password and username that the user belongs to ...

93. Validating user security in a Java webapp...    forums.oracle.com

1) The "Pages (regular)" pages may not need to be secure, but the forms generated and submitted to the server MUST be done using HTTPS using POST.
2) The session attribute will be identified by a session Cookie (or something similar). This needs to be impossible to intercept or forge or you are wide open.
3) You should have a 'timeout' ...

94. Web App Security    forums.oracle.com

Hello, I'll soon be developing a web application in which security is a major concern, and I'd like some advice about some technologies I'm evaluating to get the job done. I couldn't get comparisons on the security power offered by each. - Web tier: I have some experience in JSP and JS; besides HTTPS, JSF seems to provide better, out-of-the-box, support for ...

95. log4j problem with RMI security manager    forums.oracle.com

It happens because you haven't granted yourself one or more permissions that log4j needs to initialize itself. Run your program with -Djava.security.debug=access,failure to see what permission(s) it requires and add them to your security .policy file. I find it a bit odd that you have a server log and a client log in the same class, i.e. in the same JVM. ...

96. jini security policy setting    forums.oracle.com

Hi, I am getting this exception in Jini. Please give me a solution. What steps are required to solve this problem? How do I set ExecOptionPermission in the existing policy?

rmid: (WARNING) restart service throws: java.security.AccessControlException: access denied (com.sun.rmi.rmid.ExecOptionPermission -Djava.security.policy=c:\policy)
    at sun.rmi.server.Activation$DefaultExecPolicy.checkPermission(Activation.java:1857)
    at sun.rmi.server.Activation$DefaultExecPolicy.checkExecCommand(Activation.java:1747)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.Activation.checkArgs(Activation.java:1369)
    at sun.rmi.server.Activation.access$400(Activation.java:118)
    at sun.rmi.server.Activation$GroupEntry.getInstantiator(Activation.java:1166)
    at sun.rmi.server.Activation$GroupEntry.activate(Activation.java:1090)
    at sun.rmi.server.Activation$GroupEntry.restartServices(Activation.java:800)
    ...

97. j2ee security and page flow problem    forums.oracle.com

To give more details about the problem I have: the user likes to put a URL in the browser, then press enter. The user likes to see the running results. However, the user is not able to see the results because J2EE security requires the user to log in. After successful login, the user is going to see the index page. My question is how the user can be ...