Jazoon 2011, Day 3 – Web Security: Develop. Penetrate. Smile. – Matt Raible

26. June, 2011

Web Security: Develop. Penetrate. Smile. – Matt Raible

Matt demonstrated how to “implement authentication in your Java web applications using Spring Security, Apache Shiro and good ol’ Java EE Container Manager Authentication. You’ll also learn how to secure your REST API with OAuth and do it all securely with SSL.”

Nothing spectacular but the usual mix of nice code and how to avoid the most common pitfalls.

Some things to remember: Firewalls don’t work, not even if they’re stateful and inspect the HTTP stream.

If you’re interested in web app security, you should have a look at OWASP. Right now, there are a lot of non-developers there. What we all desperately need are web frameworks that make it simpler to configure a secure web app correctly than to configure a normal web app.

Jazoon 2011, Day 1 – Java Security Trends: How to Leverage Growing Security Trends in Building Trust into Your Java Applications – James Gould and Srikanth Veeramachaneni

26. June, 2011

Java Security Trends: How to Leverage Growing Security Trends in Building Trust into Your Java Applications – James Gould and Srikanth Veeramachaneni

Nothing spectacular here for me. There was a nice diagram of an SSL handshake, some tips for debugging SSL problems, code showing how to create keystores with the Java tools, and how to convert a PEM key into something that Java’s keytool can use.

After that James gave an overview of DNSSEC and how to use it from Java (including code examples).

What I liked about the code examples is that they covered more than the trivial cases. For example, it showed how to specify per-key passwords (in addition to the usual per-keystore password).
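The per-key password point is easy to get wrong in practice, because many examples reuse one password for the keystore and every entry in it. The following is an added example of my own, not code from the talk: it builds a PKCS12 keystore in memory, protects a single AES entry with a password that differs from the keystore password, and then shows that opening the store is not enough to recover the entry. The alias, both passwords and the key are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class PerKeyPasswordDemo {
    // Constructed demo values: the store password and the entry password differ on purpose.
    static final char[] STORE_PASS = "store-password-demo".toCharArray();
    static final char[] ENTRY_PASS = "entry-password-demo".toCharArray();
    static final String ALIAS = "demo-aes-key"; // constructed alias

    // Builds a PKCS12 keystore whose single secret-key entry has its own password,
    // then serialises it to bytes exactly as it would be written to disk.
    static byte[] buildStore() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // initialise an empty store

        // The ProtectionParameter on setEntry is the per-entry password.
        ks.setEntry(ALIAS,
                    new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(ENTRY_PASS));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASS); // the store password only protects the container/MAC
        return out.toByteArray();
    }

    // Opens the store with the store password and tries to recover the entry with
    // the supplied entry password. Returns true only if the key could be read.
    static boolean canRecoverEntry(byte[] stored, char[] entryPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(stored), STORE_PASS);
        try {
            return ks.getKey(ALIAS, entryPass) != null;
        } catch (UnrecoverableKeyException e) {
            // Wrong per-entry password: the store opened, but this key stays sealed.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] stored = buildStore();
        System.out.println("entry password works:  " + canRecoverEntry(stored, ENTRY_PASS)); // true
        System.out.println("store password works:  " + canRecoverEntry(stored, STORE_PASS)); // false
    }
}
```

The practical consequence is the one the talk hinted at: a process that only knows the keystore password can list aliases and read certificates, but cannot use a key whose entry password it does not have, so the two secrets can be handed to different components or stored separately.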