prev
next
out of 23

Securing java web applications

  • View
    40

  • Download
    2

Embed Size (px)

Text of Securing java web applications

  1. 1. Securing Java Web Applications An introduction Jonas Flesch me@jonasesch.com
  2. 2. Index Spring Security Passwords Sql Injection JSTL Client sent content Stacktraces Test Legal issues
  3. 3. STEP 1 Use Spring Security!!
  4. 4. Spring Security Authentication .formLogin() .loginPage("/login") .loginProcessingUrl("/authenticate") .failureUrl("/login?error=true") .usernameParameter("username") .passwordParameter("password") .permitAll();
  5. 5. Spring Security Authorization @Controller @Secured(Roles.ROLE_ADMINISTRATOR) @RequestMapping(UserController.BASE_URL) public class UserController extends BaseController {
  6. 6. Spring Security Cross Site Request Forgery Token
  7. 7. Spring Security Good practices headers
  8. 8. Step 2 Passwords
  9. 9. Passwords Store it using a strong salted hash Bcrypt Never send it by e-mail or store it in plain text Protect user creation/password recovery forms with captcha Recaptcha when possible JCaptcha second choice
  10. 10. Step 3 SQL Injection
  11. 11. SQL Injection Always use SQL Parameters: @SqlUpdate("UPDATE User ug " + " SET DsEmail = :dsEmail" + " WHERE idUser = :idUser")
  12. 12. Step 4 Use JSTL carefully
  13. 13. JSTL Wrong: Correct: Why? />/ > c:out escapes the string with html entities like <

Recommended

JENA – Java Framework for Building Semantic Web Applications
JENA – Java Framework for Building Semantic Web Applications
Documents
Securing Debian Howto
Securing Debian Howto
Documents
Bonnes pratiques des applications java prêtes pour la production
Bonnes pratiques des applications java prêtes pour la production
Technology
Excel, .NET 및JAVA 환경에서사용가능한 Java Web COM .NET Deploying Applications with MATLAB.exe…
Excel, .NET 및JAVA 환경에서사용가능한 Java Web COM .NET Deploying Applications with MATLAB.exe…
Documents
Palestra sobre Securing DMZ
Palestra sobre Securing DMZ
Documents
Securing America’s Future: Global Education for a Global ?· iv SECURING AMERICA’S FUTURE: GLOBAL…
Securing America’s Future: Global Education for a Global ?· iv SECURING AMERICA’S FUTURE: GLOBAL…
Documents
Securing Java in the Server Room
Securing Java in the Server Room
Technology
Building Java HTML5/WebSocket Applications with ??Building Java HTML5/WebSocket Applications with JSR 356 . ... ServerEndpointConfig serverConfiguration = (
Building Java HTML5/WebSocket Applications with ??Building Java HTML5/WebSocket Applications with JSR 356 . ... ServerEndpointConfig serverConfiguration = (
Documents
Industrial Programming Java - Lection Pack 02 - Distributed applications - Lavrentyev Fedor
Industrial Programming Java - Lection Pack 02 - Distributed applications - Lavrentyev Fedor
Software
GRIS - Securing DMZ - Palestra sobre Securing DMZ
GRIS - Securing DMZ - Palestra sobre Securing DMZ
Documents
Java EE Java Enterprise Edition. Java EE - Objectifs Faciliter le développement de nouvelles applications à base de composants Intégration avec les systèmes
Java EE Java Enterprise Edition. Java EE - Objectifs Faciliter le développement de nouvelles applications à base de composants Intégration avec les systèmes
Documents
HACKING & SECURING ASTERISK
HACKING & SECURING ASTERISK
Documents
View more >