“Security Patterns revealed” Talk at Devoxx08

December 18th, 2008 by nils

This talk was given by Mike Wiesner, Senior Consultant at SpringSource.

Missing input validation is the root of all evil!
– Mike Wiesner, Devoxx 2008

Mike started by showing an overview of the most important security threats in web applications. The top three are cross-site scripting, SQL injection and directory traversal (Example). In other words, by paying attention to proper input validation in your web application, you can prevent about 80% of potential security issues.

He talked in depth about the following patterns:

Intercepting Validator

  • Client-side validation is only a way to make the application more user-friendly; it cannot replace server-side validation
  • JSR 303 – Bean Validation -> AOP can be used as the Intercepting Validator

Single Access Point

  • Reference Monitor with AOP
  • Security is applied through annotations at method level
  • Advantage: security and functionality can be tested separately -> security tests don’t execute application logic, and security can be disabled for functional tests
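
As an added illustration (not code from the talk or from SpringSource), the following Java sketch implements a Reference Monitor as a Single Access Point, using a JDK dynamic proxy in place of full AOP; the RequiresRole annotation, the AccountService interface and the caller's role set are assumptions made for the example.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.Set;

// Hypothetical annotation: the role a caller needs to invoke the method.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface RequiresRole { String value(); }

interface AccountService {
    @RequiresRole("ADMIN") String closeAccount(String id);
    String showBalance(String id);   // no annotation: open to any caller
}

class AccountServiceImpl implements AccountService {
    public String closeAccount(String id) { return "closed " + id; }
    public String showBalance(String id) { return "balance of " + id; }
}

// Reference Monitor: every call enters through this one proxy, which reads the
// annotation off the interface method and checks it against the caller's roles.
class ReferenceMonitor implements InvocationHandler {
    private final Object target;
    private final Set<String> callerRoles;  // stands in for the security session
    ReferenceMonitor(Object target, Set<String> callerRoles) {
        this.target = target; this.callerRoles = callerRoles;
    }
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        RequiresRole required = m.getAnnotation(RequiresRole.class);
        if (required != null && !callerRoles.contains(required.value())) {
            throw new SecurityException(m.getName() + " requires role " + required.value());
        }
        return m.invoke(target, args);  // access granted: delegate to the real logic
    }

    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, Set<String> roles) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(),
                new Class<?>[] { iface }, new ReferenceMonitor(target, roles));
    }
}

public class SecuredServiceDemo {
    public static void main(String[] args) {
        AccountService svc = ReferenceMonitor.secure(
                AccountService.class, new AccountServiceImpl(), Set.of("USER"));
        System.out.println(svc.showBalance("42"));   // allowed
        try { svc.closeAccount("42"); }              // denied: caller lacks ADMIN
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Because the monitor consults only the annotation and the role set, its tests can run against a stub AccountService that does nothing, while AccountServiceImpl is tested directly without the proxy; that is the separation of security tests from functional tests described above.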

These are a few other patterns he mentioned:

  • Role Based Access Control or Role Based Security (Wikipedia article)
  • Role-Rights Definition
  • Controlled Object Factory
  • Data Driven Security
  • Multi-Level Security
  • Security Session

Another interesting thing he mentioned is XACML, a security policy management standard from OASIS that defines security policies in XML.

Apart from the patterns, which are definitely worth looking at, what I took home from this talk is that the most important thing when implementing security is to think. Patterns are just abstract ideas that help you create a good design for your application. They are not blueprints that can be applied blindly.

“JAX-RS: The Java API for RESTful Web Services” Talk at Devoxx08

December 15th, 2008 by nils

This talk was given by Paul Sandoz. He showed a few examples and listed the following existing implementations of JSR 311 (JAX-RS):

He was testing the services on the command line with curl (e.g. curl -v -d x=1 -H "Accept: application/xml" http://localhost:8080/xyz, or with "Accept: application/json" to get JSON instead).

The JAX-RS Overview is supposed to be a good starting point for implementing RESTful web services. His presentation and a zip file with examples can be downloaded from his blog.

“Easy Entity Versioning with Envers” Talk at Devoxx08

December 13th, 2008 by nils

This talk was given by Adam Warski. He is the creator of Envers, a framework that provides entity versioning for Hibernate. It does this by creating additional auditing tables and inserting data into them on insert, update and delete. This creates global revisions, similar to the way it is done in Subversion. To activate versioning for a class, the @Versioned annotation is used. User information is not automatically stored with the revisions, but it can be added by implementing a custom RevisionListener.

Envers is now a Hibernate core module and will be included in the next release of Hibernate.

Here is a link to the current version of Envers

JavaRebel

December 10th, 2008 by nils

Just came across this at Devoxx: JavaRebel – like JVM HotSwap but without all the limitations. And I got a 90 day free license card… Nice!

Let’s go!

December 9th, 2008 by nils

Done! My new website is online… just in time for Devoxx ’08. Tomorrow morning I’ll be heading over to Antwerp and hopefully arrive at around 10:30, in time to miss a boring presentation about JavaFX and instead hear what the IBM people have to say about RFID. Hope to be blogging from there, so stay tuned!


Cheers, Nils