Nils Preusker » Devoxx

“Security Patterns revealed” Talk at Devoxx08

nils — Thu, 18 Dec 2008 10:51:18 +0000

This talk was given by Mike Wiesner, Senior Consultant at SpringSource.

Missing input validation is the root of all evil!
- Mike Wiesner, Devoxx 2008

Mike started by showing an overview of the most important security threats in web applications. The top three are cross-site scripting, SQL injection and directory traversal (Example). In other words, by paying attention to proper input validation in your web application, you can prevent about 80% of potential security issues.

He talked in depth about the following patterns:

Intercepting Validator

Client-side validation is just a way to make the application more user friendly, it can not replace server side validation
JSR 303 – Bean Validation -> AOP can be used as Intercepting Validator

Single Accesss Point

Reference Monitor with AOP
security is applied by annotations on method level
advantage is that you can test security and functionality separately -> security tests don’t execute application logic and security can be disabled for functional tests

These are a few other patterns he mentioned:

Role Based Access Control or Role Based Security (Wikipedia article)
Role-Rights Definition
Controlled Object Factory
Data Driven Security
Multi-Level Security
Security Session

An other interesting thing he mentioned is XACML, a security policy management standard from OASIS that defines security policies in XML.

Apart from the patterns, that are definitely worth looking at, what I took home from this talk is that the most important thing when implementing security is to think. Patterns are just abstract ideas to help creating a good design for your application. They are not blue prints that can be applied blindly.

“JAX-RS: The Java API for RESTful Web Services” Talk at Devoxx08

nils — Mon, 15 Dec 2008 20:04:21 +0000

This talk was given by Paul Sandoz. He showed a few examples and listed the following existing implementations of JSR 311 (JAX-RS):

He was testing the services on a command line with curl (i.e. curl -v -d x=1 -H “Accept: application/xml” http://localhost:8080/xyz or “Accept: application/json”).

The JAX-RS Overview is supposed to be a good starting point to implement RESTful web services. His presentation and a zip file wih examples can be downloaded from his blog.

“Easy Entity Versioning with Envers” Talk at Devoxx08

nils — Sat, 13 Dec 2008 01:03:08 +0000

This talk was given by Adam Warski. He is the creator of Envers, a framework that provides entity versioning for hibernate. It does this by creating additional auditing tables and inserting data to them on update/insert and delete. This creates global revisions, similar to the way it is done in Subversion. In order to activate versioning for a class, the @Versioned annotation is used. User information is not automatically stored with the revisions but can be added by implementing a custom RevisionListener.

Envers is now a hibernate core module and will be included in the next release of hibernate.

Here is a link to the current version of Envers

JavaRebel

nils — Wed, 10 Dec 2008 13:39:18 +0000

Just came across this at Devoxx: JavaRebel – like JVM HotSwap but without all the limitations. And I got a 90 day free license card… Nice!

Let’s go!

nils — Tue, 09 Dec 2008 18:33:21 +0000

Done! My new website is online… just in time for Devoxx ‘08. Tomorrow morning I’ll be heading over to Antwerp and hopefully arrive at around 10:30, in time to miss a boring presentation about JavaFX and instead hear what the IBM people have to say about RFID. Hope to be blogging from there, so stay tuned!

View Larger Map

Cheers, Nils