All Questions

1,818 questions with no upvoted or accepted answers

15 votes, 1 answer, 7k views

java - deserialization of untrusted data workaround

Last year we encountered the so-called Java object deserialization vulnerability (not Java's problem, as it looks), which is deserializing an object, which might lead to Remote Code Execution (RCE) or ...

10 votes, 1 answer, 1k views

Unable to send cookie with HTTPOnly flag in request header in safari

I created cookies with the HTTPOnly flag in the Safari browser using Java. See the response header below. Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer:http://anil....

10 votes, 1 answer, 222 views

Annotation based security restriction does not work for web socket triggered method calls

I did some research on this, but I couldn't find the solution. I have a class like this: @Stateless class ConfigBean { @RequiresRole("administrator") public void reloadConfiguration(){ ........

9 votes, 1 answer, 3k views

How to verify old password with Keycloak Admin Java API?

I have an application which uses Keycloak 3.1.x; the application is using the following dependency to interact with Keycloak remotely: <dependency> <groupId>org.keycloak</groupId> &...

9 votes, 0 answers, 3k views

Java - Security - Retrieve CRL data from a Certificate

Goal: Retrieve the Certificate Revocation List information for a given Certificate. Reason: When a java.security.cert.PKIXParameters object is set to enable checking of certificate revocation status ...

9 votes, 0 answers, 354 views

All Site Permissions for jnlp web start file for Mac Yosemite

I am using a WebStart file, launched with a jnlp file. Actually, I downloaded it locally. I used the same jnlp file on a Windows machine; I changed the permissions through the java.policy file. The ...

7 votes, 0 answers, 1k views

How to use JGit https authentication using Kerberos

I am trying to clone a git repository over https from a Windows server. This server uses single sign-on and therefore relies on Kerberos 5. Having little knowledge of that, my simple code: ...

7 votes, 0 answers, 1k views

Passing a custom java security policy file to surefire maven test fails, results in access control error for everything

I'm trying to pass a custom security policy file to surefire to run some tests. (Specifically, I'm adding classes in java.lang to test a profiler and I want permission to define classes in there.) I'...

7 votes, 0 answers, 883 views

Storing secret key in KeyStore without the ProtectionParameter

Until now I have stored my application secrets in the KeyStore with the following code: // creating an instance KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); // ...

7 votes, 2 answers, 1k views

Authorized Flash Client to Java Server connection

I'm building a Flash-based Facebook game with a Java backend, and I'm planning to use a RESTful approach to connect the two of them (not a persistent socket connection). I'm using the AS3 library to ...

6 votes, 0 answers, 406 views

How to avoid java Security Information popup?

Problem: the Java security information popup appears when an applet-based application loads in the browser. When I check "Always trust content from the publisher" and click run, the application runs and ...

6 votes, 0 answers, 473 views

Web Start security level j2ee-application-client-permissions still possible?

According to the JNLP file syntax there are three security levels: sandbox (default if no level is explicitly specified), j2ee-application-client-permissions, all-permissions. In recent Java versions ...

6 votes, 0 answers, 592 views

shiro configuration [urls] section dynamically

I am new to Shiro; I want to use it for securing my web application. I have tested its various features. I have also tested [urls] /login.xhtml = authc /logout = logout /admin/** = user, roles[...

6 votes, 1 answer, 6k views

can I check if a Java applet certificate is trusted before running my applet?

I have a signed applet on a website. Because of this, the Java security dialog appears, and the user needs to grant permission to the applet before it can do its work. What I want to do is this: I ...

6 votes, 2 answers, 1k views

Is it possible to use char[] instead of Strings in a Servlet for password storing?

I read several articles and posts about security regarding (note Comparing input password to stored hashed password in a web app or Why is char[] preferred over String for passwords? Since to ...

5 votes, 0 answers, 778 views

What is best way to secure secret keys with Docker in spring boot application

Recently, I started building a Docker image for my application. The application uses a few secret keys which are used to connect to other microservices. I read about Docker secrets with swarm mode which hold ...

5 votes, 0 answers, 218 views

Load security class with custom classloader

We are creating a javassist-based custom class loader modifying some classes' byte code on loading. Part of the project is also a signed jar containing a security provider. The initialization of the ...

5 votes, 1 answer, 4k views

JSON Injection fix for jackson

My static scan is giving a vulnerability saying I am writing unvalidated input into JSON. It advises that all serialization to JSON is performed using a safe serialization function that delimits ...

5 votes, 0 answers, 1k views

How can I reproduce and prevent the Billion Laughs attack in Java?

After a bit of research, here's a code sample I've come up with that I think should be vulnerable to the Billion Laughs attack. However, it doesn't seem to be working: Done. is printed to the console much ...

5 votes, 0 answers, 399 views

How to get SSH input/output from single command (ssh exec) in Java (current: sshj)?

tl;dr: how can I get I/O when sending an exec command using sshj? Alternatively, what other Java SSH libraries provide a similar level of abstraction but might work better for my use case? Apart from ...

5 votes, 0 answers, 1k views

RSA_padding_check_PKCS1_type_1:block type is not 01

When decrypting on Android I got the error: javax.crypto.BadPaddingException: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 My code is as follows: cipher = ...

5 votes, 2 answers, 3k views

Impacts of changing Java default truststore password

I recently had to add my corporate root CA (based on AD CS) into the JRE default truststore (the $JAVA_HOME/lib/security/cacerts file). I then discovered (as I am new to this) that the default ...

5 votes, 0 answers, 2k views

OAuth2 - handle password change in Spring Security

I'm implementing OAuth2 for my REST Service (password grant type) with the help of the Spring Security module. I'm using PostgreSQL as my Token Store. All works fine, but I need to add the possibility to ...

5 votes, 0 answers, 468 views

OAuth2 and email authorization for REST API backend

Overview: I am building a RESTful API application as a mobile/web backend (let's call it MyBackendApp) and I'm looking for a contemporary solution for both Authentication AND Authorization of app users. ...

5 votes, 2 answers, 13k views

Failed to create WebSocket connection when Spring Security is on

I'm using a Java WebSocket client that subscribes to a Spring Boot based server application. Everything worked just fine, but after adding support for Spring Security in order to authenticate and ...

5 votes, 1 answer, 244 views

Java Security Error

When I run my jnlp file WelcomeApplet.jnlp this security message displays on the screen: Application Blocked by Java Security. I checked on the Internet; there are three security levels: very high, ...

5 votes, 0 answers, 2k views

Spring OAuth2 restrict user to authenticate via a client

I am implementing a Spring OAuth2 application where I have different clients using a resource. The clients are mobile applications, so I use the Resource Owner Password Flow. There are 2 roles in ...

5 votes, 0 answers, 2k views

java.security.SignatureException Signature length not correct: got 128 but was expecting 512

I am using the Shibboleth OpenSAML (http://shibboleth.net/downloads/java-opensaml/) library for SAML and recently, after upgrading the libraries (the reason for the upgrade was a NoSuchMethodError), the server ...

5 votes, 4 answers, 3k views

ApacheDS and Kerberos Setup

I am tasked with setting up an ApacheDS 2.0.0 LDAP + Kerberos (including KDC) server for use in our testing environment. I followed this guide, but am unable to successfully authenticate with my LDAP ...

5 votes, 0 answers, 1k views

Java enable MD2 algorithm programmatically

Java 1.7 has disabled the use of the MD2 algorithm due to its weak nature. It is automatically set in the JAVAHOME/lib/security/java.security file as follows: jdk.certpath.disabledAlgorithms=MD2 I'm ...

5 votes, 2 answers, 2k views

antisamy parser force closing tag

I use AntiSamy for validating HTML. My policy allows iframes, like YouTube videos. The problem is: if the tag is empty (like this): <iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=...

5 votes, 0 answers, 909 views

Insert smart card issue while initializing keystore in java

I'm working around eToken using an Applet. I'm initializing the key store using the code below. KeyStore keyStore = null; try { keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI"); ...

5 votes, 2 answers, 310 views

Java latest update security pop up

How should I remove the security pop-up from the developer side? I don't want the user to keep clicking "don't block". I have all my *.jar files signed. Any help? And if I click more information ...

4 votes, 0 answers, 681 views

Keycloak SSO with SAML via webservice call/java api

I'm currently working on a Keycloak client to authenticate the user with SAML 2.0. Instead of redirecting the user to the login page, we want to authenticate the user directly over a webservice ...

4 votes, 1 answer, 3k views

FIPS 140-2 compliant random number generator - Java

I need to write a random number generator that uses an algorithm that is FIPS 140-2 compliant/certified. I am having a tough time finding anything that will work for me. Anyone done this before? I don'...

4 votes, 0 answers, 611 views

securing jax-rs with roles

I'm currently looking into securing jax-rs web services. The following URL is very interesting: https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF256. I am especially looking at the ...

4 votes, 0 answers, 4k views

Path does not chain with any of the trust anchors, when working with custom jks file

2016-11-05T18:34:42.381+0530|Severe: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Path does not chain with any of the ...

4 votes, 0 answers, 439 views

Local jnlp application blocked by java security

I have an HP Proliant remote application card installed in my server, and it uses a java app (jnlp) for KVM access. Due to the incorrect way it's configured, no browser will run the jnlp file it ...

4 votes, 1 answer, 343 views

JPasswordField.getPassword() is still not secured?

Sorry to bring this topic up again, I have carefully read another similar question Why does JPasswordField.getPassword() create a String with the password in it? However I still think there is a ...

4 votes, 0 answers, 140 views

Apache Shiro: How to set principalSuffix in JndiLdapContextFactory?

In Shiro's DefaultLdapContextFactory it was possible to set a principalSuffix. Since DefaultLdapContextFactory is deprecated and JndiLdapContextFactory should be used instead, I wonder how to set a ...

4 votes, 1 answer, 4k views

What is the best way to avoid XPath Injection attack in Java?

I am using XPath to retrieve values from XML. My code scanner breaks the build for the following reason: invokes an XPath query built using unvalidated input. This call could allow an ...

4 votes, 1 answer, 96 views

How to secure application Java code from user code?

In our app, the application loads a user module using a custom class loader. What would be the best way to protect against wild behavior of the user module? We want to prevent: user code modifying any application ...

4 votes, 1 answer, 235 views

Spring + Hibernate = getting error while creating session factory

I am using Hibernate with Spring. I am getting the following error while calling the getCurrentSession method: protected Session getCurrentSession(){ return getSessionFactory().openSession(); } Error: ...

4 votes, 0 answers, 794 views

SOAP KeyInfo values

I am trying to set up my Signature for a SOAP message. The only part I have left is to populate KeyInfo as such: > <KeyInfo> > <wsse:SecurityTokenReference> > <...

4 votes, 1 answer, 286 views

Securing untrusted java code

I have a server application that receives Java code uploaded from its clients, which then needs to be processed according to the method calls inside it. My first thought was compile it, run it, but when ...

4 votes, 1 answer, 644 views

Debugging JNLP security problems

The error messages generally produced by JNLP clients, not least Sun's/Oracle's own Java Web Start client, are oriented towards end users and not very helpful for figuring out the root cause ...

4 votes, 1 answer, 1k views

Java data encryption/decryption

I have a spring-mvc stack that stores data in MySQL. Some of this data needs to be protected, so I am thinking I should encrypt it. Since I may need to use this data later (credit cards, SSN, other) ...

4 votes, 1 answer, 490 views

In-App Billing v3 reliability flaw

First, thanks Google for the new IAB API, which seems to be much easier to use compared to the previous one. Also, the new example is a great leap forward compared to the old one; so far only one crash at ...

4 votes, 1 answer, 2k views

Setting up security in JAVA EE6 Webservice

I am currently researching how Java EE6 Security can secure our applications using GlassFish. I know how to make realms, roles and users. I managed to get a nice basic login with a servlet. 'Normal'...

4 votes, 1 answer, 446 views

Does jar file change the contents of an encoded text file, when we reimport it?

I have a Java application where I need to protect the contents of a text file before it is exported in a jar file. So I encode the file using the Blowfish algorithm provided by "javax.crypto.Cipher". And I ...
