Prevent XML Entity Expansion in RestEasy - jaxb

I was testing WildFly 8.1 against the XXE vulnerability and I've found a pretty annoying thing. JAXB by default uses secure parsing and respects the entityExpansionLimit property (default 64k). While it works in Spring MVC, in RestEasy it's being ignored (no problem crashing the server with a big expansion).
Does anyone know if it's possible to secure WildFly/RestEasy against XXE? I've found only support for XML External Entity protection (resteasy.document.expand.entity.references=false).

Related

Cross site scripting vulnerability issue for Richtext field

We are using Lotus Notes technology for web application development. In order to make our application more secure, we are trying to fix some security level issues. One such issue that we are trying to fix is: Cross Site Scripting.
Here are the issue details. As part of application functionality, data is getting processed from one web page to another web page to fulfil the workflow process. During the processing of data we require help to handle rich text field data from special characters () to provide security against hacking at third party level, because our application is in the public domain.
Cross Site Scripting vulnerability is one that enables a hacker to place client side scripts (usually JavaScript) into web pages. XSS vulnerabilities generally occur when an application takes user input and outputs it in a page without validating, encoding or escaping it.
We are trying to solve the above issue for CKEditor (third party tool) being used in our application. The CKEditor contains rich text field data. We are unable to handle the request from the backend to prevent the hacker from altering the request parameters.
For your kind information, we are using Domino Release 9.0.1 FP4 on Windows/Longhorn 6.2 Intel and the version of CKEditor is 4.4.6. We searched online for various solutions for handling XSS for rich text fields (CKEditor) but could not find any. We also saw that upgraded CKEditor versions do not provide any fix for the XSS issue.
Kindly provide code level help to handle this issue and fix the XSS vulnerability.
Look at Content Filtering (ACF):
https://ckeditor.com/docs/ckeditor4/latest/guide/dev_acf.html

Reuse of Java Security settings (policy file) in OSGi

We migrated our application to an OSGi based application. We are now running on Felix 4.2.1.
Previously we managed our security using the standard Java Security Model using a policy file. This comes down to providing security manager settings as start up parameters to our Java start up process:
-Djava.security.policy==.policy -Djava.security.manager
Previously, before the migration to OSGi, these exact same security settings were picked up by our application.
Now these security settings don't seem to be applied any more and basically we lost all our Java Security settings.
I have searched here, on the internet, consulted some books and all suggest solutions similar to what is described here, basically granting all permissions to OSGi and enabling OSGi security.
However I could not find any confirmation this is absolutely needed to have Security enabled. For now I would like to avoid changing our security configuration too much for OSGi and reuse what we have.
So, is there a way to reuse an existing Java Security policy file in an OSGi environment? Or am I missing something trivial here?
For Felix you'll need to also add the felix security bundle.
A description of it can be found here.
With that enabled you should be safe re-using your security policies.
We have never found any 'official' confirmation whether this was needed so in the end we decided to bite the bullet and implement OSGi security.

JSON server suggestion on linux platforms

I need to create a JSON service to get and post data from a local and remote http/https server on Linux for my mobile apps (I'm using MySQL as the DB engine).
I tried with Glassfish EJB/JSP (I like Java), but it was kind of frustrating, due to the poor support that my Linux development machine (Mint 13) has for Oracle Glassfish.
In your opinion, what is the best way to make a remote JSON server in that environment? Which alternatives do I have?
If you want to accept and send back JSON, you want a JAX-RS-based service, not a JSP one.
You will most likely use Jersey, RESTEasy, CXF, or similar implementations of the JAX-RS specification.
Sending back JSON from a JAX-RS implementation is trivial; that's what JAX-RS is designed to do. Generally speaking, JSP is used for web applications (where HTML, CSS, images, and JavaScript are returned), while JAX-RS is used for RESTful web services, where JSON, XML, and YAML are returned. You can use JSP to produce JSON, but it is not common.
As far as your overall architecture is concerned, any webserver is fine (Apache, Tomcat, etc.) and you can use either Springframework or a full app server like JBoss or Glassfish. Springframework has its own REST support, but I've used JAX-RS several times with Spring and it works very well. Since you already are using Glassfish, integrating a JAX-RS implementation should be straightforward. This article from Oracle shows you how.
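To make the "trivial" claim concrete, here is an added example (not code from the answer above or from any of the named frameworks) of a minimal JAX-RS resource that lists, fetches and creates JSON records. The Note type, the in-memory store standing in for the MySQL table and the /notes path are constructed for this example; it assumes a JAX-RS 2.0 implementation such as RESTEasy or Jersey with a JSON provider (e.g. Jackson) on the classpath, which is what maps Note to and from JSON.

```java
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;

/** Registers every @Path class in the deployment under /api (no web.xml needed). */
@ApplicationPath("/api")
class RestApp extends Application {}

@Path("/notes")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class NoteResource {

    /** Plain data holder; the JSON provider maps public fields directly. */
    public static class Note {
        public long id;
        public String text;
    }

    // In-memory store standing in for the MySQL table (constructed for this example).
    private static final Map<Long, Note> STORE = new ConcurrentHashMap<>();
    private static final AtomicLong IDS = new AtomicLong();

    // GET /api/notes -> JSON array of all notes
    @GET
    public Collection<Note> list() {
        return STORE.values();
    }

    // GET /api/notes/{id} -> one note, or 404 if unknown
    @GET
    @Path("{id}")
    public Note get(@PathParam("id") long id) {
        Note n = STORE.get(id);
        if (n == null) {
            throw new NotFoundException();
        }
        return n;
    }

    // POST /api/notes with {"text": "..."} -> 201 Created with Location header
    @POST
    public Response create(Note incoming) {
        // Validate untrusted input before it reaches storage: reject missing or oversized text.
        if (incoming == null || incoming.text == null || incoming.text.length() > 1000) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        Note n = new Note();
        n.id = IDS.incrementAndGet();      // server assigns ids; client-supplied ids are ignored
        n.text = incoming.text;
        STORE.put(n.id, n);
        return Response.created(UriBuilder.fromResource(NoteResource.class).path("{id}").build(n.id))
                       .entity(n)
                       .build();
    }
}
```

Deployed to WildFly or Glassfish, a request such as `POST /api/notes` with body `{"text":"hello"}` returns `201 Created` and the stored note as JSON; the id field in the request body is deliberately ignored so a client cannot overwrite another record by choosing its id.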
Well, I guess you need to find a good framework where you feel confident.
I use Zend PHP + Doctrine to serve my apps. Why? I just create simple controllers in a good MVC like Zend and use all the power of Doctrine to handle queries. OK, but why? Because I develop quick and neat code on it.
Best

Concept of JSF, EJB and form based login with JDBC-Realm

I am trying to learn the concepts of Java EE (EJB,JSF...) and therefore I am working on an example application.
Unfortunately I have problems understanding how some concepts should work together and whether I am doing it in a correct professional manner. At this point, I am really confused about all these different methods and hope someone can help me out.
The core functionality of my application consists of a document server where registered users can upload documents and describe them with useful information.
The documents should simply be saved on the server and all information should be stored in a MySQL database.
I created three Projects with Netbeans.
Enterprise Application Project (DocApp)
EJB Module (DocApp-ejb)
and a Web Application Project (DocApp-war).
The main things work fine like
accessing the database with JPA
uploading files with primefaces FileUploader
injecting JSF with EJB
and even the user authorization with JDBC-Realm as shown in this tutorial
http://jugojava.blogspot.de/2011/02/jdbc-security-realm-with-glassfish-and.html
My Problem now is, that all pages in a specific subdirectory should only be accessible by registered users.
The only way I see is to use one SessionScoped ManagedBean, instead of using multiple RequestScoped ManagedBeans.
This seems to be bad practice but I have no idea how to handle this otherwise.
The way I understand it, there should be one ManagedBean for every JSF page (xhtml).
Is there a good way to handle this or am I doing anything wrong?
The default mechanism to give access to a whole subdirectory is adding a security constraint in web.xml for the URL pattern representing that directory.
Every registered user should get a role that represents being registered, e.g. "REGISTERED".
This role is then added to the security constraint in web.xml.
The interaction between JSF and the Servlet container managed security is a little awkward, but it does work.

Securing JSF applications

I've been asked by a freelancer friend of mine to join him on a JSF 2.0 project, and I'm slowly picking up speed and putting the pieces together. Coming from a Windows Forms .NET world, I have a lot to learn to say the least.
My major concern is with the lack of apparent consensus on how to protect a JSF application.
Some methods have been proposed here on SO, including using Spring security, Seam security, custom phase listeners, or simply using the rendered="#{...}" attribute to show/hide components based on user authentication.
I have tried to implement some of these methods, for example Spring security, only to find out that it gets easily defeated by the JSF navigation mechanism that forwards to views instead of redirecting. In other words, Spring security will work fine if the user types in the url of a secured page directly, but not if a h:commandButton's action takes him there.
In view of this, some have suggested to force a redirect by using "faces-redirect=true", but we feel that this could become a performance issue as this causes 2 requests from the browser each time.
On the other hand, I gave up trying to implement Seam security after getting so many missing dependencies errors.
The best solution I have found so far is a custom phase listener from Duncan Mills - Effective Page Authorization In JavaServer Faces, but I'm not 100% convinced this should be used on public facing JSF applications.
So finally, what does this leave us with? I know this is a pretty wide open ended question, but I honestly have no clue where to go next. I'm pretty sure I have followed the different tutorials to the letter, for example Spring tutorials, but I'm still not satisfied with the way it works.
Could anyone at least confirm/infirm the fact that Spring security is supposed to work across JSF forwards, as I've seen many posts by others having the same issue? That would at least give me a direction to keep going.
Thank you.
Combination of a servlet filter for page validation (applied to the faces servlet), an identity session bean (storing user attributes, e.g. role, login id) and a few methods for entitlement checks (e.g. isAdmin(), canViewRecord(recordID)) well used throughout your page.
You see, when it comes to security I opt for not leaving it in anybody else's hands. Also, I validate in several places (hiding a component won't keep folks from forging the right POST request to trigger specific bean methods, so watch out).
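The two answers above (the web.xml security constraint with a REGISTERED role for a protected subdirectory, and the servlet filter that validates every page request) fit together as defence in depth. The following is an added example, not code from either answer: a Servlet 3.0 filter that enforces the same rule as the declarative constraint and is also registered for the FORWARD dispatcher, so the JSF navigation forwards discussed in the question cannot bypass it. The /members/ directory, the login page name and the REGISTERED role name are assumptions for this illustration; the role comes from the container's JDBC realm as described in the question.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Second line of defence behind the web.xml security-constraint: every request that
 * ends up under /members/ (hypothetical directory) must carry an authenticated
 * principal in the REGISTERED role, whether it arrived by a browser GET, a JSF
 * forward, or a hand-built POST aimed at a bean method.
 */
@WebFilter(
    urlPatterns = "/members/*",
    // FORWARD matters: JSF navigation forwards to the target view inside the same
    // request, and a filter registered only for REQUEST never sees that hop.
    dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD}
)
public class RegisteredOnlyFilter implements Filter {

    static final String REQUIRED_ROLE = "REGISTERED";   // role name assumed; defined in the realm
    static final String LOGIN_PAGE = "/login.xhtml";     // page name assumed

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAllowed(request)) {
            if (request.getUserPrincipal() == null) {
                // Not logged in: redirect (not forward) to the login page so the
                // browser's URL changes and no protected view is ever rendered.
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            } else {
                // Logged in but lacking the role: refuse outright.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }
        chain.doFilter(req, res);
    }

    /** The entitlement check itself, kept separate so bean code can reuse it. */
    static boolean isAllowed(HttpServletRequest request) {
        return request.getUserPrincipal() != null && request.isUserInRole(REQUIRED_ROLE);
    }
}
```

The declarative constraint in web.xml (url-pattern /members/*, auth-constraint with role-name REGISTERED, plus a security-role declaration) remains the primary control; this filter only guarantees that the same decision is taken on the forward path and gives managed beans a single isAllowed check to call before performing a privileged action.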
When I work with JSF I use Spring Security.
About the behavior you mention, that Spring Security allows redirections done with command buttons: it is weird, you must have a wrong configuration, because it seems to be working fine in my project (I just tested).
In any case you can also use the Spring Security tags to render or not render components according to the user's role.
This is a project that can help you to implement the tags.
http://www.dominikdorn.com/facelets/
Hope this helps.