Category: Java

  • Java-Web-Security – Sichere Webanwendungen mit Java entwickeln

    My (German) book Java-Web-Security – Sichere Webanwendungen mit Java entwickeln has been available at dpunkt.verlag since February 25th 2014 and of course in every book store out there.

  • Java-Web-Security: Sichere Webanwendungen mit Java entwickeln

    Early 2014 in a bookstore near you Java-Web-Security: Sichere Webanwendungen mit Java entwickeln (German only, at least at the moment…)

  • JBoss AS 7 context-root manipulation for web services

    I recently had a requirement for web service availability at root context level on JBoss AS 7. Without any configuration, a web service URL (as the rest of the web application) contains the jar’s name like http://localhost:8080/MyJar/MyService/MyEndpoint whereas my desired URL looked like http://localhost:8080/MyService/MyEndpoint without the jar’s name. Adding the jboss-webservices.xml file to the META-INF…

  • Remove Checkstyle warnings for certain classes

    Checkstyle warnings for generated or automatically filled classes like Messages.java in Eclipse RCP can be annoying. But even without the .checkstyle file under version control, it is possible to deactivate Checkstyle warnings for selected files. First you have to add the SuppressionFilter module to your Checkstyle configuration file: <module name="SuppressionFilter"> <property name="file" value="${samedir}suppressions.xml"/> </module> The…

  • Java Security Myths session at DOAG 2013

    I’ll be speaking about Java Security Myths at the DOAG 2013 conference in Nürnberg. My (German) session is on November 21st at 10 a.m.

  • A little bit more security for Java in the browser

    Oracle just released Java 7 update 21, containing once more many security fixes (install it right away). And some changes for applet usage and handling. First of all, the preference dialog does not contain the low security setting any more. Which forces more user interaction when launching unsigned applets. Unsigned applets therefore require at least…

  • Java in the browser is dead

    So it’s certificates now. Looks like Java applets don’t care about certificate revocation lists at all. Signed applets gain full access to the system. An invalid certificate should prevent that. Which means a certificate revocation list is kind of important. But no, let’s forget about that check. No need to hack the sandbox this time…

  • OWASP Top 10 2013 release candidate published

    The first release candidate of the new OWASP Top 10 2013 was published a couple of days ago (PDF). And the top 10 changed quite a bit (see the project wiki): A1 Injection A2 Broken Authentication and Session Management (was formerly A3) A3 Cross-Site Scripting (XSS) (was formerly A2) A4 Insecure Direct Object References A5…

  • Making Java secure again

    The recent total failure of Java security is neither the first one, nor will it be the last one. Java in the browser (in the form of Java applets) is not secure and will never be secure. Oracle can provide all the security patches they want, the next major security breach is just around the…

  • Java 7 update 11 available, addressing the latest major security flaw

    So, Oracle released Java 7 update 11 today, addressing the latest major security flaw with Java applets. Guess we are safe now for about a week. Of course I strongly recommend installing the new release as quickly as possible. But keep Java disabled in your browser! In case you do need a Java applet I’ll…