Java, Secure Development and other IT related Thoughts

  • My two security sessions at JavaOne 2014

    Awesome news today, my two security sessions at JavaOne 2014 have been accepted! I’ll be speaking about Security starts in the head(er) (CON2371) and 7 security tools and libraries every developer should know (CON2585) (see the session information below). Flight and hotel are booked; hope to see you in San Francisco! Security starts in the…

  • JSF stateless views and CSRF protection

    JavaServer Faces (JSF) – especially since version 2.2 – provides a good Cross-Site Request Forgery (CSRF) protection. To achieve this, every form automatically receives a random hidden token: nothing more to do for the developer, JSF takes care of comparing the token’s value against the one stored in the server-side session. Without the correct…

  • A look back at JavaLand 2014

    JavaLand 2014 is over, and it has been a great first edition of the conference! It was a great privilege speaking there. The sessions I’ve attended were interesting; I ended up with a lot of new ideas for the weeks to come. The different community activities made it really easy to get in touch with…

  • JavaLand interview with Steve Chin / NightHacking

    Unfortunately, today’s recording at JavaLand by Steve Chin (NightHacking) did not work out as expected, but one picture remains:

  • JSF – Referencing resources in stylesheets

    I recently ran into some trouble when trying to show a background image in a JSF page which was included via a stylesheet. When using <h:outputStylesheet library="css" value="styles/styles.css" name="styles.css" /> to include the stylesheet into the JSF page, referencing resources (like images) in the CSS file needs a special URL form. The typical form html…

  • Java-Web-Security – Sichere Webanwendungen mit Java entwickeln

    My (German) book Java-Web-Security – Sichere Webanwendungen mit Java entwickeln is available at dpunkt.verlag since February 25th 2014 and of course in every book store out there.

  • Java Security Myths at Berlin Expert Days on April 3rd/4th 2014

    I’ll be speaking about Java Security Myths at Berlin Expert Days (BED-Con) on April 3rd/4th 2014. Hope to see you there, it’s about time to develop secure Java web applications!

  • JCrypTool 1.0.0 Release Candidate 7 available

    JCrypTool 1.0.0 Release Candidate 7 is available for download! We fixed a lot of bugs, enhanced a lot of features and integrated six new crypto plug-ins:

      • New visualization plug-in Extended RSA
      • New visualization plug-in Signature Demonstration
      • New visualization plug-in Public-Key Infrastructure
      • New visualization plug-in Huffman Coding
      • New visualization plug-in Shanks Babystep-Giantstep
      • New games plug-in Divide…

  • Java-Web-Security: Sichere Webanwendungen mit Java entwickeln

    Early 2014 in a bookstore near you Java-Web-Security: Sichere Webanwendungen mit Java entwickeln (German only, at least at the moment…)

  • JBoss AS 7 context-root manipulation for web services

    I recently had a requirement for web service availability at root context level on JBoss AS 7. Without any configuration, a web service URL (like the rest of the web application) contains the jar’s name, e.g. http://localhost:8080/MyJar/MyService/MyEndpoint, whereas my desired URL looked like http://localhost:8080/MyService/MyEndpoint without the jar’s name. Adding the jboss-webservices.xml file to the META-INF…