java.lang.ClassNotFoundException: org.springframework.security.access.expression.SecurityExpressionHandler when using tag
When I checked my WEB-INF/lib folder I found that I had different versions of the spring-security jars: some were 3.1.4 and others 3.0.2. It's working well now with all jars on version 3.1.4! Thank you Luke, your comment gave me the answer!

Categories : Spring

Explain the difference between Java *client* security concerns and *server* security concerns
Generally speaking you don't see many CVEs that affect the server side because the server side virtually never runs user-provided code (or an attacker's code). The vulnerabilities on the server side are mostly failures to properly handle input, and issues with configuration, so not Java's fault. The client side however (applets being a great example) has lots of CVEs because the user's local JVM is actually running bytecode that was provided by the attacker. Vulnerabilities in the JVM can then be triggered and exploited. These same vulnerabilities are usually present on the server side, but they aren't accessible to attackers. Another reason you don't see many server side CVEs is because most of the server side vulnerabilities are application/implementation specific, and only affect t

Categories : Java

Java Unsigned Applet - Passing VM-argument "java.security.policy" is ignored?
<PARAM name="java_arguments" value="-Djava.security.policy=C:Frustrated.policy">
If it were possible to establish a custom policy through an applet parameter, that would be a (severe) security bug. As an aside, given this is for "purely academic reasons" I'll add one of my common pieces of advice re. applets and academia. Why code an applet? If it is due to a spec. by the teacher, please refer them to Why CS teachers should stop teaching Java applets.

Categories : Java

java.security.InvalidKeyException: Algorithm not supported with Java WS Core 4.0.8
Ok so I figured out what the problem was. I was converting the certificate to PEM from PKCS using:
openssl pkcs12 -in cert.p12 -out usercert.pem -nokeys
openssl pkcs12 -in cert.p12 -out userkey.pem -nocerts -nodes
Apparently this only extracts the private key from the certificate file but does not actually convert it to PEM format. For that I had to use the following command:
openssl pkcs12 -in cert.p12 -nocerts -nodes | openssl rsa -out userkey.pem -des3
This outputs the private key in the required format and grid-proxy-init works fine now.

Categories : Misc

java mvc authorization without spring security
You should still look at Apache Shiro and/or Spring Security. However Spring Security (and container security for that matter) are not so friendly for REST API security. For Spring you will need to implement a custom AuthenticationEntryPoint to avoid the redirect on 403. Shiro might be a little easier for REST API. If you want to do it yourself without dependencies or complexities you should look into writing a Servlet Filter and/or leverage container security. A compromise might be this SecurityFilter project. However if you need Roles, ACLs etc. you should seriously reconsider Shiro or Spring Security.

Categories : Java

Declarative security for java ee application
Have you created an authorized user of testgroup with the file realm? If not, you should follow the instructions at the following link: http://docs.oracle.com/javaee/6/tutorial/doc/bncbx.html#gjjlk

Categories : Java

Java 7 security restrictions for applets
Some information can be found in Do java applets have to be signed with trusted cert authority with new v7 update 21? and http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html There will be more restrictions in the next scheduled security update in October 2013. One requirement will be to switch from a self-signed applet to a certificate from a trusted authority.

Categories : Java

Java Security Manager: how to specify "No Permission"?
Simply don't add any permissions lines. Classes will typically be given permissions to read their own code and resources. (See the API docs for java.io.FilePermission.)

Categories : Java

Java Web Application Role Only Security
Ok, finally I've found a solution that is actually described in this article in the 'Using Identity Assertion for Web Application Authentication' section: I've added these lines into the web.xml:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
and that worked.

Categories : Java

What replaces Java's sun.security packages?
As of now there are no direct replacement packages from Oracle. If you don't have any plan to run your code in any non-Sun/Oracle JVM this is not an issue. These warnings are meant for highlighting code portability issues with other JVM implementations. If you want to run the code in another JVM you should use the equivalent libraries provided by that JVM. I am not sure what you meant regarding portability; AFAIK (haven't tested, read it somewhere) sun.security is available in jdk1.7, not sure about availability in upcoming releases.

Categories : Security

Security issue with jnlp jar for java swing
Especially if you are using a self-signed certificate, you should review Java Applet & Web Start—Code Signing and the new security prompts introduced in Java version 7u21.

Categories : Java

java security restrict access to jar or packages
The following method on the above code solved my problem:
@Override
public void checkPackageAccess(String pkg) {
    super.checkPackageAccess(pkg);
    System.out.println("checkPackageAccess.." + pkg);
    if (!accessOK()) {
        if (pkg.startsWith("my.specialpackage.path")) {
            throw new SecurityException("No access to " + pkg);
        }
    }
}

Categories : Java
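As an added example that is not part of the answer above, here is a complete SecurityManager along the same lines: it keeps the JDK's own checkPackageAccess behaviour and additionally denies a protected package unless a per-thread flag is set. The PackageGuard class, the accessOK/withAccess helpers and the package name are assumptions of this example (the answer's own accessOK() is not shown). SecurityManager is deprecated since Java 17, and JDK 18+ only allows installing one at runtime with -Djava.security.manager=allow.

```java
import java.security.Permission;
import java.util.function.Supplier;

// Added example (not the answer's code): a SecurityManager that denies access to a
// protected package unless the current thread has explicitly been granted it.
public class PackageGuard extends SecurityManager {
    // Hypothetical protected package, following the answer's "my.specialpackage.path".
    static final String PROTECTED_PREFIX = "my.specialpackage.path";

    // Per-thread "privileged" flag: the analogue of the answer's accessOK().
    private static final ThreadLocal<Boolean> ACCESS_OK =
            ThreadLocal.withInitial(() -> Boolean.FALSE);

    public static boolean accessOK() {
        return ACCESS_OK.get();
    }

    // Run a task with access to the protected package, restoring the previous state afterwards.
    public static <T> T withAccess(Supplier<T> task) {
        Boolean previous = ACCESS_OK.get();
        ACCESS_OK.set(Boolean.TRUE);
        try {
            return task.get();
        } finally {
            ACCESS_OK.set(previous);
        }
    }

    @Override
    public void checkPackageAccess(String pkg) {
        super.checkPackageAccess(pkg); // keep the JDK's own restricted-package checks
        if (!accessOK() && pkg.startsWith(PROTECTED_PREFIX)) {
            throw new SecurityException("No access to " + pkg);
        }
    }

    // Permissive for every other permission so the demo only exercises the package check.
    @Override
    public void checkPermission(Permission perm) { }

    @Override
    public void checkPermission(Permission perm, Object context) { }

    public static void main(String[] args) {
        System.setSecurityManager(new PackageGuard());
        SecurityManager sm = System.getSecurityManager();

        // Outside withAccess the protected package is denied.
        try {
            sm.checkPackageAccess(PROTECTED_PREFIX + ".internal");
            System.out.println("unexpected: access granted");
        } catch (SecurityException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }

        // Inside withAccess the same check passes; an unrelated package is never affected.
        String result = withAccess(() -> {
            sm.checkPackageAccess(PROTECTED_PREFIX + ".internal");
            return "granted inside withAccess";
        });
        System.out.println(result);
        sm.checkPackageAccess("com.example.unrelated");
        System.out.println("unrelated package allowed");
    }
}
```

The flag is a ThreadLocal rather than a static boolean so that a privileged block on one thread does not open the package for every other thread in the JVM at the same time.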

java.security.AccessControlException: access denied
Writing to files is not currently supported in App Engine. Source: https://developers.google.com/appengine/kb/java?csw=1#writefile The High Replication Datastore (HRD) is fairly easy to use and even easier with projects like Objectify (https://code.google.com/p/objectify-appengine/). I would suggest checking that out.

Categories : Google App Engine

java.security.NoSuchAlgorithmException: Algorithm PBKDF2WithHmacSHA1 not available
Please try to install the Bouncy Castle cryptography provider. It can be found starting from here. Look for PBKDF2WithHmacSHA1 on the front page and you will see that it is supported.

Categories : Java

Get rid of Signed Java Applet Security Dialog
The best way to get rid of the dialog is to import the certificate into the JRE trusted certificate store. Another solution is to modify the Java policy file. Just have a look into Oracle's documentation: http://docs.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdl

Categories : Java

Lotus Notes Agent - Java Security Error
First look at what the error actually is: Access denied (java.lang.RuntimePermission exitVM.0). You are telling the VM to die and you do not have the rights to do this. If you had, you would cause anything else running on that JVM instance to die as well, possibly leading to a hang/crash. Secondly, your code is failing in the ClipboardTest.main() method, which you haven't posted any code for. In the agent properties there is an option to add debug data. This will give you the exact line number that is causing the issue. My guess is you have a System.exit() call in ClipboardTest.main(). It shouldn't be there.

Categories : Java

Spnego keytab test gives a java security exception
I had an error in the login.conf:
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
    storeKey=true
    useKeyTab=true
    keyTab="file:///C:/sys-spn.keytab"
    principal=sys-spn;
};
The semicolon after required should not be there!

Categories : Java

Pending/Approved/Denied workflow security for Java
I'll assume that you are authenticating the users when they click on the given link, because otherwise it's just bad mojo. You can have some privileges assigned to that user and check that to see if you are going to allow the approve or not.

Categories : Java

Java applet security when using rxtx and build 1.7.0_25-b15
When we got that error message with Java 1.7.0_25 the reason was an additional blank after all-permissions in the manifest file. So check whether there is any whitespace between "Permissions: all-permissions" and the following line break.

Categories : Java

Java Security - RSA Public Key & Private Key Code Issue
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.KeySpec;
import java.security.spec.RSAPrivateKeySpec;
import java.security.spec.RSAPublicKeySpec;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
class RSA{ public static

Categories : Java

Spring Security: Java Config: How to add the method type?
If you check the documentation of the antMatchers method, you will see that the HttpMethod enumeration can be passed as the first parameter. So something like this should work: http.authorizeUrls().antMatchers(HttpMethod.POST, "/login").permitAll();

Categories : Java

Webservice security header in java client code
You need to add a few more things, and the main problem is how you are defining and using your password. You are on the correct path but here is how you would make a SOAP Axis 1.4 client:
InputStream inConfig = BaseTestCase.class.getClassLoader().getResourceAsStream("axis_client_config.xml");
EngineConfiguration config = new FileProvider(inConfig);
PartnerAPILocator locator = new PartnerAPILocator(config);
inConfig.close();
stub = locator.getSoap();
Stub axisPort = (Stub) stub;
axisPort._setProperty(UsernameToken.PASSWORD_TYPE, WSConstants.PASSWORD_TEXT);
axisPort._setProperty(WSHandlerConstants.USER, "ET USERNAME");
axisPort._setProperty(WSHandlerConstants.PW_CALLBACK_REF, new PasswordTokenHandler());
here is my source and

Categories : Java

java.security.NoSuchAlgorithmException: no such algorithm: SHA1WITHRSA for provider BC
Try this, but you should switch to an older Bouncy Castle version. I used 1.45.
byte[] signedData = ...;
byte[] originalData = ...;
CMSSignedDataParser parser = new CMSSignedDataParser(new CMSTypedStream(new ByteArrayInputStream(originalData)), signedData);
parser.getSignedContent().drain();
CertStore certs = parser.getCertificatesAndCRLs("Collection", "BC");
SignerInformationStore signers = parser.getSignerInfos();
Collection<?> c = signers.getSigners();
Iterator<?> it = c.iterator();
while (it.hasNext()) {
    SignerInformation signer = (SignerInformation) it.next();
    Collection<?> certCollection = certs.getCertificates(signer.getSID());
    Iterator<?&g

Categories : Misc

Java EE Security - personal user's data visible only for him
No. Java EE's standard security model does not address this kind of per-user security directly. Rather, you will need to manually. Whenever you handle a request for sensitive data, you need to write code that checks the user's identity and allows or refuses the request. You can find the user's identity via EJBContext::getCallerPrincipal, HttpServletRequest::getUserPrincipal, or using JAAS if you have a working JAAS context. Yes, this is incredibly awkward and painful. No, there is really nothing in Java EE that will make this easier. There may well be third-party libraries that help, but I'm afraid I don't know of any.

Categories : Security
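As an added example that is not part of the answer above (and not a Java EE API), this servlet shows the manual per-user check the answer describes: the owner of each record is compared with the caller principal before any data is returned. The servlet, the in-memory OWNER_OF map and its sample users are constructed for the example; it assumes the javax.servlet API on the classpath and that container-managed authentication has already populated the caller principal.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not a Java EE feature): explicit owner check before returning a record.
public class MyDocumentsServlet extends HttpServlet {

    // Hypothetical record store: document id -> owner user name (constructed sample data).
    private static final Map<String, String> OWNER_OF = new ConcurrentHashMap<>();
    static {
        OWNER_OF.put("doc-1", "alice");
        OWNER_OF.put("doc-2", "bob");
    }

    // Pure decision function so the rule can be unit tested without a container.
    static boolean mayRead(Principal caller, String docId) {
        if (caller == null || docId == null) {
            return false; // not authenticated, or no record requested
        }
        String owner = OWNER_OF.get(docId);
        return owner != null && owner.equals(caller.getName());
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal caller = req.getUserPrincipal(); // set by container authentication
        if (caller == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String docId = req.getParameter("id");
        if (!mayRead(caller, docId)) {
            // Same status whether the record is missing or belongs to someone else,
            // so the response does not reveal which ids exist.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("document " + docId + " for " + caller.getName());
    }
}
```

Keeping the decision in mayRead() means the same rule can be reused from an EJB (with EJBContext::getCallerPrincipal) and tested with a plain Principal, without booting a container.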

Hide "security warning message" in Java Control Panel
Is there any possibility to hide the "security warning message" via java coding? No. If there was, it would be a bug. Depending on what warning is shown, it might be possible to stop it by digitally signing the code. This answer describes one that cannot be changed. This answer goes on to show how it looks when the certificate is generated by the developer. Java has discovered application components that could indicate a security concern. Contact the application vendor to ensure that it has not been tampered with. ...but that is a mixed code warning produced by Java.

Categories : Java

Java 7 update 25 doesn't allow classloading with security manager installed?
Maybe this information will help you find a solution: The release notes for 7u25 state that: The implementation of java.security.AccessController.doPrivileged(PrivilegedAction, AccessControlContext) and AccessController.doPrivileged(PrivilegedExceptionAction, AccessControlContext) have been modified to improve security. Specifically, if a security manager is installed, the AccessControlContext is not created by system code and the caller's ProtectionDomain has not been granted the security permission (java.security.SecurityPermission) createAccessControlContext, then the action is performed with no permissions. See the method "findClass" in URLClassLoader. Note that it searches for a class within an AccessControl.doPrivileged block. Hope this helps, I am struggl

Categories : Java

Java Web Start security warning despite using all-permissions and privileged action
The solution is a big hack, but it's all I could find. Going off of information here, the JWS security manager doesn't have the RMI code listed as trusted code because it was loaded under a separate class loader. Because the code didn't originate from the JNLP, JWS doesn't let it run with the all-permissions security. The hacky fix for this was simply wrapping each lookup with something like:
Topic topic = null;
SecurityManager prevSecurityManager = System.getSecurityManager();
try {
    System.setSecurityManager(null);
    topic = (Topic) context.lookup(name);
} finally {
    System.setSecurityManager(prevSecurityManager);
}
Setting the SecurityManager to null bypasses the JWS security manager, letting the default one take over. Eventually, I want to find a way to add the RMI code t

Categories : Java

XCode import public key file generated with Java Security
Your Java code does not create a real certificate. You generated a public key. How to get PublicKeyRef from a Java generated public key is described in this post. You can read this public key in Xcode from a file, but then you need to do some additional stuff.
- (NSData *) extractPublicKeyFromRawFormattedKey: (NSData *) rawFormattedKey {
    /* Now strip the unnecessary ASN encoding guff at the start */
    unsigned char * bytes = (unsigned char *)[rawFormattedKey bytes];
    size_t bytesLen = [rawFormattedKey length];
    /* Strip the initial stuff */
    size_t i = 0;
    if (bytes[i++] != 0x30) return FALSE;
    /* Skip size bytes */
    if (bytes[i] > 0x80) i += bytes[i] - 0x80 + 1;
    else i++;
    if (i >= bytesLen) return FALSE;
    if (bytes[i] != 0x30) return FALSE;
    /* Skip OID */
    i += 15;
    if (

Categories : Java

java.security.InvalidAlgorithmParameterException while jClouds MS Azure Blob put operation
This issue has been resolved. The code which is invoking the REST PUT for Azure blob storage was somehow not able to load the Java default trust store. It was fixed by adding the lines below to load the default cacerts:
System.setProperty("javax.net.ssl.trustStore", PATH_TO_CACERT);
System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD);

Categories : Java

In Java, is it a security issue to expose the ID of a thread to arbitrary threads?
Since a thread ID cannot be used to kill the thread (directly), it is safe to use. As applications can assign thread IDs at the time of creating threads, I believe its usage is only to help you debug the application when you are looking at logs, thread dumps, etc. Also, as this link explains, it is not hard to get a list of threads that are running in the JVM. As long as you are aware of the fact that thread IDs can get reused after a thread has died, and your app's logic takes care of that, you should be alright.

Categories : Java

AES password security using CryptoJS on client and Java's Cipher on server
You are passing a passphrase instead of a key at the client side. So it will do OpenSSL key derivation, probably generating an IV in there as well. Performing "SecretPassphrase".getBytes() is something that you should never do either. Use hexadecimals if you want your key to be text, and convert it into binary using hexadecimal decoding.

Categories : Java
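As an added example that is not part of the answer above, here is the server side done the answer's way: the key is supplied as a hex string, decoded to raw bytes and length-checked, and each message gets its own random IV. The AesKeyHandling class, its helpers and the sample key are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not the answer's code): AES with a hex-encoded key and a fresh IV per message.
public class AesKeyHandling {
    static final int IV_BYTES = 12;   // 96-bit IV, the recommended size for GCM
    static final int TAG_BITS = 128;  // full-length authentication tag

    // Hex-decode a key string; rejects odd length or non-hex characters.
    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character in key");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // Only 128/192/256-bit keys are valid for AES; anything else is a configuration error.
    static SecretKeySpec keyFromHex(String hex) {
        byte[] k = hexToBytes(hex);
        if (k.length != 16 && k.length != 24 && k.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + k.length);
        }
        return new SecretKeySpec(k, "AES");
    }

    // Returns IV || ciphertext || tag so the receiver never has to guess the IV.
    static byte[] encrypt(SecretKeySpec key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKeySpec key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES); // throws if the tag fails
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key; in practice generate it with KeyGenerator and share it out of band.
        SecretKeySpec key = keyFromHex("000102030405060708090a0b0c0d0e0f");
        byte[] msg = "hello".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(key, msg);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(key, blob)));

        // The mistake from the question: a passphrase string is not a hex-encoded key.
        try {
            keyFromHex("SecretPassphrase");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

CryptoJS does not implement GCM, so if the browser side really is CryptoJS, use AES/CBC/PKCS5Padding here with the same explicit IV, and on the client parse the key with CryptoJS.enc.Hex.parse rather than passing a passphrase string, which is what triggers the OpenSSL-style key derivation the answer mentions.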

java.security.spec.ECPublicKeySpec error while using cfpop in Coldfusion 10
The error makes me think they probably do not have either the cert or the intermediate cert in their Java keystore. Check out this post: http://www.coldfusionmuse.com/index.cfm/2005/1/29/keystore To fix it you have to "import" the certificate into the keystore. Welcome to the world of Java and SSL :)

Categories : Java

JButton and ActionListener producing several exceptions in java.awt, security, and event?
Your problem is that you are declaring the JButtons, but not putting them in the instance variables reserved for them. You can fix this by replacing lines like: JButton rightbutton = new JButton("Right Button"); with: rightbutton = new JButton("Right Button"); The first form declares local variables that overshadow the instance variables, so the instance variables disappear. The null pointer exceptions happen when a listener tries to access an instance variable, which is actually null because it has never been initialized. Another way you can fix this problem is by using event.getSource() instead of using the instance variable, in which case the instance variables become superfluous.

Categories : Java

What Java classes/packages are safe to whitelist in a security sandbox?
I suspect you'll discover that instead of starting with a general-purpose programming language and figuring out how to give people access to that and make it safe, it's safer going the other way. My approach would be to start with a domain-specific language and give it access to a sandbox - the aspects of your program's environment which you're willing and happy to have modders affect.

Categories : Java

How to evaluate a SpEL Security expression in custom java code?
I managed to achieve exactly this without any new annotations. The first thing you need to do is wrap your menu item in a sec:authorize tag, where the sec namespace is from the Spring Security taglibs. We use: <sec:authorize access="hasRole('${menuItem.permission}')"></sec:authorize> where ${menuItem.permission} is the permission field of the current menuItem object (we're looping through menuItems that we've retrieved from the server). The SpEL hasRole() is implemented by Spring in the org.springframework.security.access.expression.SecurityExpressionOperations class. That won't give you security though, it'll just make the GUI nice. The server also needs to be secured with something like this: @PreAuthorize("hasRole('...')") The @PreAuthorize annotation is also from spring

Categories : Spring

need spring security java config example showing basic auth only
UPDATE: This is fixed in Spring Security 3.2.0.RC1+
This is a bug in the Security Java Configuration that will be resolved for the next release. I have created SEC-2198 to track it. For now, a workaround is to use something like the following:
@Bean
public BasicAuthenticationEntryPoint entryPoint() {
    BasicAuthenticationEntryPoint basicAuthEntryPoint = new BasicAuthenticationEntryPoint();
    basicAuthEntryPoint.setRealmName("My Realm");
    return basicAuthEntryPoint;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .exceptionHandling()
            .authenticationEntryPoint(entryPoint())
            .and()
        .authorizeUrls()
            .anyRequest().authenticated()
            .and()
        .httpBasic();
}
PS: Thanks for

Categories : Spring
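As an added example that is not part of either answer, here is a complete Java configuration covering both the antMatchers(HttpMethod, ...) point from the earlier entry and the basic-auth-only setup from this one, written against the Spring Security 3.2 GA API (authorizeRequests() replaced the release candidate's authorizeUrls()). It works through Spring Security 5.x; WebSecurityConfigurerAdapter was removed in 6. The class name and the /login and /health paths are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

// Added example (not the answers' code): HTTP Basic only, no form login, no redirect on 401.
@Configuration
@EnableWebSecurity
public class BasicAuthOnlyConfig extends WebSecurityConfigurerAdapter {

    // Unauthenticated requests get 401 + WWW-Authenticate instead of a login-page redirect.
    @Bean
    public BasicAuthenticationEntryPoint entryPoint() {
        BasicAuthenticationEntryPoint ep = new BasicAuthenticationEntryPoint();
        ep.setRealmName("My Realm");
        return ep;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
                .authenticationEntryPoint(entryPoint())
                .and()
            // Basic auth carries credentials on every request, so no server-side session is needed;
            // STATELESS also avoids session-fixation style problems for an API.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // HttpMethod as first argument: only POST /login is open, GET /login is not.
                .antMatchers(HttpMethod.POST, "/login").permitAll()
                .antMatchers(HttpMethod.GET, "/health").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

Because the matchers are evaluated in order, the two permitAll() rules must come before anyRequest().authenticated(); reversing them would silently require authentication for everything.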

*What* Java "security settings have blocked a local application from running"?
It was officially stated (Oracle's response to my school-team's email) that some older remains of virtual machines may actually cause security alerts with applets even if you set security settings to absolute minimum (had it many times with my applet). I guess it is a school/study work (as it is an applet), so it is probably worth trying to run it directly by appletviewer.

Categories : Java

Java SE Security features to protect application data from the user
Is Java SE SecurityManager applicable to protect sensitive application data from the user? No. Whatever security Java provides is all for the user, not for 'protecting us/our code from the users'.

Categories : Java

How to implement a user level security and restriction to access jsp pages in java?
Based on my recent investigation, the most common options to implement security in Java are: JAAS, Spring Security, Apache Shiro. Since you seem to be looking for rather basic mechanisms for permission checks, Apache Shiro may be the best option to start with: it is simpler than the others, integrates with the Spring Framework and also has built-in JSP integration (a tag library to add permission checks right in your JSP page).

Categories : Java

Security concerns of passing around a Java Connection to multiple public functions
Yes, it is possible that the Connection object can run malicious queries. And: No, I don't know a way to prevent this as the Connection (or a DataSource) is needed by the code that executes queries. Some type of this is used e.g. for connection pools. From connection pools you get a Connection object where e.g. the open() and close() methods do not work as intended (as the pool wants to close the connection if needed). And so a connection pool could also override other methods (as Connection is only an interface).

Categories : Java

© Copyright 2017 w3hello.com Publishing Limited. All rights reserved.