Security Libraries and Frameworks for Java
I recently read that OWASP ESAPI will be discontinued and no longer be updated. Is there an alternative to OWASP ESAPI for Java and for Spring based Web Services?
Category Archives: spring-framework
Configure Spring application deployed in AWS Elastic Beanstalk to use SSL
I deployed successfully Spring application into AWS Elastic Beanstalk which us going to be used as Rest endpoint by Angular app deployed into Cloudfront service. I want to encrypt the communication between Angular and Spring with SSL. What… Continue reading Configure Spring application deployed in AWS Elastic Beanstalk to use SSL
Storing Session Id in application logs
Short version: Is it not recommended to store sessionId in log files/database in plaintext (considering it may put active sessions at risk)? If yes, why do I see many queries on how to log sessionId?
Details:
I have come across multiple re… Continue reading Storing Session Id in application logs
Rest Services Aunthentication and Authorization with AWS Cognito
I am designing the authentication and authorization flow of my mobile and web applications. I plan to use the AWS Cognito identity provider.
Use AWS Amplify and signup the user from the front-end.
Question: The signup will happen totally … Continue reading Rest Services Aunthentication and Authorization with AWS Cognito
Why does Spring Security unset and set the same Cookie in one Request?
In the CSRF implementation of Spring Security (https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java#L57) they first "delete" the XS… Continue reading Why does Spring Security unset and set the same Cookie in one Request?
Scope Narrowing Access Token with Refresh token
I have recently picked up the oauth2 spec and decided to use keycloak as an auth server. I am facing difficulties in a certain aspect. I want to be able to request multiple access tokens with narrow scope when a user is first authenticated… Continue reading Scope Narrowing Access Token with Refresh token
SPA Oauth2 and Backchannel (Client)
I am having a problems defining the flow of an application that is supposed to be authenticated / authorized securely with an SPA frontend. Currently using an SPA with a Spring application server as a backchannel / client for Oauth2. The s… Continue reading SPA Oauth2 and Backchannel (Client)
Understanding the difference between POST and PUT when securing against CSRF
Several of my Spring Security based projects expose a RESTful API that support the full range of HTTP verbs: GET, POST, PUT, PATCH, DELETE, etc. For those projects only using GET and POST, everything works as expected. When using PUT, howe… Continue reading Understanding the difference between POST and PUT when securing against CSRF
Spring Boot, Set Up Spring Properties From Java Pojo not from application.properties [migrated]
I have been struggling to set up spring boot properties programmatically. I know how to set up from application.properties file.
but I would like not to use the application.properties because in my use case application properties file is … Continue reading Spring Boot, Set Up Spring Properties From Java Pojo not from application.properties [migrated]
Which Authentication mechanism to choose for PCI-DSS system
I want to create Angular 9 + Spring Boot application with strong security complaint to PCI-DSS security standard.
Which security protocol is preferred for user sessions in order to have high security when we use Angular and Spring Boot:
… Continue reading Which Authentication mechanism to choose for PCI-DSS system