Security Libraries and Frameworks for Java
I recently read that OWASP ESAPI will be discontinued and no longer be updated. Is there an alternative to OWASP ESAPI for Java and for Spring based Web Services?
I successfully deployed a Spring application into AWS Elastic Beanstalk which is going to be used as a REST endpoint by an Angular app deployed into the CloudFront service. I want to encrypt the communication between Angular and Spring with SSL. What… Continue reading Configure Spring application deployed in AWS Elastic Beanstalk to use SSL
Short version: Is it not recommended to store sessionId in log files/database in plaintext (considering it may put active sessions at risk)? If yes, why do I see many queries on how to log sessionId?
Details:
I have come across multiple re… Continue reading Storing Session Id in application logs
I am designing the authentication and authorization flow of my mobile and web applications. I plan to use the AWS Cognito identity provider.
Use AWS Amplify and signup the user from the front-end.
Question: The signup will happen totally … Continue reading Rest Services Authentication and Authorization with AWS Cognito
In the CSRF implementation of Spring Security (https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java#L57) they first "delete" the XS… Continue reading Why does Spring Security unset and set the same Cookie in one Request?
I have recently picked up the oauth2 spec and decided to use keycloak as an auth server. I am facing difficulties in a certain aspect. I want to be able to request multiple access tokens with narrow scope when a user is first authenticated… Continue reading Scope Narrowing Access Token with Refresh token
I am having problems defining the flow of an application that is supposed to be authenticated / authorized securely with an SPA frontend. Currently using an SPA with a Spring application server as a backchannel / client for OAuth2. The s… Continue reading SPA Oauth2 and Backchannel (Client)
Several of my Spring Security based projects expose a RESTful API that support the full range of HTTP verbs: GET, POST, PUT, PATCH, DELETE, etc. For those projects only using GET and POST, everything works as expected. When using PUT, howe… Continue reading Understanding the difference between POST and PUT when securing against CSRF
I have been struggling to set up Spring Boot properties programmatically. I know how to set them up from the application.properties file,
but I would like not to use application.properties because in my use case the application properties file is … Continue reading Spring Boot, Set Up Spring Properties From Java Pojo not from application.properties [migrated]
I want to create an Angular 9 + Spring Boot application with strong security compliant with the PCI-DSS security standard.
Which security protocol is preferred for user sessions in order to have high security when we use Angular and Spring Boot:
… Continue reading Which Authentication mechanism to choose for PCI-DSS system