JavaCro'15 - Secure Web Services Development - Askar Akhmerov

May 20, 20150 likes1,877 views

HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

This document discusses securing web services using Apache CXF. It covers using SSL and X.509 certificates for encryption, developing a JAX-WS service, managing keystores, implementing WS-Security with CXF and WSS4J interceptors, encryption algorithms, security policies, and includes a demo and references. The agenda includes topics on the use case, SSL basics, the JAX-WS service, keystores, interceptors, encryption identifiers, algorithms, writing policies, and a question period.

Secure WebServices
WSDL first approach with Apache CXF
Askar Akhmerov
askar.akhmerov@smava.de

Agenda
● Use case
● SSL basics
● JAX-WS Service
● Keystores
● WS-Security
● CXF Interceptors
● WSS4J Interceptors

Agenda
● encryptionKeyIdentifier
● Encryption Algorithms
● Write Policy
● Demo
● References
● Questions

SSL basics
● use X.509 certificates and hence asymmetric
cryptography
● encrypt the data of network connections in
the application layer
● used webbrowsersmailsoftware

X.509
● Issuer - certification
authority (CA)
● Authorization and
issuing chains

JAX-WS Service
● prepare xsd
● write wsdl
● generate classes
● write cxf config
● generate client

Keystores Manipulations
● generate private keys
● export keys
● import keys
● maven usage

WS-Security
● Based on policies
o requires wsdl adjustments
● Based on interceptors
o preserves wsdl
o customizations done through code
o customizations done through spring context

WSS4J Interceptors
● Password Callback Class
● WSS4JOutInterceptor (Phase.PRE_PROTOCOL)
o action
o signaturePropFile
o signatureParts
o encryptionPropFile
● WSS4JInInterceptor (Phase.PRE_PROTOCOL)
o action
o signaturePropFile
o signatureParts
o decryptionPropFile

Encryption Key Identifiers
● IssuerSerial (default)
● DirectReference
● X509KeyIdentifier
● Thumbprint
● SKIKeyIdentifier
● KeyValue (signature only)
● EncryptedKeySHA1 (encryption only)

Encryption Algorithms
● http://www.w3.org/TR/2002/REC-xmlenc-cor
e-20021210/Overview.html#sec-Algorithms
● Based on JCE
● http://docs.oracle.com/javase/8/docs/technot
es/guides/security/crypto/CryptoSpec.html

Write Policy
● WS-Policy Declaration
<wsp:Policy wsu:Id="UniqueIdentifier">
<wsp:ExactlyOne>
...
</wsp:ExactlyOne>
</wsp:Policy>
● Policy reference
<wsp:PolicyReference URI="#UniqueIdentifier"/>

Demo
https://github.com/Smava/wssecurity

References
http://cxf.apache.org/docs/ws-security.html
http://www.javaworld.com/article/2073287/soa/secure-web-services.html
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Applications_and_adoption
http://en.wikipedia.org/wiki/X.509
http://msdn.microsoft.com/en-us/library/ff647097.aspx
http://www.ibm.com/developerworks/opensource/library/j-jws18/index.html
http://www.ibm.com/developerworks/opensource/library/j-jws13/index.html
http://www.ibm.com/developerworks/java/library/j-jws14/index.html
http://concentricsky.com/blog/2012/dec/implementing-ws-security-cxf-wsdl-first-web-service
http://www.benoitschweblin.com/2013/03/run-jetty-in-maven-life-cycle.html
http://mojo.codehaus.org/keytool/keytool-maven-plugin/usage.html
http://coheigea.blogspot.de/2013/03/signature-and-encryption-key.html
http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf
http://www.mastertheboss.com/jboss-web-services/apache-cxf-interceptors

Summary
● Use case
● SSL basics
o X.509
● JAX-WS Service
● Keystores
● WS-Security
● CXF Interceptors
● WSS4J Interceptors

Summary
● encryptionKeyIdentifier
● Encryption Algorithms
● Write Policy
● Demo
● References
● Questions

This document discusses service discovery for microservices using Docker and OSGi. It describes how Docker containers can be monitored to dynamically register their services in an OSGi environment. Consul is introduced as a distributed key-value store that can be used for service discovery across multiple hosts. The document concludes with demos of integrating Docker services with OSGi using Consul for service discovery.

Service Discovery in OSGi: Beyond the JVM using Docker and ConsulFrank Lyaruu

ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...Frank Lyaruu

OSGi offers an excellent service discovery mechanism, but it is limited to services inside the JVM. With Docker nowadays it is trivially easy to deploy all kind of (micro) services, using pretty much any technology stack, so we’d like to discover those as easily as the ones inside the JVM. We will have a look at how we can use the Docker API to discover services in other containers, and how we can use Consul to expand service discovery to other hosts.

Scripting Languages in OSGiFrank Lyaruu

This document discusses using scripting languages in OSGi. It describes how to dynamically add, modify, and remove scripts as OSGi bundles by generating bundles from scripts, exposing the scripts as OSGi services, and allowing declarative dependencies. Key points covered include using the JSR-223 Scripting API, generating bundle and manifest files, exposing services through Declarative Services, determining dependencies, and compiling scripts in OSGi. The presentation concludes that combining scripting languages and OSGi bundles is possible but has some challenges around determining dependencies and classloading.

Web application I have always dreamt ofVictor_Cr

Through years of work have been trying many of Java frameworks which provides different level of abstractions on both server and client-side. Pure Servlet+JSP, JSF, GWT, Struts, Spring MVC, Vaadin, Play!, DWR, you name it. Sometimes it felt good, sometimes not, and with each year number of “good” applications reduced to the critical minimum. Later I tried to bring all the good points I had ever seen together to create “a perfect being” and after years of struggling I feel that I have reached the goal. Let me share it…

Introduce wardenHieu Nguyen Trung

Warden is an authentication library for Ruby on Rails and other Rack-based frameworks that provides a simple and consistent interface for authentication. It handles common tasks like strategies, failures, callbacks, user scopes, and sessions. Compared to Devise, Warden has fewer dependencies, supports all Rack apps not just Rails, and has a simpler implementation with only 733 lines of code versus Devise's 8311 lines. The presenter provides a demo to further explain Warden's concepts and usage.

Introduction to the Nancy FrameworkTim Bourguignon

Nancy is a lightweight, low-ceremony, framework for building HTTP based services on .Net and Mono. The goal of the framework is to stay out of the way as much as possible and provide a super-duper-happy-path to all interactions. Find more about it at nancyfx.org. This Slide deck (in English) used at the DWX Conference in Nürnberg in July 2013 and provides you with an overview of the basic elements of the framework. The presentation material as well as the demo code can be found on github at https://github.com/Timothep/Talk.NancyFx

Tokyo Azure Meetup #6 - Azure Monthly Update - JuneTokyo Azure Meetup

WSO2 Microservices Framework for Java - Product OverviewWSO2

JEE Conf 2015: Less JS!_Dewy_

This document discusses reducing JavaScript usage for backend developers by exploring web components, Polymer, and JavaServer Faces (JSF). It provides an overview of web components goals and standards, introduces Polymer and how it builds on web components, discusses JSF and the PrimeFaces component library, and demos how to use Polymer and PrimeFaces. The goals of web components, Polymer, and PrimeFaces are to reduce code, improve readability and reusability through composable elements. Browser support for the various web component specifications is outlined.

Tokyo Azure Meetup #4 - Build 2016 OverviewTokyo Azure Meetup

Hello All, Let's meet and discuss what are the new announcements from Build 2016 and how we can best leverage them in our business! Here are some of the topics we will cover this time: - Azure Functions - Service Fabric - Azure Storage - Document DB - Azure Container Services - Power BI Embedded - ASP.NET Core - Virtual Machine Scale Sets I will be happy to share my experience from the conference, especially the session I visited and also the conversations I had with various Microsoft representatives. Azure is developing faster than ever and Microsoft is driving the platform in very interesting direction that require us to know and work with more and more new technologies! Come and join us to learn more about Azure! I am arranging the venue but my plan for the meetup is to be on April 25-th or April 27-th from 19:30. I will keep you updated on that! Thank you! Kanio

Microservices with Spring BootRasheed Waraich

The document discusses microservices and their advantages over monolithic applications. It defines microservices as small, independent components that are built, deployed, and scaled independently. The document outlines characteristics of microservices like being organized around business capabilities, infrastructure automation, and evolutionary design. It also discusses tools that can help build microservices architectures.

High performance java ee with j cache and cdiPayara

Run your Dockerized ASP.NET application on Windows and Linux!Alex Thissen

This document discusses running Dockerized ASP.NET applications on both Windows and Linux platforms. It introduces Docker containers as a way to deploy ASP.NET applications without needing different frameworks, tooling, or packages for each platform. The document demonstrates how to use Docker containers on Windows and Linux to build and deploy ASP.NET applications in a consistent manner across operating systems.

Service stack all the thingscyberzeddk

SOA Doing RightSchezarnie Racip

In this CAKE LABS Innovation Session, Chamin and Daham present “Doing SOA Right”. Microservices is all about service oriented architecture (SOA) done right, and has become the latest buzzword in the global IT arena. The inherent issue with Microservices in traditional SOA is that when a particular service fails, it affects the other services inherently, thus crippling the entire system. This traditional monolithic architecture defines a single software application which bundles all the features and is deployed.

Building Services with WSO2 Microservices framework for Java and WSO2 ASKasun Gajasinghe

This document provides an overview of building microservices with WSO2 technologies. It introduces microservices architecture and the WSO2 Microservices Framework for Java (MSF4J). MSF4J allows developing microservices using Java annotations in a lightweight and high-performance way. The document demonstrates hands-on examples of creating microservices with MSF4J and deploying them to Kubernetes. It also discusses the current and future state of the WSO2 Application Server, including its integration with other WSO2 products.

Serverless Computing With Azure FunctionsJaliya Udagedara

The document discusses serverless computing with Azure Functions. It provides an overview of serverless computing and how infrastructure is abstracted and resources are managed by cloud providers. Azure Functions are introduced as an event-driven and serverless platform for developing code. Triggers and bindings in Azure Functions define how functions are invoked and interact with inputs and outputs. Security, proxies, performance considerations and demos of Azure Functions are also summarized.

WSO2 Enterprise Service Bus - Product OverviewWSO2

Glass fish performance tuning tips from the fieldPayara

GlassFish Performance Tuning Tips: 1. Use asadmin commands to discover the GlassFish configuration and identify performance bottlenecks like resource limitations. 2. The tuning process involves measuring performance, analyzing the data to identify issues, generating hypotheses for fixes, changing configurations, and retesting. 3. Standard JVM tools and the GlassFish monitoring interface can be used to measure performance and identify issues like garbage collection delays. 4. Potential configuration changes include JVM tuning, modifying default settings, Grizzly HTTP tuning, logging reductions, and datasource optimizations.

Serverless Code Components Shimon Tolts

Gwt cdi jud_con_berlinhbraun

This document discusses using Google Web Toolkit (GWT) with Context and Dependency Injection (CDI). It covers use cases like invoking CDI beans from GWT clients, exposing domain models to GWT, and requirements like seamless integration and reduction of boilerplate. Key concepts discussed include beans, qualifiers, scopes, and how CDI fits into the build and runtime. Examples demonstrate conversation scoped beans and how clients can manage conversations. The document also mentions related technologies and that the Errai project uses the Weld implementation of CDI.

Apache Syncope 2.0 Enduser UIAndrea Patricelli

Since its birth Apache Syncope developers faced the problem (and the challenge) to have an easy-to-use, intuitive, but complete front-end application to let plain users self-registering, managing own profile, resetting their passwords and other self operations. Up to Syncope 1.2, some features used to be provided via the admin console, but the need for a more dedicated tool was raising.Therefore Apache Syncope developers, decided to deliver with Apache Syncope 2.0 an easy-to-use, client-side, highly customizable AngularJS Enduser application. In his work Andrea Patricelli will explain his personal contribution to development of Apache Syncope 2.0, innovative approaches used to develop Enduser, challenges faced while developing and future perspectives opened by this new Apache Syncope module.

JavaEE Microservices platformsPayara

Microservice - Up to 500k CCUViet Tran

This document discusses building a microservices system to handle 500,000 concurrent users (CCU). It outlines monitoring and distributed tracing using OpenCensus and Jaeger to understand performance. It also describes migrating an existing monolith application to microservices using gRPC and Protocol Buffers for inter-service communication. Finally, it discusses using Istio for service mesh capabilities like control plane, dynamic routing, and failure recovery in the distributed microservices architecture deployed on Kubernetes.

ASP.NET Identity - O Novo componente de Membership do ASP.NETEduardo Pires

This document discusses the evolution of membership providers in ASP.NET, from ASP.NET 1.1 which had no membership provider, through ASP.NET 2.0, 4.0, 4.5 and the latest ASP.NET Identity. It provides an overview of the key features of ASP.NET Identity 1.0 and 2.1, including user profile customization, testing, social authentication, Active Directory integration and extensibility. Examples of storage providers other than SQL Server are also listed. The document encourages reviewing the ASP.NET Identity documentation and code samples to learn more.

Shaping serverless architecture with domain driven design patternsAsher Sterkin

This document discusses using Domain-Driven Design (DDD) patterns to structure serverless applications. It introduces DDD concepts like bounded contexts, aggregates, repositories, and CQRS. Bounded contexts separate domains into cohesive models that are loosely coupled. Aggregates define transactional boundaries and ensure data integrity. Repositories provide storage and retrieval of aggregates. CQRS separates commands and queries using different data models. Applying these DDD patterns can help organize serverless applications as they grow in complexity.

Effective cloud-ready apps with MicroProfilePayara

Presented during Payara Japan Tour 2019 (https://blog.payara.fish/payara-on-tour-in-japan). In this session, you'll learn how to develop applications that evolve according to your needs, can easily run in the cloud and integrate with common cloud technologies. We'll start with a simple application, focusing on business logic. MicroProfile framework, powered by a lightweight opensource Payara Micro runtime, will get us started quickly and allow gradual improvements later. MicroProfile contains a lot of components that make developers productive. It allows separating business logic from common concerns like configuration, failure-recovery, REST service calls, context propagation across service calls and securing services. Adding all of these to existing code is easy. It's also easy to introduce new microservices as needed and adopt cloud technologies as your application grows. I'll show you how, in a step-by-step demo. And if time allows, I'll also show how to run and scale your application effectively with Kubernetes in the cloud.

How to generate a REST CXF3 application from Swagger ApacheConEU 2016johannes_fiala

This presentation shows you how you can generate server stubs from a Swagger contract, configure the jaxrs-cxf language to enable Spring-configuration, Spring-Boot integration + tests, automatic BeanValidation on the server side, generate client code for java and javascript, use/integrate swagger-ui, use swagger2markup use custom Swagger-Codegen templates + how you can create your own language implementation.

Wcf OverviewAmit Narula

WCF Basics and Security overview WCF Overview. WCF security model. Attacks and countermeasures. (If Time Permits) WCF exposes endpoints for clients and services to exchange messages. WCF uses addresses, bindings and contracts (ABC model). Bindings specify protocols, encodings and security. The security model includes transfer security modes (none, transport, message, mixed, both) and credentials (Windows, username/password, certificates, tokens). Common attacks include information disclosure, elevation of privilege, denial of service, and tampering. Countermeasures include configuration, authorization and message inspection.

More Related Content

What's hot (20)

WSO2 Microservices Framework for Java - Product OverviewWSO2

JEE Conf 2015: Less JS!_Dewy_

Tokyo Azure Meetup #4 - Build 2016 OverviewTokyo Azure Meetup

Microservices with Spring BootRasheed Waraich

High performance java ee with j cache and cdiPayara

Run your Dockerized ASP.NET application on Windows and Linux!Alex Thissen

Service stack all the thingscyberzeddk

SOA Doing RightSchezarnie Racip

Building Services with WSO2 Microservices framework for Java and WSO2 ASKasun Gajasinghe

Serverless Computing With Azure FunctionsJaliya Udagedara

WSO2 Enterprise Service Bus - Product OverviewWSO2

Glass fish performance tuning tips from the fieldPayara

Serverless Code Components Shimon Tolts

Gwt cdi jud_con_berlinhbraun

Apache Syncope 2.0 Enduser UIAndrea Patricelli

JavaEE Microservices platformsPayara

Microservice - Up to 500k CCUViet Tran

ASP.NET Identity - O Novo componente de Membership do ASP.NETEduardo Pires

Shaping serverless architecture with domain driven design patternsAsher Sterkin

Effective cloud-ready apps with MicroProfilePayara

WSO2 Microservices Framework for Java - Product OverviewWSO2

JEE Conf 2015: Less JS!_Dewy_

Tokyo Azure Meetup #4 - Build 2016 OverviewTokyo Azure Meetup

Microservices with Spring BootRasheed Waraich

High performance java ee with j cache and cdiPayara

Run your Dockerized ASP.NET application on Windows and Linux!Alex Thissen

Service stack all the thingscyberzeddk

SOA Doing RightSchezarnie Racip

Building Services with WSO2 Microservices framework for Java and WSO2 ASKasun Gajasinghe

Serverless Computing With Azure FunctionsJaliya Udagedara

WSO2 Enterprise Service Bus - Product OverviewWSO2

Glass fish performance tuning tips from the fieldPayara

Serverless Code Components Shimon Tolts

Gwt cdi jud_con_berlinhbraun

Apache Syncope 2.0 Enduser UIAndrea Patricelli

JavaEE Microservices platformsPayara

Microservice - Up to 500k CCUViet Tran

ASP.NET Identity - O Novo componente de Membership do ASP.NETEduardo Pires

Shaping serverless architecture with domain driven design patternsAsher Sterkin

Effective cloud-ready apps with MicroProfilePayara

Similar to JavaCro'15 - Secure Web Services Development - Askar Akhmerov (20)

How to generate a REST CXF3 application from Swagger ApacheConEU 2016johannes_fiala

Wcf OverviewAmit Narula

DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado

Firmware analysis often involves searching firmware images for known file headers and file systems like SquashFS to extract contained files. Automated binary analysis tools like binwalk can help extract files from images. HTTP interfaces are common targets for security testing since they are often exposed without authentication. Testing may uncover vulnerabilities like XSS, CSRF, SQLi or command injection. Wireless interfaces also require testing to check for issues like weak encryption or exposure of credentials in cleartext.

Penetration Testing AWSSanjeev Kumar Jaiswal

The document provides an overview of pentesting AWS environments. It discusses differences from traditional pentesting and covers AWS fundamentals like IAM security issues, S3 misconfigurations, and IMDSv1 vs IMDSv2. Hands-on exercises are demonstrated using tools like Flaws.cloud, CloudGoat scenarios, and the Pacu exploitation framework to find and exploit vulnerabilities. Requirements and best practices for pentesting AWS are also outlined.

Enhancing Security of MySQL Connections using SSL certificatesMydbops

Enhancing Security of MySQL Connections using SSL certificates Mydbops MyWebinar Edition 26 In this informative presentation by Mydbops, explore the world of database security as we delve into the steps to fortify your MySQL connections using SSL certificates. Learn about the working of SSL, the benefits of SSL/TLS encryption, the types of certificates available, and the evolution of SSL/TLS in MySQL. Discover why securing your remote connections and data confidentiality is crucial. Plus, find out how to enable SSL connections in MySQL 8.0. Don't miss this opportunity to bolster your MySQL security knowledge. Watch the webinar recording https://youtu.be/aMSUtQVdFks Visit our Mydbops blog https://www.mydbops.com/blog/ for further insights.

Writing secure codeMadhura P M

Deep Dive In To KerberosIshan A B Ambanwela

- Kerberos is a network authentication protocol developed at MIT in the 1980s to allow clients and servers to authenticate each other over a non-secure network using symmetric-key cryptography and tickets. - It uses a central authentication server (Key Distribution Center) to authenticate users and distribute session keys to allow communication between users and services on the network in a secure manner. - The Kerberos workflow involves a client first authenticating with the KDC to obtain a ticket-granting ticket, then using that to request service tickets from the KDC to access specific services.

Securing Microservices using Play and Akka HTTPRafal Gancarz

Going down the microservices route makes a lot of things around creating and maintaining large systems easier but it comes at a cost too, particularly associated with challenges around security. While securing monolithic applications was a relatively well understood area, the same can't be said about microservice based architectures. This presentation covers how implementing microservices affects the security of distributed systems, outlines pros and cons of several standards and common practices and offers practical suggestions for securing microservice based systems using Play and Akka HTTP.

Securing Kafka confluent

Kafka 2018 - Securing Kafka the Right WaySaylor Twift

The path of secure software by Katy AntonDevSecCon

This document discusses 10 controls (C1 through C10) for developing secure software. Each control is described in 1-2 pages and addresses how it mitigates many of the top 10 risks from the OWASP list, including injection, XSS, sensitive data exposure, access control issues, and more. Specific techniques are provided, such as query parameterization to prevent SQL injection, output encoding to prevent XSS, validating all input, secure authentication and authorization practices, encrypting data, and centralized error handling.

Swagger codegen tool to generate REST servicesdhanup123

This document provides an overview of using Swagger code generation to automatically generate RESTful web services code from an OpenAPI Specification (OAS) file. It describes a two-step process where Swagger codegen first generates an OAS file from database schema metadata, then uses that file to generate the Spring Boot code. Key parts that will be generated include REST controllers, services, and data access object (DAO) classes. Customizations are required via custom codegen templates and configuration files. The detailed steps to generate the code via a request to the codegen tool are also outlined.

Arcsight connector supported_products_flyerBloombase

This document lists the various types of connectors that are developed, maintained, tested, and certified by ArcSight for integrating security products and capturing event information. It provides details on the different categories of connectors including anti-virus/anti-spam, application security, databases, firewalls, IDS/IPS, mail servers, networking devices, operating systems, vulnerability assessment, and more. It also lists the specific supported platforms and versions for installing ArcSight connectors.

Using Apache as an Application ServerPhil Windley

Using Apache as an Application Server allows building web applications with less effort by leveraging Apache's support for request processing, security, logging, and other services. The document discusses how Apache modules can integrate application services by running inside the Apache process and having access to the full HTTP request lifecycle. It provides an example Apache configuration and architecture for implementing a rule interpretation engine as an Apache module to deliver dynamic JavaScript for context-aware web pages.

Advancing Apache Nifi Framework Security With David Handermann | Current 2022HostedbyConfluent

Advancing Apache Nifi Framework Security With David Handermann | Current 2022 As a flexible system for processing data to and from a variety of services, Apache NiFi provides a powerful set of capabilities. Configuration integrity and access security are essential framework features. Recent Apache NiFi releases have included a number of security-oriented improvements, ranging from automated HTTPS configuration to externalization of sensitive application properties. This presentation covers the implementation details involved with automatic certificate generation, password-based key derivation, JSON Web Token signing, repository encryption, and sensitive property management using external services. Through a combination of relevant code samples and capability demonstrations, this presentation describes framework security advances that involve both user interaction and application configuration. Providing a basic summary of selected cryptographic algorithm differences, along with code changes, will enable participants to understand the impact of various improvements. Walking through new and improved configuration capabilities allows administrators to optimize deployment security. Highlighting key implementation details encourages software developers to review and incorporate applicable security strategies.

Lightbend Lagom: Microservices Just Rightmircodotta

Microservices architecture are becoming a de-facto industry standard, but are you satisfied with the current state of the art? We are not, as we believe that building microservices today is more challenging than it should be. Lagom is here to take on this challenge. First, Lagom is opinionated and it will take some of the hard decisions for you, guiding you to produce microservices that adheres to the Reactive tenents. Second, Lagom was built from the ground up around you, the developer, to push your productivity to the next level. If you are familiar with the Play Framework's development environment, imagine that but tuned for building microservices; we are sure you are going to love it! Third, Lagom comes with batteries included for deploying in production: going from development to production could not be easier. In this session, you will get an introduction to the Lightbend Lagom framework. There will be code and live demos to show you in practice how it works and what you can do with it, making you fully equipped to build your next microservices with Lightbend Lagom!

Secure coding in C#Siddharth Bezalwar

- The document discusses common web application vulnerabilities like SQL injection, cross-site scripting, and cross-site request forgery. - It provides examples of vulnerable code and outlines secure coding practices to prevent these vulnerabilities, such as using parameterized queries to prevent SQL injection, encoding user input to prevent XSS, and using anti-forgery tokens to prevent CSRF. - Additional topics covered include secure password storage, configuration hardening through web.config settings, and implementation of security controls like encryption and encoding using libraries like ESAPI.

Deep Dive Series #3: Schema Validation + Structured Audit Logsconfluent

Eine weitere neue sicherheitsrelevante Funktion in Confluent Platform 5.4 sind Structured Audit Logs. Jetzt ist natürlich alles in Kafka ein Log, aber Kafka protokolliert nicht, was Kafka mit Kafka macht - nur das, was in einen Topics geschrieben wird. Im dritten Teil der Deep Dive Sessions besprechen wir neben den Structured Audit Logs außerdem die "Weiterentwicklung" der bereits bekannten Schema Registry: Die Schema Validation agiert auf dem Topic-Level und stellt sicher, dass jede einzelne Message, die zu einem bestimmten Topic erstellt wird in der Schema Registry überprüft wird. Mehr dazu erklären wir in unserem Deep Dive #3.

Drupal and security - Advice for Site Builders and CodersArunkumar Kupppuswamy

The recent SA-CORE-2014-005 vulnerability has demonstrated that hackers have learnt how to take advantage of Drupal’s functionality to infect a site and go unnoticed. Site builders and site maintainers have a large role to play in preventing these kinds of disasters. Security doesn’t have to be a pain to implement and plan for. The primary goal of this session is to give people a solid basis in the most common security issues so they can quickly identify those security issues. From there, we'll move into some other common pain-points of site builders like frequently made mistakes, modules to enhance security, and evaluating contributed module quality.

CS166 Final projectKaya Ota

This document describes a final project for a computer science course involving various cybersecurity vulnerabilities and techniques for preventing them. It discusses SQL injection and demonstrates how to prevent it using prepared statements. It also covers cross-site scripting (XSS), cross-site request forgery (CSRF), and ways to mitigate these risks, such as input validation and using synchronized tokens. The project code repository and demo sites for vulnerable and secure code are provided.

How to generate a REST CXF3 application from Swagger ApacheConEU 2016johannes_fiala

Wcf OverviewAmit Narula

DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado

Penetration Testing AWSSanjeev Kumar Jaiswal

Enhancing Security of MySQL Connections using SSL certificatesMydbops

Writing secure codeMadhura P M

Deep Dive In To KerberosIshan A B Ambanwela

Securing Microservices using Play and Akka HTTPRafal Gancarz

Securing Kafka confluent

Kafka 2018 - Securing Kafka the Right WaySaylor Twift

The path of secure software by Katy AntonDevSecCon

Swagger codegen tool to generate REST servicesdhanup123

Arcsight connector supported_products_flyerBloombase

Using Apache as an Application ServerPhil Windley

Advancing Apache Nifi Framework Security With David Handermann | Current 2022HostedbyConfluent

Lightbend Lagom: Microservices Just Rightmircodotta

Secure coding in C#Siddharth Bezalwar

Deep Dive Series #3: Schema Validation + Structured Audit Logsconfluent

Drupal and security - Advice for Site Builders and CodersArunkumar Kupppuswamy

CS166 Final projectKaya Ota

More from HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association (20)

Java cro'21 the best tools for java developers in 2021 - hujakHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

This document discusses Java development tools and best practices. It provides survey results on topics like the most commonly used Java versions, IDEs, frameworks, testing tools, and more. The document also covers new Java features like switch expressions, which allow switch statements to be used as expressions and simplify control flow without needing breaks. Examples demonstrate using switch expressions to yield values from a switch block.

JavaCro'21 - Java is Here To Stay - HUJAK KeynoteHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

The document discusses Java's continued popularity and evolution. It provides statistics showing Java remains the #1 and #3 most popular programming language. It outlines the various JDK releases available and describes how Java continues to innovate through incremental 6-month releases while ensuring backwards compatibility. It also discusses proposals to shift to releasing long-term support versions every 2 years instead of every 3 years to better meet developer and enterprise needs.

Javantura v7 - Behaviour Driven Development with Cucumber - Ivan LozićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v7 - Behaviour Driven Development with Cucumber - Ivan Lozić Behaviour-Driven Development (or TDD for that matter) is one of the pillars of Software Quality. While it is very important, not many of us do it or do not have the support from the management to invest time in it. Commonly, it has been described as a waste of time or an intangible effort conflicting with the deadlines. In this presentation, I would like to share my experiences with the Behaviour-Driven Development, the effects of not having it at all, as well as the outcomes of working on projects where a significant amount of behavior is automated with Cucumber tool. By attending this session you will be able to learn what BDD and Cucumber are, how to build Cucumber tests and hear about first-hand experiences around automating specifications.

Javantura v7 - The State of Java - Today and Tomowwow - HUJAK's Community Key...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

This document provides an overview of the current state and future of Java. It discusses the continued growth and popularity of Java over 24+ years as the #1 programming language. It summarizes the major Java Development Kit (JDK) releases from JDK 8 to the latest JDK 14 final release candidate, highlighting new features, preview features, and long-term support versions. The document also discusses the different open-source and commercial options for downloading the JDK, such as Oracle JDK, OpenJDK, Azul Zulu, and others.

Javantura v7 - Learning to Scale Yourself: The Journey from Coder to Leader -...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v7 - Learning to Scale Yourself: The Journey from Coder to Leader - Daniel Strmečki Your success depends on others, a 1-man army can only achieve so much. The only way to progress from coder to leader is to learn how to scale yourself. Nowadays, you can become a Senior Developer with just a few years of experience. After that, there are many roads and possibilities you can take. Whether you decide for a developer, architect, manager or a mixed career, at one point, you will need to become a leader. In the first chapter of the lecture we will start a discussion on how to get there. Since your time is limited, you need to mentor, coach, motivate and engage others. Start with making a stable foundation, like setting up a proper onboarding process. If you help people around you, they will for sure talk about it, and your manager will hear it. Also, demonstrate ability in everyday work: coding, project management, client-focus, communication and care about others. Always stick to your values and keep high standards. In the second chapter we will discuss the challenges that turn up once you get there. At that point you will deal with people more than technology. You will need to step away from coding for meetings very often. Interruptions will happen every day and it we be very hard to maintain “the flow”. You will need to learn how to delegate and drive topics without implementing them yourself. Visit the lecture to find out some techniques for dealing with interruptions, meetings, prioritization, people and their motivation.

JavaCro'19 - The State of Java and Software Development in Croatia - Communit...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

The State of Java and Software Development in Croatia (Community Keynote) by dr. sc. Branko Mihaljević, Aleksander Radovan, and doc. dr. sc.Martin Žagar at the 8th International Java Conference in Croatia - JavaCro '19 In this community keynote by HUJAK, we want to present and compare the current state of Java and related software development in Croatia, our part of Europe, and worldwide. Therefore, we will start by discussing the latest global trends in software development and what does it mean in our rapidly evolving world full of new technologies based on IoT, Machine Learning and AI, Blockchain, Virtual Reality, and Robotics, to which we must respond to ASAP. Of course, when addressing those contemporary technology trends, we will focus mostly on our country and the region. In the other part, we will discuss the major events in the world of Java that happened in the last few years since Java 8 and Java 9/10/11 were widely adopted. We will see what Java 11 and 12 brought us and what developers are mostly using (or not) and why, as well as what will be there interesting in Java 13 and beyond, including new features from incubator projects Amber and Valhalla, and new ideas from projects Loom, Panama, Skara, and Metropolis. Once again, we are going to take a typical developer’s point of view on software development challenges in this part of Europe, and we will discuss the future of our software developers from the perspective of how to become one (educational institutions and practice) and how to get/earn a good job (local employers and the job market). We intend to close this keynote with details of (y)our favorite Java community aka HUJAK.

Javantura v6 - Java in Croatia and HUJAK - Branko Mihaljević, Aleksander RadovanHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

This document provides information about HUJAK, a Croatian organization that promotes Java and software development. It discusses HUJAK's role in organizing Java conferences in Croatia, supporting STEM education for children, and connecting Java developers. It also summarizes Java's continued popularity and growth, and outlines some of the upcoming projects that aim to further develop the Java programming language.

Javantura v6 - On the Aspects of Polyglot Programming and Memory Management i...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

This is a story about our exploration of aspects of Polyglot Programming and Memory Management in a (J)VM. The first part is focused on our research of performance of GraalVM, an open-source, high-performance polyglot virtual machine written in Java, as well as an accompanying Graal compiler, supporting JIT and AOT compilation, with outstanding inlining and escape analysis algorithms. In the second part we are dealing with aspects of automatic memory management and garbage collection analysis in an existing JVM, thus comparing the most commonly used (older) garbage collectors such as Serial, Parallel (Old), CMS, and G1, with contemporary and default Parallel Full G1, and new experimental ZGC and Shenandoah, across several JDKs using a common benchmark suite.

Javantura v6 - Case Study: Marketplace App with Java and Hyperledger Fabric -...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - How to help customers report bugs accurately - Miroslav Čerkez...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Bugs happen! It is a developers life fact. Let'e explore one way we the developers can help customers to make batter bug reports. During lifecycle of systems and applications that support complex and long running business processes it is often the challenge to get accurate bug report. In this talk we will present one custom developed solution that we used on several our projects as well as our experiences in using this approach.

Javantura v6 - When remote work really works - the secrets behind successful ...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

With several years of remote work experience in an agile environment, working from beautiful Zagreb for clients abroad and trying out different distributed team setups, we will share the motivation and philosophy behind it. We will also cover best practices, challenges and general tips & tricks in different segments such as work organisation, technical requirements, social requirements, methodology etc. This talk is recommended for all developers who want to start working remotely or improve the way they already do it, employers who consider establishing distributed teams inside of their companies and clients searching for partners who have distributed teams.

Javantura v6 - Kotlin-Java Interop - Matej VidakovićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Spring HATEOAS hypermedia-driven web services, and clients tha...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

HATEOAS is without a doubt, the least understood pillar of REST. It seems difficult to implement and shows no immediate reward for it, so many developers don't even bother. The truth is, it just has some bad PR and a horrible acronym that sounds like a breakfast cereal. Join me to take a look at the theory and practice behind using hypermedia by examining both web services and web clients. Along the way we will look at some exciting upcoming Spring HATEOAS features, like the Affordances API, and talk about what the future holds for hypermedia in your web services.

Javantura v6 - End to End Continuous Delivery of Microservices for Kubernetes...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

This document discusses continuous delivery of microservices on Kubernetes. It notes that previously there were challenges like big bang releases, lack of automation, and complexity in delivering business value. However, tools like Jenkins X now allow for reimagined continuous integration and continuous delivery (CI/CD) workflows for cloud native applications on Kubernetes, providing faster feedback and delivery of value. The document encourages ongoing learning and communication to improve processes.

Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Individual microservices are relatively easy to develop, but managing a distributed system composed of microservices is never a simple task. Kubernetes helps, but it falls short of providing everything such a system needs. This is where the Istio Service Mesh comes in. Running microservices in production, you'll soon realize you want things like traffic splitting, automatic connection retries, timeouts and failovers, secure communication and authentication between your services, distributed metrics, tracing and logging. By introducing Istio into your architecture, you get all of that and more. And you get most of it without changing your code at all. In this talk, you'll see a demonstration of Istio in action and learn about the tricks that make its magic possible.

Javantura v6 - How can you improve the quality of your application - Ioannis ...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Automation of web apps testing - Hrvoje RuhekHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Master the Concepts Behind the Java 10 Challenges and Eliminat...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Bugs are a daily cause of stress in our work as Java developers. Those pesky things can hide behind core concepts in Java 9 and 10—there is no way out of this. If we don’t keep up to date with new Java versions, bugs will take over our projects. But can we have fun hunting them? You bet! How about solving a series of Java puzzles as a way to master concepts and save a lot of time finding those tricky bugs? In this session, attendees can help the bug hunters solve fun Java challenges, gain a clear understanding of what causes the most-stressful bugs—and have fun eliminating them from projects.

Javantura v6 - Building IoT Middleware with Microservices - Mario KusekHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

In H2020 EU project symbIoTe (symbiosis of smart objects across IoT environments) we have been building IoT middleware based on microservices programmed in Java with Spring Boot and Spring Cloud components. Here I will present our experiences in developing such services in distributed team across EU and employed by 15 organizations. I will present organizational and technical advantages and drawbacks as well as our choices in building such system.

Javantura v6 - JDK 11 & JDK 12 - Dalibor TopicHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Java cro'21 the best tools for java developers in 2021 - hujakHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

JavaCro'21 - Java is Here To Stay - HUJAK KeynoteHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v7 - Behaviour Driven Development with Cucumber - Ivan LozićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v7 - The State of Java - Today and Tomowwow - HUJAK's Community Key...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v7 - Learning to Scale Yourself: The Journey from Coder to Leader -...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

JavaCro'19 - The State of Java and Software Development in Croatia - Communit...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Java in Croatia and HUJAK - Branko Mihaljević, Aleksander RadovanHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - On the Aspects of Polyglot Programming and Memory Management i...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Case Study: Marketplace App with Java and Hyperledger Fabric -...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - How to help customers report bugs accurately - Miroslav Čerkez...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - When remote work really works - the secrets behind successful ...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Kotlin-Java Interop - Matej VidakovićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Spring HATEOAS hypermedia-driven web services, and clients tha...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - End to End Continuous Delivery of Microservices for Kubernetes...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - How can you improve the quality of your application - Ioannis ...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Automation of web apps testing - Hrvoje RuhekHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Master the Concepts Behind the Java 10 Challenges and Eliminat...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - Building IoT Middleware with Microservices - Mario KusekHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Javantura v6 - JDK 11 & JDK 12 - Dalibor TopicHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Recently uploaded (20)

Manifest Pre-Seed Update | A Humanoid OEM Deeptech In Francechb3

"Client Partnership — the Path to Exponential Growth for Companies Sized 50-5...Fwdays

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...SOFTTECHHUB

I started my online journey with several hosting services before stumbling upon Ai EngineHost. At first, the idea of paying one fee and getting lifetime access seemed too good to pass up. The platform is built on reliable US-based servers, ensuring your projects run at high speeds and remain safe. Let me take you step by step through its benefits and features as I explain why this hosting solution is a perfect fit for digital entrepreneurs.

Mobile App Development Company in Saudi ArabiaSteve Jonas

EmizenTech is a globally recognized software development company, proudly serving businesses since 2013. With over 11+ years of industry experience and a team of 200+ skilled professionals, we have successfully delivered 1200+ projects across various sectors. As a leading Mobile App Development Company In Saudi Arabia we offer end-to-end solutions for iOS, Android, and cross-platform applications. Our apps are known for their user-friendly interfaces, scalability, high performance, and strong security features. We tailor each mobile application to meet the unique needs of different industries, ensuring a seamless user experience. EmizenTech is committed to turning your vision into a powerful digital product that drives growth, innovation, and long-term success in the competitive mobile landscape of Saudi Arabia.

Splunk Security Update | Public Sector Summit Germany 2025Splunk

How Can I use the AI Hype in my Business Context?Daniel Lehner

𝙄𝙨 𝘼𝙄 𝙟𝙪𝙨𝙩 𝙝𝙮𝙥𝙚? 𝙊𝙧 𝙞𝙨 𝙞𝙩 𝙩𝙝𝙚 𝙜𝙖𝙢𝙚 𝙘𝙝𝙖𝙣𝙜𝙚𝙧 𝙮𝙤𝙪𝙧 𝙗𝙪𝙨𝙞𝙣𝙚𝙨𝙨 𝙣𝙚𝙚𝙙𝙨? Everyone’s talking about AI but is anyone really using it to create real value? Most companies want to leverage AI. Few know 𝗵𝗼𝘄. ✅ What exactly should you ask to find real AI opportunities? ✅ Which AI techniques actually fit your business? ✅ Is your data even ready for AI? If you’re not sure, you’re not alone. This is a condensed version of the slides I presented at a Linkedin webinar for Tecnovy on 28.04.2025.

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

At InData Labs, we have been keeping an ear to the ground, looking out for AI-enabled digital transformation trends coming our way in 2025. Our report will provide a look into the technology landscape of the future, including: -Artificial Intelligence Market Overview -Strategies for AI Adoption in 2025 -Anticipated drivers of AI adoption and transformative technologies -Benefits of AI and Big data for your business -Tips on how to prepare your business for innovation -AI and data privacy: Strategies for securing data privacy in AI models, etc. Download your free copy nowand implement the key findings to improve your business.

Procurement Insights Cost To Value Guide.pptxJon Hansen

Automation Hour 1/28/2022: Capture User Feedback from AnywhereLynda Kane

Automation Dreamin' 2022: Sharing Some Gratitude with Your UsersLynda Kane

Learn the Basics of Agile Development: Your Step-by-Step GuideMarcel David

AI and Data Privacy in 2025: Global TrendsInData Labs

In this infographic, we explore how businesses can implement effective governance frameworks to address AI data privacy. Understanding it is crucial for developing effective strategies that ensure compliance, safeguard customer trust, and leverage AI responsibly. Equip yourself with insights that can drive informed decision-making and position your organization for success in the future of data privacy. This infographic contains: -AI and data privacy: Key findings -Statistics on AI data privacy in the today’s world -Tips on how to overcome data privacy challenges -Benefits of AI data security investments. Keep up-to-date on how AI is reshaping privacy standards and what this entails for both individuals and organizations.

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

The MCP (Model Context Protocol) is a framework designed to manage context and interaction within complex systems. This SlideShare presentation will provide a detailed overview of the MCP Model, its applications, and how it plays a crucial role in improving communication and decision-making in distributed systems. We will explore the key concepts behind the protocol, including the importance of context, data management, and how this model enhances system adaptability and responsiveness. Ideal for software developers, system architects, and IT professionals, this presentation will offer valuable insights into how the MCP Model can streamline workflows, improve efficiency, and create more intuitive systems for a wide range of use cases.

Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55

Into The Box Conference Keynote Day 1 (ITB2025)Ortus Solutions, Corp

Buckeye Dreamin' 2023: De-fogging Debug LogsLynda Kane

TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc

Most consumers believe they’re making informed decisions about their personal data—adjusting privacy settings, blocking trackers, and opting out where they can. However, our new research reveals that while awareness is high, taking meaningful action is still lacking. On the corporate side, many organizations report strong policies for managing third-party data and consumer consent yet fall short when it comes to consistency, accountability and transparency. This session will explore the research findings from TrustArc’s Privacy Pulse Survey, examining consumer attitudes toward personal data collection and practical suggestions for corporate practices around purchasing third-party data. Attendees will learn: - Consumer awareness around data brokers and what consumers are doing to limit data collection - How businesses assess third-party vendors and their consent management operations - Where business preparedness needs improvement - What these trends mean for the future of privacy governance and public trust This discussion is essential for privacy, risk, and compliance professionals who want to ground their strategies in current data and prepare for what’s next in the privacy landscape.

Semantic Cultivators : The Critical Future Role to Enable AIartmondano

"PHP and MySQL CRUD Operations for Student Management System"Jainul Musani

Manifest Pre-Seed Update | A Humanoid OEM Deeptech In Francechb3

"Client Partnership — the Path to Exponential Growth for Companies Sized 50-5...Fwdays

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...SOFTTECHHUB

Mobile App Development Company in Saudi ArabiaSteve Jonas

Splunk Security Update | Public Sector Summit Germany 2025Splunk

How Can I use the AI Hype in my Business Context?Daniel Lehner

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

Procurement Insights Cost To Value Guide.pptxJon Hansen

Automation Hour 1/28/2022: Capture User Feedback from AnywhereLynda Kane

Automation Dreamin' 2022: Sharing Some Gratitude with Your UsersLynda Kane

Learn the Basics of Agile Development: Your Step-by-Step GuideMarcel David

AI and Data Privacy in 2025: Global TrendsInData Labs

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55

Into The Box Conference Keynote Day 1 (ITB2025)Ortus Solutions, Corp

Buckeye Dreamin' 2023: De-fogging Debug LogsLynda Kane

TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc

Semantic Cultivators : The Critical Future Role to Enable AIartmondano

"PHP and MySQL CRUD Operations for Student Management System"Jainul Musani

JavaCro'15 - Secure Web Services Development - Askar Akhmerov

1. Secure WebServices WSDL first approach with Apache CXF Askar Akhmerov [email protected]

2. Agenda ● Use case ● SSL basics ● JAX-WS Service ● Keystores ● WS-Security ● CXF Interceptors ● WSS4J Interceptors

3. Agenda ● encryptionKeyIdentifier ● Encryption Algorithms ● Write Policy ● Demo ● References ● Questions

4. Use case

5. Use case client service

6. SSL basics ● use X.509 certificates and hence asymmetric cryptography ● encrypt the data of network connections in the application layer ● used webbrowsersmailsoftware

7. X.509 ● Issuer - certification authority (CA) ● Authorization and issuing chains

8. JAX-WS Service ● prepare xsd ● write wsdl ● generate classes ● write cxf config ● generate client

9. Keystores Manipulations ● generate private keys ● export keys ● import keys ● maven usage

10. WS-Security ● Based on policies o requires wsdl adjustments ● Based on interceptors o preserves wsdl o customizations done through code o customizations done through spring context

11. CXF Interceptors

12. WSS4J Interceptors ● Password Callback Class ● WSS4JOutInterceptor (Phase.PRE_PROTOCOL) o action o signaturePropFile o signatureParts o encryptionPropFile ● WSS4JInInterceptor (Phase.PRE_PROTOCOL) o action o signaturePropFile o signatureParts o decryptionPropFile

13. Encryption Key Identifiers ● IssuerSerial (default) ● DirectReference ● X509KeyIdentifier ● Thumbprint ● SKIKeyIdentifier ● KeyValue (signature only) ● EncryptedKeySHA1 (encryption only)

14. Encryption Algorithms ● http://www.w3.org/TR/2002/REC-xmlenc-cor e-20021210/Overview.html#sec-Algorithms ● Based on JCE ● http://docs.oracle.com/javase/8/docs/technot es/guides/security/crypto/CryptoSpec.html

15. Write Policy ● WS-Policy Declaration <wsp:Policy wsu:Id="UniqueIdentifier"> <wsp:ExactlyOne> ... </wsp:ExactlyOne> </wsp:Policy> ● Policy reference <wsp:PolicyReference URI="#UniqueIdentifier"/>

16. Demo https://github.com/Smava/wssecurity

18. Summary ● Use case ● SSL basics o X.509 ● JAX-WS Service ● Keystores ● WS-Security ● CXF Interceptors ● WSS4J Interceptors

19. Summary ● encryptionKeyIdentifier ● Encryption Algorithms ● Write Policy ● Demo ● References ● Questions

20. Questions?

JavaCro'15 - Secure Web Services Development - Askar Akhmerov

Recommended

More Related Content

What's hot (20)

Similar to JavaCro'15 - Secure Web Services Development - Askar Akhmerov (20)

More from HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association (20)

Recently uploaded (20)

JavaCro'15 - Secure Web Services Development - Askar Akhmerov