Recent posts by Sean Sell

Gentlemen, I realize that the question and answer period is over, but I hope you are still around to entertain an additional question. I went out and purchased your book, which arrived yesterday, and it seems to me that the very first example violates the principle you are trying to demonstrate, "Limit the Lifetime of Sensitive Data". Your "compliant solution" throws a security exception prior to clearing the password entered by the user. While your assumption may be that the password entered is not valid, in an actual authentication process many other things could prevent the authentication from happening, which would result in the valid password potentially being left in memory. The most disturbing would be a denial of service attack against the authentication source in order to exploit this created vulnerability.

Is there some other protection afforded here that I am not considering? I don't believe that garbage collection is immediate after an exception, or that the Console.readPassword() method would help in this situation.

I'm hopeful that the rest of the book is valuable and the examples don't create exposures that I cannot pick up.

--Sean Sell
10 years ago
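The concern in the post is about ordering: if the clearing step sits on one particular path, an exception from the authentication backend skips it. The following is an added example (not code from the book under discussion or from the poster) that places a constructed clear-only-on-failure variant beside a try/finally variant and simulates a backend outage; the class and method names, the AuthenticationUnavailableException type and the sample password are assumptions made for the illustration.

```java
import java.io.Console;
import java.util.Arrays;

/*
 * Added illustration: two ways of ordering the clearing step around an
 * authentication call that can throw. The backend is simulated; nothing
 * here talks to a real credential store.
 */
public final class PasswordLifetime {

    /** Constructed exception standing in for "authentication source unreachable". */
    public static final class AuthenticationUnavailableException extends Exception {
        private static final long serialVersionUID = 1L;
        public AuthenticationUnavailableException(String msg) { super(msg); }
    }

    /**
     * Simulated backend check. Returns true on success, false on a wrong
     * password, and throws when the backend is down. The reference value is
     * a constructed sample; a real system would compare against a salted hash.
     */
    static boolean authenticate(char[] password, boolean backendUp)
            throws AuthenticationUnavailableException {
        if (!backendUp) {
            throw new AuthenticationUnavailableException("credential store unreachable");
        }
        char[] expected = "correct horse".toCharArray();
        try {
            return Arrays.equals(password, expected);
        } finally {
            Arrays.fill(expected, '\0'); // the reference copy is sensitive too
        }
    }

    /**
     * Constructed weak ordering: clearing happens only on the explicit
     * failure branch, so an exception thrown by authenticate() returns
     * to the caller with the entered password still in the array.
     */
    static boolean loginClearOnlyOnFailure(char[] password, boolean backendUp)
            throws AuthenticationUnavailableException {
        boolean ok = authenticate(password, backendUp);
        if (!ok) {
            Arrays.fill(password, '\0');
        }
        return ok;
    }

    /**
     * Hardened ordering: the finally block executes on every exit path,
     * including the exception path, so the buffer is overwritten whether
     * the backend answered yes, no, or not at all.
     */
    static boolean login(char[] password, boolean backendUp)
            throws AuthenticationUnavailableException {
        try {
            return authenticate(password, backendUp);
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /** True when every element of the buffer has been overwritten with NUL. */
    static boolean isCleared(char[] buf) {
        for (char c : buf) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Console.readPassword hands back a char[] precisely so it can be
        // zeroed; a String could not be. Fall back to a constructed sample
        // when no terminal is attached (readPassword also returns null at EOF).
        Console console = System.console();
        char[] entered = (console != null) ? console.readPassword("Password: ") : null;
        if (entered == null) {
            entered = "constructed sample".toCharArray();
        }
        char[] copyA = entered.clone();
        char[] copyB = entered.clone();
        Arrays.fill(entered, '\0');

        // Simulate the backend being unavailable for both orderings.
        try { loginClearOnlyOnFailure(copyA, false); } catch (AuthenticationUnavailableException e) { /* expected */ }
        try { login(copyB, false); } catch (AuthenticationUnavailableException e) { /* expected */ }

        System.out.println("clear-only-on-failure variant cleared after outage: " + isCleared(copyA));
        System.out.println("try/finally variant cleared after outage:           " + isCleared(copyB));
    }
}
```

Running it with no terminal attached uses the constructed sample and shows the two orderings diverging only on the exception path, which is the case the post raises; on the success and wrong-password paths both variants behave the same.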
Hello Damon and Sébastien,

I was wondering if the book covered how these techniques work off of the Android platform and on the iPhone?

13 years ago
When developing applications for the Android platform(s), how big of a problem are the different vendors and hardware platforms?

Where do the issues typically come up?
13 years ago
Is anyone doing PIV card authentication in weblogic here? I am working on it and finding it hard to believe it requires this much work.

We essentially have it working but it seems very kludgy.

1. We enable 2-way SSL
2. We wrote a custom UserNameMapper class to look in a database for a username given a PIV certificate.
3. We use an LDAP Authentication provider to "validate" the returned username and set the groups that the principal(user) has.
4. We create policies in weblogic to map the groups to roles.
5. The application web.xml requires the role and client-cert authentication.

Anyone interested in collaborating on the best way to configure this stuff?

14 years ago
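Step 2 of the list above is where a deployment decides which presented certificates are even eligible to be looked up. The following is an added example, not the poster's code and not tied to any container API: a mapper built only on JDK classes that rejects expired or not-yet-valid leaf certificates, accepts only an allow-listed set of PIV issuer DNs, and then consults a lookup table standing in for the database. The class and method names, the issuer allow-list, and the sample DNs are assumptions.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/*
 * Added illustration of a certificate-to-username step using JDK APIs only.
 * The TLS layer has already validated the chain by the time this runs; this
 * class adds the application-level decisions (validity window, trusted
 * issuer, provisioning lookup) and returns null whenever the certificate
 * must not be mapped, so nothing downstream guesses a user.
 */
public final class PivUserNameMapper {

    /** Issuer DNs (RFC 2253 form) this deployment accepts for PIV credentials. Constructed values. */
    private final Set<String> trustedIssuers;

    /** Stand-in for the database: subject DN (RFC 2253 form) to application username. Constructed values. */
    private final Map<String, String> subjectToUser;

    public PivUserNameMapper(Set<String> trustedIssuers, Map<String, String> subjectToUser) {
        this.trustedIssuers = new HashSet<>(trustedIssuers);
        this.subjectToUser = new HashMap<>(subjectToUser);
    }

    /**
     * Maps a presented chain to a username, or null when no mapping is allowed.
     * Only the leaf (chain[0]) identifies the card holder.
     */
    public String mapCertificateToUserName(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return null; // no client certificate was presented
        }
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity(); // throws on expired or not-yet-valid certificates
        } catch (CertificateException e) {
            return null;
        }
        // RFC 2253 string form keeps the comparison stable across encoders,
        // provided the provisioning side stored DNs in the same form.
        String issuer = leaf.getIssuerX500Principal().getName(X500Principal.RFC2253);
        String subject = leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
        return mapNames(issuer, subject);
    }

    /** The pure decision, separated so it can be exercised without a real certificate. */
    String mapNames(String issuerDn, String subjectDn) {
        if (!trustedIssuers.contains(issuerDn)) {
            return null; // valid certificate, but not from an accepted PIV issuer
        }
        return subjectToUser.get(subjectDn); // null when the holder is not provisioned
    }

    public static void main(String[] args) {
        // Constructed sample data; no real issuer or card holder is referenced.
        String issuer = "CN=Example PIV CA,O=Example Agency,C=US";
        String holder = "CN=DOE.JANE.1234567890,OU=People,O=Example Agency,C=US";
        Set<String> issuers = new HashSet<>();
        issuers.add(issuer);
        Map<String, String> table = new HashMap<>();
        table.put(holder, "jdoe");

        PivUserNameMapper mapper = new PivUserNameMapper(issuers, table);
        System.out.println("provisioned holder, trusted issuer: " + mapper.mapNames(issuer, holder));
        System.out.println("unknown holder, trusted issuer:     " + mapper.mapNames(issuer, "CN=UNKNOWN,O=Example Agency,C=US"));
        System.out.println("provisioned holder, other issuer:   " + mapper.mapNames("CN=Other CA,O=Elsewhere,C=US", holder));
        System.out.println("no certificate presented:           " + mapper.mapCertificateToUserName(null));
    }
}
```

Keying the table on the full subject DN rather than on the CN alone matters: a CN can collide across issuers, and the issuer check before the lookup is what keeps a certificate from an unrelated CA with a matching subject from ever being looked up. The LDAP provider in step 3 then sees only usernames that passed both checks.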

Originally posted by Rahul Bhattacharjee:
I have seen the link that you have sent, Weblogic 9.2 now really doesn't do it in that way.

In which way? It does appear to require the -D... if you are using the JRockit JVM (I removed the entry to make sure that wasn't playing a part.)

Originally posted by Rahul Bhattacharjee:

But this still leaves me with a question as how can one go ahead to make something out of the jvm security specification and I do not see any harm in configuring the login.config in property file.

I think you meant "take something out." I agree; I can understand the need for more options, but to make the standard way not work seems dumb.

17 years ago
I am in the process of testing an authentication algorithm for a new Adobe Flex application that will be backending to a Weblogic 9.2 pageflow application.

I added authentication via JAAS to the pageflow but I was looking for a way to set the user in the session within my controller (after authentication). This way the existing pageflow should continue to work by referencing the user as:

this._remoteUser = this.getRequest().getRemoteUser();

17 years ago
I found on the forum a note that Weblogic 9.2 (I'm assuming they mean JRockit) no longer supports the entry in the file. That the authorization config must be specified on as an argument.

I added:\server\lib\sean_jaas.config

to my server startup startWebLogic.cmd and I am no longer getting the Exception. I can't seem to log in, but at least the exception is gone.

P.S. I didn't try to run the example but 9.2 still ships with an example that does it the old way.

Here's a link to the referenced forum note:

[ December 13, 2006: Message edited by: Sean Sell ]
17 years ago
I'm having the same problem. I'm using the JRockit JVM.

I have added the following to the end of the file:

and the following is my sean_jaas.config:
myrealm { required debug=false;

yet I get the error:
No Configuration was registered that can handle the configuration named myrealm

Did you get yours to work?
17 years ago
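The error quoted in the post is raised when the JVM's installed JAAS Configuration has no entry under the requested name, which happens either because the configuration file was not picked up at all or because the entry name or stanza syntax does not match. The following is an added diagnostic (not the poster's code and not part of WebLogic) that asks the same Configuration object a LoginContext would consult and reports what it finds for a given entry name. The class name is an assumption; the placeholder login module class name in the comment is not a real module.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/*
 * Added diagnostic: resolves a JAAS configuration entry by name through the
 * JVM's installed Configuration, which is exactly the lookup LoginContext
 * performs before raising "No Configuration was registered that can handle
 * the configuration named <name>". Launch it with the same
 * -Djava.security.auth.login.config=<path> the server uses.
 *
 * A complete stanza in that file has the shape (module class is a placeholder):
 *
 *   myrealm {
 *       com.example.PlaceholderLoginModule required debug=false;
 *   };
 *
 * Note the module class before the control flag, the semicolon after each
 * module line, and the semicolon after the closing brace.
 */
public final class JaasConfigCheck {

    /**
     * Returns the login modules configured for the named entry, or null when
     * the entry is absent. Throws SecurityException if no configuration could
     * be located at all (the -D property missing or pointing at a bad path).
     */
    static AppConfigurationEntry[] lookup(String entryName) {
        Configuration cfg = Configuration.getConfiguration();
        return cfg.getAppConfigurationEntry(entryName);
    }

    /** Human-readable summary of the lookup, used both by main and for reuse elsewhere. */
    static String describe(String entryName) {
        StringBuilder out = new StringBuilder();
        out.append("java.security.auth.login.config = ")
           .append(System.getProperty("java.security.auth.login.config"))
           .append('\n');
        AppConfigurationEntry[] entries;
        try {
            entries = lookup(entryName);
        } catch (SecurityException e) {
            // No configuration could be loaded: the property is unset, the
            // path is wrong, or the file failed to parse.
            return out.append("no JAAS configuration loaded: ").append(e.getMessage()).toString();
        }
        if (entries == null) {
            return out.append("no entry named '").append(entryName)
                      .append("' (configuration loaded, but the stanza name does not match)").toString();
        }
        for (AppConfigurationEntry e : entries) {
            out.append(e.getLoginModuleName()).append("  ")
               .append(e.getControlFlag()).append("  options=")
               .append(e.getOptions()).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "myrealm";
        System.out.print(describe(name));
    }
}
```

The two failure messages it distinguishes correspond to two different fixes: "no JAAS configuration loaded" means the -D argument or file path in the startup script is the problem, while "no entry named" means the file was read but the stanza name or its syntax does not produce an entry called myrealm.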