
Sean Sell

Greenhorn
since Dec 12, 2006

Recent posts by Sean Sell

Gentlemen, I realize that the question and answer period is over but I hope you are still around to entertain an additional question. I went out and purchased your book which arrived yesterday and it seems to me that the very first example violates the principle you are trying to demonstrate, "Limit the Lifetime of Sensitive Data". Your "compliant solution" throws a security exception prior to clearing the password entered by the user. While your assumption may be that the password entered is not valid, in an actual authentication process many other things could prevent the authentication from happening, which would result in the valid password potentially being left in memory. The most disturbing would be a denial of service attack against the authentication source in order to exploit this created vulnerability.

Is there some other protection afforded here that I am not considering? I don't believe that garbage collection is immediate after an exception or that the Console.readPassword() method would help in this situation.

I'm hopeful that the rest of the book is valuable and the examples don't create exposures that I cannot pick up.

--Sean Sell
4 years ago
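The concern raised above is that a password buffer cleared only on the straight-line path stays in memory whenever the authentication call throws. The following is an added example, not code from the book or from the post, showing both shapes side by side with a constructed Authenticator stand-in whose every call fails, as it would during an outage of the authentication source; the class and method names are assumptions chosen for illustration.

```java
import java.util.Arrays;

public class PasswordLifetime {

    /** Thrown when authentication cannot be completed (bad password, backend down, timeout). */
    static class AuthException extends Exception {
        AuthException(String msg) { super(msg); }
    }

    /** Constructed stand-in for an authentication source (directory, database, token service). */
    interface Authenticator {
        boolean authenticate(String user, char[] password) throws AuthException;
    }

    /**
     * Pattern the post describes: the buffer is cleared only after authenticate()
     * returns normally, so any exception leaves the password sitting in memory.
     */
    static boolean loginClearedOnlyOnSuccess(Authenticator auth, String user, char[] password)
            throws AuthException {
        boolean ok = auth.authenticate(user, password); // may throw before the next line runs
        Arrays.fill(password, ' ');
        return ok;
    }

    /**
     * Hardened form: try/finally overwrites the buffer on every exit path, whether
     * authenticate() returns true, returns false, or throws.
     */
    static boolean loginAlwaysCleared(Authenticator auth, String user, char[] password)
            throws AuthException {
        try {
            return auth.authenticate(user, password);
        } finally {
            Arrays.fill(password, ' ');
        }
    }

    /** True if every element of the buffer has been overwritten with the fill character. */
    static boolean isCleared(char[] buf) {
        for (char c : buf) {
            if (c != ' ') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Simulated outage of the authentication source: every attempt throws.
        Authenticator unavailable = (user, pw) -> {
            throw new AuthException("authentication source unavailable");
        };

        char[] pw1 = "correct horse".toCharArray(); // constructed sample secret
        try {
            loginClearedOnlyOnSuccess(unavailable, "alice", pw1);
        } catch (AuthException e) {
            System.out.println("login failed: " + e.getMessage());
        }
        System.out.println("cleared after failure, original pattern: " + isCleared(pw1));

        char[] pw2 = "correct horse".toCharArray();
        try {
            loginAlwaysCleared(unavailable, "alice", pw2);
        } catch (AuthException e) {
            System.out.println("login failed: " + e.getMessage());
        }
        System.out.println("cleared after failure, try/finally: " + isCleared(pw2));
    }
}
```

With the failing backend, the first call leaves pw1 intact and the second leaves pw2 filled with spaces. The check is best-effort rather than a guarantee: the password must stay a char[] (never converted to a String, which is immutable and cannot be cleared), and the JVM may still have copied the array internally, which is exactly why Console.readPassword() returns a char[] and why the window between reading and clearing should be as short as the code allows.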
I think that the popularity of the iPod, and the iTunes store which locked a lot of people's music to an iPod device, was largely why sales of the iPhone took off. Just the ability to combine the two devices was originally enough for most people (would have been enough for me if it wasn't on AT&T). The fact that it was a wonderful design helped but honestly I think you could have sold an iPod classic with a telephone keypad if it combined that functionality.

I think that most of the app development came after the initial release.

I think the iPhone apps were key to the success of the iPad; if it wasn't for the availability of the already existing apps I think it would have been difficult to sell the device at that price.
7 years ago
iOS
Hello Damon and Sébastien,

I was wondering if the book covered how these techniques work off of the Android platform and on the iPhone?

--Sean
7 years ago
When developing applications for the Android platform(s) how big of a problem are the different vendors and hardware platforms?

Where do the issues typically come up?
7 years ago
Is anyone doing PIV card authentication in WebLogic here? I am working on it and finding it hard to believe it requires this much work.

We essentially have it working but it seems very kludgy.

1. We enable 2-way SSL
2. We wrote a custom UserNameMapper class to look in a database for a username given a PIV certificate.
3. We use an LDAP Authentication provider to "validate" the returned username and set the groups that the principal(user) has.
4. We create policies in WebLogic to map the groups to roles.
5. The application web.xml requires the role and client-cert authentication.

Anyone interested in collaborating on the best way to configure this stuff?

--Sean
8 years ago

Originally posted by Rahul Bhattacharjee:
I have seen the link that you have sent, Weblogic 9.2 now really doesn't do it in that way.

In which way? It does appear to require the -D... if you are using the JRockit JVM (I removed the java.security entry to make sure that wasn't playing a part.)

Originally posted by Rahul Bhattacharjee:
But this still leaves me with a question as how can one go ahead to make something out of the jvm security specification and I do not see any harm in configuring the login.config in java.security property file.

I think you meant "take something out." I agree; I can understand the need for more options, but to make the standard way not work seems dumb.

--Sean
11 years ago
I am in the process of testing an authentication algorithm for a new Adobe Flex application that will be backending to a Weblogic 9.2 pageflow application.

I added authentication via JAAS to the pageflow but I was looking for a way to set the user in the session within my controller (after authentication). This way the existing pageflow should continue to work by referencing the user as:

this._remoteUser = this.getRequest().getRemoteUser();

TIA
11 years ago
I found on the dev2dev.bea.com forum a note that Weblogic 9.2 (I'm assuming they mean JRockit) no longer supports the entry in the java.security file. The authorization config must be specified as an argument.

I added:
-Djava.security.auth.login.config=%WL_HOME%\server\lib\sean_jaas.config

to my server startup startWebLogic.cmd and I no longer am getting the Exception. I can't seem to log in but at least the exception is gone.

P.S. I didn't try to run the example but 9.2 still ships with an example that does it the old way.

here's a link to the referenced forum note:
http://forums.bea.com/bea/message.jspa?messageID=600046552&tstart=0

--Sean
[ December 13, 2006: Message edited by: Sean Sell ]
11 years ago
I'm having the same problem. I'm using the JRockit JVM.

I have added the following to the end of the

java.security file:
login.config.url.1=file:${java.home}/jre/lib/security/sean_jaas.config

and the following is my sean_jaas.config:
myrealm {
weblogic.security.auth.login.UsernamePasswordLoginModule required debug=false;
};

yet I get the error:
No Configuration was registered that can handle the configuration named myrealm

Did you get yours to work?
11 years ago
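The error "No Configuration was registered that can handle the configuration named myrealm" means the JAAS Configuration the JVM actually loaded has no section by that name, regardless of which file the poster intended it to read. The following is an added diagnostic, not code from the thread or from WebLogic, that asks the running JVM's Configuration for a named section using only the standard javax.security.auth.login API; run it with the same -D flags and java.security file as the server (the class name and the default section name "myrealm", taken from the posts above, are the only assumptions).

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasConfigCheck {

    /**
     * Returns the login-module entries registered for the named application
     * section, or null if the active JAAS Configuration has no such section.
     */
    static AppConfigurationEntry[] lookup(String name) {
        return Configuration.getConfiguration().getAppConfigurationEntry(name);
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "myrealm";

        // The two inputs that decide which file the default Configuration reads:
        // the -D override, and the java.home that ${java.home} expands to in
        // a login.config.url.N entry of the java.security file.
        System.out.println("java.security.auth.login.config = "
                + System.getProperty("java.security.auth.login.config"));
        System.out.println("java.home = " + System.getProperty("java.home"));

        AppConfigurationEntry[] entries;
        try {
            entries = lookup(name);
        } catch (SecurityException e) {
            // Thrown when no configuration file could be located or parsed at all.
            System.out.println("could not load any JAAS configuration: " + e.getMessage());
            return;
        }

        if (entries == null) {
            System.out.println("no section named '" + name + "' in the active JAAS configuration");
            return;
        }
        for (AppConfigurationEntry e : entries) {
            System.out.println(name + ": " + e.getLoginModuleName()
                    + " " + e.getControlFlag() + " " + e.getOptions());
        }
    }
}
```

Invoke it as `java <same -D flags as startWebLogic> JaasConfigCheck myrealm`. If the output lists the UsernamePasswordLoginModule entry, the configuration file is being found and the problem lies elsewhere; if it reports no section, compare the printed java.home and java.security.auth.login.config values against the path the login.config.url.1 URL expands to and confirm that file exists there, since a URL that does not resolve is silently skipped rather than reported.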