paul nisset wrote: Hi,
What strategy would you recommend for security in a REST application?
Is passing a token via HTTP headers (once the user is authenticated) the best way?
B. Katz wrote: Greetings Jim and August,
Silviu Burcea wrote: And the last one: we cannot prevent every single attack on Earth ... how much security effort means secure enough?
While there are no clear-cut definitions that state "If 'x' is your system, then 'y' is what you need to be secure...", during this race that governments have been running to be at the top of the cyber-powers, they have come up with some good guidelines, called FIPS-199, to check your own applications and systems against and see how seriously you should take security. (Q.v. NIST FIPS-199 Final PDF)
In a nutshell, it looks at three aspects of a given system/dataset/application, namely Confidentiality, Integrity and Availability, considers what it would be like if any of those aspects were compromised, and gives a rating of how bad the damage would be considered.
That should give you a good base to start from as to how seriously you should take the security of your applications and systems.
Joel Thompson wrote: I was reading somewhere that with Kerberos certificates you can pass these from the issuer (say website A.com) and inspect them on website B.com for a single sign-on approach. Also, what would be the approach to integrate with Windows networking, so that if they signed on to the Windows domain a Kerberos certificate would be created and then presented to the 2nd website B.com and SSO would work too? (I'm guessing only via IE, unless there are some plugins available for Chrome for this.) I'm hoping to discuss some details with cookies and/or transports to understand this type of solution.
I'm looking for an architectural answer and real software that can do this. I'm using WebLogic Server (OHS for the web server) and I'd be interested in discussions about JBoss and Apache too.
Does your book cover this SSO type topic?
Comal Rajagopalaratnam Muthukumar wrote: Hi Jim (Author),
As always, this time too I rushed through the contents of the book to see if it tempts me to buy it, even if I am not declared the one to receive a free copy, but the negative trend prevailed, since there appear to be no examples provided, or at least topics like an appendix where the author extends his liberal help to the readers/users on similar topics.
Is any example explained?
With Best Luck
Janeice DelVecchio wrote: When I worked in desktop support, there was a guy who had a notebook of all his passwords. In the notebook, he also kept his "answers" to his security questions.
I made a comment that some answers can be guessed. So he said, "why do you think I write them down?" -- implying that he didn't even know the answers, thus defeating the purpose. If his notebook were burned, he'd have no means of recovery.
I have a list of lies I keep in my head. My high school mascot? First car make/model/color? Street I grew up on? Best friend's name? All lies. Always the same lie so I can remember.
Jeanne Boyarsky wrote: From the one-factor thread:
Jim Manico wrote: Last, if you really do not want to implement it, then you need to consider "account lockout" to keep brute force attacks at bay. Account lockout CAN be used to Denial of Service your site, so be careful.
This is the design we used to prevent brute force login attempts on this site. I'm curious what weaknesses there are in it. All I can think of is that if you can present a fake IP, you could still do denial of service for logins. Even that wouldn't affect users who were logged in or anonymous users. And it would have to be kept up hour after hour.
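The trade-off in the two posts above (a lockout that stops brute force but hands an attacker a way to lock real users out) is easy to see in code. The following is an added example written for this thread, not code from this site or from the book: a small sliding-window throttle that can run either a classic per-account lockout or a per-(account, source address) plus per-address variant, followed by two constructed scenarios (one attacker hammering a single account, one spraying many accounts from one address). The class name, usernames and the two IP addresses are illustrative assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login throttle (added example, hypothetical names).

    policy="account": classic account lockout. max_failures failures against a
        username, from any address, lock that username. An attacker who knows
        the username can lock its owner out at will (the denial of service
        Jim warns about).
    policy="pair": failures are counted per (username, source address) and
        per source address. Hammering one account from one address locks that
        pair, spraying many accounts from one address locks the address, and
        the real user arriving from a different address is unaffected.
    """

    def __init__(self, policy="pair", max_failures=5, ip_max_failures=20,
                 window_seconds=3600, clock=time.time):
        if policy not in ("account", "pair"):
            raise ValueError("policy must be 'account' or 'pair'")
        self.policy = policy
        self.max_failures = max_failures
        self.ip_max_failures = ip_max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so the scenarios can fast-forward time
        self._failures = defaultdict(deque)  # counter key -> failure timestamps

    def _keys(self, username, ip):
        """Counters consulted for one attempt, each with its limit."""
        if self.policy == "account":
            return [(("user", username), self.max_failures)]
        return [(("pair", username, ip), self.max_failures),
                (("ip", ip), self.ip_max_failures)]

    def _count(self, key):
        q = self._failures[key]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:  # drop failures that fell out of the window
            q.popleft()
        return len(q)

    def check(self, username, ip):
        """Call before verifying the password. Returns (allowed, reason)."""
        for key, limit in self._keys(username, ip):
            if self._count(key) >= limit:
                return False, "locked:" + key[0]
        return True, "ok"

    def record_failure(self, username, ip):
        now = self.clock()
        for key, _ in self._keys(username, ip):
            self._failures[key].append(now)

    def record_success(self, username, ip):
        # Clear the user's own counters; the per-address counter is kept so
        # that one correct guess does not reset a spraying address.
        for key, _ in self._keys(username, ip):
            if key[0] != "ip":
                self._failures.pop(key, None)


ATTACKER_IP, OWNER_IP = "203.0.113.9", "198.51.100.7"  # constructed addresses


def _hammer(throttle, clock, username, ip, attempts):
    """Constructed attacker: wrong password `attempts` times, one second apart."""
    for _ in range(attempts):
        allowed, _ = throttle.check(username, ip)
        if allowed:
            throttle.record_failure(username, ip)
        clock[0] += 1


def simulate_targeted(policy):
    """Attacker fails 50 times on 'alice'; who can still reach the login?"""
    clock = [1_000_000.0]
    throttle = LoginThrottle(policy=policy, clock=lambda: clock[0])
    _hammer(throttle, clock, "alice", ATTACKER_IP, 50)
    result = {"attacker": throttle.check("alice", ATTACKER_IP)[1],
              "owner": throttle.check("alice", OWNER_IP)[1]}
    clock[0] += throttle.window + 1  # the lock is temporary under both policies
    result["attacker_after_window"] = throttle.check("alice", ATTACKER_IP)[1]
    return result


def simulate_spray(policy):
    """Attacker tries 5 passwords against each of 10 accounts from one address."""
    clock = [2_000_000.0]
    throttle = LoginThrottle(policy=policy, clock=lambda: clock[0])
    for i in range(10):
        _hammer(throttle, clock, f"user{i}", ATTACKER_IP, 5)
    return {"next_account_from_attacker_ip": throttle.check("user10", ATTACKER_IP)[1],
            "owner_of_sprayed_account": throttle.check("user0", OWNER_IP)[1]}
```

Under the "account" policy the targeted scenario locks the owner out along with the attacker, and the spray scenario locks ten accounts while the attacking address is still free to try an eleventh; under the "pair" policy the owner is untouched in both and the spraying address is cut off after its 20th failure. Two caveats that follow from Jeanne's "fake IP" point: the address fed to check() must be the one from the TCP connection or from a proxy you control, never a client-settable header such as X-Forwarded-For, or the attacker simply claims the victim's address; and a per-address limit will also catch many legitimate users behind one NAT, so the limit needs to be generous and the lock short.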
Junilu Lacar wrote:
Jim Manico wrote: This defense to protect against phishing is completely useless and many companies are dropping it. A phishing site could take your username, fetch the image, and display it on the phishing site. It's not a good security control.
Huh, now that I think about it, you're right. All an attacker needs to do is steal my username and then he'd still be able to masquerade as the real site and trick me into entering my password.
Abhay Agarwal wrote: Does the book also describe the different security features that we can apply to Servlets, EJB, Web Services etc.? For example, security in web services is a very big topic. To what extent are security details covered for these Java programming technologies [servlets, EJB, web services]?
Abhay Agarwal wrote: I read the description of the book on Amazon. It seems like most of the topics are covered.
I want to know which application server [Tomcat, WebLogic, JBoss] was used to explain the different web-based security mechanisms?