
Howard Hyde

Video Course Author
since Dec 01, 2017
Biography
Software Engineer / Architect / Consultant
Author of “Security in Spring Boot REST Web Service Applications” (Video lecture course on Udemy)
For developers, software engineers, architects and Cyber Security professionals
30+ Years IT Experience
Current "center of gravity": Spring Boot and Spring Security
Java 17 Oracle Certified Professional: Java 17 Developer
20+ years Oracle database design, development and PL/SQL programming
Author of video lecture course "Introduction to Database Application Development with Spring Boot, Angular and Postgres" on Udemy

Recent posts by Howard Hyde

Hi Stephan,
I replied to your email.
Are you on LinkedIn?  Connect with me at https://www.linkedIn.com/in/howardhyde
-Howard
3 weeks ago
Thanks Jeanne and thanks everyone who participated.  Be sure to claim the coupon.  The redemptions are limited and will run out.
3 weeks ago
P.S. I am looking for my next herd, so if you or anyone you know has a need, don’t hesitate to contact me at hhyde at radinfodesign dot com.
Cheers
3 weeks ago
Thanks again everyone for a very enjoyable cattle drive. Yee-haw!
Happy (coding) trails!
3 weeks ago
Tim, Stephan, Saloon Keepers, Bartenders, Sheriffs, Marshals, The Lone Ranger, Outlaws, Bandits, Butch Cassidy and the Sundance Kid etc.,
I'm ready to give you limited credentials to my live demo app and database, AND details on the REST API for you to hack, if you want to try; everything except credentials to a user having the requisite legitimate role.
If you're interested, write to me at hhyde@radinfodesign.com
4 weeks ago
Thanks Stephan Thanks Tim,
The challenge is to hack my site at fboace.radinfodesign.com (backend currently under maintenance), and I would need to prep the case and let you know when it is ready. Deliberately implementing a vulnerability isn't exactly what I had in mind, as I'm trying to prove that it is bullet-proof as it is; or get schooled. But we can discuss.

As far as source code, I haven't published on a public Git site, but I do provide zip bundles for download in the course, including one version of the main Spring Boot web service in a primitive, if not altogether devoid of security, state. See the Section 6/Part 5 discourse "Spring Security Inception" regarding that.
The overall README document explaining the source code bundles for the Demo app and its components is attached to the Section 3/Part 2 discourse "Introducing the Demo App and its Components: Overview".

The demo app in all its glory is comprised of 2 Spring Boot web services ("Fortress" and "FboAce"), a common shared library "RadSpringSecurity", an Angular/Typescript client UI application, and a Postgres database.


P.S. SORRY FOR THE CONFUSION re: Sections and Parts
The course consists of 6 parts numbered ZERO (0) to 6. The Udemy course sections are numbered from 1. So Section 1 is Part 0, Section 2 is Part 1 etc.

4 weeks ago
Thanks Miles,
Be sure to fill out the form for the FREE enrollment coupon while they last: https://docs.google.com/forms/d/e/1FAIpQLScBF3TEJq0_J2SPGEAHfkr0PD1d0s6Q_dXYOn_Iwe4s16pHLw/viewform

You may be ahead of me regarding cache, but Redis might be a place to start. Chapter 9 of the book "Cloud Native Spring in Action" by Thomas Vitale touches upon this subject briefly, mostly about distributed session management.  Just a thought.
Cheers
4 weeks ago
I am thinking of putting out the following Hacker Challenge: $100 to the first attacker who can successfully cause the execution of the following call via CSRF (or XSS or any other attack vector) WITHOUT having possession of valid credentials.

The following JSON body payload, when HTTP PUT to a certain URL, will result in the pilot Wrongway Feldman being granted a license or certification to fly aircraft of the type "Commercial Jet Airplane". This is a terrifying prospect as Wrongway is a fictional character from an episode of Gilligan's Island who flew World War One-era biplanes and has no business behind the controls of any commercial passenger jet. So this unauthorized update MUST be prevented at all costs.

{ "certificationNumber": "4565FK58D", "validFromDate": "2024-04-01", "expirationDate": "2034-04-01", "notes": "", "pilotId": 18, "aircraftTypeId": 5, "pilotName": "Feldman, Wrongway", "aircraftTypeName": "Commercial Jet Airplane", "name": "Feldman, Wrongway: CJET: 4565FK58D", "_deleted": false }

Can you write a CSRF or other attack that would cause a user to unknowingly but successfully execute this transaction? Create a clickbait link that executes this, without knowing an authorized user's name and password? The endpoint requires proof of an authenticated user having the "StaffAdmin" or "SuperAdmin" role; and such a user is assumed to be actively using the app in another tab of the browser.

Any takers if I were to set this up?
4 weeks ago


Sneak Preview video: Spring Security Filters and Configuration

Servlets, SecurityFilterChain, “Housekeeping”, custom filters and requestMatchers()

From the course "Security in Spring Boot REST Web Service Applications"
4 weeks ago
To help you make your decision as to whether this course is for you, here is the introductory video:

Click: Intro to "Security in Spring Boot"

This course covers the Spring Security Framework AND
  • Encryption, encoding and hashing
  • HTTP over SSL/TLS (HTTPS)
  • Digital Certificates & Public Key Infrastructure (PKI)
  • Authentication
  • JSON Web Tokens JWT
  • Role-based Authorization

  • With Easy-to-follow tutorials, practical examples
4 weeks ago

Tim Holloway wrote: Byt twe way "DDO" is what you get when a half-blind person types "SSO" with wayward fingers. In case you were wondering.

I thought it was "Double-Down Ornithology."
4 weeks ago
I will assume the privilege of posting the shameless plug that Coderanch is showcasing my new Udemy video lecture course “Security in Spring Boot REST Web Service Applications” this week, here: https://coderanch.com/t/783554/frameworks/Howard-Hyde#3574456
4 weeks ago
SSL/TLS/HTTPS encryption with a CA-endorsed digital certificate is assumed.
4 weeks ago
There are many expansion topics I’d like to cover as the course evolves, including OAuth2/OpenId, SSO, SAML, Spring Cloud Gateway, Edge Services, Redis, Reactive Spring with Mono and Flux and much more. My priority here has been to focus on the most essential and do my best to ease the learning curve of a complicated and difficult tool.
There are so many ways to do so many different things in Spring Security that it can be daunting to figure out how to do one thing one way. For this reason I reduce scope to the Stateless REST/JSON API paradigm and begin with a mostly spoon-fed practical example solution with my demo app. Then in the last part I expand upon and go into greater depth in theory and academic/pedagogic exercises, utilizing the most common library implementation classes, so that the student may have the tools to accomplish things his/her particular way.

This is the course I wish had been available when I was learning this subject.
4 weeks ago
Hi Salil, my course doesn’t cover OAuth2, SSO or SAML — yet. Hoping to add lectures in the future on these and other expansion topics. Cheers.
4 weeks ago