Schlagwort-Archive: Security

java.security.AccessControlException kills productivity

Dear IBM, can you please remove the totally useless java policy restrictions? Especially for agents running on the server? I can’t imagine how much life time and customers money was spent during the last decades just to find a workaround … Weiterlesen

Veröffentlicht unter Java, Security | Verschlagwortet mit , , | Hinterlasse einen Kommentar

The anatomy of a LTPA token

LTPA Token LTPA token are widely used in the IBM world for authentication between different physical machines, also known as WebSSO. There are two three types available, LTPA1, LTPA2 and a Domino format. LTPA1 and LTPA2 are commonly used with … Weiterlesen

Veröffentlicht unter Security, Server | Verschlagwortet mit , , , | 1 Kommentar

REST & Security: Why HTTP GET is insecure (and the other methods too)

Yesterday René commented that submitting username and password with HTTP GET is insecure, because they are submitted in clear text over the wire as part of the URI. At the first moment, I did not give some thought about it, because it is known … Weiterlesen

Veröffentlicht unter REST, Security, Server, Web | Verschlagwortet mit , , , | 2 Kommentare

REST & Security: More about the DominoStatelessTokenServlet

During the last days I have refined the DominoStatelessTokenServlet a little bit. It is now a pre-beta release, and I think it is time to explain some details about it. While it is still a proof-of-concept, it demonstrates how a … Weiterlesen

Veröffentlicht unter Allgemein, Java, REST, Security, Web | Verschlagwortet mit , , , , , , , , | 12 Kommentare

REST & Security: A Stateless Token Servlet

I have uploaded some of my projects to GitHub, including an alpha version of a stateless token servlet. The servlet has it’s own authentication mechanism (the password is currently not validated), and for developing purposes it uses HTTP GET. In … Weiterlesen

Veröffentlicht unter Java, REST, Security, Web | Verschlagwortet mit , , , , | Hinterlasse einen Kommentar

REST & Security: Same-Origin Policy / CORS

The „Same-orginin policy„ is an important concept for protecting web applications. In short, only resources from the same domain are allowed, everything else is permitted denied. To allow access other domains in your application, you have to enable „CORS„, a … Weiterlesen

Veröffentlicht unter Java Script, REST, Security, Web | Verschlagwortet mit , , , | 2 Kommentare

Raspberry Pi vs. IBM Bluemix – 1:0

I had some time last night (the whole family had gone to bed early), so I spent some to look at the XPages integration into Bluemix. I found the Greenwell Travel Expenses Demo: But after clicking a link, the page … Weiterlesen

Veröffentlicht unter Security, Web, XPages | Verschlagwortet mit , , , , | 6 Kommentare

Security: Usefull HTTP Response Headers

Here is a list of usefull HTTP headers for responses you should know about: X-Content-Type-Options When set to „nosniff„, this header will prevent browsers from MIME-sniffing a response away from the declared content-type. While this header is more relevant for … Weiterlesen

Veröffentlicht unter Allgemein, Security | Verschlagwortet mit | Hinterlasse einen Kommentar

REST & Security: CSRF Attacks

In this post I will demonstrate how a do a CSRF attack against a XPages REST service. Let’s assume that we have a custom REST service on a XPage. To keep the example as simple as possible, this service returns … Weiterlesen

Veröffentlicht unter REST, Security | Verschlagwortet mit , | 5 Kommentare

REST & Security

I am currently wearing my white hat and doing some pen and vulnerabilty tests for a RESTful API. While this is actually a hot topic in the Domino world, here are some resources: CSRF & REST: Stateless CSRF Protection Stateless Session … Weiterlesen

Veröffentlicht unter Security | Verschlagwortet mit , | 11 Kommentare