This is the last part of a four-part blog post covering my move from WordPress to Hugo, a static website generator. This post outlines some of the benefits of moving to a static website and to Amazon AWS.
I have created a new project named Stripes XSS Interceptor.
This project escapes all the parameters that Stripes Framework binds during its Validation & Binding phase using a wrapped request object (a convenient implementation of the HttpServletRequest interface).
The code follows the XSS (Cross Site Scripting) security guidance posted at OWASP (Open Web Application Security Project).
Please feel free to report any bug you find in the project’s Issue Tracker.…
Sometimes no single login module is enough to meet our needs. Imagine the case of using an external LDAP server to provide the user authentication and a database server to provide the user authorization. A user would be in one repository or the other, and login should succeed if the user is found in either repository.
JBoss allows you to specify multiple login modules for a single security domain. But simple module stacking doesn’t resolve the problem on its own.…
I’ve created the project Secure JSP Taglibs with the ambition to fill some gaps in the security of the presentation layer in a Java web application.
This taglib renders the tag's nested body content only if the user has the specified roles. It is equivalent to the isUserInRole() method, but lets you test multiple roles (comma separated) at the same time.
<secure:one roles="role1toevaluate, role2toevaluate"> Show this content if the user has one of the specified roles.…
Data that is not validated or poorly validated is the root cause of a number of serious security vulnerabilities affecting applications, such as Cross Site Scripting and SQL Injection. A paper entitled A Modular Approach to Data Validation in Web Applications presents an approach to performing thorough data validation in modern web applications so that the benefits of modular component based design (extensibility, portability and re-use) can be realised.
It starts with an explanation of the vulnerabilities introduced through poor validation and then goes on to discuss the merits and drawbacks of a number of common data validation strategies such as:…