SSO: What is it?

Single Sign-On (SSO) is a term that is used and abused in the industry.  Most of us think we know what it means, and most of us do, but many of us still carry a slightly different and occasionally incorrect interpretation, along with some side issues and assumptions.  This post explores what a framework must actually provide before it can honestly be called SSO. Continue reading

Securing against Cross-site Request Forgery

There is a class of attack, Cross-Site Request Forgery (CSRF), that every form post is vulnerable to unless the server deliberately defends against it.  User 1 is logged into site A and holds a valid session.  User 2 then sends User 1 an email containing a form that posts to site A, or a link to a rogue web page containing such a form.  Because the session is kept in cookies, and the browser attaches site A's cookies to any request bound for site A regardless of which page initiated it, the forged post arrives at the server looking like a legitimate part of User 1's current session.  In this way User 2 can make User 1 perform changes on site A that User 1 never intended.  The usual defence is to require, on every state-changing request, a secret that the rogue page cannot read, such as a per-session token embedded in the real form. Continue reading
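The per-session token defence, as an added example that is not code from the post above: a synchronizer token is generated once per session, embedded as a hidden field when the real form is rendered, and required on every POST.  The forged post from User 2's page carries User 1's cookie but not the token, so it is rejected.  The class name, the in-memory map standing in for the server-side session store, and the session id string are all hypothetical.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Synchronizer-token CSRF defence: one secret per session, required on every state-changing POST. */
public final class CsrfGuard {
    private static final SecureRandom RNG = new SecureRandom();

    // Hypothetical stand-in for the server-side session store, keyed by session id.
    // In a real deployment this lives in the HttpSession (or equivalent), never in a cookie the
    // attacker's page could cause the browser to resend on its own.
    private final Map<String, String> tokenBySession = new ConcurrentHashMap<>();

    /** Called when rendering a form: returns the token to embed as a hidden field. */
    public String issue(String sessionId) {
        return tokenBySession.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32];          // 256 bits from a CSPRNG, so it cannot be guessed
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /** Called on every POST before the real handler runs. Returns false for any forged request. */
    public boolean validate(String sessionId, String submittedToken) {
        String expected = tokenBySession.get(sessionId);
        if (expected == null || submittedToken == null) {
            return false;                       // no token issued, or none submitted: reject
        }
        // Constant-time comparison so the check itself does not leak the token byte by byte.
        return MessageDigest.isEqual(expected.getBytes(UTF_8), submittedToken.getBytes(UTF_8));
    }

    /** Hidden field the real form on site A would contain. */
    public String hiddenField(String sessionId) {
        return "<input type=\"hidden\" name=\"csrf\" value=\"" + issue(sessionId) + "\">";
    }

    public static void main(String[] args) {
        CsrfGuard guard = new CsrfGuard();
        String victimSession = "sess-user1";    // constructed: the session id in User 1's cookie

        // Site A renders its real form for User 1, embedding the token.
        String token = guard.issue(victimSession);
        System.out.println(guard.hiddenField(victimSession));

        // Forged post from User 2's page: the cookie rides along, the token does not.
        System.out.println("forged post (no token) accepted?   " + guard.validate(victimSession, null));
        // Forged post with a guessed token.
        System.out.println("forged post (guessed) accepted?    " + guard.validate(victimSession, "AAAA"));
        // Legitimate post submitted from the real form.
        System.out.println("real form post accepted?           " + guard.validate(victimSession, token));
    }
}
```

The token must be bound to the session on the server side and compared there; putting it only in a cookie defeats the purpose, since the browser would send that cookie with the forged request too.  Checking the `Origin` or `Referer` header and marking the session cookie `SameSite` are worthwhile additional layers, but neither replaces the token on its own.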

Working Around Java’s SSL Limitations

The Java run-time environment (JVM) supports SSL/TLS connections to other servers, but it has the very inconvenient default of refusing to connect to servers with self-signed certificates, or more precisely to any server whose certificate is not signed by a certificate authority in the JVM's trust store.  A self-signed server does present a certificate carrying the public key needed for an encrypted channel, but nothing the JVM already trusts vouches for who that server is.  In the default mode of operation the Java SSL subsystem throws an exception on the handshake and prevents all communication.  There are good reasons why a service you want to talk to privately may not have a CA-issued certificate, and this post shows how to connect anyway.  The right way is to trust that one specific certificate, not to switch off certificate checking altogether, which would leave the connection open to anyone able to sit in the middle. Continue reading
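Trusting one specific self-signed certificate rather than disabling verification, as an added example that is not the post's own code: the server's certificate is loaded from a PEM file into a fresh, empty `KeyStore`, a `TrustManagerFactory` is built from that keystore alone, and the resulting `SSLContext` is handed to an `HttpsURLConnection`.  The class name, the `server.pem` path and the command-line arguments are assumptions for the example.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Connects over TLS to a server whose self-signed certificate has been exported to a PEM file. */
public final class SelfSignedTrust {

    /**
     * Builds an SSLContext that trusts exactly one certificate: the one in pemFile.
     * Every other server, including ones with perfectly good CA-issued certificates,
     * will be rejected by this context, which is the point: it is scoped to one peer.
     */
    public static SSLContext contextTrusting(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (InputStream in = Files.newInputStream(pemFile)) {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }

        // A brand-new in-memory keystore containing only the server's certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("self-signed-server", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key material, default RNG
        return ctx;
    }

    // Usage (hypothetical): java SelfSignedTrust https://localhost:8443/ server.pem
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrusting(Path.of(args[1]));

        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        // Only this connection uses the narrowed trust; the JVM-wide default is untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two things to check before relying on this.  First, the PEM file must be obtained out of band (copied from the server host, not fetched over the very connection you are trying to secure), otherwise you have only pinned whatever an attacker handed you.  Second, `HttpsURLConnection` still performs hostname verification, so the name in the URL must match the certificate's subject or subject alternative name; if it does not, fix the certificate rather than installing a permissive `HostnameVerifier`.  The widely copied alternative, an `X509TrustManager` whose check methods are empty, accepts any certificate from anyone and should not be used.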