Security is an important topic and everyone knows it. This post is about a curious social behavior around implementing security procedures that often works against incremental improvement of security. Continue reading
When is it OK to make member variables public? Continue reading
Single Sign On (SSO) is a term that is used and abused in the industry. Most of us think we know what it means — and most of us do, but still many of us have a slightly different and occasionally incorrect interpretation. There are some side issues and assumptions. This is an exploration around what must be included in a SSO framework. Continue reading
There is a type of attack (CSRF) that every form post is susceptible to. User 1 is logged into a site A and has a valid session. User 2 then sends an email message with a form post to site A, or a link to a rogue web page with a form post to site A. Since the session is maintained in cookies, this new form post will be accepted by the server as a valid part of the current session. In this way, User 2 can make User 1 make changes in the Site A that User 1 was not expecting. Continue reading
The Java run-time environment (JVM) is able to support connections to other servers using SSL, but it has this very inconvenient behavior of refusing to connect to self-signed servers. A self signed server has the public key necessary to ensure private communications, but does not have a certificate that proves who it is. In the default mode of operation, when connecting to such a server, Java SSL subsystem with throw an exception and prevent all communications. But there are good reasons why a service that you want to communicate with privately may not have a certificate, and this post tells you how to accomplish this. Continue reading
Agile Software Craftsmanship 