Security
Asynchronous logging with log4j
by ricardoz on Nov.25, 2009, under Articles, Performance, Security
In case you are not doing it already, using asynchronous logging is generally a good idea. You don’t want your application to slow down if the server IO is a little behind flushing all that logging to the filesystem. By making it asynchronous your application can continue running without having to wait for the log lines to be written to their final destination.
My personal choice for Java logging is log4j, there are a lot of different frameworks (including Suns own logging API), but log4j works great and is extremely flexible.
(continue reading…)
Obovweb source code – a Google Appengine sample
by ricardoz on Oct.20, 2009, under Security, Tips, Web related
Someone asked me about the implementation details of the Google Appengine sample I published a few weeks ago (http://obovweb.appspot.com/). Well, you can get a hold of the source code here.
There’s not much to tell, apart from the specific HMAC-SHA1 implementation (which you can check out in Obovs source code) it’s a very simple JSP/DWR application.
Blocking multiple clicks real easy
by ricardoz on Aug.10, 2009, under JavaScript, Performance, Security, Web related
I’ve faced this problem a few times before, but this time I decided to find a generic solution to it. I needed to prevent users from clicking action links in a web application multiple times and therefore triggering some server side action a lot of times when only one time was enough/needed.
After looking around for a few hours for an elegant solution I just couldn’t find one, all the articles/answers I found required controls on each link and/or special handling on the server side code that reacted to them.
(continue reading…)
Trying out Google Appengine – OTP generation app
by ricardoz on Jul.15, 2009, under Security, Web related
I decided to try out the new Java based version of Google Appengine. So i wrote a very simple web app that allows the user to generate one time passwords (OTP) using the HMAC-SHA1 algortihm (see OATH).
You can check it out at http://obovweb.appspot.com. As the name suggests its based on my obov library.
(continue reading…)
Using SSH or SFTP resources from a Java app
by ricardoz on May.22, 2009, under Security
There are many commercial SSH client libraries for Java, but it was hard to find a good open source one. Finally I stumbled upon SSHTools and I have to say it works wonderfully and the API is clean and simple.
(continue reading…)
PHP & Java interoperable encryption
by ricardoz on Jan.16, 2009, under Articles, Security, Tips
I recently faced the problem of encrypting something in PHP and decrypting it using Java, this proved to be a little more of a challenge than what it initially seemed like. (continue reading…)
obov v1.1.0 released
by ricardoz on Aug.04, 2008, under Security
A new version of obov is available for download. Some nice new features were added:
- Methods to generate passwords using the HMAC-SHA1 algorithm
- A handy utility method to generate secret keys (seeds) based on any given string
Go get it!
obov v1.0.0 released
by ricardoz on Jun.27, 2008, under Security
obov stands for OATH Based OTP validator. It’s a 100% pure Java library that provides simple to use methods to validate (and related utilities) one time passwords generated by OATH compliant devices.
(continue reading…)
Authenticate users using i5/OS (AS400) credentials
by ricardoz on May.12, 2008, under Security, Tips
The folks at IBM have a nice API to use i5/OS (AS400) stuff from Java code. Check it out at http://www-03.ibm.com/systems/i/software/toolbox/index.html.
What I particularly find very useful and have used often is to validate user names and passwords with the AS400 authentication services. The following code validates a userName and password.
(continue reading…)
Authenticating users using Unix or Windows credentials
by ricardoz on Apr.22, 2008, under Security, Tips
It’s usually very nice, and sometimes a requirement, to validate usernames and passwords using existing credentials. And in most situations big frameworks or single sign-on systems are just damn overkill and complex.
If you need to check your users credentials via an existing Unix system (that supports PAM) or a Windows domain controller check out (continue reading…)