Downgrading Spring security to AES-128 - spring-security

I have a Spring framework based app in which I have been instructed to add AES-256 encryption. I have added this using the standard Spring security Encryptors.textEncryptor(...)
When I ran it on our development servers I got errors which indicated issues with key lengths so I updated the server's Java with Java JCE's unlimited policy files from Oracle.
However when attempting to get the code deployed to our test servers, the server admins are refusing to update the Java installations.
After talking with security, they suggested downgrading the encryption from AES-256 to AES-128 under the assumption that it will work without the unlimited policy files.
As you can tell I'm not greatly knowledgeable in this area.
I've looked online, but it appears that the Spring encryption cannot be downgraded to AES-128.
Does anyone know if this downgrade can be done, or do I have to roll my own encryption setup?

Ended up using the spring source code as a base for rolling our own. Not hard really.
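An added example, not code from the question, the answer or Spring's own source: a stand-alone javax.crypto text encryptor that asks the JVM what key length the installed policy allows (Cipher.getMaxAllowedKeyLength reports 128 without the unlimited policy files) and derives a 128-bit key in that case, so the same class runs on servers with and without the policy update. It uses AES-GCM with PBKDF2 rather than Spring's own scheme; the class and method names, the iteration count and the IV/tag sizes are my choices, not the page's.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Password-based AES text encryptor that uses AES-128 when the JVM's policy caps
// AES keys at 128 bits and AES-256 only when the unlimited policy is installed.
public class PolicyAwareTextEncryptor {
    private static final int IV_BYTES = 12;             // standard GCM nonce size
    private static final int TAG_BITS = 128;            // GCM authentication tag
    private static final int PBKDF2_ITERATIONS = 65536; // assumed value, tune for your hardware
    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();

    // salt: random, stored next to the data; it is not secret but must not be reused across passwords
    public PolicyAwareTextEncryptor(char[] password, byte[] salt) throws Exception {
        // JCE reports the policy limit: 128 without the unlimited files, Integer.MAX_VALUE with them
        int keyBits = Math.min(256, Cipher.getMaxAllowedKeyLength("AES"));
        SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = kdf.generateSecret(
                new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, keyBits)).getEncoded();
        this.key = new SecretKeySpec(raw, "AES");
    }

    // Lets the caller log which key size was actually negotiated on this server
    public int keyBits() { return key.getEncoded().length * 8; }

    // Output layout: base64( IV || ciphertext || tag ), with a fresh random IV per call
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public String decrypt(String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        // doFinal throws AEADBadTagException if the IV or ciphertext was modified
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }
}
```

Because the key size is chosen at construction time, data encrypted on a server with the unlimited policy (256-bit key) will not decrypt on one without it, so pin the size via configuration once you have decided on AES-128 rather than letting each server pick.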

Related

JMeter Oauth 1.0 support

I need to test integration with 3rd party using OAuth 1.0.
I didn't find any working solution except OAuthSampler, which is marked as deprecated and states:
Does not work with JMeter v3.2+.
In JMeter 3.1 Plugin Manager it's marked as deprecated,
Can I still use it in JMeter 3.1 and how? Is there a working solution for sending OAuth 1.0 requests?
Is the main problem of the plugin its use of the deprecated Base64Encoder?
OAuth has too many faces, therefore I doubt the plugin has ever worked. The best way is reaching out to your application developers; if you are lucky enough you will get a relevant OAuth client library and a code snippet which will produce the required token. If not, you will at least have the Consumer Key and Consumer Secret, which you can use for building up the proper OAuth login sequence and the necessary signature method (as OAuth requests can be signed using different algorithms).
See How to Run Performance Tests on OAuth Secured Apps with JMeter for more detailed explanation, approaches to bypass OAuth login challenges and code snippets.
Yes, you can use it in JMeter 3.1. The reasons many plug-ins do not work with JMeter 3.2 are outlined in the Incompatible changes section. The most important reasons are:
Logging changes - this is the most popular reason for plug-ins to break. And looking at OAuthSampler, it seems the likely reason for this plug-in as well.
Java 8 version requirement. Could be a problem for some libs.
It's also not too hard to convert the sampler to be 3.2 friendly (remove logging completely, or change it to use the new standard methods), so you could do that from the OAuthSampler source code. You can also use the script solution described here.

Directory traversal attack on SpringBoot

I'm currently working on a project, and my client has run a vulnerability scan on my application with the Acunetix tool, and it has given him an alert about a directory traversal attack.
The vulnerability was detected on my static folder that contains all the js/css/images folders. I've used Spring Security to deny access to those folders, but the filter also blocked access from inside the app: no style or JS script can be loaded with this approach.
I've found on the internet that users of the Spring Framework should update the version, but I'm using Spring Boot and I think it's still affected by this vulnerability.
How can I fix this problem?
Thanks in advance.
Please check out the Pivotal Security page to:
determine if this vulnerability has already been fixed
send a repro project to the security team using the email address provided on that page
Note that vulnerability scanners often get things wrong, so just joining a generated report will likely be a false positive.

Secure REST services using OAuth with Spring Boot?

How to secure REST services (OAuth) with Spring Boot?
The closest I can get is:
http://spring.io/guides/gs/securing-web/
http://spring.io/guides/gs/authenticating-ldap/
You could add the OAuth2AuthenticationProcessingFilter pretty easily to a Boot app. The closest sample would probably be the spring-boot-sample-secure, since it explicitly adds a WebSecurityConfigurerAdapter, which is what you'd have to do. There is no native autoconfiguration support for OAuth in Spring Boot yet (but please feel free to add it). It is on the roadmap, but unlikely to get a lot of attention unless more people ask for it.

How to enforce 256-bit encryption on personal information

We are building a Rails application and one of our clients had asked if we are using industry-standard 256-bit encryption to ensure the confidentiality of personal information.
Are there any gems which can be used to enforce this?
First, enforce the use of SSL in Rails. A good summary of how to do this can be found at http://www.simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/
Second, you have to configure your web server so that it forces clients to use AES-256 for secured connections. If you are using Apache, you might start reading here: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
That should be about it.

Retrieve NTLM Active Directory user data to Rails w/o IIS

I believe that we can allow Firefox to send NTLM data to SharePoint sites to do automatic authentication, and I think that this is doable with IIS.
I'd like to do the same thing with an internal Rails site.
Does anyone know of a way that I could authenticate NTLM-type user information through an Apache/Mongrel setup (provided of course that it's already running on a Windows box inside of an Active Directory domain)?
I created a tutorial on how to install the patched mod_ntlm module for Apache on Linux, how to pass the NTLM-authenticated username to Rails, and how to create a Rails session from that. So as a result you do not need a Windows server for running the Rails application.
There you can find also how to enable automatic NTLM authentication in Firefox — enter "about:config" in location field and then search for "network.automatic-ntlm-auth.trusted-uris". There you can enter servers for which you would like to use automatic NTLM authentication.
Bit of extra info in case anyone stumbles across this.
I wanted to do something which I thought should be pretty simple: extract the user's Windows username using NTLM from a Rails app running on Mongrel/Windows (InstantRails actually). Having written the basic code to manage the various handshaking operations (using the great NTLMRuby library at http://rubyforge.org/projects/rubyntlm/) and having got it to work wonderfully in Firefox, I was somewhat frustrated to find IE not working.
Mongrel doesn't support keep-alives during the type1/2/3 message exchange (at least natively, I believe there's a hack/fix for it), which IE demands and Firefox gets by without.
So authenticating a Rails server running on Windows against a remote NTLM service (e.g. SharePoint or another web site) is reasonably straightforward, but authenticating an IE browser against a Rails server running on Windows is not so much with Mongrel. IIS would be an option, as might be basic Apache with FastCGI. The former feels a bit clunky and the latter won't be as fast as Mongrel.
I'm assuming you've already worked out which HTTP headers you need to send in order to get firefox and IE to send back the NTLM authentication stuff, and are just needing to handle that on the server side?
You could use some of ruby's win32 libraries to access the underlying windows authentication functions which handle the NTLM.
I'd suggest the path of least resistance might be to see if there is a COM component which can do the authentication for you, and if so, to use it using the Win32OLE ruby library.
If there's no COM component, you might be able to find something in one of those other libraries which can invoke the native win32 methods for you.
If you can't find that, you'd have to write a Ruby C extension. I've done this on Linux, and extending Ruby is pretty easy, but you may find the Microsoft authentication APIs a bit painful.
Hope that gets you started on the right track :-)
You could also use the Apache ntlm module, which should pass a header onwards to your application with the username of the authenticated user. That module looks a bit old, but suggests some other modules that may suit your needs.
Old question I know but I came across this looking for a similar answer.
You could use the methods described here (http://blog.rayapps.com/2008/12/02/ntlm-windows-domain-authentication-for-rails-application/). However, mod_ntlm is for Windows authentication on a UNIX/Linux machine. mod_auth_sspi is what you'll need for winNT authentication from Apache under Windows.
This particular project looks promising and is looking for contributors:
Rack middleware for transparent authentication with NTLM.
I haven't yet tried this out. For the moment I plan on implementing Raimonds' solution as it appears to have a lot of success.
Check out Waffle. It provides SSO on Windows to Java servers using the Win32 API. There are a number of implemented filters (servlet, Tomcat valve, spring-security).