Iasi code camp 20 april 2013 windows authentication-spring security -kerberos

•Download as PPTX, PDF•

1 like•519 views

This document provides an overview and agenda for a presentation on integrating Spring Security with Kerberos authentication. The presentation covers authentication concepts, an overview of Kerberos, how Spring Security implements authentication using filters and managers, and provides a code example of integrating Kerberos authentication with Spring Security.

Technology Business

A bridge between two worlds:
Spring Security & Kerberos
Claudiu Stancu

•Me & the other me
•Security concepts
•Kerberos
•All together
•Code time
Agenda
3

IN YOUR ZONE
About me…
4
Development Discipline Lead at Endava

IN YOUR ZONE
Security concepts – Data types
6
PUBLIC PRIVATE
CONFIDENTIAL SECRET

IN YOUR ZONE
Authentication
7
“The process of verifying that the users of our application
are who they say they are”

IN YOUR ZONE
Authentication
8
Credentials Based

IN YOUR ZONE
Authentication
9
Biometrics Authentication

IN YOUR ZONE
Authentication
10
Two factor authentication

IN YOUR ZONE
Authentication
11
• Browser certificates
• Single Sing On
• Hardware authentication

IN YOUR ZONE
Authorization
12
Assign authenticated Principals to one or more Roles
Assign the Principal’s Role(s) to secured resources

IN YOUR ZONE
Spring Security
13
Servlet Filters
Delegation

IN YOUR ZONE
Spring Security – Filters
14
o.s.s.web.context.SecurityContextPersistenceFilter
o.s.s.web.authentication.logout.LogoutFilter
o.s.s.web.authentication.UsernamePasswordAuthentication
o.s.s.web.session.SessionManagementFilter
Secured Resource
Request Response

IN YOUR ZONE
Spring Security – Fundamentals
15
Security Interceptor
Authentication
Manager
Access Decision
Manager
Run-As
Manager
After-Invocation
Manager

IN YOUR ZONE
Spring Security – Authentication Manager
16
Authentication
Manager
Provider
Manager
LDAP
Authentication
Provider
CAS
Authentication
Provider
Kerberos
Authentication
Provider
DAO
Authentication
Provider
Remember Me
Authentication
Provider

IN YOUR ZONE
Spring Security – Access Decision Manager
17
Affirmative Based
Abstract
Decision Voter
Access Decision
Manager
Abstract Access
Decision
Manager
Consensus Based Unanimous Based Role Voter
Access Decision Manager Grant / Deny access?
Affirmative based At least one voter grant access
Consensus based Majority grant access
Unanimous based If all voters grant access

IN YOUR ZONE
Kerberos
19
{cstancu, 192.168.1.2}
SessionKey1
TGT
TGT
SessionKey1

IN YOUR ZONE
Kerberos
20
{SessionKey1}
Authenticator TGT
{SessionKey2}
Authenticator
Mail Ticket
{SessionKey2}
ok
TGT
SessionKey1
Mail Ticket
{SessionKey1}
SessionKey2
Mail Ticket
SessionKey2

IN YOUR ZONE
All together
21
(1)HTTP GET resource.html

IN YOUR ZONE
All together
22
(3) Kerberos TGS_REQ

IN YOUR ZONE
All together
23
(5)HTTPGETAuthorization
Negotiate w/SPNEGO Token
(6) HTTP 200 – OK
resource.html

IN YOUR ZONE 26
Claudiu Stancu | Development Discipline Lead

This document discusses strategies for protecting against web application attacks. It begins by outlining common attack vectors like exploiting vulnerabilities in content management systems and SQL injection. It then describes hacker reconnaissance methods such as crawling target websites, mass vulnerability scanning, using open forums, and the dark web. The document proceeds to explain how attacks can escalate privileges and maintain access. Finally, it provides recommendations for remediation strategies like securing code, implementing access management policies, adopting patch management, understanding service provider security models, implementing monitoring and staying informed of latest vulnerabilities.

Realities of Security in the Cloud

Alert Logic

This document discusses security challenges in the cloud and Alert Logic's approach to addressing them. It begins by outlining various security services needed in the cloud like monitoring, scanning, and access management. It then describes a hypothetical attack scenario against a web application to illustrate how an attacker may progress from reconnaissance to gaining a persistent foothold. It evaluates what security tools would provide visibility into each stage of the attack. The document concludes by describing Alert Logic's integrated security model which combines infrastructure and application threat visibility, security analytics, and human experts to detect threats across cloud, hosted, and on-premises environments.

20 common security vulnerabilities and misconfiguration in Azure

Cheah Eng Soon

This document outlines 20 common security vulnerabilities and misconfigurations in Microsoft Azure. It discusses issues such as storage accounts being publicly accessible, lack of multi-factor authentication, insecure guest user settings, and features like Azure Security Center and Network Watcher being disabled by default. The document is intended to educate users on important security best practices for securing resources and configurations in Azure.

Azure Penetration Testing

Cheah Eng Soon

Security in Design of Cloud Application

Rafal Korszun

Security Implications of the Cloud - CSS Dallas Azure

Alert Logic

The document summarizes the security implications of cloud computing. It notes that web application attacks are now the number one source of data breaches, but less than 5% of security budgets are spent on application security. It discusses how risks are moving up the application stack as vulnerabilities can be introduced through code changes and dependencies. Defending web applications and workloads in the cloud is complex due to a wide range of attacks at every layer of the stack and a shortage of security expertise. It then provides an example of a data exfiltration attack against a retail company where an attacker exploited known PHP flaws to access critical systems and steal data over 4 months without detection.

Stories from the Security Operations Center

Alert Logic

The document summarizes stories from a security operations center, including examples of initial attacks on WordPress sites through XMLRPC vulnerabilities and subsequent SQL injection attacks. It discusses how web application attacks have become more prevalent as organizations increasingly rely on open source and web apps, and these attacks can enable large scale breaches if not detected early. The document also provides an overview of how Alert Logic detects threats through network monitoring, log collection and analysis, and web application firewalls.

Jenkins Terraform Vault

Shrivatsa Upadhye

The 3 Muskeeters: Jenkins Terraform Vault: Deploying applications securely in multi-cloud environments can get overwhelming very quickly. This is where Infrastructure as code comes to your rescue. You might be already looking at Terraform or better yet, using it. In this talk, we will learn how to secure your Cloud and application keys with "Vault" and extend that to integrate with Jenkins and Terraform. This would allow the DevOps engineer to truly "build, test, deploy, manage and secure" the infrastructure from one place. We will look at a quick demo of these 3 tools working together and understand some of the best practices around them.

1) The Equifax cyber attack compromised the personal information of around 143 million customers by exploiting a vulnerability in the Apache Struts framework that allows remote code execution. 2) The attack occurred from mid-May to July 2017 before it was detected, and shaved $4 billion off Equifax's market capitalization, around 25% of its total value. 3) Using containers may have helped prevent the Equifax attack by isolating vulnerable applications and limiting an attacker's ability to access additional internal resources and exfiltrate sensitive personal information if the vulnerable web application was contained.

Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft

Alert Logic

This document provides an overview of Microsoft Azure's security posture and capabilities. It discusses how Azure is designed to detect security threats using monitoring and machine learning, rapidly respond to incidents, and protect customer data and infrastructure across the cloud platform. Key security controls for Azure include secure multi-tenancy, network protection, data encryption, identity and access management, and the Azure Security Center for centralized security management. The document also emphasizes Microsoft's commitments to transparency, compliance with regulations, and empowering customers to control their security.

The Changing Landscape of Information Security

DevSecOpsSg

Reducing Your Attack Surface

Alert Logic

The document discusses reducing attack surfaces in cloud environments. It notes that understanding your attack surface is critical for deploying proper security controls as attack surfaces differ between cloud and on-premises environments. It also states that web application attacks are now the leading cause of data breaches but less than 5% of security budgets are spent on application security. Common cloud misconfigurations are also discussed as a major risk factor.

WSO2Con EU 2016: Securing APIs: How, What, Why, When

WSO2

Businesses today are rapidly moving from being service enabled to being API enabled. Moving into the world of APIs brings with it its own set of complexities and challenges that are tough to tackle. API security is a key area to be focusing your engineering efforts on. This talk will focus on various security protocols that are available and on leveraging the extensive feature set and extensible nature of the WSO2 platform to secure your APIs.

Alternatives and Enhancements to CAs for a Secure Web

CASCouncil

Node JS reverse shell

Madhu Akula

Privacy Preserving Searchable Encryption with Fine-grained Access Control

JAYAPRAKASH JPINFOTECH

Extending Amazon GuardDuty with Cloud Insight Essentials

Alert Logic

The presentation discusses Alert Logic's Cloud Insight Essentials, which provides automated exposure and vulnerability management for AWS. It integrates with Amazon GuardDuty to provide centralized visibility of AWS assets, identify configuration flaws, and offer immediate remediation advice. Cloud Insight Essentials allows customers to take action sooner on threats in their AWS environments and prevent future compromise through continuous checks and prioritized remediation recommendations with no footprint on AWS. A demo of the product is provided and customers can start a 30-day free trial from the AWS Marketplace.

Cloud Native Security: New Approach for a New Reality

Carlos Andrés García

Tsvi Korren, VP of Product Strategy at Aqua Security CISSP, has been an IT security professional for over 25 years. In previous positions at DEC and CA Inc., he consulted with various industry verticals on the process and organizational aspects of security. As the VP of Product Strategy at Aqua, he is tasked with delivering commercial and open source solutions that make Cloud Native workloads the most secure, compliant and resilient application delivery platform.

Managed Threat Detection and Response

Alert Logic

This document discusses Alert Logic's Security-as-a-Service offering which provides an integrated multi-layer security solution to protect enterprise applications and cloud workloads across hosted data centers and hybrid environments. It protects against web application attacks, server and network activity, and vulnerabilities across software stacks. Alert Logic also provides security experts and services including assessment, blocking, detection, and compliance. The document then discusses best practices for securing an AWS environment including logical network segmentation, access management, configuration management, and understanding the shared responsibility model between cloud providers and customers.

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

Alert Logic

The document discusses strategies for protecting web applications from security threats. It begins by examining the types of attacks organizations face, including application attacks, brute force attacks, and suspicious activity. It then covers hacker reconnaissance methods such as crawling websites, using vulnerability scanners, and searching open forums and the dark web. The document outlines how attacks can escalate from exploiting web applications to gaining privileged access. It concludes by providing recommendations for developing a secure code, access management policies, patch management, monitoring strategies, and staying informed of the latest vulnerabilities.

Reality Check: Security in the Cloud

Alert Logic

This document discusses security in the cloud and recommends best practices. It notes that while AWS provides many security tools, customers are still responsible for 95% of security failures due to human error. It then outlines various attack types like SQL injection and remote code execution that target web applications. The document recommends leveraging machine learning and multiple detection techniques to identify multi-stage attacks. It emphasizes the need to secure the entire attack surface, including on-premises environments, and highlights services like Alert Logic that provide 24/7 monitoring, analytics, and security experts to help detect and respond to threats.

Extending Amazon GuardDuty with Cloud Insight Essentials

Alert Logic

This document discusses the importance of detection in security and introduces Alert Logic Cloud Insight Essentials. It notes that it takes companies on average 6 months to detect an intrusion. The essentials of security require continuous monitoring, accurate detection, and centralized management. Cloud Insight Essentials provides automated exposure and vulnerability management for AWS that extends GuardDuty findings. It offers visibility, identifies configuration flaws, and provides remediation advice. Cloud Insight Essentials integrates with AWS APIs for no-touch automation and a REST API for integration. It allows taking action sooner on threats with context and prioritized recommendations.

CSS 17: NYC - Stories from the SOC

Alert Logic

DevSecOps: The Open Source Way for CloudExpo 2018

Gordon Haff

DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats. The extensive use of modular open source software from third-parties, distributed development teams, and rapid iterative releases require a commitment to security and the adoption of security approaches that are continuous, adaptive, and heavily automated. In this session, Red Hat Technology Evangelist Gordon Haff look at successful practices that distributed and diverse teams use to iterate rapidly. While still reacting quickly to threats and minimizing business risk. I'll discuss how a container platform can serve as the foundation for DevSecOps in your organization. I'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, I'll show ways by which automation and repeatable trusted delivery of code can be built directly into a DevOps pipeline.

CSS 17: NYC - Realities of Security in the Cloud

Alert Logic

Compute Security - Host Security

Eng Teong Cheah

This document discusses various compute security topics for hardening endpoints and hosts, including using Azure Security Center to protect endpoints from attacks, implementing privileged access workstations, creating virtual machine templates to improve consistency and security, and how Security Center provides recommendations for security settings, updates, and threat detection. It also mentions demonstrating Azure Firewall and provides a reference link for further information.

News Bytes - December 2015

n|u - The Open Security Community

An Instagram researcher hacked the Instagram server and accessed employee credentials. Juniper firewalls contained an unauthorized code backdoor since 2012. A 19-year-old hacked an airline's website and stole $150,000 by selling fake tickets. 13 million MacKeeper users had their data exposed in an unsecured database. Anonymous declared war on Donald Trump by DDoSing his websites. A Linux vulnerability allowed hacking by pressing backspace 28 times to exploit the Grub2 bootloader.

Configuration Auditing

Albert Campa

This document discusses configuration auditing and summarizes key points: - Configuration auditing involves scanning systems to check for compliance with hardening guides and identify unauthorized changes through agent-based or agentless methods. - Audits should check compliance with standards like DISA, CIS and custom guides, and audit operating systems, services, databases and other configurations. - Tools like Nessus and CIS audit files can be used to perform the audits and generate reports on compliance and non-compliance. - Reports should be tailored based on organizational policies and provide trends over time to track remediation of issues found.

Iasi codecamp 20 april 2013 scrum- agile measurements-dan nicola

Codecamp Romania

Iasi codecamp 20 april 2013 it–a career a life sweat smiles and cries –andrei...

Codecamp Romania

The document discusses the IT industry in Iasi, Romania. It notes that the Iasi IT industry employs over 4,000 professionals, generates over 100 million Euros per year, and includes over 200 companies. Some of the key factors that have contributed to the growth of the IT industry in Iasi include its location, the availability of technical education programs, the transition to capitalism in Romania, multilingual workforce, lower costs compared to Western Europe, and that the industry is still relatively young with potential for continued growth.

What's hot

Equifax cyber attack contained by containers

Aqua Security

Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft

Alert Logic

The Changing Landscape of Information Security

DevSecOpsSg

Reducing Your Attack Surface

Alert Logic

WSO2Con EU 2016: Securing APIs: How, What, Why, When

WSO2

Alternatives and Enhancements to CAs for a Secure Web

CASCouncil

Node JS reverse shell

Madhu Akula

Privacy Preserving Searchable Encryption with Fine-grained Access Control

JAYAPRAKASH JPINFOTECH

Extending Amazon GuardDuty with Cloud Insight Essentials

Alert Logic

Cloud Native Security: New Approach for a New Reality

Carlos Andrés García

Managed Threat Detection and Response

Alert Logic

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

Alert Logic

Reality Check: Security in the Cloud

Alert Logic

Extending Amazon GuardDuty with Cloud Insight Essentials

Alert Logic

CSS 17: NYC - Stories from the SOC

Alert Logic

DevSecOps: The Open Source Way for CloudExpo 2018

Gordon Haff

CSS 17: NYC - Realities of Security in the Cloud

Alert Logic

Compute Security - Host Security

Eng Teong Cheah

News Bytes - December 2015

n|u - The Open Security Community

Configuration Auditing

Albert Campa

What's hot (20)

Equifax cyber attack contained by containers

Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft

The Changing Landscape of Information Security

Reducing Your Attack Surface

WSO2Con EU 2016: Securing APIs: How, What, Why, When

Alternatives and Enhancements to CAs for a Secure Web

Node JS reverse shell

Privacy Preserving Searchable Encryption with Fine-grained Access Control

Extending Amazon GuardDuty with Cloud Insight Essentials

Cloud Native Security: New Approach for a New Reality

Managed Threat Detection and Response

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

Reality Check: Security in the Cloud

Extending Amazon GuardDuty with Cloud Insight Essentials

CSS 17: NYC - Stories from the SOC

DevSecOps: The Open Source Way for CloudExpo 2018

CSS 17: NYC - Realities of Security in the Cloud

Compute Security - Host Security

News Bytes - December 2015

Configuration Auditing

Viewers also liked

Iasi codecamp 20 april 2013 scrum- agile measurements-dan nicola

Codecamp Romania

Iasi codecamp 20 april 2013 it–a career a life sweat smiles and cries –andrei...

Codecamp Romania

Georges Chitiga - Introduction to Phonegap - HTML5 & JS to native mobile app

Codecamp Romania

- PhoneGap allows developers to build mobile apps using HTML, CSS, and JavaScript and deploy them across various mobile platforms like iOS, Android, Blackberry, etc. with one codebase. - The PhoneGap API allows access to device features like the camera through JavaScript. Developers can take photos, access photos, and more through the PhoneGap API. - The PhoneGap documentation provides information on using the PhoneGap API to access device features like the camera through options like quality, destination type, and more.

Alex lakatos state of mobile web

Codecamp Romania

The document discusses building mobile web applications. It provides details on mobile hardware specifications in India, including the Intex Cloud FX phone. It lists various web APIs that can be used to build hosted, privileged, and certified mobile apps, such as the vibration, geolocation, and contacts APIs. The document encourages testing apps using Mozilla resources and simulators and concludes by thanking the audience.

Jozua velle + silviu luca dev ops

Codecamp Romania

This document discusses DevOps and the collaboration between development and operations teams. It presents the traditional siloed structure between dev and ops and the benefits of breaking down those silos. Key aspects of DevOps covered include automation, measurement, sharing culture and a customer-centric mindset. The document recommends tools to implement continuous integration, deployment and monitoring in a DevOps workflow.

Alex carcea, radu macovei a story of how java script joined the big league

Codecamp Romania

This document introduces WebSockets and how they enabled real-time communication on the web. It discusses the limitations of HTTP for real-time applications and how earlier technologies like polling tried to solve this problem. WebSockets provide a standardized solution through a full-duplex protocol that avoids header overhead and allows for persistent connections. The document demonstrates how to use the WebSocket API in JavaScript and introduces common WebSocket client libraries.

Iasi codecamp 20 april 2013 sponsors 5 minutes presentations

Codecamp Romania

This document provides information about several companies: Embarcadero Technologies - A software company that develops tools for application development. The document discusses its history, products, and future plans to expand into data governance and multi-device application development. Levi9 - An IT services company with offices in Romania, Serbia, Ukraine, and the Netherlands. The document outlines the types of work developers and testers would do there, the technologies used, and benefits of working there. Continental - A large automotive company with operations in Romania. The document briefly highlights Continental's presence in Romania. TeamNet International - An IT integrator in Romania that has experienced significant revenue growth. The document shares details about the

Ciprian ouatu asertivitate - comportament si comunicare

Codecamp Romania

Viewers also liked (8)

Iasi codecamp 20 april 2013 scrum- agile measurements-dan nicola

Iasi codecamp 20 april 2013 it–a career a life sweat smiles and cries –andrei...

Georges Chitiga - Introduction to Phonegap - HTML5 & JS to native mobile app

Alex lakatos state of mobile web

Jozua velle + silviu luca dev ops

Alex carcea, radu macovei a story of how java script joined the big league

Iasi codecamp 20 april 2013 sponsors 5 minutes presentations

Ciprian ouatu asertivitate - comportament si comunicare

Similar to Iasi code camp 20 april 2013 windows authentication-spring security -kerberos

Foundations of cloud security monitoring

Moshe Ferber

Exploring Advanced Authentication Methods in Novell Access Manager

Novell

Novell Access Manager provides many different levels of authentication beyond a simple user name and password. In this session, you will learn about its more advanced methods of authentication—from emerging standard like OpenID and CardSpace to tokens and certificates. Attendees will also see a demonstration of FreeRADIUS and the Vasco Digipass with Novell eDirectory, the Vasco NMAS method and an Access Manager plug-in that provides SSO to Web applications that expect a static password.

Indianapolis Splunk User Group Dec 22

WesComer2

ZKorum: Building the Next Generation eAgora powered by SSI

SSIMeetup

The immense potential unlocked by SSI in content-centric social networks (forums) is largely unaddressed by the recent wave of decentralized social networks. Enter ZKorum - a network of verifiable communities where members create anonymous polls and discussions. In this episode, Nicolas Gimenez, the Co-Founder and CTO of ZKorum, unveils the Alpha version and delves into its architecture, drawing inspiration from SSI, DWeb, and Password Managers.

Finding Security a Home in a DevOps World

Shannon Lietz

Keeping Secrets on the Internet of Things - Mobile Web Application Security

Kelly Robertson

This document summarizes an information security presentation about keeping secrets in the Internet of Things era. It discusses increasing vulnerabilities and dependencies, limitations of current security approaches, and motivations for lack of trust. It then covers secure software development best practices including threat modeling techniques. Lastly, it discusses solutions for organizations and end users, including encryption, authentication, firewalls, intrusion detection and more. Specific examples of security breaches like Heartbleed, Snapchat, and PlaceRaider are also summarized.

Application security meetup - cloud security best practices 24062021

lior mazor

Hacking mobile apps

kunwaratul hax0r

Securing Your MongoDB Deployment

MongoDB

Security is more critical than ever with new computing environments in the cloud and expanding access to the internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. We'll walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Topics will include general security tools and how to configure those for MongoDB, an overview of security features available in MongoDB, including LDAP, SSL, x.509 and Authentication.

Ransomware: Mitigation Through Preparation

Hostway|HOSTING

Ransomware attacks are a growing threat. Zerto provides a virtual replication solution that allows recovery of encrypted files and applications within minutes through continuous replication of changes at the block level. The presentation demonstrated how Zerto can minimize the impact of a ransomware infection by recovering files from seconds before encryption occurred. It also discussed how Zerto helps users prove compliance with regulations by enabling testing and reporting of disaster recovery capabilities.

Shifting security left simplifying security for k8s open shift environments

LibbySchulze

This document discusses securing secrets in Kubernetes. It describes how attackers were able to hijack cloud resources by accessing unprotected credentials stored in a Kubernetes console. It then provides recommendations for securely managing secrets, including using Conjur to establish identity for applications and enforce authorization. It outlines best practices like regularly rotating secrets and removing hard-coded credentials. The document also describes how Conjur can integrate with Kubernetes to verify application identities and issue credentials without exposing secrets.

Simplicity in Hybrid IT Environments – A Security Oxymoron?

Tripwire

Most businesses operate on cloud-based and on-premises servers. This hybrid environment allows for easy access to important data but often creates complexity in properly managing and securing your assets. Now consider IoT devices on your network, and this hybrid environment becomes nearly impossible to maintain. Scott Crawford, Research Director at 451 Research, and David Meltzer, Chief Technology Officer at Tripwire, discuss how to simplify modern network complexities with essential security controls.

Attacking and Defending Mobile Applications

Jerod Brennen

Security Considerations for Microservices and Multi cloud

Neelkamal Gaharwar

Cloud security what to expect (introduction to cloud security)

Moshe Ferber

This document provides an overview of cloud security presented by Moshe Ferber, a certified cloud security professional. It introduces cloud computing models including SaaS, PaaS, and IaaS. For IaaS, the document discusses that while the underlying infrastructure is managed by the cloud provider, customers are responsible for the security of guest operating systems, applications, and data. It also covers key IaaS security considerations like virtual machine access control, network visibility limitations, and the division of security responsibilities between customers and providers.

IoT Security in Action - Boston Sept 2015

Eurotech

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

SecuRing

OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.

Ten Commandments of Secure Coding

Mateusz Olejarka

Securing the cloud

ZIONSECURITY

Whole Process PPT of LC-Latest.pptx

LearningChain

Similar to Iasi code camp 20 april 2013 windows authentication-spring security -kerberos (20)

Foundations of cloud security monitoring

Exploring Advanced Authentication Methods in Novell Access Manager

Indianapolis Splunk User Group Dec 22

ZKorum: Building the Next Generation eAgora powered by SSI

Finding Security a Home in a DevOps World

Keeping Secrets on the Internet of Things - Mobile Web Application Security

Application security meetup - cloud security best practices 24062021

Hacking mobile apps

Securing Your MongoDB Deployment

Ransomware: Mitigation Through Preparation

Shifting security left simplifying security for k8s open shift environments

Simplicity in Hybrid IT Environments – A Security Oxymoron?

Attacking and Defending Mobile Applications

Security Considerations for Microservices and Multi cloud

Cloud security what to expect (introduction to cloud security)

IoT Security in Action - Boston Sept 2015

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

Ten Commandments of Secure Coding

Securing the cloud

Whole Process PPT of LC-Latest.pptx

More from Codecamp Romania

Cezar chitac the edge of experience

Codecamp Romania

This document discusses experience and decision making through three case studies. In Case I, decisions were made hastily under time constraints, resulting in fragile code. Case II involved choosing a database, where Cassandra proved better than the initial choice of MySQL. Case III showed benefits of thorough understanding and high test coverage leading to better outcomes. The conclusion advocates questioning assumptions, respecting experience stages, and using diverse teams to gain different perspectives for improved decision making at the "edge of experience."

Cloud powered search

Codecamp Romania

This document discusses cloud powered search using Azure Search. It begins with an introduction to search engines and how they work using indexing and relevance scoring. Lucene is presented as an example open source search library. The document then covers how Azure Search works as a managed search service, including indexing data from sources like SQL databases, performing CRUD operations, querying, filtering, faceting and highlighting results. Scaling and storage capabilities of Azure Search are also discussed. Examples of using Azure Search for online retail/ecommerce and user generated content are provided.

Ccp

Codecamp Romania

This document discusses important leadership concepts for junior developers to understand early in their careers, including: - Leadership is not defined by formal authority but by influence through trust, communication, and belonging. - As a junior, constantly contributing to the team and product, communicating when extra support is needed, and understanding the bigger picture can help you develop leadership skills. - Small actions can have ripple effects, so it's important to consider how your work may impact others.

Business analysis techniques exercise your 6-pack

Codecamp Romania

Cristian Leon presents six techniques that business analysts can use to better perform their role: (1) Planning, such as using a requirements management plan and RACI matrix; (2) Listening actively to stakeholders; (3) Mind mapping and brainstorming to map concepts; (4) Analyzing requirements using techniques like MoSCoW prioritization; (5) Creating artifacts like user stories with details like acceptance criteria; and (6) Keeping requirements visible and understood by stakeholders through ongoing communication. The presentation aims to help business analysts and those wanting to be analysts exercise their "6-pack" of analysis skills.

Bpm company code camp - configuration or coding with pega

Codecamp Romania

This document discusses configuration vs coding in Pega and provides an overview of the Pega platform. It introduces the presenters and describes what is needed to run Pega including an operating system, application server, and database. The Pega environment is modeled and executes flows using a business rules engine and rules are assembled into Java at runtime. Situational processes are built in frameworks and specialized in frameworks and implementations. Directly capturing objectives can model processes, close the gap between business and IT, and automatically transform objectives into executable Java to automate work.

Andrei prisacaru takingtheunitteststothedatabase

Codecamp Romania

This document outlines an agenda for a presentation with 5 chapters covering contact information, tools for database development and testing, usage of those tools, providing proof of their effectiveness, and closing with a question and answer session. Chapter 1 discusses issues with database development. Chapter 2 introduces tools to help solve problems. Chapter 3 demonstrates creating database and unit test projects, adding tests, and testing transactional behavior. Chapter 4 discusses proving the value of these tools. Chapter 5 allows for questions.

Agility and life

Codecamp Romania

The document discusses agility in life and relationships on micro and middle levels. It argues that an agile approach to life involves experimentation, trust, giving freedom and space to others, focusing on solutions rather than blame, and prioritizing value to "customers" like family and friends through continuous effort. Key aspects of agility include diversity, shared goals, responsibility, courage to change, and appreciating different perspectives. Applying agile principles like experimentation, trust and encouragement can help people and teams grow.

2015 dan ardelean develop for windows 10

Codecamp Romania

This document provides an overview and agenda for developing Windows 10 apps, covering topics like the new Windows Core, universal app platform, app-to-app communications enhancements, and the Action Center for managing notifications. It demonstrates new controls like the RelativePanel and MonthCalendar, and how to use the SplitView control. It also shows how to check for capabilities, target platform versions, and use platform extensions.

The bigrewrite

Codecamp Romania

The document discusses the challenges of deciding whether to rewrite an existing codebase from scratch or work with the legacy code. It outlines reasons for not working with the existing code, such as missing documentation or tools. It also notes potential issues with rewriting from scratch, such as the impact on other teams and office politics. The document recommends starting by automating infrastructure and tests, learning the essential business concepts, and trying to introduce incremental changes to the legacy code before deciding to fully rewrite it.

The case for continuous delivery

Codecamp Romania

The document discusses the benefits of adopting continuous delivery (CD) principles for software development. It outlines how CD can (1) create a repeatable, reliable release process that automates tasks, (2) empower teams through shared responsibility and increased collaboration, and (3) provide business value through faster feedback, consistent processes, and lower costs. While initial costs may increase for training and new tools, CD can ultimately shift costs from releases to other activities and deliver software faster. The document provides a sample deployment pipeline and maturity model, and discusses managing expectations for change when adopting CD practices.

Stefan stolniceanu spritekit, 2 d or not 2d

Codecamp Romania

Sizing epics tales from an agile kingdom

Codecamp Romania

The knights in the Agile Kingdom faced challenges sizing epics due to their variable size, complexity, and uncertainty. They developed two recipes - the Blue Recipe which involved planning poker and multiplication, and the Green Recipe which broke down an epic into user stories first. However, neither scale worked well for very large epics. They adapted by using a recently sized existing epic as a benchmark and rescaling. This allowed them to estimate the sizes of three sample epics as 5, 8, and 20 epic points, providing high-level sizing while addressing the issues of comparing variable epics.

Scale net apps in aws

Codecamp Romania

This document discusses how to auto scale .NET applications in Amazon Web Services. It covers key concepts like scalability versus auto scaling, using a load balancer and solving session issues for web applications, and monitoring applications to enable auto scaling. The document provides an example of scaling an application from 2 web servers and 3 application servers in 2012 to 3 SQL servers and more elastic resources like SQS and ElastiCache by 2015. It also discusses best practices for auto scaling like using out-of-process sessions, log collection, and setting CloudWatch alarms to trigger auto scaling rules.

Raluca butnaru corina cilibiu the unknown universe of a product and the cer...

Codecamp Romania

The document discusses different types of unknowns that can exist for a product including the unknown universe of the product, the certainty nebula, and the unknown unknowns. It also mentions requirements, coding, design, testing, end users, and arrogance. The bottom of the document provides some additional short phrases and includes a link to a Forbes article about what factors can impact companies.

Parallel & async processing using tpl dataflow

Codecamp Romania

This document discusses parallel and asynchronous processing using the Task Parallel Library (TPL) Dataflow. It introduces dataflow as an actor-based programming model for creating data processing pipelines with in-process message passing. TPL Dataflow provides blocks like SourceBlock, TargetBlock, and PropagatorBlock that can be composed into pipelines. It offers benefits like effortless use of multithreading and performance boosts. Examples of where dataflow is useful include robotics, manufacturing, imaging, biology, oil and gas, and finance.

Material design screen transitions in android

Codecamp Romania

This document discusses different techniques for animating screen transitions between Android activities. It covers 8 stages: 1) the default animation, 2) measuring views, 3) removing defaults, 4) setting initial positions, 5) animating to the final position, 6) reversing the animations, 7) using Lollipop screen transitions, and 8) setting custom content entrance and exit transitions. Code examples are provided for each stage and the full code is available on GitHub.

Kickstart your own freelancing career

Codecamp Romania

The document provides tips for starting a freelancing career with no clients or experience. It recommends experimenting daily until finding a client ("getting the fish"), using sites like HackHands and UserTesting to find and attract clients, treating each project like driving a taxi where the goal is to start moving and find a solution, putting the client's needs first with fast responses and over-delivering on promises, genuinely caring about client success, and maintaining high standards while also enjoying financial prosperity.

Ionut grecu the soft stuff is the hard stuff. the agile soft skills toolkit

Codecamp Romania

Ecma6 in the wild

Codecamp Romania

The document discusses ECMAScript 6 (ES6), the next version of JavaScript. It summarizes the new features in ES6 like classes, block scope, arrow functions, and spread/rest operators. It describes the speaker's experience using ES6 in a project since December 2014 by transpiling ES6 code to ES5 using Babel. Key challenges discussed are the learning curve to adopt new syntax and convincing teammates. Features currently used in the project are listed as arrow functions, let, template strings, and default parameters. The document concludes by noting the need to keep adapting to new standards released annually and resources for learning more about ES6 and ES7.

Diana antohi me against myself or how to fail and move forward

Codecamp Romania

This document discusses mindset and how beliefs about intelligence and ability can impact learning and growth. It describes the differences between a fixed mindset, where intelligence is seen as static, and a growth mindset, where intelligence is viewed as malleable. A growth mindset believes that effort and practice can improve abilities over time. The document encourages adopting a growth mindset to overcome challenges through learning from mistakes and setting learning goals rather than performance goals. It advocates failing productively by remaining hopeful and keeping efforts focused on improvement.

More from Codecamp Romania (20)

Cezar chitac the edge of experience

Cloud powered search

Ccp

Business analysis techniques exercise your 6-pack

Bpm company code camp - configuration or coding with pega

Andrei prisacaru takingtheunitteststothedatabase

Agility and life

2015 dan ardelean develop for windows 10

The bigrewrite

The case for continuous delivery

Stefan stolniceanu spritekit, 2 d or not 2d

Sizing epics tales from an agile kingdom

Scale net apps in aws

Raluca butnaru corina cilibiu the unknown universe of a product and the cer...

Parallel & async processing using tpl dataflow

Material design screen transitions in android

Kickstart your own freelancing career

Ionut grecu the soft stuff is the hard stuff. the agile soft skills toolkit

Ecma6 in the wild

Diana antohi me against myself or how to fail and move forward

Recently uploaded

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

Apps Break Data

Ivo Velitchkov

How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

What is an RPA CoE? Session 1 – CoE Vision

DianaGray10

Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe

Precisely

Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market. Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency

ScyllaDB

Artificial Intelligence and Electronic Warfare

Papadakis K.-Cyber-Information Warfare Analyst & Cyber Defense/Security Consultant-Hellenic MoD

Dandelion Hashtable: beyond billion requests per second on a commodity server

Antonios Katsarakis

This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).

Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians

Neo4j

Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...

Pitangent Analytics & Technology Solutions Pvt. Ltd

"Choosing proper type of scaling", Olena Syrota

Fwdays

[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...

Jason Yip

The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.

Generating privacy-protected synthetic data using Secludy and Milvus

Zilliz

During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.

GNSS spoofing via SDR (Criptored Talks 2024)

Javier Junquera

In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security. This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing. The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Alex Pruden

Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security. Paper Link: https://eprint.iacr.org/2024/257

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph

Neo4j

Fueling AI with Great Data with Airbyte Webinar

Zilliz

Main news related to the CCS TSI 2023 (2023/1695)

Jakub Marek

An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers. The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 . The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .

Essentials of Automations: Exploring Attributes & Automation Parameters

Safe Software

Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they? Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality. You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.

Mutation Testing for Task-Oriented Chatbots

Pablo Gómez Abajo

Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots. To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.

Recently uploaded (20)

Choosing The Best AWS Service For Your Website + API.pptx

Apps Break Data

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

What is an RPA CoE? Session 1 – CoE Vision

Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency

Artificial Intelligence and Electronic Warfare

Dandelion Hashtable: beyond billion requests per second on a commodity server

Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians

Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...

"Choosing proper type of scaling", Olena Syrota

[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...

Generating privacy-protected synthetic data using Secludy and Milvus

GNSS spoofing via SDR (Criptored Talks 2024)

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph

Fueling AI with Great Data with Airbyte Webinar

Main news related to the CCS TSI 2023 (2023/1695)

Essentials of Automations: Exploring Attributes & Automation Parameters

Mutation Testing for Task-Oriented Chatbots

Iasi code camp 20 april 2013 windows authentication-spring security -kerberos

1. A bridge between two worlds: Spring Security & Kerberos Claudiu Stancu

3. •Me & the other me •Security concepts •Kerberos •All together •Code time Agenda 3

4. IN YOUR ZONE About me… 4 Development Discipline Lead at Endava

5. IN YOUR ZONE The other me… 5

6. IN YOUR ZONE Security concepts – Data types 6 PUBLIC PRIVATE CONFIDENTIAL SECRET

7. IN YOUR ZONE Authentication 7 “The process of verifying that the users of our application are who they say they are”

8. IN YOUR ZONE Authentication 8 Credentials Based

9. IN YOUR ZONE Authentication 9 Biometrics Authentication

10. IN YOUR ZONE Authentication 10 Two factor authentication

11. IN YOUR ZONE Authentication 11 • Browser certificates • Single Sing On • Hardware authentication

12. IN YOUR ZONE Authorization 12 Assign authenticated Principals to one or more Roles Assign the Principal’s Role(s) to secured resources

13. IN YOUR ZONE Spring Security 13 Servlet Filters Delegation

14. IN YOUR ZONE Spring Security – Filters 14 o.s.s.web.context.SecurityContextPersistenceFilter o.s.s.web.authentication.logout.LogoutFilter o.s.s.web.authentication.UsernamePasswordAuthentication o.s.s.web.session.SessionManagementFilter Secured Resource Request Response

15. IN YOUR ZONE Spring Security – Fundamentals 15 Security Interceptor Authentication Manager Access Decision Manager Run-As Manager After-Invocation Manager

16. IN YOUR ZONE Spring Security – Authentication Manager 16 Authentication Manager Provider Manager LDAP Authentication Provider CAS Authentication Provider Kerberos Authentication Provider DAO Authentication Provider Remember Me Authentication Provider

17. IN YOUR ZONE Spring Security – Access Decision Manager 17 Affirmative Based Abstract Decision Voter Access Decision Manager Abstract Access Decision Manager Consensus Based Unanimous Based Role Voter Access Decision Manager Grant / Deny access? Affirmative based At least one voter grant access Consensus based Majority grant access Unanimous based If all voters grant access

18. IN YOUR ZONE Kerberos 18

19. IN YOUR ZONE Kerberos 19 {cstancu, 192.168.1.2} SessionKey1 TGT TGT SessionKey1

20. IN YOUR ZONE Kerberos 20 {SessionKey1} Authenticator TGT {SessionKey2} Authenticator Mail Ticket {SessionKey2} ok TGT SessionKey1 Mail Ticket {SessionKey1} SessionKey2 Mail Ticket SessionKey2

21. IN YOUR ZONE All together 21 (1)HTTP GET resource.html

22. IN YOUR ZONE All together 22 (3) Kerberos TGS_REQ

23. IN YOUR ZONE All together 23 (5)HTTPGETAuthorization Negotiate w/SPNEGO Token (6) HTTP 200 – OK resource.html

24. IN YOUR ZONE Code time… 24

25. IN YOUR ZONE 25

26. IN YOUR ZONE 26 Claudiu Stancu | Development Discipline Lead

Editor's Notes

The default AccessDecisionManager implementation provides an access granting mechanism based on AccessDecisionVoter and vote aggregation.
Guardian for the underworld: no one can escape or pass the Styx river1st head: Key Distribution Center (KDC) Makes sure you are who you say you are and you provide the right credentialsVouches for the user’s identityRuns on TCP / UDP port 882nd head: Authentication Service (AS)Actually does the authentication thru the network3rd head: Ticket Granting ServiceHelps with tickets
Or:1st head: Kerberos Client2nd head: Kerberized Service3rd head: KDC
Authenticator = {username, network_address, timestamp, lifespan}_sessionKeyService Ticket = {session_key, username, network_address, service_name, lifespan, timestamp}TGT = {sessionKey, }Authenticator can not be used twice: each service has an internal cache for checking

Iasi code camp 20 april 2013 windows authentication-spring security -kerberos

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (8)

Similar to Iasi code camp 20 april 2013 windows authentication-spring security -kerberos

Similar to Iasi code camp 20 april 2013 windows authentication-spring security -kerberos (20)

More from Codecamp Romania

More from Codecamp Romania (20)

Recently uploaded

Recently uploaded (20)

Iasi code camp 20 april 2013 windows authentication-spring security -kerberos

Editor's Notes