Shields Up! Disable your browser’s Java plugin until Oracle releases security patches

It pains me as a Java developer to recommend that anyone disable Java support in their browser, but given the recently discovered Java vulnerability that a Java applet running in a browser can exploit to do ‘bad things’ to your machine, it’s worth disabling your Java plugins until this gets patched.

According to some sources, Oracle has known about these vulnerabilities since April, but still has not patched them. Since sites have started showing up that host applets exploiting this vulnerability, it’s worth playing it safe, battening down the hatches, and disabling Java support in your browsers.

Oracle releases security patches for Java every 4 months; the next one is due in October. Until this gets patched, it’s best to play it safe.

To disable the Java plugin on Chrome on Mac OS X:

  • Go to Chrome / Preferences, click on Show Advanced Settings
  • In the Privacy section, click the Content Settings button
  • Scroll down to Plugins, click ‘Disable individual plugins’
  • Scroll down to find the Java plugin, click disable

To disable the Java plugin in Safari on Mac OS X:

  • Go to Safari / Preferences, click the Security icon
  • In the web content section, uncheck ‘Enable Java’

To disable the Java plugin in Firefox on Mac OS X:

  • Go to Firefox / Preferences, click the General icon
  • Click the Manage Add-ons button
  • In the Addons Manager window, click Plugins on the left
  • Scroll down to find Java Applet plugin, click the Disable button

Enabling Spring Security Expression-based Access Control for methods in a Spring Roo app

Expression-based Access Control allows you to annotate specific methods with access rules. To enable it, add the following element to the webmvc-config.xml file of your Roo webapp (not the security context file; it must be in the context file for the web app):

<security:global-method-security pre-post-annotations="enabled"/>

The explanation for why this needs to be in your webapp context is covered here: method security works by wrapping beans in proxies, and it only proxies beans defined in the same application context, so a global-method-security element in the root security context never sees the controllers that Roo registers in the web MVC context.

Configuring Spring Security for finer grained url pattern matching with a Spring Roo app

By default, after you’ve added Spring Security to your Roo app with ‘security setup’, you get an example config in an applicationContext-security.xml file like this:

    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/resources/j_spring_security_logout"/>

        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/**" access="permitAll" />
    </http>

The default pattern matching approach is Ant style path matching. If you need to be more specific about which URLs you define security for, you can switch to regex style pattern matching by adding this attribute to the <http> element:

<http ... path-type="regex" ... >

Now, let’s say you need different roles for creating versus listing member records. Spring Roo uses a couple of GET parameters to distinguish between these actions, so using regex you can match on these like this:

        <!-- With path-type="regex" the pattern is matched as a whole against the request path plus query string,
             and '?' is a regex metacharacter, so escape it to match the literal question mark -->
        <intercept-url pattern="/member\?form" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/member\?page.*" access="hasRole('ROLE_USER')" />
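To see why escaping the ‘?’ matters, here is an added example (not code from the post) that models Spring Security’s regex request matcher in Python: it compares each pattern against the servlet path plus ‘?’ and the query string using whole-string matching, as Pattern.matches() does. The decide() function, the rule lists and the catch-all /member(/.*)? rule are assumptions made for illustration.

```python
import re

# Added example, not from the post. Models Spring Security's regex matcher:
# each intercept-url pattern is compared against servlet path + path info and,
# when present, "?" + query string, and the whole string must match (Java's
# Pattern.matches()). re.fullmatch has the same semantics for these patterns.

# The two rules with the '?' left unescaped (so it means "optional 'r'").
RULES_UNESCAPED = [
    (r"/member?form", "hasRole('ROLE_ADMIN')"),
    (r"/member?page.*", "hasRole('ROLE_USER')"),
]

# The same rules with '?' escaped to match a literal question mark, plus a
# hypothetical catch-all for the list and show URLs Roo also generates.
RULES_ESCAPED = [
    (r"/member\?form", "hasRole('ROLE_ADMIN')"),
    (r"/member\?page.*", "hasRole('ROLE_USER')"),
    (r"/member(/.*)?", "isAuthenticated()"),
]

FALLBACK = "permitAll"  # the trailing /** rule in the Roo-generated config


def request_string(path, query=None):
    """Build the string the matcher sees: the path, then '?' + query if any."""
    return path if query is None else f"{path}?{query}"


def decide(rules, path, query=None):
    """Return the access expression of the first rule that fully matches.

    intercept-url rules are evaluated top to bottom and the first match wins,
    so a request that slips past the specific rules lands on the permissive
    /** fallback.
    """
    url = request_string(path, query)
    for pattern, access in rules:
        if re.fullmatch(pattern, url):
            return access
    return FALLBACK


if __name__ == "__main__":
    # Constructed requests: Roo's create form, its paged list, and a lookalike path.
    probes = (("/member", "form"), ("/member", "page=1&size=10"), ("/memberform", None))
    for rules, label in ((RULES_UNESCAPED, "unescaped"), (RULES_ESCAPED, "escaped")):
        for path, query in probes:
            print(f"{label:9} {request_string(path, query):24} -> {decide(rules, path, query)}")
```

With the unescaped pattern, the real create-form request matches nothing specific and falls through to permitAll, so the admin-only rule silently protects nothing. Roo also submits the create form as a POST to /member, which these GET-parameter rules do not cover, so pair them with the method-level @PreAuthorize rules from the section above.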

Carrier IQ scandal blown out of proportion?

I’ve seen the news stories on TV and I’ve read a bunch of articles on many websites (like this one here on cnet).

As an Android user I hope the Carrier IQ software isn’t actually doing more than what they claim, but based on what the claimed purposes of the software are, it seems the coverage on the news has blown way out of proportion.

If my wireless carrier chooses to use some software preinstalled on my phone that helps them diagnose network and phone issues to improve the service that I in turn receive as a customer, then that’s a good thing and I’m perfectly ok with that.

I can see that it would be easy to jump to the conclusion that this software is tracking you and everything that you do with your phone, but the explanation from Carrier IQ themselves on what the software does doesn’t sound like this is true. Of course I hope what they’re saying is true, but in the meantime I think people need to calm down and stop throwing fearmongering stories out there and spreading FUD.

Isn’t it strange that the guy who released this information has not yet come forward to agree to an interview with anyone? For all we know he was paid rather nicely to put this information out there as disinformation and an attempt to derail the rapidly increasing success of Android and Android based devices. What makes this one guy more believable and trustworthy than the companies that he is accusing of illegal wiretapping? That’s quite a serious allegation. Especially if he overinflated his story.