Toerktumlare
JCHJava Community | Help. Code. Learn.
•Created by Guard on 10/5/2024 in #java-help
Urgent help in a simple cybersecurity project
very hard to help since your question includes basically nothing
6 replies
•Created by Lana Rhodes™ on 9/30/2024 in #java-help
Simple Infinite loop help
It's because in each iteration you are setting i = Cfront
i = 3
3 is not equal to 2 (front)
Inc i by 1, now i is 4
4 is not equal to 2
And around we go…
If i then hits MAX_SIZE
you set i to 0
But then in the for loop you start by setting i = Cfront, writing over your zero.
5 replies
•Created by jellybeanjester1 on 9/25/2024 in #java-help
need someone to look over my code
why are you posting a javascript script in a JAVA discord?
6 replies
•Created by bambyzas on 9/27/2024 in #java-help
WebSecurityConfig in java spring app doesnt work
WebSecurityConfigurerAdapter is deprecated, so you should not be using it. It was deprecated and then removed in Spring Security 6. All of this is Spring Security 5; you should upgrade to Spring Security 6. Also, you can remove the entire configure(AuthenticationManagerBuilder auth) function; it is not needed. I don't really understand what your question is. .and().formLogin().loginPage("/login").permitAll() here you have configured that there should be a login page. So what is your actual problem?
6 replies
•Created by PleaseBugMeNot | Engineer on 9/23/2024 in #java-help
How to secure apis using JWT in Spring Boot?
Well, I'm not really here to discuss facts that the security community has already agreed upon.
If you personally choose to build unsafe applications, that is your choice. But please do not teach those practices to others.
I provide assistance and help to people that ask, and I'm answering this person's question.
Have a nice day.
15 replies
•Created by PleaseBugMeNot | Engineer on 9/23/2024 in #java-help
How to secure apis using JWT in Spring Boot?
I listed the steps so you can learn security incrementally.
And also to be able to identify what is bad security. It's worse if you implement bad security thinking it's "good security".
I prefer people learning correctly from the start, rather than blindly just googling something.
See this as a learning experience, and follow the steps I wrote above.
15 replies
•Created by PleaseBugMeNot | Engineer on 9/23/2024 in #java-help
How to secure apis using JWT in Spring Boot?
If you honestly want to build security, and learn it the correct way, I would suggest the following.
- Read the Spring Security docs
- Implement BASIC authentication
- Then try implementing FormLogin
- Try out Spring Security OAuth2Login and implement login against GitHub or Google
- Set up your own auth server, like Spring Authorization Server, or Keycloak
- Implement Authorization Code Flow with PKCE using the BFF pattern (Backend for Frontend) using the OAuth2 tools in Spring
- Implement a resource server that accepts JWTs.
And for the love of god, don't use the GitHub project that was posted previously, as that app is incredibly insecure.
15 replies
•Created by PleaseBugMeNot | Engineer on 9/23/2024 in #java-help
How to secure apis using JWT in Spring Boot?
The project posted above is such a project; it's implementing some home-made JWTFilter that he has taken from some tutorial on the internet. That filter he has written is not anywhere to be found in Spring Security. In fact, Spring Security themselves explicitly speak against it.
What he has implemented is called a password grant type, which basically means you send username and password to the server and the server responds with a token. This is bad for several reasons.
- if I steal the password I can just send it and get as many tokens as I like
- if I do phishing on the user, so I lure the user to enter their username and password and I pass it to the server, I will get the token
- there is no way to invalidate created tokens unless you invalidate all tokens handed out to all users
- you can easily DDoS the application by just flooding it with bogus tokens
- the user themselves can't log out their account or all devices
- if the user wants to, for instance, change their password, tokens will not be invalidated, so if a token is stolen, when you change the password nothing will happen; they are still logged in.
- no way of storing tokens properly in the browser; local storage can be read by any open tab in your browser.
That is why OAuth2 themselves strictly prohibit this type of authentication and it is to be removed in the next OAuth2 specification update https://oauth.net/2/grant-types/password/
15 replies
•Created by PleaseBugMeNot | Engineer on 9/23/2024 in #java-help
How to secure apis using JWT in Spring Boot?
"and I have to make authentication and authorization part using Spring Security and JWT."
This is a very general description. I'm going to first explain to you the bad way of doing things. This is the way most people that have never written security do it. They google "spring boot and jwt", find some tutorial that builds a custom JWTFilter and then copy the code in the tutorial. This is not the way to write security, and when someone does this you can immediately tell that they have no idea how security works.
Now I'm going to explain to you why this is bad.
Spring Security is a security framework. It contains pre-implemented authentication and authorization mechanisms that are based on RFCs, basically standards. Some of the standards that Spring Security implements are:
- BASIC
- FORM Login
- SAML
- Certificate x509
- OAuth2
Do you see that I'm not mentioning JWT? Well, that's because JWT is not an authentication standard. A JWT is a token format. It's just something that you can present to a server, like the driver's license in your pocket.
15 replies
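As an added example (not code from the thread or from the project being criticised), this is what the last step in the list above, a resource server that accepts JWTs, looks like when you let Spring Security 6 do the validation instead of a hand-written JWTFilter; it also uses the SecurityFilterChain bean that replaced the removed WebSecurityConfigurerAdapter. It assumes Spring Boot 3 with spring-boot-starter-oauth2-resource-server on the classpath and the property spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at your authorization server (Keycloak or Spring Authorization Server); the package and class names are placeholders.

```java
package com.example.api; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Spring Security 6 style: a SecurityFilterChain bean instead of
    // extending WebSecurityConfigurerAdapter (removed in 6).
    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // A bearer-token API keeps no HTTP session; every request
            // must carry its own access token.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Only the health endpoint is open; everything else requires
            // a valid token.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated())
            // Spring Security's own JWT support: it fetches the issuer's
            // signing keys from issuer-uri, verifies the signature, the
            // expiry and the issuer claim. No custom filter, no hand-rolled
            // token parsing, and tokens are issued by the auth server
            // (authorization code flow), not by this app from a password.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

The matching application.properties needs only spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth.example.com/realms/demo (placeholder URL); the signing keys are discovered from there.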
•Created by bambyzas on 9/23/2024 in #java-help
how to enable basic auth in java spring app?
what is your actual problem, just saying "can someone help" is not a real question
8 replies
•Created by 40г белка on 9/20/2024 in #java-help
Need help w init kafka consumer (have an error w listenner)
I hope that's enough for you to get it working
9 replies
•Created by 40г белка on 9/20/2024 in #java-help
Need help w init kafka consumer (have an error w listenner)
Kafka per default sends Strings; it can't handle anything else. So if you say you are sending an Object, it will per default send a string. If you on the other hand define KafkaTemplate<String, CommentEvent>, Kafka will still send it as a string but also include type information in one of its headers so the consumers know what to deserialize the string into. Also, if you define the correct type, the consumer will prolly still not work, as you have to define JsonDeserializer.TRUSTED_PACKAGES in the consumer configuration options, which is a security feature.
That is there to prevent an unknown producer from producing a malicious string, and then providing malicious type information to tell the consumer to consume the string and deserialize it into some class that will perform code execution on this random malicious string.
If you know that you will not have any unknown producers, then you can disable this security feature by setting props.put(JsonDeserializer.TRUSTED_PACKAGES, "*"); in your consumer config. This says that we trust every event that comes. In an enterprise environment, you have a shared library that contains the Event class that both the producer and consumer include, so they have the exact same object on both sides, and then you define its package as trusted.
9 replies
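As an added example (not code from the thread), a Spring Kafka consumer factory that applies the shared-library approach described above: the weak "*" setting is shown commented out for contrast, and the hardened version trusts only the package of the shared event class. It assumes Spring Boot 3 with spring-kafka and a hypothetical shared library exposing com.example.events.CommentEvent, which both producer and consumer depend on.

```java
package com.example.consumer; // hypothetical package name

import java.util.HashMap;
import java.util.Map;

import com.example.events.CommentEvent; // from the shared event library (hypothetical)
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.common.serialization.StringDeserializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.kafka.core.ConsumerFactory;
import org.springframework.kafka.core.DefaultKafkaConsumerFactory;
import org.springframework.kafka.support.serializer.ErrorHandlingDeserializer;
import org.springframework.kafka.support.serializer.JsonDeserializer;

@Configuration
public class CommentConsumerConfig {

    @Bean
    ConsumerFactory<String, CommentEvent> commentConsumerFactory() {
        Map<String, Object> props = new HashMap<>();
        props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9092");
        props.put(ConsumerConfig.GROUP_ID_CONFIG, "comment-consumers");
        props.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
        // ErrorHandlingDeserializer wraps the JSON deserializer so a rejected
        // record is handed to the error handler instead of killing the listener.
        props.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, ErrorHandlingDeserializer.class);
        props.put(ErrorHandlingDeserializer.VALUE_DESERIALIZER_CLASS, JsonDeserializer.class);

        // Weak setting from the thread, kept only for contrast: any class on the
        // classpath may be named in the producer's type header.
        // props.put(JsonDeserializer.TRUSTED_PACKAGES, "*");

        // Hardened: only the shared event package is accepted from the type
        // header; a record naming any other class fails deserialization.
        props.put(JsonDeserializer.TRUSTED_PACKAGES, "com.example.events");
        // Pin the target type and ignore producer type headers entirely, so the
        // consumer never lets the message decide which class gets instantiated.
        props.put(JsonDeserializer.VALUE_DEFAULT_TYPE, CommentEvent.class.getName());
        props.put(JsonDeserializer.USE_TYPE_INFO_HEADERS, false);
        return new DefaultKafkaConsumerFactory<>(props);
    }
}
```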
•Created by 40г белка on 9/20/2024 in #java-help
Need help w init kafka consumer (have an error w listenner)
KafkaTemplate<String, Object>
9 replies
•Created by 40г белка on 9/20/2024 in #java-help
Need help w init kafka consumer (have an error w listenner)
why have you defined Object in the KafkaTemplate
9 replies