I am trying to securely generate random numbers. It must support NIST standards, that is NIST SP 800-90A, SP 800-90B, SP 800-90C. I’ve read that Java 9 has an implementation of SecureRandom supporting such standards. My question is: is there an implementation supporting these standards in Java 8 (I am using Android)? Ideally I would like it to be built-in
Tag: security
Checkmarx – How to validate and sanitize HttpServletRequest .getInputStream to pass checkmarx scan
Following are checkmarx issue details Unrestricted File Upload Source Object : req (Line No – 39) target Object : getInputStream (Line No -41) request objects get highlighted in checkmarx tool – How do I properly validate, filter, escape, and/or encode user-controllable input to pass a Checkmarx scan? Answer This worked for me – checkmarx pass this high vulnerability I used
How to prevent reflection access only to certain classes
I am developing some licensing code, so I would like to avoid access to one or two classes through reflection. I have tried implement a SecurityManager but with no success. I found that another option would be to define my own policy file but that requires me to set it on JVM launch, and that defeats my purpose, I would
Handle Security exceptions in Spring Boot Resource Server
How can I get my custom ResponseEntityExceptionHandler or OAuth2ExceptionRenderer to handle Exceptions raised by Spring security on a pure resource server? We implemented a so whenever there is an error on the resource server we want it to answer with The resource server uses the application.properties setting: to authenticate and authorize a request against our auth server. However any spring
How to apply Spring Security filter only on secured endpoints?
I have the following Spring Security configuration: The authenticationTokenFilterBean() is applied even on endpoints that do not match /api/** expression. I also tried adding the following configuration code: but this still did not solve my problem. How can I tell Spring Security to apply filters only on endpoints that match the secured URI expression? Answer I have an application with
Security risks when evaluating user input as JavaScript in Java
I want to give the user the possibility of writing symbolic maths formulas which are later evaluated with certain values. The user might – for example – want to enter some formula a * (b + 1) where a and b may be different upon each evaluation. My approach so far was using the built in JavaScript engine in Java
Generate a Secure Random Password in Java with Minimum Special Character Requirements
How do I create a random password that meets the system’s length and character set requirements in Java? I have to create a random password that is 10-14 characters long and has at least one uppercase, one lowercase, and one special character. Unfortunately, some special characters are too special and cannot be used, so I cannot use just printed ASCII.
Signed java applet no longer works in any browser if I set the clock ahead on my computer
I have a Java Applet (for a browser) signed and timestamped with a valid Code Signing Certificate from GoDaddy. The code signing certificate itself expires in a few weeks. Everything I’ve read says that the applet will still be valid after the Code Signing Certificate expires: From here: If a timestamp is discovered, then the code signature is valid until
SSL Java java.io.IOException: Invalid keystore format
I am testing SSL in java with SSLServerSocket and other classes in the java.ssl package. When I run the following code, I get the exception java.io.IOException: Invalid keystore format. My code: File key.txt: 1268312345812304612348712634283427346 I am guessing I should put something else in the key.txt file, but I do not know what to put in it. Probably a searilized object.
How to secure an SFTP password in an APK file
I’m developing an Android app which has a service to upload images/files to a FTP server. To make that possible, the app on the device has to log in into the FTP server before sending data. And here comes my problem. The user does not need to / have to know about the FTP login data. Only the app itself.