encrypt data in database

Tue, 6 May 2008 19:10:51 MDT

Good evening,
I'm developping an application to encrypt data with tripleDES before getting inserted in oracle database.
Another application must consult the database, decrypt the data then show it in a jtable.
I'm a biginner in the security field, i found a source implementing triple DES encryption.
1-some byte from the encrypted data like the cote(') make some problem when executing the query, i'd like to change the type of the encryption bytes, i heard about UTF8 but i don't know how to use it.
2-when I decrypt the data from the resultset and put it in the jtable the first culumn is empty and I receive this error:
"javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with...

LDAP - Authentication

Fri, 2 May 2008 14:46:29 MDT

I am using Sun One directory server 5.2. I needed to extend the default schema to suit my application's needs.
I would be creating a new structural object class(say ExampleUser) containing user id and password. As i understand, Sun One has a password policy.I was wondering if the password policy is meant for user id's that connect to the LDAP server or can it be applied to my object class ExampleUser which contains user id an password.

From what i read, i guess the password policy is only meant for the user id's that connect to the LDAP server. But i am not sure though. Can someone please throw some light? Thanks.

Why i need the file auth.conf?

Wed, 30 Apr 2008 11:56:22 MDT

I write login module for jboss and i need it for the client

keyGenerator.init(int strength)

Mon, 28 Apr 2008 18:06:17 MDT

In the places I have been reading, crypto strengths are given in bits. We usually work in bytes. In general, all caveats apply, does

code:

javax.crypto.KeyGenerator.init(int strength)

expect number of bits?

It would seem so.

KeyGenerator Part II

Thu, 24 Apr 2008 16:04:04 MDT

All,

Okay, I decided to create a new post (rather than continuing the previous post, located here (http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=65&t=001600)).

Sometimes when new questions are introduced, I think people dislike having to read the same long posts with all the same comments.

I figured out how to pass into my KeyGenerator, multiple input seeds! The java.util.UUID class only takes in byte[] so I decided to convert the sequence id and timestamp input seeds into strings and then in in turn convert the strings into a byte[]. The byte[] is then passed into the java.util.UUID.name.UUID() method and voila the magic happens!

Here it is:

How to implement security measures...

Wed, 23 Apr 2008 08:41:59 MDT

Hello friends.......
I am new in this field so please help me out..How can i implement SSL/STL in my shopping related website project.

Bouncy Castle vs. Sun's JCE

Sat, 19 Apr 2008 23:22:26 MDT

What's the difference between Bouncy Castle vs. Sun's JCE?

What are their advantages vs. disadvantages?

Thanks,

James

KeyGenerator using JCE

Sat, 19 Apr 2008 20:28:25 MDT

All,

I built this simple KeyGenerator using the java.util.Random and the java.util.UUID classes.

Am a newbie to security in general and need to use JCE to build something similar.

code:


import java.util.Random;
import java.util.UUID;
 
public class KeyGenerator {
private static final long SEED = 42;
private static final Random rand = new Random(SEED);
 
public static UUID seededUUID(Random rand) {
if (rand == null) {
throw new IllegalArgumentException();
}
 
int size = rand.nextInt(128);
byte[] seed = new byte[size];
rand.nextBytes(seed);
 
return UUID.nameUUIDFromBytes(seed);
}
 
publi...

How to implement it with Acegi?

Sat, 19 Apr 2008 10:12:24 MDT

Our application has the next architecture:
We have a big amount of users and services.
Each user may has the next authorities for each service:
view, edit, delete ... (custom).

The task is to do it with Acegi (Spring Security) and with a big amount of users not to have application failure - because if for each logged in user application will store all authorities for all services and will store it in memory - it is not good idea.

I have read the Acegi Reference to understand how to implement when the concrete user accesses the concrete service to check in database granted authorities (view, edit, delete ....).

After investigation Chapter 21. Secure Object Implementations

Question about role-based security for web application.

Thu, 17 Apr 2008 03:33:26 MDT
If I configure the web application security with
<session-config>
<session-timeout>120</session-timeout>
</session-config>

<security-constraint>
<web-resource-collection>
<web-resource-name>Page</web-resource-name>
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/servlet/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>

Question about role-based security for web application.

Wed, 16 Apr 2008 23:45:03 MDT
If I configure the web application security with
<session-config>
<session-timeout>120</session-timeout>
</session-config>

<security-constraint>
<web-resource-collection>
<web-resource-name>Page</web-resource-name>
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/servlet/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>

Best 3rd Party Libraries for Secure Key Generation?

Wed, 16 Apr 2008 18:49:03 MDT
What are the leading (preferably open source or very inexpensive) libraries for serial number / key generation?

What I am looking for should have:

1. Something that is secure, unique, and generates alphanumeric keys.

2. Is something very fast and efficient.

3. Has the capability to handle multiple input seeds.

Thanks!

Best 3rd Party Libraries for Secure Key Generation?

Tue, 15 Apr 2008 22:57:00 MDT
What are the leading (preferably open source or very inexpensive) libraries for serial number / key generation?

What I am looking for should have:

1. Something that is secure, unique, and generates alphanumeric keys.

2. Is something very fast and efficient.

3. Has the capability to handle multiple input seeds.

Thanks!

Best 3rd Party Libraries for Secure Key Generation?

Tue, 15 Apr 2008 18:12:59 MDT
What are the leading (preferably open source or very inexpensive) libraries for serial number / key generation?

What I am looking for should have:

1. Something that is secure, unique, and generates alphanumeric keys.

2. Is something very fast and efficient.

3. Has the capability to handle multiple input seeds.

Thanks!

Best 3rd Party Libraries for Secure Key Generation?

Tue, 15 Apr 2008 17:10:59 MDT
What are the leading (preferably open source or very inexpensive) libraries for serial number / key generation?

What I am looking for should have:

1. Something that is secure, unique, and generates alphanumeric keys.

2. Is something very fast and efficient.

3. Has the capability to handle multiple input seeds.

Thanks!

where to start for x.509 pubkey and KeyStore

Tue, 15 Apr 2008 17:04:59 MDT
I just got literally an hour ago RSA keys that are about 900 decimal digits long. I will soon need to figure out how to place private.getEncoded() in a KeyStore and public.getKeyMaterial in an X.509 format for compliance with existing practice.

I intend the above to be psuedo nomenclature, it should be read purposefully loose as I am trying to save a few steps on where to start.

IOW what to study first. Any suggestions welcome, informed or otherwise.

Create SAML token, verify token and get user id from token

Tue, 15 Apr 2008 16:00:59 MDT
I am using Weblogic 9.2 and I want to create a web service that will be able to do the following: (1) generate a SAML token with username/password, (2) validate that a SAML token is valid , and (3) get the user's id from a SAML token.

Does anyone have experience with this and have some assistance for me?

More than one authentication per thread

Tue, 15 Apr 2008 10:08:58 MDT
Hello friends,

I have an application connecting to a jboss server and i am using JAAS.
This application has a couple of modules and each of them should have different authentication (usernames) to access different services in the same jboss server.

The problem is that when module A authenticates with server it is ok, then later in the thread lifecycle, module B authenticates with server, that is ok too. But even later when module A calls jboss server for second time, it is using the authentication used by module B.

I don't want to do authentication for every call, so is there a way for me to know if a thread has a successfull authentication? And is it possible to change it? like having a cache of log...

More than one authentication per thread

Tue, 15 Apr 2008 03:21:20 MDT
Hello friends,

I have an application connecting to a jboss server and i am using JAAS.
This application has a couple of modules and each of them should have different authentication (usernames) to access different services in the same jboss server.

The problem is that when module A authenticates with server it is ok, then later in the thread lifecycle, module B authenticates with server, that is ok too. But even later when module A calls jboss server for second time, it is using the authentication used by module B.

I don't want to do authentication for every call, so is there a way for me to know if a thread has a successfull authentication? And is it possible to change it? like having a cache of log...

LDAP tutorial and server

Sat, 12 Apr 2008 15:37:12 MDT
Hello Sir,

I just want to use LDAP, can you please suggest me that from where should i start and which LDAP server i should use.

Thanks
Gaurav

Implementing security in Struts 2

Fri, 11 Apr 2008 16:13:09 MDT
Hi,
I am writing a Web Application using Struts 2 and Hibernate. I need to implement security so that only authorised User can access the desired pages. The user names, passwords and their roles are stored in the database.

Any one please guide whether to implement JAAS based security for my web application or any other.

Thanks,
Anmita

login.jsp customized by original target url

Fri, 11 Apr 2008 09:27:08 MDT
I have a web application that uses a form login page to protected web resources using Glassfish v2ur1.

Pretty typical stuff and JAAS authentication works and all that, no complaints.

But... I need to be able to customize my login.jsp to show a different login message depending on what resource the unauthenticated user was attempting to access before the redirect.

I had read about request.getAttribute( "javax.servlet.forward.request_uri" ) which according to the 2.4 Servlet Specication and posts like
this one (http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=65&t=000686) sounds like should tell me the original page that was requested.

Unfortunately, it always returns...

Unable to Create a LoginContext

Thu, 10 Apr 2008 05:49:05 MDT
I am trying to authenticate user by means of username and password using JAAS for which I have used NameCallback and PasswordCallback provided by JAVA.I have setup a configuration file and a policy file and trying to run my client application , yet it is failing to create a LoginContext.
I am trying to implement this (http://java.sun.com/developer/technicalArticles/Security/jaasv2/) code and I did as instructed.Am I missing something here?

New JavaRanch Journal article: Authentication using JAAS

Thu, 10 Apr 2008 03:15:04 MDT
The latest issue of the JavaRanch Journal contains an article by Rahul Bhattacharjee on Authentication using JAAS (http://www.javaranch.com/journal/2008/04/Journal200804.jsp#a5). Go read it while it's fresh, and discuss it in this thread.

generating secure tokens

Tue, 8 Apr 2008 18:11:00 MDT
Hi,

I need to generate tokens that will be used to identify users between two systems. Ideally I'd like the tokens to be strings of a fixed length, containing only ASCII characters. Because the tokens will be used to uniquely identify users, each token generate must be unique (or the possibility of collisions should be very small).

I've had a look in the Java libraries and found the following classes which may be useful:

SecureRandom (http://java.sun.com/j2se/1.4.2/docs/api/java/security/SecureRandom.html)
KeyGeneratory (http://java.sun.com/j2se/1.4.2/docs/api/javax/crypto/KeyGenerator.html)

Can either of these classes be used to generate keys that fit my requirements defined above? If so...

Where did AES go?

Mon, 7 Apr 2008 14:10:56 MDT
I did as much reading and coding as I could absorb. Today in trying to get some useable routines produced I find DES, Triple DES, Blowfish, HMAC-MD5, and HMAC-SHA1 algorithms seem to be the only algorithm that SunJCE supports. Cryptix doesn't seem to have it either even though all the books I could absorb made it definite that AES is the only accepted contemporary practice.

Is it BC wins again? Or am I missing something.

JavaRanch Security

encrypt data in database

LDAP - Authentication

Why i need the file auth.conf?

keyGenerator.init(int strength)

KeyGenerator Part II

How to implement security measures...

Bouncy Castle vs. Sun's JCE

KeyGenerator using JCE

How to implement it with Acegi?

Question about role-based security for web application.

Question about role-based security for web application.

Best 3rd Party Libraries for Secure Key Generation?

Best 3rd Party Libraries for Secure Key Generation?

Best 3rd Party Libraries for Secure Key Generation?

Best 3rd Party Libraries for Secure Key Generation?

where to start for x.509 pubkey and KeyStore

Create SAML token, verify token and get user id from token

More than one authentication per thread

More than one authentication per thread

LDAP tutorial and server

Implementing security in Struts 2

login.jsp customized by original target url

Unable to Create a LoginContext

New JavaRanch Journal article: Authentication using JAAS

generating secure tokens

Where did AES go?