Docjar: A Java Source and Document Engine

com.jcorporate.expresso.core.security.filters.* (14)
com.jcorporate.expresso.core.security.strongencryption.* (2)
com.jcorporate.expresso.core.security.tests.* (2)
com.jcorporate.expresso.core.security.weakencryption.* (2)

com.jcorporate.expresso.core.security: Javadoc index of package com.jcorporate.expresso.core.security.


Package Samples:

com.jcorporate.expresso.core.security.filters: This package contains Expresso's security system, switchable from "weak" security (e.g.  
com.jcorporate.expresso.core.security.weakencryption: This package contains Expresso's security system, switchable from "weak" security (e.g.  
com.jcorporate.expresso.core.security.tests
com.jcorporate.expresso.core.security.strongencryption

Classes:

FilterManager: The primary purpose of this class is to filter out particular characters from an HTTP response. The reason for this is that codes can be inserted into a string that gets returned to a web browser, and these codes can cause the web browser to act on them in a way that is not as the site author intended, and may be a breach of security. For more on these see: Understanding Malicious Content Mitigation for Web Developers. The FilterManager implements filtering based upon a particular characterset. It maintains a list of all filters that have been used since the initialization of the class. When a particular ...
Filter: This is the base class for all filters. The purpose of the filter mechanism is to remove possibly harmful HTML code that could be injected into dynamic HTML code by a hacker. The resulting code may steal users' passwords from clients and do other bad things to their machines. Expresso implements transparent filtering by automatically filtering all string content from databases and input parameters. How to Create your own character-set filter 1 - Derive a class from Filter. The name of the class should be the name of the characterset you're using. If the characterset's name includes hyphens, substitute ...
DelayThread: Simple class called to suspend thread execution for x many seconds before offering a retry to login. Helps to slow down brute force attacks. [a 40,000 word dictionary attack prolonged by 3 seconds apiece adds potentially 33 hours to the attack time. Yes this can be partially bypassed through simultaneous requests, but it still adds significant response time] Why this class instead of just sleep(3000) or whatever? The answer is that this thread is often called from multi-thread handling servers with only one instance. You can't just call sleep() without becoming the Monitor "Owner", but synchronized(this) ...
StringEncryption: StringEncryption.java Copyright 2000, 2001 Jcorporate Ltd. This class provides basic string encryption. It'll provide the services of password whitening and automatic selection of encryption. Known Vulnerabilities. The actual whitened password remains in memory for performance sake. An attacker may find the actual password by looking at swap files looking for Base64 encoded strings. (Not too hard to grep out) but it requires an attacker to gain access to the swap partition of the server. Do not use this class for a personal encryption program. Byte Array Format Information: An encrypted string ...
StringEncryption: This class provides basic string encryption. It'll provide the services of password whitening and automatic selection of encryption. Known Vulnerabilities. The actual whitened password remains in memory for performance sake. An attacker may find the actual password by looking at swap files looking for Base64 encoded strings. (Not too hard to grep out) but it requires an attacker to gain access to the swap partition of the server. Do not use this class for a personal encryption program.
User: This class provides a front-end for maintaining Expresso Users. This class provides an abstraction of the minimum information required for a valid User in Expresso. This class is an "Adaptor" that "adapts" the actual class that implements the User object. "Adaptee" user classes must implement the UserInfo interface. In addition, classes that implement the UserListener interface can listen in on when user objects are added, modified or deleted.
FilterTreeNode: This class provides a "filter parse tree" interface to the system. It is a dual action object: it's a union of a node and a leaf, thus allowing us to play with TreeMap/HashMap quickly. Please Note: This class is unsynchronized for performance reasons, please be careful when using in a multi-threaded environment outside of the Filter class.
ISO_8859_1_eForum: This is a bit of an oddity filter. It substitutes :) and :( and embeds predefined image links in their place. Please only use standard filter on this or you'll get smileys stripped out altogether. Also, you want to make sure that filters only happen after a normal characterset filtering. This ONLY does the smiley faces. :-)
MapBasedUserInfo: A User Info implementation that is Map based instead of database object based. Although this isn't usually used in Expresso, there are a few cases where we need a SuperUser, for example when database access doesn't exist. It is not considered something to use on a broad basis, more as a workaround for some special startup conditions.
FilterTree: A filter tree is a data structure that allows for quick matching and replacement of strings. Use it for a fast 'search and replace' system. Construction and setup is a fairly expensive operation in comparison to the actual searching, so use it for static types of filters that are usually instantiated for a long time.
SuperUser: This is a user that represents a SuperUser. A SuperUser User has an is == SecuredDBObject.SYSTEM_ACCOUNT, but is encapsulated in the Expresso User object. It is mainly used while systems are setting up so that no arg dbobjects can be constructed before the registry can be truly set.
AllowedHtmlPlusURLFilter: This class provides a filter implementation for HTML output, protecting against XSS exploits, but allows a small subset of HTML through, for simple formatting. It also creates anchor (<a>) tags for anything that starts with 'http://', 'www.', etc.
ISO_8859_1: This class provides a filter implementation of the Filter class for the ISO-8859-1 character set (also known as the Roman Character set) in other words the characters used in the Western European Languages.
HtmlPlusURLFilter: This class provides a filter implementation for HTML output, protecting against XSS exploits, plus it creates anchor (<a>) tags for anything that starts with 'http://', 'www.', etc.
RandomNumber: Cryptographically Strong Version of the random number generator. Due to the seeding process, the constructor for this class will take a significant amount of time to initialize.
UserInfo: UserInfo defines the interface to an object that provides information about a user. This object may get its information from LDAP, Database, or any other source.
CryptoManager: CryptoManager.java Singleton Class that acts as a facade for managing if strong or weak crypto is desired. Copyright 2000-2002 Jcorporate Ltd.
RandomNumber: Weak version of the Random Number Generator. This version only uses the standard PRNG and nothing even close to cryptographic strength.
HtmlFilter: This class provides a filter implementation of the Filter class for stripping out HTML tags in order to protect against XSS exploits
StringHash: Base class for hashing. Takes a string or byte array and returns a byte array that's the hash of the encryption.
UserGroupTest: A test case to verify the UserGroup functionality and group nesting. Also a good test of valid value updates.
RawFilter: This class provides a filter implementation of the Filter class for returning raw, unfiltered values
gb2312: This class provides a filter implementation of the Filter class for the Chinese gb2312
XmlFilter: This class provides a filter implementation of the Filter class for XML
AbstractStringEncryption: This class represents a StringEncryption Interface
