Posts by Les Hazlewood

How LinkedIn Could Have Secured Hacked Passwords

Various sources reported today that LinkedIn suffered a major security breach: allegedly, 6.5 million hashed passwords were leaked by a Russian hacker. But this naturally raises big concerns for web developers: if one of the largest social networks, with all of their engineers, could have a password security breach, how do I keep user passwords secure? Here’s How… …

Spring MVC REST Exception Handling Best Practices (part 2)

In part 1 of this 2-part series, we discussed a best-practice error representation (format) that should be returned to a REST API caller when an error is encountered. In this article (part 2), we’ll show how to produce those representations from a REST API written using Spring MVC. Spring Exception Handling Spring MVC has two …

Spring MVC REST Exception Handling Best Practices (part 1)

If you’re already using Spring to build your application, and you need to serve a REST API, Spring MVC can be a good choice to write your REST endpoints. However, representing errors or problems cleanly in a RESTful way may not be immediately obvious since Spring MVC is so often referenced for building user interfaces. …

What’s New in Apache Shiro 1.2

Apache Shiro 1.2.0 was released on Tuesday, January 24 2012 with a lot of new features and improvements that most of the community will find useful. Thanks to everyone who contributed to this release; it was a significant undertaking and reflects a big step forward for the project. In this article, we’ll break the improvements …

Strong Password Hashing: Part 2

In my first post on Strong Password Hashing, we discussed that the solution for the most common way to secure passwords, even with the possibility of brute force attacks, was to incorporate a computation time component. This technique essentially makes the password hashing process computationally expensive such that an attacker using brute force would have …

The New RBAC: Resource-Based Access Control

This article discusses how security policies are managed using the concept of Roles and how the predominant role-based mechanism for securing applications is largely insufficient. I discuss what I believe is a much better way of securing applications. What is a Role? When speaking about application security, most people are comfortable with the existing concept …

Strong Password Hashing with Apache Shiro

JSON Web Token (JWT) is a useful standard becoming more prevalent, because it sends information that can be verified and trusted with a digital signature. In their most basic form, JWTs allow you to sign information (referred to as claims) with a signature and can be verified at a later time with a secret signing …

What is an X.509 Certificate?

An X.509 certificate is something that can be used in software to both: Verify a person’s identity so you can be sure that the person really is who they say they are. Send the person who owns the certificate encrypted data that only they will be able to decrypt and read. To be fair, X.509 certificates …