Chen Jian's Java Blog

Add an SPF DNS record if you don't want emails sent by your system defined as spam

by Chen Jian


Posted on 2015-11-25 12:00 in Security


The problem is: 1. Your web application's domain name is www.foo.com. 2. Your server IP is 123.123.123.123, and it sends emails to users from support@foo.com. 3. When a user danni@gmail.com gets an...


Will there be security issues with self-made HTTPS certificates?

by Chen Jian


Posted on 2015-11-03 12:00 in Security


By self-made HTTPS certificates, I mean one of two kinds: 1. A self-signed certificate; for example, the certificate of https://www.chenjianjx.com is issued by the author of this article. 2. A certificate issued by an...


What are the HTTPS certificates in a C/S communication and how are they verified?

by Chen Jian


Posted on 2015-11-03 12:00 in Security


An HTTPS certificate (a.k.a. X.509 certificate) is used to show others that you are really who you say you are. In an HTTPS-based C/S communication, including B/S communication, in most cases only the server side has to show a certificate...


Preventing attacks on users in HTTP RESTful API calls

by Chen Jian


Posted on 2015-11-01 12:00 in Security


This is an incomplete list of things you should consider when you want to prevent your users from being attacked by others. Note that this is about protecting individual consumers with username/password pairs, rather than application clients such as third-party...


Repost: the HTTPS handshake process

by Chen Jian


Posted on 2013-09-06 12:00 in Security



Beware of injection attacks through the JSONP callback parameter

by Chen Jian


Posted on 2013-01-09 12:00 in Security


If the callback string contains JS source code, an injection attack is possible. The server side should check whether the callback contains such injected content, for example by restricting the callback string to letters and digits only.


Using a digest mechanism to verify the validity of parameter combinations in system-to-system interaction

by Chen Jian


Posted on 2012-12-19 12:00 in Security


When one system handles a request sent by another system and encounters a meaningless parameter combination such as "type = cola & flavor = bitter", how should it tell that this is an invalid request? Since cola cannot be bitter, a normal system would never send such a request; a request like this can only have been forged by someone. The most direct way to detect it is to implement the business rule "cola cannot be bitter" in this system, but this system is a basic infrastructure application and special business logic should not intrude into it. Another option is to have this system call the business system back via RPC to verify whether the combination "cola, bitter" is valid. But this would cause the two systems...


An expert recommended a website vulnerability scanner: Acunetix WVS

by Chen Jian


Posted on 2011-12-21 12:00 in Security


Today an expert recommended a website vulnerability scanner, Acunetix WVS. Worth a try.


Commonly used certificate authorities (CAs)

by Chen Jian


Posted on 2010-08-18 12:00 in Security


Excerpted from 《Java加密与解密的技术》. The big three CAs: VeriSign, GeoTrust, Thawte. All of them are expensive, but they offer some trial versions. One free organisation: www.cacert.org. Every province in China has its own CA, such as the Beijing Certificate Authority (北京市数字证书认证中心).


Password-based encryption -- PBE

by Chen Jian


Posted on 2010-08-16 12:00 in Security


PBE = Password Based Encryption. The KEY of this kind of algorithm can be thought of as consisting of two parts: 1. The password -- a human-readable string, relatively long-lived. 2. The salt -- a piece of random information; the same random value is extremely unlikely to be used twice.


KeyPairGenerator, KeyFactory, KeyStore

by Chen Jian


Posted on 2010-08-16 12:00 in Security


To be completed.... KeyGenerator -- generates symmetric keys. KeyPairGenerator -- generates public/private key pairs. SecretKeyFactory -- turns a byte[] representing a symmetric key back into a Key object. KeyFactory -- turns a byte[] representing an asymmetric key back into a Key object. KeyStore -- in-memory...


Two ways to add a Java Security Provider

by Chen Jian


Posted on 2010-08-16 12:00 in Security


1. Edit the JDK configuration file %JDK_HOME%\jre\lib\security\java.security and add the line: security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider 2. Add it directly in code: Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());


The three main components of Java encryption/decryption and their related APIs

by Chen Jian


Posted on 2010-08-16 12:00 in Security


This post is excerpted from 《Java加密与解密的艺术》 by 梁栋 (Liang Dong). The three main components of Java encryption/decryption: 1. JCA --> Cryptography Architecture, including certificates, digital signatures, digesters, key generators etc. 2. JCE --> Cryptography Extension, including crypto algorithms etc. 3. ...


A highly recommended sniffer: Wireshark

by Chen Jian


Posted on 2010-08-12 12:00 in Security


This sniffer prints the datagrams going in and out on the network and supports the whole protocol stack; it is also free and has a very good interface. It is a big help when doing SSL-related development. Some useful filters: 1. tcp.port==8080 && http.request.method == "POST"


Network Security Essentials -- Notes 10. Firewall

by Chen Jian


Posted on 2010-08-09 12:00 in Security


Firewall's goals: 1. All traffic must pass through the wall. 2. Only authorized traffic is allowed to pass. 3. Immune to penetration. Techniques: 1. Service control -- "This IP is blocked" ...