For example, while SSL is definitely a secure layer, many (if not most) home grown applications simply do not want to pay for a signed certificate (even less in face of the fact that such a certificate is mostly restricted to a single domain) and, thus, simply do not use SSL. Of course, this is worst, but still common practice.

Also, basic authentification is, presumingly with respect to its simplicity, still widespread. However, basic authentification in combination with a non-secure transport layer is a security black hole.

And finally, with SaaS rising, comfortable single sign-on in a multitenant environment must be considered in modern software design. Latter issue, cloud based single sign-on, is supported by the Spring Security (see ref. manual).

There are some more requirements emerging from the evolving cloud: for example, RESTful web services as part of asynchronous data transfer need to be secured on user level. While such scenarios can definitely be realized with the Spring Security, it definitely focuses on securing classic synchronous data transfer and flows (for instance, I would rather not choose Spring Web Flow to implement the flow of an highly AJAXian web application). In order to implement flows based on highly asynchronous communication between the client and server, there is definitely some hacking to do (see e.g. this tutorial).

However, the most important issue in times of millions of home grown smartphone apps is sharing credentials with such a client. Using same password over and over again, because you cannot remember millions of different passwords? Of course, this is worst, but still common practice. Now, what if your credentials are misused by your app? Wouldn’t it be much better, if you would not share your credentials with the client at all?

OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications. It has been developed with most of the issues that emerged from cloud-based authentification and authorizastion in mind. Furthermore, it is being used by global players like Digg, Jaiku, Flickr, Twitter, and developers of OAuth are hopeful to see Google, Yahoo, and others soon to follow. With so many heavy weight service providers relying on OAuth, it may definitely be considered as quasi standard. Unfortunately, Spring Security is not (yet) shipped with out-of-the-box support of OAuth, although I am pretty sure that the extremely capable Springsource team will deliver Spring with OAuth support as soon as possible.

For those who cannot (and should not) wait, a promising approach is described in OAuth for Spring Security. The purpose of this project is to provide an OAuth implementation for Spring Security. I have tested their implementation, and hereby I strongly recommend their approach. For me, the most striking advantage of this design is the combined power of both, OAuth and Spring Security. While you still have the comfort of Spring and its AOP framework, you have implemented the security of OAuth.

I’ve just installed the package on my private OsX server via MacPorts. However, it took me a while until I found the installation location of all required files. After having touched /etc/hosts.deny (the file used by denyhosts to store suspicious ips for tcp_wrappers to block them), copied /opt/local/share/denyhosts/denyhosts.cfg-dist to somewhere reasonable (e.g. /etc/denyhosts.cfg), modified it to my needs (added E-Mail etc.), I was able to test start DenyHost with:

sudo /opt/local/Library/Frameworks/Python.framework/Versions/2.6/bin/denyhosts.py --config=/etc/denyhosts.cfg

I’ve got a nice email telling me that, deducing from my /var/log/secure.log some IPs were now added to hosts.deny. Furthermore, some interesting data have been stored in /opt/local/share/denyhosts/data.

However, I prefer DenyHost to be running in daemon mode and to synchronize with data collected from the cloud, so I inserted  SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 into denyhosts.cfg and started DenyHost with some additional options:

sudo /opt/local/Library/Frameworks/Python.framework/Versions/2.6/bin/denyhosts.py --config=/etc/denyhosts.cfg --sync --daemon

And now I feel much more comfortable now.

Related Links:

• Preventing SSH Dictionary Attacks With DenyHosts
• Denyhost
• Debian Linux Stop SSH User Hacking / Cracking Attacks with DenyHosts Software

The Suite can be downloaded for free at:

http://www.microsoft.com/Security_Essentials/

BTW, I just learned, that installing Windows Security Essentials will either disable (Vista/Win7) or remove (XP) Windows Defender. Defender is no longer required, because it is being replaced by WSE. However, you really should check if Defender is really disabled/removed. If not, do it.

echo thisismypassphrase|gpg --passphrase-fd 0 --decrypt-files *.gpg

And mind the lack of spaces right and left of the pipe

However, there is a very useful free open-source tool called PDFCreator which is also capable of creating PDF/A documents.  You only need to download PDFCreator and follow these instructions:

• Print any document from any application you like
• As the printer, choose PDFCreator
• Click on “O.K.” or “Print” or whatever
• A dialog pops up. Click on “Properties”
• To the left, click on “Program” (if not already chosen)
• Click on “Ghostscript” (which is actually the engine that creates PDFs)
• Copy and paste the following line into the upper text box (“Additional Ghostscript Parameters”):

  -dPDFA|-f|<gslib>

  
  

• Click on “Save” and again on “Save”

You are done. A PDF/A document is created. You may want to check this. If you have e.g. Adobe^® Acrobate Reader installed, all you need to do is to open the just created PDF and have a look at small bar to the very left. You should see a small icon which reads “PDF” at its top left and shows the letter “i” at its bottom right. This indicates that there are additional information available. Click on that icon. You should see “Conformance. Standard: PDF/A-1B. ISO Name: ISO 19005-1″. If so, you document is actually a PDF/A one.