dschadow/JavaSecurity
Fork: 114 Star: 222 (更新于 1970-01-01 00:00:00)
license: Apache-2.0
Language: Java .
Java web and command line applications demonstrating various security topics
最后发布版本: 2.0.0 ( 2017-03-28 16:12:27)
Java Security
This repository contains several Java web applications and command line applications covering different security topics. Have a look at my slides and publications covering most applications in this repository.
Requirements
- Java 21
- Maven 3
- Mozilla Firefox (recommended, some demos might not be fully working in other browsers)
- Docker (required for running the sample applications as Docker containers)
Web Applications in Detail
Some web applications contain exercises, some are only there to inspect and learn. Instructions are provided in detail on the start page of each web application.
Some web applications are based on Spring Boot and can be started via the main method in the Application class or via mvn spring-boot:run in the project directory. Spring Boot projects can be launched via docker run -p 8080:8080 dschadow/[PROJECT]
after the image has been created using mvn spring-boot:build-image
. The other web applications either contain an embedded Tomcat7 Maven plugin which can be started via mvn tomcat7:run-war, or an embedded Jetty Maven plugin which can be started via mvn jetty:run-war.
access-control-spring-security
Access control demo project utilizing Spring Security in a Spring Boot application. Shows how to safely load user data from a database without using potentially faked frontend values. After launching, open the web application in your browser at http://localhost:8080.
csp-spring-security
Spring Boot based web application using a Content Security Policy (CSP) header. After launching, open the web application in your browser at http://localhost:8080.
csrf-spring-security
Cross-Site Request Forgery (CSRF) demo project based on Spring Boot preventing CSRF in a web application by utilizing Spring Security. After launching, open the web application in your browser at http://localhost:8080.
csrf
Cross-Site Request Forgery (CSRF) demo project preventing CSRF in a JavaServer Pages (JSP) web application by utilizing the Enterprise Security API (ESAPI). After launching, open the web application in your browser at http://localhost:8080/csrf.
direct-object-references
Direct object references (and indirect object references) demo project using Spring Boot and utilizing the Enterprise Security API (ESAPI). After launching, open the web application in your browser at http://localhost:8080.
intercept-me
Spring Boot based web application to experiment with OWASP ZAP as intercepting proxy. Target is to receive SUCCESS from the backend. After launching, open the web application in your browser at http://localhost:8080.
security-header
Security response header demo project which applies X-Content-Type-Options, Cache-Control, X-Frame-Options, HTTP Strict Transport Security (HSTS), X-XSS-Protection and Content Security Policy (CSP) (Level 1 and 2) headers to HTTP responses. After launching, open the web application in your browser at http://localhost:8080/security-header or https://localhost:8443/security-header.
security-logging
Spring Boot based web application utilizing the OWASP Security Logging Project. Demonstrates how to log security relevant incidents in a log file. After launching, open the web application in your browser at http://localhost:8080.
session-handling-spring-security
Session handling demo project based on Spring Boot utilizing Spring Security and jasypt-spring-boot to secure Spring configuration (property) files. Shows how to restrict access to resources (URLs), how to apply method level security and how to securely store and verify passwords. Uses Spring Security for all security related functionality. Requires a system property (or environment variable or command line argument) named jasypt.encryptor.password with the value session-handling-spring-security present on startup. After launching, open the web application in your browser at http://localhost:8080.
session-handling
Session handling demo project using plain Java. Uses plain Java to create and update the session id after logging in. Requires a web server with Servlet 3.1 support. After launching, open the web application in your browser at http://localhost:8080/session-handling.
sql-injection
Spring Boot based web application to experiment with normal (vulnerable) statements, statements with escaped input, and prepared statements. After launching, open the web application in your browser at http://localhost:8080.
xss
Cross-Site Scripting (XSS) demo project preventing XSS in a JavaServer Pages (JSP) web application by utilizing input validation, output escaping with OWASP Java Encoder and the Content Security Policy (CSP). After launching, open the web application in your browser at http://localhost:8080/xss.
Command Line Applications in Detail
The following projects demonstrate crypto usage in Java with different libraries. Each project contains one or more JUnit test classes to test various functionalities of the demo project.
crypto-hash
Crypto demo using Java to hash passwords with different hashing algorithms.
crypto-java
Crypto demo using plain Java to encrypt and decrypt data with asymmetric (RSA) and symmetric (AES) algorithms as well as to sign and verify data (DSA).
crypto-shiro
Crypto demo using Apache Shiro to encrypt and decrypt data with symmetric (AES) algorithms as well as hash data (passwords).
crypto-tink
Crypto demo using Google Tink to encrypt and decrypt data with asymmetric and hybrid encryption, MAC and digital signatures. Depending on the demo, keys are either generated on the fly or stored/loaded from the keysets' directory. The AWS KMS samples (classes with AwsKms in their names) require a configured AWS KMS with an enabled master key.
Meta
最近版本更新:(数据更新于 1970-01-01 00:00:00)
2017-03-28 16:12:27 2.0.0
2016-12-16 04:01:05 1.1.5
2016-04-05 03:00:54 1.1.2
2015-04-12 17:14:10 1.0.2
主题(topics):
appsec, cryptography, csp, csrf, esapi, google-tink, java, java-security, java-web, owasp, security, security-topics, spring, spring-boot, spring-security, xss
dschadow/JavaSecurity同语言 Java最近更新仓库
2024-11-13 09:30:15 Tornaco/Thanox
2024-11-12 09:59:10 mybatis-flex/mybatis-flex
2024-11-11 23:58:45 PBH-BTN/PeerBanHelper
2024-11-10 07:12:10 Stirling-Tools/Stirling-PDF
2024-11-08 23:15:38 yuliskov/SmartTube
2024-11-08 05:44:55 jmdns/jmdns