Java web and command line application demo projects for different security topics
access-control-spring-security FailOnMissingWebXml cleanup Jan 9, 2017
crypto-hash Updated to Java Security v. 2.0.0 Jan 7, 2017
crypto-java Updated to Java Security v. 2.0.0 Jan 7, 2017
crypto-keyczar
crypto-shiro Updated to Java Security v. 2.0.0 Jan 7, 2017
crypto-spring FailOnMissingWebXml cleanup Jan 9, 2017
csp-spring-security Updated to Java Security v. 2.0.0 Jan 7, 2017
csrf-spring-security Updated to Java Security v. 2.0.0 Jan 7, 2017
csrf Updated to Java Security v. 2.0.0 Jan 7, 2017
direct-object-references
intercept-me Updated to Java Security v. 2.0.0 Jan 7, 2017
security-header
security-logging Updated to Java Security v. 2.0.0 Jan 7, 2017
session-handling-spring-security
session-handling FailOnMissingWebXml cleanup Jan 9, 2017
sql-injection
xss Updated to Java Security v. 2.0.0 Jan 7, 2017
.gitignore Cleaned up list Oct 27, 2015
.travis.yml Added src:clr to build Dec 25, 2016
LICENSE Initial commit Dec 26, 2013
README.md Added license badge Jan 6, 2017
findbugs-security-exclude.xml Added FindSecurityBugs configuration Mar 9, 2016
findbugs-security-include.xml Added FindSecurityBugs configuration Mar 9, 2016
pom.xml Updated dependencies Feb 19, 2017

README.md

Java Security

This repository contains several Java web applications and command line applications covering different security topics. Have a look at the slides from various events covering the applications in this repository. The Java Web Security Workshop uses all these applications in much greater detail.

Web Applications in Detail

Some web applications contain exercises. Instructions are provided in detail in each web application.

Using Mozilla Firefox as the browser is strongly recommended. Some web applications are based on Spring Boot and can be started via the main method in the Application class or via mvn spring-boot:run. The other web applications contain either an embedded Tomcat7 Maven plugin, started via mvn tomcat7:run-war, or an embedded Jetty Maven plugin, started via mvn jetty:run-war.

access-control-spring-security

Access control demo project utilizing Spring Security. Shows how to safely load user data from a database without using potentially faked frontend values. After launching, open the web application in your browser at http://localhost:8080/access-control-spring-security.

crypto-spring

Crypto demo project using Jasypt to secure Spring configuration (property) files. Requires a system property APP_ENCRYPTION_PASSWORD with the value spring-jasypt present on startup (set automatically by the Tomcat7 Maven plugin). After launching, open the web application in your browser at http://localhost:8080/crypto-spring.

csp-spring-security

Content Security Policy (CSP) with Spring Security demo project. After launching, open the web application in your browser at http://localhost:8080/csp-spring-security.

csrf-spring-security

Cross-Site Request Forgery (CSRF) demo project preventing CSRF in a JavaServer Pages (JSP) web application by utilizing Spring Security. After launching, open the web application in your browser at http://localhost:8080/csrf-spring-security.

csrf

Cross-Site Request Forgery (CSRF) demo project preventing CSRF in a JavaServer Pages (JSP) web application. Sample code is based on the Enterprise Security API (ESAPI). After launching, open the web application in your browser at http://localhost:8080/csrf.

direct-object-references

Direct object references (and indirect object references) demo project using plain Java. Sample code is based on the Enterprise Security API (ESAPI). After launching, open the web application in your browser at http://localhost:8080/direct-object-references.

intercept-me

Spring Boot based web application to experiment with OWASP ZAP as an intercepting proxy. The goal is to receive SUCCESS from the backend. After launching, open the web application in your browser at http://localhost:8080/intercept-me.

security-header

Security response header demo project which applies X-Content-Type-Options, Cache-Control, X-Frame-Options, HTTP Strict Transport Security (HSTS), X-XSS-Protection and Content Security Policy (CSP) (Level 1 and 2) headers to HTTP responses. After launching, open the web application in your browser at http://localhost:8080/security-header or https://localhost:8443/security-header.
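The following servlet filter is an added example, not code from the security-header project. It sets every header listed above on each response and only emits HSTS on a TLS request, since a browser ignores Strict-Transport-Security received over plain HTTP. It assumes the Servlet 3.x API (javax.servlet) and a container that honours the @WebFilter annotation; the policy values are chosen for the demonstration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the project's own code): applies the security response
 * headers to every response that passes through the filter chain.
 * Assumes the javax.servlet 3.x API; header values are demo choices.
 */
@WebFilter("/*")
public class SecurityHeaderFilter implements Filter {

    // CSP Level 1 (default-src, object-src) and Level 2 (frame-ancestors) directives.
    static final String CSP = "default-src 'self'; object-src 'none'; frame-ancestors 'none'";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        applyHeaders(request, response);
        chain.doFilter(req, res);
    }

    static void applyHeaders(HttpServletRequest request, HttpServletResponse response) {
        // Stops the browser from guessing a content type other than the declared one.
        response.setHeader("X-Content-Type-Options", "nosniff");
        // Keeps responses that may carry session-specific data out of caches.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        // Legacy clickjacking defence for browsers without CSP frame-ancestors support.
        response.setHeader("X-Frame-Options", "DENY");
        // Legacy reflective XSS filter switch for older browsers.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        response.setHeader("Content-Security-Policy", CSP);
        // HSTS is only meaningful on a TLS response (https://localhost:8443 above).
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

Deploy the class in the web application and compare the response headers in the browser's network panel between http://localhost:8080 and https://localhost:8443: only the TLS response carries the Strict-Transport-Security header.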

security-logging

Security logging demo project based on the OWASP Security Logging Project. After launching, open the web application in your browser at http://localhost:8080/security-logging.

session-handling-spring-security

Session handling demo project utilizing Spring Security. Shows how to restrict access to resources (URLs), how to apply method level security and how to securely store and verify passwords. Uses Spring Security for all security-related functionality. Requires a web server with Servlet 3.1 support. After launching, open the web application in your browser at http://localhost:8080/session-handling-spring-security.

session-handling

Session handling demo project using plain Java to create the session and change the session id after login. Requires a web server with Servlet 3.1 support. After launching, open the web application in your browser at http://localhost:8080/session-handling.
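A login servlet showing the point of the Servlet 3.1 requirement, as an added example that is not the session-handling project's own code: the session id is rotated with HttpServletRequest#changeSessionId at the moment the session gains privileges, so an id the client held before authentication (or one planted in its browser) no longer refers to the logged-in session, and logout invalidates the server-side session entirely. It assumes the javax.servlet 3.1 API; the single demo user and its credential check are constructed here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not the project's own code): login with session id rotation
 * and logout with session invalidation. Assumes the javax.servlet 3.1 API.
 */
@WebServlet("/login")
public class SessionLoginServlet extends HttpServlet {

    private static final String USER_ATTRIBUTE = "authenticatedUser";
    private static final int SESSION_TIMEOUT_SECONDS = 15 * 60;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("logout".equals(request.getParameter("action"))) {
            // Drop the whole server-side session rather than just the user attribute.
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                existing.invalidate();
            }
            response.sendRedirect(request.getContextPath() + "/");
            return;
        }

        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null || !verify(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The request may carry a session id issued before login. Changing the id
        // now (Servlet 3.1) means that pre-login id stops referring to this session.
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        session.setAttribute(USER_ATTRIBUTE, username);
        session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);

        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Constructed demo user. A real application verifies a salted password hash
    // here instead of comparing against a stored secret directly.
    static boolean verify(String username, String password) {
        byte[] expected = "demo-password".getBytes(StandardCharsets.UTF_8);
        byte[] given = password.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual runs in constant time over the full length of both arrays.
        return "demo".equals(username) && MessageDigest.isEqual(expected, given);
    }
}
```

Watch the JSESSIONID cookie in the browser's developer tools across a login: the value before the POST and the value in the redirect's Set-Cookie header differ, while session attributes set after the rotation are preserved.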

sql-injection

SQL Injection demo project using normal (vulnerable) statements, statements with escaped input, prepared statements and Hibernate Query Language. After launching, open the web application in your browser at http://localhost:8080/sql-injection.

xss

Cross-Site Scripting (XSS) demo project preventing XSS in a JavaServer Pages (JSP) web application by utilizing input validation, output escaping with OWASP Java Encoder and the Content Security Policy (CSP). After launching, open the web application in your browser at http://localhost:8080/xss.

Command Line Applications in Detail

All projects contain main methods to get started.

crypto-hash

Crypto demo project using Java to hash passwords with different hashing algorithms. All classes contain main methods to execute the samples.

crypto-java

Crypto demo project using plain Java to encrypt and decrypt data with asymmetric (RSA) and symmetric (AES) keys as well as to sign and verify data (DSA). All classes contain main methods to execute the samples.

crypto-keyczar

Crypto demo project using Keyczar to encrypt and decrypt data with asymmetric (RSA) and symmetric (AES) keys as well as to sign and verify data (DSA). All classes contain main methods to execute the samples.

crypto-shiro

Crypto demo project using Apache Shiro to encrypt and decrypt data with symmetric (AES) keys as well as hash data (passwords). All classes contain main methods to execute the samples.

Meta

Build Status License