Enabling Java EE and Fortress Security inside an Apache Wicket Web App

2015-03-13 Thread Shawn McKinney


Hello, another post on how a Wicket application can be hooked in with 
Java EE security and Fortress RBAC controls:



https://iamfortress.wordpress.com/2015/03/13/enabling-java-ee-and-fortress-security-inside-an-apache-wicket-web-app/

Hope you find it helpful.

Shawn

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Demonstrate End-to-End Security Enforcement using Open Source Software Wicket

2014-10-08 Thread Shawn McKinney

On 08/20/2014 10:08 AM, Shawn McKinney wrote:
 Notably missing from the material is theory or why these types of 
complex security mechanisms are necessary.  I'm working on that now and 
will publish it back here when ready.


Hello again, just now getting back to this thread

***

The fortressdemo2 web app tutorial shows an Apache Wicket web app 
deployed inside of a Tomcat container using both an LDAP and DB server. 
It recommends various security layers for end-to-end security, which is 
a 'defense in depth' approach.


The fortressdemo2 source code is here:

https://github.com/shawnmckinney/fortressdemo2

The fortress demo2 tutorial page has been moved to a new location:
https://symas.com/kb/demonstrate-end-to-end-security-enforcement-using-open-source/

and on this page are more links to:

a. static html javadoc (hosted on same server) containing instructions 
for actual fortressdemo2 tutorial installation.  The overview page of 
the javadoc describes how to download the example source code and how to 
generate documentation locally.


b. link to presentation given last week at JavaOne

The J1 deck contains two parts:
1. Overview of the security controls used within the fortressdemo2 web app.

2. Description of how to drop the fortressdemo2 (and its associated 
infrastructure) into a cloud foundry PaaS (presented by John Field)


Finally there is an abbreviated version of the slides containing the 
rationale for each layer by comparing to everyday situations:

https://symas.com/javadocs/fortressdemo2/doc-files/AnatomyOfSecureWebApp.pdf

We are donating this material to help others learn the proper way to 
do security inside of web app envs, so there will be fewer violations and 
breaches of our personal and business data - events that are seemingly 
commonplace today.


Suggestions or comments are welcome.

Thanks for your attention,

Shawn




Re: Wicket meet-and-greet at JavaOne 2014?

2014-09-09 Thread Shawn McKinney

On 09/08/2014 06:17 PM, Garret Wilson wrote:
Hi, all. I'm traveling at the moment, but I plan to be back in San 
Francisco around the start of JavaOne. Do any Wicket users plan on 
being in town for the conference? Would you like me to organize a 
meet-and-greet at a local restaurant or even (depending on the number 
of guests) at my place? Perhaps it would be helpful and fun to put 
some faces with some names on the list. Let me know if you like the idea.


Hello Garret, I will be there and would like to meet.  Also will be 
presenting at a couple of sessions:


Monday: The Anatomy of a Secure Web Application Using Java [CON3479] : 
https://oracleus.activeevents.com/2014/connect/sessionDetail.ww?SESSION_ID=3479
Tuesday: Open Source Identity and Access Management Expert Panel, Part 3 
[BOF3478] : 
https://oracleus.activeevents.com/2014/connect/sessionDetail.ww?SESSION_ID=3478


Shawn


Re: Demonstrate End-to-End Security Enforcement using Open Source Software Wicket

2014-08-20 Thread Shawn McKinney

On 08/20/2014 08:01 AM, Martin Grigorov wrote:

I am not able to find the tutorial ... :-/
At http://iamfortress.org/FortressDemo2 there is only a diagram. At the
bottom there is a link to the Javadocs of the application. But I cannot
find the tutorial.

The steps are contained within the javadoc's overview-summary.html page 
which lists the sections required to install and run the security demo.


The javadoc is generated from the fortress demo2 source bundle located here:

https://github.com/shawnmckinney/fortressdemo2

The README contains instructions for generating javadoc so you may have 
an offline copy:


https://github.com/shawnmckinney/fortressdemo2/blob/master/README.txt





Re: Demonstrate End-to-End Security Enforcement using Open Source Software Wicket

2014-08-20 Thread Shawn McKinney
Notably missing from the material is theory or why these types of 
complex security mechanisms are necessary.  I'm working on that now and 
will publish it back here when ready.


On 08/20/2014 09:43 AM, Martin Grigorov wrote:

OK. Thanks!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov


On Wed, Aug 20, 2014 at 5:39 PM, Shawn McKinney mckinney-sh...@att.net
wrote:


On 08/20/2014 08:01 AM, Martin Grigorov wrote:


I am not able to find the tutorial ... :-/
At http://iamfortress.org/FortressDemo2 there is only a diagram. At the
bottom there is a link to the Javadocs of the application. But I cannot
find the tutorial.


The steps are contained within the javadoc's overview-summary.html page
which lists the sections required to install and run the security demo.

The javadoc is generated from the fortress demo2 source bundle located
here:

https://github.com/shawnmckinney/fortressdemo2

The README contains instructions for generating javadoc so you may have an
offline copy:

https://github.com/shawnmckinney/fortressdemo2/blob/master/README.txt










Demonstrate End-to-End Security Enforcement using Open Source Software Wicket

2014-08-17 Thread Shawn McKinney
Posting another security tutorial featuring an Apache Wicket Web sample 
application.  This one provides end-to-end security coverage: 
http://iamfortress.org/FortressDemo2





Using ANSI RBAC Security Enforcement inside Wicket 6.x Applications

2013-09-20 Thread Shawn McKinney

Hello again,

In the past couple of weeks I have shared with you articles documenting 
techniques to secure Wicket applications running in Jetty & Tomcat 
containers using basic security principles. Another article in this 
series builds on what was demonstrated before by introducing more 
advanced ANSI RBAC concepts like role activation and dynamic separation 
of duty constraints.


http://iamfortress.org/WicketRbac

A sample Wicket application showing how-to is on GitHub:

https://github.com/shawnmckinney/wicketsecurityfortress
https://github.com/shawnmckinney/fortressdemo1

Enjoy,

Shawn


Using Fortress, Spring and Tomcat to Secure Wicket 6.x Applications

2013-09-11 Thread Shawn McKinney

Hello,

A couple of days ago I published an article documenting an approach to 
secure Wicket applications running in a Jetty container using a simple 
property file to store credentials.  This new article builds on that by 
adding Fortress, OpenLDAP and Tomcat to the mix.


http://iamfortress.org/WicketFortress

Included is a sample Wicket application demonstrating these techniques 
on GitHub.


https://github.com/shawnmckinney/wicketsecurityfortress

Comments are welcome.

Regards,

Shawn


Re: Securing Wicket 6.x Applications with Java EE, Spring Jetty

2013-09-09 Thread Shawn McKinney

On 09/09/2013 01:21 AM, Martin Grigorov wrote:

Thank you very much for sharing your knowledge with us, Shawn!
Please let us know when you publish the second document.


My pleasure Martin.  I've been using this forum and it's time for me to 
contribute something.  Hope it helps.


Shawn




Securing Wicket 6.x Applications with Java EE, Spring Jetty

2013-09-08 Thread Shawn McKinney

Hello,

I am a new subscriber to the Wicket users list but have been using the 
Wicket framework for about 3 years.


Recently I published an article documenting an approach my company uses 
to secure Wicket applications.  It uses a combination of Java EE 
container security, Spring security and a few custom wicket components 
(for controlling view of component by role and permission).


http://iamfortress.org/WicketSecurity

There is also a sample Wicket application using these controls on GitHub.

https://github.com/shawnmckinney/wicketsecurity

I plan on publishing another document later that goes beyond the simple 
Jetty security provider by introducing policy enforcement mechanisms 
more suitable for production.


Comments are welcome.

Regards,

Shawn