The 8th item on the OWASP Top 10 is A8 - Failure to Restrict URL Access. This one is kind of interesting, as what you see in the browser and what you see on the server are more often than not two very different things in JavaScript-driven web apps. This is especially true for single-page web apps.

[...]
Using JSONP imposes some risk on your system, whether you are providing data or using data published as JSONP.
[...]
Some of you may have read my earlier post Making a WSS4J client talk to a WSE 3.0 secured web service with x509 certificates. In the original post I used the interop certificates that are issued with WSS4J. In this post I'll explain how you can create your own certificates.
[...]
Some of you may have seen my old posting where I presented some configuration for accessing a WSS4J secured Axis service from .NET using WSE3.0. I have gotten a lot of questions about how to make this work the other way around. This post contains a working configuration for a WSS4J secured client talking to a WSE3.0 secured web service using x509 certificates.
[...]
Making WSS4J work with WSE 2.0 and X509 tokens was quite easy, but after upgrading to WSE 3.0, things suddenly went bad. I kept getting error messages like "Illegal key size" and similar on the Java side. In this blog entry you will find a working configuration for WSE 3.0 and WSS4J.
[...]
You may sometimes need to set or retrieve cookies on Axis connections to transfer authentication tokens or similar.
[...]
Making Apache axis web services work with .NET technology can be a pain in the neck.
[...]