CodeByAkram: Spring

How to use / implement OWASP ESAPI Logger in Java

Before going further, let's talk about log forging (sometimes called JVM log forging).

Log Forging

According to OWASP, writing unvalidated data to a log lets an attacker forge log entries or inject malicious content into the log file. Log forging is when an attacker adds or modifies log content by exploiting an application that copies untrusted input into its log lines without neutralising it.

Let's understand log forging with an example.


private void printLog(String amount) {
    // amount comes straight from the request; nothing neutralises line breaks in it
    logger.info("Amount credited in account Rs. {}", amount);
}

The above code prints log lines such as:

Amount credited in account Rs. 500

Now suppose an attacker supplies the amount "500\n\nAmount debited in account Rs.500", a real value followed by two line breaks and a fabricated entry. The log now reads:

Amount credited in account Rs. 500

Amount debited in account Rs.500

The second line was never written by the application: the attacker has forged a log entry. Anything that reads the log (a SIEM, a fraud analyst, an auditor) cannot tell the two apart.


Avoid embedding user input directly in log files when possible. Where untrusted data must appear in a log entry, sanitize it first by using a safe logging mechanism such as the OWASP ESAPI logger, which neutralises carriage returns and line feeds before writing (it also HTML-encodes the message by default, so entries stay safe in a browser-based log viewer). The rest of this post shows how to do this with ESAPI.

Here is the Maven dependency for ESAPI:

    <dependency>
        <groupId>org.owasp.esapi</groupId>
        <artifactId>esapi</artifactId>
        <version>2.2.2.0</version>
    </dependency>

We can encode log messages using ESAPI's Encoder interface. The method below does by hand what the ESAPI logger does for you: it neutralises the characters an attacker needs to start a new line or realign columns, then HTML-encodes the result. The HTML encoding only matters if the log is viewed in a browser; for a plain-text log, replacing the line breaks is the part that stops forging.

    import org.owasp.esapi.ESAPI;

    public class LogEncoder {
        public String encode(String message) {
            // Line feed, carriage return and tab are what an attacker needs to forge a new entry.
            message = message.replace('\n', '_').replace('\r', '_').replace('\t', '_');
            // Encode for HTML so the entry is also safe in a browser-based log viewer.
            message = ESAPI.encoder().encodeForHTML(message);
            return message;
        }
    }
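The following is an added example, not code from the original post. It shows the vulnerable and hardened log lines side by side without any external dependency, and it generalises the replacement above: instead of collapsing line breaks to an underscore, it turns every control character (including the Unicode line separators NEL, LS and PS, which some log viewers also treat as line breaks) into a visible escape, so the forensic record still shows what the attacker tried. The class name LogSanitizer and the sample input are assumptions made for this example.

```java
import java.util.logging.Logger;

/**
 * Added example: neutralise line breaks and other control characters before
 * untrusted text reaches the log. Not part of ESAPI; ESAPI's own Logger
 * performs equivalent encoding automatically.
 */
public final class LogSanitizer {
    private static final Logger LOG = Logger.getLogger("payments");

    private LogSanitizer() {}

    /**
     * Escape every character that could start a new log line or hide text:
     * C0 controls, DEL, and the Unicode line separators U+0085, U+2028, U+2029.
     * "\n" becomes the two characters '\' and 'n', so a forged entry stays on
     * the original line and is visibly marked as attacker-supplied.
     */
    public static String encodeForLog(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f || c == '\u0085' || c == '\u2028' || c == '\u2029') {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** Vulnerable: untrusted text goes straight into the log line. */
    static String vulnerableLine(String amount) {
        return "Amount credited in account Rs. " + amount;
    }

    /** Hardened: same message, but the untrusted part is encoded first. */
    static String hardenedLine(String amount) {
        return "Amount credited in account Rs. " + encodeForLog(amount);
    }

    public static void main(String[] args) {
        // Constructed attacker input: a real amount followed by a forged second entry.
        String forged = "500\n\nAmount debited in account Rs.500";
        LOG.info(vulnerableLine(forged)); // appears as two separate "entries"
        LOG.info(hardenedLine(forged));   // one entry: Rs. 500\n\nAmount debited in account Rs.500
    }
}
```

Escaping rather than deleting is a deliberate choice: an underscore hides the fact that an injection was attempted, whereas the escaped form lets a detection rule alert on a log line containing the literal text "\n".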
What do you mean by Aspect, Join Point, Advice?

Aspect: An aspect is a module that encapsulates a cross-cutting concern (logging, transactions, authorization) so it does not have to be repeated in every class it applies to. In Spring, an aspect is a regular class annotated with @Aspect.
Join Point: A join point is a point during program execution where an aspect can be applied. In Spring AOP a join point is always the execution of a method.
Advice: Advice is the action an aspect takes at a particular join point; the types are listed below.
Pointcut: Pointcuts are expressions that are matched against join points to determine whether advice needs to be executed. Spring uses the AspectJ pointcut expression language for these expressions.
AOP Advice Types
Before Advice: This advice runs before the join point method executes. Use the @Before annotation to mark an advice method as before advice.
After (finally) Advice: This advice runs after the join point method finishes, whether it returns normally or throws an exception. We create after advice with the @After annotation.
After Returning Advice: Sometimes we want an advice method to execute only if the join point method completes normally. We use the @AfterReturning annotation to mark a method as after returning advice.
After Throwing Advice: This advice runs only when the join point method throws an exception; it can be used, for example, to roll back a transaction. We use the @AfterThrowing annotation for this type of advice.
Around Advice: This is the most powerful advice. It surrounds the join point method, and we can choose whether to execute the join point method at all. We can write advice code that runs before and after the join point method. It is the responsibility of around advice to invoke the join point method (via proceed()) and to return its value if the method returns something. We use the @Around annotation to create around advice methods.

What’s the difference between @Component, @Controller, @Repository & @Service annotations in Spring?

Spring 2.5 introduced further stereotype annotations: @Component, @Service, and @Controller. @Component is a generic stereotype for any Spring-managed component. @Repository, @Service, and @Controller are specializations of @Component for more specific use cases, for example in the persistence, service, and presentation layers, respectively.

Therefore, you can annotate your component classes with @Component, but by annotating them with @Repository, @Service, or @Controller instead, your classes are more properly suited for processing by tools or for associating with aspects. For example, these stereotype annotations make ideal targets for pointcuts.

Thus, if you are choosing between @Component and @Service for your service layer, @Service is clearly the better choice. Similarly, @Repository is already supported as a marker for automatic exception translation in your persistence layer: data-access exceptions thrown by a @Repository bean are translated into Spring's DataAccessException hierarchy.
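To make the advice types from the AOP post and the "ideal targets for pointcuts" remark concrete, here is an added example (not code from the original posts): a hypothetical audit and authorization aspect that advises every public method of a @Service bean, using the @within(org.springframework.stereotype.Service) pointcut designator. The RequiresRole annotation, the CurrentUser holder, AccountService and AccountRepository are assumed names invented for this example; in a real project they would be separate files and the role check would consult a real security context.

```java
package com.example.aop;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import java.util.logging.Logger;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.AfterThrowing;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Repository;
import org.springframework.stereotype.Service;

/** Hypothetical marker: the annotated method may only run for a caller holding this role. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
    String value();
}

/** Hypothetical holder for the current caller's roles (stand-in for a real SecurityContext). */
final class CurrentUser {
    private static final ThreadLocal<Set<String>> ROLES = ThreadLocal.withInitial(Set::of);
    static void set(Set<String> roles) { ROLES.set(roles); }
    static Set<String> roles() { return ROLES.get(); }
}

@Repository
class AccountRepository {
    void credit(String account, long paise) { /* persistence omitted in this example */ }
}

@Service
class AccountService {
    private final AccountRepository repo;
    AccountService(AccountRepository repo) { this.repo = repo; }

    public String credit(String account, long paise) {
        repo.credit(account, paise);
        return "credited " + paise + " paise to " + account;
    }

    @RequiresRole("ADMIN")
    public void closeAccount(String account) {
        // The @Around advice below decides whether this join point runs at all.
    }
}

@Aspect
@Component
class AuditAndAuthorizationAspect {
    private static final Logger LOG = Logger.getLogger("audit");

    /** Pointcut: every public method of a class annotated with @Service. */
    @Pointcut("@within(org.springframework.stereotype.Service) && execution(public * *(..))")
    void serviceLayer() {}

    /** Before advice: runs before the join point method. Logs only the signature, never the arguments. */
    @Before("serviceLayer()")
    void logEntry(JoinPoint jp) {
        LOG.info("enter " + jp.getSignature().toShortString());
    }

    /** After returning advice: runs only when the method completed normally. */
    @AfterReturning(pointcut = "serviceLayer()", returning = "result")
    void logResult(JoinPoint jp, Object result) {
        LOG.info("ok " + jp.getSignature().toShortString());
    }

    /** After throwing advice: runs only when the method threw. */
    @AfterThrowing(pointcut = "serviceLayer()", throwing = "ex")
    void logFailure(JoinPoint jp, Throwable ex) {
        LOG.warning("fail " + jp.getSignature().toShortString() + ": " + ex.getClass().getSimpleName());
    }

    /** Around advice on methods carrying @RequiresRole: proceed only if the caller holds the role. */
    @Around("serviceLayer() && @annotation(required)")
    Object authorize(ProceedingJoinPoint pjp, RequiresRole required) throws Throwable {
        if (!CurrentUser.roles().contains(required.value())) {
            LOG.warning("denied " + pjp.getSignature().toShortString() + " (needs " + required.value() + ")");
            throw new SecurityException("missing role " + required.value());
        }
        return pjp.proceed();
    }
}

@Configuration
@EnableAspectJAutoProxy
class AopConfig {}
```

Two caveats a practitioner should keep in mind. First, the aspect logs only the method signature, not the arguments, so untrusted input never reaches the audit log unencoded. Second, Spring AOP advises calls that go through the proxy: if a method inside AccountService calls this.closeAccount(...) directly, the authorization advice is bypassed, so a security check implemented this way must not be the only one.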



Differentiate between constructor injection and setter injection

Partial Dependency

With setter injection, partial dependency is possible. Suppose a bean declares four dependencies:

(figure in the original post: a bean class with four dependencies)

It is not necessary to inject all four values when using setter injection; any setter that is never called simply leaves that field unset.

With constructor injection, partial dependency is not possible, because the container must call the constructor with a value for every parameter.

Overriding

Constructor injection cannot override setter-injected properties, but setter injection can override constructor-injected properties: Spring calls the constructor first and the setters afterwards, so a property configured both ways ends up with the setter's value.

Changes

Setter injection leaves the bean mutable (the setters can be called again after wiring), whereas constructor injection lets the bean be immutable, since the injected fields can be declared final.

Number of dependencies

If a bean class has many dependencies, say 17, setter injection is not recommended: you would have to write roughly 17 setters, and the bean grows accordingly.

In that case constructor injection is recommended, as all the dependencies are injected through a single constructor call in a few lines (though a constructor that long is itself a sign the class is doing too much and should be split).
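The following is an added example, not code from the original post, showing why the "partial dependency" and "immutability" differences matter for security. PaymentService uses constructor injection and therefore cannot be built without its fraud check; LegacyPaymentService uses setter injection and can be left partially wired, so the same control can be silently absent. PaymentGateway, FraudChecker and AuditLog are hypothetical interfaces, and the main method wires the beans by hand (outside a Spring container) so the behaviour can be seen directly.

```java
package com.example.di;

import java.util.Objects;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

// Hypothetical collaborators, declared as interfaces so the demo can use lambdas.
interface PaymentGateway { boolean charge(String account, long paise); }
interface FraudChecker { boolean looksFraudulent(String account, long paise); }
interface AuditLog { void record(String event); }

/** Constructor injection: every dependency is mandatory, fields are final, the bean is immutable. */
@Service
class PaymentService {
    private final PaymentGateway gateway;
    private final FraudChecker fraudChecker;
    private final AuditLog audit;

    // A single constructor is autowired by Spring without @Autowired (Spring 4.3+).
    PaymentService(PaymentGateway gateway, FraudChecker fraudChecker, AuditLog audit) {
        this.gateway = Objects.requireNonNull(gateway, "gateway");
        this.fraudChecker = Objects.requireNonNull(fraudChecker, "fraudChecker");
        this.audit = Objects.requireNonNull(audit, "audit");
    }

    public boolean pay(String account, long paise) {
        if (fraudChecker.looksFraudulent(account, paise)) {
            audit.record("blocked " + account);
            return false;
        }
        boolean ok = gateway.charge(account, paise);
        audit.record((ok ? "charged " : "declined ") + account);
        return ok;
    }
}

/** Setter injection: partial wiring is possible, and the bean stays mutable after wiring. */
@Service
class LegacyPaymentService {
    private PaymentGateway gateway;
    private FraudChecker fraudChecker; // optional dependency, may remain null

    @Autowired
    public void setGateway(PaymentGateway gateway) { this.gateway = gateway; }

    @Autowired(required = false)
    public void setFraudChecker(FraudChecker fraudChecker) { this.fraudChecker = fraudChecker; }

    public boolean pay(String account, long paise) {
        // Because the bean may be wired partially, the security control can silently be absent.
        if (fraudChecker != null && fraudChecker.looksFraudulent(account, paise)) {
            return false;
        }
        return gateway.charge(account, paise);
    }
}

public class InjectionDemo {
    public static void main(String[] args) {
        PaymentGateway gateway = (account, paise) -> true;           // always approves
        FraudChecker checker = (account, paise) -> paise > 1_000_000L; // flags large amounts
        AuditLog audit = event -> System.out.println("audit: " + event);

        PaymentService safe = new PaymentService(gateway, checker, audit);
        System.out.println(safe.pay("acc-1", 5_000_000L));   // false: the fraud check ran

        LegacyPaymentService legacy = new LegacyPaymentService();
        legacy.setGateway(gateway);                             // fraud checker never set
        System.out.println(legacy.pay("acc-1", 5_000_000L)); // true: the control was skipped

        try {
            new PaymentService(gateway, null, audit);           // refuses to exist without the control
        } catch (NullPointerException e) {
            System.out.println("fail fast: " + e.getMessage());
        }
    }
}
```

The practical rule that follows from the comparison: use constructor injection for anything the bean cannot safely operate without (security filters, validators, audit sinks), so a misconfiguration fails at startup rather than at the first request that needed the missing control.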