What is a watering hole attack and how can I defend myself?

If you have any hunting experience, or have ever sat through hunting stories over a beer, you have probably come across the term “Watering Hole Attack”. In this attack the hunter hides near a water hole where animals come to drink, feel safe, and usually have their guard down and their instincts relaxed. The hunter does not have to track the prey and attack on the move, but simply waits until it walks to its fate on its own. In a very similar way, an attacker targets specific end users by compromising websites those users visit frequently and planting malware there that then spreads to the users’ devices.


Spring Framework 6.0 goes GA

Spring Framework 6.0.0 is generally available from Maven Central now! It has been quite some time since the last major release, and this one looks ahead to 2023 by embracing current and upcoming innovations in OpenJDK and the Java ecosystem. At the same time, it is carefully designed as a straightforward upgrade from Spring Framework 5.3.x.


Logging Failed and Successful Authentication Attempts with SpringBoot

Introduction

The latest OWASP Top 10 list (OWASP Top 10:2021), the well-known standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications, includes an entry for identification and authentication failures (A07:2021 – Identification and Authentication Failures). Previously known as “Broken Authentication”, it covers the risks a web application faces from weak authentication implementations. Below I am going to demonstrate the implementation of one of the countermeasures: logging every authentication attempt, whether it succeeds or fails.

Don’t Abuse Java Parallel Streams

A long, long time ago I wrote an article, Can/Should I use parallel streams in a transaction context?, that pointed out some of the pitfalls of using parallel streams incorrectly. Recently I have been seeing more and more use of parallel streams under the false assumption that they will increase performance, without fully taking the potential issues into account. So let’s analyze the do’s and don’ts of parallel streams in Java.

[UPDATE] Log4j RCE 0-day vulnerability (CVE-2021-44228) mitigation actions

CVE-2021-44228 - Log4j RCE 0-day mitigation

UPDATE 14/12/2021

I had an update from my very good friend and excellent consultant Stella Varvarigou, in which she explained to me that setting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false does not fully mitigate the threat, as it is possible to send the exploit code with the request. [2]

Introduction

Apache Log4j, the most popular Java logging library, disclosed a zero-day vulnerability, CVE-2021-44228, on December 9, 2021 that results in remote code execution. Let’s analyze why this happened and what can be done in order to mitigate the risk.

Dockerizing Java Applications the right way


I have created a video in which I show how to put your Java application in a Docker container, BUT in addition I show you how to build the application inside the container without needing a Java runtime on the host machine.

Hope you like it.

Subscribe to my YouTube channel: https://www.youtube.com/channel/UCw_oF0_P645jIECXAlh9Jsw

Use this URL to download the awesome GitKraken software: https://www.gitkraken.com/invite/pPxN…

Gist: https://gist.github.com/diakogiannis/

Thanks to Perigialli tavern for giving us the space to shoot: https://www.facebook.com/perigiali.estiatorio

Deploying a Quarkus or any java based microservice behind an Nginx reverse proxy with ssl using docker


Reposted in my medium blog here 

It has been a while, but at a friend’s request I am going to show you how to deploy a Quarkus microservice behind an Nginx reverse proxy using Docker.

What are we going to do…

I am going to install Docker and docker-compose on a CentOS 8 host and deploy a Docker container that exposes Nginx on ports 80 and 443, together with a microservice built with Quarkus. The same technique can be used with ANY Java microservice framework, such as MicroProfile or Spring Boot, because in the end all you do is run a simple jar file (Java is magic, right?).

Let’s start…

I am going to skip the installation details for Docker and docker-compose. In case you haven’t heard of docker-compose, have a look here: https://gabrieltanner.org/blog/docker-compose. You’ll love it: it automates your container deployments and it just rocks!

Git Essentials Crash Course

Introduction

This is not Java, but several newbie developers keep asking the same question, how to use Git and how Git works, so here it goes…

Have you ever worked with SVN? Well, forget everything you know and let’s start over 🙂

What is a GIT repo?

In general there are two mirrored repos: your local repo and the remote repo. Yes, TWO REPOS. Everyone on the team has a full copy of the whole repo, so even if your remote server dies you can set it up again and just push (spoiler) your repo to the remote server.

Can/Should I use parallel streams in a transaction context?


Introduction

To make a long story short, you should not use transactions within a parallel stream. This is because each worker thread in the parallel stream is a separate thread with its own name, and the transaction is bound to the thread that started it, so the worker threads do not participate in the transaction.

The Streams API is designed to work correctly under certain guidelines. In practice, to benefit from parallelism, each operation is not allowed to change the state of shared objects (such operations are called side-effect-free). Provided you follow this guideline, the internal implementation of parallel streams cleverly splits the data, assigns different parts to independent threads, and merges the final result.
