Comments for Martin's Weekend Coding

Comment on Jersey and Cross-Site Request Forgery (CSRF) by Ward

Ward — Fri, 03 Feb 2012 22:03:56 +0000

It looks like I misunderstood the previous article, sorry about that.

Comment on Jersey and Cross-Site Request Forgery (CSRF) by Ward

Ward — Thu, 02 Feb 2012 22:46:20 +0000

Hi Martin,

I found the following articles mentioning a flow with this approach. Can you please comment on it?

http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
https://docs.djangoproject.com/en/1.2/releases/1.2.5/#csrf-exception-for-ajax-requests

Comment on Jersey and Cross-Site Request Forgery (CSRF) by andrew

andrew — Wed, 25 Jan 2012 14:59:44 +0000

sorry for previous question, I assked too fast, I found solution

Comment on Jersey and Cross-Site Request Forgery (CSRF) by andrew

andrew — Wed, 25 Jan 2012 14:43:39 +0000

Stupid question, but how to register thie filter?

Comment on Reading Password-Protected ZIP Files in Java by hiblack

hiblack — Fri, 06 Jan 2012 03:49:11 +0000

Thank you, it’s great :-)

Comment on Reading Password-Protected ZIP Files in Java by Martin

Martin — Thu, 01 Dec 2011 04:02:30 +0000

You can use it in any way you want. If you are re-publishing the source code, referring back to this blog in a javadoc comment would be nice.

Comment on Reading Password-Protected ZIP Files in Java by Chris

Chris — Tue, 29 Nov 2011 15:09:54 +0000

Hi Martin!

Thank you very much for your interesting blog!

We think about integrating your source code posted inside this blog entry “Reading Password-Protected ZIP Files in Java” into one of our applications intended to be finally used for production scenarios. Could you please let us know if you have any concerns regarding this approach? Please let us know if there are terms of a license or any other restrictions we might be aware of?

Your help is much appreciated!

Kind Regards,

Chris

Comment on Reading Password-Protected ZIP Files in Java by Martin

Martin — Wed, 23 Nov 2011 18:59:05 +0000

Well, I have been thinking for some time I’d create an open source project for this and add the output stream as well – as I do see this simple post on my blog is getting lots of hits – so seems like it is quite useful. The problem with the output stream is that I won’t be able to do it in a really streaming way because of the way how Java Zip output stream encodes the file – will have to read significant portion of the zip content into memory – so you will have to make sure your zip file is of a reasonable size or that you allocate enough heap. Will see if I get some time over the weekend… :)

Comment on Reading Password-Protected ZIP Files in Java by faheem

faheem — Wed, 23 Nov 2011 15:06:07 +0000

Hi Martin

Congratulations! your program has become a defacto standard to decrypt password-protected zip files.

But my counterparts are expecting me now to send them PKWare encrypted zip files, after an extensive search I could find java programs which uses AES encryption but not PKWare.

I am in gr8 need of ZipEncryptOutputStream :(

Any help ??

Comment on Jersey and Cross-Site Request Forgery (CSRF) by Justin

Justin — Thu, 03 Nov 2011 23:04:46 +0000

In the first reference it states:

These technologies can set custom HTTP headers, but
have security policies built in to prevent web sites from sending requests to each other
unless specifically allowed by policy.

The key thing here is ‘web sites’, what if the you are trying to protect your REST endpoints from CSRF attacks that originate from a browser that you have established trust with. You can’t drop the request to the end point since it comes the same machine!

RESTful services if they remain stateless (which they must to be called RESTful) are forced to trust the browser. If the browser is comprimised then there is nothing that can protect the services.

I have yet to see an argument that can convince me that you could build a html + javascript + REST application that is secure.