Does spring security JWT implementation deal with alg:none attack? [closed] - spring

Closed 3 years ago.
JWT implementations might be exposed to different attacks, one of them is the alg:none attack (see more details here).
I'm using spring-security-jwt dependency in my pom.xml file, and was not able to find out whether this implementation deals with the alg:none attack.
Is this attack mitigated by the spring security JWT implementation?

If you are using spring-security-oauth/spring-security-jwt then yes, this attack is mitigated. As per the link you have shared, one way to mitigate this attack is by treating a JWT token whose header carries "alg":"none" as invalid, or by not relying on the alg header when selecting the algorithm.
In the spring-security-jwt source, the decode method of JwtHelper does not rely on the alg header when selecting the algorithm.
```java
public static Jwt decode(String token) {
    int firstPeriod = token.indexOf('.');
    int lastPeriod = token.lastIndexOf('.');
    if (firstPeriod <= 0 || lastPeriod <= firstPeriod) {
        throw new IllegalArgumentException("JWT must have 3 tokens");
    }
    CharBuffer buffer = CharBuffer.wrap(token, 0, firstPeriod);
    // TODO: Use a Reader which supports CharBuffer
    JwtHeader header = JwtHeaderHelper.create(buffer.toString());
    buffer.limit(lastPeriod).position(firstPeriod + 1);
    byte[] claims = b64UrlDecode(buffer);
    boolean emptyCrypto = lastPeriod == token.length() - 1;
    byte[] crypto;
    if (emptyCrypto) {
        // An empty signature segment is only tolerated for an explicit "none" header;
        // the header is never used to pick the verifier, which the caller supplies later.
        if (!"none".equals(header.parameters.alg)) {
            throw new IllegalArgumentException(
                    "Signed or encrypted token must have non-empty crypto segment");
        }
        crypto = new byte[0];
    }
    else {
        buffer.limit(token.length()).position(lastPeriod + 1);
        crypto = b64UrlDecode(buffer);
    }
    return new JwtImpl(header, claims, crypto);
}
```
There is no document or compilation of vulnerabilities in spring-security-jwt, but you can check the issues section under spring-security-jwt and report any vulnerabilities you think need to be patched.
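The mitigation the answer describes, shown as an added stand-alone example (not code from the question, the answer, or spring-security-jwt): the server fixes the verification algorithm and key up front, parses the header only for structural checks, and rejects any token that is unsigned or whose header claims "none", regardless of what the header says. The key, the claims and the `make_token` helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if `token` carries a valid HS256 MAC under `key`.

    The algorithm is chosen by the server, never by the token's alg header,
    which mirrors JwtHelper leaving verifier selection to the caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have 3 segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Defence in depth: an explicit "none" (any casing) or a missing signature
    # segment is rejected before any cryptography runs.
    if str(header.get("alg", "")).lower() == "none" or not sig_b64:
        raise ValueError("unsigned token rejected")
    signing_input = f"{header_b64}.{claims_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(claims_b64))


def make_token(header: dict, claims: dict, key: bytes = b"") -> str:
    """Constructed test tokens: HS256-signed when a key is given, else unsigned."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if not key:
        return f"{h}.{c}."
    sig = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return f"{h}.{c}.{b64url_encode(sig)}"


KEY = b"constructed-demo-key"  # constructed; a real key comes from configuration
GOOD = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, KEY)
NONE = make_token({"alg": "none", "typ": "JWT"}, {"sub": "alice"})


def check(token: str) -> str:
    """Summarise the verification outcome as 'accepted:<sub>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + verify_hs256(token, KEY)["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)
```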

Related

how to Flatten json null to empty string in golang [closed]

Closed 8 months ago.
I am searching for a Go library or workaround to flatten a null JSON value to an empty string (""),
from
```json
{
  "foo": {
    "jim": null
  }
}
```
to
```
map[foo.jim:""]
```
As of now it's being ignored for my use case.
Can anybody help me with this?
example code https://go.dev/play/p/9hnMEa6QA2O
You can see that I get the output
```
map[fee:bar]
```
but I want
```
map[foo.jim:"" fee:bar]
```
After going through the code, I had to check for nil instead of ignoring it in the switch case:
```go
default:
    // A JSON null arrives as a nil interface value; map it to "" instead of skipping it.
    if v == nil {
        flatMap[newKey] = ""
    } else {
        flatMap[newKey] = fmt.Sprintf("%v", v)
    }
```

Why do I get a "Value of type 'TableViewController' has no member 'place' ''? [closed]

Closed 6 years ago.
I am trying to download some data from Parse (a string) and I get the error
"Value of type 'TableViewController' has no member 'place'" on the line that says:
```swift
self.place.append(spotdetail.name!)
```
I have this as a global var:
```swift
var place = [""]
```
and this is my code in the viewDidLoad:
```swift
let query = PFObject.query()
query!.findObjectsInBackgroundWithBlock ({ (objects, error) in
    if let skateparks = objects {
        for object in skateparks {
            if let spotdetail = object as PFObject! {
                self.place.append(spotdetail.name!)
                self.tableView.reloadData()
            }
        }
    }
    print(place)
})
```
What can I change to make it work? I don't understand why it doesn't recognize the var place, as it is in the same view controller (tableView).
Thanks!
Everywhere in a closure you should use the self keyword for properties:
```swift
print(self.place)
```
As originaluser2 pointed out, you are using a global variable, so you do not need to use self.place. Also, I'm not sure what you are subclassing in PFObject, but your func name is findObjectsInBackgroundWithBlock and you are reloading your table data there. Always keep in mind that you can only interact with the UI on the main thread. This will cause errors, so you can either pass back a callback, or do a GCD call to the main queue and then reload the data there.

How can i GET and POST global parameter? [closed]

Closed 8 years ago.
How can I GET and POST a global parameter?
Example:
```csharp
ViewBag.get = 2;
[HttpGet] // or [HttpPost]
public ActionResult GetString(string? getnumber)
{
    ...
}
```
You want to have a global parameter in the controller, but not in the actions?
I am not sure I understand you, but the best way to do that is using the session. Something like this:
Set:
```csharp
Session["Number"] = "2";
```
Get:
```csharp
int number = (Session["Number"] != null) ? int.Parse((string)Session["Number"]) : -1;
```
I hope that helps; if not, specify your question :)

What scala or java library can be used to crawl +10M pages daily from 1000 domains in the most efficient way [closed]

Closed 6 years ago.
I am making a web crawler. I already tried an async HTTP client like the one from the Scala tutorial scaling-out-with-scala-and-akka, and spray, but I can't manage to make it work. For now performance is not the most important part for me, but later on I would like to easily improve the req/s ratio without changing the library.
The library should be able to operate on HTTP headers and should not have performance issues with DNS resolving. Which library would be best for the task?
Spray should be sufficient for that. Even with this very simple code on a 16 Mbit connection I can search through around 8 pages per second, i.e. 700,000 pages per day.
It fetches all the links on the main page of Wikipedia, loads all those pages and then fetches all the links on those pages.
The problem is that Wikipedia's server probably limits the traffic per client, so if I access several sites at once I should get much more speed.
It uses parallel collections to speed it up and avoid delay through DNS resolving. But if you write this properly with actors and/or futures, using a library like spray, I'm guessing it would be faster.
```scala
import io.Source

// Time a block of code and print the elapsed milliseconds.
def time[T](f: => T): T = {
  val start = System.nanoTime
  val r = f
  val end = System.nanoTime
  val time = (end - start) / 1e6
  println("time = " + time + "ms")
  r
}

val domain = "https://en.wikipedia.org"
val startPage = "/wiki/Main_Page"
val linkRegex = """\"/wiki/[a-zA-Z\-_]+\"""".r

// Extract the set of /wiki/ paths referenced by the page.
def getLinks(html: String): Set[String] =
  linkRegex.findAllMatchIn(html).map(_.toString.replace("\"", "")).toSet

def getHttp(url: String) = {
  val in = Source.fromURL(domain + url, "utf8")
  val response = in.getLines.mkString
  in.close()
  response
}

val links = getLinks(getHttp(startPage))
links.foreach(println)
println(links.size)
// Parallel collection: fetch and parse the linked pages concurrently.
val allLinks = time(links.par.flatMap(link => getLinks(getHttp(link))))
println(allLinks.size)
```

Performance of message-passing in the Actor model [closed]

Closed 7 years ago.
I've seen benchmarks of Actor model implementations done in terms of their actors. For example, Akka actors are very lightweight (600 bytes per actor) and millions of them can be created. However, I've never seen a benchmark done in terms of message-passing throughput.
For example, given some number of actors, how many messages can pass between them per second?
Does anyone have a link to such a performance benchmark (in terms of message-passing throughput)?
Here is a benchmark implemented in
Akka 0.8.1 (Scala)
Scala Actors
Jetlang (Java)
Also see Azul Vega 1 + Scala actors and Azul Fast Bytecodes for Funny Languages and this paper.
When I ran a performance test with this simple actor built around my implementation of the model, it had a throughput of 444773.906 messages per second. Clearly it is a contrived test, but it gives you a general idea of how it might perform in the wild.
```csharp
private class TestActor : Actor<int, bool>
{
    protected override void ProcessMessage(AsyncReplyPackage<int, bool> package)
    {
        package.ReplyChannel.Send(package.Message > 2000000);
    }
}

static void Main(string[] args)
{
    var r = false;
    using (var ts = new TestActor())
    using (var rc = new AsyncChannel<bool>())
    {
        // Warm-up round trip before timing.
        ts.PostWithAsyncReply(0, rc);
        r = rc.Receive();
        var count = 3000000;
        var sw = Stopwatch.StartNew();
        for (int i = 0; i < count; i++)
        {
            // Each iteration is one synchronous request/reply round trip.
            ts.PostWithAsyncReply(i, rc);
            r = rc.Receive();
        }
        Console.WriteLine(sw.Elapsed);
    }
    Console.WriteLine(r);
    Console.ReadLine();
}
```
Size
I broke out the profiler and it looks like my implementation is 944 bytes. :(
