https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Tony+GottliebOWASP - User contributions [en]2026-05-27T02:50:46ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129955JAAS Cheat Sheet2012-05-16T15:54:13Z<p>Tony Gottlieb: </p>
<hr />
<div>= Disclosure =<br />
All of the code in the attached JAAS cheat sheet has been copied verbatim<br />
from the free source. The URL for the free source is http://jaasbook.com/<br />
= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
NameCallback nameCB = new NameCallback("Username");<br />
PasswordCallback passwordCB = new PasswordCallback ("Password", false);<br />
Callback[] callbacks = new Callback[] { nameCB, passwordCB };<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. Below, is an example commit () method where first, for each group the <br />
authenticated user has membership in, the group name is added as a principal to the subject. The subject’s username is then added to their public credentials.<br />
<br />
<br />
Code snippet setting then adding any principals and a public credentials to a subject: :<br />
<pre><br />
public boolean commit() {<br />
If (userAuthenticated) {<br />
Set groups = UserService.findGroups (username);<br />
for (Iterator itr = groups.iterator (); itr.hasNext (); {<br />
String groupName = (String) itr.next ();<br />
UserGroupPrincipal group = new UserGroupPrincipal (GroupName);<br />
subject.getPrincipals ().add (group); <br />
}<br />
UsernameCredential cred = new UsernameCredential (username);<br />
subject.getPublicCredentials().add (cred);<br />
}<br />
} <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The release of the users principals and credentials when LoginContext.logout is called.<br />
public boolean logout() {<br />
if (!subject.isReadOnly()) {<br />
Set principals = subject.getPrincipals(UserGroupPrincipal.class);<br />
subject.getPrincipals().removeAll(principals);<br />
Set creds = subject.getPublicCredentials(UsernameCredential.class);<br />
subject.getPublicCredentials().removeAll(creds);<br />
return true;<br />
} else {<br />
return false;<br />
}<br />
}<br />
<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= Related Articles = <br />
* JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
* Pistoia, Marco, Nagaratnam, Nataraj, Koved, Larry, Nadalin, Anthony, "Enterprise Java Security", Addison-Wesley, 2004.<br />
<br />
= Related Cheat Sheets = <br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129954JAAS Cheat Sheet2012-05-16T15:51:37Z<p>Tony Gottlieb: </p>
<hr />
<div>= Disclosure =<br />
All of the code in the attached JAAS cheat sheet has been copied verbatim<br />
from the free source. The URL for the free source is http://jaasbook.com/<br />
= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
NameCallback nameCB = new NameCallback("Username");<br />
PasswordCallback passwordCB = new PasswordCallback ("Password", false);<br />
Callback[] callbacks = new Callback[] { nameCB, passwordCB };<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. Below, is an example commit () method where first, for each group the <br />
authenticated user has membership in, the group name is added to the subject. The subject’s username is then added to their public credentials.<br />
<br />
<br />
Code snippet setting then adding any principals and a public credentials to a subject: :<br />
<pre><br />
public boolean commit() {<br />
If (userAuthenticated) {<br />
Set groups = UserService.findGroups (username);<br />
for (Iterator itr = groups.iterator (); itr.hasNext (); {<br />
String groupName = (String) itr.next ();<br />
UserGroupPrincipal group = new UserGroupPrincipal (GroupName);<br />
subject.getPrincipals ().add (group); <br />
}<br />
UsernameCredential cred = new UsernameCredential (username);<br />
subject.getPublicCredentials().add (cred);<br />
}<br />
} <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The release of the users principals and credentials when LoginContext.logout is called.<br />
public boolean logout() {<br />
if (!subject.isReadOnly()) {<br />
Set principals = subject.getPrincipals(UserGroupPrincipal.class);<br />
subject.getPrincipals().removeAll(principals);<br />
Set creds = subject.getPublicCredentials(UsernameCredential.class);<br />
subject.getPublicCredentials().removeAll(creds);<br />
return true;<br />
} else {<br />
return false;<br />
}<br />
}<br />
<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= Related Articles = <br />
* JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
* Pistoia, Marco, Nagaratnam, Nataraj, Koved, Larry, Nadalin, Anthony, "Enterprise Java Security", Addison-Wesley, 2004.<br />
<br />
= Related Cheat Sheets = <br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129953JAAS Cheat Sheet2012-05-16T15:48:27Z<p>Tony Gottlieb: </p>
<hr />
<div>= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
NameCallback nameCB = new NameCallback("Username");<br />
PasswordCallback passwordCB = new PasswordCallback ("Password", false);<br />
Callback[] callbacks = new Callback[] { nameCB, passwordCB };<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. Below, is an example commit () method where first, for each group the <br />
authenticated user has membership in, the group name is added to the subject. The subject’s username is then added to their public credentials.<br />
<br />
<br />
Code snippet setting then adding any principals and a public credentials to a subject: :<br />
<pre><br />
public boolean commit() {<br />
If (userAuthenticated) {<br />
Set groups = UserService.findGroups (username);<br />
for (Iterator itr = groups.iterator (); itr.hasNext (); {<br />
String groupName = (String) itr.next ();<br />
UserGroupPrincipal group = new UserGroupPrincipal (GroupName);<br />
subject.getPrincipals ().add (group); <br />
}<br />
UsernameCredential cred = new UsernameCredential (username);<br />
subject.getPublicCredentials().add (cred);<br />
}<br />
} <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The release of the users principals and credentials when LoginContext.logout is called.<br />
public boolean logout() {<br />
if (!subject.isReadOnly()) {<br />
Set principals = subject.getPrincipals(UserGroupPrincipal.class);<br />
subject.getPrincipals().removeAll(principals);<br />
Set creds = subject.getPublicCredentials(UsernameCredential.class);<br />
subject.getPublicCredentials().removeAll(creds);<br />
return true;<br />
} else {<br />
return false;<br />
}<br />
}<br />
<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= Related Articles = <br />
* JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
* Pistoia, Marco, Nagaratnam, Nataraj, Koved, Larry, Nadalin, Anthony, "Enterprise Java Security", Addison-Wesley, 2004.<br />
<br />
= Related Cheat Sheets = <br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129952JAAS Cheat Sheet2012-05-16T15:40:51Z<p>Tony Gottlieb: </p>
<hr />
<div>= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
NameCallback nameCB = new NameCallback("Username");<br />
PasswordCallback passwordCB = new PasswordCallback ("Password", false);<br />
Callback[] callbacks = new Callback[] { nameCB, passwordCB };<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. Below, is an example commit () method where first, for each group the <br />
authenticated user has membership in, the group name is added to the subject. Then subject’s username is added to their public credentials.<br />
<br />
<br />
Code snippet setting then adding any principals and a public credentials to a subject: :<br />
<pre><br />
public boolean commit() {<br />
If (userAuthenticated) {<br />
Set groups = UserService.findGroups (username);<br />
for (Iterator itr = groups.iterator (); itr.hasNext (); {<br />
String groupName = (String) itr.next ();<br />
UserGroupPrincipal group = new UserGroupPrincipal (GroupName);<br />
subject.getPrincipals ().add (group); <br />
}<br />
UsernameCredential cred = new UsernameCredential (username);<br />
subject.getPublicCredentials().add (cred);<br />
}<br />
} <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The arguments above should be saved as follows:<br />
** Set principalSet = subject.getPrincipals ();<br />
** principalSet.remove (PR1);<br />
** subject.getPublicCredentials().remove(publicCredential);<br />
** subject.getPrivateCredentials().remove(privateCredential);<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= Related Articles = <br />
* JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
* Pistoia, Marco, Nagaratnam, Nataraj, Koved, Larry, Nadalin, Anthony, "Enterprise Java Security", Addison-Wesley, 2004.<br />
<br />
= Related Cheat Sheets = <br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129831JAAS Cheat Sheet2012-05-14T15:56:45Z<p>Tony Gottlieb: </p>
<hr />
<div>= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
Callback[] callbacks = new Callback [2];<br />
callbacks[0] = new NameCallback (“name”); <br />
callbacks[1] = new PasswordCallback (“password”, false);<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. <br />
<br />
Code snippet setting then adding a principal and two credentials to a subject:<br />
<pre><br />
private Principal PR1 = new DemoPrincipal(“Quarterback”);<br />
private String publicCredential = “Aikman”;<br />
private String privateCredential = “Secret database accessible only password”;<br />
Set principalSet = subject.getPrincipals();<br />
principalSet.add (PR1);<br />
subject.getPublicCredentials().add(publicCredential);<br />
subject.getPrivateCredentials().add(privateCredential); <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The arguments above should be saved as follows:<br />
** Set principalSet = subject.getPrincipals ();<br />
** principalSet.remove (PR1);<br />
** subject.getPublicCredentials().remove(publicCredential);<br />
** subject.getPrivateCredentials().remove(privateCredential);<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= References = <br />
[1] JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
[2] Pistoia, Marco, Nagaratnam, Nataraj, Koved, Larry, Nadalin, Anthony, "Enterprise Java Security", Addison-Wesley, 2004.<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129830JAAS Cheat Sheet2012-05-14T15:55:30Z<p>Tony Gottlieb: </p>
<hr />
<div>= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
Callback[] callbacks = new Callback [2];<br />
callbacks[0] = new NameCallback (“name”); <br />
callbacks[1] = new PasswordCallback (“password”, false);<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. <br />
<br />
Code snippet setting then adding a principal and two credentials to a subject:<br />
<pre><br />
private Principal PR1 = new DemoPrincipal(“Quarterback”);<br />
private String publicCredential = “Aikman”;<br />
private String privateCredential = “Secret database accessible only password”;<br />
Set principalSet = subject.getPrincipals();<br />
principalSet.add (PR1);<br />
subject.getPublicCredentials().add(publicCredential);<br />
subject.getPrivateCredentials().add(privateCredential); <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The arguments above should be saved as follows:<br />
** Set principalSet = subject.getPrincipals ();<br />
** principalSet.remove (PR1);<br />
** subject.getPublicCredentials().remove(publicCredential);<br />
** subject.getPrivateCredentials().remove(privateCredential);<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= References = <br />
[1] JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
[2] Pistoia, Marco, Nagaratnam Nataraj, Koved, Larry, Nadalin, "Enterprise Java Security", Addison-Wesley, 2004.<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129825JAAS Cheat Sheet2012-05-14T15:50:46Z<p>Tony Gottlieb: </p>
<hr />
<div>= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
Callback[] callbacks = new Callback [2];<br />
callbacks[0] = new NameCallback (“name”); <br />
callbacks[1] = new PasswordCallback (“password”, false);<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. <br />
<br />
Code snippet setting then adding a principal and two credentials to a subject:<br />
<pre><br />
private Principal PR1 = new DemoPrincipal(“Quarterback”);<br />
private String publicCredential = “Aikman”;<br />
private String privateCredential = “Secret database accessible only password”;<br />
Set principalSet = subject.getPrincipals();<br />
principalSet.add (PR1);<br />
subject.getPublicCredentials().add(publicCredential);<br />
subject.getPrivateCredentials().add(privateCredential); <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The arguments above should be saved as follows:<br />
** Set principalSet = subject.getPrincipals ();<br />
** principalSet.remove (PR1);<br />
** subject.getPublicCredentials().remove(publicCredential);<br />
** subject.getPrivateCredentials().remove(privateCredential);<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= References = <br />
[1] JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
[2] Pistoia, Marco, Nagaratnam, Koved, Larry, Nadalin, "Enterprise Java Security", Addison-Wesley, 2004.<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129797JAAS Cheat Sheet2012-05-14T15:13:56Z<p>Tony Gottlieb: </p>
<hr />
<div>= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
Callback[] callbacks = new Callback [2];<br />
callbacks[0] = new NameCallback (“name”); <br />
callbacks[1] = new PasswordCallback (“password”, false);<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. <br />
<br />
Code snippet setting then adding a principal and two credentials to a subject:<br />
<pre><br />
private Principal PR1 = new DemoPrincipal(“Quarterback”);<br />
private String publicCredential = “Aikman”;<br />
private String privateCredential = “Secret database accessible only password”;<br />
Set principalSet = subject.getPrincipals();<br />
principalSet.add (PR1);<br />
subject.getPublicCredentials().add(publicCredential);<br />
subject.getPrivateCredentials().add(privateCredential); <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The arguments above should be saved as follows:<br />
** Set principalSet = subject.getPrincipals ();<br />
** principalSet.remove (PR1);<br />
** subject.getPublicCredentials().remove(publicCredential);<br />
** subject.getPrivateCredentials().remove(privateCredential);<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= References = <br />
JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=JAAS_Cheat_Sheet&diff=129796JAAS Cheat Sheet2012-05-14T15:11:55Z<p>Tony Gottlieb: </p>
<hr />
<div>= Introduction =<br />
== What is JAAS authentication ==<br />
<br />
The process of verifying the identity of a user or another system is authentication. JAAS, as an authentication framework manages the authenticated user’s identity and credentials from login to logout. <br/><br />
<br />
The JAAS authentication lifecycle:<br />
# Create LoginContext<br />
# Read the configuration file for one or more LoginModules to initialize<br />
# Call LoginContext.initialize () for each LoginModule to initialize.<br />
# Call LoginContext.login () for each LoginModule<br />
# If login successful then call LoginContext.commit () else call LoginContext.abort ()<br />
<br />
== Configuration file ==<br />
The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. <br />
<br />
A stanza from a JAAS configuration file:<br />
<pre><br />
Branches<br />
{<br />
USNavy.AppLoginModule required<br />
debug=true<br />
succeeded=true;<br />
}<br />
</pre> <br />
<br />
Note the placement of the semicolons, terminating both LoginModule entries and stanzas. The word required indicates the LoginContext’s login () method must be successful when logging in the user. The LoginModule-specific values debug and succeeded are passed to the LoginModule. They are defined by the LoginModule and their usage is managed inside the LoginModule. Note, Options are Configured using key-value pairing such as debug="true" and the key and value should be separated by a 'equals' sign.<br />
<br />
==Main.java (The client)==<br />
* Execution syntax<br />
<pre><br />
Java –Djava.security.auth.login.config==packageName/packageName.config <br />
packageName.Main Stanza1<br />
Where:<br />
packageName is the directory containing the config file.<br />
packageName.config specifies the config file in the Java package, packageName<br />
packageName.Main specifies Main.java in the Java package, packageName <br />
Stanza1 is the name of the stanza Main () should read from the config file.<br />
</pre><br />
* When executed, the 1st command line argument is the stanza from the config file. The Stanza names the LoginModule to be used. The 2nd argument is the CallbackHandler.<br />
* Create a new LoginContext with the arguments passed to Main.java. <br />
** loginContext = new LoginContext (args[0], new AppCallbackHandler ());<br />
* Call the LoginContext.Login Module<br />
** loginContext.login ();<br />
* The value in succeeded Option is returned from loginContext.login ()<br />
* If the login was successful, a subject was created.<br />
<br />
==LoginModule.java==<br />
A LoginModule must have the following authentication methods:<br />
* initialize ()<br />
* login ()<br />
* commit ()<br />
* abort ()<br />
* logout () <br />
<br />
===initialize ()===<br />
<br />
In Main (), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.<br />
<br />
* initialize () methods signature: <br />
** Public void initialize (Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) <br />
* The arguments above should be saved as follows:<br />
** this.subject = subject;<br />
** this.callbackHandler = callbackHandler;<br />
** this.sharedState = sharedState;<br />
** this.options = options; <br />
* What the initialize () method does:<br />
** Builds a subject object of the Subject class contingent on a successful login ()<br />
** Sets the CallbackHandler which interacts with the user to gather login information<br />
** If a LoginContext specifies 2 or more LoginModules, which is legal, they can share information via a sharedState map<br />
** Saves state information such as debug and succeeded in an options Map<br />
<br />
===login ()===<br />
<br />
Captures user supplied login information. The code snippet below declares an array of two callback objects which, when passed to the callbackHandler.handle method in the callbackHandler.java program, will be loaded with a user name and password provided interactively by the user. <br />
<pre><br />
Callback[] callbacks = new Callback [2];<br />
callbacks[0] = new NameCallback (“name”); <br />
callbacks[1] = new PasswordCallback (“password”, false);<br />
callbackHandler.handle (callbacks);<br />
</pre><br />
<br />
* Authenticates the user<br />
* Retrieves the user supplied information from the callback objects:<br />
** String ID = nameCallback.getName ();<br />
** char[] tempPW = passwordCallback.getPassword ();<br />
* Compare name and tempPW to values stored in a repository such as LDAP<br />
* Set the value of the variable succeeded and return to Main ()<br />
<br />
===commit ()===<br />
<br />
Once the users credentials are successfully verified during login (), the JAAS authentication framework associates the credentials, as needed, with the subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and public keys. Principals (i.e. Identities the subject has other than their login name) such as employee number or membership ID in a user group are added to the subject. <br />
<br />
Code snippet setting then adding a principal and two credentials to a subject:<br />
<pre><br />
private Principal PR1 = new DemoPrincipal(“Quarterback”);<br />
private String publicCredential = “Aikman”;<br />
private String privateCredential = “Secret database accessible only password”;<br />
Set principalSet = subject.getPrincipals();<br />
principalSet.add (PR1);<br />
subject.getPublicCredentials().add(publicCredential);<br />
subject.getPrivateCredentials().add(privateCredential); <br />
</pre><br />
<br />
===abort ()===<br />
<br />
The abort () method is called when authentication doesn’t succeed. Before the abort () method exits the LoginModule, care should be taken to reset state including the user name and password input fields.<br />
<br />
===logout ()===<br />
* The arguments above should be saved as follows:<br />
** Set principalSet = subject.getPrincipals ();<br />
** principalSet.remove (PR1);<br />
** subject.getPublicCredentials().remove(publicCredential);<br />
** subject.getPrivateCredentials().remove(privateCredential);<br />
<br />
== CallbackHandler.java==<br />
<br />
The callbackHandler is in a source (.java) file separate from any single LoginModule so that it can service a multitude of LoginModules with differing callback objects.<br />
<br />
* Creates instance of the CallbackHandler class and has only one method, handle ().<br />
* A CallbackHandler servicing a LoginModule requiring username & password to login: <br />
<pre><br />
public void handle(Callback[] callbacks) { <br />
for (int i = 0; i < callbacks.length; i++) {<br />
Callback callback = callbacks[i];<br />
if (callback instanceof NameCallback) {<br />
NameCallback nameCallBack = (NameCallback) callback; <br />
nameCallBack.setName(username); <br />
} else if (callback instanceof PasswordCallback) {<br />
PasswordCallback passwordCallBack = (PasswordCallback) callback;<br />
passwordCallBack.setPassword(password.toCharArray());<br />
}<br />
}<br />
}<br />
</pre><br />
<br />
= References = <br />
JAAS in Action, Michael Coté, posted on September 27, 2009, URL as 5/14/2012 http://jaasbook.com/<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
= Authors and Primary Editors =<br />
<br />
Dr. A.L. Gottlieb - AnthonyG [at] owasp.org<br />
<br />
[[Category:Cheatsheets]]</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Application_7&diff=107918Global Education Committee - Application 72011-03-30T14:49:28Z<p>Tony Gottlieb: </p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Coordinator/facility host for N. Virginia, OWASP Presenter.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Benjamin Tomhave<br />
| style="width:20%; background:#cccccc" align="center"|OWASP NoVA Program Committee, OWASP GCC member (pending final board approval)<br />
| style="width:57%; background:#cccccc" align="center"|Tony's contributions to OWASP NoVA have been outstanding! He has helped host several chapter meetings, has presented in the past, will be presenting again in April 2011, and is overall a strong supporter of OWASP Education initiatives.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Stan Wisseman<br />
| style="width:20%; background:#cccccc" align="center"|Coordinator/facility host for N. Virginia<br />
| style="width:57%; background:#cccccc" align="center"|I endorse Tony Gottlieb for the OWASP Global Education Committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|San Antonio Chapter Leader, Global Membership Committee Chair<br />
| style="width:57%; background:#cccccc" align="center"|Every time I have been to the OWASP NoVA chapter Tony has been an active and valuable contributor. The Global Education Committee would benefit from his perspective and enthusiasm.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"| John Steven<br />
| style="width:20%; background:#cccccc" align="center"| NoVA Chapter Lead<br />
| style="width:57%; background:#cccccc" align="center"| Hell hath no fury like Tony on a mission to educate.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|Rod Wetsel<br />
| style="width:20%; background:#cccccc" align="center"| OWASP member.<br />
| style="width:57%; background:#cccccc" align="center"|I endorse Tony Gottlieb for the OWASP Global Education Committee.<br />
|}</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=User:Tony_Gottlieb&diff=107742User:Tony Gottlieb2011-03-27T17:24:15Z<p>Tony Gottlieb: </p>
<hr />
<div>'1. Problems with secure software development training<br />
A. No place for developers to get trained where a training path has been laid out<br />
B. Classes ranging from 2 to 3 days don’t cover enough material to elevate job skills <br />
C. Some technologies such as Java require a more robust security curriculum <br />
D. Educators are barred from teaching secure software development courses which<br />
constrains the growth of education services and the number of trained people. <br />
E. Colleges don’t integrate secure development into their curricula despite teaching <br />
architectural illustration using techniques such as UML, data flow, and use cases. <br />
F. Lean or light secure software development should be considered an option when<br />
risk analysis permits, not as a way to cajole developers into dipping their toes into<br />
something they would like to avoid.<br />
G. Despite the existence of attack enumeration services such as CERT and Symantec, <br />
the software development communities at large are not as a matter of course acting<br />
to mitigate these threats.<br />
<br />
2. OWASP Global Education Committee Goals <br />
A. Provide an accessible entrance into secure development for individual developers<br />
B. Provide a path for CIO’s to put their development organizations on<br />
C. Assimilate functional development into secure development (resistance is futile) <br />
D. Stimulate demand for the “Professional Developer”.<br />
E. Offer secure software Ed. Services to young people who wish to begin programming through <br />
OWASP’s Young Developer program.<br />
<br />
3. Specific Projects to satisfy goals<br />
A. Establish secure lifecycle curriculum for training companies and universities<br />
B. Curriculum for how to migrate software development personnel from insecure to secure.<br />
C. Process management / management reporting relative to software security<br />
D. Curriculum for performing Risk Assessment for software<br />
E. Work with marketing and SME community to establish a “Professional Developer”</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Application_7&diff=107601Global Education Committee - Application 72011-03-25T15:08:35Z<p>Tony Gottlieb: </p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Coordinator/facility host for N. Virginia, OWASP Presenter.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Benjamin Tomhave<br />
| style="width:20%; background:#cccccc" align="center"|OWASP NoVA Program Committee, OWASP GCC member (pending final board approval)<br />
| style="width:57%; background:#cccccc" align="center"|Tony's contributions to OWASP NoVA have been outstanding! He has helped host several chapter meetings, has presented in the past, will be presenting again in April 2011, and is overall a strong supporter of OWASP Education initiatives.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Stan Wisseman<br />
| style="width:20%; background:#cccccc" align="center"|Coordinator/facility host for N. Virginia<br />
| style="width:57%; background:#cccccc" align="center"|I endorse Tony Gottlieb for the OWASP Global Education Committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|San Antonio Chapter Leader, Global Membership Committee Chair<br />
| style="width:57%; background:#cccccc" align="center"|Every time I have been to the OWASP NoVA chapter Tony has been an active and valuable contributor. The Global Education Committee would benefit from his perspective and enthusiasm.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"| John Steven<br />
| style="width:20%; background:#cccccc" align="center"| NoVA Chapter Lead<br />
| style="width:57%; background:#cccccc" align="center"| Hell hath no fury like Tony on a mission to educate.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=User:Tony_Gottlieb&diff=107347User:Tony Gottlieb2011-03-22T20:29:39Z<p>Tony Gottlieb: Tony Gottlieb's plan for the OWASP Global Education Committee</p>
<hr />
<div>'1. Problems with secure software development <br />
A. No place for developers to get trained where a training path has been laid out<br />
B. Classes ranging from 2 to 3 days don’t cover enough material to elevate job skills <br />
C. Some technologies such as Java require a more robust security curriculum <br />
D. Educators are barred from teaching secure software development courses which<br />
constrains the growth of education services and the number of trained people. <br />
E. Colleges don’t integrate secure development into their curricula despite teaching <br />
architectural illustration using techniques such as UML, data flow, and use cases. <br />
F. Lean or light secure software development should be considered an option when<br />
risk analysis permits, not as a way to cajole developers into dipping their toes into<br />
something they would like to avoid.<br />
G. Despite the existence of attack enumeration services such as CERT and Symantec, <br />
the software development communities at large are not as a matter of course acting<br />
to mitigate these threats.<br />
<br />
2. OWASP Global Education Committee Goals <br />
A. Provide an accessible entrance into secure development for individual developers<br />
B. Provide a path for CIO’s to put their development organizations on<br />
C. Assimilate functional development into secure development (resistance is futile) <br />
D. Stimulate demand for the “Professional Developer”.<br />
E. Offer secure software Ed. Services to young people who wish to begin programming through <br />
OWASP’s Young Developer program.<br />
<br />
3. Specific Projects to satisfy goals<br />
A. Establish secure lifecycle curriculum for training companies and universities<br />
B. Curriculum for how to migrate software development personnel from insecure to secure.<br />
C. Process management / management reporting relative to software security<br />
D. Curriculum for performing Risk Assessment for software<br />
E. Work with marketing and SME community to establish a “Professional Developer”</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Template&diff=106980Global Education Committee - Template2011-03-16T17:33:10Z<p>Tony Gottlieb: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Coordinator/facility host for N. Virginia, OWASP Presenter.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|Benjamin Tomhave<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Template&diff=106976Global Education Committee - Template2011-03-16T14:55:52Z<p>Tony Gottlieb: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Coordinator/facility host for N. Virginia, OWASP Presenter.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Thomas Brennan<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|Benjamin Tomhave<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Template&diff=106837Global Education Committee - Template2011-03-15T12:31:05Z<p>Tony Gottlieb: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Coordinator/facility host for N. Virginia, OWASP Presenter.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Thomas Brennan<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Template&diff=106836Global Education Committee - Template2011-03-15T12:29:16Z<p>Tony Gottlieb: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Coordinator/facility host for N. Virginia, Presenter.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Thomas Brennan<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Template&diff=106835Global Education Committee - Template2011-03-15T12:25:27Z<p>Tony Gottlieb: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|List here.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Thomas Brennan<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Template&diff=106826Global Education Committee - Template2011-03-15T01:50:20Z<p>Tony Gottlieb: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|List here.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Thomas Brennan<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Template&diff=106825Global Education Committee - Template2011-03-15T01:48:41Z<p>Tony Gottlieb: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|List here.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''Kate Hartmann'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''Thomas Brennan'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Tony Gottliebhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Template&diff=106824Global Education Committee - Template2011-03-15T01:46:00Z<p>Tony Gottlieb: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|List here.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Tony Gottlieb