Security Pattern

Velmurugan Periasamy
We're implementing a typical Struts -> Stateless Session Bean Service Layer -> DAO -> Backend application. Why I called it a service layer is because there may be other clients than the web app we're building that might interact with the service layer.

I have a basic question on implementing security and want to know how people generally handle it. Basically, how do I design the service layer interface without requiring some form of user identification for each method? Or is that the way the service layer is supposed to be designed?
Hope I'm making it clear. Basically, if we say any method can be called after the authentication is done, this is OK for the web app (since the users cannot do anything until they log in), but doesn't this leave a hole?

The other question is regarding implementing the authentication itself.
Let's say we require that each service layer method should pass a security token as well. What's the general strategy for generating a Security Token when the user is authenticated? Where can this token be cached and where do we put the logic of revalidating the security token?

In the past, we've authenticated the users against LDAP or database and stored the login and other authorization information for the user in the HttpSession. This worked because the web app was the only client which was consuming the services. How do I make this generic across the clients?

Thanks.
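A worked illustration of the token-per-call design the post asks about, added here as an example; it is not code from the original thread or from any of the posters. It replaces the HttpSession with a signed, self-describing token: authentication (stubbed against a constructed in-memory user table standing in for LDAP or a database) issues an HMAC-signed token carrying the principal and an expiry; every service-layer method takes that token as its first argument and re-validates it itself, so a Struts front end, a batch job or a remote client are all treated the same way. The key, TTL, user table and `deleteAccount` service method are assumptions for the example; in a real deployment the key would come from a keystore shared by every node that validates tokens.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

public class TokenSecuredService {

    // Hypothetical server-side HMAC key (example only); load it from a keystore in practice.
    private static final byte[] KEY =
            "change-me-32-byte-server-secret!".getBytes(StandardCharsets.UTF_8);
    // Short lifetime: a stateless token cannot be revoked before it expires.
    private static final long TOKEN_TTL_MILLIS = 15 * 60 * 1000L;

    // Constructed user store standing in for the LDAP/DB lookup (plaintext only for the demo).
    private static final Map<String, String> PASSWORDS =
            Map.of("alice", "correct horse", "bob", "hunter2");
    private static final Map<String, Set<String>> ROLES =
            Map.of("alice", Set.of("admin", "user"), "bob", Set.of("user"));

    /** Authentication step: returns a signed token, or null if the credentials are wrong. */
    public static String login(String user, String password) {
        String expected = PASSWORDS.get(user);
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        long expiry = System.currentTimeMillis() + TOKEN_TTL_MILLIS;
        String payload = user + "|" + expiry;               // principal and expiry travel inside the token
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(hmac(payload));
    }

    /** Revalidation step: principal named by the token, or null if it is forged, malformed or expired. */
    public static String validate(String token) {
        if (token == null) return null;
        String[] parts = token.split("\\.");
        if (parts.length != 2) return null;
        byte[] payloadBytes;
        byte[] sig;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(parts[0]);
            sig = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        // Constant-time comparison so a forged MAC cannot be guessed byte by byte.
        if (!MessageDigest.isEqual(hmac(payload), sig)) return null;
        int sep = payload.lastIndexOf('|');
        if (sep < 0) return null;
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(sep + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        if (System.currentTimeMillis() > expiry) return null;
        return payload.substring(0, sep);
    }

    /** Service-layer method: authentication and authorisation happen here, not in the web tier. */
    public static String deleteAccount(String token, String accountId) {
        String caller = validate(token);
        if (caller == null) throw new SecurityException("not authenticated");
        if (!ROLES.getOrDefault(caller, Set.of()).contains("admin")) {
            throw new SecurityException(caller + " is not permitted to delete accounts");
        }
        return "account " + accountId + " deleted by " + caller;
    }

    private static byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        String adminToken = login("alice", "correct horse");
        System.out.println(deleteAccount(adminToken, "42"));                 // permitted
        String userToken = login("bob", "hunter2");
        try { deleteAccount(userToken, "42"); }                              // wrong role
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { deleteAccount(adminToken + "x", "42"); }                       // tampered token
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { deleteAccount(null, "42"); }                                   // no token at all
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Because the token is signed rather than looked up, nothing has to be cached on the server: the web app can keep it in the HttpSession, a batch client in memory, and the service layer validates it on every call with only the key. The trade-off is revocation: a token stays valid until its expiry, so keep the TTL short or add a server-side blocklist of revoked principals if logout must take effect immediately.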
Craig Anders
Hello,

I was attending JavaONE last week. I picked up a poster and a book preview chapter that illustrates "Security patterns for J2EE applications". It sounded like a patterns effort from Sun Microsystems. You may be able to find some related information for your problems, and particularly contacts, from "www.coresecuritypatterns.com".

-C
Velmurugan Periasamy
Thanks for the information.
 
Greenhorn
Posts: 29
BTW, this book is already available on Edonkey (P2P) networks.