To Authors: Custom Security Realms

 
Greenhorn
Posts: 14
Every client we have seems to have a different method for achieving single sign-on, so we have written various custom security realms when the standard realms offered in various J2EE Application Servers are not adequate. This is both tedious and a potential security risk: any defects in this code could allow unauthorized access.

What advice do you have for J2EE developers who want to integrate their applications into the wide range of LDAP, Microsoft and other SSO systems?
 
Author
Posts: 159
Randall,

In J2EE Security, configuring realms is a vendor-specific practice...the key reason is that the J2EE specification does not dictate how a realm is required to be implemented and configured. All it is supposed to do is store the users, groups and roles. It also doesn't matter...whether you use LDAP, ActiveDirectory, RDBMS or even a flat file...each realm has its good and bad characteristics. The key advantage of using LDAP in J2EE...it has JNDI support.

To ensure the security of your realm...it is very important to secure the realm information and also the communication with the realm. For example, in an LDAP-based realm you would choose to use SSL for communication and use encryption to secure critical LDAP-based info.

From a J2EE security and single sign-on (SSO) standpoint....you may choose to adopt the "Authentication Enforcer and Authorization Enforcer" patterns to support multiple authentication realms and provide a consistent user SSO experience. In both patterns, we recommend the use of JAAS-based authentication and authorization strategies.

Does this help,

/Ramesh
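As an added illustration of the advice above (this is not code from the book or from either poster), a JAAS LoginModule that authenticates against an LDAP directory through JNDI over LDAPS, binding with the user's own credentials so the password never crosses the wire in clear. The option keys `url` and `userDnFormat`, the example host and the DN layout are assumptions; the module is wired in through the server's normal JAAS configuration.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** JAAS LoginModule: authenticates by binding to LDAP over TLS with the user's credentials. */
public class LdapsLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private String url;          // assumed option, e.g. "ldaps://ldap.example.com:636" (TLS; never plain ldap://)
    private String userDnFormat; // assumed option, e.g. "uid=%s,ou=people,dc=example,dc=com"
    private String userDn; private boolean authenticated;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
        url = (String) opts.get("url"); userDnFormat = (String) opts.get("userDnFormat");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        String user = nc.getName(); char[] pw = pc.getPassword();
        // Reject empty passwords (an empty simple bind is an anonymous bind on many servers and "succeeds")
        // and DN-special characters, so the user name cannot alter the DN we bind as.
        if (user == null || user.isEmpty() || user.matches(".*[,=+\"\\\\<>;#].*") || pw == null || pw.length == 0)
            throw new FailedLoginException("invalid credentials");
        userDn = String.format(userDnFormat, user);
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);               // ldaps:// scheme selects TLS for the connection
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        try { new InitialDirContext(env).close(); authenticated = true; } // a successful bind is the check
        catch (NamingException e) { throw new FailedLoginException("bind failed"); } // one generic message
        finally { pc.clearPassword(); Arrays.fill(pw, '\0'); }          // scrub the password from memory
        return true;
    }

    public boolean commit() { if (authenticated) subject.getPrincipals().add(new X500Principal(userDn)); return authenticated; }
    public boolean abort() { authenticated = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); authenticated = false; return true; }
}
```

Group-to-role mapping (the authorization side Ramesh mentions) would be a separate lookup after the bind; the failure message is deliberately the same for a bad user and a bad password.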
 
Randall Julian
Greenhorn
Posts: 14
Thanks! I looked at the TOC and there are more than a few patterns there that look like they might help.