Hi,

Please advice me I am in right direction or not?. Please see the following security options.

Web Clients: Using SSL, form based authentication and container provided method level authorizarion at EJB layer.

Swing clients: Using LDAP for authentication and container provided method level authorizarion at EJB layer.

I assumed userId and Password are stored in LDAP. Do you see any loop holes in my security design ?. Do I miss something here ?? Please advice.

Appreciate your help and inputs.

Thanks
Srinivas

I am using the same method for security. I have a login module in the swing client and am using LDAP to authenticate the agent. The swing app then passes the subject when it calls the EJB's.

Any thoughts on this...

Regards,
James.

Why are you using LDAP? Why don't you use some EJB to validate the user and than create the subject?


I would only use LDAP if the company already had all employees data stored using LDAP and my assignment doesn't mention anything about this.


Could you explain why you have choosen this approach?

LDAP usage is a good practice as it provides a single place where employees of a company store their credentials, it allows any app developed in the company to access the same information, it provides a form of re-use.

Using other methods can also provide a form of re-use, but LDAP is a more standard way of doing it.

I Agree with you, but why complicate? I think it is not nice to use different loggin approaches for web/swing.