
Swing Client Vs Web application -- authentication ..

 
veena madhukar
Ranch Hand
Posts: 86
Let us say a specific functionality is to be provided both on the web as an EJB application and as a Swing application; how do we go about handling security/authentication? Any thoughts on the issues to be considered? Any useful links?

Thanks in advance, Veena
 
cheenu Dev
Ranch Hand
Posts: 276
Mostly, authentication is done at the web tier, is what I saw in many books.
Authorization is done on a per-method basis in EJB.
You can also do authorization in the web tier, but security management in EJB is more powerful than in the web tier.

About Swing I have no idea.
 
Ulf Dittmer
Rancher
Posts: 42969
If you handle authentication/authorization at the EJB level, you can put any kind of client access layer (web, Swing, WS, ...) on top of it. That still leaves the question of whether declarative or programmatic security would be used, though.
 
veena madhukar
Ranch Hand
Posts: 86
How can authentication be done at the EJB level?
 
Richard Green
Ranch Hand
Posts: 536
Let us say a specific functionality is to be provided both on the web as an EJB application and as a Swing application; how do we go about handling security/authentication? Any thoughts on the issues to be considered? Any useful links?


We are currently building an application that uses EJB3 as the backend and JSF and Swing as the front ends.

Security checks are done in both the front end and the back end. The back end simply assumes that the front end is dumb and never trusts the front end. Before you execute any function on the back end, it checks the user's credentials and permission levels.

In addition to the security checks done in the back end, some security checks are done in the front end as well (just to maintain sanity).

For example, if a user manages to navigate to a page that he is not allowed to visit (e.g. via a bookmark), then the front end checks the user's permission level and disallows him.

Now, in the worst case that the permission levels on the front end are configured incorrectly and the user is allowed to visit a page that he is not allowed to, if the user performs an action on the page, a call is made to the back end, which checks the user's permission level and disallows the action.

So, in a nutshell your security / permission checks should be in the back end. Whatever security / permission checks you put on the front end would just complement the security checks on the back end.
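One way to put the checks where the replies above say they belong, in the EJB layer, is to combine EJB 3 declarative security (@RolesAllowed) with a programmatic check through SessionContext for rules the annotations cannot express. The following is an added example written for this page; it is not code from the original thread or from Richard Green's project. The bean, the "clerk" and "manager" roles, and the approval limit are assumptions, as is the in-memory map standing in for a database. It also assumes that the caller has already been authenticated by the container before the bean is reached: by the web tier's login-config for the JSF client, or by a JAAS login against the application server for the Swing client (the mechanics of which are vendor-specific), so that the container propagates the same principal and roles regardless of which front end made the call.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Hypothetical order service (an assumption for this example). The container
 * authenticates the caller in the web tier or via the Swing client's JAAS
 * login; this bean only ever sees the resulting principal and roles, so the
 * same checks apply to every client type.
 */
@Stateless
@DeclareRoles({"clerk", "manager"})
public class OrderServiceBean {

    /** Assumed business rule: orders above this amount need a manager. */
    private static final long MANAGER_APPROVAL_LIMIT_CENTS = 100_000L;

    /** In-memory store standing in for a database in this example. */
    private static final Map<String, Order> ORDERS = new ConcurrentHashMap<String, Order>();

    @Resource
    private SessionContext ctx;

    /**
     * Declarative check: the container rejects callers outside these roles with
     * an EJBAccessException before the method body runs. Every business method
     * carries its own annotation, because an unannotated EJB 3 method is
     * callable by anyone.
     */
    @RolesAllowed({"clerk", "manager"})
    public String createOrder(String customerId, long amountCents) {
        if (amountCents <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
        String orderId = "ord-" + UUID.randomUUID();
        ORDERS.put(orderId, new Order(orderId, customerId, amountCents,
                ctx.getCallerPrincipal().getName()));
        return orderId;
    }

    /**
     * Declarative coarse check plus a programmatic check on the data itself:
     * clerks may approve small orders, only managers may approve large ones.
     * Annotations alone cannot express a rule that depends on the order amount.
     */
    @RolesAllowed({"clerk", "manager"})
    public void approveOrder(String orderId) {
        Order order = ORDERS.get(orderId);
        if (order == null) {
            throw new IllegalArgumentException("unknown order " + orderId);
        }
        if (order.amountCents > MANAGER_APPROVAL_LIMIT_CENTS && !ctx.isCallerInRole("manager")) {
            // Same exception type the container throws for a declarative failure,
            // so web and Swing clients handle both cases the same way.
            throw new EJBAccessException(ctx.getCallerPrincipal().getName()
                    + " may not approve orders above " + MANAGER_APPROVAL_LIMIT_CENTS + " cents");
        }
        order.approved = true;
    }

    /** Only managers may delete; a clerk never reaches the body. */
    @RolesAllowed("manager")
    public boolean deleteOrder(String orderId) {
        return ORDERS.remove(orderId) != null;
    }

    /** Minimal order record for the example. */
    static final class Order {
        final String id;
        final String customerId;
        final long amountCents;
        final String createdBy;
        volatile boolean approved;

        Order(String id, String customerId, long amountCents, String createdBy) {
            this.id = id;
            this.customerId = customerId;
            this.amountCents = amountCents;
            this.createdBy = createdBy;
        }
    }
}
```

Whichever client calls the bean, the same checks run. A JSF page that hides the delete button, or a Swing client that greys out the menu item, is exactly the front-end "sanity" check described above: it saves a round trip that would otherwise end in an EJBAccessException, but it is not what keeps the data safe.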
 
veena madhukar
Ranch Hand
Posts: 86
Thank you very much. What kind of security checks are you doing in the front end? Any tools? When you say security checks are being done at the EJB level, are they declarative security checks?
 
Ulf Dittmer
Rancher
Posts: 42969
I have just posted a reply to the other thread you started, which delves a bit into the topic.
 