about XML security

 
Ranch Hand
Posts: 42
Hi,
I have a question about XML security. I want to set up a login servlet and want to use an XML file to process data (the user login name and password) instead of a database. But I was told that using XML could cause security problems.
Can anyone give me some idea about it? Coz I will use XML to handle other parts of the data once the user logs in. Is there any way to avoid such security problems?
Thank you very much in advance.
Calanthe
 
Author and all-around good cowpoke
Posts: 13078
The only security problem I can think of is that you won't need a password to read the file like you would for a database. Seems to me that if the XML file is stored somewhere that the web server can't "see" it you won't have a problem.
Bill
 
Calanthe Wei
Ranch Hand
Posts: 42
Hi, Bill
Thank you very much!
Would you please tell me the difference between these two methods, I mean the login data stored in database or in XML file? Which one is much better?
Thanks again.
Calanthe
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
Yow! What an open-ended question! Right off the top of my head, these are the questions I would ask a commercial client (@ $100/hr):
How many users?
How much data per user?
How frequent the access?
Do you already have a database running?
How familiar are you with database operations (i.e., JDBC)?
How familiar are you with XML operations (i.e., JAXP, etc.)?
What kind of system does it have to run on?
 
Ranch Hand
Posts: 3695
If you are using your servlet container's built-in security capabilities, then you frequently have the choice to use either a file-based (and probably XML file) solution, or use a database solution.

See here for links on Tomcat's realm configuration
https://coderanch.com/t/81728/Tomcat/do-make-tomcat-users-more

But even if you are using a built-in security model, or building your own, as William showed you, the 'best' option is really a matter of *lots* of different things.

XML seems easy. It doesn't require anything other than a file placed in the location your login servlet expects it to be, and it's easy to update.

But it's a *security* thing. Anyone with administrative access to your servlet container will be able to open the file in a text viewer and observe *everyone's* plain-text usernames and passwords.

Databases are more secure, but perhaps more of a pain to set up.
 
William Brogden
Author and all-around good cowpoke
Posts: 13078
Good points, Mike, but you don't HAVE to store the passwords as plaintext. Java has lots of encryption, message signing, etc. classes in the java.security package that could be used to compute some characteristic string derived from user id and password to be stored in the XML.
Unfortunately I have not used any of these, so I can't say which would be best.
The disadvantage of this approach is that NOBODY can recover the password if the user forgets it.
Bill
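The following is an added example (not code from Bill, Mike or anyone else in this thread) of the approach Bill describes and the plaintext-file problem Mike raises: the XML file holds a salted, derived value instead of the password, and the login servlet recomputes that value to verify a login. It assumes a `<users><user name="..." salt="..." hash="..."/></users>` layout, picks PBKDF2 with HMAC-SHA256 from the standard JDK (`javax.crypto`) as the derivation, and parses the file with JAXP configured to reject DTDs and external entities, so a tampered users file cannot pull in other files from the server. Class, method and attribute names are this example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Example (not from the thread): password verification against an XML user file. */
public class XmlPasswordStore {
    private static final int ITERATIONS = 100_000; // work factor; raise as hardware allows
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    // Derive the stored value from password + per-user salt (PBKDF2-HMAC-SHA256).
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        try {
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // don't leave the password in the key spec
        }
    }

    // Build one <user/> element for the file. Only letters/digits allowed in the
    // name here so the example can skip XML escaping (hypothetical restriction).
    static String userEntry(String name, char[] password) throws Exception {
        if (!name.matches("[A-Za-z0-9_]+")) throw new IllegalArgumentException("bad user name");
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return "<user name=\"" + name + "\" salt=\"" + b64.encodeToString(salt)
                + "\" hash=\"" + b64.encodeToString(derive(password, salt)) + "\"/>";
    }

    // JAXP parser with DTDs and external entities disabled (blocks XXE-style tricks).
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Look the user up, recompute the derived value, compare in constant time.
    static boolean verify(Document users, String name, char[] password) throws Exception {
        NodeList list = users.getElementsByTagName("user");
        Base64.Decoder b64 = Base64.getDecoder();
        for (int i = 0; i < list.getLength(); i++) {
            Element u = (Element) list.item(i);
            if (!u.getAttribute("name").equals(name)) continue;
            byte[] salt = b64.decode(u.getAttribute("salt"));
            byte[] expected = b64.decode(u.getAttribute("hash"));
            byte[] actual = derive(password, salt);
            return MessageDigest.isEqual(expected, actual); // timing-safe comparison
        }
        return false; // unknown user: same answer as a wrong password
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file, built in memory rather than read from disk.
        String xml = "<users>" + userEntry("calanthe", "correct horse".toCharArray()) + "</users>";
        Document doc = hardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println("right password: " + verify(doc, "calanthe", "correct horse".toCharArray()));
        System.out.println("wrong password: " + verify(doc, "calanthe", "wrong".toCharArray()));
        System.out.println("unknown user:   " + verify(doc, "nobody", "correct horse".toCharArray()));
    }
}
```

In a servlet, the file would be loaded once at startup from a path outside the web server's document root, as Bill suggested earlier in the thread, so nothing under the webapp can serve it. Note that this still leaves the other half of Mike's point standing: an administrator who can read the file gets the salted derived values, which is far less useful than plaintext but still worth protecting with file permissions.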
 
Mike Curwen
Ranch Hand
Posts: 3695
You're right, they don't have to be plain text. But I would argue that if you're going to do that, then why not save yourself the pain of doing all that code, when:
a) containers provide security through more secure realms, and will do crypto for you if you insist on files.
b) Oracle can do encryption for you.
 