Win a copy of Functional Reactive Programming this week in the Other Languages forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Security Question - Part 2

 
Vignesh Murali Natarajan
Ranch Hand
Posts: 65
Firefox Browser Hibernate Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,
I got the Big Smokes assignment for Part 2. One of the NFR is Security. Besides usage of SSL for all internet requests, should I also consider Authentication and Authorization? This is a B2C app and there is no mention about this in any of the use cases. Can I safely scope it out in my assumptions? If not what are the alternatives?
 
John Lincoln
Ranch Hand
Posts: 192
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Check out Ashutosh Sharma's blog

Blog : http://scea5-passingpart2and3.blogspot.com/
 
Sharma Ashutosh
Bartender
Posts: 346
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can assume Authentication and authorization already exists(Also put this in the assumption lists). All such items goes into assumption list.
Apart from this i provided a security class(Servlet filter following intercepting filter) which will make sure all the resources(that one can access only when successfully logged in as a user) are accessed when the user is logged in. There will be some resources(pages) which is available to anybody-like the welcome list page , help , contact us page-you don't have to apply security filter for that. This security filter-one can add these resources into it...)

There are lot of other places one need to apply security-sending data(in encrypted form) to external systems via WS to avoid MITM or Replay attacks etc...
 
Kumar Amit
Ranch Hand
Posts: 103
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sharma Ashutosh wrote:
There are lot of other places one need to apply security-sending data(in encrypted form) to external systems via WS to avoid MITM or Replay attacks etc...

In the assignment is it a fair assumption to document that external system's webservice supports ws-security and suD is encrypting the message using x509 certs to maintain confidentiality
 
Kumar Amit
Ranch Hand
Posts: 103
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sharma Ashutosh wrote:Apart from this i provided a security class(Servlet filter following intercepting filter) which will make sure all the resources(that one can access only when successfully logged in as a user) are accessed when the user is logged in.

I also have a AuthenticationFilter (intercepting) in my application however I am struggling to show its relationship with other components (FacesServlet, JSP, Backing Beans) in component diagram. How did you depicted the same?
 
Sharma Ashutosh
Bartender
Posts: 346
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
On the far left-I have grouped the JSPs as per some logical grouping like Order JSPs.
Group of JSPs---<<Forward>>---><<Intercepting Filters>>---<<Forward>>--><<Controller>>

Where fonts in italics means stereotype on the "--->" arrow
 
Vignesh Murali Natarajan
Ranch Hand
Posts: 65
Firefox Browser Hibernate Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sharma Ashutosh wrote:You can assume Authentication and authorization already exists(Also put this in the assumption lists). All such items goes into assumption list.
Apart from this i provided a security class(Servlet filter following intercepting filter) which will make sure all the resources(that one can access only when successfully logged in as a user) are accessed when the user is logged in. There will be some resources(pages) which is available to anybody-like the welcome list page , help , contact us page-you don't have to apply security filter for that. This security filter-one can add these resources into it...)

There are lot of other places one need to apply security-sending data(in encrypted form) to external systems via WS to avoid MITM or Replay attacks etc...



Thank you Ashutosh and John. I will note that the Authentication and Authorization modules already exist. That clears a hurdle for me. My Class diagram is already bloated with close to 65 classes and I was hesitant to add more classes to it

 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic