
Security Problem in JSF Application

 
Raj Bansilal Champaneriya
Ranch Hand
Posts: 36
Hello folks, I am trying to use JAAS in a JSF application which is hosted on a GlassFish 3.1 server. I have successfully created a jdbcRealm and made all the required changes, but somehow I am not able to get it right. So I want to know: is there any simple way to make the application secure? This is a training project, so I also have to deal with EJBs and secure them. So I want an alternative security framework. I have heard about the Spring Security framework. Does it support EJB and web service security?

Thanks in Advance.
 
Tim Holloway
Bartender
Posts: 18531
J(2)EE has a built-in coarse-grained container-managed security facility which I highly recommend as a first line of defense. For one thing, it's standard, so there's no special training needed to use it. For another, it's built into the J2EE webapp structure (specifically web.xml), which is something that no other security mechanism can boast. Most importantly, it was designed by security professionals, and has successfully withstood the test of time. Every user-designed security system I've ever encountered has only survived the test of time if the time was under 15 minutes.

The container-managed security system is imposed at the server level and implemented by plug-replaceable Realms. You're using the JAAS Realm for Glassfish, but most commercial-grade J2EE servers also come standard with Realms referencing databases, LDAP/Active Directory and various other things. I've created and implemented more than one custom Realm myself over the years.

The great thing about Realms is that since they're pluggable components, you can test with one Realm and run in production with another and not have to make any changes to page definitions or program code to swap them.

To get finer-grained security, you may find it necessary to extend the concept and reference an internal security framework of your own. This can be as simple as setting up a subsystem that employs the user's Realm-validated ID as a key into a database of additional rights and privileges. Or a module that makes JAAS detail enquiries.

That's basically what the Spring Web Security system does. It builds on the tried-and-true J2EE core security framework but adds finer-grained functionality. Like the J2EE standard, it's well-documented and well-tested.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.