Login in my Servlet based web

Isaac Ferguson
Ranch Hand
Hi,

I have a web app written in Java 8, I need to use an index.jsp which will be used for login purposes using a user and a password credentials.

The info in the web is very sensitive and if someone break the security, they could destroy the data in the DB.

Which do you think is the best approach in order to solve this?

Any idea?

Regards,
Isaac

 
Stephan van Hulst
Saloon Keeper
Use a framework that handles this for you. A good one should be able to help out with things such as password hashing/verifying, CSRF protection, XSS protection, input sanitation, etc.

It depends on your requirements.
 
Isaac Ferguson
Ranch Hand
Use a framework that handles this for you.

Which framework do you recommend?
 
Stefan Evans
Bartender
I would think following the standard security authentication models in the servlet container would be a good starting point, i.e. declarative security via the web.xml file.

That then gives you the flexibility to configure it in the container as appropriate, and means you don't have to re-invent the square wheel.

Also note that as Stephan mentioned, security is more than just a login page.

The strongest door in the world won't keep burglars out if you leave the window wide open.
 
Ron McLeod
Saloon Keeper
Make sure the platforms are secure as well as any infrastructure between them.

You mentioned earlier that your application server and database server were at different physical locations and you were going to interconnect them over the public Internet. If that is still true, that would be the most vulnerable point in your system. Make sure you have the ports for SSH, RDP, CIFS, NFS, LDAP, MySQL (or other database), etc. locked-down.
 
Ron McLeod
Saloon Keeper
Also, make sure you sanitize the user input and use prepared statements so you don't get stung with SQL injection.
 
Tim Holloway
Bartender
J2EE/JEE has a standard authentication and authorization framework as part of its implementation specifications (container-managed security).

Unless you are willing to invest a lot of time and effort into using one of the well-known third-party A&A packages, I strongly recommend that you use that. And, it should be noted, it's very common for the third-party packages to build on the built-in security anyway.

Unless you have a full-time, professionally-trained security group of security software specialists in-house, simply "rolling your own" login system has - based on my own observations and those of others - probably a 95% chance that it will have an easily-exploitable security hole in it.

That's right. Most do-it-yourself security systems are about as secure as wet tissue paper and many of them can be circumvented by non-technical people in 15 minutes or less.

Security isn't something you can do in addition to the "important" parts of writing a webapp. Nor should you expect "clever" people to get it right. It's an ugly world out there and even the professionally-designed security systems occasionally turn up to have holes in them. It's why I wish that books on Enterprise Java would stop using "login servlets" as code examples.

I've never heard of anyone breaking through the JEE standard security framework in its approximately 20 years of existence. It acts primarily as a wrapper around your app, so you don't have to code for basic security - and what you don't code can't have bugs/exploits. It's well-documented (DIY systems rarely are). And it's flexible. You can define users and roles in an XML file for testing, then use a database and/or Active Directory (LDAP) for production without changing the app. It can be used in a single sign-on environment, again without app changes.

All in all, I've got a list of reasons of Why do-it-yourself Java Security is a Bad Thing. It's not a short list.
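Since both Stefan's and Tim's replies point at container-managed security without showing what it looks like, here is an added example (not from any of the posters): a servlet protected declaratively with the Servlet 3.0 annotations that Java EE 6 introduced, with the equivalent web.xml elements in the comment. The role name "admin", the URL space /admin/* and the use of index.jsp as the FORM login page are assumptions made for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Declarative (container-managed) security, Servlet 3.0 style.
 * The container, not the servlet, performs the login: an unauthenticated request
 * for /admin/* is sent to the FORM login page configured in web.xml, and a request
 * from an authenticated user who lacks the "admin" role is refused with 403.
 *
 * web.xml still carries the login configuration and the role declaration
 * (hypothetical fragment; j_security_check, j_username and j_password are the
 * names the Servlet spec requires the login form on index.jsp to use):
 *
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/index.jsp</form-login-page>
 *       <form-error-page>/index.jsp?failed=true</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-role><role-name>admin</role-name></security-role>
 *
 * The annotation below could equally be written in web.xml as:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>admin</web-resource-name>
 *       <url-pattern>/admin/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>admin</role-name></auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *
 * Which users hold the "admin" role is decided by the realm the container is
 * configured with (an XML/properties file for testing, a database or LDAP in
 * production), so this code does not change when the realm does.
 */
@WebServlet("/admin/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin",
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
public class AdminServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time this runs the container has already authenticated the caller
        // and checked the role; the servlet only reads the outcome.
        resp.setContentType("text/plain");
        try (PrintWriter out = resp.getWriter()) {
            out.println("Authenticated as: " + req.getRemoteUser());
            out.println("Has admin role: " + req.isUserInRole("admin"));
        }
    }
}
```

Two details worth checking when you adopt this: the CONFIDENTIAL transport guarantee makes the container redirect plain HTTP requests to HTTPS, so the credentials posted from index.jsp never travel in clear; and a @ServletSecurity annotation is ignored for URL patterns that a web.xml security-constraint already covers, so keep the constraints in one place to avoid wondering which one applies.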
 
Marshall Blythe
Ranch Hand
Irrespective of your choice in security frameworks, you should definitely become familiar with the OWASP project and its Top 10 web application security flaws. I've found these to be invaluable resources when designing secure web applications.
 
Isaac Ferguson
Ranch Hand
I want to code it using the standard container-managed security. I found this Java 6 Security tutorial; it is for Java 6 and I'm using Java 8. Do you think I'm on the right track?
 
Tim Holloway
Bartender
I think you may mean Java EE 6 and JDK 8. Both of which are about as up-to-date as you can get right now. And yes, they should play well together.

The basic JEE container security is fairly simple and doesn't go through many changes. I believe that maybe about 10 years back some role-related stuff was added and one of the things that came in with JEE over J2EE was the ability to invoke authentication in application code instead of waiting for an authorized URL request, but pretty much any old Enterprise Java reference material is going to be OK to start with.
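The "invoke authentication in application code" option Tim mentions is the HttpServletRequest.login()/logout() pair from Servlet 3.0. Here is an added example of it (not from any of the posters): the password is still verified by the realm the container is configured with, the servlet only decides when to ask and what to do afterwards. It assumes web.xml still has a login-config and the container a realm, that index.jsp posts username and password to /login, and that /admin/ is the protected area.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Invoking container authentication from application code (Servlet 3.0, Java EE 6).
 * Credentials are checked by the container's configured realm (file, database,
 * LDAP ...); nothing here compares passwords. Assumptions for the example: web.xml
 * still declares a <login-config>, the login form on index.jsp posts to /login,
 * and /admin/ is the area protected by a security constraint.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            req.logout();                          // clears the container's principal
            HttpSession s = req.getSession(false);
            if (s != null) {
                s.invalidate();                    // and the session that carried it
            }
            resp.sendRedirect(req.getContextPath() + "/index.jsp");
            return;
        }

        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Replace any session that existed before authentication, so an id the
        // browser was given earlier is not the one that becomes "logged in".
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);

        try {
            // Validates user/pass against the realm and associates the principal
            // with this request; throws ServletException when the credentials are
            // rejected or the configured login mechanism cannot take a password.
            req.login(user, pass);
        } catch (ServletException failed) {
            // One answer for "no such user" and "wrong password": don't say which.
            resp.sendRedirect(req.getContextPath() + "/index.jsp?failed=true");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/admin/");
    }
}
```

Compared with letting the container redirect to the FORM page on its own, this only changes who starts the login; role checks on /admin/* are still enforced by the container after login() succeeds, and switching the realm from a test file to a database or LDAP needs no change in this servlet.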
 