Hi Geeks, I am writing a self-learning web application where app users can register themselves and then log in to access some services. My question is how to implement secure login/logout functionality: no back-button problem, users should be authenticated and authorized from the database, no session caching by the browser, etc.
I found the clue that I should implement a Tomcat JDBC Realm, which seems good. Is it properly secure and good practice to proceed in this way? Or is there any other approach? Please help, guys. I have great expectations from you guys. Thanks in advance.
In software there are almost always alternatives. You would have to have very good reasons, grounded in uncommon requirements, to use them.
Tim Moores wrote:In software there are almost always alternatives. You would have to have very good reasons, grounded in uncommon requirements, to use them.
Yes dear, I know there must be some alternative, maybe better or similar. I am new to security concepts; that's why I'm just asking about some alternatives so that I can figure out which to use when. Thanks for your answer, dear.
It was the weekend. I don't get paid for being here, so I usually don't check in on weekends. Don't expect 5-minute response times on the Ranch - that would cost extra and we don't work that way. Be patient, and if someone knows the answer, you'll hear sooner or later.
Tomcat security Realms are Tomcat's implementation of the J2EE and JEE container-managed security standards. Container-managed security is not only directly supported by the standard and its API, it's designed so that many forms of exploit will get bounced by Tomcat without getting anywhere near their intended victim webapp. If there have ever been any cases where it has been circumvented, I am not aware of them.
There are some third-party security frameworks, such as the Spring Security framework for webapps. I generally recommend container-managed security, but if you don't (or cannot) use CMS security, the next-best option is one of the well-known third parties. Note that in some cases third-party frameworks act as additional support for CMS, which is more secure and generally gives finer granularity to security than CMS can itself.
The absolute worst options for webapp security are to design your own login system, copy one out of a J2EE book, or use one cooked up by your local shop's "expert" and serving as the corporate standard. In my experience, systems using any of these approaches are, about 95% of the time, easily broken by non-technical persons in 15 minutes or less. Security is a chain and even one weak link will break it. Unless you're trained in security and unless security is your full-time job (not something else to do as part of the app), then don't even consider using anything but a well-tested system such as CMS or a well-known third party.
And realize that despite everything, no security system is totally unbreakable, so be prepared to deal with the worst.
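To tie the advice above back to the original question: with container-managed security, the login itself is not application code at all. Authentication and authorization come from a security-constraint and login-config in web.xml, backed by the Realm in Tomcat's configuration; the webapp only has to add the two things the container does not do for you, namely making protected pages non-cacheable (the "back button" problem) and performing a clean logout. The following is an added illustration written for this thread, not code from the original posts or from Tomcat; it assumes the javax.servlet API (Tomcat 7 to 9; Tomcat 10 and later use the jakarta.servlet package), a security-constraint covering /secure/*, and a context path with the default session cookie name JSESSIONID.

```java
// File: NoCacheFilter.java
// Assumption: web.xml contains a <security-constraint> for /secure/* and a
// FORM <login-config>, and Tomcat's context.xml defines a JDBC-backed Realm.
// The container therefore already refuses unauthenticated requests to
// /secure/*; this filter only stops the browser from caching those pages.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/secure/*")
public class NoCacheFilter implements Filter {
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Defence in depth: if the constraint were ever misconfigured, a request
        // with no container-authenticated principal still gets nothing here.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Cache directives must be set before the body is written, hence before
        // chain.doFilter(). "no-store" is what keeps the page out of the
        // browser's history cache after logout; Pragma/Expires cover HTTP/1.0.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }
}

// File: LogoutServlet.java
// Logout is a state change, so it is accepted only as a POST from the
// application's own form; a plain GET link is rejected.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Ask the container to forget the authenticated principal (Servlet 3.0+).
        request.logout();

        // 2. Destroy the server-side session so the old session id is worthless
        //    even if the browser keeps sending it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Expire the session cookie in the browser as well. The path must match
        //    the one the container used when it issued the cookie.
        String path = request.getContextPath().isEmpty() ? "/" : request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath(path);
        expired.setHttpOnly(true);
        response.addCookie(expired);

        // 4. Send the user to a public page; the redirect itself is not cacheable.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + "/");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

Nothing in either class touches a password or a user table: that remains the Realm's job, which is exactly the point of the advice above. A quick check that the pieces work together is to log in, visit a /secure/ page, POST to /logout, and then press the back button; the browser should re-request the page and the container should answer with the login form rather than showing the cached copy.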