
how to implement production ready secure login/logout in servlet web apps

 
Bhavesh Sangwan
Ranch Hand
Posts: 62
Hi Geeks, I am writing a self-learning web application where app users can register themselves and then log in to access some services. My question is how to implement secure login/logout functionality: no back-button problem, users should be authenticated and authorized from the database, no session caching by the browser, etc.

I found a clue that I should implement a Tomcat JDBC Realm, which seems good. Is it properly secure and good practice to proceed in this way? Or is there any other approach? Please help, guys. I have great expectations from you guys. Thanks in advance.
 
Tim Moores
Saloon Keeper
Posts: 3511
Container-managed security (as implemented by Tomcat Realms) is indeed a good approach to authentication.
 
Bhavesh Sangwan
Ranch Hand
Posts: 62
Tim Moores wrote: Container-managed security (as implemented by Tomcat Realms) is indeed a good approach to authentication.

Thanks, dear! Is there any other alternative approach?
 
Tim Moores
Saloon Keeper
Posts: 3511
In software there are almost always alternatives. You would have to have very good reasons, grounded in uncommon requirements, to use them.
 
Bhavesh Sangwan
Ranch Hand
Posts: 62
Tim Moores wrote: In software there are almost always alternatives. You would have to have very good reasons, grounded in uncommon requirements, to use them.

Yes, dear, I know there must be some alternative, maybe better or similar. I am new to security concepts; that's why I am just asking for some alternatives so that I can figure out which to use when. Thanks for your answer, dear.
 
Tim Moores
Saloon Keeper
Posts: 3511
If you don't have a deep grounding in security, then it's best to go with the tried and tested container-managed security.
 
Tim Holloway
Bartender
Posts: 18531
It was the weekend. I don't get paid for being here, so I usually don't check in on weekends. Don't expect 5-minute response times on the Ranch - that would cost extra and we don't work that way. Be patient, and if someone knows the answer, you'll hear sooner or later.

Tomcat security Realms are Tomcat's implementation of the J2EE and JEE container-managed security standards. Container-managed security is not only directly supported by the standard and its API, it's designed so that many forms of exploit will get bounced by Tomcat without getting anywhere near their intended victim webapp. If there have ever been any cases where it has been circumvented, I am not aware of them.

There are some third-party security frameworks, such as the Spring security framework for webapps. I generally recommend container-managed security, but if you don't (or cannot) use CMS security, the next-best option is one of the well-known third parties. Note that in some cases third-party frameworks act as additional support for CMS, which is more secure and generally gives finer granularity to security than CMS can itself.

The absolute worst options for webapp security are to design your own login system, copy one out of a J2EE book, or use one cooked up by your local shop's "expert" and serving as the corporate standard. In my experience, systems using any of these approaches are, about 95% of the time, easily broken by non-technical persons in 15 minutes or less. Security is a chain and even one weak link will break it. Unless you're trained in security and unless security is your full-time job (not something else to do as part of the app), then don't even consider using anything but a well-tested system such as CMS or a well-known third party.

And realize that despite everything, no security system is totally unbreakable, so be prepared to deal with the worst.
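An added example of the container-managed setup recommended above (not code from this thread or from Tomcat's own documentation): a JDBCRealm with hashed credentials in the webapp's context.xml, and a FORM-based security constraint in web.xml. The database URL, credentials, table and column names, and the login page paths are assumptions; the CredentialHandler element needs Tomcat 8 or later.

```xml
<!-- META-INF/context.xml (or under <Engine>/<Host> in server.xml): JDBCRealm backed by the app's user table.
     Assumed schema: users(username, password_hash) and user_roles(username, role_name). -->
<Context>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.postgresql.Driver"
         connectionURL="jdbc:postgresql://localhost:5432/appdb"
         connectionName="tomcat_realm"
         connectionPassword="CHANGE_ME"
         userTable="users" userNameCol="username" userCredCol="password_hash"
         userRoleTable="user_roles" roleNameCol="role_name">
    <!-- Compare against salted, iterated SHA-256 hashes instead of plaintext passwords. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256" saltLength="16" iterations="10000"/>
  </Realm>
</Context>

<!-- WEB-INF/web.xml: everything under /app/* requires an authenticated user in the "member" role,
     over HTTPS. Tomcat enforces this before any servlet in the webapp is invoked. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Member area</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- login.jsp posts j_username and j_password to j_security_check; Tomcat handles the rest. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>member</role-name>
</security-role>
```

Stored hashes must be produced with the same algorithm, salt length and iteration count (Tomcat's digest script does this), and logout is a servlet that calls request.logout() and session.invalidate(); serving protected pages with Cache-Control: no-store keeps the browser's back button from showing cached content after logout.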
 