Given a database (MySQL) driven webapp written entirely in vanilla J2EE (no frameworks, etc.), which has no attempts at security (except a basic database login system), what steps should you take to secure it?
Any resources about this would also be handy. (I’ve found OWASP).
Thanks!
That seems to be a loaded question.
The Spring Security framework is the first thing that comes to my mind, but it appears you might not be inclined to using any frameworks.
If you want to manage the security yourself using a set of database tables, then you would probably want to spend some time designing a proper data model that accounts for users and roles.
You would probably want to create some sort of Servlet filter that will check to see if a logged in user exists for protected resources. If the user exists, then the filter would forward to the protected resource. If the user is not authenticated, then the filter would capture the target page and redirect the user to authentication page.
Some other things to consider:
a). You would probably need to set up SSL for any page that passes login credentials.
b). You would probably want to look into some encryption facility for storing a user's password.
c). Being that you are writing a Java EE app, you would probably want to look into managing user principals.
d). If you are deploying to a distributed environment, how will you handle session management? In other words, should the sessions be sticky, or will you employ some sort of shared memory space for authenticated users (i.e. WebSessions, database persistence, etc.)?
e). Pay special attention to SQL injection attacks; if you are using JDBC prepared statements, this wouldn't be much of a concern.
f). If you are processing credit card transactions, you would want to make sure that you are PCI compliant.
g). Beware of evil bots; try to limit bot activity wherever possible. This can usually be done by employing some sort of captcha utility.
h). If you are using any third-party tools/frameworks, be sure that you are always updated with the latest releases to avoid vulnerabilities.
Here are some resources that come to mind:
http://static.springsource.org/spring-security/site/
http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
http://docs.oracle.com/javaee/5/tutorial/doc/bnbwk.html
Hope this helps
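The answer above sketches three pieces without code: a servlet filter that sends unauthenticated users to a login page and remembers where they were going, a password hashing facility from the JCE, and JDBC prepared statements for the user lookup. The following is an added example of those three pieces in plain javax.servlet / JDBC code; it is not the answerer's code and not from any framework. Assumed names: the package example.security, a table users(username, password_hash, salt, iterations), a container-managed javax.sql.DataSource handed in by the caller, the filter init parameter loginPage, and a LoginServlet (not shown) in the same package that calls LoginHelper from its doPost.

```java
// Added example, not part of the original answer. Assumed: package example.security,
// table users(username, password_hash, salt, iterations), a DataSource supplied by the
// caller, filter init-param "loginPage", and a LoginServlet in this package (not shown).
package example.security;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

/** Gate for protected resources. Map it in web.xml to the protected paths only
 *  (e.g. <url-pattern>/app/*</url-pattern>) so the login page itself is never filtered. */
public class AuthenticationFilter implements Filter {
    static final String USER_ATTR = "authenticatedUser";   // set only by LoginHelper
    static final String TARGET_ATTR = "loginTarget";       // page the user originally asked for
    private String loginPage = "/login.jsp";

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("loginPage");
        if (p != null) loginPage = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);    // never create a session here
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);                        // authenticated: forward to the resource
            return;
        }
        // Remember only the path and query the user wanted, never a full URL, so the
        // post-login redirect cannot be steered to another host.
        String target = request.getRequestURI();
        if (request.getQueryString() != null) target += "?" + request.getQueryString();
        request.getSession(true).setAttribute(TARGET_ATTR, target);
        response.sendRedirect(request.getContextPath() + loginPage);
    }

    public void destroy() {}
}

/** Used by the LoginServlet's doPost: verify credentials, then start a fresh session. */
final class LoginHelper {
    private static final int KEY_BITS = 256;
    // Constructed dummy salt so an unknown username costs the same time as a wrong password.
    private static final byte[] DUMMY_SALT = new byte[16];

    /** Look the user up with a PreparedStatement (username is bound, never concatenated)
     *  and verify the stored PBKDF2 hash. Returns true only on a match. */
    static boolean authenticate(DataSource ds, String username, char[] password) throws SQLException {
        String sql = "SELECT password_hash, salt, iterations FROM users WHERE username = ?";
        Connection con = ds.getConnection();
        try {
            PreparedStatement ps = con.prepareStatement(sql);
            ps.setString(1, username);
            ResultSet rs = ps.executeQuery();
            if (!rs.next()) {
                pbkdf2(password, DUMMY_SALT, 10000);        // burn the same time, then reject
                return false;
            }
            byte[] stored = rs.getBytes("password_hash");
            byte[] computed = pbkdf2(password, rs.getBytes("salt"), rs.getInt("iterations"));
            return MessageDigest.isEqual(stored, computed);  // constant-time comparison
        } finally {
            con.close();
        }
    }

    /** PBKDF2-HMAC-SHA1 from the JCE; call the same function (with a random salt) when
     *  a password is first stored, and keep the salt and iteration count beside the hash. */
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            return f.generateSecret(new PBEKeySpec(password, salt, iterations, KEY_BITS)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable in this JRE", e);
        }
    }

    /** After authenticate() succeeds: discard the pre-login session (so a session id fixed
     *  by an attacker before login is not kept), mark the new one, and return the redirect. */
    static String establishSession(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        String target = null;
        if (old != null) {
            target = (String) old.getAttribute(AuthenticationFilter.TARGET_ATTR);
            old.invalidate();
        }
        request.getSession(true).setAttribute(AuthenticationFilter.USER_ATTR, username);
        return target != null ? target : request.getContextPath() + "/";  // URI already has the context path
    }
}
```

The LoginServlet's doPost reads the form fields, calls LoginHelper.authenticate(ds, username, password.toCharArray()), and on success calls establishSession() and sendRedirect()s to the returned path; on failure it shows the login page again without saying whether the username or the password was wrong. Because the filter stores the target as a request URI rather than a full URL supplied by the client, it cannot be used as an open redirect. Point (a) of the answer (SSL for credential pages) should be paired with marking the session cookie itself Secure and HttpOnly; on a Servlet 3.0 container that is the `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>` block in web.xml, otherwise it is a container-specific setting.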