Fog Creek Software
Discussion Board

Creating a secure web application

I am training my Java/J2SE knowledge and would like to create a secure web login system.

Ideally I would like to use some of the open source stuff like Apache, Tomcat and Struts. My knowledge of these is limited.

On the database level, I would like to use Oracle and JDBC.

Is there a tutorial online that covers this that I can follow?

I come from a Microsoft background, last 10 years, and am trying to broaden my skills.

Because of the many options of tools to use, I find my learning curve slower than expected. There is a lot of jargon and many frameworks to comprehend, and, at first glance, it is not easy for a novice to know what is good or just hype.

I spent many weeks tackling EJB; at first I thought I had become dumber with advancing years. Fortunately many posters to newsgroups have mentioned their similar frustrations. So there is hope for me yet ;)

Ram Dass
Thursday, October 16, 2003
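As an added example (not from the original post, and not code from Tomcat, Struts or any other project named in the thread), here is the core of a login check written the way a security engineer would want it for the JDBC/Oracle setup the poster describes: passwords stored as a salted PBKDF2 hash rather than in clear, the lookup done with a bound parameter rather than string concatenation, and the comparison done in constant time. It assumes Java 8 or later (for PBKDF2WithHmacSHA256 and java.util.Base64) and a hypothetical table users(username, salt, hash) with Base64 columns; the in-memory map in main stands in for the database so the example runs offline.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Password verification for a web login: salted PBKDF2, parameterised SQL, constant-time compare. */
public class LoginService {
    private static final int ITERATIONS = 100_000;   // slows offline guessing if the table leaks
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();
    private static final byte[] DUMMY_SALT = new byte[SALT_BYTES];

    /** Salt and derived key as stored for one account. */
    static final class StoredCredential {
        final byte[] salt;
        final byte[] hash;
        StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    /** PBKDF2-HMAC-SHA256 over the password; a per-user random salt defeats precomputed tables. */
    static byte[] derive(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable on this JDK", e);
        }
    }

    /** Called once at account creation; the clear-text password is never stored. */
    static StoredCredential register(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new StoredCredential(salt, derive(password, salt));
    }

    /** MessageDigest.isEqual compares in constant time, so timing does not leak how many bytes matched. */
    static boolean verify(char[] password, StoredCredential stored) {
        return MessageDigest.isEqual(derive(password, stored.salt), stored.hash);
    }

    /**
     * JDBC lookup against an assumed table users(username VARCHAR, salt VARCHAR, hash VARCHAR)
     * with Base64-encoded salt and hash (schema is hypothetical, not from the thread).
     * The "?" bind parameter is the only safe way to put the submitted username into the
     * query; concatenating it into the SQL string is how SQL injection happens.
     */
    static StoredCredential findByUsername(Connection conn, String username) throws SQLException {
        String sql = "SELECT salt, hash FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                Base64.Decoder d = Base64.getDecoder();
                return new StoredCredential(d.decode(rs.getString("salt")), d.decode(rs.getString("hash")));
            }
        }
    }

    /** Runs the same amount of work whether or not the user exists, so timing does not reveal valid usernames. */
    static boolean login(Map<String, StoredCredential> store, String username, char[] password) {
        StoredCredential cred = store.get(username);
        if (cred == null) {
            derive(password, DUMMY_SALT);   // unknown user: burn the same PBKDF2 cost, then deny
            return false;
        }
        return verify(password, cred);
    }

    public static void main(String[] args) {
        // Constructed in-memory store standing in for the users table read by findByUsername.
        Map<String, StoredCredential> store = new HashMap<>();
        store.put("alice", register("correct horse battery staple".toCharArray()));
        System.out.println(login(store, "alice", "correct horse battery staple".toCharArray()));
        System.out.println(login(store, "alice", "wrong".toCharArray()));
        System.out.println(login(store, "mallory", "anything".toCharArray()));
    }
}
```

In a Struts action the only change is that the username and password come from the form bean; everything the action needs from the database should go through findByUsername so no other code path ever builds SQL from request data.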

Seems to be a common theme of people getting nauseous over the acronym heavy Java environment. Are you looking to roll your own security or make use of a vender security/session module?

m
Thursday, October 16, 2003

It doesn't matter what language: you can write a simple authentication system pretty straightforwardly, but writing an authorization system is difficult if you want a complex system that allows fine-tuned control over

1) owners, 2) groups of owners, 3) groups of groups, 4) rights, 5) super rights, or groups of rights, 6) super rights that can contain super rights, 7) objects, 8) groups of objects, 9) groups of groups of objects, and 10) domains.

Hand-implemented web sessions also take a while if you want to support 1) logging and handling of intrusion attacks, 2) broken browsers and 3) strong cryptography.

It's pretty painful stuff to do in-house, but if you can reuse it across many sites it might be worth it.

Li-fan Chen
Thursday, October 16, 2003
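To make the point above concrete, here is an added example (mine, not the poster's and not from any framework) of the part that makes a hand-rolled authorizer hard: groups of groups of users, super rights that contain super rights, and groups of groups of objects, all resolved with a default-deny decision. The group, right and object names in main are constructed sample data; domains (item 10) are not modelled, and the membership maps are plain in-memory maps where a real system would load them from the database.

```java
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

/** Default-deny authorizer over nested groups, nested rights and nested object groups. */
public class Authorizer {
    // group -> direct members (users or groups); object group -> direct contents (objects or object groups)
    private final Map<String, Set<String>> groupMembers = new HashMap<>();
    private final Map<String, Set<String>> objectGroupMembers = new HashMap<>();
    // super right -> rights it implies, e.g. admin implies write, write implies read
    private final Map<String, Set<String>> rightImplies = new HashMap<>();
    // principal -> target -> explicitly granted rights; principal may be a group, target an object group
    private final Map<String, Map<String, Set<String>>> grants = new HashMap<>();

    private static void link(Map<String, Set<String>> m, String from, String to) {
        m.computeIfAbsent(from, k -> new HashSet<>()).add(to);
    }
    public void addMember(String group, String member)       { link(groupMembers, group, member); }
    public void addObject(String objectGroup, String object) { link(objectGroupMembers, objectGroup, object); }
    public void addImplies(String right, String implied)     { link(rightImplies, right, implied); }
    public void grant(String principal, String target, String right) {
        grants.computeIfAbsent(principal, k -> new HashMap<>())
              .computeIfAbsent(target, k -> new HashSet<>()).add(right);
    }

    /** Transitive closure from start over next(); the visited set makes cyclic group definitions safe. */
    private static Set<String> closure(String start, Function<String, Set<String>> next) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> work = new ArrayDeque<>();
        work.push(start);
        while (!work.isEmpty()) {
            String cur = work.pop();
            if (!seen.add(cur)) continue;     // already expanded: stops infinite loops on cycles
            work.addAll(next.apply(cur));
        }
        return seen;
    }

    /** Every container that directly holds member, found by scanning the containment map. */
    private static Set<String> containersOf(Map<String, Set<String>> m, String member) {
        Set<String> out = new HashSet<>();
        for (Map.Entry<String, Set<String>> e : m.entrySet())
            if (e.getValue().contains(member)) out.add(e.getKey());
        return out;
    }

    /** True only if some group of the user holds, on some group of the object, a right that implies `right`. */
    public boolean isAllowed(String user, String right, String object) {
        Set<String> principals = closure(user, p -> containersOf(groupMembers, p));
        Set<String> targets    = closure(object, o -> containersOf(objectGroupMembers, o));
        Set<String> granted = new HashSet<>();
        for (String p : principals) {
            Map<String, Set<String>> byTarget = grants.getOrDefault(p, Collections.emptyMap());
            for (String t : targets) granted.addAll(byTarget.getOrDefault(t, Collections.emptySet()));
        }
        // Expand super rights: a grant of "admin" satisfies a check for "read" if admin implies it.
        Set<String> effective = new HashSet<>();
        for (String g : granted)
            effective.addAll(closure(g, r -> rightImplies.getOrDefault(r, Collections.emptySet())));
        return effective.contains(right);     // nothing matched: deny
    }

    public static void main(String[] args) {
        Authorizer az = new Authorizer();
        // Constructed sample: groups of groups, a right hierarchy, and object groups.
        az.addMember("engineering", "alice");
        az.addMember("staff", "engineering");        // group of groups
        az.addMember("engineering", "staff");        // deliberate cycle: must not loop forever
        az.addImplies("admin", "write");
        az.addImplies("write", "read");              // super right containing a super right
        az.addObject("reports", "q3.pdf");
        az.addObject("documents", "reports");        // group of groups of objects
        az.grant("staff", "documents", "read");
        az.grant("engineering", "reports", "admin");
        System.out.println(az.isAllowed("alice", "write", "q3.pdf"));    // engineering holds admin on reports
        System.out.println(az.isAllowed("bob", "read", "q3.pdf"));       // bob belongs to no group
        System.out.println(az.isAllowed("alice", "admin", "other.txt")); // other.txt is in no granted object group
    }
}
```

Two design choices matter more than the data structures: the decision is deny unless a matching grant is found, and every traversal is cycle-safe, because a group that (directly or through several levels) contains itself is exactly the kind of misconfiguration an administrator will eventually create.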

A brief answer as I haven't much time.

Check out the JAAS API in J2EE. If you're using Oracle for the app server too, then you'll need to learn about JAZN, which is Oracle's implementation of JAAS. Be aware that it's poorly documented though.

John Topley (www.johntopley.com)
Thursday, October 16, 2003

http://www.owasp.org

Scot
Friday, October 17, 2003

Re: Scot

Buddy, there's nothing there. Just look under projects.

-- David

Li-fan Chen
Friday, October 17, 2003
