how to do authentication

Bartender
Whenever someone says they are writing a login security system, the advice is "don't do it, use the Java built in security". Ulf Dittmer is always preaching this issue, and it makes sense; leave security to the experts.

But here's the thing; I'm studying for the OCEJWCD, and I'm still studying from HFSJ, which is for the old SCWCD (Java 5). I don't yet have the study materials for the Java 6 stuff so maybe this has changed. But according to HFSJ we only have 4 options for authentication:

Basic - encoded with Base64 but not encrypted. Very weak security.
Digest - encrypted but not widely used due to lack of support by containers.
Client-Cert - very secure but requires certificates so mainly used in B2B applications.
Form - no encoding or encryption, hence not secure at all.

These don't seem like very good options to me. Am I missing something? Maybe Java 6 added another option?
Rancher
Those options are defined by the servlet specification, not in the Java language, so no - nothing has changed with Java 6 (or 7, or 8).

Basic auth is very weak indeed, don't use it unless you're also using HTTPS. But then it's a secure option, although more useful for REST API calls - the dialog box that pops up in browsers is an uncommon sight for users, and should be avoided.

As for form auth - used in conjunction with HTTPS that, too, is secure. (The fact that it doesn't use encoding is irrelevant - that doesn't provide any security.)

You raise the important point that encryption is separate from authentication, which in turn is separate from authorization (the latter leading to the getRemoteUser and isUserInRole methods of HttpServletRequest).
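A web.xml that wires the three pieces from the reply above together, as an added example (not from the original posts): FORM authentication, HTTPS enforced by the container through a CONFIDENTIAL transport guarantee, and authorization by role. The realm name, the page paths and the "member" role are assumed.

```xml
<!-- Added example, not from the original posts: FORM authentication with HTTPS
     enforced by the container and role-based authorization. The realm name,
     page paths and the "member" role are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Authentication: the container serves login.jsp and checks the posted
       j_username / j_password against its realm; the app never sees them. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>AppRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Transport: CONFIDENTIAL on every URL makes the container redirect plain
       HTTP to HTTPS, so the password and session cookie never travel in the
       clear. No auth-constraint here, so this alone does not demand a login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authorization: only authenticated users in the "member" role reach
       /app/*; others get the login form or a 403. A servlet can refine this
       further with request.isUserInRole("member"). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

Without the CONFIDENTIAL constraint, the form posts the password to /j_security_check over plain HTTP, which is exactly the weakness the thread describes for FORM and BASIC.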
J. Kevin Robbins
Bartender
Ah, so https provides the secure transport between client and server via encryption and the server then does the authentication and authorization. Makes more sense now. I left https out of the picture.
Author
One choice is to use Apache SHIRO which has a reasonable, configurable authentication layer. http://shiro.apache.org/ It's complex to use, just a warning.

If you want to build it yourself, check out this guide. https://www.owasp.org/index.php/Authentication_Cheat_Sheet

Aloha,