Meaningless Drivel is fun!*
The moose likes Security and the fly likes J2EE Security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "J2EE Security" Watch "J2EE Security" New topic
Author

J2EE Security

Scott Guo
Greenhorn

Joined: Jan 27, 2007
Posts: 23
Hi All,

During preparing the SCEA exam, since security is an important non-functional aspect in J2EE, I need to provide some comments or exhibit on this. There is no much security experience on my past work, so could you give some suggestions on enterprise application security?

Two aspects I could applied for now:
SSL
Authorization by J2EE on Web and EJB

Thanks a lot!

Scott


Technology is not just a technology, and it should make people's life better!
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41083
    
  43
The Security FAQ has some links that may get you started. In particular, the Java Security Evolution and Concepts series, and maybe some of the other articles as they relate to your project, e.g. the Guide to Building Secure Web Applications if it's a web app.


Ping & DNS - my free Android networking tools app
Ryan Day
Ranch Hand

Joined: Apr 03, 2006
Posts: 87
I am interested in this topic, thanks for the resources you referenced.

At the risk of repeating a question that has been asked before, can you point me to information on a framework or set of reusable components that addresses the tasks that are normally required on a J2EE website with user logins? I'm thinking of:
- allowing users to create their own login (would be stored in JDBC realm in MySQL database)
- allowing users to have their passwords reset and mailed to them

I'm assuming those are generic enough tasks that someone has implemented something resusable. Not asking you to solve it here, just point me in the right direction.


SCJP, SCWCD
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41083
    
  43
Ryan,

you'd think that this is common enough that someone for someone to make an open source project out of it, but to my knowledge, there isn't one. But when you look at it, it's just a few JSP pages, which need to be adapted anyway for the look and feel of the web site (and possibly for the form fields they contain), so it's not much more work to create this from scratch.
Ryan Day
Ranch Hand

Joined: Apr 03, 2006
Posts: 87
Thanks for your replies Ulf, they've been very helpful. When you say just a few JSP pages, let's see if we are thinking of the same tasks.

Based on how I see other web sites work, I'm assuming the view would ask the model to actually reset the password in the security realm (e.g. a JDBC realm like MySQL) and then the view would email the temporary login information to the email address they already store for that user. And I guess you could track whether the user has to reset the password next time.

Does that sound about right?
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: J2EE Security
 
Similar Threads
What do YOU want from a WebSphere book?
Core Security Patterns ?
Core Security Patterns for J2EE ?
Best J2EE Security Book available
Enterprise Application Security