While preparing for the SCEA exam, since security is an important non-functional aspect in J2EE, I need to provide some comments or an exhibit on this. I have not had much security experience in my past work, so could you give some suggestions on enterprise application security?
Two aspects I could apply for now: SSL, and authorization by J2EE on Web and EJB.
Thanks a lot!
The Security FAQ has some links that may get you started. In particular, the Java Security Evolution and Concepts series, and maybe some of the other articles as they relate to your project, e.g. the Guide to Building Secure Web Applications if it's a web app.
I am interested in this topic, thanks for the resources you referenced.
At the risk of repeating a question that has been asked before, can you point me to information on a framework or set of reusable components that addresses the tasks that are normally required on a J2EE website with user logins? I'm thinking of:
- allowing users to create their own login (would be stored in a JDBC realm in a MySQL database)
- allowing users to have their passwords reset and mailed to them
I'm assuming those are generic enough tasks that someone has implemented something reusable. Not asking you to solve it here, just point me in the right direction.
You'd think that this is common enough for someone to make an open source project out of it, but to my knowledge, there isn't one. But when you look at it, it's just a few JSP pages, which need to be adapted anyway for the look and feel of the web site (and possibly for the form fields they contain), so it's not much more work to create this from scratch.
Thanks for your replies Ulf, they've been very helpful. When you say just a few JSP pages, let's see if we are thinking of the same tasks.
Based on how I see other web sites work, I'm assuming the view would ask the model to actually reset the password in the security realm (e.g. a JDBC realm like MySQL) and then the view would email the temporary login information to the email address they already store for that user. And I guess you could track whether the user has to reset the password next time.
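The model-side reset step from that last post, written out as an added example that is not code from this thread or from any J2EE framework; it assumes a plain JDBC connection to a MySQL realm table `users(username, password_hash, salt, must_change_password, reset_expires)`, which is an assumed schema, and it stores only a salted PBKDF2 hash of the temporary password while flagging the account so the user must choose a new password at next login.

```java
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordResetService {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String ALPHABET =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";

    // Returns the one-time password the view then mails to the user's stored address.
    // Only its salted hash reaches the realm, so a database leak does not expose it,
    // and must_change_password forces a real password change at the next login.
    public static String resetPassword(Connection db, String username) throws Exception {
        String tempPassword = randomToken(12);
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        String hash = pbkdf2(tempPassword, salt);
        // Assumed schema; reset_expires limits how long the mailed credential is valid.
        String sql = "UPDATE users SET password_hash = ?, salt = ?, must_change_password = 1, "
                   + "reset_expires = DATE_ADD(NOW(), INTERVAL 1 HOUR) WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, hash);
            ps.setString(2, Base64.getEncoder().encodeToString(salt));
            ps.setString(3, username);
            if (ps.executeUpdate() != 1) {
                // Caller should still show the same "check your e-mail" page either way,
                // so the reset form does not reveal which usernames exist.
                throw new SQLException("no such user");
            }
        }
        return tempPassword;
    }

    private static String randomToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // PBKDF2-HMAC-SHA256 with a per-user salt; the same function verifies logins.
    static String pbkdf2(String password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return Base64.getEncoder().encodeToString(f.generateSecret(spec).getEncoded());
    }
}
```

The login check that follows should compare `pbkdf2(submitted, storedSalt)` against `password_hash`, reject the temporary credential once `reset_expires` has passed, and redirect to a change-password page while `must_change_password` is set.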