Swing Client Vs Web application -- authentication ..

veena madhukar
Ranch Hand

Joined: Apr 28, 2006
Posts: 86
Let us say a specific functionality is to be provided both on the web as an EJB application and as a Swing application; how do we go about handling security/authentication? Any thoughts on the issues to be considered? Any useful links?

Thanks in advance, Veena
cheenu Dev
Ranch Hand

Joined: Nov 13, 2005
Posts: 276
Mostly authentication is done at the web tier, is what I saw in many books.
Authorization is done on a per-method basis in EJB.
You can also do authorization in the web tier, but security management in EJB is more powerful than in the web tier.

About Swing I have no idea.


cheenujunk@gmail.com
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42050
If you handle authentication/authorization at the EJB level, you can put any kind of client access layer (web, Swing, WS, ...) on top of it. That still leaves the question of whether declarative or programmatic security would be used, though.


Ping & DNS - my free Android networking tools app
veena madhukar
Ranch Hand

Joined: Apr 28, 2006
Posts: 86
How can authentication be done at the EJB level?
Richard Green
Ranch Hand

Joined: Aug 25, 2005
Posts: 536
Let us say a specific functionality is to be provided both on the web as an EJB application and as a Swing application; how do we go about handling security/authentication? Any thoughts on the issues to be considered? Any useful links?


We are currently building an application that uses EJB3 as the backend and JSF and Swing as the front ends.

Security checks are done in both the front end and the back end. The back end simply assumes that the front end is dumb and never trusts the front end. Before you execute any function on the back end, it checks the user's credentials and permission levels.

In addition to the security checks done in the back end, some security checks are done in the front end as well (just to maintain sanity).

For example, if a user manages to navigate to a page that he is not allowed to visit (e.g. via a bookmark), then the front end checks the user's permission level and disallows him.

Now, in the worst case that the permission levels on the front end are configured incorrectly and the user is allowed to visit a page that he is not allowed to, if the user performs an action on the page, a call is made to the back end, which checks the user's permission level and disallows the action.

So, in a nutshell your security / permission checks should be in the back end. Whatever security / permission checks you put on the front end would just complement the security checks on the back end.


MCSD, SCJP, SCWCD, SCBCD, SCJD (in progress - URLybird 1.2.1)
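An added example (not code from this thread or from Richard's project) of what "put the checks in the back end" and Ulf's "declarative or programmatic" point look like in an EJB 3 session bean. The bean does not authenticate anyone itself: the container's configured login mechanism (form/BASIC login in the web tier, the application server's JAAS client login for a Swing client) establishes the caller principal, and the bean only authorizes it, so the same rules apply whether the call arrives from JSF or Swing. `OrderServiceBean`, `Order` and the role names are assumptions for illustration.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical entity; just enough state for the example.
class Order {
    String id;
    String owner;   // principal name of the customer who placed it
    String status = "OPEN";
    Order(String id, String owner) { this.id = id; this.owner = owner; }
}

@Stateless
@DeclareRoles({"customer", "manager"})
public class OrderServiceBean {

    @Resource
    private SessionContext ctx;

    // Declarative security: the container rejects any caller not in one of
    // these roles before the method body runs, whatever the client tier.
    @RolesAllowed({"customer", "manager"})
    public void cancelOrder(Order order) {
        // Programmatic security: a rule the annotation cannot express.
        // A customer may only cancel their own order; a manager may cancel any.
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("manager") && !caller.equals(order.owner)) {
            // Same exception type the container throws for a declarative
            // failure, so front ends handle both cases the same way.
            throw new EJBAccessException(
                "caller " + caller + " is not the owner of order " + order.id);
        }
        order.status = "CANCELLED";
    }

    // Purely declarative: only managers may approve refunds. A front end that
    // wrongly shows the button to a customer still cannot get past this.
    @RolesAllowed("manager")
    public void approveRefund(Order order) {
        order.status = "REFUNDED";
    }
}
```

If the front-end permission configuration is wrong, as in Richard's worst case, the JSF page or Swing dialog may still render the action, but the call fails here with `EJBAccessException` rather than executing.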
veena madhukar
Ranch Hand

Joined: Apr 28, 2006
Posts: 86
Thank you very much. What kind of security checks are you doing in the front end? Any tools? When you say security checks are being done at the EJB level... are they declarative security checks?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42050
I have just posted a reply to the other thread you started, which delves a bit into the topic.