JavaRanch » Java Forums » Java » Servlets
about XML security

Calanthe Wei
Ranch Hand

Joined: Oct 27, 2001
Posts: 42
Hi,
I have a question about XML security. I want to set up a login servlet and want to use an XML file to process data (the user login name and password) instead of a database. But I was told that using XML could cause security problems.
Can anyone give me some idea about it? Because I will use XML to handle other data once the user logs in. Is there any way to avoid such security problems?
Thank you very much in advance.
Calanthe
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
The only security problem I can think of is that you won't need a password to read the file like you would for a database. Seems to me that if the XML file is stored somewhere that the web server can't "see" it you won't have a problem.
Bill
Calanthe Wei
Ranch Hand

Joined: Oct 27, 2001
Posts: 42
Hi, Bill
Thank you very much!
Would you please tell me the difference between these two methods, I mean the login data stored in a database or in an XML file? Which one is better?
Thanks again.
Calanthe
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
Yow! What an open-ended question! Right off the top of my head, these are the questions I would ask a commercial client (@ $100/hr):
How many users?
How much data per user?
How frequent the access?
Do you already have a database running?
How familiar are you with database operations (i.e., JDBC)?
How familiar are you with XML operations (i.e., JAXP, etc.)?
What kind of system does it have to run on?
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

If you are using your servlet container's built-in security capabilities, then you frequently have the choice to use either a file-based (and probably XML file) solution, or use a database solution.

See here for links on Tomcat's realm configuration
http://www.coderanch.com/t/81728/Tomcat/do-make-tomcat-users-more

But even if you are using a built-in security model, or building your own, as William showed you, the 'best' option is really a matter of *lots* of different things.

XML seems easy. It doesn't require anything other than a file placed in the location your login servlet expects it to be, and it's easy to update.

But it's a *security* thing. Anyone with administrative access to your servlet container will be able to open the file in a text viewer and observe *everyone's* plain-text usernames and passwords.

Databases are more secure, but perhaps more of a pain to set up.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12769
    
    5
Good points, Mike, but you don't HAVE to store the passwords as plaintext. Java has lots of encryption, message signing, etc. classes in the java.security package that could be used to compute some characteristic string derived from the user id and password, to be stored in the XML.
Unfortunately I have not used any of these, so I can't say which would be best.
The disadvantage of this approach is that NOBODY can recover the password if the user forgets it.
Bill
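The approach Bill describes, as an added example that is not code from the thread or from any poster: a small XML-backed credential store that keeps a per-user random salt and a PBKDF2 hash instead of the plaintext password Mike warned about, so an administrator reading the file sees only non-reversible hashes. The class name, file layout, element and attribute names and the iteration count are my own choices; I use PBKDF2WithHmacSHA256 from javax.crypto (shipped with the JDK alongside java.security) rather than a bare MessageDigest, because a slow, salted key-derivation function is what password storage calls for. The parser is also configured to refuse DOCTYPE declarations, so a tampered store file cannot pull in external entities.

```java
// Added example (not from the thread): XML credential store holding salted PBKDF2 hashes.
// Class, file layout, attribute names and cost parameters are my own assumptions.
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class XmlUserStore {
    private static final int ITERATIONS = 210_000;   // PBKDF2-HMAC-SHA256 work factor (assumed value)
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    private final Path file;   // keep this file OUTSIDE the web application's document root

    public XmlUserStore(Path file) { this.file = file; }

    /** Derives the stored value from the password; the password itself never reaches the XML. */
    static byte[] derive(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    public void addUser(String name, char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                       // fresh random salt per user
        byte[] hash = derive(password, salt, ITERATIONS);
        Arrays.fill(password, '\0');               // drop the secret from memory as soon as possible

        Document doc = load();
        Element user = doc.createElement("user");
        user.setAttribute("name", name);
        user.setAttribute("salt", Base64.getEncoder().encodeToString(salt));
        user.setAttribute("hash", Base64.getEncoder().encodeToString(hash));
        user.setAttribute("iterations", Integer.toString(ITERATIONS));  // stored so the cost can be raised later
        doc.getDocumentElement().appendChild(user);
        save(doc);
    }

    public boolean verify(String name, char[] password) throws Exception {
        try {
            NodeList users = load().getElementsByTagName("user");
            for (int i = 0; i < users.getLength(); i++) {
                Element u = (Element) users.item(i);
                if (!u.getAttribute("name").equals(name)) continue;
                byte[] salt = Base64.getDecoder().decode(u.getAttribute("salt"));
                byte[] expected = Base64.getDecoder().decode(u.getAttribute("hash"));
                int iterations = Integer.parseInt(u.getAttribute("iterations"));
                byte[] actual = derive(password, salt, iterations);
                return MessageDigest.isEqual(expected, actual);   // constant-time comparison
            }
            return false;   // unknown user looks the same to the caller as a wrong password
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    private Document load() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPEs so a modified store file cannot declare external entities (XXE).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) { return db.parse(in); }
        }
        Document doc = db.newDocument();           // first run: start an empty <users/> document
        doc.appendChild(doc.createElement("users"));
        return doc;
    }

    private void save(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        try (OutputStream out = Files.newOutputStream(file)) {
            t.transform(new DOMSource(doc), new StreamResult(out));
        }
    }

    public static void main(String[] args) throws Exception {
        Path store = Files.createTempFile("users", ".xml");   // demo only; real deployments pick a path outside the webapp
        XmlUserStore users = new XmlUserStore(store);
        users.addUser("calanthe", "correct horse".toCharArray());   // constructed sample credentials
        System.out.println("right password: " + users.verify("calanthe", "correct horse".toCharArray()));
        System.out.println("wrong password: " + users.verify("calanthe", "guess".toCharArray()));
        System.out.println(Files.readString(store));   // shows only name, salt, hash and iterations
    }
}
```

Because only the derived hash is kept, a forgotten password can be reset but never recovered, which is exactly the trade-off Bill points out above; the stored iteration count lets you raise the work factor for new accounts without breaking verification of old ones.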
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

You're right, they don't have to be plain text. But I would argue that if you're going to do that, then why not save yourself the pain of doing all that code, when:
a) containers provide security through more secure realms, and will do crypto for you if you insist on files.
b) Oracle can do encryption for you.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: about XML security