I need book suggestions for authentication and authorisation for a web app

Joe Lemmer
Ranch Hand

Joined: Oct 24, 2008
Posts: 171
Hi there,

I'm having to think about security for a web app for the first time and I would be grateful for any suggestions about books, or an explanation about all the technologies out there, because there seem to be sooooo many.

I am still learning Java (studying for SCJP), so I'm not using any frameworks or anything, but I want to be able to achieve the following:

1. Authentication and Authorization of my website's users. I have followed a couple of login tutorials on the internet that seem cool, but I would like to find a book that can give me a greater breadth of understanding about this particular issue (ie preferably something with sample strategies in it).

2. Each of my users may want to store information from my site. I think this will be stored on a separate mySQL table for each user, so I need to be able to configure things so that they can only access their own data. They won't be storing anything too sensitive like credit card numbers or anything, but this must be a common issue and I'd like to make sure that no-one can root about where they're not supposed to in the database. Does anybody know any good books that might explain this?

3. Is this a part of Java Web Services?

4. I'm really just hacking about trying to learn Java, Servlets and JSP, but Website security is obviously something that will come up in almost every project, so I'd like to find some entry level stuff.

I appreciate your time :-)

Cheers

Joe

PS I'm just using Tomcat.


OCPJP 85%
Kj Reddy
Ranch Hand

Joined: Sep 20, 2003
Posts: 1704
In my current project we are using LDAP. Here you can find a simple blog on the same:
http://blog.mc-thias.org/?title=tomcat_ldap_authentication&more=1&c=1&tb=1&pb=1
Joe Lemmer
Ranch Hand

Joined: Oct 24, 2008
Posts: 171
Excellent. Thanks KJ. That looks really useful.

Dennis Labajo
Greenhorn

Joined: Dec 12, 2009
Posts: 27
I used Acegi Security some time back (now part of Spring). It's a good security framework with authentication / authorization (and a lot more!) and provides flexibility for you to define your own authentication provider, e.g. via user DB lookup. It may be a little complex if you're new to Java or Spring, but definitely worth the effort to look into.

http://static.springsource.org/spring-security/site/index.html
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41123
For starters, the SecurityFaq has a section on web apps.

For Tomcat, check out its Realm concept (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html). It ties a user DB in some form (could also be in LDAP) to the relevant concepts in the Servlet API (specifically, to HttpServletRequest.isUserInRole and HttpServletRequest.getRemoteUser). The standardized Servlet security implements a basic username/password/role concept that I've found sufficient for many applications. While there are more full-featured solutions like ACEGI, I don't recommend that you start out with those.


Ping & DNS - my free Android networking tools app
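A small worked example of the approach Ulf describes (added here, not code from the thread or from Tomcat): a servlet running under Tomcat's container-managed security that uses getRemoteUser and isUserInRole, and scopes its database query to the authenticated user, which is what Joe's point 2 asks for. It assumes a web.xml <security-constraint> covering the servlet's URL, a Realm whose users carry the role "member", a JNDI DataSource named jdbc/NotesDB, a single user_notes table with an owner column (one table per user is Joe's idea, not required), and Java 7 or later.

```java
// Added example: container-managed security in a plain servlet on Tomcat.
// Assumptions: web.xml protects this URL with a <security-constraint>,
// the Realm assigns the role "member", the JNDI name jdbc/NotesDB and the
// table user_notes(id, owner, body) are made up for this example.
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class NotesServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller against the Realm.
        // getRemoteUser() is null only when the URL is not behind a constraint,
        // so treat that as a misconfiguration and refuse rather than continue.
        String user = req.getRemoteUser();
        if (user == null || !req.isUserInRole("member")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        try {
            DataSource ds = (DataSource) new InitialContext()
                    .lookup("java:comp/env/jdbc/NotesDB"); // assumed JNDI name
            // One shared table with an owner column, filtered by the username
            // the container supplied, never by a value taken from the request.
            try (Connection c = ds.getConnection();
                 PreparedStatement ps = c.prepareStatement(
                     "SELECT id, body FROM user_notes WHERE owner = ?")) {
                ps.setString(1, user);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        out.println(rs.getInt("id") + ": " + rs.getString("body"));
                    }
                }
            }
        } catch (NamingException | SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

The same pattern (owner column bound from getRemoteUser) applies to INSERT, UPDATE and DELETE, so a logged-in user can never name another user's rows in a request.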
Joe Lemmer
Ranch Hand

Joined: Oct 24, 2008
Posts: 171
Great. Thank you to all who have replied. You've been very helpful.