
I need book suggestions for authentication and authorisation for a web app

 
Joe Lemmer
Ranch Hand
Posts: 171
Hi there,

I'm having to think about security for a web app for the first time and I would be grateful for any suggestions about books, or an explanation about all the technologies out there, because there seem to be sooooo many.

I am still learning Java (studying for SCJP), so I'm not using any frameworks or anything, but I want to be able to achieve the following:

1. Authentication and Authorization of my website's users. I have followed a couple of login tutorials on the internet that seem cool, but I would like to find a book that can give me a greater breadth of understanding about this particular issue (ie preferably something with sample strategies in it).

2. Each of my users may want to store information from my site. I think this will be stored in a separate MySQL table for each user, so I need to be able to configure things so that they can only access their own data. They won't be storing anything too sensitive like credit card numbers or anything, but this must be a common issue and I'd like to make sure that no-one can root about where they're not supposed to in the database. Does anybody know any good books that might explain this?

3. Is this a part of Java Web Services?

4. I'm really just hacking about trying to learn Java, Servlets and JSP, but Website security is obviously something that will come up in almost every project, so I'd like to find some entry level stuff.

I appreciate your time :-)

Cheers

Joe

PS I'm just using Tomcat.
 
Kj Reddy
Ranch Hand
Posts: 1704
In my current project we are using LDAP. Here you can find a simple blog on the same:
http://blog.mc-thias.org/?title=tomcat_ldap_authentication&more=1&c=1&tb=1&pb=1
 
Joe Lemmer
Ranch Hand
Posts: 171
Excellent. Thanks KJ. That looks really useful.

 
Dennis Labajo
Greenhorn
Posts: 27
I used Acegi Security some time back (now part of Spring). It's a good security framework with authentication / authorization (and a lot more!) and provides flexibility for you to define your own authentication provider, e.g. via user DB lookup. Maybe a little complex if you're new to Java or Spring, but definitely worth the effort to look into.

http://static.springsource.org/spring-security/site/index.html
 
Ulf Dittmer
Rancher
Posts: 42968
For starters, the SecurityFaq has a section on web apps.

For Tomcat, check out its Realm concept (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html). It ties a user DB in some form (could also be in LDAP) to the relevant concepts in the Servlet API (specifically, to HttpServletRequest.isUserInRole and HttpServletRequest.getRemoteUser). The standardized Servlet security implements a basic username/password/role concept that I've found sufficient for many applications. While there are more full-featured solutions like ACEGI, I don't recommend that you start out with those.
 
Joe Lemmer
Ranch Hand
Posts: 171
Great. Thank you to all who have replied. You've been very helpful.
 