I'm having to think about security for a web app for the first time and I would be grateful for any suggestions about books, or an explanation about all the technologies out there, because there seem to be sooooo many.
I am still learning Java (studying for SCJP), so I'm not using any frameworks or anything, but I want to be able to achieve the following:
1. Authentication and Authorization of my website's users. I have followed a couple of login tutorials on the internet that seem cool, but I would like to find a book that can give me a greater breadth of understanding about this particular issue (i.e. preferably something with sample strategies in it).
2. Each of my users may want to store information from my site. I think this will be stored in a separate MySQL table for each user, so I need to be able to configure things so that they can only access their own data. They won't be storing anything too sensitive like credit card numbers or anything, but this must be a common issue and I'd like to make sure that no one can root about where they're not supposed to in the database. Does anybody know any good books that might explain this?
3. Is this a part of Java Web Services?
4. I'm really just hacking about trying to learn Java, Servlets and JSP, but Website security is obviously something that will come up in almost every project, so I'd like to find some entry level stuff.
I used Acegi Security some time back (now part of Spring). It's a good security framework with authentication/authorization (and a lot more!) and provides flexibility for you to define your own authentication provider, e.g. via user DB lookup. It may be a little complex if you're new to Java or Spring, but definitely worth the effort to look into.
For starters, the SecurityFaq has a section on web apps.
For Tomcat, check out its Realm concept: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html. It ties a user DB in some form (could also be in LDAP) to the relevant concepts in the Servlet API (specifically, to HttpServletRequest.isUserInRole and HttpServletRequest.getRemoteUser). The standardized Servlet security implements a basic username/password/role concept that I've found sufficient for many applications. While there are more full-featured solutions like ACEGI, I don't recommend that you start out with those.
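As an added example tying the Realm answer above to item 2 of the question (this is not code from either poster): a servlet that scopes a MySQL query to the user the container authenticated, so each user only ever sees their own rows. The table notes with its owner column and the JNDI name jdbc/AppDB are assumptions for the sake of the example.

```java
import java.io.IOException;
import java.sql.*;
import java.util.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Added example: returns only the rows the logged-in user owns. The owner comes from
// the container login (Tomcat Realm), never from a request parameter the user controls.
public class MyNotesServlet extends HttpServlet {
    // Assumed schema: one shared table notes(id, owner, body), where owner = login name.
    static List<String> loadNotesFor(Connection conn, String owner) throws SQLException {
        List<String> notes = new ArrayList<>();
        // Bind the owner as a parameter so it never becomes part of the SQL text.
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT body FROM notes WHERE owner = ?")) {
            ps.setString(1, owner);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    notes.add(rs.getString("body"));
                }
            }
        }
        return notes;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String user = req.getRemoteUser(); // set by the Realm after a successful login
        if (user == null) {                 // reached without a <security-constraint>
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Assumed: jdbc/AppDB is defined as a <Resource> in Tomcat's context.xml.
        try {
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
            try (Connection conn = ds.getConnection()) {
                resp.setContentType("text/plain");
                for (String note : loadNotesFor(conn, user)) {
                    resp.getWriter().println(note);
                }
            }
        } catch (NamingException | SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

It relies on a <security-constraint> in web.xml covering the servlet's URL, so the Realm has already performed the login before doGet runs.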