aspose file tools*
The moose likes Architect Certification (SCEA/OCMJEA) and the fly likes Security Question - Part 2 Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of EJB 3 in Action this week in the EJB and other Java EE Technologies forum!
JavaRanch » Java Forums » Certification » Architect Certification (SCEA/OCMJEA)
Bookmark "Security Question - Part 2" Watch "Security Question - Part 2" New topic
Author

Security Question - Part 2

Vignesh Murali Natarajan
Ranch Hand

Joined: Jul 24, 2006
Posts: 65

Hi,
I got the Big Smokes assignment for Part 2. One of the NFR is Security. Besides usage of SSL for all internet requests, should I also consider Authentication and Authorization? This is a B2C app and there is no mention about this in any of the use cases. Can I safely scope it out in my assumptions? If not what are the alternatives?


ThanQ,
Vignesh Murali N
www.vigneshmurali.com
SCJP(95%), SCWCD(92%), SCBCD(97%), SCDJWS(97%), SCBCD5(100%), OCMJEA
John Lincoln
Ranch Hand

Joined: Feb 11, 2003
Posts: 192
Check out Ashutosh Sharma's blog

Blog : http://scea5-passingpart2and3.blogspot.com/
Sharma Ashutosh
Bartender

Joined: Apr 06, 2001
Posts: 346
You can assume Authentication and authorization already exists(Also put this in the assumption lists). All such items goes into assumption list.
Apart from this i provided a security class(Servlet filter following intercepting filter) which will make sure all the resources(that one can access only when successfully logged in as a user) are accessed when the user is logged in. There will be some resources(pages) which is available to anybody-like the welcome list page , help , contact us page-you don't have to apply security filter for that. This security filter-one can add these resources into it...)

There are lot of other places one need to apply security-sending data(in encrypted form) to external systems via WS to avoid MITM or Replay attacks etc...


Ashutosh Sharma
SCJP 1.2, SCEA 5, Brainbench certified J2EE Developer, Documentum Certified Professional
Blog : http://scea5-passingpart2and3.blogspot.com/
Kumar Amit
Ranch Hand

Joined: Aug 13, 2001
Posts: 103
Sharma Ashutosh wrote:
There are lot of other places one need to apply security-sending data(in encrypted form) to external systems via WS to avoid MITM or Replay attacks etc...

In the assignment is it a fair assumption to document that external system's webservice supports ws-security and suD is encrypting the message using x509 certs to maintain confidentiality


SCJP, SCJD, SCEA
Kumar Amit
Ranch Hand

Joined: Aug 13, 2001
Posts: 103
Sharma Ashutosh wrote:Apart from this i provided a security class(Servlet filter following intercepting filter) which will make sure all the resources(that one can access only when successfully logged in as a user) are accessed when the user is logged in.

I also have a AuthenticationFilter (intercepting) in my application however I am struggling to show its relationship with other components (FacesServlet, JSP, Backing Beans) in component diagram. How did you depicted the same?
Sharma Ashutosh
Bartender

Joined: Apr 06, 2001
Posts: 346
On the far left-I have grouped the JSPs as per some logical grouping like Order JSPs.
Group of JSPs---<<Forward>>---><<Intercepting Filters>>---<<Forward>>--><<Controller>>

Where fonts in italics means stereotype on the "--->" arrow
Vignesh Murali Natarajan
Ranch Hand

Joined: Jul 24, 2006
Posts: 65

Sharma Ashutosh wrote:You can assume Authentication and authorization already exists(Also put this in the assumption lists). All such items goes into assumption list.
Apart from this i provided a security class(Servlet filter following intercepting filter) which will make sure all the resources(that one can access only when successfully logged in as a user) are accessed when the user is logged in. There will be some resources(pages) which is available to anybody-like the welcome list page , help , contact us page-you don't have to apply security filter for that. This security filter-one can add these resources into it...)

There are lot of other places one need to apply security-sending data(in encrypted form) to external systems via WS to avoid MITM or Replay attacks etc...



Thank you Ashutosh and John. I will note that the Authentication and Authorization modules already exist. That clears a hurdle for me. My Class diagram is already bloated with close to 65 classes and I was hesitant to add more classes to it

 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Security Question - Part 2
 
Similar Threads
SSL and Security basic questions
Security
List of Security Patterns for SCEA 5.0
spring + sec frameworks
Hi future Architects