JavaRanch » Java Forums » Java » Servlets

Writing Secured Web applications.

pawan chopra
Ranch Hand

Joined: Jan 23, 2008
Posts: 408

Hi All,

I would like to study security in web applications using Java/J2EE, for example the security we see in banking sites. Please refer me to some articles or books on these topics.

Pawan Chopra
Abhay Agarwal
Ranch Hand

Joined: Feb 29, 2008
Posts: 1000

Secured websites like bank websites have security policies implemented at various tiers of the application (back end, front end, firewalls, etc.).

Your query is a bit unclear, but I am providing one link which covers the basics of implementing security in a web application.

Hope this helps you

~ abhay

Oracle Java Web Service Developer (1z0-897), Oracle certified Java 7 Programmer, SCJA 1.0, SCJP 5.0, SCWCD 5.0, Oracle SQL Fundamentals I
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 39534
Security is a huge subject with many facets, also involving operational and human aspects. The SecurityFaq points to much good material on various aspects of the security of information systems.

Ping & DNS - updated with new look and Ping home screen widget
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15627

The most important way to secure systems in J2EE is not to get "clever" and design your own security system. Build on an established platform. J2EE itself has a coarse-grained security system that far too many people ignore, yet it can block an awful lot of attacks before they can even reach application code to exploit it. You can then augment this with finer-grained systems such as the Spring Security framework (formerly known as acegi).

The problem with inventing your own security is that security is subtle and it only takes one weakness to invalidate it. Most of us are primarily expected to produce business functionality, but security is a full-time job in and of itself. So it only makes sense to "outsource" the job to the security professionals and use a pre-designed, pre-debugged framework.

One of my biggest peeves about Java webapp development books is that almost invariably they want to use a "login screen" as an example, and that's the beginning of trouble. Like I said, security isn't something that you can just slap in as an afterthought. I have worked in banking, insurance, and finance for a LONG time - and even seen a military app or 2, and every last one of them that tried to invent their own security was a house of cards. Most of them couldn't stand even 5 minutes in the hands of an "honest" hacker like myself, to say nothing of some truly evil people I know.

Good security should be automatic as much as possible. One of the primary benefits of the J2EE container-managed security system is that you don't have to remember to secure each and every item of code, since the URL itself is guarded from the outside. A security audit should be one of the final steps of EVERY system modification, since you only have to forget once to get eaten. Another reason why DIY security should be avoided is that it usually requires embedding security code in the business logic, and since the guy who designed the system probably got laid off 3 years ago, you have no real authority on how or when to secure code changes - unlike the industrial-grade systems whose documentation is as close as the local bookstore or product website.

There's lots more that can be said, but one final note: security isn't just for the application. Ultimately, the entire shop has to be engaged. If you have so much as one router with a weak password, someone can worm their way in. And that's not counting the human factors. Many of the most infamous exploits were pure social engineering. Plus, the supply of gruntled employees is at an all-time low.

Customer surveys are for companies who didn't pay proper attention to begin with.
pawan chopra
Ranch Hand

Joined: Jan 23, 2008
Posts: 408

Thanks everybody! I got the point that security is a huge topic, and I believe that there cannot be a single article which can teach me all of it. But I am still looking for a book which discusses various points on web security for websites like banking, etc.
Abhay Agarwal
Ranch Hand

Joined: Feb 29, 2008
Posts: 1000

Refer to this post for books on security.

~ abhay
I agree. Here's the link: