
Java Security Features

Fawad Ali
Ranch Hand

Joined: Dec 28, 2009
Posts: 115
Hi All:
I do not know if it's the right forum or not for my post, so forgive my ignorance. I need to develop a Web Application to access some sensitive data. What possible security features should I implement in my application? Right now I can only think of the following 2.
  • Provide access for authenticated users with username and encrypted passwords.
  • Keep a record of the IPs of users accessing the sensitive data.

Regards, Fawad Ali.
Software Engineer, Stafona Inc. - My Blog
    Winston Gutkowski

    Joined: Mar 17, 2011
    Posts: 8927

    Fawad Ali wrote: What possible security features should I implement in my application?

    A couple of others off the top of my head:
    3. Use certificates. Thawte and Verisign work on pretty well all browsers, but you have to pay for them and they will require a pre-audit. There are free ones around, but acceptance is patchy (or used to be). Thawte used to be a lot cheaper, but it's been quite a while since I did that stuff, so you might want to read up on it.
    4. Use HTTPS and/or SSL for everything sensitive (and if you don't know what's sensitive and what isn't, assume it's ALL sensitive).

    Tip from an old secAdmin: There are two basic paradigms for security:
    1. That which is not specifically allowed is denied.
    2. That which is not specifically denied is allowed.
    The first won't win you any friends, and may have a few teething troubles, but is MUCH easier to administer - and SAFER.
    The latter is much nicer for your users, but you'll feel like the boy with his finger in the dyke.

    Bats fly at night, 'cause they aren't we. And if we tried, we'd hit a tree -- Ogden Nash (or should've been).
    Articles by Winston can be found here
    Ulf Dittmer

    Joined: Mar 22, 2005
    Posts: 42965
    Some things that come to mind, in no particular order:

    1) Encrypt any sensitive data that is stored

    2) Store passwords hashed

    3) Limit access by IP address if possible

    4) Require strong passwords, and deal with failed login attempts (maybe by limiting the number of attempts, or by increasing exponentially the time until a further attempt can be made)

    5) Defend against XSS, SQL injection and other typical attacks on web apps

    6) As much as possible use pre-existing libraries, such as Apache Shiro, instead of developing all this yourself

    7) Think about where you host this, who has access to the host system, and how to safeguard against people inside of your organization doing inappropriate things with the systems and the data

    8) Make frequent backups of everything that you keep both onsite and offsite
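A worked illustration of items 2 and 4 from this list (storing passwords hashed, and making the wait after each failed login grow exponentially), added here as an example; it is not code from the thread or from any poster. It assumes the JDK's built-in PBKDF2WithHmacSHA256 and uses in-memory maps as a stand-in for the real user store:

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not from the thread: in-memory maps stand in for a real user store.
public class LoginStore {
    private static final int ITERATIONS = 120_000;   // tune so one hash takes ~100 ms
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> stored = new HashMap<>();     // "iters:salt:hash" (Base64)
    private final Map<String, Integer> failures = new HashMap<>();
    private final Map<String, Long> lockedUntil = new HashMap<>();  // epoch millis

    public void register(String user, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                            // fresh random salt per user
        Base64.Encoder b64 = Base64.getEncoder();
        stored.put(user, ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(pbkdf2(password, salt, ITERATIONS)));
    }

    /** True only if the account is not locked out and the password matches the stored hash. */
    public boolean login(String user, char[] password, long nowMillis) throws GeneralSecurityException {
        if (nowMillis < lockedUntil.getOrDefault(user, 0L)) return false;   // still locked
        String[] parts = stored.getOrDefault(user, "").split(":");
        if (parts.length != 3) { recordFailure(user, nowMillis); return false; } // unknown user
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        if (MessageDigest.isEqual(expected, actual)) {  // constant-time comparison
            failures.remove(user);
            lockedUntil.remove(user);
            return true;
        }
        recordFailure(user, nowMillis);
        return false;
    }

    // Each consecutive failure doubles the wait: 1 s, 2 s, 4 s, ... capped at 1024 s.
    private void recordFailure(String user, long nowMillis) {
        int n = failures.merge(user, 1, Integer::sum);
        lockedUntil.put(user, nowMillis + (1000L << Math.min(n - 1, 10)));
    }

    private static byte[] pbkdf2(char[] pw, byte[] salt, int iters) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iters, 256);
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        finally { spec.clearPassword(); }               // scrub the password chars
    }
}
```

The unknown-user branch returns faster than a wrong-password one; hashing a dummy value there before returning closes that timing difference.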

    Winston Gutkowski

    Joined: Mar 17, 2011
    Posts: 8927

    Ulf Dittmer wrote: 1) Encrypt any sensitive data that is stored

    @Fawad: If you have some good techies in your shop (or who you can call on for advice), this can actually be done at the kernel level on some *xes (Debian springs to mind).

    Diwas Pathak

    Joined: Mar 25, 2013
    Posts: 2
    Hi Everybody,
    Don't know whether this is the exact place to post my question or not, but my problem is quite serious, so I hope to get some good answers from the experts. My question is as follows:
    Is there a way to check via Java/JSP if my self-signed certificate is installed in my browser or not?

    Thanks in advance.