JavaRanch » Java Forums » Engineering » Security
Java Security Features

Fawad Ali
Ranch Hand

Joined: Dec 28, 2009
Posts: 112
Hi All:
I do not know if it's the right forum or not for my post, so forgive my ignorance. I need to develop a Web Application to access some sensitive data. What possible security features should I implement in my application? Right now I can only think of the following 2.
  • Provide access for authenticated users with username and encrypted passwords.
  • Keep a record of the IPs of users accessing the sensitive data.


    Regards, Fawad Ali.
    Software Engineer, Stafona Inc. - My Blog
    Winston Gutkowski
    Bartender

    Joined: Mar 17, 2011
    Posts: 7552

    Fawad Ali wrote: What possible security features should I implement in my application.

    A couple of others off the top of my head:
    3. Use certificates. Thawte and Verisign work on pretty well all browsers, but you have to pay for them and they will require a pre-audit. There are free ones around, but acceptance is patchy (or used to be). Thawte used to be a lot cheaper, but it's been quite a while since I did that stuff, so you might want to read up on it.
    4. Use HTTPS and/or SSL for everything sensitive (and if you don't know what's sensitive and what isn't, assume it's ALL sensitive).

    Winston

    Tip from an old secAdmin: There are two basic paradigms for security:
    1. That which is not specifically allowed is denied.
    2. That which is not specifically denied is allowed.
    The first won't win you any friends, and may have a few teething troubles, but is MUCH easier to administer - and SAFER.
    The latter is much nicer for your users, but you'll feel like the boy with his finger in the dike.

    Isn't it funny how there's always time and money enough to do it WRONG?
    Articles by Winston can be found here
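    The two points in the post above (force TLS on everything, and deny whatever is not explicitly allowed) can both live in one servlet filter. The following is an added example written for this thread, not code posted by Winston or part of any project mentioned here. It assumes a Servlet 3.x container and Java 9+ (for Map.of), that the filter is mapped to /* in web.xml or with @WebFilter("/*"), and the path and role names in ALLOWED are made up for illustration.

```java
import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original thread).
 * (a) every request must arrive over TLS, and
 * (b) only paths listed in ALLOWED, with the role named there, get through;
 *     anything not specifically allowed is denied with a 403.
 */
public class TlsAndDefaultDenyFilter implements Filter {

    // Assumed paths and roles for illustration; use the application's own.
    private static final Map<String, String> ALLOWED = Map.of(
            "/login", "ANONYMOUS",   // reachable before authentication
            "/records", "ANALYST",   // the sensitive data
            "/admin", "ADMIN");

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. TLS only. A plain-HTTP GET is redirected; anything else is refused so
        //    a POSTed password never travels in the clear. The query string is
        //    dropped on purpose: it may already contain something sensitive.
        if (!request.isSecure()) {
            if ("GET".equals(request.getMethod())) {
                // Assumption: the TLS listener is on the default port 443.
                String secure = request.getRequestURL().toString()
                        .replaceFirst("^http://", "https://");
                response.sendRedirect(secure);
            } else {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            }
            return;
        }
        // HSTS: the browser keeps using HTTPS for this host for a year.
        response.setHeader("Strict-Transport-Security",
                "max-age=31536000; includeSubDomains");

        // 2. Default deny: a path nobody thought to protect is still refused.
        String requiredRole = ALLOWED.get(request.getServletPath());
        if (requiredRole == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!"ANONYMOUS".equals(requiredRole)
                && (request.getUserPrincipal() == null
                    || !request.isUserInRole(requiredRole))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

    Two caveats. If TLS is terminated at a load balancer or reverse proxy in front of the container, request.isSecure() will be false for every request and the filter will loop; the container then has to be told to trust the proxy's X-Forwarded-Proto header (or the redirect done at the proxy). And the container's own declarative mechanism does the TLS half too: a web.xml security-constraint on /* with a transport-guarantee of CONFIDENTIAL, which is worth using alongside or instead of the filter.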
    Ulf Dittmer
    Marshal

    Joined: Mar 22, 2005
    Posts: 41134
    Some things that come to mind, in no particular order:

    1) Encrypt any sensitive data that is stored

    2) Store passwords hashed

    3) Limit access by IP address if possible

    4) Require strong passwords, and deal with failed login attempts (maybe by limiting the number of attempts, or by exponentially increasing the time before a further attempt can be made)

    5) Defend against XSS, SQL injection and other typical attacks on web apps

    6) As much as possible use pre-existing libraries, such as Apache Shiro, instead of developing all this yourself

    7) Think about where you host this, who has access to the host system, and how to safeguard against people inside of your organization doing inappropriate things with the systems and the data

    8) Make frequent backups of everything that you keep both onsite and offsite


    Ping & DNS - my free Android networking tools app
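    Items 2 and 4 of the list above (store passwords hashed; slow down failed logins exponentially) are small enough to show end to end. This is an added example written for this thread, not code from Ulf or from any library named here. It uses only the JDK (PBKDF2WithHmacSHA256 is available from Java 8), keeps the user table and lockout state in memory for the sake of a runnable demo, and the user name and password in main are made up.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (not from the original thread): salted PBKDF2-HMAC-SHA256
 * password hashes plus an exponential per-account back-off on failed logins.
 * The maps stand in for the database a real application would use.
 */
public class Authenticator {

    private static final String ALGO = "PBKDF2WithHmacSHA256";  // JDK 8+
    private static final int ITERATIONS = 200_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final long BASE_DELAY_MS = 1_000;            // after 1st failure
    private static final long MAX_DELAY_MS = 15 * 60 * 1_000;   // cap at 15 minutes
    private static final SecureRandom RNG = new SecureRandom();

    private final Map<String, String> users = new ConcurrentHashMap<>();    // user -> stored hash
    private final Map<String, long[]> lockouts = new ConcurrentHashMap<>(); // user -> {failures, notBefore}

    /** Stored form: pbkdf2-sha256$iterations$base64(salt)$base64(hash). */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                     // fresh random salt per password
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2-sha256$" + ITERATIONS + "$" + b64.encodeToString(salt)
                + "$" + b64.encodeToString(derive(password, salt, ITERATIONS));
    }

    /** Re-derives with the stored salt and iteration count; constant-time compare. */
    public static boolean verify(char[] password, String stored) {
        String[] p = stored.split("\\$");
        if (p.length != 4 || !"pbkdf2-sha256".equals(p[0])) return false;
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] expected = b64.decode(p[3]);
        byte[] actual = derive(password, b64.decode(p[2]), Integer.parseInt(p[1]));
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGO).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();                // do not leave the password in memory
        }
    }

    // Hash of a throwaway password, verified for unknown users so that the
    // response time does not reveal which user names exist.
    private static final String DUMMY = hash("not-a-real-password".toCharArray());

    public void register(String user, char[] password) {
        users.put(user, hash(password));
    }

    /** true only if the account is not inside a back-off window and the password matches. */
    public boolean login(String user, char[] password, long nowMs) {
        long[] lock = lockouts.get(user);
        if (lock != null && nowMs < lock[1]) {
            return false;                        // locked out: do not even check the password
        }
        String stored = users.get(user);
        boolean ok = stored != null ? verify(password, stored) : verify(password, DUMMY) && false;
        if (ok) {
            lockouts.remove(user);
            return true;
        }
        int failures = lock == null ? 1 : (int) lock[0] + 1;
        long delay = Math.min(MAX_DELAY_MS, BASE_DELAY_MS << Math.min(failures - 1, 20));
        lockouts.put(user, new long[] {failures, nowMs + delay}); // 1 s, 2 s, 4 s, ... up to the cap
        return false;
    }

    public static void main(String[] args) {
        Authenticator auth = new Authenticator();
        auth.register("fawad", "correct horse battery staple".toCharArray()); // made-up credentials
        long t = 0;
        System.out.println(auth.login("fawad", "wrong".toCharArray(), t));          // false, locked 1 s
        System.out.println(auth.login("fawad", "correct horse battery staple".toCharArray(), t + 500)); // false: still locked
        System.out.println(auth.login("fawad", "correct horse battery staple".toCharArray(), t + 1500)); // true
    }
}
```

    Two things to watch when moving this out of a demo. Keying the lockout on the user name means anyone who knows a name can keep that account locked, so in practice the counter is usually combined with the source IP (item 3 above) or the delay is applied rather than a hard lock. And the state here lives in one JVM; behind several application servers it has to go into the shared database or cache, or each node will count failures separately.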
    Winston Gutkowski
    Bartender

    Joined: Mar 17, 2011
    Posts: 7552

    Ulf Dittmer wrote: 1) Encrypt any sensitive data that is stored

    Absolutely.

    @Fawad: If you have some good techies in your shop (or who you can call on for advice), this can actually be done at the kernel level on some *nixes (Debian springs to mind).

    Winston
    Diwas Pathak
    Greenhorn

    Joined: Mar 25, 2013
    Posts: 2
    Hi Everybody,
    I don't know whether this is the exact place to post my question or not, but my problem is quite serious, so I hope to get some good answers from the experts. My question is:
    Is there a way to check via Java/JSP whether my self-signed certificate is installed in my browser or not?

    Thanks in advance.