
Application Security Suggestions Needed

 
K DeLucia
Ranch Hand
Posts: 68
I'm not sure if I should post this question here, or to the Tomcat forum. I have a Tomcat server and (for now) a single application that uses Java beans to log in to a backend Oracle database. Eventually there will be many applications and many users on the server. I'm going to be developing a portal-type application where there will be many application links - a different list of links depending on who is logged in. User A will see (and have access to) links A, B and C. User B will see (and have access to) links X, Y and Z. I've started poking around at some different options, but I'm not really sure what my options are and what I should be looking for. Basic authentication doesn't seem like what I want. Other than that, help! Should I be looking at Tomcat Security Realms? OpenLDAP? JAAS? j_security_check? All of the above? None of the above? Something else?

We're heading towards AD although we're not quite all the way there yet, but can I use that to authenticate access to the various applications?

Basically I just need some pointers on what to research that will do what I outlined above. Am I heading in the right direction? Any pointers on what I should be looking into would be most appreciated! Thanks!
 
Ulf Dittmer
Rancher
Posts: 42967
Basic authentication, Tomcat Security Realms, OpenLDAP, JAAS, j_security_check, AD

There's actually a fair amount of overlap in this list. j_security_check indicates form authentication which, like basic authentication, is one of the forms of web app security as defined by the servlet spec. Tomcat ties these to repositories of user information called realms. Out of the box, Tomcat ships with realms that keep the user information (usernames, passwords and roles) in files, databases, LDAP or JAAS. I believe that AD is accessible via LDAP, so that could be used as well.

Before going into more detail, does this help? Let us know if you have more specific questions (which I think is likely - it's a confusing subject when one first approaches it).
[ July 25, 2008: Message edited by: Ulf Dittmer ]
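To make the overlap in that list concrete, here is an added example (mine, not code from the thread or from the Tomcat project) of how the pieces fit together for the portal scenario in the question: the servlet-spec side lives in web.xml (FORM authentication via j_security_check, and per-URL role constraints so that links A, B, C and links X, Y, Z are guarded by different roles), and the Tomcat side lives in context.xml (a JNDIRealm that resolves users and group memberships from AD over LDAP). The role names, URL patterns, host names, DNs and the service-account password are all assumed placeholders.

```xml
<!-- WEB-INF/web.xml (added example, not from the thread): form login plus
     role-based URL constraints. Roles "group-a" and "group-b" are assumed names. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- User A's links: only principals holding role "group-a" may reach them -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Applications A, B and C</web-resource-name>
      <url-pattern>/apps/a/*</url-pattern>
      <url-pattern>/apps/b/*</url-pattern>
      <url-pattern>/apps/c/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>group-a</role-name>
    </auth-constraint>
    <!-- Require HTTPS so the form-posted password is not sent in the clear -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- User B's links: only principals holding role "group-b" -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Applications X, Y and Z</web-resource-name>
      <url-pattern>/apps/x/*</url-pattern>
      <url-pattern>/apps/y/*</url-pattern>
      <url-pattern>/apps/z/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>group-b</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form authentication: the container serves login.jsp, whose <form> must
       POST fields j_username and j_password to the relative URL j_security_check -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Portal</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role><role-name>group-a</role-name></security-role>
  <security-role><role-name>group-b</role-name></security-role>
</web-app>

<!-- META-INF/context.xml (added example): the realm that supplies the roles
     checked above. JNDIRealm authenticates against AD over LDAPS; the outer
     LockOutRealm (assumed Tomcat 7 or later) locks an account for lockOutTime
     seconds after failureCount consecutive failed logins. Host name, DNs and
     the service-account password are placeholders. -->
<Context>
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldaps://dc01.example.com:636"
           connectionName="CN=tomcat-svc,OU=Service Accounts,DC=example,DC=com"
           connectionPassword="CHANGE-ME"
           userBase="OU=Users,DC=example,DC=com"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="OU=Groups,DC=example,DC=com"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="true"/>
  </Realm>
</Context>
```

How it works: when an unauthenticated user requests /apps/a/..., Tomcat shows login.jsp; the form posts j_username and j_password to j_security_check; JNDIRealm looks the user up by sAMAccountName with the read-only service account, binds as the user to verify the password, then collects the cn of every AD group whose member attribute holds the user's DN. Those group names become the roles that `<auth-constraint>` compares against, so putting a user in the AD group named group-a grants links A, B and C and nothing else. The portal page can build its link list with `request.isUserInRole("group-a")`, which reads the same roles, but the `<security-constraint>` entries are what actually enforce access: a link that is merely hidden from the page is still reachable by anyone who knows its URL, so every application path needs a constraint.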
 
K DeLucia
Ranch Hand
Posts: 68
I've printed out a ton of information from various sources. I'll look it over this weekend and will be back with questions on Monday I'm sure. Thanks for that bit. It helps get me started!
 