Application Security Suggestions Needed

K DeLucia
Ranch Hand

Joined: Apr 11, 2008
Posts: 68
I'm not sure if I should post this question here, or to the Tomcat forum. I have a Tomcat server and (for now) a single application that uses Java beans to log in to a backend Oracle database. Eventually there will be many applications and many users on the server. I'm going to be developing a portal-type application where there will be many application links - a different list of links depending on who is logged in. User A will see (and have access to) links A, B and C. User B will see (and have access to) links X, Y and Z. I've started poking around at some different options, but I'm not really sure what my options are and what I should be looking for. Basic authentication doesn't seem like what I want. Other than that, help! Should I be looking at Tomcat Security Realms? OpenLDAP? JAAS? j_security_check? All of the above? None of the above? Something else?

We're heading towards AD although we're not quite all the way there yet, but can I use that to authenticate access to the various applications?

Basically I just need some pointers on what to research that will do what I outlined above. Am I heading in the right direction? Any pointers on what I should be looking into would be most appreciated! Thanks!
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41148
Basic authentication, Tomcat Security Realms, OpenLDAP, JAAS, j_security_check, AD

There's actually a fair amount of overlap in this list. j_security_check indicates form authentication, which, like basic authentication, is one of the forms of web app security as defined by the servlet spec. Tomcat ties these to repositories of user information called realms. Out of the box, Tomcat ships with realms that keep the user information (usernames, passwords and roles) in files, databases, LDAP or JAAS. I believe that AD is accessible via LDAP, so that could be used as well.

Before going into more detail, does this help? Let us know if you have more specific questions (which I think is likely - it's a confusing subject when one first approaches it).
[ July 25, 2008: Message edited by: Ulf Dittmer ]

Ping & DNS - my free Android networking tools app
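As an added illustration of the pieces the reply above names (this is example configuration written for this page, not code from either poster or from the Tomcat project), the two fragments below show how form authentication, the servlet-spec security constraints and a Tomcat realm fit together for the "User A sees A, B, C; User B sees X, Y, Z" requirement from the question. The role names, URL patterns, hostname, bind account and directory layout are all assumptions chosen for the example; the realm attributes themselves are standard `JNDIRealm` attributes.

```xml
<!-- Fragment 1: WEB-INF/web.xml (example; role names and paths are assumed) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Users in role "portal-groupA" may reach applications A, B and C -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Group A applications</web-resource-name>
      <url-pattern>/appA/*</url-pattern>
      <url-pattern>/appB/*</url-pattern>
      <url-pattern>/appC/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>portal-groupA</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL forces HTTPS so credentials and session cookies are not sent in clear -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Users in role "portal-groupB" may reach applications X, Y and Z -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Group B applications</web-resource-name>
      <url-pattern>/appX/*</url-pattern>
      <url-pattern>/appY/*</url-pattern>
      <url-pattern>/appZ/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>portal-groupB</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM auth: the container redirects unauthenticated requests to /login.jsp,
       whose form posts j_username and j_password to j_security_check -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Portal</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role><role-name>portal-groupA</role-name></security-role>
  <security-role><role-name>portal-groupB</role-name></security-role>
</web-app>

<!-- Fragment 2: META-INF/context.xml (example; host, DNs and bind account are placeholders)
     A JNDIRealm looks users up over LDAP; the filters below are the usual ones for
     an Active Directory schema (sAMAccountName for the login name, group "member" for roles) -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.internal:636"
         connectionName="CN=tomcat-bind,OU=Service Accounts,DC=example,DC=internal"
         connectionPassword="REPLACE-WITH-BIND-PASSWORD"
         userBase="OU=Users,DC=example,DC=internal"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Groups,DC=example,DC=internal"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>
</Context>
```

With this in place the container does the authentication and the URL-level authorization; the portal page itself only needs `request.isUserInRole("portal-groupA")` to decide which links to render, and the `<security-constraint>` entries stop a user who types a link by hand from reaching an application their role does not cover. Two things to check before relying on it: the `CONFIDENTIAL` guarantee only works if an HTTPS connector is configured in `server.xml`, and the `<role-name>` values must match the `cn` of the directory groups exactly, since that is what `roleName="cn"` maps them from.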
K DeLucia
Ranch Hand

Joined: Apr 11, 2008
Posts: 68
I've printed out a ton of information from various sources. I'll look it over this weekend and will be back with questions on Monday I'm sure. Thanks for that bit. It helps get me started!