JavaRanch » Java Forums » Products » Tomcat

Application Security Suggestions Needed

K DeLucia
Ranch Hand

Joined: Apr 11, 2008
Posts: 68
I'm not sure if I should post this question here, or to the Tomcat forum. I have a Tomcat server and (for now) a single application that uses JavaBeans to log in to a backend Oracle database. Eventually there will be many applications and many users on the server. I'm going to be developing a portal-type application where there will be many application links - a different list of links depending on who is logged in. User A will see (and have access to) links A, B and C. User B will see (and have access to) links X, Y and Z. I've started poking around at some different options, but I'm not really sure what my options are and what I should be looking for. Basic authentication doesn't seem like what I want. Other than that, help! Should I be looking at Tomcat Security Realms? OpenLDAP? JAAS? j_security_check? All of the above? None of the above? Something else?

We're heading towards AD although we're not quite all the way there yet, but can I use that to authenticate access to the various applications?

Basically I just need some pointers on what to research that will do what I outlined above. Am I heading in the right direction? Any pointers on what I should be looking into would be most appreciated! Thanks!
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
Basic authentication, Tomcat Security Realms, OpenLDAP, JAAS, j_security_check, AD

There's actually a fair amount of overlap in this list. j_security_check indicates form authentication which, like basic authentication, is one of the forms of web app security as defined by the servlet spec. Tomcat ties these to repositories of user information called realms. Out of the box, Tomcat ships with realms that keep the user information (usernames, passwords and roles) in files, databases, LDAP or JAAS. I believe that AD is accessible via LDAP, so that could be used as well.

Before going into more detail, does this help? Let us know if you have more specific questions (which I think is likely - it's a confusing subject when one first approaches it).
[ July 25, 2008: Message edited by: Ulf Dittmer ]
K DeLucia
Ranch Hand

Joined: Apr 11, 2008
Posts: 68
I've printed out a ton of information from various sources. I'll look it over this weekend and will be back with questions on Monday I'm sure. Thanks for that bit. It helps get me started!