Hello friends, I'm developing an online stock trading app, where users will register with the broker, deposit a certain amount and place sell or purchase stock requests. If a user's deposit falls short of what is needed to process a sell request, an email will automatically be sent to the user to update his deposit. Credit card numbers will be used to make payments. To implement authentication and authorization I thought of using declarative security, i.e. I'll have all users with their username, password and roles defined in tomcat-users.xml, and I'll define all constrained resources, the roles that can access these resources, etc. in the Deployment Descriptor. But the problem in implementing this is that whenever a new user registers, I'll have to put him in tomcat-users.xml and redeploy the app. I also thought of sticking a database connection object in the ServletContext and later on using it for authentication and authorization, but I think this would be time consuming with respect to coding as well as the response time of the app.
In what way are users authenticated and authorized in a real web app?
And how should I go about developing the app? I mean, should I consider security aspects before I start, simultaneously with coding, or after coding?
This is more of a Tomcat-specific question, as every provider implements their authentication differently. You access them via the same API in your servlet if you use container-managed security, but the implementations are completely different.
The database solution is quite common. It is non-trivial to build, but the runtime overhead is usually not a problem. It's also common to map a user to 1..n groups and a group to 1..n rights, with an API like hasRight( userName, right ), e.g. hasRight( "Poonam", "sell" ).
LDAP is often used instead of a database because it offers fast read-mostly access. Google for LDAP security or ACL (access control list) and see what you find.
For a real life trading app (not a school exercise?) I'd get a pro involved. I might build something secure enough to keep honorable gentlemen from reading each other's data, but keeping hackers away from serious money is a different story.
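The user-to-groups-to-rights model and the hasRight( userName, right ) API described in the answer above, as an added example that is not code from the original thread. It is self-contained Java: in-memory maps stand in for the (hypothetical) users, user_groups and group_rights tables so that it runs without a database, users are registered at runtime instead of being edited into tomcat-users.xml, passwords are stored only as a salted PBKDF2 hash (an assumed choice; the thread names no hashing scheme), and the comparison is constant-time. All class, table, group and right names are assumptions for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/*
 * Added example, not from the original thread. Models the user -> group -> right
 * mapping from the answer. The maps below stand in for these hypothetical tables:
 *   users(username, salt, pwd_hash)
 *   user_groups(username, group_name)
 *   group_rights(group_name, right_name)
 */
public class TradingAuthz {
    private static final int ITERATIONS = 100_000;   // PBKDF2 work factor (assumed value)
    private static final SecureRandom RNG = new SecureRandom();

    // "users" table: username -> { salt, pbkdf2 hash }
    private final Map<String, byte[][]> users = new HashMap<>();
    // "user_groups" and "group_rights" tables
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    private final Map<String, Set<String>> groupRights = new HashMap<>();

    /** Registers a user at runtime; nothing is redeployed. Only salt + hash are stored. */
    public void register(String username, char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        users.put(username, new byte[][] { salt, pbkdf2(password, salt) });
        Arrays.fill(password, '\0');   // do not keep the cleartext around
    }

    /** Authentication: recompute the hash and compare in constant time. */
    public boolean authenticate(String username, char[] password) {
        byte[][] rec = users.get(username);
        // Hash even for unknown users so the response time does not reveal which names exist.
        byte[] salt = rec == null ? new byte[16] : rec[0];
        byte[] candidate = pbkdf2(password, salt);
        Arrays.fill(password, '\0');
        return rec != null && MessageDigest.isEqual(rec[1], candidate);
    }

    public void addUserToGroup(String username, String group) {
        userGroups.computeIfAbsent(username, k -> new HashSet<>()).add(group);
    }

    public void grantRight(String group, String right) {
        groupRights.computeIfAbsent(group, k -> new HashSet<>()).add(right);
    }

    /**
     * Authorization: the hasRight(userName, right) API from the answer. Against the
     * hypothetical tables above this is the query
     *   SELECT 1 FROM user_groups ug JOIN group_rights gr ON ug.group_name = gr.group_name
     *   WHERE ug.username = ? AND gr.right_name = ?
     */
    public boolean hasRight(String username, String right) {
        for (String g : userGroups.getOrDefault(username, Collections.emptySet())) {
            if (groupRights.getOrDefault(g, Collections.emptySet()).contains(right)) {
                return true;
            }
        }
        return false;   // deny by default
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        TradingAuthz authz = new TradingAuthz();
        // Constructed sample data: one "trader" group, one "broker" group, one user.
        authz.grantRight("trader", "buy");
        authz.grantRight("trader", "sell");
        authz.grantRight("broker", "approve");
        authz.register("Poonam", "correct horse".toCharArray());
        authz.addUserToGroup("Poonam", "trader");

        System.out.println("login ok:        " + authz.authenticate("Poonam", "correct horse".toCharArray()));
        System.out.println("login bad pwd:   " + authz.authenticate("Poonam", "wrong".toCharArray()));
        System.out.println("login no user:   " + authz.authenticate("nobody", "x".toCharArray()));
        System.out.println("Poonam sell:     " + authz.hasRight("Poonam", "sell"));
        System.out.println("Poonam approve:  " + authz.hasRight("Poonam", "approve"));
    }
}
```

Run it with `java TradingAuthz.java`. Swapping the maps for JDBC queries against the real tables keeps the same two entry points (authenticate and hasRight), which is what a servlet filter or the request handlers would call; only the data access changes, not the checks.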