Tim Holloway wrote: Oooh, that's just BEGGING for trouble. Evidently you haven't heard me rant on this subject.
Tim Holloway wrote:
I've worked with J2EE since before JSPs were even invented, and without exception EVERY login system I've seen people create has been insecure. Most of them were massively insecure.
Security is very hard. It's a classic "weakest link" situation. One false move and the whole thing is useless. I know a lot of people who think they're clever. They've put a lot of effort into creating clever security systems, some of them for very sensitive applications. And by and large, every last stinking one of their clever systems could be bypassed in under 15 minutes. Usually, in fact, in a single URL request.
Tim Holloway wrote: The J2EE standard DEFINES a secure login system. Or, to be more accurate, a secure Authentication and Authorization system. Secure login doesn't actually mean much if any logged in user can do anything they want.
Tim Holloway wrote: This is a system that was designed, vetted, and tested by security professionals. It has worked without significant changes for over a decade now. It works primarily by taking patterns from the webapp's web.xml file and matching incoming URLs against them. If a URL matches, the container applies security to the request, and if certain minimum requirements aren't met, the URL is bounced before the application can even see it. You can't attack what you can't reach.
So, in short, my advice on how to create a secure login system is: don't. Use the one that's already there. It's been validated, debugged, and best of all, it's mostly transparent, so there's relatively little you have to do to a webapp in order to take advantage of it.
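The container-managed mechanism Tim describes, as an added web.xml example that is not part of the original post: URL patterns in a security-constraint, a role requirement, a transport requirement, and FORM login. The paths, role name and realm name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (Servlet 3.1 web.xml); paths and role names are assumed, not from the post. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Every request whose path matches /admin/* is checked by the container
       before any servlet or JSP in the app runs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- Deliberately no <http-method> elements: naming methods here would
           leave every unlisted method (e.g. HEAD, OPTIONS) unprotected. -->
    </web-resource-collection>
    <!-- Authorization: only authenticated users in the "admin" role get through. -->
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Credentials and session cookie travel only over TLS;
         plain HTTP requests are redirected to HTTPS by the container. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Belt and braces for Servlet 3.1+: reject any HTTP method that a
       constraint with <http-method> elements would otherwise leave uncovered. -->
  <deny-uncovered-http-methods/>

  <!-- Authentication: the container, not the app, handles the login form.
       The realm (users, passwords, role mappings) is configured in the server. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>AppRealm</realm-name>  <!-- assumed realm name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare each role referenced in an auth-constraint. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The login page itself only needs a form that POSTs to `j_security_check` with fields named `j_username` and `j_password`; the container performs the check, so the application never handles the password.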