Security is something that no application can afford to ignore, and it is a particularly large challenge for web applications. A web application deployed on the Internet is subject to potential attack from anywhere, whereas an application contained on an internal intranet has at least fewer locations from which it is vulnerable to attack (usually). The HTTP protocol, which most web applications rely on, was not intended as a secure or session-oriented protocol at all. . . .
Security is something that no application can afford to ignore, and it is a particularly large challenge for web applications. A web application deployed on the Internet is subject to potential attack from anywhere, whereas an application contained on an internal intranet has at least fewer locations from which it is vulnerable to attack (usually). The HTTP protocol, which most web applications rely on, was not intended as a secure or session-oriented protocol at all. As a result, web applications must make use of a number of techniques to layer security onto this protocol. Those of who are not in the business of wheel-reinventing will immediately look about for a framework, preferably based on existing standards, to provide these services for us. Sometimes, however, no one framework is a perfect fit for the job at hand. We might want some of the features of one framework, but other features that are only available in another. In this article we'll use as a backdrop for our discussion an open source project designed for just such a purpose, the Keel meta-framework. Its security design is a practical example of a security structure that can be applied to many different projects.

Authentication

The first step in figuring out what someone is allowed to do is to figure out who they are, in a provable manner. Java provides the Java Authentication and Authorization Service (JAAS) API for just this purpose. By selecting and configuring the proper LoginModule (or modules, as more than one can be used) we can easily take advantage of a substantial number of different authentication mechanisms, including LDAP, Microsoft's Active Directory (which is close but not quite LDAP-compliant), file-based and even database-based authentication. Open source LoginModule implementations exist for all of these options, as well as for many more. Multiple LoginModules can even be used to request the user authenticate themselves by more than one means - perhaps a passphrase and a biometric signature, for example.

Ideally, we will use a existing component to provide the front-end for JAAS's LoginModules (which are UI-independent), enabling us to verify the identity of our users with little or no actual coding required. Many frameworks also provide all of the trimmings needed for a complete authentication solution, including a way for a user to request a new password, verify their email address, and other similar operations.

The link for this article located at ebcvg.com is no longer available.