• No replies
1 Post

Pinned topic Choosing the right tools and design for applying security.

‏2011-04-27T21:11:25Z |

Sorry for all the reading but before i get to my question(s) first some context.

As a .Net Developer i'm struggling to grasp java design & architecture for a project in my ever ongoing studies. Being used to its a different thing to learn to apply security in a java. I'm developing my first small server app on a windows platform.

The app should resemble something like an erp application and is spread over the people of the entire class. My part is to develop an invoicing service and deal with user management, authorisation & authentication. The invoicing service is no biggie, just needs good analysis. A simple version of usermanagement is something I could design myself but A & A and secure transmissions is not yet part of my skill set. I do know the fundamentals of networking & windows security though, just no experience on implementing such things.

So, the app will be intended as a server app for clients on a company network. Only intranet, no world wide web.
I'm thinking that the account with which the user logs in on the client should be the same account to use for the application. In other words, if user is logged into the client he has access to the application. Maybe also mention that the userdatabase should live on the server or VM where the application does.

After some studying on the web about jaas and J2EE and reading a newly bought Head First on Servlets & JSP i still am not clear on which path to choose on implementing the whole security with all the available tools and frameworks. (using servlets and JSP is a mandatory subject in the project.)

I know i can secure access to servlets by mapping access in the DD. There is jaas for secure networking. And then there's also J2EE security. I can't yet see how it all fits together, or doesn't, and i need to know this before i can go deeper into any of the 3 or others.

Would i need to design any model as connection to the application or can all be done with setup and configuration. I mean is it like working with a database, you setup the rdbms server (local instance), configure connections and CRUD's and it works. But after that u must create a design around your database access as a datalayer for the application's architecture.

How does this go with connecting application security with remote access to user accounts from the company network. And if possible in such a way that it could be host-OS independent. Am i making sense with this or is it faulty? The project will get in production but for my own experiences i want to deliver something that is usable. The more i learn the better.

Feel free to suggest any solution in a nutshell or the right path for me to follow because as always the time is short and i don't see an out of the box solution :-)

Many thanks in advance.