Off the record

Aller au contenu | Aller au menu | Aller à la recherche

vendredi 28 mars 2008

JEE authentication best practices for the web

4 authentication methods to identify a user with JAAS over HTTP

  • basic authentication : the popup asking for login/password, not encrypting anything :-C
  • digest-authentication : same as basic, with password encryption. Not a really nice user experience (login popups remind of the 90's :( )
  • certificate based authentication : HTTPS, using SSL, secured socket layer. first the usual PKI handshake (asymetric encryption) then the usual symetric encryption for performance. (A variant of this authentication is also managed for installations providing users PKI certificates, chip card format for example)
  • form based authentication, the usual HTML form...

How do i do that?

-> form based authentication, most often used :

  • add a security constraint and a security role in web.xml :
 <security-constraint>  
     <web-resource-collection>  
       <web-resource-name>All JSP direct access</web-resource-name>  
       <url-pattern>private/*</url-pattern>  
       <http-method>POST</http-method>  
       <http-method>GET</http-method>  
     </web-resource-collection>  
     <auth-constraint>  
       <description>  
        No Access  
       </description>  
       <role-name>restricted</role-name>  
      </auth-constraint>  
   </security-constraint> 


   <security-role>  
     <description>NO Access</description>  
     <role-name>restricted</role-name>  
   </security-role> 
  • edit the web.xml file to add a login-config block :
 <login-config>  
   <auth-method>FORM</auth-method>  
   <realm-name>JAASDBRealm</realm-name>  
   <form-login-config>  
     <form-login-page>/blog.html</form-login-page>  
     <form-error-page>/blog.html</form-error-page>  
   </form-login-config>  
 </login-config> 

Then config your JAAS realm. Done. ;-)
-> Seriously. I'll complete the article later.

http://delicious.com/nicobeez/security

mercredi 26 mars 2008

Java annotations

Brief review of the Java annotations.

standard annotations
  • @Deprecated
  • @SuppressWarnings
  • @Override
meta-annotations
  • @Inherited
  • @Retention(RetentionPolicy.SOURCE / RetentionPolicy.CLASS / RetentionPolicy.RUNTIME)
  • @Target(ElementType.CONSTRUCTOR / ElementType.METHOD / ElementType.PACKAGE / ElementType. ) (Note that more than one ElementType is allowed here).
additional annotations

Here we go. Now we want to developp our own annotation. Example...

 @Documented  
 @Retention(SOURCE) 
 public @interface TODO { 
 
 	String value(); 
 	Level  level() default Level.NORMAL; 
 	public static enum Level { MINEUR, NORMAL, IMPORTANT }; 
 
 } 

This will be used as follows :

 @TODO(value="whatever message we want here describing the TODO...", level=NORMAL) 

Afterwards, we will have to tell the APT (annotation processing tool) what he is supposed to do with those annotations.
Source : http://developpez.com