
Secure a Web application, Java-style

Use Java's multiple-layer security implementation to protect your Web


Authorize the user for back-office integration

At this point, you have successfully authenticated the user to the Web system. Assuming that most business applications on the Web will want to integrate with back-office systems, you can consider a further security step if you desire.

Earlier in the article, I discussed the EJB security model. That discussion showed that each bean can have a username/password combination assigned to the methods it contains. You can use this to restrict the use of a bean's methods to certain Web applications. In other words, the extranet application can access methods related to the supply chain but not methods related to internal pay scales.

How does this apply to this example? You can add a further security check to ensure that Web users are mapped, based on their usernames, either to individual back-office users or to user categories (for example, basic to advanced). One way to do this is to maintain a mapping from the current user to that user's (or that user group's) back-office login information. The system retrieves that mapping and populates the User object with the resulting username/password combination. This technique protects the back-office systems against a failure in the protection of a given screen. For example, if a user were able to reach an administration page because of a typo or an error in the code, he or she would still fail to authorize against the EJB that manages the other system users.

These additional authorization steps are left to the reader for investigation.
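As an added illustration that is not code from the article, the following plain-Java sketch shows the mapping step and the second check it provides. The `User`, `BackOfficeLogin` and `BackOfficeAuthz` classes, the sample mapping entries, and the `authorizeBeanMethod` stand-in for the container's EJB method permissions are all assumptions, since the article names none of them.

```java
import java.util.HashMap;
import java.util.Map;

// Web-tier user object, populated after Web authentication (hypothetical class).
class User {
    final String webUsername;
    String backOfficeUser;      // set by the mapper; stays null if no mapping exists
    String backOfficePassword;  // back-office credential the article says to populate
    String backOfficeGroup;     // user category, e.g. "basic" or "advanced"

    User(String webUsername) { this.webUsername = webUsername; }
}

// One mapping row: the back-office login and category a Web user maps to.
class BackOfficeLogin {
    final String user, password, group;
    BackOfficeLogin(String user, String password, String group) {
        this.user = user; this.password = password; this.group = group;
    }
}

public class BackOfficeAuthz {
    // Constructed sample mapping; a real system would read this from a protected store.
    private static final Map<String, BackOfficeLogin> MAPPING = new HashMap<>();
    static {
        MAPPING.put("alice", new BackOfficeLogin("bo_alice", "PLACEHOLDER", "advanced"));
        MAPPING.put("bob",   new BackOfficeLogin("bo_basic", "PLACEHOLDER", "basic"));
    }

    // Look up the Web user's back-office identity and copy it into the User object.
    // Returns false when the Web user has no back-office mapping at all.
    static boolean populateBackOfficeIdentity(User u) {
        BackOfficeLogin login = MAPPING.get(u.webUsername);
        if (login == null) return false;
        u.backOfficeUser = login.user;
        u.backOfficePassword = login.password;
        u.backOfficeGroup = login.group;
        return true;
    }

    // Stand-in for the container's method permission check: the bean method that
    // manages other users is open only to the "advanced" category. An unmapped user
    // is refused outright, so a wrongly reachable admin screen still gets nowhere.
    static boolean authorizeBeanMethod(User u, String method) {
        if (u.backOfficeGroup == null) return false;
        if ("manageUsers".equals(method)) return "advanced".equals(u.backOfficeGroup);
        return true;
    }
}
```

Calling `populateBackOfficeIdentity` on a `User("bob")` and then `authorizeBeanMethod(bob, "manageUsers")` shows the refusal for a basic-category user; a `User("mallory")` with no mapping is refused before any category check.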

Conclusion

Securing a Web system is a major requirement for the development team. This article has put forth a security scheme that leverages the code developed by Sun Microsystems to secure objects in Java. Although this simple approach uses an access control list to regulate user access to protected features, you can expand it based on the requirements of your user community to support additional feature-level variations or user information.

Additional enhancements could include XML support and the migration of the code from a simple object making SQL calls to a bean, possibly even an entity bean.

Much of the discussion put forth in this article stems from the J2EE specification. Currently the containers do not provide a security mechanism such as the one presented here. However, as the containers continue to mature, implementations of both basic and form-based authentication may become available. In addition, a J2EE server without much customization may support the EJB mapping described earlier in the article. Java also provides other security mechanisms, ranging from digital signatures to the JAAS specification, that can be used to protect the class files against unauthorized access.

A simple security approach can minimize your system development time and your vulnerability to malicious attack, while allowing for expanded features with minimal coding effort. As many companies just relearned, however, software alone cannot secure a Web site against all forms of attack.

About the author

Michael Cymerman is a consultant specializing in the development of Java/Internet software solutions. He provides Java-based architecture, design, and development solutions to Fortune 500 companies.