tags:

views:

686

answers:

3
+3  Q: 

Java Security Framework

Security always tends to take the last place in a new project. Or you use a framework like Spring where security is already build-in and can be switched on easily. I try to find an open security framework that can be plugged-in to both Swing and Web applications (and JavaFX?), maybe easy to digest. I looked at plain JAAS, JGuard and JSecurity but its just too complicated to get started. Any recommendations or experience to share ? I am working with NB, Glassfish and MySQL. Thanks Sven

+4  A: 

I would strongly recommend learning JAAS. It really isn't that difficult to pick up, and there are some useful tutorials and a reference guide on the Sun web site.

In my experience, JAAS is pretty widely used, so it's definitely something you'll be able to reuse once you're learnt it. It also happens to be one of the building blocks for the Glassfish authentication mechanism!

David Grant  2009-02-12 08:59:36
A: 

I am also confused : owasp java , spring acegi security, HDIV ... which one among the these will be good to go forward..?

 2009-02-12 15:39:06
A: 

I have done a similar research in JAAS for web application and has ran into a "mind roadblock" until I finally realize JAAS is a framework addressing security at a different "layer" then traditional web applications in the Java World. It is build to tackle security issues in J2SE not J2EE.

JAAS is a security framework build for securing things at a much lower level then web-application. Some example of these things are code and resources available at the JVM level, hence all these ability to set policy files in the JVM level.

However, since J2EE is build on top of J2SE, a few modules from JAAS was reuse in J2EE security such as the LoginModules and Callbacks.

On the other hand, Acegi, aka Spring Security, tackles a much higher "layer" in the securing web-application problem. It is build on top of J2EE security hence J2SE hence JAAS. Unless you are looking to secure resources in the J2SE level (classes, System resources), I don't see any real use of JAAS other than the using the common class and interfaces. Just focus on using Acegi or plain old J2EE security which solves a lot of common web application security problems.

At the end of the day, it is important to learn which "layer" of the J2EE-J2SE security issue you are tackling and choose the write tool(s) for the problem.

lsiu  2009-03-30 04:56:05
After some time looking at the options, I believe JSecurity (now called Ki (http://incubator.apache.org/ki/) is a good choice. Still under development but what I tested so far, looks promising.
devdude  2009-04-30 10:01:59

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security