This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Talk:Declarative Access Control in Java
Status
Under review
Authors
- Dave Ferguson
Reviewers
- Pierre Parrend
General Discussion
- global comment: this overview is very quick, but clear and efficient
- Introduction: a remainder of the technical context could be useful - what piece of code do one needs for executing this declarative access control: a servlet container ? a J2EE platform ?
DFerguson - I added some verbiage about JEE-compliant application servers.
- first XML excerpt: no global tag is shown. If I have a real Web App descriptor without security, in which tag should I put the given xml code ?
DFerguson - I added the web-xml root tag before and after the snippet. There is also a link to the servlet spec in the Overview section now, which is for readers who want to see the deployment descriptor in detail.
- authentication methods 'Digest' ad 'Client cert' are evoked. How can they be implemented, i.e what is required on the client side (algorithm, certificate with proper issuer) and on the server side (algorithm for digest and certificate control, access to a trusted certificate database)
DFerguson - This is not my area of expertise, so I would need more time to research, or I would accept help from someone else of course.
- 2 different 'transport guarantees' are evoked, 'integral' and 'confidential'. What specific protocols, algorithms, and data, are required ?
DFerguson - My understanding is that Integral and Confidential causes the container simply enforces SSL communication. I would need more time to research to supplement what is already there.
- SSL is evoked. a pointer toward a SSL page could be useful
DFerguson - I added a link to the OWASP SSL page, but it is just a stub and not very helpful. Any other suggestions where the link should point to?
- no extra link is given. Is it deliberate from the Owasp editor ? Where can I go and look if I need further information ?
DFerguson - other than reference material in the servlet specification and various application server documentation, I don't know where more information is available. That's one of the reasons I thought this page would be helpful. Please let me know about anything that I might be missing.
- I usually recommend storing the JSP files used for form based authentication in the WEB-INF directory. This way they cannot be accessed directly from the browser
DFerguson - I don't understand why that would improve security. What threat is mitigated by having the JSPs inaccessible from the browser?