This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:Declarative Access Control in Java"
From OWASP
(→Status) |
Owaspdavef (talk | contribs) |
||
| Line 12: | Line 12: | ||
* Introduction: a remainder of the technical context could be useful - what piece of code do one needs for executing this declarative access control: a servlet container ? a J2EE platform ? | * Introduction: a remainder of the technical context could be useful - what piece of code do one needs for executing this declarative access control: a servlet container ? a J2EE platform ? | ||
| + | |||
| + | ''DFerguson - I added some verbiage about JEE-compliant application servers.'' | ||
* first XML excerpt: no global tag is shown. If I have a real Web App descriptor without security, in which tag should I put the given xml code ? | * first XML excerpt: no global tag is shown. If I have a real Web App descriptor without security, in which tag should I put the given xml code ? | ||
| + | |||
| + | ''DFerguson - I added the web-xml root tag before and after the snippet. There is also a link to the servlet spec in the Overview section now, which is for readers who want to see the deployment descriptor in detail.'' | ||
* authentication methods 'Digest' ad 'Client cert' are evoked. How can they be implemented, i.e what is required on the client side (algorithm, certificate with proper issuer) and on the server side (algorithm for digest and certificate control, access to a trusted certificate database) | * authentication methods 'Digest' ad 'Client cert' are evoked. How can they be implemented, i.e what is required on the client side (algorithm, certificate with proper issuer) and on the server side (algorithm for digest and certificate control, access to a trusted certificate database) | ||
| Line 20: | Line 24: | ||
* SSL is evoked. a pointer toward a SSL page could be useful | * SSL is evoked. a pointer toward a SSL page could be useful | ||
| + | |||
| + | ''DFerguson - I added a link to the OWASP SSL page, which is a stub and not very helpful. Any other idea where the link should point to?'' | ||
* no extra link is given. Is it deliberate from the Owasp editor ? Where can I go and look if I need further information ? | * no extra link is given. Is it deliberate from the Owasp editor ? Where can I go and look if I need further information ? | ||
| + | |||
| + | ''DFerguson - other than reference material in the servlet specification and various application server documentation, I don't know where more information is available. That's one of the reasons I thought this page would be helpful. Please let me know about anything that I might be missing.'' | ||
* I usually recommend storing the JSP files used for form based authentication in the WEB-INF directory. This way they cannot be accessed directly from the browser | * I usually recommend storing the JSP files used for form based authentication in the WEB-INF directory. This way they cannot be accessed directly from the browser | ||
Revision as of 20:55, 17 March 2008
Status
Under review
Authors
- Dave Ferguson
Reviewers
- Pierre Parrend
General Discussion
- global comment: this overview is very quick, but clear and efficient
- Introduction: a remainder of the technical context could be useful - what piece of code do one needs for executing this declarative access control: a servlet container ? a J2EE platform ?
DFerguson - I added some verbiage about JEE-compliant application servers.
- first XML excerpt: no global tag is shown. If I have a real Web App descriptor without security, in which tag should I put the given xml code ?
DFerguson - I added the web-xml root tag before and after the snippet. There is also a link to the servlet spec in the Overview section now, which is for readers who want to see the deployment descriptor in detail.
- authentication methods 'Digest' ad 'Client cert' are evoked. How can they be implemented, i.e what is required on the client side (algorithm, certificate with proper issuer) and on the server side (algorithm for digest and certificate control, access to a trusted certificate database)
- 2 different 'transport guarantees' are evoked, 'integral' and 'confidential'. What specific protocols, algorithms, and data, are required ?
- SSL is evoked. a pointer toward a SSL page could be useful
DFerguson - I added a link to the OWASP SSL page, which is a stub and not very helpful. Any other idea where the link should point to?
- no extra link is given. Is it deliberate from the Owasp editor ? Where can I go and look if I need further information ?
DFerguson - other than reference material in the servlet specification and various application server documentation, I don't know where more information is available. That's one of the reasons I thought this page would be helpful. Please let me know about anything that I might be missing.
- I usually recommend storing the JSP files used for form based authentication in the WEB-INF directory. This way they cannot be accessed directly from the browser
