Exposing only certain parts of the web application over the internet - java

I have a j2ee web application that is typically accessed over the intranet.
I have a requirement to have only a small set of web pages in the application exposed over the internet. There isn't a large set of users who need the internet access. I don't really want to expose the whole application as is over the internet, since it has some other sensitive data. I'd like to add an extra layer of access restriction/security on top (even though the application has role-based access). What would be a good way to achieve that?
Some options that come to mind are below (I haven't given too much thought to it yet):
- Figure out something in Apache (our web server) to restrict access to only a certain set of URLs in the application. Not sure if something like that is supported out of the box or with some modules.
- Mark internet-based requests with some attribute in Apache, and in the application layer use Spring Security to restrict access.
- Use something like a Citrix server to allow indirect access to the application through a virtual desktop. I wonder if this is easier said than done and if it's really buying me anything.
- Build another web application that acts as a proxy to my large application for those limited web pages. Initial thought: this sounds like too much work.
Your thoughts? Any better options, different products?

I would recommend using Spring MVC.
As you already have role-based access in your application, it should be quite easy to develop controllers which will render the JSPs that are relevant to the logged-in user.
Though Spring MVC is a proven and robust framework, compare the effort that you need to put in for Spring MVC integration with other solutions.
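As an added example (not code from the asker or the answer), a servlet filter that combines options 1 and 2 from the question: the internet-facing Apache marks the requests it forwards with a header, and the application lets those requests reach only a short allow-list of paths. The header name X-Forwarded-Zone, the allowed prefixes and the mod_headers directive quoted in the comment are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Lets internet-originated requests reach only an allow-list of paths.
 * Assumed Apache setup (mod_headers): the internet-facing vhost does
 *   RequestHeader set X-Forwarded-Zone internet
 * "set" overwrites any client-supplied value, so an internet client cannot claim to be
 * on the intranet; the intranet vhost sets "intranet". The app server must accept
 * connections only from these Apache instances, otherwise the header proves nothing.
 */
public class InternetExposureFilter implements Filter {
    static final String ZONE_HEADER = "X-Forwarded-Zone"; // assumed header name
    // Context-relative prefixes reachable from the internet (assumed; all end in "/").
    static final String[] PUBLIC_PREFIXES = {"/public/", "/static/"};

    /** Fail closed: anything not marked "intranet" is treated as an internet request. */
    static boolean isAllowed(String zone, String path) {
        if ("intranet".equals(zone)) return true;
        // Traversal segments or path parameters (";jsessionid=...") never pass as public.
        if (path == null || path.contains("..") || path.contains(";")) {
            return false;
        }
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // servletPath + pathInfo is the decoded, context-relative path the container resolved.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (isAllowed(request.getHeader(ZONE_HEADER), path)) {
            chain.doFilter(req, res);
        } else { // 404 rather than 403: do not confirm to the internet that the path exists
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to `/*` in web.xml ahead of the application's own filters; the role-based checks already in the application still apply to whatever the filter lets through.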

Related

Convert Swing Application to 3tier application

After one year I have finished the development of my application.
Now, when searching the internet, I got new knowledge about 3-tier applications.
My application runs on a 2-tier architecture (standalone application connecting directly to the database server).
My application is developed using:
- Java SE (Swing).
- MySQL Server as database server.
I want to reconstruct my application to be a 3-tier application (client-server).
- What technology do I have to use?
- What do I have to change within my current code?
- The application will run on a network; there will be many concurrent users who will use the application accessing the database (insert, update, delete, etc.).
There are two main approaches. The first involves rewriting the client in HTML/JavaScript with help from one of the many available frameworks (Struts, Spring, Java Server Faces, etc.) Unless you specifically prefer a web application to a Swing application, or your user interface is a very thin layer on top of your business logic, then this is a costly approach.
The second approach involves inserting a server between your user interface and your database. Open source Java-based servers include Jetty, Tomcat, Spring, JBoss/WildFly and GlassFish.
If your code is structured in layers so that the user interface, the business logic and the data access code belong to separate layers, then converting from a two-tier system to a three-tier system should be straightforward once you understand the capabilities of your chosen mid-tier server and how to use them.
The basic technique is:
- All user interface/Swing code remains on the client.
- All business logic moves to the middle-tier server. The client talks to the business logic using a remote protocol.
- All data access code is moved to the server.
Dependency Injection is useful to perform this refactoring step-by-step and also allow you to choose between working in two-tier or three-tier mode if that is needed.
The three main differences between a two-tier and three-tier application are:
- Security - there is a new access point into your system. You need to be careful about the access rights it has to the database - do you have one server user that can do everything, or does each user need to use their own connection credentials? You also need to secure the server correctly and be careful not to add security holes in your mid-tier API.
- Remote access - some method calls that were previously made within the same process are now made across the network. Server APIs generally need to support less fine-grained operations than local APIs, and the amount of data shipped as arguments and return values may also need to be managed.
- The structure of your application becomes more important. The code isn't necessarily very different, but it will need to be organised into different layers.
Java EE is your answer. You could choose a framework like Hibernate/Spring/Struts to build a 3-tier architecture (MVC). You would also need to make a choice for a servlet container. Apache Tomcat should be a good choice.
It would be nice if you could post a little more detail, like the complexity, purpose, etc. of your application.

Should I make a Web Service with REST

I have made a web application that administrates questions for a quiz. The web content is divided into two pieces: one administrating part, and one public part. These interfaces are made for desktop web browsers.
Now, I want mobile devices to be able to browse these questions (with the look and feel of an application).
So I thought of two ways I could do it: just add another folder in the web content named mobile, make a custom interface for mobile phones, and just add a WebView with that URL in Android/iOS etc.
Or, make a Web Service using REST and make a new web application that is independent of the question project and acts just as a client of it using the REST services.
Does one of the approaches above seem reasonable, or are there other better ways of doing it?
Update
This is a project made with EJB and JSF. Should I just add a folder in the JSF project and point mobile phones to that?
This is a typical MVC application where you need to have two types of views:
- HTML view for your browser-based clients
- XML view for mobile applications (achievable by REST as you mentioned).
I would suggest having a native mobile application which would talk to the web server via REST APIs.
Not sure which framework you are using here, but most MVC frameworks will allow you to create XML views (please check the Struts2 REST plugin).
Now the overall idea/design should be:
- The web controllers/Actions talk to delegates
- The delegates in turn talk to DAOs
- DAOs talk to the database.
You will have different controllers for different end users (HTML for browsers/XML for mobile).
Check out ft.com on your iPad; maybe an Android-powered tablet might work as well. I believe this website will demonstrate the richness of HTML5/CSS3-based applications.
On the other side there are certain advantages of making native applications, but the problem is that you will have to create your app multiple times for different kinds of platforms.
There is one solution to the problem above: you can use something similar to Appcelerator Titanium, where you will do your coding in JavaScript and their cross compiler will create native apps for you. If nothing else, it's worth looking at once.

Java Backend/Server design setup

This is a very beginner question. I have tried to search for advice but am overwhelmed by the amount of information and would like some help with ideas on approaches to server design or what to search for!
What I would like to set up is a backend server that provides search capabilities and business logic and validation across some fairly basic data. It won't get too large.
I would then like to be able to plug in a website as a front end, or a mobile app, or a Facebook app, or even a desktop app.
My question is: what is the best way for front ends to hook into the backend? I would like to have various user accounts with permission levels, so authorisation would be important.
I generally only code as a hobby, so whilst technically I have built a Spring-based website before, the exact semantics of the client-server relationship weren't clear to me. Now I want to separate the backend so that it is completely agnostic of how the data is displayed or entered and can run on a separate machine.
Thanks,
Rob
There are a ton of options. I had good experience with Apache CXF REST services (logic encapsulated in Java beans, Spring configuration) and Pico web remoting (more exotic, but also a REST service, with plain Java objects providing business logic).
If you are already using Spring, I would recommend sticking with CXF - it integrates seamlessly (and is Spring-configured itself).

Java Desktop Application and Functionality Authorization

I'm fairly new to java development and I have found myself tasked with implementing a functionality authorization system for a desktop application written in java.
Currently the application requires user authentication at startup, and users are authenticated against an Active Directory server via LDAP.
The application as it stands has no user privilege system in place; once a user is authenticated they have full access to the application's entire functionality.
What I need to do is define a number of user roles or groups which have access to different functionality i.e. user:Alice (of group:Admin) may see menuItem:EditCell in a popup menu for a JTable but user:Bob (of group:Peasant) may not.
It has been suggested that I look into Spring security and method/class annotation but I'm finding it a little difficult to get my head around the information I have found so far.
Is there anyone who has had a similar experience around who might be able to offer some assistance?
Cheers,
I would definitely recommend Shiro over Spring for your use case. Take a look at their website and go through the 10 minute quick guide. You'll be surprised at how much you can get done with simple, straightforward code.
For simple testing you can define roles within Shiro itself, but eventually you are going to want to put all the roles into your LDAP.
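As an added example (not the asker's or answerer's code), the Alice/Bob case from the question done with Shiro: an inline INI realm stands in for the LDAP roles, a permission decides whether the EditCell popup item of the JTable is shown, and the same permission is re-checked when the action runs. The INI users, their passwords and the cell:edit permission string are constructed for the example.

```java
import javax.swing.JMenuItem;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

/** Gates the EditCell popup item of a JTable on a Shiro permission. */
public class EditCellAuthorization {
    // Constructed test realm (user = password, roles / role = permissions). It stands in
    // for the LDAP realm the answer says to move to; the checks below do not change.
    static final String TEST_INI =
            "[users]\n"
          + "alice = alice-pw, admin\n"
          + "bob = bob-pw, peasant\n"
          + "[roles]\n"
          + "admin = cell:view, cell:edit\n"
          + "peasant = cell:view\n";

    static void initShiro() {
        Ini ini = new Ini();
        ini.load(TEST_INI);
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);
    }

    /** Hiding the item is a UX nicety; the check inside the action listener is the control. */
    static JMenuItem buildEditCellItem(Subject subject) {
        JMenuItem editCell = new JMenuItem("Edit cell");
        editCell.setVisible(subject.isPermitted("cell:edit"));
        editCell.addActionListener(e -> {
            // Re-check at the action: a keyboard accelerator, a stale menu or a forgotten
            // setVisible() must not bypass the rule. Throws AuthorizationException if denied.
            subject.checkPermission("cell:edit");
            // ... open the cell editor here ...
        });
        return editCell;
    }

    public static void main(String[] args) {
        initShiro();
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("bob", "bob-pw"));     // bob is a peasant
        System.out.println("bob sees EditCell: " + buildEditCellItem(subject).isVisible());
        subject.logout();
        subject.login(new UsernamePasswordToken("alice", "alice-pw")); // alice is an admin
        System.out.println("alice sees EditCell: " + buildEditCellItem(subject).isVisible());
        subject.logout();
    }
}
```

Once the roles live in LDAP, swap the [users]/[roles] sections for one of Shiro's LDAP realms in the INI; the isPermitted/checkPermission calls in the Swing code stay as they are.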

Implementing a public API in java. What framework?

I'm currently working on implementing the public API of our web application. The application is written in Java.
This is a financial application deployed on Tomcat. My users can manage their sales, customers, purchases, inventory, etc. It's a pretty huge application. The front-end is written in Java/GWT. The backend is written in Java as well. We use the GWT-RPC mechanism in between.
What we want is to provide a way to access the financial data (read + write) via a public API. This way, developers will be able to better integrate their application (like a payroll application).
We don't use any framework. No Spring, Grails, whatever. Also, no Hibernate, JPA, etc. It's a pretty old app, with a lot of proprietary code for the ORM, XML -> JavaBean, authentication, etc. Cannot change all of that as the application is already in production and it just works that way.
The API infrastructure will be on a different sub-domain and on a different server.
The API should use OAuth to authenticate the users.
I looked into Grails, Play! Framework and Restlet to achieve my goals.
Does anyone have some thought on them? Am I going in the wrong way with those frameworks? Is there another framework to look at?
Thank you all
I'd recommend following the example of Amazon and such and exposing that API as web services, without regard for UI. You have a further choice about SOAP versus REST. I think you'll find that REST will be simpler for your clients, because they only need to know about HTTP.
This doesn't mandate the use of any frameworks if you choose not to. The back end will work regardless of whether or not you use Spring, Hibernate, Grails, etc.
You'd have to rework the application you have to call the services if you wanted true reuse, but it might be worth it in the long run. Both your UI and clients would be using a common back end API that way.
I have some thoughts yes. Financial applications tend not to use OAuth. To be clear: nobody with vulnerable data uses OAuth. That includes privacy, medical and financial data.
What kinds of deployment environments do you expect to use this API in? That might narrow it down; the standard answer, if you have absolutely no idea who your client is, is still supposedly SOAP (since so many people know and accept the buzzword).
If you're going to expose read/write to a Java-based financial services application over the public internet, I would look at SOAP-based web services with JAX-WS as there is a pretty mature security spec in WSS and the API is relatively easy to use and may not require much in the way of changes to your existing app.
REST is perceived as easier in general but for this type of application you might find your target audience is more familiar with SOAP anyway. All depends who your target audience is and exactly what you're trying to achieve, but worth considering.
