Is there a security Framework available for Java Desktop Applications? When I searched on google I saw persons talking about Spring Security, however it seems to be chiefly web-based. I have been using ordinary java code(Login forms, jdbc) to implement User Level security but I am not comfortable programming this way. Thanks for your assistance
I have decided to use Apache Shiro Security Framework. It is very easy to use and the website host good documentation. Thanks all for the help.
you can still use rolebased access and some sort of directory service for desktop applications and you could do that with spring it's not necessarily only for web access. not that i'm pushing spring specifically.
regards
It's hard to really answer you without knowing what threat model you're thinking of.
Do you doubt that the signed in user has permission to open your application?
Does the application talk to a server and get data from there?
Are you concerned with the user tampering with code?
In the first case, this seems like something that is better handled with OS level permissions.
In the second case, handle your security on the server, you can't trust the client anyway.
In the third case, good luck.
Related
We have legacy applications written in asp and asp.net on IIS using form based authentication against the Database (Not AD). We are writing a new Java app sitting on glassfish and we want a single sign-on solution to authenticate users so they can move seamlessly between the two without having to sign on again.
Are there any secure solutions to this problem?
I think the best approach in the long term is to decide on a SSO technology / implementation, and then change the legacy applications to use it. I know that changing legacy apps can be painful, but provided it is practical you should do it.
UPDATE
You don't necessarily have to do a complete rewrite of your legacy apps. If you can identify an SSO tech which supports the legacy language too, you can maybe just get away with rewriting the login page and (maybe) access control and/or local account management.
Take a look at spring security (if you're not opposed to using spring for your java app). They support dozens of solutions, probably whatever you're using for your ASP app. http://static.springsource.org/spring-security/site/
Alternatively you could use apache shiro http://shiro.apache.org/ which also supports just about anything out there for security.
I'd advise looking to see if one of these supports what you are using already on your legacy app, it would probably be easier to make the java app support your existing security mechanism rather than trying to backport a new security layer into ASP.
Some years ago I made a Swing application that uses a MySQL database. Now I must change this app to work through Internet.
I can connect directly to a MySQL server through Internet, but I think that it's insecure, so I'm thinking about using webservices.
I know I must change lots of code in my current application, and I don't worry about that. But my problem is that I have never used webservices nor server side technologies in Java, and I don't know where to start.
Do you know any good "webservices for dummies" tutorial? I need authentication (and ACL or similar) and database access.
Thank you!
Easiest adaptation: have a look at apache axis2, it has everything you need for webservices. That would offer to extend you current applicatino by webservices functionality.
If you need to re-engineer everything, either spring or Java EE should be your friend.
Adding web services won't make it any more secure. The best you can do is to enable SSL with JDBC.
Take a look at the core servlets site. There is an EJB tutorial and an AXIS tutorial. As mentioned by Andreas_D, spring and Java EE are both options. I suspect you want a simple REST implementation, in which case, spring is a good option.
I am a traditional .NET developer... now I have to create a web application using JSP.
Is there some sort of framework that handles all the login stuff for me?
Register users (and securely store in database using best practices)
forgot password functionality
session tracking (aka make sure only a logged in user can see the page)
Like I said, I'm mostly familiar with .NET Membership. I'm researching Spring, Struts, and Hibernate but am not sure the pros/cons of each yet.
If you had to create this simple web application using JSP how would you go about it?
Thanks for your help :-)
-Josh
Take a look at Spring Security.
Spring Security is a powerful and highly customizable authentication and access-control framework.
Short answer? No.
There are however, very many security frameworks that you can customize to fit your needs. I would recommend looking at Spring Security as a good all-around tool that should fit your needs.
We currently have a simple portal kind of functionality built based on ASP.NET Forms-based authentication. All the existing apps that make use of this authentication mechanism are ASP.NET based (and run on the same domain). So, all works fine. We have a new requirement to get some new Java-based web applications make use of the same authentication as well. All our apps are accessible over HTTPS.
Can someone advise here please?
Thanks
We opted to use the ASP.NET Application Services for a proof of concept and the output looks promising.
Thanks all
It's hard to understand the specifics of your question, however in general I would guess that Java has the equivalent of Forms/cookie based authentication mechanism in its' web layer, you could then point that API to the same data source as the one your Forms Authentication uses today.
I'm currently working on implementing the public API of our web application. The application is written in Java.
This is a financial application deployed on Tomcat. My users can manage their sales, customers, purchases, inventory, etc. It's a pretty huge application. The font-end is written in Java/GWT. The backend is written in Java s well. We use the GWT-RPC mechanism between.
What we want is to provide a way to access the financial data (read + write) via a public API. This way, developers will be able to better integrate their application (like a payroll application).
We don't use any framework. No Spring, grails, whatever. Also, no Hibernate, JPA, etc. It's a pretty old app, with lot of proprietary code for the ORM, XML-> javabean. authentication, etc. Cannot change all of that as the application is already in production and it just works that way.
The API infrastructure will be on a different sub-domain and on a different server.
The API should use Oauth to authenticate the users.
I looked into Grails, Play!Framework and Restlet to achieve my goals
Does anyone have some thought on them? Am I going in the wrong way with those frameworks? Is there another framework to look at?
Thank you all
I'd recommend following the example of Amazon and such and expose that API as web services, without regard for UI. Your have a further choice about SOAP versus REST. I think you'll find that REST will be simpler for your clients, because they only need to know about HTTP.
This doesn't mandate the use of any frameworks if you choose not to. The back end will work regardless of whether or not you use Spring, Hibernate, Grails, etc.
You'd have to rework the application you have to call the services if you wanted true reuse, but it might be worth it in the long run. Both your UI and clients would be using a common back end API that way.
I have some thoughts yes. Financial applications tend not to use OAuth. To be clear: nobody with vulnerable data uses OAuth. That includes privacy, medical and financial data.
What kinds of deployment environments do you expect to use this API. That might narrow it down, the standard answer if you have absolutely no idea who your client is, is still supposedly SOAP (since so many people know and accept the buzzword).
If you're going to expose read/write to a Java-based financial services application over the public internet, I would look at SOAP-based web services with JAX-WS as there is a pretty mature security spec in WSS and the API is relatively easy to use and may not require much in the way of changes to your existing app.
REST is perceived as easier in general but for this type of application you might find your target audience is more familiar with SOAP anyway. All depends who your target audience is and exactly what you're trying to achieve, but worth considering.