From: Daniel Pitts on 7 Jul 2008 14:46

For a personal project, I'm creating a webapp that requires users to log in. I'm using Spring Framework 2.5 as the application framework, Hibernate for persistence, and Resin 3 as the application container.

Security isn't yet that much of a concern, but I'd like to make sure I'm headed in the right direction if this ever gets off the ground.

So, I have a User class, which has a username. I could store the password in this class too, but I was thinking about whether I should encrypt it/how to encrypt it, or whether I should externalize the authentication altogether.

I don't know much about secure authentication, so any suggestions on libraries or best practices would be appreciated. Oh, and whatever approach I use, I need to support self-service account creation/maintenance.

Thanks,
Daniel.
--
Daniel Pitts' Tech Blog: <http://virtualinfinity.net/wordpress/>
From: Arne Vajhøj on 7 Jul 2008 21:14

Daniel Pitts wrote:
> For a personal project, I'm creating a webapp that requires users to log
> in. I'm using Spring Framework 2.5 as the application framework,
> Hibernate for persistence, and Resin 3 as the application container.
>
> Security isn't yet that much of a concern, but I'd like to make sure I'm
> headed in the right direction if this ever gets off the ground.
>
> So, I have a User class, which has a username. I could store the password in
> this class too, but I was thinking about whether I should encrypt it/how
> to encrypt it, or whether I should externalize the authentication
> altogether.
>
> I don't know much about secure authentication, so any suggestions on
> libraries or best practices would be appreciated. Oh, and whatever
> approach I use, I need to support self-service account
> creation/maintenance.

I think you should consider container managed security.

http://www.caucho.com/resin/doc/resin-security.xtp#JdbcAuthenticator

http://www.caucho.com/resin/doc/resin-security.xtp#custom%20authentication

Arne
From: Marcelo Morales on 8 Jul 2008 07:10

I've used acegi (now spring security) successfully

http://static.springframework.org/spring-security/site/index.html

Regards
Marcelo Morales

On Jul 7, 2:46 pm, Daniel Pitts <newsgroup.spamfil...(a)virtualinfinity.net> wrote:
> For a personal project, I'm creating a webapp that requires users to log
> in. I'm using Spring Framework 2.5 as the application framework,
> Hibernate for persistence, and Resin 3 as the application container.
>
> Security isn't yet that much of a concern, but I'd like to make sure I'm
> headed in the right direction if this ever gets off the ground.
>
> So, I have a User class, which has a username. I could store the password in
> this class too, but I was thinking about whether I should encrypt it/how
> to encrypt it, or whether I should externalize the authentication
> altogether.
>
> I don't know much about secure authentication, so any suggestions on
> libraries or best practices would be appreciated. Oh, and whatever
> approach I use, I need to support self-service account
> creation/maintenance.
>
> Thanks,
> Daniel.
> --
> Daniel Pitts' Tech Blog: <http://virtualinfinity.net/wordpress/>
From: Daniel Pitts on 8 Jul 2008 10:08

Marcelo Morales wrote:
> I've used acegi (now spring security) successfully
>
> http://static.springframework.org/spring-security/site/index.html

Thanks,

It looks a little heavyweight for me. My project goal is for something more like a high-traffic social network site, so I really don't need so much.

--
Daniel Pitts' Tech Blog: <http://virtualinfinity.net/wordpress/>
From: David Segall on 8 Jul 2008 12:00

Daniel Pitts <newsgroup.spamfilter(a)virtualinfinity.net> wrote:
> For a personal project, I'm creating a webapp that requires users to log
> in. I'm using Spring Framework 2.5 as the application framework,
> Hibernate for persistence, and Resin 3 as the application container.

I'm writing something comparable using JavaServer Faces, a Derby database and Tomcat respectively.

> I don't know much about secure authentication, so any suggestions on
> libraries or best practices would be appreciated.

Let me tell you what I have done so that either you can treat it as useful advice or someone can tell me why it is insecure.

The user logs in with a user name and password and the password is put through an MD5 hash then encoded into base64. The resulting string is compared against the string stored in the database when the user first registered. The actual password is not stored in the database and is only in the computer's memory while it is being entered and encoded.

The MD5 hash is included in java.security and the base64 encoding is from Mikael Grev's MiGBase64 <http://sourceforge.net/projects/migbase64>.
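Editor's added example (not code from the thread or from any of the posters): the MD5-then-base64 scheme as David describes it, written out beside a salted, iterated PBKDF2 scheme with a constant-time comparison, which is the shape a password store should have whether the check ends up in the container, in Spring Security or in your own User class. It uses java.util.Base64 and the PBKDF2WithHmacSHA256 SecretKeyFactory, both of which need Java 8 or later and post-date the thread (hence MiGBase64 in the original post); the class name, the "iterations$salt$hash" record format and the iteration count are assumptions for this demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical demo class, not from the thread. */
public final class PasswordHashDemo {

    // Scheme as described in the post: MD5(password) -> base64, compared as a String.
    // No salt and one fast hash: equal passwords give equal rows, and the stored
    // value can be matched against precomputed MD5 tables.
    static String md5Base64(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Hardened alternative: random per-user salt + PBKDF2-HMAC-SHA256.
    // Record format (assumed for this demo): "iterations$base64(salt)$base64(hash)".
    static final int ITERATIONS = 100_000;  // assumed; tune so one verify costs ~100 ms on your server
    static final int SALT_BYTES = 16;
    static final int HASH_BITS = 256;
    static final SecureRandom RNG = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();  // wipe the copy PBEKeySpec made of the password
        }
    }

    /** Called once at registration; the returned record is what goes in the database. */
    static String createRecord(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    /** Called at login. The iteration count is read from the record, so it can be raised later per user. */
    static boolean verify(char[] password, String record) throws Exception {
        String[] parts = record.split("\\$");
        if (parts.length != 3) {
            return false;  // malformed record: deny, never fall back to a weaker check
        }
        byte[] salt, expected;
        int iterations;
        try {
            iterations = Integer.parseInt(parts[0]);
            salt = Base64.getDecoder().decode(parts[1]);
            expected = Base64.getDecoder().decode(parts[2]);
        } catch (IllegalArgumentException bad) {  // NumberFormatException or bad base64
            return false;
        }
        byte[] actual = pbkdf2(password, salt, iterations);
        // Constant-time comparison; String.equals() returns at the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: two users who happen to pick the same password.
        String alicePw = "correct horse battery staple";
        String bobPw   = "correct horse battery staple";

        // Unsalted MD5: both database rows are identical.
        System.out.println("md5/base64 alice: " + md5Base64(alicePw));
        System.out.println("md5/base64 bob:   " + md5Base64(bobPw));

        // Salted PBKDF2: different rows, and only the right password verifies.
        char[] pw = alicePw.toCharArray();
        String aliceRecord = createRecord(pw);
        String bobRecord   = createRecord(bobPw.toCharArray());
        System.out.println("pbkdf2 alice: " + aliceRecord);
        System.out.println("pbkdf2 bob:   " + bobRecord);
        System.out.println("alice, right password: " + verify(pw, aliceRecord));
        System.out.println("alice, wrong password: " + verify("Correct horse battery staple".toCharArray(), aliceRecord));
        Arrays.fill(pw, '\0');  // drop the clear-text password from memory once it is no longer needed
    }
}
```

Two points the demo makes that the original description does not: with no salt, the two identical md5/base64 lines show that anyone reading the table can see which users share a password and can look each value up in a precomputed table, and a single unsalted MD5 is cheap enough to brute-force offline; the PBKDF2 records differ for the same password and cost the attacker the full iteration count per guess. Keeping the password in a char[] and clearing it afterwards also matches the post's goal of holding the clear text in memory only while it is being checked, which an immutable String cannot guarantee.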