Chapter 14: Tomcat Security

The HTTPS client certificate mechanism is, of course, quite secure. If the public key architecture upon which HTTPS client authentication is based were defeated, the very basis of secure e-commerce would fall with it. Beyond this apocalyptic scenario, however, there are some potential weaknesses:

- Key length: The most important factor in the security of public key encryption is the length of the key used to encrypt the messages. As computing evolves and computing power increases, ever larger keys will be needed to maintain security against brute force attacks. Administrators should stay informed about public key architecture issues and upgrade the keys used should this become necessary in the future.

- Theft: The fundamental assumption of public key authentication is that the corresponding private key is available only to the trusted party. Should the private key be stolen, the authentication would be compromised.

While quite secure, the HTTPS client certificate mechanism is rarely used outside of business-to-business applications because of the complexity of the process one must go through (and the associated cost) to obtain a certificate for each authenticating client.

Configuring Authentication

In order for a Web application to use one of the authentication mechanisms just described, it must be configured to do so inside its deployment descriptor (the web.xml file). This is accomplished by adding <security-constraint>, <login-config> and <security-role> elements to the <web-app> element. These elements are discussed in Chapter 7. An example of their use is shown here:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>My Application</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/notAuthenticated.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>manager</role-name>
</security-role>
```

In this code excerpt, the <security-constraint> element is used to define a portion of the application that is restricted to users belonging to a specific role. The <web-resource-collection> element uses URL pattern matching to determine the protected portion of the application (in this case, the entire application), and the <auth-constraint> element is used to restrict that portion of the application to authenticated users who belong to the named role (manager in this example). For more information on roles, see the section Users and Roles, later in this chapter.
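A deployment descriptor is easy to get subtly wrong: a role named in an <auth-constraint> but never declared in <security-role>, or a <security-constraint> that lists URL patterns without any <auth-constraint> at all (which, because the most specific url-pattern wins, leaves those URLs open even when a broader /* constraint exists). The following audit script is an added example, not code from the book or from Tomcat; it uses only the Python standard library and runs over a constructed web.xml that combines the chapter's FORM example with two deliberately flawed constraints. The element names are the standard Servlet deployment descriptor names; everything else (the sample content and the finding texts) is this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor for this example (not taken from the
# book). It contains the chapter's FORM-based constraint plus two questionable
# additions for the audit to flag: a role that is never declared, and a
# constraint that names URLs but carries no <auth-constraint>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>My Application</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/notAuthenticated.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
"""


def local_name(tag):
    """Drop the namespace ElementTree prefixes onto tags: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct child elements of `elem` whose local name is `name`."""
    return [c for c in elem if local_name(c.tag) == name]


def texts(elem, name):
    """Stripped text of every direct child named `name`."""
    return [(c.text or "").strip() for c in children(elem, name)]


def parse_constraints(xml_text):
    """One dict per <security-constraint>: its URL patterns and the roles allowed
    by its <auth-constraint> (None when that element is absent, [] when empty)."""
    root = ET.fromstring(xml_text)
    result = []
    for sc in children(root, "security-constraint"):
        patterns = [p for wrc in children(sc, "web-resource-collection")
                    for p in texts(wrc, "url-pattern")]
        auth = children(sc, "auth-constraint")
        roles = texts(auth[0], "role-name") if auth else None
        result.append({"patterns": patterns, "roles": roles})
    return result


def audit_web_xml(xml_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r for sr in children(root, "security-role") for r in texts(sr, "role-name")}
    constraints = parse_constraints(xml_text)
    if not constraints:
        findings.append("no <security-constraint>: nothing in the application requires authentication")
    for c in constraints:
        where = ", ".join(c["patterns"]) or "(no url-pattern)"
        if c["roles"] is None:
            # A constraint without <auth-constraint> imposes no authentication;
            # since the most specific url-pattern wins, it can open a sub-tree
            # that a broader /* constraint was meant to cover.
            findings.append(f"{where}: no <auth-constraint>, so these URLs are open to everyone")
        elif not c["roles"]:
            # An empty <auth-constraint/> denies every user, which is rarely intended.
            findings.append(f"{where}: empty <auth-constraint>, so nobody can access these URLs")
        else:
            for role in c["roles"]:
                if role != "*" and role not in declared:
                    findings.append(f"{where}: role '{role}' is not declared in <security-role>")
    login = children(root, "login-config")
    if login:
        method = (texts(login[0], "auth-method") or [""])[0]
        if method == "FORM" and not children(login[0], "form-login-config"):
            findings.append("FORM authentication without <form-login-config> (no login/error pages)")
    elif constraints:
        findings.append("<security-constraint> present but no <login-config> says how users authenticate")
    return findings


if __name__ == "__main__":
    for line in audit_web_xml(SAMPLE_WEB_XML):
        print("FINDING:", line)
```

Run against the sample, the script reports the undeclared admin role and the unprotected /reports/* sub-tree while passing the chapter's own constraint. Point it at a real application's WEB-INF/web.xml by reading the file into a string; the namespace stripping means it works whether the descriptor uses the older java.sun.com namespace, the Jakarta one, or none at all.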
