Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Java/Database Secutiry

Options
  • 16-03-2002 1:39am
    #1
    Gavin
    Registered Users Posts: 4,676 ✭✭✭


    Howdy,

    I'm writing some ASP software in Java/JSP. I'm interested in being able to set permissions on certain thing. I.e.
    Only allow certain people to be able to create entries or edit/modify them. I was going to create groups and set permissions
    on the groups. ie have a group table with the group id and columns for each type. In the column for the type ( the type on entry to be allowed )
    would be a value representing read/write/no access. The various users would then be members of the required group.

    I suppose some sort of ACL type thing..


    But.. that's a little bit finicky.. And after getting bored and starting look through the Java API a bit, I came across a bucketload
    of security stuff. Does anyone know if there is anything useful in there to help me out ?
    Or any better ideas/ways for addressing it ? I could do it in the database itself.. but I think I would prefer to keep it in the
    software allowing me leeway when changing DB's.


    Thanks,
    Gav


Comments

  • Options
    #2
    phobos
    Closed Accounts Posts: 1,322 ✭✭✭phobos


    Originally posted by Verb
    Howdy,
    I'm writing some ASP software in Java/JSP.

    I think you're a little confused there. ASP is a language (derived from VB) that lets you create server side web applications. Which also runs on MS IIS. Java on the otherhand is a full programming language that has two sub APIs that enable you to write web applications. Those being the Servlet & JSP APIs. The compiled code will run anywhere a Servlet container or JSP engine is present.
    Originally posted by Verb

    I'm interested in being able to set permissions on certain thing. I.e.
    Only allow certain people to be able to create entries or edit/modify them. I was going to create groups and set permissions
    on the groups. ie have a group table with the group id and columns for each type. In the column for the type ( the type on entry to be allowed )
    would be a value representing read/write/no access. The various users would then be members of the required group.

    For DB interaction in Java make sure you know how to play with JDBC (http://java.sun.com/products/jdbc/).

    The permission based stuff I would implement in the JSP/Servlet code you write, and shell the various connections for each group of user.

    HTH ;)

    ;-phobos-)


  • Options
    #3
    Enygma
    Closed Accounts Posts: 1,651 ✭✭✭Enygma


    ASP can also be Application Service Provider, basically someone writes and app that can be sold to many customers, like an auction or something. AFAIK Application Service Providers also host the apps.

    The best bet with the security issue is to implement your own. You could have a usertype value associated with each user, or their group. When they login set that value into their session.

    In your JSP when you're displaying the buttons for create or editing or whatever just wrap them in if statements to see is this user allowed do whatever the button does.


  • Options
    #4
    jmcc
    Registered Users Posts: 7,410 ✭✭✭jmcc


    Normally the read/write/update/create/drop etc privs would be set at the database side of things using the SQL command 'GRANT'. (the db side idea in your post) This would control access to the relevant tables and it would be a simple case of running an ODBC to connect to the DB. This solution would be trasparent as each db would have the privs set.

    What I think (from reading the post) you want to do is to create a file that can be read by the JAVA client which then allows the user to r/w/u. From a security point of view, this could result in a very easy breach if someone played with the JAVA to bypass this file. The only way I can think of for this (and I would not recommend it) would be to dump and parse the privs table to a text file which would then be read by the JAVA client on connection.

    Regards...jmcc


  • Options
    #5
    Gavin
    Registered Users Posts: 4,676 ✭✭✭Gavin


    Originally posted by phobos


    I think you're a little confused there. ASP is a language (derived from VB) that lets you create server side web applications. Which also runs on MS IIS. Java on the otherhand is a full programming language that has two sub APIs that enable you to write web applications. Those being the Servlet & JSP APIs. The compiled code will run anywhere a Servlet container or JSP engine is present.

    As Enygma says. Application Service Provider. Sorry, I thought that people would figure out the diff.

    For DB interaction in Java make sure you know how to play with JDBC (http://java.sun.com/products/jdbc/).



    The permission based stuff I would implement in the JSP/Servlet code you write, and shell the various connections for each group of user.
    Yes I'm well aware of JDBC alright. I was curious if I could implement the security some way via the java api security package as a pose to writing my own code for security/validation.

    jmcc, I was under the impression that the inbuilt security tables were purely for rough table interaction. Ie interaction in this case by the jsp/servlet/javabeans/whatever as a pose to the actual user. But I don't know.. is it common in a web application to put the application usernames into the db system permission tables ?

    Thanks for the replies,
    Gav


    ok, this seems to be what I was looking for. Thanks again for the replies. http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html


Advertisement