dna88 Web development and Technology Forum
 
Security for jsp?

 
Rivenwry1
Beginner User
Joined: 23 Jun 2004
Posts: 11

I've been building an online profiling system - basically a way to cut the paperwork for an organization by allowing people to register themselves into the system. Because they are to enter their social security number, however, I need to make the system as secure as I can.

I don't really know how to go about that - the first page is password protected, but beyond that - what can I do to make my site safer?

Thanks a ton!
Rivenwry
Wed Jun 23, 04 8:39 pm

quantum
Site Admin
Joined: 07 Mar 2004
Posts: 1048
Location: Dhaka, Bangladesh

Besides log in and password you can use session ids and cookies to increase security. If you want to be paranoid about security you can also use IP address to determine who can access. You can use encryption to send data back and forth. Like mcrypt. I do not know how to use SSL or secured socket layer with JSP but I suggest you look that up too.

What database are you using? I could help you better if it was php. As is I can give you some general idea, you have to look up the syntax.


//This question rather belongs to the web scripting forum. Since it is a JSP and web development question. You can start another thread in there if you wish. Leave this one here so that anyone from java can answer if he wishes.
_________________

Dust fills my eyes / Clouds roll by / and I roll with them / Centuries cry / Orders fly / and I fall again
Afford best design, implement best solution. Outsource your web design.
Wed Jun 23, 04 8:55 pm

Rivenwry1

Thanks for responding.

By session ID I think you're saying I can have each page check to make sure it's still the same person as who logged in. By cookies, what do you mean? I don't actually know about cookies save that I'm always deleting them from my computer...If it's too complicated just say so and I'll look into it myself.

We're using a MSAccess database with the default JDBCODBC bridge that comes with the java package. PHP...I'm not familiar with that acronym.

Thanks a ton
Rivenwry
Thu Jun 24, 04 12:31 am

quantum

Quote:
By cookies, what do you mean?


Cookies do almost the same thing as session ids. In most cases a mixture of session id and cookies is used for increased reliability. You can also use them for automatic log in. As soon as someone enters your site you write a cookie to his computer and give him the option to automatically log in to your site. Or you can just use cookies to ensure he is a returning user. No, of course, it's not complicated. You just have to learn how to use it. Everything is complicated until you learn how to use it. Right now JSP is complicated to me, 'cause I never used it before. But if I try to learn it, I am sure I will get hold of it in a month. Cookies may take you 3 days.

Quote:
We're using a MSAccess database with the default JDBCODBC bridge that comes with the java package


You are using a java based server and servlets? They are rarely used these days.

Umm.. what is php? PHP is an acronym for hypertext preprocessor. And this is much much more popular, flexible, powerful, extensible, and widely used as a server side scripting language than any other. Currently, about 60% of all dynamic web sites are done with PHP. This entire quantumcloud site and this forum are written with PHP. PHP is the best suited language for any server running on a UNIX machine.

If you would like to learn a very powerful language in a very short time and utilize it then you can give php a try. Since you already know Java, it will maybe take you a week to get the hang of PHP. What you are trying to do is a snap with php. It can work with MSAccess and ODBC too.

Check out this thread for more beginner info on php:
[http://www.quantumcloud.com/forum/viewtopic.php?t=146]

and this one too:
[http://www.quantumcloud.com/forum/viewtopic.php?t=4]

I can give more general info on securing a web site given a few hours. I need to sit down coolly for that, you know what I mean.
Thu Jun 24, 04 1:19 am

quantum

Rivenwry,

I need to know what web server you are using. Apache or Windows IIS ? I am writing an article on building a secure web site. I can be more specific if you let us know the kind of web server your project is using.
Thu Jun 24, 04 9:50 pm

Rivenwry1

I'm using Apache.

Thanks a ton!

Rivenwry
Fri Jun 25, 04 10:04 am

quantum

Rivenwry1,

Sorry, it seems to be taking too long for me to write the original article on web site security. Mainly because I am busy with some other issues.

Till I get around to finishing it, let me get you the main resources pertinent to your JSP security issues.

A. Here is a very good article on JSP Security for Limiting Access to Application-Internal URLs at:

[http://www.onjava.com/pub/a/onjava/2001/06/27/java_security.html]

Covers a technique to design and build simple JSP applications that provides some security benefits.


B. Another tutorial on:
[http://www.developer.com/java/article.php/883381]

Discusses the problem of trust management on the low implementation level (code and configuration), as pertaining to the Java Server Pages environment. Accordingly, explains the ways in which malicious user input can manifest itself and alter the intended behavior of an application, and we will consider methods to validate input and reduce undesirable exposure of information and programming interfaces.

C. Another link on JSP development. Discusses security issues briefly:
[http://www.visualbuilder.com/jsp/design/ejb_or_jsp_design.asp]

D. An article on How to read a Properties file and IP address of a remote machine:
[http://www.visualbuilder.com/sourcecode/viewcode.asp?id=60]

This servlet could be used for basic security in servlet.
When you want to limit the computers that can call a specific servlet.
You read the valid IP address from a properties file.
The IP of the computer calling the servlet (static IP) is compared with value in the property file. If the values are the same then it is called from the correct computer. Otherwise a message is displayed showing the error.

E. A relevant case study, includes authenticating users, getting user preferences, getting current orders, and adding/modifying/deleting orders from the system:
[http://www.theserverside.com/discussions/thread.tss?thread_id=24781]

Hope this will get you going for now. More Later.


Last edited by quantum on Tue Jun 29, 04 9:00 pm; edited 1 time in total
Tue Jun 29, 04 1:45 pm

Rivenwry1

What can I say - thanks a boatload.

For those of you who read that real fast, read it again - it says BOAT, you pervs.

Rivenwry
Tue Jun 29, 04 4:30 pm

quantum

lol, you are most welcome. I will inform you, when I get around to the security issue.
Tue Jun 29, 04 9:02 pm

quantum

Rivenwry1,

I have added some more tutorial resources that I stumbled upon while surfing. Please check out the web scripting forum's JSP with html thread.

http://www.quantumcloud.com/forum/viewtopic.php?t=255
Fri Jul 02, 04 4:07 am

All times are GMT - 7 Hours