Task: Security Concerns
The BASICS web site will include some web pages that will need to be secured
with some kind of password authentication. Because the Tomcat web
server implements the Java Servlet 2.2 specification --
http://java.sun.com/products/servlet/download.html -- security
mechanisms are available directly through the server.
A further requirement for the BASICS project is that the list of users,
passwords, and security roles be maintained in the database. This
kind of authentication management is known as JDBC Realms. For details,
go to
http://jakarta.apache.org/tomcat/tomcat-3.2-doc/ and click
on the link for
JDBC Realms.
Your tasks regarding security concerns for the BASICS project are:
-
To educate yourself about the security mechanisms available in the Java
Servlet 2.2 specification.
-
To understand how that mechanism ties into the JDBC Realms support in the
Tomcat server.
-
To design and implement the security support in the BASICS web site.
In the Java Servlet 2.2 specification, you should focus on two chapters:
-
Chapter 11 goes into detail about the standard security mechanisms that
a servlet container such as Tomcat must support.
-
Chapter 13 provides details on the web.xml elements required to
declare the apprioriate security.
The first step would be to implement security in Tomcat without JDBC Realms,
and then add JDBC Realms as a second step. For administrative or
other priviledged purposes, we will probably define virtual URL directories
such as /admin and /private that will be secured; everything
else will be publically accessible. There will be several other issues
along the way, and we will need to discuss those as they come up and as
we debug the security model that we've chosen. It is important, for
example, that passwords are never transmitted in the clear over HTTP.