Talk:Declarative Access Control in Java

Revision as of 14:55, 17 March 2008 by Owaspdavef (talk | contribs)

Under review

  • Dave Ferguson
  • Pierre Parrend

General Discussion

  • global comment: this overview is very quick, but clear and efficient
  • Introduction: a reminder of the technical context could be useful - what piece of code does one need for executing this declarative access control: a servlet container? a J2EE platform?

DFerguson - I added some verbiage about JEE-compliant application servers.

  • first XML excerpt: no global tag is shown. If I have a real Web App descriptor without security, in which tag should I put the given XML code?

DFerguson - I added the web-xml root tag before and after the snippet. There is also a link to the servlet spec in the Overview section now, which is for readers who want to see the deployment descriptor in detail.

  • authentication methods 'Digest' and 'Client cert' are evoked. How can they be implemented, i.e. what is required on the client side (algorithm, certificate with proper issuer) and on the server side (algorithm for digest and certificate control, access to a trusted certificate database)?
  • 2 different 'transport guarantees' are evoked, 'integral' and 'confidential'. What specific protocols, algorithms, and data are required?
  • SSL is evoked. A pointer toward an SSL page could be useful.

DFerguson - I added a link to the OWASP SSL page, which is a stub and not very helpful. Any other idea where the link should point to?

  • no extra link is given. Is it deliberate from the OWASP editor? Where can I go and look if I need further information?

DFerguson - other than reference material in the servlet specification and various application server documentation, I don't know where more information is available. That's one of the reasons I thought this page would be helpful. Please let me know about anything that I might be missing.

  • I usually recommend storing the JSP files used for form-based authentication in the WEB-INF directory. This way they cannot be accessed directly from the browser.