
<p>I assume you are creating an overarching security architecture, governing remote connections and other aspects of the overall system. The desktop application security and web security are going to be different, but still solve a lot of the same problems in their own way.</p>
<p>Just some of the topics to include will be Authentication, Authorization, and Auditing (AAA), data security in transit and at rest, non-repudiation, transport layer security, platform security (e.g. managing platform privileges).</p>
<p>The two most common Java security frameworks are <a href="http://static.springsource.org/spring-security/site" rel="nofollow">Spring Security</a> and <a href="http://shiro.apache.org" rel="nofollow">Apache Shiro</a>. Both of these address a number of topics above, but they are frameworks - meaning you need to define the security architecture and policies, and then configure/extend the frameworks into your specific domain.</p>
<p>Bouncy Castle provides a bunch of off-the-shelf crypto, including being a compliant Java Cryptography Extension (JCE) - it is also FIPS 140-2 compliant, but not certified. There is a whole other game/industry on those selling the certified solutions.</p>
<p>Here is an example - let's say that your desktop application is going to use a smart card with an X.509 certificate to gain access and interact with the web application. In that case, you have a bunch of security things to do with the smart card - PINs, encryption, etc. You then may want to use the client certificate on the server side, and an X.509 authentication provider on the server side. You may even then have some authorization routines based on the Distinguished Name provided in the certificate. You will find trust store access, authentication providers, role based access control and the like within the above security frameworks - but you have to put the pieces together.</p>
<p>You may also want to take a look at OWASP for web security guidelines: <a href="https://www.owasp.org/index.php/Main_Page" rel="nofollow">https://www.owasp.org/index.php/Main_Page</a></p>
<p>If you are responsible for providing the security solution and you're starting with looking at the frameworks, I should give you a heads up that there is a knowledge sharing gap between security experts/analysts and software developers -- i.e. the people who tell you about how to exploit the weaknesses are usually not the same people who tell you how to configure Spring Security or use the JCE API.</p>
<p>A decent mitigation strategy is to look at some of the "security wrapper" solutions, that essentially create small enclaves with hardened/secure entry points into the enclave. An example of a product like this would be <a href="http://www.layer7tech.com/" rel="nofollow">Layer-7</a>, which is commonly used as a web services security gateway.</p>
<p>Happy hunting!</p>
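As an added example (not from the answer above, and not Spring Security or Shiro code): a plain-JDK authorization helper for the smart-card scenario, which maps the subject Distinguished Name of a client certificate to application roles. It assumes the TLS layer or the X.509 authentication provider has already validated the certificate chain; the OU-to-role table and the `O=Example Corp,C=US` naming suffix are constructed values for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import java.security.cert.X509Certificate;
import java.util.*;

/** Maps the subject DN of an already chain-validated client certificate to roles. */
public final class DnRoleMapper {
    // Constructed policy: OU values the issuing CA is trusted to assert, and the role each grants.
    private static final Map<String, String> OU_TO_ROLE = Map.of(
            "Operators", "ROLE_OPERATOR",
            "Auditors", "ROLE_AUDITOR");

    // Constructed naming hierarchy every acceptable subject must live under.
    private static final String REQUIRED_SUFFIX = "O=Example Corp,C=US";

    /** Convenience overload: read the subject in RFC 2253 form from the validated certificate. */
    public static Set<String> rolesFor(X509Certificate cert) {
        return rolesFor(cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
    }

    public static Set<String> rolesFor(String subjectDn) {
        Set<String> roles = new TreeSet<>();
        try {
            LdapName name = new LdapName(subjectDn);
            // LdapName compares RDNs semantically (attribute types case-insensitively, values with
            // normalized quoting and whitespace); a raw String.endsWith check would miss "c=US" etc.
            // Note that the string suffix "O=...,C=US" is a *prefix* in the Name API's index order.
            if (!name.startsWith(new LdapName(REQUIRED_SUFFIX))) {
                return roles; // subject outside our naming hierarchy: grant nothing
            }
            for (Rdn rdn : name.getRdns()) {
                if (rdn.getType().equalsIgnoreCase("OU")) {
                    String role = OU_TO_ROLE.get(String.valueOf(rdn.getValue()));
                    if (role != null) roles.add(role);
                }
            }
        } catch (InvalidNameException e) {
            return Collections.emptySet(); // malformed DN: fail closed rather than guess
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample subjects, in the form X509Certificate.getSubjectX500Principal().getName() yields.
        System.out.println(rolesFor("CN=Alice Smith,OU=Operators,O=Example Corp,C=US")); // exact form
        System.out.println(rolesFor("cn=Bob, ou=Auditors, o=Example Corp, c=US"));      // case and spacing vary
        System.out.println(rolesFor("CN=Mallory,OU=Operators,O=Other Org,C=US"));         // wrong hierarchy
    }
}
```

The mapper deliberately derives nothing from a DN it has not been handed by a validated certificate, which is the piece the framework's X.509 authentication provider supplies.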