tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gary Hardy <g...@gjhconsulting.com>
Subject application security gone mad
Date Fri, 14 Nov 2003 15:22:57 GMT
First let me say this is not a specific tomcat question, rather, a general
application security issue that I'd like to get some feedback on. Secondly,
this is NOT my idea and I already have an opinion about it's ... flaws, to
be kind.

Here's the idea in a nutshell (operative word "nut"):

The app is configured with a set of various security constraints using form
based authentication (JNDIRealm LDAP, actually). A servlet "intercepts" the
clear text username/passowrd and saves them as session attributes... user
marches through the app ... hits the data access layer (i.e. façade class
... EJB client). 

So, the façade class is passed the previously session-saved
username/passowrd. Using that username/passowrd, the LDAP server is searched
for that user's roles. An attribute of each role is concatenated together to
create a java.naming.security.principal string. A file in the local file
system contains java.naming.security.principal and
java.naming.security.credentials pairs. The java.naming.security.credentials
string is retrieved from that file. The principal/credentials are used to
create an InitialContext for EJB client access. Now there's an EJB context
for principal "xxx_yyy_zzz". That context is added to the façade's HashMap
with principal string as the key... and, used to access one of the EJBs. (I
assume I don't have to explain the pooling idea for the façade's HashMap.)

As I type is in, it's making me even MORE nuts! Am I?
Thanks,
gary...


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message