Posted to users@tomcat.apache.org by Frank Lawlor <fr...@athensgroup.com> on 2001/09/12 22:21:52 UTC

RE: request for suggestions on how to secure a web application...

Re protection via Realms:
  - a useful mechanism, but by itself might not do the whole job.  For example, if you need to have users log into a specific domain (e.g. different clients get different data) (as happens in many apps) where the userid isn't enough info (one value of Realms is non-unique IDs), then you need to still force people through a specific login.
Re object in a session:
  - Note that this can be fabricated by a hacker.  For real security you need to look at encrypting it with varying keys.

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.
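The second point above, that session state handed to the client can be fabricated, is illustrated by the following added example; it is not code from Frank's post or from Tomcat. It contrasts a plain base64 session blob, which a client can rewrite at will, with the same blob carrying an HMAC tag so that any edit is rejected. The "varying keys" idea is modelled as a key ring indexed by key id, so old tokens stay verifiable while new ones use the current key. The key ring, the state dict and the `seal`/`unseal` names are all assumptions made for this example; a real deployment would keep the keys in a secret store and, where the state is sensitive, use authenticated encryption rather than a bare MAC.

```python
"""Added example (not from the mailing-list post or Tomcat): client-held
session state must be integrity-protected, or the client can fabricate it.

Assumptions: state is a small JSON-serialisable dict; keys live in a
constructed in-memory key ring standing in for a real secret store.
"""
import base64
import hashlib
import hmac
import json

# Constructed key ring. Several keys with ids allow rotation ("varying keys"):
# new tokens use CURRENT_KEY_ID, older tokens stay verifiable until retired.
KEY_RING = {
    "k1": b"constructed-old-key-0123456789abcdef",
    "k2": b"constructed-current-key-fedcba9876543210",
}
CURRENT_KEY_ID = "k2"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Unprotected: the situation the post warns about ----------------------

def encode_unprotected(state: dict) -> str:
    """Serialise session state with no integrity check (the weak form)."""
    return _b64(json.dumps(state, sort_keys=True).encode())


def decode_unprotected(token: str) -> dict:
    """Trusts whatever the client sends back, edited or not."""
    return json.loads(_unb64(token))


# --- Protected: HMAC over key id + serialised state ------------------------

def seal(state: dict, key_id: str = CURRENT_KEY_ID) -> str:
    """Return "<key_id>.<payload>.<tag>"; the tag covers key id and payload."""
    payload = _b64(json.dumps(state, sort_keys=True).encode())
    signed = f"{key_id}.{payload}".encode()
    tag = hmac.new(KEY_RING[key_id], signed, hashlib.sha256).hexdigest()
    return f"{key_id}.{payload}.{tag}"


def unseal(token: str):
    """Return the state dict, or None if the token is malformed, names an
    unknown key, or fails the MAC check (constant-time comparison)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    key_id, payload, tag = parts
    key = KEY_RING.get(key_id)
    if key is None:
        return None
    expected = hmac.new(key, f"{key_id}.{payload}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def tampered_copy(token: str, new_state: dict) -> str:
    """Simulate a client editing the state part of a token without any key,
    so the test can show that the sealed form rejects the edit."""
    new_payload = _b64(json.dumps(new_state, sort_keys=True).encode())
    parts = token.split(".")
    if len(parts) == 3:
        parts[1] = new_payload      # keep key id and old tag, swap the state
    else:
        parts = [new_payload]       # unprotected token is just the payload
    return ".".join(parts)


if __name__ == "__main__":
    state = {"user": "alice", "client": "acme"}          # constructed sample
    edited = {"user": "alice", "client": "globex"}
    print("unprotected, edited ->", decode_unprotected(tampered_copy(encode_unprotected(state), edited)))
    token = seal(state)
    print("sealed, intact     ->", unseal(token))
    print("sealed, edited     ->", unseal(tampered_copy(token, edited)))
```

Note that the MAC only gives integrity: the payload is still readable by the client, so anything confidential in it still needs encryption, and the key id in the token is what lets the server keep accepting tokens issued under a previous key while it rotates.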