
best way to secure a web application

  • 19-02-2015 11:39pm
    #1
    Registered Users Posts: 2,183 ✭✭✭


    Hi all, I'm playing around with AngularJS and am trying to create a sample application with hopefully a RESTful Java backend... what options/frameworks do I have to make the application secure? I.e. have a login page that works correctly :-)


Comments

  • Technology & Internet Moderators Posts: 28,792 Mod ✭✭✭✭oscarBravo


    Making applications secure isn't one step in the development process; it's a core part of the process, a way of thinking while developing.

    Check out OWASP.


  • Registered Users Posts: 2,183 ✭✭✭jobless


    oscarBravo wrote: »
    Making applications secure isn't one step in the development process; it's a core part of the process, a way of thinking while developing.

    Check out OWASP.

    Thanks for the link, I guess from my point of view I would just like to create a simple log-on page that friends could use to access the site...


  • Registered Users Posts: 1,275 ✭✭✭bpmurray


    The first thing is that if you allow any input, you sanitise it to protect against XSS and SQL injection. In other words, never allow HTML input (it's just too much work trying to allow some while blocking other parts), and never use substitution in SQL statements (use prepared statements instead). If there are parts of the site that carry out some function or another, use a nonce to prevent CSRF. And this is only the very beginning.

    To do a login, you need to add some authentication mechanism - OpenLDAP is free, but it can be a pain to get right, so maybe a simple DB with usernames/passwords will do. Of course, this is only executed on the server, with encrypted HTTPS communication between the browser and your backend. That means, of course, that you need to have an SSL certificate: you can get a free one and, since they're your friends, they'll probably accept it, but otherwise you have to pay and they're not particularly cheap for a friends-only site.

    All in all, it might be easier to have an open site!


  • Registered Users Posts: 2,426 ✭✭✭ressem


    To get something functional up and running you could look at the Spring framework in Java and its security module.

    The Spring framework guide is at
    http://spring.io/guides/gs/securing-web/

    It's MVC rather than REST, and your friends' usernames and passwords would be manually added to a text XML file, so yeah, you'd want to make sure that no-one cared if it was broken, and that those passwords were not used elsewhere by them.

    But it's a big topic. Try to read up on what the other guys are saying, but everyone's got to start somewhere, and usually not at cathedral architect level.

    Some of the Java-specific security buzzwords are explained a bit here...
    http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/


    Other options include offloading authentication to the likes of OAuth, Facebook or OpenID, stuffing credentials into databases or LDAP servers, and hashing and salting password strings.
    Or there is Glassfish Java server-specific user management.


  • Closed Accounts Posts: 7,967 ✭✭✭Synode


    If you're not too hung up on a Java backend, Ruby on Rails with the Devise gem is ideal.


  • Registered Users Posts: 6,013 ✭✭✭Talisman


    I would also suggest that you take a look at Spring Security and Spring Session if you are going the Java route on the server side. Spring Security will give you the user authentication element and Spring Session will give you the session management.

    Also search GitHub, there will be plenty of projects there that would be a good starting point: botanic-ng is an example of one that uses AngularJS and Spring Session.

    Definitely read up on the security issues on OWASP before you begin.
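
    As an added example (not from any poster here, nor from Spring's own guides), the following is a minimal Spring Security Java configuration that ties together the points raised above: salted password hashing via BCrypt, CSRF protection in a form that AngularJS's $http handles automatically, and forced HTTPS. It assumes Spring Security 4.1 or later (for CookieCsrfTokenRepository) running under Spring Boot; the class name, the user and the password are made up.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    // BCrypt generates a random salt per password and stores it inside the hash
    // string, so "hashing and salting" needs no hand-rolled code.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Users are kept in memory for the demo; auth.jdbcAuthentication().dataSource(ds)
        // would read them from a DB instead (Spring issues prepared statements for that).
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("alice")                                   // made-up friend account
            .password(passwordEncoder().encode("correct horse battery staple")) // made-up
            .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()           // anything else needs a login
                .anyRequest().authenticated()
                .and()
            .httpBasic().and()                                   // simplest scheme for a REST API over HTTPS
            // CSRF stays enabled. This repository sets an XSRF-TOKEN cookie that AngularJS's
            // $http reads and echoes back as an X-XSRF-TOKEN header on POST/PUT/DELETE,
            // which is the check Spring performs on state-changing requests.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .requiresChannel().anyRequest().requiresSecure();    // redirect plain HTTP to HTTPS
    }
}
```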


  • Registered Users Posts: 2,183 ✭✭✭jobless


    Thanks guys, some much appreciated info and links there..... Spring Security certainly looks like something worth reading up on..
    I work with Java in my job but haven't used Spring, so that's why I was hoping to use a Java back end.

    The Spring documentation looks quite daunting though, but I guess I need to take it piecemeal.

