Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

best way to secure a web application

  • 19-02-2015 10:39pm
    #1
    Registered Users, Registered Users 2 Posts: 2,183 ✭✭✭


    hi all, im playing around with angular js and am trying to create a sample application with hopefully a restful java backend... what options/frameworks do I have to make the application secure? I.e have a login page that works correctly :-)


Comments

  • Technology & Internet Moderators Posts: 28,830 Mod ✭✭✭✭oscarBravo


    Making applications secure isn't one step in the development process; it's a core part of the process, a way of thinking while developing.

    Check out OWASP.


  • Registered Users, Registered Users 2 Posts: 2,183 ✭✭✭jobless


    oscarBravo wrote: »
    Making applications secure isn't one step in the development process; it's a core part of the process, a way of thinking while developing.

    Check out OWASP.

    thanks for the link, i guess from my point of view i would just like to create a simple log on page that friends could use to access the site...


  • Registered Users, Registered Users 2 Posts: 1,275 ✭✭✭bpmurray


    The first thing is that if you allow any input, that you sanitise it to protect against XSS and SQL injection. In other words, never allow HTML input (it's just too much work trying to allow some while blocking other parts), and never use substitution in SQL statements (use prepared statements instead). If there are parts of the site that carry out some function or another, use a nonce to prevent CSRF. And this is only the very beginning.

    To do a login, you need to add some authentication mechanism - OpenLDAP is free, but it can be a pain to get right, so maybe a simple DB with usernames/passwords will do. Of course, this is only executed on the server, with enrypted HTTPS communication between the browser and your backend. That means, of course, that you need to have an SSL certificate: you can get a free one and, since they're your friends, they'll probably accept it, but otherwise you have to pay and they're not particularly cheap for a friends-only site.

    All in all, it might be easier to have an open site!


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    To get something functional up and running you could look at the spring security framework in Java and it's security module.

    The Spring framework guide is at
    http://spring.io/guides/gs/securing-web/

    It's MVC rather than REST, and your friends username and password would be manually added to a text XML file, so yeah, you'd want to make sure that no-one cared if it was broken, and those passwords were not used elsewhere by them.

    But it's a big topic. Try to read up on what the other guys are saying, but everyone's got to start somewhere, and usually not at cathedral architect level.

    Some of the java specific security buzzwords are explained a bit here...
    http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/


    Other options include offloading authentication to the likes of oath, facebook, openid, stuffing credentials into databases or LDAP servers, hashing and salting password strings.
    Or there is Glassfish Java server specific user management


  • Closed Accounts Posts: 7,967 ✭✭✭Synode


    If you're not too hung up on a java backend, Ruby on Rails with the Devise gem is ideal


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 6,288 ✭✭✭Talisman


    I would also suggest that you take a look at Spring Security and Spring Session if you are going the Java route on the server side. Spring Security will give you the user authentication element and Spring Session will give you the session management.

    Also search Github, there will be plenty of projects there that would be a good starting point: botanic-ng is an example of one that uses AngularJS and Spring Session.

    Definitely read up on the security issues on OWASP before you begin.


  • Registered Users, Registered Users 2 Posts: 2,183 ✭✭✭jobless


    thanks guys, some much appreciated info and links there..... Spring security certainly looks like something worth reading up on..
    I work with Java in my job but havent used spring so thats why i was hoping to use a java back end.

    The spring documentation looks quite daunting though but i guess i need to take it piecemeal


Advertisement