What you need to use this book
To run the samples in this book, you will need to have the following:
❑ A J2EE 1.3 server implementation. All the code in this book was tested on the Sun J2EE 1.3
Reference Implementation.
❑ A relational database. All the code in this book was tested on MySQL.
The book assumes that you are familiar with the development and deployment of J2EE components
such as servlets, JSP pages and EJBs.
Summary of Contents
Introduction 1
Chapter 1: Design Patterns Applied to J2EE 7
Chapter 2: Patterns Applied to the Web Tier 41
Chapter 3: Patterns Applied to a Persistence Framework 89
Chapter 4: Patterns Applied to Improve Performance and Scalability 155
Chapter 5: Patterns Applied to Manage Security 199
Chapter 6: Patterns Applied to Enable Enterprise Integration 237
Chapter 7: Patterns Applied to Enable Reusability, Maintainability, and Extensibility 309
Index 345
Patterns Applied to Manage Security
In this chapter, we introduce security patterns and their benefits throughout the design of our case study, a
J2EE Web Banking application. We will define the scope and requirements of this application, identify
relevant security patterns, and apply them to the design of both the application and its operating
environment. We will develop use cases, and finally present code for a few of the major Java classes.
What are Security Patterns?
Security patterns provide techniques for addressing known security issues, in the same manner as J2EE
and other object-oriented patterns provide proven techniques for solving known programming problems.
Security patterns work together to form a collection of best practices, whose ultimate goal is to support
an organization's security policy – a policy that addresses not just application security, but host and
network security, as well. Thus they can (and ideally should) be applied to the design and development
of applications, and to the configuration and management of the hosts, and the network within which
these applications operate. Security patterns, however, do not define specific technologies, coding styles,
or programming languages. They do not identify industry vendors, application version numbers, or
patch levels.
Benefits of Using Security Patterns
Similarly to standard object-oriented patterns, security patterns provide the following benefits:
❑ They can be revisited and implemented at anytime to improve the design of a system
❑ Less experienced practitioners can benefit from the experience of more advanced practitioners
❑ They provide a common language of discussion, testing, and development
❑ They can easily be categorized, searched, and refactored
❑ They provide reusable, repeatable, and documented security practices
When to Use Security Patterns
Security patterns can provide guidance when dealing with the following issues:
❑ Whenever data is being sent to or received from an external system, application, or object:
Will it validate the information based on length, value, or type?
Is the communication channel secure? Does it need to be?
What is the origin of the data, is it a trusted or non-trusted source?
❑ Whenever an application is accessible by trusted or non-trusted users:
Who is trying to access the application?
Is their request legitimate? Should it care?
Does it know how to process their request? What should it do if it doesn't?
Does it know about every attempt to access the system? How can it be sure?
❑ Whenever data is considered confidential or sensitive:
How is the data being protected?
Are these means sufficient or unwarranted?
Is the data being stored or backed up elsewhere? Is this adequate?
Secure Programming
As mentioned previously, security patterns are essentially best practices and can assist in the design of
secure applications. However, they are not a replacement for secure programming techniques.
Following proper coding standards in all languages is essential for developing resilient software. The
following are a few examples of proper coding practice:
❑ Data validation
❑ Code and design reviews
❑ Scoping
❑ Synchronized operations
❑ Secure (dynamic) class loading
❑ Proper exception handling, error reporting, and logging
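The data-validation questions under "When to Use Security Patterns" (length, value, type, trusted or non-trusted origin) and the "Data validation" and "exception handling, error reporting, and logging" items just listed, brought together in one added Java example. This is not code from the book: the request field names, the ten-digit account-number format, the twelve-character amount limit and the per-transaction ceiling are assumptions chosen for illustration; the structure (reject before the request reaches the trusted mainframe, report field errors without echoing the submitted values, log every rejection) is the point.

```java
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

/**
 * Added example, not from the book: validates the fields of a fund-transfer
 * request that arrived from a non-trusted source (the customer's browser)
 * before anything is sent to the trusted mainframe.
 */
public class TransferRequestValidator {

    private static final Logger LOG =
            Logger.getLogger(TransferRequestValidator.class.getName());

    // Assumption: a Wrox Bank account number is exactly ten ASCII digits.
    private static final int ACCOUNT_LENGTH = 10;
    // Assumption: longest amount string we are willing to parse ("999999999.99").
    private static final int MAX_AMOUNT_LENGTH = 12;
    // Assumption: per-transaction ceiling for online transfers.
    private static final BigDecimal MAX_AMOUNT = new BigDecimal("10000.00");

    /** Outcome of one validation pass: valid, or a list of messages safe to show the user. */
    public static class Result {
        private final List errors = new ArrayList(); // raw type: J2EE 1.3 predates generics

        public boolean isValid() { return errors.isEmpty(); }
        public List getErrors() { return errors; }
        void add(String message) { errors.add(message); }
    }

    /** Validate the three fields of a transfer request; never throws on bad input. */
    public Result validate(String fromAccount, String toAccount, String amount) {
        Result result = new Result();
        checkAccount("fromAccount", fromAccount, result);
        checkAccount("toAccount", toAccount, result);
        if (fromAccount != null && fromAccount.equals(toAccount)) {
            result.add("source and destination accounts must differ");
        }
        checkAmount(amount, result);
        if (!result.isValid()) {
            // Record every rejected attempt. Only the count is logged, not the
            // submitted values, so the log cannot become a store of bad input.
            LOG.warning("Transfer request rejected with "
                    + result.getErrors().size() + " validation error(s)");
        }
        return result;
    }

    /** Length and type check: exactly ACCOUNT_LENGTH characters, all of them digits. */
    private static void checkAccount(String field, String value, Result result) {
        if (value == null || value.length() != ACCOUNT_LENGTH) {
            result.add(field + " must be exactly " + ACCOUNT_LENGTH + " digits");
            return;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < '0' || c > '9') {
                result.add(field + " must contain only digits");
                return;
            }
        }
    }

    /** Type and value check: parseable, positive, at most two decimals, within the ceiling. */
    private static void checkAmount(String value, Result result) {
        if (value == null || value.length() == 0 || value.length() > MAX_AMOUNT_LENGTH) {
            result.add("amount is missing or too long");
            return;
        }
        BigDecimal amt;
        try {
            amt = new BigDecimal(value);
        } catch (NumberFormatException e) {
            // Proper exception handling: report the failure without leaking the
            // parser's message or the offending input back to the user.
            result.add("amount is not a valid number");
            return;
        }
        if (amt.signum() <= 0) {
            result.add("amount must be greater than zero");
        } else if (amt.scale() > 2) {
            result.add("amount may have at most two decimal places");
        } else if (amt.compareTo(MAX_AMOUNT) > 0) {
            result.add("amount exceeds the per-transaction limit");
        }
    }
}
```

A call such as `new TransferRequestValidator().validate("1234567890", "1234567890", "-5.001")` returns a result with three errors (identical accounts, non-positive amount is reported before the scale check, and only the first failing rule per field is recorded), while `validate("1234567890", "0987654321", "250.00")` returns a valid result. The length check on the amount string runs before `BigDecimal` parsing so that exponent notation or very long digit strings are rejected cheaply rather than parsed.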
The Web Banking Case Study
The goal of this case study is to apply security patterns to the design of a web banking application. The
application will be a J2EE web-based one, which will act as a front end to an existing banking system. We
will identify the features of the application, and then define the key business and technical requirements.
High-level Overview
The Wrox Bank is a national bank with branch offices and ATMs (Automated Teller Machines) located
across the country, and operates on an existing computing (mainframe) infrastructure. The bank is being
pressured by customers to provide banking services online. A recent survey revealed the following three
services as most important to the customers:
❑ View account balance
❑ View account activity
❑ Transfer funds between accounts
Assumptions
The following assumptions can be made about this case study:
❑ The existing banking infrastructure consists of a trusted mainframe system, which will be
capable of supporting all activity generated by this web-based application
❑ Connectivity to the back-end mainframe occurs over a dedicated, high-speed network
❑ The creation of web-based accounts (including usernames and passwords) is performed at
branch locations and is outside the scope of this online application
Business Requirements
Business requirements define the features or services of an application.
The Wrox Web Banking application will be web-based and accessible over the Internet by standard
web browsers (wireless devices will not be supported at this time). It will be a front end to the existing
banking infrastructure, that is, it will not duplicate the core account information of the mainframe.
There will be three types of users of this application:
❑ Anonymous users are those who access only the public pages of the web site and cannot log in
and thus cannot perform any banking activities.
❑ Regular customers are those who perform the following activities:
Log in to the application: after successful form-based authentication, the application will
create a user session, allowing the customer to access other services
Log out of the application: this will terminate the user session
View account balance: immediately after login, the application will display a list of the
customer's active accounts and their balances
❑ Preferred customers are those who perform all the activities of Regular customers in addition
to the following:
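The login, logout and "view account balance" activities listed for Regular customers, and the distinction between Regular and Preferred customers, as an added Servlet 2.3 example that is not the book's own code. It assumes the container's form-based authentication has been configured in web.xml (the `<login-config>` and `<security-constraint>` elements sketched in the comment), that the roles are named "regular" and "preferred", and that the servlet is mapped to the paths `/accounts` and `/logout`; the back-end account lookup against the mainframe is outside this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the book. Assumed web.xml fragments this servlet relies on:
 *
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-constraint>
 *     <web-resource-collection>
 *       <url-pattern>/accounts</url-pattern>
 *       <url-pattern>/logout</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>regular</role-name>
 *       <role-name>preferred</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *
 * With that in place the container handles the j_security_check form itself;
 * this servlet only ever sees authenticated requests, but still verifies it.
 */
public class BankingServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: do not rely on the deployment descriptor alone.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
        } else {
            showBalances(req, resp);
        }
    }

    /** Log out: terminate the user session, then return the customer to the public page. */
    private void logout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false); // never create a session just to end it
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/index.html");
    }

    /** View account balance: the page shown immediately after a successful login. */
    private void showBalances(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true); // created on the first authenticated request
        String user = req.getRemoteUser();
        // The Preferred/Regular decision comes from the container's role mapping,
        // never from anything the browser sent.
        boolean preferred = req.isUserInRole("preferred");
        session.setAttribute("customer", user);

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<p>Logged in as " + escape(user) + "</p>");
        // Account list for this customer would be fetched from the mainframe here
        // and each field passed through escape() before being written to the page.
        if (preferred) {
            out.println("<p><a href=\"preferred\">Preferred customer services</a></p>");
        }
        out.println("<p><a href=\"logout\">Log out</a></p>");
        out.println("</body></html>");
    }

    /** Minimal HTML escaping so a user name or account label cannot inject markup. */
    private static String escape(String s) {
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The design choice worth noting is that the servlet never reads a username, password or role from request parameters: the container authenticates through its own form (j_username and j_password posted to j_security_check) and the servlet only consults `getRemoteUser()` and `isUserInRole()`. Logout calls `getSession(false)` so that an already expired session does not silently spawn a fresh one.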
Resource comments
- saint13 2012-10-06: Only chap 5
- 骆昊的技术专栏 2013-12-03: This book is quite good, but it is rather old; everything it covers is from the EJB 2.x era, although many of its good ideas are still worth borrowing. Only chapter 5!