Patterns Applied to Manage Security
201
The Web Banking Case Study
The goal of this case study is to apply security patterns to the design of a web banking application. The
application will be a J2EE web-based one, which will act as a front end to an existing banking system. We
will identify the features of the application, and then define the key business and technical requirements.
High-level Overview
The Wrox Bank is a national bank with branch offices and ATMs (Automated Teller Machines) located
across the country, and operates on an existing computing (mainframe) infrastructure. The bank is being
pressured by customers to provide banking services online. A recent survey revealed the following three
services as most important to the customers:
❑ View account balance
❑ View account activity
❑ Transfer funds between accounts
Assumptions
The following assumptions can be made about this case study:
❑ The existing banking infrastructure consists of a trusted mainframe system, which will be
capable of supporting all activity generated by this web-based application
❑ Connectivity to the back-end mainframe occurs over a dedicated, high-speed network
❑ The creation of web-based accounts (including usernames and passwords) is performed at
branch locations and is outside the scope of this online application
Business Requirements
Business requirements define the features or services of an application.
The Wrox Web Banking application will be web-based and accessible over the Internet by standard
web browsers (wireless devices will not be supported at this time). It will be a front end to the existing
banking infrastructure, that is, it will not duplicate the core account information of the mainframe.
There will be three types of users of this application:
❑ Anonymous users are those who access only the public pages of the web site and cannot log in
and thus cannot perform any banking activities.
❑ Regular customers are those who perform the following activities:
Log in to the application: after successful form-based authentication, the application will
create a user session, allowing the customer to access other services
Log out of the application: this will terminate the user session
View account balance: immediately after login, the application will display a list of the
customer's active accounts and their balances
❑ Preferred customers are those who perform all the activities of Regular customers in addition
to the following:
