Security is always a challenging exercise in enterprise applications. Securing Java or J2EE/JEE based applications can be done in various ways. As far as web applications are concerned there are four known authentication mechanisms.

HTTP Basic Authentication :
An authentication protocol defined within the HTTP protocol (and based on headers). It indicates the HTTP realm for which access is being negotiated and sends passwords with base64 encoding, which can be decoded easily, so it is not very secure. For further details, refer to RFC2068.
HTTP Digest Authentication :
Like HTTP Basic Authentication, but with the password transmitted in an encrypted form. It is more secure than Basic, but less secure than HTTPS Authentication, which uses private keys. However, it is not currently in widespread use.


HTTPS Authentication :
It is also known as SSL mutual authentication. This security mechanism provides end-user authentication using HTTPS (HTTP over SSL, the Secure Socket Layer). It performs mutual (that is, client and server) certificate-based authentication with a set of different cipher suites.

Form Based Authentication or Login : A standard HTML form (generated via Servlet/JSP, a script or a static page) for logging in. It can be associated with protection or user domains and is used to authenticate previously unauthenticated users. The major advantage of form based authentication is that the look and feel of the login screen can be controlled, in contrast to the browser's built-in HTTP authentication mechanisms.

According to the J2EE specifications, Basic, HTTPS and Form based authentication are mandatory requirements for any J2EE compliant application server (here, the web container). HTTP Digest Authentication is not a requirement, but web containers are encouraged to support it.

Example: The Tomcat web container is the reference implementation of the Java Servlet API and provides the methods discussed above.

NB : Image sourced from Sun J2EE Tutorial - Security
