Task: Security Concerns

The BASICS web site will include some pages that must be protected by password authentication.  Because the Tomcat web server implements the Java Servlet 2.2 specification -- http://java.sun.com/products/servlet/download.html -- declarative security (authentication plus role-based access control, configured in the web application's deployment descriptor rather than coded into each page) is available directly from the server.

A further requirement for the BASICS project is that the list of users, passwords, and security roles be maintained in the database rather than in Tomcat's default user file.  Tomcat calls this kind of authentication management a JDBC Realm: the server looks users, passwords, and roles up in database tables over a JDBC connection.  For details, go to http://jakarta.apache.org/tomcat/tomcat-3.2-doc/ and click on the link for JDBC Realms.
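As an added illustration (not configuration from the BASICS project), this is the shape of a Tomcat 3.2 JDBC Realm setup: the realm is a RequestInterceptor declared in conf/server.xml, and it reads two tables.  The driver class, database name, account, and table/column names are assumptions for the example; the attribute names follow the Tomcat 3.2 JDBC Realms page linked above and should be checked against it.

```xml
<!-- conf/server.xml (Tomcat 3.2): inside the ContextManager element,
     in place of the default SimpleRealm interceptor that reads
     conf/tomcat-users.xml.  All connection details below are assumed
     values for this example. -->
<ContextManager debug="0" workDir="work" showDebugInfo="true">

  <RequestInterceptor className="org.apache.tomcat.request.JDBCRealm"
      debug="0"
      driverName="org.gjt.mm.mysql.Driver"
      connectionURL="jdbc:mysql://localhost/basics"
      connectionName="basics_auth"
      connectionPassword="change-me"
      userTable="users"
      userNameCol="user_name"
      userCredCol="user_pass"
      userRoleTable="user_roles"
      roleNameCol="role_name" />

  <!-- The realm expects these two tables (assumed schema, shown here as
       the SQL the example was written against):

       CREATE TABLE users (
         user_name  VARCHAR(32) NOT NULL PRIMARY KEY,
         user_pass  VARCHAR(64) NOT NULL
       );
       CREATE TABLE user_roles (
         user_name  VARCHAR(32) NOT NULL,
         role_name  VARCHAR(32) NOT NULL,
         PRIMARY KEY (user_name, role_name)
       );

       The role names stored in user_roles must match the role-name
       entries in the web application's web.xml. -->

</ContextManager>
```

Two practical notes: the database account named in connectionName only needs SELECT on these two tables, so create a dedicated read-only account for it rather than reusing the application's main account; and unless the Tomcat 3.2 realm is confirmed to support digested passwords, user_pass holds the password in clear text, so access to that table must be restricted accordingly.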

Your tasks regarding security concerns for the BASICS project are:

In the Java Servlet 2.2 specification, you should focus on the two chapters that deal with security.  The first step is to implement security in Tomcat without a JDBC Realm, using Tomcat's default user file, and the second step is to switch the realm to the database.  For administrative or other privileged purposes, we will probably define virtual URL directories such as /admin and /private that are secured; everything else will be publicly accessible.  There will be several other issues along the way, and we will need to discuss those as they come up and as we debug the security model we have chosen.  It is important, for example, that passwords are never transmitted in the clear over HTTP: both BASIC and FORM authentication send the password as clear text (BASIC merely base64-encodes it), so the protected URLs must be served over SSL.
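As an added example (not the BASICS project's own descriptor), the following web.xml shows the first step: Servlet 2.2 declarative security that protects /admin and /private, requires an "admin" role, and declares a CONFIDENTIAL transport guarantee so those URLs are only served over SSL.  The role name, login page names, and realm name are assumptions for the example.

```xml
<!-- WEB-INF/web.xml (Servlet 2.2 deployment descriptor).  Element order
     matters under the 2.2 DTD: security-constraint, then login-config,
     then security-role. -->
<web-app>

  <!-- Only authenticated users holding the "admin" role (assumed name)
       may reach anything under /admin or /private. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL requires SSL for these URLs, so neither the
         credentials nor the protected content cross the network in the
         clear.  Whether Tomcat 3.2 redirects plain HTTP requests to
         HTTPS for such URLs has to be verified during testing. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login: the login page (assumed name) must POST to
       j_security_check with fields named j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>BASICS</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced above must also be declared here. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

For the first step this descriptor works unchanged against Tomcat's default user file, provided a user there is assigned the admin role; for the second step nothing in web.xml changes, only the realm configured in server.xml, which is the main reason to do the two steps in this order.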