Hi,

When looking at model 2 from the standpoint of security, there is something
that concerns me.
The problem is that apparently, JSP/servlets/beans, running usually in DMZ,
IMHO, should not access sensitive resources, such as database, password
protected URLs, FTP sites, etc. In a security-conscious application, such
access should be done from behind a firewall, with username/password file
(maybe XML configuration file) being inaccessible from behind a firewall.
By placing database access from outside the firewall into DMZ any serious
project might run into a problem with hackers even if the company Risk
Management Group slips this design through.
What I usually did in previous designs (granted it was Javascript and HTTPS
in front end in DMZ and Java as back-end behind the firewall) was to encrypt
all the messages circulating between DMZ into the firewall and back using
either TLS/SSL or PGP/RSA encrypted buffers. I believe something similar is
due for commercial applications written using JSP.
Thinking now of solutions that embrace model 2 JSP applications and satisfy
the security concerns, the best that comes to my mind is to extend the tiers
by one using the following approach:
1. Controller servlet will be more of a Proxy for a remote object. It will
pack the form and action attributes into an XML stream and transmit it using
TLS/SSL to the RealController remote object which resides inside the
firewall.
2. (Inside the firewall) RealController will instantiate Command/Action
classes which will do the job. They will retrieve sensitive information from
configuration file accessible only within a firewall, perform
security-sensitive operations (access database, hit FTP site, etc) and
construct a bean class.
3. Resulting bean class is returned back through the same secure channel
(TLS/SSL) to the DMZ-residing Proxy/Controller servlet. This could probably
be done by making the bean serializable and writing it to the output stream
of the TLS/SSL connection.
4. Proxy/Controller servlet (in this scenario, it is really not much of a
Controller, but I keep the name for backward compatibility) will extract the
bean from the stream and other relevant info, such as the next JSP page, and
deliver it to the JSP.

This extension of model 2 by one layer and making it distributed would
probably work, based on my past project experience.
Is there anything simpler than that? Some architecture configuration options
I overlooked to make "basic" model 2 secure?

Vadim Shun
NEW Corp
Dulles, VA
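The DMZ-side Proxy/Controller from steps 1, 3 and 4 above, as an added example that is not the poster's code: it packs the form into XML, sends it over an SSLSocket to the inner RealController, and reads back the next page name and a serialized bean. The host, port, bean package, the wire format (UTF string followed by one serialized object) and a Java 9+ JDK are assumptions; the deserialization filter is the check a defender would want before accepting objects from any peer, even one behind the firewall.

```java
import java.io.*;
import java.util.*;
import javax.net.ssl.*;

public class ProxyController {
    // Assumed placeholders: the RealController's inner-network host and TLS port,
    // and the package of the view beans the inner tier is allowed to send back.
    static final String REAL_HOST = "realcontroller.internal";
    static final int REAL_PORT = 8443;
    static final String BEAN_PACKAGE = "com.example.view.";
    /** Handed to the JSP layer (step 4): the bean plus the name of the next page. */
    public static final class Result {
        public final String nextPage; public final Serializable bean;
        Result(String p, Serializable b) { nextPage = p; bean = b; }
    }
    /** Step 1: pack the action and form fields into a small XML document. */
    static String toXml(String action, Map<String, String> form) {
        StringBuilder sb = new StringBuilder("<request action=\"" + esc(action) + "\">");
        for (Map.Entry<String, String> e : form.entrySet())
            sb.append("<field name=\"").append(esc(e.getKey())).append("\">")
              .append(esc(e.getValue())).append("</field>");
        return sb.append("</request>").toString();
    }
    static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace("\"", "&quot;");
    }
    /** Steps 1, 3 and 4: send the XML over TLS, read back the next page and the bean. */
    static Result forward(String action, Map<String, String> form)
            throws IOException, ClassNotFoundException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(REAL_HOST, REAL_PORT)) {
            socket.startHandshake(); // fails unless REAL_HOST's certificate chains to the default truststore
            DataOutputStream out = new DataOutputStream(socket.getOutputStream());
            out.writeUTF(toXml(action, form));
            out.flush();
            // Inner side is assumed to reply via ObjectOutputStream: writeUTF(nextPage), writeObject(bean).
            ObjectInputStream in = new ObjectInputStream(socket.getInputStream());
            // Deserialize only the expected bean classes (Java 9+ ObjectInputFilter) and reject
            // everything else before it is instantiated, so the DMZ tier cannot be fed arbitrary graphs.
            in.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/size checks, not a class
                String n = c.isArray() ? c.getComponentType().getName() : c.getName();
                return n.startsWith(BEAN_PACKAGE) || n.startsWith("java.lang.")
                        ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return new Result(in.readUTF(), (Serializable) in.readObject());
        }
    }
}
```

The inner RealController never sees the DMZ host's credentials; the sensitive configuration stays with it, which is the point of the extra tier.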
