I am trying to do some modification to an existing project. The application
is applet->servlet->database 3-tier architecture. We are using Apache and
Jserv servlet engine.
The first thing I want to modify is the security feature. Normally every
user over the internet can use this applet to retrieve the data, but for
some sensitive data and operations to update the database, it does the following:
1. The applet prompts a window for the user to enter username and password. Then
the data is sent out to the server in clear text by opening a URLconnection
to the server. This clear text is dangerous, so I plan to use some encryption
or use SSL. Which one is better? If I choose SSL, is there any free library
that I can use with Apache and Jserv? Is it possible for the same server to
serve both normal users and privileged ones (the connection is not secure
at first; when the user is prompted for user name and passwd, it changes to
SSL)? Is it possible to return from SSL to the normal channel if the privileged user
chooses to do so?
2. After the server gets the username and passwd, it pulls up a table from
the server side and tries to find a match. The server returns a status back to the applet
based on whether a match has been found. If the status is positive, the
applet sets a flag that is stored inside the applet, and from then on the applet
can do all the privileged operations. But I think storing the flag inside the
applet may be a security hole. The user could tweak the applet to set the
flag and cheat the server. Is this doable? If doable, how could he do it?
Could he use some de-compiler to decompile the applet class downloaded to his
browser and modify the source code to cheat the server?
Thanks
Bing
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
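For point 2 of Bing's post, an added example (not code from the original post or the project) of the server-side alternative to the in-applet flag: the servlet records a successful login in its HttpSession and re-checks that session on every privileged request, so a flag set by a modified or decompiled applet is never consulted. The class name, request parameter names and the in-memory credential table are assumptions.

```java
// Added example, not code from the original post or project. Names are assumptions.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class PrivilegedServlet extends HttpServlet {
    private static final String AUTH_ATTR = "authenticatedUser";
    // Constructed credential table; a real one lives in the database with hashed passwords.
    private static final Map CREDENTIALS = new HashMap();
    static { CREDENTIALS.put("alice", "correct horse"); }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if ("login".equals(action)) {
            String user = req.getParameter("username");
            String pass = req.getParameter("password");
            if (user != null && pass != null && pass.equals(CREDENTIALS.get(user))) {
                // Drop any pre-login session so its id cannot be reused, then mark the new one.
                HttpSession old = req.getSession(false);
                if (old != null) old.invalidate();
                req.getSession(true).setAttribute(AUTH_ATTR, user);
                resp.getWriter().print("OK");
            } else {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }
        // Every privileged operation re-checks the server-side session. The applet's own
        // flag is never consulted, so a modified applet gains nothing by setting it.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(AUTH_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if ("update".equals(action)) {
            String user = (String) session.getAttribute(AUTH_ATTR);
            // ... run the database update on behalf of 'user' here ...
            resp.getWriter().print("UPDATED");
        } else if ("logout".equals(action)) {
            session.invalidate();
            resp.getWriter().print("BYE");
        }
    }
}
```

The applet must carry the session back on each later URLConnection, typically by replaying the Set-Cookie value received at login, since the server-side lookup is keyed on that cookie. Both the login and that cookie should travel only over SSL, because anything readable on the plaintext channel can be replayed.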