
The Research And Practice Of The Security For The J2EE Web-based Financial System

Posted on: 2008-11-16  Degree: Master  Type: Thesis
Country: China  Candidate: Z J Zhu  Full Text: PDF
GTID: 2178360212984953  Subject: Computer applications
Abstract/Summary:
Now more and more corporations move their business platform to the Internet. Users can visit the web system with a browser, without installing any client-side software. The Internet has many features such as system openness and multiple connection types; however, it also exposes more security vulnerabilities than the earlier desktop applications. Especially for a web-based bank or financial system, it is critical that the system protects private data, prevents invalid users from viewing or modifying data, and keeps running normally.

Based on the experience of the financial web-based system FWS, this thesis analyzes the main attack risks of today. They can be divided into three kinds: user connection risk, user input risk and data security risk. The ways to solve these three kinds of security risks are analyzed: how to avoid and detect the possible attacks, and how to establish efficient and easy validation logic. Meanwhile, ways to prevent the risks of AJAX technology are also researched.

In the first chapter of this thesis, the background is introduced, as well as the research motivation and the main content.

In the second chapter, the related technology and systems used in this thesis are summarized and analyzed. The well-known main attacks and risks are listed, and others' ideas and research on how to detect and prevent them are also brought up.

In the third chapter, the main development environment of the FWS project is introduced, as well as the main functionality and security requirements of this system that are related to the following chapters.

In the fourth chapter, the security risk of user connection is analyzed, and a solution is discussed that uses SiteMinder to manage user entitlement and authorization, uses WebSphere Portal Server to manage user sessions, and uses HTTPS to encrypt/decrypt the web information.

In the fifth chapter, the security risk of user input is analyzed, and the different ways to validate user input for several input types are brought up, as well as how to sanitize application output and how to write validation code combined with the Struts Validation Framework. Meanwhile, the security risk of AJAX and the possible solutions are discussed.

In the sixth chapter, the security risk of data security is analyzed, and the solution is discussed of how to validate the user's privilege when he requests some functionality, or when he requests to view or modify some private data.

At last, in the seventh chapter, the summary of this thesis and the future work are presented.
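The fifth and sixth chapters as summarized above describe three server-side steps: validating each input field according to its type, encoding application output before it is rendered, and checking the user's privilege before a private record is returned. The following is an added illustration of those three steps in plain Java; it is not code from the FWS project or the thesis, and it does not use the Struts Validation Framework or SiteMinder. The class name `FwsSecurityDemo`, the input patterns, and the in-memory `ACCOUNT_OWNER` / `ACCOUNT_BALANCE` maps (which stand in for the entitlement store and the database) are all constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added illustration (not the FWS project's code) of the three defensive steps the
 * abstract names for user input and data access:
 *  1. type-specific whitelist validation of input fields,
 *  2. HTML-encoding of application output so stored data is displayed, not interpreted,
 *  3. a server-side check that the session's user may view the requested record.
 * The entitlement and balance lookups are constructed in-memory maps.
 */
public class FwsSecurityDemo {

    // Whitelist patterns per input type (assumed formats, chosen for this demo).
    private static final Pattern ACCOUNT_NO_RE = Pattern.compile("^[0-9]{10,16}$");
    private static final Pattern AMOUNT_RE     = Pattern.compile("^[0-9]{1,12}(\\.[0-9]{1,2})?$");
    private static final Pattern USER_ID_RE    = Pattern.compile("^[A-Za-z0-9_]{3,32}$");

    public enum InputType { ACCOUNT_NO, AMOUNT, USER_ID }

    /** Step 1: accept only values that match the expected shape for their type. */
    public static boolean isValid(InputType type, String value) {
        if (value == null) {
            return false;
        }
        switch (type) {
            case ACCOUNT_NO: return ACCOUNT_NO_RE.matcher(value).matches();
            case AMOUNT:     return AMOUNT_RE.matcher(value).matches();
            case USER_ID:    return USER_ID_RE.matcher(value).matches();
            default:         return false;
        }
    }

    /** Step 2: encode for an HTML context so user-influenced data cannot become markup. */
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Constructed sample data: account owner (entitlement) and account balance (record).
    private static final Map<String, String> ACCOUNT_OWNER = new HashMap<>();
    private static final Map<String, String> ACCOUNT_BALANCE = new HashMap<>();
    static {
        ACCOUNT_OWNER.put("1234567890", "alice");
        ACCOUNT_OWNER.put("9876543210", "bob");
        ACCOUNT_BALANCE.put("1234567890", "1500.00");
        ACCOUNT_BALANCE.put("9876543210", "42.10");
    }

    /**
     * Step 3: the server decides whether the authenticated user may see this record.
     * The user id comes from the authenticated session, never from a request parameter.
     */
    public static String viewBalance(String sessionUserId, String requestedAccount) {
        if (!isValid(InputType.USER_ID, sessionUserId)
                || !isValid(InputType.ACCOUNT_NO, requestedAccount)) {
            return "error: invalid input";
        }
        String owner = ACCOUNT_OWNER.get(requestedAccount);
        if (owner == null || !owner.equals(sessionUserId)) {
            // Same answer for "no such account" and "not your account":
            // the response does not reveal which accounts exist.
            return "error: access denied";
        }
        String balance = ACCOUNT_BALANCE.get(requestedAccount);
        return htmlEncode("Balance for " + requestedAccount + ": " + balance);
    }

    public static void main(String[] args) {
        System.out.println(viewBalance("alice", "1234567890")); // own account: balance shown
        System.out.println(viewBalance("alice", "9876543210")); // another user's account: denied
        System.out.println(viewBalance("alice", "1234abcd"));   // fails type validation
        System.out.println(htmlEncode("<b>name</b> & \"quote\"")); // markup rendered inert
    }
}
```

The order of the checks matters: input is validated before any lookup, and the ownership check runs on the server using the session identity, so a well-formed request for someone else's account is refused at the same place a malformed one is. In a Struts-based application the validation step would live in the framework's validation configuration rather than in hand-written patterns, but the output encoding and the privilege check remain application logic.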
Keywords/Search Tags: Network Security, Financial System, Session Management, User Entitlement Management, Input Validation, Data Security, AJAX Security