
Study of Web Application-based User Authentication and Authorization in ERP

Posted on: 2007-09-01
Degree: Master
Type: Thesis
Country: China
Candidate: W Jiang
GTID: 2208360185956431
Subject: Mechanical Manufacturing and Automation
Abstract/Summary:
ERP systems based on Web applications are now widely used in all kinds of enterprises. Implementing security for Web applications is a mandatory task for architects and Web application developers. Web application security has two major components: authentication and authorization. Different people have different access control rights to different resources, and how users are authenticated and authorized is the key to building a stable system.

Because Web applications are open, a user's mistaken operation or deliberate behavior may go beyond his rights, so any user who wants to log in to the system must be authenticated and authorized. In a Web application, the user accesses all resources as URLs in a web browser. A user may type the URL of a protected page that he does not have sufficient rights to access, without passing through the login page. Or, once logged in to the system, he may deliberately type a protected URL that he has no right to access. In addition, as the business expands, new authentication mechanisms will probably need to be plugged into the system.

This paper focuses on these problems. On the J2EE platform, the Web container's built-in security mechanism and the JAAS framework are studied. First, the three types of authentication mechanisms offered by J2EE-based Web containers are introduced. Then, how to protect resources through the deployment descriptor is described in detail. Finally, the authentication and authorization mechanism provided by JAAS is studied and its UML sequence diagram is given.

In an oil company's ERP system, the company requires that the terminal user be the exact user in the database, so we use BES's JDBCLoginModule and the J2EE Web container's form-based authentication, combined with Oracle's own authentication, to authenticate and authorize users who want to access the Web application. As a result, the resources that a user can access are limited at the Web page level, and the security issue considered in the development phase is moved to deployment. The business logic and rights management are isolated, so programmers do not need to write code in each page to check whether the user has the right to access it. The results show that using JAAS's...
Keywords/Search Tags:Web application, J2EE Web container, authentication, authorization, JAAS, ERP