Security in Web Applications

Summary

We hope we’ve convinced you that security is pretty easy to add to a web application. It offers many benefits after it’s been added: customization based on role, an auditing log, and password encryption. In our experience, using container-managed security has made our development existence more enjoyable. We’ve done it programmatically by using LDAP and lots of application logic to show or hide links and to allow or deny access to pages. Even though it worked, and it worked well, it took much longer to program initially, and it was quite a nuisance to maintain. On the other hand, if you already have an authentication and authorization framework that offers you all the same benefits, you should, by all means, use it, and if it’s portable and works well, share it!

Our biggest issues with container-managed security have been related to the servlet container’s implementation of the Servlet specification. We recommend testing your application on Tomcat if you’re experiencing problems with configuring security. If your application works on Tomcat, your container might have some problems, and it’s time to do some research or write a workaround, or even to move to a different container (if that’s an option). Developing on Tomcat can be a great time-saver!