ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2647/xml/how-to-fix-it/java-ee.adoc
Egon Okerman 0aa80c7af2
Modify rule S2647: Update to LaYC format (APPSEC-970) (#2917) 
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
2023-09-05 13:46:16 +00:00

45 lines
1.8 KiB
Plaintext
Raw Blame History

== How to fix it in Java EE
=== Code examples
The following code uses basic authentication to protect web server endpoints.
==== Noncompliant code example
[source,xml,diff-id=201,diff-type=noncompliant]
----
<!-- web.xml -->
<web-app>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</web-app>
----
==== Compliant solution
[source,xml,diff-id=201,diff-type=compliant]
----
<!-- web.xml -->
<web-app>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>
----
=== How does this work?
include::../../common/fix/token-auth.adoc[]
The Jakarta EE Security API offers robust and standardized methods to handle authentication and authorization in Jakarta EE applications. In the example, form-based authentication is applied to the `web.xml` configuration file. After a user successfully logs into the application, a session is created for the user. A session token is stored in a cookie and is used for subsequent requests.
==== Integrate with an Identity and Access Management (IAM) System
For more advanced authentication and authorization capabilities, consider integrating the backend with an IAM system. Doing so gives access to features like single sign-on (SSO), role-based access control, and centralized user management. As of Jakarta EE 10, support for OpenID Connect (OIDC) is included. Using this authentication method, several OIDC providers can be integrated easily, such as Auth0, Okta, and Azure Active Directory.
include::../../common/fix/ssl.adoc[]
In Jakarta EE, HTTPS traffic can be enabled by setting the `transportGuarantee` attribute to `CONFIDENTIAL` in `web.xml`.
Reference in New Issue View Git Blame Copy Permalink