So far we have imagined that our servlets exist in a perfect world, where everyone is trustworthy and nobody locks their doors at night. Sadly, that’s a 1950s fantasy world: the truth is that the Internet has its share of fiendish rogues. As companies place more and more emphasis on online commerce and begin to load their intranets with sensitive information, security has become one of the most important topics in web programming.
Security is the science of keeping sensitive information in the hands of authorized users. On the Web, this boils down to four important issues:
Being able to verify the identities of the parties involved
Limiting access to resources to a select set of users or programs
Ensuring that only the parties involved can understand the communication
Being able to verify that the content of the communication is not changed during transmission
It helps to think of this in context: a client wants to be sure that it is talking to a legitimate server (authentication), and it also wants to be sure that any information it transmits, such as credit card numbers, is not subject to eavesdropping (confidentiality). The server is also concerned with authentication and confidentiality, as well as authorization. If a company is selling a service or providing sensitive information to its own employees, it has a vested interest in making sure that nobody but an authorized user can access it. Finally, both ...