Web Server Security

I have written many web based application but none required any real security. My current project requires SSL encryption and digital signing of an online document. I am using a Tomcat server and have the following questions....

1. Since this is a JSP WEB app is it ok to use Tomcat alone or should I use Tomcat within an Apache or IIS server.
2. Will I need any other encryption tools other than SSL for the HTML page
3. When a signature is captured using a signature pad how is it stored for retrieval when needed to sign a document.
4. Is there an advantage to using an independent company providing an online signature capture server to handle the document signing rather than saving the signature on the application server
5. Is there a book or online documentation that I be viewed or purchase that will give me a sound understanding of all of the above plus anything of concern that I may have failed to list.

I hope this question makes sense to someone out there but if not perhaps I can find a way to better word it.

Thanks
rf
ivron001Asked:
Who is Participating?
 
AngryBinaryConnect With a Mentor Commented:
1. Gotcha, so you're talking Tomcat vs httpd. It's not so much a matter of security, but of technology choice. Back in the olden days, httpd performed better than Tomcat, but that's no longer the case. In fact, Tomcat outperforms httpd in many Java app server scenarios. The reason to go with httpd is if you want to integrate other technologies like Perl or PHP or other CGI, since that is supposedly easier with httpd. As far as security, there is nothing I've ever found to indicate one is more secure than the other. In fact, pure Tomcat server is used by default in many enterprise level applications (SAP Business Objects, for one) where security undergoes rigorous audits by the organizations that use the product and sensitive data is at stake. So, I won't make any assumptions about your security requirements, but for me, it would be a case of "It's good enough for them, so it's good enough for me."

3. So, you're talking about PDF digital signatures... I'm afraid I don't know enough about PDF forms to tell you how that's executed. It should work one of two ways, though... either the PDF is submitted back to the server in it's signed entirety via an embedded link on the PDF document (you would have to provide a form handling script on the server to store it to disk), or the user would have to save it locally and upload it via a web form (ditto). Either way, the expectation is that you should have a PDF with a digital signature which indicates 1) that a person has agreed to whatever it is that they signed, and 2) that the portion of the PDF covered by the digital signature has absolutely not been modified since it was signed.

5. Well, the goal there was to get you started. Based on the description of the book and reviews of others who have used it, I would buy that book if I wanted a book on SSL practices. I can't properly recommend it since I haven't read it, though. In the days of old, I would go to a book store and skim through hard copies of books on tech subjects to determine if I liked the writing style and if addressed my particularly interests before deciding whether or not to buy.
0
 
AngryBinaryCommented:
1. Tomcat is Apache, if I'm not mistaken. IIS is a useful intermediary if you also want to host ASP.NET applications on the same sub-domain (and/or same port), otherwise it's an unnecessary complication.

2. SSL provides sufficient encryption to transmit data as securely as any other secure site out there.

3. You will need to elaborate on what you mean by "signature pad" - if you have some sort of signature capture device, or a RIA application with a drawing canvas, or use a mobile app, the methods may vary, and we can't necessarily say how the data is transferred to a server without knowing the specific implementation.

4. Possibly. The EU has rules about what data you can and cannot transmit over the Internet, and how that data is handled. Using a third party that is certified compliant with Safe Harbor laws saves you that trouble. There is more information than I can provide here: http://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles

5. There are myriad books on the topic of SSL and secure web practices. I can't provide specific recommendations, but it would generally be wise to consider material that is well-rated by those who have used it. Example: http://www.amazon.com/SSL-TLS-Designing-Building-Systems/dp/0201615983
0
 
ivron001Author Commented:
Thanks for your reply...

1. To my understanding Tomcat is a separate project that exist under the Apache umbrella. It can run as an independent web server or as a plugin for the Apache web server and IIS web server. Your point for the question however is still is valid.

2. Was as suspected however your confirmation makes me feel better

3. What we would like to do is capture a users signature with a digital pad and store that signature on the web server that contains the application. When the user wants to sign a document it would ask for some type of secure code known only to the user and once validated will apply the signature to the document. The documents are generated using the iText PDF library. If this is possible I would need some reference material that explains how to do it.

4. You have given me a starting point with this answer

5. Unfortunately there are tons of books on the subject so if you think the one you recommended is a good place to start I will order it later this afternoon.

If you can let me know if I am on the right track with #3 then my questions will have been answered and I can award you the points.

Thanks
rf
0
 
ivron001Author Commented:
I needed to be put on the right track and I feel the solutions given did just that.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.