ivron001


Web Server Security

I have written many web-based applications but none required any real security. My current project requires SSL encryption and digital signing of an online document. I am using a Tomcat server and have the following questions....

1. Since this is a JSP web app, is it OK to use Tomcat alone, or should I use Tomcat within an Apache or IIS server?
2. Will I need any other encryption tools other than SSL for the HTML page?
3. When a signature is captured using a signature pad, how is it stored for retrieval when needed to sign a document?
4. Is there an advantage to using an independent company providing an online signature capture server to handle the document signing rather than saving the signature on the application server?
5. Is there a book or online documentation that can be viewed or purchased that will give me a sound understanding of all of the above, plus anything of concern that I may have failed to list?

I hope this question makes sense to someone out there but if not perhaps I can find a way to better word it.

Thanks
rf
AngryBinary

1. Tomcat is Apache, if I'm not mistaken. IIS is a useful intermediary if you also want to host ASP.NET applications on the same sub-domain (and/or same port), otherwise it's an unnecessary complication.

2. SSL provides sufficient encryption to transmit data as securely as any other secure site out there.

3. You will need to elaborate on what you mean by "signature pad" - if you have some sort of signature capture device, or a RIA application with a drawing canvas, or use a mobile app, the methods may vary, and we can't necessarily say how the data is transferred to a server without knowing the specific implementation.

4. Possibly. The EU has rules about what data you can and cannot transmit over the Internet, and how that data is handled. Using a third party that is certified compliant with Safe Harbor laws saves you that trouble. There is more information than I can provide here: http://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles

5. There are myriad books on the topic of SSL and secure web practices. I can't provide specific recommendations, but it would generally be wise to consider material that is well-rated by those who have used it. Example: http://www.amazon.com/SSL-TLS-Designing-Building-Systems/dp/0201615983

ASKER

Thanks for your reply...

1. To my understanding, Tomcat is a separate project that exists under the Apache umbrella. It can run as an independent web server or as a plugin for the Apache web server and the IIS web server. Your point for the question, however, is still valid.

2. Was as suspected; however, your confirmation makes me feel better.

3. What we would like to do is capture a user's signature with a digital pad and store that signature on the web server that contains the application. When the user wants to sign a document, it would ask for some type of secure code known only to the user and, once validated, will apply the signature to the document. The documents are generated using the iText PDF library. If this is possible I would need some reference material that explains how to do it.

4. You have given me a starting point with this answer

5. Unfortunately there are tons of books on the subject so if you think the one you recommended is a good place to start I will order it later this afternoon.

If you can let me know if I am on the right track with #3 then my questions will have been answered and I can award you the points.

Thanks
rf
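The flow described in #3 above (validate a user-only code, then apply the stored signature image to an iText-generated PDF), as an added example that is not code from the asker or from the expert. It assumes the iText 5 API (com.itextpdf.text), that the code was hashed with PBKDF2 and a per-user random salt at enrolment, and that the signature image bytes are retrieved from server-side storage; the class and method names are hypothetical.

```java
import com.itextpdf.text.Image;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfStamper;
import java.io.ByteArrayOutputStream;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical helper: check the user's signing code, then stamp the stored signature image (iText 5 API). */
public class SignatureStamper {
    private static final int ITERATIONS = 100_000; // PBKDF2 work factor; tune to your server (assumption)
    private static final int KEY_BITS = 256;

    /** At enrolment: derive a salted PBKDF2 hash of the code (salt from SecureRandom). Store salt + hash, never the code. */
    public static byte[] deriveHash(char[] code, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(code, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the code from memory once the hash is derived
        }
    }

    /** At signing time: constant-time comparison so timing does not reveal how many bytes matched. */
    public static boolean verifyCode(char[] code, byte[] salt, byte[] storedHash) throws Exception {
        return MessageDigest.isEqual(deriveHash(code, salt), storedHash);
    }

    /** Stamps the stored signature image (PNG/JPEG bytes) onto page 1 only after the code verifies. */
    public static byte[] applySignature(byte[] pdf, byte[] signatureImage, char[] code,
                                        byte[] salt, byte[] storedHash, float x, float y) throws Exception {
        if (!verifyCode(code, salt, storedHash)) {
            throw new SecurityException("signing code rejected"); // caller logs the failure and rate-limits retries
        }
        PdfReader reader = new PdfReader(pdf);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        PdfStamper stamper = new PdfStamper(reader, out);
        Image img = Image.getInstance(signatureImage);
        img.scaleToFit(150, 50);        // keep the image inside the signature box
        img.setAbsolutePosition(x, y);  // PDF points, measured from the page's lower-left corner
        stamper.getOverContent(1).addImage(img);
        stamper.close();
        reader.close();
        return out.toByteArray();
    }
}
```

A stamped image is a visual mark only, not a cryptographic digital signature; if the document must be tamper-evident, iText's signing classes (PdfStamper.createSignature with MakeSignature in iText 5) produce a PKCS#7 signature that verifies in a PDF reader.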
ASKER CERTIFIED SOLUTION
AngryBinary

I needed to be put on the right track and I feel the solutions given did just that.