Secured web application development in Java

I have been asked to do a web application using Java (using open source frameworks) which should be a highly secured application.

I have an impression that using HTTPS will solve all the issues related to communication between browser and server. Is it correct?

If I want to store the login details in the session object, is it really safe if I do that, assuming the connection is HTTPS?

Please give me some thoughts about how to develop secured (to sustain session ID spoofing, etc.) applications using Java. All the while I was just doing normal username and password login applications where the system stores user info (like username and role) in the session object.

Thanks & Regards,

Venky


Kindly read the OWASP Guide before you start developing a secured web application.


You can use Spring Security to secure your application, which makes it easy to handle login and logout routines and access control over your application using annotations, request maps and so on, based on roles assigned to the user. It handles storing login information. And if you find that something should be done differently, you can implement your own mechanism to satisfy your needs: Spring Security is highly customizable with interfaces. The possibilities are enormous and, from what I know, Spring Security is pretty much standard now for securing web applications based on Java.

Personally, I'm using Spring Security in a Grails application, and I'm very satisfied with the way it works and its possibilities.


I have an impression that using HTTPS will solve all the issues related to communication between browser and server. Is it correct?

Yes, because it won't send the request in plain form; it will encrypt it and send it.

If I want to store the login details in the session object, is it really safe if I do that, assuming the connection is HTTPS?

It has nothing to do with HTTPS; it will be stored on the server.

And to enable HTTPS in your web server, you need to configure SSL with your web/app server.
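
An added example, not part of the original question or answers: a servlet login that keeps the session ID in a Secure, HttpOnly cookie only and issues a fresh ID at login, which covers the session ID handling the question asks about. It assumes a Servlet 3.1+ container using the `javax.servlet` namespace and a configured container realm for `request.login`; the class names, the `/login` path and the `admin` role are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

// Hypothetical names: LoginServlet, SessionHardening, "/login", role "admin".
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Runs once at startup, before any session cookie is issued.
    @WebListener
    public static class SessionHardening implements ServletContextListener {
        @Override public void contextInitialized(ServletContextEvent e) {
            ServletContext ctx = e.getServletContext();
            // Carry the session ID in a cookie only, never as ;jsessionid= in URLs.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setSecure(true);   // browser returns the cookie over HTTPS only
            cookie.setHttpOnly(true); // page scripts cannot read the cookie
        }
        @Override public void contextDestroyed(ServletContextEvent e) { }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!req.isSecure()) { // refuse credentials that arrived over plain HTTP
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            // Assumption: the container realm checks the password.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException ex) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Issue a new ID at login so an ID handed out before authentication
        // is useless afterwards (session fixation defence).
        req.getSession(true);   // changeSessionId() requires an existing session
        req.changeSessionId();
        HttpSession session = req.getSession();
        // Keep only identity and role on the server; never the password.
        session.setAttribute("username", req.getRemoteUser());
        session.setAttribute("role", req.isUserInRole("admin") ? "admin" : "user");
        session.setMaxInactiveInterval(15 * 60); // idle timeout in seconds
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```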
