Session 4 : securing web application  - Giáo trình Bách Khoa Aptech
  • Notes for slide 16
    – getAuthType() – returns the name of the authentication scheme.
    – getRemoteUser() – returns the login name of the user if the user is authenticated; otherwise returns null.
    – getRequestedSessionId() – returns the session ID supplied by the client.
  • Transcript

    • 1. Slide 1 of 19 Securing Web Application
    • 2. Slide 2 of 19 Overview
      – Security Concepts
      – Security Mechanism
      – Pillars of Security
        • HTTP Basic Authentication
        • HTTP Digest Authentication
        • HTTPS Client Authentication
        • Form-based Authentication
      – Authentication
      – Users
      – Declarative Security
      – Programmatic Security
    • 3. Slide 3 of 19 Security Concepts
      – Why Web applications need securing:
        • Web applications are accessed over a network such as the Internet or an intranet.
        • Unauthorized users may gain access to confidential information, for example a Personal Identification Number (PIN).
        • Resources may be used without authorization, for example a person using a customer's bank account without that customer's permission.
        • Malicious code: programs written by attackers to compromise the security of Web applications.
    • 4. Slide 4 of 19 Security Mechanisms
      – Firewall
      – Digital Signatures
      – Password Authentication / Authorization
    • 5. Slide 5 of 19 Security Mechanism
      – HTTP basic authentication
      – HTTP digest authentication
      – HTTPS (Secured HTTP) client authentication
      – Form-based authentication
    • 6. Slide 6 of 19 Http Basic Authentication
      – A common method of authenticating users by verifying a user name and password.
      – Users are authenticated before they are allowed to access protected resources.
      – The server enforces security through the Web browser.
      – When the user tries to access a protected resource, the Web browser displays a dialog box to collect the authentication information.
    • 7. Slide 7 of 19 Http Digest Authentication
      – Uses hash functions to secure Web applications.
      – A hash function converts input data into a small, fixed-size value, as in this illustrative table:
          Input             Hash Value
          Fox               DFC3478
          Fox is running    583DNT89
    • 8. Slide 8 of 19 Https Client Authentication
      – Users are authenticated by establishing a Secure Sockets Layer (SSL) connection between sender and recipient.
        • Sender – SSL client
        • Recipient – SSL server
      – SSL is an extra layer between HTTP and TCP; this layer carries out the client authentication.
      – Two kinds of certificates are used:
        • Server certificates – contain information about the server that lets a client identify the server before sharing sensitive information.
        • Client certificates – contain personal information about the user and introduce the SSL client to the server.
    • 9. Slide 9 of 19 Form-based Authentication
      – A customized login page is created for the Web application.
      – Users can browse the unprotected pages of the site, but are redirected to the login page when they try to access a secured page.
      – Uses base-64 encoding, which can expose the user name and password unless all connections are over SSL.
      – Does not specify the security realm:
        • A realm is the region in which a security permission applies.
        • A security realm specifies the scope of the security data.
    • 10. Slide 10 of 19 Authentication
      – Authentication is specified in web.xml. Form-based login with a login page and an error page:
          <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
              <form-login-page>/Login.jsp</form-login-page>
              <form-error-page>/Error.jsp</form-error-page>
            </form-login-config>
          </login-config>
      – HTTP Basic authentication against the "Managers" realm:
          <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>Managers</realm-name>
          </login-config>
    • 11. Slide 11 of 19 Users
      – Users are configured in the tomcat-users.xml file:
          <tomcat-users>
            <role rolename="tomcat"/>
            <role rolename="manager"/>
            <role rolename="admin"/>
            <user username="rahulk" password="rahulk" roles="manager,admin"/>
            <user username="tomcat" password="tomcat" roles="tomcat"/>
          </tomcat-users>
    • 12. Slide 12 of 19 Declarative Security
      – Secures resources through the server configuration.
      – Works as a separate layer from the Web component it protects.
      – Advantages:
        • The programmer can ignore the security constraints inside the application code.
        • Updating the mechanism does not require a total change of the security model.
        • It is easy to maintain.
    • 13. Slide 13 of 19 Declarative Security
      – Limitations:
        • Access is either granted or denied as a whole.
        • Access is granted by the server only if the password matches.
        • All pages use the same authentication mechanism.
        • Form-based and basic authentication cannot be combined for different pages.
    • 14. Slide 14 of 19 Implementing Declarative Security
      – Set up user names, passwords and roles.
      – Set the authentication mechanism to FORM.
      – Create the login page.
      – Create the error page.
      – Specify the URLs that should be password protected.
      – Specify the URLs that should be available only over SSL.
      – Turn off the invoker servlet.
    • 15. Slide 15 of 19 Programmatic Security
      – Authenticates users and grants them access.
      – The servlet or JSP page either authenticates the user itself or verifies that the user was authenticated earlier.
      – Advantages:
        • Ensures total portability.
        • Allows custom password-matching strategies.
      – Limitations:
        • Much harder to code and maintain.
        • Every resource must include the security code.
    • 16. Slide 16 of 19 Programmatic Security
      – HttpServletRequest
        • public String getAuthType()
        • public String getHeader(String name)
        • public String getRemoteUser()
        • public String getRequestedSessionId()
        • public HttpSession getSession()
        • public boolean isUserInRole(String role)
        • public boolean isRequestedSessionIdValid()
        • public Principal getUserPrincipal()
    • 17. Slide 17 of 19 Implementing Programmatic Security
      – Check whether there is an Authorization request header.
      – Get the string that contains the encoded user name / password.
      – Reverse the base-64 encoding of the user name / password string.
      – Check the user name and password.
      – If authentication fails, send the proper response to the client.
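The five steps of slide 17 carried out in Java, as an added example that is not code from the slides; it assumes the javax.servlet API of the Tomcat era the deck describes, the "Managers" realm name from slide 10, and a constructed in-memory user table holding the sample user from slide 11 (a real deployment would check a salted password hash from a realm, never plaintext).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthCheck {
    // Constructed sample credential store for this example only (user from slide 11).
    private static final Map<String, String> USERS = Map.of("rahulk", "rahulk");

    /** Returns the authenticated user name, or null if the header is absent, malformed or wrong. */
    static String authenticate(String authHeader) {
        // Step 1: is there an Authorization header carrying Basic credentials?
        if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        // Step 2 and 3: take the encoded string and reverse the base-64 encoding.
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base-64: treat as unauthenticated, do not throw
        }
        // Step 4: split "user:password" on the first colon (a password may itself contain ':').
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        String pass = decoded.substring(colon + 1);
        String expected = USERS.get(user);
        if (expected == null) return null;
        // Constant-time comparison so the response time does not depend on where the first mismatch is.
        boolean ok = MessageDigest.isEqual(pass.getBytes(StandardCharsets.UTF_8),
                                           expected.getBytes(StandardCharsets.UTF_8));
        return ok ? user : null;
    }

    /** Servlet-side use: step 5, challenge with 401 when authentication fails. */
    static boolean requireUser(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = authenticate(req.getHeader("Authorization")); // getHeader from slide 16
        if (user == null) {
            resp.setHeader("WWW-Authenticate", "Basic realm=\"Managers\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        req.setAttribute("authenticatedUser", user);
        return true;
    }
}
```

Call requireUser(request, response) at the top of doGet/doPost and return when it yields false; every protected servlet must do so, which is the maintenance cost slide 15 lists.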
    • 18. Slide 18 of 19 Summary
      – Security Concepts
      – Security Mechanism
      – Pillars of Security
        • HTTP Basic Authentication
        • HTTP Digest Authentication
        • HTTPS Client Authentication
        • Form-based Authentication
      – Authentication – web.xml
      – Users – tomcat-users.xml
    • 19. Slide 19 of 19 Summary
      – Declarative Security
        • Advantages
        • Limitations
        • Implementing Declarative Security
      – Programmatic Security
        • Advantages
        • Limitations
        • Implementing Programmatic Security