Session 4 : securing web application  - Giáo trình Bách Khoa Aptech

809 views
Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
809
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
15
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Speaker notes: getAuthType() returns the name of the authentication scheme the container used (BASIC, DIGEST, FORM or CLIENT_CERT), or null if the request was not authenticated. getRemoteUser() returns the login name if the user is authenticated, otherwise null. getRequestedSessionId() returns the session ID supplied by the client (from the cookie or the URL); the client chooses this value, so it must not be trusted until isRequestedSessionIdValid() confirms it matches a live session.
  • Transcript

    • 1. Securing Web Application
    • 2. Overview
      – Security Concepts
      – Security Mechanism
      – Pillars of Security: HTTP Basic Authentication, HTTP Digest Authentication, HTTPS Client Authentication, Form-based Authentication
      – Authentication
      – Users
      – Declarative Security
      – Programmatic Security
    • 3. Security Concepts: Need for Securing Web Applications
      – A Web application is accessed over a network such as the Internet or an intranet, so every request may come from an attacker.
      – Access to confidential information by unauthorized users: for example, a Personal Identification Number (PIN).
      – Unauthorized use of resources: for example, a person operating a customer's bank account without the customer's authorization.
      – Malicious code: programs written by attackers to compromise the security of Web applications.
    • 4. Security Mechanisms
      – Firewall
      – Digital Signatures
      – Password Authentication / Authorization
    • 5. Security Mechanism (authentication methods defined by the Servlet specification)
      – HTTP basic authentication
      – HTTP digest authentication
      – HTTPS (secured HTTP) client authentication
      – Form-based authentication
    • 6. HTTP Basic Authentication
      – Common method of authenticating users by verifying a user name and password.
      – Users are authenticated before they are allowed to access the protected resources.
      – The server enforces security through the Web browser: it answers an unauthenticated request with 401 Unauthorized and a WWW-Authenticate: Basic realm="..." header.
      – The Web browser then displays a dialog box to collect the authentication information when the user tries to access a protected resource, and resends the request with an Authorization header.
      – The credentials are sent as base64 text (encoded, not encrypted) in every request, so Basic authentication must only be used over SSL/TLS.
    • 7. HTTP Digest Authentication
      – Uses hash functions to secure Web applications: the browser never sends the password itself, it sends a hash computed over the user name, realm, password, a server-supplied nonce, the request method and the URI.
      – A hash function converts data of any length into a small, fixed-size value from which the input cannot be recovered. Illustrative values from the slide (not real hash output):
          Input            Hash Value
          Fox              DFC3478
          Fox is running   583DNT89
      – The server stores or recomputes the same hash and compares; a fresh nonce per challenge stops a captured response from being replayed.
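To make the hashing concrete, here is an added example (not from the slides) that computes the RFC 2617 Digest response a browser puts in its Authorization header for the qop=auth case, and the check the server performs against a stored HA1. The user name, realm, nonce, cnonce and password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** RFC 2617 HTTP Digest computation (qop=auth). Added example, not from the slides. */
public class DigestAuthExample {

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is required by RFC 2617", e);
        }
    }

    /** HA1 = MD5(username:realm:password). A server may store HA1 instead of the password. */
    static String ha1(String user, String realm, String password) {
        return md5Hex(user + ":" + realm + ":" + password);
    }

    /** The value the client sends in the response= field of its Authorization header. */
    static String response(String ha1, String method, String uri, String nonce,
                           String nc, String cnonce) {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) {
        // Constructed values: nonce/realm come from the server's WWW-Authenticate challenge,
        // cnonce/nc are chosen by the client.
        String realm = "Managers", nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String user = "rahulk", password = "example-only", cnonce = "0a4f113b", nc = "00000001";
        String method = "GET", uri = "/admin/index.jsp";

        // Client side: derived from the real password, which never leaves the browser.
        String clientResp = response(ha1(user, realm, password), method, uri, nonce, nc, cnonce);

        // Server side: recompute from the stored HA1 and compare in constant time.
        String storedHa1 = ha1(user, realm, password);
        String expected = response(storedHa1, method, uri, nonce, nc, cnonce);
        boolean ok = MessageDigest.isEqual(
                clientResp.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
        System.out.println("response=" + clientResp + " valid=" + ok);

        // A response captured under one nonce is useless against a fresh challenge.
        String replayed = response(storedHa1, method, uri, "fresh-nonce", nc, cnonce);
        System.out.println("replay accepted=" + MessageDigest.isEqual(
                replayed.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Digest keeps the password off the wire, but MD5 is weak and a captured exchange still allows offline password guessing, and nothing else in the request is protected. Treat it as a small improvement over Basic, not a substitute for SSL/TLS.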
    • 8. HTTPS Client Authentication
      – Authenticates users by establishing a Secure Sockets Layer (SSL; today TLS) connection between sender and recipient.
        • Sender: SSL client
        • Recipient: SSL server
      – SSL/TLS is an extra layer between HTTP and TCP; with client authentication enabled it verifies the client's certificate during the handshake, before any HTTP request is seen.
      – Two kinds of certificates are used:
        • Server certificates: contain information about the server that allows a client to verify the server's identity before sharing sensitive information.
        • Client certificates: contain identifying information about the user and introduce the SSL client to the server.
      – In web.xml this method is selected with <auth-method>CLIENT-CERT</auth-method>.
    • 9. Form-based Authentication
      – A customized login page is created for the Web application.
      – Web site users can browse the unprotected pages, but are redirected to the login page when they try to access a secured page; after a successful login the container replays the original request.
      – The user name and password are posted as plain form fields with no encoding or encryption at all, so they are exposed unless every connection is over SSL/TLS. (Basic authentication has the same weakness, with base64 encoding that offers no protection.)
      – Does not present a security realm name to the user.
        • A realm is the region in which a security permission applies.
        • A security realm specifies the scope of security data (the user, password and role store the container consults).
    • 10. Authentication
      – Authentication is specified in web.xml. Form-based:
          <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
              <form-login-page>/Login.jsp</form-login-page>
              <form-error-page>/Error.jsp</form-error-page>
            </form-login-config>
          </login-config>
      – HTTP Basic, naming the realm shown in the browser dialog:
          <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>Managers</realm-name>
          </login-config>
    • 11. Users
      – With Tomcat's default realm, users and roles are configured in conf/tomcat-users.xml:
          <tomcat-users>
            <role rolename="tomcat"/>
            <role rolename="manager"/>
            <role rolename="admin"/>
            <user username="rahulk" password="rahulk" roles="manager,admin"/>
            <user username="tomcat" password="tomcat" roles="tomcat"/>
          </tomcat-users>
      – This sample stores passwords in clear text and sets each password equal to the user name; that is acceptable only for a classroom exercise. For anything deployed, use unique passwords and configure the realm to store digested (hashed) passwords rather than clear text.
    • 12. Declarative Security
      – Secures resources through server configuration (web.xml and the realm) rather than code.
      – Works as a separate layer from the Web components it protects.
      – Advantages:
        • Lets the programmer ignore the authentication details of the programming environment.
        • Updating the mechanism does not require changing the whole security model.
        • Easy to maintain.
    • 13. Declarative Security
      – Limitations:
        • Access is all or nothing: a URL pattern is either granted to a role or denied.
        • Access is decided by the server only on whether the password matches; the application cannot apply its own rules.
        • All pages of an application use the same authentication mechanism.
        • It cannot use form-based authentication for some pages and basic authentication for others.
    • 14. Implementing Declarative Security
      – Set up user names, passwords and roles.
      – Set the authentication mechanism to FORM.
      – Create the login page.
      – Create the error page.
      – Specify the URLs that should be password protected.
      – Specify the URLs that should be available only over SSL.
      – Turn off the invoker servlet, which otherwise lets a client call any servlet class by name under /servlet/* and bypass URL-pattern constraints.
    • 15. Programmatic Security
      – The application itself authenticates users and grants them access.
      – Each servlet or JSP page either authenticates the user or verifies that the user was authenticated earlier.
      – Advantages:
        • Ensures total portability across containers.
        • Allows custom password-matching strategies.
      – Limitations:
        • Much harder to code and maintain.
        • Every protected resource must contain or invoke the checking code.
    • 16. Programmatic Security: HttpServletRequest methods
      – public String getAuthType()
      – public String getHeader(String name)
      – public String getRemoteUser()
      – public String getRequestedSessionId()
      – public HttpSession getSession()
      – public boolean isUserInRole(String role)
      – public boolean isRequestedSessionIdValid()
      – public Principal getUserPrincipal()
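How those methods combine into an authorization check inside a servlet, as an added example that is not from the slides. It assumes the container has already authenticated the user with a login-config (otherwise getUserPrincipal() is null and isUserInRole() is always false); the servlet name, the "manager" role and the "all" parameter are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example, not from the slides: role checks on a container-authenticated request. */
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity comes from the container's realm, not from anything the client sent.
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            // getRemoteUser() and getAuthType() would also be null here.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // A client-supplied session id that is not valid must not be treated as a session.
        if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "stale session id");
            return;
        }

        // Authorization decision: only managers may list every account ("all" is an
        // assumed parameter name). isUserInRole consults the realm's role mapping.
        boolean manager = req.isUserInRole("manager");
        boolean wantsAll = req.getParameter("all") != null;
        if (wantsAll && !manager) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().printf("scheme=%s user=%s manager=%b scope=%s%n",
                req.getAuthType(), req.getRemoteUser(), manager, wantsAll ? "all" : "own");
    }
}
```

Note the difference between 401 (not authenticated; the container would normally have intercepted the request before it reached this code) and 403 (authenticated but not permitted), and that the decision is made on the server-side Principal, never on a user name taken from a request parameter or header.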
    • 17. Implementing Programmatic Security (HTTP Basic by hand)
      – Check whether the request carries an Authorization request header.
      – Take the string after "Basic ", which contains the encoded user name and password.
      – Reverse the base64 encoding to obtain "username:password".
      – Check the user name and password against the credential store.
      – If authentication fails, send 401 Unauthorized with a WWW-Authenticate: Basic header so the browser prompts the user.
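The five steps of slide 17 as one servlet Filter, added here as an example and not taken from the slides. The credential map is a constructed stand-in for a real store (which would hold salted hashes, not passwords); the filter name, the realm name "Managers" and the javax.servlet (Servlet 3.x/4.x) API are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example, not from the slides: programmatic HTTP Basic authentication. */
public class BasicAuthFilter implements Filter {

    // Constructed sample store for illustration only; a real one holds salted hashes.
    private static final Map<String, String> USERS = Map.of("rahulk", "example-password");
    private static final String CHALLENGE = "Basic realm=\"Managers\", charset=\"UTF-8\"";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Step 1: is there an Authorization header using the Basic scheme?
        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            // Steps 2-3: take the encoded part and reverse the base64 encoding.
            String decoded = "";
            try {
                byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
                decoded = new String(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                // Not valid base64: fall through to the 401 below.
            }
            // Split on the FIRST colon only; RFC 7617 allows ':' inside the password.
            int colon = decoded.indexOf(':');
            if (colon > 0) {
                String user = decoded.substring(0, colon);
                String pass = decoded.substring(colon + 1);
                // Step 4: check the credentials.
                if (credentialsValid(user, pass)) {
                    chain.doFilter(req, res);
                    return;
                }
            }
        }
        // Step 5: failure (or no header) -> challenge the client; the browser shows its dialog.
        response.setHeader("WWW-Authenticate", CHALLENGE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Constant-time comparison so response time does not leak how many bytes matched. */
    static boolean credentialsValid(String user, String pass) {
        String expected = USERS.getOrDefault(user, "");
        boolean match = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
        return match && USERS.containsKey(user);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Map it to the protected URL pattern in web.xml (or with @WebFilter). Because the credentials arrive base64-encoded in every request, this filter belongs behind a CONFIDENTIAL transport guarantee or an HTTPS-only connector exactly as the declarative version does.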
    • 18. Summary
      – Security Concepts
      – Security Mechanism
      – Pillars of Security: HTTP Basic Authentication, HTTP Digest Authentication, HTTPS Client Authentication, Form-based Authentication
      – Authentication: web.xml
      – Users: tomcat-users.xml
    • 19. Summary
      – Declarative Security: advantages, limitations, implementing declarative security
      – Programmatic Security: advantages, limitations, implementing programmatic security