
Java Security And Authentication

A short slide show covering basic security with Java.

Published in: Technology, News & Politics

  1. Java Security: Java Authentication & Session Management
  2. Provided Java Security
       • Java itself
       • A number of providers that implement a core set of security features
       • Cryptography packages
       • Secure peer-to-peer communication protocols
       • Allows custom and third-party providers
  3. Java Authentication
       • The process of determining the identity of a user
       • Used to restrict access to resources
       • The APIs enable "pluggable" modules for login
       • Enables independence from the underlying plug-in modules
  4. Java Authentication
       • Provided login modules
       • Located in the javax.security.auth.spi.LoginModule interface
       • Krb5LoginModule, used for Kerberos protocols
       • JndiLoginModule, for username/password authentication using an LDAP or NIS database
       • KeyStoreLoginModule, for any type of KeyStore, including PKCS#11
  5. Java Authentication
       • Enforces two separate approaches
       • Declarative
       • Programmatic
  6. Java Authentication
       • Declarative
       • Restricts access to URLs
       • Restricts access to Servlets
       • Restricts access to EJBs
       • Automatic redirect to the login page when authentication is requested
  7. Java Authentication
       • Programmatic
       • Provides querying and calling mechanisms
       • The developer is responsible for enforcing security constraints
  8. Java Authentication
       • JAAS
       • Java Authentication and Authorization Service
       • Uses PAM
       • Pluggable Authentication Module
  9. Java Authentication
       • initialize()

             // LoginContext and LoginException come from javax.security.auth.login
             public static void main(String args[]) throws LoginException {
                 LoginContext lc = new LoginContext("Login",
                         new MyCallbackHandler(args[0], args[1]));
             }

       • login()

             // Ask the CallbackHandler for the user name and the password
             Callback[] calls = new Callback[2];
             calls[0] = new NameCallback("name");
             calls[1] = new PasswordCallback("Password", false);
             callbackHandler.handle(calls);

  10. Java Authentication
       • commit()

             // Attach the principals only if login() verified the credentials
             if (verification) {
                 subject.getPrincipals().add(userName);
                 // …
                 subject.getPrincipals().add(role);
                 return true;
             } else
                 return false;

       • logout()

             subject.getPrincipals().clear();
             verification = false;
             return true;

  11. Java Session Management
       • Provides state management across user requests
       • Sessions are used to store user information
       • Sessions are used for application security
       • Sessions are used to time out a session
  12. Java Session Management
       • Done with four techniques
       • Cookies
       • URLRewriting
       • Hidden Forms
       • Session Objects
  13. Java Session Management: Cookies
       • A cookie is a piece of information
       • Sent with every request or response
       • Sends name/value pairs
       • Formatted:

             Cookie ci = new Cookie("myCookie", "secret");

  14. Java Session Management: URLRewriting
       • Place a token or identifier at the end of the URL
       • Send name/value pairs
       • Format:

             url?name1=value1&name2=value2&…

       • Uses the methods encodeURL() and encodeRedirectURL()
  15. Java Session Management: Hidden Fields
       • Very much like URLRewriting
       • The value cannot be seen in the URL
       • The value can be seen in the HTML source
       • Hidden fields require the use of a form
  16. Java Session Management: Session Objects
       • Provided by the javax.servlet.http.HttpSession interface
       • Used to store objects
       • Links information to a user
       • Get user information with getSession()
