Security
Agenda
• Understanding major security concerns
• Declarative vs. programmatic security
• Using form-based authentication
• Using BASIC authentication
Understanding major security concerns
• Two major components of Web application security
- Authentication
- Authorization
Understanding major security concerns
• Preventing unauthorized users from accessing sensitive data
- Access restriction
• Identifying which resources need protection
• Identifying who should have access to them
- Authentication
• Identifying users to determine whether they are one of the
authorized ones
• Preventing attackers from stealing network data while it is in transit
- Encryption (usually with SSL)
Declarative Security
• Servlets or JSPs need not have any security-aware code
• Security aspects must be handled by the server
- Prevent unauthorized access
• Declare certain URLs as protected in web.xml
• Designate the authentication method that the server uses
- Safeguard network data
• Certain URLs should only be accessed with SSL
• If users use regular HTTP, the server should automatically
redirect them to the HTTPS (SSL) equivalent
Programmatic Security
• Protected Servlets and JSP pages at least partially manage their own
security
- Less dependency on server-specific settings
• To prevent unauthorized access
- Each Servlet or JSP page must either authenticate
the user or verify that the user has been
authenticated previously
• To safeguard network data
- Each servlet and JSP page has to check the
network protocol used to access it
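The three checks the slide describes, written out as an added example (this is not code from the deck). It assumes the javax.servlet 3.x API (e.g. Tomcat 8/9), a login-config in web.xml so that request.authenticate() has a BASIC or FORM mechanism to run, the "manager" role from the deck's tomcat-users.xml, and an HTTPS connector on port 8443.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: a servlet that handles its own security programmatically,
 * i.e. it performs the protocol, authentication and authorization checks
 * itself instead of relying on a security-constraint in web.xml.
 * Assumptions: javax.servlet 3.x, a login-config (BASIC or FORM) in web.xml,
 * the "manager" role, and an HTTPS connector listening on 8443.
 */
@WebServlet("/reports/payroll")
public class PayrollReportServlet extends HttpServlet {

    /** Assumption: Tomcat's default HTTPS connector port. */
    private static final int HTTPS_PORT = 8443;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Safeguard network data: never serve this page over plain HTTP.
        //    isSecure() is true only for HTTPS requests (or when a trusted
        //    TLS-terminating proxy is declared via Tomcat's RemoteIpValve;
        //    without that, a proxied deployment would redirect forever).
        if (!req.isSecure()) {
            resp.sendRedirect(httpsEquivalent(req));
            return;
        }

        // 2. Authentication: has the container already identified the user?
        //    If not, authenticate() runs the configured auth-method (BASIC
        //    challenge or FORM redirect) and returns false, so we stop here.
        if (req.getUserPrincipal() == null && !req.authenticate(resp)) {
            return;
        }

        // 3. Authorization: only the "manager" role may read payroll data.
        if (!req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Payroll report for " + req.getRemoteUser());
    }

    /** Rebuild the current URL with the https scheme and the TLS port. */
    static String httpsEquivalent(HttpServletRequest req) {
        StringBuilder url = new StringBuilder("https://")
                .append(req.getServerName())
                .append(':').append(HTTPS_PORT)
                .append(req.getRequestURI());
        if (req.getQueryString() != null) {
            url.append('?').append(req.getQueryString());
        }
        return url.toString();
    }
}
```

Every protected servlet and JSP has to repeat these checks, which is the dependency the next slides remove by moving them into web.xml.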
Web-tier Authentication Schemes
• HTTP basic authentication based
- with or without SSL
• Form-based authentication based
- with or without SSL
• Client-certificate authentication based
- Has to use SSL
• Digest authentication based
- Does not need to use SSL
HTTP Basic Authentication
• Web server collects user identification (user name and password)
through a browser-provided dialog box
• Not secure since user name and password are in "easily decodable"
form over the wire
- Encoding scheme is Base64
- Someone can easily decode it
- Not encrypted
Steps for Basic Authentication
1. Set up usernames, passwords, and roles (realms)
2. Tell the web container that you are using Basic authentication
3. Specify which URLs (web resources) should be access-controlled
(password-protected)
Step I: Setting up realms
• <install-dir>/conf/tomcat-users.xml
• Unencrypted: not secure but easy to set up and maintain
<?xml version='1.0'?>
<tomcat-users>
<role rolename="manager"/>
<role rolename="employee"/>
<role rolename="admin"/>
<user username="sang" password="sangPassword"
roles="manager,employee"/>
</tomcat-users>
Step II: Tell your application
• In the web.xml file of your web application
<web-app>
...
<security-constraint>...</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>realm name</realm-name>
</login-config>
...
</web-app>
Form-based Authentication
• Web application collects user identification (user name, password,
and other information) through a custom login page
• Not secure since user name and password are in "easily decodable"
form over the wire
- Encoding scheme is Base64
- Someone can easily decode it
- Not encrypted
Authentication Flow
Steps to configure Form-based Authentication
1. Set up usernames, passwords, and roles (realms)
2. Tell the web container that you are using Form-based
authentication
3. Create a custom "Login page"
4. Create a custom "Login failure error page"
5. Specify which URLs (web resources) should be access-controlled
(password-protected)
Step I: Setting up realms
• <install-dir>/conf/tomcat-users.xml
• Unencrypted: not secure but easy to set up and maintain
<?xml version='1.0'?>
<tomcat-users>
<role rolename="manager"/>
<role rolename="employee"/>
<role rolename="admin"/>
<user username="sang" password="sangPassword"
roles="manager,employee"/>
</tomcat-users>
Step II: Tell your application
• In the web.xml file of your web application; FORM authentication also
needs a form-login-config naming the pages created in Steps III and IV
(the page names below are examples)
<web-app>
...
<security-constraint>...</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>realm name</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>
...
</web-app>
Step III: Create a custom Login page
• Can be an HTML or JSP page
• Contains an HTML form like the following; the action j_security_check
and the field names j_username and j_password are fixed by the servlet
specification and must be used exactly
<FORM ACTION="j_security_check"
METHOD="POST">
…
<INPUT TYPE="TEXT" NAME="j_username">
…
<INPUT TYPE="PASSWORD" NAME="j_password">
…
</FORM>
Step IV: Create Login Failure page
• Can be an HTML or JSP page
• No specific content is mandated
Summary
• Main security issues
- Preventing access by unauthorized users
- Preventing attackers from stealing network data
• Declarative security
- Much less work than programmatic security
- Requires server-specific password setup
• Form-based authentication
- Attempts to access restricted resources get redirected to the login page. An HTML
form gathers username and password. Session tracking tracks authenticated
users.
• BASIC authentication
- Attempts to access restricted resources result in a dialog box. The dialog gathers
username and password. HTTP headers track authenticated users.
Understanding Listeners
• JSP is a template page technology
- High-level abstraction of Servlets
• Separation of presentation from logic
• Even non-Java programmers can create JSP pages with reasonable ease
Available Listeners
• Servlet context listeners.
- These listeners are notified when the servlet context (i.e., the
Web application) is initialized and destroyed.
• Servlet context attribute listeners.
- These listeners are notified when attributes are added
to, removed from, or replaced in the servlet context.
• Session listeners.
- These listeners are notified when session objects are
created, invalidated, or timed out.
• Session attribute listeners.
- These listeners are notified when attributes are added to,
removed from, or replaced in any session.
Creating a Listener
• Implement the appropriate interface.
- Use ServletContextListener, ServletContextAttributeListener,
HttpSessionListener, or HttpSessionAttributeListener.
• Override the methods needed to respond to the events of interest.
- Provide empty bodies for the other methods in the interface.
• Access the important Web application objects.
- Six objects that you are likely to use in event-handling methods:
• The servlet context
• The name of the servlet context attribute that changed
• The value of the servlet context attribute that changed
• The session object
• The name of the session attribute that changed
• The value of the session attribute that changed
Creating a Listener
• Use these objects.
- This process is application specific, but there are some common themes.
For example, with the servlet context, you are most likely to read
initialization parameters (getInitParameter), store data for later access
(setAttribute), and read previously stored data (getAttribute).
• Declare the listener.
- You do this with the listener and listener-class elements of the general
Web application deployment descriptor (web.xml) or of a tag library
descriptor file.
• Provide any needed initialization parameters.
- Servlet context listeners commonly read context initialization
parameters to use as the basis of data that is made available to all servlets
and JSP pages. You use the context-param web.xml element to provide the
Monitoring Creation and Destruction
• The ServletContextListener interface responds to the initialization
and destruction of the servlet context.
- These events correspond to the creation and
shutdown of the Web application itself.
• ServletContextListener is most commonly used to
- Set up application-wide resources like database
connection pools
- Read the initial values of application-wide data that
will be used by multiple servlets and JSP pages.
Implementing ServletContextListener
• Implement the ServletContextListener interface.
• Override contextInitialized and contextDestroyed.
- contextInitialized is triggered when the Web application is first loaded and the
servlet context is created. Most common tasks:
• Creating application-wide data (e.g., by reading context init params)
• Storing that data in an easily accessible location.
- contextDestroyed is triggered when the Web application is being shut down
and the servlet context is about to be destroyed. Most common task:
• Releasing resources (e.g., closing connections).
• Obtain a reference to the servlet context.
- The contextInitialized and contextDestroyed methods each take a
ServletContextEvent as an argument.
- The ServletContextEvent class has a getServletContext method that returns the servlet context.
Implementing ServletContextListener
• Use the servlet context.
- Read initialization parameters: getInitParameter
- Store data: setAttribute
- Make log file entries: log
• Declare the listener.
<listener>
<listener-class>package.Listener</listener-class>
</listener>
• Provide needed initialization parameters.
<context-param>
<param-name>name</param-name>
<param-value>value</param-value>
</context-param>
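The ServletContextListener procedure above carried through in one class, as an added example (not code from the deck). It reads a context-param named sessionTimeoutSeconds (an assumed name), refuses to start the application if the value is missing or out of range, publishes the result as a context attribute for every servlet and JSP, and shuts down the resource it created when the context is destroyed. javax.servlet API assumed; a scheduled executor stands in for the connection pool the slide mentions.

```java
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/**
 * Added example: start-up configuration and shutdown clean-up for a web app.
 * Declared in web.xml with
 *   <listener><listener-class>AppConfigListener</listener-class></listener>
 * and fed by
 *   <context-param><param-name>sessionTimeoutSeconds</param-name>
 *                  <param-value>900</param-value></context-param>
 * (the parameter name and the class name are assumptions).
 */
public class AppConfigListener implements ServletContextListener {

    /** Attribute other code reads with ctx.getAttribute(SESSION_TIMEOUT_ATTR). */
    public static final String SESSION_TIMEOUT_ATTR = "app.sessionTimeoutSeconds";

    /** Application-wide resource created at start-up, released at shutdown. */
    private ScheduledExecutorService housekeeping;

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();

        // Read and validate the context-param; a bad value aborts deployment,
        // which is safer than silently running with no session timeout.
        int timeout = parseTimeout(ctx.getInitParameter("sessionTimeoutSeconds"));
        ctx.setAttribute(SESSION_TIMEOUT_ATTR, timeout);
        ctx.log("session timeout configured: " + timeout + " s");

        // Stand-in for a connection pool: a background housekeeping thread.
        housekeeping = Executors.newSingleThreadScheduledExecutor();
        housekeeping.scheduleAtFixedRate(
                () -> ctx.log("housekeeping tick"), 1, 1, TimeUnit.MINUTES);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Release what contextInitialized created. A thread left running
        // pins the web app's class loader in memory after undeploy.
        if (housekeeping != null) {
            housekeeping.shutdownNow();
        }
        event.getServletContext().removeAttribute(SESSION_TIMEOUT_ATTR);
    }

    /**
     * Parse the timeout, rejecting a missing, non-numeric, non-positive
     * or unreasonably long value (more than 24 hours).
     */
    static int parseTimeout(String raw) {
        if (raw == null) {
            throw new IllegalStateException(
                    "context-param sessionTimeoutSeconds is required");
        }
        int seconds;
        try {
            seconds = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalStateException(
                    "sessionTimeoutSeconds is not a number: " + raw, e);
        }
        if (seconds < 1 || seconds > 24 * 60 * 60) {
            throw new IllegalStateException(
                    "sessionTimeoutSeconds out of range (1..86400): " + seconds);
        }
        return seconds;
    }
}
```

On Servlet 3.0 and later the same class can be registered with the @WebListener annotation instead of the listener element; the web.xml form is the one the slides use.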
Implementing ServletContextAttributeListener
• Implement ServletContextAttributeListener
• Override attributeAdded, attributeReplaced, and attributeRemoved.
- attributeAdded is triggered when a new attribute name is first added to the
servlet context.
- attributeReplaced is triggered when a new value is assigned to an existing
name. attributeAdded is not triggered in this case. The old value is
obtained via event.getValue and the new value is obtained via
context.getAttribute.
- attributeRemoved is triggered when a servlet context attribute
is removed altogether.
• Obtain references to the attribute name, attribute value, and servlet
context.
- Call the following methods of the event object: getName, getValue, and
getServletContext
Implementing ServletContextAttributeListener
• Use the objects.
- You normally compare the attribute name to a stored name to see if it is the one you are
monitoring. The attribute value is used in an application-specific manner. The
servlet context is usually used to read previously stored attributes (getAttribute),
store new or changed attributes (setAttribute), and make entries in the log file (log).
• Declare the listener.
- Use the listener and listener-class elements to list the fully qualified name of the
listener class:
<listener>
<listener-class>
somePackage.SomeListener
</listener-class>
</listener>
Recognizing Session Creation and Destruction
• Implement the HttpSessionListener interface.
• Override sessionCreated and sessionDestroyed.
- sessionCreated is triggered when a new session is created.
- sessionDestroyed is triggered when a session is destroyed. This destruction
could be due to an explicit call to the invalidate method or because the elapsed
time since the last client access exceeds the session timeout.
- Multithreaded access is possible. Synchronize if necessary.
• Obtain a reference to the session and possibly to the servlet context.
- Each of the two HttpSessionListener methods takes an HttpSessionEvent as
an argument. The HttpSessionEvent class has a getSession method that
provides access to the session object. You almost always want this reference;
you occasionally also want a reference to the servlet context. If so, first obtain
the session object and then call getServletContext on it.
Recognizing Session Creation and Destruction
• Use the objects.
- One of the only methods you usually call on the session is setAttribute. Do this in
sessionCreated if you want to guarantee that all sessions have a certain attribute.
- Wait! What about getAttribute? Nope. In sessionCreated, there is nothing in the session
yet, so getAttribute is pointless. In addition, all attributes are removed before
sessionDestroyed is called, so calling getAttribute is also pointless there. If you want to
clean up attributes that are left in sessions that time out, you use the attributeRemoved
method of HttpSessionAttributeListener. So, sessionDestroyed is mostly reserved for
listeners that are simply keeping track of the number of sessions in use.
• Declare the listener.
- In web.xml or the TLD file, use listener and listener-class to list the fully qualified name of
the listener class, as below:
<listener>
<listener-class>package.SomeListener</listener-class>
</listener>
Using HttpSessionAttributeListener
• Implement HttpSessionAttributeListener.
• Override attributeAdded, attributeReplaced, and attributeRemoved.
- attributeAdded is triggered when a new attribute name is first added to a
session.
- attributeReplaced is triggered when a new value is assigned to an
existing name. attributeAdded is not triggered in this case. The old value
is obtained via event.getValue and the new value is obtained via
session.getAttribute.
- attributeRemoved is triggered when a session attribute is removed
altogether. This removal can be due to an explicit programmer call to
removeAttribute, but is more commonly due to the system removing all
attributes of sessions that are about to be deleted because their timeout
expired.
Using HttpSessionAttributeListener
• Obtain references to the attribute name, attribute value, session, and ServletContext.
- The HttpSessionAttributeListener methods take an HttpSessionBindingEvent as
an argument. HttpSessionBindingEvent has three useful methods: getName (name of the
attribute that was changed), getValue (value of the changed attribute: the new value for
attributeAdded and the previous value for attributeReplaced and attributeRemoved),
and getSession (the HttpSession object). If you want access to the servlet context,
first obtain the session and then call getServletContext on it.
• Use the objects.
- The attribute name is usually compared to a stored name to see if it is the one you
are monitoring. The attribute value is used in an application-specific manner. The
session is usually used to read previously stored attributes (getAttribute) or to store
new or changed attributes (setAttribute).
• Declare the listener.
- Use listener and listener-class in web.xml as before.
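The two session listeners from the preceding slides (HttpSessionListener and HttpSessionAttributeListener) in one class, as an added example that is not code from the deck. It keeps the count of live sessions that the slide says sessionDestroyed is mostly used for, applies an inactivity limit to every new session, and audits changes to a session attribute named "user" (an assumed name), honouring the getValue semantics described above. javax.servlet API assumed.

```java
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example: session lifecycle and attribute auditing. Declare it in
 * web.xml with listener/listener-class as on the slides (class name assumed).
 */
public class SessionAuditListener
        implements HttpSessionListener, HttpSessionAttributeListener {

    /** Attribute whose changes are audited (assumed name). */
    static final String USER_ATTR = "user";
    /** Inactivity limit applied to every session, in seconds. */
    static final int MAX_INACTIVE_SECONDS = 15 * 60;

    // The container calls these methods from several threads at once,
    // so the counter must be thread-safe (the slide's "synchronize if necessary").
    private static final AtomicInteger ACTIVE = new AtomicInteger();

    public static int activeSessions() {
        return ACTIVE.get();
    }

    // ---- HttpSessionListener ----------------------------------------------

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // The session is empty here, so getAttribute would be pointless;
        // setAttribute guarantees every session carries the attribute.
        session.setAttribute("createdAt", System.currentTimeMillis());
        // Cap idle lifetime so an abandoned authenticated session expires.
        session.setMaxInactiveInterval(MAX_INACTIVE_SECONDS);
        int n = ACTIVE.incrementAndGet();
        session.getServletContext().log("session created, active=" + n);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Attributes are gone by now (explicit invalidate() or timeout);
        // per-attribute clean-up belongs in attributeRemoved below.
        int n = ACTIVE.decrementAndGet();
        event.getSession().getServletContext().log("session destroyed, active=" + n);
    }

    // ---- HttpSessionAttributeListener -------------------------------------

    @Override
    public void attributeAdded(HttpSessionBindingEvent event) {
        if (USER_ATTR.equals(event.getName())) {
            // For attributeAdded, getValue() is the NEW value.
            log(event, "login as " + event.getValue());
        }
    }

    @Override
    public void attributeReplaced(HttpSessionBindingEvent event) {
        if (USER_ATTR.equals(event.getName())) {
            // For attributeReplaced, getValue() is the OLD value; the new
            // value has to be read back from the session itself.
            Object now = event.getSession().getAttribute(USER_ATTR);
            log(event, "user changed from " + event.getValue() + " to " + now);
        }
    }

    @Override
    public void attributeRemoved(HttpSessionBindingEvent event) {
        if (USER_ATTR.equals(event.getName())) {
            // Fires on removeAttribute() and when a timed-out session is
            // torn down, so it sees every logout, explicit or not.
            log(event, "logout of " + event.getValue());
        }
    }

    /** Log without the session id: full ids do not belong in log files. */
    private static void log(HttpSessionBindingEvent event, String msg) {
        event.getSession().getServletContext().log("session audit: " + msg);
    }
}
```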
Summary of Listeners
- Servlet context listeners.
• Notified when the servlet context is initialized and destroyed.
- Servlet context attribute listeners.
• Notified when context attributes are added/removed/replaced.
- Session listeners.
• Notified when sessions are created, invalidated, or timed out.
- Session attribute listeners.
• Notified when session attributes are added/removed/replaced.

AI as an Interface for Commercial BuildingsMemoori
Ā 
Nellā€™iperspazio con Rocket: il Framework Web di Rust!
Nellā€™iperspazio con Rocket: il Framework Web di Rust!Nellā€™iperspazio con Rocket: il Framework Web di Rust!
Nellā€™iperspazio con Rocket: il Framework Web di Rust!Commit University
Ā 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
Ā 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
Ā 

Recently uploaded (20)

Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
Ā 
Hot Sexy call girls in Panjabi Bagh šŸ” 9953056974 šŸ” Delhi escort Service
Hot Sexy call girls in Panjabi Bagh šŸ” 9953056974 šŸ” Delhi escort ServiceHot Sexy call girls in Panjabi Bagh šŸ” 9953056974 šŸ” Delhi escort Service
Hot Sexy call girls in Panjabi Bagh šŸ” 9953056974 šŸ” Delhi escort Service
Ā 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Ā 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
Ā 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
Ā 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Ā 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Ā 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Ā 
Bun (KitWorks Team Study ė…øė³„ė§ˆė£Ø ė°œķ‘œ 2024.4.22)
Bun (KitWorks Team Study ė…øė³„ė§ˆė£Ø ė°œķ‘œ 2024.4.22)Bun (KitWorks Team Study ė…øė³„ė§ˆė£Ø ė°œķ‘œ 2024.4.22)
Bun (KitWorks Team Study ė…øė³„ė§ˆė£Ø ė°œķ‘œ 2024.4.22)
Ā 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
Ā 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
Ā 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Ā 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
Ā 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
Ā 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Ā 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
Ā 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
Ā 
Nellā€™iperspazio con Rocket: il Framework Web di Rust!
Nellā€™iperspazio con Rocket: il Framework Web di Rust!Nellā€™iperspazio con Rocket: il Framework Web di Rust!
Nellā€™iperspazio con Rocket: il Framework Web di Rust!
Ā 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
Ā 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
Ā 

Understanding Web Application Security and Listeners

8. HTTP Basic Authentication
• Web server collects user identification (user name and password) through a browser-provided dialog box
• Not secure, since the user name and password are in "easily decodable" form over the wire
- Encoding scheme is Base64
- Someone can easily decode it
- Not encrypted

9. Steps for Basic Authentication
1. Set up usernames, passwords, and roles (realms)
2. Tell the web container that you are using Basic authentication
3. Specify which URLs (web resources) should be access-controlled (password-protected)

10. Steps for Setting up realms
• <install-dir>/conf/tomcat-users.xml
• Unencrypted: not secure but easy to set up and maintain
  <?xml version='1.0'?>
  <tomcat-users>
    <role rolename="manager"/>
    <role rolename="employee"/>
    <role rolename="admin"/>
    <user username="sang" password="sangPassword" roles="manager,employee"/>
  </tomcat-users>

11. Step II: Tell your application
• In the web.xml file of your web application
  <web-app>
    ...
    <security-constraint>...</security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>realm name</realm-name>
    </login-config>
    ...
  </web-app>
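The programmatic alternative to the declarative setup above, as an added example that is not part of the deck: a servlet Filter that does by itself what the container does for `<auth-method>BASIC</auth-method>`, namely redirecting plain HTTP to HTTPS (the slides' "safeguard network data" step), decoding the Base64 `Authorization` header, checking the user against an in-memory realm shaped like the tomcat-users.xml on slide 10, and enforcing a role. The realm contents, the required role "manager" and the realm name are assumptions; the code assumes the javax.servlet 4.0 API (where `Filter.init`/`destroy` have default bodies) and HTTPS on port 443.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Programmatic counterpart of the declarative BASIC setup: instead of relying on
// <security-constraint> and <login-config>, the filter itself insists on SSL,
// decodes the Basic credentials, checks them against the realm and checks the role.
public class BasicAuthFilter implements Filter {
    // Hypothetical in-memory realm mirroring the tomcat-users.xml on the slides; like
    // that file it holds clear-text passwords (the slides call this "not secure").
    private static final Map<String, String> PASSWORDS = Map.of("sang", "sangPassword");
    private static final Map<String, Set<String>> ROLES =
            Map.of("sang", Set.of("manager", "employee"));
    private static final String REQUIRED_ROLE = "manager";   // assumed protected role
    private static final String REALM = "Example Realm";     // assumed realm name

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Safeguard network data: Basic credentials are only Base64-encoded, so do
        // not even look at them unless the request arrived over HTTPS (assumes port 443).
        if (!request.isSecure()) {
            response.sendRedirect("https://" + request.getServerName() + request.getRequestURI());
            return;
        }
        String user = authenticate(request.getHeader("Authorization"));
        if (user == null) {
            // Challenge the browser; this is what makes it show the dialog box of slide 8.
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!ROLES.getOrDefault(user, Set.of()).contains(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);   // authenticated, not authorized
            return;
        }
        chain.doFilter(request, response);
    }

    /** Returns the authenticated user name, or null if the header is absent or wrong. */
    static String authenticate(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');   // "user:password"; the password may itself contain ':'
        if (colon < 0) {
            return null;
        }
        String user = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String stored = PASSWORDS.get(user);
        // Constant-time comparison so response timing does not reveal how much of it matched.
        if (stored == null || !MessageDigest.isEqual(given, stored.getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        return user;
    }
}
```

Map the filter to the protected URLs with a filter-mapping in web.xml, in the same place the declarative version would put its security-constraint.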
12. Form based Authentication
• Web application collects user identification (user name, password, and other information) through a custom login page
• Not secure, since the user name and password are in "easily decodable" form over the wire
- Encoding scheme is Base64
- Someone can easily decode it
- Not encrypted

14. Steps to configure Form Based Authentication
1. Set up usernames, passwords, and roles (realms)
2. Tell the web container that you are using Form-based authentication
3. Create a custom "Login page"
4. Create a custom "Login failure error page"
5. Specify which URLs (web resources) should be access-controlled (password-protected)

15. Step I: Setting up realms
• <install-dir>/conf/tomcat-users.xml
• Unencrypted: not secure but easy to set up and maintain
  <?xml version='1.0'?>
  <tomcat-users>
    <role rolename="manager"/>
    <role rolename="employee"/>
    <role rolename="admin"/>
    <user username="sang" password="sangPassword" roles="manager,employee"/>
  </tomcat-users>

16. Step II: Tell your application
• In the web.xml file of your web application
  <web-app>
    ...
    <security-constraint>...</security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>realm name</realm-name>
    </login-config>
    ...
  </web-app>

17. Step IV: Create Login Failure page
• Can be an HTML or JSP page
• No specific content is mandated

18. Step III: Create a custom Login page
• Can be an HTML or JSP page
• Contains an HTML form like the following
  <FORM ACTION="j_security_check" METHOD="POST">
    …
    <INPUT TYPE="TEXT" NAME="j_username">
    …
    <INPUT TYPE="PASSWORD" NAME="j_password">
    …
  </FORM>

19. Summary
• Main security issues
- Preventing access by unauthorized users
- Preventing attackers from stealing network data
• Declarative security
- Much less work than programmatic security
- Requires server-specific password setup
• Form-based authentication
- Attempts to access restricted resources get redirected to the login page. An HTML form gathers the username and password. Session tracking tracks authenticated users.
• BASIC authentication
- Attempts to access restricted resources result in a dialog box. The dialog gathers the username and password. HTTP headers track authenticated users.
20. Understanding Listeners
• JSP is a template page technology
- High-level abstraction of Servlets
• Separation of presentation from logic
• Even a non-Java programmer can create JSP pages with reasonable ease

21. Available Listeners
• Servlet context listeners
- These listeners are notified when the servlet context (i.e., the Web application) is initialized and destroyed.
• Servlet context attribute listeners
- These listeners are notified when attributes are added to, removed from, or replaced in the servlet context.
• Session listeners
- These listeners are notified when session objects are created, invalidated, or timed out.
• Session attribute listeners
- These listeners are notified when attributes are added to, removed from, or replaced in any session.

22. Creating a Listener
• Implement the appropriate interface.
- Use ServletContextListener, ServletContextAttributeListener, HttpSessionListener, or HttpSessionAttributeListener.
• Override the methods needed to respond to the events of interest.
- Provide empty bodies for the other methods in the interface.
• Access the important Web application objects.
- Six objects that you are likely to use in event-handling methods:
• The servlet context
• The name of the servlet context attribute that changed
• The value of the servlet context attribute that changed
• The session object
• The name of the session attribute that changed

23. Creating a Listener
• Use these objects.
- This process is application specific, but there are some common themes. For example, with the servlet context, you are most likely to read initialization parameters (getInitParameter), store data for later access (setAttribute), and read previously stored data (getAttribute).
• Declare the listener.
- You do this with the listener and listener-class elements of the general Web application deployment descriptor (web.xml) or of a tag library descriptor file.
• Provide any needed initialization parameters.
- Servlet context listeners commonly read context initialization parameters to use as the basis of data that is made available to all servlets and JSP pages. You use the context-param web.xml element to provide the

24. Monitoring Creation and Destruction
• The ServletContextListener class responds to the initialization and destruction of the servlet context.
- These events correspond to the creation and shutdown of the Web application itself.
• ServletContextListener is most commonly used to
- Set up application-wide resources like database connection pools
- Read the initial values of application-wide data that will be used by multiple servlets and JSP pages

25. Implementing ServletContextListener
• Implement the ServletContextListener interface.
• Override contextInitialized and contextDestroyed.
- contextInitialized is triggered when the Web application is first loaded and the servlet context is created. Most common tasks:
• Creating application-wide data (e.g., by reading context init params)
• Storing that data in an easily accessible location
- contextDestroyed is triggered when the Web application is being shut down and the servlet context is about to be destroyed. Most common task:
• Releasing resources (e.g., closing connections)
• Obtain a reference to the servlet context.
- The contextInitialized and contextDestroyed methods each take a ServletContextEvent as an argument.
- The ServletContextEvent class has a getServletContext method that returns the servlet context.

26. Implementing ServletContextListener
• Use the servlet context.
- Read initialization parameters: getInitParameter
- Store data: setAttribute
- Make log file entries: log
• Declare the listener.
  <listener>
    <listener-class>package.Listener</listener-class>
  </listener>
• Provide needed initialization parameters.
  <context-param>
    <param-name>name</param-name>
    <param-value>value</param-value>
  </context-param>
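The steps of slides 24 to 26 carried through in one class, as an added example that is not from the deck: the listener reads two context-params in contextInitialized, validates them before storing the parsed values application-wide with setAttribute, creates a shared resource (a worker pool stands in for the connection pool the slides mention) and releases it in contextDestroyed. The listener class name, the attribute names and the param names `maxLoginAttempts` and `workerPoolSize` are assumptions; the javax.servlet API is assumed.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

// Declared in web.xml with <listener><listener-class>AppStartupListener</listener-class></listener>
// and fed by <context-param> entries named maxLoginAttempts and workerPoolSize (both assumed).
public class AppStartupListener implements ServletContextListener {

    // Hypothetical attribute names; servlets and JSP pages read them back with getAttribute.
    public static final String MAX_LOGIN_ATTEMPTS = "app.maxLoginAttempts";
    public static final String WORKER_POOL = "app.workerPool";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();

        // Application-wide data: read a context-param, validate it, store the parsed value.
        // An unparsable or non-positive value falls back to a safe default instead of failing startup.
        int maxAttempts = parsePositiveInt(context.getInitParameter("maxLoginAttempts"), 3);
        context.setAttribute(MAX_LOGIN_ATTEMPTS, maxAttempts);

        // Application-wide resource: a bounded worker pool, created once for the whole application.
        int poolSize = parsePositiveInt(context.getInitParameter("workerPoolSize"), 4);
        context.setAttribute(WORKER_POOL, Executors.newFixedThreadPool(poolSize));

        // Log file entry via the servlet context (slide 26: "Make log file entries: log").
        context.log("Application started: maxLoginAttempts=" + maxAttempts + ", poolSize=" + poolSize);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        Object pool = context.getAttribute(WORKER_POOL);
        if (pool instanceof ExecutorService) {
            // Release the resource: stop accepting work, wait briefly, then force shutdown.
            ExecutorService executor = (ExecutorService) pool;
            executor.shutdown();
            try {
                if (!executor.awaitTermination(10, TimeUnit.SECONDS)) {
                    executor.shutdownNow();
                }
            } catch (InterruptedException e) {
                executor.shutdownNow();
                Thread.currentThread().interrupt();
            }
        }
        context.removeAttribute(WORKER_POOL);
        context.log("Application stopped: worker pool released");
    }

    /** Parses a positive integer init parameter, returning defaultValue when absent or invalid. */
    static int parsePositiveInt(String raw, int defaultValue) {
        if (raw == null) {
            return defaultValue;
        }
        try {
            int value = Integer.parseInt(raw.trim());
            return value > 0 ? value : defaultValue;
        } catch (NumberFormatException e) {
            return defaultValue;
        }
    }
}
```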
27. Implementing ServletContextAttributeListener
• Implement ServletContextAttributeListener.
• Override attributeAdded, attributeReplaced, and attributeRemoved.
- attributeAdded is triggered when a new attribute name is first added to the servlet context.
- attributeReplaced is triggered when a new value is assigned to an existing name. attributeAdded is not triggered in this case. The old value is obtained via event.getValue and the new value is obtained via context.getAttribute.
- attributeRemoved is triggered when a servlet context attribute is removed altogether.
• Obtain references to the attribute name, attribute value, and servlet context.
- Call the following methods of the event object: getName, getValue, and getServletContext.

28. Implementing ServletContextAttributeListener
• Use the objects.
- You normally compare the attribute name to a stored name to see if it is the one you are monitoring. The attribute value is used in an application-specific manner. The servlet context is usually used to read previously stored attributes (getAttribute), store new or changed attributes (setAttribute), and make entries in the log file (log).
• Declare the listener.
- Use the listener and listener-class elements to list the fully qualified name of the listener class:
  <listener>
    <listener-class>somePackage.SomeListener</listener-class>
  </listener>

29. Recognizing Session Creation and Destruction
• Implement the HttpSessionListener interface.
• Override sessionCreated and sessionDestroyed.
- sessionCreated is triggered when a new session is created.
- sessionDestroyed is triggered when a session is destroyed. This destruction could be due to an explicit call to the invalidate method or because the elapsed time since the last client access exceeds the session timeout.
- Multithreaded access is possible. Synchronize if necessary.
• Obtain a reference to the session and possibly to the servlet context.
- Each of the two HttpSessionListener methods takes an HttpSessionEvent as an argument. The HttpSessionEvent class has a getSession method that provides access to the session object. You almost always want this reference; you occasionally also want a reference to the servlet context. If so, first obtain the session object and then call getServletContext on it.

30. Recognizing Session Creation and Destruction
• Use the objects.
- One of the only methods you usually call on the session is setAttribute. Do this in sessionCreated if you want to guarantee that all sessions have a certain attribute.
- Wait! What about getAttribute? Nope. In sessionCreated, there is nothing in the session yet, so getAttribute is pointless. In addition, all attributes are removed before sessionDestroyed is called, so calling getAttribute is also pointless there. If you want to clean up attributes that are left in sessions that time out, you use the attributeRemoved method of HttpSessionAttributeListener. So, sessionDestroyed is mostly reserved for listeners that are simply keeping track of the number of sessions in use.
• Declare the listener.
- In web.xml or the TLD file, use listener and listener-class to list the fully qualified name of the listener class, as below.
  <listener>
    <listener-class>package.SomeListener</listener-class>
  </listener>

31. Using HttpSessionAttributeListener
• Implement HttpSessionAttributeListener.
• Override attributeAdded, attributeReplaced, and attributeRemoved.
- attributeAdded is triggered when a new attribute name is first added to a session.
- attributeReplaced is triggered when a new value is assigned to an existing name. attributeAdded is not triggered in this case. The old value is obtained via event.getValue and the new value is obtained via session.getAttribute.
- attributeRemoved is triggered when a session attribute is removed altogether. This removal can be due to an explicit programmer call to removeAttribute, but is more commonly due to the system removing all attributes of sessions that are about to be deleted because their timeout expired.

32. Using HttpSessionAttributeListener
• Obtain references to the attribute name, attribute value, session, and ServletContext.
- The HttpSessionAttributeListener methods take an HttpSessionBindingEvent as argument. HttpSessionBindingEvent has three useful methods: getName (name of the attribute that was changed), getValue (value of the changed attribute: the new value for attributeAdded and the previous value for attributeReplaced and attributeRemoved), and getSession (the HttpSession object). If you want access to the servlet context, first obtain the session and then call getServletContext on it.
• Use the objects.
- The attribute name is usually compared to a stored name to see if it is the one you are monitoring. The attribute value is used in an application-specific manner. The session is usually used to read previously stored attributes (getAttribute) or to store new or changed attributes (setAttribute).
• Declare the listener.
- Use listener and listener-class in web.xml as before.
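Slides 29 to 32 together, as an added example that is not from the deck: one class implements both HttpSessionListener and HttpSessionAttributeListener, so the session counter lives in sessionCreated/sessionDestroyed (the only job slide 30 leaves for sessionDestroyed) while per-user cleanup and logging react to a single monitored attribute in the attribute callbacks, which fire for both explicit logout and timeout. It also shows the getValue difference slide 32 describes between attributeAdded and attributeReplaced. The attribute names and the class name are assumptions; the javax.servlet API is assumed.

```java
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// One class serving both roles from the slides: HttpSessionListener for counting
// sessions, HttpSessionAttributeListener for cleanup when the login attribute goes away.
public class SessionTracker implements HttpSessionListener, HttpSessionAttributeListener {

    // Hypothetical attribute names; the application stores the logged-in user under USER_ATTR.
    public static final String USER_ATTR = "authenticatedUser";
    public static final String ACTIVE_SESSIONS_ATTR = "app.activeSessions";

    // Sessions come and go on many request threads, so the count must be thread-safe.
    private final AtomicInteger activeSessions = new AtomicInteger();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        activeSessions.incrementAndGet();
        // sessionCreated is where you guarantee that every session carries an attribute.
        session.setAttribute("createdAt", System.currentTimeMillis());
        // Publish the counter object itself, so servlets reading it always see the live value.
        session.getServletContext().setAttribute(ACTIVE_SESSIONS_ATTR, activeSessions);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Bookkeeping only: the slides treat this callback as attribute-free.
        activeSessions.decrementAndGet();
    }

    @Override
    public void attributeAdded(HttpSessionBindingEvent event) {
        if (USER_ATTR.equals(event.getName())) {
            // For attributeAdded, getValue is the new value.
            log(event, "login for user " + event.getValue());
        }
    }

    @Override
    public void attributeReplaced(HttpSessionBindingEvent event) {
        if (USER_ATTR.equals(event.getName())) {
            // For attributeReplaced, getValue is the previous value; read the new one from the session.
            Object previous = event.getValue();
            Object current = event.getSession().getAttribute(USER_ATTR);
            log(event, "user changed from " + previous + " to " + current);
        }
    }

    @Override
    public void attributeRemoved(HttpSessionBindingEvent event) {
        if (USER_ATTR.equals(event.getName())) {
            // Fires for an explicit removeAttribute (logout) and for timeout expiry alike,
            // so per-user cleanup belongs here rather than in sessionDestroyed.
            log(event, "session ended for user " + event.getValue() + " (logout or timeout)");
        }
    }

    // The session id is deliberately not written to the log: it is a bearer credential.
    private static void log(HttpSessionBindingEvent event, String message) {
        event.getSession().getServletContext().log("SessionTracker: " + message);
    }
}
```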
33. Summary of Listeners
- Servlet context listeners
• Notified when the servlet context is initialized and destroyed.
- Servlet context attribute listeners
• Notified when context attributes are added/removed/replaced.
- Session listeners
• Notified when sessions are created, invalidated, or timed out.
- Session attribute listeners
• Notified when session attributes are added/removed/replaced.