This document discusses security topics related to application programming interfaces (APIs), including authentication, authorization, and protecting data. It covers basic types of authentication like declarative, programmatic, and informative authentication. It also discusses defining roles and resource constraints for authentication and authorization. The document stresses the importance of securing code and concentrating on authentication. It provides examples of container-specific authentication and discusses protecting requested data by using HTTPS.

1. Chapter 12
Security

2. Βασική αναφορά
Κάθε εφαρμογή του ΠΙ μπορεί να
• Αλωθεί
• Προστατευθεί σε μεγάλο βαθμό
• Με αντίστοιχο κόστος
• Δεν υπάρχει λύση
• Μόνον καλές πρακτικές

3. Τρόποι άλλωσης
• Τεχνικοί
• Ψυχολογικοί

4. The bad guys:
Impersonators, Upgraders & Eavesdroppers
Can be basted with
• authentication,
• are who you say you are?
• authorization,
• what are you allowed to …?
• confidentiality, data integrity.
• who sees or messes up with …?

8. Authentication

9. Authentication & Authorization
in detail

10. Two (and a half) basic types
• Declarative
• Programmatic
• Informative

11. Keep security out of the code
• Component-based
• Ever evolving
• Several levels
• …

12. Secure your code
• Declaratively in the DD
• Interfacing between
• Servlet authors
• App administrators
• App deployers

13. Concentrate on Authentication
• Container-specific table containing
• Usernames, passwords & roles
• LDAP

14. Realm: tomcat-users.xml
In the DD

15. Defines roles

16. Define
resource/
method
constraints

17. You
really
need to
be
careful

18. Big picture

19. Multiple
<security-
constraint>
elements

20. Truth table (Union)

21. Programmatic Security

22. Programmatic Security

23. J2EE Container Authentication types
• Basic
• Digest (encoded)
• Client-cert (mainly for B2B)
• Form (custom but no encrypted)

26. Authentication Summary

27. Data Protection

28. Protect
Requested
Data
• Tell browser to use
HTTPs