Session 4 : securing web application - Giáo trình Bách Khoa Aptech

Published in: Technology
Speaker notes (on the HttpServletRequest methods):
  • getAuthType() – returns the authentication scheme name.
  • getRemoteUser() – if the user is authenticated, returns the login name of the user, else returns null.
  • getRequestedSessionId() – returns the session ID that is defined by the client.
Slide 1 of 19
Securing Web Application
Slide 2 of 19
Overview
• Security Concepts
• Security Mechanism
• Pillar of Security
  – HTTP Basic Authentication
  – HTTP Digest Authentication
  – HTTPS Client Authentication
  – Form-based Authentication
• Authentication
• Users
• Declarative Security
• Programmatic Security
Slide 3 of 19
Security Concepts
• Need for Securing Web Applications
  – Web applications are accessed over a network such as the Internet or an intranet
  – Access to confidential information by unauthorized users: for example, a Personal Identification Number (PIN)
  – Unauthorized use of resources: for example, a person using a customer's bank account without the customer's authorization
  – Malicious code: programs written by attackers to compromise the security of web applications
Slide 4 of 19
Security Mechanisms
• Firewall
• Digital Signatures
• Password Authentication / Authorization
Slide 5 of 19
Security Mechanism
• HTTP basic authentication
• HTTP digest authentication
• HTTPS (Secured HTTP) client authentication
• Form-based authentication
Slide 6 of 19
HTTP Basic Authentication
– A common method of authenticating users by verifying the user name and password
– Users are authenticated before they are allowed to access the protected resources
– The server enforces security through the web browser
– When the user tries to access a protected resource, the web browser displays a dialog box to accept the authentication information from the user
Slide 7 of 19
HTTP Digest Authentication
– Uses hash functions to secure web applications
– A hash function converts data into a short, complex number (the digest)

  Input            Hash Value
  Fox              DFC3478
  Fox is running   583DNT89
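The slide shows only the idea of a hash; the following added example (not part of the original deck) shows what HTTP Digest authentication actually does with it. It computes the RFC 2617 "response" value that a server recomputes from its stored credentials and compares with the value the browser sent, so the password itself never travels over the wire. The realm, user and password are taken from the later web.xml and tomcat-users.xml slides; the nonce is a constructed value, and the qop/cnonce extensions are omitted for brevity.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestAuthDemo {

    // Hex-encoded MD5 of a string; MD5 is the hash RFC 2617 HTTP Digest uses.
    static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // Server-side computation of the expected "response" field of a Digest
    // Authorization header (RFC 2617, without qop):
    //   HA1      = MD5(username:realm:password)
    //   HA2      = MD5(method:uri)
    //   response = MD5(HA1:nonce:HA2)
    static String expectedResponse(String username, String realm, String password,
                                   String method, String uri, String nonce) {
        String ha1 = md5Hex(username + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    // Compares the client's response with the expected one without stopping at
    // the first differing byte, so timing does not reveal how much matched.
    static boolean verify(String clientResponse, String expected) {
        return MessageDigest.isEqual(
                clientResponse.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // The slide's illustration: a small change in the input gives an unrelated digest.
        System.out.println("Fox            -> " + md5Hex("Fox"));
        System.out.println("Fox is running -> " + md5Hex("Fox is running"));

        // Constructed exchange: user "rahulk" in realm "Managers" (from later slides);
        // the nonce is a made-up value the server would have issued in its 401 challenge.
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String fromClient = expectedResponse("rahulk", "Managers", "rahulk",
                                             "GET", "/secure/report.jsp", nonce);
        String onServer = expectedResponse("rahulk", "Managers", "rahulk",
                                           "GET", "/secure/report.jsp", nonce);
        System.out.println("digest verifies: " + verify(fromClient, onServer));
    }
}
```

Because the nonce is chosen by the server per challenge, a captured response cannot simply be replayed later; but the scheme still relies on MD5 and gives no confidentiality for the request body, so in practice it is deployed over TLS just like Basic authentication.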
Slide 8 of 19
HTTPS Client Authentication
– Authenticates users by establishing a Secure Sockets Layer (SSL) connection between sender and recipient
  • Sender – SSL client
  • Recipient – SSL server
– An extra authentication layer between HTTP and TCP
– This layer confirms the client's authentication
– Two kinds of certificates are used
  • Server certificates – contain information about the server that allows a client to identify the server before sharing sensitive information
  • Client certificates – contain personal information about the user and introduce the SSL client to the server
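The SSL layer confirms the client certificate before the servlet runs; what the web application sees afterwards is shown in this added example (not from the original deck). It assumes the container is configured for CLIENT-CERT authentication in web.xml and uses the standard Servlet request attribute javax.servlet.request.X509Certificate, under which the container exposes the validated client certificate chain. The servlet name is a constructed one.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example servlet; mapped in web.xml to a URL protected with
// <auth-method>CLIENT-CERT</auth-method> (assumption, not shown on the slide).
public class ClientCertServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The TLS handshake (and the certificate check against the server's
        // trust store) has already happened; the container hands the validated
        // chain to the servlet under this attribute, leaf certificate first.
        X509Certificate[] chain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

        if (!req.isSecure() || chain == null || chain.length == 0) {
            // Plain HTTP, or no client certificate presented: refuse.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }

        X509Certificate client = chain[0];
        resp.setContentType("text/plain");
        // The subject DN is the "personal information about the user" the slide
        // refers to; getRemoteUser() returns the name the container's realm
        // mapped from that certificate.
        resp.getWriter().println("Authenticated subject: "
                + client.getSubjectX500Principal().getName());
        resp.getWriter().println("Issued by: "
                + client.getIssuerX500Principal().getName());
        resp.getWriter().println("Container user: " + req.getRemoteUser());
    }
}
```

The application code never handles the private key or performs the signature check; it only reads the identity the transport layer already verified, which is the reason this method is usually combined with declarative security rather than reimplemented in servlets.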
Slide 9 of 19
Form-based Authentication
– A customized login page is created for a web application
– Web site users can browse the unprotected pages of the site, but they are redirected to a login page when they try to access the secured pages
– Uses base-64 encoding, so it can expose the user name and password unless all connections are over SSL
– Does not specify the security realm
  • A realm is the region in which a security permission applies
  • A security realm specifies the scope of security data
Slide 10 of 19
Authentication
• Authentication is specified in web.xml (a deployment descriptor may contain only one <login-config>; the two shown below are alternatives)

  Form-based login:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/Error.jsp</form-error-page>
      </form-login-config>
    </login-config>

  HTTP basic login:

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Managers</realm-name>
    </login-config>
Slide 11 of 19
Users
• Users are configured in the tomcat-users.xml file

    <tomcat-users>
      <role rolename="tomcat"/>
      <role rolename="manager"/>
      <role rolename="admin"/>
      <user username="rahulk" password="rahulk" roles="manager,admin"/>
      <user username="tomcat" password="tomcat" roles="tomcat"/>
    </tomcat-users>
Slide 12 of 19
Declarative Security
• Provides security to resources through the server configuration
• Works as a separate layer from the web component it protects
• Advantages:
  – Lets the programmer ignore the constraints of the programming environment
  – Updating the mechanism does not require a total change of the security model
  – It is easily maintainable
Slide 13 of 19
Declarative Security
• Limitations
  – Access is either granted to all or denied
  – Access is granted by the server only if the password matches
  – All pages use the same authentication mechanism
  – It cannot use both form-based and basic authentication for different pages
Slide 14 of 19
Implementing Declarative Security
• Setting up user names, passwords and roles
• Setting the authentication mechanism to FORM
• Creating the login page
• Creating the error page
• Specifying the URLs that should be password protected
• Specifying the URLs that should be available only over SSL
• Turning off the invoker servlet
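The two "specify URLs" steps above are normally written as a <security-constraint> in web.xml; the following added example (not from the original deck) expresses the same constraint with the Servlet 3.0 annotations that are equivalent to those web.xml elements, so that the protected resource, its required role and its SSL requirement can be read in one place. It assumes the FORM <login-config> from slide 10 and the "manager" role from slide 11 are in place; the servlet name and URL pattern are constructed.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Annotation equivalent of a web.xml <security-constraint> (constructed example):
//   - only users in the "manager" role may reach /reports/*   (password protected)
//   - requests must arrive over TLS                           (available only with SSL)
// No authentication code appears in the servlet itself; the container enforces it.
@WebServlet(urlPatterns = {"/reports/*"})
@ServletSecurity(@HttpConstraint(
        rolesAllowed = {"manager"},
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time this runs, the container has redirected an unauthenticated
        // user to the FORM login page from <login-config> and rejected any
        // authenticated user who is not in the "manager" role.
        resp.setContentType("text/plain");
        resp.getWriter().println("Report for " + req.getRemoteUser()
                + " (authenticated via " + req.getAuthType() + ")");
    }
}
```

The authentication method itself (FORM, BASIC, CLIENT-CERT) still has to be declared in web.xml; annotations only add constraints. The constraint is keyed on the URL pattern, which is why the last step on the slide matters: Tomcat's invoker servlet lets a servlet be reached by class name under a different path, so leaving it enabled would let a request reach ReportServlet without passing through the constraint.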
Slide 15 of 19
Programmatic Security
• Authenticates users and grants them access
• The servlet/JSP page either authenticates the user or verifies that the user has authenticated earlier
• Advantages
  – Ensures total portability
  – Allows custom password-matching strategies
• Limitations
  – Much harder to code and maintain
  – Every resource must use the code
Slide 16 of 19
Programmatic Security
• HttpServletRequest
  – public String getAuthType()
  – public String getHeader(String name)
  – public String getRemoteUser()
  – public String getRequestedSessionId()
  – public HttpSession getSession()
  – public boolean isUserInRole(String role)
  – public boolean isRequestedSessionIdValid()
  – public Principal getUserPrincipal()
Slide 17 of 19
Implementing Programmatic Security
• Check whether there is an Authorization request header
• Get the String, which contains the encoded user name / password
• Reverse the base64 encoding of the user name / password String
• Check the user name and password
• If authentication fails, send the proper response to the client
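The five steps above, carried through in one servlet, as an added example that is not part of the original deck. It uses the getHeader() method from slide 16 and the user names from slide 11; the user store is a constructed in-memory map (Java 9+ Map.of) standing in for the realm, and the servlet name is constructed. Malformed headers are rejected rather than allowed to throw, and the password check does not stop at the first mismatching byte.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProgrammaticBasicAuthServlet extends HttpServlet {

    // Constructed sample user store mirroring the slide's tomcat-users.xml.
    // A real store would hold salted password hashes, never plaintext.
    private static final Map<String, String> USERS = Map.of(
            "rahulk", "rahulk",
            "tomcat", "tomcat");

    // Steps 1-3: header present?  take the encoded part,  reverse the base64.
    // Returns {user, password}, or null when the header is absent or malformed.
    static String[] decodeBasicCredentials(String authHeader) {
        if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;                                    // no Basic credentials sent
        }
        String encoded = authHeader.substring(6).trim();
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;                                    // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;                                    // no "user:password" separator
        }
        return new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
    }

    // Step 4: check the user name and password. MessageDigest.isEqual compares
    // all bytes instead of returning at the first difference.
    static boolean credentialsValid(String user, String password) {
        String stored = USERS.getOrDefault(user, "");
        boolean match = MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return USERS.containsKey(user) && match;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String[] creds = decodeBasicCredentials(req.getHeader("Authorization"));
        if (creds == null || !credentialsValid(creds[0], creds[1])) {
            // Step 5: the proper response is 401 plus a challenge naming the
            // scheme and realm, which makes the browser show its login dialog.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"Managers\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Welcome, " + creds[0]);
    }
}
```

Because the credentials are only base64-encoded, this servlet should be reachable over HTTPS alone; and as slide 15 notes, every protected resource must repeat this check (or share it through a filter), which is the maintenance cost of the programmatic approach.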
Slide 18 of 19
Summary
• Security Concepts
• Security Mechanism
• Pillar of Security
  – HTTP Basic Authentication
  – HTTP Digest Authentication
  – HTTPS Client Authentication
  – Form-based Authentication
• Authentication – web.xml
• Users – tomcat-users.xml
Slide 19 of 19
Summary
• Declarative Security
  – Advantages
  – Limitation
  – Implementing Declarative Security
• Programmatic Security
  – Advantages
  – Limitation
  – Implementing Programmatic Security
