1. Slide 1 of 19
Securing Web Application

2. Slide 2 of 19
Overview
 Security Concepts
 Security Mechanism
 Pillar of Security
– Http Basic Authentication
– Http Digest Authentication
– HTTPS Client Authentication
– Form-based Authentication
 Authentication
 Users
 Declarative Security
 Programmatic Security

3. Slide 3 of 19
Security Concepts
 Need of Securing Web Application
– Web Application is access over a network such as Internet /
Intranet
– Access to confidential information by unauthorized
users: For example, Personal Identification Number(PIN)
– Unauthorized use of resources: For example, a person
using the bank account of a customer without
authorization from the customer.
– Malicious Code: Malicious codes are programs written
by hackers to compromise the security of Web
applications

4. Slide 4 of 19
Security Mechanisms
 Firewall
 Digital Signatures
 Password Authentication / Authorization

5. Slide 5 of 19
Security Mechanism
 HTTP basic authentication
 HTTP digest authentication
 HTTPS (Secured HTTP) client authentication
 Form-based authentication

6. Slide 6 of 19
Http Basic Authentication
– Common method to authenticate users by
verifying the user name and password
– Users are authenticated before allowing them to
access the protected resources.
– The server enforces security through the Web
browser.
– The Web browser displays a dialog box to accept
the authentication information from the user,
when the user tries to access a protected
resource.

7. Slide 7 of 19
Http Digest Authentication
– Use hash functions to secure web applications
– Hash function convert data into a small / complex
no.
Input Hash Value
Fox DFC3478
Fox is running 583DNT89

8. Slide 8 of 19
Https Client Authentication
– Authentication of users by establishing a Secure
Sockets Layer (SSL) connection between sender and
recipient
• Sender – SSL Client
• Recipient – SSL server
– Extra authentication layer in between Http and TCP
– This layer confirms the client authentication
– Two kinds of Certificated are used
• Server Certificates
– Contain information about server that allows a client to identify the
server before sharing sensitive information
• Client Certificates
– Contains personal information about the user and introduces the SSL
client to the server

9. Slide 9 of 19
Form-based Authentication
– A customized login page is created for a Web
application.
– Web site users can browse the unprotected pages of
the Web site, but they are redirected to a login page
when they try to access the secured pages of the
Web site.
– Use base-64 encoding, can expose user name and
password unless all connections are over SSL
– Does not specify the security realm
• A realm is the region in which a security permission applies
• A security realm specifies the scope of security data

10. Slide 10 of 19
Authentication
 Authentication is specified in web.xml
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/Login.jsp</form-login-page>
<form-error-page>/Error.jsp</form-error-page>
</form-login-config>
</login-config>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Managers</realm-name>
</login-config>

11. Slide 11 of 19
Users
 Users are configured in tomcat-user.xml file
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="rahulk" password="rahulk"
roles="manager,admin"/>
<user username="tomcat" password="tomcat"
roles="tomcat"/>
</tomcat-users>

12. Slide 12 of 19
Declarative Security
 Provides security to resource with the help of
the server configuration
 Works as a different layer from the web
component which it works.
 Advantages:
– Gives scope to the programmer to ignore the
constraints of the programming environment
– Updating the mechanism does not require total
change in Security model
– It is easily maintainable

13. Slide 13 of 19
Declarative Security
 Limitation
– Access is provided to all or denied
– Access is provided by the Server only if the
password matches
– All the pages use same authentication mechanism
– It can not use both form-based and basic
authentication for different page

14. Slide 14 of 19
Implementing Declarative Security
 Setting up User Names, Passwords, Roles
 Setting Authentication mechanism to FORM
 Creating Login Page
 Creating Error Page
 Specify URLs that should be password protected
 Specify URLs that Should be available only with
SSL
 Turning Off the Invoker Servlet

15. Slide 15 of 19
Programmatic Security
 Authenticates users and grant access to the
users
 Servlet/JSP page either authenticates the user
or verify that the user has authenticates earlier
 Advantages
– Ensue total portability
– Allowed password matching strategies
 Limitation
– Much harder to code and maintain
– Every resource must use the code

16. Slide 16 of 19
Programmatic Security
 HttpServeltRequest
– public string getAuthType()
– public String getHeader(String name)
– public String getRemoteUser()
– public String getRequestedSessionId()
– public HttpSession getSession()
– public boolean isUserInRole(String role)
– public boolean isRequestedSessionIdValid()
– public Principal getUserPrincipal()

17. Slide 17 of 19
Implementing Programmatic Security
 Check whether there is an authorisation request
header
 Get the String, which contains the encoded user
name / password
 Reverse the base64 encoding of the user name /
password String
 Check the user name and password
 If authentication fails, send the proper response
to the client

18. Slide 18 of 19
Summary
 Security Concepts
 Security Mechanism
 Pillar of Security
– Http Basic Authentication
– Http Digest Authentication
– HTTPS Client Authentication
– Form-based Authentication
 Authentication
– web.xml
 Users
– tomcat-users.xml

19. Slide 19 of 19
Summary
 Declarative Security
– Advantages
– Limitation
– Implementing Declarative Security
 Programmatic Security
– Advantages
– Limitation
– Implementing Programmatic Security