3. Slide 3 of 19
Security Concepts
Need for Securing Web Applications
– Web applications are accessed over a network such as the Internet / Intranet
– Access to confidential information by unauthorized users: for example, a Personal Identification Number (PIN)
– Unauthorized use of resources: for example, a person using the bank account of a customer without authorization from the customer
– Malicious code: programs written by hackers to compromise the security of Web applications
4. Slide 4 of 19
Security Mechanisms
Firewall
Digital Signatures
Password Authentication / Authorization
6. Slide 6 of 19
Http Basic Authentication
– A common method of authenticating users by verifying the user name and password
– Users are authenticated before they are allowed to access protected resources.
– The server enforces security through the Web browser.
– The Web browser displays a dialog box to accept the authentication information from the user when the user tries to access a protected resource.
7. Slide 7 of 19
Http Digest Authentication
– Uses hash functions to secure web applications
– A hash function converts data of any length into a small, fixed-size value (the hash); the values below are the slide's illustrative examples, not real digests
  Input            Hash Value
  Fox              DFC3478
  Fox is running   583DNT89
8. Slide 8 of 19
Https Client Authentication
– Authenticates users by establishing a Secure Sockets Layer (SSL) connection between sender and recipient
• Sender – SSL client
• Recipient – SSL server
– SSL is an extra layer between Http and TCP
– This layer performs the client authentication
– Two kinds of certificates are used
• Server certificates
– Contain information about the server that lets a client identify the server before sharing sensitive information
• Client certificates
– Contain personal information about the user and introduce the SSL client to the server
9. Slide 9 of 19
Form-based Authentication
– A customized login page is created for the Web application.
– Web site users can browse the unprotected pages of the Web site, but they are redirected to the login page when they try to access the secured pages.
– Uses base-64 encoding, which can expose the user name and password unless all connections are over SSL
– Does not specify the security realm
• A realm is the region in which a security permission applies
• A security realm specifies the scope of security data
10. Slide 10 of 19
Authentication
Authentication is specified in web.xml. The two <login-config> blocks below are alternatives (form-based and basic); a web.xml contains only one of them.
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/Error.jsp</form-error-page>
  </form-login-config>
</login-config>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Managers</realm-name>
</login-config>
11. Slide 11 of 19
Users
Users are configured in the tomcat-users.xml file (the slide stores the passwords in plain text; Tomcat can instead be configured to store password digests)
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="rahulk" password="rahulk" roles="manager,admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
12. Slide 12 of 19
Declarative Security
Provides security to resources with the help of the server configuration
Works as a layer separate from the web component it protects
Advantages:
– Gives the programmer scope to ignore the constraints of the programming environment
– Updating the mechanism does not require a total change of the security model
– It is easily maintainable
13. Slide 13 of 19
Declarative Security
Limitations
– Access is either granted in full or denied
– Access is granted by the server only if the password matches
– All the pages use the same authentication mechanism
– It cannot use form-based authentication for some pages and basic authentication for others
14. Slide 14 of 19
Implementing Declarative Security
Setting up user names, passwords and roles
Setting the authentication mechanism to FORM
Creating the login page
Creating the error page
Specifying the URLs that should be password protected
Specifying the URLs that should be available only with SSL
Turning off the invoker servlet
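As an added worked example (not from the slides), here is a web.xml that puts steps 2 to 7 of this slide together for the roles of slide 11; the URL pattern /admin/* and the resource name are assumptions chosen for the example:

```xml
<!-- Added example, not from the slides: the web.xml entries that implement the steps of slide 14.
     Assumes the roles and users of slide 11 (tomcat-users.xml) and the FORM settings of slide 10. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Step 5: URLs that should be password protected, and which role may reach them -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- Step 6: the same URLs are available only over SSL; Tomcat redirects plain-HTTP
         requests for them to its configured HTTPS port -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Steps 2 to 4: FORM authentication with the login and error pages -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Login.jsp</form-login-page>
      <form-error-page>/Error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint must also be declared here -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

  <!-- Step 7 is done in Tomcat's conf/web.xml, not here: leave the invoker servlet (/servlet/*)
       unmapped, because it would let a client call any servlet by class name and so bypass
       the url-pattern constraints above -->
</web-app>
```

Login.jsp must post the fields j_username and j_password to the action j_security_check, and Error.jsp is shown when that login fails. Step 1, the user store, stays in tomcat-users.xml as on slide 11.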
15. Slide 15 of 19
Programmatic Security
Authenticates users and grants access to them in the application code
The Servlet/JSP page either authenticates the user itself or verifies that the user was authenticated earlier
Advantages
– Ensures total portability
– Allows custom password-matching strategies
Limitations
– Much harder to code and maintain
– Every resource must include the checking code
16. Slide 16 of 19
Programmatic Security
HttpServletRequest
– public String getAuthType()
– public String getHeader(String name)
– public String getRemoteUser()
– public String getRequestedSessionId()
– public HttpSession getSession()
– public boolean isUserInRole(String role)
– public boolean isRequestedSessionIdValid()
– public Principal getUserPrincipal()
17. Slide 17 of 19
Implementing Programmatic Security
Check whether there is an Authorization request header
Get the String that contains the encoded user name / password
Reverse the base64 encoding of the user name / password String
Check the user name and password
If authentication fails, send the proper response to the client
– getAuthType() – returns the name of the authentication scheme
– getRemoteUser() – returns the login name of the user if the user is authenticated, else null
– getRequestedSessionId() – returns the session ID specified by the client
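As an added example, not from the slides, the following servlet carries out these five steps in code using the HttpServletRequest methods of slide 16; the class name, the constructed user map, and the use of the Basic scheme with the realm "Managers" from slide 10 are assumptions:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the slides: a servlet that carries out the five steps of slide 17
// itself instead of relying on <login-config>. Assumes the javax.servlet API and Java 9+.
public class ProgrammaticBasicAuthServlet extends HttpServlet {
    // Constructed sample credentials (same names as the slides' tomcat-users.xml);
    // a real application would look up hashed passwords, not plain-text ones
    private static final Map<String, String> USERS = Map.of("rahulk", "rahulk", "tomcat", "tomcat");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // 1. Check whether there is an Authorization request header using the Basic scheme
        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) { challenge(resp); return; }
        // 2. Get the string that contains the encoded user name / password
        String encoded = header.substring(6).trim();
        String decoded;
        try {
            // 3. Reverse the base64 encoding; malformed input counts as a failed attempt
            decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { challenge(resp); return; }
        // 4. Check the user name and password; split on the first ':' only, because a password
        //    may itself contain ':'. MessageDigest.isEqual does not stop at the first mismatch.
        int sep = decoded.indexOf(':');
        String user = sep < 0 ? decoded : decoded.substring(0, sep);
        String pass = sep < 0 ? "" : decoded.substring(sep + 1);
        String expected = USERS.get(user);
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
        // 5. If authentication fails, send the proper response to the client
        if (!ok) { challenge(resp); return; }
        resp.getWriter().println("Welcome, " + user);
    }

    // 401 plus WWW-Authenticate is what makes the browser show its login dialog
    private static void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"Managers\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Because every protected servlet would need this same code, the check is normally placed in a servlet filter rather than repeated per resource, which is the maintenance cost slide 15 lists as a limitation.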