Session 4: Securing Web Application - Bách Khoa Aptech course material
Post on 11-Jun-2015
Slide 1 of 19
Securing Web Application
Slide 2 of 19
Overview
– Security Concepts
– Security Mechanism
– Pillar of Security
  • Http Basic Authentication
  • Http Digest Authentication
  • HTTPS Client Authentication
  • Form-based Authentication
– Authentication
– Users
– Declarative Security
– Programmatic Security
Slide 3 of 19
Security Concepts
Need of Securing Web Application
– A Web application is accessed over a network such as the Internet or an intranet.
– Access to confidential information by unauthorized users: for example, a Personal Identification Number (PIN).
– Unauthorized use of resources: for example, a person using the bank account of a customer without authorization from the customer.
– Malicious code: programs written by hackers to compromise the security of Web applications.
Slide 4 of 19
Security Mechanisms
Firewall
Digital Signatures
Password Authentication / Authorization
Slide 5 of 19
Security Mechanism
HTTP basic authentication
HTTP digest authentication
HTTPS (Secured HTTP) client authentication
Form-based authentication
Slide 6 of 19
Http Basic Authentication
– Common method to authenticate users by verifying the user name and password
– Users are authenticated before they are allowed to access the protected resources.
– The server enforces security through the Web browser.
– The Web browser displays a dialog box to accept the authentication information from the user when the user tries to access a protected resource.
Slide 7 of 19
Http Digest Authentication
– Uses hash functions to secure Web applications
– A hash function converts data of any length into a small, seemingly random value (the hash); a tiny change in the input gives an unrelated hash
Input           Hash Value
Fox             DFC3478
Fox is running  583DNT89
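The following is an added example, not code from the original slides: it shows the two ideas of this slide in Java. First, the hash-table idea (a small change in the input gives an unrelated hash value, here with SHA-256). Second, how a server verifies an HTTP Digest Authentication response as specified by RFC 2617 with qop="auth": the server stores HA1 = MD5(user:realm:password) instead of the clear-text password, recomputes the expected response from the nonce values it issued, and compares in constant time. The user name, password, realm, URI, nonce and cnonce values are constructed for illustration (the user and realm are taken from the web.xml and tomcat-users.xml slides of this session).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: hash functions and HTTP Digest response verification.
// All names and values are constructed for illustration.
public class DigestAuthDemo {

    // Hex-encoded hash of a string. MD5 is what RFC 2617 specifies for
    // HTTP Digest; SHA-256 is used to illustrate the slide's hash table.
    static String hashHex(String algorithm, String input) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // HA1 = MD5(username:realm:password). The server can store this value
    // instead of the clear-text password.
    static String ha1(String user, String realm, String password) {
        return hashHex("MD5", user + ":" + realm + ":" + password);
    }

    // response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
    static String expectedResponse(String ha1, String nonce, String nc, String cnonce,
                                   String qop, String method, String uri) {
        String ha2 = hashHex("MD5", method + ":" + uri);
        return hashHex("MD5", ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Constant-time comparison, so the time taken to reject a response does
    // not reveal how many leading characters matched.
    static boolean verify(String expected, String presented) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // The slide's point: a small change in the input gives an unrelated hash.
        System.out.println("SHA-256(\"Fox\")            = " + hashHex("SHA-256", "Fox"));
        System.out.println("SHA-256(\"Fox is running\") = " + hashHex("SHA-256", "Fox is running"));

        // Constructed values standing in for what the server issued (nonce)
        // and what the client sent back (nc, cnonce, method, uri).
        String realm = "Managers";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String nc = "00000001", cnonce = "0a4f113b", qop = "auth";
        String method = "GET", uri = "/manager/index.jsp";

        // What the server keeps in its user store for "rahulk".
        String storedHa1 = ha1("rahulk", realm, "rahulk");
        // What the server expects for this request.
        String serverExpected = expectedResponse(storedHa1, nonce, nc, cnonce, qop, method, uri);

        // Browser side: the client knows the password and computes the same response.
        String clientResponse = expectedResponse(ha1("rahulk", realm, "rahulk"),
                                                 nonce, nc, cnonce, qop, method, uri);
        System.out.println("correct password verifies: " + verify(serverExpected, clientResponse));

        // A wrong password yields a different response, which the server rejects.
        String badResponse = expectedResponse(ha1("rahulk", realm, "wrong"),
                                              nonce, nc, cnonce, qop, method, uri);
        System.out.println("wrong password verifies:   " + verify(serverExpected, badResponse));
    }
}
```

Two practical points follow from the code: the password itself never travels over the network, only the hashed response does, and the server-side HA1 store is still sensitive (anyone holding HA1 for a realm can answer challenges for that realm), so it must be protected like a password database. MD5-based Digest is also weak by current standards; in a new deployment it is mainly of interest as a step up from Basic authentication over plain HTTP, not as a replacement for TLS.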
Slide 8 of 19
Https Client Authentication
– Authenticates users by establishing a Secure Sockets Layer (SSL) connection between sender and recipient
  • Sender – SSL client
  • Recipient – SSL server
– Extra authentication layer between HTTP and TCP
– This layer confirms the client authentication
– Two kinds of certificates are used
  • Server certificates – contain information about the server that allows a client to identify the server before sharing sensitive information
  • Client certificates – contain personal information about the user and introduce the SSL client to the server
Slide 9 of 19
Form-based Authentication
– A customized login page is created for a Web application.
– Web site users can browse the unprotected pages of the Web site, but they are redirected to a login page when they try to access the secured pages of the Web site.
– Uses base-64 encoding, so it can expose the user name and password unless all connections are over SSL
– Does not specify the security realm
  • A realm is the region in which a security permission applies
  • A security realm specifies the scope of security data
Slide 10 of 19
Authentication
Authentication is specified in web.xml. The two fragments below are alternatives (a web.xml contains only one <login-config>): form-based authentication with a custom login and error page, or HTTP basic authentication in the realm "Managers".

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/Error.jsp</form-error-page>
  </form-login-config>
</login-config>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Managers</realm-name>
</login-config>
Slide 11 of 19
Users
Users are configured in the tomcat-users.xml file:

<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="rahulk" password="rahulk" roles="manager,admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
Slide 12 of 19
Declarative Security
– Provides security to a resource with the help of the server configuration
– Works as a separate layer from the Web component it protects
Advantages:
– Gives the programmer scope to ignore the constraints of the programming environment
– Updating the mechanism does not require a total change in the security model
– It is easily maintainable
Slide 13 of 19
Declarative Security
Limitation
– Access is either provided to all or denied
– Access is provided by the server only if the password matches
– All the pages use the same authentication mechanism
– It cannot use both form-based and basic authentication for different pages
Slide 14 of 19
Implementing Declarative Security
– Setting up user names, passwords, roles
– Setting the authentication mechanism to FORM
– Creating the login page
– Creating the error page
– Specifying URLs that should be password protected
– Specifying URLs that should be available only with SSL
– Turning off the invoker servlet
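The following is an added example, not from the original slides or from Tomcat's own documentation: a complete web.xml that carries out the steps listed above (the user set-up step is the tomcat-users.xml of the earlier slide). The URL pattern /manager/*, the resource name and the two role names are assumptions chosen to match the users on that slide.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original slides): declarative security for
     a Web application. URL patterns and role names are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Step: URLs that should be password protected.
       Only users in the listed roles may reach anything under /manager/. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager pages</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
      <!-- No <http-method> element is listed on purpose: the constraint then
           covers every HTTP method. Listing only GET and POST would leave
           other methods (HEAD, PUT, ...) unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Step: URLs that should be available only with SSL.
         CONFIDENTIAL makes the container redirect plain HTTP requests to HTTPS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step: authentication mechanism FORM, with the login and error pages. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Login.jsp</form-login-page>
      <form-error-page>/Error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an <auth-constraint> must also be declared here;
       the container maps these names to the users in tomcat-users.xml. -->
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```

For the container to process the form, Login.jsp must POST to the special action j_security_check with input fields named j_username and j_password; the container, not the page, performs the check and redirects to Error.jsp on failure. The last step of the slide, turning off the invoker servlet, is not done in this file: on the Tomcat versions that shipped an invoker servlet it was mapped to /servlet/* in Tomcat's global conf/web.xml, and disabling it means removing or commenting out that servlet-mapping there, so that servlets cannot be reached by class name at a URL the security constraints above do not cover.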
Slide 15 of 19
Programmatic Security
– Authenticates users and grants access to them
– The Servlet/JSP page either authenticates the user itself or verifies that the user was authenticated earlier
Advantages
– Ensures total portability
– Allows custom password-matching strategies
Limitation
– Much harder to code and maintain
– Every resource must use the code
Slide 16 of 19
Programmatic Security
HttpServletRequest
– public String getAuthType()
– public String getHeader(String name)
– public String getRemoteUser()
– public String getRequestedSessionId()
– public HttpSession getSession()
– public boolean isUserInRole(String role)
– public boolean isRequestedSessionIdValid()
– public Principal getUserPrincipal()
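The following is an added example, not code from the original slides: a servlet that leaves authentication to the container (the declarative configuration of the previous slides) but makes its own authorisation decision with the HttpServletRequest methods listed above. This is the mixed form that the declarative-security limitations slide calls for when one page needs a finer check than all-or-nothing. The servlet name and the role name "manager" are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original slides): container authentication,
// servlet-side authorisation. Role name and class name are assumptions.
public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            // Nobody is logged in: either this URL is not covered by a
            // <security-constraint>, or the container did not authenticate.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole("manager")) {
            // Authenticated, but not authorised for this particular resource.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Authenticated via: " + req.getAuthType());   // FORM, BASIC, ...
        out.println("User: " + req.getRemoteUser());               // same as principal.getName()
        out.println("Session id valid: " + req.isRequestedSessionIdValid());
    }
}
```

Checking getUserPrincipal() before isUserInRole() matters: for an unauthenticated request isUserInRole() simply returns false, so without the first check a missing login and a missing role would both be reported as 403, which makes the log less useful when diagnosing a misconfigured security constraint.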
Slide 17 of 19
Implementing Programmatic Security
– Check whether there is an Authorization request header
– Get the String, which contains the encoded user name / password
– Reverse the base64 encoding of the user name / password String
– Check the user name and password
– If authentication fails, send the proper response to the client
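The following is an added example, not code from the original slides: a servlet that carries out the steps above by itself, performing HTTP Basic authentication without the container's help. The user table is constructed in-line for illustration (the "rahulk" user from the tomcat-users.xml slide); a real deployment would read users from a store and keep password hashes, not clear text. The class name and realm name are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original slides): programmatic HTTP Basic
// authentication. Realm, class name and user table are constructed.
public class ProgrammaticBasicAuthServlet extends HttpServlet {
    private static final String REALM = "Managers";
    // Constructed credentials for illustration only.
    private static final Map<String, String> USERS = Map.of("rahulk", "rahulk");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: is there an Authorization request header, and is it Basic?
        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            challenge(resp);
            return;
        }
        // Step 2: the text after "Basic " is the base64-encoded "user:password".
        String encoded = header.substring(6).trim();

        // Step 3: reverse the base64 encoding. Malformed input is treated as
        // a failed login rather than allowed to throw out of the servlet.
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            challenge(resp);
            return;
        }
        // Only the first colon separates user and password; passwords may contain colons.
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            challenge(resp);
            return;
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);

        // Step 4: check the user name and password.
        if (!credentialsValid(user, password)) {
            challenge(resp);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Welcome, " + user);
    }

    // Constant-time comparison so that rejection time does not depend on how
    // much of the password was correct.
    static boolean credentialsValid(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    // Step 5: the "proper response" when authentication fails is 401 with a
    // WWW-Authenticate challenge; that is what makes the browser show its dialog.
    private static void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Because base64 is an encoding and not encryption, the decode in step 3 is all an observer on the network needs to recover the password; this is why the earlier slide insists on SSL for every connection that carries these credentials. The constant-time comparison and the explicit handling of a malformed header are the two details that distinguish this from a naive implementation of the five steps.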
Slide 18 of 19
Summary
– Security Concepts
– Security Mechanism
– Pillar of Security
  • Http Basic Authentication
  • Http Digest Authentication
  • HTTPS Client Authentication
  • Form-based Authentication
– Authentication – web.xml
– Users – tomcat-users.xml
Slide 19 of 19
Summary
– Declarative Security
  • Advantages
  • Limitation
  • Implementing Declarative Security
– Programmatic Security
  • Advantages
  • Limitation
  • Implementing Programmatic Security