Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles.

Published byRoss Dickerson Modified over 7 years ago

Similar presentations

Presentation on theme: "CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles."— Presentation transcript:

1 CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles

2 Need for Security in Web Applications Potentially large number of users Multiple user types No operating system to rely on

3 Web Application Security request who are you? username/password you’re not authorized to access Authentication Connection Security Authorization (Access Control) ClientServer

4 HTTP Secure (HTTPS) HTTP over SSL/TLS Configure SSL in Tomcat - http://tomcat.apache.org/tomcat-7.0- doc/ssl-howto.html http://tomcat.apache.org/tomcat-7.0- doc/ssl-howto.html

5 SSL and TLS Secure Socket Layer (SSL) Server authentication Client authentication Connection encryption Transport Layer Security (TLS) TLS 1.0 is based on SSL 3.0 IETF standard (RFC 2246)

6 Programmatic Security Security is implemented in the application code Example: Login.jsp Members.jsp Pros?? Cons??

7 Security by Java EE Application Server HTTP Basic HTTP Digest HTTPS Client Form-based

8 HTTP Basic HTTP 1.0, Section 11.1- http://www.w3.org/Protocols/HTTP/1.0/draft- ietf-http-spec.html http://www.w3.org/Protocols/HTTP/1.0/draft- ietf-http-spec.html request for a restricted page prompt for username/password resend request + username & password ClientServer

9 HTTP Basic – Configuration AuthType Basic AuthName "Basic Authentication Example" AuthUserFile /home/cysun/etc/htpasswords Require user cs520

10 HTTP Basic – Request GET /restricted/index.html HTTP/1.0 Host: sun.calstatela.edu Accept: */*

11 HTTP Basic – Server Response HTTP/1.1 401 Authorization Required Date: Tue, 24 Oct 2006 14:57:50 GMT Server: Apache/2.2.2 (Fedora) WWW-Authenticate: Basic realm="Restricted Access Area" Content-Length: 484 Content-Type: text/html; charset=iso-8859-1 401 Authorization Required …

12 HTTP Basic – Request Again GET /restricted/index.html HTTP/1.0 Host: sun.calstatela.edu Accept: */* Authorization: Basic Y3lzdW46YWJjZAo= Base64 Encoding of “cysun:abcd” An online Base64 decoder is at http://www.base64decode.org/http://www.base64decode.org/

13 Improve HTTP Basic (I) HTTP Basic Username and password are sent in plain text. Encrypt username and password.

14 Cryptographic Hash Function… String of arbitrary length  n bits digest Properties 1. Given a hash value, it’s virtually impossible to find a message that hashes to this value 2. Given a message, it’s virtually impossible to find another message that hashes to the same value 3. It’s virtually impossible to find two messages that hash to the same value A.K.A. One-way hashing, message digest, digital fingerprint

15 …Cryptographic Hash Function Common usage Store passwords, software checksum … Popular algorithms MD5 (broken, partially) SHA-1 (broken, sort of) SHA-256 and SHA-512 (recommended)

16 Storing Passwords Why encrypting stored password?? How to check against encrypted passwords?? Common attacks on encrypted passwords Brute force and some variations Dictionary Common defenses Long and random passwords Make cryptographic hash functions slower Salt - https://en.wikipedia.org/wiki/Salt_%28cryptography%29 https://en.wikipedia.org/wiki/Salt_%28cryptography%29

17 Encrypting Password is Not Enough Why?? HTTP Basic Username and password are sent in plain text. Encrypt username and password.

18 Improve HTTP Basic (II) HTTP Basic Username and password are sent in plain text. Encrypt username and password. HTTP Digest Additional measures to prevent common attacks.

19 HTTP Digest RFC 2617 (Part of HTTP 1.1) - http://www.ietf.org/rfc/rfc2617.txt http://www.ietf.org/rfc/rfc2617.txt request for a restricted page prompt for username/password + nonce resend request + message digest

20 HTTP Digest – Server Response HTTP/1.1 401 Authorization Required Date: Tue, 24 Oct 2006 14:57:50 GMT Server: Apache/2.2.2 (Fedora) WWW-Authenticate: Digest realm="Restricted Access Area“, qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=“MD5”, opaque="5ccc069c403ebaf9f0171e9517f40e41" Content-Length: 484 Content-Type: text/html; charset=iso-8859-1 401 Authorization Required …

21 HTTP Digest – Request Again GET /restricted/index.html HTTP/1.0 Host: sun.calstatela.edu Accept: */* Authorization: Digest username=“cysun”, realm=“Restricted Access Area", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/restricted/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", opaque="5ccc069c403ebaf9f0171e9517f40e41”, algorithm=“MD5” response="6629fae49393a05397450978507c4ef1" Hash value of the combination of of username, password, realm, uri, nonce, cnonce, nc, qop

22 Form-based Security Unique to J2EE application servers Include authentication and authorization, but not connection security

23 Form-base Security using Tomcat $TOMCAT/conf/tomcat-users.xml Users and roles $APPLICATION/WEB-INF/web.xml Authentication type ( FORM ) Login and login failure page URLs to be protected

24 Example – Users and Roles <user username=“admin" password=“1234“ roles=“admin,member"/> <user username=“cysun" password=“abcd“ roles=“member"/>

25 Example – Directory Layout index.html login.html logout.jsp /admin /member index.html /WEB-INFweb.xml error.html

26 Example – Login Page

27 Example – web.xml … FORM /login.html /error.html

28 … Example – web.xml AdminArea /admin/* admin

29 Declarative Security Security constraints are defined outside application code in some metadata file(s) Advantages Application server provides the security implementation Separate security code from normal code Easy to use and maintain

30 Limitations of Declarative Security by App Servers Application server dependent Not flexible enough Servlet Specification only requires URL access control

Download ppt "CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles."

Similar presentations

SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.

Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Securing web applications using Java EE Dr Jim Briggs 1.

Securing web applications using Java EE Dr Jim Briggs 1.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
User and Security Management. Security Management in Web Applications.

User and Security Management. Security Management in Web Applications.
Cornell CS502 Web Basics and Protocols CS 502 – 20020129 Carl Lagoze Acks to McCracken Syracuse Univ.

Cornell CS502 Web Basics and Protocols CS 502 – Carl Lagoze Acks to McCracken Syracuse Univ.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Web Site Security Representation and Management of Data on the Web.

Web Site Security Representation and Management of Data on the Web.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Similar presentations

Ads by Google