Presentation is loading. Please wait.

Presentation is loading. Please wait.

WEB2P security Java web application security Dr Jim Briggs.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "WEB2P security Java web application security Dr Jim Briggs."— Presentation transcript:

1 WEB2P security Java web application security Dr Jim Briggs

2 WEB2P security What is security? Usually ensuring that only authorised users can access specific parts of a website Security has two basic concepts: –authentication: who is it? –authorisation: what can they do?

3 WEB2P security Categories of security mechanism Container-managed (e.g. Tomcat) –Specified as part of the Java Servlet Specification –However, the implementation is container specific (and therefore not necessarily portable between containers) Application-managed –Independent of the container –However, you have to write the code yourself (or use some other mechanism)

4 WEB2P security HTTP authentication HTTP provides for authentication - see RFC 2617 Operates on a challenge/response paradigm: –Server receives a request for an access-protected object –Server responds with a "401 Unauthorized" status code –Client must then resend the request with an Authorization header –Most browsers will prompt the user for a username and password Most browsers cache this for the duration of the browser session Some will allow the user to save it between sessions Distinction between Basic Authentication and Digest Authentication: –Basic passes usernames and passwords in clear text (actually in Base64 format, but this is easily translatable) –Digest scrambles the password by sending a checksum (by default, MD5) of the username, the password, a given nonce value, the HTTP method, and the requested URI. The nonce value is sent by the server with the 401 response. Realm is the zone of security –Effectively the store against which credentials are checked

5 WEB2P security Mechanisms for securing Java web applications Fundamentals Container-managed techniques Application-managed techniques Mix and match

6 WEB2P security Fundamentals HTTP authentication Secure Sockets Layer (SSL) HTTP over SSL (HTTPS) –See how to set this up in Apache –See how to set this up in Tomcat –Unlikely to need latter if using Tomcat as auxiliary server (especially via AJP)

7 WEB2P security Container-managed security Security constraints in web.xml file –Authentication –Authorization –Secure transport

8 WEB2P security Authentication BASIC FORM /login.jsp /fail_login.html

9 WEB2P security Authorization Admin /admin/* private

10 WEB2P security Secure transport... CONFIDENTIAL

11 WEB2P security Authentication methods Basic - uses HTTP Basic Authentication Digest - uses HTTP Digest Authentication Form - presents a login form to the user Client certificate - requires digital certificate from client

12 WEB2P security Tomcat realms MemoryRealm –a file (tomcat-users.xml) in the TOMCAT/conf directory JDBCRealm –specify tables and columns of a database that contain usernames, passwords and roles DataSourceRealm –similar, but using a JNDI-named DataSource rather than a specific JDBC driver JNDIRealm –looks up users in an LDAP directory server accessed by a JNDI provider JAASRealm –authenticates users through the Java Authentication & Authorization Service (JAAS) framework

13 WEB2P security Application-managed security 1 Request properties: –request.getRemoteUser() –request.getUserPrincipal() –request.isUserInRole(role) Use session attributes to store the user's identity Use cookies to store username and password (can be persistent between browser sessions)

14 WEB2P security Application-managed security 2 Use a security filter Use a base servlet Use a custom JSP tag –forward request to a login page if the user is not logged in or does not have authorisation) Struts facilities: –Use Struts roles (each action has a roles attribute) –Customise the Struts RequestProcessor specifically the method processPreprocess –Use a Struts Base Action

15 WEB2P security Mix and match Many of the techniques can be used in combination SecurityFilter (from Sourceforge.net) is an application-managed mechanism that mimics container-managed security

Download ppt "WEB2P security Java web application security Dr Jim Briggs."

Similar presentations

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.

Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
Understanding WebLogic Security

Understanding WebLogic Security
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.

Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Authentication and Security Joshua Scotton.  Sessions  Login and Authentication.

Authentication and Security Joshua Scotton.  Sessions  Login and Authentication.
Securing web applications using Java EE Dr Jim Briggs 1.

Securing web applications using Java EE Dr Jim Briggs 1.
Holding slide prior to starting show. Supporting Collaborative Working of Construction Industry Consortia via the Grid - P. Burnap, L. Joita, J.S. Pahwa,

Holding slide prior to starting show. Supporting Collaborative Working of Construction Industry Consortia via the Grid - P. Burnap, L. Joita, J.S. Pahwa,
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
WEB1P servintro1 Introduction to servlets and JSP Dr Jim Briggs.

WEB1P servintro1 Introduction to servlets and JSP Dr Jim Briggs.
User and Security Management. Security Management in Web Applications.

User and Security Management. Security Management in Web Applications.
Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database.

Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web Site Security Representation and Management of Data on the Web.

Web Site Security Representation and Management of Data on the Web.
Web programming for project students Dr Jim Briggs.

Web programming for project students Dr Jim Briggs.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
SE-2840 Dr. Mark L. Hornick1 Java Servlet-based web apps Servlet Architecture.

SE-2840 Dr. Mark L. Hornick1 Java Servlet-based web apps Servlet Architecture.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Similar presentations

Ads by Google