Java web application security - PowerPoint PPT Presentation

1
Java web application security
  • Dr Jim Briggs

2
What is security?
  • Usually ensuring that only authorised users can
    access specific parts of a website
  • Security has two basic concepts
  • authentication who is it?
  • authorisation what can they do?

3
Categories of security mechanism
  • Container-managed (e.g. Tomcat)
  • The declarative part (security constraints and
    the login configuration in web.xml) is specified
    by the Java Servlet Specification
  • However, the user store (the "realm") and its
    configuration are container specific (and
    therefore not necessarily portable between
    containers)
  • Application-managed
  • Independent of the container
  • However, you have to write the code yourself (or
    use some other mechanism, e.g. a library or
    framework)

4
HTTP authentication
  • HTTP provides for authentication - see RFC 2617
    (since superseded by RFC 7617 for Basic and RFC
    7616 for Digest, which keep the same mechanism)
  • Operates on a challenge/response paradigm
  • Server receives a request for an access-protected
    object
  • Server responds with a "401 Unauthorized" status
    code and a WWW-Authenticate header naming the
    scheme and the realm
  • Client must then resend the request with an
    Authorization header
  • Most browsers will prompt the user for a username
    and password
  • Most browsers cache this for the duration of the
    browser session and resend it with every later
    request to that realm (there is no log-out other
    than closing the browser)
  • Some will allow the user to save it between
    sessions
  • Distinction between Basic Authentication and
    Digest Authentication
  • Basic passes usernames and passwords in clear
    text (actually in Base64 format, but this is
    trivially decodable), so it is only acceptable
    over HTTPS
  • Digest never sends the password itself: the
    client sends a checksum (by default MD5) computed
    from the username, realm, password, a
    server-supplied nonce value, the HTTP method and
    the requested URI. The nonce value is sent by the
    server with the 401 response and limits replay.
  • Digest is still weak by modern standards: MD5 is
    fast, so a captured header can be attacked by
    offline password guessing, and the server must
    hold MD5(username:realm:password) rather than a
    properly salted hash. Use HTTPS whichever scheme
    is chosen.
  • Realm is the zone of security
  • The realm string in the challenge tells the
    browser which credentials to send; in Tomcat the
    Realm is also the store against which credentials
    are checked
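As an added example (this is not code from Dr Briggs's slides), the following Java program builds both kinds of Authorization header from constructed sample credentials, a hypothetical realm "Admin" and constructed nonce/cnonce values, shows that the Basic header decodes straight back to the password, and then shows the offline guessing attack that a captured Digest header allows:

```java
// Added example: RFC 2617 Basic and Digest (qop=auth) computed by hand.
// All credentials, the realm, the nonce and the cnonce are constructed sample values.
// Run with: java HttpAuthDemo.java   (Java 11 or later)
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class HttpAuthDemo {

    /** Basic: "user:pass" Base64-encoded. Reversible, so effectively clear text. */
    static String basicHeader(String user, String pass) {
        String raw = user + ":" + pass;
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** What any observer of the wire can do with a Basic header. */
    static String[] decodeBasic(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8).split(":", 2);
    }

    /** Lower-case hex MD5, the H() function of RFC 2617. */
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /**
     * Digest with qop=auth: response = H(HA1:nonce:nc:cnonce:qop:HA2), where
     * HA1 = H(user:realm:pass) and HA2 = H(method:uri). The server recomputes the
     * same value from its stored HA1 and compares; the password itself never travels.
     */
    static String digestResponse(String user, String realm, String pass, String method,
                                 String uri, String nonce, String nc, String cnonce) throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + pass);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        String user = "alice", pass = "s3cret", realm = "Admin";
        // Constructed: the nonce the server sent in its 401, the client's cnonce and counter.
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", cnonce = "0a4f113b", nc = "00000001";

        String basic = basicHeader(user, pass);
        String[] recovered = decodeBasic(basic);
        System.out.println("Authorization: " + basic);
        System.out.println("  recovered from header -> " + recovered[0] + " / " + recovered[1]);

        String resp = digestResponse(user, realm, pass, "GET", "/admin/", nonce, nc, cnonce);
        System.out.println("Authorization: Digest username=\"" + user + "\", realm=\"" + realm
            + "\", nonce=\"" + nonce + "\", uri=\"/admin/\", qop=auth, nc=" + nc
            + ", cnonce=\"" + cnonce + "\", response=\"" + resp + "\"");

        // Digest hides the password from the wire but not from guessing: with the
        // header captured, each candidate password is one MD5 chain away from confirmation.
        for (String guess : new String[]{"password", "letmein", "s3cret"}) {
            boolean hit = digestResponse(user, realm, guess, "GET", "/admin/", nonce, nc, cnonce).equals(resp);
            System.out.println("  offline guess '" + guess + "': " + (hit ? "matches" : "no"));
        }
    }
}
```

The HA1 term is also why Tomcat's DIGEST authentication needs its realm to store passwords either in clear or as exactly MD5(username:realm:password): any other hash format cannot be used to verify a Digest response.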

5
Mechanisms for securing Java web applications
  • Fundamentals
  • Container-managed techniques
  • Application-managed techniques
  • Mix and match

6
Fundamentals
  • HTTP authentication
  • Secure Sockets Layer (SSL), today Transport Layer
    Security (TLS)
  • HTTP over SSL/TLS (HTTPS)
  • See how to set this up in Apache
  • See how to set this up in Tomcat
  • Unlikely to need the latter if using Tomcat as an
    auxiliary server behind Apache (especially via
    AJP), since Apache then terminates TLS. The AJP
    connector must then listen only on a trusted
    interface (e.g. localhost), because AJP carries
    no protection of its own beyond the optional
    shared secret.

7
Container-managed security
  • Security constraints in web.xml file
  • Authentication
  • Authorization
  • Secure transport

8
Authentication
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/fail_login.html</form-error-page>
        </form-login-config>
    </login-config>

9
Authorization
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>private</role-name>
        </auth-constraint>
    </security-constraint>
  • The pattern must end in /* to cover everything
    under the directory; a plain /admin/ is an exact
    match and leaves /admin/anything unprotected
  • Omitting http-method elements (as above) covers
    every HTTP method; listing only GET and POST
    leaves HEAD, PUT etc. unconstrained

10
Secure transport
    <security-constraint>
        ...
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
  • CONFIDENTIAL makes the container refuse plain
    HTTP for the matched resources: Tomcat redirects
    such requests to the HTTPS port named by the
    connector's redirectPort attribute, so an HTTPS
    connector must exist

11
Authentication methods (the auth-method values)
  • BASIC - uses HTTP Basic Authentication
  • DIGEST - uses HTTP Digest Authentication
  • FORM - presents a login form to the user; the
    form must POST fields named j_username and
    j_password to the action j_security_check
    <form method="POST" action="j_security_check">
        <input type="text" name="j_username">
        <input type="password" name="j_password">
        <input type="submit" value="Log in">
    </form>
  • The container serves the form only after
    intercepting a request for a protected resource;
    posting directly to j_security_check with no such
    saved request is rejected by Tomcat
  • CLIENT-CERT - requires a digital certificate from
    the client (mutual TLS)

12
Tomcat realms
  • MemoryRealm
  • a file (tomcat-users.xml) in the TOMCAT/conf
    directory; the UserDatabaseRealm configured in the
    default server.xml reads the same file
  • JDBCRealm
  • specify tables and columns of a database that
    contain usernames, passwords and roles
  • DataSourceRealm
  • similar, but using a JNDI-named DataSource rather
    than a specific JDBC driver
  • JNDIRealm
  • looks up users in an LDAP directory server
    accessed by a JNDI provider
  • JAASRealm
  • authenticates users through the Java
    Authentication and Authorization Service (JAAS)
    framework
  • Whatever the store, do not keep passwords in
    clear: Tomcat 8 and later let a realm be given a
    CredentialHandler so stored passwords are salted,
    iterated hashes

13
Application-managed security 1
  • Request properties (populated by the container
    when container-managed security is in use)
  • request.getRemoteUser()
  • request.getUserPrincipal()
  • request.isUserInRole(role)
  • Use session attributes to store the user's
    identity (set only after the password has been
    verified, and change the session ID at that point
    to prevent session fixation)
  • Use cookies to keep the user logged in between
    browser sessions. The cookie must hold a random
    token that the server maps to the user, never the
    username and password themselves, and should be
    marked Secure and HttpOnly

14
Application-managed security 2
  • Use a security filter
  • Use a base servlet
  • Use a custom JSP tag
  • in each case, forward the request to a login page
    if the user is not logged in (or refuse it if the
    user lacks authorisation)
  • Struts facilities (these refer to Struts 1, which
    is no longer maintained)
  • Use Struts roles (each action has a roles
    attribute)
  • Customise the Struts RequestProcessor
  • specifically the method processPreprocess
  • Use a Struts Base Action

15
Mix and match
  • Many of the techniques can be used in combination
    (e.g. container-managed authentication with
    finer-grained, application-managed authorisation)
  • SecurityFilter (from sourceforge.net) is an
    application-managed mechanism that mimics
    container-managed security, so code written
    against the request properties works unchanged