CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles.

Slides:



Advertisements
Similar presentations
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Advertisements

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Securing web applications using Java EE Dr Jim Briggs 1.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
WEB2P security Java web application security Dr Jim Briggs.
User and Security Management. Security Management in Web Applications.
Cornell CS502 Web Basics and Protocols CS 502 – Carl Lagoze Acks to McCracken Syracuse Univ.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Web Site Security Representation and Management of Data on the Web.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
CSCI 6962: Server-side Design and Programming
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Session 11: Security with ASP.NET
Human-Computer Interface Course 5. ISPs and Internet connection.
Class 8Intro to Databases Authentication and Security Note: What we discuss in class today covers moderate to low security. Before you involve yourself.
Application Layer 2 Figures from Kurose and Ross
Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.
Browser Web Server Users DB 2a. Redirect to login page plugin 1. access a protected page Login Web Server (https) aislogin.cern.ch edh.cern.ch 3a. Set.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
SE-2840 Dr. Mark L. Hornick1 Web Application Security.
SE-2840 Dr. Mark L. Hornick1 Web Application Security.
Web Server Design Week 11 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/24/10.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Alec Brusilovsky, Zhibi Wang Alcatel-Lucent, July 24, 2007.
PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.
All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Zhibi Wang January, 2007.
Pertemuan #10 Secure HTTP (HTTPS) Kuliah Pengaman Jaringan.
Web Server Design Assignment #4: Authentication Due: 04/14/2010 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein.
Access control 2/18/2009. TOMCAT Security Model Declarative Security:  the expression of application security external to the application, and it allows.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Java Web Server Presented by- Sapna Bansode-03 Nutan Mote-15 Poonam Mote-16.
Slide 1 Web Application Security ©SoftMoore Consulting.
SlideSet #18: HTTP Authentication
15 Copyright © 2004, Oracle. All rights reserved. Adding JAAS Security to the Client.
COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.
Web Server Design Week 12 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/31/10.
Securing Web Applications Lesson 4B / Slide 1 of 34 J2EE Web Components Pre-assessment Questions 1. Identify the correct return type returned by the doStartTag()
Web Server Design Week 10 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/17/10.
Security Management in Web Applications. We all know this page...
Authentication & Authorisation Is the user allowed to access the site?
CS5220 Advanced Topics in Web Programming Declarative Security
Authentication & .htaccess
CS5220 Advanced Topics in Web Programming Declarative Security
CS520 Web Programming Declarative Security
Jim Fawcett CSE686 – Internet Programming Summer 2005
Web Server Design Week 11 Old Dominion University
Security in Web Applications
Web Systems Development (CSC-215)
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
CS320 Web and Internet Programming Cookies and Session Tracking
Web Server Design Week 13 Old Dominion University
Web Server Design Week 10 Old Dominion University
Web Server Design Week 13 Old Dominion University
Web Server Design Week 13 Old Dominion University
Web Server Design Week 11 Old Dominion University
CS5220 Advanced Topics in Web Programming Secure REST API
Web Server Design Week 11 Old Dominion University
Web Server Design Week 12 Old Dominion University
Electronic Payment Security Technologies
Web Server Design Week 12 Old Dominion University
Presentation transcript:

CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles

Need for Security in Web Applications Potentially large number of users Multiple user types No operating system to rely on

Web Application Security request who are you? username/password you’re not authorized to access Authentication Connection Security Authorization (Access Control) ClientServer

HTTP Secure (HTTPS) HTTP over SSL/TLS Configure SSL in Tomcat - doc/ssl-howto.html doc/ssl-howto.html

SSL and TLS Secure Socket Layer (SSL) Server authentication Client authentication Connection encryption Transport Layer Security (TLS) TLS 1.0 is based on SSL 3.0 IETF standard (RFC 2246)

Programmatic Security Security is implemented in the application code Example: Login.jsp Members.jsp Pros?? Cons??

Security by Java EE Application Server HTTP Basic HTTP Digest HTTPS Client Form-based

HTTP Basic HTTP 1.0, Section ietf-http-spec.html ietf-http-spec.html request for a restricted page prompt for username/password resend request + username & password ClientServer

HTTP Basic – Configuration AuthType Basic AuthName "Basic Authentication Example" AuthUserFile /home/cysun/etc/htpasswords Require user cs520

HTTP Basic – Request GET /restricted/index.html HTTP/1.0 Host: sun.calstatela.edu Accept: */*

HTTP Basic – Server Response HTTP/ Authorization Required Date: Tue, 24 Oct :57:50 GMT Server: Apache/2.2.2 (Fedora) WWW-Authenticate: Basic realm="Restricted Access Area" Content-Length: 484 Content-Type: text/html; charset=iso Authorization Required …

HTTP Basic – Request Again GET /restricted/index.html HTTP/1.0 Host: sun.calstatela.edu Accept: */* Authorization: Basic Y3lzdW46YWJjZAo= Base64 Encoding of “cysun:abcd” An online Base64 decoder is at

Improve HTTP Basic (I) HTTP Basic Username and password are sent in plain text. Encrypt username and password.

Cryptographic Hash Function… String of arbitrary length  n bits digest Properties 1. Given a hash value, it’s virtually impossible to find a message that hashes to this value 2. Given a message, it’s virtually impossible to find another message that hashes to the same value 3. It’s virtually impossible to find two messages that hash to the same value A.K.A. One-way hashing, message digest, digital fingerprint

…Cryptographic Hash Function Common usage Store passwords, software checksum … Popular algorithms MD5 (broken, partially) SHA-1 (broken, sort of) SHA-256 and SHA-512 (recommended)

Storing Passwords Why encrypting stored password?? How to check against encrypted passwords?? Common attacks on encrypted passwords Brute force and some variations Dictionary Common defenses Long and random passwords Make cryptographic hash functions slower Salt -

Encrypting Password is Not Enough Why?? HTTP Basic Username and password are sent in plain text. Encrypt username and password.

Improve HTTP Basic (II) HTTP Basic Username and password are sent in plain text. Encrypt username and password. HTTP Digest Additional measures to prevent common attacks.

HTTP Digest RFC 2617 (Part of HTTP 1.1) request for a restricted page prompt for username/password + nonce resend request + message digest

HTTP Digest – Server Response HTTP/ Authorization Required Date: Tue, 24 Oct :57:50 GMT Server: Apache/2.2.2 (Fedora) WWW-Authenticate: Digest realm="Restricted Access Area“, qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=“MD5”, opaque="5ccc069c403ebaf9f0171e9517f40e41" Content-Length: 484 Content-Type: text/html; charset=iso Authorization Required …

HTTP Digest – Request Again GET /restricted/index.html HTTP/1.0 Host: sun.calstatela.edu Accept: */* Authorization: Digest username=“cysun”, realm=“Restricted Access Area", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/restricted/index.html", qop=auth, nc= , cnonce="0a4f113b", opaque="5ccc069c403ebaf9f0171e9517f40e41”, algorithm=“MD5” response="6629fae49393a c4ef1" Hash value of the combination of of username, password, realm, uri, nonce, cnonce, nc, qop

Form-based Security Unique to J2EE application servers Include authentication and authorization, but not connection security

Form-base Security using Tomcat $TOMCAT/conf/tomcat-users.xml Users and roles $APPLICATION/WEB-INF/web.xml Authentication type ( FORM ) Login and login failure page URLs to be protected

Example – Users and Roles <user username=“admin" password=“1234“ roles=“admin,member"/> <user username=“cysun" password=“abcd“ roles=“member"/>

Example – Directory Layout index.html login.html logout.jsp /admin /member index.html /WEB-INFweb.xml error.html

Example – Login Page

Example – web.xml … FORM /login.html /error.html

… Example – web.xml AdminArea /admin/* admin

Declarative Security Security constraints are defined outside application code in some metadata file(s) Advantages Application server provides the security implementation Separate security code from normal code Easy to use and maintain

Limitations of Declarative Security by App Servers Application server dependent Not flexible enough Servlet Specification only requires URL access control

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.