Authentication and Security
Joshua Scotton

• Sessions
• Login and Authentication

Tracking the User

• Cookies
  ◦ Store a unique identifier in a cookie for the website
• URL Rewriting
  ◦ Append a unique identifier to the end of each URL
• Hidden Form Fields

• Customization
  ◦ Adaptive Content
  ◦ Adaptable Content
• Security
  ◦ Restrict areas of the site based on user
  ◦ User login tracked using session
• User Behaviour
  ◦ Track page accesses
• User Information
  ◦ Store user settings and information

• getAttribute(), getAttributeNames(), setAttribute(), removeAttribute()
  ◦ These methods are used to set, get and remove objects from a user session
• getId()
  ◦ Every session created by the server has a unique 'id' associated with it in order to distinguish this session from other sessions.
• getCreationTime()
  ◦ Simply returns a long value indicating the date and time this session was created.
• getLastAccessedTime()
  ◦ Returns a long value indicating the last time the user accessed any resource on this server.
• getMaxInactiveInterval(), setMaxInactiveInterval()
  ◦ Return and set the maximum inactive interval in seconds for this session, respectively.
• isNew()
  ◦ Returns a boolean value indicating whether the session is new.
• invalidate()
  ◦ Simply invalidates a session. Can be used for logout.

• Most Java servers will use cookies if the browser supports them, but automatically revert to URL-rewriting when cookies are unsupported or explicitly disabled.

• Sessions can be accessed and managed by both Servlets and JSPs.
• This can happen in combination, as in the following demo.

import java.io.Serializable;

// Session-scoped bean holding the visit counter; Serializable so the
// container can persist or replicate the session it is stored in.
public class CounterBean implements Serializable {
    private Integer count;

    public CounterBean() {
        super();
        this.count = 0;
    }

    public Integer getCount() {
        return this.count;
    }

    public void setCount(Integer count) {
        this.count = count;
    }

    public void incrementCount() {
        this.count++;
    }
}

JSP page of the demo (its markup is lost in the transcript; only the visible text survives): The counter was: ... The counter is now: ...

import java.io.PrintWriter;
import javax.servlet.http.HttpSession;

// Servlet side of the demo, reflowed. Runs inside doGet(HttpServletRequest request,
// HttpServletResponse response). The counter attribute is checked directly rather
// than via session.isNew(): an existing session (e.g. one created by the JSP)
// is not "new" but may still hold no counter, which would give a NullPointerException.
PrintWriter out = response.getWriter();
HttpSession session = request.getSession(true);
CounterBean counter = (CounterBean) session.getAttribute("counter");
if (counter == null) {
    counter = new CounterBean();
    session.setAttribute("counter", counter);
}
counter.incrementCount();
out.println("Counter now: " + counter.getCount());
out.close();

Allowing Persistent Storage

1. A user accesses a protected page.
2. If the user is authenticated and has permission to access the page, then the resource is made available. Otherwise a login page is shown.
3. If the name and password cannot be authenticated, then an error is shown.

• User/Group Database
• Access Control List (ACL)
• Login Page

• A Principal is a named entity, commonly representing an individual or corporation.
• Principals can fill one or more Roles.
• Resources can be protected by associating them with Roles.
• Principals and Roles are similar to Users and Groups in Linux.

web.xml security constraint (the XML markup is lost in the transcript, only the values survive): resource name "Protected Page", URL pattern /secretPage.jsp, required role "employee", declared security role "employee".

• /members/*
• More than one url-pattern in the web-resource-collection

• Principal getUserPrincipal()
  ◦ Returns a reference to a java.security.Principal
• boolean isUserInRole(String)
  ◦ Determines whether a user is in a role, specified by the string argument
• String getRemoteUser()
  ◦ Returns the username that was used for login

• String getAuthType()
  ◦ Returns the authentication type: BASIC, SSL, or null
• boolean isSecure()
  ◦ Returns true if the connection is HTTPS
• String getScheme()
  ◦ Scheme represents the transport mechanism: http, https, ...

• Basic authentication
• Form-based authentication
• Digest authentication
• SSL and client certificate authentication

web.xml login configuration (the XML markup is lost in the transcript, only the values survive): authentication method BASIC, realm name "Basic Authentication Example".

• A realm is a database of usernames and passwords
• It also contains a list of roles associated with each user
• Realms are specific to the server being used

• JDBCRealm - Accesses authentication information stored in a relational database, accessed via a JDBC driver.
• DataSourceRealm - Accesses authentication information stored in a relational database, accessed via a named JNDI JDBC DataSource.
• JNDIRealm - Accesses authentication information stored in an LDAP-based directory server, accessed via a JNDI provider.
• UserDatabaseRealm - Accesses authentication information stored in a UserDatabase JNDI resource, which is typically backed by an XML document (conf/tomcat-users.xml).
• MemoryRealm - Accesses authentication information stored in an in-memory object collection, which is initialized from an XML document (conf/tomcat-users.xml).
• JAASRealm - Accesses authentication information through the Java Authentication & Authorization Service (JAAS) framework.

• Server-wide - conf/server.xml
• Per web app - META-INF/context.xml

• $TOMCAT_HOME/conf/tomcat-users.xml (the original slide used typographic quotes, which are not valid XML; straight quotes restored)
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>

• members.jsp
• web.xml
• context.xml

Logout page text (the username expression is lost in the transcript): User ' ' has been logged out.

1. The login form associated with the security constraint is sent to the client, and the URL path triggering the authentication is stored by the container.
2. The user is asked to fill out the form, including the username and password fields.
3. The client posts the form back to the server.
4. The container attempts to authenticate the user using the information from the form.
5. If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to [value missing from the transcript].
6. If authentication succeeds, the authenticated user's principal is checked to see if it is in an authorized role for accessing the resource.
7. If the user is authorized, the client is redirected to the resource using the stored URL path.

• Create a custom login page with the following form fields:
  ◦ j_username - the name of the username field
  ◦ j_password - the name of the password field
  ◦ j_security_check - the login form's action

web.xml login configuration (the XML markup is lost in the transcript, only the values survive): authentication method FORM, login page /login.jsp, error page /error.jsp.
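The pieces above (security constraint, FORM login configuration, security role and the j_* form fields) assembled into one deployment descriptor, as an added example that is not from the slides. /secretPage.jsp, /members/*, /login.jsp, /error.jsp and the "employee" role are the slides' values; the Servlet 3.1 schema, the HTTPS requirement and the session-cookie settings are assumptions added here.

```xml
<!-- web.xml (added example, not from the slides); the resource name, the
     transport guarantee and the session-config block are assumed values -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- Steps 1-2 of the flow: which URLs are protected, and by which role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Pages</web-resource-name>
      <url-pattern>/secretPage.jsp</url-pattern>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
    <!-- Force HTTPS so the posted j_password never travels in clear text -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- FORM login: the container serves /login.jsp and handles j_security_check.
       Neither page may itself fall under the constraint above. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Every role named in an auth-constraint must be declared -->
  <security-role>
    <role-name>employee</role-name>
  </security-role>
  <!-- Session cookie hardening (Servlet 3.0+): idle timeout in minutes, cookie
       unreadable from script and sent over HTTPS only, and no URL rewriting,
       which would otherwise leak the session id into logs and Referer headers -->
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>

<!-- login.jsp form (added example): the three names are fixed by the servlet spec -->
<form method="post" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Log in"/>
</form>
```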

• Use a JDBC Database Realm
• Create a table of usernames and passwords
• Create a table of usernames and roles
• The column name for the username must be the same in both tables

• connectionName
• connectionPassword
• connectionURL
• driverName
• roleNameCol
• userCredCol
• userNameCol
• userRoleTable
• userTable
• See doc/JDBCRealm-howto.html
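A per-webapp META-INF/context.xml that wires the attributes listed above to the two tables the slides call for, as an added example that is not from the slides. The table and column names, the PostgreSQL driver and URL, the database account and the Tomcat 8+ CredentialHandler are all assumptions made here.

```xml
<!-- META-INF/context.xml (added example, not from the slides).
     Assumed tables, sharing the username column name as the slides require:
       users(user_name, user_pass)
       user_roles(user_name, role_name)
     Driver, URL and credentials are placeholders. -->
<Context>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.postgresql.Driver"
         connectionURL="jdbc:postgresql://localhost:5432/webapp"
         connectionName="tomcat_auth"
         connectionPassword="CHANGE-ME"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name">
    <!-- Without a CredentialHandler the realm compares user_pass as plain text,
         so the table would have to hold cleartext passwords. With this handler
         (Tomcat 8+) the column holds a salted, iterated SHA-256 digest, and the
         realm hashes the submitted password the same way before comparing. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"
                       saltLength="16"
                       iterations="10000"/>
  </Realm>
</Context>
```

The database account named in connectionName only needs SELECT on the two tables; keeping the file out of version control (or using DataSourceRealm with a container-managed DataSource) avoids committing connectionPassword.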