Web Application Security Representation and Management of Data on the Web.

Presentation transcript:

Web Application Security Representation and Management of Data on the Web

Problem

We want to restrict access to certain web pages. To do so we must answer the following questions:
- Which pages should be restricted?
- Who should be allowed to access the restricted pages?
- How should users be authenticated?

Other issues (not discussed here): encrypting data while it is transported.

Declarative Security

Use web-server-specific mechanisms to solve the problems above.
- Advantage: JSPs and scriptlets do not have to do anything special.
- Disadvantage: the process is server specific.
- Disadvantage: all-or-nothing security, i.e., a user can either see a page or not see it. Page content cannot depend on who the user is.

Programmatic Security

Write code that authenticates users and restricts what they may do.
- Advantage: not server specific.
- Advantage: very flexible.
- Disadvantage: a lot of work to program, and every servlet and JSP has to cooperate for it to work.

Declarative Security: BASIC

1. Set up usernames, passwords, and roles.
2. Tell the server that you are using BASIC authentication, and designate the realm name.
3. Specify which URLs should be password protected.
4. Turn off the invoker servlet.

1. Defining Usernames, Passwords, and Roles

Define users, passwords and roles in the file tomcat_home/conf/tomcat-users.xml:

```xml
<tomcat-users>
  <!-- each user gets a password and a comma-separated list of roles -->
  <user name="snoopy" password="ypoons" roles="special" />
  <user name="charlieb" password="beilrahc" roles="special,admin" />
</tomcat-users>
```

2. Tell the Server to Use BASIC Security

Add to the web.xml file in tomcat_home/webapps/appname/WEB-INF:

```xml
<login-config>
  <auth-method>BASIC</auth-method>
  <!-- the realm name is shown in the browser's login dialog -->
  <realm-name>Some Name</realm-name>
</login-config>
```

3. Specify URLs to be Protected

Add to web.xml:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Sensitive</web-resource-name>
    <url-pattern>/sensitive/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- only users holding this role may reach the URLs above -->
    <role-name>special</role-name>
  </auth-constraint>
</security-constraint>
```

4. Disable the Invoker Servlet

The URLs you protect are the ones associated with registered servlet or JSP names. The default (invoker) servlet URLs will probably not match the protected pattern, so the security restrictions are bypassed when those default URLs are used. You can disable such URLs (details omitted).
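To make the four steps above concrete, here is an added example (not from the slides, and not the container's own implementation) of what Tomcat does behind the `<login-config>` and `<security-constraint>` entries, written as a `javax.servlet` Filter so each step is visible: the challenge carrying the realm name, the decoding of the credentials, the lookup of the user and the role check. The user table is constructed to mirror the slide's tomcat-users.xml; the class name and the way it would be mapped in web.xml are assumptions.

```java
// Added illustration (not from the slides): the steps a container performs for
// BASIC authentication, made explicit as a javax.servlet Filter. In a real
// deployment the <login-config> in web.xml makes Tomcat do this for you.
// The user names, passwords and roles are constructed to mirror the slide's
// tomcat-users.xml. Assumes the javax.servlet API (Tomcat) on the classpath.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthDemoFilter implements Filter {

    // Realm name shown in the browser's login dialog (slide step 2).
    private static final String REALM = "Some Name";

    // Constructed user table mirroring the slide's tomcat-users.xml (step 1).
    private static final Map<String, String> PASSWORDS = Map.of(
            "snoopy", "ypoons",
            "charlieb", "beilrahc");
    private static final Map<String, Set<String>> ROLES = Map.of(
            "snoopy", Set.of("special"),
            "charlieb", Set.of("special", "admin"));

    // Role required by the <auth-constraint> for the protected URLs (step 3).
    private static final String REQUIRED_ROLE = "special";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String user = authenticate(request.getHeader("Authorization"));
        if (user == null) {
            // Missing or wrong credentials: challenge the client. The browser
            // answers by showing the dialog box the slides mention, labelled REALM.
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!ROLES.get(user).contains(REQUIRED_ROLE)) {
            // Authenticated but not authorized: 403, and no new challenge.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns the user name when the header carries valid BASIC credentials, else null. */
    static String authenticate(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            // BASIC sends "user:password" merely Base64-encoded, not encrypted,
            // which is why the slides list transport encryption as a separate concern.
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        String expected = PASSWORDS.get(user);
        if (expected == null) {
            return null;
        }
        // Constant-time comparison so response timing does not reveal how many
        // leading characters of a guessed password were correct.
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return ok ? user : null;
    }
}
```

To try it, the filter would be declared with `<filter>` and `<filter-mapping>` entries for `/sensitive/*` in web.xml (an assumption about deployment, not part of the slides). The point of the example is understanding, not replacement: the declarative configuration keeps this logic out of application code, which is exactly the advantage the slides attribute to it.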

Declarative Security: FORM

Instead of a dialog box, you can create a form for validating users. You can also create your own error page.

Add to web.xml:

```xml
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/admin/login.jsp</form-login-page>
    <form-error-page>/admin/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

Create Login Page

```html
<!-- … -->
<head><title>Log In</title></head>
<body>
<h1>Sorry, you must log in before accessing this resource.</h1>
<!-- The form must post to j_security_check with fields named
     j_username and j_password; the container performs the check. -->
<form action="j_security_check" method="post">
  User name: <input type="text" name="j_username"><br>
  Password: <input type="password" name="j_password"><br>
  <input type="submit" value="Log In">
</form>
</body>
</html>
```

Create Error Page

```html
<html>
<head><title>Begone!</title></head>
<body>
<h1>Begone, ye unauthorized peon.</h1>
</body>
</html>
```

Adding Some Programmatic Security

So far, security has been all or nothing: a user can either see a page or cannot see it. To let page content depend on the authorization of the user, use the method isUserInRole of HttpServletRequest.

Example

Suppose that a page requires authorized access, and that both the employee role and the executive role may access it. Put in the page:

```jsp
<% if (request.isUserInRole("executive")) { %>
  Something regular employees should not see
<% } %>
```
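The same idea carried into a servlet, as an added example that is not part of the slides: the container has already authenticated the user declaratively, and the code then shapes the response by role, which is the "programmatic security" the earlier slide describes. The role names "employee" and "executive" are the slide's; the servlet class, its URL and the page wording are assumptions.

```java
// Added illustration (not from the slides): role-dependent content in a
// servlet, the counterpart of the JSP scriptlet on the slide. Assumes the
// javax.servlet API and that the URL is covered by a <security-constraint>
// in web.xml so the container has authenticated the user before doGet runs.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/reports")   // assumed URL
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Defence in depth: even though web.xml should already require a login,
        // render nothing for a request the container did not authenticate.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Both roles may reach the page; anyone else is refused outright.
        if (!request.isUserInRole("employee") && !request.isUserInRole("executive")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            out.println(render(request.getRemoteUser(), request.isUserInRole("executive")));
        }
    }

    /** Builds the page body; kept apart from the servlet so the role logic is easy to test. */
    static String render(String user, boolean executive) {
        StringBuilder html = new StringBuilder();
        html.append("<html><body><h1>Quarterly report</h1>");
        html.append("<p>Welcome, ").append(escape(user)).append("</p>");
        html.append("<p>Figures visible to all employees.</p>");
        if (executive) {
            // The section the slide hides from regular employees.
            html.append("<p>Something regular employees should not see</p>");
        }
        html.append("</body></html>");
        return html.toString();
    }

    // Escape text that originates from the client before placing it in HTML.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Two practical notes: the servlet specification expects every role name passed to isUserInRole to be declared with a `<security-role>` element in web.xml, and the 403 branch matters because a `<security-constraint>` only decides whether the page is reachable, not what each role may see on it.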