SE-2840 Web Application Security (Dr. Mark L. Hornick)


There are three main security concerns your web apps need to address:

- Impersonation: a client pretends to be someone else in order to gain access to your site
- Upgrading: a client gains access to restricted aspects of your web app
- Eavesdropping: a third party gains access to confidential information exchanged between your site and a valid user

All of these can be managed via the Deployment Descriptor (web.xml):

- Tomcat incorporates a declarative security model that requires no changes to your Servlets or pages
- Tomcat itself handles Authentication, Authorization, and Data Encryption

The server.xml file contains configuration specifications for Tomcat operation, including enabling HTTPS:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration; when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:/Apache/keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

Note: the Connector element is (usually) already in this file, although commented out. I rearranged the comments and added the keystoreFile attribute, which specifies the file containing the generated Certificate.
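As an added example (not part of the slides), here is a small Python audit of the Connector attributes the slide shows. The server.xml text is constructed to mirror the slide's connector, with Tomcat's usual plain-HTTP connector added; the attribute names are Tomcat's own, while the set of well-known keystore passwords is a constructed list.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the slide's HTTPS connector, plus the usual
# plain-HTTP connector that redirects CONFIDENTIAL requests to port 8443.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:/Apache/keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed list: keystore passwords that appear in Tomcat and keytool
# documentation and sample configs, so they protect nothing.
WELL_KNOWN_KEYSTORE_PASSWORDS = {"changeit", "tomcat", "password"}


def audit_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every <Connector> in server.xml."""
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        findings = []
        if conn.get("SSLEnabled", "false").lower() == "true":
            if conn.get("scheme") != "https":
                findings.append('scheme is not "https": request.getScheme() will report the wrong protocol')
            if conn.get("secure", "false").lower() != "true":
                findings.append('secure is not "true": request.isSecure() stays false, '
                                'so CONFIDENTIAL constraints are not treated as satisfied')
            if not conn.get("keystoreFile"):
                findings.append("keystoreFile not set: Tomcat falls back to ~/.keystore")
            # Tomcat's default keystorePass is "changeit"; an absent attribute means it is in use.
            if conn.get("keystorePass", "changeit") in WELL_KNOWN_KEYSTORE_PASSWORDS:
                findings.append("keystorePass is a well-known default: change it "
                                "(and keep server.xml readable only by the Tomcat user)")
        elif not conn.get("redirectPort"):
            findings.append("plain HTTP connector without redirectPort: requests for "
                            "CONFIDENTIAL pages cannot be redirected to HTTPS")
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SERVER_XML).items():
        print(port, findings or "ok")
```

Run against the slide's connector the only finding is the default keystore password; the plain-HTTP connector passes because it names a redirectPort, which is what lets Tomcat bounce a request for a CONFIDENTIAL page from 8080 to 8443.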

Encrypting the transport of data ensures that sensitive data (e.g. passwords) will not be viewable during transmission either to or from the server:

    <!-- This section declares specific resources whose access is to be constrained by the Tomcat security manager. -->
    SecuredPages
    /MyApp/somepage.html
    /MyApp/page2.jsp
    /MyApp/myServlet
    <!-- This specifies that the browser and server establish an encrypted Connection for exchanging request and response data -->
    CONFIDENTIAL
    ...

The default transport is NONE.

Demo

Generating a certificate (See

Note: When prompted for the password, I entered "changeit"


Authorization allows a web app to restrict access to specific parts of an application:

    admin
    member
    <!-- This section declares specific resources to be accessible only by users in certain roles (defined in the separate tomcat-users.xml file). -->
    SecuredPages
    /MyApp/admin.jsp
    /MyApp/manage.jsp
    ...
    Admin
    Manager
    ...

The tomcat-users.xml file contains role, username, and password definitions:

    <!-- NOTE: By default, no user is included in the "manager" role required to operate the "/manager" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary. -->
    <!-- NOTE: The sample user and role entries below are wrapped in a comment and thus are ignored when reading this file. Do not forget to remove the comment markers that surround them. -->
    <!-- -->
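As an added example (not part of the slides), the Python below reads a tomcat-users.xml and reports the problems the slide's notes warn about: sample users left active after the comment markers were removed, guessable passwords, and roles granted to a user that were never declared. The XML is constructed; the `<role rolename=...>` and `<user username=... password=... roles=...>` names are the ones tomcat-users.xml really uses, and the sample-credential list is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one real administrator, the well-known sample user left
# active, and a user whose password equals the username.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="admin"/>
  <role rolename="member"/>
  <user username="alice" password="Correct-Horse-9-Battery" roles="admin,member"/>
  <user username="tomcat" password="tomcat" roles="member"/>
  <user username="bob" password="bob" roles="manager"/>
</tomcat-users>"""

# Constructed: credential pairs that ship, commented out, in Tomcat's sample file.
SAMPLE_CREDENTIALS = {("tomcat", "tomcat"), ("role1", "tomcat"), ("both", "tomcat")}


def check_tomcat_users(xml_text: str) -> dict:
    """Return {username: [issues]} for the users that need attention."""
    root = ET.fromstring(xml_text)
    declared_roles = {r.get("rolename") for r in root.iter("role")}
    problems = {}
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        issues = []
        if (name, password) in SAMPLE_CREDENTIALS:
            issues.append("sample credentials left active")
        elif password == name or len(password) < 8:
            issues.append("password is trivially guessable")
        for role in roles:
            if role not in declared_roles:
                # A typo here silently grants (or fails to grant) a role nobody intended.
                issues.append(f"role '{role}' not declared with <role rolename=...>")
        if issues:
            problems[name] = issues
    return problems


def users_in_role(xml_text: str, role: str) -> list:
    """List the usernames holding a role, e.g. who may reach the /manager app."""
    root = ET.fromstring(xml_text)
    return sorted(u.get("username") for u in root.iter("user")
                  if role in [r.strip() for r in u.get("roles", "").split(",")])


if __name__ == "__main__":
    for name, issues in check_tomcat_users(TOMCAT_USERS_XML).items():
        print(name, issues)
    print("admin users:", users_in_role(TOMCAT_USERS_XML, "admin"))
```

Passwords in this file are stored as written, so the file itself must be readable only by the account Tomcat runs under; `users_in_role` is the quick way to answer "who can actually reach the manager application" before deploying.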

Demo

Authentication allows a web app to validate the identity of a client:

    admin
    member
    SecuredPages
    /MyApp/admin.jsp
    /MyApp/manage.jsp
    Admin
    Manager
    <!-- When you specify a login-config, the container automatically supplies a username/password prompt -->
    BASIC

You can define your own login page if you don't like the default popup dialog:

    admin
    member
    SecuredPages
    /MyApp/admin.jsp
    /MyApp/manage.jsp
    Admin
    Manager
    CONFIDENTIAL
    FORM
    /login.html
    /loginError.html
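The slides show the values that go into the deployment descriptor (the web-resource-name, the url-patterns, the role names, CONFIDENTIAL, BASIC or FORM, and the two login pages) but not the elements that enclose them. As an added example, not part of the slides, the constructed web.xml below places such values in the standard deployment-descriptor elements (`security-constraint`, `web-resource-collection`, `url-pattern`, `auth-constraint`, `role-name`, `user-data-constraint`, `transport-guarantee`, `login-config`, `auth-method`, `form-login-config`, `security-role`), and the audit after it checks the two things that matter most: that every constraint which demands a login also demands CONFIDENTIAL transport (otherwise BASIC or FORM credentials are sent in clear text), and that the roles it references are declared. The paths and the second constraint are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml. The second constraint deliberately omits the
# user-data-constraint and uses a role that is never declared.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/admin.jsp</url-pattern>
      <url-pattern>/manage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MemberPages</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>"""


def audit_web_xml(xml_text: str) -> list:
    """Return findings about the security sections of a deployment descriptor."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {(rn.text or "").strip() for sr in root.iter("security-role")
                for rn in sr.iter("role-name")}
    auth_method = (root.findtext("login-config/auth-method") or "").strip()
    for sc in root.iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?")
        needs_login = sc.find("auth-constraint") is not None
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if needs_login and guarantee == "NONE":
            # The login prompt is served on whatever scheme the protected URL used,
            # so without CONFIDENTIAL the password is posted over plain HTTP.
            findings.append(f"{name}: requires a login but transport-guarantee is NONE, "
                            f"so {auth_method or 'BASIC'} credentials travel in clear text")
        for rn in sc.findall("auth-constraint/role-name"):
            role = (rn.text or "").strip()
            if role != "*" and role not in declared:   # "*" means any declared role
                findings.append(f"{name}: role '{role}' is not declared in <security-role>")
    if auth_method == "FORM" and not root.findtext("login-config/form-login-config/form-login-page"):
        findings.append("FORM authentication declared without a form-login-page")
    return findings


if __name__ == "__main__":
    for line in audit_web_xml(WEB_XML):
        print(line)
```

Two practical notes: url-patterns are relative to the web app's context root, so inside the MyApp application the pattern is `/admin.jsp`, not `/MyApp/admin.jsp`; and a real web.xml carries an `xmlns` declaration, in which case ElementTree needs the `{namespace}` prefix on every tag name used above.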

The login form must use the indicated action and input field names:

    Login please
    username:
    password:
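Added example, not from the slides: the page below carries the slide's prompt text with the action and field names the Servlet specification fixes for FORM login (action `j_security_check`, inputs `j_username` and `j_password`), followed by a checker that verifies a login page against those names before it is deployed. The HTML is constructed.

```python
from html.parser import HTMLParser

# Constructed login page using the Servlet-spec names for FORM authentication.
LOGIN_HTML = """<html><body>
<h1>Login please</h1>
<form method="POST" action="j_security_check">
  username: <input type="text" name="j_username"><br>
  password: <input type="password" name="j_password"><br>
  <input type="submit" value="Login">
</form>
</body></html>"""


class _FormScanner(HTMLParser):
    """Collect each form's method and action and the names/types of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []            # (METHOD, action) per <form>
        self.input_names = set()
        self.password_fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "GET").upper(), a.get("action") or ""))
        elif tag == "input" and a.get("name"):
            self.input_names.add(a["name"])
            if (a.get("type") or "text").lower() == "password":
                self.password_fields.add(a["name"])


def check_login_form(html: str) -> list:
    """Return findings; an empty list means the container will accept the form."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    if not any(action.rstrip("/").endswith("j_security_check") for _, action in scanner.forms):
        findings.append("form action must be j_security_check")
    if not any(method == "POST" for method, _ in scanner.forms):
        findings.append("form should POST: with GET the password lands in the URL, "
                        "browser history and access logs")
    for field in ("j_username", "j_password"):
        if field not in scanner.input_names:
            findings.append(f"missing input named {field}")
    if "j_password" in scanner.input_names and "j_password" not in scanner.password_fields:
        findings.append('j_password should be type="password" so it is masked on screen')
    return findings


if __name__ == "__main__":
    print(check_login_form(LOGIN_HTML) or "login form OK")
```

The action is relative on purpose: the container serves the login page in place of whatever protected URL was requested, and `j_security_check` resolves against that URL, which is also why the constraint on that URL should carry CONFIDENTIAL so the POST goes over HTTPS.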