CHAPTER 12 WEB APP SECURITY

THE BAD GUYS ARE EVERYWHERE
As a web application developer you need to protect your web site. There are three main kinds of bad guys you need to watch out for:
Impersonators
Upgraders
Eavesdroppers

EXAMPLE: IMPERSONATOR
Someone who is not a legitimate user pretends to be one, for example by guessing or stealing a member's credentials and then acting as that member.

EXAMPLE: UPGRADER
A legitimate user who tries to do something they are not allowed to do, for example an ordinary member requesting an admin-only URL or action.

EXAMPLE: EAVESDROPPER
Someone on the network path who reads (or alters) the data travelling between the browser and the server, for example credentials or personal data sent over plain HTTP.

THE BIG 4 IN SERVLET SECURITY
Servlet security boils down to four main concepts:
Authentication: verify the identity of the subject
Authorization: give the subject access only to the restricted resources they are allowed to use
Confidentiality: information is not leaked to persons who should not have access
Data integrity: data is not modified illegitimately in transit

AUTHENTICATION

AUTHORIZATION

CONFIDENTIALITY AND DATA INTEGRITY

HOW TO AUTHENTICATE IN THE HTTP WORLD (BASIC AUTHENTICATION)

THE CONTAINER CAN CONTROL AUTHENTICATION AND AUTHORIZATION
Instead of coding authentication and authorization programmatically in each servlet and JSP, the container can control authentication and authorization. The application developer then does not have to write (and cannot forget to write) authentication and authorization logic for each individual servlet and JSP.

HOW DOES THE CONTAINER DO THAT?
1. Perform a lookup on the resource being requested and find out whether the resource has security constraints.
2. Authenticate the client: find out whether "Bob" really is Bob.
3. Authorize the request: the container checks whether the user, say Bob, is in a role that is allowed to access the resource.

KEEP SECURITY OUT OF THE CODE
For most web apps, most of the time, the web app's security constraints should be handled declaratively, in the deployment descriptor (DD). Why? Because the deployer can change who may reach which URL without recompiling anything, and because the container enforces the rule before any servlet code runs, so it is applied uniformly rather than depending on every servlet remembering to check.

SECURITY REALM
As far as the servlet spec is concerned, a realm is a place where authentication information (users, passwords, roles) is stored. When you are testing your application in Tomcat, you can use a file called tomcat-users.xml. This file is the realm. It is also called the memory realm because Tomcat reads the file into memory at startup time.
Disadvantages: you cannot modify the file's content without restarting Tomcat, and by default it holds passwords in clear text, so it is meant for development, not production.

ENABLING AUTHENTICATION
To get authentication working, you need to add a <login-config> element to the Deployment Descriptor. To start using HTTP Basic authentication, its <auth-method> is BASIC.

AUTHORIZATION STEP 1: DEFINE ROLES
Define the roles in the vendor-specific file tomcat-users.xml.

AUTHORIZATION STEP 1: DEFINE ROLES
Map the roles in the vendor-specific "users" file to the roles established with <security-role> in the Deployment Descriptor.

AUTHORIZATION STEP 2: DEFINING RESOURCE/HTTP METHOD CONSTRAINTS
This is where we specify, declaratively, that a given resource/method combination is accessible only by users in certain roles.

THE RULES FOR <security-constraint> ELEMENTS
The purpose of the <web-resource-collection> sub-element is to tell the container which resource (URL pattern) and HTTP method combinations should be constrained in such a way that they can be accessed only by the roles listed in the corresponding <auth-constraint> tag.
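The steps on the preceding slides (enable BASIC authentication, define the roles, map them in the DD, constrain resource/method combinations) put together in one configuration. This is an added example, not taken from the slides or from the Tomcat distribution; the two files are shown in a single block, the users, passwords, role names and URL patterns are constructed for illustration, and the web.xml uses the Servlet 2.5 schema that Tomcat 6 supports.

```xml
<!-- conf/tomcat-users.xml: Tomcat's memory realm. Users and passwords are
     constructed samples; a real deployment should not keep clear-text
     passwords in this file. -->
<tomcat-users>
  <role rolename="Admin"/>
  <role rolename="Member"/>
  <user username="bob"   password="change-me-1" roles="Admin,Member"/>
  <user username="alice" password="change-me-2" roles="Member"/>
</tomcat-users>

<!-- WEB-INF/web.xml (Servlet 2.5, as used by Tomcat 6) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Enable container-managed authentication: HTTP Basic, with the realm
       name the browser shows in its login prompt. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Employee Portal</realm-name>
  </login-config>

  <!-- Step 1: the roles the application knows about. These names must match
       the rolename values in tomcat-users.xml (or be mapped by the vendor). -->
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Member</role-name></security-role>

  <!-- Step 2: which resource/method combinations need which roles. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <url-pattern>/member/*</url-pattern>
      <!-- Listing methods constrains ONLY those methods: HEAD, PUT, DELETE,
           OPTIONS and TRACE on /member/* remain open to anyone. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- No http-method element: every method is constrained. Prefer this
           unless you really need some methods left open. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

</web-app>
```

Two rules from the servlet spec worth remembering when reading such a file: an empty <auth-constraint/> means nobody can reach the resource, and <role-name>*</role-name> means any authenticated user who holds at least one of the roles declared in the DD. The <http-method> trap above is the one that bites in practice; an "Upgrader" who finds that only GET and POST are constrained simply sends the same request with another method.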

USE PROGRAMMATIC SECURITY WITH DECLARATIVE SECURITY FOR FINE-GRAINED SECURITY CONTROL
Instead of authorizing only at the HTTP method level (GET, POST, etc.), you can customize a service method to behave according to the user's role. Suppose we defined the role "Manager" in the DD; the following code customizes the response for a Manager:

    if (request.isUserInRole("Manager")) {
        // show info related to all employees
    } else {
        // show info only related to a particular employee
    }

FOUR AUTHENTICATION TYPES
BASIC: transmits the login information in an encoded (not encrypted) form. Encoding scheme: base64, which anyone can reverse. Very weak security on its own; it is only acceptable over HTTPS.
DIGEST: transmits a hash of the login information combined with a server-supplied nonce, so the password itself never goes on the wire. More secure than BASIC against a passive eavesdropper, but still a weak (MD5-based) scheme that does nothing for the rest of the request and response.

FOUR AUTHENTICATION TYPES
CLIENT-CERT: the client needs to have an X.509 certificate, presented over HTTPS, before they can log in to the system.
FORM: FORM authentication lets you create your own custom login form out of anything that is legal HTML. The form fields are transmitted in the least secure way of all, as plain POST parameters, so FORM must be combined with HTTPS.
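What "encoded, not encrypted" means for the BASIC scheme introduced on the "How to authenticate in the HTTP world" slide and described above: the Authorization header a browser sends after a 401 challenge is just the user-id and password joined by a colon and base64-encoded, so an eavesdropper on a plain-HTTP connection recovers both with a few lines of code. This is an added example, not from the slides; it uses java.util.Base64 (Java 8 or later) and the sniffed credentials are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Build and parse the HTTP Basic "Authorization" header value (RFC 7617). */
public final class BasicAuthHeader {

    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /** What a browser sends back after "WWW-Authenticate: Basic realm=...". */
    public static String build(String username, String password) {
        // The FIRST ':' separates user from password, so the user-id may not
        // contain one; the password may.
        if (username.indexOf(':') >= 0) {
            throw new IllegalArgumentException("username must not contain ':'");
        }
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Returns null for anything that is not a well-formed Basic credential. */
    public static Credentials parse(String headerValue) {
        if (headerValue == null) return null;
        String v = headerValue.trim();
        // The scheme token is case-insensitive: "basic", "BASIC", "Basic" all match.
        if (v.length() < 7 || !v.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(v.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not base64: reject rather than guess
        }
        // RFC 7617 lets the server request UTF-8 with charset="UTF-8" in the
        // challenge; this parser assumes it did (older clients may send Latin-1).
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) return null;
        return new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed header, exactly as an eavesdropper would capture it on
        // plain HTTP. The password deliberately contains a colon.
        String header = build("bob", "pa:ss");   // "Basic Ym9iOnBhOnNz"
        Credentials c = parse(header);
        System.out.println("sniffed header : " + header);
        System.out.println("recovered user : " + c.username);
        System.out.println("recovered pass : " + c.password);
    }
}
```

The browser re-sends this header on every request to the realm, so the exposure is not a one-off at login: every request over plain HTTP hands the password to anyone on the path. That is the reason the "HTTPS to the rescue" slides later require a transport guarantee on anything that uses BASIC.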

FORM-BASED AUTHENTICATION
What you do: first, you create your own custom HTML form for the user login. Then you create a custom HTML error page for the Container to show when the login fails. Finally, you point the DD's <login-config> at both pages.

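The three pieces of form-based authentication described above, as an added example that is not part of the slides. The action name j_security_check and the field names j_username and j_password are fixed by the servlet spec; the file names, the page wording and the markup around the form are constructed for illustration, and the three files are shown in one block.

```xml
<!-- login.html: the custom login form. Only the action and the two field
     names are dictated by the container; the method must be POST. -->
<html>
  <head><title>Log in</title></head>
  <body>
    <form method="POST" action="j_security_check">
      <p>Username: <input type="text" name="j_username" autocomplete="username"/></p>
      <p>Password: <input type="password" name="j_password" autocomplete="current-password"/></p>
      <p><input type="submit" value="Log in"/></p>
    </form>
  </body>
</html>

<!-- login-error.html: served by the container when j_security_check fails.
     Keep the message vague; do not reveal whether the username exists. -->
<html>
  <head><title>Login failed</title></head>
  <body>
    <p>The username or password was not accepted. Go back and try again.</p>
  </body>
</html>

<!-- WEB-INF/web.xml: this login-config replaces the BASIC one. Both paths
     are relative to the web app's context root. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>
```

The container shows the login page in response to a request for a protected URL, remembers that request, and replays it after a successful POST to j_security_check; the servlet never sees the password. Because the form posts the password as an ordinary parameter, the protected URL that triggered it must carry a CONFIDENTIAL transport guarantee so that the form, and the POST it produces, travel over HTTPS.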

SECURING DATA IN TRANSIT: HTTPS TO THE RESCUE
We can tell a J2EE container to guarantee that data is transmitted over a protected transport layer connection, i.e. to use HTTPS. To do that, we use CONFIDENTIAL for both confidentiality and integrity by adding a <user-data-constraint> element containing <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the <security-constraint> in the DD for the application.

SECURING DATA IN TRANSIT: HTTPS TO THE RESCUE
Tomcat supports HTTPS out of the box, but it will not necessarily have HTTPS configured for your application automatically. You still need to generate (or apply for) a certificate and then configure Tomcat's HTTPS connector to use it. You may refer to http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
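The transport guarantee from the previous slide together with the Tomcat side that makes it work, as an added example that is not from the slides or from the Tomcat documentation. The connector attributes are those of Tomcat 6's JSSE connector; the ports, the keystore path and password, and the URL pattern are constructed for illustration.

```xml
<!-- WEB-INF/web.xml: a user-data-constraint added to the member-area
     constraint. NONE allows plain HTTP; INTEGRAL asks for tamper detection;
     CONFIDENTIAL asks for encryption. Containers implement both of the latter
     as "must be HTTPS", so CONFIDENTIAL is the one to use. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Member area</web-resource-name>
    <url-pattern>/member/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- conf/server.xml (Tomcat 6). The plain-HTTP connector's redirectPort is
     where a request that violates a CONFIDENTIAL constraint is sent; without
     it the user gets an error instead of a redirect. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443"/>

<!-- The HTTPS connector. Create the keystore first, e.g. with the JDK tool:
       keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 \
               -keystore conf/keystore.jks
     and do not leave the password in a world-readable server.xml. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit"/>
```

Tomcat evaluates the transport guarantee before it challenges for credentials, so with this configuration a BASIC Authorization header, or a FORM login POST, is only ever sent on the TLS connection. A CONFIDENTIAL constraint protects only the URL patterns it names; any page that also handles the session cookie or other sensitive data but is left under NONE still leaks over HTTP, which is why most deployments end up constraining /* rather than a single directory.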