SE-2840 Dr. Mark L. Hornick1 Web Application Security.



There are three main security concerns your web apps need to address:

Eavesdropping: a third party reads confidential information exchanged between your site and a valid user. Your site needs to encrypt the communication to prevent this.

Impersonation: a client pretends to be someone else in order to gain access to your site. Your site needs to authenticate clients to prevent this.

Upgrading (privilege escalation): a client gains access to restricted aspects of your web app. The client may be authenticated, but not authorized for that resource. Your site needs to authorize each request, granting privileged information only to clients in the right role.

Don't try to implement security yourself. You are unlikely to get it right unless you are an absolute expert; leave it to the experts and use well-accepted approaches (the container's built-in mechanisms and standard, reviewed libraries).

All three concerns can be managed through the deployment descriptor (web.xml). Tomcat, like every Servlet container, implements the declarative security model of the Servlet specification: authentication, authorization and transport encryption are declared in web.xml and enforced by the container itself, so they require no changes to your Servlets or pages.

Types of cryptographic primitives involved:

One-way hash: data can be hashed, but the hash cannot be reversed to recover the data (strictly, hashing is not encryption: there is no key and no decryption). Used for integrity checks and for storing passwords.

Asymmetric keys (public-key cryptography): data encrypted with a public key can only be decrypted with the matching private key, and data signed with the private key can be verified with the public key. Computationally intensive, so used to establish secrets and to sign, not for bulk data.

Symmetric keys: encryption and decryption use the same key. Computationally much simpler, so used for the bulk of the traffic once both sides share a secret.

(The slide's diagram shows "Hello" transformed to ciphertext and back for the two key types, and to a digest with no way back for the hash.)

Encrypting the transport of data ensures that sensitive data (e.g. passwords and session cookies) cannot be read during transmission either to or from the server. In web.xml, a security constraint whose user-data-constraint is CONFIDENTIAL tells the container to serve the listed resources only over an encrypted connection; Tomcat redirects plain HTTP requests for them to its HTTPS connector:

<!-- This section declares specific resources whose access is to be constrained by the Tomcat security manager. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecuredPages</web-resource-name>
    <!-- url-patterns are matched against the path inside the web app, after the context path;
         for an app deployed at /MyApp these would be /somepage.html, /page2.jsp and /myServlet -->
    <url-pattern>/MyApp/somepage.html</url-pattern>
    <url-pattern>/MyApp/page2.jsp</url-pattern>
    <url-pattern>/MyApp/myServlet</url-pattern>
  </web-resource-collection>
  <!-- This specifies that the browser and server establish an encrypted connection for exchanging request and response data -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
...

The default transport guarantee is NONE. Note that the constraint protects only the URL patterns listed; anything not matched is served over plain HTTP as before.

SSL encryption requires the exchange of keys between the browser and the server. Simplified:

1. The browser asks the server for its public key.
2. The server delivers the public key enclosed in a certificate that also contains the server's identity (its host name).
3. The browser checks that the certificate is valid: it verifies the certificate's signature chain against the root certificate authorities it already trusts, checks the validity period, and checks that the name in the certificate matches the host it connected to. If a check fails (a self-signed certificate, for instance), the user is warned and given a chance to intervene.
4. The browser accepts the certificate and the server's enclosed public key, generates a random "secret", and sends the secret to the server encrypted with the server's public key.
5. The server decrypts the secret with its private key; nobody without that key can.
6. The shared secret is used, with a symmetric cipher, to encrypt all subsequent exchanged messages.
7. The secret is discarded at the end of the session.

This is the RSA key-exchange form used by SSL and by TLS up to 1.2. Current TLS (and TLS 1.3 exclusively) instead derives the secret with an ephemeral Diffie-Hellman exchange that the certificate's key only signs, so a server key stolen later cannot decrypt recorded sessions (forward secrecy). The division of labour is the same: public-key cryptography to establish a secret, a symmetric cipher for the bulk data.
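The three primitives from the previous slide and the simplified exchange above, carried through in one added Go example written for this page (not code from the slides, and not what Tomcat does internally; Tomcat delegates all of this to JSSE). SHA-256 plays the one-way hash, AES-256-GCM the symmetric session cipher, and RSA-OAEP carries the client's secret to the server the way the RSA key exchange did. The names Server, ClientKeyExchange and Session are my own, as is the sample request string.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// OneWayHash: the digest can be recomputed from the data, but the data
// cannot be recovered from the digest. (Stored passwords need a slow,
// salted KDF, not a bare hash like this one.)
func OneWayHash(data string) string {
	sum := sha256.Sum256([]byte(data))
	return hex.EncodeToString(sum[:])
}

// newGCM builds the symmetric cipher (AES-256-GCM) from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt returns nonce||ciphertext||tag. GCM also authenticates,
// so any change to the ciphertext is detected on decryption.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; never reuse under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt with the same key.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Server owns the asymmetric key pair; only the public half ever leaves it
// (in the real protocol, inside the certificate).
type Server struct{ priv *rsa.PrivateKey }

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// ClientKeyExchange is the browser's step 4: make a random secret and encrypt
// it with the server's public key. An eavesdropper who captures "wrapped"
// cannot open it without the private key.
func ClientKeyExchange(serverPub *rsa.PublicKey) (secret, wrapped []byte, err error) {
	secret = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, secret); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, secret, nil)
	return secret, wrapped, err
}

// Unwrap is the server's step 5: recover the secret with its private key.
func (s *Server) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
}

// Session runs the exchange end to end: key transport with the slow
// asymmetric cipher, then the request under the fast symmetric one (step 6).
// It returns the request as the server read it.
func Session(srv *Server, request string) (string, error) {
	clientSecret, wrapped, err := ClientKeyExchange(srv.PublicKey())
	if err != nil {
		return "", err
	}
	serverSecret, err := srv.Unwrap(wrapped)
	if err != nil {
		return "", err
	}
	sealed, err := SymmetricEncrypt(clientSecret, []byte(request))
	if err != nil {
		return "", err
	}
	plain, err := SymmetricDecrypt(serverSecret, sealed) // both secrets are dropped when the session ends
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```

Two things worth trying with it: unwrap the secret with a second server's key, which fails, and flip one byte of the sealed request, which makes GCM refuse to decrypt rather than hand back garbage. Both are the properties the slide relies on (only the private key opens the secret; tampering is detected).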

The server.xml file contains the configuration for Tomcat's operation, including enabling HTTPS (SSL/TLS) on its own connector:

<!-- Define a SSL HTTP/1.1 Connector on port 8443. This connector uses the JSSE configuration; when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:/Apache/keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

Note: most of this Connector element is already in the default server.xml, commented out. Uncomment it and add the keystoreFile attribute, which names the file holding the generated key pair and certificate (next slides); keystorePass must be the password you gave when generating it. Two practical points: keystorePass sits in server.xml in clear text, so restrict who can read that file; and the plain HTTP connector's redirectPort (8443 by default) is where Tomcat sends requests that hit a CONFIDENTIAL constraint, so keep the two ports in step. sslProtocol="TLS" lets JSSE negotiate the protocol version; this attribute style is the Tomcat 6/7 form, and Tomcat 8.5 and later prefer the nested SSLHostConfig and Certificate elements.

Key generation demo: the JDK's keytool utility (its -genkeypair command) creates the server's key pair and a self-signed certificate in the keystore file named in server.xml.

Generating a certificate (See

Note: When prompted for the password, I entered "changeit". The keystore password must be the same value as keystorePass in server.xml.
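What the keytool step produces, and what the browser then does with it (steps 2 and 3 of the exchange), as an added Go example written for this page rather than code from the slides or from Tomcat. It generates a self-signed certificate (keytool's default) and one issued by a CA, then runs the browser's check under each condition a practitioner meets: untrusted self-signed, self-signed after the user imports it into the root store, CA-trusted, wrong host name, and expired. The CA name "Example Root CA" and the host names are made up, and it uses ECDSA P-256 keys instead of keytool's RSA default only so that generation is fast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyAndCert is what keytool stores in the keystore: a private key plus the
// certificate that carries the matching public key.
type KeyAndCert struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCert generates a key pair and a certificate for cn. With issuer == nil
// the certificate is self-signed (keytool's default); otherwise it is signed
// with the issuer's private key, which is what a CA does.
func NewCert(cn string, isCA bool, notAfter time.Time, issuer *KeyAndCert) (*KeyAndCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server certificate must name the host the browser connected to.
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &KeyAndCert{Key: key, Cert: cert}, nil
}

// BrowserCheck is step 3: verify the server's certificate against the roots
// this client trusts, for the host it is talking to. Chain, validity period
// and host name are all checked.
func BrowserCheck(server *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Outcome holds the verification result for each scenario (nil = accepted).
type Outcome struct {
	SelfSignedUntrusted error // keytool default, nothing imported: the browser warns
	SelfSignedImported  error // same certificate after the user imports it as trusted
	CASignedTrusted     error // issued by a CA already in the root store
	CASignedWrongHost   error // good chain, but the name does not match the URL
	CASignedExpired     error // good chain, certificate past its NotAfter
}

func RunScenarios() (Outcome, error) {
	var out Outcome
	tomorrow := time.Now().Add(24 * time.Hour)
	ca, err := NewCert("Example Root CA", true, tomorrow, nil)
	if err != nil {
		return out, err
	}
	self, err := NewCert("localhost", false, tomorrow, nil)
	if err != nil {
		return out, err
	}
	signed, err := NewCert("localhost", false, tomorrow, ca)
	if err != nil {
		return out, err
	}
	expired, err := NewCert("localhost", false, time.Now().Add(-time.Minute), ca)
	if err != nil {
		return out, err
	}
	trusted := x509.NewCertPool() // the browser's root store
	trusted.AddCert(ca.Cert)
	imported := x509.NewCertPool() // root store after importing the self-signed cert
	imported.AddCert(self.Cert)

	out.SelfSignedUntrusted = BrowserCheck(self.Cert, trusted, "localhost")
	out.SelfSignedImported = BrowserCheck(self.Cert, imported, "localhost")
	out.CASignedTrusted = BrowserCheck(signed.Cert, trusted, "localhost")
	out.CASignedWrongHost = BrowserCheck(signed.Cert, trusted, "attacker.example")
	out.CASignedExpired = BrowserCheck(expired.Cert, trusted, "localhost")
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The untrusted self-signed case is the browser warning seen in the demo; importing the certificate into the browser's store (or, better, having one issued by a CA the browser already trusts) clears it. The host-name and expiry failures are what you hit when the certificate's name does not match the URL, or when a certificate created with keytool's default 90-day validity runs out.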


Authorization allows a web app to restrict access to specific parts of an application to users holding named roles:

<!-- Roles this application uses; which users hold them is defined in the separate tomcat-users.xml file. -->
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>member</role-name>
</security-role>

<!-- This section declares specific resources to be accessible only by users in certain roles (defined in the separate tomcat-users.xml file). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecuredPages</web-resource-name>
    <url-pattern>/MyApp/admin.jsp</url-pattern>
    <url-pattern>/MyApp/manage.jsp</url-pattern>
    ...
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
...

Role names are case-sensitive and must match in all three places: the auth-constraint, the security-role declarations, and tomcat-users.xml. The slide writes Admin/Manager in one place and admin/manager in another, and declares member rather than manager as a security-role, so check that yours agree before testing. Also note the two edge cases of the spec: a security-constraint with no auth-constraint at all is open to everyone, while an empty <auth-constraint/> denies everyone.

Authorization requires authentication, so that the web app can validate the identity of a client before deciding on its roles. When you specify a login-config, the container automatically supplies the username/password prompt; with BASIC that is the browser's built-in dialog. This is added to the roles and security-constraint of the previous slide:

<!-- When you specify a login-config, the container automatically supplies a username/password prompt -->
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

Caveat: BASIC sends "username:password" Base64-encoded (not encrypted) in a header on every request, and the browser caches it for the rest of the session, so there is no real logout. Combine it with a CONFIDENTIAL transport-guarantee so the credentials only ever travel over HTTPS.

The tomcat-users.xml file (in Tomcat's conf directory) contains the role, username, and password definitions that the container's default realm consults:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<!-- NOTE: By default, no user is included in the "manager" role required to operate the "/manager" web application. If you wish to use this app, you must define such a user; the username and password are arbitrary. -->
<!-- NOTE: The sample user and role entries below are wrapped in a comment and thus are ignored when reading this file. Do not forget to remove the comment markers that surround them. -->
<!-- ... -->
</tomcat-users>

Each role is declared with a <role rolename="..."/> element and each user with a <user username="..." password="..." roles="..."/> element, where roles is a comma-separated list of role names that must match the <role-name> values in web.xml exactly (case-sensitive). Passwords in this file are stored in clear text unless the Realm in server.xml is configured to store digested passwords (a CredentialHandler in Tomcat 8 and later, with digests produced by the digest script in Tomcat's bin directory), so treat the file as a secret and do not check it into source control.

tomcat-users.xml demo

Basic login demo

You can define your own login page if you don't like the default popup dialog. The roles, the constraint (now also requiring CONFIDENTIAL transport, since a form POSTs the password in clear text) and a FORM login-config:

<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>member</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecuredPages</web-resource-name>
    <url-pattern>/MyApp/admin.jsp</url-pattern>
    <url-pattern>/MyApp/manage.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/autologin.html</form-login-page>
    <form-error-page>/autologinError.html</form-error-page>
  </form-login-config>
</login-config>

The container serves /autologin.html when an unauthenticated client requests a constrained page, and /autologinError.html when the submitted credentials are rejected. Because the constrained page is redirected to HTTPS first, the form itself is served and submitted over the encrypted connection.

The login form must use the action j_security_check and the input field names j_username and j_password; these names are fixed by the Servlet specification, and the container intercepts the POST, so no Servlet of yours ever handles the credentials:

<form method="POST" action="j_security_check">
  Login please<br>
  username: <input type="text" name="j_username"><br>
  password: <input type="password" name="j_password"><br>
  <input type="submit" value="Login">
</form>

Use a relative action (as above) so the form posts back into the same web app regardless of its context path, and keep the method POST so the password is not written into server logs as part of a query string.