Application Index/Framework Security A. Petrov, 11/21/02.

Obstacles
- Various types of executable code (Java classes, HTML, SVG, JScript, …).
- Various code sources (shared drives, Apache and Tomcats).
- Various types of user authentication (via web browser, Kerberos, …).

Obstacles - II
- It seems to be possible to create a manual bypass in almost every case.
- The system is under permanent change and is not understandable as a whole (at least, for me…).

Goals
1) Create a core application security system to distribute permissions on/for applications.
2) Implement several borders of protection, based on this core system.

Borders Of Protection
- Application Index – the list of available programs depends on actual user privileges.
- Code sources – against unauthorized code download.
- Security check in App. Framework – against unauthorized launch.

Borders Of Protection - II
- DAE connection – against unauthorized data usage and modification.

[Diagram: application flow. Application Browser → Downloading Code (from DB; from shared drive: static HTML, JARs, …; JNLP Generator) → Launching (based on Framework / not based on Framework; servlets) → DAE Connection. Legend: is implemented / will be implemented.]

Users
- A generic VMS table of login names is used, dbo.console_user.
- APPiX has an additional table with encrypted passwords (for web access).
- A GUI to edit users is not provided.

User Privileges
- VMS classes are used; they are considered to be groups in the Application Index.
- Two pseudo-classes are added: PUBLIC and INSIDER; their membership is "dynamic", depending on access mode.
- INSIDER is a subset of PUBLIC.

[Diagram: a dbo.console_user record (name: apetrov, console_user_id: 807, classes: $800…) maps to APPiX groups: 1. MCR, 2. RemoteMCR, 3. CHL, 11. AccelPrgrmmer, …; plus the pseudo-classes INSIDER and PUBLIC, whose membership depends on access mode.]

Application Privileges
- A special APPiX table is used; every application may have membership in several groups, plus an is_writable flag.
- Application privileges are used: 1) to define who can start an application; 2) as service privileges for DAE; 3) to define whether an app. is "writable".

[Diagram: example for "AppFramework Test Application". APPiX groups: 1. MCR, 3. CHL, 11. AccelPrgrmmer, INSIDER; is_writable: MCR, AccelPrgrmmer. Service privileges: $802. May start: MCR, CHL, AccelPrgrmmer, INSIDER. May write: MCR, AccelPrgrmmer.]
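The privilege model of the last three slides (VMS classes as groups, the PUBLIC/INSIDER pseudo-classes granted by access mode, application group membership with an is_writable flag, and the SSL rule from the last slide), as an added example that is not code from the presentation or from APPiX itself. Access-mode names, the Application class and the sample data are constructed assumptions that mirror the slide example.

```python
# Added example: a model of the APPiX privilege scheme described in the slides.
# Access-mode names ("inside"/"outside"), the data classes and sample data are
# constructed for illustration; they are not APPiX's own code or schema.
from dataclasses import dataclass, field

PUBLIC, INSIDER = "PUBLIC", "INSIDER"   # pseudo-classes from the slides

@dataclass
class Application:
    name: str
    groups: set                                        # APPiX groups the app belongs to
    writable_groups: set = field(default_factory=set)  # groups with is_writable set

def effective_groups(vms_classes, access_mode):
    """VMS classes plus the pseudo-classes granted by the access mode.
    Outside access gets PUBLIC only; inside access gets PUBLIC and INSIDER,
    so INSIDER is always a subset of PUBLIC, as the slides state."""
    if access_mode not in ("inside", "outside"):
        raise ValueError(f"unknown access mode: {access_mode}")
    groups = set(vms_classes) | {PUBLIC}
    if access_mode == "inside":
        groups.add(INSIDER)
    return groups

def may_start(app, vms_classes, access_mode):
    """An application may be started if the user shares any group with it."""
    return bool(app.groups & effective_groups(vms_classes, access_mode))

def may_write(app, vms_classes, access_mode):
    """Write access additionally needs a shared group flagged is_writable."""
    writable = app.writable_groups & app.groups
    return bool(writable & effective_groups(vms_classes, access_mode))

def may_enter_password(access_mode):
    """No "real" SSL certificate, so password entry is allowed inside only."""
    return access_mode == "inside"

def index_for(vms_classes, access_mode, apps):
    """Application Index: list only the applications this user may start."""
    return [a.name for a in apps if may_start(a, vms_classes, access_mode)]

# Constructed sample data mirroring the slide example
TEST_APP = Application("AppFramework Test Application",
                       groups={"MCR", "CHL", "AccelPrgrmmer", INSIDER},
                       writable_groups={"MCR", "AccelPrgrmmer"})
APETROV = {"MCR", "RemoteMCR", "CHL", "AccelPrgrmmer"}   # classes of the console_user record

if __name__ == "__main__":
    print(index_for(APETROV, "inside", [TEST_APP]))   # app is listed
    print(index_for(set(), "outside", [TEST_APP]))    # anonymous outside user: nothing listed
```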

Servlet Privileges
- A special AppixRealm module is developed for Tomcat.
- Privileges are checked: 1) by Tomcat itself (web.xml file); 2) by servlets.

Servlet Privileges - II
- All interaction between the Application Index database and the Application Framework (and the Console Application Launcher) takes place via servlets.

User Authentication
- For servlets – through Tomcat's AppixRealm.
- For DAE – through Kerberos.
- It still looks unclear how to implement Kerberos security when the web client is a browser (but it's probably possible for framework-based applications).

User Authentication - II
- In general, user authentication is not required: a default user has some privileges (through the PUBLIC and INSIDER pseudo-classes).

Secure Socket Layer (SSL)
- DOE does not allow purchasing "real" SSL certificates. (?)
- … and so: entering a password in the Application Index is now forbidden for outside users (all outside users belong to the PUBLIC pseudo-class).