Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Site Security Representation and Management of Data on the Web.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Site Security Representation and Management of Data on the Web."— Presentation transcript:

1 Web Site Security Representation and Management of Data on the Web

2 We all know this page...

3 Would we want all to know this page?

4 Problem Want to restrict access to certain Web pages Must answer the following questions -Which pages should be restricted? -Who should access restricted pages? -How should users be authenticated? -Should Authentication data be Encrypted?

5 Authentication Methods Several security methods are used: Declarative Security -Use security mechanisms provided by the server -BASIC and FORM-based will be discussed Programmatic Security -Security is handled by the Web application programs

6 Declarative Security Advantage: Application programs (i.e. JSP and Servlets) do not have to do anything special Advantage: security holes due to bugs are less probable Disadvantage: Server specific process Disadvantage: All or nothing security -users can or cannot see the page -sometimes, what we really want is the page content to be dependent on the user

7 Programmatic Security Advantage: Not server specific Advantage: Very flexible Disadvantage: A lot of work to program + all Servlets and JSP have to cooperate for this to work Disadvantage: Programmer's bugs may lead to security holes

8 Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET E.xsl OK + Content F.xml

9 Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/B.jsp 401 + Basic realm="A" F.xml

10 Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/B.jsp + user:pass OK + Content F.xml

11 Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/A.html + user:pass OK + Content F.xml

12 To restrict a set of pages for certain users, the server designates a realm name for these pages and defines the authorized users (usernames and passwords) When a page is requested without correct authentication information, the server returns a 401 (Unauthorized) response, with the "WWW-Authenticate" header like the following: WWW-Authenticate: Basic realm="realm-name" Declarative Security: BASIC

13 The browser then prompts the user for a username and a password, and sends them in the "Authorization" header: Authorization: Basic username:password The string username:password is trivially encoded (everyone can decode it...) Through the session, the browser automatically sends the latter authorization header when requesting files under the latter request's directory or when asked to authenticate in the same realm An Example

14 BASIC method in Tomcat 1.Set up usernames, passwords and roles 2.Tell the server that your application is using BASIC authentication, and designate a realm name to the application 3.Specify which URLs should be restricted to which roles

15 [more roles...] <user username="snoopy" password="snoopass" roles="special"/> [more users...] 1. Defining Usernames, Passwords, and Roles Define users, passwords and roles in the file $CATALINA_BASE/conf/tomcat-users.xml

16 2. Tell the Server to use BASIC Security + Define a Realm Name Add to the application's web.xml the login method (BASIC) and your chosen realm name BASIC Special Managers

17 3. Define the restrictions in web.xml restricted one /restricted1/* restricted two /restricted2/*

18 special... special

19

20

21 Custom Error Pages The default 401-designated error page is returned with the unauthorized response of the server A 401 page is not shown by the browser, unless -The user cancels the authentication -The page is returned without WWW-Authenticate In Tomcat, you can define an application-specific error page, however the WWW-Authenticate header must be added explicitly

22 A Custom Error Page Example Add to the application's web.xml the following: 401 /error401.jsp

23 A Custom Error Page Example (cont) <% response.setHeader ("WWW-Authenticate", "Basic realm=\"Special Managers\""); %> Unauthorized Go away! You are not authorized!! error401.jsp

24

25

26 Declarative Security: FORM In the BASIC method, it is the browser's responsibility to get the login and password from its user, and to send it throughout the session In the FORM method, this responsibility is the server's, while the browser is not aware of the fact that restricted pages are accessed

27 Declarative Security: FORM (cont) In the first request to a restricted page, the server forwards the request to a login page Using the form in the login page, the user submits its login and password to a special URL of the server, and the latter stores the information in the session object On subsequent requests, the server checks the session to see if it contains suitable authentication, in which case the required page is returned

28 Add to web.xml FORM /admin/login.jsp /admin/login-error.html

29 Create A Login Page Login Log In Sorry, you must log in before accessing this resource. " METHOD="POST"> User name: Password: myApp/admin/login.jsp

30 Create a Login-Error Page Unauthorized Go away! You are not authorized!! myApp/admin/login-error.html

31

32

33

34 Adding Some Programmatic Security So far, all or nothing: -can see page or -can't see page Sometimes we want to allow page content to be dependant on the authorization of the user Use the following request methods to control content restriction: - boolean isUserInRole(String role) - String getRemoteUser()

35 Example salary /salary.jsp executive employees

36 Example (cont) Average Salary Employee average salary: 3895NIS Executive average salary: 42764NIS salary.jsp

37

38

39

40

41 Important: Disable the Servlet Invoker You protect certain URLs in the application The http://host/prefix/servlet/Name format of the Servlet invoker will probably not match the patterns of the protected URLs Thus, the security restrictions are bypassed if the invoker is enabled For this reasons (and others), the invoker should not be used in published applications

42 SSL Connections

43 Security on the Internet The Internet is used to transmit sensitive data from clients to servers and vice versa -User passwords -Credit card numbers -Private client data on remote servers (e.g. Banks) However, data packets are read by several computers on the way from the client to the server and vice versa -Routers, proxies, etc.

44 Security on the Internet (cont) The following should be provided: -Only the server can read the client requests -Only the client can read the server's responses -Only the client can send requests on behalf of itself -Only the server can send responses on behalf of itself In short, no one should be able to interfere in the interaction, either be reading the transferred data or by impersonating to one of the sides

45 Symmetric and Asymmetric Keys Data can be encrypted and decrypted using keys, which are simply large numbers Symmetric keys: the same key is used for both encoding and decoding of the message Asymmetric keys: one key is used to encode the message, and another is used to decode it It is considered practically impossible to decode a message without knowing the decoding key

46 The RSA Cryptography System RSA was developed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman It is the based on the asymmetric key mechanism: -Each participant has a private key and a public key -The public key is known to all and the private key is kept in secret within its owner -Asymmetric keys: the public key is the encoding key and the private key is the decoding key

47 Secure Connection: A Naive Approach Consider the following protocol: -Server and Client send their public keys to each other -Data is encrypted using the public key of the receiver What is wrong with this protocol? -Decryption methods (public keys) are known to everyone - everyone can impersonate the participants -A participant cannot tell whether its received key was indeed sent by the other participant

48 SSL Connections The SSL (Secure Socket Layer) protocol is used to manage security of message transmission on the Internet Data encryption and decryption is based on symmetric and asymmetric keys The HTTPS (HTTP over Ssl) protocol is actually the HTTP protocol above SSL transportation

49 TCP/IP SSL SSL in the Network Layers HTTP Email Protocols

50 The SSL Handshake Server hello + SSL settings Client SSL Settings + Certificate Is this a good certificate? 1. Client gets the Server's certificate

51 The SSL Handshake Server Client 2. Client creates a master secret and shares it with the server

52 The SSL Handshake Server Client 3. Client and server create symmetric session keys from the master secret

53 The SSL Handshake Server Client Data is transferred using the session keys (Http Response) (Http Request)

54 SSL Certificates To assure that the replier of the first request is the server, the server sends a certificate The certificate contains both the server's name and its public key The certificate is issued by a Certificate Authority (CA), which is known to the client in advance -For example: VeriSign, Thawte, RSA Secure Server, etc. CA signs the certificate using a digital signature, which the client can verify using a method similar to the private-public key method

55 Issuer's Name Public Key Serial Number Validity Period Server's Name The Server's Certificate Issuer's Digital Signature

56 An Example: The Certificate of bankleumi.co.il

57 Authentication via SSL If the server needs to assure the client's identity, the first interaction after the SSL handshake will typically be a clients authentication Client authentication is done using the regular HTTP authentication methods What is the difference, though?

58 SSL in Tomcat 5.0 To use SSL connections in Tomcat 5.0, we need to do the following: -Acquire a certificate -Enable the https service, that listens to a designated port -Declare the pages that require SSL connections

59 Generating a Certificate Acquiring a certificate from a known CA costs money Instead, we will generate our own certificate Naturally, the browser will not recognize the CA as a known one and will alert the user

60 Generating a Certificate (cont) From the Unix shell, type the following: keytool -genkey -alias tomcat -keyalg RSA -keystore keyfile

61 Enable HTTPS Service Add the following to $CATALINA_BASE/conf/server.xml under the Service "catalina": Declare the redirection port for the HTTP Connector:

62 Declare Secured Pages In the application's web.xml, add the following element under the security constraint for which you want SSL to be used CONFIDENTIAL

63

64

65

66

67

Download ppt "Web Site Security Representation and Management of Data on the Web."

Similar presentations

CP3397 ECommerce.

CP3397 ECommerce.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.

SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.

Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
User and Security Management. Security Management in Web Applications.

User and Security Management. Security Management in Web Applications.

Similar presentations

Ads by Google