Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Security Representation and Management of Data on the Web.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Application Security Representation and Management of Data on the Web."— Presentation transcript:

1 Web Application Security Representation and Management of Data on the Web

2 Problem Want to restrict access to certain web pages Must answer the following questions –which pages should be restricted? –who should access restricted pages? –how should users be authenticated? Other issues (not discussed here): Encrypting data when transported

3 Declarative Security Use web server specific mechanisms to solve problems above Advantage: JSP and Scriptlets do not have to do anything special Disadvantage: Server specific process Disadvantage: All or nothing security, i.e., users can see page or not see it. Page content is not dependant on the user.

4 Programmatic Security Write code to authenticate/restrict users Advantage: Not server specific Advantage: Very flexible Disadvantage: A lot of work to program + all Servlets and JSP have to cooperate for this to work

5 Declarative Security: BASIC 1.Set up usernames, passwords, and roles. 2.Tell the server that you are using BASIC authentication. Designate the realm name. 3.Specify which URLs should be password protected. 4.Turn off the invoker servlet.

6 1. Defining Usernames, Passwords, and Roles Define users, passwords and roles in file: tomcat_home/conf/tomcat-users.xml <user name="snoopy" password="ypoons" roles="special" /> <user name="charlieb " password="beilrahc" roles="special, admin" />

7 2. Tell the Server to use BASIC Security Add to web.xml file in tomcat_home/webapps/appname/WEB-INF BASIC Some Name

8 3. Specify URLs to be Protected Add to web.xml: Sensitive /sensitive/* special

9 4. Disable Invoker Servlet You protect certain URLs that are associated with registered servlet or JSP names. The http://host/prefix/servlet/Name format of default servlet URLs will probably not match the pattern. Thus, the security restrictions are bypassed when the default URLs are used. You can disable such URLs (details omitted)

10

11 Declarative Security: FORM Instead of a dialog box, you can create a form for validating users You can also create your own error page

12 Add to web.xml FORM /admin/login.jsp /admin/login-error.jsp

13 Create Login Page … Log In Sorry, you must log in before accessing this resource. User name: Password:

14

15 Create Error Page Begone! Begone, ye unauthorized peon.

16 Adding Some Programmatic Security So far, all or nothing: –can see page or –can't see page Allow page content to be dependant on the authorization of the user Use method isUserInRole of HTTPServletRequest

17 Example Suppose that a page requires authorized access Both the employee role and the executive role can access the page Put in the page: Something regular employees should not see

Download ppt "Web Application Security Representation and Management of Data on the Web."

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.
Creating a Login Process Creating a users table and a login form that denies access to unauthorized users.

Creating a Login Process Creating a users table and a login form that denies access to unauthorized users.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Www.corewebprogramming.com JSP1 Java Server Pages (JSP) Introducing JavaServer Pages TM (JSP TM ) JSP scripting elements.

JSP1 Java Server Pages (JSP) Introducing JavaServer Pages TM (JSP TM ) JSP scripting elements.
Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.

Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.
Members Only & Login Modules Members Only works with the Login module to provide password protection to Web pages and files. Login Groups may be created.

Members Only & Login Modules Members Only works with the Login module to provide password protection to Web pages and files. Login Groups may be created.
® IBM Software Group © 2006 IBM Corporation Securing Your Application With WebSphere Security You will need to develop Login procedures for your web applications.

® IBM Software Group © 2006 IBM Corporation Securing Your Application With WebSphere Security You will need to develop Login procedures for your web applications.
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.

Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
CS4273: Distributed System Technologies and Programming I Lecture 10: Web Security Programming Web Application Security1.

CS4273: Distributed System Technologies and Programming I Lecture 10: Web Security Programming Web Application Security1.
Securing web applications using Java EE Dr Jim Briggs 1.

Securing web applications using Java EE Dr Jim Briggs 1.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
User and Security Management. Security Management in Web Applications.

User and Security Management. Security Management in Web Applications.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.

Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.
Java Server Pages Russell Beale. What are Java Server Pages? Separates content from presentation Good to use when lots of HTML to be presented to user,

Java Server Pages Russell Beale. What are Java Server Pages? Separates content from presentation Good to use when lots of HTML to be presented to user,
Web Site Security Representation and Management of Data on the Web.

Web Site Security Representation and Management of Data on the Web.

Similar presentations

Ads by Google