Published by Leonard Butler. Modified over 9 years ago.
1
SE-2840, Dr. Mark L. Hornick: Web Application Security
2
There are three main security concerns your web apps need to address:
- Impersonation: a client pretends to be someone else in order to gain access to your site.
- Upgrading: a client gains access to restricted aspects of your web app.
- Eavesdropping: a third party gains access to confidential information exchanged between your site and a valid user.
3
All of these can be managed via the Deployment Descriptor (web.xml). Tomcat incorporates a declarative security model that requires no changes to your Servlets or pages: Tomcat itself handles Authentication, Authorization, and Data Encryption.
4
The server.xml file contains configuration specifications for Tomcat operation, including enabling HTTPS:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:/Apache/keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

Note: the Connector element is (usually) already in this file, although commented out. I rearranged the comments and added the keystoreFile line, which specifies the file containing the generated Certificate.
5
Encrypting the transport of data ensures that sensitive data (e.g. passwords) will not be viewable during transmission either to or from the server. In web.xml (the element names below are the standard Servlet deployment-descriptor elements; the slide as extracted shows only their values):

    <!-- This section declares specific resources whose access is to be constrained by the Tomcat security manager. -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecuredPages</web-resource-name>
        <url-pattern>/MyApp/somepage.html</url-pattern>
        <url-pattern>/MyApp/page2.jsp</url-pattern>
        <url-pattern>/MyApp/myServlet</url-pattern>
      </web-resource-collection>
      <!-- This specifies that the browser and server establish an encrypted connection for exchanging request and response data -->
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      ...
    </security-constraint>

The default transport-guarantee is NONE.
6
Demo
7
Generating a certificate (see http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html). Note: when prompted for the password, I entered “changeit”.
8-10
[Slides 8 to 10 are screenshots of the certificate-generation steps; no text survived extraction.]
11
Authorization allows a web app to restrict access to specific parts of an application. In web.xml (the element names below are the standard Servlet deployment-descriptor elements; the slide as extracted shows only their values):

    <security-role><role-name>admin</role-name></security-role>
    <security-role><role-name>member</role-name></security-role>
    <!-- This section declares specific resources to be accessible only by users in certain roles (defined in the separate tomcat-users.xml file). -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecuredPages</web-resource-name>
        <url-pattern>/MyApp/admin.jsp</url-pattern>
        <url-pattern>/MyApp/manage.jsp</url-pattern>
        ...
      </web-resource-collection>
      <auth-constraint>
        <!-- the permitted role names go here; the slide's text at this point reads "Admin Manager..." -->
      </auth-constraint>
    </security-constraint>
12
The tomcat-users.xml file contains role, username, and password definitions. The slide's role and user entries did not survive extraction; only Tomcat's stock comments remain:

    <!-- NOTE: By default, no user is included in the "manager" role required to operate the "/manager" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary. -->
    <!-- NOTE: The sample user and role entries below are wrapped in a comment and thus are ignored when reading this file. Do not forget to remove the comment markers that surround them. -->
13
Demo
14
Authentication allows a web app to validate the identity of a client. The web.xml of slide 11 (security-role declarations for admin and member, the SecuredPages constraint on /MyApp/admin.jsp and /MyApp/manage.jsp, and its auth-constraint) gains a login-config:

    <!-- When you specify a login-config, the container automatically supplies a username/password prompt -->
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
15
You can define your own login page if you don’t like the default popup dialog. The same SecuredPages constraint now also carries a CONFIDENTIAL transport-guarantee, and the login-config switches to FORM authentication:

    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    ...
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/loginError.html</form-error-page>
      </form-login-config>
    </login-config>
16
The login form must use the indicated action and input field names. The Servlet specification fixes these as the action j_security_check and the fields j_username and j_password (the slide's own markup did not survive extraction; only its labels did):

    <form method="POST" action="j_security_check">
      Login please
      username: <input type="text" name="j_username">
      password: <input type="password" name="j_password">
      <input type="submit" value="Login">
    </form>
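As an added example that is not part of the lecture, the following Python script audits the declarative security of slides 5, 11, 14 and 15 together: it parses a constructed web.xml and tomcat-users.xml and reports a constrained URL left on the default transport NONE, a constraint with no auth-constraint, a role referenced in web.xml but absent from tomcat-users.xml, and a user still on the default password "changeit". The file contents, the user alice and the second (MemberPages) constraint are constructed assumptions; the element names are the standard Servlet and Tomcat ones.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: SecuredPages follows the slides; MemberPages is an
# assumed second constraint whose author forgot the user-data-constraint.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><web-resource-name>SecuredPages</web-resource-name>
   <url-pattern>/MyApp/admin.jsp</url-pattern><url-pattern>/MyApp/manage.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>MemberPages</web-resource-name>
   <url-pattern>/MyApp/somepage.html</url-pattern></web-resource-collection>
  <auth-constraint><role-name>member</role-name></auth-constraint>
 </security-constraint>
 <login-config><auth-method>FORM</auth-method><form-login-config>
  <form-login-page>/login.html</form-login-page><form-error-page>/loginError.html</form-error-page>
 </form-login-config></login-config>
</web-app>"""

# Constructed tomcat-users.xml: defines admin only and keeps the default password.
USERS_XML = """<tomcat-users>
 <role rolename="admin"/>
 <user username="alice" password="changeit" roles="admin"/>
</tomcat-users>"""

def audit(web_xml=WEB_XML, users_xml=USERS_XML):
    """Return a list of findings; an empty list means the two descriptors agree."""
    findings = []
    app, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    defined = {r.get("rolename") for r in users.iter("role")}
    for sc in app.iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name")
        roles = [r.text for r in sc.iter("role-name")]  # role-name only occurs in auth-constraint here
        # A missing user-data-constraint means the default transport, NONE.
        guarantee = sc.findtext("user-data-constraint/transport-guarantee") or "NONE"
        if guarantee == "NONE":
            findings.append(f"{name}: transport-guarantee NONE, requests travel unencrypted")
        if not roles:
            findings.append(f"{name}: no auth-constraint, any client may access these URLs")
        findings += [f"{name}: role {r!r} not defined in tomcat-users.xml"
                     for r in roles if r not in defined]
    for u in users.iter("user"):
        if u.get("password") == "changeit":
            findings.append(f"user {u.get('username')!r} still uses the default password")
    return findings
```

For the constructed input, audit() returns three findings: MemberPages on transport NONE, the undefined member role, and alice's default password.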