SE-2840 Dr. Mark L. Hornick: Web Application Security

1 Web Application Security

2 There are three main security concerns your web apps need to address:

Impersonation: a client pretends to be someone else in order to gain access to your site.

Upgrading: a client gains access to restricted aspects of your web app.

Eavesdropping: a third party gains access to confidential information exchanged between your site and a valid user.

3 All of these can be managed via the Deployment Descriptor. Tomcat incorporates a declarative security model that requires no changes to your Servlets or pages: Tomcat itself handles Authentication, Authorization, and Data Encryption.

4 The server.xml file contains configuration specifications for Tomcat operation, including enabling HTTPS:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:/Apache/keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

Note: the blue text is (usually) already in this file, although commented out. I rearranged the comments and added the green line that specifies the file containing the generated Certificate.

5 Encrypting the transport of data ensures that sensitive data (e.g. passwords) will not be viewable during transmission either to or from the server.

<!-- This section declares specific resources whose access is to be constrained by the Tomcat security manager. -->
SecuredPages
/MyApp/somepage.html
/MyApp/page2.jsp
/MyApp/myServlet
<!-- This specifies that the browser and server establish an encrypted connection for exchanging request and response data -->
CONFIDENTIAL
...

The default transport is NONE.

6 Demo

7 Generating a certificate (See http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html)

Note: When prompted for the password, I entered "changeit"

11 Authorization allows a web app to restrict access to specific parts of an application.

admin
member
<!-- This section declares specific resources to be accessible only by users in certain roles (defined in the separate tomcat-users.xml file). -->
SecuredPages
/MyApp/admin.jsp
/MyApp/manage.jsp
...
Admin
Manager
...

12 The tomcat-users.xml file contains role, username, and password definitions:

<!-- NOTE: By default, no user is included in the "manager" role required to operate the "/manager" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary. -->
<!-- NOTE: The sample user and role entries below are wrapped in a comment and thus are ignored when reading this file. Do not forget to remove the comment markers that surround them. -->
<!-- -->
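A complete tomcat-users.xml in the form the slide describes, added here as an illustration rather than the deck's own file. The role names admin and member come from the later slides and manager from the comment above; the user names and the EXAMPLE-PASSWORD values are constructed placeholders:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example tomcat-users.xml (added illustration, not the slide deck's own file).
     Role names follow the slides; user names and passwords are constructed
     sample values and must be replaced before use. -->
<tomcat-users>
  <!-- Roles referenced by role-name entries in the web app's web.xml -->
  <role rolename="admin"/>
  <role rolename="member"/>
  <!-- Needed only if someone should operate the /manager web application -->
  <role rolename="manager"/>

  <!-- A user may hold several roles (comma-separated). Passwords here are
       stored in cleartext by default, so this file must be readable only
       by the account Tomcat runs as. -->
  <user username="alice" password="EXAMPLE-PASSWORD-1" roles="admin,member"/>
  <user username="bob" password="EXAMPLE-PASSWORD-2" roles="member"/>
  <user username="tomcat-admin" password="EXAMPLE-PASSWORD-3" roles="manager"/>
</tomcat-users>
```

Tomcat reads this file through its default MemoryRealm / UserDatabaseRealm at startup, so edits take effect only after a restart; a user who needs access to both the admin and member pages simply lists both roles.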

13 Demo

14 Authentication allows a web app to validate the identity of a client.

admin
member
SecuredPages
/MyApp/admin.jsp
/MyApp/manage.jsp
Admin
Manager
<!-- When you specify a login-config, the container automatically supplies a username/password prompt -->
BASIC

15 You can define your own login page if you don't like the default popup dialog:

admin
member
SecuredPages
/MyApp/admin.jsp
/MyApp/manage.jsp
Admin
Manager
CONFIDENTIAL
FORM
/login.html
/loginError.html
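The descriptor fragments shown on slides 5, 11, 14 and 15 (transport constraint, role constraint and login-config) combined into one WEB-INF/web.xml security section, as an added example rather than the deck's own descriptor. It assumes the application's context path is /MyApp, so the url-pattern values are written relative to the context root, without the /MyApp prefix; the element names are the standard Servlet 2.4 deployment-descriptor elements that Tomcat 5.5 reads:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example WEB-INF/web.xml security section (added illustration, not the
     deck's own descriptor). Page names and role names follow the slides;
     url-pattern values are relative to the context root (assumed /MyApp). -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Authorization + confidentiality: only users in admin or member may
       reach these resources, and only over an encrypted connection. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/admin.jsp</url-pattern>
      <url-pattern>/manage.jsp</url-pattern>
      <url-pattern>/myServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- The default is NONE; CONFIDENTIAL makes Tomcat refuse plain HTTP
           for these resources and redirect the browser to the HTTPS port. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: a container-managed FORM login instead of the BASIC
       browser popup. Neither login page may fall under the constrained
       patterns above, or an unauthenticated browser could never load it. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced above; they must also exist in tomcat-users.xml -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

With this in place a request for http://host:8080/MyApp/admin.jsp is first redirected to the port named by the HTTP connector's redirectPort attribute (8443 in the default server.xml), then intercepted by the container and sent to /login.html; the servlet or JSP only runs once the authenticated user holds one of the listed roles. Replacing FORM with BASIC removes the need for the form-login-config element and the two pages.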

16 The login form must use the indicated action and input field names:

Login please
username:
password:
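The login page itself, as an added example rather than the deck's page, written as XHTML so that it is well-formed XML like the descriptors above. The action j_security_check and the field names j_username and j_password are the names fixed by the Servlet specification for FORM authentication, which is what the slide refers to as the indicated action and input field names:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- Example /login.html for FORM authentication (added illustration, not the
     deck's own page). The container intercepts the POST to j_security_check,
     so no servlet of your own ever sees the password. -->
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>Login please</title>
  </head>
  <body>
    <h1>Login please</h1>
    <!-- method="post" keeps the credentials out of the URL, the access log
         and the browser history; the page should itself be served over
         the HTTPS connector so the form is not delivered in the clear. -->
    <form method="post" action="j_security_check">
      <p>username: <input type="text" name="j_username" /></p>
      <p>password: <input type="password" name="j_password" /></p>
      <p><input type="submit" value="Log in" /></p>
    </form>
  </body>
</html>
```

On a failed login the container serves the form-error-page named in web.xml (/loginError.html on slide 15); that page should say only that the login failed, not which of the two fields was wrong.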
