SlideShare a Scribd company logo

Java Web Programming [9/9] : Web Application Security

IMC Institute
IMC Institute

Presentation for Java Web Programming Course; 2011

Technology
1 of 36
Download to read offline
Module 9: Web Application Security Thanisa Kruawaisayawan Thanachart Numnonda www.imcinstitute.com
Objectives  General security issues  Authentication  Authorization  Data Integrity  Confidentiality  Web-tier Authentication Schemes  BASIC  DIGEST  FORM  CLIENT-CERT  Declarative Authorization 2
General Security Issues  Authentication for identity verification Making sure a user is who he claims he is  Authorization (Access control) Making sure resources are accessible only to users who have access privilege The user has to be authenticated first  Data Integrity - Making suere that information has not been modified by a third party while in transit.  Confidentiality (Privacy) Protecting the sensitive data from prying eyes while it is on the wire 3
Security Requirements at Web-Tier  Preventing unauthorized users from accessing “access controlled” web resource If an unauthenticated user tries to access “access controlled” web resource, web container will automatically ask the user to authenticate himself first Once the user authenticated, web container (and/or web components) then enforces access control  Preventing attackers from changing or reading sensitive data while it is on the wire Data can be protected via SSL 4
Web-Tier Security Scheme Should Address “Authentication” 1. Collecting user identity information from an end user typically through browser interface user identity information usually means username and password this is called “logging in” 1. Transporting collected user identity information to the web server unsecurely (HTTP) or securely (HTTP over SSL) 5
Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Performing identity checking with backend “security database” (Realms) Web container checks if collected user identity matches with the one in the backend “security database” These backend “security database” are called Realms Realms maintain  Username, password, roles, etc. How these realms are organized and managed are product and operational environment dependent  LDAP, RDBMS, Flat-file, Solaris PAM, Windows AD 6
Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Web container keep track of previously authenticated users for further HTTP operations Using internally maintained session state, web container knows if the caller of subsequent HTTP requests has been authenticated Web container also creates HttpServletRequest object for subsequent HTTP requests  HttpServletRequest object contains “security context” information Principal, Role, Username 7
Web-Tier Security Scheme Should Address “Access control”  Web application developer and/or deployer specifies access control to web resources Declarative and/or Programmatic access control 8
Web-Tier Security Scheme Should Address “Data confidentiality”  Providing confidentiality of the sensitive data that is being transported over the wire Between browser and web server Example: Credit card number Using SSL 9
Web-tier Authentication Schemes 1. HTTP Basic Authentication 2. HTTP Digest Authentication 3. Form-based Authentication 4. HTTPS Client Authentication 10
1. HTTP Basic Authentication  Web server collects user identification (user name and password) through a browser provided dialog box  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 11
Steps for Basic Authentication-based Web-tier Security 1. Set up username, passwords, and roles (realms) 2. Tell web container that you are using Basic authentication 3. Specify which URLs (web resources) should be access- controlled (password-protected) 4. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 12
Step 1: Set up username, passwords, and roles (Realms)  Schemes, APIs, and tools for setting up usernames, passwords, and roles (realms) are web container and operational environment specific Flat-file based, Database, LDAP server Passwords could be in either encrypted or unencrypted form  Tomcat 4.0 can work with the following realms default: file, unencrypted form Relational database (via JDBCRealm) LDAP server (via LDAPRealm) 13
Example: Tomcat's default  <install-dir>/conf/tomcat-users.xml  Unencrypted: not secure but easy to set up and maintain <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="admin"/> <role rolename="user"/> <user username="kmitl" password="kmitl" roles="user" /> <user username="root" password="root" roles="manager,admin" /> </tomcat-users> 14
Step 2: Tell web container that you are using Basic authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 15
Step 3: Specify which URLs should be access-controlled <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 16
Step 4: Specify which URLs should be available only with SSL <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... 17 </web-app>
2. HTTP Digest Authentication  HTTP digest authentication  The HTTP digest authentication also gets the username/password details in a manner similar to that of basic authentication.  However, the authentication is performed by transmitting the password in an encrypted form.  Only some Web browsers and containers support it. 18
3. Form-based Authentication  Web application collects user identification (user name, password, and other information) through a custom login page  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 19
Form-Based Auth. Control Flow Request Response Page Login Error Page Form 1 7 4 5 9 Protected Login.jsp j_security_check Error.html 2 Resource 3 6 8 1. Request made by client 6. Authentication Login succeeded, 2. Is client authenticated? redirected to resource 7. Authorization Permission tested, 3. Unauthenticated client result returned redirected 8. Login failed, redirect to error page 4 . L og i n f or m r et u r n ed t o cl i en t 9. Error page returned to client 5. Client submits login form 20
Steps for Form-based Authentication based Web-tier Security 1. Set up username, passwords, and roles (realms): Same as in Basic-authentication 2. Tell web container that you are using Form-based authentication 3. Create custom “Login page” 4. Create custom “Error page” 5. Specify which URLs (web resources) should be access- controlled (password-protected) 6. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 21
Step 2: Tell web container that you are using Form-based authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 22
Step 3: Create custom “Login Page”  Can be HTML or JSP page  Contains HTML form like following <FORM ACTION="j_security_check" METHOD="POST"> <INPUT TYPE="TEXT" NAME="j_username"> <INPUT TYPE="PASSWORD" NAME="j_password"> </FORM> 23
Step 4: Create Error page  Can be HTML or JSP page  No specific content is mandated 24
Step 5: Specify which URLs should be access- controlled (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 25
Step 6: Specify which URLs should be available only with SSL (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 26
Basic and Form-based Form-based Basic Form-based • Uses “browser provided • Uses “web application dialog box” to get provided login page” to username and get username and password password • Only username and • Custom data can be password can be collected collected • Can enforce consistent • Might result in different look and feel look and feel • Form data is used to • HTTP Authentication convey username and header is used to password convey username and • Can enter a new user password name via login page • No good way to enter a 27
4. HTTPS Client Authentication  HTTPS client authentication  End-user authentication using HTTP over SSL (HTTPS) requires the user to possess a public key certificate (PKC).  All the data is transmitted after incorporating public key encryption.  It is the most secure authentication type.  It is supported by all the common browsers. 28
Confidentiality of Passwords  For Basic and Form-based authentication, unless explicitly specified, the password gets transported in unencrypted form (Base64)  The <transport-guarantee> element can contain any of three values:  NONE means no transport guarantee  INTEGRAL means data cannot be changed in transit  CONFIDENTIAL means the contents of a transmission cannot be observed  Example: <user-data-constraint> <description> Integral Transmission </description> <transport-guarantee>INTEGRAL</transport-guarantee> </user-data-constraint> 29
Steps for Declarative Authorization at Web-tier 1. Deployer maps actual user identities to security roles using vendor specific tools 2. Deployer declares security roles in the deployment descriptor 3. Deployer declares URL permissions in the deployment descriptor for each security role This is already covered above under “Web-tier security schemes” segment! 30
Declarative and Programmatic Authorization (Access Control)  They are usually used together Declarative access control for role-based access control Programmatic access control for user instance- based and business logic based access control  User instance  Time of the day  Parameters of the request  Internal state of the web component 31
Steps for Programmatic Authorization at Web-tier 1. Set up username, passwords, and roles (realms) 2. Servlet programmer writes programmatic authorization logic inside the Servlet code using abstract security roles 3. Deployer maps abstract security roles to actual roles (for a particular operational environment) in the web.xml 32
Step 2: Servlet Programmer writes programmatic authorization logic public interface javax.servlet.http.HTTPServletRequest{ ... // Find out who is accessing your web resource public java.security.Principal getUserPrincipal(); public String getRemoteUser(); // Is the caller in a particular role? public boolean isUserInRole(String role); ... } 33
Example: “Employees” can only access their own Salary Information public double getSalary(String employeeId) { java.security.Principal userPrincipal = request.getUserPrincipal(); String callerId = userPrincipal.getName(); // “manager” role can read employee salary information // employee can read only his/her own salary information if ( (request.isUserInRole(“manager”)) || ((request.isUserInRole(“employee”)) && (callerId == employeeId)) ) { // return Salary information for the employee getSalaryInformationSomehow(employeeId); } else { throw new SecurityException(“access denied”); } 34
Acknowledgement Most contents are borrowed from the presentation slides of Sang Shin, Java™ Technology Evangelist, Sun Microsystems, Inc.
Thank you thananum@gmail.com www.facebook.com/imcinstitute www.imcinstitute.com 36

Recommended

Java Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet BasicJava Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet Basic
IMC Institute
 
Java Web Programming [5/9] : EL, JSTL and Custom Tags
Java Web Programming [5/9] : EL, JSTL and Custom TagsJava Web Programming [5/9] : EL, JSTL and Custom Tags
Java Web Programming [5/9] : EL, JSTL and Custom Tags
IMC Institute
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAX
IMC Institute
 
RESTEasy
RESTEasyRESTEasy
RESTEasy
Massimiliano Dessì
 
Servlets intro
Servlets introServlets intro
Servlets intro
vantinhkhuc
 
Creating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat ApplicationCreating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat Application
Micha Kops
 
Java web programming
Java web programmingJava web programming
Java web programming
Ching Yi Chan
 
Jsp/Servlet
Jsp/ServletJsp/Servlet
Jsp/Servlet
Sunil OS
 

Recommended

Java Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet BasicJava Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet Basic
IMC Institute
 
Java Web Programming [5/9] : EL, JSTL and Custom Tags
Java Web Programming [5/9] : EL, JSTL and Custom TagsJava Web Programming [5/9] : EL, JSTL and Custom Tags
Java Web Programming [5/9] : EL, JSTL and Custom Tags
IMC Institute
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAX
IMC Institute
 
RESTEasy
RESTEasyRESTEasy
RESTEasy
Massimiliano Dessì
 
Servlets intro
Servlets introServlets intro
Servlets intro
vantinhkhuc
 
Creating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat ApplicationCreating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat Application
Micha Kops
 
Java web programming
Java web programmingJava web programming
Java web programming
Ching Yi Chan
 
Jsp/Servlet
Jsp/ServletJsp/Servlet
Jsp/Servlet
Sunil OS
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session Management
Fahad Golra
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
Java servlet life cycle - methods ppt
Java servlet life cycle - methods pptJava servlet life cycle - methods ppt
Java servlet life cycle - methods ppt
kamal kotecha
 
Spring 4 final xtr_presentation
Spring 4 final xtr_presentationSpring 4 final xtr_presentation
Spring 4 final xtr_presentation
sourabh aggarwal
 
Spring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentationSpring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentation
sourabh aggarwal
 
Servlet sessions
Servlet sessionsServlet sessions
Servlet sessions
vantinhkhuc
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - Java
JainamParikh3
 
Bt0083 server side programing
Bt0083 server side programing Bt0083 server side programing
Bt0083 server side programing
Techglyphs
 
Lecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RSLecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RS
Fahad Golra
 
Servlet ppt by vikas jagtap
Servlet ppt by vikas jagtapServlet ppt by vikas jagtap
Servlet ppt by vikas jagtap
Vikas Jagtap
 
Lecture 2
Lecture 2Lecture 2
Lecture 2
Ahmed Madkor
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5
Arun Gupta
 
Java - Servlet - Mazenet Solution
Java - Servlet - Mazenet SolutionJava - Servlet - Mazenet Solution
Java - Servlet - Mazenet Solution
Mazenetsolution
 
Managing user's data with Spring Session
Managing user's data with Spring SessionManaging user's data with Spring Session
Managing user's data with Spring Session
David Gómez García
 
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
mfrancis
 
Servlets
ServletsServlets
Servlets
Geethu Mohan
 
Servlet
Servlet Servlet
Servlet
Dhara Joshi
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
Emprovise
 
JAVA Servlets
JAVA ServletsJAVA Servlets
JAVA Servlets
deepak kumar
 
An Introduction To Java Web Technology
An Introduction To Java Web TechnologyAn Introduction To Java Web Technology
An Introduction To Java Web Technology
vikram singh
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
Ben Abdallah Helmi
 
A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1
Shaibi Varkey
 

More Related Content

What's hot

Servlet sessions
Servlet sessionsServlet sessions
Servlet sessions
vantinhkhuc
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5
Arun Gupta
 
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
mfrancis
 
An Introduction To Java Web Technology
An Introduction To Java Web TechnologyAn Introduction To Java Web Technology
An Introduction To Java Web Technology
vikram singh
 

What's hot (20)

Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session Management
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
 
Java servlet life cycle - methods ppt
Java servlet life cycle - methods pptJava servlet life cycle - methods ppt
Java servlet life cycle - methods ppt
 
Spring 4 final xtr_presentation
Spring 4 final xtr_presentationSpring 4 final xtr_presentation
Spring 4 final xtr_presentation
 
Spring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentationSpring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentation
 
Servlet sessions
Servlet sessionsServlet sessions
Servlet sessions
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - Java
 
Bt0083 server side programing
Bt0083 server side programing Bt0083 server side programing
Bt0083 server side programing
 
Lecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RSLecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RS
 
Servlet ppt by vikas jagtap
Servlet ppt by vikas jagtapServlet ppt by vikas jagtap
Servlet ppt by vikas jagtap
 
Lecture 2
Lecture 2Lecture 2
Lecture 2
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5
 
Java - Servlet - Mazenet Solution
Java - Servlet - Mazenet SolutionJava - Servlet - Mazenet Solution
Java - Servlet - Mazenet Solution
 
Managing user's data with Spring Session
Managing user's data with Spring SessionManaging user's data with Spring Session
Managing user's data with Spring Session
 
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
 
Servlets
ServletsServlets
Servlets
 
Servlet
Servlet Servlet
Servlet
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
 
JAVA Servlets
JAVA ServletsJAVA Servlets
JAVA Servlets
 
An Introduction To Java Web Technology
An Introduction To Java Web TechnologyAn Introduction To Java Web Technology
An Introduction To Java Web Technology
 

Viewers also liked

A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1
Shaibi Varkey
 
graphical password authentication
graphical password authenticationgraphical password authentication
graphical password authentication
Akhil Kumar
 
Graphical password authentication
Graphical password authenticationGraphical password authentication
Graphical password authentication
Asim Kumar Pathak
 
Level 3 Security solutions
Level 3 Security solutionsLevel 3 Security solutions
Level 3 Security solutions
Alan Rudd
 

Viewers also liked (10)

SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1
 
3D password
3D password3D password
3D password
 
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUDKEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password Authentication
 
graphical password authentication
graphical password authenticationgraphical password authentication
graphical password authentication
 
Basic suture patterns
Basic suture patternsBasic suture patterns
Basic suture patterns
 
Graphical password authentication
Graphical password authenticationGraphical password authentication
Graphical password authentication
 
Web Mining
Web Mining Web Mining
Web Mining
 
Level 3 Security solutions
Level 3 Security solutionsLevel 3 Security solutions
Level 3 Security solutions
 

Similar to Java Web Programming [9/9] : Web Application Security

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Hai Nguyen
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
webhostingguy
 
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
Session 4 : securing web application - Giáo trình Bách Khoa AptechSession 4 : securing web application - Giáo trình Bách Khoa Aptech
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
MasterCode.vn
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
WebStackAcademy
 

Similar to Java Web Programming [9/9] : Web Application Security (20)

Web security
Web securityWeb security
Web security
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogic
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE Security
 
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
Session 4 : securing web application - Giáo trình Bách Khoa AptechSession 4 : securing web application - Giáo trình Bách Khoa Aptech
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 
Synapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developerSynapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developer
 
O auth 2
O auth 2O auth 2
O auth 2
 
Advance java session 19
Advance java session 19Advance java session 19
Advance java session 19
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
 
Web security
Web securityWeb security
Web security
 

More from IMC Institute

More from IMC Institute (20)

นิตยสาร Digital Trends ฉบับที่ 14
นิตยสาร Digital Trends ฉบับที่ 14นิตยสาร Digital Trends ฉบับที่ 14
นิตยสาร Digital Trends ฉบับที่ 14
 
Digital trends Vol 4 No. 13 Sep-Dec 2019
Digital trends Vol 4 No. 13 Sep-Dec 2019Digital trends Vol 4 No. 13 Sep-Dec 2019
Digital trends Vol 4 No. 13 Sep-Dec 2019
 
บทความ The evolution of AI
บทความ The evolution of AIบทความ The evolution of AI
บทความ The evolution of AI
 
IT Trends eMagazine Vol 4. No.12
IT Trends eMagazine Vol 4. No.12IT Trends eMagazine Vol 4. No.12
IT Trends eMagazine Vol 4. No.12
 
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformationเพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
 
IT Trends 2019: Putting Digital Transformation to Work
IT Trends 2019: Putting Digital Transformation to WorkIT Trends 2019: Putting Digital Transformation to Work
IT Trends 2019: Putting Digital Transformation to Work
 
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรมมูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
 
IT Trends eMagazine Vol 4. No.11
IT Trends eMagazine Vol 4. No.11IT Trends eMagazine Vol 4. No.11
IT Trends eMagazine Vol 4. No.11
 
แนวทางการทำ Digital transformation
แนวทางการทำ Digital transformationแนวทางการทำ Digital transformation
แนวทางการทำ Digital transformation
 
บทความ The New Silicon Valley
บทความ The New Silicon Valleyบทความ The New Silicon Valley
บทความ The New Silicon Valley
 
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
 
แนวทางการทำ Digital transformation
แนวทางการทำ Digital transformationแนวทางการทำ Digital transformation
แนวทางการทำ Digital transformation
 
The Power of Big Data for a new economy (Sample)
The Power of Big Data for a new economy (Sample)The Power of Big Data for a new economy (Sample)
The Power of Big Data for a new economy (Sample)
 
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
 
IT Trends eMagazine Vol 3. No.9
IT Trends eMagazine Vol 3. No.9 IT Trends eMagazine Vol 3. No.9
IT Trends eMagazine Vol 3. No.9
 
Thailand software & software market survey 2016
Thailand software & software market survey 2016Thailand software & software market survey 2016
Thailand software & software market survey 2016
 
Developing Business Blockchain Applications on Hyperledger
Developing Business Blockchain Applications on Hyperledger Developing Business Blockchain Applications on Hyperledger
Developing Business Blockchain Applications on Hyperledger
 
Digital transformation @thanachart.org
Digital transformation @thanachart.orgDigital transformation @thanachart.org
Digital transformation @thanachart.org
 
บทความ Big Data จากบล็อก thanachart.org
บทความ Big Data จากบล็อก thanachart.orgบทความ Big Data จากบล็อก thanachart.org
บทความ Big Data จากบล็อก thanachart.org
 
กลยุทธ์ 5 ด้านกับการทำ Digital Transformation
กลยุทธ์ 5 ด้านกับการทำ Digital Transformationกลยุทธ์ 5 ด้านกับการทำ Digital Transformation
กลยุทธ์ 5 ด้านกับการทำ Digital Transformation
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Java Web Programming [9/9] : Web Application Security

  • 1. Module 9: Web Application Security Thanisa Kruawaisayawan Thanachart Numnonda www.imcinstitute.com
  • 2. Objectives  General security issues  Authentication  Authorization  Data Integrity  Confidentiality  Web-tier Authentication Schemes  BASIC  DIGEST  FORM  CLIENT-CERT  Declarative Authorization 2
  • 3. General Security Issues  Authentication for identity verification Making sure a user is who he claims he is  Authorization (Access control) Making sure resources are accessible only to users who have access privilege The user has to be authenticated first  Data Integrity - Making suere that information has not been modified by a third party while in transit.  Confidentiality (Privacy) Protecting the sensitive data from prying eyes while it is on the wire 3
  • 4. Security Requirements at Web-Tier  Preventing unauthorized users from accessing “access controlled” web resource If an unauthenticated user tries to access “access controlled” web resource, web container will automatically ask the user to authenticate himself first Once the user authenticated, web container (and/or web components) then enforces access control  Preventing attackers from changing or reading sensitive data while it is on the wire Data can be protected via SSL 4
  • 5. Web-Tier Security Scheme Should Address “Authentication” 1. Collecting user identity information from an end user typically through browser interface user identity information usually means username and password this is called “logging in” 1. Transporting collected user identity information to the web server unsecurely (HTTP) or securely (HTTP over SSL) 5
  • 6. Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Performing identity checking with backend “security database” (Realms) Web container checks if collected user identity matches with the one in the backend “security database” These backend “security database” are called Realms Realms maintain  Username, password, roles, etc. How these realms are organized and managed are product and operational environment dependent  LDAP, RDBMS, Flat-file, Solaris PAM, Windows AD 6
  • 7. Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Web container keep track of previously authenticated users for further HTTP operations Using internally maintained session state, web container knows if the caller of subsequent HTTP requests has been authenticated Web container also creates HttpServletRequest object for subsequent HTTP requests  HttpServletRequest object contains “security context” information Principal, Role, Username 7
  • 8. Web-Tier Security Scheme Should Address “Access control”  Web application developer and/or deployer specifies access control to web resources Declarative and/or Programmatic access control 8
  • 9. Web-Tier Security Scheme Should Address “Data confidentiality”  Providing confidentiality of the sensitive data that is being transported over the wire Between browser and web server Example: Credit card number Using SSL 9
  • 10. Web-tier Authentication Schemes 1. HTTP Basic Authentication 2. HTTP Digest Authentication 3. Form-based Authentication 4. HTTPS Client Authentication 10
  • 11. 1. HTTP Basic Authentication  Web server collects user identification (user name and password) through a browser provided dialog box  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 11
  • 12. Steps for Basic Authentication-based Web-tier Security 1. Set up username, passwords, and roles (realms) 2. Tell web container that you are using Basic authentication 3. Specify which URLs (web resources) should be access- controlled (password-protected) 4. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 12
  • 13. Step 1: Set up username, passwords, and roles (Realms)  Schemes, APIs, and tools for setting up usernames, passwords, and roles (realms) are web container and operational environment specific Flat-file based, Database, LDAP server Passwords could be in either encrypted or unencrypted form  Tomcat 4.0 can work with the following realms default: file, unencrypted form Relational database (via JDBCRealm) LDAP server (via LDAPRealm) 13
  • 14. Example: Tomcat's default  <install-dir>/conf/tomcat-users.xml  Unencrypted: not secure but easy to set up and maintain <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="admin"/> <role rolename="user"/> <user username="kmitl" password="kmitl" roles="user" /> <user username="root" password="root" roles="manager,admin" /> </tomcat-users> 14
  • 15. Step 2: Tell web container that you are using Basic authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 15
  • 16. Step 3: Specify which URLs should be access-controlled <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 16
  • 17. Step 4: Specify which URLs should be available only with SSL <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... 17 </web-app>
  • 18. 2. HTTP Digest Authentication  HTTP digest authentication  The HTTP digest authentication also gets the username/password details in a manner similar to that of basic authentication.  However, the authentication is performed by transmitting the password in an encrypted form.  Only some Web browsers and containers support it. 18
  • 19. 3. Form-based Authentication  Web application collects user identification (user name, password, and other information) through a custom login page  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 19
  • 20. Form-Based Auth. Control Flow Request Response Page Login Error Page Form 1 7 4 5 9 Protected Login.jsp j_security_check Error.html 2 Resource 3 6 8 1. Request made by client 6. Authentication Login succeeded, 2. Is client authenticated? redirected to resource 7. Authorization Permission tested, 3. Unauthenticated client result returned redirected 8. Login failed, redirect to error page 4 . L og i n f or m r et u r n ed t o cl i en t 9. Error page returned to client 5. Client submits login form 20
  • 21. Steps for Form-based Authentication based Web-tier Security 1. Set up username, passwords, and roles (realms): Same as in Basic-authentication 2. Tell web container that you are using Form-based authentication 3. Create custom “Login page” 4. Create custom “Error page” 5. Specify which URLs (web resources) should be access- controlled (password-protected) 6. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 21
  • 22. Step 2: Tell web container that you are using Form-based authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 22
  • 23. Step 3: Create custom “Login Page”  Can be HTML or JSP page  Contains HTML form like following <FORM ACTION="j_security_check" METHOD="POST"> <INPUT TYPE="TEXT" NAME="j_username"> <INPUT TYPE="PASSWORD" NAME="j_password"> </FORM> 23
  • 24. Step 4: Create Error page  Can be HTML or JSP page  No specific content is mandated 24
  • 25. Step 5: Specify which URLs should be access- controlled (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 25
  • 26. Step 6: Specify which URLs should be available only with SSL (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 26
  • 27. Basic and Form-based Form-based Basic Form-based • Uses “browser provided • Uses “web application dialog box” to get provided login page” to username and get username and password password • Only username and • Custom data can be password can be collected collected • Can enforce consistent • Might result in different look and feel look and feel • Form data is used to • HTTP Authentication convey username and header is used to password convey username and • Can enter a new user password name via login page • No good way to enter a 27
  • 28. 4. HTTPS Client Authentication  HTTPS client authentication  End-user authentication using HTTP over SSL (HTTPS) requires the user to possess a public key certificate (PKC).  All the data is transmitted after incorporating public key encryption.  It is the most secure authentication type.  It is supported by all the common browsers. 28
  • 29. Confidentiality of Passwords  For Basic and Form-based authentication, unless explicitly specified, the password gets transported in unencrypted form (Base64)  The <transport-guarantee> element can contain any of three values:  NONE means no transport guarantee  INTEGRAL means data cannot be changed in transit  CONFIDENTIAL means the contents of a transmission cannot be observed  Example: <user-data-constraint> <description> Integral Transmission </description> <transport-guarantee>INTEGRAL</transport-guarantee> </user-data-constraint> 29
  • 30. Steps for Declarative Authorization at Web-tier 1. Deployer maps actual user identities to security roles using vendor specific tools 2. Deployer declares security roles in the deployment descriptor 3. Deployer declares URL permissions in the deployment descriptor for each security role This is already covered above under “Web-tier security schemes” segment! 30
  • 31. Declarative and Programmatic Authorization (Access Control)  They are usually used together Declarative access control for role-based access control Programmatic access control for user instance- based and business logic based access control  User instance  Time of the day  Parameters of the request  Internal state of the web component 31
  • 32. Steps for Programmatic Authorization at Web-tier 1. Set up username, passwords, and roles (realms) 2. Servlet programmer writes programmatic authorization logic inside the Servlet code using abstract security roles 3. Deployer maps abstract security roles to actual roles (for a particular operational environment) in the web.xml 32
  • 33. Step 2: Servlet Programmer writes programmatic authorization logic public interface javax.servlet.http.HTTPServletRequest{ ... // Find out who is accessing your web resource public java.security.Principal getUserPrincipal(); public String getRemoteUser(); // Is the caller in a particular role? public boolean isUserInRole(String role); ... } 33
  • 34. Example: “Employees” can only access their own Salary Information public double getSalary(String employeeId) { java.security.Principal userPrincipal = request.getUserPrincipal(); String callerId = userPrincipal.getName(); // “manager” role can read employee salary information // employee can read only his/her own salary information if ( (request.isUserInRole(“manager”)) || ((request.isUserInRole(“employee”)) && (callerId == employeeId)) ) { // return Salary information for the employee getSalaryInformationSomehow(employeeId); } else { throw new SecurityException(“access denied”); } 34
  • 35. Acknowledgement Most contents are borrowed from the presentation slides of Sang Shin, Java™ Technology Evangelist, Sun Microsystems, Inc.
  • 36. Thank you thananum@gmail.com www.facebook.com/imcinstitute www.imcinstitute.com 36