SlideShare a Scribd company logo

Java Web Programming [9/9] : Web Application Security

IMC Institute
IMC Institute

This document provides an overview of web application security. It discusses general security issues like authentication, authorization, data integrity and confidentiality. It then describes different web-tier authentication schemes like BASIC, DIGEST, FORM and CLIENT-CERT. Finally, it covers declarative and programmatic authorization approaches for access control at the web-tier.

1 of 36
Downloaded 97 times
1
Module 9: Web Application Security Thanisa Kruawaisayawan Thanachart Numnonda www.imcinstitute.com
2
Objectives  General security issues  Authentication  Authorization  Data Integrity  Confidentiality  Web-tier Authentication Schemes  BASIC  DIGEST  FORM  CLIENT-CERT  Declarative Authorization 2
3
General Security Issues  Authentication for identity verification Making sure a user is who he claims he is  Authorization (Access control) Making sure resources are accessible only to users who have access privilege The user has to be authenticated first  Data Integrity - Making suere that information has not been modified by a third party while in transit.  Confidentiality (Privacy) Protecting the sensitive data from prying eyes while it is on the wire 3
4
Security Requirements at Web-Tier  Preventing unauthorized users from accessing “access controlled” web resource If an unauthenticated user tries to access “access controlled” web resource, web container will automatically ask the user to authenticate himself first Once the user authenticated, web container (and/or web components) then enforces access control  Preventing attackers from changing or reading sensitive data while it is on the wire Data can be protected via SSL 4
5
Web-Tier Security Scheme Should Address “Authentication” 1. Collecting user identity information from an end user typically through browser interface user identity information usually means username and password this is called “logging in” 1. Transporting collected user identity information to the web server unsecurely (HTTP) or securely (HTTP over SSL) 5
6
Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Performing identity checking with backend “security database” (Realms) Web container checks if collected user identity matches with the one in the backend “security database” These backend “security database” are called Realms Realms maintain  Username, password, roles, etc. How these realms are organized and managed are product and operational environment dependent  LDAP, RDBMS, Flat-file, Solaris PAM, Windows AD 6
7
Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Web container keep track of previously authenticated users for further HTTP operations Using internally maintained session state, web container knows if the caller of subsequent HTTP requests has been authenticated Web container also creates HttpServletRequest object for subsequent HTTP requests  HttpServletRequest object contains “security context” information Principal, Role, Username 7
8
Web-Tier Security Scheme Should Address “Access control”  Web application developer and/or deployer specifies access control to web resources Declarative and/or Programmatic access control 8
9
Web-Tier Security Scheme Should Address “Data confidentiality”  Providing confidentiality of the sensitive data that is being transported over the wire Between browser and web server Example: Credit card number Using SSL 9
10
Web-tier Authentication Schemes 1. HTTP Basic Authentication 2. HTTP Digest Authentication 3. Form-based Authentication 4. HTTPS Client Authentication 10
11
1. HTTP Basic Authentication  Web server collects user identification (user name and password) through a browser provided dialog box  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 11
12
Steps for Basic Authentication-based Web-tier Security 1. Set up username, passwords, and roles (realms) 2. Tell web container that you are using Basic authentication 3. Specify which URLs (web resources) should be access- controlled (password-protected) 4. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 12
13
Step 1: Set up username, passwords, and roles (Realms)  Schemes, APIs, and tools for setting up usernames, passwords, and roles (realms) are web container and operational environment specific Flat-file based, Database, LDAP server Passwords could be in either encrypted or unencrypted form  Tomcat 4.0 can work with the following realms default: file, unencrypted form Relational database (via JDBCRealm) LDAP server (via LDAPRealm) 13
14
Example: Tomcat's default  <install-dir>/conf/tomcat-users.xml  Unencrypted: not secure but easy to set up and maintain <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="admin"/> <role rolename="user"/> <user username="kmitl" password="kmitl" roles="user" /> <user username="root" password="root" roles="manager,admin" /> </tomcat-users> 14
15
Step 2: Tell web container that you are using Basic authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 15
16
Step 3: Specify which URLs should be access-controlled <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 16
17
Step 4: Specify which URLs should be available only with SSL <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... 17 </web-app>
18
2. HTTP Digest Authentication  HTTP digest authentication  The HTTP digest authentication also gets the username/password details in a manner similar to that of basic authentication.  However, the authentication is performed by transmitting the password in an encrypted form.  Only some Web browsers and containers support it. 18
19
3. Form-based Authentication  Web application collects user identification (user name, password, and other information) through a custom login page  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 19
20
Form-Based Auth. Control Flow Request Response Page Login Error Page Form 1 7 4 5 9 Protected Login.jsp j_security_check Error.html 2 Resource 3 6 8 1. Request made by client 6. Authentication Login succeeded, 2. Is client authenticated? redirected to resource 7. Authorization Permission tested, 3. Unauthenticated client result returned redirected 8. Login failed, redirect to error page 4 . L og i n f or m r et u r n ed t o cl i en t 9. Error page returned to client 5. Client submits login form 20
21
Steps for Form-based Authentication based Web-tier Security 1. Set up username, passwords, and roles (realms): Same as in Basic-authentication 2. Tell web container that you are using Form-based authentication 3. Create custom “Login page” 4. Create custom “Error page” 5. Specify which URLs (web resources) should be access- controlled (password-protected) 6. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 21
22
Step 2: Tell web container that you are using Form-based authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 22
23
Step 3: Create custom “Login Page”  Can be HTML or JSP page  Contains HTML form like following <FORM ACTION="j_security_check" METHOD="POST"> <INPUT TYPE="TEXT" NAME="j_username"> <INPUT TYPE="PASSWORD" NAME="j_password"> </FORM> 23
24
Step 4: Create Error page  Can be HTML or JSP page  No specific content is mandated 24
25
Step 5: Specify which URLs should be access- controlled (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 25
26
Step 6: Specify which URLs should be available only with SSL (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 26
27
Basic and Form-based Form-based Basic Form-based • Uses “browser provided • Uses “web application dialog box” to get provided login page” to username and get username and password password • Only username and • Custom data can be password can be collected collected • Can enforce consistent • Might result in different look and feel look and feel • Form data is used to • HTTP Authentication convey username and header is used to password convey username and • Can enter a new user password name via login page • No good way to enter a 27
28
4. HTTPS Client Authentication  HTTPS client authentication  End-user authentication using HTTP over SSL (HTTPS) requires the user to possess a public key certificate (PKC).  All the data is transmitted after incorporating public key encryption.  It is the most secure authentication type.  It is supported by all the common browsers. 28
29
Confidentiality of Passwords  For Basic and Form-based authentication, unless explicitly specified, the password gets transported in unencrypted form (Base64)  The <transport-guarantee> element can contain any of three values:  NONE means no transport guarantee  INTEGRAL means data cannot be changed in transit  CONFIDENTIAL means the contents of a transmission cannot be observed  Example: <user-data-constraint> <description> Integral Transmission </description> <transport-guarantee>INTEGRAL</transport-guarantee> </user-data-constraint> 29
30
Steps for Declarative Authorization at Web-tier 1. Deployer maps actual user identities to security roles using vendor specific tools 2. Deployer declares security roles in the deployment descriptor 3. Deployer declares URL permissions in the deployment descriptor for each security role This is already covered above under “Web-tier security schemes” segment! 30
31
Declarative and Programmatic Authorization (Access Control)  They are usually used together Declarative access control for role-based access control Programmatic access control for user instance- based and business logic based access control  User instance  Time of the day  Parameters of the request  Internal state of the web component 31
32
Steps for Programmatic Authorization at Web-tier 1. Set up username, passwords, and roles (realms) 2. Servlet programmer writes programmatic authorization logic inside the Servlet code using abstract security roles 3. Deployer maps abstract security roles to actual roles (for a particular operational environment) in the web.xml 32
33
Step 2: Servlet Programmer writes programmatic authorization logic public interface javax.servlet.http.HTTPServletRequest{ ... // Find out who is accessing your web resource public java.security.Principal getUserPrincipal(); public String getRemoteUser(); // Is the caller in a particular role? public boolean isUserInRole(String role); ... } 33
34
Example: “Employees” can only access their own Salary Information public double getSalary(String employeeId) { java.security.Principal userPrincipal = request.getUserPrincipal(); String callerId = userPrincipal.getName(); // “manager” role can read employee salary information // employee can read only his/her own salary information if ( (request.isUserInRole(“manager”)) || ((request.isUserInRole(“employee”)) && (callerId == employeeId)) ) { // return Salary information for the employee getSalaryInformationSomehow(employeeId); } else { throw new SecurityException(“access denied”); } 34
35
Acknowledgement Most contents are borrowed from the presentation slides of Sang Shin, Java™ Technology Evangelist, Sun Microsystems, Inc.
36
Thank you thananum@gmail.com www.facebook.com/imcinstitute www.imcinstitute.com 36
Module 9: Web Application Security Thanisa Kruawaisayawan Thanachart Numnonda www.imcinstitute.com
Objectives  General security issues  Authentication  Authorization  Data Integrity  Confidentiality  Web-tier Authentication Schemes  BASIC  DIGEST  FORM  CLIENT-CERT  Declarative Authorization 2
General Security Issues  Authentication for identity verification Making sure a user is who he claims he is  Authorization (Access control) Making sure resources are accessible only to users who have access privilege The user has to be authenticated first  Data Integrity - Making suere that information has not been modified by a third party while in transit.  Confidentiality (Privacy) Protecting the sensitive data from prying eyes while it is on the wire 3
Security Requirements at Web-Tier  Preventing unauthorized users from accessing “access controlled” web resource If an unauthenticated user tries to access “access controlled” web resource, web container will automatically ask the user to authenticate himself first Once the user authenticated, web container (and/or web components) then enforces access control  Preventing attackers from changing or reading sensitive data while it is on the wire Data can be protected via SSL 4
Web-Tier Security Scheme Should Address “Authentication” 1. Collecting user identity information from an end user typically through browser interface user identity information usually means username and password this is called “logging in” 1. Transporting collected user identity information to the web server unsecurely (HTTP) or securely (HTTP over SSL) 5
Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Performing identity checking with backend “security database” (Realms) Web container checks if collected user identity matches with the one in the backend “security database” These backend “security database” are called Realms Realms maintain  Username, password, roles, etc. How these realms are organized and managed are product and operational environment dependent  LDAP, RDBMS, Flat-file, Solaris PAM, Windows AD 6
Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Web container keep track of previously authenticated users for further HTTP operations Using internally maintained session state, web container knows if the caller of subsequent HTTP requests has been authenticated Web container also creates HttpServletRequest object for subsequent HTTP requests  HttpServletRequest object contains “security context” information Principal, Role, Username 7
Web-Tier Security Scheme Should Address “Access control”  Web application developer and/or deployer specifies access control to web resources Declarative and/or Programmatic access control 8
Web-Tier Security Scheme Should Address “Data confidentiality”  Providing confidentiality of the sensitive data that is being transported over the wire Between browser and web server Example: Credit card number Using SSL 9
Web-tier Authentication Schemes 1. HTTP Basic Authentication 2. HTTP Digest Authentication 3. Form-based Authentication 4. HTTPS Client Authentication 10
1. HTTP Basic Authentication  Web server collects user identification (user name and password) through a browser provided dialog box  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 11
Steps for Basic Authentication-based Web-tier Security 1. Set up username, passwords, and roles (realms) 2. Tell web container that you are using Basic authentication 3. Specify which URLs (web resources) should be access- controlled (password-protected) 4. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 12
Step 1: Set up username, passwords, and roles (Realms)  Schemes, APIs, and tools for setting up usernames, passwords, and roles (realms) are web container and operational environment specific Flat-file based, Database, LDAP server Passwords could be in either encrypted or unencrypted form  Tomcat 4.0 can work with the following realms default: file, unencrypted form Relational database (via JDBCRealm) LDAP server (via LDAPRealm) 13
Example: Tomcat's default  <install-dir>/conf/tomcat-users.xml  Unencrypted: not secure but easy to set up and maintain <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="admin"/> <role rolename="user"/> <user username="kmitl" password="kmitl" roles="user" /> <user username="root" password="root" roles="manager,admin" /> </tomcat-users> 14
Step 2: Tell web container that you are using Basic authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 15
Step 3: Specify which URLs should be access-controlled <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 16
Step 4: Specify which URLs should be available only with SSL <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... 17 </web-app>
2. HTTP Digest Authentication  HTTP digest authentication  The HTTP digest authentication also gets the username/password details in a manner similar to that of basic authentication.  However, the authentication is performed by transmitting the password in an encrypted form.  Only some Web browsers and containers support it. 18
3. Form-based Authentication  Web application collects user identification (user name, password, and other information) through a custom login page  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 19
Form-Based Auth. Control Flow Request Response Page Login Error Page Form 1 7 4 5 9 Protected Login.jsp j_security_check Error.html 2 Resource 3 6 8 1. Request made by client 6. Authentication Login succeeded, 2. Is client authenticated? redirected to resource 7. Authorization Permission tested, 3. Unauthenticated client result returned redirected 8. Login failed, redirect to error page 4 . L og i n f or m r et u r n ed t o cl i en t 9. Error page returned to client 5. Client submits login form 20
Steps for Form-based Authentication based Web-tier Security 1. Set up username, passwords, and roles (realms): Same as in Basic-authentication 2. Tell web container that you are using Form-based authentication 3. Create custom “Login page” 4. Create custom “Error page” 5. Specify which URLs (web resources) should be access- controlled (password-protected) 6. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 21
Step 2: Tell web container that you are using Form-based authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 22
Step 3: Create custom “Login Page”  Can be HTML or JSP page  Contains HTML form like following <FORM ACTION="j_security_check" METHOD="POST"> <INPUT TYPE="TEXT" NAME="j_username"> <INPUT TYPE="PASSWORD" NAME="j_password"> </FORM> 23
Step 4: Create Error page  Can be HTML or JSP page  No specific content is mandated 24
Step 5: Specify which URLs should be access- controlled (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 25
Step 6: Specify which URLs should be available only with SSL (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 26
Basic and Form-based Form-based Basic Form-based • Uses “browser provided • Uses “web application dialog box” to get provided login page” to username and get username and password password • Only username and • Custom data can be password can be collected collected • Can enforce consistent • Might result in different look and feel look and feel • Form data is used to • HTTP Authentication convey username and header is used to password convey username and • Can enter a new user password name via login page • No good way to enter a 27
4. HTTPS Client Authentication  HTTPS client authentication  End-user authentication using HTTP over SSL (HTTPS) requires the user to possess a public key certificate (PKC).  All the data is transmitted after incorporating public key encryption.  It is the most secure authentication type.  It is supported by all the common browsers. 28
Confidentiality of Passwords  For Basic and Form-based authentication, unless explicitly specified, the password gets transported in unencrypted form (Base64)  The <transport-guarantee> element can contain any of three values:  NONE means no transport guarantee  INTEGRAL means data cannot be changed in transit  CONFIDENTIAL means the contents of a transmission cannot be observed  Example: <user-data-constraint> <description> Integral Transmission </description> <transport-guarantee>INTEGRAL</transport-guarantee> </user-data-constraint> 29
Steps for Declarative Authorization at Web-tier 1. Deployer maps actual user identities to security roles using vendor specific tools 2. Deployer declares security roles in the deployment descriptor 3. Deployer declares URL permissions in the deployment descriptor for each security role This is already covered above under “Web-tier security schemes” segment! 30
Declarative and Programmatic Authorization (Access Control)  They are usually used together Declarative access control for role-based access control Programmatic access control for user instance- based and business logic based access control  User instance  Time of the day  Parameters of the request  Internal state of the web component 31
Steps for Programmatic Authorization at Web-tier 1. Set up username, passwords, and roles (realms) 2. Servlet programmer writes programmatic authorization logic inside the Servlet code using abstract security roles 3. Deployer maps abstract security roles to actual roles (for a particular operational environment) in the web.xml 32
Step 2: Servlet Programmer writes programmatic authorization logic public interface javax.servlet.http.HTTPServletRequest{ ... // Find out who is accessing your web resource public java.security.Principal getUserPrincipal(); public String getRemoteUser(); // Is the caller in a particular role? public boolean isUserInRole(String role); ... } 33
Example: “Employees” can only access their own Salary Information public double getSalary(String employeeId) { java.security.Principal userPrincipal = request.getUserPrincipal(); String callerId = userPrincipal.getName(); // “manager” role can read employee salary information // employee can read only his/her own salary information if ( (request.isUserInRole(“manager”)) || ((request.isUserInRole(“employee”)) && (callerId == employeeId)) ) { // return Salary information for the employee getSalaryInformationSomehow(employeeId); } else { throw new SecurityException(“access denied”); } 34
Acknowledgement Most contents are borrowed from the presentation slides of Sang Shin, Java™ Technology Evangelist, Sun Microsystems, Inc.
Thank you thananum@gmail.com www.facebook.com/imcinstitute www.imcinstitute.com 36
Ad

Recommended

Java Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet BasicJava Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet Basic
IMC Institute
 
Java Web Programming [5/9] : EL, JSTL and Custom Tags
Java Web Programming [5/9] : EL, JSTL and Custom TagsJava Web Programming [5/9] : EL, JSTL and Custom Tags
Java Web Programming [5/9] : EL, JSTL and Custom Tags
IMC Institute
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAX
IMC Institute
 
RESTEasy
RESTEasyRESTEasy
RESTEasy
Massimiliano Dessì
 
Servlets intro
Servlets introServlets intro
Servlets intro
vantinhkhuc
 
Creating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat ApplicationCreating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat Application
Micha Kops
 
Java web programming
Java web programmingJava web programming
Java web programming
Ching Yi Chan
 
Jsp/Servlet
Jsp/ServletJsp/Servlet
Jsp/Servlet
Sunil OS
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session Management
Fahad Golra
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
Java servlet life cycle - methods ppt
Java servlet life cycle - methods pptJava servlet life cycle - methods ppt
Java servlet life cycle - methods ppt
kamal kotecha
 
Spring 4 final xtr_presentation
Spring 4 final xtr_presentationSpring 4 final xtr_presentation
Spring 4 final xtr_presentation
sourabh aggarwal
 
Spring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentationSpring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentation
sourabh aggarwal
 
Servlet sessions
Servlet sessionsServlet sessions
Servlet sessions
vantinhkhuc
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - Java
JainamParikh3
 
Bt0083 server side programing
Bt0083 server side programing Bt0083 server side programing
Bt0083 server side programing
Techglyphs
 
Lecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RSLecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RS
Fahad Golra
 
Servlet ppt by vikas jagtap
Servlet ppt by vikas jagtapServlet ppt by vikas jagtap
Servlet ppt by vikas jagtap
Vikas Jagtap
 
Lecture 2
Lecture 2Lecture 2
Lecture 2
Ahmed Madkor
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5
Arun Gupta
 
Java - Servlet - Mazenet Solution
Java - Servlet - Mazenet SolutionJava - Servlet - Mazenet Solution
Java - Servlet - Mazenet Solution
Mazenetsolution
 
Managing user's data with Spring Session
Managing user's data with Spring SessionManaging user's data with Spring Session
Managing user's data with Spring Session
David Gómez García
 
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
mfrancis
 
Servlets
ServletsServlets
Servlets
Geethu Mohan
 
Servlet
Servlet Servlet
Servlet
Dhara Joshi
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
Emprovise
 
JAVA Servlets
JAVA ServletsJAVA Servlets
JAVA Servlets
deepak kumar
 
An Introduction To Java Web Technology
An Introduction To Java Web TechnologyAn Introduction To Java Web Technology
An Introduction To Java Web Technology
vikram singh
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
Ben Abdallah Helmi
 
A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1
Shaibi Varkey
 

More Related Content

What's hot (20)

Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session Management
Fahad Golra
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
Java servlet life cycle - methods ppt
Java servlet life cycle - methods pptJava servlet life cycle - methods ppt
Java servlet life cycle - methods ppt
kamal kotecha
 
Spring 4 final xtr_presentation
Spring 4 final xtr_presentationSpring 4 final xtr_presentation
Spring 4 final xtr_presentation
sourabh aggarwal
 
Spring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentationSpring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentation
sourabh aggarwal
 
Servlet sessions
Servlet sessionsServlet sessions
Servlet sessions
vantinhkhuc
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - Java
JainamParikh3
 
Bt0083 server side programing
Bt0083 server side programing Bt0083 server side programing
Bt0083 server side programing
Techglyphs
 
Lecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RSLecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RS
Fahad Golra
 
Servlet ppt by vikas jagtap
Servlet ppt by vikas jagtapServlet ppt by vikas jagtap
Servlet ppt by vikas jagtap
Vikas Jagtap
 
Lecture 2
Lecture 2Lecture 2
Lecture 2
Ahmed Madkor
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5
Arun Gupta
 
Java - Servlet - Mazenet Solution
Java - Servlet - Mazenet SolutionJava - Servlet - Mazenet Solution
Java - Servlet - Mazenet Solution
Mazenetsolution
 
Managing user's data with Spring Session
Managing user's data with Spring SessionManaging user's data with Spring Session
Managing user's data with Spring Session
David Gómez García
 
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
mfrancis
 
Servlets
ServletsServlets
Servlets
Geethu Mohan
 
Servlet
Servlet Servlet
Servlet
Dhara Joshi
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
Emprovise
 
JAVA Servlets
JAVA ServletsJAVA Servlets
JAVA Servlets
deepak kumar
 
An Introduction To Java Web Technology
An Introduction To Java Web TechnologyAn Introduction To Java Web Technology
An Introduction To Java Web Technology
vikram singh
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session Management
Fahad Golra
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
Java servlet life cycle - methods ppt
Java servlet life cycle - methods pptJava servlet life cycle - methods ppt
Java servlet life cycle - methods ppt
kamal kotecha
 
Spring 4 final xtr_presentation
Spring 4 final xtr_presentationSpring 4 final xtr_presentation
Spring 4 final xtr_presentation
sourabh aggarwal
 
Spring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentationSpring 4 advanced final_xtr_presentation
Spring 4 advanced final_xtr_presentation
sourabh aggarwal
 
Servlet sessions
Servlet sessionsServlet sessions
Servlet sessions
vantinhkhuc
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - Java
JainamParikh3
 
Bt0083 server side programing
Bt0083 server side programing Bt0083 server side programing
Bt0083 server side programing
Techglyphs
 
Lecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RSLecture 7 Web Services JAX-WS & JAX-RS
Lecture 7 Web Services JAX-WS & JAX-RS
Fahad Golra
 
Servlet ppt by vikas jagtap
Servlet ppt by vikas jagtapServlet ppt by vikas jagtap
Servlet ppt by vikas jagtap
Vikas Jagtap
 
Lecture 2
Lecture 2Lecture 2
Lecture 2
Ahmed Madkor
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5
Arun Gupta
 
Java - Servlet - Mazenet Solution
Java - Servlet - Mazenet SolutionJava - Servlet - Mazenet Solution
Java - Servlet - Mazenet Solution
Mazenetsolution
 
Managing user's data with Spring Session
Managing user's data with Spring SessionManaging user's data with Spring Session
Managing user's data with Spring Session
David Gómez García
 
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
OSGi and Spring Data for simple (Web) Application Development - Christian Bar...
mfrancis
 
Servlets
ServletsServlets
Servlets
Geethu Mohan
 
Servlet
Servlet Servlet
Servlet
Dhara Joshi
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
Emprovise
 
JAVA Servlets
JAVA ServletsJAVA Servlets
JAVA Servlets
deepak kumar
 
An Introduction To Java Web Technology
An Introduction To Java Web TechnologyAn Introduction To Java Web Technology
An Introduction To Java Web Technology
vikram singh
 

Viewers also liked (10)

SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
Ben Abdallah Helmi
 
A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1
Shaibi Varkey
 
3D password
3D password3D password
3D password
Jaya Sinha
 
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUDKEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
Naseem nisar
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password Authentication
Abhijit Akotkar
 
graphical password authentication
graphical password authenticationgraphical password authentication
graphical password authentication
Akhil Kumar
 
Basic suture patterns
Basic suture patternsBasic suture patterns
Basic suture patterns
Satyajeet Singh
 
Graphical password authentication
Graphical password authenticationGraphical password authentication
Graphical password authentication
Asim Kumar Pathak
 
Web Mining
Web Mining Web Mining
Web Mining
guestb73ec6
 
Level 3 Security solutions
Level 3 Security solutionsLevel 3 Security solutions
Level 3 Security solutions
Alan Rudd
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
Ben Abdallah Helmi
 
A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1A graphical password authentication system (ieee 2011) 1
A graphical password authentication system (ieee 2011) 1
Shaibi Varkey
 
3D password
3D password3D password
3D password
Jaya Sinha
 
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUDKEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD
Naseem nisar
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password Authentication
Abhijit Akotkar
 
graphical password authentication
graphical password authenticationgraphical password authentication
graphical password authentication
Akhil Kumar
 
Basic suture patterns
Basic suture patternsBasic suture patterns
Basic suture patterns
Satyajeet Singh
 
Graphical password authentication
Graphical password authenticationGraphical password authentication
Graphical password authentication
Asim Kumar Pathak
 
Web Mining
Web Mining Web Mining
Web Mining
guestb73ec6
 
Level 3 Security solutions
Level 3 Security solutionsLevel 3 Security solutions
Level 3 Security solutions
Alan Rudd
 
Ad

Similar to Java Web Programming [9/9] : Web Application Security (20)

Web security
Web securityWeb security
Web security
Padam Banthia
 
Spring Security services for web applications
Spring Security services for web applicationsSpring Security services for web applications
Spring Security services for web applications
StephenKoc1
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
Ben Abdallah Helmi
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogic
Harihara sarma
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Hai Nguyen
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
webhostingguy
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE Security
Masoud Kalali
 
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
Session 4 : securing web application - Giáo trình Bách Khoa AptechSession 4 : securing web application - Giáo trình Bách Khoa Aptech
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
MasterCode.vn
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
Randy Connolly
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
Novell
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
Novell
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
Sang Shin
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Keeping Pace with OAuth’s Evolving Security Practices.pdfKeeping Pace with OAuth’s Evolving Security Practices.pdf
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
WebStackAcademy
 
Synapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developerSynapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developer
saritasingh19866
 
O auth 2
O auth 2O auth 2
O auth 2
Nisha Baswal
 
Advance java session 19
Advance java session 19Advance java session 19
Advance java session 19
Smita B Kumar
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
guest2a1135
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Web security
Web securityWeb security
Web security
Padam Banthia
 
Spring Security services for web applications
Spring Security services for web applicationsSpring Security services for web applications
Spring Security services for web applications
StephenKoc1
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
Ben Abdallah Helmi
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogic
Harihara sarma
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Hai Nguyen
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
webhostingguy
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE Security
Masoud Kalali
 
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
Session 4 : securing web application - Giáo trình Bách Khoa AptechSession 4 : securing web application - Giáo trình Bách Khoa Aptech
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
MasterCode.vn
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
Randy Connolly
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
Novell
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
Novell
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
Sang Shin
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Keeping Pace with OAuth’s Evolving Security Practices.pdfKeeping Pace with OAuth’s Evolving Security Practices.pdf
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
WebStackAcademy
 
Synapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developerSynapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developer
saritasingh19866
 
O auth 2
O auth 2O auth 2
O auth 2
Nisha Baswal
 
Advance java session 19
Advance java session 19Advance java session 19
Advance java session 19
Smita B Kumar
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
guest2a1135
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Ad

More from IMC Institute (20)

นิตยสาร Digital Trends ฉบับที่ 14
นิตยสาร Digital Trends ฉบับที่ 14นิตยสาร Digital Trends ฉบับที่ 14
นิตยสาร Digital Trends ฉบับที่ 14
IMC Institute
 
Digital trends Vol 4 No. 13 Sep-Dec 2019
Digital trends Vol 4 No. 13 Sep-Dec 2019Digital trends Vol 4 No. 13 Sep-Dec 2019
Digital trends Vol 4 No. 13 Sep-Dec 2019
IMC Institute
 
บทความ The evolution of AI
บทความ The evolution of AIบทความ The evolution of AI
บทความ The evolution of AI
IMC Institute
 
IT Trends eMagazine Vol 4. No.12
IT Trends eMagazine Vol 4. No.12IT Trends eMagazine Vol 4. No.12
IT Trends eMagazine Vol 4. No.12
IMC Institute
 
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformationเพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
IMC Institute
 
IT Trends 2019: Putting Digital Transformation to Work
IT Trends 2019: Putting Digital Transformation to WorkIT Trends 2019: Putting Digital Transformation to Work
IT Trends 2019: Putting Digital Transformation to Work
IMC Institute
 
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรมมูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
IMC Institute
 
IT Trends eMagazine Vol 4. No.11
IT Trends eMagazine Vol 4. No.11IT Trends eMagazine Vol 4. No.11
IT Trends eMagazine Vol 4. No.11
IMC Institute
 
แนวทางการทำ Digital transformation
แนวทางการทำ Digital transformationแนวทางการทำ Digital transformation
แนวทางการทำ Digital transformation
IMC Institute
 
บทความ The New Silicon Valley
บทความ The New Silicon Valleyบทความ The New Silicon Valley
บทความ The New Silicon Valley
IMC Institute
 
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
IMC Institute
 
แนวทางการทำ Digital transformation
แนวทางการทำ Digital transformationแนวทางการทำ Digital transformation
แนวทางการทำ Digital transformation
IMC Institute
 
The Power of Big Data for a new economy (Sample)
The Power of Big Data for a new economy (Sample)The Power of Big Data for a new economy (Sample)
The Power of Big Data for a new economy (Sample)
IMC Institute
 
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
IMC Institute
 
IT Trends eMagazine Vol 3. No.9
IT Trends eMagazine Vol 3. No.9 IT Trends eMagazine Vol 3. No.9
IT Trends eMagazine Vol 3. No.9
IMC Institute
 
Thailand software & software market survey 2016
Thailand software & software market survey 2016Thailand software & software market survey 2016
Thailand software & software market survey 2016
IMC Institute
 
Developing Business Blockchain Applications on Hyperledger
Developing Business Blockchain Applications on Hyperledger Developing Business Blockchain Applications on Hyperledger
Developing Business Blockchain Applications on Hyperledger
IMC Institute
 
Digital transformation @thanachart.org
Digital transformation @thanachart.orgDigital transformation @thanachart.org
Digital transformation @thanachart.org
IMC Institute
 
บทความ Big Data จากบล็อก thanachart.org
บทความ Big Data จากบล็อก thanachart.orgบทความ Big Data จากบล็อก thanachart.org
บทความ Big Data จากบล็อก thanachart.org
IMC Institute
 
กลยุทธ์ 5 ด้านกับการทำ Digital Transformation
กลยุทธ์ 5 ด้านกับการทำ Digital Transformationกลยุทธ์ 5 ด้านกับการทำ Digital Transformation
กลยุทธ์ 5 ด้านกับการทำ Digital Transformation
IMC Institute
 
นิตยสาร Digital Trends ฉบับที่ 14
นิตยสาร Digital Trends ฉบับที่ 14นิตยสาร Digital Trends ฉบับที่ 14
นิตยสาร Digital Trends ฉบับที่ 14
IMC Institute
 
Digital trends Vol 4 No. 13 Sep-Dec 2019
Digital trends Vol 4 No. 13 Sep-Dec 2019Digital trends Vol 4 No. 13 Sep-Dec 2019
Digital trends Vol 4 No. 13 Sep-Dec 2019
IMC Institute
 
บทความ The evolution of AI
บทความ The evolution of AIบทความ The evolution of AI
บทความ The evolution of AI
IMC Institute
 
IT Trends eMagazine Vol 4. No.12
IT Trends eMagazine Vol 4. No.12IT Trends eMagazine Vol 4. No.12
IT Trends eMagazine Vol 4. No.12
IMC Institute
 
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformationเพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
เพราะเหตุใด Digitization ไม่ตอบโจทย์ Digital Transformation
IMC Institute
 
IT Trends 2019: Putting Digital Transformation to Work
IT Trends 2019: Putting Digital Transformation to WorkIT Trends 2019: Putting Digital Transformation to Work
IT Trends 2019: Putting Digital Transformation to Work
IMC Institute
 
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรมมูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
มูลค่าตลาดดิจิทัลไทย 3 อุตสาหกรรม
IMC Institute
 
IT Trends eMagazine Vol 4. No.11
IT Trends eMagazine Vol 4. No.11IT Trends eMagazine Vol 4. No.11
IT Trends eMagazine Vol 4. No.11
IMC Institute
 
แนวทางการทำ Digital transformation
แนวทางการทำ Digital transformationแนวทางการทำ Digital transformation
แนวทางการทำ Digital transformation
IMC Institute
 
บทความ The New Silicon Valley
บทความ The New Silicon Valleyบทความ The New Silicon Valley
บทความ The New Silicon Valley
IMC Institute
 
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
นิตยสาร IT Trends ของ IMC Institute ฉบับที่ 10
IMC Institute
 
แนวทางการทำ Digital transformation
แนวทางการทำ Digital transformationแนวทางการทำ Digital transformation
แนวทางการทำ Digital transformation
IMC Institute
 
The Power of Big Data for a new economy (Sample)
The Power of Big Data for a new economy (Sample)The Power of Big Data for a new economy (Sample)
The Power of Big Data for a new economy (Sample)
IMC Institute
 
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
บทความ Robotics แนวโน้มใหม่สู่บริการเฉพาะทาง
IMC Institute
 
IT Trends eMagazine Vol 3. No.9
IT Trends eMagazine Vol 3. No.9 IT Trends eMagazine Vol 3. No.9
IT Trends eMagazine Vol 3. No.9
IMC Institute
 
Thailand software & software market survey 2016
Thailand software & software market survey 2016Thailand software & software market survey 2016
Thailand software & software market survey 2016
IMC Institute
 
Developing Business Blockchain Applications on Hyperledger
Developing Business Blockchain Applications on Hyperledger Developing Business Blockchain Applications on Hyperledger
Developing Business Blockchain Applications on Hyperledger
IMC Institute
 
Digital transformation @thanachart.org
Digital transformation @thanachart.orgDigital transformation @thanachart.org
Digital transformation @thanachart.org
IMC Institute
 
บทความ Big Data จากบล็อก thanachart.org
บทความ Big Data จากบล็อก thanachart.orgบทความ Big Data จากบล็อก thanachart.org
บทความ Big Data จากบล็อก thanachart.org
IMC Institute
 
กลยุทธ์ 5 ด้านกับการทำ Digital Transformation
กลยุทธ์ 5 ด้านกับการทำ Digital Transformationกลยุทธ์ 5 ด้านกับการทำ Digital Transformation
กลยุทธ์ 5 ด้านกับการทำ Digital Transformation
IMC Institute
 

Recently uploaded (20)

“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
Edge AI and Vision Alliance
 
The State of Web3 Industry- Industry Report
The State of Web3 Industry- Industry ReportThe State of Web3 Industry- Industry Report
The State of Web3 Industry- Industry Report
Liveplex
 
vertical-cnc-processing-centers-drillteq-v-200-en.pdf
vertical-cnc-processing-centers-drillteq-v-200-en.pdfvertical-cnc-processing-centers-drillteq-v-200-en.pdf
vertical-cnc-processing-centers-drillteq-v-200-en.pdf
AmirStern2
 
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
Edge AI and Vision Alliance
 
Agentic AI: Beyond the Buzz- LangGraph Studio V2
Agentic AI: Beyond the Buzz- LangGraph Studio V2Agentic AI: Beyond the Buzz- LangGraph Studio V2
Agentic AI: Beyond the Buzz- LangGraph Studio V2
Shashikant Jagtap
 
Kubernetes Security Act Now Before It’s Too Late
Kubernetes Security Act Now Before It’s Too LateKubernetes Security Act Now Before It’s Too Late
Kubernetes Security Act Now Before It’s Too Late
Michael Furman
 
High Availability On-Premises FME Flow.pdf
High Availability On-Premises FME Flow.pdfHigh Availability On-Premises FME Flow.pdf
High Availability On-Premises FME Flow.pdf
Safe Software
 
Viral>Wondershare Filmora 14.5.18.12900 Crack Free Download
Viral>Wondershare Filmora 14.5.18.12900 Crack Free DownloadViral>Wondershare Filmora 14.5.18.12900 Crack Free Download
Viral>Wondershare Filmora 14.5.18.12900 Crack Free Download
Puppy jhon
 
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
angelo60207
 
Edge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdfEdge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdf
AmirStern2
 
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
Safe Software
 
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
Safe Software
 
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
SOFTTECHHUB
 
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
Safe Software
 
“Addressing Evolving AI Model Challenges Through Memory and Storage,” a Prese...
“Addressing Evolving AI Model Challenges Through Memory and Storage,” a Prese...“Addressing Evolving AI Model Challenges Through Memory and Storage,” a Prese...
“Addressing Evolving AI Model Challenges Through Memory and Storage,” a Prese...
Edge AI and Vision Alliance
 
FIDO Alliance Seminar State of Passkeys.pptx
FIDO Alliance Seminar State of Passkeys.pptxFIDO Alliance Seminar State of Passkeys.pptx
FIDO Alliance Seminar State of Passkeys.pptx
FIDO Alliance
 
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptxFIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
FIDO Alliance
 
Providing an OGC API Processes REST Interface for FME Flow
Providing an OGC API Processes REST Interface for FME FlowProviding an OGC API Processes REST Interface for FME Flow
Providing an OGC API Processes REST Interface for FME Flow
Safe Software
 
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdf
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdfWar_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdf
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdf
biswajitbanerjee38
 
MuleSoft for AgentForce : Topic Center and API Catalog
MuleSoft for AgentForce : Topic Center and API CatalogMuleSoft for AgentForce : Topic Center and API Catalog
MuleSoft for AgentForce : Topic Center and API Catalog
shyamraj55
 
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
“Why It’s Critical to Have an Integrated Development Methodology for Edge AI,...
Edge AI and Vision Alliance
 
The State of Web3 Industry- Industry Report
The State of Web3 Industry- Industry ReportThe State of Web3 Industry- Industry Report
The State of Web3 Industry- Industry Report
Liveplex
 
vertical-cnc-processing-centers-drillteq-v-200-en.pdf
vertical-cnc-processing-centers-drillteq-v-200-en.pdfvertical-cnc-processing-centers-drillteq-v-200-en.pdf
vertical-cnc-processing-centers-drillteq-v-200-en.pdf
AmirStern2
 
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
Edge AI and Vision Alliance
 
Agentic AI: Beyond the Buzz- LangGraph Studio V2
Agentic AI: Beyond the Buzz- LangGraph Studio V2Agentic AI: Beyond the Buzz- LangGraph Studio V2
Agentic AI: Beyond the Buzz- LangGraph Studio V2
Shashikant Jagtap
 
Kubernetes Security Act Now Before It’s Too Late
Kubernetes Security Act Now Before It’s Too LateKubernetes Security Act Now Before It’s Too Late
Kubernetes Security Act Now Before It’s Too Late
Michael Furman
 
High Availability On-Premises FME Flow.pdf
High Availability On-Premises FME Flow.pdfHigh Availability On-Premises FME Flow.pdf
High Availability On-Premises FME Flow.pdf
Safe Software
 
Viral>Wondershare Filmora 14.5.18.12900 Crack Free Download
Viral>Wondershare Filmora 14.5.18.12900 Crack Free DownloadViral>Wondershare Filmora 14.5.18.12900 Crack Free Download
Viral>Wondershare Filmora 14.5.18.12900 Crack Free Download
Puppy jhon
 
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
angelo60207
 
Edge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdfEdge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdf
AmirStern2
 
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
Safe Software
 
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
Safe Software
 
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
AudGram Review: Build Visually Appealing, AI-Enhanced Audiograms to Engage Yo...
SOFTTECHHUB
 
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
Safe Software
 
“Addressing Evolving AI Model Challenges Through Memory and Storage,” a Prese...
“Addressing Evolving AI Model Challenges Through Memory and Storage,” a Prese...“Addressing Evolving AI Model Challenges Through Memory and Storage,” a Prese...
“Addressing Evolving AI Model Challenges Through Memory and Storage,” a Prese...
Edge AI and Vision Alliance
 
FIDO Alliance Seminar State of Passkeys.pptx
FIDO Alliance Seminar State of Passkeys.pptxFIDO Alliance Seminar State of Passkeys.pptx
FIDO Alliance Seminar State of Passkeys.pptx
FIDO Alliance
 
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptxFIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
FIDO Alliance
 
Providing an OGC API Processes REST Interface for FME Flow
Providing an OGC API Processes REST Interface for FME FlowProviding an OGC API Processes REST Interface for FME Flow
Providing an OGC API Processes REST Interface for FME Flow
Safe Software
 
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdf
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdfWar_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdf
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdf
biswajitbanerjee38
 
MuleSoft for AgentForce : Topic Center and API Catalog
MuleSoft for AgentForce : Topic Center and API CatalogMuleSoft for AgentForce : Topic Center and API Catalog
MuleSoft for AgentForce : Topic Center and API Catalog
shyamraj55
 

Java Web Programming [9/9] : Web Application Security

  • 1. Module 9: Web Application Security Thanisa Kruawaisayawan Thanachart Numnonda www.imcinstitute.com
  • 2. Objectives  General security issues  Authentication  Authorization  Data Integrity  Confidentiality  Web-tier Authentication Schemes  BASIC  DIGEST  FORM  CLIENT-CERT  Declarative Authorization 2
  • 3. General Security Issues  Authentication for identity verification Making sure a user is who he claims he is  Authorization (Access control) Making sure resources are accessible only to users who have access privilege The user has to be authenticated first  Data Integrity - Making suere that information has not been modified by a third party while in transit.  Confidentiality (Privacy) Protecting the sensitive data from prying eyes while it is on the wire 3
  • 4. Security Requirements at Web-Tier  Preventing unauthorized users from accessing “access controlled” web resource If an unauthenticated user tries to access “access controlled” web resource, web container will automatically ask the user to authenticate himself first Once the user authenticated, web container (and/or web components) then enforces access control  Preventing attackers from changing or reading sensitive data while it is on the wire Data can be protected via SSL 4
  • 5. Web-Tier Security Scheme Should Address “Authentication” 1. Collecting user identity information from an end user typically through browser interface user identity information usually means username and password this is called “logging in” 1. Transporting collected user identity information to the web server unsecurely (HTTP) or securely (HTTP over SSL) 5
  • 6. Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Performing identity checking with backend “security database” (Realms) Web container checks if collected user identity matches with the one in the backend “security database” These backend “security database” are called Realms Realms maintain  Username, password, roles, etc. How these realms are organized and managed are product and operational environment dependent  LDAP, RDBMS, Flat-file, Solaris PAM, Windows AD 6
  • 7. Web-Tier Security Scheme Should Address “Authentication” (cont.) 1. Web container keep track of previously authenticated users for further HTTP operations Using internally maintained session state, web container knows if the caller of subsequent HTTP requests has been authenticated Web container also creates HttpServletRequest object for subsequent HTTP requests  HttpServletRequest object contains “security context” information Principal, Role, Username 7
  • 8. Web-Tier Security Scheme Should Address “Access control”  Web application developer and/or deployer specifies access control to web resources Declarative and/or Programmatic access control 8
  • 9. Web-Tier Security Scheme Should Address “Data confidentiality”  Providing confidentiality of the sensitive data that is being transported over the wire Between browser and web server Example: Credit card number Using SSL 9
  • 10. Web-tier Authentication Schemes 1. HTTP Basic Authentication 2. HTTP Digest Authentication 3. Form-based Authentication 4. HTTPS Client Authentication 10
  • 11. 1. HTTP Basic Authentication  Web server collects user identification (user name and password) through a browser provided dialog box  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 11
  • 12. Steps for Basic Authentication-based Web-tier Security 1. Set up username, passwords, and roles (realms) 2. Tell web container that you are using Basic authentication 3. Specify which URLs (web resources) should be access- controlled (password-protected) 4. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 12
  • 13. Step 1: Set up username, passwords, and roles (Realms)  Schemes, APIs, and tools for setting up usernames, passwords, and roles (realms) are web container and operational environment specific Flat-file based, Database, LDAP server Passwords could be in either encrypted or unencrypted form  Tomcat 4.0 can work with the following realms default: file, unencrypted form Relational database (via JDBCRealm) LDAP server (via LDAPRealm) 13
  • 14. Example: Tomcat's default  <install-dir>/conf/tomcat-users.xml  Unencrypted: not secure but easy to set up and maintain <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="admin"/> <role rolename="user"/> <user username="kmitl" password="kmitl" roles="user" /> <user username="root" password="root" roles="manager,admin" /> </tomcat-users> 14
  • 15. Step 2: Tell web container that you are using Basic authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 15
  • 16. Step 3: Specify which URLs should be access-controlled <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 16
  • 17. Step 4: Specify which URLs should be available only with SSL <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name></realm-name> </login-config> ... 17 </web-app>
  • 18. 2. HTTP Digest Authentication  HTTP digest authentication  The HTTP digest authentication also gets the username/password details in a manner similar to that of basic authentication.  However, the authentication is performed by transmitting the password in an encrypted form.  Only some Web browsers and containers support it. 18
  • 19. 3. Form-based Authentication  Web application collects user identification (user name, password, and other information) through a custom login page  Not secure since user name and password are in “easily decode'able” form over the wire Encoding scheme is Base64 Someone can easily decode it Not encrypted  Would need SSL for encrypting password 19
  • 20. Form-Based Auth. Control Flow Request Response Page Login Error Page Form 1 7 4 5 9 Protected Login.jsp j_security_check Error.html 2 Resource 3 6 8 1. Request made by client 6. Authentication Login succeeded, 2. Is client authenticated? redirected to resource 7. Authorization Permission tested, 3. Unauthenticated client result returned redirected 8. Login failed, redirect to error page 4 . L og i n f or m r et u r n ed t o cl i en t 9. Error page returned to client 5. Client submits login form 20
  • 21. Steps for Form-based Authentication based Web-tier Security 1. Set up username, passwords, and roles (realms): Same as in Basic-authentication 2. Tell web container that you are using Form-based authentication 3. Create custom “Login page” 4. Create custom “Error page” 5. Specify which URLs (web resources) should be access- controlled (password-protected) 6. Specify which URLs should be available only with SSL (data integrity and confidentiality protected) 21
  • 22. Step 2: Tell web container that you are using Form-based authentication  In web.xml file of your web application <web-app> ... <security-constraint>...</security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>realm name</realm-name> </login-config> ... </web-app> 22
  • 23. Step 3: Create custom “Login Page”  Can be HTML or JSP page  Contains HTML form like following <FORM ACTION="j_security_check" METHOD="POST"> <INPUT TYPE="TEXT" NAME="j_username"> <INPUT TYPE="PASSWORD" NAME="j_password"> </FORM> 23
  • 24. Step 4: Create Error page  Can be HTML or JSP page  No specific content is mandated 24
  • 25. Step 5: Specify which URLs should be access- controlled (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 25
  • 26. Step 6: Specify which URLs should be available only with SSL (Same as Basic Auth) <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>WRCollection</web-resource-name> <url-pattern>/loadpricelist</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name></realm-name> </login-config> ... </web-app> 26
  • 27. Basic and Form-based Form-based Basic Form-based • Uses “browser provided • Uses “web application dialog box” to get provided login page” to username and get username and password password • Only username and • Custom data can be password can be collected collected • Can enforce consistent • Might result in different look and feel look and feel • Form data is used to • HTTP Authentication convey username and header is used to password convey username and • Can enter a new user password name via login page • No good way to enter a 27
  • 28. 4. HTTPS Client Authentication  HTTPS client authentication  End-user authentication using HTTP over SSL (HTTPS) requires the user to possess a public key certificate (PKC).  All the data is transmitted after incorporating public key encryption.  It is the most secure authentication type.  It is supported by all the common browsers. 28
  • 29. Confidentiality of Passwords  For Basic and Form-based authentication, unless explicitly specified, the password gets transported in unencrypted form (Base64)  The <transport-guarantee> element can contain any of three values:  NONE means no transport guarantee  INTEGRAL means data cannot be changed in transit  CONFIDENTIAL means the contents of a transmission cannot be observed  Example: <user-data-constraint> <description> Integral Transmission </description> <transport-guarantee>INTEGRAL</transport-guarantee> </user-data-constraint> 29
  • 30. Steps for Declarative Authorization at Web-tier 1. Deployer maps actual user identities to security roles using vendor specific tools 2. Deployer declares security roles in the deployment descriptor 3. Deployer declares URL permissions in the deployment descriptor for each security role This is already covered above under “Web-tier security schemes” segment! 30
  • 31. Declarative and Programmatic Authorization (Access Control)  They are usually used together Declarative access control for role-based access control Programmatic access control for user instance- based and business logic based access control  User instance  Time of the day  Parameters of the request  Internal state of the web component 31
  • 32. Steps for Programmatic Authorization at Web-tier 1. Set up username, passwords, and roles (realms) 2. Servlet programmer writes programmatic authorization logic inside the Servlet code using abstract security roles 3. Deployer maps abstract security roles to actual roles (for a particular operational environment) in the web.xml 32
  • 33. Step 2: Servlet Programmer writes programmatic authorization logic public interface javax.servlet.http.HTTPServletRequest{ ... // Find out who is accessing your web resource public java.security.Principal getUserPrincipal(); public String getRemoteUser(); // Is the caller in a particular role? public boolean isUserInRole(String role); ... } 33
  • 34. Example: “Employees” can only access their own Salary Information public double getSalary(String employeeId) { java.security.Principal userPrincipal = request.getUserPrincipal(); String callerId = userPrincipal.getName(); // “manager” role can read employee salary information // employee can read only his/her own salary information if ( (request.isUserInRole(“manager”)) || ((request.isUserInRole(“employee”)) && (callerId == employeeId)) ) { // return Salary information for the employee getSalaryInformationSomehow(employeeId); } else { throw new SecurityException(“access denied”); } 34
  • 35. Acknowledgement Most contents are borrowed from the presentation slides of Sang Shin, Java™ Technology Evangelist, Sun Microsystems, Inc.
  • 36. Thank you [email protected] www.facebook.com/imcinstitute www.imcinstitute.com 36