
Slide 1 of 19 Ver. 1.0
Web Component Development With Servlet and JSP Technologies
Objectives
In this session, you will learn to:
- Identify the need for Web security
- Identify authentication techniques
- Restrict resource usage
- Secure a Java Web application

Slide 2 of 19
Overview of Web Security
A Web application must address security because it handles the data that organizations use to carry out their day-to-day operations.
Some of the common security threats are:
- Unauthorized access
- Malicious code
To counter security threats, you can implement different security techniques, such as:
- Authentication
- Authorization
- Data integrity
- Auditing

Slide 3 of 19
Overview of Web Security (Contd.)
To counter security threats, you can implement different security techniques, such as:
- Authentication: the process of identifying a user.
- Authorization: specifies the rights assigned to an authenticated user to access the resources of a Web application. Using authorization, a Web application distinguishes which data and resources are made available to which type of user.
- Data Integrity: ensures that data is not modified while being transferred between the server and the client. Techniques that ensure data integrity include data encryption and digital signatures.
- Auditing: secures Web applications by maintaining a record of the rights assigned to different types of Web users. Using the auditing security principle, one can detect whether any security flaws exist in a Web application.

Slide 4 of 19
Authentication Techniques
The types of authentication techniques used to validate user information are:
- Basic Authentication
- Form-Based Authentication
- Digest Authentication
- Client-Cert Authentication

Slide 5 of 19
Basic Authentication
- Is a technique of authenticating users before allowing them access to protected resources.
- In basic authentication, the server enforces security through the Web browser.

Slide 6 of 19
Form-Based Authentication
- Allows creating a customized login page for a Web application.
- Is the most widely used authentication technique to authorize users.
- Is used by most banking, e-commerce, and e-mail sites.

Slide 7 of 19
Digest Authentication
- Is an authentication technique where the administrator specifies the content that is to be secured on a Web site and the users that have access to that content.
- When a user tries to access a secured resource, a dialog box appears in the Web browser that accepts the username and password.
- The user information is encrypted before it is sent to the server. The server, on receiving the information, decrypts and validates it before granting access to the user.

Slide 8 of 19
Client-Cert Authentication
- The server authenticates a client using digital certificates.
- Digital certificates are issued by a Certificate Authority (CA) and provide a mechanism to authenticate the identity of the certificate holder.

Slide 9 of 19
Restricting Resource Usage
- In a J2EE Web application, you can protect resources against unauthorized access by creating users and user groups in the application server.
- You can then define roles for your application and assign the roles to users during the deployment process.

Slide 10 of 19
Creating Authorized Users
- To create a user in the Sun Java System Application Server 9, you need to have administrative rights.
- Only users authorized as administrators can create and manage users in the Sun Java System Application Server.

Slide 11 of 19
Creating Roles
- A role is a common name for a group of users having similar permissions, such as adding new resources, removing resources, or modifying server settings in the Web application.
- You can create roles using the Sun Java System Application Server Admin Console.
- The deployment descriptor specifies user roles using the <security-role>, <role-name> and <realm-name> deployment descriptor tags.

Slide 12 of 19
Specifying Authentication Techniques
- The authentication type used to secure a Web application is specified during the deployment process of the Web application.
Specifying the Deployment Descriptor Tags for the Basic Authentication Type
- The deployment descriptor of a Web application specifies the basic authentication type using the <login-config>, <auth-method> and <realm-name> deployment descriptor tags.
Specifying the Deployment Descriptor Tags for Form-Based Authentication
- The deployment descriptor of a Web application specifies the form-based authentication type using the <login-config>, <auth-method>, <realm-name>, <form-login-config>, <form-login-page> and <form-error-page> deployment descriptor tags.

Slide 13 of 19
Specifying Authentication Techniques (Contd.)
Specifying the Deployment Descriptor Tags for Digest Authentication
- The deployment descriptor of a Web application specifies the digest authentication type using the <login-config>, <auth-method> and <realm-name> deployment descriptor tags.
Specifying the Deployment Descriptor Tags for Client-Cert Authentication
- The deployment descriptor of a Web application specifies the client-cert authentication type using the <login-config>, <auth-method> and <realm-name> deployment descriptor tags.

Slide 14 of 19
Specifying Authentication Techniques (Contd.)
The security constraint for the authentication mechanism:
- Specifies the Web resource collection that needs to be protected and the URL pattern that needs to be checked before allowing access to the Web resource collection.
- Specifies the role for which the constraint is enforced and the mechanism by which data will be transported between the client and the server.

Slide 15 of 19
Specifying Authentication Techniques (Contd.)
- In a secure J2EE Web application, you need to map roles to the list of users created in the J2EE application server.
- Role mapping is required to specify the permissions or rights associated with a user role.
- Roles are mapped during the deployment process of a Web application.
- The deployment descriptor specifies security role mapping using the <security-role-ref>, <role-name> and <role-link> deployment descriptor tags.

Slide 16 of 19
Demo: Implementing Security
Chris wants to read his e-mail on the server. He sends his login information to the server, which validates the information Chris entered. If the login is successful, the server should display a login success message; otherwise, it should display an error message. Chris decides to authenticate his login information using form-based authentication.

Slide 17 of 19
Demo: Implementing Security (Contd.)
Solution:
1. Create the Web application.
2. Create users using the Sun Java System Application Server Admin Console.
3. Create a servlet for form-based authentication.
4. Create the login form.
5. Create the error page.
6. Create a security role.
7. Specify the security elements for form-based authentication.
8. Map the security role.
9. Deploy the application.
10. Test the application.
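
As an added example (not part of the original slides or the course's demo code), the following constructed web.xml ties together the deployment descriptor tags from the "Specifying Authentication Techniques" slides and the form-based demo above: a form-based login-config, a security constraint with a transport guarantee, a declared security role, and a servlet-local security-role-ref. The servlet class, role names, realm name and page paths are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed web.xml for the mail demo (Servlet 2.5, as supported by
     Sun Java System Application Server 9). All names are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>MailServlet</servlet-name>
    <servlet-class>demo.MailServlet</servlet-class>
    <!-- The servlet code calls request.isUserInRole("reader"); role-link
         ties that servlet-local name to the declared role "mailuser". -->
    <security-role-ref>
      <role-name>reader</role-name>
      <role-link>mailuser</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>MailServlet</servlet-name>
    <url-pattern>/mail/*</url-pattern>
  </servlet-mapping>
  <!-- Protected resources, permitted role, and transport. No <http-method> is
       listed on purpose: naming only GET and POST leaves other methods open. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Mailbox</web-resource-name>
      <url-pattern>/mail/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>mailuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container require HTTPS, so the posted
           password does not cross the network in clear text. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- Form-based login against the server's built-in "file" realm. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- The role is declared here and mapped to server users or groups
       (created in the Admin Console) when the application is deployed. -->
  <security-role>
    <role-name>mailuser</role-name>
  </security-role>
</web-app>
```

The login form must POST the fields j_username and j_password to the action j_security_check; the container performs the check, so the servlet only ever sees an already authenticated request.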

Slide 18 of 19
Summary
In this session, you learned:
- To counter security threats, the security techniques that can be implemented are:
  - Authentication
  - Authorization
  - Data integrity
  - Auditing
- Authentication is the process of identifying a user.
- Authorization specifies the rights assigned to an authenticated user to access the resources of a Web application.
- Data integrity ensures that data is not modified while being transferred between the server and the client.
- Auditing secures Web applications by maintaining a record of the rights assigned to different types of Web users.

Slide 19 of 19
Summary (Contd.)
- The types of authentication techniques used to validate user information are:
  - Basic Authentication
  - Form-Based Authentication
  - Digest Authentication
  - Client-Cert Authentication
- Basic authentication is a technique of authenticating users before allowing them access to protected resources.
- Form-based authentication allows creating a customized login page for a Web application.
- Digest authentication is an authentication technique where the administrator specifies the content that is to be secured on a Web site and the users that have access to that content.
- In client-cert authentication, the server authenticates a client using digital certificates.