8 Web Application Security


8/14/2019 8 Web Application Security

1/15 Web Application Security

2/15 Different aspects of web application security

Security involves:
- Authentication
- Authorization
- Confidentiality
- Data integrity

Web application security constraints are handled either declaratively or programmatically. Our focus is the declarative approach.

3/15 Benefits of declarative security

Declarative security has the following benefits:
- It allows us to use prewritten servlets in more flexible ways.
- It reduces ongoing maintenance as the application grows.
- It is a way to utilize the container's services.
- It supports the idea of component-based development.

4/15 Authentication

The client sends an HTTP request (POST ...) to the server. Server: "I got your request, but how do I know you are who you say you are???"

5/15 Authorization

The client sends an HTTP request (POST ...) to the server. Server: "Before I send you the special page I have to make sure you are allowed to see it."

6/15 Who implements security in a web application?

Administrator: decides the roles for the application, then adds the roles (admin, guest) to the container's users file, which is vendor specific. For Tomcat it is tomcat-users.xml.

Deployer: looking at the servlet's description, decides which role can access which servlet and describes it to the container through web.xml (the deployment descriptor, DD).

7/15 The tomcat-users.xml file

Located at /conf/tomcat-users.xml. It maps users to roles in a vendor-specific way, and it is where roles are created.

8/15 Security tags in the DD

Adding the security elements to web.xml: the roles admin and manager, and the authentication method BASIC.

The container will map its vendor-specific role information to whatever role names it finds in the corresponding element of the DD. The login configuration tag (here with BASIC) enables authentication.


10/15 Testing Security 2

The constraint covers /UpdateController for GET and POST and allows only the manager role, so that role is authorized to access only one servlet.

If the authorization tag is absent there is no restriction on that web resource. If the tag is present but empty, no one can access the resource.

Role names are case sensitive.
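The two files the administrator and the deployer edit, written out as an added example (not the deck's own configuration). It assumes the usernames and passwords shown (placeholders), that /LoginController is restricted to the admin role, and it adds the Servlet 3.1 deny-uncovered-http-methods hardening, which the slides do not mention.

```xml
<!-- (1) conf/tomcat-users.xml: vendor-specific user-to-role mapping; credentials are placeholders -->
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="mgr_user" password="CHANGE_ME" roles="manager"/>
  <user username="adm_user" password="CHANGE_ME" roles="admin,manager"/>
</tomcat-users>

<!-- (2) WEB-INF/web.xml: the portable deployment descriptor (DD) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- Only the manager role may GET or POST /UpdateController. Listing http-method
       constrains ONLY those methods; any other method (HEAD, PUT, ...) stays open. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UpdateController</web-resource-name>
      <url-pattern>/UpdateController</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name> <!-- role names are case sensitive -->
    </auth-constraint>
  </security-constraint>

  <!-- Assumed: /LoginController is admin-only, which is why a manager user is refused.
       No http-method list means the constraint covers every method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginController</web-resource-name>
      <url-pattern>/LoginController</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Hardening (Servlet 3.1): deny the methods a constraint leaves uncovered -->
  <deny-uncovered-http-methods/>

  <!-- BASIC authentication: the container challenges unauthenticated requests -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <!-- Roles the DD refers to; the container maps them to its tomcat-users.xml roles -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
</web-app>
```

Omitting auth-constraint entirely leaves the resource unrestricted, while an empty `<auth-constraint/>` denies everyone, so check which of the two a constraint actually contains.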

11/15 Testing the code in Tomcat

index.html

12/15 This user is mapped to the manager role.

13/15 manager is not authorized to access the URL /LoginController.

14/15 manager

15/15 manager is authorized to access the URL /UpdateController.