Java web application security

<ul><li><p>Java web application security</p><p>Dr Jim Briggs</p><p>WEB2P security</p></li>
<li><p>What is security?</p><ul><li>Usually ensuring that only authorised users can access specific parts of a website</li><li>Security has two basic concepts:<ul><li>authentication: who is it?</li><li>authorisation: what can they do?</li></ul></li></ul></li>
<li><p>Categories of security mechanism</p><ul><li>Container-managed (e.g. Tomcat)<ul><li>Specified as part of the Java Servlet Specification</li><li>However, the implementation is container specific (and therefore not necessarily portable between containers)</li></ul></li><li>Application-managed<ul><li>Independent of the container</li><li>However, you have to write the code yourself (or use some other mechanism)</li></ul></li></ul></li>
<li><p>HTTP authentication</p><ul><li>HTTP provides for authentication - see RFC 2617</li><li>Operates on a challenge/response paradigm:<ul><li>Server receives a request for an access-protected object</li><li>Server responds with a "401 Unauthorized" status code</li><li>Client must then resend the request with an Authorization header</li></ul></li><li>Most browsers will prompt the user for a username and password<ul><li>Most browsers cache this for the duration of the browser session</li><li>Some will allow the user to save it between sessions</li></ul></li><li>Distinction between Basic Authentication and Digest Authentication:<ul><li>Basic passes usernames and passwords in clear text (actually in Base64 format, but this is easily translatable)</li><li>Digest scrambles the password by sending a checksum (by default, MD5) of the username, the password, a given nonce value, the HTTP method, and the requested URI. The nonce value is sent by the server with the 401 response.</li></ul></li><li>Realm is the zone of security<ul><li>Effectively the store against which credentials are checked</li></ul></li></ul></li>
<li><p>Mechanisms for securing Java web applications</p><ul><li>Fundamentals</li><li>Container-managed techniques</li><li>Application-managed techniques</li><li>Mix and match</li></ul></li>
<li><p>Fundamentals</p><ul><li>HTTP authentication</li><li>Secure Sockets Layer (SSL)</li><li>HTTP over SSL (HTTPS)<ul><li>See how to set this up in Apache</li><li>See how to set this up in Tomcat</li><li>Unlikely to need the latter if using Tomcat as an auxiliary server (especially via AJP)</li></ul></li></ul></li>
<li><p>Container-managed security</p><ul><li>Security constraints in web.xml file<ul><li>Authentication</li><li>Authorization</li><li>Secure transport</li></ul></li></ul></li>
<li><p>Authentication</p><p>web.xml fragment (markup not preserved): BASIC</p><p>web.xml fragment (markup not preserved): FORM /login.jsp /fail_login.html</p></li>
<li><p>Authorization</p><p>web.xml fragment (markup not preserved): Admin /admin/* private</p></li>
<li><p>Secure transport</p><p>web.xml fragment (markup not preserved): ... CONFIDENTIAL</p></li>
<li><p>Authentication methods</p><ul><li>Basic - uses HTTP Basic Authentication</li><li>Digest - uses HTTP Digest Authentication</li><li>Form - presents a login form to the user</li><li>Client certificate - requires a digital certificate from the client</li></ul></li>
<li><p>Tomcat realms</p><ul><li>MemoryRealm<ul><li>a file (tomcat-users.xml) in the TOMCAT/conf directory</li></ul></li><li>JDBCRealm<ul><li>specify tables and columns of a database that contain usernames, passwords and roles</li></ul></li><li>DataSourceRealm<ul><li>similar, but using a JNDI-named DataSource rather than a specific JDBC driver</li></ul></li><li>JNDIRealm<ul><li>looks up users in an LDAP directory server accessed by a JNDI provider</li></ul></li><li>JAASRealm<ul><li>authenticates users through the Java Authentication &amp; Authorization Service (JAAS) framework</li></ul></li></ul></li>
<li><p>Application-managed security 1</p><ul><li>Request properties:<ul><li>request.getRemoteUser()</li><li>request.getUserPrincipal()</li><li>request.isUserInRole(role)</li></ul></li><li>Use session attributes to store the user's identity</li><li>Use cookies to store username and password (can be persistent between browser sessions)</li></ul></li>
<li><p>Application-managed security 2</p><ul><li>Use a security filter</li><li>Use a base servlet</li><li>Use a custom JSP tag</li><li>(forward the request to a login page if the user is not logged in or does not have authorisation)</li><li>Struts facilities:<ul><li>Use Struts roles (each action has a roles attribute)</li><li>Customise the Struts RequestProcessor<ul><li>specifically the method processPreprocess</li></ul></li><li>Use a Struts Base Action</li></ul></li></ul></li>
<li><p>Mix and match</p><ul><li>Many of the techniques can be used in combination</li><li>SecurityFilter (from is an application-managed mechanism that mimics container-managed security</li></ul></li></ul>
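The Authentication, Authorization and Secure transport slides above each show one piece of a web.xml; the complete security section they add up to, written here as an added example rather than the slides' own fragment (the names Admin, /admin/*, private, /login.jsp and /fail_login.html are taken from the slides; the realm name is assumed):

```xml
<!-- Added example: container-managed security in WEB-INF/web.xml.
     Names Admin, /admin/*, private, /login.jsp and /fail_login.html come
     from the slides; ExampleRealm is an assumed realm name. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Authentication: FORM login instead of BASIC, so the container collects
       credentials from /login.jsp rather than from a Base64 Authorization
       header that any intermediary on a plain-HTTP path could read. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/fail_login.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Authorization: only users in role "private" may reach /admin/*.
       No <http-method> elements are listed on purpose: when any are given,
       only those methods are constrained and every other method stays open. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>private</role-name>
    </auth-constraint>
    <!-- Secure transport: CONFIDENTIAL makes the container redirect
         plain-HTTP requests for these URLs to HTTPS before serving them. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Every role named in an auth-constraint must be declared here; the
       realm (e.g. tomcat-users.xml for MemoryRealm) maps users to it. -->
  <security-role>
    <role-name>private</role-name>
  </security-role>
</web-app>
```

For the FORM method to work, /login.jsp must POST the fields j_username and j_password to the container's j_security_check URL.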
