Session 4 : securing web application - Giáo trình Bách Khoa Aptech

Slide 1 of 19

Securing Web Application

Slide 2 of 19

Overview
– Security Concepts
– Security Mechanisms
– Pillars of Security
  • HTTP Basic Authentication
  • HTTP Digest Authentication
  • HTTPS Client Authentication
  • Form-based Authentication
– Authentication
– Users
– Declarative Security
– Programmatic Security

Slide 3 of 19

Security Concepts
Need for securing Web applications:
– A Web application is accessed over a network such as the Internet or an intranet.
– Access to confidential information by unauthorized users: for example, a Personal Identification Number (PIN).
– Unauthorized use of resources: for example, a person using the bank account of a customer without authorization from the customer.
– Malicious code: programs written by hackers to compromise the security of Web applications.

Slide 4 of 19

Security Mechanisms
– Firewall
– Digital Signatures
– Password Authentication / Authorization

Slide 5 of 19

Security Mechanisms
– HTTP basic authentication
– HTTP digest authentication
– HTTPS (Secured HTTP) client authentication
– Form-based authentication

Slide 6 of 19

HTTP Basic Authentication
– A common method of authenticating users by verifying the user name and password.
– Users are authenticated before they are allowed to access the protected resources.
– The server enforces security through the Web browser.
– When the user tries to access a protected resource, the Web browser displays a dialog box to collect the authentication information from the user.

Slide 7 of 19

HTTP Digest Authentication
– Uses hash functions to secure Web applications.
– A hash function converts data of any length into a small, fixed-size value (the hash value).

Input              Hash Value
Fox                DFC3478
Fox is running     583DNT89
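The slide only says that digest authentication "uses hash functions"; the example below, added here and not part of the Aptech slides, shows what the server actually hashes and verifies. It follows RFC 2617 (qop="auth"): HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2). The user, realm and password are the ones on slides 10 and 11; the nonce, cnonce, nc and URI are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example (not from the slides): building and verifying an HTTP Digest
// response per RFC 2617 with qop="auth". All request parameters are constructed.
public class DigestAuthDemo {

    // Lower-case hexadecimal MD5, the form Digest authentication exchanges on the wire.
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // HA1 = MD5(username:realm:password). A server may store HA1 instead of the clear-text password.
    static String ha1(String user, String realm, String password) {
        return md5Hex(user + ":" + realm + ":" + password);
    }

    // response = MD5(HA1:nonce:nc:cnonce:qop:HA2) where HA2 = MD5(method:uri).
    static String response(String ha1, String nonce, String nc, String cnonce,
                           String qop, String method, String uri) {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Constant-time comparison so the check does not leak how many leading characters matched.
    static boolean verify(String expected, String presented) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String user = "rahulk", realm = "Managers", password = "rahulk"; // slides 10 and 11
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"; // constructed; servers issue a fresh one per challenge
        String cnonce = "0a4f113b", nc = "00000001", qop = "auth";
        String method = "GET", uri = "/protected/index.jsp";               // constructed

        // Client side: only the hash travels on the wire, never the password itself.
        String clientResponse = response(ha1(user, realm, password), nonce, nc, cnonce, qop, method, uri);
        System.out.println("Authorization: Digest username=\"" + user + "\", response=\"" + clientResponse + "\"");

        // Server side: recompute from the stored HA1 and the challenge parameters, then compare.
        String expected = response(ha1(user, realm, password), nonce, nc, cnonce, qop, method, uri);
        System.out.println("verified: " + verify(expected, clientResponse));

        // The response is bound to the method and URI: the same value does not authorise another page.
        String forOtherUri = response(ha1(user, realm, password), nonce, nc, cnonce, qop, method, "/other.jsp");
        System.out.println("same response accepted for /other.jsp: " + verify(forOtherUri, clientResponse));
    }
}
```

Two points the slide's toy table does not show: the server never needs the clear-text password once it holds HA1, and the nonce must be fresh per challenge, otherwise a captured response could be presented again.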

Slide 8 of 19

HTTPS Client Authentication
– Authenticates users by establishing a Secure Sockets Layer (SSL) connection between sender and recipient.
  • Sender – SSL client
  • Recipient – SSL server
– Adds an extra authentication layer between HTTP and TCP.
– This layer confirms the client's authentication.
– Two kinds of certificates are used:
  • Server certificates – contain information about the server that allows a client to identify the server before sharing sensitive information.
  • Client certificates – contain personal information about the user and introduce the SSL client to the server.

Slide 9 of 19

Form-based Authentication
– A customized login page is created for the Web application.
– Web site users can browse the unprotected pages of the Web site, but they are redirected to the login page when they try to access the secured pages.
– Uses base-64 encoding, which can expose the user name and password unless all connections are over SSL.
– Does not specify the security realm.
  • A realm is the region in which a security permission applies.
  • A security realm specifies the scope of security data.

Slide 10 of 19

Authentication
Authentication is specified in web.xml.

Form-based authentication:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/Error.jsp</form-error-page>
  </form-login-config>
</login-config>

Basic authentication (a web.xml holds one login-config, so the two are alternatives):

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Managers</realm-name>
</login-config>

Slide 11 of 19

Users
Users are configured in the tomcat-users.xml file:

<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="rahulk" password="rahulk" roles="manager,admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>

Slide 12 of 19

Declarative Security
– Provides security to resources with the help of the server configuration.
– Works as a layer separate from the Web components it protects.
– Advantages:
  • Allows the programmer to ignore the constraints of the programming environment.
  • Updating the mechanism does not require a total change in the security model.
  • It is easily maintainable.

Slide 13 of 19

Declarative Security Limitations
– Access is either granted completely or denied.
– Access is granted by the server only if the password matches.
– All the pages use the same authentication mechanism.
– It cannot use both form-based and basic authentication for different pages.

Slide 14 of 19

Implementing Declarative Security
– Setting up user names, passwords and roles
– Setting the authentication mechanism to FORM
– Creating the login page
– Creating the error page
– Specifying the URLs that should be password protected
– Specifying the URLs that should be available only with SSL
– Turning off the invoker servlet
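The steps above span two files. Step 1 is the tomcat-users.xml shown on slide 11; steps 2 to 6 live in the application's web.xml. The file below is an added example, not the slides' own configuration: the url-patterns, resource names and the /manager/* and /secure/* areas are constructed for illustration, and the role name "manager" and the page names come from slides 10 and 11.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not from the slides). Paths and resource names are constructed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Step 5: URLs that require a login; only users holding the "manager" role may enter. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager pages</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Step 6: URLs that must travel over SSL. CONFIDENTIAL makes the container
       redirect a plain-HTTP request for these pages to the HTTPS connector. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sensitive pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Steps 2 to 4: FORM authentication with the login and error pages from slide 10. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Managers</realm-name>
    <form-login-config>
      <form-login-page>/Login.jsp</form-login-page>
      <form-error-page>/Error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here; it maps to a
       rolename entry in tomcat-users.xml. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

Login.jsp must post to the container's login action, j_security_check, with fields named j_username and j_password; the container, not the page, performs the check. Step 7 is done in Tomcat's own conf/web.xml, where the servlet-mapping of the invoker servlet to /servlet/* stays commented out, so that servlets cannot be reached by class name under a URL the security-constraints above do not cover.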

Slide 15 of 19

Programmatic Security
– Authenticates users and grants them access.
– The servlet/JSP page either authenticates the user itself or verifies that the user has been authenticated earlier.
– Advantages:
  • Ensures total portability
  • Allows custom password-matching strategies
– Limitations:
  • Much harder to code and maintain
  • Every resource must use the code

Slide 16 of 19

Programmatic Security
HttpServletRequest methods:
– public String getAuthType()
– public String getHeader(String name)
– public String getRemoteUser()
– public String getRequestedSessionId()
– public HttpSession getSession()
– public boolean isUserInRole(String role)
– public boolean isRequestedSessionIdValid()
– public Principal getUserPrincipal()

Slide 17 of 19

Implementing Programmatic Security
– Check whether there is an Authorization request header.
– Get the String that contains the encoded user name / password.
– Reverse the base-64 encoding of the user name / password String.
– Check the user name and password.
– If authentication fails, send the proper response to the client.
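The five steps above, and the Basic-authentication dialog described on slide 6, come together in the example below. It is added here and is not code from the slides: the check is written as plain JDK code so it runs without a servlet container, with the header passed in as a string. Inside a servlet the header would come from request.getHeader("Authorization") and the Outcome would be written with response.setStatus and response.setHeader. The user names and passwords are those from tomcat-users.xml on slide 11; the class, method and Outcome names, the PBKDF2 parameters and the sample headers are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not from the slides): programmatic Basic authentication as a
// plain-JDK function. Names and parameters are constructed for illustration.
public class BasicAuthCheck {
    static final String REALM = "Managers";     // realm-name from slide 10
    static final int ITERATIONS = 100_000;      // PBKDF2 work factor (constructed)
    static final byte[] DUMMY_SALT = new byte[16];

    // What the servlet should send back: 401 carries the challenge that makes the
    // browser show the login dialog described on slide 6.
    static final class Outcome {
        final int status; final String wwwAuthenticate; final String user;
        Outcome(int status, String wwwAuthenticate, String user) {
            this.status = status; this.wwwAuthenticate = wwwAuthenticate; this.user = user;
        }
    }

    // The store holds only salt + PBKDF2 hash, never the clear-text password.
    static final class StoredCredential {
        final byte[] salt; final byte[] hash;
        StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }
    static final Map<String, StoredCredential> USERS = new HashMap<>();
    static {
        register("rahulk", "rahulk");   // users from tomcat-users.xml, slide 11
        register("tomcat", "tomcat");
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static void register(String user, String password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(user, new StoredCredential(salt, pbkdf2(password.toCharArray(), salt)));
    }

    // Steps 1-3: header present, scheme is Basic, payload is valid base-64 and holds "user:password".
    // Returns null for anything else so the caller sends a fresh challenge instead of a 500.
    static String[] decodeBasic(String authHeader) {
        if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authHeader.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base-64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    // Step 4: compare hashes in constant time; an unknown user still pays for one
    // PBKDF2 run so timing does not reveal which user names exist.
    static boolean passwordMatches(String user, String password) {
        StoredCredential c = USERS.get(user);
        if (c == null) { pbkdf2(password.toCharArray(), DUMMY_SALT); return false; }
        return MessageDigest.isEqual(c.hash, pbkdf2(password.toCharArray(), c.salt));
    }

    // Step 5: 200 with the authenticated user, or 401 plus the WWW-Authenticate challenge.
    static Outcome check(String authHeader) {
        String[] creds = decodeBasic(authHeader);
        if (creds != null && passwordMatches(creds[0], creds[1])) return new Outcome(200, null, creds[0]);
        return new Outcome(401, "Basic realm=\"" + REALM + "\"", null);
    }

    public static void main(String[] args) {
        // Constructed sample headers: missing, wrong scheme, broken encoding, wrong password, correct.
        String good = "Basic " + Base64.getEncoder().encodeToString("rahulk:rahulk".getBytes(StandardCharsets.UTF_8));
        String bad  = "Basic " + Base64.getEncoder().encodeToString("rahulk:wrong".getBytes(StandardCharsets.UTF_8));
        for (String h : new String[] { null, "Bearer xyz", "Basic !!notbase64", bad, good }) {
            Outcome o = check(h);
            System.out.println((h == null ? "(no header)" : h) + " -> " + o.status
                    + (o.user != null ? " user=" + o.user : " WWW-Authenticate: " + o.wwwAuthenticate));
        }
    }
}
```

Only the last header yields 200; every other case gets the same 401 challenge, so a caller cannot tell a malformed header from a wrong password. The slides' point that base-64 is reversible is why this check must run only over SSL: decodeBasic recovers the password exactly as any observer of a plain-HTTP connection could.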

Slide 18 of 19

Summary
– Security Concepts
– Security Mechanisms
– Pillars of Security
  • HTTP Basic Authentication
  • HTTP Digest Authentication
  • HTTPS Client Authentication
  • Form-based Authentication
– Authentication – web.xml
– Users – tomcat-users.xml

Slide 19 of 19

Summary
– Declarative Security
  • Advantages
  • Limitations
  • Implementing Declarative Security
– Programmatic Security
  • Advantages
  • Limitations
  • Implementing Programmatic Security