meljun cortes handling error and security

Upload: meljun-cortes-mbampa

Post on 03-Jun-2018


  • 8/11/2019 MELJUN CORTES Handling Error and Security

    1/23

    HTTP Error Codes

    An HTTP response sent from the Web server to the client includes a status code, which tells the Web browser whether the request was successful or unsuccessful.

    400 Bad Request

    401 Unauthorized

    404 Not Found

    405 Method Not Allowed

    415 Unsupported Media Type

    500 Internal Server Error

    501 Not Implemented

    503 Service Unavailable


    2/23

    Example Error Page


    3/23

    Servlet Exceptions

    In addition to HTTP errors, a Java technology Web application can generate exceptions to indicate a problem with processing the HTTP request.

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException {
        int x = 0, y = 0;
        try {
            int z = x / y;                  // always throws ArithmeticException
        } catch (ArithmeticException ae) {
            throw new ServletException(ae); // wrap it and hand it to the container
        }
    }


    4/23

    Using Custom Error Pages

    The generic error pages provided by the Web browser (for HTTP error codes) and the Web container (for servlet exceptions) are often ugly and not very informative to the end user. The container's default exception page is also a disclosure problem: it typically prints the exception class, its message and the full stack trace, which tells anyone who can trigger the error which classes, libraries and file paths the application uses.

    Two ways to activate an error page within a Web application:

    Declarative
    Programmatic


    5/23

    Declaring HTTP Error Pages

    The error-page element in the deployment descriptor declares to the Web container that if an HTTP response is being sent back with a particular status code (for example, 404 Not Found), then the HTML of the response is taken from the error page of your choice.

    It contains two subelements: error-code and location.


    6/23

    Example Custom Error Page

    <error-page>
        <error-code>404</error-code>
        <location>/error/404.html</location>
    </error-page>


    7/23

    Declaring Servlet Exception Error Pages

    Using the error-page element, the Web container can forward specific exception types to the error page of your choice.

    The exception-type subelement is used to identify the fully qualified exception class. The container matches the thrown exception (or, for a ServletException, its root cause) against the declared type and its superclasses, so an entry for java.lang.Throwable acts as a catch-all.

    <error-page>
        <exception-type>java.lang.NumberFormatException</exception-type>
        <location>/error/bad_number</location>
    </error-page>


    8/23

    Programmatic Exception Handling

    The servlet contains code to catch all exceptions and handle them directly.

    To handle exceptions programmatically, all error-prone business logic is wrapped in a try-catch block.


    9/23

    Example

    // ErrorProneServlet class
    // Servlet imports
    import javax.servlet.http.*;
    import javax.servlet.*;
    // Support classes
    import java.io.IOException;

    public final class ErrorProneServlet extends HttpServlet {

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {


    10/23

    Example (cont..)

            String string = null;
            try {
                // Attempt to access the first character
                // of a null String object
                string.charAt(0);
            // Catch exceptions and forward to the Exception Handler servlet
            } catch (Exception e) {
                ServletContext context = getServletContext();
                RequestDispatcher errorPage =
                    context.getNamedDispatcher("ExceptionHandler");
                request.setAttribute("javax.servlet.error.exception", e);
                request.setAttribute("javax.servlet.error.request_uri",
                    request.getRequestURI());
                errorPage.forward(request, response);
            }
        }
    }


    11/23

    Example (cont..)

    // ExceptionDisplay class
    // Servlet imports
    import javax.servlet.http.*;
    import javax.servlet.*;
    // Support classes
    import java.io.*;

    public final class ExceptionDisplay extends HttpServlet {

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException {

            response.setContentType("text/html");
            PrintWriter out = response.getWriter();


    12/23

    Example (cont..)

            // Attributes set by the forwarding servlet (or by the container)
            Throwable exception = (Throwable)
                request.getAttribute("javax.servlet.error.exception");
            String expTypeFullName = exception.getClass().getName();
            String expTypeName =
                expTypeFullName.substring(expTypeFullName.lastIndexOf(".") + 1);
            // Read but not echoed: the URI is attacker-controlled and would need
            // HTML escaping before being written into the page
            String request_uri = (String)
                request.getAttribute("javax.servlet.error.request_uri");

            out.println("<html>");
            out.println("<head>");
            out.println("<title>ServletException</title>");
            out.println("</head>");
            out.println("<body>");
            out.println("<table>");
            out.println("<tr>");
            out.println("<td>Exception type:</td>");


    13/23

    Example (cont..)

            out.print("<td>");
            out.print(expTypeName);   // only the simple class name reaches the user
            out.println("</td>");
            out.println("</tr>");
            out.println("</table>");
            out.println("</body>");
            out.println("</html>");
        }
    }


    14/23

    Web Security Issues

    Security is critical to any Web application because the Web server is exposed to the Internet directly.

    Web security is a challenging field.


    15/23

    Authentication

    Authentication is the process of verifying the user's identity.

    Authentication is a security measure that can be configured in the Web container.

    Authentication techniques:

    BASIC
    DIGEST
    FORM
    CLIENT-CERT


    16/23

    Declarative Authentication

    Use the deployment descriptor to declare the Web application's authentication technique:

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>


    17/23

    BASIC Authentication

    The BASIC authentication method uses the built-in HTTP BASIC authentication protocol: the browser prompts for a username and password and sends them in an Authorization header with every request.

    The Web container verifies the data against the vendor-specific security realm.

    The credentials are only Base64-encoded, not encrypted, so BASIC must only be used over HTTPS (a CONFIDENTIAL transport-guarantee on the protected resources); on plain HTTP anyone on the path can read the password.


    18/23

    Form-based Authentication

    The Servlet specification allows you to configure the Web application to perform authentication using your own HTML pages.

    This configuration is set in the login-config element.

    The login form is a special HTML form. The Servlet specification mandates that the ACTION attribute of the form must be j_security_check, and that the username and password input fields must be named j_username and j_password respectively. The form should be submitted with POST so the password does not appear in URLs or access logs, and the same HTTPS requirement as for BASIC applies, since the password otherwise travels in clear text.


    19/23

    Authorization

    Authorization is the process of partitioning Web resources based on user roles: deciding which authenticated users may reach which resources.

    It is a security measure that can be configured in the Web container.


    20/23

    Declarative Authorization

    To implement declarative authorization you must:

    1. Identify the Web resource collections
    2. Identify the roles
    3. Map the Web resource collections to the roles
    4. Identify the users in each of those roles


    21/23

    Web Resource Collection

    A Web resource collection is a group of Web pages and servlet Uniform Resource Identifiers (URIs).

    A Web resource collection is configured in the deployment descriptor. The web-resource-collection element includes two subelements: url-pattern and http-method. If no http-method is listed, the constraint applies to every HTTP method; listing only GET and POST protects just those two and leaves HEAD, PUT, DELETE and the rest unconstrained, which is a common misconfiguration.


    22/23

    Declaring Security Roles

    The next step is to configure the security roles of users that are authorized to access the Web resource collection. This is configured in a security-constraint element.

    An auth-constraint element is included in the security constraint. It has a subelement named role-name. A security-constraint with no auth-constraint lets anyone reach the collection, while an empty auth-constraint denies everyone; each role-name used must also be declared in a security-role element.
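    A complete deployment descriptor that ties the declarative pieces together, added here as an example and not taken from the original slides: the error-page declarations of slides 5 to 7 (with a catch-all for java.lang.Throwable so the container's default stack-trace page is never shown), a FORM login-config, and a security-constraint built from a web-resource-collection, an auth-constraint and a user-data-constraint. The servlet class example.SafeExceptionHandler, the paths /error/generic, /login.html, /login-failed.html and /admin/*, the realm name and the role admin are assumptions of this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (Servlet 2.5 descriptor), not from the original slides.
     Class name, paths, realm name and role name are this example's own choices. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Error pages: a static page for 404, a servlet for 500 and for any exception.
       java.lang.Throwable matches every exception type, so the container's default
       page (which prints the stack trace) is never sent to the client. -->
  <error-page>
    <error-code>404</error-code>
    <location>/error/404.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error/generic</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/generic</location>
  </error-page>

  <!-- Registered under the name "ExceptionHandler" so that
       getNamedDispatcher("ExceptionHandler") in a catch block reaches it too. -->
  <servlet>
    <servlet-name>ExceptionHandler</servlet-name>
    <servlet-class>example.SafeExceptionHandler</servlet-class> <!-- assumed class -->
  </servlet>
  <servlet-mapping>
    <servlet-name>ExceptionHandler</servlet-name>
    <url-pattern>/error/generic</url-pattern>
  </servlet-mapping>

  <!-- Authentication: FORM login with the application's own pages. /login.html must
       contain a form whose action is j_security_check with fields j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-failed.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Authorization: everything under /admin/ requires the admin role over HTTPS.
       No http-method element is listed on purpose: naming only GET and POST would
       leave HEAD, PUT, DELETE and the other methods unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

    Two checks worth running against a descriptor like this: confirm that every url-pattern you believe is protected really is (an unprotected /admin (no trailing slash) or a second mapping to the same servlet is a classic bypass), and confirm that the protected collection carries no http-method list unless you also constrain the methods you left out. The CONFIDENTIAL transport-guarantee makes the container redirect plain HTTP requests for /admin/* to HTTPS, which is what keeps the FORM password and the session cookie off the wire.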


    23/23

    Security Realms

    A security realm is a software component for matching users to roles. It also verifies the user's password. Every Web container must include a security realm.

    Flat file (MemoryRealm class in the Tomcat server)
    Database tables (JDBCRealm class in the Tomcat server)
    Lightweight Directory Access Protocol (LDAP)
    Network Information System (NIS)

    Whichever realm is used, configure it to store hashed passwords rather than plaintext: a flat-file or database realm holding clear-text passwords turns a single file read or SQL injection into a full credential dump.