wcd session 23

Upload: ritusawant

Post on 02-Jun-2018


• 8/10/2019 WCD Session 23

Slide 1 of 19, Ver. 1.0

Web Component Development With Servlet and JSP Technologies

Objectives

In this session, you will learn to:

Identify the need for Web security

Identify authentication techniques

Restrict resource usage

Secure a Java Web application

Slide 2 of 19

Overview of Web Security

A Web application must address security because it handles the data that organizations use to carry out their day-to-day operations.

Some of the common security threats are:

Unauthorized Access

Malicious Code

To counter security threats, you can implement different security techniques, such as:

Authentication

Authorization

Data Integrity

Auditing

Slide 3 of 19

Overview of Web Security (Contd.)

To counter security threats, you can implement different security techniques, such as:

Authentication: Is the process of verifying the identity a user claims, usually by checking a credential such as a password or a certificate.

Authorization: Specifies the rights assigned to an authenticated user to access resources of a Web application. Using authorization, a Web application decides which data and resources are made available to which type of user.

Data Integrity: Ensures that data is not modified while being transferred between the server and the client. Integrity is provided by message authentication codes and digital signatures; encryption by itself protects confidentiality, not integrity, which is why Web applications rely on TLS (HTTPS), which provides both.

Auditing: Secures Web applications by keeping a record of security-relevant events (who logged in, what was accessed, what was denied) together with the rights assigned to different types of Web users. Reviewing the audit trail is how you detect misuse and security flaws in a Web application.

Slide 4 of 19

Authentication Techniques

Various types of authentication techniques to validate user information are:

Basic Authentication

Form-Based Authentication

Digest Authentication

Client-Cert Authentication

Slide 5 of 19

Basic Authentication

Is a technique of authenticating users before allowing them access to protected resources.

In case of basic authentication, the server enforces security through the Web browser: the server answers with a 401 challenge, the browser prompts for a user name and password, and then resends the request with the credentials in an Authorization header.

The credentials are only Base64-encoded, not encrypted, and the browser repeats them on every request to that realm, so basic authentication must be used over HTTPS.

Slide 6 of 19

Form-Based Authentication

Allows creating a customized login page for a Web application.

Is the most widely used technique to authenticate users.

Is used by most banking, e-commerce and mail sites.

The login form posts the user name and password to the container, which validates them against the realm and then either continues to the requested page or shows the configured error page. As with basic authentication, the credentials travel in clear text unless the login page and the form submission are served over HTTPS.

Slide 7 of 19

Digest Authentication

Is an authentication technique where the administrator specifies the contents that are to be secured on a Web site and the users that have access to the content.

When a user tries to access a secured resource, a dialog box appears on the Web browser that accepts the username and password, as with basic authentication.

The difference is what is sent: the browser does not transmit the password. It combines the user name, realm and password with a one-time value (nonce) supplied by the server and sends an MD5 hash of the result. The server recomputes the same hash from its stored credential and compares the two; nothing is encrypted or decrypted, and a captured response cannot be replayed once the nonce is no longer valid. Because it relies on MD5 and protects only the password, not the rest of the request, digest authentication is still best run over HTTPS.
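The exchange described on the last three slides, as an added example that is not part of the original session: a small Python model of what a browser sends for basic and for digest authentication, and how a server checks a digest response by recomputing the hash rather than decrypting anything. The realm name, user name, password and URL are constructed values for illustration; the server is a toy that accepts each nonce once instead of tracking nonce counts.

```python
"""Added example: what crosses the wire in Basic and Digest HTTP authentication.
Realm, user, password and URI below are constructed values, not from the slides."""
import base64
import hashlib
import secrets

REALM = "mailRealm"  # assumed realm name


def basic_header(username: str, password: str) -> str:
    """Authorization header value a browser sends for Basic auth.
    The credentials are only Base64-encoded, not encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header_value: str) -> tuple:
    """Anyone who can read the request (no TLS) recovers the password."""
    scheme, token = header_value.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password): all the server needs to store."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_client(username, password, realm, method, uri, nonce) -> dict:
    """What the browser sends after a 401 Digest challenge: a hash, never the password."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    ha1 = digest_ha1(username, realm, password)
    return {"username": username, "method": method, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}


class DigestServer:
    """Toy server side: recompute and compare, nothing is decrypted.
    Simplification: each issued nonce is accepted once, which defeats replay."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # Store HA1 only, as a container's digest realm does; never the password.
        self._ha1 = {u: digest_ha1(u, realm, p) for u, p in users.items()}
        self._live_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self._live_nonces:
            return False  # unknown, expired or already-used nonce
        ha1 = self._ha1.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        ok = secrets.compare_digest(expected, response)
        if ok:
            self._live_nonces.discard(nonce)
        return ok


if __name__ == "__main__":
    print(basic_header("chris", "s3cret"), "->", basic_decode(basic_header("chris", "s3cret")))
    srv = DigestServer(REALM, {"chris": "s3cret"})
    msg = digest_client("chris", "s3cret", REALM, "GET", "/mail/inbox", srv.challenge())
    print("digest response:", msg["response"], "valid:", srv.verify(**msg))
    print("replay accepted:", srv.verify(**msg))
```

Run it once and compare the two cases: the Basic header decodes straight back to the password, while the digest message contains only hashes and nonces, and the same message presented a second time is rejected.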

Slide 8 of 19

Client-Cert Authentication

The server authenticates a client using digital certificates: the client presents its X.509 certificate during the TLS handshake and proves possession of the matching private key, so this technique is only available over HTTPS.

The digital certificates are issued by a Certificate Authority (CA) that the server trusts and provide a mechanism to authenticate the identity of the certificate holder.

Slide 9 of 19

Restricting Resource Usage

In a J2EE Web application, you can protect resources against unauthorized access by creating users and user groups in the application server.

You can then define roles for your application and assign roles to the users during the deployment process.

Slide 10 of 19

Creating Authorized Users

To create a user in the Sun Java System Application Server 9, you need to have administrative rights.

Only users authorized as administrators can create and manage users in the Sun Java System Application Server.

Slide 11 of 19

Creating Roles

Role refers to a common name for a group of users having similar permissions, such as adding new resources, removing resources or modifying server settings in the Web application.

You can create roles using the Sun Java System Application Server Admin Console.

The deployment descriptor specifies user roles using the , and deployment descriptor tags.

Slide 12 of 19

Specifying Authentication Techniques

The authentication type to be used to secure a Web application is specified during the deployment process of the Web application.

Specifying the Deployment Descriptor Tags for Basic Authentication Type

The deployment descriptor of a Web application specifies basic authentication type using the , and deployment descriptor tags.

Specifying the Deployment Descriptor Tags for Form-Based Authentication

The deployment descriptor of a Web application specifies form-based authentication type using the , , , , and deployment descriptor tags.

Slide 13 of 19

Specifying Authentication Techniques (Contd.)

Specifying the Deployment Descriptor Tags for Digest Authentication

The deployment descriptor of a Web application specifies digest authentication type using the , and deployment descriptor tags.

Specifying the Deployment Descriptor Tags for Client-Cert Authentication

The deployment descriptor of a Web application specifies client-cert authentication type using the , and deployment descriptor tags.

Slide 14 of 19

Specifying Authentication Techniques (Contd.)

The Security Constraint for the authentication mechanism

Specifies the Web resource collection that needs to be protected: the URL patterns, and optionally the HTTP methods, that are checked before allowing access to the collection. If a constraint lists specific HTTP methods, every other method on those URLs stays unprotected, so omit the method list unless you really mean to restrict only those methods.

Specifies the role for which the constraint is enforced and the transport guarantee, that is, whether data between the client and server may travel over plain HTTP or must be protected by TLS.

Slide 15 of 19

Specifying Authentication Techniques (Contd.)

In a secure J2EE Web application, you need to map roles to the list of users created in the J2EE application server.

Role mapping is required to specify the permissions or rights associated with a user role.

Roles are mapped during the deployment process of a Web application.

The deployment descriptor specifies security role mapping using the , and deployment descriptor tags.

Slide 16 of 19

Demo: Implementing Security

Chris wants to read his e-mails on the server. He sends his login information to the server, which validates the information entered by Chris. If the login is successful, the server should display a login success message or else display an error message. Chris decides to authenticate his login information using form-based authentication.

Slide 17 of 19

Demo: Implementing Security (Contd.)

Solution:

Create the Web application

Create users using the Sun Java System Application Server Admin Console

Create a servlet for form-based authentication

Create the login form

Create the error page

Create a security role

Specify the security elements for form-based authentication

Map the security role

Deploy the application

Test the application
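The descriptor tags from slides 12 to 15 and the demo steps above, as an added example that is not part of the original session: a Python re-implementation (not the container's own code) of how a servlet container applies the security constraints, the login configuration and the roles in web.xml to an incoming request. The web.xml is constructed for the mail demo; the tag names are the standard ones, while the URL patterns, role names, realm name and page paths are assumptions.

```python
"""Added example: how a servlet container applies web.xml security constraints.
Not container code; tags are standard, the paths, roles and realm are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Mailbox</web-resource-name>
      <url-pattern>/mail/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>mailuser</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>mailRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>mailuser</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


@dataclass
class Constraint:
    patterns: list
    methods: set        # empty: the constraint covers every HTTP method
    roles: object       # None: no <auth-constraint>; set(): empty one, deny all
    confidential: bool


def parse_constraints(xml_text):
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        tg = sc.find("user-data-constraint/transport-guarantee")
        out.append(Constraint(patterns, methods, roles,
                              tg is not None and tg.text.strip() != "NONE"))
    return out


def login_config(xml_text):
    lc = ET.fromstring(xml_text).find("login-config")
    return {"auth_method": lc.findtext("auth-method"),
            "login_page": lc.findtext("form-login-config/form-login-page"),
            "error_page": lc.findtext("form-login-config/form-error-page")}


def _matches(pattern, path):
    """url-pattern rules: exact match, path prefix (/foo/*) or extension (*.jsp)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern.startswith("*.") and path.endswith(pattern[1:])


def decide(constraints, method, path, secure, user_roles=None):
    """One request -> ALLOW, LOGIN, FORBIDDEN or REDIRECT_HTTPS (user_roles None = anonymous)."""
    applicable = [c for c in constraints
                  if any(_matches(p, path) for p in c.patterns)
                  and (not c.methods or method.upper() in c.methods)]
    if not applicable:
        return "ALLOW"              # uncovered: no constraint names this method/path
    if not secure and any(c.confidential for c in applicable):
        return "REDIRECT_HTTPS"     # transport guarantee is checked first
    if any(c.roles is not None and not c.roles for c in applicable):
        return "FORBIDDEN"          # an empty <auth-constraint/> precludes everyone
    if any(c.roles is None for c in applicable):
        return "ALLOW"              # a constraint with no <auth-constraint> permits all
    required = set().union(*(c.roles for c in applicable))
    if user_roles is None:
        return "LOGIN"              # container serves the form-login-page
    return "ALLOW" if "*" in required or required & set(user_roles) else "FORBIDDEN"


def method_enumerating_patterns(constraints):
    """Audit: url-patterns whose constraint lists <http-method>, so other methods are uncovered."""
    return [p for c in constraints if c.methods for p in c.patterns]
```

Feed the constructed descriptor to `parse_constraints` and try a few requests with `decide`: a plain-HTTP request to the mailbox is redirected to HTTPS, an anonymous HTTPS request is sent to the login page, and an authenticated `mailuser` gets in. The instructive case is `POST /admin/users` as an anonymous user: because the Admin constraint lists only GET, the container's rules allow it. `method_enumerating_patterns` flags exactly that pattern; the fix is to drop the `<http-method>` element or, on Servlet 3.1 containers, to add `<deny-uncovered-http-methods/>`.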

Slide 18 of 19

Summary

In this session, you learned:

To counter security threats, the various security techniques that can be implemented are:

Authentication

Authorization

Data Integrity

Auditing

Authentication is the process of verifying the identity a user claims.

Authorization specifies the rights assigned to an authenticated user to access resources of a Web application.

Data integrity ensures that data is not modified while being transferred between the server and the client.

Auditing secures Web applications by maintaining a record of security-relevant events and of the rights assigned to different types of Web users.

Slide 19 of 19

Summary (Contd.)

Various types of authentication techniques to validate user information are:

Basic Authentication

Form-Based Authentication

Digest Authentication

Client-Cert Authentication

Basic authentication is a technique of authenticating users before allowing them access to protected resources; the browser sends the credentials Base64-encoded, so it needs HTTPS.

Form-based authentication allows creating a customized login page for a Web application.

Digest authentication is an authentication technique where the administrator specifies the contents that are to be secured on a Web site and the users that have access to the content; the browser sends a hash of the credentials and a server nonce instead of the password itself.

In client-cert authentication, the server authenticates a client using digital certificates presented during the TLS handshake.