Problem
Want to restrict access to certain Web pages
Authentication Methods
Several security methods are used:
Declarative Security
- Use security mechanisms provided by the server
- BASIC and FORM-based authentication will be discussed
Programmatic Security
- Security is handled by the Web application programs
Declarative Security
- Advantage: application programs (i.e. JSPs and Servlets) do not have to do anything special
- Advantage: security holes due to bugs are less probable
- Disadvantage: server-specific process
- Disadvantage: all-or-nothing security: users either can or cannot see the page
Programmatic Security
Advantage: Not server specific
An Example
$CATALINA_BASE/conf/tomcat-users.xml
<tomcat-users>
  <role rolename="special"/>
  [more roles...]
  <user username="snoopy" password="snoopass" roles="special"/>
  [more users...]
</tomcat-users>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Special Managers</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted one</web-resource-name>
    <url-pattern>/restricted1/*</url-pattern>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>restricted two</web-resource-name>
    <url-pattern>/restricted2/*</url-pattern>
  </web-resource-collection>
  [auth-constraint with the allowed roles...]
</security-constraint>
<login-config>...</login-config>
In Tomcat, you can define an application-specific error page for a failed BASIC login; however, the WWW-Authenticate header must then be added explicitly, otherwise the browser will not prompt for credentials again
<HTML>
<BODY>
<CENTER>
<H1>Go away! You are not authorized!!</H1>
</CENTER>
</BODY>
</HTML>
Add to web.xml
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/admin/login.jsp</form-login-page>
    <form-error-page>/admin/login-error.html</form-error-page>
  </form-login-config>
</login-config>
login.jsp (the form must post to j_security_check with the field names j_username and j_password):
<HTML>
<BODY>
<FORM ACTION="j_security_check" METHOD="POST">
<TABLE SUMMARY="login form">
<TR><TD>User name:<TD><INPUT TYPE="TEXT" NAME="j_username">
<TR><TD>Password:<TD><INPUT TYPE="PASSWORD" NAME="j_password">
<TR><TD><INPUT TYPE="SUBMIT" VALUE="Log In">
</TABLE>
</FORM>
</BODY>
</HTML>
Sometimes we want the page content to depend on the authorization of the user. Use the following request methods to control content restriction:
- boolean isUserInRole(String role)
- String getRemoteUser()
Example
<security-constraint>
  <web-resource-collection>
    <web-resource-name>salary</web-resource-name>
    <url-pattern>/salary.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>executive</role-name>
    <role-name>employees</role-name>
  </auth-constraint>
</security-constraint>
Example (cont)
salary.jsp:
<HTML>
<HEAD><TITLE>Average Salary</TITLE></HEAD>
<BODY>
<H2>Employee average salary: 3895NIS</H2>
<% if(request.isUserInRole("executive")) { %>
<H2>Executive average salary: 42764NIS</H2>
<% } %>
</BODY>
</HTML>
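To make the declarative rules concrete, here is an added example (not Tomcat's code and not from the original slides) that parses a tomcat-users.xml and the two security-constraint entries shown above, and decides per path and user whether the container would let the request through at all; this is the all-or-nothing check that happens before salary.jsp ever runs its isUserInRole test. It models only exact and /prefix/* url-patterns and skips the login step; the users other than snoopy are constructed.

```python
# Added example (not Tomcat's code): model Tomcat's declarative decision.
import xml.etree.ElementTree as ET
# Constructed sample in the format of $CATALINA_BASE/conf/tomcat-users.xml
TOMCAT_USERS = """<tomcat-users>
  <user username="snoopy" password="snoopass" roles="special"/>
  <user username="boss" password="bosspass" roles="executive,employees"/>
  <user username="joe" password="joepass" roles="employees"/>
</tomcat-users>"""

# Constructed sample: the <security-constraint> entries of a web.xml
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>restricted one</web-resource-name>
      <url-pattern>/restricted1/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>special</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>salary</web-resource-name>
      <url-pattern>/salary.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>executive</role-name>
      <role-name>employees</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_roles(users_xml):
    """Map username -> set of roles (comma separated roles attribute)."""
    return {u.get("username"): set(u.get("roles", "").split(","))
            for u in ET.fromstring(users_xml).iter("user")}

def load_constraints(web_xml):
    """List of (url-patterns, role names) per <security-constraint>."""
    return [([p.text.strip() for p in sc.iter("url-pattern")],
             {r.text.strip() for r in sc.iter("role-name")})
            for sc in ET.fromstring(web_xml).iter("security-constraint")]

def matches(pattern, path):
    """Exact match, or path-prefix match for patterns ending in '/*'."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern

def may_access(path, user, roles_by_user, constraints):
    """All-or-nothing: a constrained path needs one of its roles; a path
    no constraint covers is open to anyone, authenticated or not."""
    user_roles = roles_by_user.get(user, set())
    for patterns, allowed in constraints:
        if any(matches(p, path) for p in patterns):
            return bool(user_roles & allowed)
    return True
```

Note that a path no constraint covers (for example /restricted10/x, which is not under /restricted1/) is served to anyone, which is why url-patterns deserve a careful review.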
SSL Connections
However, data packets are read by several computers on the way from the client to the server and vice versa
- Routers, proxies, etc.
In short, no one should be able to interfere with the interaction, either by reading the transferred data or by impersonating one of the sides
- Asymmetric keys: the public key is the encryption key and the private key is the decryption key
- A participant cannot tell whether the public key it received was indeed sent by the other participant
SSL Connections
The SSL (Secure Socket Layer) protocol is used
[Figure: SSL sits as a layer between HTTP and TCP/IP; the handshake is a sequence of messages exchanged between Client and Server]
SSL Certificates
To assure that the replier to the first request is the server, the server sends a certificate. The certificate contains both the server's name and its public key. The certificate is issued by a Certificate Authority (CA), which is known to the client in advance
- For example: VeriSign, Thawte, RSA Secure Server, etc.
The CA signs the certificate using a digital signature, which the client can verify using a method similar to the private-public key method
[Figure: certificate fields: Server's Name, Server's Public Key, Validity Period, Issuer's Name, Issuer's Digital Signature]
to do the following:
- Acquire a certificate
- Enable the https service, which listens on a designated port
- Declare the pages that require SSL connections
Generating a Certificate
Acquiring a certificate from a known CA costs money
Instead, we will generate our own certificate
<Connector [port and other connector attributes...]
    sslProtocol="TLS" keystoreFile="keyfile"
    keystorePass="keypass"/>