SCWCD Notes – Security

Types of bad guys (against whom security is needed):

1. Impersonator – Pretends to be an existing user and breaks into the system.
2. Upgrader – An existing user who breaches security and upgrades his rights to gain access to more facilities.
3. Eavesdropper – Steals client information and misuses it, for example stealing credit card details and using them.

Four points of servlet security:

1. Authentication (user/password) – Validates the identity of the user; aimed at Impersonators.
2. Authorization – Restricts the rights/accessibility of users; aimed at Upgraders.
3. Confidentiality – Protects data, e.g. by encryption. Used to foil eavesdroppers.
4. Data Integrity – Ensures data is not altered in transit. Also used to foil eavesdroppers.

Authentication in HTTP: how do the browser and web server communicate?

1. The browser requests "update.jsp". After receiving the request, the container looks up the URL in its security table.
2. If an entry is found in the security table, the server checks whether the resource is constrained.
3. If it is constrained, the server sends 401 ("Unauthorized") with a WWW-Authenticate header carrying the realm info.
4. The browser gets the 401, reads the realm info and prompts the user for a username and password.
5. The browser requests "update.jsp" again, this time with an Authorization HTTP header carrying the username and password. The container receives the request and checks the URL in the security table.
6. If the URL is found in the security table, the resource is constrained, so the container checks that the username and password match.
7. If the username and password match, the container checks the role (i.e. authorization) and returns "update.jsp" if the role has access to the page. Otherwise 401 is returned.


Implementing security in a web app
Who does what:
Servlet provider: No need to bother about security.
Administrator: Determines the roles and their descriptions, for example Guest, Member, Admin. Authentication is set up by the admin.
Deployer: Determines which role may access which resource/servlet. The last three points, i.e. authorization, confidentiality and data integrity, are handled by the deployer.

Authentication: A user can't be authorized until he is authenticated. The servlet spec doesn't say how the container should implement authentication; how the username and password data are kept is entirely vendor dependent.
realm: This is the place where authentication info (the user/password table) is stored. For example, Tomcat keeps all authentication data in conf/tomcat-users.xml, and it applies to all web apps deployed in the server; this file is not kept in any web-app directory. This is called a memory realm because Tomcat loads the file into memory at startup.

<tomcat-users>
  <role rolename="Guest"/>
  <role rolename="Member"/>
  <!-- the name attribute is the Tomcat 4.x form; Tomcat 5 and later use username="..." -->
  <user name="Bill" password="coder" roles="Member, Guest" />
</tomcat-users>

Remember, this file is not part of the DD (deployment descriptor).


Enabling authentication: If you want the container to ask for a user name and password, the following needs to be written in the DD (web.xml):
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
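The pieces above combined into one deployment descriptor for the update.jsp scenario, as an added example that is not from the original notes: the security-constraint is the deployer's part (authorization plus confidentiality/integrity), login-config turns on BASIC authentication, and the security-role elements declare the roles that the admin maps users to in tomcat-users.xml. The realm name and resource name are assumed values.

```xml
<!-- Added example web.xml (Servlet 2.4) for the update.jsp scenario.
     Roles, URL and auth method come from the notes; names are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Deployer: which role may access which resource -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Update page</web-resource-name>
      <url-pattern>/update.jsp</url-pattern>
      <!-- No <http-method> is listed on purpose: the constraint then covers
           every HTTP method. Listing only GET and POST would leave the
           other methods (HEAD, PUT, ...) unprotected. -->
    </web-resource-collection>

    <!-- Authorization: only Member may reach update.jsp. A user who is
         only in the Guest role authenticates fine but is still refused. -->
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>

    <!-- Confidentiality and data integrity: the container forces HTTPS
         (redirects plain HTTP requests) for this resource. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: on an unauthenticated request the container sends
       401 with WWW-Authenticate: Basic realm="Member Area" -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Member Area</realm-name>
  </login-config>

  <!-- Roles referenced by this app; users are assigned to them in the
       container's realm (conf/tomcat-users.xml), not here. -->
  <security-role>
    <role-name>Guest</role-name>
  </security-role>
  <security-role>
    <role-name>Member</role-name>
  </security-role>

</web-app>
```

With this descriptor, a request for /update.jsp as Bill (Member, Guest) succeeds, while a user holding only the Guest role passes authentication but fails the auth-constraint check.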
