SCWCD Notes – Security

Types of bad guys (against whom security is needed):

1. Impersonator – Pretends to be some existing user and breaks into the system.
2. Upgrader – An existing user who breaches security and upgrades his rights to gain access to more facilities.
3. Eavesdropper – Steals clients' information and misuses it, for example stealing credit card info and using it.

Four Points in Servlet Security-

1. Authentication (user/password) – Validates the identity of the user and is meant for Impersonators.
2. Authorization – Filters the rights/accessibility of users and is for Upgraders.
3. Confidentiality – Securing data, e.g. encryption. Used to foil eavesdroppers.
4. Data Integrity – Used to foil eavesdroppers.

Authentication in HTTP: how do the browser and web server communicate?

1. The browser requests “update.jsp”. After receiving the request, the container looks up the URL in the security table.
2. If an entry is found in the security table, the server checks whether the resource is constrained.
3. If it is constrained, the server sends 401 (“Unauthorized”) with a WWW-Authenticate header and realm info.
4. The browser gets the 401 and, after getting the realm info, asks the user for username and password.
5. The browser requests “update.jsp” again, this time with the security HTTP header carrying the username and password. The container receives the request and checks the URL in the security table.
6. If the URL is found in the security table and the resource is constrained, the container checks the username and password to make sure they match.
7. If the username and password match, the container checks the role (i.e. authorization) and returns “update.jsp” if the role has access to the page. Otherwise 401 is returned.

Implementing Security in web-app
Who:
Servlet Provider: No need to bother about security.
Administrator: Determines the types of roles and their descriptions, for example Guest, Member, Admin. Authentication is done by the admin.
Deployer: Determines which role can access which resource/servlet. The last three points, i.e. authorization, confidentiality and data integrity, are done by the deployer.

Authentication: A user can’t be authorized until he is authenticated. The Servlet spec doesn’t say how the container should implement authentication; how username and password data is kept is entirely vendor dependent.
realm: This is the place where authentication info (the user/password table) is stored. For example, Tomcat keeps all authentication data in conf/tomcat-users.xml, and it applies to all web apps deployed on the server. This file is not kept in any web-app directory. This is called a memory realm because Tomcat loads the file into memory at startup.
<tomcat-users>
<role rolename="Guest"/>
<role rolename="Member"/>
<user name="Bill" password="coder" roles="Member, Guest" />

</tomcat-users>

Remember, this file is not part of the DD (deployment descriptor).

Enabling Authentication: If you want the container to ask for a username and password, the following needs to be written in the DD.
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
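
The seven-step BASIC exchange described earlier, simulated with the Bill/coder user from the tomcat-users.xml sample. This is an added example, not part of the original notes or of any container's code; the realm name, the security table contents and the function names are assumptions made for illustration.

```python
import base64
import hmac

# Constructed data mirroring the notes' tomcat-users.xml sample (the realm).
REALM_NAME = "Example Realm"   # hypothetical realm name
USERS = {"Bill": {"password": "coder", "roles": {"Member", "Guest"}}}
# Hypothetical security table: constrained URL -> roles allowed to access it.
SECURITY_TABLE = {"/update.jsp": {"Member"}, "/admin.jsp": {"Admin"}}


def basic_header(user, password):
    """What the browser sends in step 5: base64 of 'user:password', not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(url, authorization=None):
    """Simulate the container's decision; returns (status, response_headers)."""
    allowed_roles = SECURITY_TABLE.get(url)
    if allowed_roles is None:                   # steps 1-2: URL is not constrained
        return 200, {}
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM_NAME}"'}
    creds = parse_basic(authorization)
    if creds is None:                           # step 3: no usable credentials yet
        return 401, challenge
    account = USERS.get(creds[0])
    stored = account["password"] if account else ""
    # Step 6: constant-time comparison; unknown users fail the same way.
    if not hmac.compare_digest(creds[1].encode(), stored.encode()) or account is None:
        return 401, challenge
    if not (account["roles"] & allowed_roles):  # step 7: role check (authorization)
        return 401, challenge                   # status as given in step 7 of the notes
    return 200, {}
```

Because `parse_basic` recovers the password from the header without any key, BASIC authentication on its own gives no confidentiality, which is why the notes list it as a separate point.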

Copyright © 2012 CertBible