Monday, June 8, 2009

SCWCD Notes - Security

Types of bad guys (for whom security is needed) -
  1. Impersonator - Pretends to be some existing user and breaks into the system.
  2. Upgrader - An existing user who breaches security and upgrades his rights to get access to more facilities.
  3. Eavesdropper - Steals clients' information and misuses it, for example stealing credit card info and using it.

Four Points in Servlet Security-

  1. Authentication (user/password) - Validates identity of user and is meant for Impersonators.
  2. Authorization - Filters the rights/accessibility of users and is for Upgraders.
  3. Confidentiality - Securing data, e.g. encryption. Used to foil eavesdroppers.
  4. Data Integrity - Used to foil eavesdroppers.

Authentication in HTTP: how do the browser and web server communicate?

  1. Browser requests "update.jsp". After receiving the request, the container looks up the
    URL in the security table.
  2. If an entry is found in the security table, the server checks whether the resource is constrained.
  3. If it is constrained, the server sends 401 ("Unauthorized") with a WWW-Authenticate header
    and realm info.
  4. Browser gets the 401 and, after getting the realm info, asks the user for username and password.
  5. Browser asks for "update.jsp" again, this time with a security HTTP header carrying the username
    and password. Container receives the request and checks the URL in the security table.
  6. If the URL is found in the security table and that resource is constrained, the container checks the username and password to make sure they match.
  7. If username and password match, the container checks the role (i.e. authorization) and returns
    "update.jsp" if the role has access to the page. Otherwise 401 is returned.
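
The seven steps above, modelled as an added example (not part of the original notes, and not container code). It assumes HTTP Basic as the scheme; the realm name, the URLs in the security table and the function names are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data (assumptions, not from a real deployment).
REALM = "notes-realm"
USERS = {"Bill": {"password": "coder", "roles": {"Member", "Guest"}}}
# "Security table": constrained URL -> roles allowed to access it.
SECURITY_TABLE = {"/update.jsp": {"Member"}, "/admin.jsp": {"Admin"}}


def basic_header(user, password):
    """Step 5: the browser's Authorization value, base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def challenge():
    """Step 3: 401 plus the WWW-Authenticate header carrying the realm."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def handle(url, headers):
    """Container-side decision for one request; returns (status, headers)."""
    allowed = SECURITY_TABLE.get(url)
    if allowed is None:                      # steps 1-2: not constrained
        return 200, {}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return challenge()
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:                       # malformed base64 or bad UTF-8
        return challenge()
    user, sep, password = decoded.partition(":")
    account = USERS.get(user)
    if not sep or account is None:
        return challenge()
    if not hmac.compare_digest(account["password"].encode(), password.encode()):
        return challenge()                   # step 6: credentials do not match
    if account["roles"] & allowed:           # step 7: role check (authorization)
        return 200, {}
    # The notes return 401 here; Tomcat itself answers 403 Forbidden.
    return 401, {}


def browser_fetch(url, user, password):
    """Both requests of the exchange: unauthenticated, then with credentials."""
    first = handle(url, {})
    if first[0] != 401:
        return [first]
    return [first, handle(url, {"Authorization": basic_header(user, password)})]
```

Base64 is an encoding, not encryption: the header value decodes straight back to user:password, so Basic authentication covers only the authentication point and leaves confidentiality to the transport.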

Implementing Security in web-app
Servlet Provider : No need to bother about security.
Administrator: Determines the types of roles and their descriptions, for example Guest, Member, Admin. Authentication is done by the admin.
Deployer: Determines which role will access which resource/servlet. Last three i.e. authorization, confidentiality and data integrity are done by deployer.

Authentication: A user can't be authorized until he is authenticated. The Servlet spec doesn't say how the container should implement authentication; how the username and password data is kept is entirely vendor dependent.
realm: This is the place where authentication info (user/password table) is stored. For example, Tomcat keeps all authentication data in conf/tomcat-users.xml and it applies to all web apps deployed on the server. This file is not kept in any web-app directory. This is called a memory realm because Tomcat loads this file into memory at startup.
<role rolename="Guest"/>
<role rolename="Member"/>
<user name="Bill" password="coder" roles="Member, Guest" />

Remember, this is not part of DD.

Enabling Authentication: If you want the container to ask for a user name and password, the following needs to be written in the DD.
