Types of bad guys (against whom security is needed):
- Impersonator - Pretends to be some existing user and breaks into the system.
- Upgrader - An existing user who breaches security and upgrades his rights to gain more facilities.
- Eavesdropper - Steals information of clients and misuses it, for example stealing credit card info and using it.
Four Points in Servlet Security:
- Authentication (user/password) - Validates the identity of the user; meant for Impersonators.
- Authorization - Filters the rights/accessibility of users; meant for Upgraders.
- Confidentiality - Securing data, e.g. encryption. Used to foil eavesdroppers.
- Data Integrity - Also used to foil eavesdroppers.
Authentication in HTTP: how do the browser and web server communicate?
- Browser requests "update.jsp". After receiving the request, the container looks the URL up in the security table.
- If an entry is found in the security table, the server checks whether the resource is constrained.
- If it is constrained, the server sends 401 ("Unauthorized") with a WWW-Authenticate header carrying the realm info.
- Browser gets the 401 and, using the realm info, prompts the user for username and password.
- Browser requests "update.jsp" again, this time with the security HTTP header carrying the username and password. The container receives the request and checks the URL in the security table.
- If the URL is found in the security table, the resource is constrained, so the container checks the username and password to make sure they match.
- If the username and password match, the container checks the role (i.e. authorization) and returns "update.jsp" if the role has access to the page. Otherwise 401 is returned.
Implementing Security in a web-app
Who does what:
- Servlet provider: No need to bother about security.
- Administrator: Determines the roles and their descriptions, for example Guest, Member, Admin. Authentication is set up by the admin.
- Deployer: Determines which role can access which resource/servlet. The last three points, i.e. authorization, confidentiality and data integrity, are handled by the deployer.
Realm: This is the place where the authentication info (user/password table) is stored. For example, Tomcat keeps all authentication data in conf/tomcat-users.xml, and it applies to all web apps deployed in the server; this file is not kept in any web-app directory. This is called a memory realm because Tomcat loads the file into memory at startup.
<tomcat-users>
<role rolename="Guest"/>
<role rolename="Member"/>
<user name="Bill" password="coder" roles="Member, Guest" />
...
</tomcat-users>
Remember, this is not part of the DD (deployment descriptor, web.xml).
Enabling Authentication: If you want the container to ask for a user name and password, the following needs to be written in the DD.
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
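Putting the deployer's part together, here is an added example (not from the original post) of a web.xml that constrains "update.jsp" to the Member role from the realm above, enables BASIC authentication, and forces HTTPS; the resource name and realm name are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not from the original post). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Authorization (deployer): only users in the Member role may reach update.jsp.
       No <http-method> is listed on purpose: listing methods would leave every
       unlisted method (HEAD, PUT, ...) unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Update page</web-resource-name>   <!-- assumed name -->
      <url-pattern>/update.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>
    <!-- Confidentiality and data integrity: BASIC auth sends the password
         base64-encoded, not encrypted, so require HTTPS for this resource. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: the container answers an unauthenticated request with
       401 and "WWW-Authenticate: Basic realm=Member Area". -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Member Area</realm-name>   <!-- assumed realm name -->
  </login-config>

  <!-- Roles this app refers to; the admin maps real users to them in tomcat-users.xml. -->
  <security-role>
    <role-name>Guest</role-name>
  </security-role>
  <security-role>
    <role-name>Member</role-name>
  </security-role>
</web-app>
```

With this DD and the realm above, Bill (roles Member, Guest) can open update.jsp after authenticating, while a user holding only the Guest role is refused even with a correct password.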