8/14/2019 8 Web Application Security
Web Application Security
Different aspects of web application security
Security involves
Authentication
Authorization
Confidentiality
Data Integrity
Web application security constraints are handled either
declaratively (our focus)
programmatically
Benefits of declarative security
Declarative security has the following benefits:
Allows us to use prewritten Servlets in more flexible ways.
Reduces ongoing maintenance when the application grows.
A way to utilize the Container's services.
Supports the idea of component-based development.
Authentication
The Client sends an HTTP request (POST ...) to the Server. The Server's reaction: "I got your request, but how do I know you are who you say you are?"
Authorization
The Client sends an HTTP request (POST ...) to the Server. The Server's reaction: "Before I send you the special page I have to make sure you are allowed to see it."
Who implements security in a web application?
Administrator: decides the roles for the application, then adds the roles (admin, guest) to the Container's users file, which is vendor specific. For Tomcat it is tomcat-users.xml.
Deployer: looking at the Servlets' description, decides which role can access which Servlet and describes it to the Container through web.xml (the DD).
The tomcat-users.xml file (/conf/tomcat-users.xml)
Creates roles and maps users to roles in a vendor-specific way.
Security tags in the DD
Adding the security elements in web.xml: the role names admin and manager, and the authentication method BASIC.
The Container will map its vendor-specific role information to whatever <role-name>s it finds in the DD's <security-role> element.
The <login-config> tag enables authentication.
Testing Security 2
A <security-constraint> for the URL /UpdateController, HTTP methods GET and POST, with an <auth-constraint> naming the role manager: manager is authorized to access only one Servlet.
If there is no <auth-constraint> tag, there is no restriction on that web resource. If it is an empty tag, then no one can access the resource.
Role names are case sensitive.
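As an added example (not from the slides), here is a small Python model of how the Container applies the rules above: it reads constructed web.xml and tomcat-users.xml fragments and decides whether a user may reach a URL with a given method, covering the no-tag, empty-tag and case-sensitivity cases. It is a simplification: overlapping constraints for the same URL are not merged the way the Servlet spec requires.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the <security-constraint> elements the Deployer writes.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/UpdateController</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/LoginController</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/Closed</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
# Constructed sample tomcat-users.xml: the Administrator's vendor-specific user-to-role map.
TOMCAT_USERS = """<tomcat-users>
  <role rolename="admin"/><role rolename="manager"/>
  <user username="bob" password="x" roles="manager"/>
  <user username="alice" password="x" roles="admin,manager"/>
</tomcat-users>"""

def user_roles(users_xml, username):
    """Roles the Container grants a user, read from tomcat-users.xml."""
    for u in ET.fromstring(users_xml).iter("user"):
        if u.get("username") == username:
            return {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
    return set()

def is_authorized(web_xml, users_xml, username, url, method):
    """Model of the Container's check: each constraint covering url+method must admit a role the user holds."""
    roles = user_roles(users_xml, username)
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        if url not in [p.text for p in wrc.findall("url-pattern")]:
            continue  # constraint does not cover this resource
        methods = [m.text for m in wrc.findall("http-method")]
        if methods and method not in methods:
            continue  # only the listed methods are constrained; none listed means all
        ac = sc.find("auth-constraint")
        if ac is None:
            continue  # no <auth-constraint>: the resource is unrestricted
        allowed = {r.text for r in ac.findall("role-name")}
        if not (roles & allowed):  # empty tag admits nobody; names compared case-sensitively
            return False
    return True
```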
Testing the code in Tomcat: the index.html page.
This user is mapped to the manager role.
manager is not authorized to access the URL /LoginController.
manager is authorized to access the URL /UpdateController.