Skip to main content

Security

Security:-
a.)Network security (Network admins will take of this by using firewalls)
b.)Web application security (Programmers should take care of it)
(1)Authentication
(2)Authorization
(3)Data integrity
(4)Data privacy
(1)Authentication:-
-->Checking the identity of a user is called Authentication. It can be done by using username, passwords, thumbs, impressions, iris, face recognition and etc...
(2)Authorization:-
-->Checking the access permissions of a user to use various services that are there in the project comes under authorization
E.g: To get into banking application every one should be authenticated, but to use loan module the user must be manager role user
(3)Data Integrity:-
-->Making sure that, the data sent over the network can't be tampered(modification( by using encryption techniques is called Data integrity
(4)Data Privacy/Data Confidentiality:-
-->Making sure that sensitive data like username, passwords are not visible and accessible to others users while sending over the network
(5)Authentication Providers:-
-->It is the component/ repository /realm where username, passwords, roles will be maintained. The providers are
a.)Text files/XML files
b.)DB softwares
c.)LDAP server(we can't get password but we can reset password)
-->Always maintain user details in realm having roles like designation(manager, admin and etc...)
-->Don't provide access permissions based on username, always provide based on roles
-->Tomcat server gives <tomcat_home>\conf\tomcat-users.xml file as Security realm /Authentication provider, we can add users, roles as shown below
<role rolename="employee"/>
<role rolename="manager"/>
<user username="teja" password="hair" roles="employee"/>
<user username="vinod" password="mahi" roles="manager, employee"/>

(1)Browser gives request to servlet component
(2)Web container realizes that component is enabled with security, it sends 401 status code response to browser
(3)Browser displays dialog box asking username and password, end user submits the request from dialog box
(4)Container takes the request and verifies the credentials against the security realm
(5)Valid, if found valid container allows the request going to servlet component
(5)Invalid, container sends 401 response to browser to display the dialog box again
(6)Servlet component process the request and sends response to browser as dynamic web page
Security Models:-
a.)Programmatic Model(Not recommended)
-->We must write logics of Authentication & Authorization explicitly
b.)Declarative Model
-->Uses ServletContainer/Server managed security service
-->Based on the configurations done in web.xml , the container takes care of security operations
Different models of Authentication  in Declarative Model:-
a.)BASIC
b.)DIGEST
c.)FORM
d.)CLIENT-CERT
a.)BASIC:-
-->Uses Base64 algorithm for encoding and decoding of username and password
-->Makes browser to display fixed dialog box asking username and password from browser
-->Works in all browsers
-->Simple to use
-->Can't control the look and feel of dialog box asking username and password
b.)DIGEST:-
-->Same as BASIC but uses MD5 algorithm for encryption and decryption
-->Few browsers don't support this model
E.g
BASIC-DIGESTSecurityApp
|-->java resources
     |-->src
          |-->FirstServlet.java(servlet on which we want to enable security)
|-->WebContent
      |-->WEB-INF
            |-->web.xml
Note: To enable security model, we need to specify the following
1.)URI patterns of web components
2.)request methods
3.)role names
4.)Authentication Modes
5.)Realm names and etc...
-->While working with declarative security management, if Authentication fails when we get 401 error response page, based on these browser displays the dialog box asking username and password
-->If Authorization fails 403 error response will be generated
(3)FORM Model:-
-->Same as BASIC, allows to configure our form page instead of dialog box to get username and password details and also allows to configure our choice error page
-->While designing form page for authentication, we must take fixed names for form components and action urls
  1. Action url--> j_security_check
  2. User text box name-->j_username
  3. User password box name-->j_password
In web.xml
We can configure our form page and error page while working with form model authentication  as shown below
  1. <login-config>
  2.  <auth-method>FORM</auth-method>
  3. <realm-name>myrealm</realm-name>
  4. <form-login-page>/login.html</form-login-name>
  5. <form-error-page>/login_fail.html</form-error-page>
  6. </form-login-config>
  7. </login-config>
E.g
FormSecApp
|-->webcontent
      |-->main.jsp(jsp on which we want to enable security)
      |-->login.html(our form page)
      |-->login_fail.html(our error page)

(4)CLIENT-CERT:-
-->Allows to configure digital certificates to the server for encryption of data by enabling protocol https(http over SSL{Secured Socket Layer})
-->To generate these digital certificates we can use RSA, VeriSign and etc... algorithms
Procedure:-
a.)Generate digital certificates using RSA algorithms
Cmd>keytool -genkey -alias tomcat -keyalg RSA
Enter various details including password
•••
•••
-->Generate the digital certification in c:\users\mlec folder with the file name.keystore
b.)Configure digital certificate with server by enabling https protocol
In server.xml
  1. <connector
  2. protocol="org.apache.coyote.http11.Http11NioProtocol"
  3.  port="1025" maxThread="200"
  4.  scheme="https" secure="true" SSLEnabled="true"
  5.  keystoreFile="c:\users\mlec\.keystore
  6.  keystorePass="tejaa"
  7.  clientAuth="true" SSLProtocol="TLS"/>
c.)Given request to any web application of that server using protocol https and accept and install digital certificate
Note: Now onwards browser sends data to server using encryption techniques mentioned in the digital certificate
https://localhost:1025/DBApp
-->Accept and install digital certificate
Flow of Execution
-->After configuring digital certificate we give request to web server from browser->server sends digital certificates to browser along with the response ->Browser receives & install digital certificates ->Now onwards the data sent by browser to server will travel as encrypted data with the support of digital certificate

Comments

Popular posts from this blog

JSP Comments

Comments in JSP:- -->Compiler /Interpreter doesn't take commented code for compilation /Interpretation, so the commented code doesn't participate in execution JSP supports 3 types of comments:- a.)HTML comments /Template text comments/ Output comments Syn :- <!---text---> -->Recognized by html interpreter of browser b.)JSP comments /Hidden comments Syn :- <%--text--%> -->JSP page compiler recognize these comments c.)Java comments /Scripting comments Syn :- //-->For single line /*-- -----*/-->For multiple line -->Java compiler(java) recognize these comments -->In Eclipse IDE JES class for first.jsp comes in our(workspace)folder/.metadata/.plugins/.org eclipse Comments (1)JSP comment<%--%> (2)Java comment(// or /*--*/) (3)HTML comments(<!---> JES Source Code (1)No (2)Yes (3)Yes In JES compiled code (1)No (2)No (3)Yes In the code going to browser (1)No (2)No (3)Yes Output (1)No (2)No (3)No -->Jsp comments are not visible in any phase

Scripting Tags

JSP Tags/ Elements (1)Scriptlet     Standard syn:-         <%.........%>     xml syn:-        <jsp:scriptlet>...</jsp:scriptlet> Note: All scripting tags allows us to place script code(java code) 1.)The code placed in scriptlet go to _jspService(-,-) of JES class 2.)In a jsp page we can have zero or more scriptlets 3.)We place request processing logics in scriptlets 4.)Variables declared in scriptlets becomes the local variables in _jspService(-,-) of JES class in first.jsp In first.jsp: <% int a=10;  out.println("square:"+(a*a));%> In first_jsp.java(JES): public class first_jsp extends..{     public void _jspService(-,-){        int t=30;        out.println(“Square:”+(t*t));     }  } The code placed in scriptlet can use implicit objects of jsp because implicit objects and the code placed scriptlet goes to _jspService(-,-) method of JES class first.jsp Browser s/w name: <%out.println(request.getHeader("user-agent");%> first_jsp.java pu

Project Architecture's

1.) Functional flow/ Architecture a.) Only for 6+/7+years b.) Explain the flow of process/business 2.) Technical Flow/Architecture a.) Upto 5+ years b.) Explain technologies /components that are involved in the project Servlet & JSP Project Architecture:- 1.)What is need of Business Deligate to convert VO class object to DTO class object ? a.) If Business Deligate is not there servlet component directly prepares DTO class object by receiving and translating form data and passes to service class, if service class excepts certain input in other format like numeric employee number as string employee number then we need to modify servlet component code i.e For the changes that happened in business tier service component we have to modify servlet component of presentation tier b.) If Business Deligate is taken then it gets original form data as VO class object having string inputs and converts VO class object to DTO class object to pass to service class c.) If service class excepts