Security:-
a.)Network security (Network admins will take care of this by using firewalls)
b.)Web application security (Programmers should take care of it)
(1)Authentication
(2)Authorization
(3)Data integrity
(4)Data privacy
(1)Authentication:-
-->Checking the identity of a user is called Authentication. It can be done by using username and password, thumb impressions, iris, face recognition, etc.
(2)Authorization:-
-->Checking the access permissions of a user to use the various services that are there in the project comes under Authorization
E.g: To get into a banking application everyone should be authenticated, but to use the loan module the user must have the manager role
(3)Data Integrity:-
-->Making sure that the data sent over the network can't be tampered with (modified), by using encryption techniques, is called Data integrity
(4)Data Privacy/Data Confidentiality:-
-->Making sure that sensitive data like usernames and passwords are not visible and accessible to other users while being sent over the network
(5)Authentication Providers:-
-->It is the component/repository/realm where usernames, passwords and roles are maintained. The providers are
a.)Text files/XML files
b.)DB softwares
c.)LDAP server(we can't get password but we can reset password)
-->Always maintain user details in the realm with roles that reflect designation (manager, admin, etc.)
-->Don't provide access permissions based on username, always provide based on roles
-->Tomcat server provides the <tomcat_home>\conf\tomcat-users.xml file as its security realm/authentication provider; we can add users and roles as shown below
<role rolename="employee"/>
<role rolename="manager"/>
<user username="teja" password="hair" roles="employee"/>
<user username="vinod" password="mahi" roles="manager, employee"/>
(1)Browser gives request to servlet component
(2)Web container realizes that the component is enabled with security, so it sends a 401 status code response to the browser
(3)Browser displays a dialog box asking for username and password; the end user submits the request from the dialog box
(4)Container takes the request and verifies the credentials against the security realm
(5a)If found valid, the container allows the request to go to the servlet component
(5b)If invalid, the container sends a 401 response to the browser to display the dialog box again
(6)Servlet component processes the request and sends the response to the browser as a dynamic web page
Security Models:-
a.)Programmatic Model(Not recommended)
-->We must write logics of Authentication & Authorization explicitly
b.)Declarative Model
-->Uses ServletContainer/Server managed security service
-->Based on the configurations done in web.xml, the container takes care of the security operations
Different models of Authentication in Declarative Model:-
a.)BASIC
b.)DIGEST
c.)FORM
d.)CLIENT-CERT
a.)BASIC:-
-->Uses Base64 algorithm for encoding and decoding of username and password
-->Makes the browser display a fixed dialog box asking for username and password
-->Works in all browsers
-->Simple to use
-->Can't control the look and feel of dialog box asking username and password
b.)DIGEST:-
-->Same as BASIC but uses MD5 algorithm for encryption and decryption
-->Few browsers don't support this model
E.g
BASIC-DIGESTSecurityApp
|-->java resources
|-->src
|-->FirstServlet.java(servlet on which we want to enable security)
|-->WebContent
|-->WEB-INF
|-->web.xml
Note: To enable security model, we need to specify the following
1.)URI patterns of web components
2.)request methods
3.)role names
4.)Authentication Modes
5.)Realm names and etc...
-->While working with declarative security management, if Authentication fails the container sends a 401 error response; based on this the browser displays the dialog box asking for username and password
-->If Authorization fails, a 403 error response will be generated
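As an added example (not part of these notes), a small Python model of the container's decision for BASIC authentication against the realm above and a security-constraint from web.xml. Both XML fragments are constructed sample data; the example shows why an unauthenticated or wrongly authenticated request gets 401, why an authenticated user without the required role gets 403, and why BASIC credentials are readable in transit unless https is used.

```python
import base64
import xml.etree.ElementTree as ET
# Constructed realm in the shape of tomcat-users.xml (sample data, not a real server's file)
TOMCAT_USERS = """<tomcat-users>
  <role rolename="employee"/><role rolename="manager"/>
  <user username="teja" password="hair" roles="employee"/>
  <user username="vinod" password="mahi" roles="manager, employee"/>
</tomcat-users>"""

# Constructed web.xml fragment: only the manager role may use the loan module
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/loan/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection><auth-constraint><role-name>manager</role-name></auth-constraint>
</security-constraint></web-app>"""

def load_realm(xml_text):
    """Map username -> (password, set of roles), as the file-based realm does."""
    realm = {}
    for u in ET.fromstring(xml_text).iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        realm[u.get("username")] = (u.get("password"), roles)
    return realm

def load_constraints(xml_text):
    """Collect (url-pattern, http-methods, allowed role names) per security-constraint."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        out.append((wrc.findtext("url-pattern"),
                    {m.text for m in wrc.iter("http-method")},
                    {r.text for r in sc.iter("role-name")}))
    return out

def handle(method, path, auth_header, realm, constraints):
    """Container's decision for one request: 200 allowed, 401 not authenticated, 403 not authorized."""
    for pattern, methods, roles in constraints:
        hit = path.startswith(pattern[:-1]) if pattern.endswith("/*") else path == pattern
        if not (hit and method in methods):
            continue  # this constraint does not cover the request
        if not auth_header or not auth_header.startswith("Basic "):
            return 401  # challenge; the browser answers by showing its login dialog
        # BASIC is plain Base64 encoding, so the credentials are fully readable here (hence https)
        username, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
        entry = realm.get(username)
        if entry is None or entry[0] != password:
            return 401  # wrong credentials: the dialog is shown again
        return 200 if entry[1] & roles else 403  # authenticated but lacking the role
    return 200  # unconstrained resource needs no login
```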
c.)FORM:-
-->Same as BASIC, but allows us to configure our own form page instead of the dialog box to get the username and password details, and also allows us to configure an error page of our choice
-->While designing the form page for authentication, we must use fixed names for the form components and the action url
- Action url--> j_security_check
- Username text box name-->j_username
- Password text box name-->j_password
In web.xml
We can configure our form page and error page while working with form model authentication as shown below
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login_fail.html</form-error-page>
  </form-login-config>
</login-config>
E.g
FormSecApp
|-->webcontent
|-->main.jsp(jsp on which we want to enable security)
|-->login.html(our form page)
|-->login_fail.html(our error page)
d.)CLIENT-CERT:-
-->Allows us to configure digital certificates on the server for encryption of data by enabling the https protocol (HTTP over SSL, Secure Sockets Layer)
-->To generate these digital certificates we can use RSA, VeriSign, etc.
Procedure:-
a.)Generate digital certificates using RSA algorithms
Cmd>keytool -genkey -alias tomcat -keyalg RSA
Enter various details including password
•••
•••
-->This generates the keystore holding the digital certificate in the c:\users\mlec folder with the file name .keystore
b.)Configure digital certificate with server by enabling https protocol
In server.xml
<Connector
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  port="1025" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="c:\users\mlec\.keystore"
  keystorePass="tejaa"
  clientAuth="true" sslProtocol="TLS"/>
c.)Give a request to any web application on that server using the https protocol, then accept and install the digital certificate
Note: From now on the browser sends data to the server using the encryption techniques mentioned in the digital certificate
https://localhost:1025/DBApp
-->Accept and install digital certificate
Flow of Execution
-->After configuring the digital certificate, we give a request to the web server from the browser -> the server sends the digital certificate to the browser along with the response -> the browser receives and installs the digital certificate -> from now on the data sent by the browser to the server travels as encrypted data with the support of the digital certificate