Saturday, February 9, 2013

Head First Servlets and JSP: Chapter 11 Deploying your web app & Chapter 12 Web Security



you cannot access anything under Web-INF or Meta-INF directly


Servlet initialization 
servlet initialized when they are called you can change this behaviour like this




WEB Security
when we talk about security we are talking about
1- Authentication
2- Authorization
3- Confidentiality
4- Data Integrity

NOTE: In security we talk about REALM, simply it means where the authentication information are stored. for example in tomcat you can store the authentication information in tomcat-users.xml, tomcat will load this information to memeory. However it is better to implement this information in the deployment descriptor.

Authorization
to do it in tomcat-users.xml and in the deployment descriptor like this:


and you should set the Authentication Method in the DD

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

so as you can see the first thing you do is defining the roles in DD, now to assign these roles to a url we define a security-constraint:


as you can see we set a url-pattern and http-method and auth-contraint

of-course you can define multiple constraint, and if there is a conflict different roles will apply.

Programmatic Security
it is better to define security in xml, however you can do that in code


3 important functions when we talk about security:
1- isUserInRole
2-getUserPrincipal(): used in JEE
3- getRemoteUser(): is not used alot

Authentication
we have 4 types:

1- BASIC: uses HTTP specification, weak as there is  no encryption we just use base64, and it is an http standard so it is supported by all browsers
2- DIGEST: uses HTTP specificaiton, it is strong but not SSL, it is optional for browsers or the container to support it.
3- CLIENT-CERT: j2ee specification, uses a certificate to encrypt, it is strong
4- FORM: j2ee specification, weak as no encryption.

so in BASIC, DIGEST and CLIENT-CERT, we basically uses the browser to handle the Authentication, in FORM we are using our own form.

when see that the method is weak it means you should use HTTPs with this method.

Integrity and confidentiality
when we talk about integrity it means that the data must not changed along the way
when we talk about confidentiality, it means that the data must not be seen by anybody

you can set this value by





Permitted values

  • NONE - no special transport guarantees (this is the default if there is no user-data-constraint defined)
  • INTEGRAL - data must be sent in a way that guarantees it cannot be changed during transmission (ie: data is checksummed, SSL achieves this)
  • CONFIDENTIAL - data must be sent in a way that guarantees it canot be observed (or changed) during transmission (ie: data is encrypted, SSL achieves this)

so basically what tomcat does, if a request comes and it is not secure, it will send 301 redirect to https address so the browser can do the request again.




No comments:

Post a Comment