Security

Security:-
a.)Network security (Network admins will take of this by using firewalls)
b.)Web application security (Programmers should take care of it)
(1)Authentication
(2)Authorization
(3)Data integrity
(4)Data privacy
(1)Authentication:-
-->Checking the identity of a user is called Authentication. It can be done by using username, passwords, thumbs, impressions, iris, face recognition and etc...
(2)Authorization:-
-->Checking the access permissions of a user to use various services that are there in the project comes under authorization
E.g: To get into banking application every one should be authenticated, but to use loan module the user must be manager role user
(3)Data Integrity:-
-->Making sure that, the data sent over the network can't be tampered(modification( by using encryption techniques is called Data integrity
(4)Data Privacy/Data Confidentiality:-
-->Making sure that sensitive data like username, passwords are not visible and accessible to others users while sending over the network
(5)Authentication Providers:-
-->It is the component/ repository /realm where username, passwords, roles will be maintained. The providers are
a.)Text files/XML files
b.)DB softwares
c.)LDAP server(we can't get password but we can reset password)
-->Always maintain user details in realm having roles like designation(manager, admin and etc...)
-->Don't provide access permissions based on username, always provide based on roles
-->Tomcat server gives <tomcat_home>\conf\tomcat-users.xml file as Security realm /Authentication provider, we can add users, roles as shown below
<role rolename="employee"/>
<role rolename="manager"/>
<user username="teja" password="hair" roles="employee"/>
<user username="vinod" password="mahi" roles="manager, employee"/>

(1)Browser gives request to servlet component
(2)Web container realizes that component is enabled with security, it sends 401 status code response to browser
(3)Browser displays dialog box asking username and password, end user submits the request from dialog box
(4)Container takes the request and verifies the credentials against the security realm
(5)Valid, if found valid container allows the request going to servlet component
(5)Invalid, container sends 401 response to browser to display the dialog box again
(6)Servlet component process the request and sends response to browser as dynamic web page
Security Models:-
a.)Programmatic Model(Not recommended)
-->We must write logics of Authentication & Authorization explicitly
b.)Declarative Model
-->Uses ServletContainer/Server managed security service
-->Based on the configurations done in web.xml , the container takes care of security operations
Different models of Authentication  in Declarative Model:-
a.)BASIC
b.)DIGEST
c.)FORM
d.)CLIENT-CERT
a.)BASIC:-
-->Uses Base64 algorithm for encoding and decoding of username and password
-->Makes browser to display fixed dialog box asking username and password from browser
-->Works in all browsers
-->Simple to use
-->Can't control the look and feel of dialog box asking username and password
b.)DIGEST:-
-->Same as BASIC but uses MD5 algorithm for encryption and decryption
-->Few browsers don't support this model
E.g
BASIC-DIGESTSecurityApp
|-->java resources
     |-->src
          |-->FirstServlet.java(servlet on which we want to enable security)
|-->WebContent
      |-->WEB-INF
            |-->web.xml
Note: To enable security model, we need to specify the following
1.)URI patterns of web components
2.)request methods
3.)role names
4.)Authentication Modes
5.)Realm names and etc...
-->While working with declarative security management, if Authentication fails when we get 401 error response page, based on these browser displays the dialog box asking username and password
-->If Authorization fails 403 error response will be generated
(3)FORM Model:-
-->Same as BASIC, allows to configure our form page instead of dialog box to get username and password details and also allows to configure our choice error page
-->While designing form page for authentication, we must take fixed names for form components and action urls
  1. Action url--> j_security_check
  2. User text box name-->j_username
  3. User password box name-->j_password
In web.xml
We can configure our form page and error page while working with form model authentication  as shown below
  1. <login-config>
  2.  <auth-method>FORM</auth-method>
  3. <realm-name>myrealm</realm-name>
  4. <form-login-page>/login.html</form-login-name>
  5. <form-error-page>/login_fail.html</form-error-page>
  6. </form-login-config>
  7. </login-config>
E.g
FormSecApp
|-->webcontent
      |-->main.jsp(jsp on which we want to enable security)
      |-->login.html(our form page)
      |-->login_fail.html(our error page)

(4)CLIENT-CERT:-
-->Allows to configure digital certificates to the server for encryption of data by enabling protocol https(http over SSL{Secured Socket Layer})
-->To generate these digital certificates we can use RSA, VeriSign and etc... algorithms
Procedure:-
a.)Generate digital certificates using RSA algorithms
Cmd>keytool -genkey -alias tomcat -keyalg RSA
Enter various details including password
•••
•••
-->Generate the digital certification in c:\users\mlec folder with the file name.keystore
b.)Configure digital certificate with server by enabling https protocol
In server.xml
  1. <connector
  2. protocol="org.apache.coyote.http11.Http11NioProtocol"
  3.  port="1025" maxThread="200"
  4.  scheme="https" secure="true" SSLEnabled="true"
  5.  keystoreFile="c:\users\mlec\.keystore
  6.  keystorePass="tejaa"
  7.  clientAuth="true" SSLProtocol="TLS"/>
c.)Given request to any web application of that server using protocol https and accept and install digital certificate
Note: Now onwards browser sends data to server using encryption techniques mentioned in the digital certificate
https://localhost:1025/DBApp
-->Accept and install digital certificate
Flow of Execution
-->After configuring digital certificate we give request to web server from browser->server sends digital certificates to browser along with the response ->Browser receives & install digital certificates ->Now onwards the data sent by browser to server will travel as encrypted data with the support of digital certificate

Comments

Post a Comment

Express your feelings

Popular posts from this blog

Project Architecture's

Image
1.) Functional flow/ Architecture a.) Only for 6+/7+years b.) Explain the flow of process/business 2.) Technical Flow/Architecture a.) Upto 5+ years b.) Explain technologies /components that are involved in the project Servlet & JSP Project Architecture:- 1.)What is need of Business Deligate to convert VO class object to DTO class object ? a.) If Business Deligate is not there servlet component directly prepares DTO class object by receiving and translating form data and passes to service class, if service class excepts certain input in other format like numeric employee number as string employee number then we need to modify servlet component code i.e For the changes that happened in business tier service component we have to modify servlet component of presentation tier b.) If Business Deligate is taken then it gets original form data as VO class object having string inputs and converts VO class object to DTO class object to pass to service class c.) If serv
Next »

JSP Life Cycle

Image
a.)InstantiationEvent(when container creates JES class object) Life cycle methods These life cycle methods will be called through servlet life cycle method(init(ServletConfig)) 1.) jspInit()->for programmers initailization logic 2.) _jspInit()->for container initialization logic b.)Request Processing Event Life cycle methods These method will be called through servlet life cycle method 1st service(req,res) 1.) _jspService(-,-) c.)Destruction Event(When container is about to destroy JES class object) Life cycle methods These methods will be called through destroy() life cycle method of servlet component 1.) jspDestroy()-->for programmer 2.) _jspDestroy()-->for container JSP life cycle methods are called through servlet life cycle methods with support of JES class super class(HttpJspBase in tomcat server) Two phases of JSP a.)Phase-1(Translation Phase) Here jsp pages will be translated into an equivalent servlet class
Next »

AdvertisementRotator

Add Rotator App(AdvertisementRotator): 1.)Add should come as graphical hyper link 2.)Add should come randomly 3.)Add should be changed at regular intervals 4.)Follow mvc1 architecture (jsp with java class /java bean) AddRotatorApp |-->java resources      |-->src          |-->xyz.bean               |-->Rotator.java |-->webcontent      |-->addrotator.jsp      |-->1.png, 2.png, 3.png, 4.png, 5.png      |-->WEB-INF          |-->web.xml Rotator.java package xyz.bean; import java.util.Random; public class Rotator { int addNo;   private String images[] = { "1.png", "2.png", "3.png", "4.png", "5.png" };   private String links[] = { "http://www.raymond.in", "http://onlyvimal.co.in",      "https://www.peterengland.com", "http://www.siyaram.com", "https://www.ramrajcotton.in" };    public void nextAdd() {       Random rad = n
Next »