Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
cse 510 web data engineering

CSE 510 Web Data Engineering Access Control Authentication & - PowerPoint PPT Presentation

Oct 09, 2023 •272 likes •542 views

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web Data Engineering Access Control Mechanisms Declarative Authorization using Realms The expression of app security external to the app

  1. CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web Data Engineering

  2. Access Control Mechanisms • Declarative Authorization using Realms – The expression of app security external to the app – Separate from your JSP and Java code – Based on specifying centralized policy – Based on static roles who are groups of users that have access to particular resources (typically pages) – Configured in web.xml • Programmatic – Your code is responsible – Choose when you need to create intricate access control strategies 2 UB CSE 510 Web Data Engineering

  3. Declarative Authorization Using Realms • PLUS: Really simple! • MINUS: Static policy (very rarely a problem) • Memory, JDBC, DataSource and JNDI Realms are “ready out of the box” • Memory Realm – Users’ info is static – Clear text passwords – Define in <TOMCAT_HOME>/conf/tomcat-user.xml • JDBC Realm – Users’ info is stored in DB (preferred) • Authentication Method – BASIC, DIGEST, FORM 3 UB CSE 510 Web Data Engineering

  4. Authentication Method – 1: BASIC Usage: • Pop up a dialog box • Browser-based authentication • User & Password are sent in every HTTP request • Must exit the browser to logout 4 UB CSE 510 Web Data Engineering

  5. Authentication Method – 2: DIGEST Usage: • Same as BASIC • Username and password are encrypted into a message digest value 5 UB CSE 510 Web Data Engineering

  6. Authentication Method – 3: FORM Usage: • Define your own login and error page • Authentication is defined in servlet session • Logout by session.invalidate() 6 UB CSE 510 Web Data Engineering

  7. Authentication Method – 4: Client Usage • Implemented with SSL (Secure Sockets Layer) • Requires the client to possess a public key certificate • Most secure, but costly 7 UB CSE 510 Web Data Engineering

  8. Memory Realm Example • Using tomcat-users.xml file • Two classes of users: student, admin • All http://host/app/admins/* pages will be accessed only by administrators • All http://host/app/students/* pages will be accessed by students and administrators • “john” is a student • “ted” is a student • “yvette” is an administrator 8 UB CSE 510 Web Data Engineering

  9. Security Constraints web.xml <security-constraint> <web-resource-collection> <web-resource-name> Students Area </web-resource-name> <!-- Define the context-relative URL(s) to protect --> <url-pattern> /students/* </url-pattern> </web-resource-collection> <auth-constraint> <role-name> student </role-name> <role-name> admin </role-name> </auth-constraint> </security-constraint> 9 UB CSE 510 Web Data Engineering

  10. Security Constraints (cont’d) <security-constraint> <web-resource-collection> <web-resource-name> Admin Area </web-resource-name> <!-- Define the context-relative URL(s) to protect --> <url-pattern> /admins/* </url-pattern> </web-resource-collection> <auth-constraint> <role-name> admin </role-name> </auth-constraint> </security-constraint> 10 UB CSE 510 Web Data Engineering

  11. tomcat-users.xml <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename=" student "/> <role rolename=" admin "/> <user username="john" password="john" roles=" student "/> <user username="ted" password="ted" roles=" student "/> <user username="yvette" password="yvette" roles=" admin "/> </tomcat-users> 11 UB CSE 510 Web Data Engineering

  12. Login Configuration web.xml <!-- Login configuration uses form-based authentication --> <login-config> <auth-method> FORM </auth-method> <realm-name> Admissions Form-Based Authentication Area </realm-name> <form-login-config> <form-login-page> /login.jsp </form-login-page> <form-error-page> /loginerror.jsp </form-error-page> </form-login-config> </login-config> 12 UB CSE 510 Web Data Engineering

  13. login.jsp <form method="POST" action=" j_security_check "> Username: <input size="12" name=" j_username " type="text"/><br /> Password: <input size="12" name=" j_password " type="password"/><br /> <input type="submit" value="Login"/> </form> 13 UB CSE 510 Web Data Engineering

  14. Access Authentication Info • getRemoteUser() • getAuthType() • isUserInRole() • getUserPrincipal() – Principal is an object to identify user User Principal: <%= request.getUserPrincipal().getName() %> Username: <%= request.getRemoteUser() %> Authenticatin Method: <%= request.getAuthType() %> <% if( request.isUserInRole("admin") ) { %> You are in <i>admin</i> role<br/> <% } %> 14 UB CSE 510 Web Data Engineering

  15. Declarative Authorization • Accessing protected pages is the only way to invoke the login page • If you try to access protected page A: – Login page will pop up – After you login successfully, you will be directed to page A • However, if you go to login page directly, after you login, which page you are directed to? – Tomcat doesn’t know and there is no way to specify! 15 UB CSE 510 Web Data Engineering

  16. Dynamic DB-Driven Access Control • tomcat-users.xml is a kind of Security Realm , that is, a provider of user credentials • JDBCRealm : User credentials are stored in a relational database, accessed via JDBC • DataSourceRealm : User credentials are stored in a JNDI named JDBC DataSource – no need to specify connection details again • JNDIRealm : User credentials are stored in a directory server, accessed via JNDI 16 UB CSE 510 Web Data Engineering

  17. DataSourceRealm META-INF/config.xml <Realm className="org.apache.catalina.realm.DataSourceRealm" debug="99" dataSourceName="jdbc/ClassesDBPool" localDataSource="true" users userTable="users" username password userNameCol="username" john john userCredCol="password" ted ted userRoleTable="userroles" yvette yvette roleNameCol="role" digest="MD5"/> userroles username role john student ted student yvette admin 17 UB CSE 510 Web Data Engineering

  18. Scope of Realm • If you place declaration in context.xml, that is, at Context Level , then realm applies only to the enclosing app • If you place declaration in server.xml, at Engine Level , then realm applies to all apps 18 UB CSE 510 Web Data Engineering

  19. Hiding Passwords // Assume pwd has password, user has user name and // con is connection to database of DataSourceRealm used for security String encMD5Pwd = org.apache.catalina.realm. RealmBase.Digest(pwd, "MD5") ; // returns MD5 encoding, which you insert in DB PreparedStatement makeNewUser = con.prepareStatement( "INSERT INTO users(username, password) VALUES(?, ?)" ); makeNewUser.setString(1, user); makeNewUser.setString(2, encMD5Pwd); makeNewUser.execute(); 19 UB CSE 510 Web Data Engineering

  20. Hiding Passwords - Alternative // Assume pwd has password, user has user name and con is a // connection to a MySQL DB of DataSourceRealm used for security // use MySQL’s MD5 function PreparedStatement makeNewUser = con.prepareStatement( "INSERT INTO users(username, password) VALUES (?, MD5( ? ) )" ); makeNewUser.setString(1, user); makeNewUser.setString(2, pwd); makeNewUser.execute(); 20 UB CSE 510 Web Data Engineering

  21. Enabling Secure Sockets Layers (SSL) 1. Generate Certificate – Web server’s assurance to the web client 2. Configure Tomcat 3. Configure Web Application 21 UB CSE 510 Web Data Engineering

  22. Generate Certificate • Create a certificate keystore by executing the following command: • Windows: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA • Unix: $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA • This command will create a new file, in the home directory of the user under which you run it, named .keystore 22 UB CSE 510 Web Data Engineering

  23. Configure Tomcat • Uncomment the SSL HTTP/1.1 Connector entry in <TOMCAT_HOME>/conf/ server.xml <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150” scheme="https" secure="true” keystoreFile="${user.home}/.keystore” keystorePass="changeit" clientAuth="false" sslProtocol="TLS" /> 23 UB CSE 510 Web Data Engineering

  24. Configure Web Application web.xml <!-- Force SSL on all application pages --> <security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern> /* </url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee> CONFIDENTIAL </transport-guarantee> </user-data-constraint> </security-constraint> 24 UB CSE 510 Web Data Engineering

Recommend

CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java

CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java

CSE 510 Web Data Engineering Java Server Pages (JSPs) UB CSE 510 Web Data Engineering Java Server Pages: Embedding Java Code in Static Content 2 UB CSE 510 Web Data Engineering Why JSPs? Need to separate the business logic

443 views • 31 slides
CSE 510 Web Data Engineering Java Servlets UB CSE 510 Web Data Engineering Install and Check

CSE 510 Web Data Engineering Java Servlets UB CSE 510 Web Data Engineering Install and Check

CSE 510 Web Data Engineering Java Servlets UB CSE 510 Web Data Engineering Install and Check Tomcat 2 UB CSE 510 Web Data Engineering Installing Tomcat Install stable production release We will be using Apache Tomcat version 6.0.20

520 views • 33 slides
CSE 510 Web Data Engineering Data Access Object (DAO) Java Design Pattern UB CSE 510 Web Data

CSE 510 Web Data Engineering Data Access Object (DAO) Java Design Pattern UB CSE 510 Web Data

CSE 510 Web Data Engineering Data Access Object (DAO) Java Design Pattern UB CSE 510 Web Data Engineering Data Access Object (DAO) Java Design Pattern A Data Access Object (DAO) is a bean encapsulating database access code Completely

561 views • 18 slides
CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering Web Programming Paradigms So far we have seen server-side programming Next Enrich user experience, interactivity with client- side

767 views • 24 slides
CSE 510 Web Data Engineering SQL UB CSE 510 Web Data Engineering Applications View of a

CSE 510 Web Data Engineering SQL UB CSE 510 Web Data Engineering Applications View of a

CSE 510 Web Data Engineering SQL UB CSE 510 Web Data Engineering Applications View of a Relational Database Management System (RDBMS) Application Persistent data structure Large volume of data RDBMS Client Independent

583 views • 18 slides
CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean?

CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean?

CSE 510 Web Data Engineering Java Beans UB CSE 510 Web Data Engineering What is a Java Bean? Simply a class wrapping some data and meets certain restrictions Three components: Default constructor (no arguments) Private

281 views • 11 slides
CSE 510 Web Data Engineering Tag Libraries UB CSE 510 Web Data Engineering Tag Libraries

CSE 510 Web Data Engineering Tag Libraries UB CSE 510 Web Data Engineering Tag Libraries

CSE 510 Web Data Engineering Tag Libraries UB CSE 510 Web Data Engineering Tag Libraries Collections of custom JSP tags Hide Java from JSPs Java classes in special format Methods invoked with XML tags Often looking like

175 views • 16 slides
CSE 510 Web Data Engineering Introduction UB CSE 510 Web Data Engineering Staff Instructor:

CSE 510 Web Data Engineering Introduction UB CSE 510 Web Data Engineering Staff Instructor:

CSE 510 Web Data Engineering Introduction UB CSE 510 Web Data Engineering Staff Instructor: Dr. Michalis Petropoulos Office Hours: Mon &amp; Wed @ 1-2pm Location: 210 Bell Hall TA: Demian Lessa Office Hours: Fri @ 1-3pm Location:

201 views • 19 slides
CSE 510 Web Data Engineering Client-Side Programming Ajax UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming Ajax UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming Ajax UB CSE 510 Web Data Engineering Interactive Applications Using Ajax Ajax is a set of technologies that collectively enable interactive applications Hallmark: Part of a page

817 views • 19 slides
CSE 510 Web Data Engineering Database Design UB CSE 510 Web Data Engineering How to Design a

CSE 510 Web Data Engineering Database Design UB CSE 510 Web Data Engineering How to Design a

CSE 510 Web Data Engineering Database Design UB CSE 510 Web Data Engineering How to Design a Database and Avoid Bad Decisions With experience Learn in CSE462 normalization rules of database design Think entities and

177 views • 14 slides
CSE 510 Web Data Engineering The Struts Framework Logon Example UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering The Struts Framework Logon Example UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering The Struts Framework Logon Example UB CSE 510 Web Data Engineering Example The example implements a dummy logon functionality Do not consider this example to be the best way to implement authorization and

530 views • 21 slides
CSE 510 Web Data Engineering HTML Forms and Hyperlinks UB CSE 510 Web Data Engineering Drop

CSE 510 Web Data Engineering HTML Forms and Hyperlinks UB CSE 510 Web Data Engineering Drop

CSE 510 Web Data Engineering HTML Forms and Hyperlinks UB CSE 510 Web Data Engineering Drop Down Menus &amp; Presetting &lt;html&gt; &lt;head&gt;&lt;title&gt; Multiplier with Drop Down Menu &lt;/title&gt;&lt;/head&gt; &lt;body&gt; &lt;form

243 views • 8 slides
CSE 510 Web Data Engineering The Struts 2 Framework UB CSE 510 Web Data Engineering Whats

CSE 510 Web Data Engineering The Struts 2 Framework UB CSE 510 Web Data Engineering Whats

CSE 510 Web Data Engineering The Struts 2 Framework UB CSE 510 Web Data Engineering Whats The Difference? A new framework that implements the MVC It is said to be simpler for development Features: Action : implements an Action

401 views • 14 slides
CSE 510 Web Data Engineering Connection Pool UB CSE 510 Web Data Engineering Handling Database

CSE 510 Web Data Engineering Connection Pool UB CSE 510 Web Data Engineering Handling Database

CSE 510 Web Data Engineering Connection Pool UB CSE 510 Web Data Engineering Handling Database Connections Within a JSP: Opening a connection for every HTTP request penalizes the DB server (in terms of resources) and the client (in terms

623 views • 10 slides
CSE 510 Web Data Engineering The MVC Design Pattern &amp; The Struts Framework UB CSE 510 Web

CSE 510 Web Data Engineering The MVC Design Pattern &amp; The Struts Framework UB CSE 510 Web

CSE 510 Web Data Engineering The MVC Design Pattern &amp; The Struts Framework UB CSE 510 Web Data Engineering Previous Attempts: Model 1 Design Pattern for every JSP page p for every type of request r to p insert in p code to implement the

220 views • 18 slides
CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We

CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We

CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We Speak UB CSE 510 Web Data Engineering XML-based Model 2 (MVC) Architecture of Today View: XSLT-based presentation XML/XML Schema-defined

438 views • 28 slides
DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs,

DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs,

DTTF/NB479: Dszquphsbqiz Day 27 Announcements: Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Birthday attacks Hash Functions Message m Message digest, y (long) Cryptographic hash

648 views • 12 slides
ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long

ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long

Improved Cryptanalysis of Reduced RIPEMD-160 Florian Mendel, Thomas Peyrin, Martin Schlffer, Lei Wang, and Shuang Wu ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long messages Output: short random

846 views • 50 slides
Open-World Probabilistic Databases Guy Van den Broeck FLAIRS May 23, 2017 Overview 1. Why

Open-World Probabilistic Databases Guy Van den Broeck FLAIRS May 23, 2017 Overview 1. Why

Open-World Probabilistic Databases Guy Van den Broeck FLAIRS May 23, 2017 Overview 1. Why probabilistic databases? 2. How probabilistic query evaluation? 3. Why open world? 4. How open-world query evaluation? 5. What is the broader picture? Why

867 views • 51 slides
Open-World Probabilistic Databases Guy Van den Broeck GCAI Oct 21, 2017 Overview 1. Why

Open-World Probabilistic Databases Guy Van den Broeck GCAI Oct 21, 2017 Overview 1. Why

Open-World Probabilistic Databases Guy Van den Broeck GCAI Oct 21, 2017 Overview 1. Why probabilistic databases? 2. How probabilistic query evaluation? 3. Why open world? 4. How open-world query evaluation? 5. What is the broader picture?

2.03k views • 175 slides
TO Y PROGRAMMING Demo of a repository for statically compiled programs 2016 US LLVM

TO Y PROGRAMMING Demo of a repository for statically compiled programs 2016 US LLVM

PUBLIC Sony Interactive Entertainment TO Y PROGRAMMING Demo of a repository for statically compiled programs 2016 US LLVM Developers Meeting Paul Bowen-Huggett paul.huggett@sony.com Agenda Background RFC Is the idea generally

512 views • 17 slides
IT452 Advanced Web and Internet Systems Set 6: Web Servers (operation, configuration, and

IT452 Advanced Web and Internet Systems Set 6: Web Servers (operation, configuration, and

IT452 Advanced Web and Internet Systems Set 6: Web Servers (operation, configuration, and security) (Chapters 16 and 18) Key Questions Popular web servers? What does a web server do? How can I control it? URL re-writing /

328 views • 7 slides
CSCI 4250/6250 Fall 2013 Computer and Networks Security INTRODUCTION TO CRYPTO CHAPTER 8

CSCI 4250/6250 Fall 2013 Computer and Networks Security INTRODUCTION TO CRYPTO CHAPTER 8

CSCI 4250/6250 Fall 2013 Computer and Networks Security INTRODUCTION TO CRYPTO CHAPTER 8 (Goodrich) CHAPTER 2-6 (Kaufman) CHAPTER 8 (Kurose) Slides adapted from Kurose et al., Goodrich et al., and Kaufman et al. Message Integrity

718 views • 36 slides
How To Make Your Commit Seen? Marta Rybczyska Akademy 2012, Tallin Commit message? What for?

How To Make Your Commit Seen? Marta Rybczyska Akademy 2012, Tallin Commit message? What for?

How To Make Your Commit Seen? Marta Rybczyska Akademy 2012, Tallin Commit message? What for? KDE Commit Digest Collaborative Effort http://commit-digest.org Open Source base: Enzyme http://enzyme-project.org/ Review Classification

310 views • 29 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.