ch. 12 security

Post on 06-Jul-2015


Chapter 12: Security

Basic point: every application on the Web can

• be compromised

• be protected to a large degree, at a corresponding cost

• there is no complete solution, only good practices

Ways of being compromised

• technical

• psychological (social engineering)

The bad guys: Impersonators, Upgraders & Eavesdroppers

Can be dealt with by

• authentication: are you who you say you are? (impersonators)

• authorization: what are you allowed to …? (upgraders)

• confidentiality and data integrity: who sees or tampers with …? (eavesdroppers)

Authentication

Authentication & Authorization in detail

Two (and a half) basic types

• Declarative

• Programmatic

• Informative

Keep security out of the code

• Component-based

• Ever evolving

• Several levels

• …

Secure your code

• Declaratively, in the DD

• The DD is the interface between servlet authors, app administrators and app deployers

Concentrate on Authentication

• Container-specific table (a realm) containing usernames, passwords & roles

• LDAP

Realm: tomcat-users.xml
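The realm file as Tomcat's default MemoryRealm/UserDatabaseRealm reads it. This is an added example, not a file from the slides; the usernames, passwords and role names are made up, and the role strings are the ones a deployment descriptor would have to repeat in its <security-role> elements.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/tomcat-users.xml: added example, not from the slides. Usernames,
     passwords and roles below are made up. -->
<tomcat-users>
  <!-- Roles are container-side names; the DD's <security-role> elements
       must use exactly the same strings. -->
  <role rolename="Admin"/>
  <role rolename="Member"/>
  <role rolename="Guest"/>

  <!-- One user may hold several roles (comma-separated). -->
  <user username="Annie" password="a-strong-admin-secret"  roles="Admin,Member,Guest"/>
  <user username="Diane" password="another-long-passphrase" roles="Member,Guest"/>
  <user username="Ted"   password="yet-another-passphrase"  roles="Guest"/>

  <!-- Caveat: as written this file stores passwords in plaintext, so anyone
       who can read conf/ holds every credential. Restrict its permissions,
       store digested passwords instead (the Realm's digest setting on older
       Tomcat, a CredentialHandler on Tomcat 8+), or back the realm with LDAP
       for anything beyond a classroom deployment. -->
</tomcat-users>
```

The realm only answers "who is this user and which roles do they hold"; which roles may reach which URL is decided in the DD, so the two files must agree on the role names.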

In the DD

• Define roles (<security-role>)

• Define resource/method constraints (<security-constraint>)

• You really need to be careful: a constraint only covers the URL patterns and HTTP methods it names

Big picture

• Multiple <security-constraint> elements may cover the same resource and method

• Truth table (union): the allowed roles are the union of those named; an empty <auth-constraint/> in any of them denies everyone; a constraint with no <auth-constraint> at all grants everyone access
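The combination rules worked through in a deployment descriptor. This is an added example, not from the slides; the URL patterns, role names and realm name are made up, and the outcomes stated in the comments follow the Servlet specification's rules for combining constraints (union of roles, empty <auth-constraint/> wins, missing <auth-constraint> opens the resource).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: added example, not from the slides. URLs and role names
     are made up; the outcomes in the comments are the Servlet spec's rules. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Roles: every <role-name> used below must be declared here. The realm
       (e.g. tomcat-users.xml) maps users to these names. -->
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Member</role-name></security-role>
  <security-role><role-name>Guest</role-name></security-role>

  <!-- Constraint 1: GET and POST on /Beer/AddRecipe/* require Admin. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Recipes</web-resource-name>
      <url-pattern>/Beer/AddRecipe/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>

  <!-- Constraint 2: same URL, POST only, names Member.
       Rule 1 (union): POST is now allowed for Admin OR Member;
       GET is still Admin-only because only constraint 1 names GET. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Recipes</web-resource-name>
      <url-pattern>/Beer/AddRecipe/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Member</role-name></auth-constraint>
  </security-constraint>

  <!-- Constraint 3: empty <auth-constraint/> on DELETE.
       Rule 2: an empty auth-constraint overrides everything else for that
       resource/method, so nobody, not even Admin, may DELETE here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Recipes</web-resource-name>
      <url-pattern>/Beer/AddRecipe/*</url-pattern>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Constraints 4 and 5: GET on /Beer/List/*. One names Guest, the other
       has no <auth-constraint> element at all.
       Rule 3: the missing auth-constraint overrides the role list: GET is public. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Listing</web-resource-name>
      <url-pattern>/Beer/List/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Guest</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Listing</web-resource-name>
      <url-pattern>/Beer/List/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- The "be careful" part: methods not named in any constraint for a URL
       (here PUT, HEAD, OPTIONS, TRACE on /Beer/AddRecipe/*) are not constrained
       at all. Omit <http-method> entirely to cover every method, or on a
       Servlet 3.1+ container add <deny-uncovered-http-methods/> to <web-app>. -->

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Beer App</realm-name>
  </login-config>
</web-app>
```

When auditing a descriptor, build the table per (URL pattern, HTTP method) rather than per constraint: that is the granularity at which the container resolves the union, and it is where the uncovered methods show up.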

Programmatic Security

J2EE Container Authentication types

• Basic (credentials Base64-encoded, not encrypted)

• Digest (password sent as a hash, not in the clear)

• Client-cert (mainly for B2B)

• Form (custom login page; credentials in the clear unless sent over HTTPS)

Authentication Summary

Data Protection

Protect requested data

• Tell the browser to use HTTPS (<transport-guarantee>CONFIDENTIAL</transport-guarantee> in the DD)
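A descriptor tying the last three slides together: a <security-role-ref> for a programmatic isUserInRole() check, a <login-config> that selects the FORM authentication type, and a <user-data-constraint> that forces HTTPS. This is an added example, not from the slides; the servlet class, page names, URL pattern and role names are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: added example, not from the slides. Servlet class,
     page names, URL pattern and roles are hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Member</role-name></security-role>

  <servlet>
    <servlet-name>RecipeServlet</servlet-name>
    <servlet-class>com.example.beer.RecipeServlet</servlet-class>
    <!-- Programmatic security: the servlet code calls
         request.isUserInRole("Manager"). The DD maps that hard-coded name onto
         the deployer's real role, so the code stays untouched per deployment. -->
    <security-role-ref>
      <role-name>Manager</role-name>
      <role-link>Admin</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>RecipeServlet</servlet-name>
    <url-pattern>/Beer/Recipe/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Recipes</web-resource-name>
      <url-pattern>/Beer/Recipe/*</url-pattern>
      <!-- no <http-method> element: every method is covered -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Member</role-name>
    </auth-constraint>
    <!-- Data protection against eavesdroppers: CONFIDENTIAL makes the container
         redirect plain-HTTP requests to HTTPS before it authenticates, so the
         login form's POST below never travels in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM authentication: the container serves /login.html, whose form must
       POST to j_security_check with fields j_username and j_password. Swapping
       in BASIC, DIGEST or CLIENT-CERT here requires no servlet code change. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Beer App</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

The CONFIDENTIAL guarantee only works if the container actually has an HTTPS connector to redirect to (in Tomcat, the HTTP connector's redirectPort must point at it); without one the container cannot honour the constraint and refuses the request instead of silently serving it over plaintext.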
