ch. 12 security
Post on 06-Jul-2015
Chapter 12: Security
Basic point: every web application can be
• Compromised
• Protected to a large extent
• At a corresponding cost
• There is no single solution
• Only good practices
Ways of being compromised
• Technical
• Psychological
The bad guys: Impersonators, Upgraders & Eavesdroppers
Can be bested with
• authentication: are you who you say you are?
• authorization: what are you allowed to …?
• confidentiality, data integrity: who sees or messes with …?
Authentication
Authentication & Authorization in detail
Two (and a half) basic types
• Declarative
• Programmatic
• Informative
Keep security out of the code
• Component-based
• Ever evolving
• Several levels
• …
Secure your code
• Declaratively in the DD
• Interfacing between
• Servlet authors
• App administrators
• App deployers
Concentrate on Authentication
• Container-specific table containing
• Usernames, passwords & roles
• LDAP
Realm: tomcat-users.xml
In the DD
Defines roles
Defines resource/method constraints
You really need to be careful
Big picture
Multiple <security-constraint> elements
Truth table (Union)
Programmatic Security
J2EE Container Authentication types
• Basic
• Digest (encoded)
• Client-cert (mainly for B2B)
• Form (custom, but not encrypted)
Authentication Summary
Data Protection
Protect Requested Data
• Tell browser to use HTTPS
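An added example, not taken from the slides, that ties together the DD items above: the roles, two <security-constraint> elements on the same resource (showing the union rule from the truth table), the transport-guarantee that makes the container insist on HTTPS, the BASIC login-config, and the matching container-specific realm in tomcat-users.xml. Role names, URL patterns, user names and the password placeholder are constructed for illustration.

```xml
<!-- web.xml fragment: declarative security in the deployment descriptor -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Roles the app refers to; the container realm maps users onto them -->
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Member</role-name></security-role>

  <!-- Constraint 1: POST to /admin/* needs the Admin role.
       Listing <http-method> constrains ONLY that method; GET stays open. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminArea</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
    <!-- Tell the browser to use HTTPS: the container redirects to its secure port -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Constraint 2: same resource and method, different role.
       Union rule: POST /admin/* is now allowed for Admin OR Member.
       Two cases override the union: an empty <auth-constraint/> in any
       matching constraint denies everyone; a matching constraint with no
       <auth-constraint> at all lets everyone in, unauthenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminAreaMembers</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Member</role-name></auth-constraint>
  </security-constraint>

  <!-- BASIC sends the password only base64-encoded, hence CONFIDENTIAL above;
       the other values are DIGEST, CLIENT-CERT and FORM -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Chapter12Realm</realm-name>
  </login-config>
</web-app>
<!-- conf/tomcat-users.xml: the container-specific realm (constructed user) -->
<tomcat-users>
  <role rolename="Admin"/>
  <role rolename="Member"/>
  <user username="alice" password="CHANGEME-placeholder" roles="Admin,Member"/>
</tomcat-users>
```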