{"id":14899,"date":"2016-04-01T13:12:37","date_gmt":"2016-04-01T13:12:37","guid":{"rendered":"https:\/\/www.whizlabs.com\/?p=14899"},"modified":"2020-08-31T12:21:03","modified_gmt":"2020-08-31T12:21:03","slug":"web-application-security","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/web-application-security\/","title":{"rendered":"Web Application Security"},"content":{"rendered":"<p><span lang=\"EN-US\">Securing web applications in Java involves the very same core security concepts that are known to every InfoSec professional. These concepts, and an understanding of the different authentication mechanisms for the \u2018Web component developer\u2019 exam, form the basis of this post. This post assumes knowledge of servlets, deployment descriptors and the servlet life cycle.<\/span><\/p>\n<h2><span lang=\"EN-US\">The four security mechanisms:<\/span><\/h2>\n<p><span lang=\"EN-US\">There are four basic security mechanisms that come into play when securing web applications. They are authentication, authorization, confidentiality and data integrity.<\/span><\/p>\n<p><span lang=\"EN-US\">Authentication is verifying who you really are. Specifying a name and password is one form of enforcing authentication.<\/span><\/p>\n<p><span lang=\"EN-US\">Authorization is giving individuals specific access to resources based on their roles. For example, in any banking hierarchy, the manager might be able to access more information than the tellers and other employees.<\/span><\/p>\n<p><span lang=\"EN-US\">Confidentiality is making sure that the information that is being transmitted by the sender is received only by the receiver. It should not be viewed by external parties in transit.<\/span><\/p>\n<p><span lang=\"EN-US\">Along similar lines, data integrity is making sure that the information that is transmitted is not tampered with in any way in transit. 
<\/span><\/p>\n<p><span lang=\"EN-US\">Having seen the four basic security mechanisms, let us see how they are enforced when working with web applications.<\/span><\/p>\n<h2><span lang=\"EN-US\">Authentication:<\/span><\/h2>\n<h3><span lang=\"EN-US\">a. <\/span><span lang=\"EN-US\">\u2018BASIC\u2019 authentication:<\/span><\/h3>\n<p>The &lt;login-config&gt; element is used to specify authentication declaratively in the deployment descriptor (web.xml) in the following way:<\/p>\n<p><i><span lang=\"EN-US\">&lt;login-config&gt;<\/span><\/i><\/p>\n<p><i><span lang=\"EN-US\">\u00a0\u00a0\u00a0\u00a0&lt;auth-method&gt;BASIC&lt;\/auth-method&gt;<\/span><\/i><\/p>\n<p><i><span lang=\"EN-US\">&lt;\/login-config&gt;<\/span><\/i><\/p>\n<p><span lang=\"EN-US\">The &lt;auth-method&gt; can take BASIC, DIGEST, FORM or CLIENT-CERT as its value. The BASIC form of authentication uses the browser\u2019s pop-up window for entering the username and password. This is a screenshot of the BASIC form of authentication:<\/span><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part1.jpg\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part1.jpg\" alt=\"Article37-Part1\" width=\"1366\" height=\"768\" class=\"aligncenter size-full wp-image-14922\" \/><\/a><\/p>\n<p><span lang=\"EN-US\">The web.xml or deployment descriptor for the \u2018BASIC\u2019 form of authentication can be written as follows:<\/span><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part2.jpg\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part2.jpg\" alt=\"Article37-Part2\" width=\"653\" height=\"997\" class=\"aligncenter size-full wp-image-14923\" \/><\/a><\/p>\n<p><span lang=\"EN-US\">These are some 
key points regarding the BASIC form of authentication:<\/span><\/p>\n<ol>\n<li><span lang=\"EN-US\">It is the least secure form of authenticating a user since the username and password are both transmitted in an unencrypted way.<\/span><\/li>\n<li><span lang=\"EN-US\">The BASIC form of authentication is easy to implement but is browser dependent for providing the \u2018username\u2019 and \u2018password\u2019 dialog boxes.<\/span><\/li>\n<li><span lang=\"EN-US\">There can be only one &lt;login-config&gt; element in the deployment descriptor.<\/span><\/li>\n<\/ol>\n<p><span lang=\"EN-US\">The servlet for the above web.xml can be written appropriately. The \u2018username\u2019 and \u2018password\u2019 have to be configured accordingly in the application server. Once the username and password are authenticated, users will be given access to the servlet based on their roles.<\/span><\/p>\n<h3><span lang=\"EN-US\">b. <\/span><span lang=\"EN-US\">The FORM based authentication:<\/span><\/h3>\n<p><span lang=\"EN-US\">FORM based authentication is another type of authentication that is again not very secure, but it is integrated with the rest of the website. It can be implemented in the following way in the deployment descriptor:<\/span><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part3.png\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part3.png\" alt=\"Article37-Part3\" width=\"577\" height=\"320\" class=\"aligncenter size-full wp-image-14924\" \/><\/a><\/p>\n<p><span lang=\"EN-US\">\u2018login.html\u2019 and \u2018error.html\u2019 are two other files that have to be configured when working with FORM based authentication. 
<\/span><\/p>\n<p><span lang=\"EN-US\">The contents of login.html and error.html are as follows:<\/span><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part4.png\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part4.png\" alt=\"Article37-Part4\" width=\"472\" height=\"321\" class=\"aligncenter size-full wp-image-14925\" \/><\/a><\/p>\n<p><span lang=\"EN-US\">This will be the output of the web.xml with the appropriate servlet being specified.<\/span><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part5.jpg\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part5.jpg\" alt=\"Article37-Part5\" width=\"1366\" height=\"768\" class=\"aligncenter size-full wp-image-14926\" \/><\/a><\/p>\n<p><span lang=\"EN-US\">It should be noted that <b>j_security_check, j_username and j_password<\/b> are mandatory names that have to be used when working with FORM based authentication, because the container requires them.<\/span><\/p>\n<p>Similarly, error.html is specified as follows:<\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part6.png\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part6.png\" alt=\"Article37-Part6\" width=\"366\" height=\"186\" class=\"  wp-image-14927 alignleft\" \/><\/a><\/p>\n<p><span lang=\"EN-US\">If the name and password do not match or if an error arises, the error.html is called. 
This will be the output of error.html.<\/span><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part7.jpg\"><img decoding=\"async\" src=\"https:\/\/www.whizlabs.com\/wp-content\/uploads\/2016\/04\/Article37-Part7.jpg\" alt=\"Article37-Part7\" width=\"1366\" height=\"768\" class=\"aligncenter size-full wp-image-14928\" \/><\/a><\/p>\n<p><span lang=\"EN-US\">CLIENT-CERT and DIGEST are other values that can be specified for &lt;auth-method&gt;.<\/span><\/p>\n<p><span lang=\"EN-US\">We will explore more about the other security mechanisms in subsequent posts.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing web applications in Java involves the very same core security concepts that are known to every InfoSec professional. These concepts and understanding the different authentication mechanisms for the \u2018Web component developer\u2019 exam forms the basis of this post. This post assumes knowledge of servlets, deployment descriptors and the servlet life cycle. The four security mechanisms: There are four basic security mechanisms that come into play when securing web applications. They are authentication, authorization, confidentiality and data integrity. Authentication is verifying who you really are. Specifying a name and password is one form of enforcing authentication. 
Authorization is giving individuals [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[17],"tags":[1594],"class_list":["post-14899","post","type-post","status-publish","format-standard","hentry","category-news-updates","tag-web-application-security"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"profile_24":false,"profile_48":false,"profile_96":false,"profile_150":false,"profile_300":false,"tptn_thumbnail":false,"web-stories-poster-portrait":false,"web-stories-publisher-logo":false,"web-stories-thumbnail":false},"uagb_author_info":{"display_name":"Pavan Gumaste","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/pavan\/"},"uagb_comment_info":1,"uagb_excerpt":"Securing web applications in Java involves the very same core security 
concepts that are known to every InfoSec professional. These concepts and understanding the different authentication mechanisms for the \u2018Web component developer\u2019 exam forms the basis of this post. This post assumes knowledge of servlets, deployment descriptors and the servlet life cycle. The four security&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/14899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=14899"}],"version-history":[{"count":1,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/14899\/revisions"}],"predecessor-version":[{"id":75863,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/14899\/revisions\/75863"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=14899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=14899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=14899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}