{"id":15243,"date":"2016-06-01T11:49:53","date_gmt":"2016-06-01T11:49:53","guid":{"rendered":"https:\/\/www.whizlabs.com\/?p=15243"},"modified":"2020-08-31T12:18:21","modified_gmt":"2020-08-31T12:18:21","slug":"web-application-security-ii","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/web-application-security-ii\/","title":{"rendered":"Web application Security \u2013 II"},"content":{"rendered":"

We have already seen a few basics of web application security in Java in an earlier post. We will continue this post by extending the same discussion. We will discuss the two remaining authentication mechanisms followed by authorization.<\/span><\/p>\n

CLIENT-CERT AUTHENTICATION<\/span><\/span>:<\/span><\/h3>\n

The CLIENT_CERT authentication method is yet another way of authenticating the user. Compared to the BASIC and FORM based authentication, this is the most secure form of authentication. <\/span><\/p>\n

\u00a0Here the server authenticates the user by checking their public key certificate. <\/i><\/b>The public key certificate is generated by an issuing authority such as the \u2018certificate authority\u2019 (CA) The CLIENT-CERT authentication uses HTTP over SSL which is a secure form communication between the client and server. If one is deciding to use CLIENT-CERT form of authentication it is necessary to ensure that the client has a public key certificate.<\/span><\/p>\n

It is specified in the deployment descriptor in the following way:<\/span><\/p>\n

<login-config><\/span><\/i><\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <auth-method>DIGEST<\/auth-method><\/span><\/i><\/b><\/span><\/p>\n

\u00a0\u00a0\u00a0 <\/login-config><\/span><\/i><\/span><\/span><\/p>\n

<\/span><\/p>\n

DIGEST AUTHENTICATION:<\/span><\/h3>\n

The \u2018Digest\u2019 form of authentication is similar to the BASIC form of authentication. The DIGEST form of authentication also uses the browser\u2019s pop-up window for entering the \u2018username\u2019 and \u2018password\u2019. \u00a0But unlike the \u2018BASIC\u2019 of authentication, the passwords are not transmitted in unencrypted format. A cryptographic hash of the password is sent by the client to the container thereby ensuring better security for the application.<\/span><\/p>\n

In the deployment descriptor, the \u2018DIGEST\u2019 form of authentication is specified the following way:<\/span><\/p>\n

\u00a0\u00a0\u00a0 <login-config><\/span><\/i><\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <auth-method>DIGEST<\/auth-method><\/span><\/i><\/b><\/span><\/p>\n

\u00a0\u00a0\u00a0 <\/login-config><\/span><\/i><\/span><\/span><\/p>\n

<\/span><\/p>\n

Having seen the various authentication mechanisms, we will next move to the authorization part of web security in Java.<\/span><\/p>\n

AUTHORIZATION:<\/span><\/h3>\n

Authentication is just a part of providing security for web applications. Authorization is the next stage, wherein users based on roles are allowed access to specific resources. Let us understand this by means of an example:<\/span><\/p>\n

In any business organization, it is the employee\u2019s hierarchy that allows them access to specific resources. In the banking sector, a \u2018teller<\/i><\/b>\u2019 might be allowed access to limited resources while the \u2018manager<\/i><\/b>\u2019 might be given access to more resources.<\/span><\/p>\n

\u2018Manager<\/i><\/b>\u2019 and \u2018teller<\/i><\/b>\u2019 are roles here. It does not matter who the \u2018manager<\/i><\/b>\u2019 is or who the \u2018teller<\/i><\/b>\u2019 is \u2013 it is just that their roles determine their access. <\/span><\/p>\n

This can be declaratively specified in the deployment descriptor by the following elements:<\/span><\/p>\n

    \n
  1. <\/span>Web resource collection specified by :
    \n<\/span><web-resource-collection> element<\/span><\/li>\n
  2. <\/span>Authorization constraint specified by
    \n<\/span><auth-constraint> element<\/span><\/li>\n<\/ol>\n

    Let us discuss the elements of authorization which are vital for web security.\u00a0<\/span><\/p>\n

    <\/span>Web resource collection:
    \n<\/span>The element <security-constraint> is used to represent the elements of authorization and confidentiality. We will first discuss the authorization requirements of the security constraint element.
    \nThe URLs which are meant to be protected and the HTTP methods which protect them are stated in the web resource collection. This is the syntax of the web resource collection:<\/p>\n

    <web-app><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0 <security-constraint><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0 <web-resource-collection><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0<web-resource-name> Hello <\/\u00a0 <web-resource-name><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <url-pattern> \/banking\/teller\/* <\/url-pattern><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/web-resource-collection><\/span><\/i><\/i><\/span><\/p>\n

    <\/security-constraint><\/span><\/i><\/i><\/span><\/p>\n

    <\/web-app> <\/span><\/i><\/span><\/p>\n

    \u00a0<\/span><\/span><\/i>The above code states that all resources within the \/banking\/teller directory are protected. It is also important to notice that in the above code that no HTTP methods are specified. When no HTTP methods are specified, all of them are protected from open access (or constrained) This ensures that all methods are protected to access the resources and is an ideal way to ensure web security.<\/p>\n

    On the other hand, specifying a HTTP method the following way ensures that only the particular method (POST, in this case) is constrained and the other methods are for open access.<\/p>\n

    <web-app><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0 <security-constraint><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0 <web-resource-collection><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0<web-resource-name> Hello <\/\u00a0 <web-resource-name><\/span><\/i><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <url-pattern> \/banking\/teller\/* <\/url-pattern><\/span><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <http-method> POST <\/http-method><\/i><\/span><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/web-resource-collection><\/span><\/i><\/i><\/span><\/p>\n

    <\/security-constraint><\/span><\/i><\/i><\/span><\/p>\n

    <\/web-app><\/span><\/i><\/span><\/p>\n

    The above code states that accessing the resources at \/banking\/teller is constrained only by the POST method. <\/span><\/p>\n

    \u00a0<\/span>We have extended our discussion of web application in Java by talking about authentication and authorization. We will continue this discussion in subsequent posts.<\/p>\n

     <\/p>\n","protected":false},"excerpt":{"rendered":"

    We have already seen a few basics of web application security in Java in an earlier post. We will continue this post by extending the same discussion. We will discuss the two remaining authentication mechanisms followed by authorization. CLIENT-CERT AUTHENTICATION: The CLIENT_CERT authentication method is yet another way of authenticating the user. Compared to the BASIC and FORM based authentication, this is the most secure form of authentication. \u00a0Here the server authenticates the user by checking their public key certificate. The public key certificate is generated by an issuing authority such as the \u2018certificate authority\u2019 (CA) The CLIENT-CERT authentication uses […]<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[17],"tags":[179,1594],"class_list":["post-15243","post","type-post","status-publish","format-standard","hentry","category-news-updates","tag-authentication","tag-web-application-security"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"profile_24":false,"profile_48":false,"profile_96":false,"profile_150":false,"profile_300":false,"tptn_thumbnail":false,"web-stories-poster-portrait":false,"web-stories-publisher-logo":false,"web-stories-thumbnail":false},"uagb_author_info":{"display_name":"Pavan Gumaste","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/pavan\/"},"uagb_comment_info":0,"uagb_excerpt":"We have already seen a few basics of web application security in Java in an earlier post. We will continue this post by extending the same discussion. We will discuss the two remaining authentication mechanisms followed by authorization. CLIENT-CERT AUTHENTICATION: The CLIENT_CERT authentication method is yet another way of authenticating the user. Compared to the…","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/15243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=15243"}],"version-history":[{"count":1,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/15243\/revisions"}],"predecessor-version":[{"id":75861,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/15243\/revisions\/75861"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=15243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=15243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=15243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}