{"id":15591,"date":"2016-07-19T11:00:03","date_gmt":"2016-07-19T11:00:03","guid":{"rendered":"https:\/\/www.whizlabs.com\/?p=15591"},"modified":"2020-08-31T12:17:41","modified_gmt":"2020-08-31T12:17:41","slug":"what-is-web-application-security-part-3","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/what-is-web-application-security-part-3\/","title":{"rendered":"What is Web application Security – Part 3"},"content":{"rendered":"

\u2018Web application security\u2019 is part of the \u2018Web component developer\u2019 exam and we have already seen two posts relating to it. Recall, that we have already discussed the four authentication methods and the web resource collection element which is part of the authorization. We conclude the discussion of \u2018Web application security\u2019 by talking about the authorization constraint and user data constraint in this post.<\/span><\/p>\n

The different authorization constraints:<\/span><\/h2>\n

Authorization is giving authenticated or unauthenticated roles access to restricted resources. Let us consider the first type of authorization constraint. <\/span><\/p>\n

    \n
  1. <\/span>Here, roles such as \u2018Super user\u2019 and \u2018Normal user\u2019 are allowed to access the resources at \u2018NewServlet\u2019 protected by the \u2018GET\u2019 method. For example, consider the code snippet given below:
    \n<\/span><\/span><servlet>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 <servlet-name>NewServlet<\/servlet-name>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 <servlet-class>NewServlet<\/servlet-class>
    \n<\/span><\/i>\u00a0 \u00a0 <\/servlet><\/span><\/i><servlet-mapping>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 <servlet-name>NewServlet<\/servlet-name>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 <url-pattern>\/NewServlet<\/url-pattern>
    \n<\/span><\/i>\u00a0 \u00a0 <\/servlet-mapping><\/span><\/i><\/p>\n

    \u00a0\u00a0\u00a0 <security-constraint>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 <web-resource-collection>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <web-resource-name> Application <\/web-resource-name>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <url-pattern> \/NewServlet <\/url-pattern>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <http-method> GET <\/http-method>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 <\/web-resource-collection><\/span><\/i><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <auth-constraint>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <role-name> Super User <\/role-name>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <role-name> Normal\u00a0 User <\/role-name>
    \n<\/span><\/i><\/span>\u00a0 \u00a0 \u00a0 \u00a0 <\/auth-constraint><\/span>
    \n<\/span><\/i>\u00a0<\/security-constraint><\/span><\/i><\/li>\n

  2. The second type of authorization constraint is stated as follows:
    \n<\/span><\/span><auth-constraint>
    \n<\/span>\u00a0 \u00a0 \u00a0 <role-name> * <\/role-name>
    \n<\/strong><\/span>\u00a0 <\/auth-constraint>Specifying <\/span><role-name> * <\/role-name><\/b><\/span> involves giving all roles access to specified resources. It is important to note here that \u2018all roles\u2019 means users who have been authenticated. <\/b>It is specified in the deployment descriptor in the above way.<\/span><\/li>\n
  3. The third type of authorization constraint where an authorization constraint is specified, but no roles are specified, indicates that none of the roles are allowed access to constrained resources. This is stated as follows:
    \n<\/span><\/span><security-constraint>
    \n<\/span>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <auth-constraint\/><\/span>
    \n<\/span><\/b>\u00a0 \u00a0 <\/security-constraint><\/li>\n
  4. Not specifying a \u2018<auth-constraint>\u2019 element is the fourth type of authorization constraint.\u00a0 This states that all users in all roles are given access to resources whether they are authenticated or not.
    \n<\/span>Having seen the different authorization constraints, let us see what will happen if two different security constraints are specified in a program.\u00a0\u00a0 <security-constraint><\/i><\/span><\/i><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0 <web-resource-collection>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <web-resource-name> Listener <\/\u00a0 <web-resource-name>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<url-pattern> \/chapter01\/Listener\/* <\/url-pattern>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<http-method> GET <\/http-method>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 <\/web-resource-collection><\/span><\/i><\/p>\n

    <auth-constraint>
    \n<\/span><\/i>\u00a0 \u00a0 <role-name> Super User <\/role-name>
    \n<\/span><\/i>\u00a0 \u00a0 <role-name> Normal\u00a0 User <\/role-name>
    \n<\/span><\/i><\/auth-constraint><\/span><\/i><\/span><\/p>\n

    <\/security-constraint>
    \n<\/span><\/i><security-constraint><\/span><\/i><\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0 <web-resource-collection>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <web-resource-name> Listener <\/\u00a0 <web-resource-name>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <url-pattern> \/chapter01\/Listener\/* <\/url-pattern>
    \n<\/span><\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<http-method> GET <\/http-method>
    \n<\/span><\/i>\u00a0<\/web-resource-collection><\/span><\/i><\/p>\n

    <auth-constraint>
    \n<\/span><\/i>\u00a0 \u00a0 <role-name> * <\/role-name>
    \n<\/span><\/i><\/auth-constraint><\/span><\/i><\/span><\/p>\n

    <\/security-constraint>
    \n<\/span><\/i><\/web-app><\/span><\/i><\/p>\n

    The first <auth-constraint> specifies two roles<\/b> to access the \u2018\/chapter01\/Listener\u2019 resource and the second <auth-constraint> specifies that all roles are given access to the same resource<\/b>. In such a case, it is the amalgamation of roles that are given access.<\/li>\n<\/ol>\n

    User data constraint:<\/h2>\n

    We have seen how authentication and authorization are implemented to manage web security. Next we see the user data constraint element that is used to implement the security mechanisms of \u2018confidentiality\u2019 and \u2018data integrity\u2019.<\/p>\n

    \u2018Confidentiality\u2019 is making sure that the information that is sent from the sender to the receiver is only received by the receiver and not by other external parties. \u2019Data integrity\u2019 is making sure that the information is not tampered in transit.<\/p>\n

    The user data constraint is specified as follows:<\/p>\n

    <user-data-constraint>
    \n<\/i>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<transport-guarantee> INTEGRAL <\/transport-guarantee>
    \n<\/i>\u00a0 <\/user-data-constraint><\/i><\/span><\/p>\n

    The transport guarantee element takes the values of \u2018INTEGRAL\u2019, \u2018NONE\u2019 OR \u2018CONFIDENTIAL\u2019. \u00a0\u2018CONFIDENTIAL\u2019 makes sure that encryption is enabled on the channel. \u2018INTEGRAL\u2019 makes sure that the integrity of the data is preserved.<\/p>\n

    We have seen the four security mechanisms and their implementations. Enforcing these security mechanisms will make sure that the web applications are more secure.<\/p>\n

    \u00a0<\/span><\/p>\n

    \u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

    \u2018Web application security\u2019 is part of the \u2018Web component developer\u2019 exam and we have already seen two posts relating to it. Recall, that we have already discussed the four authentication methods and the web resource collection element which is part of the authorization. We conclude the discussion of \u2018Web application security\u2019 by talking about the authorization constraint and user data constraint in this post. The different authorization constraints: Authorization is giving authenticated or unauthenticated roles access to restricted resources. Let us consider the first type of authorization constraint. Here, roles such as \u2018Super user\u2019 and \u2018Normal user\u2019 are allowed to […]<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[17],"tags":[1594],"class_list":["post-15591","post","type-post","status-publish","format-standard","hentry","category-news-updates","tag-web-application-security"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"profile_24":false,"profile_48":false,"profile_96":false,"profile_150":false,"profile_300":false,"tptn_thumbnail":false,"web-stories-poster-portrait":false,"web-stories-publisher-logo":false,"web-stories-thumbnail":false},"uagb_author_info":{"display_name":"Pavan Gumaste","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/pavan\/"},"uagb_comment_info":0,"uagb_excerpt":"\u2018Web application security\u2019 is part of the \u2018Web component developer\u2019 exam and we have already seen two posts relating to it. Recall, that we have already discussed the four authentication methods and the web resource collection element which is part of the authorization. We conclude the discussion of \u2018Web application security\u2019 by talking about the…","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/15591","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=15591"}],"version-history":[{"count":1,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/15591\/revisions"}],"predecessor-version":[{"id":75858,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/15591\/revisions\/75858"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=15591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=15591"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=15591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}