Web programming: Units WEB1P and WEB2P
Many web applications require the implementation of a security system - usually ensuring that only authorised users can access specific parts of a web site.
Security has two basic concepts: authentication and authorisation. Authentication is how users prove who they say they are. Authorisation is how access to specific features is allowed or disallowed.
It is important to note the facilities that HTTP itself provides for authentication. These are specified in RFC 2617.
HTTP authentication operates on a challenge/response paradigm. If a server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code. The client must then resend the request with an Authorization header. To do this, most browsers will prompt the user for a username and password. (Most browsers cache this for the duration of the browser session; some will allow the user to save it between sessions. We leave it as an exercise for the reader as to whether storing a password on the client machine is secure or not!)
Note the distinction between Basic Authentication and Digest Authentication. The former passes usernames and passwords in clear text (actually in Base64 format, but this is trivially decoded); the latter never sends the password itself, but instead sends a checksum (by default, MD5) computed over the username, the password, a given nonce value, the HTTP method, and the requested URI. The nonce value is sent by the server with the 401 response.
HTTP authentication operates within a realm. A realm is essentially the store (e.g. file, database, ...) against which user credentials are checked.
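The following is an added example, not part of the original course notes, showing how a server would validate the Authorization header it receives after issuing a 401 challenge, for both the Basic and the Digest scheme of RFC 2617. The realm name, nonce, user store and credentials are constructed for the example. It makes the point of the previous paragraphs concrete: the Basic header yields the username and password directly, whereas the Digest header only carries the MD5 checksum, which the server verifies by recomputing it from the password it holds and the nonce it issued.

```python
"""
Added example (not part of the original course notes): server-side
verification of the two RFC 2617 schemes, Basic and Digest, on the
Authorization header a client sends after a 401 challenge. The realm
name, nonce, user store and credentials are all constructed here.
"""
import base64
import hashlib
import re
import secrets

# Constructed credential store for the realm (in practice a file or database).
REALM = "Example Realm"
USERS = {"alice": "s3cret"}


def basic_challenge():
    """WWW-Authenticate header the server sends with a 401 for Basic."""
    return f'Basic realm="{REALM}"'


def basic_header(username, password):
    """What a browser sends back for Basic: Base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode()
    return "Basic " + token


def verify_basic(authorization):
    """Decode the Basic credentials and check them against the user store.
    Returns the username on success, None otherwise. Base64 is an
    encoding, not encryption: the password is fully recoverable here."""
    scheme, _, param = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or USERS.get(username) != password:
        return None
    return username


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_challenge(nonce=None):
    """WWW-Authenticate header for Digest. The nonce is generated per
    challenge and the server must remember it to validate the reply."""
    nonce = nonce or secrets.token_hex(16)
    return nonce, f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'


def digest_response(username, password, method, uri, nonce):
    """Client-side computation from RFC 2617 (no qop): the password is
    never sent, only MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def _parse_digest_params(param):
    # Values may be quoted (username="alice") or bare (algorithm=MD5).
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', param)
    return {k: v.strip().strip('"') for k, v in pairs}


def verify_digest(authorization, method, expected_nonce):
    """Recompute the checksum from the stored password and compare it with
    the value the client sent. The nonce must be the one this server
    issued, which ties the response to this challenge and defeats replay
    of an old header. Returns the username on success, None otherwise."""
    scheme, _, param = authorization.partition(" ")
    if scheme != "Digest":
        return None
    p = _parse_digest_params(param)
    try:
        username, uri, nonce, response = p["username"], p["uri"], p["nonce"], p["response"]
    except KeyError:
        return None
    if p.get("realm", REALM) != REALM or nonce != expected_nonce:
        return None
    password = USERS.get(username)
    if password is None:
        return None
    expected = digest_response(username, password, method, uri, nonce)
    if not secrets.compare_digest(expected, response):
        return None
    return username


if __name__ == "__main__":
    # Basic: this is what the browser sends after a 401 with basic_challenge().
    print("Basic  ->", verify_basic(basic_header("alice", "s3cret")))

    # Digest: the server issues a nonce, the client answers with the checksum.
    nonce, challenge = digest_challenge()
    resp = digest_response("alice", "s3cret", "GET", "/admin/", nonce)
    header = (f'Digest username="alice", realm="{REALM}", nonce="{nonce}", '
              f'uri="/admin/", response="{resp}"')
    print("Digest ->", verify_digest(header, "GET", nonce))
```

Two design points are worth noticing. First, the Digest verifier needs the clear-text password (or at least the stored HA1 value) to recompute the checksum, so the realm's credential store cannot be a one-way salted hash as it could be for Basic or form login. Second, the response is bound to the method and URI, so a captured header for one request does not validate for a different one, and it is bound to the server's nonce, so it does not validate against a fresh challenge.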
web.xml configuration

Basic (using HTTP):

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

Form-based (see below):

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/fail_login.html</form-error-page>
        </form-login-config>
    </login-config>

Restrict access to a URL to particular role(s):

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>private</role-name>
        </auth-constraint>
    </security-constraint>

Define a role:

    <security-role>
        <role-name>private</role-name>
    </security-role>

Require a confidential (encrypted, i.e. SSL/TLS) connection for the constrained URLs:

    <security-constraint>
        ...
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Login form for form-based authentication (the action and the field names are fixed by the servlet specification):

    <form method="POST" action="j_security_check">
        <input type="text" name="j_username">
        <input type="password" name="j_password">
    </form>
Last updated by Prof Jim Briggs of the School of Computing at the University of Portsmouth

The web programming units include some material that was formerly part of the WPRMP, WECPP, WPSSM and WEMAM units.