09 - Access Control

CSE 135 Access Control
Authentication & Authorization

Access Control Mechanisms
Declarative Authorization using Realms
– The expression of app security is separate from your JSP and Java code
– Access control to resources based on roles
– Role: group of users that have access to particular resources
– Resources: pages, action URLs in Struts, etc.
Programmatic
– Your code is responsible
– Choose when you need to create intricate access control strategies
Declarative Authorization Using Realms
Really simple! Many mechanisms for specifying role/user pairs are “ready out of the box”
– Memory, JDBC, DataSource and JNDI Realms
Code eventually has access to who the logged-in user is and what his role is
Memory Realm: access control in <1hr
– Users’ info can be provided in <TOMCAT_HOME>/conf/tomcat-users.xml
– Unfortunately static and clear text passwords
DataSource Realm
– Users’ info is stored in DB (preferred – your project)

Authentication
How does a user prove her identity?
– login pages, passwords, etc.
Methods: BASIC, DIGEST, FORM (to be used in your projects)
Authentication Method – 1: BASIC
Usage: Pop up a dialog box
– Browser-based authentication
– User & Password are sent in every HTTP request
– Must exit the browser to logout

Authentication Method – 2: DIGEST
Motivation: BASIC sends clear text password over http
– Can manually employ HTTPS but will switch back to clear text once
How DIGEST solves the problem
– Browser encrypts (digests) password using the MD5 algorithm (or SHA, MD2)
Poor support by browsers has killed the method
Encryption and Security Basics – Part I
Private key (password)
Server stores public key, i.e., encrypted version of private key
– publicK = f(privateK, randomKey)
During login, function valid() decides if private key matches public key
– valid(privateK, publicK)
Public key is useless to attacker!
Passwords and possibly other data (credit cards) sent by the browser must be encrypted
– Tricky protocol! Client must verify that server is who it says it is
– Certificates

Authentication Method – 3: FORM
Usage: Define your own login and error page
– Authentication is defined in servlet session
– Logout by session.invalidate()
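The publicK = f(privateK, randomKey) / valid(privateK, publicK) scheme from the slide, worked through as an added example (not part of the lecture, and written in Python rather than Java because the idea is language-independent). It assumes randomKey is a per-user random salt and realizes f as a one-way salted hash (PBKDF2-HMAC-SHA256) instead of reversible encryption, which is what a realm would actually store; the record format and iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

# Assumptions of this example, not from the slides: a random 16-byte salt per
# user, and a modest PBKDF2 iteration count (raise it for production use).
ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def f(privateK: str, randomKey: bytes) -> str:
    """The slide's f(privateK, randomKey): derive the stored 'public key'.

    The result is a one-way salted hash, so an attacker who reads publicK
    still has to guess privateK. The salt and iteration count are stored in
    the record so that valid() can recompute the same digest later.
    """
    digest = hashlib.pbkdf2_hmac("sha256", privateK.encode("utf-8"),
                                 randomKey, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${randomKey.hex()}${digest.hex()}"


def register(privateK: str) -> str:
    """Create a fresh randomKey for a new user and return the publicK to store."""
    return f(privateK, os.urandom(SALT_BYTES))


def valid(privateK: str, publicK: str) -> bool:
    """The slide's valid(privateK, publicK): does the password match the record?"""
    try:
        scheme, iterations, salt_hex, digest_hex = publicK.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", privateK.encode("utf-8"),
                                    salt, rounds)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = register("correct horse battery staple")  # constructed sample
    print(stored)
    print(valid("correct horse battery staple", stored))  # True
    print(valid("wrong password", stored))                # False
```

Because the salt is random, two users with the same password get different publicK values, so a leaked record for one user does not identify the other.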
Authentication Method – 4: Client
Usage
Implemented with