Java EE Web Security

Security is an important aspect of any web application. This book currently tries to cover the security related topics required to pass the exam for Java EE 6 Web Component Developer Certified Expert Exam.

What will happen if you specify transport guarantee as INTEGRAL or CONFIDENTIAL without configuring certificates?

In the response for first request to a non secure url, you will get a redirect url to a new https url, as you can see from tcpmon capture:

What will happen if you use FORM authentication without configuring a login page?

You will get an error: HTTP Status 500 - No login page was defined for FORM authentication in context.

What will happen if you use CLIENT-CERT authentication without configuring certificates?

You will get an error: HTTP Status 401 - No client certificate chain in this request.

[Demo] Basic and Digest Authentication using Apache Tomcat server Part 2 - Looking into the transmitted password data from client to server

This is the second part of the demo on Basic and Digest Authentication using Apache Tomcat server. We have already created the setup, did necessary configurations within web.xml and tomcat’s tomcat-users.xml, and finally exported it as a war, deployed it into tomcat and tested the basic and digest authentication.

[Demo] Basic and Digest Authentication using Apache Tomcat server Part 1 - Trying it out

We have seen enough theory on Authentication and Authorization. Now we will actually get our hands dirty trying it out for basic and digest authentication.

Steps to configure basic/digest authentication can be summarized as:

  1. Define the type of authentication (here BASIC/DIGEST)

  2. Define roles, users and create mapping between them

  3. Define resource collections to which security should be applied

Introduction to Authorization in Java EE Applications

Authorization is the process of checking if a user is allowed to access a particular resource on the server. To identify the user, we need to first do authentication and hence authentication is the first step towards authorization.

Authorization may be done in different ways, including:

  1. Programmatically controlling access to resources based on individual user’s credentials.

  2. Assigning users into different groups called roles and assigning permissions based on the roles

Introduction to Authentication in Java EE Applications

Authentication is the process of verifying if the user, usually with a username and password. Once authenticated, we may call a user as an authenticated user or a logged in user.

Java EE provides four different ways to authenticate a user:

  1. Basic Authentication

  2. Digest Authentication

  3. Form Authentication

  4. SSL Certificates

Introduction to Java EE Web Application Security from a Developer perspective

Security is one of the most important aspects of almost all web applications.  There are many areas of concern like client and server machine security, transmission channel security, database security etc.

While most security concerns are the responsibility of server or network administrators, application developers should also be concerned about some of the aspects of security such as authentication, authorization, data integrity and confidentiality.

  1. Authentication

Introduction to Data Integrity and Confidentiality in Java EE web applications

Data integrity is the process of verifying if data is transmitted without corruption or modification, thus making sure that the data received at the receiver end is in fact the same message sent by the sender.  Confidentiality is the process of maintaining data privacy wherein we secure the communications channel, to make sure the data is not accessed in its original form by a third party by eavesdropping.

Confidentiality and data integrity are related to securing the communications channel.

Search the Web

Custom Search

Searches whole web. Use the search in the right sidebar to search only within!!!