2_3_2 Programmatic Security.ppt

ProgrammaticSecurity SSEUSTCQingDing Agenda ProblemswithdeclarativesecurityTheadvantagesofdeclarativesecurityusuallyoutweighthedisadvantages Butnotalways Combinationsecurity mixingserver managedandservlet managed programmatic securitySolveoneofthedrawbacksofdeclarativesecuritywithonlyalittlebitofextrawork PureprogrammaticsecuritySolvetheotherdrawbacks butwithaverylotofextrawork ProblemswithPureDeclarativeSecurity Accessisall or nothingUserscanaccessaresourceorbedeniedaccesstoit Nochangesdependingonwhoaccessesresource AccessbasedonexactpasswordmatchesControlledbyserver Involvesserver specificcomponentThusisnotcompletelyportableServersmustsupportsomewaytodesignateusers passwords androles Butdifferentserversdoitdifferentways AllpagesusesamemechanismCan tmixform basedandBASICinsameWebappRequiresweb xmlentriesThismightmatterwhendeployinginpresetWebapp CombiningContainer ManagedandProgrammaticSecurity Relyonthecontainer server forusernames passwords androlesForm basedorBASICauthenticationasbeforeManageaccessexplicitlyfromwithintheservletsorJSPpagesForexample youcanchangetheresultofaparticularpagedependingonwhoaccessesit Withpuredeclarativesecurity itisallornothing UsethefollowingHttpServletRequestmethodsisUserInRolegetRemoteUsergetUserPrincipal CombinationSecurity Example FollowingstepssharedwiththehotdotcomIntranetexample fromBASICauthentication Definitionofusernames passwords androlesweb xmlentrytodesignateBASICauthenticationBASICIntranetweb xmlentriestodesignateprotectedresourcessecurity constraintelementwithurl patternauth constraintelementwithrole nameServerstilltracksusersandsendsdialogboxiftheyareunauthenticated CombinationSecurity Example web xmlExcerpt CombinationSecurity Example Continued employee pay jspweb xmllimitsaccesstoemployeesorexecutives CombinationSecurity Example Continued employee pay jspcontinuedSpecificcodefurtherlimitsaccesstoexecutives CombinationSecurity Example Results Accessbyregularemployee CombinationSecurity Example Results Accessbyexecutive PureProgrammaticSecurity IdeaEachprotectedresourceauthenticatesusersanddecideswhat ifany accesstograntAdvantagesTotallyportableNoserver specificcomponentPermitscustompassword matchingstrategiesNoweb xmlentriesneeded exceptmaybeurl pattern DisadvantagesMuchhardertowriteandmaintainEachandeveryresourcehastousethecodeYoucanbuildreusableinfrastructure e g servletsthatinheritfromcertainclassesorcustomJSPtags butitisstillalotofwork PureProgrammaticSecurity 1 CheckwhetherthereisanAuthorizationrequestheader Ifthereisnosuchheader gotoStep5 2 Gettheencodedusername passwordstring IfthereisanAuthorizationheader itshouldhavethefollowingform Authorization BasicencodedDataSkipoverthewordBasicandthespace theremainingpartistheusernameandpasswordrepresentedinbase64encoding 3 Reversethebase64encodingoftheusername passwordstring UsethedecodeBuffermethodoftheBASE64Decoderclass Thismethodcallresultsinastringoftheformusername password TheBASE64DecoderclassisbundledwiththeJDK inJDK1 3 itcanbefoundinthesun miscpackageinjdk install dir jre lib rt jar PureProgrammaticSecurity Continued 4 Checktheusernameandpassword Themostcommonapproachistouseadatabaseorafiletoobtaintherealusernamesandpasswords Forsimplecases itisalsopossibletoplacethepasswordinformationdirectlyintheservlet Iftheincomingusernameandpasswordmatchoneofthereferenceusername passwordpairs returnthepage Ifnot gotoStep5 Withthisapproachyoucanprovideyourowndefinitionof match Withcontainer managedsecurity youcannot 5 Whenauthenticationfails sendtheappropriateresponsetotheclient Returna401 Unauthorized responsecodeandaheaderofthefollowingform WWW Authenticate BASICrealm some name Thisresponseinstructsthebrowsertopopupadialogboxtellingtheusertoenteranameandpasswordforsome name thentoreconnectwiththatusernameandpasswordembeddedinasinglebase64stringinsidetheAuthorizationheader Example AServletThatGeneratesStockTips AServletThatGeneratesStockTips Continued AServletThatGeneratesStockTips Continued AServletThatGeneratesStockTips Results UsingProgrammaticSecuritywithSSL DeterminingIfSSLIsinUserequest getScheme returns https or http request isSecure returnstrueorfalse RedirectingNon SSLRequestsresponse sendRedirectDiscoveringtheNumberofBitsintheKeyrequest getAttribute javax servlet request key size LookingUptheEncryptionAlgorithmrequest getAttribute javax servlet request cipher suite AccessingClientX509Certificatesrequest getAttribute javax servlet request X509Certificate Example ProgrammaticSecurityandSSL Example ProgrammaticSecurityandSSL Continued Example ProgrammaticSecurityandSSL Results Summary Combinationsecurityobviates allornothing restrictionUseisUserInRoleorgetRemoteUsertochangecontentdependingonwhoaccessesresourceStillrelyonser