06-07-2012, 02:32 PM
Web Security
WebSecurity.ppt (Size: 135.5 KB / Downloads: 95)
HTTP Authentication
Protect web content from those who don’t have a “need to know”
Require users to authenticate using a userid/password before they are allowed access to certain URLs
HTTP/1.1 requires that when a user requests a protected resource, the server responds with an authentication request header
WWW-Authenticate
contains enough pertinent information to carry out a “challenge-response” session between the user and the server
WWW-Authenticate
The authentication request received by the browser will look something like:
WWW-Authenticate: Basic realm="defaultRealm"
Basic indicates that HTTP Basic authentication is requested
realm indicates the context of the login
realms hold all of the parts of the security puzzle:
Users
Groups
ACLs (Access Control Lists)
Basic Authentication
userid and password are sent Base64-encoded (might as well be plain text)
an attacker doesn't even need to decode it; all they have to do is "replay" the captured blob over and over (this is called a "replay attack")
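To make the challenge-response exchange concrete, here is an added Python example (not part of the slides): it parses the WWW-Authenticate challenge, builds the client's Authorization header, decodes that header again to show the credentials are only Base64-encoded, and checks it on the server side, where a captured header verifies repeatedly because Basic carries no freshness (nonce or timestamp). The user store and the credentials are constructed for the example.

```python
import base64
import binascii
import hmac
import re
from dataclasses import dataclass, field


@dataclass
class Challenge:
    """One parsed WWW-Authenticate challenge: scheme plus its parameters."""
    scheme: str
    params: dict = field(default_factory=dict)


# Matches key="quoted value" or key=token inside the challenge parameters.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_www_authenticate(header_value: str) -> Challenge:
    """Parse a value such as 'Basic realm="defaultRealm"' sent by the server."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(rest):
        params[key.lower()] = quoted if quoted else bare
    return Challenge(scheme=scheme, params=params)


def build_authorization(userid: str, password: str) -> str:
    """Client side: Base64 of 'userid:password'. Encoding, not encryption."""
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_authorization(header_value: str) -> tuple:
    """Anyone who observes the header recovers the credentials with one call."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    userid, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return userid, password


# Constructed sample user store for this example (assumption, not real data).
# A real realm stores a salted password hash, never the password itself.
USERS = {"alice": "s3cret"}


def server_check(header_value: str) -> bool:
    """Server side: verify a received Authorization header against the realm."""
    try:
        userid, password = decode_authorization(header_value)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return False
    expected = USERS.get(userid)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def replay_demo(captured_header: str, attempts: int = 3) -> list:
    """A captured header is accepted every time: nothing ties it to one request."""
    return [server_check(captured_header) for _ in range(attempts)]


if __name__ == "__main__":
    challenge = parse_www_authenticate('Basic realm="defaultRealm"')
    print("server challenge:", challenge)
    header = build_authorization("alice", "s3cret")
    print("client sends:   ", header)
    print("decodes to:     ", decode_authorization(header))
    print("replayed checks:", replay_demo(header))
```

The only protection Basic offers against observation or replay is the transport: the header must travel over TLS, and the server should bind sessions to something fresher than a static credential where it can.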
Java Cryptographic Packages
Separate packages that are now included as part of JDK
JCE - Java Cryptography classes
JSSE - Java Secure Sockets Extension
JAAS - Java Authentication and Authorization Services
Java GSS API - Java Generic Security Services API
Java Certification Path API
Java GSS-API
adds Kerberos V5 support to the Java platform.
Kerberos originated at the Massachusetts Institute of Technology (MIT) as part of Project Athena in 1987.
Essentially, a network authentication protocol.
Defined in RFC 1510 from 1993
its biggest draw is not having to send passwords over the network.
offers single sign-on within one domain -- if everything within the domain has been Kerberos-enabled.
support is also provided for single sign-on across different security realms over a network.
used together with JAAS: once a user's identity is established, further authentication requests are no longer necessary.