1 / 12

CS320 Web and Internet Programming Authentication, Authorization, and SSL

CS320 Web and Internet Programming Authentication, Authorization, and SSL. Chengyu Sun California State University, Los Angeles. Overview. General Information. Everyone. Insider Information. Alumni. Web Site of Alumni Association. Administrators. Admin Information.

tlacy
Download Presentation

CS320 Web and Internet Programming Authentication, Authorization, and SSL

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS320 Web and Internet ProgrammingAuthentication, Authorization, and SSL Chengyu Sun California State University, Los Angeles

  2. Overview General Information Everyone Insider Information Alumni Web Site of Alumni Association Administrators Admin Information

  3. Client and Server Interaction Client Server request page x who are you? Authentication username/password Authorization (Access Control) you’re not authorized to access page x Connection Security

  4. Authentication • Basic • Digest • Form • SSL

  5. Authentication – Basic • Part of HTTP protocol • Support by all web servers and browsers request for a restricted page prompt for username/password resend request authorization header field = username & password • Problem?

  6. Authentication – Digest … • Part of HTTP 1.1 protocol • Support by most web servers and browsers request for a restricted page prompt for username/password + nonce resend request + message digest MD5(username + password + nonce + other stuff)

  7. … Authentication – Digest • MD5 • By Ronald Rivest (“R” in RSA) • String of arbitrary length  128bit digest • It’s virtually impossible that two different strings have the same digest • It’s virtually impossible to compute the original string from the digest • How does the server validate the username/password? • Why nonce?

  8. Authentication – Form • Both Basic and Digest authentications are implemented by the HTTP server • Form authentication is implemented by the Servlet/JSP engine • Form and Basic • Username/password are passed as clear text • Login page instead of login prompt

  9. Form Authentication – User File <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="admin"/> <role rolename="test"/> <user username="tomadmin" password=“abcd" fullName="" roles="admin,manager,standard,tomcat"/> <user username="csun" password="abcd" fullName="Chengyu Sun" roles="test"/> </tomcat-users>

  10. Form Authentication – Login Page <form method="post" action="j_security_check"> <input type="text“ name="j_username"> <input type="password" name="j_password"> </form>

  11. web.xml <security-constraint> <web-resource-collection> <web-resource-name>restricted</web-resource-name> <url-pattern>/restricted/*</url-pattern> <web-resource-collection/> <auth-constraint> <role-name>test</role-name> <auth-constraint/> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/FormLogin.html</form-login-page> <form-error-page>/FormError.html</form-error-page> </form-login-config> </login-config>

  12. SSL • HTTPS • Server authentication • Client authentication • Connection encryption

More Related