Summary

In this chapter, we saw how we can use server-side policy files to protect against badly-written or malevolent code. Such policy files are especially important when third-party code is hosted on a server.

We covered SSL, and the technologies that make it possible including shared secret encryption and public key encryption. We saw how easy it is to configure SSL both on the server and the client side - we configured Tomcat to use SSL and created and imported a certificate into Internet Explorer.

We also explored both declarative and programmatic security. Tomcat 4 provides a highly customizable declarative security implementation, and includes support for container-managed security. Through the use of realms, Tomcat fulfills its authentication and security requirements without becoming platform dependent. Single-sign on with Tomcat demonstrated how we can make a system significantly more user-friendly by avoiding several tedious authentications when a service spans web applications.

Although as much security as possible should be declarative in nature, there are times when we need to define security programmatically. So, we took a quick look at programmatic security to see how it can be used to implement an application's security model.

In the next chapter we're going to turn our attention to how we can effectively debug servlets.

A

addPropertyChangeListener() method

  • org.apache.catalina.Realm interface, 17

Apache Tomcat see Tomcat.

asymmetric keys

  • public key encryption, SSL, 6

attributes

  • <Realm> element, JDBCRealm, 28

<auth-constraint> sub-element

  • <security-constraint> element, 20

authenticate() method

  • org.apache.catalina.Realm interface, 17

  • Tomcat authentication, 23

authentication

  • BASIC authentication, 24

  • FORM-based authentication, 24

  • JDBCRealm, 27

  • multiple authentication requests, 30

  • programmatic security, 35

  • single sign-on, 34

  • SSL guarantee, 6

  • Tomcat 4 methods of, 20

<auth-method> sub-element

  • <login-config> element, 20

B

BASIC authentication

  • digested passwords, 24

  • multiple authentication requests, 31

  • Tomcat 4 authentication method, 21

business security logic, 16

C

catalina.policy, Tomcat policy file, 2

certification

  • self-signed certificates, 10

Certification Authorities

  • authenticating digital certificates, 8

  • digital certificates, 8

  • public key validation, 7

  • self recognition as, 11

  • transitive trust, 8

  • web sites, 7

cipher suite

  • server authentication, SSL, 9

CLIENT-CERT authentication

  • Tomcat 4 authentication method, 21

container configuration

  • SSL, 9

container managed security, 19

<Context> element

  • MemoryRealm, 22

  • multiple authentication requests, 31

  • realm association, 19

D

data encryption see encryption, SSL.

data integrity

  • SSL guarantee, 6

declarative security, 21

  • accessing NetAccessServlet to test, 22

  • FORM-based authentication, 24

  • JDBCRealm, 27

  • multiple authentication requests, 30

  • servlet 2.3 specification, 16

  • single sign-on, 34

DIGEST authentication

  • Tomcat 4 authentication method, 21

digested passwords

  • declarative security in Tomcat 4, 24

digital certificates, SSL

  • authenticating, 8

  • certification authorities, 8

digital signatures, SSL, 7

<display-name> sub-element

  • <security-constraint> element, 20

E

elements

  • see also sub-elements.

  • <Context> element, 19, 22, 31

  • <Engine> element, 19

  • <form-error-page> element, 24

  • <form-login-page> element, 24

  • <Host> element, 19, 31

  • <http-method> element, 20

  • <login-config> element, 19, 20, 22, 24

  • <role-name> element, 20

  • <security-constraint> element, 19, 22

  • <tomcat-users> element, 22

  • <transport-guarantee> element, 20

  • <url-pattern> element, 20

encryption, SSL, 6

<Engine> element

  • realm association, 19

F

FORM-based authentication

  • declarative security, 24

  • multiple authentication requests, 31

  • Tomcat 4 authentication method, 21

<form-error-page> element

  • FORM-based authentication, 24

<form-login-config> sub-element

  • <login-config> element, 20

<form-login-page> element

  • FORM-based authentication, 24

G

getContainer() method

  • org.apache.catalina.Realm interface, 18

getInfo() method

  • org.apache.catalina.Realm interface, 18

getRemoteUser() method

  • HttpServletRequest interface, 35

getUserPrincipal() method

  • HttpServletRequest interface, 35

grant statements

  • policy files, Java 2 security model, 2

H

handshaking

  • public key encryption, SSL, 7

hasRole() method

  • org.apache.catalina.Realm interface, 18

<Host> element

  • multiple authentication requests, 31

  • realm association, 19

<http-method> element

  • specifying HTTP method, 20

HttpServletRequest interface

  • programmatic security, 35

I

interfaces

  • org.apache.catalina.Realm interface, 17

isUserInRole() method

  • HttpServletRequest interface, 35

J

Java 2 security model, 1

  • policy files, JVM, 1

  • server side policy files, 2

Java Key Store

  • JSSE keystore, 10

java.io.FilePermission, policy files

  • description, 2

java.lang.RuntimePermission, policy files

  • description, 2

java.net.SocketPermission, policy files

  • description, 2

java.security.AllPermission, policy files

  • description, 2

  • Tomcat default startup script, 2

java.util.PropertyPermission, policy files

  • description, 2

JDBCRealm

  • declarative security, 27

  • multiple authentication requests, 31

  • Tomcat, 18

JDK: keytool

  • options, table of, 10

JNDIRealm implementation

  • Tomcat, 18

job functions see roles.

JSSE (Java Secure Socket Extension)

  • installing, 10

  • Java Key Store, 10

  • server-side keystore, 10

  • Tomcat 4 using, 10

  • web site, 10

K

keystore

  • content of keystore command, 11

  • server-side, JSSE, 10

L

localhost, SSL

  • browser authentication of, 14

<login-config> element

  • authentication method, 20

  • <auth-method> sub-element, 20

  • container managed security, 19

  • declarative security, 22

  • digested passwords, 24

  • FORM-based authentication, 24

  • <form-login-config> sub-element, 20

  • <realm-name> sub-element, 20

  • sub-elements, 20

M

MD5 algorithm

  • web site, 8

MemoryRealm

  • declarative security, 21

methods

  • addPropertyChangeListener() method, 17

  • authenticate() method, 17, 23

  • getContainer() method, 18

  • getInfo() method, 18

  • getRemoteUser() method, 35

  • getUserPrincipal() method, 35

  • hasRole() method, 18

  • isUserInRole() method, 35

  • removePropertyChangeListener() method, 18

  • setContainer() method, 18

  • userInRole() method, 23

multiple authentication requests

  • declarative security, 30

N

NetAccessServlet

  • testing declarative security, 22

O

org.apache.catalina.Realm interface

  • methods defined, 17

org.apache.catalina.realm.MemoryRealm

  • authenticate() method, 23

P

passwords

  • digested passwords, 24

policy files, Java 2 security model, 1

  • frequently used permissions, 2

  • server side, 2

    • using, 3

  • Tomcat, 2

privacy

  • SSL guarantee, 6

programmatic security

  • authentication, 35

  • servlet 2.3 specification, 16

public key encryption, SSL, 6

  • asymmetric keys, 6

public key validation

  • Certification Authorities, 7

R

<Realm> element, JDBCRealm

  • attributes, 28

<realm-name> sub-element

  • <login-config> element, 20

realms

  • associations, 19

  • configurations in Tomcat 4, 19

  • implementations, 18

  • JDBCRealm, 27

  • MemoryRealm, 21

  • Tomcat, 17

references to web sites

  • Certification Authorities, 7

  • JSSE (Java Secure Socket Extension), 10

  • MD5 algorithm, 8

  • security permissions, policy files, 2

  • SSL (Secure Sockets Layer), 5

  • Thawte, 7

  • VeriSign, 7

removePropertyChangeListener() method

  • org.apache.catalina.Realm interface, 18

responsibilities see roles.

<role-name> element

  • <auth-constraint> element contains, 20

roles

  • users to roles mapping in Tomcat, 17

  • using in servlet 2.3 security, 15

S

scope

  • inner and outer scope, 19

security

  • access security, 16

  • business security logic, 16

  • container managed, 19

  • declarative security, 16, 21

  • Java 2 security model, 1

  • programmatic security, 16, 35

  • roles, using in servlet 2.3, 15

  • servlet 2.3 specification, 15

  • servlet security, 1

  • Tomcat 4, 17

security permissions

  • policy files, Java 2 security model, 2

    • web site for complete list, 2

<security-constraint> element

  • <auth-constraint> sub-element, 20

  • container managed security, 19

  • declarative security, 22

  • <display-name> sub-element, 20

  • sub-elements, 19

  • <user-data-constraint> sub-element, 20

  • <web-resource-collection> sub-element, 20

server authentication, SSL, 9

server side policy files see policy files, Java 2 security model.

server.xml file

  • configuring Tomcat, 13

  • realm association, 19

servlet 2.3 specification

  • application security model, 16

  • deployer/developer responsibilities, 15

  • security, 15

  • security components, 1

  • security in Tomcat 4, 17

servlet container

  • configuring SSL for, 6

setContainer() method

  • org.apache.catalina.Realm interface, 18

shared secret encryption, SSL, 6

single sign-on

  • declarative security, 34

SSL (Secure Sockets Layer), 5

  • adding SSL connector to Tomcat 4, 13

  • browser authentication of localhost, 14

  • checking Tomcat setup, 13

  • configuring for servlet container, 6

  • digital certificates, 8

  • digital signatures, 7

  • enabling on Tomcat 4, 10

  • encryption, 6

  • guarantees, 6

  • non-SSL access, 14

  • public key encryption, 6

    • handshaking, 7

  • server authentication, 9

  • shared secret encryption, 6

    • communication, 7

  • shared secret encryption, using, 7

  • standalone configuration website, 9

  • Tomcat 4 based website, 9

  • web server front end website, 9

  • web site, 5

sub-elements

  • see also elements.

  • <auth-constraint> sub-element, 20

  • <auth-method> sub-element, 20

  • <display-name> sub-element, 20

  • <form-login-config> sub-element, 20

  • <realm-name> sub-element, 20

  • <user-data-constraint> sub-element, 20

  • <web-resource-collection> sub-element, 20

T

Thawte, certification authority

  • public key validation, 7

  • web site, 7

Tomcat

  • adding SSL connector to Tomcat 4, 13

  • catalina.policy policy file, 2

  • checking setup, 13

  • declarative security in Tomcat 4, 21

  • default startup script, 2

  • enabling SSL on Tomcat 4, 10

  • JDBCRealm implementation, 18

  • JNDIRealm, 18

  • JSSE, used by Tomcat 4, 10

  • keystore creation, 10

  • policy files, Java 2 security model, 2

  • realms, 17

  • security in Tomcat 4, 17

  • SSL based on Tomcat 4, 9

<tomcat-users> element

  • declarative security, 22

transitive trust, SSL

  • certification authorities, 8

<transport-guarantee> element

  • for <user-data-constraint> element, 20

U

<url-pattern> element

  • specifying sets of resources, 20

<user-data-constraint> sub-element

  • <security-constraint> element, 20

userInRole() method

  • Tomcat authentication, 23

V

VeriSign, certification authority

  • public key validation, 7

  • web site, 7

W

web sites see references to web sites.

<web-resource-collection> sub-element

  • <security-constraint> element, 20

Professional Java Servlets 2.3
ISBN: 186100561X
Year: 2006
Pages: 130