CS 320 Web and Internet Programming
Authentication, Authorization, and SSL
Chengyu Sun, California State University, Los Angeles
Overview
Web Site of Alumni Association, with three levels of information and who may see each:
- General Information: Everyone
- Insider Information: Alumni
- Admin Information: Administrators
Client and Server Interaction
Client: request page x
Server: who are you? (Authentication)
Client: username/password
Server: you're not authorized to access page x (Authorization / Access Control)
Connection Security: the channel between client and server
Authentication
- Basic
- Digest
- Form
- SSL
Authentication – Basic
- Part of the HTTP protocol
- Supported by all web servers and browsers
Flow:
1. Client requests a restricted page
2. Server prompts for username/password
3. Client resends the request with an Authorization header field = username & password
Problem?
Authentication – Digest
- Part of the HTTP 1.1 protocol
- Supported by most web servers and browsers
Flow:
1. Client requests a restricted page
2. Server prompts for username/password and sends a nonce
3. Client resends the request with a message digest: MD5(username + password + nonce + other stuff)
Authentication – Digest (continued)
MD5:
- By Ronald Rivest (the "R" in RSA)
- Maps a string of arbitrary length to a 128-bit digest
  - It's virtually impossible that two different strings have the same digest
  - It's virtually impossible to compute the original string from the digest
How does the server validate the username/password? Why the nonce?
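Added example (not from the slides) answering the two questions above: how the server validates a Digest response without ever receiving the password, and why the nonce matters. It follows the RFC 2617 computation without qop (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)); the realm name, the user table and the nonce bookkeeping are assumptions made for the example.

```python
import hashlib
import secrets

REALM = "alumni"  # constructed realm name for this example

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

# The server stores HA1 = MD5(user:realm:password) per user, so the clear-text
# password is neither stored nor ever sent over the wire. Constructed sample user.
USER_DB = {"csun": md5_hex("csun:" + REALM + ":abcd")}

# Nonces the server has issued with a 401 challenge and not yet consumed.
issued_nonces: set = set()

def make_nonce() -> str:
    """Server side: issue a fresh, unpredictable nonce with the challenge."""
    nonce = secrets.token_hex(16)
    issued_nonces.add(nonce)
    return nonce

def client_response(user: str, password: str, nonce: str, method: str, uri: str) -> str:
    """Client side: what the browser computes from the prompt plus the nonce."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_validate(user: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side: recompute the digest from the stored HA1 and compare.
    Each nonce is accepted once, so a captured response cannot be replayed."""
    if nonce not in issued_nonces:
        return False               # unknown, expired, or already-used nonce
    issued_nonces.discard(nonce)
    ha1 = USER_DB.get(user)
    if ha1 is None:
        return False               # unknown user
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)

def demo() -> tuple:
    """One valid login, a replay of it, and the old digest against a new nonce."""
    n1 = make_nonce()
    r1 = client_response("csun", "abcd", n1, "GET", "/restricted/x")
    fresh = server_validate("csun", n1, "GET", "/restricted/x", r1)
    replay = server_validate("csun", n1, "GET", "/restricted/x", r1)   # same nonce reused
    n2 = make_nonce()
    stale = server_validate("csun", n2, "GET", "/restricted/x", r1)    # old digest, new nonce
    return fresh, replay, stale   # (True, False, False)
```

The realm is part of HA1, so a stored HA1 for one site cannot be reused to log in to another realm, which is why Tomcat's digested password storage is realm-bound.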
Authentication – Form
- Both Basic and Digest authentication are implemented by the HTTP server
- Form authentication is implemented by the Servlet/JSP engine
Form and Basic:
- Username/password are passed as clear text
- Login page instead of login prompt
Form Authentication – User File (tomcat-users.xml)
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="test"/>
  <user username="tomadmin" password="abcd" fullName="" roles="admin,manager,standard,tomcat"/>
  <user username="csun" password="abcd" fullName="Chengyu Sun" roles="test"/>
</tomcat-users>
Form Authentication – Login Page
<form method="post" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>
web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted</web-resource-name>
    <url-pattern>/restricted/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>test</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/FormLogin.html</form-login-page>
    <form-error-page>/FormError.html</form-error-page>
  </form-login-config>
</login-config>
SSL
HTTPS provides:
- Server authentication
- Client authentication
- Connection encryption