Saturday 25 July 2015

OCEJWCD-12.Web application security

OCEJWCD (SCWCD) - 1Z0-899 - Web Component Developer Certification

 12.1. Understand the role of the container in security

 -Authentication
-Authorization
-Confidentiality
-Data integrity

 The security should be declared in the deployment descriptor (it is possible to use annotations too).

 <security-constraint>

   <web-resource-collection>
    <web-resource-name>EditPage</web-resource-name>
    <url-pattern>/DemoServlet/Edit/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>

   <auth-constraint>
    <role-name>Admin</role-name>
    <role-name>User1</role-name>
  </auth-constraint>

 </security-constraint>

 When <role-name>*</role-name> or no auth constraint defined all roles have access to the resources described.

 When <auth-constraint/> no roles have access.

 12.2. Describe and implement four authentication models

  • BASIC Data is encoded in base64(not encrypted).
  • DIGEST Data is encrypted (not SSL) but no all JEE containers support it.
  • CLIENT-CERT Using Public key certificates. Clients need to have a certificate to use it.
  • FORM Creating a custom login form. Data are sent in http request with no encryption

The authentication type is declared in DD
<login-config>
  <auth-method>FORM</auth-method>

 In the Form authentication type the loginPage should be defined (using these three fields: j_security_check, j_username, j_password

 <form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Enter">
</form>

 12.3. Force the use of encryption between a web application and the client browser.

 Annotation ServletSecurity.TransportGuarantee
-NONE
-CONFIDENTIAL: All user data must be encrypted by the transport (typically using SSL/TLS).

 @ServletSecurity(@HttpConstraint(transportGuarantee =  TransportGuarantee.CONFIDENTIAL))

 12.4. Understand the role of JAAS in pluggable/extensible authentication for web applications

 JAAS can be used for two purposes:
  • for authentication of users, 
  • for authorization of users to ensure they have the access control rights required to do the actions performed.
More details about how to athenticate a subject (user or service):

 OCEJWCD (SCWCD) - 1Z0-899 - Web Component Developer Certification
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)