Securing your web application is equally important as developing quality applications.An application is comprised of lot of resources which is available for their callers/users.
Security is an important aspect of applications that transport sensitive data over the internet.
It is important to protect the resources from being attacked/illegally accessed.
Basically illegitimate access to the resources of the application have to be stopped/rejected.
There are two main concerns in securing web applications and that need to be addressed:
- Preventing unauthorised users from gaining access to protected content.
- Preventing protected content from being read while it is being transmitted.
We will see some terms and we will jump back to the above 2 concerns.
Let us assume , we have a house(web application), it has lock and its locked(secured). We need key to open the house.
This is exactly called ‘Authentication’. You validate(authenticate) yourself with a key to get into the house.
This is the very first step to get into the house.
In software terms
“Determining whether a user is who he or she claims to be.” Mechanisms such as username/password, smart cards, and Public Key Infrastructure (PKI) can be used to assure authentication.
Authorization or Access Control:
Once you enter into the house,you are allowed to use/touch/access certain things in the house(TV, a room) ,
and you are not allowed to access/touch/use some items(example, the locked table drawer, another room).
This is called ‘access control or authorization’.
In software terms:
Ensures that an authenticated entity can access only those services they are allowed to access. Access control lists are used to implement this.
The above two terms (authentication and authorization or access control) are used to address the #1 concern “Preventing unauthorized users from gaining access to protected content.”
#2 concern, “Protecting data while it is in transit“, typically involves using Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL), in order to encrypt any data communicated between the client and server.
Web applications are there to serve their callers through either ‘http://’ or ‘https://’ protocol.
What is ‘http’?
Short for Hyper Text Transfer Protocol, HTTP is the underlying protocol used by the World Wide Web.
HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
For example, when you enter a URL in your browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page.
What is ‘https‘?
Using HTTPS, the computers agree on a “code” between them, and then they scramble the messages using that “code” so that no one in between can read them. This keeps your information safe from hackers. They use the “code” on a Secure Sockets Layer (SSL), sometimes called Transport Layer Security (TLS) to send the information back and forth.
Common Security Terminologies
The most common security processes are authentication, authorization, realm assignment, and role mapping. The following sections define this terminology.
Authentication verifies the user. For example, the user may enter a username and password in a web browser, and if those credentials match the permanent profile stored in the active realm, the user is authenticated. The user is associated with a security identity for the remainder of the session.
Authorisation permits a user to perform the desired operations, after being authenticated. For example, a human resources application may authorize managers to view personal employee information for all employees, but allow employees to only view their own personal information.
A realm, also called a security policy domain or security domain in the J2EE specification, is a scope over which a common security policy is defined and enforced by the security administrator of the security service. Supported realms in Sun Java System Application Server are file, ldap, certificate, and solaris. For information about how to configure a realm, see Realm Configuration.
A client may be defined in terms of a security role. For example, a company might use its employee database to generate both a company wide phone book application and to generate payroll information. Obviously, while all employees might have access to phone numbers and email addresses, only some employees would have access to the salary information. Employees with the right to view or change salaries might be defined as having a special security role.
A role is different from a user group in that a role defines a function in an application, while a group is a set of users who are related in some way. For example, members of the groups astronauts, scientists, and politicians all fit into the role of SpaceShuttlePassenger.