reauthentication of the user to perform certain privileged actions on the Web application. In the case of such reauthentication, session identifiers and tokens have to be regenerated, so that a session identifier issued (or planted by an attacker) before the step-up cannot be reused to reach the privileged function. The existing session information should be temporarily stored aside, the old session invalidated, and the stored state transferred into the newly generated session under which the higher-privilege actions on the Web application are performed.
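The store-invalidate-transfer sequence described above, as an added example written for this page rather than code from the book; it assumes a Servlet 3.x container, and the attribute name reauthenticatedAt is illustrative:

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Regenerates the session after a successful reauthentication so that the
 * identifier used before the step-up is no longer valid for the elevated
 * session (added example; not the book's own code).
 */
public final class SessionRegenerator {

    private SessionRegenerator() { }

    /**
     * Call this once the user has re-entered credentials for a privileged
     * action. The live session state is copied aside, the old session (and
     * therefore its identifier and any session-bound tokens) is discarded, a
     * fresh session is created, and the saved state is restored into it.
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();

        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // Invalidate rather than reuse: the old identifier may have been
            // sniffed, or fixed by an attacker, before the user authenticated.
            old.invalidate();
        }

        // getSession(true) after invalidate() allocates a brand-new identifier.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }

        // Record when the elevated privilege was granted so the application
        // can expire it after a short window (hypothetical attribute name).
        fresh.setAttribute("reauthenticatedAt", System.currentTimeMillis());
        return fresh;
    }
}
```

Anything that is itself bound to the old identifier, such as a CSRF token stored as a session attribute, is carried over by this copy; if the application derives such tokens from the session identifier rather than storing them, it must re-derive them here. On a Servlet 3.1 or later container, `request.changeSessionId()` rotates the identifier while keeping the attributes in place and can replace the copy loop.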
7.2.4 Authorization—Effective Authorization for a Web Application
Authorization is the process of ensuring that users access only the information or resources that they are allowed (authorized) to view, edit, create, or delete. Authorization is a critical element of access control, as it specifies what access an authenticated user has to the critical information assets that are part of the Web application: authentication establishes who the user is, authorization decides what that user may do. The following practices are to be implemented for effective authorization in the Web application.
The first step toward developing a robust authorization mechanism is to develop an access control matrix (Chapter 6). The access control matrix defines, for each user role, which critical information assets in the application the role may reach and what level of access (view, create, edit, delete) the role has to each of them. Any combination of role, asset, and action that does not appear in the matrix should be denied by default.
Authorization should be performed by a single, centralized resource located on the server side. That resource controls the pages and actions that users are authorized to perform, based on the roles defined in the application. Checks scattered across individual pages, or performed in client-side code, are easily omitted or bypassed, which is why the decision is centralized.
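One way to combine the two practices, an access control matrix and a single server-side enforcement point, as an added example (not code from the book): a servlet filter that maps each request to an asset and an action and asks the matrix whether any of the user's roles permits it. The roles, assets, and URL prefixes are invented for illustration, and the roles are assumed to have been placed in the session attribute `roles` at login.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Centralized, default-deny authorization driven by an access control matrix (added example). */
public final class AuthorizationFilter implements Filter {

    // Illustrative roles, assets and actions; a real application takes these from Chapter 6's matrix.
    public enum Role { CUSTOMER, SUPPORT_AGENT, ADMIN }
    public enum Asset { CATALOGUE, ORDERS, USER_ACCOUNTS, AUDIT_LOG }
    public enum Action { VIEW, CREATE, EDIT, DELETE }

    /** role -> asset -> permitted actions. Absence means denial. */
    private static final Map<Role, Map<Asset, Set<Action>>> MATRIX = new EnumMap<>(Role.class);
    /** Request path prefix (relative to the context path) -> asset it operates on. */
    private static final Map<String, Asset> PATH_TO_ASSET = new LinkedHashMap<>();

    static {
        grant(Role.CUSTOMER, Asset.CATALOGUE, Action.VIEW);
        grant(Role.CUSTOMER, Asset.ORDERS, Action.VIEW, Action.CREATE);
        grant(Role.SUPPORT_AGENT, Asset.CATALOGUE, Action.VIEW);
        grant(Role.SUPPORT_AGENT, Asset.ORDERS, Action.VIEW, Action.EDIT);
        grant(Role.ADMIN, Asset.USER_ACCOUNTS, Action.VIEW, Action.CREATE, Action.EDIT, Action.DELETE);
        grant(Role.ADMIN, Asset.AUDIT_LOG, Action.VIEW);

        PATH_TO_ASSET.put("/catalogue/", Asset.CATALOGUE);
        PATH_TO_ASSET.put("/orders/", Asset.ORDERS);
        PATH_TO_ASSET.put("/admin/users/", Asset.USER_ACCOUNTS);
        PATH_TO_ASSET.put("/admin/audit/", Asset.AUDIT_LOG);
    }

    private static void grant(Role role, Asset asset, Action... actions) {
        MATRIX.computeIfAbsent(role, r -> new EnumMap<>(Asset.class))
              .computeIfAbsent(asset, a -> EnumSet.noneOf(Action.class))
              .addAll(Arrays.asList(actions));
    }

    /** The single decision point: true only if some role explicitly grants the action. */
    public static boolean isAllowed(Set<Role> roles, Asset asset, Action action) {
        for (Role role : roles) {
            Set<Action> allowed = MATRIX.getOrDefault(role, Collections.emptyMap()).get(asset);
            if (allowed != null && allowed.contains(action)) {
                return true;
            }
        }
        return false;
    }

    /** HTTP method -> action; unknown methods map to null and are denied. */
    static Action actionFor(String method) {
        switch (method) {
            case "GET": case "HEAD": return Action.VIEW;
            case "POST":             return Action.CREATE;
            case "PUT":  case "PATCH": return Action.EDIT;
            case "DELETE":           return Action.DELETE;
            default:                 return null;
        }
    }

    static Asset assetFor(String path) {
        for (Map.Entry<String, Asset> entry : PATH_TO_ASSET.entrySet()) {
            if (path.startsWith(entry.getKey())) {
                return entry.getValue();
            }
        }
        return null; // unmapped paths are denied rather than silently allowed
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        Set<Role> roles = session == null ? null : (Set<Role>) session.getAttribute("roles");
        if (roles == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String path = request.getRequestURI().substring(request.getContextPath().length());
        Asset asset = assetFor(path);
        Action action = actionFor(request.getMethod());
        if (asset == null || action == null || !isAllowed(roles, asset, action)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter is mapped to `/*` so that no page can forget the check. It answers the role-level question only: whether a customer may view the particular order they requested (as opposed to another customer's) is an object-ownership check that still belongs in the handler, and the prefix matching should be applied to the same normalized path the container dispatches on.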
7.2.5 Other Best Practices
Apart from secure authentication, authorization, and session management systems for a Web application, there are some other considerations that are to be looked into while developing a secure access control mechanism for a Web application. They are as follows:
Cross-site request forgery, or CSRF, is a devastating attack against Web applications. It relies on the fact that a vulnerable Web application accepts requests submitted by the victim's browser on behalf of the legitimate user: the browser attaches the user's session cookie automatically, even when the request was triggered by a page the attacker controls. The attacker, through a phishing attack or any other social engineering attack, causes such a request to be sent to the Web application, where it performs an action or forces a state change in the context of the logged-in user. The standard protection against CSRF is to require a request token on every state-changing request. Request tokens are unique, cryptographically random strings that are placed in hidden form field values and so become part of every request the user makes to the application. These tokens must be an attribute of the user's session, so that they can be effectively tracked as part of the session and verified by comparing the session attribute with the value passed to the server from the hidden form field; a request whose token is missing or does not match is rejected. Because the token is tied to the session, it should be regenerated whenever the session identifier is.
Security during transmission is an important consideration, as sensitive information is passed over the Internet and is susceptible to eavesdropping and man-in-the-middle attacks, where an attacker sniffing network traffic can obtain usernames, passwords, session identifiers, and other sensitive information passed to the Web application for authentication. Encryption of information during transmission is a key security requirement to ensure that users of the application are protected against such attacks. Transport encryption is provided by serving the application over HTTPS, using SSL/TLS with a certificate issued for the site; the login form itself, not only its submission, must be served over HTTPS, or an attacker can alter the form before the credentials are sent. Chapter 8 dives deep into encryption of information in transit.
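The server-side check that the transport is actually encrypted, as an added example (not from the book): a filter that refuses to process anything over plain HTTP, redirects browsers to the HTTPS equivalent, and sets the HSTS header so that later visits start on HTTPS. The `canonicalHost` init parameter is an assumption; it is used instead of the incoming Host header so that the redirect target cannot be steered by the client.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Enforces HTTPS for every request and advertises HSTS (added example). */
public final class HttpsEnforcementFilter implements Filter {

    /** Host name used in redirects; configured, never taken from the request (assumed init-param). */
    private String canonicalHost;

    @Override
    public void init(FilterConfig config) throws ServletException {
        canonicalHost = config.getInitParameter("canonicalHost");
        if (canonicalHost == null || canonicalHost.isEmpty()) {
            throw new ServletException("canonicalHost init-param is required");
        }
    }

    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            String method = request.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method)) {
                // Safe to replay over HTTPS: send the browser to the same path on the canonical host.
                String query = request.getQueryString();
                String target = "https://" + canonicalHost + request.getRequestURI()
                        + (query == null ? "" : "?" + query);
                response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
                response.setHeader("Location", target);
            } else {
                // A POST over plain HTTP has already exposed its body; do not
                // redirect (the body would be dropped anyway), just refuse it.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            }
            return;
        }

        // Tell browsers to use HTTPS directly for the next year, including subdomains.
        response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        chain.doFilter(req, res);
    }
}
```

When TLS is terminated at a load balancer or reverse proxy, `request.isSecure()` reports the plain-HTTP hop between the proxy and the container unless the container is configured to trust the proxy's forwarded-protocol header; without that configuration every request looks insecure and the filter redirects in a loop. Session cookies should additionally be marked Secure (and HttpOnly) so the browser never sends them over HTTP in the first place.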