Reading Notes for Chapter 12, Head First Servlets and JSP

Table of Contents

617 Keep it secret, keep it safe
618 Objectives
619 The Bad Guys are everywhere
620 And it's not just the SERVER that gets hurt...
621 The Big 4 in servlet security
622 A little security story
623 A little security story [upside-down]
624 How to Authenticate in HTTP World: the beginning of a secure transaction
625 A slightly closer look at how the Container does Authentication and Authorization
626 How did the Container do that?
627 Keep security out of the code!
628 Who implements security in a web app?
629 There are no Dumb Questions (about security)
630 The Big Jobs in servlet security
631 Just enough Authentication to discuss Authorization
632 Authorization Step 1: defining roles
633 Authorization Step 2: defining resource/method constraints
634 The <security-constraint> rules for <web-resource-collection> elements
635a Constraints are not at the RESOURCE level. Constraints are at the HTTP REQUEST level.
635b If you specify an <http-method> element, all the HTTP methods you do NOT specify are UNconstrained!
636 Picky <security-constraint> rules for <auth-constraint> sub-elements
637 The way <auth-constraint> works
638 How multiple <security-constraint> elements interact
639 Dueling <auth-constraint> elements
640 There are no dumb questions (about <auth-constraint> and roles)
641a Alice's recipe servlet, a story about programmatic security...
641b Sharpen your pencil: Security
642 Customizing methods: isUserInRole()
643 The declarative side of programmatic security
644 Sharpen your pencil: <security-constraint>
645 Authentication revisited: The FOUR authentication types
646 Implementing Authentication
647 Form-Based Authentication
648 Summary of Authentication types
649 She doesn't know about J2EE's "protected transport layer connection"
650 Securing data in transit: HTTPS to the rescue
651 Sharpen your pencil: Security of requests/responses (no answers given)
652 How to implement data confidentiality and integrity sparingly and declaratively
653 Protecting the request data
654 Unauthorized client requests a constrained resource that has NO transport guarantee
655 Unauthorized client requests a constrained resource that has a CONFIDENTIALITY transport guarantee
656a To [secure user's login info]..., put a transport guarantee on EVERY constrained resource that could trigger the login process!
656b There are no Dumb Questions (about HTTPS)
657 Sharpen your pencil <security-constraint> in the DD
658 Sharpen your pencil (security goals, and the DD)
659 Sharpen your pencil ANSWERS (from p. 657)
660 Sharpen your pencil ANSWERS (from p. 658)
661 Sharpen your pencil ANSWERS (from p. 644)
662 Coffee Cram Q1 Q2
663 Coffee Cram Q3 Q4 Q5
664 Coffee Cram Q6 Q7 Q8 Q9
665 Coffee Cram Answers Q1 Q2
666 Coffee Cram Answers Q3 Q4 Q5
667 Coffee Cram Answers Q6 Q7 Q8 Q9

p617 Keep it secret, keep it safe

@@@

p618 Objectives

@@@

p619 The Bad Guys are everywhere

@@@

p620 And it's not just the SERVER that gets hurt...

@@@

p621 The Big 4 in servlet security

@@@

p622 A little security story

@@@

p623 A little security story [upside-down]

@@@

p624 How to Authenticate in HTTP World: the beginning of a secure transaction

@@@

p625 A slightly closer look at how the Container does Authentication and Authorization

@@@

p626 How did the Container do that?

@@@

p627 Keep security out of the code!

@@@

p628 Who implements security in a web app?

@@@

p629 There are no Dumb Questions (about security)

@@@

p630 The Big Jobs in servlet security

@@@

p631 Just enough Authentication to discuss Authorization

@@@

p632 Authorization Step 1: defining roles

Check the unconfirmed errata for this page!

@@@

p633 Authorization Step 2: defining resource/method constraints

@@@

p634 The <security-constraint> rules for <web-resource-collection> elements

@@@

p635a Constraints are not at the RESOURCE level. Constraints are at the HTTP REQUEST level.

@@@

p635b If you specify an <http-method> element, all the HTTP methods you do NOT specify are UNconstrained!

@@@

p636 Picky <security-constraint> rules for <auth-constraint> sub-elements

@@@

p637 The way <auth-constraint> works

@@@

p638 How multiple <security-constraint> elements interact

Check the unconfirmed errata for this page!

@@@

p639 Dueling <auth-constraint> elements

@@@

p640 There are no dumb questions (about <auth-constraint> and roles)

@@@

p641a Alice's recipe servlet, a story about programmatic security...

@@@

p641b Sharpen your pencil: Security

@@@

p642 Customizing methods: isUserInRole()

@@@

p643 The declarative side of programmatic security

@@@

p644 Sharpen your pencil: <security-constraint>

@@@

p645 Authentication revisited: The FOUR authentication types

@@@

p646 Implementing Authentication

@@@

p647 Form-Based Authentication

@@@

p648 Summary of Authentication types

@@@

p649 She doesn't know about J2EE's "protected transport layer connection"

@@@

p650 Securing data in transit: HTTPS to the rescue

@@@

p651 Sharpen your pencil: Security of requests/responses (no answers given)

@@@

p652 How to implement data confidentiality and integrity sparingly and declaratively

@@@

p653 Protecting the request data

@@@

p654 Unauthorized client requests a constrained resource that has NO transport guarantee

@@@

p655 Unauthorized client requests a constrained resource that has a CONFIDENTIALITY transport guarantee

@@@

p656a To [secure user's login info]..., put a transport guarantee on EVERY constrained resource that could trigger the login process!

@@@

p656b There are no Dumb Questions (about HTTPS)

@@@

p657 Sharpen your pencil <security-constraint> in the DD

@@@

p658 Sharpen your pencil (security goals, and the DD)

@@@

p659 Sharpen your pencil ANSWERS (from p. 657)

@@@

p660 Sharpen your pencil ANSWERS (from p. 658)

@@@

p661 Sharpen your pencil ANSWERS (from p. 644)

@@@

p662 Coffee Cram Q1 Q2

@@@

p663 Coffee Cram Q3 Q4 Q5

@@@

p664 Coffee Cram Q6 Q7 Q8 Q9

@@@

p665 Coffee Cram Answers Q1 Q2

@@@

p666 Coffee Cram Answers Q3 Q4 Q5

@@@

p667 Coffee Cram Answers Q6 Q7 Q8 Q9

@@@


End of CISC474 reading notes for HFSJ, Chapter 12
