Monday, July 14, 2008

Web applications Security Check List

Following a list of web security related functionalities that need to be implemented in a typical web application

  • channel processing checks - redirect certain requests automatically to https and vice versa.
  • maintain a list of urls which will automatically redirect to https
  • concurrent session checks - user is not logged in more than once
  • Http Session Integration processing - populate security context using http session, remembers prev authentication stored in session
  • Logout checks
  • Exception Translation checks - handles authentication and access denied exceptions
  • Authenication processing - delegates to authentication entry point, filter and finally manager
  • Authentication entry points and filters - http basic auth, http form based, http digest, X509 certificates, SiteMinder based
  • login form url ; force use of https ; auth failure url ; default url if target url is blank
  • Remember me checks - no need to relogin if revisiting website within http session timeout
  • Anonymous processing checks - no need to login at all for accessing some resources
  • Filter Security Interceptor - delegates to authentication manager and access decision manager
  • access decision manager associates url / resources with roles
  • Associates url / resources with roles
  • authentication manager -> Authentication Providers
  • Anonymous DAO based ; LDAP based ; Jaas based ; Remote ; X509 based

No comments: