About Question enthuware.ocejws.v6.2.244 :

Moderators: Site Manager, fjwalraven

Post Reply
rkbansal83
Posts: 33
Joined: Sat Nov 24, 2012 8:52 am
Contact:

About Question enthuware.ocejws.v6.2.244 :

Post by rkbansal83 »

I thought "HTTP basic authentication" only ensures "Authentication" security requirement.
You are just validating the user name and password, am I correct?

Can you please elaborate , how does it satisfy below requirements (if possible , please give an example)
  • Confidentiality
    Integrity
    Authorization

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by fjwalraven »

I thought "HTTP basic authentication" only ensures "Authentication" security requirement. You are just validating the user name and password, am I correct?
Correct.
Can you please elaborate , how does it satisfy below requirements (if possible , please give an example)

Confidentiality
Integrity
Authorization
That is satisfied by the second part of the problem statement: "HTTP Basic Authentication is widely used over a HTTPS transport layer. "

Regards,
Frits

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by himaiMinh »

Http basic authentication is to authenticate a user by user name and password.

WS-security is used for confidentiality (encrypt part of the message) and integrity (applied a digital signature).

HTTPS is used for confidentiality (encrypt the whole message) and integrity (the communication channel is secure between two points and it guarantees no man in the middle tamper the message.)

WS-security is a more advanced solution than HTTPS since it can encrypt part of the message. When WS-security is used, the encrypted part of the message remains encrypted when it arrives at the receiver. When HTTPS is used, the encrypted message is decrypted when it arrives at the receiver.

Analogy for HTTPS: a naked motor driver drives through a opaque tunnel. Nobody sees him naked when he is inside the tunnel. But everyone sees him naked when he is outside the tunnel. So, he is only safe inside the tunnel, but not safe outside the tunnel.
Analogy for WS-Security: a dressed motor driver drives through a tunnel (either opaque or transparent). No one sees him naked. So, he is always safe.

However, with http basic authentication over HTTPS, the receiver cannot verify the actual identity of the sender. Someone can steal your username and password to access the service.

The solution is to use client certificate to do mutual authentication. The sender and receiver authenticate each other. The client's and the server's certificates are issued by a trusted authority, such as VeriSign.
The certificates contains identity of client and server respectively.

Analogy: If you claim yourself to your employer that you are Oracle certified expert, who can believe in you? You show your employer your Oracle certificate. Your employer trusts your certificate because your employer trust Oracle (a trusted authority in this case).

rkbansal83
Posts: 33
Joined: Sat Nov 24, 2012 8:52 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by rkbansal83 »

Thanks guys , I can understand confidentiality/integrity as we are sending the message through secure medium but how does HTTPS satisfy authorization aspect ?

Also, you talked about WS-security (encrying part of message) , a more advanced way . But Some part is still in clear text , isn't that vulernable to attack ?

I am sorry If my questions sound stupid to you but since we have hardly used web servces keeping security in mind .
Can you please give me some good reference to go through web services security in detail.

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by himaiMinh »

Do you have Ivan Krizsan's version 5 study guide ? If not, sign up for a free slideshare.com account to download one. His notes is for version 5, but still helpful for version 6. His chapter 8 does a good job in explaining the difference between HTTPS vs WS-Security's message level security.

Encrypting only part of the message has an advantage when you just want to encrypt part of the message.
For example, when you shop online, you want to encrypt only your credit card number.
<order>
<Name>John Smith</Name>
<CreditCard>
<CipherData>.....</CipherData>
</CrdeitCard>
<item>
Ethuware web service mock exam software
</item>
<quantity>1</quantity>
<price>
$30
</price>
</order>
In this case, only the credit card number can be decrypted by the order processing organization, which is the ultimate receiver. There can be intermediate nodes in between the sender and receiver. Those nodes may process other functions, like handling the inventory. Those nodes only need to know what John Smith orders and what total price John Smith has to pay for. Those nodes are not supposed to know John Smith's credit card number.
Also, it is not necessary to encrypt all data in this example because data like name, item, quantity and price are not something confidential.

Regarding to HTTPS basic authentication and authorization, the basic authentication has nothing to do with authorization. Authentication is handled in a web container while authorization is handled in a EJB container. However, you can define a role who can access to a service in the EJB container. So, who belong to that role? You can define some particular users who play that role.
For example, John Smith is a customer and he is authorized to access to some inventory information. But John Smith is not an administrator, who cannot access to an inventory processing subsystem.

In the other words, if the system cannot identify who the user is, the system cannot grant the right permission to that user.

rkbansal83
Posts: 33
Joined: Sat Nov 24, 2012 8:52 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by rkbansal83 »

Thanks HimaiMinh.
As problem statement does not talk anything on roles , all it states about HTTP basic authentication and HTTPS transport protocol . So We cant be sure that "authorization" is satisfied with the problem statement in question . Am I right ?

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by fjwalraven »

When you have Basic authentication with SSL in your web application you will typically have a web.xml that looks like:

Code: Select all

<security-constraint>
		<web-resource-collection>
			<web-resource-name>Security WS</web-resource-name>
			<url-pattern>/MathTableImplService</url-pattern>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>student</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	<login-config>
		<auth-method>BASIC</auth-method>
	</login-config>
This shows that apart from the SSL requirement (CONFIDENTIAL) you will also see the Authentication (auth-constraint) enforcing authentication of the user. The Authorization part is found in the URL that is protected ("/MathTableImplService"). (fine-tuning of Authorization can be done with annotations inside the EJB's.)

Authentication and Authorization requirements both satisfied in the web.xml.

You might want to read and study the security part of the Oracle EE6 tutorial:
http://docs.oracle.com/javaee/6/tutorial/doc/gijrp.html

Regards,
Frits

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by himaiMinh »

rkbansal83 wrote:I thought "HTTP basic authentication" only ensures "Authentication" security requirement.
You are just validating the user name and password, am I correct?

Can you please elaborate , how does it satisfy below requirements (if possible , please give an example)
  • Confidentiality
    Integrity
    Authorization
I just found out that the HTTP "Authorization" header has the username:password encoded in Base64.
An example is shown here: http://en.wikipedia.org/wiki/Basic_acce ... entication
So, when a user sends his/her credentials to the server using the HTTP header, the authorization requirement is also satisfied.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by fjwalraven »

Yes, that is because Authentication (in java EE) is always enforced in a <web-resource-collection> element with a protected URL (url-pattern). You cannot enforce Authentication (<auth-constraint> element) without giving a protected url-pattern (Authorization requirement).

Regards,
Frits

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by himaiMinh »

Thanks for your reply.

Using HTTPS basic authentication, I believe the confidentiality requirement is satisfied only when the credentials and/or message is not the wire. But when the data leaves the wire and arrives the ultimate receiver, the data is decrypted and not confidential anymore.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by fjwalraven »

Correct!

sparticle
Posts: 3
Joined: Tue Sep 09, 2014 5:25 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by sparticle »

How can Non-Repudiation be the one that fails this solution when "Integrity" is allowed, they both using the same mechanism to enable their features and that is by Digital signatures.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by fjwalraven »

The key point to this is that the client is not verified is this scenario, only the server.

You might want to check How-to-achieve-non-repudiation and Mutual Authentication for more details.

sparticle
Posts: 3
Joined: Tue Sep 09, 2014 5:25 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by sparticle »

Fair enough in the context of the Author of the question there is no Third party to verify the client, but the fact remains in the question it does not state this so any assumption can be made and still be proven correct because all the facts where not layed out, i recommend you append the clause to the question as to prevent confusion and assumptions.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.244 :

Post by fjwalraven »

Fair enough in the context of the Author of the question there is no Third party to verify the client, but the fact remains in the question it does not state this
The question states that Basic Authentication is used over an HTTPS connection and therefore eliminates the possibility of using mutual Authentication (i.e. HTTPS Client Authentication) which effectively means that in this scenario the non-repudiation requirement is not met.

I am willing to add something to the question if it makes it clearer, so I am open for any suggestions.

Regards,
Frits

Post Reply

Who is online

Users browsing this forum: No registered users and 27 guests