• Check whether your server stores or validates user passwords
  • Do not transmit passwords over the network in clear text format
  • Check whether the security mechanism has provisions to create, modify, delete, and validate user passwords
  • Ensure that the client provides authentication information only after the server has provided its own authentication credential for verification
  • Check if the application ever reissues a password given to it by a client to a third-party application
  • Check if the application supports Kerberos and other authentication methods
  • Avoid allowing the application to support unauthenticated (guest) access
  • Verify whether the application uses Open Directory for all authentication
  • Implement built-in session management
  • Ensure the login page is SSL-protected
  • To prevent session fixation, invalidate the HttpSession before login. Take proper care to invalidate the session and clear all authentication-related data on logout
  • Set an appropriate session timeout to ensure that sessions are not reused by attackers
  • Ensure that forgot-password, reset-password, and Remember-Me functionality is implemented properly, as flaws there can compromise security
  • Implement multiple authentication mechanisms (such as token authentication or OTP) alongside username/password checking
  • Check the user's access privileges before accessing resources
  • Validate the URL before accepting or submitting it
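The session-handling bullets above (invalidate before login, clear authentication data on logout, set a timeout), worked through as an added example that is not part of the original module: a login servlet written against the javax.servlet API, with a constructed in-memory credential store; the class, attribute and path names are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Login handling that defeats session fixation: the session that existed before
// authentication is discarded, and a fresh one (new JSESSIONID) holds the login state.
public class LoginServlet extends HttpServlet {
    // Constructed demo credential store (username -> password). A real deployment
    // verifies against salted password hashes, never stored plaintext.
    private static final Map<String, String> DEMO_USERS = Map.of("alice", "correct horse battery staple");
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Drop any pre-existing session (its id may have been planted) before the login outcome is known.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !credentialsValid(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // New session => new identifier; authentication state is stored only here.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("authenticatedUser", user);
        fresh.setMaxInactiveInterval(15 * 60); // idle timeout in seconds
        resp.sendRedirect(req.getContextPath() + "/home");
    }
    // Logout: invalidating the session clears every attribute server-side, so nothing survives the old id.
    public static void logout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/login");
    }
    private static boolean credentialsValid(String user, String pass) {
        String expected = DEMO_USERS.get(user);
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
    }
}
```

On Servlet 3.1 and later containers, `req.changeSessionId()` rotates the identifier while keeping attributes; invalidating and recreating the session, as above, additionally guarantees that no pre-login attributes carry over.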

Module Summary

  • The main purpose of authentication is to verify a user’s access to a protected segment of the web application
  • Authentication is of two types: basic authentication and form-based authentication
  • J2EE container services provide application tiers and components with authentication and authorization facilities that identify service providers and callers
  • Authentication in a web application is role-based, i.e., a user must be assigned a role in order to access the web application, e.g., customer, developer, or manager
  • Authorization is the process that controls the access rights of principals to system resources; these include access to users, access to processes, and access to machines
  • Authorization answers "who is executing", "where the code resides", and "who owns the code"
  • Access control comprises three models: discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC)