Logon/Security Quiz
In an application that stores logon information in a cookie, the logon page should be run over HTTPS (which sends encrypted browser requests and encrypted web server responses), but other pages (e.g., those not asking users for sensitive data) can be served up through just plain HTTP.
False.
Authentication and Authorization essentially mean the same thing.
False. Authentication means "proving who you are", whereas Authorization means "are you allowed to do what you are asking" (now that we know and trust who you are).
So that a user does not have to log in every time they need to perform an authenticated operation in a secure web application, the logon page should store information about the user in a cookie.
False. Do not rely on the client side for anything that needs to be secure. Store info about the logged-on user in the server-side session object.
If you put the database password into java class DbConn, a hacker could see that password when they View Source on a web page produced by your web application.
False. Java/JSP code does not show up when you View Source on a web page. Java/JSP code is executed on the web server (e.g., by Tomcat) to generate the HTML for a web page.
<%@page contentType="application/json; charset=UTF-8" pageEncoding="UTF-8"%>
<%@page language="java" import="dbUtils.DbConn" %>
<%@page language="java" import="model.webUser.*" %>
<%@page language="java" import="com.google.gson.*" %>
<%
    StringData userStringData = new StringData(); // all fields now set to ""
    String strEmail = request.getParameter("email");
    String strPass = request.getParameter("password");
    if (strEmail == null) {
        System.out.println("bad URL parameter - need email");
        userStringData.errorMsg = "must provide email as parameter";
    } else if (strPass == null) {
        System.out.println("bad URL parameter - need password");
        userStringData.errorMsg = "must provide password as parameter";
    } else {
        DbConn dbc = new DbConn();
        // if there is a db connection error, set error message
        userStringData.errorMsg = dbc.getErr();
        if (userStringData.errorMsg.length() == 0) { // if no db error...
            userStringData = DbMods.logonFind(strEmail, strPass, dbc);
            if (userStringData.errorMsg.length() == 0) {
                session.setAttribute("user", userStringData);
            }
        }
        dbc.close();
    }
    Gson gson = new Gson();
    out.print(gson.toJson(userStringData));
%>

The JSP page has a database connection leak.
False. The DB connection is closed "at the same level" as where it was declared, so there is no DB connection leak.
<%@page contentType="application/json; charset=UTF-8" pageEncoding="UTF-8"%>
<%@page language="java" import="dbUtils.DbConn" %>
<%@page language="java" import="model.webUser.*" %>
<%@page language="java" import="com.google.gson.*" %>
<%
    StringData userStringData = new StringData(); // all fields now set to ""
    String strEmail = request.getParameter("email");
    String strPass = request.getParameter("password");
    if (strEmail == null) {
        System.out.println("bad URL parameter - need email");
        userStringData.errorMsg = "must provide email as parameter";
    } else if (strPass == null) {
        System.out.println("bad URL parameter - need password");
        userStringData.errorMsg = "must provide password as parameter";
    } else {
        DbConn dbc = new DbConn();
        // if there is a db connection error, set error message
        userStringData.errorMsg = dbc.getErr();
        if (userStringData.errorMsg.length() == 0) { // if no db error...
            userStringData = DbMods.logonFind(strEmail, strPass, dbc);
            if (userStringData.errorMsg.length() == 0) {
                session.setAttribute("user", userStringData);
            }
        }
        dbc.close();
    }
    Gson gson = new Gson();
    out.print(gson.toJson(userStringData));
%>

The logon JSP page logs a user out if they were previously logged on and made a failed attempt to log on again.
False. The code only sets userStringData into the session if logon was successful. There is no "else" clause to invalidate the session otherwise.
If you use java.sql.PreparedStatement instead of java.sql.Statement, your SQL will run faster because the SQL code in a PreparedStatement is pre-compiled (once) whereas the java.sql.Statement is compiled every time before it is executed.
True.
In order to run HTTPS, your organization has to get an HTTPS certificate to prove its identity, then it needs to specify certain admin settings for the web application.
True.
Keeping all software updated is important for ensuring the security of a web application - from network software, operating system software, and database software to web software.
True.
REST (Representational State Transfer) is a design philosophy in which a server only has its resources consumed in the act of responding to a request.
True.
Using a JSP implicit session object violates the REST design philosophy.
True.
If the JSP page below (named logonAPI.jsp) were invoked with the following URL:

http://[email protected]&pass=myPassword

What would you see in the glassfish log? (Please type exactly so you get credit.)

<%@page contentType="application/json; charset=UTF-8" pageEncoding="UTF-8"%>
<%@page language="java" import="dbUtils.DbConn" %>
<%@page language="java" import="model.webUser.*" %>
<%@page language="java" import="com.google.gson.*" %>
<%
    StringData userStringData = new StringData(); // all fields now set to ""
    String strEmail = request.getParameter("email");
    String strPass = request.getParameter("password");
    if (strEmail == null) {
        System.out.println("bad URL parameter - need email");
        userStringData.errorMsg = "must provide email as parameter";
    } else if (strPass == null) {
        System.out.println("bad URL parameter - need password");
        userStringData.errorMsg = "must provide password as parameter";
    } else {
        DbConn dbc = new DbConn();
        // if there is a db connection error, set error message
        userStringData.errorMsg = dbc.getErr();
        if (userStringData.errorMsg.length() == 0) { // if no db error...
            userStringData = DbMods.logonFind(strEmail, strPass, dbc);
            if (userStringData.errorMsg.length() == 0) {
                session.setAttribute("user", userStringData);
            }
        }
        dbc.close();
    }
    Gson gson = new Gson();
    out.print(gson.toJson(userStringData));
%>
bad URL parameter - need password

The code was looking for URL parameter "email" and found it. Then it looked for parameter "password" and did not find it (the URL supplied "pass" instead). So it did a System.out.println of "bad URL parameter - need password". The glassfish server log is where you find anything printed by System.out.println.