CT050-3-2 Web Applications
Introduction to Servers and Security
Web Application
CT050-3-2-WAPP Introduction to Servers and Security
Common Platform Stacks
Web Development Platforms
ASP.NET vs. J2EE vs. PHP
• All three are sound choices for web application development
• J2EE has a proven track record over many years of being scalable and reliable
• J2EE and PHP are available on multiple platforms
– Greater choice of hardware and software solutions
– Support is more complicated because of the number of possible permutations
• ASP.NET on the .NET Framework (the edition covered in this module) is available only on Microsoft systems
– Limits hardware and software choices
– Makes support easier because there are fewer permutations to cover
Web Servers
• A web server is a software application that serves web resources in response to requests
– The hardware on which the web server runs is often referred to as a web server as well
• It makes web resources available over a network
– Resources such as HTML, ASPX, JPEG and GIF files
– Over a local intranet, a shared extranet or the public Internet
Web Servers
• Over the public Internet, the browser and the web server are on separate machines
• In a local environment, the web server and the browser can be on the same hardware
– This is not always the case in development groups
– A shared internal server is a common alternative
Web Servers
• Web servers make resources available regardless of the setup
– A local machine may be configured to allow only local access
– The principle remains the same
• There are many popular web servers available, including but not limited to:
– Microsoft Internet Information Services (IIS)
– Apache HTTP Server / Apache Tomcat
• The focus here is on Microsoft servers because ASP.NET on the .NET Framework requires Windows and IIS (the later, separate ASP.NET Core also runs on Linux and macOS, but it is not the subject of this module)
Internet Information Services
• A heavy-duty web server
– Available on Windows operating systems (including Windows Server)
• Requires the .NET Framework in order to run ASP.NET applications
• Stores ASPX and related files, compiles them when necessary, and serves the resulting HTML to browsers
Requesting Documents
• We mainly focus on dynamic web applications
• The static request / response model is still useful to know
• It consists of a basic request / response using plain text (HTML) and other resources (JPEG, GIF etc.)
• Static request flow:
1. HTML files are created and stored on the server
2. User requests a page with a browser
3. Server locates the page, creates the HTML stream and sends it to the client
4. Browser renders the HTML
Requesting Documents
• Dynamic content delivery includes additional stages
• ASP.NET includes a compilation check and an execution step
• Dynamic request flow:
1. Web author creates ASPX files and other application logic
2. User requests a page with a browser; the request is passed to the server
3. Web server locates the ASPX file, compiles it if necessary, and executes the code
4. Web server creates a stream of HTML
5. Web server sends the HTML stream to the browser
6. Browser renders the HTML
Web Servers - Applications
• All application code is executed on the server
– Only the resulting HTML stream is returned to the browser, so the source code is never sent to the client
• Code is compiled when needed
– When the source code changes
– When a recompile is triggered by the server administrator
• Compiled code is faster than previous ASP incarnations
– Classic ASP interprets the script code on every request
– ASP.NET compiles the code on first use
– Compiled code does not need to be interpreted again on subsequent requests
Web Application Security
• Web Applications
– Tend to keep sensitive data
– Financial, personal
• Web Applications must consider security
– Hardware – Physical location, Access
– Network – Firewalls, Proxy, DNS
– Application Level – Security Model
• Authentication
• Authorisation
Security Model
• The idea of user-level security is very simple
– Grant each group of users access only to the parts of the site they need
– There is no need to give any group access to everything
• Many sites on the web today use a levelled user security model
– Anonymous users
– Registered users
– Administrators
Anonymous Users
• Users who do not have to divulge anything about themselves
• Controlling their access to resources is useful
– Business model, e.g. a news subscription
– Resource use, keeping the network fast for paying subscribers
– Protecting sensitive or secret information
• It is not prudent to always deny access to anonymous users
– Many commercial sites allow anonymous users to browse products and create a shopping cart
– Anonymous users must 'register' before they can purchase the items
Registered Users
• Registration allows you to develop a level of trust with the user
– Not complete trust, though
– The user has handed over personal information and possibly credit card details, which the site must protect
• Necessary for doing business
• Registration can be performed in a number of ways
– It depends on the application
– A music video subscription may require credit card details on sign-up, or merely personal details at first
Administrators
• Depending on the security model, administrators
– Have the freedom or authority to do anything they like within the boundaries of the system
– Have the ability to modify global data, e.g. add/edit/update products
– Manage user accounts
• Administrative functions do not have to be all-encompassing
– The administrator of an online banking system should not be able to adjust account balances
– That is outside the realm of the job, so the role should not be granted that permission
Security Model – ASP.NET
• ASP.NET separates the security process into two distinct parts
– Authentication
– Authorisation
Authentication vs. Authorisation
• Authentication: Who are you?
• Authorisation: Can you do that?
Authentication
• A process that checks whether a user is who they say they are
• May involve a username and password
• May involve a secret question / answer (a weak factor on its own, since answers are often guessable or publicly known)
• The details submitted must be checked against a functional and valid authority
– A database
– A domain server
Authorisation
• The process of granting the user access to the resources that they are permitted to have, and nothing more
• Authorisation often depends on authentication: the system first verifies who you say you are, and only then decides whether you are allowed to access what you have asked for
• This does not make the two terms synonymous, however: a user can be authenticated yet still not authorised for a given action
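As an added, platform-neutral example (not the module's own code and not ASP.NET's API), the following Python separates the two steps the slides describe: `authenticate` checks submitted credentials against a constructed in-memory user store standing in for the database or domain server, and `authorise` applies the levelled anonymous / registered / administrator model, including the point from the Administrators slide that an administrator need not be able to do everything (here `adjust_balance` is granted to no role at all). The user names, passwords, role names and action names are made up for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Authentication: "who are you?"
# Constructed user store standing in for the database / domain server the
# slides mention. Passwords are stored only as salted PBKDF2-SHA256 hashes.
# Round count kept modest for the demo; tune upwards in production.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def _make_user(password: str, role: str) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "role": role}


# Hypothetical accounts for the example only.
USERS = {
    "alice": _make_user("correct horse battery staple", "registered"),
    "ops": _make_user("ops-admin-pass-2024", "admin"),
}

_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the user's role if the credentials are valid, otherwise None.

    The hash is computed even for unknown usernames so response time does not
    reveal which accounts exist, and digests are compared in constant time.
    """
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    _, candidate = hash_password(password, salt)
    if record is not None and hmac.compare_digest(candidate, record["hash"]):
        return record["role"]
    return None


# Authorisation: "can you do that?"
# Levelled model from the slides. Each role is granted an explicit set of
# actions; anything not listed is denied. "admin" manages products and user
# accounts but is deliberately NOT granted adjust_balance (least privilege).
PERMISSIONS = {
    "anonymous": {"browse_products", "add_to_cart"},
    "registered": {"browse_products", "add_to_cart", "checkout", "view_own_account"},
    "admin": {"browse_products", "manage_products", "manage_users"},
}


def authorise(role: str, action: str) -> bool:
    """Deny by default: only explicitly granted actions are allowed."""
    return action in PERMISSIONS.get(role, set())


def handle_request(action: str, username: Optional[str] = None,
                   password: Optional[str] = None) -> Tuple[Optional[str], bool]:
    """Simulate one request: authenticate if credentials were supplied, then
    authorise the action. Returns (role, allowed); role is None when the
    supplied credentials were rejected, so authorisation never runs for them.
    """
    if username is None:
        role = "anonymous"
    else:
        role = authenticate(username, password or "")
        if role is None:
            return None, False
    return role, authorise(role, action)


if __name__ == "__main__":
    print(handle_request("browse_products"))                                    # ('anonymous', True)
    print(handle_request("checkout"))                                           # ('anonymous', False)
    print(handle_request("checkout", "alice", "correct horse battery staple"))  # ('registered', True)
    print(handle_request("manage_users", "ops", "ops-admin-pass-2024"))         # ('admin', True)
    print(handle_request("adjust_balance", "ops", "ops-admin-pass-2024"))       # ('admin', False)
    print(handle_request("checkout", "alice", "wrong"))                         # (None, False)
```

The two checks are kept in separate functions on purpose: a caller that skips `authenticate` is still held to the deny-by-default permission table, and a caller that passes `authenticate` gains only the actions its role lists. Rejected credentials short-circuit before any authorisation decision, which is the "authorisation can involve authentication, but the two are not the same" point from the slide.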
Question and Answer Session
Q&A