tailieunhanh - Web Security Programming I

Web Security Programming I
Building Security in from the Start

Except where otherwise noted, all portions of this work are Copyright (c) 2007 Google and are licensed under the Creative Commons Attribution License.

A Simple Web Server

To illustrate what can go wrong if we do not design for security in our web applications from the start, consider a simple web server implemented in Java. All this program does is serve documents using HTTP. We will walk through the code in the following slides.

Some Preliminaries

HTTP (HyperText Transfer Protocol): The communications protocol used to connect to servers on the Web.
• Its primary function is to establish a connection with a Web server and transmit HTML pages to the client browser or any other files required by an HTTP application.
• Addresses of Web sites begin with an http:// prefix.

Some Preliminaries

A typical HTTP request that a browser makes to a web server:

    Get / HTTP/

When the server receives this request for filename / (which means the root document on the web server), it attempts to load . It sends back:

    HTTP/ 200 OK

followed by the document contents.

SimpleWebServer: main()

    /* This method is called when the program is run from
       the command line. */
    public static void main (String argv[]) throws Exception {

        /* Create a SimpleWebServer object, and run it */
        SimpleWebServer sws = new SimpleWebServer();
        sws.run();
    }

Now we walk through the code. main() creates a SimpleWebServer object and calls its run() method. The run() method is just an infinite loop that waits for a connection from a client, and then attempts to process the request.

SimpleWebServer Object

    public class SimpleWebServer {

        /* Run the HTTP server on this TCP port. */
        private static final int PORT = 8080;

        /* The socket used to process incoming connections
           from web clients */
        private static ServerSocket dServerSocket;

        public SimpleWebServer () throws Exception {
            dServerSocket = new ServerSocket .
