NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
8-1
8 Security Considerations
This chapter discusses security considerations to secure data transfer from a web
browser to the web server. The process includes validating a user, verifying whether a
user has access to a particular web resource, and preventing malicious code from
disrupting the NSJSP servlet container.
This chapter includes the following topics:
Securing Web Applications
Establishing a Secure Link
Authenticating a User
Authorizing a User
Validating the Sender
Java Security Manager
Manager Web Application and NSJSP Manager Security
Securing Web Applications
When data flows between a web browser and a web server, and the link established
between the web browser and the web server is not secure, the link is susceptible to
attacks that can lead to data theft. Configuring a secure link between the web browser
and the web server ensures that the data flow is encrypted and provides authentication
mechanisms using certificates. For more information about the secure link that can be
established between a web browser and a web server, see Establishing a Secure Link
on page 8-2.
When the link between the web browser and the web server is secured, the next level
of security is to authenticate users who access the web applications. For more
information about the various methods that NSJSP uses to authenticate a user, see
Authenticating a User on page 8-3.
When the user is authenticated, a web application performs various checks to ensure
that the user is authorized to access the requested web resource. For more information
about authorization, see Authorizing a User on page 8-29.
NSJSP provides certain security features to prevent malicious or erroneous code (such
as a JSP that invokes System.exit()) from affecting the NSJSP container. For more
information about how the Java Security Manager prevents such code from being
executed, see Java Security Manager on page 8-35.
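The following stand-alone program is an added illustration of the mechanism described above and is not part of the NSJSP guide or product: a Java SecurityManager installed by the container intercepts System.exit() from untrusted page code, so a request fails with a SecurityException instead of stopping the JVM. The class names and the no-policy-file manager subclass are assumptions made for the demonstration; the real container uses a policy file rather than a custom subclass.

```java
// Added example (not from the NSJSP guide): a SecurityManager vetoes System.exit()
// so a misbehaving page cannot shut down the servlet container's JVM.
// Java 18 and later need: java -Djava.security.manager=allow ExitGuardDemo
// (SecurityManager is deprecated in recent JDKs but still functional with that flag).
public class ExitGuardDemo {

    /** Hypothetical manager that refuses JVM exit regardless of any policy file. */
    static final class NoExitSecurityManager extends SecurityManager {
        @Override
        public void checkExit(int status) {
            // Runtime.exit() calls this hook before halting the JVM.
            throw new SecurityException("System.exit(" + status + ") is not permitted");
        }
        // Allow everything else so the demo runs without a policy file.
        @Override
        public void checkPermission(java.security.Permission perm) { }
        @Override
        public void checkPermission(java.security.Permission perm, Object ctx) { }
    }

    /** Stands in for an erroneous JSP that tries to stop the JVM. */
    static void misbehavingPage() {
        System.exit(1);
    }

    /** Simulates the container dispatching a request to that page. */
    static boolean dispatch() {
        try {
            misbehavingPage();
            return false; // not reached: without a manager the JVM would already be gone
        } catch (SecurityException e) {
            // The container records the failure and keeps serving other requests.
            System.err.println("request failed: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoExitSecurityManager());
        boolean survived = dispatch();
        System.out.println("container still running: " + survived);
    }
}
```

Without the manager installed, the same call to misbehavingPage() terminates the process, which is the failure the NSJSP Java Security Manager is configured to prevent.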
In addition to these various methods of securing web applications, this chapter also
discusses other security features that can filter (allow or prevent) requests originating
from a specific host or with a specified URL pattern. For more information on these
security features, see Validating the Sender on page 8-33.