
Java and Web Application Security

This course teaches software developers about common Java and web application security weaknesses and best practices to protect applications. It covers topics like the OWASP Top 10, XML security, secure coding practices, cryptography, and securing the development environment and deployment.

Java and Web application security

Course Description
This course will change the way you look at your Java code. We'll teach you the common
weaknesses and their consequences that can allow hackers to attack your system, and – more
importantly – best practices you can apply to protect yourself. We cover typical Web vulnerabilities
with a focus on how they affect Java web apps on the entire stack – from the Java runtime
environment to modern AJAX and HTML5-based frontends. In addition, we discuss the security
aspects of the Java platform itself as well as typical Java programming mistakes you need to be
aware of.

Target Audience
Software developer
Programmer

Course Objective

• Understand basic concepts of security, IT security and secure coding
• Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
• Learn about XML security
• Learn how to set up and operate the deployment environment securely
• Learn client-side vulnerabilities and secure coding practices
• Learn to use various security features of the Java development environment
• Have a practical understanding of cryptography
• Learn about typical coding mistakes and how to avoid them
• Get information about some recent vulnerabilities in the Java framework
• Get sources and further readings on secure coding practices

Course Content
Overview of Web Application Security

• Securing Web Applications
• Specifying Security Constraints
• Specifying a Web Resource Collection
• Specifying an Authorization Constraint
• Specifying a Secure Connection
• Specifying Security Constraints for Resources
• Specifying Authentication Mechanisms
• HTTP Basic Authentication
• Form-Based Authentication
• Digest Authentication
• Specifying an Authentication Mechanism in the Deployment Descriptor
• Declaring Security Roles

Using Programmatic Security with Web Applications

• Authenticating Users Programmatically
• Checking Caller Identity Programmatically
• Example Code for Programmatic Security
• Declaring and Linking Role References

Examples: Securing Web Applications

• To Set Up Your System for Running the Security Examples
• The hello2_basicauth Example: Basic Authentication with a Servlet
• Specifying Security for Basic Authentication Using Annotations
• To Run the hello2_basicauth Example
• The hello1_formauth Example: Form-Based Authentication with a JavaServer Faces Application
• Creating the Login Form and the Error Page
• Specifying Security for the Form-Based Authentication Example
• To Build, Package, and Deploy the hello1_formauth Example Using NetBeans IDE
• To Build, Package, and Deploy the hello1_formauth Example Using Ant
• To Run the hello1_formauth Example
