Authentication and authorization for Web applications

Web applications need robust authentication and authorization mechanisms. Expert Ramesh Nagappan explains what measures are needed before you deploy Web apps.

I developed a Web application and I put in place some authentication and authorization methods. Each works properly on my local system. But my question is, will this setting be enough to work on the Internet? Or do I have to use some other tool or software to give authentication and authorization there?

Defining authentication and authorization mechanisms for application access doesn't guarantee end-to-end security of an application whether it resides within a local system or made accessible over a network. Authentication and authorization mechanisms just contribute to verifying the user's identity. These mechanisms confirm the user is who he or she claims to be and define what actions the user is allowed to perform after granting access to the system. In addition, you would need to ensure the confidentiality and integrity of the communication and data exchanged during the application access and also to ensure non-repudiation and accountability make sure all actions are logged and available for audit.

Software Security

  • Creating a secure login page with Java
  • How to create a secure login page using ASP.NET
  • OWASP Guide to Building Secure Web Applications and Web Services: Session Management

Prior to your application deployment, make sure that all the Web-based deployment and its security requirements of your application runtime environment (ex. J2EE or Microsoft .NET) and its target host system are addressed and made available to your application. Here is a list of best practices you must consider for your Web deployment:

  1. Minimize and harden the operating system. That is, running the Web and application server. Ensure that all unsolicited and untrusted services are disabled.
  2. Make sure the application deployed Web server or Application server resides in a DMZ (Firewall) environment. Use a stateful firewall inspection to keep track of all Web-tier transmissions and protocol sessions.
  3. Secure Web server user permissions and administrative controls with appropriate access control mechanisms and privileges. All administration tasks must be carried out in an encrypted and trusted communication.
  4. Secure all incoming and outgoing communication to the Web server using HTTP over SSL/TLS (HTTPS) protocol. Enforce strong encryption with stronger ciphers.
  5. Make sure that you don't flip back to HTTP from a HTTPS session.
  6. Disallow all direct access to the application, make sure the application resides on a server accessed via a reverse proxy or Network address translation (NAT) -based IP addresses. Use certificates for server-to-server communication.
  7. Encrypt all application specific properties accessible to the Web server and stored on local disks.
  8. Make sure to verify and validate all input and output form fields and its request/responses. Track all user sessions by identifying the user and the host destination originating the request and receiving the responses.
  9. Log and audit all user actions, security and business functions.
  10. Make sure to set session timeouts for all active sessions and also logout the user from all residual sessions after session expiry.

Dig Deeper on Topics Archive