08 - Introduction To Servers and Security - Slides

This document discusses web application servers and security. It describes common web development platforms like ASP.NET, J2EE, and PHP. It also discusses popular web servers like IIS and Apache, noting that IIS is required for ASP.NET. The document then covers the basics of how web servers handle requests from browsers to serve dynamic content. Finally, it outlines some key aspects of web application security like authentication, authorization, and using different access levels for anonymous, registered, and administrative users.
CT050-3-2 Web Applications

Introduction to Servers and Security


Web Application

CT050-3-2-WAPP Introduction to Servers and Security


Common Platform Stacks



Web Development Platforms



ASP.NET vs. J2EE vs. PHP

• All are excellent choices for Web Application Development
• J2EE has a proven track record over years of being scalable and reliable
• J2EE and PHP available on multiple platforms
  – Greater choice of hardware & software solutions
  – Makes support more complicated due to permutations
• ASP.NET is available on Microsoft Systems
  – Limiting hardware and software choices
  – Makes support easier



Web Servers

• A web server is a software application that manages web pages
  – The hardware on which the web server runs is often referred to as a web server also
• Makes web resources available over a network
  – Resources such as HTML, ASPX, JPEG, GIF
  – Local Intranet
  – Shared Extranet
  – Public Internet



Web Servers

• Over the public Internet, browser and web server are on separate machines
• In a local environment, it is possible for the web server and browser to be on the same hardware
  – Not always in development groups
  – Shared internal server



Web Servers

• Web servers make resources available
  – Regardless of setup
  – Local machines may only allow local access
  – Principle remains the same
• There are many popular web servers available, including but not limited to:
  – Microsoft Internet Information Services (IIS)
  – Apache / Tomcat
• Focus is on Microsoft servers as it is a requirement of ASP.NET (all versions)



Internet Information Services

• Heavy duty web server
  – Available on Windows OS (including Windows Server)
• Requires the .NET Framework to run ASP.NET applications
• Stores ASPX and related files, compiling when necessary and serving them to browsers





Requesting Documents

• We mainly focus on dynamic web applications
• The static request / response model is useful to know
• Consists of a basic request / response using plain text and other resources (JPEG, GIF etc.)

Static request / response (figure: Server and Client):
1. HTML files are created and stored (Server)
2. User requests page (Client)
3. Locate page and create HTML stream. Send to client. (Server)
4. Browser renders the HTML (Client)



Requesting Documents

• Dynamic content delivery includes additional stages
• ASP.NET includes a compilation check and execution

Dynamic request / response (figure: Server and Client):
1. Web author creates ASPX files and other application logic. (Server)
2. User requests page with a browser, request is passed to the server (Client)
3. Web server locates, compiles if necessary, and executes code (Server)
4. Web server creates a stream of HTML (Server)
5. Web server sends HTML stream to browser (Server)
6. Browser renders the HTML (Client)



Web Servers - Applications

• All code is executed on the server
  – HTML stream is returned to the browser
• Code is compiled when needed
  – Change in source code
  – Refresh prompted by server admin
• Compiled code is faster than previous ASP incarnations
  – Classic ASP interprets code on each request
  – ASP.NET compiles code on first use
  – Compiled code does not require interpreting
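As an added illustration (not code from the slides), the following Python models the "compile on first use, recompile only when the source changes, or when an admin forces a refresh" behaviour described above, using a cache keyed on a hash of each page's source. The page store, the page contents and the `serve`, `refresh` and `compile_count` functions are all constructed for this example.

```python
import hashlib
from types import CodeType
from typing import Dict, Tuple

# Constructed stand-in for the ASPX files on disk: path -> page source.
# Each "page" is a tiny Python snippet that assigns its HTML to `html`.
PAGES: Dict[str, str] = {
    "/index.aspx": "html = '<h1>Hello, ' + user + '</h1>'",
    "/about.aspx": "html = '<p>About us</p>'",
}

# Compiled-code cache: path -> (sha256 of the source it was built from, code object)
_compiled: Dict[str, Tuple[str, CodeType]] = {}
_stats = {"compiles": 0}

def compile_count() -> int:
    """How many times the 'compiler' actually ran (lets you observe cache hits)."""
    return _stats["compiles"]

def refresh() -> None:
    """Admin-prompted refresh: drop everything so the next request recompiles."""
    _compiled.clear()

def _compile_page(path: str, source: str) -> CodeType:
    """Compile on first use; reuse while the source is unchanged (ASP.NET-style)."""
    digest = hashlib.sha256(source.encode()).hexdigest()
    cached = _compiled.get(path)
    if cached is not None and cached[0] == digest:
        return cached[1]                      # cache hit: no recompilation
    code = compile(source, path, "exec")      # classic ASP would redo this every request
    _stats["compiles"] += 1
    _compiled[path] = (digest, code)
    return code

def serve(path: str, user: str = "anonymous") -> str:
    """Steps 3-5 of the dynamic flow: locate, compile if necessary, execute, return HTML."""
    source = PAGES.get(path)
    if source is None:
        return "404 Not Found"
    scope = {"user": user}
    exec(_compile_page(path, source), scope)  # page source is author-written, trusted code
    return scope["html"]
```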



Web Application Security

• Web Applications
– Tend to keep sensitive data
– Financial, personal
• Web Applications must consider security
– Hardware – Physical location, Access
– Network – Firewalls, Proxy, DNS
– Application Level – Security Model
• Authentication
• Authorisation



Security Model

• The idea of user level security is very simple
  – Grant access to groups of users on your site
  – No need to give them access to everything
• Many sites on the web today utilise a levelled user security model
  – Anonymous users
  – Registered users
  – Administrators



Anonymous Users

• Users that do not have to divulge anything about themselves
• Controlling access to resources is useful
  – Business model – E.g. news subscription
  – Resource use – keep network fast for subscribers
  – Protect sensitive / secret info
• It is not prudent to always deny access to anonymous users
  – Many commercial sites allow anonymous users to browse products and create a shopping cart
  – Anonymous users must ‘register’ to purchase the items



Registered Users

• Allow you to develop a level of trust with the user
  – Not complete trust though
  – Information and credit card details
• Necessary for doing business
• Registration could be performed in a number of ways
  – Depends on the application
  – Music video subscriptions may require credit card details on sign up or merely personal details at first



Administrators

• Depending on security model
  – Have freedom or authority to do anything they like within the boundaries of the system
  – Have the ability to modify global data
    • Add/Edit/Update products for example
  – Manage user accounts
• Administrative functions do not have to be all encompassing
  – Admin of online-banking system should not be able to adjust account balances
    • Out of the realms of the job



Security Model – ASP.NET

• ASP.NET separates the process into two parts
  – Authentication
  – Authorisation



Authentication vs. Authorisation

Authentication: Who are you?
Authorisation: Can you do that?



Authentication

• A process that checks if a user is who they say they are
• May involve a username and password
• Secret question / answer
• Details submitted need to be checked against a functional and valid authority
  – Database
  – Domain server



Authorisation

• The process of granting and giving the user access to the resources that they are permitted to have
• Authorisation at times can involve authentication, in that a system may first verify who you say you are before you can prove you can access what you claim you can access.
• This does not make the two terms synonymous, however.
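The following Python is added here as an example and is not taken from the slides. It puts the two halves of the ASP.NET-style model side by side: `authenticate` answers "who are you?" against a constructed user store standing in for the database or domain server authority, and `authorise` answers "can you do that?" from a levelled permission table for anonymous, registered and admin users in which the admin role can manage products and accounts but, as in the online-banking example, cannot adjust balances. All users, role names and permissions are constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set

def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    roles: Set[str]

# Constructed user store standing in for the slides' "database / domain server" authority.
USERS: Dict[str, Account] = {}

def register(username: str, password: str, roles=("registered",)) -> None:
    """Registration step: an anonymous visitor becomes a registered (or admin) user."""
    salt = os.urandom(16)
    USERS[username] = Account(salt, _hash_pw(password, salt), set(roles))

def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: who are you? Returns the principal name, or None if unverified."""
    acct = USERS.get(username)
    if acct is None:
        return None
    if hmac.compare_digest(_hash_pw(password, acct.salt), acct.pw_hash):
        return username
    return None

# Levelled security model: permission -> roles allowed. 'anonymous' is the role of a
# visitor who has not authenticated. 'admin' manages products and users but, as the
# online-banking example says, cannot adjust balances: that is outside the admin job.
PERMISSIONS: Dict[str, Set[str]] = {
    "browse_products": {"anonymous", "registered", "admin"},
    "add_to_cart":     {"anonymous", "registered", "admin"},
    "purchase":        {"registered", "admin"},
    "edit_products":   {"admin"},
    "manage_users":    {"admin"},
    "adjust_balance":  set(),
}

def authorise(principal: Optional[str], permission: str) -> bool:
    """Authorisation: can you do that? A principal of None is an anonymous user."""
    allowed = PERMISSIONS.get(permission, set())   # unknown permission: deny
    if principal is None:
        return "anonymous" in allowed
    acct = USERS.get(principal)
    return acct is not None and bool(acct.roles & allowed)
```

Authentication produces a principal and authorisation consumes it, so an anonymous visitor can browse and fill a cart but has to register before `purchase` is granted, and even a verified admin is refused `adjust_balance`.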



Question and Answer Session

Q&A
