Computer System Security (CSS)
LAB 03 - Authentication: Registration
Meisam Eslahi
[email protected]
Disclaimer:
• This document is produced for internal student use and may be printed for
internal reference.
• All notes and images may be used for internal education only.
• No part of this document may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying, recording,
or by any information storage and retrieval system, without written
permission from the original publisher.
Objective:
The objective of this lab is to understand the importance of authentication
by implementing a simple registration form. At the end of this lab the students will
be familiar with registration threats (e.g. bot activity) and countermeasures.
Tools:
This lab requires:
1. Java Development Kit (JDK)
2. NetBeans IDE.
3. MS SQL Server 2012
1. Introduction:
The multithreading approach was employed in LAB 2 to provide parallel
operations (send/receive) for both client and server. However, the main challenge
is that currently there is no way for the server to authenticate the users on the client side.
Therefore, an authentication mechanism must be designed and implemented for
our chat system to help the server to:
a) Specify which user is logged in to the client at any given moment
b) Specify what resources they can access
c) Specify what operations they can perform
In order to implement our authentication mechanism and ACL, the users must be
registered in the system first.
2. Create Database
We assume that Microsoft SQL Server has been installed on the system.
Therefore, we can simply create our database and tables as follows:
1- Open MS SQL Server Management Studio.
2- Right-click on Databases and select New Database.
3- Give a name to your database (e.g. CSS) and click on OK.
4- Expand the database you just created and select Tables.
5- Right-click on Tables and select New Table.
6- Define the fields and data types as follows (the columns used by the
registration form later in this lab are ID, F_name, L_name, username, password and role):
7- Right-click on the ID field and set it as the primary key.
8- Select ID again and expand Identity Specification in the column
properties.
9- Change the "Is Identity" value to Yes, so that SQL Server assigns the ID automatically.
10- Right-click on the table tab and select Save Table.
11- Enter users as the table name.
3. Registration Form prerequisites
1. Create a form in Java and add the elements as follows:
The first step is to connect our application to the
database. Therefore we need to install the JDBC driver
first.
JDBC is a programming interface that lets a Java application send SQL queries
and update commands to a database. The first thing to do, of course, is to install
the JDBC driver.
1. Download JDBC for MS SQL server from the link below:
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774
2. Unzip the downloaded file.
Microsoft's JDBC driver package contains two JAR class libraries: one supports
JDBC 3.0 for use with JRE version 5, and the other supports JDBC 4.0 for JRE 6.
The latter, sqljdbc4.jar, is used in this tutorial to build database connections.
3. Open the project properties and select libraries.
4. Add sqljdbc4.jar to the project compile-time libraries.
4. Database Connection
The simplest approach to creating a connection to a SQL Server database is
to load the JDBC driver and then ask the DriverManager for a connection.
1. Register the JDBC driver (with sqljdbc4.jar, a JDBC 4.0 driver, on the classpath the driver registers itself automatically, so this call is optional but harmless):
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
Once the driver is loaded, we can establish a
connection by using the getConnection method of
the DriverManager class.
2. Establish the connection. The Microsoft driver expects a URL of the form shown below; the angle-bracketed parts are placeholders for the server address, database name and credentials:
Connection conn = DriverManager.getConnection("jdbc:sqlserver://<sqlserver address>:1433;databaseName=<database>;user=<user>;password=<password>");
3. Create a Statement object from our connection to submit queries to the database:
Now everything is ready to add a new user to the
database.
5. Register a User
1. Define variables for the user's data:
2. Double-click on the button and assign the form fields to the variables.
3. Generate an INSERT INTO query to insert the user into the database.
4. Run the application, fill in the fields and submit.
5. Once you submit, a query is generated as follows:
INSERT INTO users (F_name,L_name,username,password,role) VALUES
('meisam','eslahi','mse','123','Admin')
6. Open SQL Server and check your table.
MMMM!!! What makes you that happy? There are
several security issues with your application.
List the security issues with the registration application
and submit them by next class.
Example:
Issue: the "least privilege" principle is not considered.
Impact: any user can register as an Admin!
Possible countermeasure: all users must be registered with the role user; later the DB
administrator can change the role to Admin.