Downloadable code examples from books in the Web Security Topics series by Nigel Chapman and Jenny Chapman
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
AuthAndAuth
TLS
encryption
errata
lib
.gitignore
README.textile
licence.txt

README.textile

Example Code for the Web Design Topics Series

The scripts in this repository contain the code used in A Web Developer’s Guide to Secure Communication and Authentication and Authorization on the Web by Nigel Chapman and Jenny Chapman, published by MacAvon Media.

The purpose of the repository is to allow readers to download the examples from the book so they can experiment with them, and to provide starting points for their own scripts.

The scripts in this repository are provided solely for the purposes of illustrating some principles of cryptography and Web security. They are not intended for serious use in sensitive applications. We strongly recommend that you always use established libraries that provide implementations of current algorithms which are considered secure at the time of use. Neither the publisher nor the authors shall be liable for any consequence arising from the use of scripts in this book for any purpose other than illustration of general principles in the context of learning.

Pull requests will only be accepted for bugs and other errors, because we intend the repository to reflect the book as it was published. If you want to make major changes to the scripts, please fork the repository.

Errata

Notes and corrections to errors discovered after the books were published are included in the errata directory.

Dependencies

Running the examples requires Node.js.

The example application for Authentication and Authorization on the Web depends on Express and uses Node-DBI, and the openid, bcrypt and rbytes modules.

If you want to run the tests in encryption/test, you will need nodeunit.

The most convenient way to install the necessary modules and their dependencies is by using the npm package manager. If you install Node.js using its installer, npm should have been installed, otherwise, you can install npm by hand. For details about installing each module, consult the sites linked to above.

These examples were tested using Node 0.6.7 and Express 2.5.9. They should run under more recent versions.

Contents

Extensions

The lib directory contains some extensions to JavaScript’s built-in objects, which we used in the books, especially A Web Developer’s Guide to Secure Communication, to make the examples more readable. Some simple tests are included.

From the preface:

A somewhat controversial aspect of the example programs is our use of custom extensions to some of JavaScript’s built-in object prototypes. We are aware of the objections to this practice, and would not recommend its use in most production environments. However, it has allowed a significant improvement in the readability of some examples, so we feel that it is justified in this context.

If you want to use similar extensions in your own JavaScript programs, we suggest you look at the underscore.js library.

Encryption

Inside the encryption directory, you can find the scripts implementing the cryptographic algorithms from A Web Developer’s Guide to Secure Communication. Listings 1–6 in the book map to files in the lib sub-directory as follows:

Listing 1 shift-cipher.js
Listing 2 shift-cipher-stream.js
Listing 3 random-shift-cipher-stream.js
Listing 4 xor-base64-cipher-stream.js
Listing 5 transposition-cipher.js
Listing 6 feistel.js

The test sub-directory has some rudimentary tests of the modules in lib.

The examples sub-directory has some short scripts that exercise the modules in lib, and the source for the remaining listings in the book.

Listing 7 openssl-cipher.js
Listing 8 openssl-cipher-file.js
Listing 9 auto-digest.js
Listing 10 auto-hmac.js

The TLS sub-directory has the examples of simple TLS/SSL and HTTPS servers.

Listing 13 echo-plus.js
Listing 14 https.js

To run either of these examples, you will need to create a self-signed certificate and private key.

The line numbering in all the examples matches the line numbers in the listings in the book.

Authentication and Authorization Sample Application

The AuthAndAuth directory contains a rudimentary working version of the noticeboard application from Authentication and Authorization on the Web. This version incorporates all the refinements in the book, including OpenId and role-based authentication, the simpler versions we describe are not included, although you can find the code for checking admin privileges without the use of roles commented out.

You will also find the Things model used in the introduction to demonstrate the persistent objects module.

The SQLite database in the db sub-directory has all the necessary tables defined, but contains no data except for the role names and levels in the roles table. You will have to create your own users. To create the first admin user, you will need create a user and then edit the users table and set their role level appropriately. If you wish to use a table of admin users, you will need to add appropriate rows to the admins table. You safely ignore the schema_migrations table, which is an artefact of the way the database is maintained.

There are some model tests in test, but the changing nature of the Node.js platform and the test frameworks for it made it impossible to construct a stable test suite for the application while the book was being written. We will try again when these components have settled down.

To run the application, cd to the AuthAndAuth directory and type node app.js. Then go to the URL http://localhost:3030 in your browser, where you will see the login page. To set up your initial accounts, follow the link to the account creation page.

Licence

This code is intended for educational purposes and is released under the terms of the The BSD 2-Clause License. See the file licence.txt for details.