Transcript ppt

Web Application Security
Representation and Management
of Data on the Web
Problem
• Want to restrict access to certain web pages
• Must answer the following questions
– which pages should be restricted?
– who should access restricted pages?
– how should users be authenticated?
• Other issues (not discussed here): encrypting data in transit
Declarative Security
• Use web server specific mechanisms to solve
problems above
• Advantage: JSP and Scriptlets do not have to
do anything special
• Disadvantage: Server specific process
• Disadvantage: All or nothing security, i.e., a user can either see a page or not see it. Page content is not dependent on the user.
Programmatic Security
• Write code to authenticate/restrict
users
• Advantage: Not server specific
• Advantage: Very flexible
• Disadvantage: A lot of work to program, and all servlets and JSP pages have to cooperate for this to work
Declarative Security: BASIC
1. Set up usernames, passwords, and roles.
2. Tell the server that you are using BASIC
authentication. Designate the realm
name.
3. Specify which URLs should be password
protected.
4. Turn off the invoker servlet.
1. Defining Usernames, Passwords, and Roles
• Define users, passwords and roles in file:
tomcat_home/conf/tomcat-users.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<tomcat-users>
<user name="snoopy" password="ypoons"
roles="special" />
<user name="charlieb" password="beilrahc"
roles="special, admin" />
</tomcat-users>
2. Tell the Server to use BASIC Security
• Add to web.xml file in
tomcat_home/webapps/appname/WEB-INF
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Some Name</realm-name>
</login-config>
3. Specify URLs to be Protected
• Add to web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Sensitive</web-resource-name>
<url-pattern>/sensitive/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>special</role-name>
</auth-constraint>
</security-constraint>
4. Disable Invoker Servlet
• You protect certain URLs that are associated with registered servlet or JSP names.
• The http://host/prefix/servlet/Name format of default servlet URLs will probably not match the protected pattern. Thus, the security restrictions are bypassed when the default URLs are used to reach the same servlet.
• You can disable such URLs (details omitted)
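As an added example (not from the slides), a small Python check that parses a web.xml and reports which request paths are reached without any login-requiring security-constraint. The web.xml fragment is constructed for this example: it contains the /sensitive/* constraint from step 3 plus a hypothetical servlet named Report that is also reachable through an invoker-style /servlet/* mapping, which is exactly the gap step 4 warns about.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for the example (not a real deployment descriptor).
WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>Report</servlet-name>
    <url-pattern>/sensitive/report</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sensitive</web-resource-name>
      <url-pattern>/sensitive/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>special</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def children(el, name):
    """Descendants of el with the given local tag name (ignores any xmlns prefix)."""
    return [c for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name]

def pattern_matches(pattern, path):
    """Servlet-spec URL pattern matching: exact, path prefix '/x/*', extension '*.ext', default '/'."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def constrained_patterns(web_xml):
    """url-patterns of every security-constraint that actually carries an auth-constraint."""
    patterns = []
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        if not children(sc, "auth-constraint"):
            continue  # no auth-constraint means no login is required for that collection
        patterns.extend(p.text.strip() for p in children(sc, "url-pattern"))
    return patterns

def unprotected(web_xml, paths):
    """Request paths that no login-requiring constraint covers."""
    pats = constrained_patterns(web_xml)
    return [p for p in paths if not any(pattern_matches(pat, p) for pat in pats)]

if __name__ == "__main__":
    for p in unprotected(WEB_XML, ["/sensitive/report", "/servlet/Report", "/index.jsp"]):
        print("no auth-constraint covers", p)
```

Running it lists /servlet/Report (the invoker route to the same servlet) and /index.jsp as reachable without authentication; only the first is a problem, which is why every alternate route to a protected servlet must either be covered by a pattern or disabled.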
Declarative Security: FORM
• Instead of a dialog box, you can create a
form for validating users
• You can also create your own error page
Add to web.xml
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/admin/login.jsp
</form-login-page>
<form-error-page>/admin/login-error.jsp
</form-error-page>
</form-login-config>
</login-config>
…
Create Login Page
<BODY>
<TABLE BORDER=5 ALIGN="CENTER">
<TR><TH CLASS="TITLE">Log In</TH></TR>
</TABLE>
<H3>Sorry, you must log in before
accessing this resource.</H3>
<FORM ACTION="j_security_check" METHOD="POST">
<TABLE>
<TR><TD>User name:</TD>
<TD><INPUT TYPE="TEXT" NAME="j_username"></TD></TR>
<TR><TD>Password:</TD>
<TD><INPUT TYPE="PASSWORD" NAME="j_password"></TD></TR>
<TR><TH COLSPAN=2><INPUT TYPE="SUBMIT" VALUE="Log In"></TH></TR>
</TABLE>
</FORM></BODY></HTML>
Create Error Page
<BODY>
<TABLE BORDER=5 ALIGN="CENTER">
<TR><TH CLASS="TITLE">Begone!</TH></TR>
</TABLE>
<H3>Begone, ye unauthorized peon.</H3>
</BODY>
</HTML>
Adding Some Programmatic Security
• So far, all or nothing:
– can see page or
– can't see page
• Allow page content to be dependent on the authorization of the user
• Use the method isUserInRole of HttpServletRequest
Example
• Suppose that a page requires authorized access
• Both the employee role and the executive role can access the page
• Put in the page (only users in the executive role see the guarded content):
<% if (request.isUserInRole("executive")) { %>
Something regular employees should not see
<% } %>