Chapter 12 Web app security
Download
Report
Transcript Chapter 12 Web app security
CHAPTER 12 WEB APP SECURITY
THE BAD GUYS ARE EVERYWHERE
As a web application developer you need to
protect your web site
There are three main kind of bad guys you need
to watch out for:
Impersonators
Upgraders
Eavesdroppers
EXAMPLE IMPERSONATOR
EXAMPLE UPGRADER
EXAMPLE EAVESDROPPER
THE BIG 4 IN SERVLET SECURITY
Servlet security boils down to four main concepts
Authentication
Authorization
Give subject access to restricted resources
Confidentiality
Verify the identity of the subject
Information is not leaked to persons who should not have
the access
Data integrity
Data is not modified illegitimately
AUTHENTICATION
AUTHORIZATION
CONFIDENTIALITY AND DATA INTEGRITY
HOW TO AUTHENTICATE IN HTTP WORLD
(BASIC AUTHENTICATION)
HOW TO AUTHENTICATE IN HTTP WORLD
(BASIC AUTHENTICATION)
CONTAINER CAN CONTROL
AUTHENTICATION AND AUTHORIZATION
In stead of coding authentication and
authorization in servlet and jsp
programmatically, container can control
authentication and authorization
Thus the application developer do not have to write
authentication and authorization logic for each
individual serlvet and jsp program
HOW DID THE CONTAINER DO THAT?
Perform a lookup on the resource being requested
Authenticate client
Find out whether the resource has security
constraints
Find out whether “Bob” really is Bob
The Container has to see whether the user, say
Bob, is allowed to access the resource
KEEP SECURITY OUT OF THE CODE
For most web app, most of the time, the web
app’s security constraints should be handled
declaratively, in the deployment descriptor
Why?
SECURITY REALM
As far as the servlet spec is concerned, a realm is
a place where authentication information is
stored
When you are testing your application in Tomcat,
you can use a file called tomcat-users.xml. This
file is the realm.
Also called memory realm because Tomcat reads this
file into memory at startup time
Disadvantage: You cannot modify the file’s content
without restarting Tomcat
ENABLING AUTHENTICATION
To get authentication working, you need to stick
something in the Deployment Descriptor.
To start using http basic authentication
AUTHORIZATION STEP 1: DEFINE ROLES
Define the roles in a vendor-specific file tomcatusers.xml
AUTHORIZATION STEP 1: DEFINE ROLES
Map the roles in the vendor-specific “users” file to roles
established in the Deployment Descriptor
AUTHORIZATION STEP 2: DEFINING
RESOURCE/HTTP METHOD CONSTRAINTS
This is where we get to specify, declaratively,
that a given resource/method combination is
accessible only by users in certain roles
THE <SECURITY-CONSTRAINT> RULES FOR
<WEB-RESOURCE-COLLECTION> ELEMENTS
The purpose of the <web-resource-collection>
sub-element is to tell the container which
resources and HTTP method combinations should
be constrained in such a way that they can be
accessed only by the roles in the corresponding
<auth-constraint> tag
USE PROGRAMMATIC SECURITY WITH
DECLARATIVE SECURITY FOR FINE-GRAINED
SECURITY CONTROL
In stead of authorizing at the HTTP method level
(GET, POST, etc.), you can customize a service
method to behave based on the user’s role
Suppose we defined the role “Manager” in the
DD, the following code customize the response to
the Manager
if (request.isUserInRole(“Manager”)){
//show info related to all employees
……
} else {
//show info only related to a particular employee
……
}
FOUR AUTHENTICATION TYPES
BASIC
Transmits the login information in an encoded (not
encrypted) form
Encoding scheme: base64
Very weak security
DIGEST
Authentication transmits the login information in a
more secure way
FOUR AUTHENTICATION TYPES
Client-CERT
The client need to have a certificate before they can
login to the system
FORM
FORM authentication lets you create your own
custom login form out of anything that is legal HTML
Form info is transmitted in the least secure way
FORM-BASED AUTHENTICATION
First, you create your own custom HTML form for the
user login
Then you create a custom HTML error page for the
Container to use
What you do:
FORM-BASED AUTHENTICATION
FORM-BASED AUTHENTICATION
SECURING DATA IN TRANSIT:HTTPS TO
THE RESCUE
We can tell a J2EE container to guarantee data
to be transmitted over a protected transport layer
connection, i.e, use HTTPS
To do that, we will use <security-constraint> for
both confidentiality and integrity by adding an
element called <user-data-constraint> in the DD
for the application
SECURING DATA IN TRANSIT:HTTPS TO
THE RESCUE
Tomcat supports HTTPS out of the box
It won’t necessarily have HTTPS configured for
your application automatically
You still need to generate or apply for a
certificate and then configure tomcat to use
HTTPS
You may refer to
http://tomcat.apache.org/tomcat-6.0-doc/sslhowto.html