Java web application security

Download Report

Transcript Java web application security

Java web application security
Dr Jim Briggs
WEB2P security
What is security?
• Usually ensuring that only authorised
users can access specific parts of a
website
• Security has two basic concepts:
– authentication: who is it?
– authorisation: what can they do?
WEB2P security
Categories of security mechanism
• Container-managed (e.g. Tomcat)
– Specified as part of the Java Servlet
Specification
– However, the implementation is container
specific (and therefore not necessarily
portable between containers)
• Application-managed
– Independent of the container
– However, you have to write the code yourself
(or use some other mechanism)
WEB2P security
HTTP authentication
• HTTP provides for authentication - see RFC 2617
• Operates on a challenge/response paradigm:
–
–
–
–
Server receives a request for an access-protected object
Server responds with a "401 Unauthorized" status code
Client must then resend the request with an Authorization header
Most browsers will prompt the user for a username and password
• Most browsers cache this for the duration of the browser session
• Some will allow the user to save it between sessions
• Distinction between Basic Authentication and Digest Authentication:
– Basic passes usernames and passwords in clear text (actually in
Base64 format, but this is easily translatable)
– Digest scrambles the password by sending a checksum (by default,
MD5) of the username, the password, a given nonce value, the HTTP
method, and the requested URI. The nonce value is sent by the server
with the 401 response.
• Realm is the zone of security
– Effectively the store against which credentials are checked
WEB2P security
Mechanisms for securing Java web
applications
•
•
•
•
Fundamentals
Container-managed techniques
Application-managed techniques
Mix and match
WEB2P security
Fundamentals
• HTTP authentication
• Secure Sockets Layer (SSL)
• HTTP over SSL (HTTPS)
– See how to set this up in Apache
– See how to set this up in Tomcat
– Unlikely to need latter if using Tomcat as
auxiliary server (especially via AJP)
WEB2P security
Container-managed security
• Security constraints in web.xml file
– Authentication
– Authorization
– Secure transport
WEB2P security
Authentication
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/fail_login.html</form-error-page>
</form-login-config>
</login-config>
WEB2P security
Authorization
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin</web-resourcename>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>private</role-name>
</auth-constraint>
</security-constraint>
WEB2P security
Secure transport
<security-constraint>
...
<user-data-constraint>
<transport-guarantee>
CONFIDENTIAL
</transport-guarantee>
</user-data-constraint>
</security-constraint>
WEB2P security
Authentication methods
• Basic - uses HTTP Basic Authentication
• Digest - uses HTTP Digest Authentication
• Form - presents a login form to the user
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>
• Client certificate - requires digital certificate from
client
WEB2P security
Tomcat realms
• MemoryRealm
– a file (tomcat-users.xml) in the TOMCAT/conf directory
• JDBCRealm
– specify tables and columns of a database that contain
usernames, passwords and roles
• DataSourceRealm
– similar, but using a JNDI-named DataSource rather than a
specific JDBC driver
• JNDIRealm
– looks up users in an LDAP directory server accessed by a JNDI
provider
• JAASRealm
– authenticates users through the Java Authentication &
Authorization Service (JAAS) framework
WEB2P security
Application-managed security 1
• Request properties:
– request.getRemoteUser()
– request.getUserPrincipal()
– request.isUserInRole(role)
• Use session attributes to store the user's identity
• Use cookies to store username and password
(can be persistent between browser sessions)
WEB2P security
Application-managed security 2
• Use a security filter
• Use a base servlet
• Use a custom JSP tag
– forward request to a login page if the user is not
logged in or does not have authorisation)
• Struts facilities:
– Use Struts roles (each action has a roles attribute)
– Customise the Struts RequestProcessor
• specifically the method processPreprocess
– Use a Struts Base Action
WEB2P security
Mix and match
• Many of the techniques can be used in
combination
• SecurityFilter (from Sourceforge.net) is an
application-managed mechanism that
mimics container-managed security
WEB2P security