Web Application Security Made Easy with JBoss, Seam, and Hibernate


Web Application Security Made Easy
With JBoss, Seam, and Hibernate
PRESENTED BY CHRIS ANDERSON
DECEMBER 10, 2008
Outline
 The Goal
 Technologies used
 Prerequisites
 Database creation
 Application generation
 Application configuration
 Additional security measures
 What’s next?
 Conclusion
The Goal
 Create a secure web application in under 30 minutes
 Authenticate users
 Role-based access control
 Protect against SQL injection
 Protect against XSS
 Enable SSL
Technologies Used
 Microsoft SQL Server 2005
 JBoss 4.2.0 Application Server
 JBoss Seam 2.0.2 Web Framework
 Hibernate
 Apache Ant
 Eclipse development environment (recommended)
Prerequisites
 JBoss
 Seam
 SQL Server
 Ant
 Java 1.6
Database Creation
 Create users
    JBoss user
    Application user
 Create tables
    User, Role, User_Role
 Stored procedures
    Create user
    Change password
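The database this slide describes, written out as an added T-SQL example for SQL Server 2005; it is not from the original deck. Only the table and procedure names come from the slide. The column names and sizes, the login name testdbuser (taken from the seam setup transcript later in the talk), the ADMIN role and its initial account (my reading of "Application user"), and the grant list are assumptions. The procedures take the already-hashed password, matching the getHashedPwd() call on the Java side, so the clear-text password never reaches the database and SQL Server 2005's lack of SHA-2 in HASHBYTES does not matter. VARBINARY(32) assumes getHashedPwd() returns the raw 32-byte digest; use CHAR(64) if it returns hex. The point of the two-user setup is least privilege: the login JBoss connects with can read the three tables and execute the two procedures, and nothing else.

```sql
-- Added example, not from the original deck. Table and procedure names are the
-- slide's; columns, sizes, grants and seed rows are assumptions.
USE TESTDB;
GO

-- USER is a reserved word in T-SQL, hence the brackets.
CREATE TABLE dbo.[User] (
    user_id  INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    username NVARCHAR(64)  NOT NULL UNIQUE,
    password VARBINARY(32) NOT NULL   -- digest from the app's getHashedPwd(), never clear text
);
CREATE TABLE dbo.Role (
    role_id   INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    role_name NVARCHAR(32) NOT NULL UNIQUE
);
CREATE TABLE dbo.User_Role (
    user_id INT NOT NULL REFERENCES dbo.[User](user_id),
    role_id INT NOT NULL REFERENCES dbo.Role(role_id),
    PRIMARY KEY (user_id, role_id)
);
GO

-- "Create user": the only write path into [User] for the application login.
CREATE PROCEDURE dbo.CreateUser
    @username      NVARCHAR(64),
    @password_hash VARBINARY(32)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.[User] (username, password) VALUES (@username, @password_hash);
END
GO

-- "Change password": the old hash must match, so a caller that can execute the
-- procedure still cannot reset someone else's password.
-- Returns 1 on success, 0 if the username/old-hash pair did not match.
CREATE PROCEDURE dbo.ChangePassword
    @username NVARCHAR(64),
    @old_hash VARBINARY(32),
    @new_hash VARBINARY(32)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @rows INT;
    UPDATE dbo.[User]
       SET password = @new_hash
     WHERE username = @username AND password = @old_hash;
    SET @rows = @@ROWCOUNT;
    RETURN @rows;
END
GO

-- The login the JBoss datasource uses (the slide's "JBoss user"). It can read the
-- three tables (the authenticate query needs the password column) and run the two
-- procedures; it cannot INSERT, UPDATE or DELETE directly, so an injection flaw
-- elsewhere in the application cannot rewrite passwords or grant roles over this
-- connection. The password here is a placeholder.
CREATE LOGIN testdbuser WITH PASSWORD = 'Replace-this-before-use-1';
CREATE USER testdbuser FOR LOGIN testdbuser;
GRANT SELECT ON dbo.[User]    TO testdbuser;
GRANT SELECT ON dbo.Role      TO testdbuser;
GRANT SELECT ON dbo.User_Role TO testdbuser;
GRANT EXECUTE ON dbo.CreateUser     TO testdbuser;
GRANT EXECUTE ON dbo.ChangePassword TO testdbuser;
GO

-- Seed data: the ADMIN role that pages.xml checks, and one account holding it.
-- The hash is SHA-256 of the placeholder password "admin" (constructed for this
-- example) and must be replaced before the application is exposed to anyone.
INSERT INTO dbo.Role (role_name) VALUES ('ADMIN');
EXEC dbo.CreateUser @username = 'admin',
     @password_hash = 0x8C6976E5B5410415BDE908BD4DEE15DFB167A9C873FC4BB8A81F6F2AB448A918;
INSERT INTO dbo.User_Role (user_id, role_id)
SELECT u.user_id, r.role_id
  FROM dbo.[User] u, dbo.Role r
 WHERE u.username = 'admin' AND r.role_name = 'ADMIN';
GO
```

Run the script as a database owner, not as testdbuser; the seam setup step that follows then points the datasource at testdbuser, which never needs rights beyond the grants above.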
Application Generation
C:\jboss-seam-2.0.2.SP1>seam setup
[input] Enter your Java project workspace (the directory that contains your Seam projects) [c:/Projects]
[input] Enter your JBoss home directory [C:/jboss/jbossEP-4.2.0.GA/jboss-as]
[input] Enter the project name [testproject]
[input] Do you want to use ICEFaces instead of RichFaces [n] (y, [n])
[input] Select a RichFaces skin [classic] (blueSky, [classic], ruby, wine, deepMarine, emeraldTown, sakura, DEFAULT)
[input] Is this project deployed as an EAR (with EJB components) or a WAR (with no EJB support) [ear] ([ear], war)
[input] Enter the Java package name for your session beans [com.uccs.itapps.testproject.beans.session]
[input] Enter the Java package name for your entity beans [com.uccs.itapps.testproject.beans.entity]
[input] Enter the Java package name for your test cases [com.uccs.itapps.testproject.testcases]
[input] What kind of database are you using? [mssql] (hsql, mysql, oracle, postgres, [mssql], db2, sybase, enterprisedb, h2)
[input] Enter the Hibernate dialect for your database [org.hibernate.dialect.SQLServerDialect]
[input] Enter the filesystem path to the JDBC driver jar [C:\Program Files\Microsoft SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu\sqljdbc.jar]
[input] Enter JDBC driver class for your database [com.microsoft.sqlserver.jdbc.SQLServerDriver]
[input] Enter the JDBC URL for your database [jdbc:sqlserver://localhost]
[input] Enter database username [testdbuser]
[input] Enter database password [testdbuser]
[input] Enter the database schema name (it is OK to leave this blank) [TESTDB]
[input] Enter the database catalog name (it is OK to leave this blank) []
[input] Are you working with tables that already exist in the database? [y] ([y], n)
[input] Do you want to drop and recreate the database tables and data in import.sql each time you deploy? [n] (y, [n])
C:\jboss-seam-2.0.2.SP1>seam new-project
Building the Application
C:\Projects\demoproject>ant deploy
Application Configuration
 Modify the datasource xml file (the resources/<project>-ds.xml that seam-gen generated)
 Change
<connection-url>
jdbc:sqlserver://localhost
</connection-url>
 To
<connection-url>
jdbc:sqlserver://127.0.0.1:50853;databaseName=TESTDB
</connection-url>
 The explicit loopback address, port and databaseName pin the application to the local instance and database; the same file carries the database password in clear text, so restrict who can read the deployed copy
Start JBoss
C:\jboss\jbossEP-4.2.0.GA2\jboss-as\bin\run.bat -c default
Authentication
 Add entity beans for the database tables (for example with seam generate-entities, which reverse-engineers User, Role and User_Role)
 Modify the generated authentication bean (Authenticator) so that authenticate() looks the user up by username and password hash and loads the user's roles
 Because the query compares the digest inside the database, getHashedPwd() must be deterministic; if it is an unsalted digest, prefer looking the user up by username and verifying a per-user salted hash in Java
// imports needed: javax.persistence.EntityManager, javax.persistence.NoResultException,
// org.jboss.seam.security.Identity; em and identity are @In-injected by Seam
public boolean authenticate() {
    try {
        // Named parameters are bound, never concatenated into the JPQL string,
        // so a crafted username such as  ' or '1'='1  cannot alter the query
        User user = (User) em.createQuery("from User where username = :username and password = :password")
            .setParameter("username", identity.getUsername())
            .setParameter("password", getHashedPwd(identity.getPassword()))
            .getSingleResult();
        if (user.getRoles() != null) {
            for (Role mr : user.getRoles()) {
                identity.addRole(mr.getRoleName());   // roles drive the s:hasRole() checks
            }
        }
        return true;
    } catch (NoResultException e) {
        return false;   // no such user or wrong password; returning false makes Seam reject the login
    }
}
Role-Based Security
 Create Administration page (admin.xhtml)
 Create link for the Administration page on the menu; the rendered attribute only hides the link from users without the role, it does not protect the page
 <s:link view="/admin.xhtml" action="administration" value="Administration"
rendered="#{identity.loggedIn &amp;&amp; s:hasRole('ADMIN')}"/>
 Modify pages.xml; this <restrict> is the actual access control and applies however the URL is reached, including by typing it directly
<page view-id="/admin.xhtml" login-required="true">
<restrict>#{s:hasRole('ADMIN')}</restrict>
</page>
SSL
 Create a self-signed certificate using Java keytool (pass -keysize 2048 and -validity as well: the Java 6 keytool defaults to a 1024-bit RSA key valid for 90 days)
keytool -genkey -alias tomcat -keyalg RSA
 Copy the generated .keystore file (keytool writes it to the user's home directory) to the JBoss conf directory, renaming it to the name used in keystoreFile below
 Modify the tomcat server.xml file: comment out the plain HTTP connector on 8080 so the application answers only over HTTPS, and add the 8443 connector; keystorePass sits in clear text in server.xml, so protect that file like the datasource file
<!--Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" /-->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${jboss.server.home.dir}/conf/testproject.keystore"
keystorePass="Pass_1" />
What's Next
 Install an SSL certificate issued by a trusted CA in place of the self-signed one
 Configure SQL Server or create firewall rules to block anonymous access to the database server (allow only the application server to reach the SQL Server port)
Conclusion
 Web application security can be easy
 Thanks for listening
 Any questions?