Java web application security
Dr Jim Briggs
WEB2P security

What is security?
• Usually ensuring that only authorised users can access specific parts of a website
• Security has two basic concepts:
  – authentication: who is it?
  – authorisation: what can they do?

Categories of security mechanism
• Container-managed (e.g. Tomcat)
  – Specified as part of the Java Servlet Specification
  – However, the implementation is container specific (and therefore not necessarily portable between containers)
• Application-managed
  – Independent of the container
  – However, you have to write the code yourself (or use some other mechanism)

HTTP authentication
• HTTP provides for authentication - see RFC 2617
• Operates on a challenge/response paradigm:
  – Server receives a request for an access-protected object
  – Server responds with a "401 Unauthorized" status code
  – Client must then resend the request with an Authorization header
  – Most browsers will prompt the user for a username and password
• Most browsers cache this for the duration of the browser session
• Some will allow the user to save it between sessions
• Distinction between Basic Authentication and Digest Authentication:
  – Basic passes usernames and passwords in clear text (actually in Base64 format, but this is easily decoded)
  – Digest scrambles the password by sending a checksum (by default, MD5) of the username, the password, a given nonce value, the HTTP method, and the requested URI. The nonce value is sent by the server with the 401 response.
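The two RFC 2617 schemes from the slide above, seen from the server side, as an added example that is not part of the original slides. It decodes a Basic header (showing that Base64 is encoding, not protection) and recomputes the Digest response (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2), the qop-less form the slide describes), accepting it only if the nonce is one the server issued. The realm name, the user store and the nonce value are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Server-side checking of HTTP Basic and Digest credentials (RFC 2617, Digest without qop). */
public class HttpAuthCheck {

    static final String REALM = "WEB2P";                                // assumed realm name
    static final Map<String, String> USERS = Map.of("alice", "s3cret"); // constructed user store

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Compare secrets without leaking where they first differ. */
    static boolean sameSecret(String a, String b) {
        return a != null && b != null
            && MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /** Basic: "Basic " + base64("user:pass"). Decoding is all that stands between the wire and the password. */
    static boolean checkBasic(String header) {
        if (header == null || !header.startsWith("Basic ")) return false;
        String pair;
        try {
            pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        int colon = pair.indexOf(':');
        if (colon < 0) return false;
        return sameSecret(USERS.get(pair.substring(0, colon)), pair.substring(colon + 1));
    }

    /** Split the comma-separated key="value" / key=value fields of a Digest header. */
    static Map<String, String> parseDigest(String header) {
        Map<String, String> fields = new HashMap<>();
        Matcher m = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,]*))").matcher(header.substring(7));
        while (m.find()) fields.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3).trim());
        return fields;
    }

    /**
     * Digest: the server recomputes MD5(HA1 ":" nonce ":" HA2) from its own copy of the password
     * and the method/URI of the request actually received, and insists the nonce is one it issued.
     */
    static boolean checkDigest(String header, String method, Set<String> issuedNonces) {
        if (header == null || !header.startsWith("Digest ")) return false;
        Map<String, String> f = parseDigest(header);
        String user = f.get("username"), nonce = f.get("nonce"), uri = f.get("uri");
        if (user == null || nonce == null || uri == null || !issuedNonces.contains(nonce)) return false;
        String password = USERS.get(user);
        if (password == null) return false;
        String ha1 = md5Hex(user + ":" + REALM + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return sameSecret(md5Hex(ha1 + ":" + nonce + ":" + ha2), f.get("response"));
    }

    public static void main(String[] args) {
        // Constructed Basic header for alice:s3cret
        String basic = "Basic " + Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println("Basic accepted: " + checkBasic(basic));

        // Constructed nonce (as sent in the 401) and the Digest header a browser builds from it
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String response = md5Hex(md5Hex("alice:" + REALM + ":s3cret") + ":" + nonce + ":" + md5Hex("GET:/admin/"));
        String digest = "Digest username=\"alice\", realm=\"" + REALM + "\", nonce=\"" + nonce
                + "\", uri=\"/admin/\", response=\"" + response + "\"";
        System.out.println("Digest accepted: " + checkDigest(digest, "GET", Set.of(nonce)));
        System.out.println("Same header, nonce not issued by us: " + checkDigest(digest, "GET", Set.of()));
        System.out.println("Same header, different method: " + checkDigest(digest, "POST", Set.of(nonce)));
    }
}
```

The last two calls show what the nonce and the method/URI buy you: a captured Digest header only verifies against the nonce it was built for and the request it was built for, whereas a captured Basic header is the password itself. Digest still leaves MD5 of a low-entropy password exposed to offline guessing, which is why both schemes belong under HTTPS (see the Fundamentals slide).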
• Realm is the zone of security
  – Effectively the store against which credentials are checked

Mechanisms for securing Java web applications
• Fundamentals
• Container-managed techniques
• Application-managed techniques
• Mix and match

Fundamentals
• HTTP authentication
• Secure Sockets Layer (SSL)
• HTTP over SSL (HTTPS)
  – See how to set this up in Apache
  – See how to set this up in Tomcat
  – Unlikely to need the latter if using Tomcat as an auxiliary server (especially via AJP)

Container-managed security
• Security constraints in the web.xml file
  – Authentication
  – Authorization
  – Secure transport

Authentication
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/fail_login.html</form-error-page>
      </form-login-config>
    </login-config>

Authorization
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>private</role-name>
      </auth-constraint>
    </security-constraint>

Secure transport
    <security-constraint>
      ...
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Authentication methods
• Basic - uses HTTP Basic Authentication
• Digest - uses HTTP Digest Authentication
• Form - presents a login form to the user
    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
    </form>
• Client certificate - requires a digital certificate from the client

Tomcat realms
• MemoryRealm – a file (tomcat-users.xml) in the TOMCAT/conf directory
• JDBCRealm – specify tables and columns of a database that contain usernames, passwords and roles
• DataSourceRealm – similar, but using a JNDI-named DataSource rather than a specific JDBC driver
• JNDIRealm – looks up users in an LDAP directory server accessed by a JNDI provider
• JAASRealm – authenticates users through the Java Authentication & Authorization Service (JAAS) framework

Application-managed security 1
• Request properties:
  – request.getRemoteUser()
  – request.getUserPrincipal()
  – request.isUserInRole(role)
• Use session attributes to store the user's identity
• Use cookies to store username and password (can be persistent between browser sessions)

Application-managed security 2
• Use a security filter
• Use a base servlet
• Use a custom JSP tag
  – forward the request to a login page if the user is not logged in or does not have authorisation
• Struts facilities:
  – Use Struts roles (each action has a roles attribute)
  – Customise the Struts RequestProcessor
    • specifically the method processPreprocess
  – Use a Struts Base Action

Mix and match
• Many of the techniques can be used in combination
• SecurityFilter (from Sourceforge.net) is an application-managed mechanism that mimics container-managed security
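The "security filter" approach from Application-managed security 2, and the idea on the Mix and match slide of an application-managed filter that mimics a container-managed <security-constraint>, as one added example (it is not code from the slides or from the Sourceforge SecurityFilter project). The user's identity is read from a session attribute; each protected URL prefix maps to the one role allowed through, mirroring the /admin/* to private constraint shown earlier. The attribute names, the prefix-to-role policy, the role store and the web.xml mapping in the comment are all assumptions; it expects the javax.servlet API on the classpath and some login servlet that sets the session attribute after checking credentials.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Application-managed security filter that behaves like a web.xml <security-constraint>:
 * identity lives in a session attribute, each protected URL prefix needs one role.
 *
 * Assumed registration, ahead of any other filter in web.xml:
 *   <filter><filter-name>auth</filter-name><filter-class>AuthFilter</filter-class></filter>
 *   <filter-mapping><filter-name>auth</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
public class AuthFilter implements Filter {

    static final String USER_ATTR = "web2p.user";     // assumed: set by the login servlet on success
    static final String TARGET_ATTR = "web2p.target"; // assumed: page to return to after login
    static final String LOGIN_PAGE = "/login.jsp";    // the page the FORM login-config names

    // Constructed policy: URL prefix -> role that may pass (like /admin/* -> private on the slide)
    static final Map<String, String> PROTECTED = Map.of("/admin", "private", "/account", "user");

    // Constructed role store; a real application would consult a realm or database
    static final Map<String, Set<String>> ROLES = Map.of(
        "alice", Set.of("private", "user"),
        "bob", Set.of("user"));

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the web application, already decoded and normalised by the container
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        String requiredRole = requiredRoleFor(path);
        if (requiredRole == null) {          // unprotected resource
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            // Not logged in: remember where they were going, then forward to the login page
            request.getSession(true).setAttribute(TARGET_ATTR, path);
            request.getRequestDispatcher(LOGIN_PAGE).forward(request, response);
            return;
        }
        if (!hasRole(user, requiredRole)) {  // authenticated but not authorised here
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Longest matching prefix; "/admin" covers /admin and /admin/x but not /administrator. */
    static String requiredRoleFor(String path) {
        String best = null;
        int bestLen = -1;
        for (Map.Entry<String, String> e : PROTECTED.entrySet()) {
            String prefix = e.getKey();
            boolean matches = path.equals(prefix) || path.startsWith(prefix + "/");
            if (matches && prefix.length() > bestLen) {
                best = e.getValue();
                bestLen = prefix.length();
            }
        }
        return best;
    }

    static boolean hasRole(String user, String role) {
        return ROLES.getOrDefault(user, Set.of()).contains(role);
    }
}
```

Two points worth noticing against the container-managed version: the filter separates the "not logged in" case (send to the login page, as the slide's custom JSP tag would) from the "logged in, wrong role" case (403), and it matches on the container's servlet path rather than the raw request URI, so encoded or dot-segment variants of /admin cannot slip past the prefix check. Because filters only run on the REQUEST dispatcher by default, the forward to the login page is not itself re-filtered.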