Web Application Security

advertisement
CS4273: Distributed System Technologies and Programming I
Lecture 10: Web Security Programming
Web Application Security
1
Outlines
• Major security issues (Authentication and SSL)
• Types of security programming
– Declarative and program security
• Declarative security
– Using BASIC authentication
– Using Form-based authentication
• Combined declarative and program security
• Pure program security
Web Application Security
2
Major security issues
• Prevent unauthorized users from accessing sensitive data
– Authentication: identifying users to determine if they are one of the
authorized ones
– Access control: identifying which resources need protection and who
should have access to them
• Prevent attackers from stealing data from network during
transmission
– Encryption (usually by Secure Sockets Layer)
Web Application Security
3
Authentication
• Collect user ID information from end users (“logging in”)
– usually by means of browser dialog / interface
– user ID information normally refers to username and password
• Transport collected user ID information to the web server
– unsecurely (HTTP) or securely (HTTPS = HTTP over SSL)
• Verify ID and passwd with backend Realms (“security database”)
– Realms maintain username, password, roles, etc., and can be organized by
means of LDAP, RDBMS, Flat-file, etc.
– Validation: the web server checks if the collected user ID & passwd match
with these in the realms.
• Keep track of previously authenticated users for further HTTP
operations
Web Application Security
4
What is Secure Sockets Layer (SSL)?
• A protocol developed in 1996 by Netscape for securely
transmitting private web documents over the Internet.
• It employs private and public key to encrypt data that’s
transmitted over the SSL connection.
• By convention, URLs that require SSL connection start with
https: (port 443) instead of http: (port 80).
Web Application Security
5
Why use SSL?
• SSL is necessary if …
– There is a login or sign in (to protect user name and passwd)
– It transmits sensitive data online, such as credit card information,
HKID #, etc.
– You need to comply with privacy and security requirements
Source: www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/index.html
Web Application Security
6
Use of an SSL Certificate
• To enable secured SSL connections, the server needs an SSL
certificate signed by a Certificate Authority (CA).
– CA verifies the ID of the certificate owner (e.g., www.hsbc.com.hk)
when an SSL certificate is issued.
• Each SSL Certificate contains unique and authenticated
information about the certificate owner, such as ID (in X.500
format), location, public key, and the signature of the CA.
– It confirms that you are who you say you are in the Internet.
• An SSL certificate enables encryption of sensitive information
during online transactions by means of using hybrid
cryptosystem.
Web Application Security
7
A Sample Certificate
This is a certificate issued by Ace CA:
Data
Version: v1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: OU=Ace Certificate Authority, O=Ace Ltd, C=US
Validity: Not Before: Fri Nov 15 00:24:11 1996
Not After: Sat Nov 15 00:24:11 1997
Subject: CN=Jane Doe, O=Ace Industry, C=US
Subject Public Key Info:
Algorithm: PKCS #1 RSA Encryption
Public Key: 00:d0:e5:60:7c:82:19:14:cf:38: F7:5b:f7:35:4e:14:41:2b:ec:24:
33:73:be:06:aa:3d:8b:dc:0d:06: 35:10:92:25:da:8c:c3:ba:b3:d7:
lf:1d:5a:50:6f:9a:86:53:15:f2: 53:63:54:40:88:a2:3f:53:11:ec: 68:fa:e1:f2:57
Public Exponent: 65537 (0x10001)
Signature
Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
12:f6:55:19:3a:76:d4:56:87:a6: 39:65:f2:66:f7:06:f8:10:de:cd:
1f:2d:89:33:90:3d:a7:e3:ec:27: ac:e1:c0:29:c4:5a:69:17:51:dc:
1e:0c:c6:5f:eb:dc:53:55:77:01: 83:8f:4a:ab:41:46:02:d7:c8:9a: fe:7a:91:5c
How SSL Works?
Good video tute at http://www.viddler.com/explore/sdennis/videos/5/
SSL handshake
Browser connects to SSL port 443 on the web server, and Hello msg
exchange btn browser & server on key-exchange, encrypt alg, etc
Web server sends back its SSL certificate. Web browser decides if it wants
to trust the web server’s SSL certificate
Web Browser
Web browser and web server both calculate a session key by agreed
key-generation method
Web browser and web server negotiate an encryption cipher
Web Server
Web browser and web server exchange information encrypted by the
session key and the agreed encryption algorithm
More details at https://ssl.trustwave.com/support/support-how-ssl-works.php
9
CA Root Certificate
• Web browser needs the root certificate of the CA that issued the SSL
certificate to the web-server to verify if the web server is trustable.
• If the browser does not have/trust the CA root certificate, most web
browsers will warn you …
Web Application Security
10
Steps to Enable SSL in Apache Tomcat
1. Obtain an SSL certificate for Apache Tomcat from a CA.
https://knowledge.verisign.com/support/ssl-certificatessupport/index?page=content&id=AR227
2. Install CA’s root certificate and Apache Tomcat’s SSL
certificate to Apache Tomcat’s keystore.
https://knowledge.verisign.com/support/ssl-certificatessupport/index?page=content&id=AR234
3. Set up SSL parameters (port #, count, timeout, etc) by adding
<Connector … scheme="https" secure="true">...</Connector>
XML block in conf/server.xml.
https://knowledge.verisign.com/support/ssl-certificatessupport/index?page=content&id=SO5306
Web Application Security
11
Types of Web Application Security
• There are two major types of web application security
– Declarative security
– Program security
Web Application Security
12
Declarative Security
None of the individual servlets or JSP pages needs any security conscious
code. You only need to do some configurations (on file web.xml) and
the security is automatically handled by the system.
• To prevent unauthorized access
– Use the Web application deployment descriptor (web.xml) to declare that
certain URLs need protection.
– The server automatically prompts users for username and password upon
requests for access to restricted resources, performs verification, and
keeps track of users who have previously been authenticated.
• To safeguard data transmitted over the network
– Use web.xml to configure which URLs should be accessible only with
SSL. If users try to access the protected URLs via regular HTTP, the
server automatically redirects them to the HTTPS (SSL) accordingly.
Web Application Security
13
Program Security
Servlets and JSP pages manage (or partially) their own security. All
security (authentication, access control, etc) is done by user programs.
• To prevent unauthorized access
– Each servlet or JSP page must either authenticate the user or verify that
the user has been authenticated previously.
• To safeguard data transmitted over the network
– SSL is a common method to safeguard the data on network. You need to
redirect requests to https URLs explicitly in programs.
Web Application Security
14
Declarative security approaches
There are two general approaches to the declarative security
for the Web application framework:
• BASIC Authentication
• Form-based Authentication
Web Application Security
15
BASIC Authentication
• By using declarative security, all you need
to do is to put the protected data in a
directory and declare the directory as
protected in <url-pattern> in web.xml (for
restricted servlet, also declare it in <urlpattern>)
• The server will pop up a standard
authentication window asking for username
& passwd upon user’s requests to access
restricted resources (specified directory or
files).
Web Application Security
16
Steps for the BASIC Authentication (1)
Step 1. Setup realms (username, password and role)
– Create a list of users, associated passwords and roles in file <installdir>/conf/tomcat-users.xml as below:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="sprole"/>
Two roles defined: sprole and admin
<role rolename="admin"/>
<user username="adminuser" password="adminpwd" roles="sprole,admin"/>
<user username="bigboss" password="bosspwd" roles="sprole,admin"/>
<user username="basicuser" password="basicpwd" roles="sprole"/>
<user username="joedoe" password="joeypwd" roles="sprole"/>
</tomcat-users>
Web Application Security
17
Steps for the BASIC Authentication (2)
Step 2. Specify the use of BASIC authentication
– Add <login-config> block in file web.xml with an <authmethod> BASIC and <realm-name> subelements as below:
<web-app …>
<security-constraint>…</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>BASIC Authentication Example</realm-name>
</login-config>
<… /web-app>
Web Application Security
18
Steps for the BASIC Authentication (3)
Step 3. Specify URLs (file paths) that should be passwd protected
– Configure two subelemetns under <security-constraint> element in web.xml:
1. web-resource-collection specifies URLs that have access control, and
2. auth-constraint specifies user roles that have the access to the protected URLs.
<web-app …>
<security-constraint>
<display-name>Security Checking</display-name>
<web-resource-collection>
<web-resource-name>User Validation</web-resource-name>
<url-pattern>/security/*</url-pattern>
</web-resource-collection>
All resources (because of using /*)
<auth-constraint>
<role-name>sprole</role-name>
under the current web application
</auth-constraint>
can only be accessed by users with
</security-constraint>
role sprole
<login-config>…</login-config>
<… /web-app>
Web Application Security
19
Steps for the BASIC Authentication (4)
Step 4. List all possible roles (categories of users) in the
system (only the roles specified in <auth-constraint>
clause can access the protected resource).
–
List all possible roles in block <security-role> of <web-app…>
<web-app …>
<security-constraint>…</security-constraint>
<security-role>
<role-name>sprole</role-name>
<role-name>admin</role-name>
<role-name>user</role-name>
</security-role>
<…/web-app>
Web Application Security
20
Steps for the BASIC Authentication (5)
Step 5. Specify the URLs that require SSL. When users access
the specified directory, the server redirects requests to https.
– Add <transport-guarantee> block under <user-data-constraint> in
<security-constraint> with value CONFIDENTIAL.
<security-constraint>
…
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
…
</security-constraint>
Web Application Security
21
Do you like BASIC Authentication?
• Is BASIC authentication good enough?
Disadvantages
- No customization is allowed (e.g. no
user defined GUI or login pages)
- Can only get username and
password by default
Web Application Security
22
Form-based Authentication
Web server collects user identification information via a
customized login page, e.g.
Web Application Security
23
Steps for Form-based Authentication (1)
Step 1. Setup realms (username, password and role)
– Same as the BASIC authentication
Step 2a. Specify the user of Form-based authentication
– In web.xml of your web application
<web-app …>
<security-constraint>…</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Form-based authentication Example</realm-name>
<form-login-config>
<form-login-page>/html/login.html</form-login-page>
<form-error-page>/html/login-error.html</form-error-page>
</form-login-config>
</login-config>
Specify the location of the login and login<… /web-app>
error pages (under /WEB-INF/html directory)
Web Application Security
24
Steps for Form-based Authentication (2)
Step 2b. Create customized login page
– Can be HTML or JSP page as below:
– HTML form must have ACTION of j_security_check,
METHOD of POST, textfield named j_username, and
password field named j_password as following:
Source code:
<form action="j_security_check" method="POST">
<p>User name: <input type="text" name="j_username" id="j_username" /></p>
<p>Password: <input type="password" name="j_password" id="j_password" /></p>
<p><input type="submit" value="Login" /></p>
</form>
Web Application Security
25
Steps for Form-based Authentication (3)
• Step 2c. Create login failure page
– Can be HTML or JSP page, simply for login failure messages
Web Application Security
26
Steps for Form-based Authentication
Step 3. Specify URLs (file paths) that should be password
protected
Step 4. List all possible abstract roles that will be granted access
to the resource
Step 5. Specify the URLs that require SSL
– All the above 3 steps are the same as the BASIC authentication.
Web Application Security
27
Basic vs. Form-based Authentication
Basic
Form-based
Get username and password by
using browser provided dialog
box
Get username and password by
using a customized login page
Only username and password
can be collected
Customized data can be
collected
HTTP Authentication header is
used to convey username and
password
Form data is used to convey
username and password
Web Application Security
28
Problems with pure declarative security
• Access is all-or-nothing
– Users can access a resource or be denied access to it.
– No options to permit resources to customize their output depending
on the username or role of the client that accesses them (i.e. partial
access to information)
• Access based on exact password matches
– Controlled by server and is case non-sensitive.
• Involves server-specific component
– It is not completely portable. Different servers may have different
ways of settings.
• All pages use same mechanism
– Cannot mix form-based and BASIC in same Web application. (not
flexible)
Web Application Security
29
Combined Declarative with Programming Security
• Rely on the web-server for authentication (i.e., usernames,
passwords, and roles)
– Use Form-based or BASIC authentication
• Access control by programs in the servlets or JSP pages
– E.g. you can change the result of a particular page depending on who
accesses it. With pure declarative security, it is all or nothing.
• Use the following HttpServletRequest methods
– isUserInRole: check if the current user is in a specified role, e.g.,
req.isUserInRole("admin");
– getRemoteUser: return the user-name who makes this request, e.g.,
name = req.getRemoteUser();
– getUserPrincipal: return a java.security.Principal object containing the
name of authenticated user, e.g., name = req.getUserPrincipal().getName();
Web Application Security
30
Combined Security Method
• Follow the steps of setting up authentication (use either
FORM or BASIC method)
• Server can track users and pop up dialog box if they are
unauthenticated
Web Application Security
31
Servlet Program in Combined Security
Servlet program segment
– Specify the information to be accessed by “admin” role users only
(NOTE: web.xml specifies access to both sprole or admin)
String name = getRemoteUser();
if (name == null)
out.println(name + " haven't logged in. <br>" );
else out.println("Hello, " + name + "! <br>");
if (request.isUserInRole(“admin")) {
out.println("<H3>Administrator</H3>");
out.println("Median pay for corporate administrator:");
out.println("<UL>");
out.println(" <LI><B>2004:</B> $500,000.");
out.println(" <LI><B>2005:</B> $600,000.");
…………
out.println("</UL>");
}
Web Application Security
32
Output of the Servlet Program
Data accessed by ordinary users (“sprole” and “admin”) and
by admin user only:
Web Application Security
33
Pure Programming Security
• Authentication & access control are all done by programs.
NO need to setup security in conf files, server.xml, tomcatusers.xml, web.xml.
• Advantages
– Totally portable (No server-specific component)
– Permits custom password-matching strategies
• Disadvantages
– Much harder to write programs and maintain
– Every resource has to use programmed access control
• You can build reusable infrastructure (e.g., servlets that inherit from
certain class or custom JSP tags), but it is still a lot of work
Web Application Security
34
Steps of Programming Security
• Use your own database (or other data structure) to store
usernames and passwords, and use “getParameter” to
collect username and password from client for matching.
• Use sessions to track the users that are already logined to
the system.
• Turn on SSL by using “https” (instead of “http”) of the
web-server in the HTML form (when specifying URL of
CGI to process the username/passwd form).
Web Application Security
35
Programming Authentication with Session Tracking:
an example
protected void doGet(…)… {
// Get the login name and password
String loginName = request.getParameter("UserName");
String password = request.getParameter("Password");
HttpSession session = request.getSession(true);
String xmlResult = "<ServerResponse>";
if (loginName.equals(password)) {
xmlResult += "<LoginResult>Login Success</LoginResult>";
session.setAttribute("Logined", new Boolean(true));
} else {
xmlResult += "<LoginResult>Login Fail</LoginResult>";
session.setAttribute("Logined", new Boolean(false));
}
xmlResult += "</ServerResponse>";
System.out.println("XML Result for Login Servlet: " + xmlResult);
out.print(xmlResult);
}
Web Application Security
36
Programming Security with SSL
• Determining If SSL Is in Use
– request.getScheme()
– request.isSecure()
//returns “https” or “http”
//returns true or false
• Redirecting to an SSL weblink
– response.sendRedirect(“https://www.xyz.com/abc.jsp”)
• Discovering the key-size (Number of bits in the Key)
– request.getAttribute(“javax.servlet.request.key_size”)
• Looking Up the Encryption Algorithm
– request.getAttribute(“javax.servlet.request.cipher_suite”)
• Accessing Client X509 Certificates
– request.getAttribute(“javax.servlet.request.X509Certificate”)
Web Application Security
37
Using Programming Security with SSL
If HTTP is in use, redirect the web page
over HTTPS automatically
Print out information by using the
functions described in the previous slide
Web Application Security
38
Summary
• Declarative security
– Requires security configuration and no programming required.
• BASIC authentication
– Use standard login dialog box.
• Form-based authentication
– User customized login page.
• Combined security
– Use isUserRole or getRemoteUser for access control depending on
who accesses resource
– Still rely on server for authentication
• Pure program security
– User has full control of authentication (passwd match) and access
control
Web Application Security
39
Download