2012 03 27_philly_jug_rewrite_static
Security and Usability: URL-rewriting for the next-generation web user
Lincoln Baxter, III, Senior Software Engineer, Red Hat, Inc., 2012-03-27
Philly Java Users Group
Founder, http://ocpsoft.org/ “Simpler is better.”
What is URL-rewriting?
Any manipulation of the HTTP Request/Response life-cycle.
Mind the gap.
● Gap #1: “Relocated” or missing resources
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting of useful information
● Gap #5: Validation of user input
● … (and actually many more)
robo.to
github.com
blippy.com
“Either the website sucks or you suck, and neither is going to make anyone happy.”
Translated.
Gap #2: URL-readability
http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
wtf?
Tired of trash in your face?
http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
There's plenty of space out in space!
http://amazon.com/shop/kindle-touch?tracker=AAasfds3r32ydkl6fd854kdjf84hfidbdgv64n0curnoxydkl6fd854kdjf84hfidbdgv64n0ge8nfbh...
Gap #3: Revealing sensitive information
Visit: http://microsoft.com/genuine/downloads/faq.aspx
You will be redirected to a page without the .aspx suffix.
A good magician never reveals the implementation.
Be cool.
http://example.com/store/shoes/1
http://example.com/store/shoes/1/buy
http://example.com/store?buy=true&category=shoes&item=1
Trust me?
http://www.youtube.com/watch?v=oHg5SJYRHA0
Build trust by reducing clutter and using clean URLs
Before:
http://example.com/news.xhtml?p=my-new-post
After:
http://example.com/news/my-new-post/
Gap #5: Validation of user input
URLs are user-input and your website is vulnerable!
Aspect Security says:
Two of three recent security vulnerabilities in web-frameworks are URL-based. *
* https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
Real Life...
http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp
Vulnerable!
Cluttered!
wtf?
validate?
Mind the gap.
● Gap #1: “Relocated” resources (404)
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting of useful information
● Gap #5: Validation of user input
Basic things we can do with all types of URL-rewriting
● Redirection & Relocation
● Parameterization
● Simple URL validation
● Add/Remove Headers
/store/{category}/{item}
/store/$attack-%3/begin
Accept-Charset: UTF-8
Cool things we can do with Filter-based Java URL-rewriting
● Transformation and Canonicalization
● Complex Validation
● Data Conversion
● Request interception
● And more...
example.com/project/FOO
example.com/project/foo

```java
.when(Path.matches("/store/product/{pid}").where("pid").bindsTo(El.property("productBean.product").convertedBy(ProductConverter.class).validatedBy(ProductValidator.class)))
```
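As an added example (not OCPSoft Rewrite's own code) of the parameterization, validation, canonicalization and rewriting the two slides above list, this self-contained Java rule accepts /store/{category}/{item}, lowercases each parameter, checks it against a whitelist and rewrites to a query-string URL; the /store.xhtml target and the class and method names are assumptions of mine.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not OCPSoft Rewrite's own code: one inbound rule that
// parameterizes /store/{category}/{item}, canonicalizes and validates each
// parameter, and rewrites to the query-string form used on the slides.
public final class StoreRule {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{([A-Za-z]+)\\}");
    // Whitelist applied after canonicalization; "$attack-%3" cannot pass it.
    private static final Pattern ALLOWED_PARAM = Pattern.compile("[a-z0-9-]{1,32}");

    private final Pattern pathPattern;
    private final List<String> names = new ArrayList<>();
    private final String target; // assumed internal page, e.g. /store.xhtml

    public StoreRule(String template, String target) {
        this.target = target;
        StringBuilder regex = new StringBuilder("^");
        int last = 0;
        Matcher m = PLACEHOLDER.matcher(template);
        while (m.find()) {
            regex.append(Pattern.quote(template.substring(last, m.start())));
            regex.append("([^/]+)"); // exactly one path segment per parameter
            names.add(m.group(1));
            last = m.end();
        }
        regex.append(Pattern.quote(template.substring(last))).append("/?$");
        this.pathPattern = Pattern.compile(regex.toString());
    }

    /** Internal URL, or empty when the request must not match (container serves 404). */
    public Optional<String> rewrite(String requestPath) {
        Matcher m = pathPattern.matcher(requestPath);
        if (!m.matches()) return Optional.empty();
        StringBuilder url = new StringBuilder(target);
        for (int i = 0; i < names.size(); i++) {
            // Canonicalize first (FOO -> foo, as on the slide), then validate.
            String value = m.group(i + 1).trim().toLowerCase(Locale.ROOT);
            if (!ALLOWED_PARAM.matcher(value).matches()) return Optional.empty();
            url.append(i == 0 ? '?' : '&').append(names.get(i)).append('=').append(value);
        }
        return Optional.of(url.toString());
    }
}
```

With `new StoreRule("/store/{category}/{item}", "/store.xhtml")`, `rewrite("/store/Shoes/1")` yields `/store.xhtml?category=shoes&item=1`, while `rewrite("/store/$attack-%3/begin")` matches the path shape but fails validation and returns empty, so the application never sees the raw input.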
Some things you should NOT do, with Java URL-rewriting
If it needs to run when your app doesn't... you probably don't want to put it in your app.
Access Control / Timer Demo ( http://access-rewrite.rhcloud.com/ )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
Rest Validation/Conversion Demo ( http://rest-rewrite.rhcloud.com )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
Composite Query Demo ( http://composite-rewrite.rhcloud.com )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
Bonus round!
But client-side web applications are the future; can't I just ignore the URL and use WebSockets?!
Client-side browser applications
The server serves http://twitter.com/#!/lincolnthree; the client then requests hash-bang routes itself:
#!/lincolnthree
#!/connect
#!/discover
#!/lincolnthree/status/180710662975143936
#!/li
How can we clean it up?
request / response: http://example.com/
Client-side routes that should look like real URLs:
example.com/login
example.com/signup
example.com/lincoln/myproject (request? response?)
Handling bookmarks
The server serves example.com/, example.com/login and example.com/lincoln/myproject; the client-side application inspects the requested path (login, lincoln/..., profile) to choose the view.
Where am I?
example.com/
example.com/lincoln
example.com/lincoln/myproject
example.com/lincoln/lincoln
How do you determine the Context Root? Is it example.com/, example.com/lincoln or example.com/lincoln/lincoln?
Resolve the Context Root
For http://example.com/lincoln the client sends a request and the server answers:
request: HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath
response: 200 OK - Set Header: ContextPath = /
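The HEAD exchange shown above, as an added example that is not Rewrite's own code: both sides are simulated in one Java class so a bookmarked path can be split into context root and client-side route. The marker query string and the ContextPath header name come from the slide; the method names and the ":status" pseudo-header are my assumptions.

```java
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;

// Added example, not Rewrite's own code: the HEAD exchange from the slide,
// simulated in-process so both sides are visible. The marker query string and
// the ContextPath header name come from the slide; the method names are assumed.
public final class ContextRootResolver {
    static final String MARKER = "org.ocpsoft.rewrite.history.ContextPath";
    static final String HEADER = "ContextPath";

    /** Server side: the filter deployed under contextPath answers a HEAD request
     *  carrying the marker with its own context path (":status" is a pseudo-header). */
    static Map<String, String> serverHead(String contextPath, String requestTarget) {
        int q = requestTarget.indexOf('?');
        if (q < 0 || !MARKER.equals(requestTarget.substring(q + 1))) {
            return Map.of(":status", "404"); // not a context-root probe
        }
        return Map.of(":status", "200", HEADER, contextPath);
    }

    /** Client side: split a bookmarked path into [contextRoot, clientRoute]
     *  by asking the server instead of guessing where the application starts. */
    static Optional<String[]> resolve(String bookmarkedPath,
                                      Function<String, Map<String, String>> head) {
        Map<String, String> response = head.apply(bookmarkedPath + "?" + MARKER);
        if (!"200".equals(response.get(":status"))) return Optional.empty();
        String root = response.get(HEADER);
        String prefix = "/".equals(root) ? "" : root;
        if (!bookmarkedPath.startsWith(prefix)) return Optional.empty();
        String route = bookmarkedPath.substring(prefix.length());
        return Optional.of(new String[] { root, route.isEmpty() ? "/" : route });
    }

    public static void main(String[] args) {
        // Same bookmark, two deployments: app at "/" vs. app at "/lincoln".
        for (String deployedAt : new String[] { "/", "/lincoln" }) {
            Function<String, Map<String, String>> head = t -> serverHead(deployedAt, t);
            String[] split = resolve("/lincoln/myproject", head).orElseThrow();
            System.out.println(deployedAt + " -> root=" + split[0] + " route=" + split[1]);
        }
    }
}
```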
Demos
● Access control (Request Interception)
● REST (Validation and Conversion)
● Composite Query (Security and Usability)
● SocialPM Rich Client (Browser Applications)
Mind the gap.
● Gap #1: “Relocated” resources (404)
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting useful information
● Gap #5: Validation of URLs
● … (and actually many more)
@lincolnthree
You have options, but if you liked what you saw...
● Try it now: ocpsoft.org/rewrite
● Get involved: github.com/ocpsoft/rewrite