Securing web applications using Java EE
Dr Jim Briggs
Introduction
• Security is a pervasive issue
  – All e-commerce systems require it
• Three aspects of security:
  – Confidentiality
  – Integrity
  – Availability
• To achieve these, we distinguish two functions:
  – authentication: how users prove who they say they are
  – authorisation: how access to specific resources is allowed or denied
Three areas to cover
1. HTTP and other authentication mechanisms
2. Application-managed security
3. Container-managed security
   1. Declarative
   2. Programmatic
AUTHENTICATION MECHANISMS
HTTP authentication 1
• HTTP provides facilities for authentication
  – https://tools.ietf.org/html/rfc7235
• HTTP authentication operates on a challenge/response paradigm
  – If server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code.
  – The client must then resend the request with an Authorization header.
• Most browsers will prompt the user for a username and password.
• Most browsers cache this for the duration of the browser session; some will allow the user to save it between sessions.
• We leave it as an exercise for the reader as to whether storing a password on the client machine is secure or not!
HTTP authentication 2
• Two mechanisms
  – Basic Authentication – passes usernames and passwords in clear text (actually in Base64 format, but this is easily translatable)
  – Digest Authentication – scrambles the password by sending a checksum (by default, MD5) of:
    • the username
    • the password
    • a given nonce value (sent by the server with the 401 response)
    • the HTTP method
    • the requested URI
    • Why are all of these necessary?
• HTTP authentication operates within a realm. A realm is essentially the store (e.g. file, database, ...) against which user credentials are checked.
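As an added example (not part of the slides), here is how the client forms the Digest response from exactly the five values listed above, in the "MD5"/"auth" form of RFC 7616 (which also permits SHA-256), and how the server checks it without ever holding the password itself. The username, realm, nonce and URI are constructed values.

```java
// Added example (not from the slides): Digest response computation and check.
// Shows why each of the five inputs is needed: realm+user+password identify the
// account, method+URI bind the value to one request, the nonce to one challenge.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestAuthExample {

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : d) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Client side: response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) ). */
    public static String response(String user, String realm, String password,
                                  String nonce, String method, String uri) {
        String ha1 = md5Hex(user + ":" + realm + ":" + password); // who, and in which realm
        String ha2 = md5Hex(method + ":" + uri);                  // which request it covers
        return md5Hex(ha1 + ":" + nonce + ":" + ha2);             // nonce ties it to this challenge
    }

    /** Server side: the realm store keeps HA1, not the password, and recomputes the same value. */
    public static boolean verify(String storedHa1, String nonce, String method,
                                 String uri, String presented) {
        String expected = md5Hex(storedHa1 + ":" + nonce + ":" + md5Hex(method + ":" + uri));
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String nonce = "c0ffee1234";                              // constructed server nonce
        String resp = response("alice", "shop", "s3cret", nonce, "GET", "/orders/42");
        String ha1 = md5Hex("alice:shop:s3cret");                 // what the realm store holds
        System.out.println(verify(ha1, nonce, "GET", "/orders/42", resp));        // same request
        System.out.println(verify(ha1, nonce, "GET", "/orders/43", resp));        // other URI
        System.out.println(verify(ha1, "c0ffee5678", "GET", "/orders/42", resp)); // other nonce
    }
}
```

Because the stored value is HA1 = MD5(user:realm:password), changing the realm name invalidates every stored credential, which is why the realm is part of the scheme rather than just a label.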
Transporting passwords
• Problem: Basic authentication sends passwords in clear
• Digest authentication better – only sends password digest
• Secure Sockets Layer (SSL)
• HTTPS – secure HTTP
Non-HTTP authentication
• Provide user with a login form (HTML)
  – Boxes for username and password
  – Typically provides link for forgotten password
• Username and password sent as normal form data
• Server-side processes it like any other form data
Identifying a logged-in user
• If using HTTP authentication, browser will resend credentials with all relevant requests
  – Server effectively rechecks each request
• If using application authentication, server will store user-id in session
  – Application needs to recheck every request
Java Authentication and Authorization Service (JAAS)
• Common to all Java platforms (apps, applets and servlets)
• Two basic concepts (interfaces):
  – Principal: represents an (authenticated) user
  – Role: group of principals who share common set of permissions
APPLICATION MANAGED SECURITY
Common features
• Mechanism to test authorisation
  – Code in every servlet
    • Or every servlet extends one with the security in-built
  – Filter applied to all relevant servlets
  – Framework-specific mechanism (e.g. Interceptor in Struts2)
  – Java EE standard mechanism
• Mechanism to force authentication
  – Via HTTP
  – Via a form
  – Store result so that it can be reused
Java EE facilities
• request.getRemoteUser()
• request.getUserPrincipal()
• request.isUserInRole(role)
• Use session attributes to store the user's identity
• Use cookies to store username and password (can be persistent between browser sessions)
Checking login: business method

```java
// em is the injected JPA EntityManager. The password is matched by the query
// itself, so the Person table must hold it in the same form the user types it.
public User login(String username, String password) throws Exception {
    Query q = em.createQuery("select p from Person p where "
            + "p.username = :username and p.password = :password");
    q.setParameter("username", username);   // bound parameters, not string concatenation
    q.setParameter("password", password);
    try {
        User u = (User) q.getSingleResult();
        return u;                            // exactly one match: logged in
    } catch (NoResultException ex) {
        return null;                         // no match: login fails
    }
}
```
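As an added example (not the lecture's code), the same business method rewritten so that the Person row stores a per-user salt and a PBKDF2 hash instead of the password: the JPQL query then matches on username only and the password check happens in Java. The accessor names getPasswordSalt() and getPasswordHash() on User are assumed.

```java
// Added example, not the lecture's code: login() against a salted PBKDF2 hash.
// Assumes the Person entity has been given salt and hash columns exposed via
// User.getPasswordSalt() and User.getPasswordHash() (hypothetical names).
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import javax.persistence.Query;

public class UserManagement {
    private static final int ITERATIONS = 100_000;   // makes offline guessing of a leaked hash slow
    private static final int KEY_BITS = 256;

    private final EntityManager em;
    public UserManagement(EntityManager em) { this.em = em; }

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                     // do not leave the password in memory
        }
    }

    /** Run once when a password is set; persist both arrays on the Person. */
    public static byte[][] hashNewPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);           // per-user salt: equal passwords, different hashes
        return new byte[][] { salt, pbkdf2(password, salt) };
    }

    /** Drop-in replacement for login(): null for unknown user or wrong password. */
    public User login(String username, char[] password) throws Exception {
        Query q = em.createQuery("select p from Person p where p.username = :username");
        q.setParameter("username", username);
        User u;
        try {
            u = (User) q.getSingleResult();
        } catch (NoResultException ex) {
            return null;                              // same outcome as a wrong password
        }
        byte[] candidate = pbkdf2(password, u.getPasswordSalt());
        // constant-time comparison: Arrays.equals() would stop at the first differing byte
        return MessageDigest.isEqual(candidate, u.getPasswordHash()) ? u : null;
    }
}
```

The controller on the next slide stays the same apart from passing the password as a char[] that it clears afterwards.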
Checking login: controller method

```java
// Struts2 action: SUCCESS and Constants.LOGIN_FAILED are result names
user = userMgmt.login(username, password);
if (user != null) {
    request.getSession().setAttribute("LoggedInUser", user);   // stored so later requests can reuse it
    setMessage("Logged in as " + user.getUsername());
    log.info(user.getUsername() + " logged in successfully");
    return SUCCESS;
} else {
    setMessage("Username and/or password not known");           // same message for both cases
    this.addActionError("Username and/or password not known");
    return Constants.LOGIN_FAILED;
}
```
Authorisation: check access

```java
User user = (User) request.getSession().getAttribute("LoggedInUser");
if (user == null) {
    // not logged in!
    // redirect to a login page
}
```

Then, to test a role, one of (depending on where the role logic lives):

```java
if (user.inRole("admin")) {                           // role known to the User object
if (securityManager.isUserInRole(user, "admin")) {    // role looked up by a security manager
if (securityManager.isAdmin(user)) {                  // role-specific query
```
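As an added example (not from the slides), the "filter applied to all relevant servlets" option from the Common features slide, combined with the access check above: one servlet Filter forces authentication and tests the role for every protected URL, so no individual servlet can forget the check. It reuses the LoggedInUser session attribute set by the controller and the user.inRole() form of the role test, which is assumed to exist on the User class.

```java
// Added example (not from the slides): application-managed security as a Filter.
// Assumes User.inRole(String) exists, and a login page mapped at /login.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// One mapping covers every protected URL; add patterns here, not checks in servlets
@WebFilter(urlPatterns = {"/account/*", "/admin/*"})
public class AccessFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);      // never create a session just to look
        User user = (session == null) ? null : (User) session.getAttribute("LoggedInUser");

        if (user == null) {                                    // not logged in: force authentication
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        // path relative to the web application, e.g. "/admin/orders"
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith("/admin") && !user.inRole("admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated but not authorised
            return;
        }
        chain.doFilter(req, res);                              // authorised: on to the servlet
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```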
Pros and cons of application-managed security
• Pro: complete control
• Pro: can fine-tune for performance
• Con: you might forget to put it in a method
• Con: managing site-wide may be a problem
CONTAINER MANAGED SECURITY
Container managed security
• Standard set of functionality
• Security can span a set of separate web applications (single sign-on)
Java EE security annotations
• @PermitAll
• @DenyAll
• @RolesAllowed
• @DeclareRoles
• @RunAs
Java EE Configuration
• Container (e.g. Glassfish)
  – Configure:
    • realm (and implementation) for container to use
    • security role mappings (via glassfish-web.xml)
      – assign principals and/or groups to roles
• Application
  – web.xml
    • login configuration – basic/digest/form/certificate
    • security roles
    • security constraints
      – URL constraints
      – authentication constraints
      – data (transport) constraint
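As an added example (not from the slides), the five annotations from the previous slide and the security constraints from this one expressed in Java: @ServletSecurity is the annotation form of a web.xml security-constraint (URL, authentication and transport constraint), while the realm, the login-config and the group-to-role mapping remain in web.xml and glassfish-web.xml as described above. Class, role and URL names are assumed.

```java
// Added example (not from the slides): declarative container-managed security.
// Two classes, normally in their own source files; OrderService is shown
// package-private only so the listing compiles as one file.
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// URL constraint (/admin/orders), authentication constraint (role admin) and
// data constraint (CONFIDENTIAL = HTTPS only) declared in one place.
@WebServlet("/admin/orders")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin",
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
public class AdminOrdersServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // the container has already authenticated and authorised the caller
        resp.getWriter().println("Hello " + req.getRemoteUser()
                + " (principal " + req.getUserPrincipal().getName() + ")");
    }
}

@Stateless
@DeclareRoles({"admin", "customer"})   // roles this bean refers to
@RunAs("admin")                         // onward calls from this bean carry the admin role
class OrderService {
    @RolesAllowed({"admin", "customer"})
    public String viewOrder(int id) { return "order " + id; }
    @RolesAllowed("admin")              // a customer caller gets an EJBAccessException
    public void refund(int id) { }
    @PermitAll                          // no authentication needed at all
    public String openingHours() { return "09:00-17:00"; }
    @DenyAll                            // callable by no role, even admin
    public void legacyExport() { }
}
```

Whether "admin" here maps to a group in a file realm or a database realm is decided entirely by the container configuration, which is what lets the same application be deployed against different credential stores.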
Accessing a Java EE application
(slides 22 to 26 are diagrams only; no text in the transcript)