web application security
DESCRIPTION
Web Application Security. There are three main security concerns your web apps need to address. Impersonation A client pretends to be someone else in order to gain access to your site Your site needs to authenticate clients to prevent this Upgrading - PowerPoint PPT PresentationTRANSCRIPT
SE-2840 Dr. Mark L. Hornick 1
Web Application Security
There are three main security concerns your web apps need to address
Eavesdropping A third-party gains access to confidential information
exchanged between your site and a valid user Your site needs to encrypt communication to prevent this
Impersonation A client pretends to be someone else in order to gain
access to your site Your site needs to authenticate clients to prevent this
Upgrading A client gains access to restricted aspects of your web app
The client may be authenticated, but not authorized Your site needs to authorize clients to access privileged
information
SE-2840 Dr. Mark L. Hornick 2
Don’t try to implement security yourself You are unlikely to get it right unless you are
an absolute expert
Leave it to experts and use well-accepted approaches
CS-4220 Dr. Mark L. Hornick 3
All of these can be managed via the Deployment Descriptor
SE-2840 Dr. Mark L. Hornick 4
Tomcat incorporates a declarative security model that requires no changes to your Servlets or pages
Tomcat itself handles Authentication, Authorization, and Data Encryption
Types of Encryption One-way hash
Data can be encrypted, but not unencrypted
Asymmetric keys Data encrypted with a public key can only be decrypted with a private
key, and vice-versa Computationally intensive
Symmetric keys Encryption and decryption use the same key Computationally simpler
CS-4220 Dr. Mark L. Hornick 5
“Hello” 7sdf08df7sdlf0d98s230d
“Hello” sdfs09deo0e93“Hello”
9sd8sas09dd89
“Hello” 65kl54jdo48xd “Hello”
Encrypting the transport of data ensures that sensitive data (eg. passwords) will not be viewable during transmission either to or from the server
SE-2840 Dr. Mark L. Hornick 6
<?xml version="1.0" encoding="UTF-8"?><web-app><!-- This section declares specific resources whose access is to be constrained
by the Tomcat security manager.-->
<security-constraint><!– Here is where the restricted resources are specified (1 to many)-->
<web-resource-collection> <!– “SecuredPages” is just an arbitrary identifier --> <web-resource-name>SecuredPages</web-resource-name> <!– The constrained resources for this collection: --> <url-pattern>/MyApp/somepage.html</url-pattern> <url-pattern>/MyApp/page2.jsp</url-pattern> <url-pattern>/MyApp/myServlet</url-pattern></web-resource-collection>
<!-- This specifies that the browser and server establish an encryptedConnection for exchanging request and response data --> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint>
... <!– More resource collections can be added here… --></security-constraint>
<!-- Additional security constraint sections can be added here --></web-app>
The default transport is NONE
SSL Encryption requires the exchange of keys between the browser and server The browser asks the server for its public key The server delivers the public key enclosed in a certificate that
contains the server’s information The browser checks to see if the certificate is valid by consulting a
root certificate authority The user is given a chance to intervene
Simplified: The browser accepts the certificate and the server’s enclosed public key, generates a “secret” and sends the secret to the server, encrypted with the server’s public key
The server decrypts the secret with its private key The shared secret is used to encrypt subsequent exchanged
messages The secret is discarded at the end of the session
CS-4220 Dr. Mark L. Hornick 7
The server.xml file contains configuration specifications for Tomcat operation, including enabling HTTPS (SSL):
SE-2840 Dr. Mark L. Hornick 8
<!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using
APR, the connector should be using the OpenSSL style
configuration described in the APR documentation --> <!-- uncommented by MLH --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile=“C:/Apache/keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" /> <!-- uncommented by MLH -->
Note: the blue text is (usually) already in this file, although commentedout. I rearranged the comments and added the green line that specifiesthe file containing the generated Certificate.
Key generation Demo
SE-2840 Dr. Mark L. Hornick 9
Generating a certificate(See http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html)
SE-2840 Dr. Mark L. Hornick 10
Note: When prompted for the password, I entered “changeit”
CS-4220 Dr. Mark L. Hornick 11
CS-4220 Dr. Mark L. Hornick 12
SE-2840 Dr. Mark L. Hornick 13
<?xml version="1.0" encoding="UTF-8"?><web-app>
<!– Here is where the authorized roles are defined. --> <security-role>
<role-name>admin</role-name> </security-role><security-role>
<role-name>member</role-name></security-role>
<!-- This section declares specific resources to be accessible only by usersin certain roles (defined in the separate tomcat-users.xml file.
--> <security-constraint><!– Here is where the restricted resources are specified (1 to many)-->
<web-resource-collection> <!– “SecuredPages” is just an arbitrary identifier --> <web-resource-name>SecuredPages</web-resource-name> <!– The constrained resources (1 to many) for this collection: --> <url-pattern>/MyApp/admin.jsp</url-pattern> <url-pattern>/MyApp/manage.jsp</url-pattern></web-resource-collection>
... <!– more collections here… --><!– Here is where the authorized roles are specified. -->
<auth-constraint> <role-name>Admin</role-name> <role-name>Manager</role-name>...</auth-constraint>
</security-constraint></web-app>
Authorization allows a web app to restrict access to specific parts of an application
SE-2840 Dr. Mark L. Hornick 14
Authorization requires Authentication so that a web app can validate the identity of a client
SE-2840 Dr. Mark L. Hornick 15
<?xml version="1.0" encoding="UTF-8"?><web-app>
<security-role> <role-name>admin</role-name>
</security-role><security-role>
<role-name>member</role-name></security-role><security-constraint>
<web-resource-collection> <web-resource-name>SecuredPages</web-resource-name> <url-pattern>/MyApp/admin.jsp</url-pattern> <url-pattern>/MyApp/manage.jsp</url-pattern></web-resource-collection><auth-constraint> <role-name>admin</role-name> <role-name>manager</role-name></auth-constraint>
</security-constraint><!– When you specify a login-config, the container automatically supplies
a username/password prompt --> <login-config>
<auth-method>BASIC</auth-method></login-config>
</web-app>
The tomcat-users.xml file contains role, username, and password definitions:
SE-2840 Dr. Mark L. Hornick 16
<tomcat-users><!-- NOTE: By default, no user is included in the "manager" role required to operate the "/manager" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary.--><!-- NOTE: The sample user and role entries below are wrapped in a comment and thus are ignored when reading this file. Do not forget to remove <!.. ..> that surrounds them.--><!-- <role rolename="tomcat"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="role1" password="tomcat" roles="role1"/>-->
<role rolename="manager"/><role rolename="admin"/>
<role rolename="member"/> <user username="tomcat" password="tomcat" roles="manager,admin"/> <user username="mark" password="mlh" roles="member,manager"/></tomcat-users>
Tomcat-users.xml Demo
SE-2840 Dr. Mark L. Hornick 17
Basic login Demo
SE-2840 Dr. Mark L. Hornick 18
<?xml version="1.0" encoding="UTF-8"?><web-app>
<security-role> <role-name>admin</role-name>
</security-role><security-role>
<role-name>member</role-name></security-role><security-constraint>
<web-resource-collection> <web-resource-name>SecuredPages</web-resource-name> <url-pattern>/MyApp/admin.jsp</url-pattern> <url-pattern>/MyApp/manage.jsp</url-pattern></web-resource-collection><auth-constraint> <role-name>Admin</role-name> <role-name>Manager</role-name></auth-constraint>
<user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint><login-config> <auth-method>FORM</auth-method>
<form-login-config> <form-login-page>/autologin.html</form-login-page> <form-error-page>/autologinError.html</form-login-page></form-login-config>
</login-config></web-app>
You can define your own login page if you don’t like the default popup dialog:
SE-2840 Dr. Mark L. Hornick 19
<!DOCTYPE html ><html> <head> <meta charset=“ISO-8859-1"> <title>Login please</title> </head> <body> <form method="POST" action="j_security_check"> <p>username:</p> <input type="text" name="j_username"> <p>password:</p> <input type="password" name="j_password"> <input type="submit" value="Login"> </form> </body></html>
The login form must use the indicated action and input field names:
SE-2840 Dr. Mark L. Hornick 20