web application security

20
SE-2840 Dr. Mark L. Hornick 1 Web Application Security

Upload: chesna

Post on 22-Feb-2016

27 views

Category:

Documents


0 download

DESCRIPTION

Web Application Security. There are three main security concerns your web apps need to address. Impersonation A client pretends to be someone else in order to gain access to your site Your site needs to authenticate clients to prevent this Upgrading - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Web Application Security

SE-2840 Dr. Mark L. Hornick 1

Web Application Security

Page 2: Web Application Security

There are three main security concerns your web apps need to address

Eavesdropping A third-party gains access to confidential information

exchanged between your site and a valid user Your site needs to encrypt communication to prevent this

Impersonation A client pretends to be someone else in order to gain

access to your site Your site needs to authenticate clients to prevent this

Upgrading A client gains access to restricted aspects of your web app

The client may be authenticated, but not authorized Your site needs to authorize clients to access privileged

information

SE-2840 Dr. Mark L. Hornick 2

Page 3: Web Application Security

Don’t try to implement security yourself You are unlikely to get it right unless you are

an absolute expert

Leave it to experts and use well-accepted approaches

CS-4220 Dr. Mark L. Hornick 3

Page 4: Web Application Security

All of these can be managed via the Deployment Descriptor

SE-2840 Dr. Mark L. Hornick 4

Tomcat incorporates a declarative security model that requires no changes to your Servlets or pages

Tomcat itself handles Authentication, Authorization, and Data Encryption

Page 5: Web Application Security

Types of Encryption One-way hash

Data can be encrypted, but not unencrypted

Asymmetric keys Data encrypted with a public key can only be decrypted with a private

key, and vice-versa Computationally intensive

Symmetric keys Encryption and decryption use the same key Computationally simpler

CS-4220 Dr. Mark L. Hornick 5

“Hello” 7sdf08df7sdlf0d98s230d

“Hello” sdfs09deo0e93“Hello”

9sd8sas09dd89

“Hello” 65kl54jdo48xd “Hello”

Page 6: Web Application Security

Encrypting the transport of data ensures that sensitive data (eg. passwords) will not be viewable during transmission either to or from the server

SE-2840 Dr. Mark L. Hornick 6

<?xml version="1.0" encoding="UTF-8"?><web-app><!-- This section declares specific resources whose access is to be constrained

by the Tomcat security manager.-->

<security-constraint><!– Here is where the restricted resources are specified (1 to many)-->

<web-resource-collection> <!– “SecuredPages” is just an arbitrary identifier --> <web-resource-name>SecuredPages</web-resource-name> <!– The constrained resources for this collection: --> <url-pattern>/MyApp/somepage.html</url-pattern> <url-pattern>/MyApp/page2.jsp</url-pattern> <url-pattern>/MyApp/myServlet</url-pattern></web-resource-collection>

<!-- This specifies that the browser and server establish an encryptedConnection for exchanging request and response data --> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint>

... <!– More resource collections can be added here… --></security-constraint>

<!-- Additional security constraint sections can be added here --></web-app>

The default transport is NONE

Page 7: Web Application Security

SSL Encryption requires the exchange of keys between the browser and server The browser asks the server for its public key The server delivers the public key enclosed in a certificate that

contains the server’s information The browser checks to see if the certificate is valid by consulting a

root certificate authority The user is given a chance to intervene

Simplified: The browser accepts the certificate and the server’s enclosed public key, generates a “secret” and sends the secret to the server, encrypted with the server’s public key

The server decrypts the secret with its private key The shared secret is used to encrypt subsequent exchanged

messages The secret is discarded at the end of the session

CS-4220 Dr. Mark L. Hornick 7

Page 8: Web Application Security

The server.xml file contains configuration specifications for Tomcat operation, including enabling HTTPS (SSL):

SE-2840 Dr. Mark L. Hornick 8

<!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using

APR, the connector should be using the OpenSSL style

configuration described in the APR documentation --> <!-- uncommented by MLH --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile=“C:/Apache/keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" /> <!-- uncommented by MLH -->

Note: the blue text is (usually) already in this file, although commentedout. I rearranged the comments and added the green line that specifiesthe file containing the generated Certificate.

Page 9: Web Application Security

Key generation Demo

SE-2840 Dr. Mark L. Hornick 9

Page 10: Web Application Security

Generating a certificate(See http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html)

SE-2840 Dr. Mark L. Hornick 10

Note: When prompted for the password, I entered “changeit”

Page 11: Web Application Security

CS-4220 Dr. Mark L. Hornick 11

Page 12: Web Application Security

CS-4220 Dr. Mark L. Hornick 12

Page 13: Web Application Security

SE-2840 Dr. Mark L. Hornick 13

Page 14: Web Application Security

<?xml version="1.0" encoding="UTF-8"?><web-app>

<!– Here is where the authorized roles are defined. --> <security-role>

<role-name>admin</role-name> </security-role><security-role>

<role-name>member</role-name></security-role>

<!-- This section declares specific resources to be accessible only by usersin certain roles (defined in the separate tomcat-users.xml file.

--> <security-constraint><!– Here is where the restricted resources are specified (1 to many)-->

<web-resource-collection> <!– “SecuredPages” is just an arbitrary identifier --> <web-resource-name>SecuredPages</web-resource-name> <!– The constrained resources (1 to many) for this collection: --> <url-pattern>/MyApp/admin.jsp</url-pattern> <url-pattern>/MyApp/manage.jsp</url-pattern></web-resource-collection>

... <!– more collections here… --><!– Here is where the authorized roles are specified. -->

<auth-constraint> <role-name>Admin</role-name> <role-name>Manager</role-name>...</auth-constraint>

</security-constraint></web-app>

Authorization allows a web app to restrict access to specific parts of an application

SE-2840 Dr. Mark L. Hornick 14

Page 15: Web Application Security

Authorization requires Authentication so that a web app can validate the identity of a client

SE-2840 Dr. Mark L. Hornick 15

<?xml version="1.0" encoding="UTF-8"?><web-app>

<security-role> <role-name>admin</role-name>

</security-role><security-role>

<role-name>member</role-name></security-role><security-constraint>

<web-resource-collection> <web-resource-name>SecuredPages</web-resource-name> <url-pattern>/MyApp/admin.jsp</url-pattern> <url-pattern>/MyApp/manage.jsp</url-pattern></web-resource-collection><auth-constraint> <role-name>admin</role-name> <role-name>manager</role-name></auth-constraint>

</security-constraint><!– When you specify a login-config, the container automatically supplies

a username/password prompt --> <login-config>

<auth-method>BASIC</auth-method></login-config>

</web-app>

Page 16: Web Application Security

The tomcat-users.xml file contains role, username, and password definitions:

SE-2840 Dr. Mark L. Hornick 16

<tomcat-users><!-- NOTE: By default, no user is included in the "manager" role required to operate the "/manager" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary.--><!-- NOTE: The sample user and role entries below are wrapped in a comment and thus are ignored when reading this file. Do not forget to remove <!.. ..> that surrounds them.--><!-- <role rolename="tomcat"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="role1" password="tomcat" roles="role1"/>-->

<role rolename="manager"/><role rolename="admin"/>

<role rolename="member"/> <user username="tomcat" password="tomcat" roles="manager,admin"/> <user username="mark" password="mlh" roles="member,manager"/></tomcat-users>

Page 17: Web Application Security

Tomcat-users.xml Demo

SE-2840 Dr. Mark L. Hornick 17

Page 18: Web Application Security

Basic login Demo

SE-2840 Dr. Mark L. Hornick 18

Page 19: Web Application Security

<?xml version="1.0" encoding="UTF-8"?><web-app>

<security-role> <role-name>admin</role-name>

</security-role><security-role>

<role-name>member</role-name></security-role><security-constraint>

<web-resource-collection> <web-resource-name>SecuredPages</web-resource-name> <url-pattern>/MyApp/admin.jsp</url-pattern> <url-pattern>/MyApp/manage.jsp</url-pattern></web-resource-collection><auth-constraint> <role-name>Admin</role-name> <role-name>Manager</role-name></auth-constraint>

<user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee>

</user-data-constraint></security-constraint><login-config> <auth-method>FORM</auth-method>

<form-login-config> <form-login-page>/autologin.html</form-login-page> <form-error-page>/autologinError.html</form-login-page></form-login-config>

</login-config></web-app>

You can define your own login page if you don’t like the default popup dialog:

SE-2840 Dr. Mark L. Hornick 19

Page 20: Web Application Security

<!DOCTYPE html ><html> <head> <meta charset=“ISO-8859-1"> <title>Login please</title> </head> <body> <form method="POST" action="j_security_check"> <p>username:</p> <input type="text" name="j_username"> <p>password:</p> <input type="password" name="j_password"> <input type="submit" value="Login"> </form> </body></html>

The login form must use the indicated action and input field names:

SE-2840 Dr. Mark L. Hornick 20