WEB2P security
Java web application security
Dr Jim Briggs
What is security?
• Usually ensuring that only authorised users can access specific parts of a website
• Security has two basic concepts:
  – authentication: who is it?
  – authorisation: what can they do?
Categories of security mechanism
• Container-managed (e.g. Tomcat)
  – Specified as part of the Java Servlet Specification
  – However, the implementation is container specific (and therefore not necessarily portable between containers)
• Application-managed
  – Independent of the container
  – However, you have to write the code yourself (or use some other mechanism)
HTTP authentication
• HTTP provides for authentication - see RFC 2617
• Operates on a challenge/response paradigm:
  – Server receives a request for an access-protected object
  – Server responds with a "401 Unauthorized" status code
  – Client must then resend the request with an Authorization header
  – Most browsers will prompt the user for a username and password
• Most browsers cache this for the duration of the browser session
• Some will allow the user to save it between sessions
• Distinction between Basic Authentication and Digest Authentication:
  – Basic passes usernames and passwords in clear text (actually in Base64 format, but this is easily decoded)
  – Digest scrambles the password by sending a checksum (by default, MD5) of the username, the password, a given nonce value, the HTTP method, and the requested URI. The nonce value is sent by the server with the 401 response.
• Realm is the zone of security
  – Effectively the store against which credentials are checked
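The Basic and Digest mechanics described on this slide, as an added example that is not part of the original slides: the RFC 2617 checksum computed on the client side and recomputed on the server side, with constructed credentials, realm and nonce (no qop, MD5 as the default algorithm).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class DigestAuthDemo {
    // RFC 2617 H(data) with the default algorithm, MD5, rendered as lowercase hex
    static String md5Hex(String data) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5").digest(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    // HA1 = H(username ":" realm ":" password) is the only term holding the secret,
    // so a server can store HA1 per user instead of the clear-text password.
    static String ha1(String user, String realm, String password) throws Exception {
        return md5Hex(user + ":" + realm + ":" + password);
    }

    // response = H(HA1 ":" nonce ":" H(method ":" uri))   (RFC 2617 without qop)
    static String response(String ha1, String nonce, String method, String uri) throws Exception {
        return md5Hex(ha1 + ":" + nonce + ":" + md5Hex(method + ":" + uri));
    }

    // Nonce the server sends with its 401 challenge; a real server also expires it
    static String newNonce() {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        String realm = "WEB2P", user = "alice", password = "s3cret";   // constructed values
        String method = "GET", uri = "/admin/index.jsp";
        // Basic puts only Base64("user:password") on the wire, which anyone can reverse
        String basic = Base64.getEncoder().encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
        System.out.println("Basic " + basic + " -> " + new String(Base64.getDecoder().decode(basic), StandardCharsets.UTF_8));
        // Digest: the server challenges with a nonce, the client answers with the checksum
        String nonce = newNonce();
        String clientResponse = response(ha1(user, realm, password), nonce, method, uri);
        // The server recomputes from its stored HA1 and the request it actually received
        String storedHa1 = ha1(user, realm, password);
        String expected = response(storedHa1, nonce, method, uri);
        boolean verified = MessageDigest.isEqual(clientResponse.getBytes(StandardCharsets.UTF_8),
                                                 expected.getBytes(StandardCharsets.UTF_8));
        // Method and URI are inside the checksum, so it does not authorise a different request
        boolean reusable = clientResponse.equals(response(storedHa1, nonce, "POST", "/admin/delete"));
        System.out.println("verified=" + verified + " reusableForOtherRequest=" + reusable);
    }
}
```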
Mechanisms for securing Java web applications
• Fundamentals
• Container-managed techniques
• Application-managed techniques
• Mix and match
Fundamentals
• HTTP authentication
• Secure Sockets Layer (SSL)
• HTTP over SSL (HTTPS)
  – See how to set this up in Apache
  – See how to set this up in Tomcat
  – Unlikely to need the latter if using Tomcat as an auxiliary server (especially via AJP)
Container-managed security
• Security constraints in web.xml file
  – Authentication
  – Authorization
  – Secure transport
Authentication
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/fail_login.html</form-error-page>
  </form-login-config>
</login-config>
Authorization
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>private</role-name>
  </auth-constraint>
</security-constraint>
Secure transport
<security-constraint>
  ...
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Authentication methods
• Basic - uses HTTP Basic Authentication
• Digest - uses HTTP Digest Authentication
• Form - presents a login form to the user
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>
• Client certificate - requires a digital certificate from the client
Tomcat realms
• MemoryRealm
  – a file (tomcat-users.xml) in the TOMCAT/conf directory
• JDBCRealm
  – specify tables and columns of a database that contain usernames, passwords and roles
• DataSourceRealm
  – similar, but using a JNDI-named DataSource rather than a specific JDBC driver
• JNDIRealm
  – looks up users in an LDAP directory server accessed by a JNDI provider
• JAASRealm
  – authenticates users through the Java Authentication & Authorization Service (JAAS) framework
Application-managed security 1
• Request properties:
  – request.getRemoteUser()
  – request.getUserPrincipal()
  – request.isUserInRole(role)
• Use session attributes to store the user's identity
• Use cookies to store username and password (can be persistent between browser sessions)
Application-managed security 2
• Use a security filter
• Use a base servlet
• Use a custom JSP tag
  – forward the request to a login page if the user is not logged in or does not have authorisation
• Struts facilities:
  – Use Struts roles (each action has a roles attribute)
  – Customise the Struts RequestProcessor
    • specifically the method processPreprocess
  – Use a Struts Base Action
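A security filter of the kind the slide describes, as an added example that is not from the slides or from any named project: it forwards unauthenticated requests to a login page and refuses /admin/* to sessions lacking the "private" role, mirroring the web.xml constraint shown earlier. The session attribute names "user" and "roles", the /login.jsp location and the javax.servlet (pre-Jakarta) API are assumptions; the filter is mapped in web.xml with a <filter-mapping> on the url-pattern /*.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class LoginFilter implements Filter {
    static final String LOGIN_PAGE = "/login.jsp"; // assumed location of the login form
    static final String USER_ATTR = "user";        // assumed session attribute set at login
    static final String ROLES_ATTR = "roles";      // assumed Set<String> of the user's roles
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path within the web application, so the rule does not depend on the context name
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals(LOGIN_PAGE)) {   // the login page itself must stay reachable
            chain.doFilter(request, response);
            return;
        }
        // getSession(false) avoids creating sessions for anonymous requests
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            // Not authenticated: hand the request to the login page instead of the target
            request.getRequestDispatcher(LOGIN_PAGE).forward(request, response);
            return;
        }
        // Authorisation: /admin/* is reserved for the "private" role, as in the web.xml example
        if (path.startsWith("/admin/") && !hasRole(session, "private")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
    @SuppressWarnings("unchecked")
    static boolean hasRole(HttpSession session, String role) {
        Object roles = session.getAttribute(ROLES_ATTR);
        return roles instanceof Set && ((Set<String>) roles).contains(role);
    }
}
```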
Mix and match
• Many of the techniques can be used in combination
• SecurityFilter (from Sourceforge.net) is an application-managed mechanism that mimics container-managed security