9/10/2011
1
JAVA-ORIENTED WEB PROGRAMMING
Lesson 18: Security techniques for Web applications
Lecturer: Trịnh Tuấn Đạt, MSc
Department of Software Engineering (Bộ môn Công nghệ Phần mềm)
Email: [email protected]/[email protected]
School of Information and Communication Technology
Hanoi University of Science and Technology
1DatTT-DSE-SOICT-HUST
Contents
1. General security issues
2. Security techniques and requirements in the Web tier
3. Authentication
3.1. HTTP basic authentication
3.2. Form-based authentication
3.3. Realm management
3.4. Protecting passwords in transit for Basic and Form-based authentication
3.5. Guidelines for setting up Web-tier security
3.6. Client authentication using certificate-based authentication

Contents (continued)
3.7. Digest authentication
3.8. Programmatic authentication
4. Authorization
4.1. Declarative access control in the Web tier
4.2. Programmatic access control in the Web tier

1. General security issues

General security issues
Authentication
  Ensures that a user really is who he claims to be
Authorization (access control)
  Ensures that only users with the right permissions can access a resource
  The user must be authenticated first
Confidentiality (privacy)
  Protects data from eavesdroppers and snoopers while it is in transit

2. Security techniques and requirements in the Web tier

Security requirements in the Web tier
Prevent unauthenticated users from accessing access-controlled resources
  If an unauthenticated user tries to access an access-controlled web resource, the web container automatically requires the user to authenticate first
  Once the user is authenticated, the web container (and/or the web components) applies access control
Prevent attackers from altering or reading sensitive data in transit
  Data can be protected with SSL

Web-tier security techniques focus on: Authentication
Obtaining the identity information of the end user
  Through the browser interface
  The user's identity information consists of a username and a password
  This is called logging in
Transmitting the obtained identity information to the web server
  Insecurely (HTTP) or securely (HTTP over SSL)

Web-tier security techniques focus on: Authentication (2)
Checking the identity against the security database
  The web container checks whether the user's identity matches an identity in the security database behind it
  The security database is also called a realm
  Realms store and maintain usernames, passwords, roles, ...
  How realms are organized and managed depends on the product and the environment
    LDAP, RDBMS, flat file, Solaris PAM, Windows AD

Web-tier security techniques focus on: Authentication (3)
The web container keeps track of authenticated users across subsequent HTTP operations
  Using the stored session state, the web container knows whether the user sending an HTTP request has already been authenticated
  The web container also creates an HttpServletRequest object for each incoming HTTP request
  The HttpServletRequest object carries the security-context information: principal, role, username

Web-tier security techniques focus on: Access control
Access control
  Developers and application deployers specify access control for web resources
  Using declarative and/or programmatic access control

Web-tier security techniques focus on: Data confidentiality
Data confidentiality
  Provides confidentiality for sensitive data in transit
  Between the browser and the web server
  Example: credit card number
  Uses SSL

Web-tier authentication techniques
HTTP basic authentication
  With or without SSL
Form-based authentication
  With or without SSL
Client-certificate authentication
  Must use SSL
Digest authentication
  Does not require SSL

3.1. HTTP basic authentication

HTTP Basic Authentication
The web server collects the user's identity information (user name and password) through a dialog box in the browser
Not secure, because the user name and password are easily decodable in transit
  The encoding is Base64
  Anyone can easily decode it
  It is not encrypted
  SSL is needed to encrypt the password

Steps to set up Basic Authentication
Set up usernames, passwords, and roles (realms)
Tell the web container that the technique in use is Basic authentication
Specify which URLs (web resources) are access-controlled (password-protected)
Specify which URLs are served only over SSL (data integrity and confidentiality protected)

Step 1: Set up usernames, passwords, and roles (realms)
The schemes, APIs, and tools for setting up usernames, passwords and roles (realms) depend on the web container and the operational environment
  Flat-file based, database, LDAP server
Passwords may be stored in encrypted form or not
Tomcat 4.0 can work with the following realm types
  Default: file, in unencrypted form
  Relational database (via JDBCRealm)
  LDAP server (via LDAPRealm)

Example: the Tomcat default
/config/tomcat-users.xml
Unencrypted form: not secure, but easy to set up and maintain

Step 2: Tell the web container to use Basic authentication
In the application's web.xml file:
  ...
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>realm name</realm-name>
  </login-config>
  ...

Step 3: Specify the access-controlled URLs
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/loadpricelist</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  ...

Step 4: Specify the resources (URLs) that require SSL
The <user-data-constraint> of the same <security-constraint> does this:
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/loadpricelist</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  ...

3.2. Form-based authentication

Form-based Authentication
The Web application collects the user's identity information (user name, password, and other data) through an ordinary login page
Not secure, because the user name and password are easily decodable in transit
  The encoding is Base64
  Anyone can easily decode it
  It is not encrypted
  SSL is needed to encrypt the password

Control flow
1. Request made by the client
2. Is the client authenticated?
3. Unauthenticated client is redirected
4. Login form returned to the client
5. Client submits the login form
6. Authentication: login succeeded, redirected to the resource
7. Authorization: permission tested, result returned
8. Login failed, redirect to the error page
9. Error page returned to the client
[Figure: form-based login flow between the client, the protected resource, Login.jsp, j_security_check and Error.html (the login-form page and the error page); the numbered arrows 1 to 9 correspond to the steps above]

Steps to set up Form-based Authentication
Set up usernames, passwords, and roles (realms)
Tell the web container that the technique in use is Form-based authentication
Create the login page
Create the login-failure error page
Specify which URLs (web resources) are access-controlled (password-protected)
Specify which URLs are served only over SSL (data integrity and confidentiality protected)

Step 1: Set up usernames, passwords, and roles (realms)
As in Basic authentication

Step 2: Tell the web container to use Form-based authentication
In the application's web.xml file:
  ...
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>realm name</realm-name>
  </login-config>
  ...

Step 3: Create the login page
Can be an HTML or a JSP page
Contains the HTML login form

Step 4: Create the login-failure page
Can be an HTML or a JSP page
Any content

Step 5: Specify which URLs are access-controlled (as in Basic Auth)
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/loadpricelist</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>executive</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
  ...

Step 6: Specify the resources (URLs) that require SSL (as in Basic Auth)
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/loadpricelist</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
  ...

Basic vs. Form-based Authentication
Basic:
  Uses the browser-provided dialog box to get the username and password
  Only a username and password can be collected
  Might result in a different look and feel
  The HTTP authentication header is used to convey the username and password
  No good way to enter a new user name
Form-based:
  Uses a login page provided by the web application to get the username and password
  Custom data can be collected
  Can enforce a consistent look and feel
  Form data is used to convey the username and password
  A new user name can be entered via the login page

3.3. Realm management

Realm management
Manages the users' identity information
  username, password, roles, ...
  In encrypted form or not
Depends on the container and its operational environment
  Tomcat: flat-file based, RDBMS, LDAP
  GlassFish App Server

Security Roles
Security roles are used for access control (both declarative and programmatic)
They are abstract roles, unrelated to the operating system's usernames, passwords and groups
When the application is deployed, the abstract security roles must be mapped to the operating system's actual usernames, passwords and groups
In practice, an external security realm database (e.g. LDAP) can serve both the Web application and the operating system

Example: the Tomcat default
/config/tomcat-users.xml
Unencrypted form: not secure, but easy to set up and maintain

The Tomcat default
The flat-file based realm is stored in
  /config/tomcat-users.xml
It can be changed in 2 ways
  Manually
  With the admin tool (admintool)

Example: Tomcat's admin tool
[screenshot]

GlassFish Admin Console
[screenshot]

3.4. Protecting passwords in transit for Basic and Form-based authentication

Protecting passwords
With Basic and Form-based authentication, unless explicitly specified otherwise, the password is transmitted in unencrypted form (Base64)
Declare protection for the password just like for any other data:
  If the value CONFIDENTIAL or INTEGRAL is chosen in <transport-guarantee> (a child of <user-data-constraint>),
  this constraint is applied to every request
  matching the URL patterns defined in <web-resource-collection> (not only at login),
  i.e. SSL is used

Note: the SSL protection applies to all transmitted data, including the password
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/loadpricelist</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
  ...

3.5. Guidelines for setting up Web-tier security

Switching between SSL and non-SSL for Web resources
Once switched to SSL mode, do not accept non-SSL requests within the same session
  Because the session ID is not encrypted, an impostor who captures it could perform transactions involving sensitive data (e.g. a credit card number)
Use a servlet filter to reject all non-SSL requests

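The servlet filter the slide asks for, written here as an added example (it is not code from the lecture or from the moreservlets demo). The class name and the session-attribute name are assumptions, and it targets the javax.servlet API of the Tomcat generation the slides use (the package is jakarta.servlet in newer containers). Beyond plain rejection it also invalidates a session whose ID has just crossed the network in the clear, which is the risk the slide describes:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not part of the lecture: mapped in web.xml (via <filter> and
// <filter-mapping>) to the URL patterns that carry sensitive data, it refuses
// any request that did not arrive over SSL. If that request carried a session
// that had already been used over SSL, the session is invalidated as well,
// because its ID has now been exposed to anyone watching the wire.
public class RequireSslFilter implements Filter {

    // Session attribute name (assumed) marking a session that has been used over SSL
    static final String USED_OVER_SSL = "RequireSslFilter.usedOverSsl";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): never create a session for a request we may reject
        HttpSession session = request.getSession(false);

        if (request.isSecure()) {
            // SSL request: remember that this session's ID has so far only travelled encrypted
            if (session != null) {
                session.setAttribute(USED_OVER_SSL, Boolean.TRUE);
            }
            chain.doFilter(req, res);
            return;
        }

        // Plain HTTP request to a protected resource
        if (session != null && Boolean.TRUE.equals(session.getAttribute(USED_OVER_SSL))) {
            // The session ID just crossed the network unencrypted: treat it as compromised
            session.invalidate();
        }
        // Reject rather than serve; the client has to come back (and log in again) over HTTPS
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL is required for this resource");
    }

    public void destroy() {
        // nothing to release
    }
}
```

The <transport-guarantee>CONFIDENTIAL</transport-guarantee> declaration of the previous section makes the container redirect a plain request to HTTPS, but it does not invalidate the session whose ID that request carried; this filter closes that gap. One caveat when deploying it: request.isSecure() reflects the connector the request arrived on, so behind a TLS-terminating proxy the container must be configured to trust the proxy's forwarded-protocol header (Tomcat's RemoteIpValve does this), otherwise every request looks non-SSL and is refused.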
SSL is expensive
Use SSL only for the Web resources that need security

Demo example:
Download the source code from:
  http://archive.moreservlets.com/Chapter7.html
2 examples, using Basic Auth and Form-based Auth
  hotdotcom-internal.war
  hotdotcom.war
Add the appropriate usernames and roles (the ones used in the code) to the Tomcat environment (tomcat-users.xml)
Restart Tomcat

Basic Authentication Demo
hotdotcom-internal.war
  Financial plan page: for all employees
  Business plan page: for all executives
  Employee compensation plan: available to all employees
Try accessing an access-controlled page
  Try entering a fake username and password
  Try entering a correct username and password of a user who has no access permission (no suitable role)

Basic Authentication Demo
[screenshot]
http://archive.moreservlets.com/Chapter7.html

Accessing an access-controlled page with a fake username
[screenshot]

Accessing access-controlled pages with a correct account
[screenshot]

Form-based Authentication
[screenshot]

Custom login page
[screenshot]

Custom error page
[screenshot]

3.6. Client authentication using certificate-based authentication

Why certificate-based authentication?
Username/password authentication cannot be used for program-to-program authentication
Certificates can be used to identify end users, commercial organizations, servers, or software entities
A username/password pair does not provide sufficient trust
A certificate can carry much more than a username and a password

Certificate-based authentication
Client authentication
  The server verifies the client's identity
Server authentication
  The client verifies the server's identity
  Performed transparently within the SSL communication between the browser and the web server
Mutual authentication
  Both the server and the client verify each other's identity

Certificate format
The standard certificate format is X.509
X.509 only specifies the format of the certificate; it does not specify how certificates are exchanged
SSL specifies how certificates are exchanged

Client authentication using certificate-based authentication
The client is authenticated by sending its client certificate to the Web server
When the server also authenticates itself to the client, this is called mutual authentication
Every client (browser) must have its own certificate
  Therefore it is not as widespread as Basic and Form-based authentication
Uses SSL for HTTP (HTTPS)

Tell the web container to use Client-Cert authentication
In the application's web.xml file
  ...
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>realm name</realm-name>
  </login-config>
  ...

3.7. Digest Authentication

Digest Authentication
The user name and password are converted to digested form before being sent to the server
  The original password cannot be recovered from the digested password
  Changing even 1 bit of the original password changes the digested value
  So the user name and password are not exposed in transit, even without an SSL connection
The server compares the received digested value with the value it holds; if they match, authentication succeeds

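The arithmetic behind the slide, as an added example rather than code from the lecture: the client derives the digest response from the password and the server's nonce, and the server recomputes it from a stored HA1 = MD5(user:realm:password), which is what Tomcat keeps when a realm is configured for digested passwords. The realm, user, password, nonce and URI values below are constructed for the demonstration; it follows RFC 2617 with qop=auth and runs on the plain JDK:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not part of the lecture: Digest authentication (RFC 2617, qop=auth)
// computed on both sides of the exchange, with constructed sample values.
public class DigestAuthDemo {

    // MD5 of a string as the lowercase hex the Digest scheme uses
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // MD5 is always available in the JDK
        }
    }

    // HA1 = MD5(username:realm:password): the only credential the server needs to store
    static String ha1(String user, String realm, String password) {
        return md5Hex(user + ":" + realm + ":" + password);
    }

    // response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)
    static String response(String ha1, String nonce, String nc, String cnonce,
                           String qop, String method, String uri) {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Server side: recompute from the stored HA1 and compare without an early exit
    static boolean verify(String storedHa1, String nonce, String nc, String cnonce,
                          String qop, String method, String uri, String clientResponse) {
        String expected = response(storedHa1, nonce, nc, cnonce, qop, method, uri);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     clientResponse.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample values; a real server issues a fresh random nonce in every challenge
        String realm = "pricelist", user = "alice", password = "s3cret";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String cnonce = "0a4f113b", nc = "00000001", qop = "auth";
        String method = "GET", uri = "/loadpricelist";

        // Client: only this response value travels over the network, never the password
        String clientResponse = response(ha1(user, realm, password), nonce, nc, cnonce, qop, method, uri);

        // Server: holds HA1 only (the realm's digested password form)
        String storedHa1 = ha1(user, realm, password);
        System.out.println("response on the wire:     " + clientResponse);
        System.out.println("verified:                 "
                + verify(storedHa1, nonce, nc, cnonce, qop, method, uri, clientResponse));

        // A password differing in a single bit ('t' 0x74 -> 'u' 0x75) gives an unrelated response
        String flipped = response(ha1(user, realm, "s3creu"), nonce, nc, cnonce, qop, method, uri);
        System.out.println("one-bit change accepted:  "
                + verify(storedHa1, nonce, nc, cnonce, qop, method, uri, flipped));

        // Replaying a captured response fails as soon as the server has issued a different nonce
        System.out.println("replay under a new nonce: "
                + verify(storedHa1, "5f8a3c1e0b7d", nc, cnonce, qop, method, uri, clientResponse));
    }
}
```

Two caveats a deployer should keep in mind. The stored HA1 is password-equivalent for that realm (anyone who reads tomcat-users.xml can compute valid responses), so digested storage protects the password in transit, not the realm file. And Digest authentication hides only the credentials: the request and response bodies still travel in the clear, so the CONFIDENTIAL transport guarantee is still needed for data such as a credit card number.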
Tell the web container to use Digest authentication
In the application's web.xml file
  ...
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>realm name</realm-name>
  </login-config>
  ...

3.8. Programmatic authentication in the Web tier

Programmatic authentication in the Web tier
The Web application can perform the authentication itself
More customizable (but usually brings little benefit)
Rarely used in practice

Steps
Check whether an Authorization header is present
  If so: decode the username and password (Base64-encoded) and check the username/password pair
    If correct, proceed with access control
      If the user is allowed access, return the requested page
      If not, return an appropriate notice page
  If not (authentication has not succeeded), ask for the username and password again

Check whether the authentication header is present
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Check if the Authorization header is present in the
    // HttpServletRequest. If not, ask for it.
    String authorization = request.getHeader("Authorization");
    if (authorization == null) {
        askForPassword(response);
    } else {
        ...

Decode the username and password
    if (authorization == null) {
        askForPassword(response);
    } else {
        // Skip the "Basic " prefix (6 characters) to get the Base64 payload
        String userInfo = authorization.substring(6).trim();
        // java.util.Base64 replaces the non-public sun.misc.BASE64Decoder of the original
        String nameAndPassword =
            new String(Base64.getDecoder().decode(userInfo), StandardCharsets.UTF_8);
        // Credentials are "username:password"; split at the colon
        int index = nameAndPassword.indexOf(":");
        String user = nameAndPassword.substring(0, index);
        String password = nameAndPassword.substring(index + 1);
        ...

If successful, return the requested page; otherwise ask for a new username and password
    if (authorization == null) {
        askForPassword(response);
    } else {
        ...
        // If authentication succeeds, return the page.
        // Otherwise, ask for the correct username and password.
        // areEqualReversed is the demo's own credential check, defined elsewhere in the demo.
        if (areEqualReversed(user, password)) {
            showStock(request, response);
        } else {
            askForPassword(response);
        }
    }
}

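The decoding step above takes the header apart with a fixed substring(6) and the first ":" it finds, and it passes anything malformed straight to the Base64 decoder. The class below is an added example (not code from the lecture or from the moreservlets demo; its class and method names are assumptions) that handles the cases a real client can send: a missing header, another scheme, the scheme name in lower case, invalid Base64, a payload without a separator, and a password that itself contains colons. It also compares passwords without an early exit and builds the WWW-Authenticate challenge that askForPassword would send with a 401. It runs on the plain JDK:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

// Added example, not part of the lecture: defensive parsing of the
// "Authorization: Basic ..." header for a programmatic-authentication servlet.
public final class BasicCredentials {
    public final String username;
    public final String password;

    private BasicCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Empty when the header is missing, uses another scheme, is not valid Base64,
    // or decodes to something without a ':' separator. The caller then sends a 401.
    public static Optional<BasicCredentials> parse(String header) {
        if (header == null) {
            return Optional.empty();
        }
        String[] parts = header.trim().split("\\s+", 2);
        // The scheme name is case-insensitive (RFC 7617), so "basic" is valid too
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed Base64 means "no credentials", not a 500
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        // Split at the FIRST colon: a username may not contain ':', but a password may
        return Optional.of(new BasicCredentials(userPass.substring(0, colon),
                                                userPass.substring(colon + 1)));
    }

    // Comparison without an early exit, so response time does not reveal how many
    // leading characters of the supplied password were right (a length mismatch still
    // returns false immediately, which is acceptable here)
    public static boolean passwordMatches(String supplied, String expected) {
        return MessageDigest.isEqual(supplied.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    // Value of the WWW-Authenticate header that accompanies the 401 asking for credentials
    public static String challenge(String realm) {
        return "Basic realm=\"" + realm + "\", charset=\"UTF-8\"";
    }

    public static void main(String[] args) {
        // Constructed sample headers covering the cases a servlet actually receives
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("alice:pa:ss:word".getBytes(StandardCharsets.UTF_8));
        String[] samples = {
            good,
            "basic " + good.substring(6),
            "Bearer abc.def.ghi",
            "Basic %%%notbase64",
            "Basic " + Base64.getEncoder().encodeToString("nocolon".getBytes(StandardCharsets.UTF_8)),
            null
        };
        for (String h : samples) {
            Optional<BasicCredentials> c = parse(h);
            System.out.println(h + " -> " + (c.isPresent()
                    ? "user=" + c.get().username + " password=" + c.get().password
                    : "rejected; respond 401 with WWW-Authenticate: " + challenge("pricelist")));
        }
        System.out.println("password check: "
                + passwordMatches(parse(good).get().password, "pa:ss:word"));
    }
}
```

In the servlet, askForPassword becomes response.setHeader("WWW-Authenticate", BasicCredentials.challenge(realm)) followed by response.sendError(HttpServletResponse.SC_UNAUTHORIZED). passwordMatches is written for the demo's style of in-code check; a real application would store a salted password hash in the realm and compare hashes, never clear-text passwords.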
4. Authorization (access control)

4 kinds of authorization (access control) in J2EE
Web tier and EJB tier
  Can be used together
Declarative and programmatic
The 4 kinds:
  Declarative access control in the Web tier
  Programmatic access control in the Web tier
  Declarative access control in the EJB tier
  Programmatic access control in the EJB tier

Web-tier vs. EJB-tier
(D): Declarative, (P): Programmatic access control
Web-tier:
  (D) Access control to Web resources
  (D) Declared in web.xml
  (D) Enforced by the web container
  (P) Coded in a servlet or JSP
EJB-tier:
  (D) Access control to bean methods
  (D) Declared in the EJB deployment descriptor
  (D) Enforced by the EJB container
  (P) Coded in the EJB bean

Declarative vs. Programmatic
Declarative:
  Access control is declared in the deployment descriptor
  The container handles access control
  Does not handle fine-grained access control; it is an all-or-nothing deal
Programmatic:
  Access control is coded in your program
  Your code handles access control
  Can handle fine-grained access control, i.e. instance-based or business-logic-based access control

4.1. Declarative access control in the Web tier

Steps for declarative access control in the Web tier
The deployer maps real user identities to security roles (e.g. /config/tomcat-users.xml)
The deployer declares the security roles in web.xml
The deployer declares the URL permissions for each security role in web.xml
(presented in the previous section!)

4.2. Programmatic access control in the Web tier

Declarative and programmatic access control
Usually used together
Declarative: role-based access control
Programmatic: access control per individual user and based on business logic
  User instance
  Time of day
  Request parameters
  Internal state of the web components

Steps for programmatic access control in the Web tier
Set up usernames, passwords, and roles (realms)
The developer writes the servlet code that handles the access-control logic, using abstract security roles
In web.xml, the deployer maps the abstract security roles to the real roles (e.g. Tomcat has flat-file based, RDBMS, LDAP realms)

Step 2: The developer writes the servlet code that handles access control
public interface javax.servlet.http.HttpServletRequest {
    ...
    // Find out who is accessing your web resource
    public java.security.Principal getUserPrincipal();
    public String getRemoteUser();
    // Is the caller in a particular role?
    public boolean isUserInRole(String role);
    ...
}

Example: employees may only access their own salary information
public double getSalary(String employeeId) {
    java.security.Principal userPrincipal = request.getUserPrincipal();
    // getUserPrincipal() is null when the caller has not authenticated
    if (userPrincipal == null) {
        throw new SecurityException("not authenticated");
    }
    String callerId = userPrincipal.getName();
    // The manager role can read any employee's salary information;
    // an employee can read only his/her own salary information.
    // Compare strings with equals(), not ==.
    if (request.isUserInRole("manager") ||
        (request.isUserInRole("employee") && callerId.equals(employeeId))) {
        // Return the salary information for the employee
        return getSalaryInformationSomehow(employeeId);
    } else {
        throw new SecurityException("access denied");
    }
}

Step 3: The deployer maps the abstract security roles to the real roles
In web.xml, the role name used in the code ("manager") is linked to the deployed role:
  ...
  <servlet>
    ...
    <security-role-ref>
      <role-name>manager</role-name>
      <role-link>managerOfAcme</role-link>
    </security-role-ref>
    ...
  </servlet>
  ...