Web Site Security - PowerPoint PPT Presentation

Web site security l.jpg
Download
1 / 67

  • 383 Views
  • Updated On :
  • Presentation posted in: Internet / Web

Web Site Security Representation and Management of Data on the Web We all know this page... Would we want all to know this page? Problem Want to restrict access to certain Web pages Must answer the following questions Which pages should be restricted? Who should access restricted pages?

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Web Site Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Web site security l.jpg

Web Site Security

Representation and Management of Data on the Web


We all know this page l.jpg

We all know this page...


Would we want all to know this page l.jpg

Would we want all to know this page?


Problem l.jpg

Problem

  • Want to restrict access to certain Web pages

  • Must answer the following questions

    • Which pages should be restricted?

    • Who should access restricted pages?

    • How should users be authenticated?

    • Should Authentication data be Encrypted?


Authentication methods l.jpg

Authentication Methods

  • Several security methods are used:

  • Declarative Security

    • Use security mechanisms provided by the server

    • BASIC and FORM-based will be discussed

  • Programmatic Security

    • Security is handled by the Web application programs


Declarative security l.jpg

Declarative Security

  • Advantage: Application programs (i.e. JSP and Servlets) do not have to do anything special

  • Advantage: security holes due to bugs are less probable

  • Disadvantage: Server specific process

  • Disadvantage: All or nothing security

    • users can or cannot see the page

    • sometimes, what we really want is the page content to be dependent on the user


Programmatic security l.jpg

Programmatic Security

  • Advantage: Not server specific

  • Advantage: Very flexible

  • Disadvantage: A lot of work to program + all Servlets and JSP have to cooperate for this to work

  • Disadvantage: Programmer's bugs may lead to security holes


Declarative security basic l.jpg

GET E.xsl

OK + Content

Declarative Security: BASIC

Realm A

/a/A.html

/a/B.jsp

Realm B

/b/C.css

E.xsl

/b/D.xml

F.xml


Declarative security basic9 l.jpg

GET /a/B.jsp

401 + Basic realm="A"

Declarative Security: BASIC

Realm A

/a/A.html

/a/B.jsp

Realm B

/b/C.css

E.xsl

/b/D.xml

F.xml


Declarative security basic10 l.jpg

GET /a/B.jsp + user:pass

OK + Content

Declarative Security: BASIC

Realm A

/a/A.html

/a/B.jsp

Realm B

/b/C.css

E.xsl

/b/D.xml

F.xml


Declarative security basic11 l.jpg

GET /a/A.html + user:pass

OK + Content

Declarative Security: BASIC

Realm A

/a/A.html

/a/B.jsp

Realm B

/b/C.css

E.xsl

/b/D.xml

F.xml


Declarative security basic12 l.jpg

Declarative Security: BASIC

  • To restrict a set of pages for certain users, the server designates a realm name for these pages and defines the authorized users (usernames and passwords)

  • When a page is requested without correct authentication information, the server returns a 401 (Unauthorized) response, with the "WWW-Authenticate" header like the following:

    WWW-Authenticate:Basic realm="realm-name"


Declarative security basic13 l.jpg

Declarative Security: BASIC

  • The browser then prompts the user for a username and a password, and sends them in the "Authorization" header:

    Authorization:Basicusername:password

  • The string username:password is trivially encoded (everyone can decode it...)

  • Through the session, the browser automatically sends the latter authorization header when requesting files under the latter request's directory or when asked to authenticate in the same realm

An Example


Basic method in tomcat l.jpg

BASIC method in Tomcat

  • Set up usernames, passwords and roles

  • Tell the server that your application is using BASIC authentication, and designate a realm name to the application

  • Specify which URLs should be restricted to which roles


1 defining usernames passwords and roles l.jpg

1. Defining Usernames, Passwords, and Roles

Define users, passwords and roles in the file

$CATALINA_BASE/conf/tomcat-users.xml

<tomcat-users>

<role rolename="special"/>

[more roles...]

<user username="snoopy" password="snoopass"

roles="special"/>

[more users...]

</tomcat-users>


2 tell the server to use basic security define a realm name l.jpg

2. Tell the Server to use BASIC Security + Define a Realm Name

Add to the application's web.xmlthe login method (BASIC) and your chosen realm name

<login-config>

<auth-method>BASIC</auth-method>

    <realm-name>Special Managers</realm-name>

</login-config>


3 define the restrictions in web xml l.jpg

3. Define the restrictions in web.xml

<security-constraint>

<web-resource-collection>

<web-resource-name>restricted one</web-resource-name>

<url-pattern>/restricted1/*</url-pattern>

</web-resource-collection>

<web-resource-collection>

<web-resource-name>restricted two</web-resource-name>

<url-pattern>/restricted2/*</url-pattern>

</web-resource-collection>


Slide18 l.jpg

<auth-constraint>

<role-name>special</role-name>

</auth-constraint>

</security-constraint>

<login-config>...</login-config>

<security-role>

<role-name>special</role-name>

</security-role>  


Custom error pages l.jpg

Custom Error Pages

  • The default 401-designated error page is returned with the unauthorized response of the server

  • A 401 page is not shown by the browser, unless

    • The user cancels the authentication

    • The page is returned without WWW-Authenticate

  • In Tomcat, you can define an application-specific error page, however the WWW-Authenticateheader must be added explicitly


A custom error page example l.jpg

A Custom Error Page Example

Add to the application's web.xml the following:

<error-page>

<error-code>401</error-code>

<location>/error401.jsp</location>

</error-page>


A custom error page example cont l.jpg

A Custom Error Page Example (cont)

error401.jsp

<% response.setHeader

("WWW-Authenticate",

"Basic realm=\"Special Managers\""); %>

<HTML> <HEAD> <TITLE>Unauthorized</TITLE> </HEAD>

<BODY bgcolor="yellow">

<CENTER>

<H1>Go away! You are not authorized!!</H1>

</CENTER>

</BODY>

</HTML>


Declarative security form l.jpg

Declarative Security: FORM

  • In the BASIC method, it is the browser's responsibility to get the login and password from its user, and to send it throughout the session

  • In the FORM method, this responsibility is the server's, while the browser is not aware of the fact that restricted pages are accessed


Declarative security form cont l.jpg

Declarative Security: FORM (cont)

  • In the first request to a restricted page, the server forwards the request to a login page

  • Using the form in the login page, the user submits its login and password to a special URL of the server, and the latter stores the information in the session object

  • On subsequent requests, the server checks the session to see if it contains suitable authentication, in which case the required page is returned


Add to web xml l.jpg

Add to web.xml

<login-config>

<auth-method>FORM</auth-method>

<form-login-config>

<form-login-page>/admin/login.jsp

</form-login-page>

<form-error-page>/admin/login-error.html

</form-error-page>

</form-login-config>

</login-config>


Create a login page l.jpg

Create A Login Page

myApp/admin/login.jsp

<HTML>

<HEAD><TITLE>Login</TITLE></HEAD>

<BODY BGCOLOR="yellow"><H1>Log In</H1>

<H2>Sorry, you must log in before accessing this resource.</H2>

<FORM ACTION="<%= response.encodeURL("j_security_check") %>" METHOD="POST">

<TABLE SUMMARY="login form">

<TR><TD>User name:<TD><INPUT TYPE="TEXT" NAME="j_username">

<TR><TD>Password:<TD><INPUT TYPE="PASSWORD" NAME="j_password">

<TR><TD><INPUT TYPE="SUBMIT" VALUE="Log In">

</TABLE> </FORM> </BODY>

</HTML>


Create a login error page l.jpg

Create a Login-Error Page

myApp/admin/login-error.html

<HTML>

<HEAD> <TITLE>Unauthorized</TITLE> </HEAD>

<BODY bgcolor="yellow">

<CENTER>

<H1>Go away! You are not authorized!!</H1>

</CENTER>

</BODY>

</HTML>


Adding some programmatic security l.jpg

Adding Some Programmatic Security

  • So far, all or nothing:

    • can see page or

    • can't see page

  • Sometimes we want to allow page content to be dependant on the authorization of the user

  • Use the following request methods to control content restriction:

    • boolean isUserInRole(String role)

    • String getRemoteUser()


Example l.jpg

Example

<security-constraint>

<web-resource-collection>

<web-resource-name>salary</web-resource-name>

<url-pattern>/salary.jsp</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>executive</role-name>

<role-name>employees</role-name>

</auth-constraint>

</security-constraint>


Example cont l.jpg

Example (cont)

salary.jsp

<HTML>

<HEAD><TITLE>Average Salary</TITLE></HEAD>

<BODY>

<H2>Employee average salary: 3895NIS</H2>

<% if(request.isUserInRole("executive")) { %>

<H2>Executive average salary: 42764NIS</H2>

<% } %>

</BODY>

</HTML>


Important disable the servlet invoker l.jpg

Important: Disable the Servlet Invoker

  • You protect certain URLs in the application

  • The http://host/prefix/servlet/Name format of the Servlet invoker will probably not match the patterns of the protected URLs

  • Thus, the security restrictions are bypassed if the invoker is enabled

  • For this reasons (and others), the invoker should not be used in published applications


Ssl connections l.jpg

SSL Connections


Security on the internet l.jpg

Security on the Internet

  • The Internet is used to transmit sensitive data from clients to servers and vice versa

    • User passwords

    • Credit card numbers

    • Private client data on remote servers (e.g. Banks)

  • However, data packets are read by several computers on the way from the client to the server and vice versa

    • Routers, proxies, etc.


Security on the internet cont l.jpg

Security on the Internet (cont)

  • The following should be provided:

    • Only the server can read the client requests

    • Only the client can read the server's responses

    • Only the client can send requests on behalf of itself

    • Only the server can send responses on behalf of itself

  • In short, no one should be able to interfere in the interaction, either be reading the transferred data or by impersonating to one of the sides


Symmetric and asymmetric keys l.jpg

Symmetric and Asymmetric Keys

  • Data can be encrypted and decrypted using keys, which are simply large numbers

  • Symmetric keys: the same key is used for both encoding and decoding of the message

  • Asymmetric keys: one key is used to encode the message, and another is used to decode it

  • It is considered practically impossible to decode a message without knowing the decoding key


The rsa cryptography system l.jpg

The RSA Cryptography System

  • RSA was developed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman

  • It is the based on the asymmetric key mechanism:

    • Each participant has a private key and a public key

    • The public key is known to all and the private key is kept in secret within its owner

    • Asymmetric keys: the public key is the encoding key and the private key is the decoding key


Secure connection a naive approach l.jpg

Secure Connection: A Naive Approach

  • Consider the following protocol:

    • Server and Client send their public keys to each other

    • Data is encrypted using the public key of the receiver

  • What is wrong with this protocol?

    • Decryption methods (public keys) are known to everyone - everyone can impersonate the participants

    • A participant cannot tell whether its received key was indeed sent by the other participant


Ssl connections48 l.jpg

SSL Connections

  • The SSL (Secure Socket Layer) protocol is used to manage security of message transmission on the Internet

  • Data encryption and decryption is based on symmetric and asymmetric keys

  • The HTTPS (HTTP over Ssl) protocol is actually the HTTP protocol above SSL transportation


Ssl in the network layers l.jpg

SSL in the Network Layers

Email Protocols

HTTP

SSL

TCP/IP


The ssl handshake l.jpg

hello + SSL settings

SSL Settings + Certificate

The SSL Handshake

1. Client gets the Server's certificate

Is this a good certificate?

Client

Server


The ssl handshake51 l.jpg

The SSL Handshake

2. Client creates a master secret and shares it with the server

Client

Server


The ssl handshake52 l.jpg

The SSL Handshake

3. Client and server create symmetric session keys from the master secret

Client

Server


The ssl handshake53 l.jpg

(Http Request)

(Http Response)

The SSL Handshake

Data is transferred using the session keys

Client

Server


Ssl certificates l.jpg

SSL Certificates

  • To assure that the replier of the first request is the server, the server sends a certificate

  • The certificate contains both the server's name and its public key

  • The certificate is issued by a Certificate Authority (CA), which is known to the client in advance

    • For example: VeriSign, Thawte, RSA Secure Server, etc.

  • CA signs the certificate using a digital signature, which the client can verify using a method similar to the private-public key method


The server s certificate l.jpg

The Server's Certificate

Public Key

Serial Number

Validity Period

Server's Name

Issuer's Name

Issuer's Digital Signature


An example the certificate of bankleumi co il l.jpg

An Example: The Certificate of bankleumi.co.il


Authentication via ssl l.jpg

Authentication via SSL

  • If the server needs to assure the client's identity, the first interaction after the SSL handshake will typically be a clients authentication

  • Client authentication is done using the regular HTTP authentication methods

  • What is the difference, though?


Ssl in tomcat 5 0 l.jpg

SSL in Tomcat 5.0

  • To use SSL connections in Tomcat 5.0, we need to do the following:

    • Acquire a certificate

    • Enable the https service, that listens to a designated port

    • Declare the pages that require SSL connections


Generating a certificate l.jpg

Generating a Certificate

  • Acquiring a certificate from a known CA costs money

  • Instead, we will generate our own certificate

  • Naturally, the browser will not recognize the CA as a known one and will alert the user


Generating a certificate cont l.jpg

Generating a Certificate (cont)

From the Unix shell, type the following:

keytool -genkey -alias tomcat -keyalg RSA -keystore keyfile


Enable https service l.jpg

Enable HTTPS Service

  • Add the following to $CATALINA_BASE/conf/server.xml under the Service "catalina":

    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS" keystoreFile="keyfile" keystorePass="keypass"/>

  • Declare the redirection port for the HTTP Connector:

    <Connector port="8090" redirectPort="8443"/>


Declare secured pages l.jpg

Declare Secured Pages

  • In the application's web.xml, add the following element under the security constraint for which you want SSL to be used

    <user-data-constraint>

    <transport-guarantee>CONFIDENTIAL

    </transport-guarantee>

    </user-data-constraint>


  • Login