Java web application security
Dr Jim Briggs
WEB2P security
What is security?
• Usually ensuring that only authorised users can access specific parts of a website
• Security has two basic concepts:
  • authentication: who is it?
  • authorisation: what can they do?
Categories of security mechanism
• Container-managed (e.g. Tomcat)
  • Specified as part of the Java Servlet Specification
  • However, the implementation is container specific (and therefore not necessarily portable between containers)
• Application-managed
  • Independent of the container
  • However, you have to write the code yourself (or use some other mechanism)
HTTP authentication
• HTTP provides for authentication - see RFC 2617
• Operates on a challenge/response paradigm:
  • Server receives a request for an access-protected object
  • Server responds with a "401 Unauthorized" status code
  • Client must then resend the request with an Authorization header
    • Most browsers will prompt the user for a username and password
    • Most browsers cache this for the duration of the browser session
    • Some will allow the user to save it between sessions
• Distinction between Basic Authentication and Digest Authentication:
  • Basic passes usernames and passwords in clear text (actually in Base64 format, but this is easily decoded)
  • Digest scrambles the password by sending a checksum (by default, MD5) of the username, the password, a given nonce value, the HTTP method, and the requested URI. The nonce value is sent by the server with the 401 response.
• Realm is the zone of security
  • Effectively the store against which credentials are checked
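To make the Basic/Digest distinction concrete, here is an added example (not part of the original slides) that builds and decodes a Basic Authorization header and computes the RFC 2617 Digest response exactly as described above. The usernames, passwords, realm name, nonce and URI are constructed sample values; the digest formula is the RFC's own (no qop), and the server-side check shows why the realm store can verify a Digest response without the password ever crossing the wire.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example: what the two RFC 2617 schemes actually put on the wire.
// All credentials, the realm, the nonce and the URI are constructed sample values.
public class HttpAuthDemo {

    // Basic: Authorization carries base64("user:password"). Base64 is an encoding,
    // not encryption, so anyone who sees the header recovers the password.
    static String basicHeader(String user, String password) {
        String raw = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // What a proxy, log or sniffer sees when it reverses the Basic header.
    static String[] decodeBasic(String header) {
        String b64 = header.substring("Basic ".length());
        String raw = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        int colon = raw.indexOf(':');
        return new String[] { raw.substring(0, colon), raw.substring(colon + 1) };
    }

    // Lower-case hex MD5, the default hash algorithm for Digest in RFC 2617.
    static String md5Hex(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Digest (RFC 2617, without qop):
    //   HA1 = MD5(user ":" realm ":" password)
    //   HA2 = MD5(method ":" uri)
    //   response = MD5(HA1 ":" nonce ":" HA2)
    // The nonce comes from the server's 401 challenge, so a captured response
    // is only valid for that nonce, method and URI.
    static String digestResponse(String user, String realm, String password,
                                 String nonce, String method, String uri) {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    // Server side: the realm store holds the password (or just HA1), recomputes
    // the expected response and compares it in constant time.
    static boolean verifyDigest(String user, String realm, String storedPassword,
                                String nonce, String method, String uri, String presented) {
        String expected = digestResponse(user, realm, storedPassword, nonce, method, uri);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample credentials
        String header = basicHeader("alice", "s3cret");
        System.out.println(header);
        String[] creds = decodeBasic(header);
        System.out.println("recovered from Basic header: " + creds[0] + " / " + creds[1]);

        String nonce = "6f1c2a9e4b7d";   // constructed; a real server issues a fresh one per 401
        String uri = "/admin/index.jsp";
        String resp = digestResponse("alice", "WEB2P", "s3cret", nonce, "GET", uri);
        System.out.println("Digest response = " + resp);
        System.out.println("correct password verifies: "
            + verifyDigest("alice", "WEB2P", "s3cret", nonce, "GET", uri, resp));
        System.out.println("wrong password verifies:   "
            + verifyDigest("alice", "WEB2P", "guess", nonce, "GET", uri, resp));
    }
}
```

Compile and run with `javac HttpAuthDemo.java && java HttpAuthDemo`; the first line printed is the Basic header, the next shows the username and password recovered from it, and the last two lines show the Digest check passing only for the stored password. Note that Digest still sends an MD5 built from the password, so the slide's "scrambles" is about keeping it off the wire in clear, not about making it unguessable: both schemes belong on an HTTPS connection, which is why the Secure transport constraint appears later in these slides.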
Mechanisms for securing Java web applications
• Fundamentals
• Container-managed techniques
• Application-managed techniques
• Mix and match
Fundamentals
• HTTP authentication
• Secure Sockets Layer (SSL)
  • HTTP over SSL (HTTPS)
  • See how to set this up in Apache
  • See how to set this up in Tomcat
    • Unlikely to need the latter if using Tomcat as an auxiliary server (especially via AJP)
Container-managed security
• Security constraints in the web.xml file
  • Authentication
  • Authorization
  • Secure transport
Authentication
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/fail_login.html</form-error-page>
    </form-login-config>
  </login-config>
Authorization
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>private</role-name>
    </auth-constraint>
  </security-constraint>
Secure transport
  <security-constraint>
    ...
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
Authentication methods
• Basic - uses HTTP Basic Authentication
• Digest - uses HTTP Digest Authentication
• Form - presents a login form to the user
    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
    </form>
• Client certificate - requires a digital certificate from the client
Tomcat realms
• MemoryRealm
  • a file (tomcat-users.xml) in the TOMCAT/conf directory
• JDBCRealm
  • specify tables and columns of a database that contain usernames, passwords and roles
• DataSourceRealm
  • similar, but using a JNDI-named DataSource rather than a specific JDBC driver
• JNDIRealm
  • looks up users in an LDAP directory server accessed by a JNDI provider
• JAASRealm
  • authenticates users through the Java Authentication & Authorization Service (JAAS) framework
Application-managed security 1
• Request properties:
  • request.getRemoteUser()
  • request.getUserPrincipal()
  • request.isUserInRole(role)
• Use session attributes to store the user's identity
• Use cookies to store username and password (can be persistent between browser sessions)
Application-managed security 2
• Use a security filter
• Use a base servlet
• Use a custom JSP tag
  • forward the request to a login page if the user is not logged in or does not have authorisation
• Struts facilities:
  • Use Struts roles (each action has a roles attribute)
  • Customise the Struts RequestProcessor
    • specifically the method processPreprocess
  • Use a Struts Base Action
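The "security filter" option from these two slides, written out as an added example (this is illustrative code, not from the slides or from any project they mention). It stores the user's identity in the session, as the previous slide suggests, and does in application code what the container-managed `<auth-constraint>` on `/admin/*` did in web.xml: forward to the login page when nobody is logged in, and refuse with 403 when the user lacks the required role. The attribute names `web2p.user`, `web2p.roles` and `web2p.target`, the `loginPage` and `role` init-params, and the assumption that a login servlet populates the session are all this example's own conventions; the `javax.servlet` Filter API is assumed.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: an application-managed security filter guarding a URL space.
// Session attribute names and init-param names are this example's conventions
// (hypothetical), not anything defined by the Servlet specification.
public class AdminSecurityFilter implements Filter {

    // Set by the application's login servlet after it has checked the credentials
    static final String USER_ATTR  = "web2p.user";   // String username
    static final String ROLES_ATTR = "web2p.roles";  // java.util.Set<String> of role names
    static final String TARGET_ATTR = "web2p.target"; // where to send the user after login

    private String loginPage = "/login.jsp";
    private String requiredRole = "private";

    @Override
    public void init(FilterConfig config) {
        // Optional <init-param> overrides in web.xml: loginPage and role
        if (config.getInitParameter("loginPage") != null) loginPage = config.getInitParameter("loginPage");
        if (config.getInitParameter("role") != null) requiredRole = config.getInitParameter("role");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // false: do not create a session just to discover that there is none
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // Authentication failure: remember the target, then forward to the login page
            request.setAttribute(TARGET_ATTR, request.getRequestURI());
            request.getRequestDispatcher(loginPage).forward(request, response);
            return;
        }

        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute(ROLES_ATTR);
        if (roles == null || !roles.contains(requiredRole)) {
            // Authorisation failure: the user is known but not allowed here, so 403,
            // not another login prompt
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authenticated and authorised: let the request through
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To apply it, declare the class in web.xml with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` is `/admin/*`, the same pattern the container-managed slide used. Because the filter reads the session rather than a cookie holding the username and password, the credentials are only presented once at login and the session id is all the browser carries afterwards.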
Mix and match
• Many of the techniques can be used in combination
• SecurityFilter (from Sourceforge.net) is an application-managed mechanism that mimics container-managed security