WEB2P security
Java web application security
Dr Jim Briggs
What is security?
Usually ensuring that only authorised users can access specific parts of a website
Security has two basic concepts:
–authentication: who is it?
–authorisation: what can they do?
Categories of security mechanism
Container-managed (e.g. Tomcat)
–Specified as part of the Java Servlet Specification
–However, the implementation is container specific (and therefore not necessarily portable between containers)
Application-managed
–Independent of the container
–However, you have to write the code yourself (or use some other mechanism)
HTTP authentication
HTTP provides for authentication - see RFC 2617
Operates on a challenge/response paradigm:
–Server receives a request for an access-protected object
–Server responds with a "401 Unauthorized" status code
–Client must then resend the request with an Authorization header
–Most browsers will prompt the user for a username and password
Most browsers cache this for the duration of the browser session
Some will allow the user to save it between sessions
Distinction between Basic Authentication and Digest Authentication:
–Basic passes usernames and passwords in clear text (actually Base64-encoded, but that is trivially decoded)
–Digest scrambles the password by sending a checksum (by default MD5) of the username, the password, a nonce value, the HTTP method and the requested URI. The nonce value is sent by the server with the 401 response.
Realm is the zone of security
–Effectively the store against which credentials are checked
Mechanisms for securing Java web applications
Fundamentals
Container-managed techniques
Application-managed techniques
Mix and match
Fundamentals
HTTP authentication
Secure Sockets Layer (SSL)
HTTP over SSL (HTTPS)
–See how to set this up in Apache
–See how to set this up in Tomcat
–Unlikely to need the latter if using Tomcat as an auxiliary server (especially via AJP)
Container-managed security
Security constraints in web.xml file
–Authentication
–Authorization
–Secure transport
Authentication
web.xml <login-config> fragment:
–<auth-method> BASIC or FORM
–<form-login-page> /login.jsp
–<form-error-page> /fail_login.html
Authorization
web.xml <security-constraint> fragment:
–<web-resource-name> Admin
–<url-pattern> /admin/*
–<auth-constraint> with <role-name> private
Secure transport...
web.xml <user-data-constraint> fragment:
–<transport-guarantee> CONFIDENTIAL
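The three web.xml fragments above, assembled into one working deployment descriptor. This is an added example, not code from the slides: the role name private, the URL pattern /admin/* and the two login pages come from the slides; the realm name, the web-app version and the Servlet 2.5 namespace are assumed.

```xml
<!-- Added example combining the three web.xml fragments from the slides.
     Role "private", pattern /admin/* and the login pages are from the slides;
     realm name and web-app version are assumed. Users and their roles live
     in the container's realm (e.g. tomcat-users.xml), not in this file. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Authorisation: everything under /admin/ requires the "private" role.
       The auth-constraint is what forces a login; a security-constraint
       with no auth-constraint only enforces the transport guarantee. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>private</role-name>
    </auth-constraint>
    <!-- Secure transport: the container redirects plain HTTP to HTTPS, so
         the FORM credentials and the session cookie never travel in clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: FORM login. The form on /login.jsp must POST to
       j_security_check with fields j_username and j_password (fixed names
       from the Servlet Specification). Change FORM to BASIC or DIGEST to
       use HTTP authentication instead; the two pages are then ignored. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name> <!-- assumed name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/fail_login.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint must also be declared. -->
  <security-role>
    <role-name>private</role-name>
  </security-role>
</web-app>
```

Note that /login.jsp itself must not sit under a protected pattern, otherwise the container cannot serve the login page to an unauthenticated user.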
Authentication methods
Basic - uses HTTP Basic Authentication
Digest - uses HTTP Digest Authentication
Form - presents a login form to the user
Client certificate - requires a digital certificate from the client
Tomcat realms
MemoryRealm
–a file (tomcat-users.xml) in the TOMCAT/conf directory
JDBCRealm
–specify tables and columns of a database that contain usernames, passwords and roles
DataSourceRealm
–similar, but using a JNDI-named DataSource rather than a specific JDBC driver
JNDIRealm
–looks up users in an LDAP directory server accessed by a JNDI provider
JAASRealm
–authenticates users through the Java Authentication & Authorization Service (JAAS) framework
Application-managed security 1
Request properties:
–request.getRemoteUser()
–request.getUserPrincipal()
–request.isUserInRole(role)
Use session attributes to store the user's identity
Use cookies to store username and password (can be persistent between browser sessions)
Application-managed security 2
Use a security filter
Use a base servlet
Use a custom JSP tag
–forward the request to a login page if the user is not logged in or does not have authorisation
Struts facilities:
–Use Struts roles (each action has a roles attribute)
–Customise the Struts RequestProcessor, specifically the method processPreprocess
–Use a Struts Base Action
Mix and match
Many of the techniques can be used in combination
SecurityFilter (from Sourceforge.net) is an application-managed mechanism that mimics container-managed security