SE-2840 Dr. Mark L. Hornick
Web Application Security

There are three main security concerns your web apps need to address:

  Impersonation  A client pretends to be someone else in order to gain access to your site.
  Upgrading      A client gains access to restricted aspects of your web app (privilege escalation).
  Eavesdropping  A third party gains access to confidential information exchanged between your site and a valid user.

All of these can be managed via the Deployment Descriptor (web.xml). Tomcat incorporates a declarative security model that requires no changes to your Servlets or pages: Tomcat itself handles Authentication, Authorization, and Data Encryption.
The server.xml file contains configuration specifications for Tomcat operation, including enabling HTTPS:

  <!-- Define a SSL HTTP/1.1 Connector on port 8443.
       This connector uses the JSSE configuration; when using APR, the connector
       should be using the OpenSSL style configuration described in the APR
       documentation -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             keystoreFile="C:/Apache/keystore" keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS" />

Note: the Connector element is (usually) already in this file, although commented out. I rearranged the comments and added the keystoreFile attribute, which names the file containing the generated certificate. keystorePass must match the password chosen when the keystore was created; since it sits in plain text in server.xml, that file should be readable only by the account Tomcat runs as. clientAuth="false" means the server does not ask the browser for a client certificate. sslProtocol="TLS" selects the JSSE TLS context; the versions actually offered are controlled by the sslEnabledProtocols attribute (Tomcat 7 and later). Tomcat 8.5 and later prefer these settings inside a nested <SSLHostConfig><Certificate .../></SSLHostConfig> element rather than on the Connector itself.
Encrypting the transport of data ensures that sensitive data (e.g. passwords) will not be viewable during transmission either to or from the server. In web.xml this is declared with a security-constraint: its web-resource-collection (named SecuredPages on the slide) lists the resources whose access is to be constrained by the container, as url-patterns:

  /MyApp/somepage.html
  /MyApp/page2.jsp
  /MyApp/myServlet

and its user-data-constraint carries a transport-guarantee of CONFIDENTIAL, which specifies that the browser and server establish an encrypted connection for exchanging request and response data. The default transport-guarantee is NONE.

Two caveats: url-patterns are matched against the path relative to the web application's context root, so if the application itself is deployed at /MyApp the pattern for somepage.html is /somepage.html, not /MyApp/somepage.html; and a plain-HTTP request for a CONFIDENTIAL resource is redirected by Tomcat to the port named by the HTTP Connector's redirectPort attribute (8443 by default), so that port must carry the SSL connector above.
Demo
Generating a certificate (See
Note: When prompted for the password, I entered "changeit" (this is the value that server.xml's keystorePass attribute must carry).
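The keytool invocation that produces the keystore named by keystoreFile, as an added example that is not part of the slides (the JDK's keytool is assumed to be on PATH; the alias tomcat and the subject CN=localhost are illustrative choices, and the password is the "changeit" used above):

```powershell
# Added example (not from the slides): create the keystore that server.xml's
# keystoreFile attribute points at, using the JDK's keytool.
# Assumptions: keytool is on PATH; the alias "tomcat" and CN=localhost are
# illustrative; the password "changeit" matches keystorePass in server.xml.
$keystore  = "C:\Apache\keystore"
$storepass = "changeit"

# Generate a 2048-bit RSA key pair with a self-signed certificate valid for one year.
# -storetype JKS: the Connector's keystoreType defaults to JKS, and newer JDKs
#                 would otherwise write PKCS12.
# -keypass must equal -storepass: Tomcat's keyPass defaults to keystorePass, and a
#                 different key password makes the connector fail to start.
# -ext SAN:       browsers ignore the CN and require a Subject Alternative Name.
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 `
        -storetype JKS -keystore $keystore `
        -storepass $storepass -keypass $storepass `
        -dname "CN=localhost" -ext "SAN=dns:localhost,ip:127.0.0.1"

# Verify what was written: exactly one PrivateKeyEntry under the alias "tomcat".
keytool -list -v -keystore $keystore -storepass $storepass
```

With a single key entry in the keystore the Connector needs no keyAlias attribute. A self-signed certificate is fine for the lecture demo, but the browser will warn until the certificate is trusted; a production server would instead import a certificate issued by a CA into the same keystore.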
Authorization allows a web app to restrict access to specific parts of an application. In web.xml, security-role elements declare the roles the application uses (admin and member on the slide), and a security-constraint declares the specific resources to be accessible only by users in certain roles (the roles themselves, and which users hold them, are defined in the separate tomcat-users.xml file): the web-resource-collection SecuredPages covers

  /MyApp/admin.jsp
  /MyApp/manage.jsp

and its auth-constraint lists the permitted role-names (shown on the slide as Admin and Manager). Role names in the auth-constraint are compared as plain strings against the roles granted in tomcat-users.xml, so they must match exactly, including case. An auth-constraint that is present but lists no roles denies everyone; leaving the auth-constraint out entirely means no login is required at all.
The tomcat-users.xml file contains role, username, and password definitions. The stock file shipped with Tomcat carries these comments:

  <!-- NOTE: By default, no user is included in the "manager" role required to
       operate the "/manager" web application. If you wish to use this app, you
       must define such a user - the username and password are arbitrary. -->
  <!-- NOTE: The sample user and role entries below are wrapped in a comment and
       thus are ignored when reading this file. Do not forget to remove the
       <!.. ..> that surrounds them. -->
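A tomcat-users.xml that matches the admin and member roles used in the lecture's web.xml, as an added example that is not part of the slides or of Tomcat's stock file (the user names and passwords are constructed for illustration):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the slides): roles and users for the lecture's
     web.xml. User names and passwords below are constructed for illustration. -->
<tomcat-users>
  <!-- Every role named in a web.xml auth-constraint must be declared here,
       spelled exactly the same way (matching is case-sensitive). -->
  <role rolename="admin"/>
  <role rolename="member"/>

  <!-- Roles are granted as a comma-separated list; alice holds both. -->
  <user username="alice" password="s3cret-alice" roles="admin,member"/>
  <user username="bob"   password="s3cret-bob"   roles="member"/>

  <!-- The "manager" role would unlock the /manager web application; it is
       deliberately granted to nobody in this file. -->
</tomcat-users>
```

Passwords in this file are stored in clear text by default, so the file must be readable only by the account Tomcat runs as; Tomcat's realms can instead compare against digested passwords (the Realm's digest attribute in Tomcat 7, a CredentialHandler in 8.5 and later), which is what a production install should use.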
Demo
Authentication allows a web app to validate the identity of a client. Starting from the web.xml of the previous slide (security roles admin and member; constraint SecuredPages on /MyApp/admin.jsp and /MyApp/manage.jsp; auth-constraint roles Admin and Manager), a login-config with an auth-method of BASIC is added. When you specify a login-config, the container automatically supplies a username/password prompt.

Caveat: BASIC sends the username and password Base64-encoded, not encrypted, in the Authorization header of every subsequent request, so it must be combined with a CONFIDENTIAL transport-guarantee on the same resources or the credentials are exposed to the eavesdropping attack described at the start.
You can define your own login page if you don't like the default popup dialog. The same roles and SecuredPages constraint are kept, the user-data-constraint's transport-guarantee is set to CONFIDENTIAL, and the login-config's auth-method becomes FORM with a form-login-config naming

  form-login-page  /login.html
  form-error-page  /loginError.html

Both paths are relative to the application's context root. With FORM authentication the password travels in the body of a POST, so the CONFIDENTIAL guarantee is what keeps it off the wire in clear text.
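A complete web.xml that puts the three slides together (encrypted transport, role-based authorization and FORM authentication), as an added example that is not part of the slides. It assumes the application is deployed at context path /MyApp, so the url-patterns are written relative to that root, and it uses the admin and member roles declared in tomcat-users.xml rather than the Admin/Manager spelling shown on the slide:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the slides). Assumptions: the application is
     deployed at /MyApp, so url-patterns are context-relative; the roles
     admin and member exist in tomcat-users.xml with exactly this spelling. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Authentication: the container serves /login.html instead of the BASIC
       popup. The form there must POST to j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced below; names are compared case-sensitively. -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>

  <!-- Authorization + encryption for the administrative pages: admin only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/admin.jsp</url-pattern>
      <url-pattern>/manage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Pages any logged-in user may use, still forced onto HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MemberPages</web-resource-name>
      <url-pattern>/somepage.html</url-pattern>
      <url-pattern>/page2.jsp</url-pattern>
      <url-pattern>/myServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The login pages are public (no auth-constraint: anyone may load them),
       but they are still forced onto HTTPS so the posted password is never
       sent in clear text. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginPages</web-resource-name>
      <url-pattern>/login.html</url-pattern>
      <url-pattern>/loginError.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

The ordering of the constraints does not matter; for each request the container takes the union of all matching constraints, so a page listed under AdminPages stays admin-only even if a broader pattern elsewhere would admit member. A web-resource-collection with no http-method elements, as here, covers every HTTP method, which is what you want: listing only GET and POST would leave HEAD, PUT and the rest unprotected.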
The login form must use the action and input field names fixed by the Servlet specification: it submits to j_security_check and carries the username in a field named j_username and the password in a field named j_password. The slide's page reads simply "Login please", followed by the username: and password: fields.
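The login page named by form-login-page, as an added example that is not part of the slides (the wording and layout are free; only the action and field names are prescribed):

```html
<!-- Added example (not from the slides): the page named by form-login-page.
     The action "j_security_check" and the field names j_username and
     j_password are fixed by the Servlet specification; everything else is free. -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>Login please</title>
</head>
<body>
  <h1>Login please</h1>
  <!-- method="POST": with GET the credentials would end up in the URL, the
       browser history and the server's access log even over HTTPS.
       The relative action resolves to /MyApp/j_security_check when this page
       sits at the context root, which is where the container intercepts it. -->
  <form method="POST" action="j_security_check">
    <label>username:
      <input type="text" name="j_username" autocomplete="username" required>
    </label><br>
    <label>password:
      <input type="password" name="j_password" autocomplete="current-password" required>
    </label><br>
    <input type="submit" value="Log in">
  </form>
</body>
</html>
```

After a successful POST the container redirects the browser to the protected page it originally asked for; on failure it shows form-error-page. Nothing in this file handles credentials itself, which is the point of the declarative model: the application never sees the password.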