03 Security Declarative

8/2/2019 03 Security Declarative

1/22

2009 Marty Hall

Application Securit

Originals of Slides and Source Code for Examples:

http://courses.coreservlets.com/Course-Materials/msajsp.html

Customized Java EE Training: http://courses.coreservlets.com/Servlets, JSP, Struts, JSF/MyFaces/Facelets, Ajax, GWT, Spring, Hibernate/JPA, Java 5 & 6.

Developed and taught by well-known author and developer. At public venues or onsite at yourlocation.

2009 Marty Hall

For live Java training, please see training courses atp: courses.coreserv e s.com . erv e s, , ru s,JSF, Ajax, GWT, Java 5, Java 6, Spring, Hibernate, JPA,

and customized combinations of to ics.

Taught by the author ofCore Servlets and JSP, More

Customized Java EE Training: http://courses.coreservlets.com/Servlets, JSP, Struts, JSF/MyFaces/Facelets, Ajax, GWT, Spring, Hibernate/JPA, Java 5 & 6.

Developed and taught by well-known author and developer. At public venues or onsite at yourlocation.

, .venues, or customized versions can be held on-site at your

organization. Contact [email protected] for details.


2/22

Agenda

Major security concerns

Declarative vs. programmatic security

Using form-based authenticationSteps

Example

Steps

4

Major Issues

Preventing unauthorized users fromaccessing sensitive data.Access restriction

Identifying who should have access to them

Authentication Identifying users to determine if they are one of theauthorized ones

Preventin attackers from stealin networkdata while it is in transit.Encryption (usually with SSL)

5


3/22

Declarative Security

None of the individual servlets or JSP pages need- .

Instead, both of the major security aspects are handled by the server.

To prevent unauthorized access .

that certain URLs need protection. Designate authentication method that server uses to identify users. At re uest time the server automaticall rom ts users for

usernames and passwords when they try to access restrictedresources, automatically checks the results against a server-specificset of usernames and passwords, and automatically keeps track of

.completely transparent to the servlets and JSP pages.

To safeguard network data be accessible only with SSL. If users try to use a regular HTTPconnection to access one of these URLs, the server automaticallyredirects them to the HTTPS (SSL) equivalent.6

Programmatic Security

Protected servlets and JSP pages at leastpartially manage their own security. Much more work, but totally portable.

- . .and a bit more flexibility is possible.

To prevent unauthorized access ac serv et or page must e t er aut ent cate t e useror verify that the user has been authenticated previously.

Each servlet or JSP page has to check the network

protocol used to access it.

I users try to use a regu ar HTTP connect on to accessone of these URLs, the servlet or JSP page must manually

redirect them to the HTTPS (SSL) equivalent.7


4/22

Form-Based Authentication

When a not-yet-authenticated user tries to

Server automatically redirects user to Web page with anHTML form that asks for username and passwordUsername and password checked against database of

usernames, passwords, and roles (user categories)

If lo in successful and role matches, a e shown If login unsuccesful, error page shown

If login successful but role does not match, 403 error- -

When an already authenticated user tries to

access a protected resource: ro e matc es, page s own

If role does not match, 403 error givenSession trackin used to tell if user alread authenticated8

BASIC Authentication

When a not-yet-authenticated user tries to

Server sends a 401 status code to browser

Browser pops up dialog box asking for username andpassword, and they are sent with request in Authorizationrequest header

Username and password checked against database ofusernames, passwords, and roles (user categories)

If login successful and role matches, page shown ,

When an already authenticated user tries toaccess a protected resource: ro e matc es, page s own

If role does not match, 401 error given

Re uest header used to tell if user alread authenticated9


5/22


1) Set up usernames, passwords, and roles.Designate a list of users and associated passwords and

abstract role(s) such as normal user or administrator. - .

Simplest Tomcat approach: useinstall_dir/conf/tomcat-users.xml:

10


2) Tell server that you are using form-basedauthentication. Designate locations of loginand login-failure page. . - -method ofFORM and form-login-config with

locations of pages.

FORM

/login.jsp

/login-error.html

< orm- og n-con g>

11


6/22


3) Create a login page (HTML or JSP)HTML form with ACTION ofj_security_check,

METHOD ofPOST, textfield named j_username, andassword field named assword. _

_

, , ,set of radio buttons instead of a textfield.

12


4) Create page for failed login attempts. o specific content is mandated.

Perhaps just username and password not found and.

This can be either an HTML or a JSP document.

13


7/22


5) Specify URLs to be password protected. - . .

subelements: the first (web-resource-collection)

designates URLs to which access should be restricted; the second(auth-constraint) specifies abstract roles that should have. -

role-name means no directaccess is allowed.

Sensitive

/sensitive/*

administrator

executive--

...

14


6) List all possible abstract roles (categoriesof users) that will be granted access to anyresource ,

...

administrator

executive< role-name>

15


8/22


7) Specify which URLs require SSL. If server supports SSL, you can stipulate that certain

resources are available only through encrypted HTTPSSSL connections. Use the user-data-constraint

subelement ofsecurity-constraint. Only fullJ2EE servers are requiredto support SSL.

< ranspor -guaran ee>

CONFIDENTIAL

user- a a-cons ra n

16


8) Turn off the invoker servlet.You protect certain URLs that are associated with

registered servlet or JSP names. Thehtt ://host/ re ix/servlet/Name format of default servletURLs will probably not match the pattern. Thus, thesecurity restrictions are bypassed when the default URLs

.

Disabling it

In each Web a lication redirect re uests to other servlet

by normal web.xmlmethod/servlet/*

Server-specific mechanism (e.g. install_dir/conf/server.xml for Tomcat).

17


9/22

Example: Form-Based Security

18

Example: Step 1

Set up usernames, passwords, and roles. install_dir/conf/tomcat-users.xml

" " " "

roles="registered-user" />

19


10/22

Example: Step 2

Tell server that you are using form-basedauthentication. Designate locations of login

and login-failure page.-

FORM

< orm- og n-page>

/admin/login.jsp

/admin/login-error.jsp

20

Example: Step 3

Create a login page

= og n

Sorry, you must log in before

.

User name:

Password:

21


11/22

Example: Step 3 (Result)

22

Example: Step 4

Create page for failed login attempts.

Begone!

Begone, ye unauthorized peon.

23


12/22

Example: Access Rules

Home pageAnyone

Investing page eg stere users

Administrators

Registered users

Via SSL onl

Delete account page

Administrators

24

Example: Step 5

Specify URLs to be password protected.

Investing

/investing/*

- -

registered-user

ro e-name a m n s ra or ro e-name

25


13/22

Example: Step 5 (Continued)

secur y-cons ra n

Account Deletion

/admin/delete-account.jsp

administrator

26

Example: Step 5 (Results)

First attempt toaccess accountstatus page

Result ofsuccessful loginand later attempts

status page27


14/22

Example: Step 6

6) List all possible abstract roles (types ofusers) that will be granted access to any

resource

...

-

registered-user

administrator

28

Example: Step 7

Specify which URLs require SSL.


15/22


http://host/prefix/ssl/buy-stock.jsp orhttps://host/prefix/ssl/buy-stock.jsp

30

Example: Step 8

Turn off the invoker servlet

Redirector

/servlet/*

index.jsp

n ex. m < we come- e>

31


16/22

Example: Step 8 (Continued)

/** Servlet that simply redirects users to the

* Web a lication home a e.

*/

public class RedirectorServlet extends HttpServlet {

public void doGet(HttpServletRequest request,

HttpServletResponse response)

throws ServletException, IOException {

. .

}

public void doPost(HttpServletRequest request,

HttpServletResponse response)

throws ServletException, IOException {

doGet(request, response);

}

32


Attempt to accesshttp://host/hotdotcom/servlet/Anything

33


17/22

Form-Based vs. BASIC

Advantages of form-based ons s en oo an ee

Fits model users expect from ecommerce sites Disadvanta e of form-basedCan fail if server is using URL rewriting for session

tracking. Can fail if browser has cookies disabled.

Doesn't rely on session trackingEasier when you are doing it yourself (programmatic)

Disadvantage of BASIC

Small popup dialog box seems less familiar to most usersCLIENT-CERT (X 509 certificates)

DIGEST (Not widely supported by browsers)34


1. Set up usernames, passwords, and roles. Same as for form-based authentication. Server-specific.

2. Tell the server that you are using BASIC. .

Use the web.xmllogin-config element with an

auth-method subelement ofBASIC and a realm-name subelement (generally used as part of the title ofthe dialog box that the browser opens).

BASIC

ome ame< rea m-name>

35


18/22


3. Specify which URLs should be passwordprotected.

Same as with form-based authentication.

. that will access any protected resource

-

5. Specify which URLs should be availableonly with SSL.

Same as with form-based authentication.

6. Turn off the invoker servlet. Same as with form-based authentication.

36

Example: BASIC Authentication

Home pageAnyone

Financial plan

Employees orexecutives

Business planExecutives

only

37


19/22


Set up usernames, passwords, and roles.< xm vers on= . enco ng= - - >

declarative example is online athttp://archive.moreservlets.com/Security-Code/tomcat-users.xml

38


Tell the server that you are using BASICauthentication. Designate the realm name.

- -

Intranet

39


20/22


Specify which URLs should be passwordprotected.

Financial Plan

/financial-plan.html

employee

executive

40


- -

Business Plan

- -

/business-plan.html

-

executive< role-name>

41


21/22


...

employee

-

executive

-

42


First attemptFor business plan

Failed login

Denied

User not inexecutive role

SuccessUser in

executiverole

You can use the error-

page and error-code

elements to define

43

custom pages status

code 403. See lecture

on web.xml.


22/22

Summary

Main security issues reven ng access y unau or ze users

Preventing attackers from stealing network data Declarative securitMuch less work than programmatic security

Requires server-specific password setup

-Attempts to access restricted resources get redirected to

login page. HTML form gathers username and password.ess on trac ng trac s aut ent cate users.

BASIC authenticationAttem ts to access restricted resources results in dialo

box. Dialog gathers username and password. HTTPheaders track authenticated users.

44

2009 Marty Hall

Questions?

Customized Java EE Training: http://courses.coreservlets.com/

03 Security Declarative

Documents

Transcript of 03 Security Declarative