SE-2840 Dr. Mark L. Hornick 1 Web Application Security

Page 1


Web Application Security

Page 2

There are three main security concerns your web apps need to address:

Impersonation: a client pretends to be someone else in order to gain access to your site.

Upgrading: a client gains access to restricted aspects of your web app.

Eavesdropping: a third party gains access to confidential information exchanged between your site and a valid user.


Page 3

All of these can be managed via the Deployment Descriptor


Tomcat incorporates a declarative security model that requires no changes to your Servlets or pages

Tomcat itself handles Authentication, Authorization, and Data Encryption

Page 4

The server.xml file contains configuration specifications for Tomcat operation, including enabling HTTPS:


<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<!-- uncommented by MLH -->
<!-- keystoreFile names the keystore generated with keytool (see the
     certificate slide); keystorePass must be the password entered there -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:/Apache/keystore"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
<!-- uncommented by MLH -->

Note: the Connector element (blue text on the slide) is usually already in this file, although commented out. I rearranged the comments and added the keystoreFile line (green on the slide) that specifies the file containing the generated certificate.

Page 5

Encrypting the transport of data ensures that sensitive data (e.g. passwords) will not be viewable during transmission, either to or from the server.


<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <!-- This section declares specific resources whose access is to be
       constrained by the Tomcat security manager. -->
  <security-constraint>
    <!-- Here is where the restricted resources are specified (1 to many) -->
    <web-resource-collection>
      <!-- "SecuredPages" is just an arbitrary identifier -->
      <web-resource-name>SecuredPages</web-resource-name>
      <!-- The constrained resources for this collection: -->
      <url-pattern>/MyApp/somepage.html</url-pattern>
      <url-pattern>/MyApp/page2.jsp</url-pattern>
      <url-pattern>/MyApp/myServlet</url-pattern>
    </web-resource-collection>
    ... <!-- More resource collections can be added here... -->
    <!-- This specifies that the browser and server establish an encrypted
         connection for exchanging request and response data -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- Additional security constraint sections can be added here -->
</web-app>

The default transport-guarantee is NONE (no encryption required).

Page 6

Demo


Page 7

Generating a certificate (see http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html)


Note: When prompted for the password, I entered "changeit"


Page 11

<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <!-- Here is where the authorized roles are defined. -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
  <!-- This section declares specific resources to be accessible only by users
       in certain roles (defined in the separate tomcat-users.xml file). -->
  <security-constraint>
    <!-- Here is where the restricted resources are specified (1 to many) -->
    <web-resource-collection>
      <!-- "SecuredPages" is just an arbitrary identifier -->
      <web-resource-name>SecuredPages</web-resource-name>
      <!-- The constrained resources (1 to many) for this collection: -->
      <url-pattern>/MyApp/admin.jsp</url-pattern>
      <url-pattern>/MyApp/manage.jsp</url-pattern>
    </web-resource-collection>
    ... <!-- more collections here... -->
    <!-- Here is where the authorized roles are specified. Role names are
         case-sensitive and must match the security-role declarations above
         and the rolename values in tomcat-users.xml exactly. -->
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>manager</role-name>
      ...
    </auth-constraint>
  </security-constraint>
</web-app>

Authorization allows a web app to restrict access to specific parts of an application


Page 12

The tomcat-users.xml file contains role, username, and password definitions:


<tomcat-users>
  <!-- NOTE: By default, no user is included in the "manager" role required
       to operate the "/manager" web application. If you wish to use this app,
       you must define such a user - the username and password are arbitrary. -->
  <!-- NOTE: The sample user and role entries below are wrapped in a comment
       and thus are ignored when reading this file. Do not forget to remove
       <!.. ..> that surrounds them. -->
  <!--
    <role rolename="tomcat"/>
    <role rolename="role1"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="both" password="tomcat" roles="tomcat,role1"/>
    <user username="role1" password="tomcat" roles="role1"/>
  -->
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="member"/>
  <!-- the passwords below are stored in clear text in this file -->
  <user username="tomcat" password="tomcat" roles="manager,admin"/>
  <user username="mark" password="mlh" roles="member,manager"/>
</tomcat-users>

Page 13

Demo


Page 14

Authentication allows a web app to validate the identity of a client


<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/MyApp/admin.jsp</url-pattern>
      <url-pattern>/MyApp/manage.jsp</url-pattern>
    </web-resource-collection>
    <!-- role names must match the security-role declarations exactly (case-sensitive) -->
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- When you specify a login-config, the container automatically supplies
       a username/password prompt -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>

Page 15

<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/MyApp/admin.jsp</url-pattern>
      <url-pattern>/MyApp/manage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL keeps the submitted username/password from crossing
         the network in the clear -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>

You can define your own login page if you don’t like the default popup dialog:
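As an added example (not code from the slides), a small Python audit of a web.xml that checks the two things the authorization and authentication descriptors above depend on: every auth-constraint role-name matches a declared security-role exactly (the comparison is case-sensitive), and any constraint that makes the container collect BASIC or FORM credentials also carries a CONFIDENTIAL transport guarantee. The sample descriptor is constructed here, not copied from the slides, and deliberately declares `admin` but constrains on `Admin` so the audit has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (modelled on the BASIC-auth web.xml above, not copied
# from it): the auth-constraint spells the role 'Admin' while 'admin' is declared.
WEB_XML = """<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/MyApp/admin.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return (url-pattern, problem) findings for a web.xml deployment descriptor."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # strip any xmlns prefix so the element paths below match
        el.tag = el.tag.split("}")[-1]
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    method = root.findtext("login-config/auth-method", default="NONE").strip()
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE").strip()
        for pat in patterns:
            # Role names are compared exactly, so 'Admin' never matches a declared 'admin'.
            for role in roles:
                if role != "*" and role not in declared:
                    findings.append((pat, f"role '{role}' is not a declared security-role"))
            # An auth-constraint makes the container collect credentials (BASIC or FORM);
            # without CONFIDENTIAL they travel in the clear.
            if roles and guarantee != "CONFIDENTIAL":
                findings.append((pat, f"{method} credentials sent with transport-guarantee {guarantee}"))
    return findings


if __name__ == "__main__":
    for pattern, problem in audit_web_xml(WEB_XML):
        print(f"{pattern}: {problem}")
```

Point it at a real descriptor with `audit_web_xml(open("WEB-INF/web.xml").read())`; an empty list means both checks passed for every constraint.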


Page 16

<!DOCTYPE html>
<html>
  <head>
    <meta charset="ISO-8859-1">
    <title>Login please</title>
  </head>
  <body>
    <!-- the action j_security_check and the field names j_username and
         j_password are fixed by the servlet container, which handles the POST -->
    <form method="POST" action="j_security_check">
      <p>username:</p>
      <input type="text" name="j_username">
      <p>password:</p>
      <input type="password" name="j_password">
      <input type="submit" value="Login">
    </form>
  </body>
</html>

The login form must use the indicated action and input field names:
