Securing Large Applications


  • Securing Large Applications
    CSCI 5931 Web Security
    Rungang Mo, Yingying Sun
    Revised by A. Yang

  • Content
    Designing an online banking application;
    Setting up the keys and certificates;
    Configuring the database;
    Building a database access tier;
    Developing a web tier;
    Constructing a client application;
    Looking at areas for improvement.

  • Online banking
    Main features:
      Accept credit cards to open accounts;
      Allow users to view their own account;
      Allow the finance agent to view all credit card data.
    Web interface: Entry, Register and Balance pages.

  • Network topology
    Customer to web server: the most dangerous link; uses SSL with mutual authentication.
    Web server to middleware: RMI over SSL.
    Middleware to database: RMI over SSL.
    Credit card viewer to middleware: SSL with authentication.
    [Connections diagram]

  • Application security
    Database:
      Encrypt credit card numbers with a public key;
      Run the secure JDBC driver on the database host.
    Middleware (Bank):
      Only allow connections from the web server and the credit card client.
    Credit card client:
      Decrypt and view credit cards.

  • Application security (cont.)
    Web server:
      Block access to most ports with a firewall.
    Web browser:
      Use client authentication;
      The browser protects the private key with password-based encryption.

  • Setting up the keys - Relationship between components

    Component                     Trusted Component(s)
    Web Browser                   Web Server
    Web Server (Tomcat)           Web Browser, Middleware
    Middleware (Bank component)   Web Server, Credit Card Client, Database
    Credit Card Client
    Database (MySQL)


  • Generate the keys
    Use the default Java keystore to handle trust and authentication;
    Create a private and public key for each component;
    Create a truststore for each component that contains the appropriate public keys;
    Get a key from Thawte for the web browser;
    Use keytool to create the rest of the keys and certificates for the credit card client, middleware and database (Page 366).

  • Export/Import the certificates
    To establish trust, export every certificate that needs to be trusted:
      c:\> keytool -export -keystore bankKeyStore -file bank.cer
    Set up trust by creating a truststore:
      Web server: needs to trust a number of certificates;
      Trusted certificates in Internet Explorer.
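
The export and import steps above, written as an added example against the java.security.KeyStore API rather than keytool (this is not code from the slides or from the book they follow). The keystore type JKS, the alias "bank", the truststore name webServerTrustStore and the password are assumptions; the slide's keytool command omits -alias, which makes keytool fall back to its default alias, so adjust the alias to whatever the keystore actually holds. The fingerprint helper is there because a .cer file copied between hosts should be compared out of band before it is imported as trusted.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/** Added example: keytool's export/import done through the KeyStore API. */
public final class TrustSetup {
    private static final String STORE_TYPE = "JKS";   // keytool's default when the slides were written

    /** Same effect as: keytool -export -keystore bankKeyStore -file bank.cer (DER encoded). */
    public static void exportCertificate(String keyStorePath, char[] storePass,
                                         String alias, String certFile)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, storePass);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + alias);
        }
        // Only the certificate (public key) leaves the keystore; the private key stays behind.
        try (FileOutputStream out = new FileOutputStream(certFile)) {
            out.write(cert.getEncoded());
        }
    }

    /** Same effect as: keytool -import -keystore <truststore> -alias <alias> -file <cer>. */
    public static void importTrustedCertificate(String trustStorePath, char[] storePass,
                                                String alias, String certFile)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(STORE_TYPE);
        File storeFile = new File(trustStorePath);
        if (storeFile.exists()) {
            try (FileInputStream in = new FileInputStream(storeFile)) { ts.load(in, storePass); }
        } else {
            ts.load(null, storePass);   // start a new, empty truststore
        }
        Certificate cert;
        try (FileInputStream in = new FileInputStream(certFile)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // A trusted-certificate entry holds no private key, so this store may be copied to the peer.
        ts.setCertificateEntry(alias, cert);
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            ts.store(out, storePass);
        }
    }

    /** SHA-256 fingerprint, to be compared out of band before a copied .cer is trusted. */
    public static String fingerprint(Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();               // assumed password
        exportCertificate("bankKeyStore", pass, "bank", "bank.cer");
        Certificate cert;
        try (FileInputStream in = new FileInputStream("bank.cer")) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("bank.cer SHA-256: " + fingerprint(cert));
        // Per the trust table above, the web server must trust the middleware (bank).
        importTrustedCertificate("webServerTrustStore", pass, "bank", "bank.cer");
    }
}
```

The same importTrustedCertificate call, repeated once per peer in the trust table, builds each component's truststore; a truststore contains only certificate entries, so it can be shipped to the component that needs it, while the keystore with the private key never leaves its owner.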

  • The Database
    MySQL: cross-platform and freely available for non-commercial use.
    Tables:
      Accounts: ID, name, balance, certificate serial number.
      Credit_card: account_id, session_key, cc_number.
    The database driver:
      secureDriver_config.xml: configuration info for the secure driver;
      secureDriver.policy: grants permissions to connect, etc.

  • The Middleware - The Bank
    Creating an interface for clients to use;
    Building data objects so that items can be stored in the database;
    Creating an RMI object to connect the interface to the data objects;
    Constructing a way of starting the middleware;
    Configuring the middleware.

  • The Bank Interface
    Four methods in Bank:
      register(): register a new account given basic user information.
      getAccount(): find the account for a given client certificate serial number.
      getCreditCardDBO(): fetch the encrypted credit card information for a given account ID.
      getAllCreditCardAccountIDs(): get a list of all the account IDs in the database.

  • Data objects
    Account class: holds information that is not encrypted;
      Contains accountID, balance, customer name, certificate serial number.
    RegistrationInformation class: wraps up all of the user-entered information;
      Contains credit card number, balance, name, certificate serial number.
    CreditCardDBO class:

  • Data objects (cont.)
    DatabaseOperations class:
      Performs the database operations;
      Uses the JDBC proxy to encrypt the connection using RMI over SSL;
      Stores the CreditCardDBO object and the Account object in the database separately;
      Uses the BASE64 encoder and decoder classes.

  • Bank Implementation
    Creating an RMI object, BankImpl, to connect the interface to the data objects;
    It extends UnicastRemoteObject so that it can be used over RMI;
    Important methods: BankImpl(); register(); getAccount(); getAllCreditCardAccountIDs(); getCreditCardDBO().

  • Starting the Bank
    The BankInit class:
      Constructs a BankImpl object with a Properties object read from the file system;
      A command-line argument indicates the properties file to read;
      Calls Naming.rebind() on it so that it becomes available to RMI clients;
      A bug in JSSE v1.0.2 and earlier.

  • Starting the Bank (cont.)
    The properties file defines the JDBC configuration and the location of the public key;
    BankInit.policy: starts up the bank;
    Collecting the files:
      SecureDriverClient.jar;
      Bank.jar;
      Associated data: keystore, truststore, creditcard.cer.
    Running the Bank:
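
The Bank interface, the BankImpl RMI object and the BankInit start-up class from the three slides above, as one added example that is not the course's Bank.jar and not the book's code. It assumes Java 8 or later (lambdas, javax.rmi.ssl), an rmiregistry already running on the bank host as the start-up slide describes, and a properties file with the keys bank.keystore, bank.keystore.password, bank.truststore, bank.truststore.password, bank.port and bank.name (all names invented here). Accounts are kept in memory instead of MySQL, and the public-key sealing of the card number is passed in as a function and replaced by a stand-in that does no encryption, so that the block stays about RMI over SSL: what the socket factories do, and why needClientAuth is the setting that enforces "only the web server and the credit card client may connect".

```java
import java.io.FileInputStream;
import java.io.Serializable;
import java.rmi.Naming;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.function.Function;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

/** The four remote methods from the slide; every remote method declares RemoteException. */
interface Bank extends Remote {
    int register(RegistrationInformation info) throws RemoteException;
    Account getAccount(String certSerial) throws RemoteException;
    CreditCardDBO getCreditCardDBO(int accountId) throws RemoteException;
    List<Integer> getAllCreditCardAccountIDs() throws RemoteException;
}

/** Data objects cross the wire, so they are Serializable; fields follow the slides. */
final class RegistrationInformation implements Serializable {
    public final String name, creditCardNumber, certSerial; public final double balance;
    RegistrationInformation(String name, String creditCardNumber, double balance, String certSerial) {
        this.name = name; this.creditCardNumber = creditCardNumber; this.balance = balance; this.certSerial = certSerial;
    }
}
final class Account implements Serializable {              // never carries the card number
    public final int id; public final String name, certSerial; public final double balance;
    Account(int id, String name, double balance, String certSerial) {
        this.id = id; this.name = name; this.balance = balance; this.certSerial = certSerial;
    }
}
final class CreditCardDBO implements Serializable {        // sealed form only, base64 like the table columns
    public final int accountId; public final String sessionKey, ccNumber;
    CreditCardDBO(int accountId, String sessionKey, String ccNumber) {
        this.accountId = accountId; this.sessionKey = sessionKey; this.ccNumber = ccNumber;
    }
}

/** Server object: the SSL socket factories make every call on the exported object travel over TLS. */
final class BankImpl extends UnicastRemoteObject implements Bank {
    private final Map<Integer, Account> accounts = new HashMap<>();   // stand-in for the Accounts table
    private final Map<Integer, CreditCardDBO> cards = new HashMap<>(); // stand-in for Credit_card
    private final Function<String, String[]> sealCard;                 // returns {session_key, cc_number}
    private int nextId = 1;

    BankImpl(int port, Function<String, String[]> sealCard) throws RemoteException {
        // needClientAuth=true: a peer must present a certificate the bank's truststore trusts,
        // which limits callers to the web server and the credit card client at the transport layer.
        super(port, new SslRMIClientSocketFactory(), new SslRMIServerSocketFactory(null, null, true));
        this.sealCard = sealCard;
    }

    public synchronized int register(RegistrationInformation info) {
        int id = nextId++;
        accounts.put(id, new Account(id, info.name, info.balance, info.certSerial));
        String[] sealed = sealCard.apply(info.creditCardNumber);   // plaintext is never stored
        cards.put(id, new CreditCardDBO(id, sealed[0], sealed[1]));
        return id;
    }
    public synchronized Account getAccount(String certSerial) {
        for (Account a : accounts.values()) if (a.certSerial.equals(certSerial)) return a;
        return null;
    }
    public synchronized CreditCardDBO getCreditCardDBO(int accountId) { return cards.get(accountId); }
    public synchronized List<Integer> getAllCreditCardAccountIDs() { return new ArrayList<>(cards.keySet()); }
}

/** BankInit: read the properties file named on the command line, export the bank, bind it. */
public final class BankInit {
    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) { props.load(in); }
        // JSSE reads these when the socket factories open connections (property names are assumed).
        System.setProperty("javax.net.ssl.keyStore", props.getProperty("bank.keystore"));
        System.setProperty("javax.net.ssl.keyStorePassword", props.getProperty("bank.keystore.password"));
        System.setProperty("javax.net.ssl.trustStore", props.getProperty("bank.truststore"));
        System.setProperty("javax.net.ssl.trustStorePassword", props.getProperty("bank.truststore.password"));

        int port = Integer.parseInt(props.getProperty("bank.port", "0"));   // 0 = any free port
        // Stand-in only, NOT encryption: the real sealing wraps a session key with the client's public key.
        Function<String, String[]> placeholderSeal = cc -> new String[] {"", cc};
        Bank bank = new BankImpl(port, placeholderSeal);
        Naming.rebind(props.getProperty("bank.name", "rmi://localhost/Bank"), bank);
        System.out.println("Bank bound; accepting RMI calls over SSL with client authentication");
    }
}
```

One caveat worth knowing when reading the start-up slide: the socket factories protect calls on the stub that Naming.lookup hands out, not the lookup itself, because the registry started by rmiregistry listens in the clear. A client that talks to the registry over the network learns only the stub; to protect that exchange too, the bank can create its registry in-process with LocateRegistry.createRegistry(port, csf, ssf) using the same two factories.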

  • The Web Server
    Main functions: registration; account viewing.
    Uses SSL client authentication to identify users;
    Build the servlets and JSPs for the web tier;
    Package the web application and deploy it to Tomcat;
    Run the application.

  • Servlets and JSPs Diagram


  • Servlets and JSPs
    HTML pages:
      Register: sends data to RegisterServlet;
      Login: takes users to the BalanceServlet.
    Servlets:
      RegisterServlet: handles creating the account;
      BalanceServlet: loads the account information and sends it to a JSP for display;
      AbstractEcommerceServlet: init(); getCertificate(); getRedirectURL().
    balance.jsp:
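
How the web tier turns "SSL client authentication" into an identity, as an added example rather than the course's servlets: AbstractEcommerceServlet with the three methods the slide names, and a BalanceServlet built on it. It assumes the javax.servlet API (Tomcat's servlet jar) on the classpath, a web.xml init-param named bankUrl, and a Bank remote interface reduced to the one lookup the servlet needs; the attribute name javax.servlet.request.X509Certificate is the one the Servlet specification defines for the certificate chain the container verified during the handshake.

```java
import java.io.IOException;
import java.rmi.Naming;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Minimal view of the middleware interface used here (assumed; only the lookup by serial number). */
interface Bank extends Remote {
    Account getAccount(String certSerial) throws RemoteException;
}
final class Account implements java.io.Serializable {
    public int id; public String name; public double balance;
}

abstract class AbstractEcommerceServlet extends HttpServlet {
    /** Set by the container only when the SSL handshake included a verified client certificate. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    protected Bank bank;

    @Override public void init() throws ServletException {
        try {
            String url = getServletConfig().getInitParameter("bankUrl");   // init-param name assumed
            bank = (Bank) Naming.lookup(url != null ? url : "rmi://localhost/Bank");
        } catch (Exception e) {
            throw new ServletException("cannot reach the bank middleware", e);
        }
    }

    /** The client's own certificate (first in the chain), or null if the request had none. */
    protected X509Certificate getCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) return null;
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0];
    }

    /** The serial number the Accounts table keys on. It is unique only per issuing CA, so the
     *  web server's truststore should hold just the one CA (Thawte here) that issues browser
     *  certificates; with several CAs, key on issuer DN plus serial instead. */
    protected String getCertificateSerial(X509Certificate cert) {
        return cert.getSerialNumber().toString();
    }

    /** Where a certificate holder without an account is sent (page name from the slides). */
    protected String getRedirectURL(HttpServletRequest req) {
        return req.getContextPath() + "/register.html";
    }
}

public final class BalanceServlet extends AbstractEcommerceServlet {
    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate cert = getCertificate(req);
        if (cert == null) {
            // No verified certificate: refuse rather than fall back to a user-supplied parameter.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        Account account = bank.getAccount(getCertificateSerial(cert));   // RemoteException is an IOException
        if (account == null) {
            resp.sendRedirect(getRedirectURL(req));
            return;
        }
        req.setAttribute("account", account);   // balance.jsp reads this attribute (assumed name)
        req.getRequestDispatcher("/balance.jsp").forward(req, resp);
    }
}
```

The identity check is deliberately taken from the request attribute and nothing else: the container has already validated the chain against the truststore by the time the servlet runs, so the serial number is trustworthy, whereas a serial passed in a form field or cookie would be the client's claim. For the servlet's RMI call to the bank to run over SSL with client authentication, Tomcat's JVM needs the javax.net.ssl.keyStore and trustStore properties set in its startup script, which is the "edit web server startup scripts" step on the packaging slide.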

  • Packaging the web application
    Policy file for Tomcat: tomcat.policy;
    Modify web.xml;
    Build the WAR file;
    Copy the WAR file into Tomcat;
    Delete the other webapps and add the BankApp;
    Enable SSL;
    Enable policy support;
    Add support files;
    Edit the web server startup scripts.

  • Start the application
    Start the RMI registry on the database server;
    Start the database driver;
    Start the RMI registry on the bank;
    Start the bank;
    Start the web server.

  • Credit Card Client
    Allows a user to view all of the credit cards in the database, decrypting them with the private key;
    Modifications to the Chapter 10 example:
      A GUI prompt for the password instead of setting the keystore password on the command line;
      Added support for RMI.
    CreditCardClient class: decryptCreditCardDBO(); main(); getPassword().
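
The encryption scheme that the Credit_card table (session_key, cc_number), the CreditCardDBO object and decryptCreditCardDBO() above all rely on, carried through end to end as an added example that is not the course's or the book's code: the bank generates a fresh AES session key per card, encrypts the card number with it, wraps the session key with the credit card client's public key (read from creditcard.cer) and stores both columns base64-encoded; only the client's private key can unwrap the session key and recover the number. AES-GCM and RSA-OAEP are this example's choices, not necessarily the ones the original used; main() generates an RSA key pair in memory as a stand-in for the client's keystore and the .cer file, and the card number is a constructed test value.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: hybrid public-key sealing of a card number, bank side and client side. */
public final class CreditCardSealing {
    private static final int GCM_IV_BYTES = 12, GCM_TAG_BITS = 128;
    private static final String RSA_XFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** One row of the Credit_card table: both values base64, as the slides describe. */
    public static final class SealedCard {
        public final int accountId; public final String sessionKey, ccNumber;
        SealedCard(int accountId, String sessionKey, String ccNumber) {
            this.accountId = accountId; this.sessionKey = sessionKey; this.ccNumber = ccNumber;
        }
    }

    /** Bank side: the public key comes from the client's certificate file (creditcard.cer). */
    public static PublicKey loadPublicKey(String cerFile) throws IOException, GeneralSecurityException {
        try (FileInputStream in = new FileInputStream(cerFile)) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            return cert.getPublicKey();
        }
    }

    /** Bank side: fresh AES key per card; card under AES-GCM; key wrapped with RSA-OAEP. */
    public static SealedCard seal(int accountId, String ccNumber, PublicKey clientPub)
            throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();

        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);                 // never reuse an IV under the same key
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = aes.doFinal(ccNumber.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCt = new byte[iv.length + ct.length];  // IV is stored in front of the ciphertext
        System.arraycopy(iv, 0, ivAndCt, 0, iv.length);
        System.arraycopy(ct, 0, ivAndCt, iv.length, ct.length);

        Cipher rsa = Cipher.getInstance(RSA_XFORM);
        rsa.init(Cipher.WRAP_MODE, clientPub);
        byte[] wrapped = rsa.wrap(session);               // only the private key can undo this
        Base64.Encoder b64 = Base64.getEncoder();
        return new SealedCard(accountId, b64.encodeToString(wrapped), b64.encodeToString(ivAndCt));
    }

    /** Client side (decryptCreditCardDBO): unwrap the session key, then open the card number. */
    public static String open(SealedCard row, PrivateKey clientPriv) throws GeneralSecurityException {
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher rsa = Cipher.getInstance(RSA_XFORM);
        rsa.init(Cipher.UNWRAP_MODE, clientPriv);
        SecretKey session = (SecretKey) rsa.unwrap(b64.decode(row.sessionKey), "AES", Cipher.SECRET_KEY);

        byte[] ivAndCt = b64.decode(row.ccNumber);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(GCM_TAG_BITS, ivAndCt, 0, GCM_IV_BYTES));
        // A modified row fails the GCM tag check here with AEADBadTagException instead of yielding garbage.
        byte[] pt = aes.doFinal(ivAndCt, GCM_IV_BYTES, ivAndCt.length - GCM_IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");   // stand-in for keystore + creditcard.cer
        kpg.initialize(2048);
        KeyPair client = kpg.generateKeyPair();

        SealedCard row = seal(42, "4111111111111111", client.getPublic());   // constructed test number
        System.out.println("session_key = " + row.sessionKey);
        System.out.println("cc_number   = " + row.ccNumber);
        String back = open(row, client.getPrivate());
        if (!back.equals("4111111111111111")) throw new AssertionError("round trip failed");
        System.out.println("decrypted on the client: " + back);
    }
}
```

The split between the two functions is the whole point of the design on the "Application security" slide: the bank and the database hold only seal()'s output and the public key, so a compromise of either host yields wrapped keys and ciphertext, while open() runs solely on the credit card client, the one machine that holds the private key and that the client's password-protected keystore guards.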

  • Credit Card Client (cont.)
    Credit card client policy file: CreditCardClient.policy (Page 409);
    Packaging the credit card client: create a JAR file, CreditCardClient.jar, and a directory for the credit card client;
    Running the credit card client:

  • Possible modifications
    Logging:
    Using SSL:
    Web browser authentication:
    The database:
    Encrypting SSL keys:

  • Reference
    Jess Garms, Daniel Somerfield, Professional Java Security.
    http://www.mysql.com