Web Application Security
SE-2840 Dr. Mark L. Hornick 1
There are three main security concerns your web apps need to address:
- Impersonation: a client pretends to be someone else in order to gain access to your site
- Upgrading: a client gains access to restricted aspects of your web app
- Eavesdropping: a third party gains access to confidential information exchanged between your site and a valid user
All of these can be managed via the Deployment Descriptor
Tomcat incorporates a declarative security model that requires no changes to your Servlets or pages
Tomcat itself handles Authentication, Authorization, and Data Encryption
The server.xml file contains configuration specifications for Tomcat operation, including enabling HTTPS:
```xml
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using
     APR, the connector should be using the OpenSSL style
     configuration described in the APR documentation -->
<!-- uncommented by MLH -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:/Apache/keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
<!-- uncommented by MLH -->
```
Note: the Connector element is (usually) already in this file, although commented out. I rearranged the comments and added the keystoreFile attribute that specifies the file containing the generated Certificate.
Encrypting the transport of data ensures that sensitive data (e.g. passwords) will not be viewable during transmission either to or from the server.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <!-- This section declares specific resources whose access is to be constrained
       by the Tomcat security manager. -->
  <security-constraint>
    <!-- Here is where the restricted resources are specified (1 to many) -->
    <web-resource-collection>
      <!-- "SecuredPages" is just an arbitrary identifier -->
      <web-resource-name>SecuredPages</web-resource-name>
      <!-- The constrained resources for this collection: -->
      <url-pattern>/MyApp/somepage.html</url-pattern>
      <url-pattern>/MyApp/page2.jsp</url-pattern>
      <url-pattern>/MyApp/myServlet</url-pattern>
    </web-resource-collection>
    ... <!-- More resource collections can be added here... -->
    <!-- This specifies that the browser and server establish an encrypted
         connection for exchanging request and response data -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- Additional security constraint sections can be added here -->
</web-app>
```
The default transport-guarantee is NONE.
Demo
Generating a certificate (see http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html)
Note: When prompted for the password, I entered "changeit"
Authorization allows a web app to restrict access to specific parts of an application:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <!-- Here is where the authorized roles are defined. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>member</role-name>
  </security-role>
  <!-- This section declares specific resources to be accessible only by users
       in certain roles (defined in the separate tomcat-users.xml file). -->
  <security-constraint>
    <!-- Here is where the restricted resources are specified (1 to many) -->
    <web-resource-collection>
      <!-- "SecuredPages" is just an arbitrary identifier -->
      <web-resource-name>SecuredPages</web-resource-name>
      <!-- The constrained resources (1 to many) for this collection: -->
      <url-pattern>/MyApp/admin.jsp</url-pattern>
      <url-pattern>/MyApp/manage.jsp</url-pattern>
    </web-resource-collection>
    ... <!-- more collections here... -->
    <!-- Here is where the authorized roles are specified. Role names are
         case-sensitive and must match the security-role declarations above
         and the rolename values in tomcat-users.xml. -->
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>manager</role-name>
      ...
    </auth-constraint>
  </security-constraint>
</web-app>
```
The tomcat-users.xml file contains role, username, and password definitions:
```xml
<tomcat-users>
  <!-- NOTE: By default, no user is included in the "manager" role required to
       operate the "/manager" web application. If you wish to use this app,
       you must define such a user - the username and password are arbitrary. -->
  <!-- NOTE: The sample user and role entries below are wrapped in a comment
       and thus are ignored when reading this file. Do not forget to remove
       <!.. ..> that surrounds them. -->
  <!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  -->
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="member"/>
  <!-- Passwords are stored in cleartext in this file, so its read permissions
       must be restricted to the account Tomcat runs as. -->
  <user username="tomcat" password="tomcat" roles="manager,admin"/>
  <user username="mark" password="mlh" roles="member,manager"/>
</tomcat-users>
```
Demo
Authentication allows a web app to validate the identity of a client
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>member</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/MyApp/admin.jsp</url-pattern>
      <url-pattern>/MyApp/manage.jsp</url-pattern>
    </web-resource-collection>
    <!-- Role names are case-sensitive and must match the security-role
         declarations above. -->
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- When you specify a login-config, the container automatically supplies
       a username/password prompt -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
```
You can define your own login page if you don't like the default popup dialog:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>member</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/MyApp/admin.jsp</url-pattern>
      <url-pattern>/MyApp/manage.jsp</url-pattern>
    </web-resource-collection>
    <!-- Role names are case-sensitive and must match the security-role
         declarations above. -->
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```
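A descriptor lint, added here as an example that is not part of the lecture or of Tomcat, for the two mistakes the descriptors above can hide: an auth-constraint role-name that matches no declared security-role (role names are case-sensitive, so "Admin" never grants "admin"), and a role-protected resource with no CONFIDENTIAL transport guarantee, which sends the BASIC or FORM credentials in the clear. The sample web.xml is constructed for the demonstration and lint_web_xml is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the slides): the auth-constraint names roles that
# were never declared as security-roles, and the constrained pages carry no
# user-data-constraint, so they are served over an unencrypted transport.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/MyApp/admin.jsp</url-pattern>
      <url-pattern>/MyApp/manage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""


def lint_web_xml(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # Real descriptors put the Java EE namespace on every tag; strip it so the
    # path lookups below work on namespaced and bare files alike.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    declared = {r.text.strip() for r in root.iterfind("security-role/role-name")}
    findings = []
    for sc in root.iterfind("security-constraint"):
        patterns = [p.text.strip() for p in sc.iterfind("web-resource-collection/url-pattern")]
        roles = [r.text.strip() for r in sc.iterfind("auth-constraint/role-name")]
        # Check 1: role names are case-sensitive and an undeclared role matches
        # nobody, so "Admin" locks every real admin out ("*" means any declared role).
        for role in roles:
            if role != "*" and role not in declared:
                findings.append(f"auth-constraint role '{role}' is not a declared security-role")
        # Check 2: a role-protected resource without CONFIDENTIAL transport sends the
        # BASIC/FORM credentials, and the page itself, in the clear.
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE").strip()
        if roles and guarantee != "CONFIDENTIAL":
            findings.append(f"{patterns} require a role but transport-guarantee is {guarantee}")
    return findings
```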
The login form must use the indicated action and input field names:
```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="ISO-8859-1">
    <title>Login please</title>
  </head>
  <body>
    <form method="POST" action="j_security_check">
      <p>username:</p>
      <input type="text" name="j_username">
      <p>password:</p>
      <input type="password" name="j_password">
      <input type="submit" value="Login">
    </form>
  </body>
</html>
```