8/2/2019 03 Security Declarative
2009 Marty Hall
Application Security
Originals of Slides and Source Code for Examples:
http://courses.coreservlets.com/Course-Materials/msajsp.html
Customized Java EE Training: http://courses.coreservlets.com/ (Servlets, JSP, Struts, JSF/MyFaces/Facelets, Ajax, GWT, Spring, Hibernate/JPA, Java 5 & 6).
Developed and taught by well-known author and developer. At public venues or onsite at your location.
For live Java training, please see the training courses at http://courses.coreservlets.com/: Servlets, JSP, Struts, JSF, Ajax, GWT, Java 5, Java 6, Spring, Hibernate, JPA, and customized combinations of topics.
Taught by the author of Core Servlets and JSP and More Servlets and JSP. Courses are held at public venues, or customized versions can be held on-site at your organization. Contact [email protected] for details.
Agenda
  Major security concerns
  Declarative vs. programmatic security
  Using form-based authentication
    Steps
    Example
  Using BASIC authentication
    Steps
    Example
Major Issues
  Preventing unauthorized users from accessing sensitive data.
    Access restriction: identifying who should have access to the data
    Authentication: identifying users to determine if they are one of the authorized ones
  Preventing attackers from stealing network data while it is in transit.
    Encryption (usually with SSL)
Declarative Security
None of the individual servlets or JSP pages need to handle security themselves. Instead, both of the major security aspects are handled by the server.
  To prevent unauthorized access, use the deployment descriptor (web.xml) to declare that certain URLs need protection, and designate the authentication method that the server uses to identify users. At request time the server automatically prompts users for usernames and passwords when they try to access restricted resources, automatically checks the results against a server-specific set of usernames and passwords, and automatically keeps track of which users have already been authenticated. This process is completely transparent to the servlets and JSP pages.
  To safeguard network data, declare that certain URLs should be accessible only with SSL. If users try to use a regular HTTP connection to access one of these URLs, the server automatically redirects them to the HTTPS (SSL) equivalent.
Programmatic Security
Protected servlets and JSP pages at least partially manage their own security. Much more work, but totally portable, and a bit more flexibility is possible.
  To prevent unauthorized access, each servlet or JSP page must either authenticate the user or verify that the user has been authenticated previously.
  To safeguard network data, each servlet or JSP page has to check the network protocol used to access it. If users try to use a regular HTTP connection to access one of these URLs, the servlet or JSP page must manually redirect them to the HTTPS (SSL) equivalent.
Form-Based Authentication
When a not-yet-authenticated user tries to access a protected resource:
  Server automatically redirects user to Web page with an HTML form that asks for username and password
  Username and password checked against database of usernames, passwords, and roles (user categories)
  If login successful and role matches, page shown
  If login unsuccessful, error page shown
  If login successful but role does not match, 403 error given
When an already authenticated user tries to access a protected resource:
  If role matches, page shown
  If role does not match, 403 error given
Session tracking used to tell if user already authenticated
BASIC Authentication
When a not-yet-authenticated user tries to access a protected resource:
  Server sends a 401 status code to browser
  Browser pops up dialog box asking for username and password, and they are sent with request in Authorization request header
  Username and password checked against database of usernames, passwords, and roles (user categories)
  If login successful and role matches, page shown
When an already authenticated user tries to access a protected resource:
  If role matches, page shown
  If role does not match, 401 error given
Request header used to tell if user already authenticated
Form-Based Authentication
1) Set up usernames, passwords, and roles. Designate a list of users and associated passwords and abstract role(s) such as normal user or administrator. This is a server-specific process. Simplest Tomcat approach: use install_dir/conf/tomcat-users.xml.
Form-Based Authentication
2) Tell server that you are using form-based authentication. Designate locations of login and login-failure page. Use the web.xml login-config element with an auth-method subelement of FORM and a form-login-config subelement giving the locations of the pages.
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
Form-Based Authentication
3) Create a login page (HTML or JSP). HTML form with ACTION of j_security_check, METHOD of POST, textfield named j_username, and password field named j_password. You could even use a set of radio buttons instead of a textfield.
Form-Based Authentication
4) Create page for failed login attempts. No specific content is mandated. Perhaps just "username and password not found." This can be either an HTML or a JSP document.
Form-Based Authentication
5) Specify URLs to be password protected. Use the security-constraint element in web.xml. This element has two subelements: the first (web-resource-collection) designates URLs to which access should be restricted; the second (auth-constraint) specifies abstract roles that should have access to those URLs. An auth-constraint with no role-name means no direct access is allowed.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sensitive</web-resource-name>
      <url-pattern>/sensitive/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>executive</role-name>
    </auth-constraint>
  </security-constraint>
  ...
Form-Based Authentication
6) List all possible abstract roles (categories of users) that will be granted access to any resource, using security-role elements in web.xml:
  <web-app>
    ...
    <security-role>
      <role-name>administrator</role-name>
    </security-role>
    <security-role>
      <role-name>executive</role-name>
    </security-role>
  </web-app>
Form-Based Authentication
7) Specify which URLs require SSL. If server supports SSL, you can stipulate that certain resources are available only through encrypted HTTPS (SSL) connections. Use the user-data-constraint subelement of security-constraint. Only full J2EE servers are required to support SSL.
  <security-constraint>
    ...
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
Form-Based Authentication
8) Turn off the invoker servlet. You protect certain URLs that are associated with registered servlet or JSP names. The http://host/prefix/servlet/Name format of default servlet URLs will probably not match the pattern. Thus, the security restrictions are bypassed when the default URLs are used.
Disabling it:
  In each Web application, map /servlet/* to a servlet that redirects requests elsewhere, by the normal web.xml method.
  Server-specific mechanism (e.g. install_dir/conf/server.xml for Tomcat).
Example: Form-Based Security
Example: Step 1
Set up usernames, passwords, and roles. install_dir/conf/tomcat-users.xml:
  <tomcat-users>
    <user username="..." password="..." roles="registered-user" />
    ...
  </tomcat-users>
Example: Step 2
Tell server that you are using form-based authentication. Designate locations of login and login-failure page.
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/admin/login.jsp</form-login-page>
      <form-error-page>/admin/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
Example: Step 3
Create a login page (login.jsp). The form posts to j_security_check with fields j_username and j_password:
  <HTML>
  <HEAD><TITLE>Log In</TITLE></HEAD>
  <BODY>
  Sorry, you must log in before ...
  <FORM ACTION="j_security_check" METHOD="POST">
    User name: <INPUT TYPE="TEXT" NAME="j_username"><BR>
    Password: <INPUT TYPE="PASSWORD" NAME="j_password"><BR>
    <INPUT TYPE="SUBMIT" VALUE="Log In">
  </FORM>
  </BODY></HTML>
Example: Step 3 (Result)
Example: Step 4
Create page for failed login attempts (login-error.jsp):
  <HTML><HEAD><TITLE>Begone!</TITLE></HEAD>
  <BODY>
  <H1>Begone, ye unauthorized peon.</H1>
  </BODY></HTML>
Example: Access Rules
  Home page: Anyone
  Investing page: Registered users, Administrators
  Buy-stock page (/ssl/buy-stock.jsp): Registered users, via SSL only
  Delete account page: Administrators
Example: Step 5
Specify URLs to be password protected.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Investing</web-resource-name>
      <url-pattern>/investing/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>registered-user</role-name>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
Example: Step 5 (Continued)
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account Deletion</web-resource-name>
      <url-pattern>/admin/delete-account.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
Example: Step 5 (Results)
  First attempt to access account status page: login form shown
  Result of successful login, and of later attempts to access the account status page: page shown
Example: Step 6
List all possible abstract roles (types of users) that will be granted access to any resource.
  <web-app>
    ...
    <security-role>
      <role-name>registered-user</role-name>
    </security-role>
    <security-role>
      <role-name>administrator</role-name>
    </security-role>
  </web-app>
Example: Step 7
Specify which URLs require SSL.
Example: Step 7 (Results)
Request for http://host/prefix/ssl/buy-stock.jsp or https://host/prefix/ssl/buy-stock.jsp
Example: Step 8
Turn off the invoker servlet by mapping /servlet/* to a redirector servlet in web.xml:
  <servlet>
    <servlet-name>Redirector</servlet-name>
    <servlet-class>RedirectorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Redirector</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
Example: Step 8 (Continued)
  import java.io.*;
  import javax.servlet.*;
  import javax.servlet.http.*;

  /** Servlet that simply redirects users to the
   *  Web application home page.
   */
  public class RedirectorServlet extends HttpServlet {
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
        throws ServletException, IOException {
      // Send the browser to the application's root, where the
      // welcome-file list selects the home page.
      response.sendRedirect(request.getContextPath() + "/");
    }

    public void doPost(HttpServletRequest request,
                       HttpServletResponse response)
        throws ServletException, IOException {
      doGet(request, response);
    }
  }
Example: Step 8 (Results)
Attempt to access http://host/hotdotcom/servlet/Anything
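Added example, not from the slides: the fragments of Steps 2 and 5 to 8 above assembled into one web.xml for the hotdotcom application, in the element order the Servlet 2.3 DTD requires (servlet, servlet-mapping, security-constraint, login-config, security-role). The servlet-class package, the /ssl/* pattern and the "Stock Purchase" collection name are assumptions; the slides show only the individual fragments and the URL /ssl/buy-stock.jsp.

```xml
<web-app>
  <!-- Step 8: default /servlet/Name URLs go to the redirector, never to a servlet -->
  <servlet>
    <servlet-name>Redirector</servlet-name>
    <servlet-class>RedirectorServlet</servlet-class> <!-- package not on slides -->
  </servlet>
  <servlet-mapping>
    <servlet-name>Redirector</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <!-- Step 5: which URLs are restricted, and to which roles -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Investing</web-resource-name>
      <url-pattern>/investing/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>registered-user</role-name>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account Deletion</web-resource-name>
      <url-pattern>/admin/delete-account.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <!-- Step 7: SSL only; a plain-HTTP request is redirected to HTTPS -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Stock Purchase</web-resource-name> <!-- name assumed -->
      <url-pattern>/ssl/*</url-pattern>                   <!-- pattern assumed -->
    </web-resource-collection>
    <auth-constraint><role-name>registered-user</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- Step 2: form-based login with the pages under /admin -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/admin/login.jsp</form-login-page>
      <form-error-page>/admin/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Step 6: every role used in an auth-constraint is declared here -->
  <security-role><role-name>registered-user</role-name></security-role>
  <security-role><role-name>administrator</role-name></security-role>
</web-app>
```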
Form-Based vs. BASIC
Advantages of form-based
  Consistent look and feel
  Fits model users expect from ecommerce sites
Disadvantages of form-based
  Can fail if server is using URL rewriting for session tracking.
  Can fail if browser has cookies disabled.
Advantages of BASIC
  Doesn't rely on session tracking
  Easier when you are doing it yourself (programmatic)
Disadvantage of BASIC
  Small popup dialog box seems less familiar to most users
Other options
  CLIENT-CERT (X.509 certificates)
  DIGEST (not widely supported by browsers)
BASIC Authentication
1. Set up usernames, passwords, and roles. Same as for form-based authentication. Server-specific.
2. Tell the server that you are using BASIC authentication. Use the web.xml login-config element with an auth-method subelement of BASIC and a realm-name subelement (generally used as part of the title of the dialog box that the browser opens).
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Some Name</realm-name>
  </login-config>
BASIC Authentication
3. Specify which URLs should be password protected. Same as with form-based authentication.
4. List all possible abstract roles (types of users) that will access any protected resource.
5. Specify which URLs should be available only with SSL. Same as with form-based authentication.
6. Turn off the invoker servlet. Same as with form-based authentication.
Example: BASIC Authentication
  Home page: Anyone
  Financial plan: Employees or executives
  Business plan: Executives only
Example: BASIC Authentication
Set up usernames, passwords, and roles.
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <tomcat-users>
    ...
  </tomcat-users>
The full tomcat-users.xml for the declarative example is online at http://archive.moreservlets.com/Security-Code/tomcat-users.xml
Example: BASIC Authentication
Tell the server that you are using BASIC authentication. Designate the realm name.
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Intranet</realm-name>
  </login-config>
Example: BASIC Authentication
Specify which URLs should be password protected.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Financial Plan</web-resource-name>
      <url-pattern>/financial-plan.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
      <role-name>executive</role-name>
    </auth-constraint>
  </security-constraint>
Example: BASIC Authentication
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Business Plan</web-resource-name>
      <url-pattern>/business-plan.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>executive</role-name>
    </auth-constraint>
  </security-constraint>
Example: BASIC Authentication
List all possible abstract roles that will access any protected resource.
  <web-app>
    ...
    <security-role>
      <role-name>employee</role-name>
    </security-role>
    <security-role>
      <role-name>executive</role-name>
    </security-role>
  </web-app>
Example: BASIC Authentication (Results)
  First attempt for business plan: browser dialog asks for username and password
  Failed login: denied (user not in executive role)
  Success: user in executive role
You can use the error-page and error-code elements to define custom pages for status code 403. See lecture on web.xml.
Summary
Main security issues
  Preventing access by unauthorized users
  Preventing attackers from stealing network data
Declarative security
  Much less work than programmatic security
  Requires server-specific password setup
Form-based authentication
  Attempts to access restricted resources get redirected to login page. HTML form gathers username and password. Session tracking tracks authenticated users.
BASIC authentication
  Attempts to access restricted resources result in dialog box. Dialog gathers username and password. HTTP headers track authenticated users.
Questions?