Declarative Security
CS520 Web Programming
Chengyu Sun
California State University, Los Angeles

Need for Security in Web Applications
- Potentially large number of users
- Multiple user types
- No operating system to rely on

Web Application Security
- Client sends a request to the Server
- "Who are you?" (username/password): Authentication
- "You're not authorized to access ...": Authorization (Access Control)
- Connection Security

HTTP Secure (HTTPS)
- HTTP over SSL/TLS
- Configure SSL in Tomcat: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

SSL and TLS
- Secure Socket Layer (SSL)
  - Server authentication
  - Client authentication
  - Connection encryption
- Transport Layer Security (TLS)
  - TLS 1.0 is based on SSL 3.0
  - IETF standard (RFC 2246)

Programmatic Security
- Security is implemented in the application code
- Example: Login.jsp, Members.jsp
- Pros?? Cons??
Security by Java EE Application Server
- HTTP Basic
- HTTP Digest
- HTTPS
- Form-based

HTTP Basic
- HTTP 1.0, Section 11.1: http://www.w3.org/Protocols/HTTP/1.0/draft-ietf-http-spec.html
- Client and Server exchange:
  1. Client: request for a restricted page
  2. Server: prompt for username/password
  3. Client: resend request + username & password

HTTP Basic – Configuration
    AuthType Basic
    AuthName "Basic Authentication Example"
    AuthUserFile /home/cysun/etc/htpasswords
    Require user cs520

HTTP Basic – Request
    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*

HTTP Basic – Server Response
    HTTP/1.1 401 Authorization Required
    Date: Tue, 24 Oct 2006 14:57:50 GMT
    Server: Apache/2.2.2 (Fedora)
    WWW-Authenticate: Basic realm="Restricted Access Area"
    Content-Length: 484
    Content-Type: text/html; charset=iso-8859-1

HTTP Basic – Request Again
    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*
    Authorization: Basic Y3lzdW46YWJjZAo=
- The Authorization value is the Base64 encoding of "cysun:abcd"
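Added example (not from the slides): a parser for the Authorization: Basic header of the "Request Again" slide, with a constructed copy of that request as input. It shows that Base64 is an encoding, not encryption, and that the slide's token decodes to "cysun:abcd" plus a trailing newline (the token was evidently produced with echo).

```python
import base64
import binascii

# Constructed request modelled on the slide's "Request Again" (not captured traffic).
SAMPLE_REQUEST = (
    "GET /restricted/index.html HTTP/1.0\r\n"
    "Host: sun.calstatela.edu\r\n"
    "Accept: */*\r\n"
    "Authorization: Basic Y3lzdW46YWJjZAo=\r\n"
    "\r\n"
)


def parse_basic_credentials(raw_request):
    """Return (username, password) from an Authorization: Basic header, or None.

    Base64 is an encoding, not encryption: anyone who can read the header on a
    plain HTTP connection gets the credentials back with one decode.  Only the
    first ':' separates user from password, so a password may itself contain ':'.
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
        except binascii.Error:
            return None  # malformed token: treat as no credentials
        if ":" not in decoded:
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None


def basic_challenge(realm):
    """The 401 response a server sends before any credentials arrive."""
    return (
        "HTTP/1.1 401 Authorization Required\r\n"
        f'WWW-Authenticate: Basic realm="{realm}"\r\n'
        "Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    # The slide's token was produced with echo, so the decoded password ends in '\n'.
    print(parse_basic_credentials(SAMPLE_REQUEST))  # ('cysun', 'abcd\n')
```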
Improve HTTP Basic (I)
- HTTP Basic: username and password are sent in plain text
- Encrypt username and password

Cryptographic Hash Function…
- Maps a string of arbitrary length to an n-bit digest
- Properties:
  1. Given a hash value, it's virtually impossible to find a message that hashes to this value
  2. Given a message, it's virtually impossible to find another message that hashes to the same value
  3. It's virtually impossible to find two messages that hash to the same value
- A.K.A. one-way hashing, message digest, digital fingerprint

…Cryptographic Hash Function
- Common usage: store passwords, software checksums, …
- Popular algorithms:
  - MD5 (broken, partially)
  - SHA-1 (broken, sort of)
  - SHA-256 and SHA-512 (recommended)

Storing Passwords
- Why encrypt stored passwords??
- Common attacks on encrypted passwords:
  - Brute force and some variations
  - Dictionary
- Common defenses:
  - Long and random passwords
  - Make cryptographic hash functions slower
  - Salt

Encrypting Password is Not Enough
- HTTP Basic: username and password are sent in plain text
- Encrypt username and password
- Why??

Improve HTTP Basic (II)
- HTTP Basic: username and password are sent in plain text
- Encrypt username and password
- Additional measures to prevent common attacks
- HTTP Digest
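Added example (not from the slides) for the "Storing Passwords" defenses: a plain SHA-256 of the password next to a salted, deliberately slow PBKDF2 hash with constant-time verification. The record format and the 100,000-iteration count are this example's own choices; 'abcd' is the slide's sample password.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # "make the hash function slower": raise as hardware gets faster


def unsalted_sha256(password):
    """One plain SHA-256 over the password: what the slides call 'encrypting' it.

    Equal passwords give equal digests, so one precomputed dictionary of
    digests (or one brute-force run) covers every user who chose that password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash, packed into one storable string.

    A fresh 16-byte random salt per user means identical passwords no longer
    share a digest and precomputed tables are useless; PBKDF2's iteration
    count multiplies the cost of every guess that has to be checked.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("abcd")  # 'abcd' is the slide's sample password
    print(record)
    print(verify_password("abcd", record), verify_password("abce", record))  # True False
```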
HTTP Digest
- RFC 2617 (Part of HTTP 1.1): http://www.ietf.org/rfc/rfc2617.txt
- Client and Server exchange:
  1. Client: request for a restricted page
  2. Server: prompt for username/password + nonce
  3. Client: resend request + message digest

HTTP Digest – Server Response
    HTTP/1.1 401 Authorization Required
    Date: Tue, 24 Oct 2006 14:57:50 GMT
    Server: Apache/2.2.2 (Fedora)
    WWW-Authenticate: Digest realm="Restricted Access Area",
        qop="auth,auth-int",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
        algorithm="MD5",
        opaque="5ccc069c403ebaf9f0171e9517f40e41"
    Content-Length: 484
    Content-Type: text/html; charset=iso-8859-1

HTTP Digest – Request Again
    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*
    Authorization: Digest username="cysun",
        realm="Restricted Access Area",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
        uri="/restricted/index.html",
        qop=auth,
        nc=00000001,
        cnonce="0a4f113b",
        opaque="5ccc069c403ebaf9f0171e9517f40e41",
        algorithm="MD5",
        response="6629fae49393a05397450978507c4ef1"
- response is the hash value of the combination of username, password, realm, uri, nonce, cnonce, nc, qop

Form-based Security
- Unique to J2EE application servers
- Includes authentication and authorization, but not connection security
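Added example (not from the slides): the RFC 2617 qop=auth computation behind the response field above, for both the client and the verifying server. The nonce, cnonce, opaque and response values on the slide are the ones used in RFC 2617's own worked example (username Mufasa, realm testrealm@host.com, password "Circle Of Life", uri /dir/index.html), so the function is checked against that published vector; the slide's response was not computed from the cysun fields shown.

```python
import hashlib
import hmac

# Challenge values from the slide; they are also the ones in RFC 2617's worked
# example (section 3.5), which is where the slide's "response" value comes from.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
OPAQUE = "5ccc069c403ebaf9f0171e9517f40e41"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side (RFC 2617, qop=auth): response = MD5(HA1:nonce:nc:cnonce:qop:HA2).

    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri).  The password
    never leaves the client; the server nonce and client cnonce tie the digest
    to this challenge, and the nonce count (nc) lets the server spot replays.
    """
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, qop, claimed):
    """Server side: recompute from the stored HA1 (no plaintext password needed)
    and compare in constant time with the response the client sent."""
    ha2 = md5_hex("%s:%s" % (method, uri))
    expected = md5_hex(":".join([stored_ha1, nonce, nc, cnonce, qop, ha2]))
    return hmac.compare_digest(expected, claimed)


def slide_response(password):
    """Response a client would send for the slide's request, given the password."""
    return digest_response("cysun", "Restricted Access Area", password, "GET",
                           "/restricted/index.html", NONCE, "00000001", CNONCE)


if __name__ == "__main__":
    print(slide_response("abcd"))  # password assumed from the HTTP Basic slide
```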
Form-based Security using Tomcat
- $TOMCAT/conf/tomcat-users.xml: users and roles

Example – Users and Roles
Example – Directory Layout
    /admin
        index.html
    /member
        index.html
    error.html
    index.html
    /WEB-INF
        web.xml

Example – Login Page

Example – web.xml …

… Example – web.xml

Declarative Security
- Security constraints are defined outside application code in some metadata file(s)
- Application server provides the security implementation
- Advantages:
  - Separate security code from normal code
  - Easy to use and maintain

Limitations of Declarative Security by App Servers
- Application server dependent
- Not flexible enough
- Servlet Specification only requires URL access control
Security Requirements of Web Applications
- Authentication
- Authorization (Access Control)
  - URL
  - Method invocation
  - Domain object
  - View

Spring Security (SS)
- A security framework for Spring-based applications
- Addresses all the security requirements of web applications

How Does Spring Security Work
- Intercept requests and/or responses
  - Servlet filters
  - Spring handler interceptors
- Intercept method calls
  - Spring method interceptors
- Modify views
  - Spring Security Tag Library

Servlet Filter
- Intercept, examine, and/or modify request and response
- request -> Filter -> Servlet/JSP -> response

Servlet Filter Example
- web.xml

Spring Handler Interceptor
- Serves the same purpose as a servlet filter
- Configured as Spring beans, i.e. support dependency
- request -> Controller -> response
Intercept Request/Response
- Request -> Controller -> Response (e.g. /member/index.html)
- What can we do by intercepting the request??
- What can we do by intercepting the response??

Intercept Method Call
- BeforeAdvice -> Method Invocation (e.g. User getUserById(1)) -> AfterAdvice
- What can we do in BeforeAdvice??
- What can we do in AfterAdvice??

Adding Spring Security to a Web Application …
- Dependencies
  - spring-security-config

… Adding Spring Security to a Web Application
- web.xml

Authentication Sources
- Database
- LDAP
- Container-based: JBoss, Jetty, Resin, Tomcat
- JAAS
- CAS
- OpenID
- SiteMinder
- X.509
- Windows NTLM

Authentication Supported
- Authentication Manager -> Authentication Providers (one per source) -> Authentication Sources
- Authentication Sources: database, LDAP, Servlet Container
Authenticate Against a Database – Configuration
- applicationContext.xml

Authenticate Against a Database – Default Schema
    create table users (
        username string primary key,

Authenticate Against a Database – Customization
- users-by-username-query
- authorities-by-username-query
- user-service-ref

Implement Your Own UserDetailsService
- http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/userdetails/

Authentication – Login Form and More Customize
Default Login URLs and Parameters
- /j_spring_security_check
- /j_spring_security_logout
- j_username
- j_password

Authorization Examples
- Users must log in to see the user list
- A user can only view/edit their own account
- An administrator can view/edit all accounts
- Only administrators can create new accounts
- Operations not available to a user should be hidden from the user

Example: URL Security
- Users must log in to see the user list
- applicationContext.xml

URL Security
- Spring Expression Language: http://static.springsource.org/spring/docs/current/spring-framework-reference/html/expressions.html
- Pattern
  - Defaults to ANT path pattern, e.g. /user/list.html, /user/*, /user/**, /user/*/*.html, /**/*.html
  - Case-insensitive
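Added example (not from the slides, and not Spring's own AntPathMatcher): a case-insensitive Ant-style path matcher covering the patterns listed above, plus a first-match-wins rule lookup that mirrors how an ordered list of intercept-url rules is consulted. The RULES list is a constructed rule set for the "users must log in to see the user list" example.

```python
import fnmatch

# Ant-style matching as used by <intercept-url pattern="...">: '?' matches one
# character, '*' any run of characters inside one path segment, '**' zero or more
# whole segments.  Matching is done case-insensitively, as the slide notes.


def ant_match(pattern, path):
    """True if the Ant-style pattern matches the request path (case-insensitive)."""
    pat = pattern.lower().split("/")
    segs = path.lower().split("/")

    def match(i, j):
        if i == len(pat):
            return j == len(segs)  # pattern exhausted: path must be too
        if pat[i] == "**":
            # '**' may swallow zero or more of the remaining segments
            return any(match(i + 1, k) for k in range(j, len(segs) + 1))
        if j == len(segs):
            return False  # path exhausted but pattern still has a segment
        return fnmatch.fnmatchcase(segs[j], pat[i]) and match(i + 1, j + 1)

    return match(0, 0)


def first_matching_rule(rules, path):
    """Return the access expression of the first rule whose pattern matches.

    Rules are an ordered list of (pattern, access) pairs; like Spring Security's
    intercept-url elements, the first match wins, so a broad pattern such as
    /** placed first shadows every more specific rule after it.
    """
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None  # no rule: the caller decides the default (deny is the safe one)


# Constructed rule set for the slide's example: only logged-in users see the user list.
RULES = [
    ("/user/list.html", "authenticated"),
    ("/user/**", "hasRole('ROLE_ADMIN')"),
    ("/**", "permitAll"),
]

if __name__ == "__main__":
    for p in ("/user/list.html", "/User/List.HTML", "/user/1/edit.html", "/index.html"):
        print(p, "->", first_matching_rule(RULES, p))
```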
Security-Related SpEL Methods and Properties
- hasIpAddress(), hasRole(), hasAnyRole(), permitAll, denyAll
- anonymous, authenticated, rememberMe, fullyAuthenticated
- http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/web/access/expression/WebSecurityExpressionRoot.html

Example: Method Security
- A user can only edit their own account
- A user may only invoke userDao.saveUser() if the user object to be saved has the same id

Enable Method Security
- applicationContext.xml

@PreAuthorize("SpEL expr")
- Allow method invocation if the SpEL expression evaluates to true

More Security-Related SpEL Properties
- authentication
- principal
- Method parameter: #

About authentication and principal
- The Authentication interface: http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework
Method Security
    @PreAuthorize("principal.username == #user.username")
    public User saveUser( User user )
- Exercise: implement the following security constraints
  - An administrator can edit all accounts
  - Only administrators can create new accounts

Example: Object Security
- A user can only view their own account
- The user object returned by userDao.getUser() must have the same id as the user who invoked the method

Object Security
    @PostAuthorize("principal.username == returnObject.username")
    public User getUser( Integer id )
- Exercise: implement the following security constraint
  - An administrator can view all accounts

Example: View Security
- Operations not available to a user should be hidden from the user
    ID  Name   Operations
    1   admin  Details | Edit
    2   cysun  Details | Edit
    3   jdoe   Details | Edit

Security Tag Library
- http://static.springsource.org/spring-security/site/docs/3.1.x/reference/taglib

View Security
- property
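Added example (not from the slides, and not Spring Security's implementation): Python decorators that mimic @PreAuthorize and @PostAuthorize over the saveUser/getUser methods above, with the administrator clauses from the two exercises added to the rules. The principal is passed explicitly instead of being read from a security context, ROLE_ADMIN is an assumed role name, and USERS is a constructed in-memory stand-in for the DAO.

```python
from collections import namedtuple
Principal = namedtuple("Principal", "username roles")   # stands in for Spring's `principal`
User = namedtuple("User", "id username")                # domain object handled by the DAO
class AccessDenied(Exception): pass

def pre_authorize(rule):
    """@PreAuthorize: rule(principal, *args) must hold before the method runs."""
    def decorate(fn):
        def wrapper(principal, *args):
            if not rule(principal, *args):
                raise AccessDenied(fn.__name__)
            return fn(principal, *args)
        return wrapper
    return decorate

def post_authorize(rule):
    """@PostAuthorize: run the method, then rule(principal, returnObject) decides
    whether the caller may see the result (the owner is known only after the call)."""
    def decorate(fn):
        def wrapper(principal, *args):
            result = fn(principal, *args)
            if not rule(principal, result):
                raise AccessDenied(fn.__name__)
            return result
        return wrapper
    return decorate

def is_denied(fn, principal, *args):   # True if the secured method refuses this principal
    try:
        fn(principal, *args)
    except AccessDenied:
        return True
    return False

USERS = {1: User(1, "admin"), 2: User(2, "cysun"), 3: User(3, "jdoe")}  # constructed in-memory "DAO"
is_admin = lambda p: "ROLE_ADMIN" in p.roles

@pre_authorize(lambda p, user: is_admin(p) or p.username == user.username)
def save_user(principal, user):      # own account, or an administrator edits any account
    USERS[user.id] = user
    return user

@pre_authorize(lambda p, user: is_admin(p))
def create_user(principal, user):    # only administrators create new accounts
    USERS[user.id] = user
    return user

@post_authorize(lambda p, ret: is_admin(p) or p.username == ret.username)
def get_user(principal, user_id):    # own account, or an administrator views any account
    return USERS[user_id]
```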
Access Authentication Information in Controller
- SecurityContextHolder: access authentication information, e.g. username and roles
- AuthenticationTrustResolver: determine if a user is authenticated or anonymous
- See SecurityUtils in CSNS2

Conclusion
- Declarative security vs. programmatic security
- Spring Security provides the best of both worlds
  - Declarative security framework
  - Portability and flexibility
  - Separate security code from regular code