Web Application Security

CS520 Web Programming
Chengyu Sun
California State University, Los Angeles

Need for Security in Web Applications

- Potentially large number of users
- Multiple user types
- No operating system to rely on

Client -> Server: request
- "who are you?" -> Authentication (username/password)
- "you're not authorized to access" -> Authorization (Access Control)
- Connection Security

HTTP Secure (HTTPS)

- HTTP over SSL/TLS
- Configure SSL in Tomcat - http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

SSL and TLS

- Secure Socket Layer (SSL)
  - Server authentication
  - Client authentication
  - Connection encryption
- TLS 1.0 is based on SSL 3.0
  - IETF standard (RFC 2246)

Programmatic Security

- Security is implemented in the application code
- Example:
  - Login.jsp
  - Members.jsp
- Pros?? Cons??

Security by Java EE Application Server

- HTTP Basic
- HTTP Digest
- HTTPS
- Form-based

HTTP Basic

- HTTP 1.0, Section 11.1 - http://www.w3.org/Protocols/HTTP/1.0/draft-ietf-http-spec.html
- Client -> Server: request for a restricted page
- Server -> Client: prompt for username/password
- Client -> Server: resend request + username & password

HTTP Basic – Configuration

    AuthType Basic
    AuthName "Basic Authentication Example"
    AuthUserFile /home/cysun/etc/htpasswords
    Require user cs520

HTTP Basic – Request

    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*

HTTP Basic – Server Response

    HTTP/1.1 401 Authorization Required
    Date: Tue, 24 Oct 2006 14:57:50 GMT
    Server: Apache/2.2.2 (Fedora)
    WWW-Authenticate: Basic realm="Restricted Access Area"
    Content-Length: 484
    Content-Type: text/html; charset=iso-8859-1

    … 401 Authorization Required … …

HTTP Basic – Request Again

    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*
    Authorization: Basic Y3lzdW46YWJjZAo=

Y3lzdW46YWJjZAo= is the Base64 encoding of "cysun:abcd". An online Base64 decoder is at http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

Improve HTTP Basic (I)

- HTTP Basic: username and password are sent in plain text.
- Encrypt username and password.

Cryptographic Hash Function…

String of arbitrary length -> n bits digest

Properties
1. Given a hash value, it's virtually impossible to find a message that hashes to this value
2. Given a message, it's virtually impossible to find another message that hashes to the same value
3. It's virtually impossible to find two messages that hash to the same value

A.K.A. one-way hashing, message digest, digital fingerprint

…Cryptographic Hash Function

- Common usage
  - Store passwords, software checksum …
- Popular algorithms
  - MD5 (broken, partially)
  - SHA-1 (broken, sort of)
  - SHA-256 and SHA-512 (recommended)

Storing Passwords

- Why encrypting stored password??
- Common attacks on encrypted passwords
  - Brute force and some variations
  - Dictionary
- Common defenses
  - Long and random passwords
  - Make cryptographic hash functions slower
  - Salt
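The two defenses on this slide, a slower hash and a per-user salt, in working form. This is an added example, not the lecture's code: it contrasts one fast, unsalted SHA-256 digest (the scheme that makes dictionary attacks cheap) with PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac, which iterates the hash to slow it down and mixes in a random salt. The iteration count and the stored-record layout are assumptions made for the example.

```python
"""Salted, deliberately slow password hashing (added example, not the lecture's code)."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one fast SHA-256 over the password alone.
    Two accounts with the same password get the same digest, so a single
    precomputed dictionary of digests applies to every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.
    A fresh random 16-byte salt is drawn unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time (hmac.compare_digest)."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share the password "abcd".
    print(fast_unsalted_hash("abcd") == fast_unsalted_hash("abcd"))  # True: identical digests
    r1, r2 = hash_password("abcd"), hash_password("abcd")
    print(r1 == r2)                      # False: different salts, different records
    print(verify_password("abcd", r1))   # True
    print(verify_password("abce", r1))   # False
```

Storing the iteration count inside the record is what lets the work factor be raised later without invalidating existing accounts: old records keep verifying with their own count and are re-hashed on the next successful login.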

Encrypting Password is Not Enough

- HTTP Basic: username and password are sent in plain text.
- Encrypt username and password.
- Why??

Improve HTTP Basic (II)

- HTTP Basic: username and password are sent in plain text.
- Encrypt username and password.
- Additional measures to prevent common attacks.
- HTTP Digest

HTTP Digest

- RFC 2617 (Part of HTTP 1.1) - http://www.ietf.org/rfc/rfc2617.txt
- Client -> Server: request for a restricted page
- Server -> Client: prompt for username/password + nonce
- Client -> Server: resend request + message digest

HTTP Digest – Server Response

    HTTP/1.1 401 Authorization Required
    Date: Tue, 24 Oct 2006 14:57:50 GMT
    Server: Apache/2.2.2 (Fedora)
    WWW-Authenticate: Digest realm="Restricted Access Area",
        qop="auth,auth-int",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
        algorithm="MD5",
        opaque="5ccc069c403ebaf9f0171e9517f40e41"
    Content-Length: 484
    Content-Type: text/html; charset=iso-8859-1

    … 401 Authorization Required … …

HTTP Digest – Request Again

    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*
    Authorization: Digest username="cysun",
        realm="Restricted Access Area",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
        uri="/restricted/index.html",
        qop=auth,
        nc=00000001,
        cnonce="0a4f113b",
        opaque="5ccc069c403ebaf9f0171e9517f40e41",
        algorithm="MD5",
        response="6629fae49393a05397450978507c4ef1"

The response is the hash value of the combination of username, password, realm, uri, nonce, cnonce, nc, qop.

Form-based Security

- Unique to J2EE application servers
- Include authentication and authorization, but not connection security
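The Basic and Digest exchanges on the preceding slides, carried out in code. This is an added example, not the lecture's code: it decodes the Basic credential from the "Request Again" slide, builds a Digest Authorization header from the slide's realm, nonce, uri, nc and cnonce, and checks it the way a server does, by recomputing the RFC 2617 response (algorithm MD5, qop auth) from its own copy of the password. The in-memory user store with password "abcd" is constructed for the example; the nonce lifetime check is simplified to "equals the nonce we issued".

```python
"""HTTP Basic decoding and HTTP Digest computation/verification (added example)."""
import base64
import hashlib
import hmac
import re

# Constructed server-side credential store for the example.
USER_DB = {"cysun": "abcd"}
# Nonce from the slide's 401 response; a real server issues a fresh one per challenge.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def encode_basic(username: str, password: str) -> str:
    """Client side of Basic: 'Basic ' + base64(username:password)."""
    return "Basic " + base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")


def decode_basic(header_value: str) -> tuple:
    """Split 'Basic <base64>' into (username, password). Base64 is an encoding,
    not encryption: anything that sees the header sees the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def parse_digest(header_value: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict (values may be quoted or bare)."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop) -> str:
    """RFC 2617, algorithm=MD5, qop=auth:
    HA1 = MD5(username:realm:password); HA2 = MD5(method:uri);
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2). The password never leaves the client."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def build_digest_header(username, password, method="GET", uri="/restricted/index.html",
                        realm="Restricted Access Area", nonce=NONCE,
                        nc="00000001", cnonce="0a4f113b", qop="auth") -> str:
    """Client side: the Authorization header shown on the 'Request Again' slide."""
    response = digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=%s, '
            'nc=%s, cnonce="%s", algorithm="MD5", response="%s"'
            % (username, realm, nonce, uri, qop, nc, cnonce, response))


def verify_digest(header_value: str, method: str, expected_nonce: str) -> bool:
    """Server side: reject an unknown/stale nonce and unsupported qop, then recompute
    the response from the stored password and compare in constant time."""
    p = parse_digest(header_value)
    if p.get("nonce") != expected_nonce or p.get("qop") != "auth":
        return False
    password = USER_DB.get(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], password, p["realm"], method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    print(decode_basic("Basic Y3lzdW46YWJjZAo="))    # ('cysun', 'abcd\n')
    hdr = build_digest_header("cysun", "abcd")
    print(verify_digest(hdr, "GET", NONCE))           # True
    print(verify_digest(hdr, "GET", "a-newer-nonce"))  # False: nonce no longer valid
```

Two things the code makes visible. Decoding the slide's Basic token yields "cysun:abcd" followed by a newline, which is why the example returns the password as "abcd\n" rather than "abcd". And because the Digest server must recompute HA1 = MD5(username:realm:password), it needs the password (or that exact HA1) in clear form on the server side, which is the trade-off against the salted, slow storage shown earlier. The response string on the slide is the one from RFC 2617's own worked example (user Mufasa, password "Circle Of Life", realm testrealm@host.com, GET /dir/index.html, same nonce, nc and cnonce), which digest_response reproduces.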

Form-based Security using Tomcat

- $TOMCAT/conf/tomcat-users.xml
  - Users and roles
- $APPLICATION/WEB-INF/web.xml
  - Login and login failure page
  - URLs to be protected

Example – Users and Roles

Example – Directory Layout

    /admin
        index.html
    /member
        index.html
    login.html
    logout.jsp
    error.html
    index.html
    /WEB-INF
        web.xml

Example – Login Page

Example – web.xml

    FORM
    AdminArea
    /admin/*
    /login.html
    /error.html
    admin

Declarative Security

- Security constraints are defined outside application code in some metadata file(s)
- Advantages
  - Application server provides the security implementation
  - Separate security code from normal code
  - Easy to use and maintain

Limitations of Declarative Security by App Servers

- Application server dependent
- Not flexible enough
- Servlet Specification only requires URL access control

Security Requirements of Web Applications

- Authentication
- Authorization (Access Control)
  - URL
  - Method invocation
  - Domain object
  - View

Spring Security (SS)

- A security framework for Spring-based applications
- Addresses all the security requirements of web applications

How Does Spring Security Work

- Intercept requests and/or responses
  - Servlet filters
  - Spring handler interceptors
- Intercept method calls
  - Spring method interceptors
- Modify views
  - Spring Security Tag Library

Servlet Filter

- Intercept, examine, and/or modify request and response
- request -> Filter -> Servlet/JSP -> response

Servlet Filter Example

- web.xml

Spring Handler Interceptor

- Serve the same purpose as servlet filter
- Configured as Spring beans, i.e. support dependency injection
- request -> Handler Interceptor (modify request) -> Controller -> Handler Interceptor (modify response) -> response

Intercept Request/Response

- Request: /member/index.html
  - What can we do by intercepting the request??
- Response
  - What can we do by intercepting the response??

Intercept Method Call

- Method Invocation: Controller -> User getUserById(1)
  - BeforeAdvice: What can we do in BeforeAdvice??
  - AfterAdvice: What can we do in AfterAdvice??

Adding Spring Security to a Web Application …

- Dependencies
  - spring-security-config
  - spring-security-taglibs
  - cglib

… Adding Spring Security to a Web Application

- web.xml
  - springSecurityFilterChain -> org.springframework.web.filter.DelegatingFilterProxy
  - springSecurityFilterChain -> /*

Authentication Sources

- Database
- LDAP
- JAAS
- CAS
- OpenID
- SiteMinder
- X.509
- Windows NTLM
- Container-based
  - JBoss
  - Tomcat

Authentication Supported

Authentication Manager -> Authentication Provider(s) -> Authentication Sources (database, LDAP, Servlet Container)

Authenticate Against a Database – Configuration

- applicationContext.xml
- Spring Security namespace:
  - http://www.springframework.org/schema/security
  - http://www.springframework.org/schema/security/spring-security.xsd

Authenticate Against a Database – Default Schema

    create table users (
        username string primary key,
        password string,
        enabled boolean
    );
    create table authorities (
        username string references users(username),
        authority string -- role name
    );

Authenticate Against a Database – Customization

- users-by-username-query
- authorities-by-username-query
- user-service-ref

Implement Your Own UserDetailsService

- http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/userdetails/UserDetailsService.html

Authentication – Login Form and More Customization

- login-page
- authentication-failure-url
- More at http://static.springsource.org/spring-security/site/docs/3.1.x/reference/appendix-namespace.html#nsa-form-login

Default Login URLs and Parameters

- /j_spring_security_check
- /j_spring_security_logout
- j_username
- j_password

Authorization Examples

- Users must log in to see the user list
- A user can only view/edit their own account
- An administrator can view/edit all accounts
- Only administrators can create new accounts
- Operations not available to a user should be hidden from the user

Example: URL Security

- Users must log in to see the user list
- applicationContext.xml

URL Security

- Pattern for intercept-url
  - Default to ANT path pattern, e.g.
    - /user/list.html
    - /user/*
    - /user/**
    - /user/*/*.html
    - /**/*.html
  - Case-insensitive
- Spring Expression Language (SpEL)
  - http://static.springsource.org/spring/docs/current/spring-framework-reference/html/expressions.html
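What the five ANT patterns on this slide actually cover, made checkable. This is an added example in Python, not Spring's AntPathMatcher: it translates a pattern to a regular expression in which `*` stays within one path segment, `**` spans any number of segments and `?` matches one character, and it matches case-insensitively as the slide states. It then walks an ordered rule list the way intercept-url entries are evaluated, first match wins, which is where misordered rules turn into authorization bypasses. The rule list and sample paths are constructed for the example.

```python
"""ANT-style URL pattern matching and first-match rule evaluation (added example)."""
import re


def ant_to_regex(pattern: str):
    """Translate an ANT path pattern to an anchored, case-insensitive regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            parts.append(r"/(?:.*/)?")       # zero or more whole directories
            i += 4
        elif pattern.startswith("/**", i) and i + 3 == len(pattern):
            parts.append(r"(?:/.*)?")        # trailing /**: the directory itself and all below
            i += 3
        elif pattern.startswith("**", i):
            parts.append(r".*")              # ** elsewhere: anything, including slashes
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^/]*")           # * : within a single segment only
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def ant_match(pattern: str, path: str) -> bool:
    return ant_to_regex(pattern).match(path) is not None


def first_matching_rule(rules, path):
    """Rules are (pattern, access-expression) pairs evaluated top to bottom;
    the first pattern that matches decides, so order matters. None if no match."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None


# Constructed rule list for the slide's "users must log in to see the user list".
RULES = [
    ("/user/list.html", "authenticated"),
    ("/admin/**", "hasRole('ROLE_ADMIN')"),
    ("/**", "permitAll"),
]

if __name__ == "__main__":
    for pattern in ("/user/list.html", "/user/*", "/user/**", "/user/*/*.html", "/**/*.html"):
        hits = [p for p in ("/user/list.html", "/user/1/edit.html", "/USER/LIST.HTML", "/index.html")
                if ant_match(pattern, p)]
        print("%-16s matches %s" % (pattern, hits))
    print(first_matching_rule(RULES, "/user/list.html"))  # authenticated
    print(first_matching_rule(RULES, "/admin/users"))     # hasRole('ROLE_ADMIN')
```

The practical check this gives a reviewer: `/user/*` protects `/user/list.html` but not `/user/1/edit.html`, while `/user/**` covers both; and a catch-all such as `/**` placed above a specific rule silently wins for every path, so broad rules belong last.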

Security-Related SpEL Methods and Properties

- hasIpAddress()
- hasRole()
- hasAnyRole()
- permitAll
- denyAll
- anonymous
- authenticated
- rememberMe
- fullyAuthenticated
- http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/web/access/expression/WebSecurityExpressionRoot.html

Example: Method Security

- A user can only edit their own account
- A user may only invoke userDao.saveUser() if the user object to be saved has the same id.

Enable Method Security

- applicationContext.xml

@PreAuthorize("SpEL expr")

- Allow method invocation if the SpEL expression evaluates to true
- … if the expression evaluates to false

More Security-Related SpEL Properties

- authentication
- principal
- Method parameter: # followed by the parameter name
- Method return value: returnObject

About authentication and principal

- The Authentication interface - http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/Authentication.html
- Usually principal is an object that implements the UserDetails interface - http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/userdetails/UserDetails.html

Method Security Example

    @PreAuthorize("principal.username == #user.username")
    public User saveUser( User user )

- Exercise: implement the following security constraints
  - An administrator can edit all accounts
  - Only administrators can create new accounts

Example: Object Security

- A user can only view their own account
- The user object returned by userDao.getUser() must have the same id as the user who invoked the method

Object Security

    @PostAuthorize("principal.username == returnObject.username")
    public User getUser( Integer id )

- Exercise: implement the following security constraints
  - An administrator can view all accounts

Example: View Security

- Operations not available to a user should be hidden from the user

    ID  Name   Operations
    1   admin  Details | Edit
    2   cysun  Details | Edit
    3   jdoe   Details | Edit
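A small model of when the two annotations from the Method Security and Object Security slides run and what each can see. This is an added example in Python, not Spring's implementation: `pre_authorize` evaluates its predicate against the principal and the method arguments before the body runs (the role of `#user`), while `post_authorize` runs the body first and evaluates against the return value (`returnObject`), discarding it on failure. The User and Principal classes, the in-memory DAO with the three accounts from the slide's table, and the AccessDenied exception are constructed for the example; guarded methods take their arguments as keywords so the pre-check can look them up by name.

```python
"""Pre- and post-invocation authorization checks, modelled after @PreAuthorize /
@PostAuthorize (added example, not Spring Security's code)."""
from dataclasses import dataclass
from functools import wraps


class AccessDenied(Exception):
    """Raised when a check fails (Spring raises AccessDeniedException)."""


@dataclass
class User:
    id: int
    username: str


@dataclass
class Principal:
    """Stands in for the authenticated user's UserDetails."""
    username: str


def pre_authorize(check):
    """check(principal, kwargs) runs BEFORE the method; on failure the body never executes."""
    def decorator(method):
        @wraps(method)
        def wrapper(self, principal, **kwargs):
            if not check(principal, kwargs):
                raise AccessDenied(method.__name__)
            return method(self, principal, **kwargs)
        return wrapper
    return decorator


def post_authorize(check):
    """check(principal, return_object) runs AFTER the method; the object has already been
    loaded (any side effects have happened), but it is withheld from the caller on failure."""
    def decorator(method):
        @wraps(method)
        def wrapper(self, principal, **kwargs):
            result = method(self, principal, **kwargs)
            if not check(principal, result):
                raise AccessDenied(method.__name__)
            return result
        return wrapper
    return decorator


class UserDao:
    def __init__(self):
        # Constructed sample data matching the slide's table.
        self.users = {1: User(1, "admin"), 2: User(2, "cysun"), 3: User(3, "jdoe")}

    # Slide: @PreAuthorize("principal.username == #user.username")
    @pre_authorize(lambda principal, args: principal.username == args["user"].username)
    def save_user(self, principal, user):
        self.users[user.id] = user
        return user

    # Slide: @PostAuthorize("principal.username == returnObject.username")
    @post_authorize(lambda principal, ret: principal.username == ret.username)
    def get_user(self, principal, user_id):
        return self.users[user_id]


def try_call(fn, *args, **kwargs) -> str:
    """Return 'ok' or 'denied' so the outcome can be inspected without exceptions."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    dao, cysun = UserDao(), Principal("cysun")
    print(try_call(dao.get_user, cysun, user_id=2))                 # ok
    print(try_call(dao.get_user, cysun, user_id=3))                 # denied
    print(try_call(dao.save_user, cysun, user=User(3, "jdoe")))     # denied
```

The difference worth remembering from running it: a failed pre-check leaves the store untouched because save_user never executes, whereas a failed post-check has already performed the read; post-authorization therefore protects what the caller sees, not what the method does.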

Security Tag Library

- http://static.springsource.org/spring-security/site/docs/3.1.x/reference/taglib
- access
- property

View Security

- Details | Edit

Access Authentication Information in Controller

- SecurityContextHolder
  - Access authentication information, e.g. username and roles
- AuthenticationTrustResolver
  - Determine if a user is authenticated or anonymous
- See SecurityUtils in CSNS2

Conclusion

- Declarative security vs. Programmatic security
- Spring Security provides the best of both worlds
  - Declarative security framework
  - Portability and flexibility
  - Separate security code from regular code