Web Application Security: Need for Security in Web Applications, HTTP Basic and Digest, Form-based Security, Spring Security
Need for Security in Web Applications
CS520 Web Programming, Chengyu Sun, California State University, Los Angeles

- Potentially large number of users
- Multiple user types
- No operating system to rely on: unlike a desktop program, a web application cannot delegate user accounts and access control to the OS

Web Application Security

A client sends a request to the server; the server has to answer three questions:
- Who are you? (username/password) -> Authentication
- Are you allowed to access this? ("you're not authorized to access ...") -> Authorization (Access Control)
- Is the traffic between client and server protected against reading and tampering? -> Connection Security

HTTP Secure (HTTPS)
- HTTP over SSL/TLS
- Configure SSL in Tomcat: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

SSL and TLS
- Secure Socket Layer (SSL) provides server authentication, client authentication, and connection encryption
- Transport Layer Security (TLS): TLS 1.0 is based on SSL 3.0 and is the IETF standard (RFC 2246). SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated today; a current deployment should offer TLS 1.2 and 1.3 only.

Programmatic Security
- Security is implemented in the application code
- Example: Login.jsp, Members.jsp
- Pros?? Cons??

Security by Java EE Application Server
- HTTP Basic
- HTTP Digest
- HTTPS
- Form-based

HTTP Basic
- HTTP 1.0, Section 11.1: http://www.w3.org/Protocols/HTTP/1.0/draft-ietf-http-spec.html
- Client requests a restricted page
- Server prompts for username/password (401 response with a WWW-Authenticate header)
- Client resends the request with username & password (Authorization header)

HTTP Basic – Configuration (Apache httpd)

    AuthType Basic
    AuthName "Basic Authentication Example"
    AuthUserFile /home/cysun/etc/htpasswords
    Require user cs520

HTTP Basic – Request

    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*

HTTP Basic – Server Response

    HTTP/1.1 401 Authorization Required
    Date: Tue, 24 Oct 2006 14:57:50 GMT
    Server: Apache/2.2.2 (Fedora)
    WWW-Authenticate: Basic realm="Restricted Access Area"
    Content-Length: 484
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
    <head><title>401 Authorization Required</title></head>
    … …
    </html>

HTTP Basic – Request Again

    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*
    Authorization: Basic Y3lzdW46YWJjZAo=

The Authorization value is the Base64 encoding of "cysun:abcd". Base64 is an encoding, not encryption: anyone who can read the request (a proxy, a packet capture on the network, a log file) can recover the username and password, which is why Basic is only acceptable over HTTPS. (Strictly, Y3lzdW46YWJjZAo= decodes to "cysun:abcd" followed by a newline, as produced by piping the output of echo without -n into a Base64 encoder; the exact encoding of "cysun:abcd" is Y3lzdW46YWJjZA==.) An online Base64 decoder is at http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
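Both sides of the HTTP Basic exchange above, as an added example for these notes (not code from the slides or from Apache). It builds the Authorization header a client sends, then parses and checks it the way a server does. The user cysun with password abcd and the realm come from the slides; the second account and the credential table itself are constructed for the example, and passwords are kept in plain text only to keep the example short.

```python
"""HTTP Basic authentication: the client's header and the server's check."""
import base64
import binascii
import hmac
from typing import Optional, Tuple

REALM = "Restricted Access Area"
# Constructed credential store for the example; a real server stores hashes.
USERS = {"cysun": "abcd", "cs520": "s3cret-example"}


def basic_authorization_header(username: str, password: str) -> str:
    """Client side: Base64 of "userid:password" (RFC 2617: the user-id may not contain ':')."""
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Server side: (username, password) from an Authorization header value,
    or None if it is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # The slide's token encodes a trailing newline (echo without -n); strip it
    # so the decoded password is what the user actually typed.
    text = text.rstrip("\r\n")
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header_value: Optional[str]) -> Tuple[int, dict]:
    """Server side: (200, {"user": name}) on success, otherwise (401, challenge).

    The 401 always carries the same WWW-Authenticate challenge, whether the
    header was missing, malformed, for an unknown user or for a wrong
    password, so the response does not tell an attacker which it was.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = decode_basic_credentials(header_value) if header_value else None
    if creds is None:
        return 401, challenge
    username, password = creds
    stored = USERS.get(username)
    # Always run the comparison, against a dummy for unknown users, so the
    # timing of the check does not reveal whether the user exists.
    match = hmac.compare_digest(password.encode("utf-8"), (stored or "\0").encode("utf-8"))
    if stored is None or not match:
        return 401, challenge
    return 200, {"user": username}


if __name__ == "__main__":
    print(basic_authorization_header("cysun", "abcd"))
    print(decode_basic_credentials("Basic Y3lzdW46YWJjZAo="))
    print(authenticate("Basic Y3lzdW46YWJjZAo="))
```

Decoding the slide's own token gives back cysun:abcd, which is the whole point of the slide: the server never needed a key to do it, and neither does anyone else who sees the request.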
Improve HTTP Basic (I)
- HTTP Basic: username and password are sent in plain text (Base64 only encodes them)
- Idea: send a one-way hash of the username and password instead of the values themselves. (The slides call this "encrypting" the username and password; what is actually used here, and in the digest scheme below, is a cryptographic hash, which unlike encryption cannot be reversed.)

Cryptographic Hash Function
- Maps a string of arbitrary length to an n-bit digest
- Properties:
  1. Given a hash value, it is virtually impossible to find a message that hashes to this value (preimage resistance)
  2. Given a message, it is virtually impossible to find another message that hashes to the same value (second-preimage resistance)
  3. It is virtually impossible to find two messages that hash to the same value (collision resistance)
- A.K.A. one-way hashing, message digest, digital fingerprint
- Common usage: storing passwords, software checksums, ...
- Popular algorithms:
  - MD5: broken; collisions can be generated in seconds on a laptop
  - SHA-1: broken; a practical collision was demonstrated in 2017, and it is no longer accepted for certificates and signatures
  - SHA-256 and SHA-512: recommended (collision resistance intact)

Storing Passwords
- Why hash stored passwords?? If the password table is disclosed (a stolen backup, SQL injection, a malicious administrator), plain-text passwords are immediately usable here and, because people reuse passwords, on other sites too. Storing only a one-way hash lets the server verify a password without being able to reveal it.
- Common attacks on hashed passwords:
  - Brute force and its variations (try every candidate, hash it, compare)
  - Dictionary attacks, including precomputed tables of the hashes of common passwords
- Common defenses:
  - Long and random passwords (not in any dictionary, too many candidates to brute-force)
  - Make the hash function deliberately slow (many iterations, or a purpose-built password hash such as PBKDF2, bcrypt, scrypt or Argon2), so every guess costs the attacker real time
  - Salt: a random per-user value hashed together with the password, so that identical passwords give different hashes and one precomputed table cannot be reused across users or sites

Encrypting (Hashing) the Password is Not Enough
- Suppose HTTP Basic is changed so the client sends hash(username, password) instead of the plain text. Why is that not enough??
- Because the value is the same for every request: whoever captures it can replay it in their own request and is authenticated, without ever learning the password. A fixed hash is just a new password sent in the clear.

Improve HTTP Basic (II)
- HTTP Basic: username and password sent in plain text
- Hash the username and password
- Add measures against the common attacks, replay in particular -> HTTP Digest
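The defenses listed on the Storing Passwords slide (a deliberately slow hash and a per-user salt), as an added example for these notes rather than code from the slides or from any framework. It uses PBKDF2-HMAC-SHA256 from the standard library, contrasts it with an unsalted SHA-256 so the effect of the salt is visible, and runs the dictionary attack the slide mentions against a stored record. The passwords and word list are constructed for the example; the default iteration count is an assumption, chosen in the range currently recommended for PBKDF2-HMAC-SHA256.

```python
"""Storing passwords: salted, deliberately slow hashing (PBKDF2-HMAC-SHA256)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: a present-day work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$digest".

    A fresh 16-byte random salt per password means two users with the same
    password get different records and a precomputed table of digests is
    useless; the iteration count makes every guess cost `iterations` hashes.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iterations and compare
    in constant time, so the comparison does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: a plain, fast hash. Equal passwords give equal digests,
    so one precomputed table cracks every user at once, and a GPU can try
    billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against one stored record.

    The salt does not stop this (the attacker reads it from the record); it
    only forces the work to be redone per user. What limits the attack is the
    per-guess cost (iterations) and the password not being in the list.
    """
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    record = hash_password("abcd")
    print(record)
    print(verify_password("abcd", record), verify_password("abce", record))
    print(dictionary_attack(record, ["1234", "password", "abcd"]))  # constructed word list
```

Running the dictionary attack twice, once against the PBKDF2 record and once against unsalted_sha256 output, makes the slide's point concrete: the salt forces per-user work, the iteration count makes each of those guesses expensive, and only a password that is not in the list survives both.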
HTTP Digest
- RFC 2617 (part of HTTP 1.1): http://www.ietf.org/rfc/rfc2617.txt
- Client requests a restricted page
- Server prompts for username/password and includes a fresh nonce in the challenge
- Client resends the request with a message digest computed over the credentials, the request and the nonce; the password itself never leaves the client

HTTP Digest – Server Response

    HTTP/1.1 401 Authorization Required
    Date: Tue, 24 Oct 2006 14:57:50 GMT
    Server: Apache/2.2.2 (Fedora)
    WWW-Authenticate: Digest realm="Restricted Access Area",
                      qop="auth,auth-int",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      algorithm="MD5",
                      opaque="5ccc069c403ebaf9f0171e9517f40e41"
    Content-Length: 484
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
    <head><title>401 Authorization Required</title></head>
    … …
    </html>

HTTP Digest – Request Again

    GET /restricted/index.html HTTP/1.0
    Host: sun.calstatela.edu
    Accept: */*
    Authorization: Digest username="cysun",
                   realm="Restricted Access Area",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                   uri="/restricted/index.html",
                   qop=auth,
                   nc=00000001,
                   cnonce="0a4f113b",
                   opaque="5ccc069c403ebaf9f0171e9517f40e41",
                   algorithm="MD5",
                   response="6629fae49393a05397450978507c4ef1"

response is a hash value computed from the combination of username, password, realm, uri, nonce, cnonce, nc, qop and the request method. With algorithm=MD5 and qop=auth, RFC 2617 defines it as

    response = MD5( MD5(username:realm:password) : nonce : nc : cnonce : qop : MD5(method:uri) )

The server knows (or stores) MD5(username:realm:password), recomputes the same value and compares. The server-chosen nonce stops a captured response from being replayed against a later challenge, and the nc counter lets the server detect a replay within the lifetime of one nonce. The nonce, cnonce, opaque and response strings on these slides are copied from the worked example in RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", uri "/dir/index.html"), so the response shown is not the correct value for cysun's credentials with this realm and uri.

Form-based Security
- Unique to J2EE application servers
- Includes authentication and authorization, but not connection security (use HTTPS for that)

Form-based Security using Tomcat
- Users and roles: $TOMCAT/conf/tomcat-users.xml
- $APPLICATION/WEB-INF/web.xml:
  - Authentication type (FORM)
  - Login and login failure page
  - URLs to be protected

Example – Users and Roles ($TOMCAT/conf/tomcat-users.xml)

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="admin"/>
      <role rolename="member"/>
      <user username="admin" password="1234" roles="admin,member"/>
      <user username="cysun" password="abcd" roles="member"/>
    </tomcat-users>

(The passwords in this file are stored in the clear; that is acceptable for a class exercise, but a deployed application should use a realm that stores digested passwords.)

Example – Directory Layout

    /admin/index.html
    /member/index.html
    login.html
    logout.jsp
    error.html
    index.html
    /WEB-INF/web.xml

Example – Login Page (login.html)

    <form action="j_security_check" method="post">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
      <input type="submit" name="login" value="Login">
    </form>

Example – web.xml

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AdminArea</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>

(This fragment protects /admin/* only; a second <security-constraint> would be needed for /member/*.)

Declarative Security
- Security constraints are defined outside the application code, in some metadata file(s)
- The application server provides the security implementation
- Advantages:
  - Separates security code from normal code
  - Easy to use and maintain

Limitations of Declarative Security by App Servers
- Application server dependent
- Not flexible enough
- The Servlet Specification only requires URL access control

Security Requirements of Web Applications
- Authentication
- Authorization (Access Control), at several levels:
  - URL
  - Method invocation
  - Domain object
  - View

Spring Security (SS)
- A security framework for Spring-based applications
- Addresses all the security requirements of web applications listed above

How Does Spring Security Work
- Intercept requests and/or responses: servlet filters, Spring handler interceptors
- Intercept method calls: Spring method interceptors
- Modify views: Spring Security tag library

Servlet Filter
- Intercepts, examines, and/or modifies the request and the response: request -> Filter -> Servlet/JSP, and the response passes back through the same filter

Servlet Filter Example
- Declared in web.xml with <filter> and <filter-mapping>
- Can modify the request
- Can modify the response

Spring Handler Interceptor
- Serves the same purpose as a servlet filter: request -> Handler Interceptor -> Controller -> response
- Configured as Spring beans, i.e. supports dependency injection

Intercept Request/Response
- What can we do by intercepting the request?? (require a login; check that the user may access the requested URL)

Intercept Method Call
- BeforeAdvice runs before the method is invoked and sees its arguments. What can we do in BeforeAdvice?? (check that the caller may invoke this method with these arguments)
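The HTTP Digest exchange from the slides above, as an added example for these notes (not code from the slides or from Apache). It computes the response field the way the client does, and parses and checks an Authorization header the way the server does, including the two replay checks the scheme depends on: the nonce must be one the server issued, and the nc counter must increase. The credential table is constructed for the example. Because the slide's nonce, cnonce, opaque and response values are those of the worked example in RFC 2617 section 3.5 (user "Mufasa", password "Circle Of Life", realm "testrealm@host.com", uri "/dir/index.html"), that example serves here as a known-answer check.

```python
"""HTTP Digest authentication (RFC 2617, algorithm=MD5, qop=auth)."""
import hashlib
import hmac
import re
from typing import Dict, Optional, Set

# The RFC 2617 section 3.5 example, used as a known-answer test vector.
RFC2617_EXAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization_header(username, realm, password, method, uri, nonce, nc, cnonce, opaque):
    """Client side: the Authorization header for the 'request again' step."""
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (
        f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
        f'qop=auth, nc={nc}, cnonce="{cnonce}", opaque="{opaque}", algorithm="MD5", '
        f'response="{response}"'
    )


def parse_digest_header(value: str) -> Dict[str, str]:
    """Turn 'Digest k="v", k=v, ...' into a dict (quotes removed); raises ValueError otherwise."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def verify_digest(header_value: str, method: str, uri: str, realm: str,
                  issued_nonces: Set[str], last_nc: Dict[str, int],
                  passwords: Dict[str, str]) -> Optional[str]:
    """Server side: the username if the header authenticates this request, else None.

    issued_nonces: nonces the server handed out in WWW-Authenticate and not yet expired.
    last_nc: highest nc accepted per nonce; a repeated or lower nc is a replay.
    Only qop=auth with MD5 is supported here (the slide's server also offers auth-int).
    """
    try:
        p = parse_digest_header(header_value)
    except ValueError:
        return None
    if any(k not in p for k in ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")):
        return None
    # The digest must be bound to *this* request: our realm, our nonce, this uri.
    if p["realm"] != realm or p["nonce"] not in issued_nonces or p["uri"] != uri:
        return None
    if p.get("qop", "auth") != "auth" or p.get("algorithm", "MD5").upper() != "MD5":
        return None
    try:
        nc = int(p["nc"], 16)
    except ValueError:
        return None
    if nc <= last_nc.get(p["nonce"], 0):
        return None  # replayed (or out-of-order) request
    password = passwords.get(p["username"])
    if password is None:
        return None
    expected = digest_response(p["username"], realm, password, method, uri,
                               p["nonce"], p["nc"], p["cnonce"])
    if not hmac.compare_digest(expected, p["response"]):
        return None
    last_nc[p["nonce"]] = nc
    return p["username"]


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    hdr = build_authorization_header("cysun", "Restricted Access Area", "abcd", "GET",
                                     "/restricted/index.html", nonce, "00000001", "0a4f113b",
                                     "5ccc069c403ebaf9f0171e9517f40e41")
    print(hdr)
    print(verify_digest(hdr, "GET", "/restricted/index.html", "Restricted Access Area",
                        {nonce}, {}, {"cysun": "abcd"}))  # constructed credential table
```

Note what the server needs to keep: the set of nonces it issued and the last nc per nonce. Drop either and the "not enough" slide applies again, since a captured header could simply be resent. Note also that the server still has to know MD5(username:realm:password), which is an unsalted fast hash of the password; Digest improves on what travels over the wire, not on how passwords are stored.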
- Example of intercepting the request/response: a request for /member/index.html passes Request -> Filter -> Controller, and the Response comes back through the same filter. What can we do by intercepting the response?? (e.g. remove content the user may not see, or substitute the view)
- Example of intercepting a method call: getUserById(1) returns a User; AfterAdvice runs after the invocation and sees the return value. What can we do in AfterAdvice?? (e.g. check that the caller is allowed to see the returned domain object)

Adding Spring Security to a Web Application
- Dependencies: spring-security-config, spring-security-taglibs, cglib
- web.xml:

    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

(The filter name springSecurityFilterChain is not arbitrary: DelegatingFilterProxy looks up a Spring bean of that name, which the security namespace configuration creates.)

Authentication
- An Authentication Manager delegates to one or more Authentication Providers; each provider is backed by an authentication source (database, LDAP, the servlet container, ...)

Authentication Sources Supported
- Database
- LDAP
- Container-based: JBoss, Jetty, Resin, Tomcat
- JAAS
- CAS
- OpenID
- SiteMinder
- X.509
- Windows NTLM

Authenticate Against a Database – Configuration (applicationContext.xml)

    <authentication-manager>
      <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource" />
      </authentication-provider>
    </authentication-manager>

Spring Security namespace: http://www.springframework.org/schema/security, schema location http://www.springframework.org/schema/security/spring-security.xsd

Authenticate Against a Database – Default Schema

    create table users (
      username string primary key,
      password string,
      enabled  boolean
    );

    create table authorities (
      username  string references users(username),
      authority string  -- role name
    );

Authenticate Against a Database – Customization
- <jdbc-user-service>: users-by-username-query, authorities-by-username-query
- <authentication-provider>: <password-encoder> (so the password column holds a hash rather than the plain-text password), user-service-ref

Implement Your Own UserDetailsService
- http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/userdetails/UserDetailsService.html

Authentication – Login Form and More

    <http auto-config="true" />

is equivalent to

    <http>
      <form-login />
      <http-basic />
      <logout />
    </http>

Customize <form-login>
- login-page
- authentication-failure-url
- More at http://static.springsource.org/spring-security/site/docs/3.1.x/reference/appendix-namespace.html#nsa-form-login

Default Login URLs and Parameters
- /j_spring_security_check
- /j_spring_security_logout
- j_username

Authorization Examples
- Users must log in to see the user list
- A user can only view/edit their own account
- An
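URL access control of the kind a web.xml <security-constraint> declares, implemented as a servlet-style filter, as an added example for the declarative-security and filter slides above and for the first of the authorization examples (users must log in to see a protected URL). This is not container or Spring Security code. The constraint table mirrors the slide's web.xml (/admin/* requires role admin) plus constraints added by assumption (/member/* for role member, an open public sub-path, and a *.do extension pattern that only requires a login); the login page is /login.html as in the slide's <login-config>. Pattern matching follows the Servlet specification's order of precedence (exact path, then longest /prefix/*, then *.extension, then the default pattern "/"); one constraint per pattern is assumed, and the specification's rules for merging several constraints on the same pattern are not modelled.

```python
"""Declarative URL access control (web.xml security-constraint semantics) as a filter."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Sequence, Tuple

LOGIN_PAGE = "/login.html"   # <form-login-page> from the slide's web.xml
ANY_AUTHENTICATED = "*"      # <role-name>*</role-name>: any logged-in user


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Constraint:
    url_pattern: str
    # None: no <auth-constraint>, everyone may access
    # empty set: <auth-constraint/> naming no roles, nobody may access
    # {"*"}: any authenticated user
    roles: Optional[FrozenSet[str]]


CONSTRAINTS: Sequence[Constraint] = (
    Constraint("/admin/*", frozenset({"admin"})),         # from the slide's web.xml
    Constraint("/member/*", frozenset({"member"})),       # assumption
    Constraint("/member/public/*", None),                 # assumption: open sub-path
    Constraint("*.do", frozenset({ANY_AUTHENTICATED})),   # assumption: login required
)


def _match_rank(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """(precedence, specificity) if the pattern matches the path, else None."""
    if pattern == path:
        return (3, len(pattern))                       # exact match wins
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                    # longest prefix wins
    elif pattern.startswith("*."):
        if path.endswith(pattern[1:]):
            return (1, 0)                              # extension mapping
    elif pattern == "/":
        return (0, 0)                                  # default pattern
    return None


def applicable_constraint(constraints: Sequence[Constraint], path: str) -> Optional[Constraint]:
    """The most specific constraint whose url-pattern matches the path."""
    best, best_rank = None, None
    for c in constraints:
        rank = _match_rank(c.url_pattern, path)
        if rank is not None and (best_rank is None or rank > best_rank):
            best, best_rank = c, rank
    return best


def decide(constraints: Sequence[Constraint], path: str,
           user: Optional[Principal]) -> Tuple[int, dict]:
    """What the container decides before any servlet runs: (status, headers)."""
    c = applicable_constraint(constraints, path)
    if c is None or c.roles is None:
        return 200, {}                                 # unconstrained URL
    if user is None:
        return 302, {"Location": LOGIN_PAGE}           # FORM auth: log in first
    if not c.roles:
        return 403, {}                                 # empty auth-constraint: nobody
    if ANY_AUTHENTICATED in c.roles or user.roles & c.roles:
        return 200, {}
    return 403, {}                                     # logged in, but lacks a required role


Servlet = Callable[[str, Optional[Principal]], Tuple[int, dict, str]]


def security_filter(constraints: Sequence[Constraint], path: str,
                    user: Optional[Principal], chain: Servlet) -> Tuple[int, dict, str]:
    """The filter: intercept the request; only an allowed request reaches the servlet."""
    status, headers = decide(constraints, path, user)
    if status != 200:
        return status, headers, ""
    return chain(path, user)


if __name__ == "__main__":
    cysun = Principal("cysun", frozenset({"member"}))   # from tomcat-users.xml on the slide
    hello = lambda path, user: (200, {}, f"hello {user.name} at {path}")
    print(security_filter(CONSTRAINTS, "/admin/index.html", None, hello))
    print(security_filter(CONSTRAINTS, "/admin/index.html", cysun, hello))
    print(security_filter(CONSTRAINTS, "/member/index.html", cysun, hello))
```

The table can only talk about URLs and roles. The slide's second authorization example, "a user can only view/edit their own account", cannot be written as a constraint at all, because it depends on which account the request is about, not on which URL pattern it hits; that is the "not flexible enough" limitation, and it is why Spring Security adds method-invocation and domain-object checks on top of the URL filter.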