In this sample chapter, Marty Hall discusses the major aspects of Web application security. He covers: authenticating users with HTML forms; using BASIC HTTP authentication; defining passwords in Tomcat, JRun, and ServletExec; designating protected resources with the security-constraint element; using login-config to specify the authentication method; mandating the use of SSL; and configuring Tomcat to use SSL.
This sample chapter is excerpted from More Servlets and JavaServer Pages (JSP), by Marty Hall.
There are two major aspects to securing Web applications:
Preventing unauthorized users from accessing sensitive data. This process involves access restriction (identifying which resources need protection and who should have access to them) and authentication (identifying users to determine whether they are one of the authorized ones). Simple authentication involves the user entering a username and password in an HTML form or a dialog box; stronger authentication involves the use of X509 certificates sent by the client to the server. This aspect applies to virtually all secure applications. Even intranets at locations with physical access controls usually require some sort of user authentication.
Preventing attackers from stealing network data while it is in transit. This process involves the use of Secure Sockets Layer (SSL) to encrypt the traffic between the browser and the server. This capability is generally reserved for particularly sensitive applications or particularly sensitive pages within a larger application. After all, unless the attackers are on your local subnet, it is extremely difficult for them to gain access to your network traffic. Treat that assumption with care, though: a shared wireless network, a hosting provider's switch, or any proxy between the browser and the server gives an attacker the same view of unencrypted traffic as your local subnet does, so the threshold for "particularly sensitive" should be low.
These two security aspects are mostly independent. The approaches to access restriction are the same regardless of whether or not you use SSL. With the exception of client certificates (which apply only to SSL), the approaches to authentication are also identical whether or not you use SSL.
Within the Web application framework, there are two general approaches to this type of security:
Declarative security. With declarative security, the topic of this chapter, none of the individual servlets or JSP pages need any security-aware code. Instead, both of the major security aspects are handled by the server.
To prevent unauthorized access, you use the Web application deployment descriptor (web.xml) to declare that certain URLs need protection. You also designate the authentication method that the server should use to identify users. At request time, the server automatically prompts users for usernames and passwords when they try to access restricted resources, automatically checks the results against a predefined set of usernames and passwords, and automatically keeps track of which users have previously been authenticated. This process is completely transparent to the servlets and JSP pages.
To safeguard network data, you use the deployment descriptor to stipulate that certain URLs should only be accessible with SSL. If users try to use a regular HTTP connection to access one of these URLs, the server automatically redirects them to the HTTPS (SSL) equivalent.
Programmatic security. With programmatic security, the topic of the next chapter, protected servlets and JSP pages at least partially manage their own security.
To prevent unauthorized access, each servlet or JSP page must either authenticate the user or verify that the user has been authenticated previously.
To safeguard network data, each servlet or JSP page has to check the network protocol used to access it. If users try to use a regular HTTP connection to access one of these URLs, the servlet or JSP page must manually redirect them to the HTTPS (SSL) equivalent.
The most common type of declarative security uses regular HTML forms. The developer uses the deployment descriptor to identify the protected resources and to designate a page that has a form to collect usernames and passwords. A user who attempts to access protected resources is redirected to the page containing the form. When the form is submitted, the server checks the username and password against a list of usernames, passwords, and roles. If the login is successful and the user belongs to a role that is permitted access to the page, the user is granted access to the page originally requested. If the login is unsuccessful, the user is sent to a designated error page. Behind the scenes, the system uses some variation of session tracking to remember which users have already been validated.
The whole process is automatic: redirection to the login page, checking of user names and passwords, redirection back to the original resource, and tracking of already authenticated users are all performed by the container (server) in a manner that is completely transparent to the individual resources. However, there is one major caveat: the servlet specification explicitly says that form-based authentication is not guaranteed to work when the server is set to perform session tracking based on URL rewriting instead of cookies (the default session tracking mechanism).
Depending on your server, form-based authentication might fail when you use URL rewriting as the basis of session tracking.
This type of access restriction and authentication is completely independent of the protection of the network traffic. You can specify that SSL be used for all, some, or none of your application; but doing so does not change the way you restrict access or authenticate users. Nor does the use of SSL require your individual servlets or JSP pages to participate in the security process; redirection to the URL that uses SSL and encryption/decryption of the network traffic are all performed by the server in a manner that is transparent to the servlets and JSP pages.
Seven basic steps are required to set up your system to use this type of form-based security. I'll summarize the steps here, then give details on each step in the following subsections. All the steps except for the first are standardized and portable across all servers that support version 2.2 or later of the servlet API. Section 7.2 illustrates the concepts with a small application.
1. Set up usernames, passwords, and roles. In this step, you designate a list of users and associate each with a password and one or more abstract roles (e.g., normal user or administrator). This is a completely server-specific process. In general, you'll have to read your server's documentation, but I'll summarize the process for Tomcat, JRun, and ServletExec.
2. Tell the server that you are using form-based authentication. Designate the locations of the login and login-failure pages. This process uses the web.xml login-config element with an auth-method subelement of FORM and a form-login-config subelement that gives the locations of the two pages.
3. Create a login page. This page must have a form with an ACTION of j_security_check, a METHOD of POST, a text field named j_username, and a password field named j_password.
4. Create a page to report failed login attempts. This page can simply say something like "username and password not found" and perhaps give a link back to the login page.
5. Specify which URLs should be password protected. For this step, you use the security-constraint element of web.xml. This element, in turn, uses web-resource-collection and auth-constraint subelements. The first of these (web-resource-collection) designates the URL patterns to which access should be restricted, and the second (auth-constraint) specifies the abstract roles that should have access to the resources at the given URLs.
6. Specify which URLs should be available only with SSL. If your server supports SSL, you can specify that certain resources are available only through encrypted HTTPS (SSL) connections. You use the user-data-constraint subelement of security-constraint for this purpose.
7. Turn off the invoker servlet. If your application restricts access to servlets, the access restrictions are placed on the custom URLs that you associate with the servlets. But, most servers have a default servlet URL: http://host/webAppPrefix/servlet/ServletName. To prevent users from bypassing the security settings, disable default servlet URLs of this form. To disable these URLs, use the servlet-mapping element with a url-pattern subelement that designates a pattern of /servlet/*.
When a user attempts to access a protected resource in an application that is using form-based authentication, the system uses an HTML form to ask for a username and password, verifies that the password matches the user, determines what abstract roles (regular user, administrator, executive, etc.) that user belongs to, and sees whether any of those roles has permission to access the resource. If so, the server redirects the user to the originally requested page. If not, the server redirects the user to an error page.
The good news regarding this process is that the server (container) does a lot of the work for you. The bad news is that the task of associating users with passwords and logical roles is server specific. So, although you would not have to change the web.xml file or any of the actual servlet and JSP code to move a secure Web application from system to system, you would still have to make custom changes on each system to set up the users and passwords.
In general, you will have to read your server's documentation to determine how to assign passwords and role membership to users. However, I'll summarize the process for Tomcat, JRun, and ServletExec.
Tomcat permits advanced developers to configure custom username and password management schemes (e.g., by accessing a database, looking in the Unix /etc/passwd file, checking the Windows NT/2000 User Account settings, or making a Kerberos call). For details, see http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html. However, this configuration is a lot of work, so Tomcat also provides a default mechanism. With this mechanism, Tomcat stores usernames, passwords, and roles in install_dir/conf/tomcat-users.xml. This file should contain an XML header followed by a tomcat-users element containing any number of user elements. Each user element should have three attributes: name (the username), password (the plain text password), and roles (a comma-separated list of logical role names). Listing 7.1 presents a simple example that defines four users (valjean, bishop, javert, thenardier), each of whom belongs to two logical roles.
Note that the default Tomcat policy of storing unencrypted passwords is a poor one. First, an intruder that gains access to the server's file system obtains all the passwords. Second, even system administrators who are authorized to access server resources should not be able to obtain users' passwords. In fact, since many users reuse passwords on multiple systems, passwords should never be stored in clear text. Instead, they should be stored as the output of a one-way (hash) function, ideally with a per-user salt, so that the stored value cannot easily be reversed to recover the password. Then, when a user supplies a password, it is hashed the same way and the result is compared with the stored value. Nevertheless, the default Tomcat approach makes it easy to set up and test secure Web applications. Just keep in mind that for real applications you'll want to replace the simple file-based password system with something more robust (e.g., a database or a system call to Kerberos or the Windows NT/2000 User Account system).
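The following tomcat-users.xml is an added example written for this edition, not Listing 7.1 from the book. It uses the four usernames the text mentions; the passwords and the role names (administrator, executive, user, guest) are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- install_dir/conf/tomcat-users.xml for the default Tomcat 4 realm.
     Added example, not the book's Listing 7.1. Usernames follow the text;
     passwords and role names are assumed. Passwords are stored in plain
     text, which is acceptable only for development and testing. -->
<tomcat-users>
  <!-- Each user element: name, plain-text password, comma-separated roles.
       The role names are what the role-name elements in web.xml refer to,
       and the match is case sensitive. -->
  <user name="valjean"    password="candlesticks" roles="executive,user" />
  <user name="bishop"     password="forgiven"     roles="administrator,executive" />
  <user name="javert"     password="24601"        roles="administrator,user" />
  <user name="thenardier" password="innkeeper"    roles="user,guest" />
</tomcat-users>
```

Tomcat reads this file when it starts, so restart the server after editing it. The roles attribute is the only link between this server-specific file and the portable role-name entries in web.xml, so spell the role names identically in both places.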
JRun, like Tomcat, permits developers to customize the username and password management scheme. For details, see Chapter 39 (Web Application Authentication) of http://www.allaire.com/documents/jr31/devapp.pdf. Also like Tomcat, JRun provides a file-based default mechanism. Unlike Tomcat, however, JRun encrypts the passwords before storing them in the file. This approach makes the default JRun policy usable even in real-world applications.
With the default mechanism, JRun stores usernames, encrypted passwords, and roles in install_dir/lib/users.properties. This file contains entries of three types: user.username entries that associate a password with a user; group.groupname entries that group users together; and role.rolename entries that place users and/or groups into logical roles. Encrypted passwords can be obtained from an existing Unix-based password or .htaccess file or by using the PropertyFileAuthentication class supplied with JRun. To use this class, temporarily set your CLASSPATH (not the server's CLASSPATH) to include install_dir/lib/jrun.jar and install_dir/lib/ext/servlet.jar, change directory to install_dir/lib, and add a user at a time with the -add flag, as below. For real applications you would probably set up the server to automate this process.
After adding the users, edit the file to assign the roles. Listing 7.2 shows an example that sets up the same users, passwords, and roles as in the previous Tomcat example (Listing 7.1).
The process of setting up usernames, passwords, and roles is particularly simple with ServletExec. Simply open the administrator home page and select Users within the Web Applications heading (Figure 7-1). From there, you can interactively enter usernames, passwords, and roles (Figure 7-2). Voila!
With the free desktop debugger version, ServletExec stores the usernames and passwords in plain text in install_dir/ServletExec Data/users.properties. The passwords are encrypted in the deployment version.
Figure 7-1 ServletExec user editing interface.
Figure 7-2 Adding a user, password, and role in ServletExec.
You use the login-config element in the deployment descriptor (web.xml) to control the authentication method. Recall from Chapters 4 and 5 that this file goes in the WEB-INF directory of your Web application. Although a few servers support supplementary web.xml files (e.g., Tomcat has one in install_dir/conf that provides defaults for multiple Web applications), those files are entirely server specific. I am addressing only the standard version that goes in the Web application's WEB-INF directory.
To use form-based authentication, supply a value of FORM for the auth-method subelement and use the form-login-config subelement to give the locations of the login (form-login-page) and login-failure (form-error-page) pages. In the next sections I'll explain exactly what these two files should contain. But for now, note that nothing mandates that they use dynamic content. Thus, these pages can consist of either JSP or regular HTML.
For example, Listing 7.3 shows part of a web.xml file that stipulates that the container use form-based authentication. Unauthenticated users who attempt to access protected resources will be redirected to http://host/webAppPrefix/login.jsp. If they log in successfully, they will be returned to whatever resource they first attempted to access. If their login attempt fails, they will be redirected to http://host/webAppPrefix/login-error.html.
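The login-config fragment that behavior requires, as an added example written for this edition rather than the book's Listing 7.3; the page names match the text, and the paths are relative to the Web application root.

```xml
<!-- Fragment of WEB-INF/web.xml. Added example standing in for Listing 7.3.
     Both paths are resolved against the Web application root, so they
     must begin with a slash. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Page the container serves when an unauthenticated user requests
         a protected resource. -->
    <form-login-page>/login.jsp</form-login-page>
    <!-- Page the container serves when the submitted credentials are
         rejected. -->
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>
```

Element order matters in web.xml: the deployment descriptor's DTD places login-config after all security-constraint entries and before any security-role entries, and a validating server rejects a file that puts it elsewhere.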
OK, so the login-config element tells the server to use form-based authentication and to redirect unauthenticated users to a designated page. Fine. But what should you put in that page? The answer is remarkably simple: all the login page requires is a form with an ACTION of j_security_check, a text field named j_username, and a password field named j_password. And, since using GET defeats the whole point of password fields (protecting the password from prying eyes looking over the user's shoulder; with GET the password would also appear in the browser's address bar and history and in the server's access logs), all forms that have password fields should use a METHOD of POST. Note that j_security_check is a "magic" name; you don't prefix it with a slash even if your login page is in a subdirectory of the main Web application directory. Listing 7.4 gives an example.
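A minimal login page meeting those requirements, as an added example written for this edition rather than the book's Listing 7.4. It contains no JSP tags, so the same file works whether it is saved as login.jsp (the name used in the login-config example) or as login.html.

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- login.jsp: added example standing in for Listing 7.4.
     The form's ACTION, the text field name and the password field name
     are the three reserved names the container recognizes. -->
<HTML>
<HEAD><TITLE>Log In</TITLE></HEAD>
<BODY BGCOLOR="#FDF5E6">
<H1 ALIGN="CENTER">Log In</H1>

<!-- j_security_check is handled by the container and is deliberately
     NOT prefixed with a slash. POST keeps the password out of the URL,
     the browser history and the server's access logs. -->
<FORM ACTION="j_security_check" METHOD="POST">
  <TABLE ALIGN="CENTER">
    <TR>
      <TD>User name:</TD>
      <TD><INPUT TYPE="TEXT" NAME="j_username"></TD>
    </TR>
    <TR>
      <TD>Password:</TD>
      <TD><INPUT TYPE="PASSWORD" NAME="j_password"></TD>
    </TR>
    <TR>
      <TH COLSPAN="2"><INPUT TYPE="SUBMIT" VALUE="Log In"></TH>
    </TR>
  </TABLE>
</FORM>
</BODY>
</HTML>
```

Nothing on the page knows which resource the user originally asked for; the container remembers that itself and returns the user there after a successful login.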
OK, that was the page for logging in. What about a page for logging out? The session should time out eventually, but what if users want to log out immediately without closing the browser? Well, the servlet specification says that invalidating the HttpSession should log out users and cause them to be reauthenticated the next time they try to access a protected resource. So, in principle you should be able to create a logout page by making a servlet or JSP page that looks up the session and calls invalidate on it. In practice, however, not all servers support this process. Fortunately, changing users is simple: you just visit the login page a second time. This is in contrast to BASIC authentication (Section 7.3), where neither logging out nor changing your username is supported without the user quitting and restarting the browser.
The main login page must contain a form with a special-purpose ACTION (j_security_check), a text field with a special name (j_username), and a password field with yet another reserved name (j_password). So, what is required to be in the login-failure page? Nothing! This page is arbitrary; it can contain a link to an unrestricted section of the Web application, a link to the login page, or a simple "login failed" message.
The login-config element tells the server which authentication method to use. Good, but how do you designate the specific URLs to which access should be restricted? Identifying restricted URLs and describing the protection they should have is the purpose of the security-constraint element. The security-constraint element should come immediately before login-config in web.xml and contains four possible subelements: display-name (an optional element giving a name for IDEs to use), web-resource-collection (a required element that specifies the URLs that should be protected), auth-constraint (an optional element that designates the abstract roles that should have access to the URLs), and user-data-constraint (an optional element that specifies whether SSL is required). Note that multiple web-resource-collection entries are permitted within security-constraint.
For a quick example of the use of security-constraint, Listing 7.5 instructs the server to require passwords for all URLs of the form http://host/webAppPrefix/sensitive/blah. Users who supply passwords and belong to the administrator or executive logical roles should be granted access; all others should be denied access. The rest of this section provides details on the web-resource-collection, auth-constraint, and display-name elements. The role of user-data-constraint is explained in the next section (Specifying URLs That Should Be Available Only with SSL).
This rarely used optional subelement of security-constraint gives a name to the security constraint entry. This name might be used by an IDE or other graphical tool.
This subelement of security-constraint identifies the resources that should be protected. Each security-constraint element must contain one or more web-resource-collection entries; all other security-constraint subelements are optional. The web-resource-collection element consists of a web-resource-name element that gives an arbitrary identifying name, a url-pattern element that identifies the URLs that should be protected, an optional http-method element that designates the HTTP commands to which the protection applies (GET, POST, etc.; the default is all methods), and an optional description element providing documentation. Be careful with http-method: listing GET and POST protects only those two methods, and a request to the same URL that uses any other method (HEAD, PUT, DELETE, or an arbitrary made-up name) is not covered by the constraint at all. Unless you have a specific reason to distinguish methods, omit http-method so that the constraint applies to every method. For example, the following web-resource-collection entries (within a security-constraint element) specify that password protection should be applied to all documents in the proprietary directory (and subdirectories thereof) and to the delete-account.jsp page in the admin directory.
It is important to note that the url-pattern applies only to clients that access the resources directly. In particular, it does not apply to pages that are accessed through the MVC architecture with a RequestDispatcher (Section 3.8) or by the similar means of jsp:forward or jsp:include (Section 3.5). This asymmetry is good if used properly. For example, with the MVC architecture a servlet looks up data, places it in beans, and forwards the request to a JSP page that extracts the data from the beans and displays it. You want to ensure that the JSP page is never accessed directly but instead is accessed only through the servlet that sets up the beans the page will use. The url-pattern and auth-constraint (see next subsection) elements can provide this guarantee by declaring that no user is permitted direct access to the JSP page. But, this asymmetric behavior can catch developers off guard and allow them to inadvertently provide unrestricted access to resources that should be protected.
These protections apply only to direct client access. The security model does not apply to pages accessed by means of a RequestDispatcher, jsp:forward, or jsp:include.
Whereas the web-resource-collection element designates the URLs that should be protected, the auth-constraint element designates the users that should have access to protected resources. It should contain one or more role-name elements identifying the class of users that have access and, optionally, a description element describing the role. For instance, the following part of the security-constraint element in web.xml states that only users who are designated as either Administrators or Big Kahunas (or both) should have access to the designated resource.
If you want all authenticated users to have access to a resource, use * as the role-name. Technically, the auth-constraint element is optional, but be careful about what its absence means. Under the servlet 2.3 specification (and in Tomcat 4), a security-constraint with no auth-constraint at all does not restrict who may access the resources: the container accepts the request without requiring authentication. To deny access to every user, include an auth-constraint that contains no role-name elements (an empty auth-constraint). Although at first glance it appears pointless to deny access to all users, remember that these security restrictions apply only to direct client access. So, for example, suppose you had a JSP snippet that is intended to be inserted into another file with jsp:include (Section 3.5). Or, suppose you have a JSP page that is the forwarding destination of a servlet that is using a RequestDispatcher as part of the MVC architecture (Section 3.8). In both cases, users should be prohibited from directly accessing the JSP page. A security-constraint element with an empty auth-constraint accomplishes this restriction nicely.
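The three security-constraint usages discussed above (the role-restricted /sensitive directory of Listing 7.5, the web-resource-collection and auth-constraint fragments for the proprietary directory and delete-account.jsp, and the empty auth-constraint for forward-only pages), written out as added examples for this edition rather than the book's own listings. Directory, page and role names follow the text; the /views directory and the role name kahuna are assumptions.

```xml
<!-- Fragments of WEB-INF/web.xml. Added examples, not the book's listings.
     All security-constraint elements precede login-config. -->

<!-- Case 1 (Listing 7.5): /sensitive/* requires a login, and only members
     of the administrator or executive roles are admitted. No http-method
     is listed, so the constraint covers every HTTP method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Sensitive</web-resource-name>
    <url-pattern>/sensitive/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
    <role-name>executive</role-name>
  </auth-constraint>
</security-constraint>

<!-- Case 2: two collections under one constraint, open to administrators
     and kahunas. The http-method entries narrow the first collection to
     GET and POST only: a request to /proprietary/* with any other method
     is NOT covered. Omit http-method unless you need that distinction. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Proprietary</web-resource-name>
    <url-pattern>/proprietary/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Account Deletion</web-resource-name>
    <url-pattern>/admin/delete-account.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Administrators and Big Kahunas</description>
    <role-name>administrator</role-name>
    <role-name>kahuna</role-name>
  </auth-constraint>
</security-constraint>

<!-- Case 3: MVC view pages reached only through RequestDispatcher forwards
     or jsp:include. The EMPTY auth-constraint denies every direct client
     request; forwards and includes bypass constraints, so the controller
     servlet still reaches the pages. Leaving auth-constraint out entirely
     would have the opposite effect and leave /views/* unrestricted. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Forward-Only Views</web-resource-name>
    <url-pattern>/views/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Two details to check when adapting this: role names are matched case-sensitively against the roles your server assigns (the roles attribute in tomcat-users.xml, for Tomcat), and the specification defines * as shorthand for the roles declared in the application's security-role elements, so declare those roles (after login-config) if you rely on *.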
Suppose your servlet or JSP page collects credit card numbers. User authentication keeps out unauthorized users but does nothing to protect the network traffic. So, for instance, an attacker that runs a packet sniffer on the end user's local area network could see that user's credit card number. This scenario is exactly what SSL protects against: it encrypts the traffic between the browser and the server.
Use of SSL does not change the basic way that form-based authentication works. Regardless of whether you are using SSL, you use the login-config element to indicate that you are using form-based authentication and to identify the login and login-failure pages. With or without SSL, you designate the protected resources with the url-pattern subelement of web-resource-collection. None of your servlets or JSP pages need to be modified or moved to different locations when you enable or disable SSL. That's the beauty of declarative security.
The user-data-constraint subelement of security-constraint can mandate that certain resources be accessed only with SSL. So, for example, attempts to access https://host/webAppPrefix/specialURL are handled normally, whereas attempts to access http://host/webAppPrefix/specialURL are redirected to the https URL. This behavior does not mean that you cannot supply an explicit https URL for a hypertext link or the ACTION of a form; it just means that you aren't required to. You can stick with the simpler and more easily maintained relative URLs and still be assured that certain URLs will only be accessed with SSL. Keep in mind, though, that the redirect is issued only after the browser has already sent the plain-HTTP request, so anything carried in that first request has already crossed the network unencrypted.
The user-data-constraint element, if used, must contain a transport-guarantee subelement (with legal values NONE, INTEGRAL, or CONFIDENTIAL) and can optionally contain a description element. A value of NONE for transport-guarantee puts no restrictions on the communication protocol used. Since NONE is the default, there is little point in using user-data-constraint or transport-guarantee if you specify NONE. A value of INTEGRAL means that the communication must be of a sort that prevents data from being changed in transit without detection. A value of CONFIDENTIAL means that the data must be transmitted in a way that prevents anyone who intercepts it from reading it. Although in principle (and perhaps in future HTTP versions) there may be a distinction between INTEGRAL and CONFIDENTIAL, in current practice they both simply mandate the use of SSL.
For example, the following instructs the server to permit only https access to the associated resource:
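An SSL-only constraint of the kind just described, as an added example written for this edition rather than the fragment the book shows; the /order URL pattern and the description text are assumptions.

```xml
<!-- Fragment of WEB-INF/web.xml. Added example, not from the book.
     Plain http://host/webAppPrefix/order/... requests are redirected to
     the https equivalent; https requests are served normally. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Order Entry</web-resource-name>
    <url-pattern>/order/*</url-pattern>
  </web-resource-collection>
  <!-- No auth-constraint here, so the pages remain open to everyone; SSL
       is required but a login is not. Add an auth-constraint to require
       both. -->
  <user-data-constraint>
    <description>Credit card numbers are entered on these pages</description>
    <!-- INTEGRAL would have the same practical effect. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

If it is the password itself that must not travel in the clear, put CONFIDENTIAL guarantees on the protected resources and on the login page as well: the login form is served and submitted in the course of a request for those resources, and a form on a page fetched over plain HTTP posts j_username and j_password over plain HTTP.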
In addition to simply requiring SSL, the servlet API provides a way to specify that users must authenticate themselves with client certificates. You supply a value of CLIENT-CERT for the auth-method subelement of login-config (see "Specifying URLs That Should Be Password Protected" earlier in this section). However, only servers that have full J2EE support are required to support this capability.
Now, although the method of prohibiting non-SSL access is standardized, servers that are compliant with the servlet 2.3 and JSP 1.2 specifications are not required to support SSL. So, Web applications that use a transport-guarantee of CONFIDENTIAL (or, equivalently, INTEGRAL) are not necessarily portable. For example, JRun and ServletExec are usually used as plugins in Web servers like iPlanet/Netscape or IIS. In this scenario, the network traffic between the client and the Web server is encrypted with SSL, but the local traffic from the Web server to the servlet/JSP container is not encrypted. Consequently, a CONFIDENTIAL transport-guarantee will fail. Tomcat, however, can be set up to use SSL directly. Details on this process are given in Section 7.5. Some server plugins maintain SSL even on the local connection between the main Web server and the servlet/JSP engine; for example, the BEA WebLogic plugin for IIS, Apache, and Netscape Enterprise Server does so. Furthermore, integrated application servers like the standalone version of WebLogic have no "separate" servlet and JSP engine, so SSL works exactly as described here. Nevertheless, it is important to realize that these features, although useful, are not mandated by the servlet and JSP specifications.
Web applications that rely on SSL are not necessarily portable.
When you restrict access to certain resources, you do so by specifying the URL patterns to which the restrictions apply. This pattern, in turn, matches a pattern that you set with the servlet-mapping web.xml element (see Section 5.3, "Assigning Names and Custom URLs"). However, most servers use an "invoker servlet" that provides a default URL for servlets: http://host/webAppPrefix/servlet/ServletName. You need to make sure that users don't access protected servlets with this URL, thereby bypassing the access restrictions that were set by the url-pattern subelement of web-resource-collection. For example, suppose that you use security-constraint, web-resource-collection, and url-pattern to say that the URL /admin/DeclareChapter11 should be protected. You also use the auth-constraint and role-name elements to say that only users in the director role can access this URL. Next, you use the servlet and servlet-mapping elements to say that the servlet BankruptcyServlet.class in the disaster package should correspond to /admin/DeclareChapter11. Now, the security restrictions are in force when clients use the URL http://host/webAppPrefix/admin/DeclareChapter11. No restrictions apply to http://host/webAppPrefix/servlet/disaster.BankruptcyServlet. Oops.
Section 5.4 (Disabling the Invoker Servlet) discusses server-specific approaches to turning off the invoker. The most portable approach, however, is to simply remap the /servlet pattern in your Web application so that all requests that include the pattern are sent to the same servlet. To remap the pattern, you first create a simple servlet that prints an error message or redirects users to the top-level page. Then, you use the servlet and servlet-mapping elements (Section 5.3) to send requests that include the /servlet pattern to that servlet. Listing 7.6 gives a brief example.
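The catch-all servlet that remapping requires, as an added example written for this edition rather than the book's Listing 7.6. The class name NoInvokerServlet and the servlet name NoInvoker are assumptions; the web.xml entries that bind it to the /servlet/* pattern are shown in the header comment, and it deliberately refuses every HTTP method rather than only GET and POST.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example standing in for Listing 7.6; not the book's own code.
 *  Mapped to the /servlet/* pattern, it swallows every request of the form
 *  http://host/webAppPrefix/servlet/ServletName, so the invoker servlet can
 *  no longer be used to reach a servlet by class name and bypass the
 *  security-constraint entries that guard its custom URL.
 *
 *  Entries for WEB-INF/web.xml (servlet elements precede servlet-mapping
 *  elements; the names are assumed):
 *
 *    <servlet>
 *      <servlet-name>NoInvoker</servlet-name>
 *      <servlet-class>NoInvokerServlet</servlet-class>
 *    </servlet>
 *    <servlet-mapping>
 *      <servlet-name>NoInvoker</servlet-name>
 *      <url-pattern>/servlet/*</url-pattern>
 *    </servlet-mapping>
 */
public class NoInvokerServlet extends HttpServlet {

  /** Overriding service() rather than doGet()/doPost() means every HTTP
   *  method (GET, POST, HEAD, PUT, DELETE, OPTIONS, TRACE or anything
   *  else) gets the same refusal. HttpServlet would otherwise answer
   *  OPTIONS and TRACE itself and route HEAD through doGet(). */
  protected void service(HttpServletRequest request,
                         HttpServletResponse response)
      throws ServletException, IOException {
    // 404 rather than 403: do not confirm that a servlet class of the
    // requested name exists.
    response.setStatus(HttpServletResponse.SC_NOT_FOUND);
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    // Nothing taken from the request path is echoed back, so this page
    // cannot be used to reflect attacker-supplied text. getContextPath()
    // is the deployed prefix the container matched, not free-form input.
    String home = request.getContextPath() + "/";
    out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">");
    out.println("<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>");
    out.println("<H1>Not Found</H1>");
    out.println("Servlets in this application are available only through " +
                "their assigned URLs. Return to the " +
                "<A HREF=\"" + home + "\">home page</A>.");
    out.println("</BODY></HTML>");
  }
}
```

Compile the class into WEB-INF/classes. The application-level mapping for /servlet/* takes precedence over the server-wide invoker mapping within this Web application, so the custom URLs you protected with security-constraint become the only way to reach the servlets behind them. Disabling the invoker in the server's own configuration (Section 5.4) as well removes the risk for applications that forget this step.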