Title: Web Site Security
Web Site Security
- Representation and Management of Data on the Web
We all know this page...
Would we want all to know this page?
Problem
- Want to restrict access to certain Web pages
- Must answer the following questions
  - Which pages should be restricted?
  - Who should access restricted pages?
  - How should users be authenticated?
  - Should authentication data be encrypted?
Authentication Methods
- Several security methods are used
- Declarative Security
  - Use security mechanisms provided by the server
  - BASIC and FORM-based will be discussed
- Programmatic Security
  - Security is handled by the Web application programs
Declarative Security
- Advantage: application programs (i.e. JSP and Servlets) do not have to do anything special
- Advantage: security holes due to bugs are less probable
- Disadvantage: the process is server specific
- Disadvantage: all-or-nothing security
  - users either can or cannot see the page
  - sometimes, what we really want is for the page content to depend on the user
Programmatic Security
- Advantage: not server specific
- Advantage: very flexible
- Disadvantage: a lot of work to program; all Servlets and JSP pages have to cooperate for this to work
- Disadvantage: programmer's bugs may lead to security holes
Declarative Security: BASIC
(Diagram: Realm A contains /a/A.html and /a/B.jsp; Realm B contains /b/C.css and /b/D.xml; E.xsl and F.xml are also shown)
Declarative Security: BASIC
- To restrict a set of pages for certain users, the server designates a realm name for these pages and defines the authorized users (usernames and passwords)
- When a page is requested without correct authentication information, the server returns a 401 (Unauthorized) response, with a "WWW-Authenticate" header like the following:
  WWW-Authenticate: Basic realm="realm-name"
Declarative Security: BASIC
- The browser then prompts the user for a username and a password, and sends them in the "Authorization" header:
  Authorization: Basic username:password (Base64-encoded)
- The string username:password is trivially encoded (Base64; everyone can decode it...)
- Throughout the session, the browser automatically sends the same Authorization header when requesting files under the directory of the authenticated request, or when asked to authenticate in the same realm
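As an added example (not part of the original slides), the BASIC exchange above modelled in Python: the server's 401 challenge carrying the realm, the browser's Base64 encoding of username:password, and the server-side decode and credential check against a constructed user table that stands in for tomcat-users.xml. The realm name, user, password and role are taken from the Tomcat slides that follow; the function names are assumptions.

```python
import base64
import binascii
import hmac

# Constructed user table standing in for tomcat-users.xml: user -> (password, roles)
USERS = {"snoopy": ("snoopass", {"special"})}
REALM = "Special Managers"


def challenge():
    """The 401 response the server sends when no valid credentials arrive."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None


def make_authorization(username, password):
    """What the browser does after prompting: Base64 of 'username:password'."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header_value):
    """Recover (username, password) from an Authorization header, or None if malformed.
    Base64 is an encoding, not encryption: anyone holding the header can do this."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user-id may not contain ':'; the password may, so split on the first one only
    username, sep, password = raw.partition(":")
    return (username, password) if sep else None


def authenticate(headers, required_role):
    """Server-side check for a page restricted to required_role.
    Returns (status, extra_headers, username)."""
    auth = headers.get("Authorization")
    creds = decode_basic(auth) if auth else None
    if creds is None:
        return challenge()
    username, password = creds
    stored = USERS.get(username)
    # compare_digest keeps the comparison constant-time; an unknown user still gets a 401
    if stored is None or not hmac.compare_digest(password.encode(), stored[0].encode()):
        return challenge()
    if required_role not in stored[1]:
        return 403, {}, username  # authenticated, but not in the role the constraint requires
    return 200, {}, username
```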
An Example
BASIC method in Tomcat
- Set up usernames, passwords and roles
- Tell the server that your application is using BASIC authentication, and designate a realm name for the application
- Specify which URLs should be restricted to which roles
1. Defining Usernames, Passwords, and Roles
- Define users, passwords and roles in the file CATALINA_BASE/conf/tomcat-users.xml
  <tomcat-users>
    <role rolename="special"/>
    <!-- more roles... -->
    <user username="snoopy" password="snoopass" roles="special"/>
    <!-- more users... -->
  </tomcat-users>
2. Tell the Server to use BASIC Security and Define a Realm Name
- Add to the application's web.xml the login method (BASIC) and your chosen realm name
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Special Managers</realm-name>
  </login-config>
3. Define the restrictions in web.xml
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted one</web-resource-name>
      <url-pattern>/restricted1/</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>restricted two</web-resource-name>
      <url-pattern>/restricted2/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>special</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>...</login-config>
  <security-role>
    <role-name>special</role-name>
  </security-role>
Custom Error Pages
- The default 401 error page is returned with the server's unauthorized response
- A 401 page is not shown by the browser, unless
  - the user cancels the authentication, or
  - the page is returned without a WWW-Authenticate header
- In Tomcat, you can define an application-specific error page; however, the WWW-Authenticate header must then be added explicitly
A Custom Error Page Example
- Add to the application's web.xml the following
  <error-page>
    <error-code>401</error-code>
    <location>/error401.jsp</location>
  </error-page>
A Custom Error Page Example (cont)
error401.jsp
  <% response.setHeader("WWW-Authenticate", "Basic realm=\"Special Managers\""); %>
  <HTML>
  <HEAD><TITLE>Unauthorized</TITLE></HEAD>
  <BODY bgcolor="yellow">
  <CENTER>
  <H1>Go away! You are not authorized!!</H1>
  </CENTER>
  </BODY>
  </HTML>
Declarative Security: FORM
- In the BASIC method, it is the browser's responsibility to get the login and password from its user, and to send them throughout the session
- In the FORM method, this responsibility is the server's, while the browser is not aware of the fact that restricted pages are being accessed
Declarative Security: FORM (cont)
- On the first request to a restricted page, the server forwards the request to a login page
- Using the form in the login page, the user submits the login and password to a special URL of the server, and the server stores the information in the session object
- On subsequent requests, the server checks the session to see if it contains suitable authentication, in which case the requested page is returned
Add to web.xml
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/admin/login.jsp</form-login-page>
      <form-error-page>/admin/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
Create A Login Page
myApp/admin/login.jsp
  <HTML>
  <HEAD><TITLE>Login</TITLE></HEAD>
  <BODY BGCOLOR="yellow"><H1>Log In</H1>
  <H2>Sorry, you must log in before accessing this resource.</H2>
  <FORM ACTION="<%= response.encodeURL("j_security_check") %>" METHOD="POST">
  <TABLE SUMMARY="login form">
  <TR><TD>User name<TD><INPUT TYPE="TEXT" NAME="j_username">
  <TR><TD>Password<TD><INPUT TYPE="PASSWORD" NAME="j_password">
  <TR><TD><INPUT TYPE="SUBMIT" VALUE="Log In">
  </TABLE></FORM></BODY>
  </HTML>
Create a Login-Error Page
myApp/admin/login-error.html
  <HTML>
  <HEAD><TITLE>Unauthorized</TITLE></HEAD>
  <BODY bgcolor="yellow">
  <CENTER>
  <H1>Go away! You are not authorized!!</H1>
  </CENTER>
  </BODY>
  </HTML>
Adding Some Programmatic Security
- So far, all or nothing
  - can see the page, or
  - can't see the page
- Sometimes we want to allow page content to be dependent on the authorization of the user
- Use the following request methods to control content restriction
  - boolean isUserInRole(String role)
  - String getRemoteUser()
Example
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>salary</web-resource-name>
      <url-pattern>/salary.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>executive</role-name>
      <role-name>employees</role-name>
    </auth-constraint>
  </security-constraint>
Example (cont)
salary.jsp
  <HTML>
  <HEAD><TITLE>Average Salary</TITLE></HEAD>
  <BODY>
  <H2>Employee average salary: 3895 NIS</H2>
  <% if (request.isUserInRole("executive")) { %>
  <H2>Executive average salary: 42764 NIS</H2>
  <% } %>
  </BODY>
  </HTML>
Important: Disable the Servlet Invoker
- You protect certain URLs in the application
- The http://host/prefix/servlet/Name format of the Servlet invoker will probably not match the patterns of the protected URLs
- Thus, the security restrictions are bypassed if the invoker is enabled
- For this reason (and others), the invoker should not be used in published applications
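An added example (not from the slides) of the coverage gap just described: a Python checker that applies servlet-style url-pattern matching to a constructed constraint table (the /restricted1, /restricted2 and /salary.jsp patterns of this deck, written here in path-prefix form) and reports whether a servlet mapped under a protected path would also be reachable, unprotected, through the /servlet/Name invoker alias. The servlet name ReportServlet, its mapping and the function names are assumptions.

```python
# Constructed constraint table modelled on this deck's web.xml fragments
# (url-patterns written in path-prefix form, as in a real deployment).
CONSTRAINTS = [
    {"patterns": ["/restricted1/*", "/restricted2/*"], "roles": {"special"}},
    {"patterns": ["/salary.jsp"], "roles": {"executive", "employees"}},
]


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: default '/', path prefix '/x/*', extension '*.ext', exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(path, constraints=CONSTRAINTS):
    """Roles allowed to reach path; an empty set means no constraint covers it."""
    roles = set()
    for c in constraints:
        if any(pattern_matches(p, path) for p in c["patterns"]):
            roles |= c["roles"]
    return roles


def invoker_bypasses(mapped_path, servlet_name, constraints=CONSTRAINTS, invoker_prefix="/servlet/"):
    """True when the servlet's mapped path is protected but its invoker alias is not,
    i.e. the constraints would be bypassed if the invoker stays enabled."""
    protected = bool(required_roles(mapped_path, constraints))
    alias_covered = bool(required_roles(invoker_prefix + servlet_name, constraints))
    return protected and not alias_covered


def audit(servlets, constraints=CONSTRAINTS):
    """Names of servlets (given as mapped path -> servlet name, assumed) exposed via the invoker."""
    return sorted(name for path, name in servlets.items() if invoker_bypasses(path, name, constraints))
```

The fix the slide recommends is to disable the invoker; the last assertion in the accompanying check shows the alternative of covering /servlet/* with its own constraint.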
SSL Connections
Security on the Internet
- The Internet is used to transmit sensitive data from clients to servers and vice versa
  - User passwords
  - Credit card numbers
  - Private client data on remote servers (e.g. banks)
- However, data packets are read by several computers on the way from the client to the server and vice versa
  - Routers, proxies, etc.
Security on the Internet (cont)
- The following should be provided
  - Only the server can read the client's requests
  - Only the client can read the server's responses
  - Only the client can send requests on behalf of itself
  - Only the server can send responses on behalf of itself
- In short, no one should be able to interfere in the interaction, either by reading the transferred data or by impersonating one of the sides
Symmetric and Asymmetric Keys
- Data can be encrypted and decrypted using keys, which are simply large numbers
- Symmetric keys: the same key is used for both encoding and decoding of the message
- Asymmetric keys: one key is used to encode the message, and another is used to decode it
- It is considered practically impossible to decode a message without knowing the decoding key
The RSA Cryptography System
- RSA was developed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
- It is based on the asymmetric key mechanism
- Each participant has a private key and a public key
- The public key is known to all and the private key is kept secret by its owner
- Asymmetric keys: the public key is the encoding key and the private key is the decoding key
Secure Connection: A Naive Approach
- Consider the following protocol
  - Server and Client send their public keys to each other
  - Data is encrypted using the public key of the receiver
- What is wrong with this protocol?
  - The encoding keys (public keys) are known to everyone, so everyone can impersonate the participants
  - A participant cannot tell whether the key it received was indeed sent by the other participant
SSL Connections
- The SSL (Secure Socket Layer) protocol is used to manage the security of message transmission on the Internet
- Data encryption and decryption is based on both symmetric and asymmetric keys
- The HTTPS (HTTP over SSL) protocol is simply the HTTP protocol carried over SSL transport
SSL in the Network Layers
(Layer diagram, top to bottom: Email Protocols / HTTP, then SSL, then TCP/IP)
The SSL Handshake
1. Client gets the Server's certificate (is this a good certificate?)
2. Client creates a master secret and shares it with the server
3. Client and server create symmetric session keys from the master secret
4. Data is transferred using the session keys
SSL Certificates
- To assure that the replier to the first request is the server, the server sends a certificate
- The certificate contains both the server's name and its public key
- The certificate is issued by a Certificate Authority (CA), which is known to the client in advance
  - For example VeriSign, Thawte, RSA Secure Server, etc.
- The CA signs the certificate using a digital signature, which the client can verify using a method similar to the private-public key method
The Server's Certificate
- Public Key
- Serial Number
- Validity Period
- Server's Name
- Issuer's Name
- Issuer's Digital Signature
An Example: The Certificate of bankleumi.co.il
Authentication via SSL
- If the server needs to assure the client's identity, the first interaction after the SSL handshake will typically be a client authentication
- Client authentication is done using the regular HTTP authentication methods
- What is the difference, though?
SSL in Tomcat 5.0
- To use SSL connections in Tomcat 5.0, we need to do the following
  - Acquire a certificate
  - Enable the https service, which listens on a designated port
  - Declare the pages that require SSL connections
Generating a Certificate
- Acquiring a certificate from a known CA costs money
- Instead, we will generate our own certificate
- Naturally, the browser will not recognize the CA as a known one and will alert the user
Generating a Certificate (cont)
- From the Unix shell, type the following
  keytool -genkey -alias tomcat -keyalg RSA -keystore keyfile
Enable HTTPS Service
- Add the following to CATALINA_BASE/conf/server.xml under the Service "catalina"
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS" keystoreFile="keyfile" keystorePass="keypass"/>
- Declare the redirection port for the HTTP Connector
  <Connector port="8090" redirectPort="8443"/>
Declare Secured Pages
- In the application's web.xml, add the following element under the security constraint for which you want SSL to be used
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>