Web Site Security - PowerPoint PPT Presentation

Slides: 68
Provided by: csHu

Transcript and Presenter's Notes

1
Web Site Security
  • Representation and Management of Data on the Web

2
We all know this page...
3
Would we want everyone to know this page?
4
Problem
  • We want to restrict access to certain Web pages
  • We must answer the following questions:
  • Which pages should be restricted?
  • Who should access restricted pages?
  • How should users be authenticated?
  • Should authentication data be encrypted?

5
Authentication Methods
  • Several security methods are used
  • Declarative Security
  • Use security mechanisms provided by the server
  • BASIC and FORM-based will be discussed
  • Programmatic Security
  • Security is handled by the Web application
    programs

6
Declarative Security
  • Advantage: application programs (i.e., JSP and
    Servlets) do not have to do anything special
  • Advantage: security holes due to bugs are less
    probable
  • Disadvantage: server-specific process
  • Disadvantage: all-or-nothing security
  • users either can or cannot see the page
  • sometimes what we really want is for the page
    content to depend on the user

7
Programmatic Security
  • Advantage: not server specific
  • Advantage: very flexible
  • Disadvantage: a lot of work to program; all
    Servlets and JSPs have to cooperate for this to
    work
  • Disadvantage: programmer's bugs may lead to
    security holes

8
Declarative Security: BASIC
(Diagram: Realm A: /a/A.html, /a/B.jsp; Realm B: /b/C.css, /b/D.xml; also shown: E.xsl, F.xml)
12
Declarative Security: BASIC
  • To restrict a set of pages to certain users, the
    server designates a realm name for these pages
    and defines the authorized users (usernames and
    passwords)
  • When a page is requested without correct
    authentication information, the server returns a
    401 (Unauthorized) response with a
    "WWW-Authenticate" header like the following:
  • WWW-Authenticate: Basic realm="realm-name"

13
Declarative Security: BASIC
  • The browser then prompts the user for a username
    and a password, and sends them in the
    "Authorization" header:
  • Authorization: Basic username:password (Base64-encoded)
  • The string username:password is only trivially encoded
    (everyone can decode it...)
  • For the rest of the session, the browser automatically
    sends the same Authorization header when requesting
    files under the directory of the authenticated request,
    or when asked to authenticate in the same realm
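An added example (not from the slides): a small Python model of both sides of the BASIC exchange described above. It builds the header the browser sends, shows that reading it back needs nothing more than Base64, and verifies it server-side against a constructed user table that stores salted password digests; the realm, user and password are the ones used on these slides, the table layout and salt are assumptions.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed user table for the "Special Managers" realm (hypothetical, not
# Tomcat's realm code): passwords are kept as salted PBKDF2 digests, never clear.
def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"constructed-fixed-salt"   # fixed only to keep the example deterministic
USERS = {"snoopy": (_SALT, _digest("snoopass", _SALT))}

def challenge(realm: str) -> str:
    """Header the server adds to its 401 when credentials are missing or wrong."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm

def encode_basic(username: str, password: str) -> str:
    """What the browser puts in the Authorization header after the prompt."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an Authorization value.
    Base64 is an encoding, not encryption: anyone who sees the header can do this,
    which is why BASIC belongs only on SSL connections."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # first colon only: passwords may contain ':'
    return user, password

def authenticate(header_value: str) -> Optional[str]:
    """Return the verified username, or None (the caller then answers 401 + challenge)."""
    creds = decode_basic(header_value)
    if creds is None:
        return None
    user, password = creds
    salt, stored = USERS.get(user, (_SALT, bytes(32)))  # same cost for unknown users
    if user in USERS and hmac.compare_digest(_digest(password, salt), stored):
        return user
    return None
```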

An Example
14
BASIC method in Tomcat
  1. Set up usernames, passwords and roles
  2. Tell the server that your application is using
    BASIC authentication, and designate a realm name
    for the application
  3. Specify which URLs should be restricted to which
    roles

15
1. Defining Usernames, Passwords, and Roles
  • Define users, passwords and roles in the file
    CATALINA_BASE/conf/tomcat-users.xml

<tomcat-users>
  <role rolename="special"/>
  <!-- more roles... -->
  <user username="snoopy" password="snoopass" roles="special"/>
  <!-- more users... -->
</tomcat-users>
16
2. Tell the Server to use BASIC Security and Define a Realm Name
  • Add to the application's web.xml the login method
    (BASIC) and your chosen realm name

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Special Managers</realm-name>
</login-config>
17
3. Define the restrictions in web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted one</web-resource-name>
    <url-pattern>/restricted1/*</url-pattern>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>restricted two</web-resource-name>
    <url-pattern>/restricted2/*</url-pattern>
  </web-resource-collection>

18
  <auth-constraint>
    <role-name>special</role-name>
  </auth-constraint>
</security-constraint>

<login-config>...</login-config>

<security-role>
  <role-name>special</role-name>
</security-role>

19
(No Transcript)
20
(No Transcript)
21
Custom Error Pages
  • The default 401 error page is returned with the
    server's unauthorized response
  • A 401 page is not shown by the browser unless:
  • The user cancels the authentication
  • The page is returned without WWW-Authenticate
  • In Tomcat, you can define an application-specific
    error page; however, the WWW-Authenticate header
    must then be added explicitly

22
A Custom Error Page Example
  • Add to the application's web.xml the following:

<error-page>
  <error-code>401</error-code>
  <location>/error401.jsp</location>
</error-page>

23
A Custom Error Page Example (cont.)
error401.jsp

<% response.setHeader("WWW-Authenticate",
                      "Basic realm=\"Special Managers\""); %>
<HTML> <HEAD> <TITLE>Unauthorized</TITLE> </HEAD>
<BODY bgcolor="yellow">
<CENTER>
<H1>Go away! You are not authorized!!</H1>
</CENTER>
</BODY>
</HTML>

24
(No Transcript)
25
(No Transcript)
26
Declarative Security: FORM
  • In the BASIC method, it is the browser's
    responsibility to get the login and password from
    its user and to send them throughout the session
  • In the FORM method, this responsibility is the
    server's, and the browser is not aware that
    restricted pages are being accessed

27
Declarative Security: FORM (cont.)
  • On the first request to a restricted page, the
    server forwards the request to a login page
  • Using the form in the login page, the user
    submits their login and password to a special URL
    of the server, which stores the information in
    the session object
  • On subsequent requests, the server checks the
    session to see whether it contains suitable
    authentication, in which case the requested page
    is returned

28
Add to web.xml

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/admin/login.jsp</form-login-page>
    <form-error-page>/admin/login-error.html</form-error-page>
  </form-login-config>
</login-config>
29
Create a Login Page
myApp/admin/login.jsp

<HTML>
<HEAD><TITLE>Login</TITLE></HEAD>
<BODY BGCOLOR="yellow"><H1>Log In</H1>
<H2>Sorry, you must log in before accessing this resource.</H2>
<FORM ACTION="<%= response.encodeURL("j_security_check") %>" METHOD="POST">
<TABLE SUMMARY="login form">
<TR><TD>User name:<TD><INPUT TYPE="TEXT" NAME="j_username">
<TR><TD>Password:<TD><INPUT TYPE="PASSWORD" NAME="j_password">
<TR><TD><INPUT TYPE="SUBMIT" VALUE="Log In">
</TABLE> </FORM> </BODY>
</HTML>

30
Create a Login-Error Page
myApp/admin/login-error.html

<HTML>
<HEAD> <TITLE>Unauthorized</TITLE> </HEAD>
<BODY bgcolor="yellow">
<CENTER>
<H1>Go away! You are not authorized!!</H1>
</CENTER>
</BODY>
</HTML>

31
(No Transcript)
32
(No Transcript)
33
(No Transcript)
34
Adding Some Programmatic Security
  • So far, all or nothing:
  • can see the page, or
  • can't see the page
  • Sometimes we want to allow page content to be
    dependent on the authorization of the user
  • Use the following request methods to control
    content restriction:
  • boolean isUserInRole(String role)
  • String getRemoteUser()

35
Example

<security-constraint>
  <web-resource-collection>
    <web-resource-name>salary</web-resource-name>
    <url-pattern>/salary.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>executive</role-name>
    <role-name>employees</role-name>
  </auth-constraint>
</security-constraint>

36
Example (cont.)
salary.jsp

<HTML>
<HEAD><TITLE>Average Salary</TITLE></HEAD>
<BODY>
<H2>Employee average salary: 3895 NIS</H2>
<% if (request.isUserInRole("executive")) { %>
<H2>Executive average salary: 42764 NIS</H2>
<% } %>
</BODY>
</HTML>

37
(No Transcript)
38
(No Transcript)
39
(No Transcript)
40
(No Transcript)
41
Important: Disable the Servlet Invoker
  • You protect certain URLs in the application
  • The http://host/prefix/servlet/Name format of the
    Servlet invoker will probably not match the
    patterns of the protected URLs
  • Thus, the security restrictions are bypassed if
    the invoker is enabled
  • For this reason (and others), the invoker should
    not be used in published applications
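As an added illustration (not part of the slides), the following Python models the Servlet url-pattern rules used for security constraints and shows why the /servlet/Name form of the invoker slips past constraints written for other prefixes, and how an empty auth-constraint on that prefix closes the gap. ReportServlet is a constructed name, and HTTP methods are left out of the model to keep it short.

```python
from typing import Iterable, List, Optional, Set, Tuple

# Constructed constraints in the shape of the web.xml <security-constraint> elements
# on the slides: (url-pattern, roles allowed). An empty set models an empty
# <auth-constraint/>, which the Servlet spec defines as "nobody may access".
Constraint = Tuple[str, Set[str]]
CONSTRAINTS: List[Constraint] = [
    ("/restricted1/*", {"special"}),
    ("/restricted2/*", {"special"}),
    ("/salary.jsp", {"executive", "employees"}),
]

def pattern_matches(pattern: str, path: str) -> bool:
    """url-pattern matching as the Servlet spec defines it:
    path prefix ('/dir/*'), extension ('*.jsp') or exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def roles_required(path: str, constraints: List[Constraint] = CONSTRAINTS) -> Optional[Set[str]]:
    """None when no constraint covers the path (unprotected); otherwise the union of
    the matching constraints' roles, or an empty set if any of them denies everyone."""
    matched = [roles for pattern, roles in constraints if pattern_matches(pattern, path)]
    if not matched:
        return None
    if any(not roles for roles in matched):
        return set()
    return set().union(*matched)

def is_allowed(path: str, user_roles: Iterable[str],
               constraints: List[Constraint] = CONSTRAINTS) -> bool:
    required = roles_required(path, constraints)
    return required is None or bool(required & set(user_roles))

# The invoker problem: a servlet mapped under /restricted1/ is also reachable as
# /servlet/<ClassName>, a path no constraint covers, so an anonymous request gets through.
def invoker_bypasses(constraints: List[Constraint] = CONSTRAINTS) -> bool:
    return is_allowed("/servlet/ReportServlet", [], constraints)   # constructed servlet name

# Besides disabling the invoker, a constraint with an empty <auth-constraint/> on
# /servlet/* denies that path to everyone, whatever other patterns say.
HARDENED: List[Constraint] = CONSTRAINTS + [("/servlet/*", set())]
```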

42
SSL Connections
43
Security on the Internet
  • The Internet is used to transmit sensitive data
    from clients to servers and vice versa
  • User passwords
  • Credit card numbers
  • Private client data on remote servers (e.g.
    Banks)
  • However, data packets are read by several
    computers on the way from the client to the
    server and vice versa
  • Routers, proxies, etc.

44
Security on the Internet (cont)
  • The following should be provided:
  • Only the server can read the client's requests
  • Only the client can read the server's responses
  • Only the client can send requests on behalf of
    itself
  • Only the server can send responses on behalf of
    itself
  • In short, no one should be able to interfere in
    the interaction, either by reading the
    transferred data or by impersonating one of
    the sides

45
Symmetric and Asymmetric Keys
  • Data can be encrypted and decrypted using keys,
    which are simply large numbers
  • Symmetric keys: the same key is used for both
    encoding and decoding of the message
  • Asymmetric keys: one key is used to encode the
    message, and another is used to decode it
  • It is considered practically impossible to decode
    a message without knowing the decoding key

46
The RSA Cryptography System
  • RSA was developed in 1977 by Ron Rivest, Adi
    Shamir and Leonard Adleman
  • It is based on the asymmetric key mechanism
  • Each participant has a private key and a public
    key
  • The public key is known to all, and the private
    key is kept secret by its owner
  • Asymmetric keys: the public key is the encoding
    key and the private key is the decoding key

47
Secure Connection: A Naive Approach
  • Consider the following protocol:
  • Server and Client send their public keys to each
    other
  • Data is encrypted using the public key of the
    receiver
  • What is wrong with this protocol?
  • The public keys are known to everyone, so anyone
    can impersonate the participants
  • A participant cannot tell whether the key it
    received was indeed sent by the other participant

48
SSL Connections
  • The SSL (Secure Sockets Layer) protocol is used to
    manage the security of message transmission on the
    Internet
  • Data encryption and decryption are based on both
    symmetric and asymmetric keys
  • The HTTPS (HTTP over SSL) protocol is simply the
    HTTP protocol carried over an SSL transport

49
SSL in the Network Layers
(Diagram: Email protocols and HTTP run above SSL, which runs above TCP/IP)
50
The SSL Handshake
1. Client gets the Server's certificate. Is this a good certificate?
(Diagram: Client and Server)
51
The SSL Handshake
2. Client creates a master secret and shares it with the server
(Diagram: Client and Server)
52
The SSL Handshake
3. Client and server create symmetric session keys from the master secret
(Diagram: Client and Server)
53
The SSL Handshake
Data is transferred using the session keys
(Diagram: Client and Server)
54
SSL Certificates
  • To assure the client that the party answering its
    first request is indeed the server, the server
    sends a certificate
  • The certificate contains both the server's name
    and its public key
  • The certificate is issued by a Certificate
    Authority (CA), which is known to the client in
    advance
  • For example: VeriSign, Thawte, RSA Secure Server,
    etc.
  • The CA signs the certificate using a digital
    signature, which the client can verify using a
    method similar to the public-private key method

55
The Server's Certificate
  • Public Key
  • Serial Number
  • Validity Period
  • Server's Name
  • Issuer's Name
  • Issuer's Digital Signature
56
An Example: The Certificate of bankleumi.co.il
57
Authentication via SSL
  • If the server needs to assure itself of the client's
    identity, the first interaction after the SSL
    handshake will typically be a client
    authentication
  • Client authentication is done using the regular
    HTTP authentication methods
  • What is the difference, though?

58
SSL in Tomcat 5.0
  • To use SSL connections in Tomcat 5.0, we need to
    do the following:
  • Acquire a certificate
  • Enable the HTTPS service, which listens on a
    designated port
  • Declare the pages that require SSL connections

59
Generating a Certificate
  • Acquiring a certificate from a known CA costs
    money
  • Instead, we will generate our own certificate
  • Naturally, the browser will not recognize the CA
    as a known one and will alert the user

60
Generating a Certificate (cont.)
  • From the Unix shell, type the following:
  • keytool -genkey -alias tomcat -keyalg RSA -keystore keyfile

61
Enable HTTPS Service
  • Add the following to CATALINA_BASE/conf/server.xml
    under the Service "catalina":

<Connector port="8443" scheme="https" secure="true"
           sslProtocol="TLS" keystoreFile="keyfile"
           keystorePass="keypass"/>

  • Declare the redirection port for the HTTP
    Connector:

<Connector port="8090" redirectPort="8443"/>

62
Declare Secured Pages
  • In the application's web.xml, add the following
    element under the security constraint for which
    you want SSL to be used:

<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
(No Transcript)
67
(No Transcript)