Lesson 18: Web application security schemes

  • 9/10/2011

    1

    JAVA-ORIENTED WEB PROGRAMMING

    Lesson 18: Security techniques for Web applications

    Lecturer: MSc. Trinh Tuan Dat

    Department of Software Engineering (DSE)

    Email: [email protected]/[email protected]

    School of Information and Communication Technology

    Hanoi University of Science and Technology

    1DatTT-DSE-SOICT-HUST

    Contents

    1. General security issues

    2. Security techniques and requirements at the Web tier

    3. Authentication

    3.1. HTTP basic authentication

    3.2. Form-based authentication

    3.3. Realm management

    3.4. Protecting passwords in transit for Basic & Form-based authentication

    3.5. Guidelines for implementing security at the Web tier

    3.6. Client authentication using certificate-based authentication

    3.7. Digest authentication

    3.8. Programmatic authentication

    4. Authorization

    4.1. Declarative access control at the Web tier

    4.2. Programmatic access control at the Web tier

    1. General security issues

    General security issues

    Authentication

    Ensures that a user really is who he claims to be

    Authorization (access control)

    Ensures that only those with permission can access a resource

    The user must be authenticated first

    Confidentiality (privacy)

    Protects data from eavesdroppers while it is in transit

    2. Security techniques and requirements at the Web tier

    Security requirements at the Web tier

    Prevent unauthenticated users from accessing access-controlled resources

    If an unauthenticated user tries to access an access-controlled web resource, the web container automatically requires the user to authenticate first

    Once the user is authenticated, the web container (and/or the web components) applies access control

    Prevent attackers from modifying or reading sensitive data in transit

    Data can be protected with SSL

    Web-tier security techniques need to cover: Authentication

    Obtaining the end user's identity information

    Through the browser's user interface

    The user's identity information consists of a username and a password

    This is called logging in

    Transmitting the obtained identity information to the web server

    Insecurely (HTTP) or securely (HTTP over SSL)

    Web-tier security techniques need to cover: Authentication (2)

    Verifying the identity by matching it against the security database

    The web container checks whether the user's identity matches one stored in the backing security database

    The security database is also called a Realm

    Realms store and maintain

    Usernames, passwords, roles, ...

    How realms are organized and managed depends on the product and the environment

    LDAP, RDBMS, flat file, Solaris PAM, Windows AD

    Web-tier security techniques need to cover: Authentication (3)

    The web container keeps track of authenticated users for subsequent HTTP operations

    Using the stored session state, the web container knows whether the user sending an HTTP request has already been authenticated

    The web container also creates an HttpServletRequest object for each incoming HTTP request

    The HttpServletRequest object carries the security context information

    Principal, role, username

    Web-tier security techniques need to cover: Access control

    Developers and Web application deployers specify access control for web resources

    Using declarative and/or programmatic access control

    Web-tier security techniques need to cover: Data confidentiality

    Provide confidentiality for sensitive data in transit

    Between the browser and the web server

    Example: credit card numbers

    Using SSL

    Authentication techniques at the Web tier

    HTTP basic authentication

    With or without SSL

    Form-based authentication

    With or without SSL

    Client-certificate authentication

    Must be used with SSL

    Digest authentication

    Does not require SSL

    3.1. HTTP basic authentication

    HTTP Basic Authentication

    The web server collects the user's identity information (user name & password) through a dialog box in the browser

    Not secure, because the user name and password travel in an easily decodable form

    The encoding is Base64

    Anyone can decode it trivially

    It is not encrypted

    SSL is needed to encrypt the password

    Steps to set up Basic Authentication

    Set up usernames, passwords and roles (realms)

    Tell the web container that the technique in use is Basic authentication

    Specify which URLs (web resources) need access control (password-protected)

    Specify which URLs are served only over SSL (data integrity & confidentiality protected)

    Step 1: Set up usernames, passwords and roles (realms)

    The schemes, APIs and tools for setting up usernames, passwords & roles (realms) depend on the web container and the operational environment

    Flat-file based, database, LDAP server

    Passwords may be stored in encrypted form or not

    Tomcat 4.0 can work with the following realm types

    Default: a file, in unencrypted form

    Relational database (via JDBCRealm)

    LDAP server (via LDAPRealm)

    Example: the Tomcat default

    /config/tomcat-users.xml

    Unencrypted form: not secure, but easy to set up and maintain

    Step 2: Instruct the web container to use Basic authentication

    In the web application's web.xml file:

    ...
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>realm name</realm-name>
    </login-config>
    ...

    Step 3: Specify the access-controlled URLs

    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/loadpricelist</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    ...

    Step 4: Specify the resources (URLs) that require SSL

    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/loadpricelist</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    ...

    3.2. Form-based authentication

    Form-based Authentication

    The Web application collects the user's identity information (user name, password and other data) through an ordinary login page

    Not secure, because the user name and password travel in an easily decodable form

    The encoding is Base64

    Anyone can decode it trivially

    It is not encrypted

    SSL is needed to encrypt the password

    Control flow

    1. Request made by client

    2. Is client authenticated?

    3. Unauthenticated client redirected

    4. Login form returned to client

    5. Client submits login form

    6. Authentication: login succeeded, redirected to resource

    7. Authorization: permission tested, result returned

    8. Login failed, redirect to error page

    9. Error page returned to client

    [Figure: control-flow diagram between the client, the protected resource, Login.jsp, j_security_check and Error.html; the request/response arrows are numbered 1-9 as in the list above]

    Steps to set up Form-based Authentication

    Set up usernames, passwords and roles (realms)

    Tell the web container that the technique in use is Form-based authentication

    Create the login page

    Create the login-failure error page

    Specify which URLs (web resources) need access control (password-protected)

    Specify which URLs are served only over SSL (data integrity & confidentiality protected)

    Step 1: Set up usernames, passwords and roles (realms)

    As in Basic authentication

    Step 2: Instruct the web container to use Form-based authentication

    In the web application's web.xml file:

    ...
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>realm name</realm-name>
        ...
    </login-config>
    ...

    Step 3: Create the login page

    Can be an HTML or a JSP page

    Contains the following HTML form:

    Step 4: Create the login-failure page

    Can be an HTML or a JSP page

    Any content

    Step 5: Specify which URLs are access-controlled (as in Basic Auth)

    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/loadpricelist</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>executive</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
    </login-config>
    ...

    Step 6: Specify the resources (URLs) that require SSL (as in Basic Auth)

    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/loadpricelist</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
    </login-config>
    ...

    Basic vs. Form-based Authentication

    Basic:

    Uses browser provided dialog box to get username and password

    Only username and password can be collected

    Might result in different look and feel

    HTTP Authentication header is used to convey username and password

    No good way to enter a new user name

    Form-based:

    Uses web application provided login page to get username and password

    Custom data can be collected

    Can enforce consistent look and feel

    Form data is used to convey username and password

    Can enter a new user name via login page

    3.3. Realm management

    Realm management

    Manages the users' identity information

    Usernames, passwords, roles, ...

    In encrypted form or not

    Depends on the container and its operational environment

    Tomcat

    Flat file based, RDBMS, LDAP

    GlassFish App Server

    Security Roles

    Security roles are used for access control (both declarative & programmatic)

    They are abstract roles, unrelated to the operating system's usernames, passwords or groups

    When the application is deployed, the abstract security roles must be mapped to the actual usernames, passwords and groups of the operating system

    In practice, an external security realm database (e.g. LDAP) may be shared by the Web application and the operating system

    Example: the Tomcat default

    /config/tomcat-users.xml

    Unencrypted form: not secure, but easy to set up and maintain

    The Tomcat default

    The flat-file based realm is stored in

    /config/tomcat-users.xml

    It can be changed in two ways

    Manually

    Using the admin tool

    Example: the Tomcat admin tool

    GlassFish Admin Console

    3.4. Protecting passwords in transit for Basic & Form-based authentication

    Protecting passwords

    With Basic & Form-based authentication, unless explicitly specified otherwise, the password is transmitted unencrypted (Base64)

    Declare protection for the password the same way as for other data:

    If the value CONFIDENTIAL or INTEGRAL is chosen in <transport-guarantee> (child of <user-data-constraint>), the constraint is applied to every request matching the URL patterns defined in <web-resource-collection> (not only the login), using SSL

    Note: SSL protection applies to all transmitted data, including the password

    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/loadpricelist</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
    </login-config>
    ...

    3.5. Guidelines for implementing security at the Web tier

    Switching between SSL and non-SSL for Web resources

    Once switched to SSL mode, do not accept non-SSL requests within the session

    Because the session ID is not encrypted, an impersonator could carry out transactions involving sensitive data (e.g. credit card numbers)

    Use a Servlet filter to reject all non-SSL requests
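The filter the slide recommends, written here as an added example that is not part of the lecture's material: it uses the Servlet API's request.isSecure() to refuse any request the container did not receive over SSL/TLS and, as this example's own design choice rather than anything the slide prescribes, invalidates a session whose ID has just been seen in clear text. The class name, the 403 status and the "SSL required" message are assumptions of the example.

```java
// Added example (not from the lecture): reject every non-SSL request so a
// session established over SSL cannot be continued over plain HTTP.
// Assumes the javax.servlet API the lecture targets.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class RequireSslFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only when the container received this request over
        // HTTPS. A plain-HTTP request is refused even if it carries a valid
        // session cookie, so the session ID cannot be replayed over an
        // unencrypted channel.
        if (!request.isSecure()) {
            // Design choice of this example: the session ID has now travelled in
            // clear text, so the session is discarded and the user must log in again.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL required");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Register the filter in web.xml with a <filter> and a <filter-mapping> whose <url-pattern> covers the same URLs as the <security-constraint> carrying CONFIDENTIAL, so the check runs before the protected servlet does.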

    SSL is expensive

    Use SSL only for the Web resources that need security

    Demo example:

    Download the source code from:

    http://archive.moreservlets.com/Chapter7.html

    2 examples, using Basic Auth and Form-based Auth

    hotdotcom-internal.war

    hotdotcom.war

    Add the appropriate usernames and roles (the ones used in the code) to the Tomcat environment (tomcat-users.xml)

    Restart Tomcat

    Basic Authentication Demo

    hotdotcom-internal.war

    Financial plan page: for all employees

    Business plan page: for all executives

    Employee compensation plan: available to all employees

    Try accessing an access-controlled page

    Try entering a fake username & password

    Try entering a correct username & password, but of a user who lacks the permission (has no suitable role)

    Basic Authentication Demo

    http://archive.moreservlets.com/Chapter7.html

    Accessing an access-controlled page with a fake username

    Accessing access-controlled pages with a correct account

    Form-based Authentication

    Custom login page

    Custom error page

    3.6. Client authentication using certificate-based authentication

    Why certificate-based authentication?

    Username/password authentication cannot be used for program-to-program authentication

    Certificates can be used to identify end users, commercial organizations, servers or software entities

    A username/password pair does not provide strong assurance

    A certificate can carry more than just a username and password

    Certificate-based authentication

    Client authentication

    The server verifies the client's identity

    Server authentication

    The client verifies the server's identity

    Done transparently in the SSL handshake between the browser and the web server

    Mutual authentication

    Both server and client verify each other's identity

    Certificate format

    The standard certificate format is X.509

    X.509 specifies only the format of a certificate, not how certificates are exchanged

    SSL specifies how certificates are exchanged

    Client authentication using certificate-based authentication

    The client is authenticated by sending its client certificate to the Web server

    When the server also authenticates itself to the client, this is called mutual authentication

    Every client (browser) must have its own certificate

    Therefore it is not as widespread as Basic & Form-based authentication

    Uses SSL over HTTP (HTTPS)

    Instructing the web container to use Client-Cert authentication

    In the web application's web.xml file

    ...
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>realm name</realm-name>
    </login-config>
    ...

    3.7. Digest Authentication

    Digest Authentication

    The user name and password are converted to a digested form before being sent to the server

    The original password cannot be recovered from the digested value

    Changing even a single bit of the original password changes the digested value

    The user name and password are not exposed in transit, even without an SSL connection

    The server compares the received digested value with the one it holds; if they match, authentication succeeds
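An added example, not from the lecture, that carries out the computation the slide describes for the simplest RFC 2617 form of HTTP Digest (no qop): the client hashes username, realm and password with MD5 together with the server's nonce and the request, and the server recomputes the same value from the credential it stores and compares. The user, realm, nonce, password and URI values are constructed sample data.

```java
// Added example (not from the lecture): client-side response computation and
// server-side verification for RFC 2617 Digest without qop.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestCheck {

    /** Lower-case hex MD5, the hash RFC 2617 Digest is defined over. */
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /** What the client sends: MD5(HA1 ":" nonce ":" HA2); the password itself never leaves the client. */
    static String expectedResponse(String user, String realm, String password,
                                   String nonce, String method, String uri) {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    /** Server side: recompute from the stored credential and compare in constant time. */
    static boolean verify(String user, String realm, String storedPassword,
                          String nonce, String method, String uri, String received) {
        String expected = expectedResponse(user, realm, storedPassword, nonce, method, uri);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     received.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values: the nonce would come from the server's 401 challenge.
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String response = expectedResponse("mufasa", "testrealm", "Circle Of Life",
                                           nonce, "GET", "/dir/index.html");
        System.out.println("client response : " + response);
        System.out.println("correct password: " + verify("mufasa", "testrealm", "Circle Of Life",
                                                          nonce, "GET", "/dir/index.html", response));
        // One character of the password differs: the whole digest changes and verification fails.
        System.out.println("wrong password  : " + verify("mufasa", "testrealm", "Circle Of Lifd",
                                                          nonce, "GET", "/dir/index.html", response));
    }
}
```

Because HA1 = MD5(user:realm:password) is all the server needs, a realm may store HA1 instead of the cleartext password; that is what lets the server do the "compare digested values" step on the slide without holding passwords. The nonce must be fresh per challenge, since a reused nonce allows a captured response to be replayed even though the password is never transmitted.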

    Instructing the web container to use Digest authentication

    In the web application's web.xml file

    ...
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>realm name</realm-name>
    </login-config>
    ...

    3.8. Programmatic authentication at the Web tier

    Programmatic authentication at the Web tier

    The Web application performs authentication itself

    More customizable (but the customization usually brings little benefit)

    Rarely used in practice

    Steps

    Check whether an Authorization header is present

    Decode the username & password (they are Base64-encoded)

    Check the username/password pair

    If correct, proceed to access control

    If access is permitted, return the requested page

    Otherwise, return an appropriate notification page

    If not (authentication failed), ask for the username & password again

    Checking whether the Authorization header is present

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Check if authentication header is present in
        // HttpServletRequest. If not, ask for it.
        String authorization = request.getHeader("Authorization");
        if (authorization == null) {
            askForPassword(response);
        } else {
            ...


    Decoding the username and password

    if (authorization == null) {
        askForPassword(response);
    } else {
        // Skip the "Basic " prefix (6 characters); the rest is Base64("user:password")
        String userInfo = authorization.substring(6).trim();
        // sun.misc.BASE64Decoder is JDK-internal; java.util.Base64 is the public replacement since Java 8
        BASE64Decoder decoder = new BASE64Decoder();
        String nameAndPassword = new String(decoder.decodeBuffer(userInfo));
        // The decoded value has the form user:password
        int index = nameAndPassword.indexOf(":");
        String user = nameAndPassword.substring(0, index);
        String password = nameAndPassword.substring(index + 1);
        ...

    If authentication succeeds, return the requested page; otherwise ask for a new username & password

    if (authorization == null) {
        askForPassword(response);
    } else {
        ...
        // If authentication succeeds, return page.
        // Otherwise, ask for correct username & password
        if (areEqualReversed(user, password)) {
            showStock(request, response);
        } else {
            askForPassword(response);
        }
    }
    }
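The lecture's doGet, rewritten as an added example (not the lecture's code) with the points a reviewer would raise: java.util.Base64 replaces the JDK-internal sun.misc.BASE64Decoder; a header that is not a Basic header, invalid Base64, and a decoded value with no ':' separator (where the lecture's substring(0, -1) would throw) are handled; the password comparison is constant-time; and the credentials are looked up in a stand-in map of constructed sample data instead of the demo's areEqualReversed check. askForPassword and showStock are the lecture's helper names, given bodies here as assumptions, and the realm name "stock" is also an assumption.

```java
// Added example (not the lecture's code): programmatic Basic authentication
// with the malformed-input cases handled.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthServlet extends HttpServlet {

    // Stand-in for the realm (constructed sample data). A real deployment would
    // consult tomcat-users.xml, a JDBCRealm or LDAP and store hashed passwords.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "s3cret");
    }

    /** Returns {user, password} from a "Basic base64(user:password)" header, or null if malformed. */
    static String[] parseBasic(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;                         // absent, or a different scheme (e.g. Digest)
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {   // not valid Base64
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;                         // no separator: the lecture's code would throw here
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Credential check that does not leak the position of the first mismatch through timing. */
    static boolean credentialsValid(String user, String password) {
        String stored = USERS.get(user);
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String[] cred = parseBasic(request.getHeader("Authorization"));
        // Same response for "no header", "malformed header" and "wrong password":
        // a 401 with a challenge, so the browser shows its login dialog.
        if (cred == null || !credentialsValid(cred[0], cred[1])) {
            askForPassword(response);
            return;
        }
        showStock(response, cred[0]);
    }

    private void askForPassword(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"stock\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    private void showStock(HttpServletResponse response, String user) throws IOException {
        response.setContentType("text/plain");
        response.getWriter().println("stock page for " + user);
    }
}
```

As the slides note for Basic authentication, the header is only Base64-encoded, so this servlet still needs the CONFIDENTIAL transport guarantee or the SSL filter from section 3.5 in front of it.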

    4. Authorization (access control)

    4 types of Authorization (access control) in J2EE

    Web tier & EJB tier

    Can be used together

    Declarative & Programmatic

    4 types:

    Declarative access control at the Web tier

    Programmatic access control at the Web tier

    Declarative access control at the EJB tier

    Programmatic access control at the EJB tier

    Web-tier vs. EJB-tier

    Web-tier:

    (D) Access control to Web resources

    (D) Declared in web.xml

    (D) Enforced by web container

    (P) Coded in servlet or JSP

    EJB-tier:

    (D) Access control to bean methods

    (D) Declared in EJB deployment descriptor

    (D) Enforced by EJB container

    (P) Coded in EJB bean

    (D): Declarative, (P): Programmatic access control

    Declarative vs. Programmatic

    Declarative:

    Access control is declared in deployment descriptor

    Container handles access control

    Does not handle fine-grained access control, it is all or nothing deal

    Programmatic:

    Access control is coded in your program

    Your code handles access control

    Can handle fine-grained access control, i.e. instance-based or business logic based access control

    4.1. Declarative access control at the Web tier

    Steps for declarative access control at the Web tier

    The deployer maps real user identities to security roles (e.g. /config/tomcat-users.xml)

    The deployer declares the security roles in web.xml

    The deployer declares the URL permissions for each security role in web.xml

    (Already presented in the previous section!)

    4.2. Programmatic access control at the Web tier

    Declarative & programmatic access control

    Usually used together

    Declarative: role-based access control

    Programmatic: access control based on the individual user and on business logic

    User instance

    Time of day

    Request parameters

    Internal state of the web components
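An added example, not from the lecture, of programmatic access control that combines the container's role check with the business-logic conditions the slide lists: the user instance, the time of day and a request parameter. The servlet, the "manager"/"employee" role names, the employeeId parameter and the business hours are assumptions made for the illustration.

```java
// Added example (not from the lecture): role-based plus business-logic access
// control inside a servlet, on top of the container's authentication.
import java.io.IOException;
import java.security.Principal;
import java.time.Clock;
import java.time.LocalTime;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PayrollServlet extends HttpServlet {

    private static final LocalTime OPEN = LocalTime.of(8, 0);    // assumed business hours
    private static final LocalTime CLOSE = LocalTime.of(18, 0);
    private Clock clock = Clock.systemDefaultZone();             // internal state; replaceable in tests

    /** Decides whether the authenticated caller may view the record named by employeeId right now. */
    boolean mayView(HttpServletRequest request, String employeeId) {
        Principal caller = request.getUserPrincipal();
        if (caller == null) {
            return false;                                        // declarative auth never ran: deny
        }
        if (request.isUserInRole("manager")) {
            return true;                                         // role-based: managers see every record
        }
        if (!request.isUserInRole("employee")) {
            return false;
        }
        // instance-based: an employee sees only his/her own record ...
        if (!caller.getName().equals(employeeId)) {
            return false;
        }
        // ... and only during business hours (time-of-day condition)
        LocalTime now = LocalTime.now(clock);
        return !now.isBefore(OPEN) && now.isBefore(CLOSE);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String employeeId = request.getParameter("employeeId");  // request parameter drives the decision
        if (employeeId == null || !mayView(request, employeeId)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // 403 instead of a stack trace
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("payroll record " + employeeId);
    }
}
```

The declarative part still matters: a <security-constraint> on the servlet's URL is what guarantees getUserPrincipal() is non-null and the roles are populated before this code runs.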

    Steps for programmatic access control at the Web tier

    Set up usernames, passwords and roles (realms)

    The developer writes the Servlet code implementing the access-control logic, using abstract security roles

    In web.xml, the deployer maps the abstract security roles to the actual roles (e.g. Tomcat's flat file based, RDBMS or LDAP realm)

    Step 2: The developer writes the Servlet code handling access control

    // in package javax.servlet.http
    public interface HttpServletRequest {
        ...
        // Find out who is accessing your web resource
        public java.security.Principal getUserPrincipal();
        public String getRemoteUser();
        // Is the caller in a particular role?
        public boolean isUserInRole(String role);
        ...
    }


    Example: employees may only access their own salary information

    public double getSalary(HttpServletRequest request, String employeeId) {
        java.security.Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal == null) {
            throw new SecurityException("not authenticated");   // no principal: the caller never logged in
        }
        String callerId = userPrincipal.getName();
        // manager role can read employee salary information
        // employee can read only his/her own salary information
        if (request.isUserInRole("manager") ||
            (request.isUserInRole("employee") && callerId.equals(employeeId))) {
            // return salary information for the employee
            return getSalaryInformationSomehow(employeeId);
        } else {
            throw new SecurityException("access denied");
        }
    }

    Step 3: The deployer maps the abstract security roles to the actual roles

    ...
    <servlet>
        ...
        <security-role-ref>
            <role-name>manager</role-name>          <!-- name the code passes to isUserInRole("manager") -->
            <role-link>managerOfAcme</role-link>    <!-- security role declared for this deployment -->
        </security-role-ref>
        ...
    </servlet>