SECTION 6: DESIGNING AND DEVELOPING SECURE WEB APPLICATIONS

Section 6
6.1 Identify correct descriptions or statements about the security issues: Authentication, authorization Data integrity Auditing Malicious code Web site attacks
6.2 Identify the deployment descriptor element names, and their structure, that declare the following: A security constraint A Web resource The login configuration A security role
6.3 Given an authentication type: BASIC, DIGEST, FORM, and CLIENT-CERT, identify the correct definition of its mechanism.

Section 6 - Designing and Developing Secure Web Applications

6.1 Identify correct descriptions or statements about the security issues:

1. Authentication, authorization
   • Authentication: The act of determining the identity of the requesting entity is known as authentication.
     • HTTP basic authentication
       The Web server authenticates a principal(an entity that can be authenticated) using the user name and password obtained from the Web Client.
     • form-based authentication
       The Web container provides an application-specific form for logging in. (using cookies to authenticate users and allows the app to do its own credential verification.)
     • HTTP digest authentication
       A Web client authenticates to a Web server by sending the server a message digest along with its HTTP request message The digest is computed by employing a one-way hash algorithm to a concatenation of the HTTP request message and client's password.
     • Certificate authentication
       The client uses a public key certificate to establish its identity and maintains its own security context.
     • HTTPS mutual authentication
       The proof is bidirectional. The client and server use X.509 certificates to establish their identity.
     • Hybrid authentication
       Combining several available authentications.
     • Lazy authentication:
       Caller authentication performed on the first access to a protected resource.
     • Authentication Configuration:

             <web-app>
                 <login-config>
                     <auth-method> BASIC </auth-method>
                     <realm-name> jpets </realm-name>
                 </login-config>
             </web-app>
             
             -------------
             <web-app>
                  <login-config>
                       <auth-method> FORM </auth-method>
                       <form-login-config>
                           <form-login-page> login.jsp </form-login-page>
                           <form-error-page> error.jsp </form-error-page>
                      </form-login-config>
                  </login-config>
             </web-app>
             -------------
             <web-app>
                 <login-config>
                     <auth-method> CLIENT_CERT </auth-method>
                  </login-config>
             </web-app>
            

   • Authorization: After a user presents credentials, such as name/password pair in order to be authenticated, the process of determining whether that identity can access a given resource is known as authorization.
     • Based on the concept of security roles. A security role is a logical grouping of users defined by an application component provider or application assembler.
     • 1. declarative security:
       using method-permission element in the deployment descriptor
       2. programmatic security:
       using EJBContext.isCallerInRole or
       HttpServletRequest.isRemoteUserInRole methods.
     • Limiting access to resources to a select set of users or programs

2. Data integrity
   • The existing data:
     1. relational
     2. object-based
     3. hierarchical
     4. legacy representation
     
   • Face three types of attacks in a distrubuted computing system:
     1. be intercepted and modified
     2. be captured and reused
     3. be monitored by an eavesdropper
   • Being able to verify that the content of the communication is not changed during transmission
   • done in the transport-guarantee subelement of the user-data-constraint subelement of a security-constraint.
   • ensured by attaching a message signature to a message.

3. Auditing
   • The practice of capturing a record of security-related events to hold users or systems accountable for their actions.
   • Keeping a record of resource access that was granted or denied might be useful for audit purposes later. To that end, auditing and logs serve the useful purposes of preventing a break-in or analyzing a break-in postmortem.

4. Malicious code
   

5. Web site attacks
   Face three types of attacks in a distrubuted computing system:
   
   1. be intercepted and modified
      
   2. be captured and reused
      
   3. be monitored by an eavesdropper
   Confidentiality:
   Ensuring that only the parties involved can understand the communication.

6.2 Identify the deployment descriptor element names, and their structure, that declare the following:

1. A security constraint
   lets you designate URLs that should be protected. It goes hand-in-hand with the login-config element. It should come immediately before login-config in web.xml and contains four possible sub-elements.
   1. display-name -- an optional element giving a name for IDEs to use
   2. web-resource-collection -- a required element that specifies the URLs that should be protected. Multiple web-resourse-collection entries are permitted within security-constraint.
   3. auth-constraint -- an optional element that designates the abstract roles that should have access to the URLs.
   4. user-data-constraint -- an optional element that specifies whether SSL is required.

   <web-app> 
     <servlet>
       <servlet-name>secretSalary</servlet-name> 
       <servlet-class>SalaryServer</servlet-class> 
     </sevlet>
     <security-constraint> 
       <web-resource-collection>
          <web-resource-name>protectedResource</web-resource-name>
          <url-pattern>/servlet/SalaryServer</url-pattern> 
          <url-pattern>/servlet/secretSalary</url-pattern>
          <http-method>GET</http-method>  
          <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
          <role-name>manager</role-name>
          <role-name>ceo</role-name>
      </auth-constraint>  NOTE: if no role-name, then not viewable by any user; if role-name = "*" then viewable by all roles
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>  
   </security-constraint>
   

2. A Web resource
   Each security-constraint element must contain one or more web-resource-collection entries.
   The web-resource-name element that gives an arbitrary identifying name, a url-pattern element that identifies the URLs that should be protected, an optional http-method element that designates the HTTP commands to which the protection applies(GET, POST, etc. the default is all methods), and an optional description element providing documentation.

   <security-constraint>
       <web-resource-collection>
          <web-resource-name>Proprietary</web-resource-name>
          <url-pattern>/proprietary/*</url-pattern> 
       </web-resource-collection>
       <web-resource-collection>
          <web-resource-name>Account</web-resource-name>
          <url-pattern>/admin/account.jsp</url-pattern> 
       </web-resource-collection>
        <!-- ... -- >
   </security-constraint>
   

3. The login configuration
   Use the login-config element to control the authentication method. To use form-based authentication, supply a value of FORM for the auth-method sub-element and use the form-login-config subelement to give the locations of the login. and login-failure pages.

   <login-config>
     <auth-method> FORM </auth-method>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/login-error.html</form-error-page>
     </form-login-config>
   </login-config>
   

   All the login page requires is a form with an ACTION of j_security_check, a textfield named j_username, and a password field named j_password. All forms that have password fields should use a METHOD of POST. For example:

   <BODY>
   ...
   <FORM ACTION="j_security_check" METHOD="POST">
   <TABLE>
   <TR><TD>User Name: <INPUT TYPE="TEXT" NAME="j_username">
   <TR><TD>Password: <INPUT TYPE="PASSWORD" NAME="j_password">
   <TR><TH><INPUT TYPE="SUBMIT" VALUE="Log In">
   </TABLE>
   </FORM>
   ...
   </BODY>
   

4. A security role
   The security-role element gives a list of security roles that will appear in the role-name subelements of the security-role-ref element inside the servlet element.

   <servlet>
     <!-- ... -- >
     <security-role-ref>
       <role-name>boss</role-name> <!-- New alias -- >
       <role-link>manager</role-link > <!-- Real name -- >
     </security-role-ref >
   </servlet >
   
   

   Another example:

   <web-app>
     <!-- ... !-->
     <login-config>
       <auth-method>BASIC/DIGEST/FORM/CLIENT-CERT</auth-method>
       <realm-name>Default </realm-name> <!-- optional, only useful for BASIC authentication -->
       <form-login-config>  <!-- optional, only useful for FORM based authentication -->
         <form-login-page>/loginpage.html</form-login-page> 
         <form-error-page>/errorpage.html</form-error-page>
       </form-login-config>
     </login-config>
     <security-role>
       <role-name>manager</role-name>
     </security-role>  not req'd; explicitly declaring the webapp's roles supports tool-based manipulation of the file
   </web-app>
   
   

6.3 Given an authentication type: BASIC, DIGEST, FORM, and CLIENT-CERT, identify the correct definition of its mechanism.

BASIC

• specifies that standard HTTP authentication should be used.
• web server maintains a db of usernames and passwords, and identifies certain web resources as protected. When these are accessed, web server requests username and password; this information is sent back to the server, which checks it against its database; and either allows or denies access.
• Advantage: very easy to set up; useful for low-security environments, e.g. subscription-based online newspaper
• Disadvantage: provides no confidentiality, no integrity, and only the most basic authentication. Transmitted passwords are encoded using easily reversable Base64 encoding, unless additional SSL encryption employed. plus, passwords are often stored on server in clear text

  DIGEST

• indicates that the client should transmit the username and password using the encrypted Digest Authentication form.
• produced by taking a hash of username, password, uri, http method, and a randomly generated nonce value provided by server. Server computes digest as well, and compares with user submitted digest.
• Advantage: transactions are somewhat more secure than with basic authentication, since each digest is valid for only a single uri request and nonce value.
• Disadvantage: server must still maintain a database of the original passwords. Digest authentication is not supported by many browsers

  FORM

• specifies that the server should check for a reserved session cookie and should redirect users who do not have it to a designated login page.
• the login page must include a form with a POST to the URL "j_security_check" with a username sent as j_username and a password j_password.
• any time the server receives a request for a protected resource, the server checks if the user has already logged in, e.g. server might look for Principal object in HttpSession object. If Principal found, then roles are checked against security contraints; if Principal not authorized, then client redirected to
• Advantage: allows users to enter your site through a well-designed, descriptive and friendly login page
• Disadvantage: similar to BASIC, password is transmitted in clear text, unless SSL used No standard logout mechanism (calling session.invalidate() may work for FORM, but no guarantees), would need to close browser Error page does not have access to any special information reporting why access was denied or even which page it should point the user at to try again Relies on server to authenticate, so only captures username and password, not custom fields e.g. PIN #.

  CLIENT-CERT

• the server must use HTTPS(HTTP over SSL) and authenticate users by means of their Public Key Certificate.
• upon accessing a protected resource, the server requests the client's certificate; the client then sends its signed certificate (many browsers require the client user enter a password before they will send the certificate), and the server verifies the certificate. If browser has no certificate, or if it is not authorized, then access is denied.
• Advantage: the client will never see a login page, although the browser may prompt for a password to unlock their certificate before it is sent
• Disadvantages: users must obtain and install signed certificates, servers must maintain a database of all accepted public keys, and servers must support SSL 3.0 in the first place.