Java Network Security
Overview

Paul Flynn

21 Sep 2005

(uploaded 20 Nov 2013)


Overview

Authentication
BASIC Example
Forms Example
JAAS Usage
Using SSL
Generate a certificate
Deploy on Tomcat
Demo
Crypto Overview

Basic

Works like .NET basic authentication
Specify the user database in an XML file
Can use the Tomcat manager to handle users
Specify in web.xml

Basic

<web-app>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/testbasic.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>dbadmin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected JPG</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>*.jpg</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>dbadmin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Exclude Gifs</display-name>
    <web-resource-collection>
      <web-resource-name>Gifs ok</web-resource-name>
      <url-pattern>*.gif</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>dbadmin</role-name>
  </security-role>

</web-app>

Forms

Designated in web.xml
Form action = "j_security_check"
Username parameter = "j_user_name"
Password parameter = "j_password"
Designate a login page and an error page


<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected JPG</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>*.jpg</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <display-name>Exclude Gifs</display-name>
  <web-resource-collection>
    <web-resource-name>Gifs ok</web-resource-name>
    <url-pattern>*.gif</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Forms test</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
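As an added example (not part of the original slides), this is the minimal login.jsp that the form-login-config above points at. The Servlet specification fixes the parameter names as j_username and j_password and the action as the context-relative j_security_check; a form posting the slide's j_user_name would not be recognised by the container. No other assumptions are made.

```jsp
<%-- Added example: login page for FORM authentication. The container
     intercepts the POST to j_security_check, checks j_username /
     j_password against the realm, then redirects to the page that was
     originally requested (or to /error.jsp on failure). --%>
<html>
  <head><title>Login</title></head>
  <body>
    <form method="POST" action="j_security_check">
      <label>Username: <input type="text" name="j_username" autocomplete="username"></label><br>
      <label>Password: <input type="password" name="j_password" autocomplete="current-password"></label><br>
      <input type="submit" value="Log in">
    </form>
  </body>
</html>
```

The action is deliberately relative (no leading slash) so the page works under any context path; the form must use POST so the credentials travel in the body rather than in the URL and server logs, and the page should only be served over the HTTPS connector configured later in the deck.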

JAAS

Plug-in, very flexible
Very hard to configure
Tomcat?
Application servers
JBoss

JAAS

Subclass LoginModule
initialize(), login(), commit(), abort(), logout()
Declare a JAAS config file:

WebLogin {
    com.jspservletcookbook.DataSourceLoginModule requisite;
};
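The following is an added example, not code from the slides or from the jspservletcookbook module they name: a complete LoginModule showing the five methods listed above and the two-phase contract behind them. It implements the javax.security.auth.spi.LoginModule interface (there is no class to subclass), and the class name TableLoginModule and its in-memory credential table are assumptions; the slide's DataSourceLoginModule would consult a database instead.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical module name (added example). A real module would look
// credentials up in a DataSource and store password hashes, not plaintext.
public class TableLoginModule implements LoginModule {

    // Constructed sample credentials for the example only.
    private static final Map<String, byte[]> USERS = Map.of(
            "paul", "s3cret".getBytes(StandardCharsets.UTF_8));

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;   // outcome of login(), read by commit()/abort()
    private Principal principal; // added to the Subject by commit()

    /** Minimal Principal carrying the authenticated user name. */
    private static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: obtain credentials via the CallbackHandler and verify them. */
    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        user = nameCb.getName();
        char[] supplied = passCb.getPassword();
        passCb.clearPassword();
        if (user == null || supplied == null) {
            throw new FailedLoginException("username and password are required");
        }
        byte[] given = new String(supplied).getBytes(StandardCharsets.UTF_8);
        Arrays.fill(supplied, '\0');
        byte[] expected = USERS.get(user);
        // MessageDigest.isEqual is a constant-time comparison, so the check
        // does not leak how many leading bytes of the password matched.
        succeeded = expected != null && MessageDigest.isEqual(expected, given);
        Arrays.fill(given, (byte) 0);
        if (!succeeded) {
            throw new FailedLoginException("bad username or password");
        }
        return true;
    }

    /** Phase 2, success path: every module in the stack passed, so attach the Principal. */
    @Override
    public boolean commit() {
        if (!succeeded) return false;
        principal = new UserPrincipal(user);
        subject.getPrincipals().add(principal);
        return true;
    }

    /** Phase 2, failure path: another module failed, so discard our state. */
    @Override
    public boolean abort() {
        if (!succeeded) return false;
        logout(); // removes any Principal already committed and clears state
        return true;
    }

    @Override
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        user = null;
        succeeded = false;
        return true;
    }
}
```

Wire it in with a config file entry of the same shape as the slide's (for example `WebLogin { TableLoginModule required; };`), point the JVM at that file with -Djava.security.auth.login.config=, and drive it with `new LoginContext("WebLogin", callbackHandler).login()`. The LoginContext calls login() on every module in the stack first and only then commit() on all of them, or abort() on all of them if the stack as a whole failed, which is why login() must not add the Principal itself.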


Generate Certificate for SSL

Use the "keytool" command
Alternatively, use a certificate from a provider

> keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
  [Unknown]: Paul Flynn
What is the name of your organizational unit?
  [Unknown]: CS872
What is the name of your organization?
  [Unknown]: ODU
What is the name of your City or Locality?
  [Unknown]: Norfolk
What is the name of your State or Province?
  [Unknown]: VA
What is the two-letter country code for this unit?
  [Unknown]: VA
Is CN=Paul Flynn, OU=CS872, O=ODU, L=Norfolk, ST=VA, C=VA correct?
  [no]: yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):
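As an added example (not from the slides), the program below opens the keystore that the keytool session above writes (keytool's default file is ~/.keystore when no -keystore option is given) and checks the "tomcat" entry the way one would before enabling the HTTPS connector: subject, validity period, key size, and that the private key is actually recoverable with the password Tomcat will be given. The path, alias and password are taken from the transcript and are assumptions. One thing such a check makes visible: the transcript answers the country-code prompt with VA, which ISO 3166 assigns to the Holy See, whereas the code for the United States is US.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

// Added example: sanity-check the keystore entry produced by "keytool -genkey -alias tomcat".
public class CheckTomcatCert {

    // Assumptions matching the transcript above.
    private static final String KEYSTORE = System.getProperty("user.home") + File.separator + ".keystore";
    private static final String ALIAS = "tomcat";
    private static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        // getDefaultType() is JKS on old JDKs and PKCS12 on current ones; current
        // JDKs read a JKS file through a PKCS12 KeyStore in compatibility mode.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }

        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias '" + ALIAS + "'");
        }
        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Issuer  : " + cert.getIssuerX500Principal());
        System.out.println("Valid   : " + cert.getNotBefore() + " .. " + cert.getNotAfter());
        cert.checkValidity(); // throws CertificateExpiredException / NotYetValidException

        // keytool -genkey produces a self-signed certificate: browsers will warn
        // until it is replaced by one issued by a CA (the "provider" on the slide).
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        System.out.println("Self-signed: " + selfSigned);

        RSAPublicKey pub = (RSAPublicKey) cert.getPublicKey();
        int bits = pub.getModulus().bitLength();
        System.out.println("RSA key size: " + bits + " bits");
        if (bits < 2048) {
            System.out.println("WARNING: RSA keys shorter than 2048 bits are rejected by modern clients");
        }

        // Tomcat needs the private key, not just the certificate, and it must open
        // with the key password (the transcript reuses the keystore password).
        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException("'" + ALIAS + "' is not a private-key entry");
        }
        ks.getKey(ALIAS, PASSWORD); // throws UnrecoverableKeyException if the key password differs
        System.out.println("OK: private key and certificate present under alias '" + ALIAS + "'");
    }
}
```

Run it once after the keytool session and again after swapping in a CA-issued certificate; a wrong key password or a missing private key shows up here as an exception rather than as a connector that silently fails to start.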

Enable Tomcat Connector

Simply uncomment the provided Connector in server.xml:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" />
</Connector>


Cookies and Sessions

See examples:

Cookies - http://localhost:8080/examples/servlet/CookieExample
Sessions - http://localhost:8080/examples/servlet/SessionExample

Signing Jars

Make a certificate (as for SSL)
Use jarsigner

Jarsigner

jarsigner -keystore myKeystore test.jar mycert
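As an added example (not from the slides), this program does on the consuming side what jarsigner -verify does on the command line: it reads every entry of test.jar with signature verification enabled and reports who signed each one, so a deployment check can refuse jars with unsigned or tampered entries. The jar path is an assumption. JarFile only checks that each entry's digest and signature are consistent with the certificate embedded in the jar; whether that certificate should be trusted is a separate decision, which is why a jar signed with the self-signed keytool certificate verifies here even though jarsigner -verify warns that the certificate chain cannot be validated.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: verify the signatures on a jar produced by "jarsigner -keystore myKeystore test.jar mycert".
public class VerifyJar {

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "test.jar"; // assumed default
        int unsigned = 0;

        // The second argument turns on signature verification while entries are read.
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed entries
                }

                // Digest and signature checks happen as the bytes stream past; an
                // entry whose contents no longer match its digest throws SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }

                // Only available after the entry has been fully read; null if unsigned.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    unsigned++;
                    System.out.println("UNSIGNED  " + entry.getName());
                    continue;
                }
                X509Certificate leaf = (X509Certificate)
                        signers[0].getSignerCertPath().getCertificates().get(0);
                System.out.println("signed    " + entry.getName()
                        + "  by " + leaf.getSubjectX500Principal());
            }
        }

        if (unsigned > 0) {
            System.out.println(unsigned + " unsigned entries; a policy that requires signed code should reject this jar");
            System.exit(1);
        }
        System.out.println("all entries signed and intact");
    }
}
```

To turn this into a real trust check, compare the printed signer certificate against the one exported from myKeystore (keytool -export) rather than accepting any signer, since a jar re-signed with a different self-signed key verifies just as cleanly.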