Java Network Security

Nov 20, 2013

Paul Flynn
21 Sep 2005

Overview
Authentication
BASIC Example
Forms Example
JAAS Usage
Using SSL
Generate a certificate
Deploy on Tomcat
Demo
Crypto Overview

Basic
Works like .NET basic authentication
Specify the user database in an XML file
Can use the Tomcat manager to handle users
Specify in web.xml

Basic

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/testbasic.html</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>dbadmin</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected JPG</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>*.jpg</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>dbadmin</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <display-name>Exclude Gifs</display-name>
  <web-resource-collection>
    <web-resource-name>Gifs ok</web-resource-name>
    <url-pattern>*.gif</url-pattern>
  </web-resource-collection>
  <!-- No auth-constraint here: .gif resources stay accessible to everyone -->
</security-constraint>

<!-- Login configuration uses BASIC authentication against the named realm -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>dbadmin</role-name>
</security-role>
</web-app>

Forms

Designated in web.xml
Action = “j_security_check”
Username parameter = “j_username”
Password parameter = “j_password”
Designate a login page and an error page


<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected JPG</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>*.jpg</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <display-name>Exclude Gifs</display-name>
  <web-resource-collection>
    <web-resource-name>Gifs ok</web-resource-name>
    <url-pattern>*.gif</url-pattern>
  </web-resource-collection>
  <!-- No auth-constraint here: .gif resources stay accessible to everyone -->
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Forms test</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
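The BASIC and FORM constraints above are enforced by the container before a request reaches any code. As an added example, not from the slides, this hypothetical ProtectedServlet shows the programmatic checks that complement them: getRemoteUser() and isUserInRole() against the dbadmin role from the web.xml examples, getAuthType() (which reports BASIC or FORM from the login-config), and isSecure() for the SSL connector set up later in the deck. It assumes the javax.servlet API that Tomcat provides.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet behind one of the protected <url-pattern>s above
public class ProtectedServlet extends HttpServlet {
    static final String REQUIRED_ROLE = "dbadmin";   // the role granted in the web.xml examples

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The <auth-constraint> should already have enforced this; re-checking in code
        // covers a path the <url-pattern> does not match (matching is exact and case-sensitive)
        if (req.getRemoteUser() == null || !req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // BASIC sends the password base64-encoded on every request, so require the SSL connector;
        // the declarative equivalent is a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user: " + req.getRemoteUser());
        out.println("auth-method: " + req.getAuthType());  // "BASIC" or "FORM", from <login-config>
        out.println("session: " + req.getSession().getId());
    }
}
```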

JAAS

Plug-in architecture, very flexible
Very hard to configure
Tomcat ?
Application Servers
JBoss

JAAS

Implement the LoginModule interface
initialize(), login(), commit(), abort(), logout()
Declare a JAAS config file:

WebLogin {
    com.jspservletcookbook.DataSourceLoginModule requisite;
};
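A minimal LoginModule implementing the five methods just listed, as an added example: the DemoLoginModule is hypothetical (it stands in for the cookbook's DataSourceLoginModule named in the WebLogin entry) and checks a constructed dbadmin/changeit credential instead of querying a DataSource. The two-phase split is the point: login() only verifies, and the Subject is touched only in commit(), after every module in the stack has succeeded, or cleaned up in abort() if one did not.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical stand-in for com.jspservletcookbook.DataSourceLoginModule
public class DemoLoginModule implements LoginModule {
    private static final String DEMO_USER = "dbadmin";   // constructed demo credential; a real
    private static final byte[] DEMO_PW = "changeit".getBytes(StandardCharsets.UTF_8); // module queries a DataSource
    private Subject subject;
    private CallbackHandler handler;
    private String pendingUser;   // set by login(), consumed by commit()
    private Principal principal;  // what commit() adds to the Subject
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {  // phase 1: verify only, Subject untouched
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        char[] pw = pc.getPassword(); pc.clearPassword();
        byte[] given = pw == null ? new byte[0] : new String(pw).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares in constant time
        if (!DEMO_USER.equals(nc.getName()) || !MessageDigest.isEqual(given, DEMO_PW))
            throw new FailedLoginException("bad user name or password");
        pendingUser = nc.getName();
        return true;
    }
    public boolean commit() {  // phase 2: every module in the stack succeeded, attach the identity
        if (pendingUser == null) return false;
        String name = pendingUser;
        principal = () -> name;   // Principal has one abstract method, so a lambda works
        subject.getPrincipals().add(principal);
        return true;
    }
    public boolean abort() { pendingUser = null; principal = null; return true; }  // another module failed
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null; pendingUser = null; return true;
    }
}
```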


Generate Certificate for SSL

Use the “keytool” command
Alternatively, use a certificate from a provider

> keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
  [Unknown]: Paul Flynn
What is the name of your organizational unit?
  [Unknown]: CS872
What is the name of your organization?
  [Unknown]: ODU
What is the name of your City or Locality?
  [Unknown]: Norfolk
What is the name of your State or Province?
  [Unknown]: VA
What is the two-letter country code for this unit?
  [Unknown]: VA
Is CN=Paul Flynn, OU=CS872, O=ODU, L=Norfolk, ST=VA, C=VA correct?
  [no]: yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):

Enable Tomcat Connector

Simply uncomment the provided Connector in server.xml

<!-- keystoreFile and keystorePass default to ~/.keystore and "changeit",
     which is where the keytool session above stored the "tomcat" key -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" />
</Connector>


Cookies and Sessions

See examples:
Cookies - http://localhost:8080/examples/servlet/CookieExample
Sessions - http://localhost:8080/examples/servlet/SessionExample

Signing Jars

Make a certificate (like for SSL)
Use jarsigner:

jarsigner -keystore myKeystore test.jar mycert