Securing Web Applications with Servlet Security:Part-1
By Suresh Mandalapu on Nov 03, 2009
The purpose of this blog is to give a brief idea, to the readers, about securing web applications with servlet security.
According to Servlet Spec 3.0 , the servlet security is divided into 4 concepts,
iv) Data Integrity(or Data Privacy)
1)Authentication: This is the process of verification about the client that he /she is actually the person who he/she is claiming .They are 4 types of authentication mechanisms which are
i) HTTP Basic Authentication:The basic credentials to authenticate an user is by his/her username and password. The user should produce his/her
username and password to authenticate themselves to access a web service resource.
How it works? when the user requests for a restricted resource , the server find that it is a restricted resource and so requests for authentication(username and password).When the user sends his username/password , server checks the credentials given by user against a secure database called realm.After conforming , the sever sends back the response . for ex: the Tomcat 6.0.18 's realm( user's database) is in conf/tomcat-users.xml file and looks like
<user username="tomcat" password="tomcat" roles="guest"/>
<user username="suresh" password="mandalapu" roles="member,guest"/>
<user username="Sun" password="xwss" roles="manager"/>
The adavantage of this authentication is it is easy to implement and all browsers support it, but the disadvantage is it is not secure because the username/password are not encrypted
ii) HTTP Digest Authentication:The Digest authentication is the same as Basic except that in this case, the password is sent in an encrypted format. This makes it more secure.
How it works? same as basic authnetication
The disadvatage of this authentication is that it is not supported by many servlet containers since the specification does not mandate it.It is not supported by many browsers also.
iii) HTTPS Client cert authentication: HTTPS is HTTP plus secure socket layer.In this method the authentication is performed when the SSL connection is established between the browser and the server. All the data is transmitted in the encrypted form using public-key cryptography, which is handled by the browser and the servlet container
How it works? first ssl is configured between client and server. and the must must have a certificate produced by organizations such as Verizon
iv) FORM based authentication: This is same as basic authentication
How it works? Instead of browser's pop up box , the developers should write an html form to capture username and password . the form action should be j_security_check and the username and password names should be j_username and j_password.
The disadvantage of this method is it not secure, since the username/password are not encrypted
How to implement the above authentication mechanisms?
To implement any of above 4 mechanisms we have to configure then authentication type the Deployment Descriptor (web.xml) of the web application using the <login-config> tag as shown below
The 4 possiable values are BASIC,DIGEST,CLIENT-CERT,FORM
If it is form based authentication then we do not need to specify the realm name
<!--realm-name not required for FORM based authentication -->
For detailed discussion on how container implements FORM based auth. see se. 13.6.3 of the spec 3.0.These are the 4 authentication mechanisms that servlet 3.0 spec. follows..
2) Authorization: Authorization is the process of determining whether the user is permitted to certain resouces that he/she has requested.For ex: for accesing our bank account we need to authenticate ourselves(authentication), but we are not allowed to access some other's account details(we are not Authorised)
Authorization is just maintaing access control!!
The implementation of authorization will be discussed in part-2
3) Confidentiality: is nothing but ensuring that the information is accessed by only intended receipents.This looks similar to authorization but the difference between them is that authorization prevents the information from reaching(accessing) unintended parties , while confidentiality ensures that even if the information falls into the wrong hands, it cannot be usuable for them.
4) Data Integrity: this gives guartantee that the information or data has not been changed by somebody while it is in the transmission between client and server. Data integrity is usually ensured by sending a hashcode or signature of the data along with the data. At the receiving end, the data and its hashcode
are verified.If the data and its hash code are same on the other side also, then we can conform that integrity is maintained ,if they are not the same then some body in between the network might have changed the data so the server has to reject the request.
How to implement Confidentiality and Data Integrity? we have to write <transport-guarantee> tag in the DD(web.xml) as shown below
The legal values are NONE,CONFIDENTIAL,INTEGRAL
NONE------> this is default value which means there is no data protection
CONFIDENTIAL----->the data must not be seen bt anybody in the transmission
INTEGRAL------>the data must not be changed along the transport
we will see the implementation of servlet security and securing web applications declaratively and programmetically in part-2