27 - JSP Security

27.1 Overview of JSP Security

Security is one of the most important aspects of any web application and cannot be compromised, especially for applications that handle financial transactions.

There are two important aspects of security:

· Preventing unauthorized users from accessing the data.

· Preventing attackers from reading or stealing data while it is in transit.

There are two approaches to securing a web application:

a) Declarative security: no code is written. The protected resources, the roles allowed to reach them and the authentication mechanism are configured in the deployment descriptor (web.xml), and the container enforces them.

b) Programmatic security: the HttpServletRequest object provides methods (getRemoteUser(), getAuthType(), isUserInRole(), and from Servlet 3.0 also login() and logout()) with which the application checks or establishes the user's identity in code.

27.2 Authentication vs Authorization

Authentication is the process of establishing who the user (or calling application) is, based on credentials, whereas authorization is the process of deciding whether that identified user may access a given resource.

Authorization therefore happens after authentication.

27.3 Authentication Mechanisms

The Servlet specification defines four authentication mechanisms:

HTTP Basic authentication is the simplest and most common way to protect resources. When the browser requests a protected resource, the server answers with a 401 challenge and the browser prompts for a username/password; it then repeats the request with the credentials in an Authorization header. Those credentials are only base64-encoded, not encrypted, so anyone who can observe the traffic can recover the password: Basic authentication must only be used over HTTPS. Browsers also keep resending the credentials until the browser is closed, so there is no real "logout".

HTTP Digest authentication is similar to Basic, but the password itself is never sent: the client sends an MD5 hash computed over the username, realm, password, a server-supplied nonce and the request method/URI (RFC 2617). This is hashing, not encryption; the hash can still be attacked offline and the rest of the exchange is in clear, so HTTPS is still required. It is rarely enabled in practice.

HTTPS Client authentication: HTTPS is HTTP over TLS (the successor of SSL). Here the client presents an X.509 certificate during the TLS handshake and the server identifies the user from that certificate, so authentication is complete before any HTTP request is exchanged. In web.xml this is auth-method CLIENT-CERT.

FORM-based authentication is similar to Basic in that the container enforces it, but the credentials are collected by an HTML form of your own instead of a browser pop-up, so the look and feel can be customized. The only requirements on the form are that

- its action attribute is j_security_check (the container intercepts this URL)

- it submits two fields named j_username and j_password (use method="POST")

Since the password travels as an ordinary form field, FORM authentication needs HTTPS just as Basic does.
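To make the difference between the first two mechanisms concrete, here is an added Python example (not code from the original tutorial). It builds the Authorization header a browser sends for Basic authentication with the tutorial's user both/tomcat, recovers the password from that header the way a sniffer on a plain-HTTP connection would, and computes the Digest "response" value exactly as RFC 2617 defines it. The realm, nonce and request URI are constructed for the example.

```python
import base64
import hashlib

# Constructed values for the example: the tutorial's user both/tomcat, and a realm,
# nonce and URI invented here (not taken from the page).
USERNAME, PASSWORD = "both", "tomcat"


def basic_authorization_header(username, password):
    """Build the Authorization header a browser sends for HTTP Basic authentication.
    The credentials are only base64-encoded: an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_basic_header(header):
    """Recover the cleartext credentials from a Basic header, as any proxy or sniffer
    on a plain-HTTP path could. Raises ValueError for other schemes."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest 'response' for qop=auth. The password stays on the client; only
    this MD5 hash travels. It is still not encryption: the hash is guessable offline
    and the rest of the request is in clear, so HTTPS is needed regardless."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    header = basic_authorization_header(USERNAME, PASSWORD)
    print(header)                                  # what goes over the wire
    print(credentials_from_basic_header(header))   # trivially reversed
    print(digest_response(USERNAME, "jsp-tutorial", PASSWORD, "GET", "/secured.jsp",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"))
```

Running it prints `Basic Ym90aDp0b21jYXQ=` followed by the recovered `('both', 'tomcat')`, which is the whole argument for putting Basic behind HTTPS; the Digest value is a 32-hex-digit hash from which the password cannot be read directly, but which an attacker holding the nonce can still brute-force offline.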

27.4 Configuring roles and users

In Tomcat, users and roles are easy to create and configure: open tomcat-users.xml under <tomcat-root-directory>\conf and add the users and roles there. By default the file contains a commented-out list of roles and users (shown below). Note that this file keeps passwords in plain text unless a CredentialHandler is configured, and Tomcat reads it only at startup; it is fine for development, but production deployments normally use a realm backed by a database or directory with hashed passwords.

<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->

Along the same lines we can add new roles and users, or simply uncomment the section above. With that we have:

a) two roles, named tomcat and role1.

b) three users, each mapped to one or more roles.

c) a demonstration that one user can be mapped to multiple roles (user "both" is in both roles).

27.5 Authentication Mechanism in Detail

As discussed above there are four authentication mechanisms; let's look at two of them in detail.

The mechanism is specified with the <login-config> element, a child of <web-app>:

<login-config>
  <auth-method></auth-method>
</login-config>

27.5.1 Basic Authentication

To configure Basic authentication, set auth-method to BASIC (an optional <realm-name> child sets the realm string the browser shows in its prompt):

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

27.5.2 Form based Authentication

To configure form-based authentication, set auth-method to FORM and give, inside <form-login-config>, the paths of the login page and of the page shown when authentication fails:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/auth-failure.jsp</form-error-page>
  </form-login-config>
</login-config>

27.8 Declarative Security

By now we know how to configure roles, users and the authentication mechanism. What is still missing are the constraints on the resources: by default every resource (JSP, servlet, static file) is accessible to everyone. The constraints are declared in web.xml as follows:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>
    </web-resource-name>
    <url-pattern></url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>
    </description>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name></role-name>
</security-role>

a) <security-constraint> - the main element; a child of <web-app>, and there can be as many as needed.

b) <web-resource-collection> - child of "security-constraint"; a logical collection of resources that need to be protected. More than one "web-resource-collection" is allowed in a single "security-constraint".

c) <web-resource-name> - child of "web-resource-collection"; a descriptive name for the collection.

d) <url-pattern> - child of "web-resource-collection"; the URL patterns of the protected resources, using the usual servlet-mapping forms (an exact path such as /secured.jsp, a prefix such as /admin/*, an extension such as *.jsp, or / for everything). Multiple "url-pattern" elements may be given.

e) <http-method> - child of "web-resource-collection"; the HTTP methods the constraint applies to. Caveat: as soon as any <http-method> is listed, only those methods are protected; a request using any other method (POST when only GET is listed, or HEAD, PUT, DELETE, OPTIONS) reaches the resource without authentication. Unless per-method rules are really needed, leave <http-method> out so the constraint covers every method. Servlet 3.0 adds <http-method-omission> for "all methods except these", and Servlet 3.1 adds <deny-uncovered-http-methods/> directly under <web-app> to close whatever is left uncovered.

f) <auth-constraint> - the roles that may access the resources of the web-resource-collection. Omitting <auth-constraint> altogether lets everyone in; an empty <auth-constraint/> denies everyone.

g) <description> - free-text description of the authorization constraint.

h) <role-name> - a role that may access the resources; one element per role, or * for any of the roles declared in <security-role>.

i) <security-role> - not part of the constraint but a sibling of it under <web-app>; it declares each role name the application refers to, so that the container can map it to a role of the realm (tomcat-users.xml in our case).

Not shown in the template above: a <user-data-constraint> child of "security-constraint" containing <transport-guarantee>CONFIDENTIAL</transport-guarantee> makes the container redirect plain HTTP requests for these resources to HTTPS. Combine it with BASIC or FORM authentication so that passwords are never sent in clear.
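To show how the container resolves these elements for a request, here is an added Python example; it is not part of the original page and not Tomcat's code. It parses the <security-constraint> elements of a constructed web.xml and applies the Servlet specification's matching rules: the best-matching url-pattern wins, then only constraints whose method list (if any) contains the request method apply, the transport guarantee is checked before authentication, and the roles of the applicable constraints are unioned. The first constraint copies this section's GET-only example, so the evaluator reproduces the gap described under e): a POST to /secured.jsp is served without authentication. The /admin/* constraint, the audit() checks and the result strings are constructed for the example; a real container handles more cases (role *, overlapping constraints) than shown here.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for this example (not a file from the original page). The first
# constraint copies the tutorial's Basic example with only GET listed; the second shows
# the safer form: no <http-method> (every method covered) plus a CONFIDENTIAL transport.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private Resource</web-resource-name>
      <url-pattern>/secured.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>role1</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def _text(elem):
    return (elem.text or "").strip()


def load_constraints(xml_text):
    """Read every <security-constraint> of a web.xml into a plain dict."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the Java EE namespace real files carry
        el.tag = el.tag.rsplit("}", 1)[-1]
    constraints = []
    for sc in root.iter("security-constraint"):
        collections = []
        for wrc in sc.findall("web-resource-collection"):
            patterns = [_text(p) for p in wrc.findall("url-pattern")]
            methods = {_text(m).upper() for m in wrc.findall("http-method")}
            collections.append((patterns, methods))   # empty set = all methods
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {_text(r) for r in ac.findall("role-name")}
        tg = sc.find("user-data-constraint/transport-guarantee")
        constraints.append({"collections": collections, "roles": roles,
                            "https_only": tg is not None and _text(tg) == "CONFIDENTIAL"})
    return constraints


def pattern_match(pattern, path):
    """Servlet-spec URL matching: a specificity score, or None if the pattern does not match."""
    if pattern == path:
        return (3, len(pattern))            # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))         # longest path prefix wins among prefixes
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                       # extension mapping
    if pattern == "/":
        return (0, 0)                       # default servlet: everything else
    return None


def authorize(constraints, method, path, user_roles=None, https=False):
    """What the container does with a request: 'allow', 'authenticate' (401 challenge or
    login form), 'forbidden' (403) or 'redirect-https'. user_roles=None = not logged in."""
    method = method.upper()
    best, applicable = None, []
    for c in constraints:
        for patterns, methods in c["collections"]:
            for p in patterns:
                score = pattern_match(p, path)
                if score is None:
                    continue
                if best is None or score > best:
                    best, applicable = score, []
                # Only best-matching patterns count, and only if the method list covers us.
                if score == best and (not methods or method in methods) and c not in applicable:
                    applicable.append(c)
    if not applicable:
        return "allow"                      # nothing constrains this method on this path
    if not https and any(c["https_only"] for c in applicable):
        return "redirect-https"             # transport guarantee is checked before auth
    role_sets = [c["roles"] for c in applicable]
    if any(r is None for r in role_sets):
        return "allow"                      # a constraint without <auth-constraint> opens it
    allowed = set().union(*role_sets)
    if not allowed:
        return "forbidden"                  # empty <auth-constraint/> denies everyone
    if user_roles is None:
        return "authenticate"
    return "allow" if allowed & set(user_roles) else "forbidden"


def audit(constraints):
    """Flag the two gaps discussed in the text: explicit method lists and missing HTTPS."""
    findings = []
    for i, c in enumerate(constraints, 1):
        for patterns, methods in c["collections"]:
            if methods:
                findings.append(f"constraint {i} {patterns}: only {sorted(methods)} protected, "
                                "any other method reaches the resource unauthenticated")
        if c["roles"] and not c["https_only"]:
            findings.append(f"constraint {i}: no CONFIDENTIAL transport-guarantee, "
                            "credentials for it may be sent over plain HTTP")
    return findings
```

With these constraints, `authorize(cons, "GET", "/secured.jsp")` returns `authenticate` while `authorize(cons, "POST", "/secured.jsp")` returns `allow`, which is the verb-tampering bypass; `audit(cons)` reports both the GET-only list and the missing transport guarantee on the first constraint and nothing on the second. Feed it your own web.xml (the namespace is stripped on load) to check a deployment descriptor before shipping it.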

27.9 Declarative Security Examples

Note: uncomment the users and roles section in tomcat-users.xml as described above and restart Tomcat so that the realm picks up the change.

27.9.1 Basic Authentication Example

To see how Basic authentication works:

a) Add the following configuration in web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>
      Private Resource
    </web-resource-name>
    <url-pattern>/secured.jsp</url-pattern>
    <!-- no <http-method> here: listing only GET would let POST, HEAD and every
         other method reach secured.jsp without authentication -->
  </web-resource-collection>
  <auth-constraint>
    <description>
    </description>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>role1</role-name>
</security-role>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

b) Create secured.jsp

<html>
  <head>
   <title> Secured JSP </title>
  </head>
  <body>
   <h4>
     Secured JSP
   </h4>
  </body>
</html>

c) Access secured.jsp at http://localhost:8080/jsp-tutorial/secured.jsp; the browser shows a pop-up asking for credentials.

d) The constraint allows role "role1", and two users, "both" and "role1", are in that role, so logging in as either of them displays secured.jsp. Logging in as tomcat/tomcat instead gives 403 Forbidden: that user is authenticated but not authorized.

Enter both/tomcat as credentials and the Secured JSP page is displayed. To try another user afterwards, close the browser first: it caches Basic credentials and keeps sending them with every request.

27.9.2 Form Based Authentication Example

a) Change the login-config to FORM as below:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/auth-login.jsp</form-login-page>
    <form-error-page>/auth-failure.jsp</form-error-page>
  </form-login-config>
</login-config>

b) Create auth-login.jsp

<!DOCTYPE html>
<html>
  <head>
    <title>Login Form</title>
  </head>
  <body>
    <form name="logonform" action="j_security_check" method="POST">
      Username: <input type="text" name="j_username"/>
      <br/>
      Password:<input type="password" name="j_password"/>
      <br/>
      <input type="submit" value="Submit"/>
    </form>
  </body>
</html>

c) Create auth-failure.jsp

<!DOCTYPE html>
<html>
  <head>
    <title>Auth Failure </title>
  </head>
  <body>
    <h4>
      Access Denied !!
    </h4>
  </body>
</html>

Access secured.jsp at http://localhost:8080/jsp-tutorial/secured.jsp; instead of a pop-up, auth-login.jsp is shown.

Enter invalid credentials and auth-failure.jsp is shown.

Access secured.jsp again at the same URL; auth-login.jsp appears, and this time enter role1/tomcat. The container verifies the credentials, keeps the login in the HTTP session and sends you on to the originally requested secured.jsp.

27.10 Programmatic Security

The HttpServletRequest API provides several methods, such as getRemoteUser(), getAuthType() and isUserInRole(), that retrieve details of the authenticated user so the page can apply its own logic (for example show or hide an admin link). When nobody is authenticated, getRemoteUser() and getAuthType() return null and isUserInRole() returns false. Since Servlet 3.0 the request also offers login(username, password) and logout() for establishing or ending the login in code rather than through <login-config>.

Let's update secured.jsp to show the username and roles of the logged-in user.

<html>
  <head>
    <title> Secured JSP </title>
  </head>
  <body>
    <h4>
     Secured JSP
    </h4>
    <%-- getRemoteUser() is null when no user is authenticated; in an application whose
         usernames come from user registration, HTML-escape it before rendering --%>
    Username :: <%= request.getRemoteUser() %>
    <br/>
    Authentication Mechanism :: <%= request.getAuthType() %>
    <br/>
    <br/>
    Is the user in role "tomcat"? <%= request.isUserInRole("tomcat") %>
    <br/>
    Is the user in role "role1"? <%= request.isUserInRole("role1") %>
  </body>
</html>

Access secured.jsp at http://localhost:8080/jsp-tutorial/secured.jsp, log in as role1/tomcat on auth-login.jsp, and secured.jsp shows role1 as the username, FORM as the authentication mechanism, false for role "tomcat" and true for role "role1".

Log in again as both/tomcat (end the previous session first, for example by closing the browser, since the container keeps the login in the HttpSession) and both role checks show true. These methods only report what the container already decided; they are a complement to the <security-constraint>, not a replacement for it.
