user and security management
DESCRIPTION
User and Security Management. Security Management in Web Applications. We all know this page. Would we want all to know this page?. Problem Formulation. Want to restrict access to certain Web pages Must answer the following questions Which pages should be restricted? - PowerPoint PPT PresentationTRANSCRIPT
User and Security User and Security ManagementManagement
Security Management in Web Security Management in Web ApplicationsApplications
HUJI-CSHUJI-CSDBI 2007DBI 2007
We all know this page...We all know this page...
HUJI-CSHUJI-CSDBI 2007DBI 2007
Would we want all to know this page?Would we want all to know this page?
HUJI-CSHUJI-CSDBI 2007DBI 2007
Problem FormulationProblem Formulation
• Want to restrict access to certain Web pages
• Must answer the following questions– Which pages should be restricted?
– Who should access restricted pages?
– How should users be authenticated?
– Should authentication data be encrypted?
HUJI-CSHUJI-CSDBI 2007DBI 2007
Authentication MethodsAuthentication Methods
• Several authentication methods are used:
• Declarative Security– HTTP-level mechanisms
• Basic authentication scheme• Digest access authentication scheme
– Server-level mechanisms
• Programmatic Security
HUJI-CSHUJI-CSDBI 2007DBI 2007
HTTP Basic MechanismHTTP Basic Mechanism
• In the basic authentication scheme of HTTP, the user's name and password need to be sent with each request for a protected resource
• When the server gets a request for a protected resource, it checks whether that request has the HTTP header
Authorization: Basic username:password
• If the name and password are accepted by the server (i.e., are those of a user that has the privilege to get the page), then the requested page is returned
HUJI-CSHUJI-CSDBI 2007DBI 2007
HTTP Basic MechanismHTTP Basic Mechanism
• If the request does not have the authorization header or the name and password are not accepted, then the server replies with 401 (unauthorized)
• An 401 response can have the header
WWW-Authenticate: Basic realm="realm-name"
• That is, "in order to get this resource, you will have to authenticate using the basic method"
– Tell the user to supply authentication for pages in realm-name
HUJI-CSHUJI-CSDBI 2007DBI 2007
Realm B
Realm A
/a/A.html/a/B.jsp
/b/C.css/b/D.xml
E.xsl
GET E.xsl
OK + Content
F.xml
Declarative Security: BASICDeclarative Security: BASIC
HUJI-CSHUJI-CSDBI 2007DBI 2007
Realm B
Realm A
/a/A.html/a/B.jsp
/b/C.css/b/D.xml
E.xsl
GET /a/B.jsp
401 + Basic realm="A"
F.xml
Declarative Security: BASICDeclarative Security: BASIC
HUJI-CSHUJI-CSDBI 2007DBI 2007
Declarative Security: BASICDeclarative Security: BASIC
Realm B
Realm A
/a/A.html/a/B.jsp
/b/C.css/b/D.xml
E.xsl
GET /a/B.jsp + user:pass
OK + Content
F.xml
HUJI-CSHUJI-CSDBI 2007DBI 2007
Declarative Security: BASICDeclarative Security: BASIC
Realm B
Realm A
/a/A.html/a/B.jsp
/b/C.css/b/D.xml
E.xsl
GET /a/A.html + user:pass
OK + Content
F.xml
HUJI-CSHUJI-CSDBI 2007DBI 2007
Browser CooperationBrowser Cooperation
• Throughout the session, the browser stores the user-name and password and automatically sends the authorization header in either one of the following cases:– The requested resource is under the directory
of the originally authenticated resource
– The browser received 401 from the Web server and the WWW-Authenticate header has the same realm as the previous protected resource
HUJI-CSHUJI-CSDBI 2007DBI 2007
Digest Access SchemeDigest Access Scheme
• The most serious security flaw in the basic scheme is that the name and password are sent unencrypted, and hence everyone on the network path can read it
• If an attacker snoops a request with basic authentication, she can access to the whole protection space of the resource
• The digest access authentication scheme solves many of the flaws of the basic schemes, such as the one above
HUJI-CSHUJI-CSDBI 2007DBI 2007
Digest OperationDigest Operation
• Like the basic, the digest scheme requires that authentication data is sent with each request for a protected resource
• However, passwords are not sent in clear text
• The idea is to use a one-way hash, such as MD5
• A one-way hash H is a mapping of strings that has the following properties:– It is "easy" to compute H(x), given the input x
– It is "hard" to compute x, given the mapping H(x)
HUJI-CSHUJI-CSDBI 2007DBI 2007
Digest Operation (cont)Digest Operation (cont)
• In the digest scheme, instead of sending the password x in clear text, the client sends H(y)
• y is the concatenation of the user name, the password, an opaque generated by the server, the request URI, and more (why is the opaque needed?)
• A server that gets digested authentication data repeats the same encryption process and compares its output with the given H(y)
• More details can be found in RFC 2617
HUJI-CSHUJI-CSDBI 2007DBI 2007
Server-Level AuthenticationServer-Level Authentication
• A Web server can use its own authentication mechanisms rather than those of HTTP
• Typically, server-level mechanisms act as follows
– The server requires authentication by redirecting the client to a special HTML form
– If authentication succeeds, then the server stores the username in the corresponding session object
• Note that the browser and the HTTP headers are oblivious to server-level authentication
HUJI-CSHUJI-CSDBI 2007DBI 2007
Programmatic SecurityProgrammatic Security
• In declarative security, a page is either accessible to a user or is not
• But what if we wanted a page to include some data that will only be shown to privileged users?– E.g., the grades of the user
• In programmatic security, we enhance security checks in dynamic pages (e.g., JSP)
• Using this approach, an application can generate different contents for different users
HUJI-CSHUJI-CSDBI 2007DBI 2007
Declarative-Security: Pros & ConsDeclarative-Security: Pros & Cons
• Advantage: Application programs (i.e., JSP and Servlets) do not have to do anything special
• Advantage: Security holes due to bugs are less probable
• Disadvantage: Server-specific process
• Disadvantage: All or nothing security
– users can or cannot see the page
– sometimes, what we really want is for the page content to be dependent on the user
Authentication Management in Authentication Management in TomcatTomcat
HUJI-CSHUJI-CSDBI 2007DBI 2007
Declarative Security in TomcatDeclarative Security in Tomcat
To apply declarative security in Tomcat:– Define roles and users
• A user has a username and a password
– Define the restricted pages and the roles that can access them
– Define the authentication method that is used in the Web application
HUJI-CSHUJI-CSDBI 2007DBI 2007
Defining Users and RolesDefining Users and Roles
1. Create a database that stores users and roles• A table that stores usernames and passwords
• A table that stores usernames and roles
2. Tell Tomcat how to access your tables in the file TOMCAT_BASE/conf/server.xml
3. Users and roles can be dynamically added to the database
HUJI-CSHUJI-CSDBI 2007DBI 2007
An ExampleAn Example
create table users (
username varchar(30) not null primary key,
pass varchar(30) not null
);
create table users_roles (
username varchar(30) not null,
role varchar(30) not null,
primary key (username,role),
foreign key (username) references users(username)
);
HUJI-CSHUJI-CSDBI 2007DBI 2007
In server.xmlIn server.xml
<Realm
className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver"
connectionURL="jdbc:postgresql://dbserver/public?user=snoopy"
userTable="users"
userNameCol="username"
userCredCol="pass"
userRoleTable="users_roles"
roleNameCol="role"/>
HUJI-CSHUJI-CSDBI 2007DBI 2007
<tomcat-users>
<role rolename="members"/>
[more roles...]
<user username="snoopy" password="snoopass"
roles="members"/>
[more users...]
</tomcat-users>
Static Users and RolesStatic Users and Roles
You can alternatively define a static set of users and roles in
$CATALINA_BASE/conf/tomcat-users.xml
HUJI-CSHUJI-CSDBI 2007DBI 2007
Tomcat ManagerTomcat Manager
• The default resource of users is the file tomcat-users
• If you use database users, then you need to add a manager for Tomcat to your tables– Otherwise, you (and Eclipse) will not be able to log into
the manager application
• A manager is a user that belongs to the role "manager"
HUJI-CSHUJI-CSDBI 2007DBI 2007
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted one</web-resource-name>
<url-pattern>/restricted1/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>restricted two</web-resource-name>
<url-pattern>/restricted2/*</url-pattern>
</web-resource-collection>
Defining Restrictions in web.xmlDefining Restrictions in web.xml
HUJI-CSHUJI-CSDBI 2007DBI 2007
<auth-constraint>
<role-name>members</role-name>
</auth-constraint>
</security-constraint>
<login-config>...</login-config>
<security-role>
<role-name>members</role-name>
</security-role>
Defining Restrictions in web.xmlDefining Restrictions in web.xml
HUJI-CSHUJI-CSDBI 2007DBI 2007
BASIC Authentication in TomcatBASIC Authentication in Tomcat
Add to the application's web.xml the login method (BASIC) and your chosen realm name
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Members</realm-name>
</login-config>
HUJI-CSHUJI-CSDBI 2007DBI 2007
FORM-Based Authentication in TomcatFORM-Based Authentication in Tomcat
• Tomcat provides a built-in form-based authentication
• In the first request to a restricted page, the server forwards the request to a login page
• Using the form in the login page, the user submits its login and password to a special URL of the server which is automatically handled by Tomcat.
• If authentication is successful, the special URL stores the information in the session object and forwards the requerst the the restricted page originally requested (how does Tomcat know which page this is?)
• On subsequent requests for restricted pages, the server checks the session to see if it contains suitable authentication, and if so the requested page is returned (instead of forwarding to the login page)
HUJI-CSHUJI-CSDBI 2007DBI 2007
Add to web.xmlAdd to web.xml
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/admin/login.html
</form-login-page>
<form-error-page>/admin/login-error.html
</form-error-page>
</form-login-config>
</login-config>
HUJI-CSHUJI-CSDBI 2007DBI 2007
<html>
<head><title>Log In</title></head>
<body style="background-color:yellow">
<h2>Log in for accessing this resource.</h2>
<form action="j_security_check" method="post">
<p>Login: <input type="text" name="j_username"/></p>
<p>Password: <input type="password"
name="j_password"/></p>
<p><input type="submit" value="Log In"/></p>
</form>
</body>
</html> myApp/admin/login.html
Create A Login PageCreate A Login Page
HUJI-CSHUJI-CSDBI 2007DBI 2007
<html>
<head>
<title>Login Failure</title>
</head>
<body style="background-color:yellow">
<h1>Wrong username and password!</h1>
</body>
</html>
Create an Error PageCreate an Error Page
myApp/admin/login-error.html
SSL ConnectionsSSL Connections
HUJI-CSHUJI-CSDBI 2007DBI 2007
Security on the InternetSecurity on the Internet
• The Internet is used to transmit sensitive data from clients to servers and vice-versa– User passwords
– Credit card numbers
– Private client data on remote servers (e.g., Banks)
• However, data packets are read by several computers on the way from the client to the server (and vice-versa)– Routers, proxies, etc.
HUJI-CSHUJI-CSDBI 2007DBI 2007
Security on the Internet (cont)Security on the Internet (cont)
• For secure communication, the following should be provided:– Only the server can read the client requests
– Only the client can read the server's responses
– Only the client can send requests on behalf of itself
– Only the server can send responses on behalf of itself
• In short, no one should be able to interfere in the interaction, either by reading the transferred data or by impersonating one of the sides
HUJI-CSHUJI-CSDBI 2007DBI 2007
Symmetric and Asymmetric KeysSymmetric and Asymmetric Keys
• Data can be encrypted and decrypted using keys, which are simply large numbers
• Symmetric keys: the same key is used for both encoding and decoding of the message
• Asymmetric keys: one key is used to encode the message, and another is used to decode it
• It is considered practically impossible to decode a message without knowing the decoding key
HUJI-CSHUJI-CSDBI 2007DBI 2007
The RSA Cryptography SystemThe RSA Cryptography System
• RSA was developed in 1977 by Ron Rivest, Adi
Shamir and Leonard Adleman
• It is the based on the asymmetric key mechanism:
– Each participant has a private key and a public key
– The public key is known to all and the private key is kept in
secret within its owner
– Asymmetric keys: the public key is the encoding key and
the private key is the decoding key
HUJI-CSHUJI-CSDBI 2007DBI 2007
Secure Connection: A Naive ApproachSecure Connection: A Naive Approach
• Consider the following protocol:
– Server and Client send their public keys to each other
– Data is encrypted using the public key of the receiver
• What is wrong with this protocol?
– Encryption methods (public keys) are known to
everyone - everyone can impersonate the participants
– A participant cannot tell whether its received key was
indeed sent by the other participant
HUJI-CSHUJI-CSDBI 2007DBI 2007
SSL ConnectionsSSL Connections
• The SSL (Secure Socket Layer) protocol is used to manage security of message transmission on the Internet
• Data encryption and decryption is based on symmetric and asymmetric keys
• The HTTPS (HTTP over SSL) protocol is actually the HTTP protocol above SSL transportation
HUJI-CSHUJI-CSDBI 2007DBI 2007
TCP/IPTCP/IP
SSLSSL
SSL in the Network LayersSSL in the Network Layers
HTTPHTTP Email ProtocolsEmail Protocols
HUJI-CSHUJI-CSDBI 2007DBI 2007
The SSL HandshakeThe SSL Handshake
Server
hello + SSL settings
ClientSSL Settings + Certificate
Is this a good
certificate?
1. Client gets the Server's certificate
HUJI-CSHUJI-CSDBI 2007DBI 2007
The SSL HandshakeThe SSL Handshake
Server
Client
2. Client creates a master secret and shares it with the
server
( )
HUJI-CSHUJI-CSDBI 2007DBI 2007
The SSL HandshakeThe SSL Handshake
Server
Client
3. Client and server create symmetric session keys from
the master secret
HUJI-CSHUJI-CSDBI 2007DBI 2007
The SSL HandshakeThe SSL Handshake
Server
Client
Data is transferred using the session keys
(Http Response)
(Http Request)
HUJI-CSHUJI-CSDBI 2007DBI 2007
SSL CertificatesSSL Certificates
• To assure that the replier of the first request is the server, the server sends a certificate
• The certificate contains both the server's name and its public key
• The certificate is issued by a Certificate Authority (CA), which is known to the client in advance– For example: VeriSign, Thawte, RSA Secure Server, etc.
• CA signs the certificate using a digital signature, which the client can verify using a method similar to the private-public key method
HUJI-CSHUJI-CSDBI 2007DBI 2007
Issuer's Name
Public Key
Serial Number
Validity Period
Server's Name
The Server's CertificateThe Server's Certificate
Issuer's Digital Signature
HUJI-CSHUJI-CSDBI 2007DBI 2007
An Example: The Certificate of bankleumi.co.ilAn Example: The Certificate of bankleumi.co.il
HUJI-CSHUJI-CSDBI 2007DBI 2007
Authentication via SSLAuthentication via SSL
• If the server needs to assure the client's identity, the first interaction after the SSL handshake will typically be a client authentication
• Client authentication is done using the regular (e.g., HTTP) authentication mechanisms
• What is the difference, though?
HUJI-CSHUJI-CSDBI 2007DBI 2007
SSL in Tomcat 6.0SSL in Tomcat 6.0
• To use SSL connections in Tomcat 6.0, we need to do the following:– Acquire a certificate
– Enable the HTTPS service that listens to a designated port
– Declare the pages that require SSL connections
HUJI-CSHUJI-CSDBI 2007DBI 2007
Generating a CertificateGenerating a Certificate
• Acquiring a certificate from a known CA costs money
• Instead, we will generate our own certificate
• Naturally, the browser will not recognize the CA as a known one and will therefore alert the user
HUJI-CSHUJI-CSDBI 2007DBI 2007
Generating a Certificate (cont)Generating a Certificate (cont)
From the command line, type the following:
keytool -genkey -alias tomcat -keyalg RSA -keystore keyfile
HUJI-CSHUJI-CSDBI 2007DBI 2007
HUJI-CSHUJI-CSDBI 2007DBI 2007
Enable the HTTPS ServiceEnable the HTTPS Service
• Add the following to $CATALINA_BASE/conf/server.xml under the Service "catalina":
• Declare the redirection port for the HTTP Connector:
<Connector port="8090" redirectPort="8443"/>
<Connector port="8443" scheme="https" secure="true"
sslProtocol="TLS" keystoreFile="keyfile"
keystorePass="keypass"/>server.xml
HUJI-CSHUJI-CSDBI 2007DBI 2007
Declare Secured PagesDeclare Secured Pages
• In the application's web.xml, add the following element under the security constraint for which you want SSL to be used
<user-data-constraint>
<transport-guarantee>
CONFIDENTIAL
</transport-guarantee>
</user-data-constraint>
web.xml