Friday, December 11, 2009

Securing Your Application Using WEB.XML


When it comes to security we always think about EJB and the other Java security-related APIs. But web.xml itself gives you BASIC security control over your web application. If your application is not using any EJB and you need some security control, then web.xml is there to help you ;).


Below is the sample web.xml; what it does is explained after the listing.

  <web-app>
    <servlet>
      <description>This is the description of my J2EE component</description>
      <display-name>This is the display name of my J2EE component</display-name>
      <servlet-name>SimpleServlet</servlet-name>
      <servlet-class>SimpleServlet</servlet-class>
    </servlet>

    <servlet-mapping>
      <servlet-name>SimpleServlet</servlet-name>
      <url-pattern>/servlet/SimpleServlet</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>My First Auth</web-resource-name>
        <url-pattern>/servlet/SimpleServlet</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Guest</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  </web-app>


* We defined a servlet called SimpleServlet.
* As SimpleServlet needs to be protected, I have to define a security-constraint for it.
* Inside security-constraint we first define a web-resource-collection, where you have to give a name (which is MANDATORY, even though you don't use it anywhere ;)).
* web-resource-name can be any valid name.
* In the url-pattern tag you define which URL patterns should be protected; you can give any number of url-pattern entries.
* Once you are done with that, next comes which request types you want to protect. Say I want to protect the data only when the request is a GET (that is what I defined); you can protect all 5 request types.
* Then comes auth-constraint, where you define all the roles which have this permission. You can define roles in Tomcat by editing /conf/tomcat-users.xml.
* Here is the sample code in /conf/tomcat-users.xml:





* We have defined the role at the Guest level, so we don't need any changes in the tomcat-users.xml file.
* Then finally comes the user-data-constraint tag, where you define how your request and response data should travel between you (the client) and the server.
* When you give CONFIDENTIAL in the transport-guarantee tag, the server will make sure the data transferred between you and the server cannot be sniffed by other parties. It uses the HTTPS protocol for the request.
How it works:
* When you hit the server with www.passion4java.com/simple/servlet/SimpleServlet, it first checks whether the URL requires any security check.
* It finds this out by checking the url-pattern entries inside the web-resource-collection.
* It also checks the request type; in our case we are using GET and it matches.
* Then come the roles: if some roles are defined, it sends the request back to the client and pops up a prompt for your username and password.
* There are 4 different ways you can transfer your username and password to the server, which are also defined in web.xml (in our web.xml we have not defined that, so I won't go deeper into it).
* Once it gets your credentials back from the client, it checks them against tomcat-users.xml to see whether they match (on Tomcat only).
* Then it determines which transport method has to be used, based on the transport-guarantee tag; it may be HTTP or HTTPS.
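The decision sequence from the list above, as an added Python example that is not part of the original post: it parses a constructed copy of the post's security-constraint with the standard-library XML parser and returns what the container does with a request (redirect to HTTPS, 401 challenge, 403, allow, or no constraint at all). The transport check is placed before the credential prompt, which is the order Tomcat applies, and a POST to the same URL shows what listing only GET leaves unprotected.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragment mirroring the post's security-constraint (namespace omitted).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My First Auth</web-resource-name>
      <url-pattern>/servlet/SimpleServlet</url-pattern><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Guest</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix (/dir/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False

def covers(wrc, path, method):
    """True when a web-resource-collection names this path and, if it lists methods, this method."""
    methods = [m.text.strip() for m in wrc.findall("http-method")]
    # No http-method listed means every method; listing only GET leaves POST, PUT, ... unconstrained.
    return (any(pattern_matches(p.text.strip(), path) for p in wrc.findall("url-pattern"))
            and (not methods or method in methods))

def evaluate(web_xml, path, method, secure, user_roles):
    """Decide one request: 'unconstrained', 'redirect-https', '401', '403' or 'allow'.
    user_roles is None when unauthenticated; first matching constraint wins (no best-match precedence)."""
    root = ET.fromstring(web_xml)
    for sc in root.findall("security-constraint"):
        if not any(covers(wrc, path, method) for wrc in sc.findall("web-resource-collection")):
            continue
        # Tomcat checks the transport guarantee before asking for credentials, so they never travel in clear.
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        if guarantee in ("CONFIDENTIAL", "INTEGRAL") and not secure:
            return "redirect-https"
        auth = sc.find("auth-constraint")
        if auth is not None:
            roles = [r.text.strip() for r in auth.findall("role-name")]
            if user_roles is None:
                return "401"  # challenge the client for a username and password
            if "*" not in roles and not set(roles) & set(user_roles):
                return "403"  # authenticated but lacks every listed role (an empty list denies everyone)
        return "allow"
    return "unconstrained"
```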
Areas I am not clear about:

* I am not clear how we can configure the role check against a database in other servers like WebLogic.
* I know that our web.xml redirects us to HTTPS if we have transport-guarantee set to CONFIDENTIAL. But I am not sure how I can set up the HTTPS protocol so that I can send the data securely.
I just thought of sharing how security can be configured using your web.xml. If you guys have any thoughts, DOUBTS or any corrections, please let me know.

Thank you ;)

3 comments:

Jose J. García said...

To setup HTTPS on Tomcat -> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Jobs said...

"I know that our web.xml redirect us with HTTPS if we have transport-guarantee as CONFIDENTIAL. But not sure how can i setup the HTTPS protocol, so that I can send the data securely."

That means after you have configured
CONFIDENTIAL

we have to enable the HTTPS configuration? Otherwise the URL will not be invoked properly?

Anonymous said...

What exactly are you expecting, jobu?
