2012 03 27_philly_jug_rewrite_static

646 views

Published in: Technology, Business

Transcript

  • 1. Philly Java Users Group. Security and Usability: URL-rewriting for the next-generation web user. Lincoln Baxter, III, Senior Software Engineer, Founder, Red Hat, Inc. http://ocpsoft.org/ 2012-03-27. “Simpler is better.”
  • 2. What is URL-rewriting? Any manipulation of the HTTP Request/Response life-cycle.
  • 3. Mind the gap.
    ● Gap #1: “Relocated” or missing resources
    ● Gap #2: Readability & Clutter
    ● Gap #3: Revealing sensitive information
    ● Gap #4: Formatting of useful information
    ● Gap #5: Validation of user input
    ● … (and actually many more)
  • 4. One big thing.“Without URL-rewriting, our life would be $#@!ing hell.”
  • 5. Gap #1: “Relocated” or missing resources
  • 6. 404slide not found
  • 7. wtf?
  • 8. robo.to
  • 9. github.com
  • 10. blippy.com
  • 11. What does it mean?
  • 12. Distraction from failure.
  • 13. 1. The content existed and now does not. 2. The content never existed, fool.
  • 14. Translated.“Either the website sucks or you suck, and neither is going to make anyone happy.”
  • 15. 2 ways to have a magical 404 experience ...
  • 16. 301 Moved Permanently / 302 Moved Temporarily
  • 17. Google says, “Redirect to the new URL for at least 180 days.”
  • 18. Gap #2: URL-readability. http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846 wtf?
  • 19. We are friends.
  • 20. http://amazon.com/shop/kindle-touch
  • 21. Tired of trash in your face? http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
  • 22. There's plenty of space out in space! http://amazon.com/shop/kindle-touch?tracker=AAasfds3r32ydkl6fd854kdjf84hfidbdgv64n0curnoxydkl6fd854kdjf84hfidbdgv64n0ge8nfbh...
  • 23. Gap #3: Revealing sensitive information. Visit: http://microsoft.com/genuine/downloads/faq.aspx You will be redirected to a page without the .aspx suffix.
  • 24. .xhtml .do .asp .jsp / .php .cgi .jsf
  • 25. A good magician never reveals the implementation.
  • 26. Gap #4: Formatting of useful information. http://example.com/buy/1/shoes/store
  • 27. Be cool. http://example.com/store/shoes/1 http://example.com/store/shoes/1/buy http://example.com/store?buy=true&category=shoes&item=135
  • 28. Why are people afraid of buying used cars?
  • 29. You never know what you are going to get.
  • 30. Trust me?http://www.youtube.com/watch?v=oHg5SJYRHA0
  • 31. Build trust by reducing clutter & using clean URLs. Before: http://example.com/news.xhtml?p=my-new-post After: http://example.com/news/my-new-post/
  • 32. Gap #5: Validation of user input. URLs are user-input and your website is vulnerable!
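The Before/After from slide 31, together with the 301 redirect from slides 16 and 17, written as a plain servlet Filter. This is an added example, not code from the talk or from the Rewrite project: it uses only the javax.servlet API, and the slug whitelist, the class name and the `/news.xhtml` view are assumptions made for the example.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the talk or the Rewrite project).
 *   /news/my-new-post/         -> forwarded internally to /news.xhtml?p=my-new-post
 *   /news.xhtml?p=my-new-post  -> 301 Moved Permanently to /news/my-new-post/
 * The clean form hides the .xhtml implementation detail (Gap #3) and the
 * old form keeps working for bookmarks and search engines (Gap #1).
 */
@WebFilter("/*")
public class CleanNewsUrlFilter implements Filter {

    // Whitelist for the slug (assumption): lowercase letters, digits, hyphens.
    // The same rule is applied on both directions so that nothing outside the
    // whitelist is ever forwarded or echoed into a Location header.
    private static final Pattern CLEAN = Pattern.compile("^/news/([a-z0-9-]{1,64})/$");
    private static final Pattern SLUG  = Pattern.compile("^[a-z0-9-]{1,64}$");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, so the filter also works when the
        // application is deployed under /myapp instead of /.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Inbound clean URL: hand off to the real view without telling the client.
        // @WebFilter defaults to the REQUEST dispatcher, so the forward does not
        // re-enter this filter.
        Matcher m = CLEAN.matcher(path);
        if (m.matches()) {
            request.getRequestDispatcher("/news.xhtml?p=" + m.group(1)).forward(req, res);
            return;
        }

        // Legacy URL: tell the client (and search engines) the permanent home.
        if ("/news.xhtml".equals(path)) {
            String slug = request.getParameter("p");
            if (slug != null && SLUG.matcher(slug).matches()) {
                response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
                response.setHeader("Location", request.getContextPath() + "/news/" + slug + "/");
                return;
            }
            // A slug outside the whitelist is treated as not found rather than
            // being reflected back into a redirect.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The forward is invisible to the browser, which is the point of slide 25: the client only ever sees `/news/my-new-post/`. The redirect direction uses 301 rather than 302 because, as slide 17 notes for Google, the old address should resolve to the new one for a long time and crawlers should update their index.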
  • 33. Aspect Security says: Two of three recent security vulnerabilities in web-frameworks are URL-based. ** https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
  • 34. Real Life... http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp
  • 35. http://llbean.com/kids
  • 36. Vulnerable! wtf? Cluttered! http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp (validate?)
  • 37. Mind the gap.
    ● Gap #1: “Relocated” resources (404)
    ● Gap #2: Readability & Clutter
    ● Gap #3: Revealing sensitive information
    ● Gap #4: Formatting of useful information
    ● Gap #5: Validation of user input
  • 38. URL-rewriting
  • 39. Basic things we can do with all types of URL-rewriting
    ● Redirection & Relocation
    ● Parameterization
    ● Simple URL validation
    ● Add/Remove Headers
    Examples shown on the slide: /store/{category}/{item}, Accept-Charset: UTF-8, /store/$attack-%3/begin
  • 40. URL-rewriting: Proxy based (Non-Java)
  • 41. Inbound only.
  • 42. URL-rewriting: Filter Based (Native Java)
  • 43. blatant lie: “I have no personal investment in any of these tools.” - Me
  • 44. Cool things we can do with Filter-based Java URL-rewriting
    ● Transformation and Canonicalization: example.com/project/FOO becomes example.com/project/foo
    ● Complex Validation
    ● Data Conversion
    ● Request interception
    ● And more...
    Configuration fragment shown on the slide:
      .when(Path.matches("/store/product/{pid}")
            .where("pid")
            .bindsTo(El.property("productBean.product"))
            .convertedBy(ProductConverter.class)
            .validatedBy(ProductValidator.class))
  • 45. Some things you should NOT do with Java URL-rewriting: If it needs to run when your app doesn't... you probably don't want to put it in your app.
  • 46. Demos (It's *barcode time)
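The parameterization and validation of slide 39 and the bind / convert / validate steps of slide 44, written out for `/store/{category}/{item}` as a plain servlet Filter. This is an added example, not code from the talk or from the Rewrite project, so it does not use Rewrite's `Path`/`El` API; the segment whitelists, the category set, the class name and the `/store-view` target are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the talk or the Rewrite project).
 *   /store/shoes/135          -> attributes category="shoes", item=135L, forwarded
 *   /store/$attack-%3/begin   -> 400 Bad Request; the application never sees it
 * Everything the application receives is a typed value that passed a
 * positive whitelist, which is what "complex validation" and "data
 * conversion" on slide 44 buy you.
 */
@WebFilter("/store/*")
public class StoreParameterFilter implements Filter {

    // Positive whitelist per segment (assumption): category is a short
    // lowercase word, item is a decimal number of at most nine digits.
    private static final Pattern STORE = Pattern.compile("^/store/([a-z]{1,32})/([0-9]{1,9})$");

    // Hypothetical set of known categories used for the validation step.
    private static final Set<String> CATEGORIES = Set.of("shoes", "hats", "books");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRequestURI() is the undecoded form, so "$" and the broken "%3"
        // escape stay visible to the whitelist instead of being normalised
        // away before the check.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        Matcher m = STORE.matcher(path);
        if (!m.matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Bind: pull the two named parameters out of the path.
        String category = m.group(1);
        // Convert: the regex guarantees a parsable number that fits in a long.
        long item = Long.parseLong(m.group(2));

        // Validate the converted values, not the raw URL text.
        if (!CATEGORIES.contains(category) || item == 0) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Hand typed values to the application and forward to the real view
        // (the "/store-view" path is an assumption of this example).
        request.setAttribute("category", category);
        request.setAttribute("item", item);
        request.getRequestDispatcher("/store-view").forward(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Two design points carry over to any URL-rewriting tool: match the undecoded URI so that encoding tricks cannot slip past the pattern, and reject anything the whitelist does not match rather than trying to enumerate bad input. Slide 45 still applies: a check like this belongs in the application only if it is meaningless without the application running.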
  • 47. Access Control / Timer Demo ( http://access-rewrite.rhcloud.com/ )
    ● Problem #1: “Relocated” resources (404)
    ● Problem #2: Readability & Clutter
    ● Problem #3: Revealing sensitive information
    ● Problem #4: Formatting useful information
    ● Problem #5: Validation of user input
  • 48. Rest Validation/Conversion Demo ( http://rest-rewrite.rhcloud.com )
    ● Problem #1: “Relocated” resources (404)
    ● Problem #2: Readability & Clutter
    ● Problem #3: Revealing sensitive information
    ● Problem #4: Formatting useful information
    ● Problem #5: Validation of user input
  • 49. Composite Query Demo ( http://composite-rewrite.rhcloud.com )
    ● Problem #1: “Relocated” resources (404)
    ● Problem #2: Readability & Clutter
    ● Problem #3: Revealing sensitive information
    ● Problem #4: Formatting useful information
    ● Problem #5: Validation of user input
  • 50. Bonus round! But client-side web applications are the future, can't I just ignore the URL and use WebSockets?!
  • 51. Client side browser applications. [Diagram: the browser requests http://twitter.com/#!/lincolnthree; the server serves the application and the client routes the fragments #!/lincolnthree, #!/connect, #!/discover, #!/lincolnthree/status/180710662975143936, #!/li...]
  • 52. How can we clean it up? [Diagram: request and response between the browser and http://example.com/, with clean URLs example.com/login, example.com/signup and example.com/lincoln/myproject in place of fragments; what the server should respond with is left as a question.]
  • 53. Handling bookmarks. [Diagram: the browser requests example.com/, example.com/login or example.com/lincoln/myproject; the server inspects the path (/, login, lincoln/...) and serves the matching view (e.g. profile).]
  • 54. Where am I? example.com/ example.com/lincoln example.com/lincoln/myproject example.com/lincoln/lincoln. How do you determine the Context Root? example.com/ ? example.com/lincoln ? example.com/lincoln/lincoln ?
  • 55. Resolve the Context Root. [Diagram: for http://example.com/lincoln the client sends HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath; the server responds 200 OK and sets the header ContextPath = /]
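The server half of the HEAD exchange on slide 55, as an added example written against the plain javax.servlet API; it is not code from the talk or from the Rewrite project, and how Rewrite itself answers the probe is not shown on the page. The probe parameter name is the one on the slide; the class name, the `ContextPath` header value format and the `Cache-Control` choice are assumptions made for the example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the talk or the Rewrite project).
 *   HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath
 *   200 OK  ContextPath: /
 * A browser application that was bookmarked at example.com/lincoln/myproject
 * cannot tell from the path alone whether "lincoln" is the context root or a
 * route; this filter lets it ask the server instead of guessing.
 */
@WebFilter("/*")
public class ContextPathProbeFilter implements Filter {

    // Probe parameter name as shown on the slide.
    static final String PROBE = "org.ocpsoft.rewrite.history.ContextPath";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Answer only HEAD requests that carry the probe; every other request
        // flows through to the application untouched. The parameter has no
        // value, so check for the key rather than a non-null value.
        if ("HEAD".equals(request.getMethod()) && request.getParameterMap().containsKey(PROBE)) {
            response.setStatus(HttpServletResponse.SC_OK);
            response.setHeader("ContextPath", contextPathWithSlash(request));
            // The answer depends on deployment, not on the path asked for;
            // keep intermediaries from serving it for an unrelated app.
            response.setHeader("Cache-Control", "no-store");
            return;
        }
        chain.doFilter(req, res);
    }

    // The servlet API reports a root deployment as "" and any other as
    // "/myapp"; the client wants a prefix it can strip from location.pathname.
    static String contextPathWithSlash(HttpServletRequest request) {
        String ctx = request.getContextPath();
        return ctx.isEmpty() ? "/" : ctx + "/";
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

With the header in hand, the client strips the prefix from its own location and treats the remainder (`lincoln/myproject` for a root deployment, `myproject` for a deployment under `/lincoln`) as the route to restore, which is the bookmark handling of slide 53 without the `#!` fragments of slide 51. The response carries no body and reveals nothing beyond the context path, which the application already sends in every absolute link.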
  • 56. Demos
    ● Access control (Request Interception)
    ● REST (Validation and Conversion)
    ● Composite Query (Security and Usability)
    ● SocialPM Rich Client (Browser Applications)
  • 57. Mind the gap.
    ● Gap #1: “Relocated” resources (404)
    ● Gap #2: Readability & Clutter
    ● Gap #3: Revealing sensitive information
    ● Gap #4: Formatting useful information
    ● Gap #5: Validation of URLs
    ● … (and actually many more)
  • 58. One big thing.“Without URL-rewriting, our life would be $#@!ing hell.”
  • 59. /questions
  • 60. @lincolnthree @lincolnthree @lincolnthree
  • 61. You have options, but if you liked what you saw...
    ● Try it now: ocpsoft.org/rewrite
    ● Get involved: github.com/ocpsoft/rewrite