2012 03 27_philly_jug_rewrite_static
Presentation Transcript

  • Philly Java Users Group. Security and Usability: URL-rewriting for the next-generation web user. Lincoln Baxter, III, Senior Software Engineer, Founder, Red Hat, Inc. http://ocpsoft.org/ 2012-03-27. “Simpler is better.”
  • What is URL-rewriting? Any manipulation of the HTTP Request/Response life-cycle.
  • Mind the gap.
    ● Gap #1: “Relocated” or missing resources
    ● Gap #2: Readability & Clutter
    ● Gap #3: Revealing sensitive information
    ● Gap #4: Formatting of useful information
    ● Gap #5: Validation of user input
    ● … (and actually many more)
  • One big thing. “Without URL-rewriting, our life would be $#@!ing hell.”
  • Gap #1: “Relocated” or missing resources
  • 404slide not found
  • wtf?
  • robo.to
  • github.com
  • blippy.com
  • What does it mean?
  • Distraction from failure.
  • 1. The content existed and now does not.
    2. The content never existed, fool.
  • Translated. “Either the website sucks or you suck, and neither is going to make anyone happy.”
  • 2 ways to have a magical 404 experience ...
  • 301 Moved Permanently
    302 Moved Temporarily
  • Google says, “Redirect to the new URL for at least 180 days.”
  • Gap #2: URL-readability http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846 wtf?
  • We are friends.
  • http://amazon.com/shop/kindle-touch
  • Tired of trash in your face? http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
  • There's plenty of space out in space! http://amazon.com/shop/kindle-touch?tracker=AAasfds3r32ydkl6fd854kdjf84hfidbdgv64n0curnoxydkl6fd854kdjf84hfidbdgv64n0ge8nfbh...
  • Gap #3: Revealing sensitive information. Visit: http://microsoft.com/genuine/downloads/faq.aspx You will be redirected to a page without the .aspx suffix.
  • .xhtml .do .asp .jsp / .php .cgi .jsf
  • A good magician never reveals the implementation.
  • Gap #4: Formatting of useful information http://example.com/buy/1/shoes/store
  • Be cool.
    http://example.com/store/shoes/1
    http://example.com/store/shoes/1/buy
    http://example.com/store?buy=true&category=shoes&item=135
  • Why are people afraid of buying used cars?
  • You never know what you are going to get.
  • Trust me? http://www.youtube.com/watch?v=oHg5SJYRHA0
  • Build trust by reducing clutter & using clean URLs. Before: http://example.com/news.xhtml?p=my-new-post After: http://example.com/news/my-new-post/
  • Gap #5: Validation of user input. URLs are user input and your website is vulnerable!
  • Aspect Security says: Two of three recent security vulnerabilities in web-frameworks are URL-based. ** https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
  • Real Life... http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp
  • http://llbean.com/kids
  • Vulnerable! Cluttered! wtf? validate? http://www.llbean.com/webapp/wcs/stores/servlet/CategoryDisplay?categoryId=28&storeId=1&catalogId=1&langId=-1&nav=hp-gndp
  • Mind the gap.
    ● Gap #1: “Relocated” resources (404)
    ● Gap #2: Readability & Clutter
    ● Gap #3: Revealing sensitive information
    ● Gap #4: Formatting of useful information
    ● Gap #5: Validation of user input
  • URL-rewriting
  • Basic things we can do with all types of URL-rewriting
    ● Redirection & Relocation
    ● Parameterization: /store/{category}/{item}
    ● Simple URL validation: /store/$attack-%3/begin
    ● Add/Remove Headers: Accept-Charset: UTF-8
  • URL-rewriting: Proxy based (Non-Java)
  • Inbound only.
  • URL-rewriting: Filter Based (Native Java)
  • blatant lie: “I have no personal investment in any of these tools.” - Me
  • Cool things we can do with Filter-based Java URL-rewriting
    ● Transformation and Canonicalization: example.com/project/FOO → example.com/project/foo
    ● Complex Validation
    ● Data Conversion
    ● Request interception
    ● And more...
    Slide code (Rewrite configuration):
        .when(Path.matches("/store/product/{pid}")
              .where("pid")
              .bindsTo(El.property("productBean.product")
                         .convertedBy(ProductConverter.class)
                         .validatedBy(ProductValidator.class)))
  • Some things you should NOT do with Java URL-rewriting: If it needs to run when your app doesn't... you probably don't want to put it in your app.
  • Demos (It's *barcode time)
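The three gaps the deck closes with filter-based rewriting (relocation with a 301, hiding the view suffix, validating URL input) written out as a plain servlet Filter. This is an added example, not the deck's code and not OCPSoft Rewrite; it assumes the application's real views are /news.xhtml?p=<slug> (from the Before/After slide) and a hypothetical /store.xhtml?category=..&item=..[&buy=true].

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the deck's code, not OCPSoft Rewrite): a plain servlet
// Filter doing the deck's rewriting by hand. Assumes the real views are
// /news.xhtml?p=<slug> and a hypothetical /store.xhtml?category=..&item=..[&buy=true].
public class CleanUrlFilter implements Filter {
    // Gap #5: path segments are user input; accept only a tight whitelist.
    private static final Pattern STORE =
        Pattern.compile("^/store/([a-z][a-z0-9-]{0,31})/([0-9]{1,9})(/buy)?$");
    private static final Pattern SLUG = Pattern.compile("^[a-z0-9-]{1,64}$");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();
        String path = request.getRequestURI().substring(ctx.length()); // raw, still percent-encoded
        // Gap #1: the old /news.xhtml?p=... URL answers with a 301 to the clean
        // form, so bookmarks and search engines move instead of hitting a 404.
        String slug = request.getParameter("p");
        if ("/news.xhtml".equals(path) && slug != null) {
            if (!SLUG.matcher(slug).matches()) {      // never echo unvalidated input into Location
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", ctx + "/news/" + slug + "/");
            return;
        }
        // Gaps #3 and #5: clean /store/{category}/{item}[/buy] is validated by the
        // regex, then forwarded internally; the .xhtml suffix never leaves the server.
        Matcher m = STORE.matcher(path);
        if (m.matches()) {
            String target = "/store.xhtml?category=" + m.group(1) + "&item=" + m.group(2)
                + (m.group(3) != null ? "&buy=true" : "");
            request.getRequestDispatcher(target).forward(req, res);
            return;
        }
        chain.doFilter(req, res);                     // anything else passes through untouched
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Because the regexes only admit lowercase letters, digits and hyphens, an encoded or otherwise unexpected segment (the deck's /store/$attack-%3/begin) never matches and simply falls through to the default handling.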
  • Access Control / Timer Demo ( http://access-rewrite.rhcloud.com/ )
    ● Problem #1: “Relocated” resources (404)
    ● Problem #2: Readability & Clutter
    ● Problem #3: Revealing sensitive information
    ● Problem #4: Formatting useful information
    ● Problem #5: Validation of user input
  • Rest Validation/Conversion Demo ( http://rest-rewrite.rhcloud.com )
    ● Problem #1: “Relocated” resources (404)
    ● Problem #2: Readability & Clutter
    ● Problem #3: Revealing sensitive information
    ● Problem #4: Formatting useful information
    ● Problem #5: Validation of user input
  • Composite Query Demo ( http://composite-rewrite.rhcloud.com )
    ● Problem #1: “Relocated” resources (404)
    ● Problem #2: Readability & Clutter
    ● Problem #3: Revealing sensitive information
    ● Problem #4: Formatting useful information
    ● Problem #5: Validation of user input
  • Bonus round! But client-side web applications are the future, can't I just ignore the URL and use WebSockets?!
  • Client side browser applications (diagram: the browser requests http://twitter.com/#!/lincolnthree; the server serves the application and the client handles fragments such as #!/lincolnthree, #!/connect, #!/discover, #!/lincolnthree/status/180710662975143936, #!/li)
  • How can we clean it up? (diagram: request/response between the browser and http://example.com/, with clean URLs example.com/login, example.com/signup, example.com/lincoln/myproject)
  • Handling bookmarks (diagram: the server inspects the requested path, e.g. example.com/, example.com/login, example.com/lincoln/myproject, and serves the matching view: /, login, lincoln/... profile)
  • Where am I? example.com/ example.com/lincoln example.com/lincoln/myproject example.com/lincoln/lincoln
    How do you determine the Context Root? example.com/ ? example.com/lincoln ? example.com/lincoln/lincoln ?
  • Resolve the Context Root (diagram: for http://example.com/lincoln the client sends HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath; the server responds 200 OK and sets the header ContextPath = /)
  • Demos
    ● Access control (Request Interception)
    ● REST (Validation and Conversion)
    ● Composite Query (Security and Usability)
    ● SocialPM Rich Client (Browser Applications)
  • Mind the gap.
    ● Gap #1: “Relocated” resources (404)
    ● Gap #2: Readability & Clutter
    ● Gap #3: Revealing sensitive information
    ● Gap #4: Formatting useful information
    ● Gap #5: Validation of URLs
    ● … (and actually many more)
  • One big thing. “Without URL-rewriting, our life would be $#@!ing hell.”
  • /questions
  • @lincolnthree @lincolnthree @lincolnthree
  • You have options, but if you liked what you saw...
    ● Try it now: ocpsoft.org/rewrite
    ● Get involved: github.com/ocpsoft/rewrite