Java Web Application Security - Denver JUG 2013


During this presentation, you'll learn how to implement authentication in your Java web applications using good ol' Java EE 6 Security, Spring Security and Apache Shiro. You'll also learn how to secure your REST API with OAuth and lock it down with SSL.

After learning how to integrate security, I'll show how to use Zed Attack Proxy to pentest your app and fix vulnerabilities.

    Presentation Transcript

    • Java Web Application Security
      Matt Raible
      http://raibledesigns.com
      @mraible
      Photos by Trish - http://mcginityphoto.com
      © 2013 Raible Designs
    • Who is Matt Raible?
      Father, Skier, Cyclist
      Web Framework Connoisseur
      Founder of AppFuse
      Blogger on raibledesigns.com
    • Why am I here?
      Purpose: To learn more about Java webapp security and transform myself into a security expert.
      Goals: Show how to implement Java webapp security. Show how to penetrate a Java webapp. Show how to fix vulnerabilities.
    • Why are you here?
      For the free beer?
      Because you care about security?
      Have you used Java EE 6, Spring Security or Apache Shiro?
      What do you want to get from this talk?
    • Session Agenda
      Security Development: Java EE 6, Spring Security, Apache Shiro, SSL and Testing
      Verifying Security: OWASP Top 10 & Zed Attack Proxy
      Commercial Tools and Services
      Conclusion
      Develop, Penetrate, Protect, Relax
    • Develop
    • Dynamic Language Support?
      If it deploys on Tomcat, it has a web.xml: Grails, JRuby on Rails, Lift, Play! Framework
    • Java EE 6
      Security constraints defined in web.xml:
        web resource collection - URLs and methods
        authorization constraints - role names
        user data constraint - HTTP or HTTPS
      User Realm defined by App Server
      Declarative or Programmatic Authentication
      Annotations Support
    • Java EE 6 Demo
      http://www.youtube.com/watch?v=8bXBGU7uo4o
    • Servlet 3.0 HttpServletRequest
      authenticate(response)
      login(user, pass)
      logout()
      getRemoteUser()
      isUserInRole(name)
    • Servlet 3.0 and JSR 250 Annotations
      @ServletSecurity, @HttpMethodConstraint, @HttpConstraint
      @RolesAllowed, @PermitAll, @DenyAll
    • Java EE Security Limitations
      No error messages for failed logins
      No Remember Me
      Container has to be configured
      Doesn't support regular expressions for URLs
    • Spring Security
      Filter defined in web.xml
      Separate security context file loaded by Spring
      Defines URLs, Roles and Authentication Providers
      Defines UserService (provided or custom)
      Password Encoding
      Remember Me
    • Spring Security Demo
      http://www.youtube.com/watch?v=poc5dyImbig
    • Securing Methods
      <global-method-security secured-annotations="enabled"/>

      @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
      public Account readAccount(Long id);

      @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
      public Account[] findAccounts();

      @Secured("ROLE_TELLER")
      public Account post(Account account, double amount);

      <global-method-security jsr250-annotations="enabled"/>
    • Securing Methods 3.x
      <global-method-security pre-post-annotations="enabled"/>

      @PreAuthorize("isAnonymous()")
      public Account readAccount(Long id);

      @PreAuthorize("isAnonymous()")
      public Account[] findAccounts();

      @PreAuthorize("hasAuthority('ROLE_TELLER')")
      public Account post(Account account, double amount);
    • Spring Security Limitations
      Authentication mechanism in WAR
      Securing methods only works on Spring beans
      My remember me example doesn't work
    • Apache Shiro
      Filter defined in web.xml
      shiro.ini loaded from classpath: [main], [urls], [roles]
      Cryptography
      Session Management
    • Apache Shiro Demo
      http://www.youtube.com/watch?v=YJByiDvOhsc
    • Apache Shiro Limitations
      Limited Documentation
      Getting Roles via LDAP not supported
      No out-of-box support for Kerberos
      REST Support needs work
    • Testing with SSL
      Cargo doesn't support http and https at the same time
      Jetty and Tomcat plugins work for both
      Pass javax.net.ssl.trustStore & javax.net.ssl.trustStorePassword to maven-failsafe-plugin as <systemPropertyVariables>
    • Ajax Login
      http://raibledesigns.com/rd/entry/implementing_ajax_authentication_using_jquery
    • Securing a REST API
      Use Basic or Form Authentication
      Use Developer Keys
      Use OAuth
    • OAuth
    • REST Security and OAuth Demo
      http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt
      http://raibledesigns.com/rd/entry/grails_oauth_and_linkedin_apis
    • Integrating OAuth with AppFuse and REST
      http://raibledesigns.com/rd/entry/integrating_oauth_with_appfuse_and
    • REST Security Resources
      Implementing REST Authentication
      http://www.objectpartners.com/2011/06/16/implementing-rest-authentication/
      Swagger ApiAuthorizationFilter
      https://github.com/wordnik/swagger-core/tree/master/samples/java-jaxrs
    • REST Security Resources
      Spring Security OAuth - version 1.0.1
      Spring Social - version 1.0.2: Facebook, Twitter, LinkedIn, TripIt, and GitHub Bindings
    • Penetrate
      OWASP Testing Guide and Code Review Guide
      OWASP Top 10
      OWASP Zed Attack Proxy
      Burp Suite
      OWASP WebGoat
    • OWASP
      The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.
      At OWASP you'll find free and open ... application security tools, complete books, standard security controls and libraries, cutting edge research
      http://www.owasp.org
    • Penetration Testing Demo
      http://raibledesigns.com/rd/entry/java_web_application_security_part4
    • Fixing ZAP Vulnerabilities
      <session-config>
        <session-timeout>15</session-timeout>
        <cookie-config>
          <http-only>true</http-only>
          <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
      </session-config>

      <form action="${ctx}/j_security_check" id="loginForm" method="post" autocomplete="off">
    • 7 Security (Mis)Configurations in web.xml
      1. Error pages not configured
      2. Authentication & Authorization Bypass
      3. SSL Not Configured
      4. Not Using the Secure Flag
      http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files
    • 7 Security (Mis)Configurations
      5. Not Using the HttpOnly Flag
      6. Using URL Parameters for Session Tracking
      7. Not Setting a Session Timeout
      http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files
    • OWASP Top 10 for 2010
      1. Injection
      2. Cross-Site Scripting (XSS)
      3. Broken Authentication and Session Management
      4. Insecure Direct Object References
      5. Cross-Site Request Forgery (CSRF)
    • OWASP Top 10 for 2010
      6. Security Misconfiguration
      7. Insecure Cryptographic Storage
      8. Failure to Restrict URL Access
      9. Insufficient Transport Layer Protection
      10. Unvalidated Redirects and Forwards
    • Protect
      [SWAT] Checklist
      Firewalls
      IDS and IDPs
      Audits
      Penetration Tests
      Code Reviews with Static Analysis Tools
    • Firewalls
      Stateless Firewalls
      Stateful Firewalls: invented by Nir Zuk at Check Point in the mid-90s
      Web App Firewalls: inspired by the 1996 PHF CGI exploit
      WAF Market: $234m in 2010
    • Gartner on Firewalls
    • Content Security Policy
      An HTTP header with a whitelist of trusted content
      Bans inline <script> tags, inline event handlers and javascript: URLs
      No eval(), new Function(), setTimeout or setInterval
      Supported in Chrome 16+, Safari 6+, and Firefox 4+, and (very) limited in IE 10
    • Content Security Policy
    • Relax
      Web App Firewalls: Imperva, F5, Breach; Open Source: WebKnight and ModSecurity
      Stateful Firewalls: Juniper, Check Point, Palo Alto
      IDP/IDS: Sourcefire, TippingPoint; Open Source: Snort
      Audits: ENY, PWC, Grant Thornton
      Pen Testing: WhiteHat, Trustwave, Electric Alchemy; Open Source: OWASP ZAP
      Static Analysis: Fortify, Veracode
    • Remember...
      "Security is a quality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do." -- Erlend Oftedal
      From a comment on my blog: http://bit.ly/mjufjR
    • Action!
      Use OWASP and Open Source Security Frameworks
      Don't be afraid to contribute!
      Follow the Security Street Fighter Blog: http://software-security.sans.org/blog
      Use OWASP ZAP to pentest your apps
      Don't be afraid of security!
    • Additional Reading
      Securing a JavaScript-based Web Application: http://eoftedal.github.com/WebRebels2012
      Michal Zalewski's "The Tangled Web": http://lcamtuf.coredump.cx/tangled
    • Additional Resources
      OWASP Denver: https://www.owasp.org/index.php/Denver
      Next Meeting: Wednesday, February 20, 6-8pm
      Front Range OWASP Security Conference: March 28 - 29 in Denver
      David Campbell of Electric Alchemy: http://www.electricalchemy.net
    • Questions?
      Contact Information: http://raibledesigns.com @mraible
      My Presentations: http://slideshare.net/mraible
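The Servlet 3.0 methods and annotations listed on the "Servlet 3.0 HttpServletRequest" and "Servlet 3.0 and JSR 250 Annotations" slides, put together as an added example that is not code from the talk. The paths, the role name "user" and the form field names are assumptions; login() checks the credentials against whatever realm the container has been configured with.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login endpoint (added example): Servlet 3.0 programmatic authentication. */
@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Drop any pre-login session so a fixated session id does not survive authentication.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        try {
            // Checked against the realm the app server is configured with; throws on failure.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException failed) {
            // Unlike container-managed FORM login, the app sees the failure and can report it.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid username or password");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    /** DELETE /login ends the login: clear the caller identity, then the session itself. */
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException {
        req.logout();
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

/** Hypothetical protected page: declarative constraint for role "user", HTTPS only. */
@WebServlet("/account")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user", transportGuarantee = TransportGuarantee.CONFIDENTIAL))
class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + req.getRemoteUser() + " admin=" + req.isUserInRole("admin"));
    }
}
```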
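The web.xml hardening from the "Fixing ZAP Vulnerabilities" and "7 Security (Mis)Configurations" slides, together with the header from the "Content Security Policy" slide, done with the Servlet 3.0 programmatic API instead of web.xml. This is an added example, not code from the talk; the listener and filter names and the policy value are assumptions.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical listener (added example): the slides' web.xml hardening, applied in code. */
@WebListener
public class SecurityHardeningListener implements ServletContextListener, HttpSessionListener {
    // Whitelist from the CSP slide: same-origin content only, which also bans inline script.
    static final String CSP = "default-src 'self'";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // misconfiguration 5: JSESSIONID unreadable from JavaScript
        cookie.setSecure(true);   // misconfiguration 4: cookie only sent over HTTPS
        // misconfiguration 6: session id in a cookie only, never ;jsessionid= in the URL
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // Send the CSP header on every request
        ctx.addFilter("csp", new CspFilter())
           .addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // misconfiguration 7: 15 minute idle timeout, the same value as the slide's <session-timeout>
        se.getSession().setMaxInactiveInterval(15 * 60);
    }

    @Override public void contextDestroyed(ServletContextEvent sce) { }
    @Override public void sessionDestroyed(HttpSessionEvent se) { }

    /** Sets the standard header plus the vendor-prefixed names that 2013-era browsers needed. */
    static class CspFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse http = (HttpServletResponse) res;
            http.setHeader("Content-Security-Policy", CSP);
            http.setHeader("X-Content-Security-Policy", CSP); // older Firefox, IE 10
            http.setHeader("X-WebKit-CSP", CSP);              // older Chrome, Safari 6
            chain.doFilter(req, res);
        }
        @Override public void init(FilterConfig fc) { }
        @Override public void destroy() { }
    }
}
```

Error pages (misconfiguration 1) and the HTTPS user-data constraint (misconfiguration 3) have no ServletContext setter in 3.0 and stay in web.xml or in @ServletSecurity annotations.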