Java Web Application SecurityDevelop. Penetrate. Protect. Relax.Matt Raiblehttp://raibledesigns.com@mraible       Images b...
Introductions Your experience with web development? Your experience with implementing security? Have you used Java EE 6, S...
Blogger on                                        Father, Skier,raibledesigns.com                                    Cycli...
Why am I here?Purpose To learn more about Java webapp security and transform myself into a security expert.Goals Show how ...
Session AgendaSecurity Development  Java EE 6, Spring Security, Apache Shiro  SSL and TestingVerifying Security  OWASP Top...
Develop          © 2011 Raible Designs
Dynamic Language Support?If it deploys on Tomcat, it has a web.xml.  Grails  JRuby on Rails  Lift  Play! Framework        ...
Java EE 6Security constraints defined in web.xml  web resource collection - URLs and methods  authorization constraints - r...
Java EE 6 Demohttp://www.youtube.com/watch?v=8bXBGU7uo4o                    © 2011 Raible Designs
Servlet 3.0 HttpServletRequest   authenticate(response)   login(user, pass)   logout()   getRemoteUser()   isUserInRole(na...
Servlet 3.0 and JSR 250Annotations  @ServletSecurity  @HttpMethodConstraint  @HttpConstraint  @RolesAllowed  @PermitAll  @...
Java EE Security Limitations No error messages for failed logins No Remember Me Container has to be configured Doesn’t supp...
Spring Security Filter defined in web.xml Separate security context file loaded by Spring   Defines URLs, Roles and Authentic...
Spring Security Demohttp://www.youtube.com/watch?v=poc5dyImbig                     © 2011 Raible Designs
Securing Methods<global-method-security secured-annotations="enabled"/>   @Secured("IS_AUTHENTICATED_ANONYMOUSLY")   publi...
Securing Methods 3.0<global-method-security pre-post-annotations="enabled"/>   @PreAuthorize("isAnonymous()")   public Acc...
Spring Security Limitations Authentication mechanism in WAR Securing methods only works on Spring beans My remember me exa...
Apache ShiroFilter defined in web.xmlshiro.ini loaded from classpath  [main], [urls], [roles]CryptographySession Management...
Apache Shiro Demohttp://www.youtube.com/watch?v=YJByiDvOhsc                     © 2011 Raible Designs
Apache Shiro LimitationsLimited DocumentationGetting Roles via LDAPnot supportedNo out-of-box supportfor KerberosREST Supp...
Testing with SSLCargo doesn’t support http andhttps at same timeJetty and Tomcat plugins workfor bothPass javax.net.ssl.tr...
Ajax Loginhttp://raibledesigns.com/rd/entry/implementing_ajax_authentication_using_jquery                                 ...
Securing a REST APIUse Basic or FormAuthenticationUse Developer KeysUse OAuth                     © 2011 Raible Designs
OAuth        © 2011 Raible Designs
REST Security and OAuth Demo    http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt    http://raibledesigns.com/...
REST Security ResourcesImplementing REST Authentication  http://www.objectpartners.com/2011/06/16/  implementing-rest-auth...
PenetrateOWASP Testing Guide and Code Review GuideOWASP Top 10OWASP Zed Attack ProxyBurp SuiteOWASP WebGoat               ...
OWASPThe Open Web Application Security Project (OWASP) isan open community dedicated to enablingorganizations to develop, ...
Penetration Testing Demohttp://raibledesigns.com/rd/entry/java_web_application_security_part4                             ...
7 Security (Mis)Configurations in web.xml1. Error pages not configured2. Authentication &   Authorization Bypass3. SSL Not C...
7 Security (Mis)Configurations5. Not Using the HttpOnly   Flag6. Using URL Parameters for   Session Tracking7. Not Setting ...
Protecting Ajax Login<session-config>    <session-timeout>15</session-timeout>    <cookie-config>        <http-only>true</...
OWASP Top 10 for 20101. Injection2. Cross-Site Scripting (XSS)3. Broken Authentication and Session   Management4. Insecure...
OWASP Top 10 for 20106. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insuf...
ProtectFirewallsIDS and IDPsAuditsPenetration TestsCode Reviews with StaticAnalysis Tools                     © 2011 Raibl...
Firewalls Stateless Firewalls Stateful Firewalls   Invented by Nir Zuk at   Check Point in the mid-90s Web App Firewalls  ...
Gartner on Firewalls            © 2011 Raible Designs
RelaxWeb App Firewalls: Imperva, F5, Breach  Open Source: WebNight and ModSecurityStateful Firewalls: Juniper, Check Point...
Remember...“Security is a quality, and as all other quality, it isimportant that we build it into our apps while we aredev...
Action! Use OWASP and Open Source Security Frameworks   Don’t be afraid to contribute! Follow the Security Street Fighter ...
Questions?Contact Information  http://raibledesigns.com  @mraibleMy Presentations  http://slideshare.net/mraible          ...
Upcoming SlideShare
Loading in …5
×

Java Web Application Security - UberConf 2011

3,373
-1

Published on

During this presentation, I demonstrate how to implement authentication in your Java web applications using good ol' Java EE Container Managed Authentication, Spring Security and Apache Shiro. You'll also learn how to secure your REST API with OAuth and lock it down with SSL.

After learning how to develop authentication, I'll introduce you to pentest your app, as well as OWASP, the OWASP Top 10, its Testing Guide and its Code Review Guide.

Much of this talk is contained in demos and tutorials, which are available on my blog at http://raibledesigns.com/rd/tags/security and http://youtube.com/mraible.

Published in: Technology, Education
1 Comment
3 Likes
Statistics
Notes
No Downloads
Views
Total Views
3,373
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
121
Comments
1
Likes
3
Embeds 0
No embeds

No notes for slide

Java Web Application Security - UberConf 2011

  1. 1. Java Web Application SecurityDevelop. Penetrate. Protect. Relax.Matt Raiblehttp://raibledesigns.com@mraible Images by Stuck in Customs - http://www.flickr.com/photos/stuckincustoms © 2011 Raible Designs
  2. 2. Introductions Your experience with web development? Your experience with implementing security? Have you used Java EE 6, Spring Security or Apache Shiro? What do you want to get from this talk? © 2011 Raible Designs
  3. 3. Blogger on Father, Skier,raibledesigns.com Cyclist Founder of AppFuse Web Framework Connoisseur Who is Matt Raible? © 2011 Raible Designs
  4. 4. Why am I here?Purpose To learn more about Java webapp security and transform myself into a security expert.Goals Show how to implement Java webapp security. Show how to penetrate a Java webapp. Show how to fix vulnerabilities. © 2011 Raible Designs
  5. 5. Session AgendaSecurity Development Java EE 6, Spring Security, Apache Shiro SSL and TestingVerifying Security OWASP Top 10 & Zed Attack ProxyCommercial Tools and ServicesConclusion Develop Penetrate Protect Relax © 2011 Raible Designs
  6. 6. Develop © 2011 Raible Designs
  7. 7. Dynamic Language Support?If it deploys on Tomcat, it has a web.xml. Grails JRuby on Rails Lift Play! Framework © 2011 Raible Designs
  8. 8. Java EE 6Security constraints defined in web.xml web resource collection - URLs and methods authorization constraints - role names user data constraint - HTTP or HTTPSUser Realm defined by App ServerDeclarative or Programmatic AuthenticationAnnotations Support © 2011 Raible Designs
  9. 9. Java EE 6 Demohttp://www.youtube.com/watch?v=8bXBGU7uo4o © 2011 Raible Designs
  10. 10. Servlet 3.0 HttpServletRequest authenticate(response) login(user, pass) logout() getRemoteUser() isUserInRole(name) © 2011 Raible Designs
  11. 11. Servlet 3.0 and JSR 250Annotations @ServletSecurity @HttpMethodConstraint @HttpConstraint @RolesAllowed @PermitAll @DenyAll © 2011 Raible Designs
  12. 12. Java EE Security Limitations No error messages for failed logins No Remember Me Container has to be configured Doesn’t support regular expressions for URLs © 2011 Raible Designs
  13. 13. Spring Security Filter defined in web.xml Separate security context file loaded by Spring Defines URLs, Roles and Authentication Providers Defines UserService (provided or custom) Password Encoding Remember Me © 2011 Raible Designs
  14. 14. Spring Security Demohttp://www.youtube.com/watch?v=poc5dyImbig © 2011 Raible Designs
  15. 15. Securing Methods<global-method-security secured-annotations="enabled"/> @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account readAccount(Long id); @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account[] findAccounts(); @Secured("ROLE_TELLER") public Account post(Account account, double amount);<global-method-security jsr250-annotations="enabled"/> © 2011 Raible Designs
  16. 16. Securing Methods 3.0<global-method-security pre-post-annotations="enabled"/> @PreAuthorize("isAnonymous()") public Account readAccount(Long id); @PreAuthorize("isAnonymous()") public Account[] findAccounts(); @PreAuthorize("hasAuthority(ROLE_TELLER)") public Account post(Account account, double amount); © 2011 Raible Designs
  17. 17. Spring Security Limitations Authentication mechanism in WAR Securing methods only works on Spring beans My remember me example doesn’t work © 2011 Raible Designs
  18. 18. Apache ShiroFilter defined in web.xmlshiro.ini loaded from classpath [main], [urls], [roles]CryptographySession Management © 2011 Raible Designs
  19. 19. Apache Shiro Demohttp://www.youtube.com/watch?v=YJByiDvOhsc © 2011 Raible Designs
  20. 20. Apache Shiro LimitationsLimited DocumentationGetting Roles via LDAPnot supportedNo out-of-box supportfor KerberosREST Support needswork © 2011 Raible Designs
  21. 21. Testing with SSLCargo doesn’t support http andhttps at same timeJetty and Tomcat plugins workfor bothPass javax.net.ssl.trustStore &javax.net.ssl.trustStorePasswordto maven-failsafe-plugin as<systemPropertyVariables> © 2011 Raible Designs
  22. 22. Ajax Loginhttp://raibledesigns.com/rd/entry/implementing_ajax_authentication_using_jquery © 2011 Raible Designs
  23. 23. Securing a REST APIUse Basic or FormAuthenticationUse Developer KeysUse OAuth © 2011 Raible Designs
  24. 24. OAuth © 2011 Raible Designs
  25. 25. REST Security and OAuth Demo http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt http://raibledesigns.com/rd/entry/grails_oauth_and_linkedin_apis © 2011 Raible Designs
  26. 26. REST Security ResourcesImplementing REST Authentication http://www.objectpartners.com/2011/06/16/ implementing-rest-authentication/OAuth2’s “Client Credentials” API Key Grant Type http://stackoverflow.com/questions/6190381/how- to-keep-the-client-credentials-confidential-while- using-oauth2s-resource-ow (http://bit.ly/k5LqsH) Thanks to @kdonald for the link! © 2011 Raible Designs
  27. 27. PenetrateOWASP Testing Guide and Code Review GuideOWASP Top 10OWASP Zed Attack ProxyBurp SuiteOWASP WebGoat © 2011 Raible Designs
  28. 28. OWASPThe Open Web Application Security Project (OWASP) isan open community dedicated to enablingorganizations to develop, purchase, and maintainapplications that can be trusted. At OWASP you’ll findfree and open ... Application security tools, complete books, standard security controls and libraries, cutting edge research http://www.owasp.org © 2011 Raible Designs
  29. 29. Penetration Testing Demohttp://raibledesigns.com/rd/entry/java_web_application_security_part4 © 2011 Raible Designs
  30. 30. 7 Security (Mis)Configurations in web.xml1. Error pages not configured2. Authentication & Authorization Bypass3. SSL Not Configured4. Not Using the Secure Flag http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files © 2011 Raible Designs
  31. 31. 7 Security (Mis)Configurations5. Not Using the HttpOnly Flag6. Using URL Parameters for Session Tracking7. Not Setting a Session Timeout http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files © 2011 Raible Designs
  32. 32. Protecting Ajax Login<session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> <tracking-mode>COOKIE</tracking-mode></session-config><form action="${ctx}/j_security_check" id="loginForm" method="post" autocomplete="off"> © 2011 Raible Designs
  33. 33. OWASP Top 10 for 20101. Injection2. Cross-Site Scripting (XSS)3. Broken Authentication and Session Management4. Insecure Direct Object References5. Cross-Site Request Forgery (CSRF) © 2011 Raible Designs
  34. 34. OWASP Top 10 for 20106. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10.Unvalidated Redirects and Forwards © 2011 Raible Designs
  35. 35. ProtectFirewallsIDS and IDPsAuditsPenetration TestsCode Reviews with StaticAnalysis Tools © 2011 Raible Designs
  36. 36. Firewalls Stateless Firewalls Stateful Firewalls Invented by Nir Zuk at Check Point in the mid-90s Web App Firewalls Inspired by the 1996 PHF CGI exploit WAF Market $234m in 2010 © 2011 Raible Designs
  37. 37. Gartner on Firewalls © 2011 Raible Designs
  38. 38. RelaxWeb App Firewalls: Imperva, F5, Breach Open Source: WebNight and ModSecurityStateful Firewalls: Juniper, Check Point, Palo AltoIDP/IDS: Sourcefire, TippingPoint Open Source: SnortAudits: ENY, PWC, Grant ThorntonPen Testing: WhiteHat, Trustwave, Electric Alchemy Open Source: OWASP ZAPStatic Analysis: Fortify, Veracode © 2011 Raible Designs
  39. 39. Remember...“Security is a quality, and as all other quality, it isimportant that we build it into our apps while we aredeveloping them, not patching it on afterwards likemany people do.” -- Erlend OftedalFrom: http://bit.ly/mjufjR © 2011 Raible Designs
  40. 40. Action! Use OWASP and Open Source Security Frameworks Don’t be afraid to contribute! Follow the Security Street Fighter Blog http://software-security.sans.org/blog Use OWASP ZAP to pentest your apps Don’t be afraid of security! © 2011 Raible Designs
  41. 41. Questions?Contact Information http://raibledesigns.com @mraibleMy Presentations http://slideshare.net/mraible © 2011 Raible Designs
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×