Java EE 6 Security                         in practice with                             GlassFishMarkus Eisele & Masoud Ka...
Agenda• Introduction• The Top 10 Most Critical Web Application  Security Risks• Take Away
Masoud Kalali                                       Markus Eiselehttp://kalali.me                             http://blog....
Java EE 6 & GlassFish     glassfish.org
Galleria Projecthttps://bitbucket.org/VineetReynolds/java-ee-6-galleria/
Galleria Project           ?http://blog.eisele.net/2012/03/java-ee-6-galleria-example-part-1.html
Galleria and Security•   Form based authentication•   JDBCRealm•   request.login(userId, new String(password));•   @RolesA...
Motivation for this talk• Seen a lot of Java EE out there with no or not  enough security.• Providing you a starting point...
The Top 10 Most Critical Web Application Security Risks                            Attribution-ShareAlike 3.0 Unported (CC...
What is OWASP?• Open Web Application Security Project• Improving the security of (web) application software   – Not-for-pr...
A1 - Injection
What is it?• Sending unintended data to applications• Manipulating and reading Data stores (e.g. DB,  LDAP)• Java EE 6 aff...
Worst-Practice InjectionString id = "x; DROP TABLE members; --"; // user-inputQuery query = em.createNativeQuery("SELECT *...
Prevent Injection• Sanitize the input• Escape/Quotesafe the input• Use bound parameters (the PREPARE statement)• Limit dat...
A2 - Cross-Site Scripting (XSS)
What is it?• Inject malicious code into user interfaces• Get access to browser information   – E.g. javascript:alert(docum...
Worst Practices• Don’t sanitize at all<h:outputText value="#{user.content}" escape="false"/>• Sanitize on your own<ahref="...
Prevent• Sanitize the input• Escape/Quotesafe the input• Use Cookie flags:  – httpOnly (prevents XSS access)https://code.g...
A3 - Broken Authentication andSession Management
What is it?•   Container Security vs. own solution•   Session Binding / Session Renewal•   Password Strength (length/compl...
Worst Practice•   Authentication over http•   Custom security filter•   Not using Container Functionality•   No password s...
Best Practices• Go with provided Standard Realms and  LoginModules whenever possible• Use transport layer encryption (TLS/...
A4 – Insecure Direct Object References
What is it?• Accessing domain objects with their PK  https://you.com/user/1 => https://you.com/user/21• Opening opportunit...
Worst Practice• No data separation for users (tenants)• No request mode access for data (RUD)• No query constraints
Best Practices• Use AccessReferenceMaps• Use data-driven security• Perform data authorization on the view
A5 - Cross Site Request Forgery (CSRF)
What is it?• Basically a capture-replay attack• Malicious code executes functions on your  behalf while being authenticate...
Worst Practice•   Using a “secret Cookie”•   Only POST requests•   Wizard like transactions•   URL rewriting
Best Practices• Add Unpredictability (tokens)• CSRFPreventionForm  http://blog.eisele.net/2011/02/preventing-csrf-with-jsf...
A6 - Security Misconfiguration
What is it?• Applies to   –   Operating System   –   Application Server   –   Databases   –   Additional Services• Include...
Running GlassFish in aSecure Environment• Use the latest version (3.1.2.2)• Enable secure admin (TLS/https)• Use password ...
Review the *.policy files• server.policy and granted.policy• Remove unused grants• Add extra permissions only to applicati...
Worst Practices• Not to redirect the default pages• Using any defaults like:   – Passwords: Admin, master password   – Net...
A7 - Failure to Restrict URL Access
What is it?• Presentation layer access control• Related to A4 – Insecure Direct Object  References
Worst Practice• Using home-grown security features instead  of container provided ones• Assuming people wont know some URL...
Java EE 6• What you do to prevent A4 plus:  – Use Container security (security-constraint)  – Use programatic login of Jav...
Best Practices• Any no public URL should be protected• Use container authentication/authorization  features or extend on t...
A8 - Insecure Cryptographic Storage
What is it?• Sensitive data exposed to wrong persons• Could be:  – Passwords  – Financial/Health care data  – Credit cards
GlassFish• Protect the keystore• Protect sensitive data  – Use salted hashing or double hashing for    authentication real...
Worst Practices• Storing passwords in clear text without  aliasing or the proper store• Using file authentication realm• I...
Prevention• Identify sensitive data• Wisely encrypt sensitive data   – On every level (application, appserver, db)   – wit...
A9- Insufficient Transport Layer Protection
What is it?
Worst Practice• Using basic/form authentication without SSL• Not using HTTPS for pages with private  information• Using de...
GlassFish• Properly configure HTTPS listener/s (set the  right keystore)• Install the right server certificates to be used...
Java EE• Group the resources in regard to transport  sensitivity using web-resource-collection• Use user-data-constraint a...
Best Practice•   Use TLS on all connections with sensitive data•   Individually encrypt messages•   Sign messages before t...
A10 - Unvalidated Redirects and Forwards
What is it?• Redirecting to another URL computed by user  provided parameters• Forward to another URL computed by user  pr...
Java EE 6• Don’t use redirect or forward as much as possible• Accurately verify/validate the target URL before  forwarding...
Worst Practices• Not using a proper access control mechanism  (e.g container managed and proper security-  constraint )• R...
WRAP-UP
Galleria Wrap Up
Security isn‘t all candy..                         … but you will love it in the end!
CC picture reference•   http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/•   http://www.flickr.com/ph...
Security in practice with Java EE 6 and GlassFish
Upcoming SlideShare
Loading in...5
×

Security in practice with Java EE 6 and GlassFish

7,801

Published on

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
7,801
On Slideshare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
117
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Security in practice with Java EE 6 and GlassFish

  1. 1. Java EE 6 Security in practice with GlassFishMarkus Eisele & Masoud Kalali
  2. 2. Agenda• Introduction• The Top 10 Most Critical Web Application Security Risks• Take Away
  3. 3. Masoud Kalali Markus Eiselehttp://kalali.me http://blog.eisele.nethttp://twitter.com/MasoudKalali http://twitter.com/myfearMasoud.Kalali@oracle.com Markus.eisele@msg-systems.comsoftware engineer, Java EE 7 EG,author, blogger, architect, husband, father of two,climber and flute enthusiast photographer, speaker, writer
  4. 4. Java EE 6 & GlassFish glassfish.org
  5. 5. Galleria Projecthttps://bitbucket.org/VineetReynolds/java-ee-6-galleria/
  6. 6. Galleria Project ?http://blog.eisele.net/2012/03/java-ee-6-galleria-example-part-1.html
  7. 7. Galleria and Security• Form based authentication• JDBCRealm• request.login(userId, new String(password));• @RolesAllowed({ "RegisteredUsers" })Enough? State-of-the-Art? Feeling-good-with-it™?
  8. 8. Motivation for this talk• Seen a lot of Java EE out there with no or not enough security.• Providing you a starting point• Having seen a lot – sharing something• Making you aware about security• Finding out about “the security state of Galleria”
  9. 9. The Top 10 Most Critical Web Application Security Risks Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)Aka OWASP Top-10* Source: http://owasptop10.googlecode.com
  10. 10. What is OWASP?• Open Web Application Security Project• Improving the security of (web) application software – Not-for-profit organization since 2001 – Raise interest in secure development• Documents – Top 10 – Cheat Sheets – Development Guides• Solutions – Enterprise Security API (ESAPI) – WebScarab – WebGoat
  11. 11. A1 - Injection
  12. 12. What is it?• Sending unintended data to applications• Manipulating and reading Data stores (e.g. DB, LDAP)• Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP) – Database access (JPA, JDBC)
  13. 13. Worst-Practice InjectionString id = "x; DROP TABLE members; --"; // user-inputQuery query = em.createNativeQuery("SELECT * FROM PHOTOWHERE ID =" + id, Photo.class);Query query2 = em.createNativeQuery("SELECT * FROM MAGWHERE ID ?1", Magazine.class);query2.setParameter(1, id);
  14. 14. Prevent Injection• Sanitize the input• Escape/Quotesafe the input• Use bound parameters (the PREPARE statement)• Limit database permissions and segregate users• Use stored procedures for database access (might work)• Isolate the webserver• Configure error reporting
  15. 15. A2 - Cross-Site Scripting (XSS)
  16. 16. What is it?• Inject malicious code into user interfaces• Get access to browser information – E.g. javascript:alert(document.cookie)• Steal user’s session, steal sensitive data• rewrite web page• redirect user to phishing or malware site• Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  17. 17. Worst Practices• Don’t sanitize at all<h:outputText value="#{user.content}" escape="false"/>• Sanitize on your own<ahref="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=">Test</a>
  18. 18. Prevent• Sanitize the input• Escape/Quotesafe the input• Use Cookie flags: – httpOnly (prevents XSS access)https://code.google.com/p/owasp-esapi-java/
  19. 19. A3 - Broken Authentication andSession Management
  20. 20. What is it?• Container Security vs. own solution• Session Binding / Session Renewal• Password Strength (length/complexity)• Plain text passwords (http/https)• Password recovery• Number of factors used for authentication• Java EE 6 affected: – JAAS / JASPIC – Filter / PhaseListener – Container and Web-App configuration
  21. 21. Worst Practice• Authentication over http• Custom security filter• Not using Container Functionality• No password strength requirements• No HttpSession binding• Saving Passwords• Not testing security
  22. 22. Best Practices• Go with provided Standard Realms and LoginModules whenever possible• Use transport layer encryption (TLS/SSL)• Use Cookie flags: – secure (avoid clear text transmission)
  23. 23. A4 – Insecure Direct Object References
  24. 24. What is it?• Accessing domain objects with their PK https://you.com/user/1 => https://you.com/user/21• Opening opportunities for intruders• Information hiding on the client• Parameter value tampering• Java EE 6 affected: – All layers – Especially data access
  25. 25. Worst Practice• No data separation for users (tenants)• No request mode access for data (RUD)• No query constraints
  26. 26. Best Practices• Use AccessReferenceMaps• Use data-driven security• Perform data authorization on the view
  27. 27. A5 - Cross Site Request Forgery (CSRF)
  28. 28. What is it?• Basically a capture-replay attack• Malicious code executes functions on your behalf while being authenticated• Deep links make this easier• JavaEE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  29. 29. Worst Practice• Using a “secret Cookie”• Only POST requests• Wizard like transactions• URL rewriting
  30. 30. Best Practices• Add Unpredictability (tokens)• CSRFPreventionForm http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html• Use OWASP ESAPI http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross- site-request-forgery-csrf/
  31. 31. A6 - Security Misconfiguration
  32. 32. What is it?• Applies to – Operating System – Application Server – Databases – Additional Services• Includes (beside _many_ others) – Missing Patches – All security relevant configuration – Default accounts
  33. 33. Running GlassFish in aSecure Environment• Use the latest version (3.1.2.2)• Enable secure admin (TLS/https)• Use password aliasing• Enable security manager and put forth a proper security policy file• Set correct file system permissionshttp://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.htmlhttp://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
  34. 34. Review the *.policy files• server.policy and granted.policy• Remove unused grants• Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain.• Document your changes!// Following grant block is only required by Connectors. If Connectors// are not in usethe recommendation is to remove thisgrant.grant {permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * "*"","read";};
  35. 35. Worst Practices• Not to redirect the default pages• Using any defaults like: – Passwords: Admin, master password – Network interface binding: Listening on 0.0.0.0 – Certificates: Self signed certificate• Not restricting GlassFish user nor enabling security manager.• Same security config for all environments• Using a not hardened OS!
  36. 36. A7 - Failure to Restrict URL Access
  37. 37. What is it?• Presentation layer access control• Related to A4 – Insecure Direct Object References
  38. 38. Worst Practice• Using home-grown security features instead of container provided ones• Assuming people wont know some URLs to try them• Assuming no one would miss use the extra permission and access they have
  39. 39. Java EE 6• What you do to prevent A4 plus: – Use Container security (security-constraint) – Use programatic login of Java EE 6 if needed. – Properly configure security realms – Accurately map roles to principal/groups (auth- constraint / security-role-mapping) – Only allow supported/required HTTP methods – Accurately Categorize the URL patterns and permit the relevant roles for each
  40. 40. Best Practices• Any no public URL should be protected• Use container authentication/authorization features or extend on top of them• If not enough use proven frameworks/ products to protect the resources• If user can get /getpic?id=1x118uf it does not mean you should show /getpic?id=1x22ug
  41. 41. A8 - Insecure Cryptographic Storage
  42. 42. What is it?• Sensitive data exposed to wrong persons• Could be: – Passwords – Financial/Health care data – Credit cards
  43. 43. GlassFish• Protect the keystore• Protect sensitive data – Use salted hashing or double hashing for authentication realms (Custom realm development) – Evaluate logging output• Protect GlassFish accounts – Use aliasing to protect the password and keep the master password safe to protect the aliases
  44. 44. Worst Practices• Storing passwords in clear text without aliasing or the proper store• Using file authentication realm• Ignoring digest authentication/hashed password storage• Keeping clear text copies of encrypted data• Not keeping the keys/passwords well guarded
  45. 45. Prevention• Identify sensitive data• Wisely encrypt sensitive data – On every level (application, appserver, db) – with the right algorithm and – with the right mechanism• Don’t keep clear text copies• Only authorized personnel have access to clear text data• Keep the keys as protected as possible (HSM)• Keep offsite encrypted backups in addition to on-site copies
  46. 46. A9- Insufficient Transport Layer Protection
  47. 47. What is it?
  48. 48. Worst Practice• Using basic/form authentication without SSL• Not using HTTPS for pages with private information• Using default self signed certificate• Storing unencrypted cookies• Not setting cookies to be transmitted Cookie.setSecure(true)• Forgetting about the rest of the infrastructure
  49. 49. GlassFish• Properly configure HTTPS listener/s (set the right keystore)• Install the right server certificates to be used by SSL listeners• Properly configure the ORB over SSL listeners if needed (set the right keystore)• Enable auditing under Security and and access log under HTTP Service
  50. 50. Java EE• Group the resources in regard to transport sensitivity using web-resource-collection• Use user-data-constraint as widely as you need for data integrity and encryption needs• Ensure that login/logout pages (in case of form auth-type) are protected by <transport- guarantee>CONFIDENTIAL</transport- guarantee>
  51. 51. Best Practice• Use TLS on all connections with sensitive data• Individually encrypt messages• Sign messages before transmission• Use standard strong algorithms• Use proven mechanisms when sufficient
  52. 52. A10 - Unvalidated Redirects and Forwards
  53. 53. What is it?• Redirecting to another URL computed by user provided parameters• Forward to another URL computed by user provided parametershttp://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting
  54. 54. Java EE 6• Don’t use redirect or forward as much as possible• Accurately verify/validate the target URL before forwarding or redirecting• Redirects are safe when using container managed authentication/authorization properly• Redirects happen without authentication and thus requires triple check to prevent unauthorized access.
  55. 55. Worst Practices• Not using a proper access control mechanism (e.g container managed and proper security- constraint )• Redirecting to a user provided parameter, e.g to an external website• Not to validate/verify the target with user’s access level before doing the forward
  56. 56. WRAP-UP
  57. 57. Galleria Wrap Up
  58. 58. Security isn‘t all candy.. … but you will love it in the end!
  59. 59. CC picture reference• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/• http://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/• http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/• http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×