Matt Raible, profile picture
Uploaded byMatt Raible
5,825 views

Java Web Application Security - Jazoon 2011

The document discusses Java web application security, outlining agenda topics including security development, penetration testing, and protecting applications. It explores frameworks like Java EE 6, Spring Security, and Apache Shiro, detailing their features and limitations. Additionally, it emphasizes the importance of integrating security in the development process rather than applying patches afterward.

Downloaded 134 times
Java Web Application Security Develop. Penetrate. Protect. Relax. Matt Raible http://raibledesigns.com @mraible Images by Stuck in Customs - http://www.flickr.com/photos/stuckincustoms © 2011 Raible Designs
Introductions Your experience with web development? Your experience with implementing security? Have you used Java EE 6, Spring Security or Apache Shiro? What do you want to get from this talk? © 2011 Raible Designs
Blogger on Father, Skier, raibledesigns.com Cyclist Founder of AppFuse Web Framework Connoisseur Who is Matt Raible? © 2011 Raible Designs
Why am I here? Purpose To learn more about Java webapp security and transform myself into a security expert. Goals Show how to implement Java webapp security. Show how to penetrate a Java webapp. Show how to fix vulnerabilities. © 2011 Raible Designs
Session Agenda Security Development Java EE 6, Spring Security, Apache Shiro SSL and Testing Verifying Security OWASP Top 10 & Zed Attack Proxy Commercial Tools and Services Conclusion Develop Penetrate Protect Relax © 2011 Raible Designs
Develop © 2011 Raible Designs
Dynamic Language Support? If it deploys on Tomcat, it has a web.xml. Grails JRuby on Rails Lift Play! Framework © 2011 Raible Designs
Java EE 6 Security constraints defined in web.xml web resource collection - URLs and methods authorization constraints - role names user data constraint - HTTP or HTTPS User Realm defined by App Server Declarative or Programmatic Authentication Annotations Support © 2011 Raible Designs
Java EE 6 Demo http://www.youtube.com/watch?v=8bXBGU7uo4o © 2011 Raible Designs
Servlet 3.0 HttpServletRequest authenticate(response) login(user, pass) logout() getRemoteUser() isUserInRole(name) © 2011 Raible Designs
Servlet 3.0 and JSR 250 Annotations @ServletSecurity @HttpMethodConstraint @HttpConstraint @RolesAllowed @PermitAll @DenyAll © 2011 Raible Designs
Java EE Security Limitations No error messages for failed logins No Remember Me Container has to be configured Doesn’t support regular expressions for URLs © 2011 Raible Designs
Spring Security Filter defined in web.xml Separate security context file loaded by Spring Defines URLs, Roles and Authentication Providers Defines UserService (provided or custom) Password Encoding Remember Me © 2011 Raible Designs
Spring Security Demo http://www.youtube.com/watch?v=poc5dyImbig © 2011 Raible Designs
Securing Methods <global-method-security secured-annotations="enabled"/> @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account readAccount(Long id); @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account[] findAccounts(); @Secured("ROLE_TELLER") public Account post(Account account, double amount); <global-method-security jsr250-annotations="enabled"/> © 2011 Raible Designs
Securing Methods 3.0 <global-method-security pre-post-annotations="enabled"/> @PreAuthorize("isAnonymous()") public Account readAccount(Long id); @PreAuthorize("isAnonymous()") public Account[] findAccounts(); @PreAuthorize("hasAuthority('ROLE_TELLER')") public Account post(Account account, double amount); © 2011 Raible Designs
Spring Security Limitations Authentication mechanism in WAR Securing methods only works on Spring beans My remember me example doesn’t work © 2011 Raible Designs
Apache Shiro Filter defined in web.xml shiro.ini loaded from classpath [main], [urls], [roles] Cryptography Session Management © 2011 Raible Designs
Apache Shiro Demo http://www.youtube.com/watch?v=YJByiDvOhsc © 2011 Raible Designs
Apache Shiro Limitations Limited Documentation Getting Roles via LDAP not supported No out-of-box support for Kerberos REST Support needs work © 2011 Raible Designs
Testing with SSL Cargo doesn’t support http and https at same time Jetty and Tomcat plugins work for both Pass javax.net.ssl.trustStore & javax.net.ssl.trustStorePassword to maven-failsafe-plugin as <systemPropertyVariables> © 2011 Raible Designs
Ajax Login http://raibledesigns.com/rd/entry/implementing_ajax_authentication_using_jquery © 2011 Raible Designs
Securing a REST API Use Basic or Form Authentication Use Developer Keys Use OAuth © 2011 Raible Designs
OAuth © 2011 Raible Designs
REST Security and OAuth Demo http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt http://raibledesigns.com/rd/entry/grails_oauth_and_linkedin_apis © 2011 Raible Designs
REST Security Resources Implementing REST Authentication http://www.objectpartners.com/2011/06/16/ implementing-rest-authentication/ OAuth2’s “Client Credentials” API Key Grant Type http://stackoverflow.com/questions/6190381/how- to-keep-the-client-credentials-confidential-while- using-oauth2s-resource-ow (http://bit.ly/k5LqsH) Thanks to @kdonald for the link! © 2011 Raible Designs
Penetrate OWASP Testing Guide and Code Review Guide OWASP Top 10 OWASP Zed Attack Proxy Burp Suite OWASP WebGoat © 2011 Raible Designs
OWASP The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open ... Application security tools, complete books, standard security controls and libraries, cutting edge research http://www.owasp.org © 2011 Raible Designs
Penetration Testing Demo http://raibledesigns.com/rd/entry/java_web_application_security_part4 © 2011 Raible Designs
7 Security (Mis) Configurations in web.xml 1. Error pages not configured 2. Authentication & Authorization Bypass 3. SSL Not Configured 4. Not Using the Secure Flag http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files © 2011 Raible Designs
7 Security (Mis)Configurations 5. Not Using the HttpOnly Flag 6. Using URL Parameters for Session Tracking 7. Not Setting a Session Timeout http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files © 2011 Raible Designs
Protecting Ajax Login <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> <tracking-mode>COOKIE</tracking-mode> </session-config> <form action="${ctx}/j_security_check" id="loginForm" method="post" autocomplete="off"> © 2011 Raible Designs
OWASP Top 10 for 2010 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) © 2011 Raible Designs
OWASP Top 10 for 2010 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10.Unvalidated Redirects and Forwards © 2011 Raible Designs
Protect Firewalls IDS and IDPs Audits Penetration Tests Code Reviews with Static Analysis Tools © 2011 Raible Designs
Firewalls Stateless Firewalls Stateful Firewalls Invented by Nir Zuk at Check Point in the mid-90s Web App Firewalls Inspired by the 1996 PHF CGI exploit WAF Market $234m in 2010 © 2011 Raible Designs
Gartner on Firewalls © 2011 Raible Designs
Relax Web App Firewalls: Imperva, F5, Breach Open Source: WebNight and ModSecurity Stateful Firewalls: Juniper, Check Point, Palo Alto IDP/IDS: Sourcefire, TippingPoint Open Source: Snort Audits: ENY, PWC, Grant Thornton Pen Testing: WhiteHat, Trustwave, Electric Alchemy Open Source: OWASP ZAP Static Analysis: Fortify, Veracode © 2011 Raible Designs
Remember... “Security is a quality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do.” -- Erlend Oftedal From: http://bit.ly/mjufjR © 2011 Raible Designs
Action! Use OWASP and Open Source Security Frameworks Don’t be afraid to contribute! Follow the Security Street Fighter Blog http://software-security.sans.org/blog Use OWASP ZAP to pentest your apps Don’t be afraid of security! © 2011 Raible Designs
Questions? Contact Information http://raibledesigns.com @mraible My Presentations http://slideshare.net/mraible © 2011 Raible Designs

More Related Content

PDF
Apache Roller, Acegi Security and Single Sign-on
byMatt Raible
 
PDF
Java Web Application Security - UberConf 2011
byMatt Raible
 
PDF
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
byMatt Raible
 
PDF
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
byVMware Hyperic
 
PDF
Java Web Application Security - Utah JUG 2011
byMatt Raible
 
PDF
Web App Security for Java Developers - PWX 2021
byMatt Raible
 
PDF
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
byMatt Raible
 
PDF
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
byArun Gupta
 
Apache Roller, Acegi Security and Single Sign-on
byMatt Raible
 
Java Web Application Security - UberConf 2011
byMatt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
byMatt Raible
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
byVMware Hyperic
 
Java Web Application Security - Utah JUG 2011
byMatt Raible
 
Web App Security for Java Developers - PWX 2021
byMatt Raible
 
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
byMatt Raible
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
byArun Gupta
 

What's hot

PDF
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
byMatt Raible
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Front End Development for Back End Java Developers - Jfokus 2020
byMatt Raible
 
PDF
What's New in Spring 3.1
byMatt Raible
 
PDF
Web App Security for Java Developers - UberConf 2021
byMatt Raible
 
PDF
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
byMatt Raible
 
PDF
Java REST API Framework Comparison - PWX 2021
byMatt Raible
 
PDF
Spark IT 2011 - Java EE 6 Workshop
byArun Gupta
 
PDF
Bootiful Development with Spring Boot and React - UberConf 2018
byMatt Raible
 
PDF
Spark IT 2011 - Developing RESTful Web services with JAX-RS
byArun Gupta
 
PDF
JAX-RS JavaOne Hyderabad, India 2011
byShreedhar Ganapathy
 
PDF
Seven Simple Reasons to Use AppFuse
byMatt Raible
 
PDF
Comparing JVM Web Frameworks - Rich Web Experience 2010
byMatt Raible
 
PPT
Choosing a Java Web Framework
byWill Iverson
 
PDF
Front End Development for Backend Developers - GIDS 2019
byMatt Raible
 
PDF
JHipster and Okta - JHipster Virtual Meetup December 2020
byMatt Raible
 
PDF
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
byMatt Raible
 
PDF
Spring Boot APIs and Angular Apps: Get Hip with JHipster! KCDC 2019
byMatt Raible
 
PDF
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
byMatt Raible
 
PDF
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
byMatt Raible
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
byMatt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Front End Development for Back End Java Developers - Jfokus 2020
byMatt Raible
 
What's New in Spring 3.1
byMatt Raible
 
Web App Security for Java Developers - UberConf 2021
byMatt Raible
 
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
byMatt Raible
 
Java REST API Framework Comparison - PWX 2021
byMatt Raible
 
Spark IT 2011 - Java EE 6 Workshop
byArun Gupta
 
Bootiful Development with Spring Boot and React - UberConf 2018
byMatt Raible
 
Spark IT 2011 - Developing RESTful Web services with JAX-RS
byArun Gupta
 
JAX-RS JavaOne Hyderabad, India 2011
byShreedhar Ganapathy
 
Seven Simple Reasons to Use AppFuse
byMatt Raible
 
Comparing JVM Web Frameworks - Rich Web Experience 2010
byMatt Raible
 
Choosing a Java Web Framework
byWill Iverson
 
Front End Development for Backend Developers - GIDS 2019
byMatt Raible
 
JHipster and Okta - JHipster Virtual Meetup December 2020
byMatt Raible
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
byMatt Raible
 
Spring Boot APIs and Angular Apps: Get Hip with JHipster! KCDC 2019
byMatt Raible
 
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
byMatt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
byMatt Raible
 

Similar to Java Web Application Security - Jazoon 2011

PDF
Java Web Application Security - Denver JUG 2013
byMatt Raible
 
PPT
Web Apps Security
byVictor Bucutea
 
PDF
Spring4 security
bySang Shin
 
PPT
香港六合彩
bybaoyin
 
PPTX
SCWCD : Secure web
byBen Abdallah Helmi
 
PPTX
SCWCD : Secure web : CHAP : 7
byBen Abdallah Helmi
 
PDF
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
PDF
Owasp top 10_openwest_2019
bySean Jackson
 
PPTX
Web Application Security
bysudip pudasaini
 
PPTX
Defending web applications v.1.0
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PPTX
Java Secure Coding Practices
byOWASPKerala
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
PPT
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
byMasterCode.vn
 
PDF
The Thing That Should Not Be
bymorisson
 
PDF
Web Security
byKHOANGUYNNGANH
 
PPT
Top Ten Proactive Web Security Controls v5
byJim Manico
 
PDF
Owasp london training course 2010 - Matteo Meucci
byMatteo Meucci
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PPT
Intro to Web Application Security
byRob Ragan
 
PDF
Web security and OWASP
byIsuru Samaraweera
 
Java Web Application Security - Denver JUG 2013
byMatt Raible
 
Web Apps Security
byVictor Bucutea
 
Spring4 security
bySang Shin
 
香港六合彩
bybaoyin
 
SCWCD : Secure web
byBen Abdallah Helmi
 
SCWCD : Secure web : CHAP : 7
byBen Abdallah Helmi
 
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
Owasp top 10_openwest_2019
bySean Jackson
 
Web Application Security
bysudip pudasaini
 
Defending web applications v.1.0
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
Java Secure Coding Practices
byOWASPKerala
 
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
Session 4 : securing web application - Giáo trình Bách Khoa Aptech
byMasterCode.vn
 
The Thing That Should Not Be
bymorisson
 
Web Security
byKHOANGUYNNGANH
 
Top Ten Proactive Web Security Controls v5
byJim Manico
 
Owasp london training course 2010 - Matteo Meucci
byMatteo Meucci
 
Owasp top 10 2013
byEdouard de Lansalut
 
Intro to Web Application Security
byRob Ragan
 
Web security and OWASP
byIsuru Samaraweera
 

More from Matt Raible

PDF
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Belfast JUG 2022
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Dublin JUG 2022
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Cork JUG 2022
byMatt Raible
 
PDF
Comparing Native Java REST API Frameworks - Seattle JUG 2022
byMatt Raible
 
PDF
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
byMatt Raible
 
PDF
Comparing Native Java REST API Frameworks - Devoxx France 2022
byMatt Raible
 
PDF
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
byMatt Raible
 
PDF
Native Java with Spring Boot and JHipster - Garden State JUG 2021
byMatt Raible
 
PDF
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
byMatt Raible
 
PDF
Java REST API Framework Comparison - UberConf 2021
byMatt Raible
 
PDF
Native Java with Spring Boot and JHipster - SF JUG 2021
byMatt Raible
 
PDF
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
byMatt Raible
 
PDF
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - SpringOne 2020
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
PDF
Mobile Development with Ionic, React Native, and JHipster - AllTheTalks 2020
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - Oktane20
byMatt Raible
 
PDF
Full Stack Reactive with React and Spring WebFlux - Switzerland JUG 2020
byMatt Raible
 
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
byMatt Raible
 
Micro Frontends for Java Microservices - Belfast JUG 2022
byMatt Raible
 
Micro Frontends for Java Microservices - Dublin JUG 2022
byMatt Raible
 
Micro Frontends for Java Microservices - Cork JUG 2022
byMatt Raible
 
Comparing Native Java REST API Frameworks - Seattle JUG 2022
byMatt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
byMatt Raible
 
Comparing Native Java REST API Frameworks - Devoxx France 2022
byMatt Raible
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
byMatt Raible
 
Native Java with Spring Boot and JHipster - Garden State JUG 2021
byMatt Raible
 
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
byMatt Raible
 
Java REST API Framework Comparison - UberConf 2021
byMatt Raible
 
Native Java with Spring Boot and JHipster - SF JUG 2021
byMatt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
byMatt Raible
 
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
byMatt Raible
 
Security Patterns for Microservice Architectures - SpringOne 2020
byMatt Raible
 
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
byMatt Raible
 
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
Mobile Development with Ionic, React Native, and JHipster - AllTheTalks 2020
byMatt Raible
 
Security Patterns for Microservice Architectures - Oktane20
byMatt Raible
 
Full Stack Reactive with React and Spring WebFlux - Switzerland JUG 2020
byMatt Raible
 

Recently uploaded

PDF
A PROJECT ON EVOLUTION OF DNA FINGERPRINTING AND ITS TECHNOLOGY
bychandrakalasahu568
 
PDF
A SEA of Energy Efficiency Opportunities!
byMemoori
 
PPTX
UiPath Platform: Architecture & Context [1/3]
bysuhanisingh58689
 
PPTX
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
PPTX
hackathon[1][1].pptx Cost-Effective Detection of LV Line Breakage
byvivekpunde6
 
PDF
Readying Enterprise Networks for Artificial Intelligence
byEnterprise Management Associates
 
PPTX
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
PDF
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
PDF
Starting a Customer Education Program: Taking Your Training to Them
byRustici Software
 
PDF
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
PDF
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
PDF
How to get started with Agentic Automation
byUiPathCommunity
 
PDF
Master Deck: GraphSummit Bengaluru (Oct 7)
byNeo4j
 
PDF
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
PDF
Mapping Your Ecosystem: Uniting Content and Data across Systems
byRustici Software
 
PDF
Top 10+ Ajax Development Companies in France
byrockjohnson0829
 
PDF
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
PDF
What Is Agentic AI and How Is It Transforming ERP Systems?
byScalaCode
 
PPTX
sap 2016-09-14_PP_MRPType_VB_Blogged.pptx
byAmira Jemi
 
PDF
Phishing for Answers: A Tech Filler Quiz.pdf
byConquiztadors- the Quiz Society of Sri Venkateswara College
 
A PROJECT ON EVOLUTION OF DNA FINGERPRINTING AND ITS TECHNOLOGY
bychandrakalasahu568
 
A SEA of Energy Efficiency Opportunities!
byMemoori
 
UiPath Platform: Architecture & Context [1/3]
bysuhanisingh58689
 
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
hackathon[1][1].pptx Cost-Effective Detection of LV Line Breakage
byvivekpunde6
 
Readying Enterprise Networks for Artificial Intelligence
byEnterprise Management Associates
 
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
Starting a Customer Education Program: Taking Your Training to Them
byRustici Software
 
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
How to get started with Agentic Automation
byUiPathCommunity
 
Master Deck: GraphSummit Bengaluru (Oct 7)
byNeo4j
 
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
Mapping Your Ecosystem: Uniting Content and Data across Systems
byRustici Software
 
Top 10+ Ajax Development Companies in France
byrockjohnson0829
 
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
What Is Agentic AI and How Is It Transforming ERP Systems?
byScalaCode
 
sap 2016-09-14_PP_MRPType_VB_Blogged.pptx
byAmira Jemi
 
Phishing for Answers: A Tech Filler Quiz.pdf
byConquiztadors- the Quiz Society of Sri Venkateswara College
 

Java Web Application Security - Jazoon 2011

  • 1.
    Java Web ApplicationSecurity Develop. Penetrate. Protect. Relax. Matt Raible http://raibledesigns.com @mraible Images by Stuck in Customs - http://www.flickr.com/photos/stuckincustoms © 2011 Raible Designs
  • 2.
    Introductions Your experiencewith web development? Your experience with implementing security? Have you used Java EE 6, Spring Security or Apache Shiro? What do you want to get from this talk? © 2011 Raible Designs
  • 3.
    Blogger on Father, Skier, raibledesigns.com Cyclist Founder of AppFuse Web Framework Connoisseur Who is Matt Raible? © 2011 Raible Designs
  • 4.
    Why am Ihere? Purpose To learn more about Java webapp security and transform myself into a security expert. Goals Show how to implement Java webapp security. Show how to penetrate a Java webapp. Show how to fix vulnerabilities. © 2011 Raible Designs
  • 5.
    Session Agenda Security Development Java EE 6, Spring Security, Apache Shiro SSL and Testing Verifying Security OWASP Top 10 & Zed Attack Proxy Commercial Tools and Services Conclusion Develop Penetrate Protect Relax © 2011 Raible Designs
  • 6.
    Develop © 2011 Raible Designs
  • 7.
    Dynamic Language Support? Ifit deploys on Tomcat, it has a web.xml. Grails JRuby on Rails Lift Play! Framework © 2011 Raible Designs
  • 8.
    Java EE 6 Securityconstraints defined in web.xml web resource collection - URLs and methods authorization constraints - role names user data constraint - HTTP or HTTPS User Realm defined by App Server Declarative or Programmatic Authentication Annotations Support © 2011 Raible Designs
  • 9.
    Java EE 6Demo http://www.youtube.com/watch?v=8bXBGU7uo4o © 2011 Raible Designs
  • 10.
    Servlet 3.0 HttpServletRequest authenticate(response) login(user, pass) logout() getRemoteUser() isUserInRole(name) © 2011 Raible Designs
  • 11.
    Servlet 3.0 andJSR 250 Annotations @ServletSecurity @HttpMethodConstraint @HttpConstraint @RolesAllowed @PermitAll @DenyAll © 2011 Raible Designs
  • 12.
    Java EE SecurityLimitations No error messages for failed logins No Remember Me Container has to be configured Doesn’t support regular expressions for URLs © 2011 Raible Designs
  • 13.
    Spring Security Filterdefined in web.xml Separate security context file loaded by Spring Defines URLs, Roles and Authentication Providers Defines UserService (provided or custom) Password Encoding Remember Me © 2011 Raible Designs
  • 14.
  • 15.
    Securing Methods <global-method-security secured-annotations="enabled"/> @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account readAccount(Long id); @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account[] findAccounts(); @Secured("ROLE_TELLER") public Account post(Account account, double amount); <global-method-security jsr250-annotations="enabled"/> © 2011 Raible Designs
  • 16.
    Securing Methods 3.0 <global-method-securitypre-post-annotations="enabled"/> @PreAuthorize("isAnonymous()") public Account readAccount(Long id); @PreAuthorize("isAnonymous()") public Account[] findAccounts(); @PreAuthorize("hasAuthority('ROLE_TELLER')") public Account post(Account account, double amount); © 2011 Raible Designs
  • 17.
    Spring Security Limitations Authentication mechanism in WAR Securing methods only works on Spring beans My remember me example doesn’t work © 2011 Raible Designs
  • 18.
    Apache Shiro Filter definedin web.xml shiro.ini loaded from classpath [main], [urls], [roles] Cryptography Session Management © 2011 Raible Designs
  • 19.
  • 20.
    Apache Shiro Limitations LimitedDocumentation Getting Roles via LDAP not supported No out-of-box support for Kerberos REST Support needs work © 2011 Raible Designs
  • 21.
    Testing with SSL Cargodoesn’t support http and https at same time Jetty and Tomcat plugins work for both Pass javax.net.ssl.trustStore & javax.net.ssl.trustStorePassword to maven-failsafe-plugin as <systemPropertyVariables> © 2011 Raible Designs
  • 22.
  • 23.
    Securing a RESTAPI Use Basic or Form Authentication Use Developer Keys Use OAuth © 2011 Raible Designs
  • 24.
    OAuth © 2011 Raible Designs
  • 25.
    REST Security andOAuth Demo http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt http://raibledesigns.com/rd/entry/grails_oauth_and_linkedin_apis © 2011 Raible Designs
  • 26.
    REST Security Resources ImplementingREST Authentication http://www.objectpartners.com/2011/06/16/ implementing-rest-authentication/ OAuth2’s “Client Credentials” API Key Grant Type http://stackoverflow.com/questions/6190381/how- to-keep-the-client-credentials-confidential-while- using-oauth2s-resource-ow (http://bit.ly/k5LqsH) Thanks to @kdonald for the link! © 2011 Raible Designs
  • 27.
    Penetrate OWASP Testing Guideand Code Review Guide OWASP Top 10 OWASP Zed Attack Proxy Burp Suite OWASP WebGoat © 2011 Raible Designs
  • 28.
    OWASP The Open WebApplication Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open ... Application security tools, complete books, standard security controls and libraries, cutting edge research http://www.owasp.org © 2011 Raible Designs
  • 29.
  • 30.
    7 Security (Mis) Configurationsin web.xml 1. Error pages not configured 2. Authentication & Authorization Bypass 3. SSL Not Configured 4. Not Using the Secure Flag http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files © 2011 Raible Designs
  • 31.
    7 Security (Mis)Configurations 5.Not Using the HttpOnly Flag 6. Using URL Parameters for Session Tracking 7. Not Setting a Session Timeout http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files © 2011 Raible Designs
  • 32.
    Protecting Ajax Login <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> <tracking-mode>COOKIE</tracking-mode> </session-config> <form action="${ctx}/j_security_check" id="loginForm" method="post" autocomplete="off"> © 2011 Raible Designs
  • 33.
    OWASP Top 10for 2010 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) © 2011 Raible Designs
  • 34.
    OWASP Top 10for 2010 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10.Unvalidated Redirects and Forwards © 2011 Raible Designs
  • 35.
    Protect Firewalls IDS and IDPs Audits PenetrationTests Code Reviews with Static Analysis Tools © 2011 Raible Designs
  • 36.
    Firewalls Stateless Firewalls Stateful Firewalls Invented by Nir Zuk at Check Point in the mid-90s Web App Firewalls Inspired by the 1996 PHF CGI exploit WAF Market $234m in 2010 © 2011 Raible Designs
  • 37.
    Gartner on Firewalls © 2011 Raible Designs
  • 38.
    Relax Web App Firewalls:Imperva, F5, Breach Open Source: WebNight and ModSecurity Stateful Firewalls: Juniper, Check Point, Palo Alto IDP/IDS: Sourcefire, TippingPoint Open Source: Snort Audits: ENY, PWC, Grant Thornton Pen Testing: WhiteHat, Trustwave, Electric Alchemy Open Source: OWASP ZAP Static Analysis: Fortify, Veracode © 2011 Raible Designs
  • 39.
    Remember... “Security is aquality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do.” -- Erlend Oftedal From: http://bit.ly/mjufjR © 2011 Raible Designs
  • 40.
    Action! Use OWASPand Open Source Security Frameworks Don’t be afraid to contribute! Follow the Security Street Fighter Blog http://software-security.sans.org/blog Use OWASP ZAP to pentest your apps Don’t be afraid of security! © 2011 Raible Designs
  • 41.
    Questions? Contact Information http://raibledesigns.com @mraible My Presentations http://slideshare.net/mraible © 2011 Raible Designs