Web Application Security : web.xml & SecurityRealms , web xml security constraint




This post is very specific to J2EE security :

Most of the time, we modify the web.xml file to define the authentication type and the security constraints for a web application. This post explains the importance of these tags in web.xml and the authentication methods. There are four standard authentication models:

  • Basic Authentication model (BASIC)
  • Digest Authentication model (DIGEST)
  • Form Authentication model (FORM)
  • Client Certificate Authentication model (CLIENT-CERT)
Before looking at authentication, we need to know the security components in web.xml.

Security for a web application is defined by the following three sections:
  • security role
  • security constraints
  • login-config


security-role:
 It lists the roles used by the web application.

<security-role>
    <role-name>manager</role-name>
</security-role>

Security Constraints:

A security constraint is made up of three parts:
  • web resource constraint
  • authorization constraint
  • user data constraint


security-constraint

web resource constraint:

web-resource-name:
         Name used for the web resource. It is optional.
url-pattern:
           Lists the request URIs to be protected. Anything under /protectedresource is protected.
http-method:
            Lists which methods are protected.
If nothing is specified, all methods are protected.
If you specify methods such as GET and POST, only GET and POST are protected; the remaining HTTP methods are left unconstrained, so the rules do not apply to them.
  <http-method>GET</http-method>
  <http-method>POST</http-method>


http-method-omission:
Introduced in J2EE 6, it whitelists the methods that are left unprotected. The problem with http-method is that if you specify a list
and a new method appears, web.xml needs to be modified to protect it.
http-method-omission can be used in that case: you specify the list of methods you do not want to protect,
and the rest of the HTTP methods are protected.

If the requirement is to protect everything except the POST method, http-method-omission
can be used.

example:
<http-method-omission>POST</http-method-omission>

 It protects GET, PUT and every other method except POST.

 http-method-omission

Auth constraint:

The auth-constraint determines the roles that are allowed to access the protected resource.

user-data-constraint:

The user-data constraint determines whether the request requires SSL or not.
Allowed values are NONE and CONFIDENTIAL.
CONFIDENTIAL
All communication must happen over HTTPS.
NONE
Communication is not required to happen over HTTPS.
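The constraint rules above (http-method versus http-method-omission, auth-constraint roles, and the CONFIDENTIAL transport guarantee) as a small evaluator, added here as an example and not code from the post. It parses a constructed web.xml with the constraint shapes described and reports, for one request, whether it is covered, which roles may access it and whether HTTPS is required; url-pattern matching is simplified to the exact and /prefix/* forms, and role merging across overlapping constraints is simplified.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed web.xml (not the post's): constraint 1 lists GET/POST only, so PUT
# and DELETE on /basicprotect/* are uncovered; constraint 2 uses http-method-omission
# and requires HTTPS; constraint 3's empty <auth-constraint/> denies every role.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
 <security-constraint>
  <web-resource-collection><url-pattern>/basicprotect/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>role1</role-name></auth-constraint></security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/admin/*</url-pattern>
   <http-method-omission>POST</http-method-omission></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
  <auth-constraint/></security-constraint>
</web-app>"""

def _matches(pattern, path):
    # Only the exact and "/prefix/*" pattern forms used in the post are handled.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def evaluate(web_xml, method, path):
    """Return {covered, roles, https}: roles None = no auth-constraint (anyone)."""
    res = {"covered": False, "roles": None, "https": False}
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        for wrc in sc.findall("j:web-resource-collection", NS):
            listed = {m.text for m in wrc.findall("j:http-method", NS)}
            omitted = {m.text for m in wrc.findall("j:http-method-omission", NS)}
            if not any(_matches(p.text, path) for p in wrc.findall("j:url-pattern", NS)):
                continue
            # no list: every method; a list: only those; omission: all but those
            if (listed and method not in listed) or method in omitted:
                continue
            res["covered"] = True
            ac = sc.find("j:auth-constraint", NS)
            if ac is not None:  # empty set here means access denied to everyone
                names = {r.text for r in ac.findall("j:role-name", NS)}
                res["roles"] = names if res["roles"] is None else res["roles"] | names
            tg = sc.find("j:user-data-constraint/j:transport-guarantee", NS)
            res["https"] = res["https"] or (tg is not None and tg.text == "CONFIDENTIAL")
    return res
```

Running evaluate(WEB_XML, "PUT", "/basicprotect/index.jsp") reports the request as not covered, which is the gap that http-method-omission closes.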

 
  
 
login-config:
It specifies the authentication type used and maps the login page, the login failure error page and the realm name.

auth-method : BASIC, FORM, CLIENT-CERT, DIGEST
realm-name :
form-login-config
Example :
Login Config values:
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BalaKishore : Basic Auth Demo in Tomcat</realm-name>
</login-config>

The example below shows the values.
  
Basic Authentication model:

The concept of basic authentication is covered in http://websecurityinfo.blogspot.com/2013/07/http-basic-authentication.html

Here I will try writing a sample Tomcat application that demonstrates basic authentication with sample JSP pages.

When you access the request

The login config option is specified as BASIC. BASIC here tells Tomcat to issue a basic authentication challenge if the URL pattern matches.

Login Config values:
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BalaKishore : Basic Auth Demo in Tomcat</realm-name>
</login-config>






Files:


WEB-INF/web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
  version="3.0"
  metadata-complete="true">

    <!-- Only GET and POST under /basicprotect/* are constrained; other methods are left uncovered -->
    <security-constraint>
        <display-name>Basic Auth scheme Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Basic Protected Area</web-resource-name>
            <url-pattern>/basicprotect/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>role1</role-name>
        </auth-constraint>
        <!-- user-data-constraint needs a transport-guarantee child; NONE means HTTPS is not mandatory -->
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>BalaKishore : Basic Auth Demo in Tomcat</realm-name>
    </login-config>
    <security-role>
        <role-name>role1</role-name>
    </security-role>
</web-app>

index.jsp

Code:
<html>
<head><title>Basic Auth Scheme</title></head>
<body>
<h1>Basic Auth Scheme Tomcat Demo</h1>
<p><a href="basicprotect/index.jsp">Click to navigate to the protected page</a></p>
<hr/>
<p>(Credentials can be found in the tomcat-users.xml file: \conf\tomcat-users.xml)</p>
</body>
</html>



\basicprotect\index.jsp

<html>
<head><title>Basic Auth Demo</title></head>
<body>
<h1>Basic Auth Demo</h1>

<p>user is <b><%= request.getUserPrincipal().getName() %></b></p>

<p>Authorization role with role name:
<% if (request.isUserInRole("role1")) { %><b>Role1</b><% } else { %><b>User</b><% } %> privileges
</p>

<p>Authentication type : <b><%= request.getAuthType() %> authentication.</b></p>

</body>
</html>