This document provides a comprehensive overview of Java network security, detailing essential components like authentication methods (BASIC and FORM), JAAS configuration, and SSL implementation. It includes practical examples, such as generating certificates, deploying applications on Tomcat, and defining security constraints in the web.xml file. Additionally, it addresses using Tomcat manager to handle users and highlights necessary roles for access control. A demo section is included to illustrate these concepts in action, ensuring a solid understanding of Java's security framework.
Java Network Security Overview Paul Flynn 21 Sep 2005
Overview
• Authentication
• BASIC Example
• Forms Example
• JAAS Usage
• Using SSL
• Generate a certificate
• Deploy on Tomcat
• Demo
• Crypto Overview
Basic
• Works like .NET basic authentication
• Specify the user database in an XML file
• Can use the Tomcat manager to handle users
• Specify in web.xml
Basic (tail of web.xml)
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/testbasic.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>dbadmin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected JPG</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>*.jpg</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>dbadmin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Exclude Gifs</display-name>
    <web-resource-collection>
      <web-resource-name>Gifs ok</web-resource-name>
      <url-pattern>*.gif</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint: this constraint leaves *.gif open to everyone -->
  </security-constraint>
  <!-- Login configuration uses BASIC authentication -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>dbadmin</role-name>
  </security-role>
</web-app>
Forms
• Designated in web.xml
• Form action = "j_security_check"
• Username parameter = "j_username"
• Password parameter = "j_password"
• Designate a login page and an error page
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected JPG</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>*.jpg</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Exclude Gifs</display-name>
    <web-resource-collection>
      <web-resource-name>Gifs ok</web-resource-name>
      <url-pattern>*.gif</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Forms test</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
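Added example (not from the slides): a small Java program that parses a constructed web.xml fragment modelled on the BASIC and FORM constraint sets above and reports what each url-pattern actually allows. It makes explicit the rule the "Gifs ok" entry relies on: a security-constraint with no auth-constraint leaves the pattern open to everyone, while an auth-constraint with no role-name denies everyone. The class name ConstraintAudit and the inline XML are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class ConstraintAudit {
    // Constructed web.xml fragment modelled on the slides: *.jpg requires dbadmin,
    // *.gif has a constraint with no auth-constraint (so it is open to everyone).
    static final String WEB_XML = "<web-app>"
        + "<security-constraint><web-resource-collection>"
        + "<web-resource-name>Protected JPG</web-resource-name>"
        + "<url-pattern>*.jpg</url-pattern></web-resource-collection>"
        + "<auth-constraint><role-name>dbadmin</role-name></auth-constraint>"
        + "</security-constraint>"
        + "<security-constraint><web-resource-collection>"
        + "<web-resource-name>Gifs ok</web-resource-name>"
        + "<url-pattern>*.gif</url-pattern></web-resource-collection>"
        + "</security-constraint></web-app>";
    // One report line per url-pattern, classified by what its auth-constraint means.
    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> report = new ArrayList<>();
        NodeList constraints = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element c = (Element) constraints.item(i);
            NodeList auth = c.getElementsByTagName("auth-constraint");
            NodeList roles = c.getElementsByTagName("role-name");
            String verdict;
            if (auth.getLength() == 0) verdict = "OPEN to everyone (no auth-constraint)";
            else if (roles.getLength() == 0) verdict = "DENIED to everyone (empty auth-constraint)";
            else {
                List<String> names = new ArrayList<>();
                for (int r = 0; r < roles.getLength(); r++) names.add(roles.item(r).getTextContent());
                verdict = names.contains("*") ? "wildcard role * (any role)" : "roles " + names;
            }
            NodeList patterns = c.getElementsByTagName("url-pattern");
            for (int p = 0; p < patterns.getLength(); p++)
                report.add(patterns.item(p).getTextContent() + " -> " + verdict);
        }
        return report;
    }
}
```

Calling audit(WEB_XML) on the constructed fragment yields "*.jpg -> roles [dbadmin]" and "*.gif -> OPEN to everyone (no auth-constraint)"; point it at a deployed web.xml to check that no pattern is open by accident.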
JAAS
• Plug-in architecture, very flexible
• Very hard to configure
• Tomcat?
• Application servers: JBoss
JAAS
• Implement the LoginModule interface
• initialize(), login(), commit(), abort(), logout()
• Declare a JAAS config file:
  WebLogin {
    com.jspservletcookbook.DataSourceLoginModule requisite;
  };
Generate Certificate for SSL
• Use the "keytool" command
• Alternatively, use a certificate from a provider

>keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
  [Unknown]: Paul Flynn
What is the name of your organizational unit?
  [Unknown]: CS872
What is the name of your organization?
  [Unknown]: ODU
What is the name of your City or Locality?
  [Unknown]: Norfolk
What is the name of your State or Province?
  [Unknown]: VA
What is the two-letter country code for this unit?
  [Unknown]: VA
Is CN=Paul Flynn, OU=CS872, O=ODU, L=Norfolk, ST=VA, C=VA correct?
  [no]: yes
Enter key password for <tomcat>
  (RETURN if same as keystore password):
Enable Tomcat Connector
• Simply uncomment the provided Connector in server.xml

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true" useURIValidationHack="false"
           disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" />
</Connector>
Cookies and Sessions
• See examples:
• Cookies: http://localhost:8080/examples/servlet/CookieExample
• Sessions: http://localhost:8080/examples/servlet/SessionExample
Signing Jars
• Make a certificate (as for SSL)
• Use jarsigner:
  jarsigner -keystore myKeystore test.jar mycert
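Added example (not from the slides): Java code that checks a jar signed with the jarsigner command above. Opening the JarFile in verifying mode and reading every entry makes the runtime recompute digests, so a tampered entry throws SecurityException, and the report lists which entries are covered by a signature and by whom. The class name JarSignatureCheck and the jar path argument are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
public class JarSignatureCheck {
    // Returns one line per content entry. Throws SecurityException if an entry's digest or
    // signature block fails, and CertificateException if a signer certificate is outside
    // its validity period.
    static List<String> check(String jarPath) throws Exception {
        List<String> report = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known after the entry has been fully read and digested.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* read to drive digest verification */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {            // entry not covered by any signature
                    report.add("UNSIGNED " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate leaf =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    leaf.checkValidity();
                    report.add("SIGNED   " + e.getName() + " by " + leaf.getSubjectX500Principal());
                }
            }
        }
        return report;
    }
    public static void main(String[] args) throws Exception {
        check(args[0]).forEach(System.out::println);   // e.g. java JarSignatureCheck test.jar
    }
}
```

This proves integrity and validity dates only: a self-signed keytool certificate verifies like any other, so compare the reported signer against the certificate you expect before trusting the jar.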