1 / 28

Web Application Security Made Easy With JBoss, Seam, and Hibernate

Web Application Security Made Easy With JBoss, Seam, and Hibernate. PRESENTED BY CHRIS ANDERSON DECEMBER 10, 2008. Outline. The Goal Technologies used Prerequisites Database creation Application generation Application configuration Additional security measures What’s next? Conclusion.

justis
Download Presentation

Web Application Security Made Easy With JBoss, Seam, and Hibernate

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Application Security Made Easy With JBoss, Seam, and Hibernate PRESENTED BY CHRIS ANDERSON DECEMBER 10, 2008

  2. Outline • The Goal • Technologies used • Prerequisites • Database creation • Application generation • Application configuration • Additional security measures • What’s next? • Conclusion

  3. The Goal • Create a secure web application in under 30 minutes • Authenticate users • Role-base validation • Protect against SQL injection • Protect against XSS • Enable SSL

  4. Technologies Used Microsoft SQL Server 2005 JBoss 4.2.0 Application Server JBoss Seam 2.0.2 Web Framework Hibernate Apache Ant Eclipse development environment (recommended)

  5. Prerequisites JBoss Seam SQL Server Ant Java 1.6

  6. Database Creation Create users JBoss user Application user Create Tables User, Role, User_Role Stored Procedures Create user Change Password

  7. Application Generation C:\jboss-seam-2.0.2.SP1>seam setup [input] Enter your Java project workspace (the directory that contains your Seam projects) [c:/Projects] [input] Enter your JBoss home directory [C:/jboss/jbossEP-4.2.0.GA/jboss-as] [input] Enter the project name [testproject] [input] Do you want to use ICEFaces instead of RichFaces [n] (y, [n]) [input] Select a RichFaces skin [classic] (blueSky, [classic], ruby, wine, d eepMarine, emeraldTown, sakura, DEFAULT) [input] Is this project deployed as an EAR (with EJB components) or a WAR (w ith no EJB support) [ear] ([ear], war) [input] Enter the Java package name for your session beans [com.uccs.itapps. testproject.beans.session]

  8. Application Generation [input] Enter the Java package name for your entity beans [com.uccs.itapps.t estproject.beans.entity] [ [input] Enter the Java package name for your test cases [com.uccs.itapps.tes tproject.testcases] [input] What kind of database are you using? [mssql] (hsql, mysql, oracle, p ostgres, [mssql], db2, sybase, enterprisedb, h2) [input] Enter the Hibernate dialect for your database [org.hibernate.dialect .SQLServerDialect] [input] Enter the filesystem path to the JDBC driver jar [C:\Program Files\M icrosort SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu\sqljdbc.jar] [input] Enter JDBC driver class for your database [com.microsoft.sqlserver.j dbc.SQLServerDriver] [input] Enter the JDBC URL for your database [jdbc:sqlserver://localhost]

  9. Application Generation [input] Enter database username [testdbuser] [input] Enter database password [testdbuser] [input] Enter the database schema name (it is OK to leave this blank) [TESTDB] [input] Enter the database catalog name (it is OK to leave this blank) [] [input] Are you working with tables that already exist in the database? [y] ([y], n) [input] Do you want to drop and recreate the database tables and data in imp ort.sql each time you deploy? [n] (y, [n]) C:\jboss-seam-2.0.2.SP1>seam new-project

  10. Building the Application C:\Projects\demoproject>ant deploy

  11. Application Configuration • Modify the datasource xml file • Change <connection-url> jdbc:sqlserver://localhost </connection-url> • To <connection-url> jdbc:sqlserver://127.0.0.1:50853;databaseName=TESTDB </connection-url>

  12. Start JBoss C:\jboss\jbossEP-4.2.0.GA2\jboss-as\bin\run.bat -c default

  13. Authentication • Add entity beans for database tables • Modify authentication bean for user validation

  14. Authentication User user = (User) em.createQuery("from User where username = :username and password = :password") .setParameter("username", identity.getUsername()) .setParameter("password", getHashedPwd(identity.getPassword())) .getSingleResult(); if(user.getRoles() != null){ for(Role mr : user.getRoles()){ System.out.println("adding role: " + mr.getRoleName()); identity.addRole(mr.getRoleName()); } }

  15. Role-Based Security • Create Administration page • Create Link for Administration page on menu • <s:link view="/admin.xhtml" action="administration" value="Administration" rendered="#{identity.loggedIn &amp;&amp; s:hasRole('ADMIN')}"/> • Modify pages.xml • <page view-id="/admin.xhtml" login-required="true"> • <restrict>#{s:hasRole('ADMIN')}</restrict> • </page>

  16. SSL • Create a self-signed certificate using Java keytool keytool -genkey -alias tomcat -keyalg RSA • Copy the generated .keystore file to the JBoss conf directory • Modify the tomcat server.xml file

  17. SSL <!--Connector port="8080" address="${jboss.bind.address}" maxThreads="250" maxHttpHeaderSize="8192" emptySessionPath="true" protocol="HTTP/1.1" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" /--> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="${jboss.server.home.dir}/conf/testproject.keystore" keystorePass=“Pass_1" />

  18. What’s Next • Install SSL certificate • Configure SQL Server or create firewall rules to block anonymous access to the database server

  19. Conclusion • Web application security can be easy • Thanks for listening • Any questions?

More Related