Sunday 7 October 2007

Securing your Web-App: The WEB-INF story, FORMS, JBOSS and JAAS

Securing your web application is a multi-step process and requires careful planning. If you are not careful, you can end up leaving the application open to attackers, or you can lock yourself in and throw away the key, which is what happened to me recently.

I was securing a web application that was to be deployed on JBOSS. As a first step, I placed all my web resources under WEB-INF. Good move? No. Bad move? Yes.
It was a good move in the sense that by placing every resource under WEB-INF, I was shielding them from direct external access: the servlet container never serves anything under WEB-INF in response to a browser request, so a resource there can only be reached through a server-side forward or include from a servlet. I had locked myself in and thrown away the key. Hang on, what if the container itself dispatches to the resource, as it does for the form-login page? Yes, that works. So I redeployed the application and pointed the form-login configuration at my login.jsp, which was sitting under WEB-INF in a pages directory. It worked fine except for one thing. My login.jsp requested a style-sheet, and try as I might, I could not get it to load. That was when lightning struck.

The browser's request for the stylesheet was a separate, direct request, made before the authentication process had completed, and the container refuses any direct request for a path under WEB-INF, whoever makes it. I moved my JSP pages, stylesheets, images and scripts out of WEB-INF and secured them using security constraints defined in the web deployment descriptors. One caveat to keep in mind: the login page and every resource it references (stylesheets, images, scripts) must themselves sit outside any security constraint, otherwise the browser's request for the stylesheet is intercepted and redirected to the login page again.

Securing web resources placed outside the WEB-INF folder is carried out in web.xml and in your server-specific descriptor (jboss-web.xml on JBOSS). Access to web resources is granted based on user authentication and on role-based authorization policies: a security-constraint in web.xml maps URL patterns to the roles allowed to access them, and the security domain named in the server descriptor decides how users are authenticated and which roles they carry.

To secure your web-resource folders in JBOSS, follow this tutorial or this thread in the Sun Forum. Both are very succinctly written and bring out the salient features required to configure and set up security in JBOSS. If you are after WebLogic, then this guide will be useful. It also describes FORM-based authentication in sufficient detail, which is what most web applications use.

Well, there you go! Enjoy locking yourself in but don't throw away the key...yet!!
