Hitachi Vantara Pentaho Community Wiki

A2 Broken Authentication and Session Management

...

A.2.1. Consider implementing ESAPI Authenticator and User API

A.2.2. Configure Java EE authentication in Tomcat

...

Example Realm elements are included (commented out) in the default $CATALINA_BASE/conf/server.xml file. Here's an example for using a MySQL database called "authority", configured with the tables described above, and accessed with username "dbuser" and password "dbpass":

Code Block

<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/authority?user=dbuser&password=dbpass"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>

...

Configure Java EE authentication in web.xml to use the CONFIDENTIAL transport guarantee, which requires SSL/TLS: any request for a protected resource over plaintext HTTP is redirected to HTTPS.

Code Block

<user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

...

One of the most powerful forms of authentication is client-side certificates. Much as server-side certificates are used to establish the identity of a server over Secure Sockets Layer (SSL), Transport Layer Security (TLS) lets the server identify a client by its certificate.

  1. Create a Certificate Authority
  2. Tell Tomcat to trust the CA
  3. Create a client certificate
  4. Sign on with the client certificate

A 2.2.3 Spring Security Framework:

Code Block

<intercept-url pattern="/**" access="isAuthenticated()" />

...

  1. Don't store plaintext passwords
  2. Store passwords as hashes computed with an algorithm without known weaknesses (SHA-256 or stronger), for example via Java Simplified Encryption (Jasypt). Its StrongPasswordEncryptor class automatically performs 100000 iterations of the SHA-256 algorithm along with a random 16 byte salt value. In addition, Jasypt provides the ability to encrypt values in property files using password-based encryption (PBE).
  3. Use a salt to mitigate rainbow table attacks
  4. Use a technique to slow down hashing speed

Code Block

import org.jasypt.util.password.StrongPasswordEncryptor;

StrongPasswordEncryptor bpe = new StrongPasswordEncryptor();
String digest = bpe.encryptPassword("example"); // salted, iterated SHA-256 digest; store this, never the plaintext
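As an added example (not code from the wiki page, Pentaho or Jasypt), the scheme the text attributes to StrongPasswordEncryptor is written out here in Python so that each of the four rules above is visible: a random 16-byte salt, 100000 iterations of SHA-256, a constant-time check, and no plaintext ever stored. The record layout `iterations$salt$digest` is my own assumption; Jasypt's actual encoding differs.

```python
import base64
import hashlib
import hmac
import os

# Parameters taken from the page's description of StrongPasswordEncryptor.
SALT_BYTES = 16
ITERATIONS = 100_000


def _iterated_sha256(password: str, salt: bytes, iterations: int) -> bytes:
    """Hash salt+password, then re-hash the digest repeatedly (rule 4: slow it down)."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def encrypt_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'iterations$salt$digest' (base64 fields).

    The plaintext is never stored (rule 1) and the salt is fresh per password
    (rule 3), so two users with the same password get different records.
    Record layout is a constructed convention for this example, not Jasypt's.
    """
    salt = os.urandom(SALT_BYTES)
    digest = _iterated_sha256(password, salt, iterations)
    return "$".join([str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        iter_s, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False  # malformed record: reject rather than raise
    if iterations < 1 or len(salt) != SALT_BYTES or len(expected) != 32:
        return False
    return hmac.compare_digest(_iterated_sha256(password, salt, iterations), expected)
```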

...

In Spring Security, enable session fixation protection so that a new session is issued on login:

Code Block

<http session-fixation-protection="newSession">

...

A 2.2.7.1 Configuration on the web.xml:

Code Block

<!-- Servlet 3.0+: track sessions by cookie only, so the session id is never written into URLs -->
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

A 2.2.7.2 Programmatically:

Code Block

servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

...

A 2.2.8.1: Secure: ensures that the cookie is only transmitted over SSL/TLS. Configuration can be done via web.xml:

Code Block

<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>

Or programmatically:

Code Block

Cookie cookie = new Cookie("mycookie", "test");
cookie.setSecure(true); // instance method: the browser will only send this cookie over HTTPS

A 2.2.8.2: HttpOnly: ensures that the cookie cannot be accessed by client-side scripts (i.e. JavaScript). Configuration can be done via web.xml:

Code Block

<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

Or programmatically:

Code Block

Cookie cookie = new Cookie("mycookie", "test");
cookie.setHttpOnly(true); // instance method: hides the cookie from document.cookie

...

Content Security Policy (CSP) is a browser-side mechanism that lets you define source whitelists for the client-side resources of your web application (JavaScript, CSS, images, etc.). Delivered in a dedicated HTTP response header, it instructs the browser to execute or render resources only from those sources.

Code Block

Content-Security-Policy: default-src 'self'; script-src 'self' static.domain.tld

...