Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
A Realm is a "database" of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of roles associated with each valid user. You can think of roles as similar to groups in Unix-like operating systems, because access to specific web application resources is granted to all users possessing a particular role (rather than enumerating the list of associated usernames). A particular user can have any number of roles associated with their username.
Although the Servlet Specification describes a portable mechanism for applications to declare their security requirements (in the web.xml deployment descriptor), there is no portable API defining the interface between a servlet container and the associated user and role information. In many cases, however, it is desirable to "connect" a servlet container to some existing authentication database or mechanism that already exists in the production environment. Therefore, Tomcat defines a Java interface (org.apache.catalina.Realm) that can be implemented by "plug in" components to establish this connection. Six standard plug-ins are provided, supporting connections to various sources of authentication information:
Example Realm elements are included (commented out) in the default $CATALINA_BASE/conf/server.xml file. Here's an example for using a MySQL database called "authority", configured with the tables described above, and accessed with username "dbuser" and password "dbpass":<Realm
className="org.apache.catalina.realm.JDBCRealm" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost/authority?user=dbuser&password=dbpass" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name"/>
Configure Java EE authentication in web.xml to use Confidential transport which will make use of SSL, any request to a resource over plaintext HTTP will be redirected to HTTPS.
<user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint>
One of the most powerful forms of authentication is client side certificates. Much like server-side certificates are used to establish the identity of a server over Secure Sockets Layer(SSL), Transport Layer Security (TLS) offers the ability for the server to identify a client with certificates.
<intercept-url pattern=”/**” access=isAuthenticated()” />
This configuration will require authentication for access to any of the application pages.
StrongPasswordEncryptor bpe= new StrongPasswordEncryptor(); bpe.encryptPassword(“example”);
Spring Security, enable session fixation protection:
A 126.96.36.199 Configuration on the web.xml:
A 188.8.131.52 Programmatically:
Also, <tracking-mode> element also accepts the value for SSL which is to use SSL ids for session id.
A 184.108.40.206: Secure: ensures that the Cookie is only transmitted via SSL, configuration can be done via web.xml:
<session-config> <cookie-config> <secure>true</secure> </cookie-config> </session-config>
Cookie cookie = new Cookie(“mycookie”, “test”); Cookie.setSecure(true);
<session-config> <cookie-config> <http-only>true</http-only> </cookie-config> </session-config>
Cookie cookie = new Cookie(“mycookie”, “test”); Cookie.setHttpOnly(true);
Content-Security-Policy: default-src: ‘self’; script-src: ‘self’ static.domain.tld