How to create a secure login system for JSP? - security

I was given a JSP page where anyone can just view the page source and find the Username and password. My task is to make it somewhat secure. After some reading, I figured I would want to implement an SHA-256 encryption system, but I am not too sure how to do this.
How should I store the hashed passwords? I have barely any experience with JSP / security, so I don't fully understand the steps. After a user enters his password, and it gets encrypted with SHA 256, does this string get compared to a string in a text file? What's the best way for this?
What is the difference between having the entire procedure done in one JSP file versus multiple? I notice how sometimes the login and encryption occur in the same file, while other times the form uses other JSP files.

Go for Spring Web MVC + the Spring Security plugin; it provides all you need with just XML and a database:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/admin*" access="hasAnyRole('ROLE_Admin')" />
        <form-login login-page="/login" default-target-url="/welcome"
            authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/login" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="sha256"/>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="
                    select username, password, enabled
                    from users where username=?"
                authorities-by-username-query="
                    select u.username, u.authority from users u
                    where u.username =? "
            />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Related

OpenNMS RADIUS Authentication

We are having problems using our RADIUS (Microsoft NPS) server for authentication with OpenNMS 22.0.3. The thing is that we have an old OpenNMS server which successfully uses RADIUS authentication for web logons, but even if we copy the conf files from the old working machine, we still cannot get it to work on 22.0.3.
What we have done:
1. Installed opennms-plugin-protocols-radius.
2. In applicationContext-spring-security.xml: changed it to use the file radius.xml in spring-security.d/
<!-- use our custom authentication provider; to use RADIUS instead, change this to "radiusAuthenticationProvider" and uncomment below -->
<authentication-manager alias="authenticationManager">
    <!-- If a user is pre-authenticated, make sure their user details are populated correctly. -->
    <authentication-provider ref="preauthAuthProvider" />
    <!-- Use our custom authentication provider -->
    <authentication-provider ref="hybridAuthenticationProvider" />
    <!-- To enable external (e.g. LDAP, RADIUS) authentication, uncomment the following.
         You must also rename and customize exactly ONE of the example files in the
         spring-security.d subdirectory. -->
    <authentication-provider ref="externalAuthenticationProvider" />
</authentication-manager>
3. In radius.xml:
<beans:bean id="externalAuthenticationProvider" class="org.opennms.protocols.radius.springsecurity.RadiusAuthenticationProvider">
    <beans:constructor-arg value="ip.ip.ip.ip"/>
    <beans:constructor-arg value="SECRET"/>
    <beans:property name="port" value="1812"/>
    <beans:property name="timeout" value="5"/>
    <beans:property name="retries" value="3"/>
    <beans:property name="authTypeClass" value="net.jradius.client.auth.MSCHAPv2Authenticator"/>
    <beans:property name="defaultRoles" value="ROLE_USER"/>
    <beans:property name="rolesAttribute" value="Unknown-VSAttribute(5813:1)"/>
</beans:bean>
When we then restart OpenNMS (it restarts without errors) and go to the web page, we are only greeted by a blank page.
The logs don't say anything.
The symptom of a blank page indicates a problem with installing the RADIUS protocol. Can you verify if it is installed correctly?
cd ${OPENNMS_HOME}/lib
find . -iname "*radius*"
You should have the following files:
./jradius-core-1.1.5.jar
./org.opennms.dependencies.jradius-extended-22.0.3.jar
./jradius-dictionary-1.1.5.jar
./org.opennms.protocols.radius-22.0.3.jar
In 22.0.2 we introduced a way to normalise how times are represented; it is configurable in opennms.properties, see here:
# Choose the format how the date is displayed in the UI. It needs to follow the pattern in DateTimeFormatter:
# see https://docs.oracle.com/javase/8/docs/api/java/time/format/DateTimeFormatter.html
# org.opennms.ui.datettimeformat=yyyy-MM-dd'T'HH:mm:ssxxx
This is the issue where this enhancement is introduced: https://issues.opennms.org/browse/NMS-10231
There are a few other places, and it is finished with the coming 22.0.4 release. Here is which parts are related to time representation issues in the Web UI and what goes into each release: https://issues.opennms.org/browse/NMS-10072

How to alias/set display name for odata metadata xml document (v4)

Following is a sample of the metadata that is returned by my OData endpoint. I am using the endpoint with Microsoft Excel Power Query. All is working OK, except that I want to change the displayed name of "MyTable" below to something else, like say "My Cool Table".
I have tried adding annotations, but any time I add annotations, Excel throws a cryptic error that says my metadata is invalid.
The question is, given the OData XML metadata below, what do I need to add so that the name of the table that is displayed is "My Cool Table" instead of "MyTable"?
<?xml version="1.0" encoding="utf-8"?>
<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0">
    <edmx:DataServices xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" m:MaxDataServiceVersion="4.0" m:DataServiceVersion="4.0">
        <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="MyOData">
            <EntityType Name="MyTable">
                <Key>
                    <PropertyRef Name="myid" />
                </Key>
                <Property Name="myid" Type="Edm.String" Nullable="false" />
                <Property Name="Anotherfield" Type="Edm.String" />
            </EntityType>
            <EntityContainer Name="DefaultContainer">
                <EntitySet Name="MyTable" EntityType="MyOData.MyTable" />
            </EntityContainer>
        </Schema>
    </edmx:DataServices>
</edmx:Edmx>

CSRF & XSS not working using HDIV

I am using HDIV in my project to secure it against the OWASP list, but text boxes are accepting <script>alert(1);</script> as input and saving it to the DB.
I want to write test cases for all OWASP issues.
Below is the project configuration.
web.xml Configuration
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        WEB-INF/spring/applicationContext-db.xml
        WEB-INF/spring/spring-security.xml
        WEB-INF/spring/hdiv-config.xml
    </param-value>
</context-param>
webmvc-config.xml Configuration
<import resource="applicationContext-hdiv.xml" />
applicationContext-hdiv.xml Configuration
<beans>
    <bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor" />
    <bean id="editableValidator" class="org.hdiv.web.validator.EditableParameterValidator"/>
    <mvc:annotation-driven validator="editableValidator" />
</beans>
hdiv-config.xml Configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:hdiv="http://www.hdiv.org/schema/hdiv"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">

    <hdiv:config excludedExtensions="css,js,ttf" errorPage="/manage/security-error"
        maxPagesPerSession="10" confidentiality="true" strategy="memory" randomName="true">
        <hdiv:sessionExpired loginPage="/main/common" homePage="/"/>
        <hdiv:startPages method="get">/,/.*,/manage/.*,/login</hdiv:startPages>
    </hdiv:config>

    <hdiv:validation id="customValidation" componentType="text">
        <hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9#.\-_]*$]]></hdiv:acceptedPattern>
        <hdiv:rejectedPattern><![CDATA[(\s|\S)*(--)(\s|\S)*]]></hdiv:rejectedPattern>
    </hdiv:validation>

    <hdiv:editableValidations registerDefaults="true">
        <hdiv:validationRule url=".*" enableDefaults="false">customValidation</hdiv:validationRule>
    </hdiv:editableValidations>
</beans>
XSS is an output problem, not an input problem. Input validation is about making sure data is correct according to the domain. So, for instance, you want to check that a field expecting to take a year actually receives a number within the expected range. You may also want to make sure that only allowed characters are in use, and in many cases this will stop many attacks.
However, for complex inputs this is no longer viable. Consider a text field where you want to allow users to comment. The user should be allowed to write a comment such as "And hence x < 4". Now we are allowing characters used to build HTML tags.
Now we have two options:
Use a tool to strip out dangerous HTML - likely to fail at some point
Use context aware escaping as described in the OWASP XSS prevention cheat sheet
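As an added example (not code from the question, from the answer above, or from HDIV), the following Java helper shows the answer's second option, context-aware output encoding, applied to a stored comment. The comment is kept exactly as the user typed it, including the `<script>alert(1);</script>` probe from the question; what changes is how it is encoded at output time, which differs between HTML element content and an attribute value. The class `HtmlOutput`, its two encoders and the `renderComment` fragment are assumptions for this example, following the HTML-body and HTML-attribute rules of the OWASP XSS Prevention Cheat Sheet the answer points to.

```java
/**
 * Hypothetical output-encoding helper (example code, not from the question or from HDIV).
 * Data is stored as typed; the encoder is chosen at output time by where the data lands.
 */
public final class HtmlOutput {

    /** HTML element content: turn the five significant characters into entities. */
    public static String forHtmlContent(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Quoted HTML attribute value: entity-encode every non-alphanumeric character below 256. */
    public static String forHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (alnum || c >= 256) {
                out.append(c); // letters, digits and non-Latin-1 text pass through unchanged
            } else {
                out.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return out.toString();
    }

    /** Render one stored comment, picking the encoder per context: attribute value vs. element content. */
    public static String renderComment(String author, String comment) {
        return "<div class=\"comment\" data-author=\"" + forHtmlAttribute(author) + "\">"
             + "<b>" + forHtmlContent(author) + "</b>: " + forHtmlContent(comment) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate comment that needs '<', and the probe from the question.
        String[] stored = { "And hence x < 4", "<script>alert(1);</script>" };
        for (String comment : stored) {
            System.out.println(renderComment("O'Brien & Co", comment));
        }
    }
}
```

In a JSP the element-content rule is what `<c:out value="${comment}"/>` (its `escapeXml` attribute defaults to true) or `${fn:escapeXml(comment)}` does; attribute, JavaScript and URL contexts each need their own encoder. That is why HDIV's accepted/rejected patterns on input, which decide only whether a value may be saved, cannot stand in for this step: the legitimate "x < 4" comment would either be rejected or, once saved, still has to be encoded on the way out.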
Remove the 'requestDataValueProcessor' and 'editableValidator' beans from the 'applicationContext-hdiv.xml' file; they are automatically created by the tag.
Have a look at this project configuration for a working example:
https://github.com/hdiv/hdiv-spring-mvc-showcase

spring security custom sessionmanagementfilter same order value error

I'm trying to customize the session management filter of Spring Security, but I get the error saying that my filter and the default one have the same 'order' value (although I don't have any <session-management> in my <http> configuration and I have auto-config=false, as Spring Security says in its documentation).
Here's my configuration of Spring Security:
<http auto-config="false" use-expressions="true">
    <custom-filter position="SESSION_MANAGEMENT_FILTER" ref="filtroGestionSesion" />
    <intercept-url pattern="/resources/**" filters="none"/>
    <intercept-url pattern="/faces/javax.faces.resource/**" filters="none"/>
    <intercept-url pattern="/faces/inicio.xhtml" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/barco/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/catalogo/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/error/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/plantillas/**" access="permitAll"/>
    <intercept-url pattern="/**" access="denyAll" />
    <form-login login-processing-url="/j_spring_security_check"
        login-page="/faces/paginas/autenticacion/login.xhtml"
        default-target-url="/faces/paginas/administracion/inicioAdmon.xhtml"
        always-use-default-target="true"
        authentication-failure-url="/faces/paginas/autenticacion/login.xhtml?error=authentication" />
    <logout logout-url="/j_spring_security_logout"
        logout-success-url="/faces/inicio.xhtml"
        invalidate-session="true" />
</http>

<global-method-security pre-post-annotations="enabled" />

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="myuser" password="myuser" authorities="" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<beans:bean id="filtroGestionSesion" class="springSecurity.FiltroGestionSesion">
    <beans:constructor-arg ref="securityContextRepository" />
    <beans:property name="invalidSessionUrl" value="/faces/paginas/autenticacion/login.xhtml?error=timeout" />
</beans:bean>

<beans:bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
The class with my custom filter (springSecurity.FiltroGestionSesion) is a copy-paste from the one from Spring Security (org.springframework.security.web.session.SessionManagementFilter) but changing the package name, the class name and some custom code I added to the doFilter method.
Why doesn't it work, and why does it throw the error saying both filters have the same order?
I already disabled the default filter by removing the corresponding child element <session-management> from <http>, so that the position of my filter doesn't conflict with the default filter.
Do I have to remove any other element or customize anything else?
Does anyone know how to make a custom filter work in the position of SESSION_MANAGEMENT_FILTER while disabling the default one?
Thank you in advance.
I've finally found the solution. I put it here in case someone is interested.
The way to disable the default session management filter is not by removing the <session-management> element from <http>, but by adding it with no session fixation protection:
<session-management session-fixation-protection="none" />
This way, the default session management filter doesn't fire, and you can add your custom filter in that position with no conflict in the filter chain.
I've checked it looking at the debug logs of spring security in my webapp.
Hope it helps someone.

Struts 2 security

Does Struts 2 have a complete solution for a simple login task?
I have simple declaration in struts.xml:
<package namespace="/protected" name="manager" extends="struts-default" >
    <interceptors>
        <interceptor-stack name="secure">
            <interceptor-ref name="roles">
                <param name="allowedRoles">registered</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors>
    <default-action-ref name="pindex"/>
    <action name="pindex" >
        <interceptor-ref name="completeStack"/>
        <interceptor-ref name="secure"/>
        <result>protected/index.html</result>
    </action>
</package>
Accessing this resource shows only "Forbidden (403)". So what should I do in the next step to:
Add a login page (the standard Tomcat declaration in web.xml with <login-config> does not work)?
Provide the security round trip. Do I need to write my own servlet, or does a Struts 2 solution exist?
Thanks in advance!
Can't you add an "error" or an "input" result on the "pindex" action? Such as:
<result name="error">public/error.html</result>
