How to develop https site with Spring 3.x? - security

I am a newbie in Spring-based web development.
Our site is Spring based and is currently HTTP based (so quite insecure).
Since the site is not live yet, we are also sending the login/password through a normal JSON request to the server and have focused mostly on JSP, UI design, SQL queries, etc.
Now we want to shift our focus to security, and to HTTPS as a first step.
I have read a number of web pages and some Spring books, but none seems to provide a clear answer on how Spring can be used to provide HTTPS security.
Can someone please help me in achieving the above?
Please let me know if my question is not clear. I will try to add more details ASAP.
Our web.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">
    <display-name>Spring3MVC</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <!-- A DispatcherServlet named "spring" loads /WEB-INF/spring-servlet.xml by default -->
    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>
    <!-- <mvc:resources> is a Spring MVC namespace element, not a web.xml element: web.xml does
         not validate against web-app_2_5.xsd with it here. It belongs in spring-servlet.xml
         (see below), where the mvc namespace is declared. -->
</web-app>
There is only one controller right now, for which spring-servlet.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/mvc
                           http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

    <context:component-scan base-package="console.controllerpkg" />

    <!-- Required once any explicit HandlerMapping exists (mvc:resources registers one);
         otherwise the default mapping for @RequestMapping controllers is no longer created. -->
    <mvc:annotation-driven />

    <!-- Static content. The resources and scripts folders sit parallel to WEB-INF.
         mvc:resources gives a "not bound" exception unless xmlns:mvc is declared above.
         Note: with the *.html servlet mapping in web.xml, requests under /resources/ and
         /scripts/ never reach the DispatcherServlet and are served by the container's
         default servlet; these handlers only take effect if the servlet is mapped to "/". -->
    <mvc:resources mapping="/resources/**" location="/resources/" />
    <mvc:resources mapping="/scripts/**" location="/scripts/" />

    <bean id="viewResolver" class="org.springframework.web.servlet.view.UrlBasedViewResolver">
        <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/jsp/" />
        <property name="suffix" value=".jsp" />
    </bean>
</beans>
Thanks a lot in advance!
P.S. If you can recommend a good example-based site/book on Spring, it would be much appreciated. Most of the sites/books I have seen put a lot of emphasis on theory but give very few examples. That has left me a little confused.

As Dave says, you need to configure your container to serve SSL and then deploy your Spring app into that container. Learn about configuring Tomcat for SSL.
Alternatively, and more flexibly, you can front your container with Apache and enable SSL there.

Spring is not 100% responsible for configuring SSL. For that you need to configure the container (jetty, tomcat, etc) to handle SSL.

Thanks for all the help, guys.
I will reiterate what I did, just for my own records.
First of all, the link provided by nont about 'Tomcat for SSL' was really helpful.
I read all about SSL and Tomcat there, and this is what I did:
On the command prompt, enter:
keytool -genkey -alias tomcat -keyalg RSA
The above command asked me some simple questions needed for a Certificate. I used the password 'changeit' wherever asked (as that is the default password).
On finishing with the above command, it generated a keystore file in C:/Documents and Settings//.keystore
I copied this .keystore file to tomcat/conf/myKeyStore.jks
Then I added the following to conf/server.xml :
<!-- HTTPS connector using Tomcat's JSSE (Http11Protocol) implementation.
     SSLVerifyClient, SSLEngine and SSLVerifyDepth are attributes of the APR/native connector
     and are ignored by this one (had SSLVerifyClient="require" been honoured, browsers without a
     client certificate could not have connected at all), so they are replaced by the JSSE
     equivalent clientAuth="false". The truststore is only used to verify client certificates. -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" minSpareThreads="5"
           maxSpareThreads="75"
           enableLookups="true"
           disableUploadTimeout="true"
           acceptCount="100"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${catalina.home}/conf/myKeyStore.jks"
           keystoreType="JKS" keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/cacerts"
           truststoreType="JKS" truststorePass="changeit"
           clientAuth="false"
           sslProtocol="TLS" />
And that's it!!
Next time, I ran tomcat my old http link did not work.
Then I tried adding sweet 's' to http with a port number of 8443 and lo! everything was up and running again.
Thanks nont for the wonderful link!!

Configure two different web sites, one for HTTP and one for HTTPS; the HTTP one will just redirect to the HTTPS site.
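Putting the answers above together, here is an added example (editor's illustration, not code from any of the posts): a Tomcat 6 server.xml with a plain-HTTP connector that only exists to bounce clients to the HTTPS connector, and a web.xml security-constraint that makes the container itself issue that redirect for every URL, so no Spring code is involved. The keystore path and the `tls.keystore.password` system property name are assumptions; Tomcat substitutes `${...}` system properties in server.xml, so the keystore password can be passed in CATALINA_OPTS instead of being stored in the file as in the previous answer.

```xml
<!-- conf/server.xml, inside <Service name="Catalina"> -->

<!-- Plain HTTP. redirectPort is where Tomcat sends a client whose request does not
     satisfy a CONFIDENTIAL transport-guarantee (see the web.xml fragment below). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- HTTPS via the JSSE connector. The keystore password is read from a system property,
     e.g. CATALINA_OPTS="-Dtls.keystore.password=..." (assumed property name), so the
     secret is not committed together with server.xml. clientAuth="false" is the JSSE
     attribute for "no client certificates"; APR-style SSLVerifyClient is not read here. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="200" acceptCount="100"
           keystoreFile="${catalina.home}/conf/myKeyStore.jks"
           keystoreType="JKS"
           keystorePass="${tls.keystore.password}"
           clientAuth="false"
           sslProtocol="TLS" />

<!-- WEB-INF/web.xml: force HTTPS for the whole application. Any http:// request is
     answered with a redirect to https://host:8443/... before a servlet sees it, so the
     login JSON described in the question never leaves the browser in clear text. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Two caveats before going live: the `keytool -genkey` keystore from the previous answer holds a self-signed certificate, which every browser will warn about, so a CA-issued certificate has to replace it (and pass `-keysize 2048` explicitly when generating the key, since older keytool versions default to shorter RSA keys); and `enableLookups="true"` from the earlier connector was dropped because a reverse DNS lookup per request buys nothing security-wise and slows the connector down.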

Related

IBM AppScan - Missing Secure Attribute in Encrypted Session (SSL) Cookie

We got a "Missing Secure Attribute in Encrypted Session (SSL) Cookie" finding for primefaces.download from an IBM AppScan DAST test.
PrimeFaces version is 7.0.
Sample example: https://www.primefaces.org/showcase/ui/data/dataexporter/basic.xhtml
primefaces.download -- this cookie is set when we download a file.
We already have session-config in web.xml, but when I check in Chrome the primefaces.download cookie is not set as HttpOnly and Secure.
Is there anything else required to be done when running it on JBoss 7.2?
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    ..........
    <!-- cookie-config applies to the container's session-tracking cookie (JSESSIONID) only;
         cookies an application or library adds itself are not covered by it. -->
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
Updated :
Issue raised
https://github.com/primefaces/primefaces/issues/6040
A Pull Request to fix the issue in 9.0-SNAPSHOT has been submitted.
https://github.com/primefaces/primefaces/pull/6041

Spring Integration Web Service 405 Error

I've been asked to do a prototype, converting a working web service that uses a Spring-enabled JAX-WS endpoint to using Spring Integration instead, and I've been told to use XML configuration as much as possible. I stripped down the application until just the relevant web service elements remain, and I've created a couple of new Spring XML config files as needed. While it compiles fine, when I deploy to a JBoss container and then try to invoke it using SoapUI, I get an HTTP 405 response, and there's nothing in the JBoss console to indicate that the request was even received, though the server log indicates the new gateway and service activator were set up correctly and are running. I can't find anything remotely relevant in any of the Spring documentation I've read, and none of the code examples I've pulled from GitHub address configuring the web service to run in an actual J2EE server.
I'm at a complete loss as to what I should be looking at. Here are my Spring config files:
springContext-main.xml (I can't use applicationContext.xml in the real app due to pre-existing constraints)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:annotation-config/>

    <!-- <bean class="com.bofa.ecom.intfacade.web.ApplicationConfiguration"/> -->

    <bean id="reconDao" class="com.bofa.ecom.intfacade.snf.recon.dao.ReconDAOImpl">
        <!-- <property name="dataSource" ref="dataSource"/> -->
    </bean>

    <bean id="reconServiceHelper" class="com.bofa.ecom.intfacade.snf.recon.service.helper.ReconServiceHelperImpl">
        <constructor-arg ref="reconDao"/>
    </bean>

    <import resource="classpath:/META-INF/spring/recon-ws.xml"/>
</beans>
recon-ws.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sws="http://www.springframework.org/schema/web-services"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.5.xsd
                           http://www.springframework.org/schema/oxm http://www.springframework.org/schema/oxm/spring-oxm-1.5.xsd
                           http://www.springframework.org/schema/web-services http://www.springframework.org/schema/web-services/web-services-2.0.xsd">

    <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory"/>

    <import resource="classpath:/META-INF/spring/inbound-gateway-config.xml" />

    <sws:dynamic-wsdl id="reconWsdl" portTypeName="reconGateway" locationUri="/reconService"
                      targetNamespace="http://intfacade.cpm.ecom.bofa.com/">
        <sws:xsd location="/WEB-INF/recon.xsd"/>
    </sws:dynamic-wsdl>

    <bean class="org.springframework.ws.server.endpoint.mapping.UriEndpointMapping">
        <property name="defaultEndpoint" ref="reconGateway"/>
    </bean>
</beans>
inbound-gateway-config.xml
<?xml version="1.0" encoding="utf-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:int-ws="http://www.springframework.org/schema/integration/ws"
       xmlns:int="http://www.springframework.org/schema/integration"
       xsi:schemaLocation="http://www.springframework.org/schema/integration/ws http://www.springframework.org/schema/integration/ws/spring-integration-ws.xsd
                           http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <int:channel id="recon-input"/>

    <int-ws:inbound-gateway id="reconGateway" request-channel="recon-input"/>

    <int:service-activator input-channel="recon-input" method="saveArrangementApplicationDetails">
        <bean id="arrangementApplicationReconService" class="com.bofa.ecom.intfacade.snf.recon.service.ArrangementApplicationReconServiceImpl">
            <constructor-arg ref="reconServiceHelper"/>
        </bean>
    </int:service-activator>
</beans>
Any pointers in the right direction would be greatly appreciated.
Edit: I've narrowed it down to what I think is a configuration problem with either SI or Spring-ws. I can't find a complete SI + Spring-ws example that uses XML configuration to figure out what I'm missing or doing wrong. I've added my spring ws config file above.
405 is Method Not Allowed - it appears you are doing a GET (or something else) rather than a POST.
If you believe you are POSTing, take a look with a network monitor (wireshark, or the built-in tcp/ip monitor in eclipse).
You may also be hitting the wrong URL; I suggest you turn on DEBUG logging on the server.
If you still can't figure it out, post the log someplace such as a gist.

Spring Integration http outbound-gateway

I'm trying to use the Spring Integration http outbound gateway, but I seem to be getting schema-related errors. The errors are:
cvc-complex-type.3.2.2: Attribute 'expected-response-type' is not allowed to appear in element 'int-http:outbound-gateway'. sprint-servlet.xml /sprint/src/main/webapp/WEB-INF line 28
cvc-complex-type.3.2.2: Attribute 'url' is not allowed to appear in element 'int-http:outbound-gateway'. sprint-servlet.xml /sprint/src/main/webapp/WEB-INF line 28
cvc-complex-type.3.2.2: Attribute 'http-method' is not allowed to appear in element 'int-http:outbound-gateway'. sprint-servlet.xml /sprint/src/main/webapp/WEB-INF line 28
cvc-complex-type.3.2.2: Attribute 'reply-timeout' is not allowed to appear in element 'int-http:outbound-gateway'. sprint-servlet.xml /sprint/src/main/webapp/WEB-INF line 28
It appears that the XSD does not accept these attributes. However, I've simply copy / pasted this from the Spring Integration docs. Here's the relevant part of my XML config file:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:int="http://www.springframework.org/schema/integration"
       xmlns:int-http="http://www.springframework.org/schema/integration/http"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                           http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration.xsd
                           http://www.springframework.org/schema/integration/http http://www.springframework.org/schema/integration/http/spring-integration-http.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
                           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd">

    <!-- Spring Integration stuff -->
    <int:channel id="requests"/>
    <int:channel id="replies"/>

    <int-http:outbound-gateway id="example"
                               request-channel="requests"
                               url="http://localhost/test"
                               http-method="POST"
                               expected-response-type="java.lang.String"
                               charset="UTF-8"
                               reply-timeout="1234"
                               reply-channel="replies"/>
Is there something obvious that I'm doing wrong?
Thanks,
Tim
Add spring-integration-http and spring-integration-core to your dependencies.
It should work.
I had the same problem and found the answer here
Why does Spring Integration have several XML schemas, and which one should I use?
Basically, the schema without a version is the version 1.0 schema. Point your schema to your version of spring integration like so
http://www.springframework.org/schema/integration
http://www.springframework.org/schema/integration/spring-integration-4.1.xsd
http://www.springframework.org/schema/integration/http
http://www.springframework.org/schema/integration/http/spring-integration-http-4.1.xsd
I'm not using STS - I'm using the standard Eclipse IDE. I'm not sure if STS helps with the classpath, but I simply can't get that to work for me. I ended up having to extract the XSDs from the .jar files and hosting them myself. Hopefully, the good folks at Spring Integration will post the most recent XSDs on the Spring site sometime soon. Until that time, however, I've got a workaround in place.

requested resource is not available

I am using JSF in one of my applications and the scenario is as follows:
1. I have a pages folder under WEB-INF.
2. Inside pages I have a.jsp.
3. When I deploy this application with the local Tomcat it says "The requested resource (/pages/a.jsp) is not available."
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">
    <display-name>Sample_Proj</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>AddUser.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
</web-app>
Is there anything else i need to add into web.xml?
The below url is what I'm using to hit the page:
http://localhost:8080/Sample_Proj/WEB-INF/page/AddUser.jsp
Your jsp files / folders should exist in the root of the web project and not in the WEB-INF folder, i.e.:
/pages/a.jsp
/WEB-INF/...
Your web.xml file is very much incomplete when it comes to a JSF web project. I would recommend reading the Java EE 6 tutorial, you can read through this chapter on getting started with web applications

Require authentication through https with spring security?

I'm using Tomcat 6, Spring MVC 3.0.0 and Spring Security 3.0.0, and since the passwords I store in the database are SHA-1 hashed, I can't use digest authentication (section 9.2.1 of the documentation spells that out). For this reason, I need to make authentication happen through HTTPS.
Due to potential processing overhead, I want to keep as much of the traffic in regular HTTP as possible. Is there a way I can make Spring use HTTPS for unauthenticated requests, then use HTTP once authentication is done? I think this is done with a ChannelProcessingFilter of some sort, but I'm stumped as to the particulars.
Here's my application-security.xml file as it currently stands:
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <http-basic />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="myUserDetailsService">
            <password-encoder hash="sha"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="myUserDetailsService" class="path.to.myUserDetailsServiceImpl">
    </beans:bean>
</beans:beans>
Thanks for the help.
If at any point you pass a session id over HTTP you are violating OWASP A9. An attacker doesn't need the password if he has the session id. I would not implement this feature in your application; HTTPS is very lightweight, and I think you should look into saving resources in places where it doesn't mean that your clients will be hacked.
Not sure exactly how to do it using Spring MVC, but I did accomplish this using Grails with Spring Security 3... if you are interested you can see my blog post here.
Because that will not really help you... I did a quick Google search and found this post, which looks correct and says to configure your web.xml:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext-security.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
and your applicationContext-security.xml as such:
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http>
        <intercept-url pattern="/url1.htm" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
        <intercept-url pattern="/url2.htm" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
        <intercept-url pattern="/**"       access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http" />
        <anonymous />
        <http-basic/>
    </http>

    <!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
    <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
</beans:beans>
Also take a look at this site for more info and how to configure tomcats SSL connector.
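The configuration the answer found is for the Spring Security 2.0 schema and anonymous access everywhere, which does not match the questioner's 3.0, `use-expressions`, `http-basic` setup. Here is the channel configuration for that stack as an added example (editor's illustration, not code from the question or the answers). It encodes two points: `requires-channel` on an `<intercept-url>` is what installs the ChannelProcessingFilter the question mentions, and it deliberately keeps every URL on HTTPS rather than dropping back to HTTP after login, because with HTTP Basic the browser re-sends the credentials on every request and the session cookie travels with every request too, so a single plain-HTTP request would expose exactly what the HTTPS login was meant to protect (the point the first answer makes). Bean names and the `sha` encoder are taken from the question; the port numbers are Tomcat's defaults, assumed to be what the questioner runs.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http use-expressions="true">
        <!-- requires-channel adds ChannelProcessingFilter to the filter chain. A request that
             arrives over http for a pattern marked https is answered with a redirect to the
             https URL before any authentication or authorization runs, so Basic credentials
             and the session cookie are never accepted over plain HTTP. -->
        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" />

        <!-- The redirect target port comes from the port mapper. The default mapper already
             knows 80<->443 and 8080<->8443 (Tomcat defaults, assumed here); declare the pair
             explicitly only when the connectors listen elsewhere, e.g. behind a proxy. -->
        <port-mappings>
            <port-mapping http="8080" https="8443" />
        </port-mappings>

        <http-basic />

        <!-- Issue a fresh session id at login (the 3.0 default, made explicit) so a session
             handed to the browser before authentication cannot be reused afterwards. -->
        <session-management session-fixation-protection="migrateSession" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="myUserDetailsService">
            <password-encoder hash="sha" />
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="myUserDetailsService" class="path.to.myUserDetailsServiceImpl" />
</beans:beans>
```

Check it by requesting any page over http://host:8080/ and confirming the 302 to https://host:8443/ in the browser's network panel, then that the JSESSIONID cookie Tomcat issues carries the Secure flag (Tomcat sets it when the session is created over HTTPS). A `<security-constraint>` with `CONFIDENTIAL` in web.xml achieves the same redirect at the container level; the Spring form has the advantage of sitting next to the access rules and working unchanged on any container. Separately, the unsalted SHA-1 hashes the question describes are cheap to brute-force once the database leaks; Spring Security 3.0 supports a `<salt-source>` under `<password-encoder>`, which is worth adopting before the site goes live.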
