I have implemented some pages for my webproject. However, now I would like to add security.
I will have a couple of roles, like admin, user, other and some pages shall only be accessable for the admins, some for the users and so on.
If its intresting, Im using Hibernate for the database. I plan to store the roles and users in the database.
Can you help me to tell the best practice (if any) for a scalable solution for implementing the security in my webproject? Links, books or a good example is very grateful =)
Best regards
Apache Shiro is a new and supposedly very elegant and easy to use security framework.
Spring security may be suitable for your needs.
http://static.springsource.org/spring-security/site/features.html
BTW which IDE you are using?
You can undoubtedly visit OWASP web site..The OWASP web site provides you on every bit of information about the potential security attacks/threats to a web application..
The website will provide you all the information related to a particular attack/threat and also the possible solution to avoid the threat..
You can even download the ESAPI jar provided by OWASP which provides ample amount of functionalities to handle security attacks/threats. It will considerably reduce your development time.
Here's the link to the website
https://www.owasp.org/index.php/Main_Page
Based on the underlying technology you are using you will get relevant solutions to avoid attacks/threats.
Also you can store the names of the module or the URL in the DB and you can have a mapping between roles and the module. Based on the role of the user you can fetch the module and display respective modules to the user.
You can further visit this link for some more details on when to use SHIRO and when to use EASPI.
Apache Shiro & Java Security for Novicesenter link description here
But I am sure that after going through EASPI web site and few days of studying security attacks you can easily use EASPI to provide enhance security feature to your web application.
Related
I need of an information. I'm new in develop web application. I should use php and javascritp but it 's possible, in the future, I could use other languase like Java. During these days I'm following a course on the best practice to write secure code.
Is there any guide/book or any other valid resource, where I can find an explanation about the differrent kind of attaks on a web application and the ways to solve them?
Thanks
Luca
If you're looking for resources to secure your applications on the internet, the first thing to try is OWASP, or Open Web Application Security Project. Here are some useful articles about what you're looking for:
OWASP: Web Security Testing Guide
OWASP: Cheatsheets
OWASP: General Information
All of the resources above will show you the recommended ways to secure your web application against threats. I think it's more than enough for the first step in the security world.
does someone know where I can find webapplications, on which i can legaly try my pentesting skills like a dummy application or sth? I heard there were some on the OWASP page, but I cant find any. I'll write my thesis about pentesting web applications, and would like to do some tests.
Thanks,
katy
There is website pprovided by OWASP themselves, which is intended exactly for that. It is called WebGoat
WebGoat is a deliberately insecure web application maintained by OWASP
designed to teach web application security lessons. You can install
and practice with WebGoat in either J2EE (this page) or WebGoat for
.Net in ASP.NET. In each lesson, users must demonstrate their
understanding of a security issue by exploiting a real vulnerability
in the WebGoat applications. For example, in one of the lessons the
user must use SQL injection to steal fake credit card numbers. The
application is a realistic teaching environment, providing users with
hints and code to further explain the lesson.
I have deployed two applications onto the glassfish server, each of which uses its own security realm (file, jdbc). The problem is that the glassfish allows only one default realm to be set which results in only one application to be functional at a time. I'm a newbie with the glassfish so I might be missing something fundamental or should approach this problem differently (do I need a separate domain for each of mine applications to be able to set the security with specific realm?).
Any suggestions would be appreciated.
Thank you.
It's possible to create more file Realms in the same GlassFish domain, you simply have to specify a new file name for the keyfile storing the users / passwords information. You can follow this tutorial if you wish.
Concerning the other part of the question, you can also consider to use a LDAP server, which is a scalable and more general solution, because it can be used also by other applications inside the same firm. You can use OpenLDAP or OpenDJ for example, and use JNDI API for letting your applications access the LDAP realm.
Here you can find a JNDI and OpenLDAP Tutorial, but you can easily find other tutorials around on the subject.
For 90% of every security-related Grails tutorial, they tell you to store your User objects in a session-scoped variable. That's all nice and easy, but I wonder if it's too good to be true, especially with plugins like Spring Security that offer many times more features.
For the simple, "I am a user and therefore I am entitled to view/edit my own domain objects" applications that I develop, I store my User objects in a session. However, this got me thinking how Grails supports J2EE security and sessions in its own implementation (it does use a temporary session ID in the cookie, right?). Furthermore how vulnerable is it to attacks like cookie injection and cross-site/stray JS?
I don't want to actually invest the time in learning, integrating, and maintaining a plugin for an app that might not need it, so my question is, is Grails's session implementation secure enough for simple applications, and is there a very good reason I should use a security plugin even for these trivial tasks?
On a side-note, if anyone can point me to a good OpenID/Facebook login implementation, that would be terrific.
Regarding security concerns I would always suggest to prefer proven and widely adopted solutions over your own rolled security implementation. Spring Security was founded in 2003 under the name Acegi and brings you more than eight years of experience and development for your security concerns.
As you already pointed to the Grails Spring Security plugin you should have a look at the OpenID plugin Spring Security OpenID which extends the Spring Security Core and brings you the OpenID support.
reason I should use a security plugin even for these trivial tasks?
... on a basic level it's also trivial to use the plugin so what's there to lose? Screencast to get you started
We have a SharePoint site on it's own domain and are debating using Forms Authentication or Active Directory. Really we would like the power of kerberos with the flexibility and transparancy of a forms authentication (like storing the users in sqlserver using sqlmembershipprovider in asp.net). Is there any way to force Active Directory to authenticate against our user store, or can we set up a kerberos authentication server that isn't active directory?
Thanks!
You might also want to look into using ISA Server to help you out: http://blogs.msdn.com/jannemattila/archive/2007/07/23/isa-moss-makes-life-a-lot-easier-for-fba.aspx
http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part1.html
Maybe ADAM might be helpful for your scenario: http://www.microsoft.com/windowsserver2003/adam/default.mspx
The problem with Forms authentication is that it misses some end user GUI controls like: change password, forgot password etc. We implemented it on a project and had to do a lot of coding to achieve good usability for the end users.
You might also consider using Forefront User Access Gateway (UAG). I have implemented multiple times and it works much better than ISA and in fact, bits are installed along with SharePoint for the User Profile Service - http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx.
UAG gives you better security and flexibility and it is 'SharePoint Aware'. Based on the technology developed by Whale Communications (purchased by MS), it provides a common gateway for all of your applications (in addition to SharePoint).
There is one 'gotcha' in the way UAG logs out however but I have the fix for you here: http://davidmsterling.blogspot.com/2011/08/sharepoint-logout-with-uag.html.
To date, 20 clients have moved from ISA to Forefront UAG and all love it.
David Sterling - http://davidmsterling.blogspot.com - http://www.sterling-consulting.com - http://www.sharepoint-blog.com