Reu

Reputation: 1287

Securing Tomcat Webapps

Given a database (MySQL) driven webapp written entirely in vanilla J2EE (no frameworks, etc.), which has no attempts at security (except a basic database login system), what steps should you take to secure it?

Any resources about this would also be handy. (I've found OWASP).

Thanks!

Upvotes: 1

Views: 1190

Answers (2)

Roy Kachouh

Reputation: 1903

That seems to be a loaded question.

The Spring Security framework is the first thing that comes to my mind, but it appears you might not be inclined to using any frameworks.

If you want to manage the security yourself using a set of database tables, then you would probably want to spend some time designing a proper data model that accounts for users and roles.

You would probably want to create some sort of Servlet filter that will check to see if a logged in user exists for protected resources. If the user exists, then the filter would forward to the protected resource. If the user is not authenticated, then the filter would capture the target page and redirect the user to authentication page.

Some other things to consider:

a). You would probably need to set up SSL for any page that passes login credentials.

b). You would probably want to look into some encryption facility for storing a user's password.

c). Being that you are writing a Java EE app, you would probably want to look into managing user principals.

d). If you are deploying to a distributed environment, how will you handle session management? In other words, should the sessions be sticky, or will you employ some sort of shared memory space for authenticated users (i.e. WebSessions, database persistence, etc.)?

e). Pay special attention to SQL injection attacks; if you are using JDBC prepared statements, this wouldn't be much of a concern.

f). If you are processing credit card transactions, you would want to make sure that you are PCI compliant.

g). Beware of evil bots; try to limit bot activity wherever possible. This can usually be done by employing some sort of captcha utility.

h). If you are using any third party tools/frameworks, be sure that you are always updated with the latest releases to avoid vulnerabilities.

Here are some resources that come to mind:

http://static.springsource.org/spring-security/site/

http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

http://docs.oracle.com/javaee/5/tutorial/doc/bnbwk.html

Hope this helps.

Upvotes: 1
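The servlet filter described in the answer above, written out as an added example (not code from the answer's author): it admits requests whose session carries a logged-in user, and otherwise records the requested page and redirects to the login page. The attribute names, the login page path and the `/secure/*` mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter; map it in web.xml to the protected paths, e.g.
//   <filter-mapping><filter-name>auth</filter-name>
//                   <url-pattern>/secure/*</url-pattern></filter-mapping>
public class AuthenticationFilter implements Filter {
    // Session attribute the login servlet sets after verifying credentials (assumed name).
    static final String USER_ATTR = "authenticatedUser";
    // Session attribute holding the originally requested page (assumed name).
    static final String TARGET_ATTR = "loginTarget";
    static final String LOGIN_PAGE = "/login.jsp";   // assumed location

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session for anonymous hits.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);   // authenticated: continue to the protected resource
            return;
        }

        // Not authenticated: remember the target, then redirect to the login page.
        String target = request.getRequestURI();
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        // The target lives in the session, not in a query parameter, so the login
        // page cannot be abused as an open redirect: only URIs of this app end up here.
        request.getSession(true).setAttribute(TARGET_ATTR, target);
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + LOGIN_PAGE));
    }
}
```

After a successful login the login servlet should set `USER_ATTR`, read `TARGET_ATTR` for the post-login redirect, and (on Servlet 3.1+) call `request.changeSessionId()` first so the pre-login session id is not kept.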

Santosh

Reputation: 17923

Your requirement is very abstract: you have already mentioned OWASP, which takes care of the security of a web application in general. Some of the most common attacks on web applications are the following:

  1. Cross site scripting (XSS)
  2. SQL injection
  3. Insufficient Transport layer security (not using HTTPS)
  4. Brute force hacking (no restriction on number of login attempts, not using captcha)
  5. Denial of service attack.

There are many more, but these are the most common. OWASP addresses most of these. Now, to secure your web application from each of these attacks, please go through the theory part (Google the same) and then see if OWASP has some workarounds or not; if not, there is a lot of open source/free code available for this. For example, for using a captcha, Google provides a free captcha service, and likewise for the others.

Upvotes: 2
