Wednesday, January 19, 2011

Java web application security

I have been developing a web application using Struts. I just want share some of the tips & tricks concerning application security. I talk about encrypting passwords using keys, restricting users to access pages directly, implementing intercepting filters and handling logout (back button press).

Encrypting user passwords using keys
I am sure most developers will be using encryption/decryption algorithms for passwords, like SHA-1, SHA-2, etc. Before encrypting passwords, generate a random alphanumeric string which will act as a key for encryption. The key will be used to in the digest to create secret-key of the algorithm. This key will be different for different users. Make sure this key has at least 20 characters in length. Encrypt/decrypt the password using this key.

Restricting users to access your webpages directly
When I say accessing your webpages directly, I mean when a user tries to access a portion of the URL; lets say the URL is: http://localhost:8080/Mywebsite/user/changePasswd.jsp. And the user is clever to access all the files user the directory /user, he will change the URL to http://localhost:8080/Mywebsite/user/. Can you guess what happens now? The user will be able to view the list of all files kept under the directory: /user and he can download them directly: Right click the file -> Save target as -> Save! Done. This will also expose all the server side code whatever you have embedded in that webpage! Damn! you will be angry!

This is where web.xml comes to your rescue. You need to define your restrictions in security-constraint tag in web.xml and the J2EE framework takes care of restricting direct access. Read this

Intercepting filters
When user access a URL or a webpage without having privileges. The grave situation comes when the user session is not-active and the user is accessing a session page. Use filters.

In web.xml, under the filter tag, define all the pages that can be accessed always, accessed only on active sessions an accessed on authorization failure under the tag: init-param. Read these parameter values and write the logic that will redirect the page to error.jsp (response.sendRedirect("/error.jsp");) on authorization failure and allow access to URL (chain.doFilter(request,response);) if user has active session. Read this


Handling logout effectively on back button press
Well, for me, clearing cache using all the meta tags in jsp pages did not help, I would say did not work on all browsers. I found a way to fight it out. It can be handled better using JavaScript.

Here it goes. Write a servlet (or ActionServlet if you are using Struts) which invalidates session and redirects page to Logout.jsp. In Logout.jsp, call javascript functions: backButtonOverrideBody() & redirectToLogin() on the event of 'onload'.

function redirectToLogin(){
window.location="/login.jsp";
}


function backButtonOverrideBody() {
try {
history.forward();
} catch (e) {
// OK to ignore
}
}

As you can see, the function redirectToLogin() redirects the control to Login.jsp. And when the user is in Login.jsp press back button of the browser, he will be forwarded to Login.jsp.

The flow is: LogoutServlet -> Logout.jsp -> Login.jsp