Tag: WebContainer

httpOnly Cookies using web.xml servlet 3.0 in JBoss AS7

Hi,

Securing our Applications is one of the most important task while moving to the production environment. Securing HttpSession is one of them. In this demonstration we will see how to use the HttpOnly cookies in “web.xml” using the tag “httpOnly”, Yes, this is a new feature added as part of Servlet3.0 Specification that we cna specify the httpOnly cookies directly using web.xml file.

The HttpOnly cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via Cross-site scripting. It means on client side the cookies can not be accessed using java script or some other scripting utilities. This feature applies only to session-management cookies, and not other browser cookies.

Earlier in JBoss AS6 we had a feature called as “context.xml” using which we could define the cookies as “httpOnly” by either editing the “${PROFILE}/deploy/jbossweb.sar/context.sar/context.xml” file or by creating “conntext.xml” file inside our application “${YOUR_APP}/WEB-INF/context.xml” file as following:

<Context cookies="true" crossContext="true" useHttpOnly="true">
   <SessionCookie httpOnly="true"/> 
</Context>

In this demonstration we will be using JBoss AS7 ( jboss-as-7.1.0.Beta1 ) which can be downloaded from the following link: http://www.jboss.org/jbossas/downloads
And we will see how we can specify httpOnly cookies using the standard web descriptor “web.xml” file using servlet 3.0 specification.

Step1). Create a Directory somewhere inside your file system where we can create our web application. Suppose i am creating a directory as “/home/userone/httpOnlyDemo” and the create a subdirectory with name “src” inside “/home/userone/httpOnlyDemo”

Step2). Now place the following kind of “web.xml” inside the “/home/userone/httpOnlyDemo/src” directory.

<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee web-app_3_0.xsd"
      version="3.0">
    
      <!-- Make sure that your web.xml is pointing the version="3.0" as above -->
      <session-config>
        <cookie-config>
           <http-only>true</http-only>
        </cookie-config>
      </session-config>
    
</web-app>

NOTE: The only thing here you need to kiip in mind that you are using the “web-app_3_0.xsd” in your “web.mxl” file pointing to version=”3.0″.

Step3). Now we will write a simple JSP Page in order to display the JSESSIONID cookie value in the browser with the help of Java Script. (Ideally the code should not be able to display the JSESSIONID cookie value with the help of java script here because we have marked out Cookie as “httpOnly”…so you can try both ways by enabling and disabling the http-only tag inside your web.xml to see what different you see while hitting the JSP Page.)

<%
   System.out.println("nt index.jsp is called...request="+request);
%>
<html>
    <head>
        <title>Hi HttpOnly</title>
        <script type="text/javascript">
          function ReadCookie(cookieName) 
           {
              var theCookie=""+document.cookie;
              var ind=theCookie.indexOf(cookieName);
              if (ind==-1 || cookieName=="") return ""; 
                 var ind1=theCookie.indexOf(';',ind);
              if (ind1==-1) ind1=theCookie.length; 
                 return unescape(theCookie.substring(ind+cookieName.length+1,ind1));
           }
       </script>
    </head>
    <body bgcolor="maroon" text="white">
            <center>
            <h1>Hello CookieDemo "HttpOnly" !!!

	<form name="getCookie">
	    <table border=0 cellpadding=3 cellspacing=3>
	     <tr><td>Cookie Name:&nbsp;</td><td><input name=t1 type=text size=20 value="JSESSIONID"></td></tr>
             <tr><td><input name=b1 type=button value="Read Cookie Value" onClick="this.form.t2.value=ReadCookie(this.form.t1.value)">&nbsp;</td>    <td><input name=t2 type=text size=20 value=""></td></tr>
           </table>
        </form>
       <b>NOTE: when you click on this button you should not be able to see the JSESSIONID cookie value in the textField if the http-only cookie is enabled.</b>
   </center>
    </body>
</html>

Step4). Now we will write a simple ant “build.xml” file in order to build and deploy our web application on JBoss AS7. So write the following “build.xml” file inside “/home/userone/httpOnlyDemo” as following:

<project name="httpOnlyCookieDemo" default="deploy">
<property name="jboss.home" value="/home/userone/jboss-as-7.1.0.Beta1" />
<property name="jboss.module.dir" value="${jboss.home}/modules" />
<property name="basedir" value="." />
<property name="tmp.dir" value="tmp" />
<property name="output.dir" value="build" />
<property name="src.dir" value="src" />
<property name="war.name" value="httpOnlyDemo.war" />

        <path id="jboss.classpath">
           <fileset dir="${jboss.module.dir}">
              <include name="**/*.jar"/>
           </fileset>  
        </path>

        <target name="init">
           <delete dir="${output.dir}" />
           <mkdir dir="${output.dir}" />
           <delete dir="${tmp.dir}" />
           <mkdir dir="${tmp.dir}" />
        </target>
	 
        <target name="build" depends="init">
           <mkdir dir="${tmp.dir}/WEB-INF"/>
           <copy file="${src.dir}/index.jsp" tofile="${tmp.dir}/index.jsp"/>
           <copy todir="${tmp.dir}/WEB-INF">
                <fileset dir="${src.dir}/">
                  <include name="web.xml"/> 
                </fileset>
           </copy>          
           <jar jarfile="${tmp.dir}/${war.name}" basedir="${tmp.dir}" compress="true" />
           <copy file="${tmp.dir}/${war.name}" tofile="${output.dir}/${war.name}"/>
           <delete includeEmptyDirs="true">
              <fileset dir="${tmp.dir}"/>
           </delete> 
        </target>

        <target name="deploy" depends="build">
            <echo message="*******************  Deploying the WAR file ${war.name} *********************" />  
            <echo message="********** ${output.dir}/${war.name} to ${jboss.home}/standalone/deployments **********" />  
            <copy todir="${jboss.home}/standalone/deployments/">
                <fileset dir="${output.dir}/">
                  <include name="${war.name}"/> 
                </fileset>
            </copy>
            <echo message="*******************  Deployed Successfully   *********************" />  
        </target>
</project>

NOTE: The only change in the above file you need to do is to change the “jboss.home” directory path in the second line of the above script is to point to your own JBoss AS7 directory home directory.

Step5). Now before running your ANT script to build and deploy the above webapplication you should have the ANT as well as JAVA set in the $PATH variable of the Shell / command prompt as following:

For Unix Based OS:
export PATH=/home/userone/jdk1.6.0_21/bin:/home/userone/apache-ant-1.8.2/bin:$PATH

For Windows Based OS:
set PATH=C:/jdk1.6.0_21/bin;C:/apache-ant-1.8.2/bin;%PATH%

Step6). Now run the ant file from the directory where you have placed the “build.xml” file as following:

[userone@localhost httpOnlyDemo]$ ant
Buildfile: /home/userone/httpOnlyDemo/build.xml

init:
   [delete] Deleting directory /home/userone/httpOnlyDemo/build
    [mkdir] Created dir: /home/userone/httpOnlyDemo/build
    [mkdir] Created dir: /home/userone/httpOnlyDemo/tmp

build:
    [mkdir] Created dir: /home/userone/httpOnlyDemo/tmp/WEB-INF
     [copy] Copying 1 file to /home/userone/httpOnlyDemo/tmp
     [copy] Copying 1 file to /home/userone/httpOnlyDemo/tmp/WEB-INF
      [jar] Building jar: /home/userone/httpOnlyDemo/tmp/httpOnlyDemo.war
     [copy] Copying 1 file to /home/userone/httpOnlyDemo/build

deploy:
     [echo] *******************  Deploying the WAR file httpOnlyDemo.war *********************
     [echo] ********** build/httpOnlyDemo.war to /home/userone/jboss-as-7.1.0.Beta1/standalone/deployments **********
     [copy] Copying 1 file to /home/userone/jboss-as-7.1.0.Beta1/standalone/deployments
     [echo] *******************  Deployed Successfully   *********************

BUILD SUCCESSFUL
Total time: 0 seconds

Step7). Now access the application like following: “http://localhost:8080/httpOnlyDemo/index.jsp” and then see whether you are able to see the JSESSIONID value or not? Also try removing the http-only tag from your web.xml file and then redeploy the application and then again try to access the application to check whether you are able to see the JSESSIONID cookie value or not .

Some more useful tags from Servlet 3.0 Specifications

You can get more details on these tags from the following link: http://java.sun.com/xml/ns/javaee/web-common_3_0.xsd
Also we can use some more useful tags in order to secure our WebAppications with the help of servlet3.0 tags present inside “web.xml” file like following

secure cookie: A secure cookie is only used when a browser is visiting a server via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

tracking-mode cookie: tracking-mode element in the Servlet 3.0 specification allows you to define whether the JSESSIONID should be stored in a cookie or in a URL parameter. If the session id is stored in a URL parameter it could be inadvertently saved in a number of locations including the browser history, proxy server logs, referrer logs, web logs, etc. Accidental disclosure of the session id makes the application more vulnerable to session hijacking attacks. Instead, make sure the JSESSIONID is stored in a cookie if tracking-mode is set to COOKIE. The valid values for tracing-mode are COOKIE/SSL/URL

<session-config>
  <cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </cookie-config>
</session-config>

.
.
Thanks
MiddlewareMagic Team


Http to Https automatic redirection in JBoss AS7

Hi,

In this demonstration we will see how to create a simple keystore and based on this how to configure the HTTPs connector in JBoss AS7. Also in many production environments it is desired to redirect clients incoming HTTP requests to HTTPs automatically.

So here we will see how can be use the redirect port configuration in the http connector and what kind of information we need to provide inside the “web.xml” file of our web application where we want automatic HTTPs redirection feature to make all the client conversation with the server CONFIDENTIAL.

SSL Configuration on JBoss AS7

Step1). Create a simple SSL certificate keystore. We can use the “keytool” utility which comes by default with the JDK and present inside the “$JAVA_HOME/bin” directory. So before running the below command make sure that you have set the PATH to point to your JDK bin directory.

For Unix Based OS:
export PATH=/home/userone/jdk1.6.0_21/bin:$PATH

For Windows Based OS:
set PATH=C:/jdk1.6.0_21/bin;%PATH%

Step2). Run the following command to create a sample key store file with name “chap8.keystore”


 keytool -genkey -keystore chap8.keystore -storepass rmi+ssl -keypass rmi+ssl 
            -keyalg RSA -alias chapter8  -validity 3650 
            -dname "cn=chapter8 example,ou=admin book,dc=jboss,dc=org"

Step3). Now paste the generated “chap8.keystore” inside the “/home/userone/jboss-as-7.1.0.Beta1/standalone/configuration” directory and then edit the “standalone-full.xml” file present in the same directory. We will need to edit the “urn:jboss:domain:web:1.1” subsystem as following:

        <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>

            <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
                <ssl name="ssl" 
                     key-alias="chapter8" 
                     password="rmi+ssl" 
                     certificate-key-file="../standalone/configuration/chap8.keystore" 
                     protocol="TLSv1" 
                     verify-client="false"/>
            </connector>
            <virtual-server name="default-host" enable-welcome-root="true">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>

NOTE: We added the redirect-port=”8443″ inside the http connector as well as we added the “https” connector settings with the ssl informations.

Step4). Now restart the JBoss AS7 server from inside “/home/userone/jboss-as-7.1.0.Beta1//bin” directory as following:

[userone@localhost bin]$./standalone.sh -c standalone-full.xml

Writing Test WebApplication

Step5). For simple testing we will write a web application. So create a directory somewhere in your file system with name “/home/userone/SelfSigned_SSL_Demo” and then create another directory “src” inside “/home/userone/SelfSigned_SSL_Demo”.

Step6). place the following kind of simple “index.jsp” file inside “/home/userone/SelfSigned_SSL_Demo/src” directory:

<html>
  <head>
    <title>SSL Demo</title>
  </head>
  <body bgcolor=maroon text=white>
      <BR><BR><BR><BR><BR><BR>
      <center>
       <b>index.jsp executed successfully over HTTPS.</b>
      </center>
  </body>
</html>

Step7). Now we will write a “web.xml” file inside the “/home/userone/SelfSigned_SSL_Demo/src” directory, and in this file we will define the user-data-constraint as CONFIDENTIAL sothat clients request matching the url-pattern defined will be automatically be redirected to the redirect-port defined inside the “standalone-full.xml” file.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <security-constraint>
         <web-resource-collection>
             <web-resource-name>HTTPs Test</web-resource-name>
             <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
</web-app>

Step8). To simply build and deploy the above web application we will write the following kind of “build.xml” file inside “/home/userone/SelfSigned_SSL_Demo” directory.

<project name="JBoss_Service" default="post-deploy">
<property name="jboss.home" value="/home/userone/jboss-as-7.1.0.Beta1" />
<property name="jboss.module.dir" value="${jboss.home}/modules" />
<property name="java.home.dir" value="/home/userone/MyJdks/jdk1.6.0_05" />
<property name="basedir" value="." />
<property name="war.exploaded.name" value="SelfSigned_HttpsTest" />
<property name="src.dir" value="src" />
<property name="output.dir" value="build" />
 
   <path id="jboss.classpath">
     <fileset dir="${jboss.module.dir}">
        <include name="**/*.jar"/>
     </fileset>  
   </path>

   <target name="init">
      <delete dir="${output.dir}" />
      <mkdir dir="${output.dir}" />
      <mkdir dir="${output.dir}/${war.exploaded.name}"/>
      <mkdir dir="${output.dir}/${war.exploaded.name}/WEB-INF"/>
   </target>
	 
   <target name="build" depends="init">
        <copy todir="${output.dir}/${war.exploaded.name}/WEB-INF">
	  <fileset dir="${basedir}/src">
	      <include name="web.xml"/>
	  </fileset>
	</copy>   
        <copy todir="${output.dir}/${war.exploaded.name}">
	  <fileset dir="${basedir}/src">
	      <include name="index.jsp"/>
	  </fileset>
	</copy>  
        <jar jarfile="${output.dir}/${war.exploaded.name}.war" basedir="${output.dir}/${war.exploaded.name}" compress="true" /> 
   </target>

        <target name="deploy" depends="build">
            <echo message="*******************  Deploying   *********************" />  
            <echo message="********** ${war.exploaded.name}.war to ${jboss.home}/standalone/deployments **********" />  
            <copy todir="${jboss.home}/standalone/deployments/">
                <fileset dir="${output.dir}/">
                  <include name="${war.exploaded.name}.war"/> 
                </fileset>
            </copy>
            <echo message="*******************  Deployed Successfully   *********************" />  
        </target>
  
        <target name="post-deploy" depends="deploy">
            <echo message="*******************  NOTE  *********************" />
            <echo message="***** You should be able to access your WSDL using Browser now *****" />
            <echo message="                http://localhost:8080/${war.exploaded.name}/index.jsp" />
            <echo message="You will notice that your URL is automactically changing to https"/>
            <echo message="https://localhost:8443/${war.exploaded.name}/index.jsp" />
        </target>  
</project>

Step9). Now before running your ANT script to build and deploy the above webapplication you should have the ANT as well as JAVA set in the $PATH variable of the Shell / command prompt as following:

For Unix Based OS:
export PATH=/home/userone/jdk1.6.0_21/bin:/home/userone/org.apache.ant_1.6.5/bin:$PATH

For Windows Based OS:
set PATH=C:/jdk1.6.0_21/bin;C:/org.apache.ant_1.6.5/bin;%PATH%

Step10). run the ant script “ant” to build and deploy the application on JBoss AS7.

[userone@localhost SelfSigned_SSL_Demo]$ ant
Buildfile: build.xml

init:
   [delete] Deleting directory /home/userone/SelfSigned_SSL_Demo/build
    [mkdir] Created dir: /home/userone/SelfSigned_SSL_Demo/build
    [mkdir] Created dir: /home/userone/SelfSigned_SSL_Demo/build/SelfSigned_HttpsTest
    [mkdir] Created dir: /home/userone/SelfSigned_SSL_Demo/build/SelfSigned_HttpsTest/WEB-INF

build:
     [copy] Copying 1 file to /home/userone/SelfSigned_SSL_Demo/build/SelfSigned_HttpsTest/WEB-INF
     [copy] Copying 1 file to /home/userone/SelfSigned_SSL_Demo/build/SelfSigned_HttpsTest
      [jar] Building jar: /home/userone/SelfSigned_SSL_Demo/build/SelfSigned_HttpsTest.war

deploy:
     [echo] *******************  Deploying   *********************
     [echo] ********** SelfSigned_HttpsTest.war to /home/userone/jboss-as-7.1.0.Beta1/standalone/deployments **********
     [copy] Copying 1 file to /home/userone/jboss-as-7.1.0.Beta1/standalone/deployments
     [echo] *******************  Deployed Successfully   *********************

post-deploy:
     [echo] *******************  NOTE  *********************
     [echo] ***** You should be able to access your WSDL using Browser now *****
     [echo]                 http://localhost:8080/SelfSigned_HttpsTest/index.jsp
     [echo] You will notice that your URL is automactically changing to https
     [echo] https://localhost:8443/SelfSigned_HttpsTest/index.jsp

BUILD SUCCESSFUL
Total time: 0 seconds

NOTE: Access the application with URL “http://localhost:8080/SelfSigned_HttpsTest/index.jsp” and you will notice that your URL is automatically chaged to ” https://localhost:8443/SelfSigned_HttpsTest/index.jsp”

.
.
Thanks
MiddlewareMagic Team


Copyright © 2010-2012 Middleware Magic. All rights reserved. |