Dec 16, 2012

Web Application Security


Web Application Security:

Step 1: Add an entry in web.xml

Add the <security-constraint>, <login-config> and <security-role> entries shown in Table 1 to web.xml. The first constraint (Generic) matches every URL but has no <auth-constraint>, so it restricts nothing; it only documents that everything outside /protected/ is public. The second restricts /protected/* to authenticated users in the admin role, and <login-config> tells the container to collect credentials with our own login form instead of an HTTP BASIC dialog. Two caveats before copying this into a real application: listing <http-method> elements limits a constraint to exactly those methods, so a request to /protected/* made with HEAD, PUT, DELETE, OPTIONS or TRACE is not covered by it at all (omit the <http-method> elements to constrain every method, and on a Servlet 3.1 container add <deny-uncovered-http-methods/> as a backstop); and <transport-guarantee>NONE</transport-guarantee> lets the password posted to j_security_check travel over plain HTTP, which is fine for a localhost test but should be CONFIDENTIAL (TLS) anywhere else.

Table 1
<!-- Matches every URL but has no auth-constraint, so it restricts nothing:
     everything outside /protected/ stays reachable without a login -->
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Generic</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
     </web-resource-collection>
</security-constraint>

<!-- Requires an authenticated user in the admin role for /protected/* -->
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Protected</web-resource-name>
          <description>Protected Resources</description>
          <url-pattern>/protected/*</url-pattern>
          <!-- only the listed methods are constrained; other methods are not covered by this entry -->
          <http-method>POST</http-method>
          <http-method>GET</http-method>
     </web-resource-collection>
     <auth-constraint>
          <role-name>admin</role-name>
     </auth-constraint>
     <user-data-constraint>
          <!-- NONE accepts plain HTTP; CONFIDENTIAL would require TLS -->
          <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
</security-constraint>

<!-- Collect credentials with our own form rather than a BASIC-auth dialog -->
<login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/loginfail.html</form-error-page>
     </form-login-config>
</login-config>

<!-- Declares the role used above; it still has to be mapped to real users in the server's realm -->
<security-role>
     <role-name>admin</role-name>
</security-role>

Step 2: Create an html/jsp file for login form
Now we need a page that accepts the user's credentials (user name and password). With FORM authentication the container expects the fields to be named j_username and j_password and the form to be posted to j_security_check; the simple html file in Table 2 does exactly that.

Table 2
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Sample Application: Login</title>
</head>
<body>
       <form action="j_security_check" method="POST">
              <table>
                     <tr>
                           <td>User Name</td>
                           <td><input id="j_username" name="j_username"></td>
                     </tr>
                     <tr>
                           <td>Password</td>
                           <td>
                           <input id="j_password" name="j_password" type="password">
                           </td>
                     </tr>
                     <tr>
                           <td colspan="2"><input type="submit" value="Login"></td>
                     </tr>
              </table>
       </form>
</body>
</html>

We also need a page the container sends the user to when login fails. Create the error html shown in Table 3.

Table 3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Sample Application: Login Failed</title>
</head>
<body>
       <span style="color:red">Login Failed</span>
</body>
</html>

Also create an index.html as the home page and a protected.html inside a folder named protected under the web application root, so that it falls under the /protected/* pattern. Then package the application as a war and deploy it to your application server. The admin role declared in web.xml must also be mapped to a real user or group in the server's security realm; how that is done is container-specific (for example tomcat-users.xml on Tomcat, or a <security-role-assignment> in weblogic.xml on WebLogic).

Step 3: Try to access a non-protected resource
Open http://localhost:7001/SampleApp/ in a browser. The home page is displayed without any login prompt, as shown in Figure 1.

Figure 1


So the resource at this location is served to an anonymous user: the constraint covering /* has no <auth-constraint>, so nothing outside /protected/ requires a login.
Step 4: Try to access a protected resource
Now request a resource under the protected path (for example http://localhost:7001/SampleApp/protected/protected.html), which is protected by the following lines in web.xml:

<security-constraint>
     <web-resource-collection>
          <web-resource-name>Protected</web-resource-name>
          <description>Protected Resources</description>
          <url-pattern>/protected/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
     </web-resource-collection>
     <auth-constraint>
          <role-name>admin</role-name>
     </auth-constraint>
     <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
</security-constraint>


The container does not serve it directly; it first asks for credentials using the page configured as form-login-page (login.html), as shown in Figure 2.

Figure 2


If the credentials are wrong, the container shows the page configured as form-error-page (loginfail.html), as shown in Figure 3.

Figure 3


If login succeeds, the container resumes the originally requested URL and protected.html is displayed, as shown in Figure 4. This is also why the flow starts by requesting the protected URL rather than by opening /login.html directly: the container needs that saved request to know where to send the user after j_security_check. The authenticated user is cached in the session, so further requests under /protected/ are served without another prompt.

Figure 4
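To check what the Table 1 configuration actually enforces in Step 4 without deploying it, here is an added example written for this page (it is not the page's code and not a container's): a small Python model of the Servlet spec's constraint matching, run against the page's security-constraint entries and against a hardened variant that is this example's own assumption. For a method and path it reports whether the request is public, requires authentication (and which roles), the transport guarantee, and whether the method is covered by any constraint at all, and it lists the HTTP methods that reach the protected URL without a login.

```python
# Added example (not code from this page or from any container): a model of how
# a Servlet container maps a request (method, path) to the security-constraint
# entries in web.xml, so a configuration's coverage can be checked before it is
# deployed. It follows the Servlet spec's url-pattern precedence (exact, longest
# path prefix, extension, "/" default) and its rules for combining constraints
# that share a pattern. <http-method-omission> and the "*" role are not modelled.
from collections import namedtuple
import xml.etree.ElementTree as ET

# The security section of the page's web.xml (Table 1) inside a bare <web-app> root.
PAGE_WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <web-resource-name>Generic</web-resource-name><url-pattern>/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection></security-constraint>
<security-constraint><web-resource-collection>
  <web-resource-name>Protected</web-resource-name><url-pattern>/protected/*</url-pattern>
  <http-method>POST</http-method><http-method>GET</http-method>
</web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

# Hardened variant, an assumption of this example rather than the page's config:
# no <http-method> list (so every method is covered), TLS required, and the
# Servlet 3.1 <deny-uncovered-http-methods/> as a backstop for future constraints.
HARDENED_WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <web-resource-name>Protected</web-resource-name><url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<deny-uncovered-http-methods/></web-app>"""

# One Rule per (url-pattern, web-resource-collection). roles is None when the constraint
# has no <auth-constraint> (anonymous access) and an empty set for <auth-constraint/> (nobody).
Rule = namedtuple("Rule", "pattern methods roles transport")
Decision = namedtuple("Decision", "access roles transport covered")
_RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}


def _kids(elem, name):
    """Child elements by local name, so a namespaced <web-app> root also works."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def parse_rules(web_xml):
    root, rules = ET.fromstring(web_xml), []
    for sc in _kids(root, "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        roles = None if not auth else frozenset(r.text.strip() for r in _kids(auth[0], "role-name"))
        transport = "NONE"
        for udc in _kids(sc, "user-data-constraint"):
            for tg in _kids(udc, "transport-guarantee"):
                transport = tg.text.strip().upper()
        for wrc in _kids(sc, "web-resource-collection"):
            methods = frozenset(m.text.strip().upper() for m in _kids(wrc, "http-method"))
            rules += [Rule(p.text.strip(), methods, roles, transport) for p in _kids(wrc, "url-pattern")]
    return rules, bool(_kids(root, "deny-uncovered-http-methods"))


def best_pattern(patterns, path):
    """Servlet url-pattern precedence: exact, longest path prefix, extension, default."""
    if path in patterns:
        return path
    prefixes = [p for p in patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-2] + "/"))]
    if prefixes:
        return max(prefixes, key=len)
    last = path.rsplit("/", 1)[-1]
    exts = [p for p in patterns if p.startswith("*.") and last.endswith(p[1:])]
    return exts[0] if exts else ("/" if "/" in patterns else None)


def decide(web_xml, method, path):
    """What the container demands before serving `method path` under this web.xml."""
    rules, deny_uncovered = parse_rules(web_xml)
    best = best_pattern({r.pattern for r in rules}, path)
    if best is None:                          # no constraint mentions this path
        return Decision("public", frozenset(), "NONE", False)
    matching = [r for r in rules if r.pattern == best]
    # An absent <http-method> list covers every method; otherwise only the listed ones.
    covering = [r for r in matching if not r.methods or method.upper() in r.methods]
    if not covering:                          # pattern matched but the method is uncovered
        return Decision("denied" if deny_uncovered else "public", frozenset(), "NONE", False)
    transport = min((r.transport for r in covering), key=lambda t: _RANK.get(t, 0))
    if any(r.roles is not None and not r.roles for r in covering):
        return Decision("denied", frozenset(), transport, True)
    if any(r.roles is None for r in covering):  # a constraint without auth-constraint wins
        return Decision("public", frozenset(), transport, True)
    return Decision("authenticated", frozenset().union(*(r.roles for r in covering)), transport, True)


def bypass_methods(web_xml, path, methods=("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")):
    """Methods that reach `path` anonymously even though GET requires authentication."""
    if decide(web_xml, "GET", path).access != "authenticated":
        return []
    return [m for m in methods if decide(web_xml, m, path).access == "public"]


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, decide(cfg, "HEAD", "/protected/protected.html"),
              "bypass:", bypass_methods(cfg, "/protected/protected.html"))
```

With the page's configuration, decide(PAGE_WEB_XML, "HEAD", "/protected/protected.html") comes back public and uncovered, and bypass_methods lists HEAD, PUT, DELETE, OPTIONS and TRACE, while GET and POST correctly require the admin role over plain HTTP; with HARDENED_WEB_XML every method requires admin and CONFIDENTIAL transport. This is a model of the spec rather than of a particular server, so confirm the result on the deployed application by sending a HEAD request to the protected URL and checking whether it is answered without a login.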