ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.

advertisement

AddThis Social Bookmark Button Java Security

JSP Security for Limiting Access to Application-Internal URLs

06/27/2001

The applications that we deploy to the Web and our intranets are a significant source of security vulnerabilities. The technologies that we use to develop these applications make us more or less vulnerable to different types of attacks. For example, applications that are written in C++ tend to be more vulnerable to buffer-overrun attacks. Fortunately, Java-based Web development technologies (JSP, servlets, EJB, etc.) are less vulnerable to low-level programming errors and even provide some built-in security mechanisms.

While Java is a great language for building secure Web applications, careful attention to locking your application's interface is required to ensure success. In today's column, I'll cover a technique that I use to design and build simple JSP applications that provides some security benefits.

Application URLs Exposed

While many Web sites are still limited to simple collections of static content, more and more sites are deploying complex Web applications that interact with their users over a number of HTTP requests. Examples of these applications include personal information managers, online banking applications, and customer relationship services.

Building Web-based applications is challenging from a security perspective because HTTP is a stateless protocol, in which every browser-request/server-response is treated independently. There are a number of primary and secondary security issues that arise from this limitation. The one that I'll focus on is building applications that are distributed over several URLs.

A Web application that is accessible via several URLs is susceptible to URL-probing attacks. You may intend that your users access the individual application URLs in a way that makes sense for your application. However, some users (and most hackers) may not comply. Instead, they'll jump straight to the middle of your application and request URLs that are carefully calculated to circumvent your application's security features.

Comment on this articleWhat's your approach for security your Java Web applications using JSP or even other API such as EJB?
Post your comments

Also in Java Security:

Secure Your Sockets with JSSE

Java Plug-in 1.3 and RSA Signed Applets

In order to prevent users from probing my application's URLs for security weaknesses, I like to present a single application URL to my users. I model the application as a finite-state machine that changes from one secure state to another based upon interaction from the user.

The single application URL prevents a user/hacker from accessing the individual pages of the application. This doesn't mean that the application is written as a single page; it just means that the individual application pages are hidden from the user. At execution time, the application master page dynamically displays individual application pages to the user, processes user requests, determines the next application states, and transitions to these states. The application master page (which I'll just refer to as the application page) is automatically generated from an XML specification of the application.

Specifying the Application State Machine

Some of you may remember the finite-state machine from your computer science or math classes. If you don't, that's OK -- it is a very simple concept. A finite-state machine is a way of describing an application in terms of the states that the application may be in, the outputs that it displays, the inputs that it receives, and the ways in which it moves from state to state based on its current state and the inputs that it receives. Server-side Web applications are easily described in terms of a finite state machine. They start in a particular state, they receive a request from a user, they send a Web page to the user, and they move to a new state.

The following XML file presents a finite-state-machine design of an application that provides an on-line exam about basic Java security concepts. The application itself may be executed by clicking here.

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE application SYSTEM "machina.dtd">

<application name="javasecurityexam" initial_state="welcome">

<state name="welcome"
output_action="welcome.jsp"
input_action="checkstart.jsp">
<transition next_state="welcome"/>
<transition condition="start" next_state="question"/>
<transition condition="help" type="call" next_state="help"/>
</state>

<state name="question"
output_action="question.jsp"
input_action="checkanswer.jsp">
<transition next_state="question"/>
<transition condition="correct" next_state="response"/>
<transition condition="incorrect" next_state="response"/>
<transition condition="help" type="call" next_state="help"/>
</state>

<state name="response"
output_action="response.jsp"
input_action="checkfinished.jsp">
<transition next_state="response"/>
<transition condition="nextQuestion" next_state="question"/>
<transition condition="finished" next_state="finished"/>
<transition condition="help" type="call" next_state="help"/>
</state>

<state name="finished"
output_action="finished.jsp">
<transition next_state="welcome"/>
</state>

<state name="help"
output_action="help.jsp"
input_action="checkreturn.jsp">
<transition next_state="help"/>
<transition condition="return" type="return"/>
</state>

</application>

The first two lines of the file are standard XML headers. If you are up to speed with XML Document Type Definitions, you can access the above document's DTD. Save the file as machina.dtd.

The application tag specifies that the application is named javasecurityexam and that its initial state is welcome. The remainder of the document consists of the definition of the welcome, question, response, finished, and help states. These states define all of the various states in which the javasecurityexam may reside during its interaction with the user.

The welcome state is the state in which the application resides when the user first starts the application. It displays the welcome.jsp page to the user and awaits input from the user. It executes checkstart.jsp to process the user's request and then transfers to exactly one of the states welcome, start, and help based on the input condition that is set by checkstart.jsp.

Pages: 1, 2, 3

Next Pagearrow