Web Application Security Made Easy
With JBoss, Seam, and Hibernate
PRESENTED BY CHRIS ANDERSON
DECEMBER 10, 2008
Outline
 The Goal
 Technologies used
 Prerequisites
 Database creation
 Application generation
 Application configuration
 Additional security measures
 What’s next?
 Conclusion
The Goal
 Create a secure web application in under 30 minutes
 Authenticate users
 Role-based authorization
 Protect against SQL injection
 Protect against XSS
 Enable SSL
Technologies Used
 Microsoft SQL Server 2005
 JBoss 4.2.0 Application Server
 JBoss Seam 2.0.2 Web Framework
 Hibernate
 Apache Ant
 Eclipse development environment (recommended)
Prerequisites
 JBoss
 Seam
 SQL Server
 Ant
 Java 1.6
Database Creation
 Create users
 JBoss user
 Application user
 Create Tables
 User, Role, User_Role
 Stored Procedures
 Create user
 Change Password
Application Generation
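Added example, not code from the presentation: JPA entity beans for the User, Role and User_Role tables listed above, as the "Add entity beans for database tables" step later requires. The column names, the choice of username and role_name as primary keys, and the extra salt column are assumptions; the slide fixes only the three table names. Two source files are shown in one block.

```java
// --- User.java (assumed file; maps the User and User_Role tables) ---
package com.uccs.itapps.testproject.beans.entity;

import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.Table;

// "User" is a reserved word on SQL Server; the backticks make Hibernate quote it as [User].
@Entity
@Table(name = "`User`")
public class User implements Serializable {

    // Assumed primary key: the login name
    @Id
    @Column(name = "username", length = 64)
    private String username;

    // Assumed: hex digest of the salted password hash; the cleartext password is never stored
    @Column(name = "password", nullable = false, length = 64)
    private String password;

    // Assumed extra column: a random per-user salt, hex encoded
    @Column(name = "salt", nullable = false, length = 32)
    private String salt;

    // User_Role is a pure join table, so it needs no entity of its own.
    // EAGER because the roles are read once at login and then held in Identity.
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(name = "User_Role",
               joinColumns = @JoinColumn(name = "username"),
               inverseJoinColumns = @JoinColumn(name = "role_name"))
    private Set<Role> roles = new HashSet<Role>();

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getSalt() { return salt; }
    public void setSalt(String salt) { this.salt = salt; }
    public Set<Role> getRoles() { return roles; }
    public void setRoles(Set<Role> roles) { this.roles = roles; }
}

// --- Role.java (assumed file; maps the Role table) ---
package com.uccs.itapps.testproject.beans.entity;

import java.io.Serializable;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "Role")
public class Role implements Serializable {

    // Assumed primary key: the role name, e.g. "ADMIN", which is what s:hasRole() tests
    @Id
    @Column(name = "role_name", length = 32)
    private String roleName;

    public String getRoleName() { return roleName; }
    public void setRoleName(String roleName) { this.roleName = roleName; }

    // equals/hashCode on the key so Set<Role> membership is stable across persistence contexts
    @Override public boolean equals(Object o) {
        return o instanceof Role && roleName != null && roleName.equals(((Role) o).roleName);
    }
    @Override public int hashCode() { return roleName == null ? 0 : roleName.hashCode(); }
}
```

Because seam setup was answered "tables already exist", Hibernate will not create these tables; the mapping must match what the Database Creation step produced, and a mismatch shows up as a mapping error at deploy time rather than at first login.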
C:\jboss-seam-2.0.2.SP1>seam setup
[input] Enter your Java project workspace (the directory that contains your Seam projects) [c:/Projects]
[input] Enter your JBoss home directory [C:/jboss/jbossEP-4.2.0.GA/jboss-as]
[input] Enter the project name [testproject]
[input] Do you want to use ICEFaces instead of RichFaces [n] (y, [n])
[input] Select a RichFaces skin [classic] (blueSky, [classic], ruby, wine, deepMarine, emeraldTown, sakura, DEFAULT)
[input] Is this project deployed as an EAR (with EJB components) or a WAR (with no EJB support) [ear] ([ear], war)
[input] Enter the Java package name for your session beans [com.uccs.itapps.testproject.beans.session]
[input] Enter the Java package name for your entity beans [com.uccs.itapps.testproject.beans.entity]
[input] Enter the Java package name for your test cases [com.uccs.itapps.testproject.testcases]
[input] What kind of database are you using? [mssql] (hsql, mysql, oracle, postgres, [mssql], db2, sybase, enterprisedb, h2)
[input] Enter the Hibernate dialect for your database [org.hibernate.dialect.SQLServerDialect]
[input] Enter the filesystem path to the JDBC driver jar [C:\Program Files\Microsoft SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu\sqljdbc.jar]
[input] Enter JDBC driver class for your database [com.microsoft.sqlserver.jdbc.SQLServerDriver]
[input] Enter the JDBC URL for your database [jdbc:sqlserver://localhost]
[input] Enter database username [testdbuser]
[input] Enter database password [testdbuser]
[input] Enter the database schema name (it is OK to leave this blank) [TESTDB]
[input] Enter the database catalog name (it is OK to leave this blank) []
[input] Are you working with tables that already exist in the database? [y] ([y], n)
[input] Do you want to drop and recreate the database tables and data in import.sql each time you deploy? [n] (y, [n])
C:\jboss-seam-2.0.2.SP1>seam new-project
Building the Application
C:\Projects\demoproject>ant deploy
Application Configuration
 Modify the datasource xml file
 Change
<connection-url>
jdbc:sqlserver://localhost
</connection-url>
 To
<connection-url>
jdbc:sqlserver://127.0.0.1:50853;databaseName=TESTDB
</connection-url>
 The explicit port pins the connection to the port the instance actually listens on (a named SQL Server instance uses a dynamically assigned port rather than 1433; 50853 is the one the demo instance received), and databaseName scopes the connection to TESTDB
 The datasource file holds the database password in cleartext, so restrict read access to it on the server
Start JBoss
C:\jboss\jbossEP-4.2.0.GA2\jboss-as\bin\run.bat -c default
Authentication
 Add entity beans for database tables
 Modify authentication bean for user validation
 Both inputs are bound as JPQL named parameters, so the submitted username and password travel as data and cannot change the query (this is the SQL injection protection from the Goal slide); the password is hashed before it is compared with the stored hash

// Seam authenticate method. getHashedPwd is the application's own hashing helper;
// NoResultException is javax.persistence.NoResultException
public boolean authenticate() {
    try {
        User user = (User) em.createQuery(
                "from User where username = :username and password = :password")
                .setParameter("username", identity.getUsername())
                .setParameter("password", getHashedPwd(identity.getPassword()))
                .getSingleResult();
        if (user.getRoles() != null) {
            for (Role mr : user.getRoles()) {
                System.out.println("adding role: " + mr.getRoleName());
                identity.addRole(mr.getRoleName());
            }
        }
        return true;
    } catch (NoResultException e) {
        // no username/hash match: fail closed instead of propagating the exception
        return false;
    }
}
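Added example, not the presenter's code: a full authenticator component built around the slide's parameterized lookup, with the string-concatenated form shown beside it to make the injection risk concrete. It goes beyond the slide by storing a per-user salt and comparing digests in Java instead of matching the hash inside the WHERE clause. The component name authenticator, the User and Role entity classes with getSalt()/getPassword()/getRoles(), the SHA-256 construction and the hex encoding are all assumptions.

```java
package com.uccs.itapps.testproject.beans.session;

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;

import com.uccs.itapps.testproject.beans.entity.Role;
import com.uccs.itapps.testproject.beans.entity.User;

// Assumed component name; components.xml points Seam at it with
//   <security:identity authenticate-method="#{authenticator.authenticate}"/>
@Name("authenticator")
public class Authenticator {

    // Java 6 has no StandardCharsets, so look the charset up once
    private static final Charset UTF8 = Charset.forName("UTF-8");

    @In EntityManager entityManager;   // Seam-managed persistence context
    @In Identity identity;

    // VULNERABLE, shown for contrast only: the login name is pasted into the query
    // text, so a username such as   x' or '1'='1   becomes part of the JPQL and the
    // WHERE clause no longer means what the developer intended.
    User lookupUnsafe(String username) {
        return (User) entityManager.createQuery(
                "from User where username = '" + username + "'").getSingleResult();
    }

    // SAFE: the value is bound to a named parameter, so it reaches the database as
    // data and is never parsed as part of the statement.
    User lookup(String username) {
        return (User) entityManager.createQuery("from User where username = :username")
                .setParameter("username", username)
                .getSingleResult();
    }

    public boolean authenticate() {
        User user;
        try {
            user = lookup(identity.getUsername());
        } catch (NoResultException e) {
            return false;   // unknown user: same outcome as a wrong password, nothing leaked
        }
        byte[] stored = hexToBytes(user.getPassword());
        byte[] presented = hashPassword(hexToBytes(user.getSalt()), identity.getPassword());
        if (!MessageDigest.isEqual(stored, presented)) {   // constant-time comparison
            return false;
        }
        if (user.getRoles() != null) {
            for (Role role : user.getRoles()) {
                identity.addRole(role.getRoleName());
            }
        }
        return true;
    }

    // Assumed hashing scheme: SHA-256 over salt || UTF-8(password). Whatever path
    // creates users or changes passwords must store the same digest. A per-user salt
    // defeats precomputed tables; it also means the hash cannot go in the WHERE
    // clause, hence the lookup by username followed by a comparison in Java.
    static byte[] hashPassword(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(UTF8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Returning false for both an unknown user and a wrong password keeps the login response identical in either case, so the form cannot be used to enumerate valid usernames.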
Role-Based Security
 Create Administration page
 Create Link for Administration page on menu
<s:link view="/admin.xhtml" action="administration" value="Administration"
        rendered="#{identity.loggedIn &amp;&amp; s:hasRole('ADMIN')}"/>
 Modify pages.xml so the view itself is restricted; the rendered attribute only hides the link and does not stop a direct request for /admin.xhtml
<page view-id="/admin.xhtml" login-required="true">
  <restrict>#{s:hasRole('ADMIN')}</restrict>
</page>
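Added example, not code from the presentation: the Seam component behind the administration page, restricted with @Restrict so the check is enforced on the action and not only on the view. The component name adminAction, the revokeRole operation, and the User and Role entities (looked up by their primary keys, with getRoles() on User) are assumptions.

```java
package com.uccs.itapps.testproject.beans.session;

import javax.persistence.EntityManager;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;

import com.uccs.itapps.testproject.beans.entity.Role;
import com.uccs.itapps.testproject.beans.entity.User;

// Assumed component behind /admin.xhtml. Hiding the menu link with rendered="..." is
// cosmetic: anyone can type the URL or forge the POST. The <restrict> in pages.xml
// guards the view; this annotation guards the methods, so they stay closed even when
// reached from another view, a direct POST, or Seam Remoting.
@Name("adminAction")
@Restrict("#{s:hasRole('ADMIN')}")   // class-level: applies to every method below
public class AdminAction {

    @In EntityManager entityManager;
    @In Identity identity;
    @Logger Log log;

    // Assumed admin operation. Both values come from the page, so they are used as
    // primary keys in find() rather than spliced into a query string.
    public void revokeRole(String username, String roleName) {
        if ("ADMIN".equals(roleName) && username.equals(identity.getUsername())) {
            // an admin stripping his own ADMIN role is an easy way to lock everyone out
            throw new AuthorizationException("cannot revoke your own ADMIN role");
        }
        User user = entityManager.find(User.class, username);
        Role role = entityManager.find(Role.class, roleName);
        if (user == null || role == null) {
            return;   // nothing to do; do not reveal which one was missing
        }
        if (user.getRoles().remove(role)) {
            // audit trail of who changed what; #0-style placeholders are Seam's Log syntax
            log.info("#0 revoked #1 from #2", identity.getUsername(), roleName, username);
        }
    }
}
```

Seam evaluates the annotation before the method body runs; a caller who is not logged in gets NotLoggedInException and a logged-in caller without ADMIN gets AuthorizationException. The pages.xml that seam-gen produces already maps the first to a redirect to the login page and the second to an error message, so a denied call ends on a page rather than a stack trace; keep those mappings when editing pages.xml.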
SSL
 Create a self-signed certificate using Java keytool (Java 6 defaults to a 1024-bit RSA key; add -keysize 2048)
keytool -genkey -alias tomcat -keyalg RSA
 Copy the generated .keystore file to the JBoss conf directory (it appears below renamed to testproject.keystore)
 Modify the tomcat server.xml file: comment out the plain HTTP connector and enable the HTTPS connector; keystorePass is stored in cleartext, so restrict read access to server.xml
<!--Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" /-->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${jboss.server.home.dir}/conf/testproject.keystore"
keystorePass="Pass_1" />
What’s Next
 Replace the self-signed certificate with one issued by a trusted CA so browsers stop warning on every visit
 Configure SQL Server or create firewall rules so the database server accepts connections only from the application server
Conclusion
 Web application security can be easy
 Thanks for listening
 Any questions?