
CRV2 FrameworkSpecIssuesJava

From OWASP
Revision as of 13:09, 4 October 2013 by Johanna Curiel (talk | contribs) (Created page with "=Proper secure configuration of Web.xml= The Web.xml file is the main configuration document responsible for secure configurations in Java Applications. The following section...")


Proper secure configuration of Web.xml

The web.xml file is the main configuration document responsible for the secure configuration of Java web applications. The following sections describe the important components needed to secure it.

Configure Custom Error pages

All errors generated by the application (404, 500, etc.) must be mapped to a custom error page so that the user is redirected there instead of seeing the raw error output produced by the application or the container. That output can give an attacker a starting point to reverse engineer the application and craft a specific attack from the information it reveals.

<error-page>
  <error-code>505</error-code>
  <location>/error/error.html</location>
</error-page>

Protect data in transit

To protect sensitive data, it is essential to secure the communication channel and the session using SSL. Configuring SSL on the server does not mean it is automatically enforced for the web application being secured. For this purpose, the following configuration must be added to the web.xml file (Kim, 2010):

<security-constraint>
  ...
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Configuring proper Authentication and Authorization to directories

Failure to configure proper authentication and authorization for directories allows anonymous users to see unprotected files of the web application. Therefore, always set up proper access controls in the following sections. The following configuration, for example, ensures that the "accountant" role is the only one able to access the "accounting" directory:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>accounting</web-resource-name>
    <url-pattern>/accounting/*</url-pattern>
    …
  </web-resource-collection>
  <auth-constraint>
    <role-name>accountant</role-name>
  </auth-constraint>
</security-constraint>

Configure http methods

Allow only the HTTP methods the application actually needs, such as GET and POST. When a security constraint lists specific <http-method> elements, the constraint applies only to those methods; any method not explicitly listed is allowed by default, which lets an attacker bypass the web.xml configuration by simply using another method. Removing the <http-method> elements makes the constraint apply to every method and provides the proper protection.

Use Secure Flag

Make sure that the session cookie is created with the secure flag; otherwise the session cookie is exposed to hijacking over unencrypted connections.

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>
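The following script is an added example, not part of the original OWASP page, that audits a web.xml for the five controls discussed above: custom error pages, a CONFIDENTIAL transport guarantee, security constraints that actually carry an auth-constraint or user-data-constraint, security constraints weakened by explicit <http-method> lists, and the secure cookie flag. Both web.xml documents it checks are constructed for the example (the "accounting" resource is taken from the page; the namespace is the standard Java EE web-app schema) and the finding codes are the script's own naming.

```python
"""Audit a Java web.xml for the web.xml hardening controls described on this page.

Added example; not OWASP code. Finding codes and sample documents are constructed here.
"""
import xml.etree.ElementTree as ET

# Constructed weak web.xml: no error pages, a constraint that only covers GET,
# no transport guarantee, no cookie-config.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounting</web-resource-name>
      <url-pattern>/accounting/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>accountant</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed hardened web.xml applying every control from the page.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>404</error-code><location>/error/error.html</location></error-page>
  <error-page><error-code>500</error-code><location>/error/error.html</location></error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounting</web-resource-name>
      <url-pattern>/accounting/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>accountant</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <session-config><cookie-config><secure>true</secure></cookie-config></session-config>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so checks work for any web-app schema version."""
    return tag.split("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Text of the first child element called `name`, or None if absent."""
    for c in _children(elem, name):
        return (c.text or "").strip()
    return None


def audit_web_xml(xml_text):
    """Return a list of finding strings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Custom error pages: require 404 and 500 mappings unless a catch-all
    #    entry (no error-code and no exception-type, Servlet 3.0+) exists.
    pages = _children(root, "error-page")
    codes = {_text(p, "error-code") for p in pages}
    catch_all = any(_text(p, "error-code") is None and _text(p, "exception-type") is None for p in pages)
    if not pages:
        findings.append("ERROR_PAGE_MISSING: no <error-page> entries; container default pages leak details")
    elif not catch_all:
        for code in ("404", "500"):
            if code not in codes:
                findings.append(f"ERROR_PAGE_MISSING_{code}: no <error-page> for HTTP {code} and no catch-all")

    # 2-4. Security constraints: transport guarantee, no-op constraints, http-method lists.
    confidential = False
    for sc in _children(root, "security-constraint"):
        names = [_text(w, "web-resource-name") or "unnamed" for w in _children(sc, "web-resource-collection")]
        label = ",".join(names) or "unnamed"
        for wrc in _children(sc, "web-resource-collection"):
            methods = [(m.text or "").strip() for m in _children(wrc, "http-method")]
            if methods:  # unlisted methods are not covered by the constraint at all
                findings.append(f"HTTP_METHOD_LISTED[{label}]: only {','.join(methods)} constrained; "
                                "other methods bypass it - remove <http-method> elements")
        udc = _children(sc, "user-data-constraint")
        if udc and _text(udc[0], "transport-guarantee") == "CONFIDENTIAL":
            confidential = True
        if not _children(sc, "auth-constraint") and not udc:
            findings.append(f"CONSTRAINT_NOOP[{label}]: no <auth-constraint> or <user-data-constraint>")
    if not confidential:
        findings.append("TRANSPORT_NOT_CONFIDENTIAL: no CONFIDENTIAL <transport-guarantee>; data may travel over HTTP")

    # 5. Secure flag on the session cookie.
    secure = None
    for sconf in _children(root, "session-config"):
        for cconf in _children(sconf, "cookie-config"):
            secure = _text(cconf, "secure")
    if (secure or "").lower() != "true":
        findings.append("COOKIE_NOT_SECURE: <cookie-config><secure>true</secure> not set")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc) or ["OK"])
```

Run it against a real deployment descriptor by passing its contents to audit_web_xml(); the weak sample produces four findings and the hardened sample none. The HTTP-method check is deliberately strict: any constraint that enumerates methods is reported, because the methods it omits are exactly the ones the constraint does not protect.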