Thursday, 14 July 2011

Project Done

The project is almost finished. There are some small details to fix, especially in the user interface, but most of the work is done. I will obviously do some testing to check that the application behaves correctly. Then I will package the final deliverable, with the source code, the EAR archive, the SQL scripts and the final report.

Thursday, 7 July 2011

Little Logout Issue

In a previous post I mentioned that the connection didn't switch back to HTTP after visiting confidential pages (the container only ever upgrades a request to HTTPS to satisfy a transport guarantee; it never downgrades, and relative links keep whatever scheme the current page has). I expected, however, that after the entire logout process the website would switch the connection back to plain HTTP, after invalidating the session. Unfortunately, I was wrong: HTTPS was still present! What to do? Google is the answer! However, I was not lucky enough to find a solution; maybe the question was wrong, not the answer. So I built a solution myself, which is this one: in the Logout servlet I check whether the request was made over HTTPS, using the method request.isSecure(). If so, I invalidate the session and redirect the user to an absolute URL, which is built using this string:

"http://" + getServletContext().getInitParameter("domain") + request.getContextPath() + "/index.jsp"


Where the parameter "domain" is specified in the deployment descriptor as "mauricius-pc:8080".
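A complete logout servlet along these lines, written here as an added example (it is not the project's own code). It assumes the "domain" context parameter and the /index.jsp landing page described above, the Servlet 3.0 @WebServlet annotation available in Java EE 6 on GlassFish 3, and a /logout mapping, which is an assumption:

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the project's own servlet. Assumes the context init
 * parameter "domain" (e.g. "mauricius-pc:8080") and the landing page
 * /index.jsp from the post; the /logout mapping is an assumption.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Servlet 3.0: clears the container-managed (j_security_check) login.
        if (request.getUserPrincipal() != null) {
            request.logout();
        }

        // Invalidate the session BEFORE redirecting: the browser keeps sending
        // the JSESSIONID cookie over plain HTTP, so the id must already be dead.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Rewrite the scheme only when we are currently on HTTPS. The host comes
        // from the deployment descriptor, not from the Host header, so a client
        // cannot turn the logout into a redirect to a site of its choosing.
        String path = request.getContextPath() + "/index.jsp";
        if (request.isSecure()) {
            String domain = getServletContext().getInitParameter("domain");
            response.sendRedirect("http://" + domain + path);
        } else {
            // Already on plain HTTP: a container-relative redirect is enough.
            response.sendRedirect(path);
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
```

Two points worth keeping in mind: the order (invalidate, then redirect) matters, because the session cookie will travel unencrypted from the redirect onwards; and reading the host from web.xml rather than from the request's Host header is the safer choice, since a user-controlled host would make the logout an open redirect. Sending the user back to plain HTTP also means that any session created afterwards is again carried over an unencrypted connection, which is acceptable only while that session holds nothing worth protecting.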

Saturday, 2 July 2011

Few notes on SSL Security - Part II

Good practice would be to use Transport Layer Security also when user credentials are sent over the network. I searched for an easy way to implement it directly with the j_security_check form; however, reading the following quote from the Java EE 6 tutorial, I discovered that things are a little bit different:

"Form-based authentication is not particularly secure. In form-based authentication, the content of the user dialog box is sent as plain text, and the target server is not authenticated. This form of authentication can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the user name and password information can easily be decoded. However, when a secure transport mechanism, such as SSL, or security at the network level, such as the IPSEC protocol or VPN strategies, is used in conjunction with form-based authentication, some of these concerns can be alleviated."


For this reason I decided to keep the authentication mechanism as it is.

Friday, 1 July 2011

Few notes on SSL Security

I decided to add support for a secure connection when sensitive data is transmitted over the network. Secure data transport is typically implemented using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). HTTP is layered on top of TLS/SSL to provide both encrypted communication and authentication of the server. The combination of HTTP with TLS or SSL results in an HTTPS connection, which can be identified in a browser's address bar (https://).

I discovered that GlassFish has a secure listener enabled by default (on port 8181). It uses a self-signed certificate, which is enough for our development purposes; it leads to some annoying warnings in the browser, forcing us to confirm a security exception, but that's it. I decided to use HTTPS in the checkout process (an e-commerce site like this one sometimes asks the user to enter a credit card number or other sensitive data at checkout, although this one does not) and in the registration process, when the user enters personal data (including the credit card number).

The secure connection is defined using XML in the web deployment descriptor, as follows:

<security-constraint>
   <display-name>Checkout</display-name>
   <web-resource-collection>
      <web-resource-name>Checkout</web-resource-name>
      <url-pattern>/checkout</url-pattern>
      <http-method>GET</http-method>
   </web-resource-collection>
   <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>


Wow, it works perfectly. It also seems that the navigation doesn't switch back to HTTP once the user moves out of a protected page. Should I treat this as a problem? Maybe not.
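An extended version of the descriptor above, written here as an added example rather than the project's own web.xml, covering both the checkout constraint and the credentials-over-SSL question from the later post. It changes two things a practitioner would want. First, the <http-method>GET</http-method> line is dropped: when http-method elements are listed, the constraint applies only to those methods, so a POST to /checkout (the request that actually carries the form data) would not be forced onto HTTPS. Second, the login page that j_security_check is submitted from gets its own CONFIDENTIAL constraint, so a form whose relative action is j_security_check posts the credentials over TLS as well. The /register, /login.jsp and /login-error.jsp patterns are assumptions:

```xml
<!-- Added example; the /register, /login.jsp and /login-error.jsp
     URL patterns are assumptions, not the project's real paths. -->
<security-constraint>
   <display-name>Confidential pages</display-name>
   <web-resource-collection>
      <web-resource-name>Checkout, registration and login</web-resource-name>
      <!-- No <http-method> elements: with none listed the constraint
           covers every HTTP method, POST included. -->
      <url-pattern>/checkout</url-pattern>
      <url-pattern>/register</url-pattern>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/login-error.jsp</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
      <!-- CONFIDENTIAL: the container redirects plain HTTP requests for
           these patterns to the HTTPS listener (8181 on GlassFish). -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

<!-- Form login as the project already uses it (j_security_check);
     the page names are the assumptions above. -->
<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
   </form-login-config>
</login-config>
```

One caveat: the constraint on /login.jsp only helps when the user opens the login page directly. When the container intercepts a request for a resource protected by an auth-constraint, it reaches the login page through an internal forward (this is how Tomcat and GlassFish behave), and security constraints are evaluated only on requests arriving from the client, so a protected page requested over plain HTTP still yields a login form, and a credential POST, over plain HTTP. Every resource behind the form login should therefore itself be CONFIDENTIAL; the simplest robust setting is a single constraint whose url-pattern is /*.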

I noticed on the website of the course that the exam is set for the morning of 6 July. Unfortunately, even if the project is almost finished (apart from some small details), I cannot be present on that date because I'm still working. I will join the September session.