Securing Web Applications (Thin Clients)

The following topics are discussed in this section:

• Authentication with Web Browsers
• Developing Secure Web Applications
• Using the <global-role/> Tag With Web Applications
• Adding Declarative Security to Web Applications
• Adding Programmatic Security to Web Applications
• Programmatic Authentication

 

---

Authentication with Web Browsers

Web browsers can connect to WebLogic Server over either an HyperText Transfer Protocol (HTTP) port or an HTTP Secure (HTTPS) port. The benefits of using an HTTPS port versus an HTTP port is two-fold. With HTTPS connections:

• All communication on the network between the Web browser and the server is encrypted. None of the communication including the username and password flows in clear text.
• As a minimum authentication requirement, the server is required to present a digital certificate to the Web browser client to establish its trusted identity.

If the server is configured for two-way SSL authentication, both the server and client are required to present a digital certificate to each other to establish their trusted identity.

Username and Password Authentication

WebLogic Server performs username and password authentication when users use a Web browser to connect to the server via the HTTP port. In this scenario, the browser and server interact in the following manner to authenticate a user (see Figure 2-1):

1. A user invokes a resource in WebLogic Server by entering the URL for that resource in a Web browser. The URL contains the HTTP listen port and the HTTP schema, for example, http://myserver:7001.
2. The Web server in WebLogic Server receives the request. WebLogic Server provides its own Web server but also supports the use of Apache Server, Microsoft Internet Information Server, and Netscape Enterprise Server as Web servers.
3. The Web server checks whether the WebLogic Server resource is protected by an security policy. If the WebLogic Server resource is protected, the Web server uses the established HTTP connection to request a username and password from the user.
4. When the user's Web browser receives the request from WebLogic Server, it prompts the user for a username and password.
5. The Web browser sends the request to the server again, along with the username and password.
6. The Web server forwards the request to the Web server plug-in. WebLogic Server provides the following plug-ins for Web servers:
   • Apache-Weblogic Server plug-in
   • Netscape Server Application Programming Interface (NSAPI)
   • Internet Information Server Application Programming Interface (ISAPI)

   The Web server plug-in performs authentication by sending the request, via the HTTP protocol, to the resource in WebLogic Server, along with the authentication data (username and password) received from the user.

7. Upon successful authentication, WebLogic Server determines whether the user has the permissions necessary to access the resource.
8. Before invoking a method on the server resource, the server performs an security authorization check. During this check, the server extracts the user's credentials from the security context, determines the user's role, compares the user's role to the security policy for the requested resource and verifies that the user is authorized to invoke the method on the resource.
9. If authorization succeeds, the server fulfills the request.

Figure 2-1 illustrates the secure login process for Web browsers.

Figure 2-1 Secure Login for Web Browsers

 

Digital Certificate Authentication

WebLogic Server uses encryption and digital certificate authentication when Web browser users connect to the server via the HTTPS port. In this scenario, the browser and server interact in the following manner to authenticate and authorize a user (see Figure 2-1):

1. A user invokes a resource in WebLogic Server by entering the URL for that resource in a Web browser. The URL contains the SSL listen port and the HTTPS schema, for example, https://myserver:7002.
2. The Web server in WebLogic Server receives the request. WebLogic Server provides its own Web server but also supports the use of Apache Server, Microsoft Internet Information Server, and Netscape Enterprise Server as Web servers.
3. The Web server checks whether the WebLogic Server resource is protected by an security policy. If the WebLogic Server resource is protected, the Web server uses the established HTTPs connection to request a username and password from the user.
4. When the user's Web browser receives the request from WebLogic Server, it prompts the user for a username and password. (This step is optional when using two-way authentication.)
5. The Web browser sends the request again, along with the username and password. (Only supplied if requested by the server.)
6. WebLogic Server presents its digital certificate to the Web browser.
7. The Web browser checks that the server's name matches the name in the digital certificate and that the digital certificate was issued by a trusted third party, that is, a trusted CA
8. If two-way authentication is in force on the server, the server requests a digital certificate from the client.
9. WebLogic Server checks that the client's name matches the name in the digital certificate and that the digital certificate was issued by a trusted third party, that is, a trusted CA.
10. The Web server forwards the request to the Web server plug-in. The Web server plug-in performs authentication by sending the request, via the HTTPS protocol, to the resource in WebLogic Server, along with the authentication data (username and password) received from the user.
11. Upon successful authentication, WebLogic Server determines whether the user has the permissions necessary to access the resource.
12. Before invoking a method on the server resource, the server performs an security authorization check. During this check, the server extracts the user's credentials from the security context, determines the user's role, compares the user's role to the security policy for the requested resource and verifies that the user is authorized to invoke the method on the resource.
13. If authorization succeeds, the server fulfills the request.

For more information, see the following sections:

• Managing WebLogic Security
• Configuring the Apache Server Plug-In
• Configuring the Microsoft-IIS Plug-In
• Configuring the Netscape Plug-In

 

---

Developing Secure Web Applications

WebLogic Server supports three types of authentication for Web browsers:

• BASIC
• FORM
• CLIENT-CERT

The following sections cover these topics:

• Developing BASIC Authentication Web Applications
• Developing FORM Authentication Web Applications
• Developing CLIENT-CERT Authentication Web Applications
• Deploying Web Applications

Developing BASIC Authentication Web Applications

With basic authentication, the Web browser pops up a login screen in response to a resource request. The login screen prompts the user for username and password. Figure 2-2 shows a typical login screen.

Figure 2-2 Basic Authentication Login Screen

 

To develop a Web application that provides basic authentication, perform these steps:

1. Create the web.xml deployment descriptor. In this file you include the following security information (see Listing 2-1):
   1. Define the welcome file. The welcome file name is Welcome.jsp.
   2. Define a security constraint for each set of Web application resources that you plan to protect. Each set of resources share a common URL. Resources such as HTML pages, JSPs, and servlets are the most commonly protected, but other types of resources are supported. In Listing 2-1, the URL pattern points to the Welcome.jsp file located in the Web application's top-level directory, the HTTP methods that are allowed to access the resource, POST and GET, and the role name, webuser.

   Note: Do not use hyphens in role names. Role names with hyphens cannot be modified in the Administration Console.

   1. Define the type of authentication you want to use and the security realm to which the security constraints will be applied. In this case, the BASIC type is specified and the realm is the default realm, which means that the security constraints will apply to the active security realm when the WebLogic Server boots.
   2. Define one or more security roles and map them to your security constraints. In our sample, only one role is defined, webuser, is defined in the security constraint so only one role name is defined here. However, any number of roles can be defined.

Listing 2-1 Basic Authentication web.xml File

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

    <web-app>
          <welcome-file-list>
               <welcome-file>welcome.jsp</welcome-file>
          </welcome-file-list>

          <security-constraint>
                <web-resource-collection>
                      <web-resource-name>Success</web-resource-name>
                      <url-pattern>/welcome.jsp</url-pattern>
                     <http-method>GET</http-method>
                     <http-method>POST</http-method>
                </web-resource-collection>
               <auth-constraint>
                    <role-name>webuser</role-name> 
              </auth-constraint>
          </security-constraint>

          <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>default</realm-name>
          </login-config>

           <security-role>
               <role-name>webuser</role-name>
           </security-role>

           </web-app>

2. Create the weblogic.xml deployment descriptor. In this file you map security role names to users and groups. Listing 2-2 shows a sample weblogic.xml file that maps the webuser security role defined in the <security-role> tag in the web.xml file to myGroup. With this configuration, WebLogic Server will only allow users in myGroup to access the protected resource—Welcome.jsp. However, you can use the Administration Console to modify the Web application's security role so that other groups can be allowed to access the protected resource.

Listing 2-2 BASIC Authentication weblogic.xml File

<?xml version="1.0"?>
<!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 6.0//EN" "http://www.bea.com/servers/wls600/dtd/weblogic-web-jar.dtd"> 

<weblogic-web-app>

     <security-role-assignment>
         <role-name>webuser</role-name>
         <principal-name>myGroup</principal-name>
     </security-role-assignment>

</weblogic-web-app>

3. Create a file that produces the Welcome screen that displays when the user enters a username and password and is granted access. Listing 2-3 shows a sample welcome.jsp file. Figure 2-3 shows the Welcome screen.

Listing 2-3 BASIC Authentication welcome.jsp File

<html>
  <head>
    <title>Browser Based Authentication Example Welcome Page</title>
  </head>
  <h1> Browser Based Authentication Example Welcome Page </h1>

  <p> Welcome <%= request.getRemoteUser() %>!

  </blockquote>
  </body>
</html>

Figure 2-3 Welcome screen

 

4. Start WebLogic Server and define the users and Groups that will have access to the Web application resource. In the weblogic.xml file (see Listing 2-2), the <principal-name> tag defines myGroup as the group that has access to the Welcome.jsp. Therefore, use the Administration Console to define the myGroup group, define a user, and add that user to the myGroup group. For information on adding users and groups, see Configuring WebLogic Security.
5. Deploy the Web application and use the user defined in the previous step to access the protected resource.
   1. For deployment instructions, see "Deploying Web Applications" on page 2-15.
   2. Open a Web browser and enter this URL:

   http://localhost:7001/basicauth/welcome.jsp

   3. Enter the username and password. The Welcome screen displays.

Developing FORM Authentication Web Applications

With FORM authentication, you provide a custom login screen that the Web browser displays in response to a resource request and error screen that displays if the login fails. The login screen prompts the user for username and password. Figure 2-2 shows a typical login screen. The benefit is that you have complete control over these screens so that you can design them to meet the requirements of your application.

Figure 2-4 shows the login screen for the form-based authentication sample application.

Figure 2-4 Form Authentication Login Screen

 

To develop a Web application that provides FORM authentication, perform these steps:

1. Create the web.xml deployment descriptor. In this file you include the following security information (see Listing 2-4):
   1. Define the welcome file. The welcome file name is Welcome.jsp.
   2. Define a security constraint for each set of Web application resources that you plan to protect. Each set of resources share a common URL. Resources such as HTML pages, JSPs, and servlets are the most commonly protected, but other types of resources are supported. In Listing 2-4, the URL pattern points to /admin/edit.jsp thus protecting the edit.jsp file located in the Web application's admin sub-directory, defines the HTTP method that is allowed to access the resource, GET, and defines the role name, admin.

   Note: Do not use hyphens in role names. Role names with hyphens cannot be modified in the Administration Console.

   1. Define the type of authentication you want to use and the security realm to which the security constraints will be applied. In this case, the FORM type is specified and no realm is specified so the realm is the default realm, which means that the security constraints will apply to the security realm that is activated when WebLogic Server boots.
   2. Define one or more security roles and map them to your security constraints. In our sample, only one role is defined, admin, is defined in the security constraint so only one role name is defined here. However, any number of roles can be defined.

Listing 2-4 FORM Authentication web.xml File

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

    <welcome-file-list>
        <welcome-file>welcome.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AdminPages</web-resource-name>
            <description>
                These pages are only accessible by authorized
                 administrators.
            </description>
            <url-pattern>/admin/edit.jsp</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>
                These are the roles who have access.
            </description>
            <role-name>
                admin
            </role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>
                This is how the user data must be transmitted.
            </description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/fail_login.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>
            An administrator
        </description>
        <role-name>
            admin
        </role-name>
    </security-role>
</web-app>

2. Create the weblogic.xml deployment descriptor. In this file you map security role names to users and groups. Listing 2-5 shows a sample weblogic.xml file that maps the admin security role defined in the <security-role> tag in the web.xml file to the group supportGroup. With this configuration, WebLogic Server will only allow users in support group to access the protected resource. However, you can use the Administration Console to modify the Web application's security role so that other groups can be allowed to access the protected resource.

Listing 2-5 FORM Authentication weblogic.xml File

<?xml version="1.0"?>
<!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 6.0//EN" "http://www.bea.com/servers/wls600/dtd/weblogic-web-jar.dtd"> 

<weblogic-web-app>

     <security-role-assignment>
         <role-name>admin</role-name>
         <principal-name>supportGroup</principal-name>
     </security-role-assignment>

</weblogic-web-app>

3. Create a file that produces the Welcome screen when the user requests the protected resource by entering the URL. Listing 2-6 shows a sample welcome.jsp file. Figure 2-4 shows the Welcome screen.

Listing 2-6 Form Authentication welcome.jsp File

<html>
  <head>
    <title>Security login example</title>
  </head>

  <%
    String bgcolor;
    if ((bgcolor=(String)application.getAttribute("Background")) ==
        null)
    {
        bgcolor="#cccccc";
    }
  %>

  <body bgcolor=<%="\""+bgcolor+"\""%>> 

  <blockquote>
  <img src=BEA_Button_Final_web.gif align=right>
  <h1> Security Login Example </h1>

  <p> Welcome <%= request.getRemoteUser() %>! 

  <p> If you are an administrator, you can configure the background 
  color of the Web Application. 
  <br> <b><a href="admin/edit.jsp">Configure background</a></b>.

  <% if (request.getRemoteUser() != null) { %>
    <p> Click here to <a href="logout.jsp">logout</a>. 
  <% } %>    

  </blockquote>
  </body>
</html>

4. Start WebLogic Server and define the users and Groups that will have access to the Web application resource. In the weblogic.xml file (see Listing 2-5), the <role-name> tag defines admin as the group that has access to the edit.jsp file and defines the user joe as a member of that group. Therefore, use the Administration Console to define the admin group, and define user joe and add joe to the admin group. You can also define other users add them to the group and they will also have access to the protected resource. For information on adding users and groups, see Configuring WebLogic Security.
5. Deploy the Web application and use the user(s) defined in the previous step to access the protected resource.
   1. For deployment instructions, see "Deploying Web Applications" on page 2-15.
   2. Open a Web browser and enter this URL:

   http://hostname:7001/security/welcome.jsp

   3. Enter the username and password. The Welcome screen displays.

Developing CLIENT-CERT Authentication Web Applications

Use client certificates involves using the SSL and digital certificates to secure your network traffic and verify that clients are who they claim to be. For information on using SSL and digital certificates, see "Writing SSL Clients" on page 3-29.

Deploying Web Applications

To deploy a Web application on a server running in development mode, perform the following steps:

1. Set up a directory structure for the application's files. Figure 2-5 shows the directory structure for the Web application named basicauth. The top-level directory must be assigned the name of the Web application and the sub-directory must be named Web-inf.

   Figure 2-5 Basicauth Application Directory Structure

   
    

2. To deploy the application in exploded directory format, simply move your directory to the applications directory on your server. For example, you would deploy the basicauth application in the following location:

   WL_HOME\user_projects\mydomain\applications\basicauth

   If the server is running, the application should auto-deploy. Use the Administration Console to verify that the application deployed.

   If the server is not running, the application should auto-deploy when you start the server

3. If you have not yet done so already, use the Administration Console to configure the users and groups that will have access to the application. To determine the users and groups that are allowed access to the protected resource, examine the weblogic.xml file. For example, the weblogic.xml file for the basicauth sample (see Listing 2-2) defines myGroup as the only group to have access to the welcome.jsp file.

For more information on deploying Web applications, see Deployment Tools and Procedures.

 

---

Using the <global-role/> Tag With Web Applications

With WebLogic Server versions 7.0 SP1 and later, there are four different options, or approaches, that you can use to configure security in Web applications:

• Approach #1: Always use the deployment descriptors in the web.xml and weblogic.xml files. In this case, you simply elect to never use the Administration Console to configure security and, instead, use the deployment descriptor files. The security configuration settings are read from the deployment descriptor files every time the Web application is deployed or redeployed. To use this approach, the Administration Console's Ignore Security Data in Deployment Descriptors attribute on the General tab of a security realm must be left in its default state—unchecked.
• Approach #2: Always use the Administration Console. In this case, before you deploy the application for the first time, you must check the Administration Console's Ignore Security Data in Deployment Descriptors attribute so that the deployment descriptors are ignored on initial deployment and subsequent redeployments. Then you use the Administration Console to configure Global Roles after the application is deployed.
• Approach #3: Use the deployment descriptor files to configure security at initial application deployment and then use the Administration Console to configure security from that point forward. In this case, the security configuration settings are read from the deployment descriptors upon initial deployment. Then you check the Ignore Security Data in Deployment Descriptors attribute so that deployment descriptors are ignored on subsequent redeployments and you use the Administration Console to make all subsequent changes to the application's security configuration.
• Approach #4: Use the deployment descriptors to configure policies and use the Administration Console to configure roles. In WebLogic Server 7.0 SP1 and later, support was added for the <global-role/> tag for use in the weblogic.xml and weblogic-ejb-jar.xml deployment descriptors. You can use this tag, instead of the <principal-name> tag, to explicitly indicate that you want the roles defined in the deployment descriptors by the <role-name> tag to use the mappings that you specify in the Administration Console.

Thus, the <global-role/> tag gives you the flexibility of not having to specify a specific role mapping for each role defined in the deployment descriptors for a particular Web application. Rather, you can use the Administration Console to specify and modify a specific role mapping for each defined role at anytime. Additionally, because you may elect to use this tag on some applications and not others, it is not necessary to check the Ignore Security Data In Deployment Descriptors attribute on the General tab of the security realm. Thus, within the same security realm, deployment descriptors can be used to specify and modify security for some applications while the Administration Console can be use to specify and modify security for others.

Listing 2-7 and Listing 2-8 show by comparison how to use the <global-role> tag.

Listing 2-7 Using the web.xml and weblogic.xml Files to Map Security Roles and Principals to a Security Realm

web.xml entries:

<web-app>
           ...
           <security-role>
               <role-name>webuser</role-name>
           </security-role>
           ...

</web-app>

<weblogic.xml entries:

<weblogic-web-app>

     <security-role-assignment>
         <role-name>webuser</role-name>
         <principal-name>myGroup</principal-name>
         <principal-name>Bill</principal-name>
         <principal-name>Mary</principal-name>
     </security-role-assignment>

</weblogic-web-app>

.

Listing 2-8 Using the <global-role> tag in Web Application Deployment Descriptors

web.xml entries:

<web-app>
           ...
           <security-role>
               <role-name>webuser</role-name>
           </security-role>
           ...

</web-app>

<weblogic.xml entries:

<weblogic-web-app>

     <security-role-assignment>
         <role-name>webuser</role-name>
         <global-role/>
     </security-role-assignment>

For information about how to use the Administration Console to configure security for EJBs, See Managing WebLogic Security.

 

---

Adding Declarative Security to Web Applications

To implement declarative security in Web application you use deployment descriptors (web.xml and weblogic.xml) to define security requirements. The deployment descriptors map the application's logical security requirements to its runtime definitions. And at runtime, the servlet container uses the security definitions to enforce the requirements. For a discussion of using deployment descriptors, see "Developing Secure Web Applications" on page 2-6.

For information about how to use deployment descriptors and the <global-role/> tag to configure security in Web applications declaratively, see "Using the <global-role/> Tag With Web Applications" on page 2-17.

For information about how to use the Administration Console to configure security in Web applications, See Managing WebLogic Security.

 

---

Adding Programmatic Security to Web Applications

You can write your servlets to access users and roles programmatically in your servlet code. To do this, use the following method in your servlet code: javax.servlet.http.HttpServletRequest.isUserInRole(String role). This method returns a boolean indicating whether the authenticated user is included in the specified logical "role". If the user has not been authenticated, this method returns false.

This method maps roles to the group names in the security realm. Listing 2-9 shows the elements that are used with the <servlet> element to define the user role in the web.xml file.

Listing 2-9 IsUserInRole Web.xml and Weblogic.xml Elements

Begin web.xml entries:

...
<servlet>
        <security-role-ref>
             <role-name>user-rolename</role-name>
             <role-link>rolename-link</role-link>
         </security-role-ref>
</servlet>

<security-role>
         <role-name>rolename-link</role-name>
</security-role>
...

Begin weblogic.xml entries:

...
<security-role-assignment>
         <role-name>rolename-link</role-name>
         <principal-name>groupname</principal>
         <principal-name>username</principal>
</security-role-assignment>
...

The string role is mapped to the name supplied in the <role-name> element which is nested inside the <security-role-ref> element of a <servlet> declaration in the web.xml deployment description. The <role-name> element defines the name of the security role or principal that is used in the servlet code. The <role-link> element maps to a <role-name> defined in the <security-role-assignment> element in the weblogic.xml deployment descriptor.

For example, if the client has successfully logged in as user Bill with the role of manager, the following method would return true:

request.isUserInRole("manager")

The following listing provides an example.

Listing 2-10 Example of Security Role Mapping

Servlet code: 
out.println("Is the user a Manager? " +
                         request.isUserInRole("manager"));

web.xml entries:

<servlet>
. . .
   <role-name>manager</role-name>
   <role-link>mgr</role-link>
. . .
</servlet>

<security-role>
   <role-name>mgr</role-name>
</security-role>

weblogic.xml entries:

<security-role-assignment>
   <role-name>mgr</role-name>
   <principal-name>bostonManagers</principal-name>
   <principal-name>Bill</principal-name>
   <principal-name>Ralph</principal-name>
</security-role-ref>

 

---

Programmatic Authentication

There are some applications where programmatic authentication is appropriate. A typical example is an application that supports user self-registration, that is, an application that requires an automated means for users to register an authentication identity for themselves and then be given immediate access to the site's protected resources. Usually, to self register, users are required to provide their identity and a password to protect the account, and perhaps some personal information that only they would know, for example, their mother's maiden name.

WebLogic Server provides a server-side API that supports programmatic authentication from within a servlet application:

weblogic.servlet.security.ServletAuthentication

Using this API, you can write servlet code that authenticates the user, logs in the user, and associates the user with the current session so that the user is registered in the active WebLogic Server security realm. Once the login is completed, it appears as if the user logged in using the standard mechanism. Listing 2-11 shows an example of how to use this API.

Listing 2-11 Programmatic Authentication Code Fragment

CallbackHandler handler = new SimpleCallbackHandler(username,
                                                     password);
Subject mySubject =
        weblogic.security.services.Authentication.login(handler);
weblogic.servlet.security.ServletAuthentication.runAs(mySubject);