WebApp Sec mailing list archives

Re: JSP Security - Limiting URL's


From: Steve Posick <steve.posick () advansol com>
Date: Tue, 10 Dec 2002 09:48:02 -0500

The idea of a Finite State Machine (FSM) is a good one for the example that the author used, an exam. It would fit nicely for any application that requires the user to follow a specific set of paths through the application, and his use of XML as a state definition language is very elegant. However, most web applications are not developed in this fashion. From my experience most web applications are hybrids of static and dynamic HTML with no set defined paths for the user to follow. There are times in the web site, especially on data entry, where the user needs to follow a set path through the application, such as wizard style entry forms. This approach would be excellent for those cases. As for the rest of the time, the old tried and true methods are still the best. Here are some things I do to help protect the applications, some requiring a fair level of security.

1. Use a Servlet (in an MVC architecture) or Filter to authenticate/verify all requests to HTML, JSP, XML, ... formats. Ignore images and style sheets if performance is an issue.
2. Interrogate the request parameters (recursively decoding until nothing is encoded) and deny any requests that contain '<', '>', '|' (the pipe symbol) or 'javascript'. I usually use regular expressions and look up the rejection patterns from a properties file.
3. Rely on the permission system built into the container for ACLs.
4. When needed I will sign the Session ID and other information about the client using the JCE and store the signature as a session cookie in the client browser. This cookie is used to authenticate the request later on. I do this if the Session ID is not cryptographically sound, such as the Session IDs generated by JRun 3.0 and lower (don't know if they corrected the issue in 4.0).

All in all though I would classify the FSM as a security mechanism. It will be overly complicated to implement for large applications (containing lots of states) and require an expert programmer to maintain the application; forget about your web designers and standard web masters. And as we all know, the more complicated the application, the harder it is to secure (the KISS principle).

I guess what I'm trying to say is that the only security benefit that the FSM provides is flow control. A user cannot jump from page to page at random and must follow predefined paths. It does not help protect your application from XSS attacks, improper implementation of permissions, directory traversals, poor implementations of system calls or cryptographically weak authentication schemes. But if used where it is needed I can see a benefit. (The code used in the examples looks a little overly complex as well; the FSM code should DEFINITELY be in a Servlet (MVC) and NOT in the JSP.)

At 02:42 PM 12/9/2002 -0800, securityarchitect () hush com wrote:

http://www.onjava.com/pub/a/onjava/2001/06/27/java_security.html

Can anyone see a downside to this ?




Steven J. Posick, CISSP
CEO - Systems Architect
AdvanSol LLC.
EMail: steve.posick () advansol com
Phone: (203) 257-0037

www.libertylost.org - America the land of the free?
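The parameter screen from item 2 and the signed session cookie from item 4 of the reply above, as an added example that is not part of the original post or of any servlet or JRun code. It is written in Python so that it runs stand-alone; in a servlet container the same two checks would sit in the Filter the post describes. Everything specific here is an assumption: the rejection patterns (the post says they come from a properties file), the server key, the choice of HMAC-SHA256 as the "JCE" signing primitive, the client attribute (remote address) bound into the signature, the four-layer decoding limit, and the sample requests, which are constructed for the example.

```python
"""Recursive-decode deny-list screen and HMAC-signed session cookie.

Added example, not the original post's code. Key, patterns, helper names
and sample requests are constructed for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import unquote_plus

# In the post these come from a properties file; constructed here.
# One pattern for the three forbidden characters, one for 'javascript'.
REJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"[<>|]", r"javascript")]

# Constructed example key; a real deployment generates and rotates it.
SERVER_KEY = b"example-only-server-key-do-not-reuse"


def fully_decode(value, max_rounds=5):
    """Percent-decode until a pass changes nothing.

    A single decode would turn %253C into %3C and miss the '<' hidden
    underneath; looping until the value is stable catches it. With
    max_rounds=5 the function accepts at most four layers of encoding
    (the fifth pass must confirm stability) and raises beyond that,
    which the caller treats as a rejection in its own right.
    """
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("still encoded after %d passes" % max_rounds)


def request_allowed(params):
    """Screen a request's parameters the way the post's Filter would.

    params maps a parameter name to its list of raw (still encoded)
    values, as a container hands them out. Returns (allowed, reason).
    """
    for name, values in params.items():
        for raw in values:
            try:
                text = fully_decode(raw)
            except ValueError as exc:
                return False, "%s: %s" % (name, exc)
            for pat in REJECT_PATTERNS:
                if pat.search(text):
                    return False, "%s matches %r" % (name, pat.pattern)
    return True, "ok"


def sign_session(session_id, remote_addr, key=SERVER_KEY):
    """Cookie value: HMAC-SHA256 over the session id and the client
    attribute it is bound to (assumed here to be the remote address)."""
    msg = ("%s|%s" % (session_id, remote_addr)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_session(session_id, remote_addr, cookie, key=SERVER_KEY):
    """Recompute the signature for this request and compare it in
    constant time with the cookie the browser sent back."""
    expected = sign_session(session_id, remote_addr, key)
    return hmac.compare_digest(expected, cookie)


def demo():
    """Run the screen over constructed sample requests and the cookie
    check over a constructed session; returns the decisions."""
    clean = {"q": ["hello+world"], "page": ["2"]}
    double_encoded = {"q": ["%253Cscript%253E"]}       # '<script>' twice
    pseudo_url = {"url": ["JavaScript%3Aalert(1)"]}    # mixed case
    over_encoded = {"q": ["%25252525253C"]}            # six layers deep
    sid, addr = "0001ABCD", "10.0.0.5"                 # constructed
    cookie = sign_session(sid, addr)
    return {
        "clean": request_allowed(clean)[0],
        "double_encoded": request_allowed(double_encoded)[0],
        "pseudo_url": request_allowed(pseudo_url)[0],
        "over_encoded": request_allowed(over_encoded)[0],
        "cookie_ok": verify_session(sid, addr, cookie),
        "cookie_other_client": verify_session(sid, "10.0.0.6", cookie),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-20s %s" % (check, result))
```

Two practical notes on the design. The signed cookie does not make a weak session id any less guessable; what it buys is that a guessed id is useless without a signature only the server's key can produce, which is exactly the JRun case the post is addressing. Binding the signature to the remote address, as assumed here, will log out users whose traffic comes through a pool of rotating proxies, so pick the bound attributes with that in mind. The deny-list is only as strong as its patterns: it stops the literal characters listed, including when they arrive multiply encoded, but it is a complement to output encoding on the JSP side rather than a substitute for it.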

