Review on Tomcat Security and the role of Java security manager (JSM) in Tomcat
By: Kiran Bharath kumar Damarla
MSc Computer Security, De Montfort University
1/9/2012 (Jan 9, 2012)
Abstract

Web applications are complex systems, and building a complete system involves various components such as the operating system, database, network, web server and others. In the web environment there is plenty of scope for a vulnerability to be found in any one of these components. In this internet age, taking care of the security of only particular components while neglecting, or paying the least attention to, the others can leave the entire system exposed and vulnerable. In the same way, putting serious effort into securing Tomcat is as necessary as securing the other components, such as the operating system and the network. The aim of this project is to develop an understanding of Tomcat security from both the web application and the web server point of view, and also of how to enhance the security of Tomcat, particularly by using the Java Security Manager. Little work has been done on the different aspects of Tomcat security, such as the configuration of Tomcat and how to secure Tomcat in general, and very little research is available on how to implement the Java Security Manager with Tomcat and on how the JSM provides security to the web server. This is precisely the main objective of this project; in addition, the role of the JSM within Tomcat has been analysed. To support that, an analysis is given by testing the different written test cases.
CONTENTS

Chapter 1: Introduction ..... 5
1.1.1 Background ..... 5
1.1.2 Web Application ..... 5
1.1.3 The Security Manager ..... 5
1.1.4 Sandbox ..... 6
1.2 Tomcat Introduction ..... 6
1.3 Tomcat Architecture ..... 6
1.4 Tomcat Startup ..... 9

Chapter 2: Setup Production Environment ..... 10
2.1 Overview ..... 10
2.2 Installing Apache Tomcat and Java SDK ..... 10
2.3 Tomcat Setup ..... 12
2.4 Installing Eclipse ..... 13
2.5 Configuration of Eclipse ..... 13
2.5.1 Integration of Tomcat and Eclipse ..... 13
2.5.2 Start Server Tomcat ..... 14
2.5.3 Regular Structure of Web Application ..... 14
2.5.4 Web Deployment structure ..... 14
2.5.5 Development and Deployment of project ..... 15
2.5.6 Creating Servlets ..... 15
2.5.7 Creating JSP's ..... 16
2.5.8 Home Page ..... 17
2.5.9 Web Application Deployment Descriptor ..... 17

Chapter 3: Overview of Tomcat Security ..... 18
3.1 Introduction ..... 18
3.2 Avoid Tomcat installation on Multi use system ..... 18
3.3 Use latest and Stay update ..... 18
3.4 Remove default applications ..... 19
3.5 Maintaining the Logs ..... 19
3.5 Remove unused connectors ..... 20
3.6 Realms ..... 21
3.7 Protect Server platform information ..... 21
3.8 File configuration in Tomcat ..... 23
3.9 Protection of Tomcat File Configurations ..... 24
3.10 File permission in Windows ..... 27
3.11 Implementation of JSM ..... 30
3.12 Security Manager ..... 30
3.13 Security permissions and Policies ..... 30
3.14 Implementation of Permissions and Policies ..... 30
3.14.1 System code Permissions ..... 31
3.14.2 Catalina code Permissions ..... 31
3.14.3 Web Application Permissions ..... 33
3.15 Running JSM with Apache tomcat ..... 35

Chapter 4: Proposed Web Application ..... 36
4.1 Introduction ..... 36
4.2 Home page ..... 36
4.3 My account ..... 36
4.4 SSL ..... 36
4.5 Form Based Authentication ..... 36

Chapter 5: Analysis of Security Manager ..... 37
5.1 Introduction ..... 37
5.2 Need of Security Manager for Tomcat ..... 37
5.3 The Roles of The Security Manager includes ..... 37
5.4 Test case I ..... 38
5.5 Test Case II ..... 40
5.6 Test Case III ..... 41
5.7 Test Case IV ..... 43

Chapter 6: Conclusion ..... 46
Chapter 7: Further Work ..... 47
References ..... 48
Appendices ..... 49
Appendix A ..... 49
Appendix B ..... 51
Chapter 1: Introduction
1.1.1 Background

According to the official Apache community, Tomcat has a good track record when it comes to providing security for web applications, thanks to the security measures taken by the community: most vulnerabilities are discovered by the project itself and patched early. However, simply using Tomcat does not by itself fully secure a web application. It is necessary to take additional security measures that make Tomcat as secure as it reasonably can be, and one of the most important of these is the security manager. Running Tomcat with the security manager defends the server from running Trojan JSPs, servlets and the like. The security manager protects the web application from untrusted applets that run malicious code to harm, or access files on, the local system. It works by making the web application run all applets within its own sandbox: the JVM runs each web application program in a separate space, which prevents it from making changes to, or harming, other programs on the system.

Later, an analysis is given by testing some written test cases to show how the JSM can be integrated with Tomcat and how it works to ensure security. Before that, an overview of Tomcat security is given, in which most of the security-related issues are identified. First, this early section gives short introductions to web applications, Tomcat, the security manager, the sandbox and so on.

1.1.2 Web Application

Web applications are software applications built with web technologies. They are accessible through web browsers such as Internet Explorer and Firefox. They are more interactive than traditional websites and allow users to carry out tasks such as using mail services, shopping online and paying bills. (Pawan, 2009)
1.1.3 The Security Manager

While a web browser runs applets, the security manager prevents untrusted code from accessing files on the local system, and it does this by using its sandbox. If the browser uses the Java security manager, which supports sandboxing, it runs applets in their own sandbox.

1.1.4 Sandbox

Robert W was the first to introduce and use the concept of sandboxing, in the context of software fault isolation. What they achieved was to provide safety when trusted and untrusted modules run in the same address space. By contrast, Ian Goldberg used the term sandboxing to describe a basic design that achieves security rather than safety. Their concept depends basically on limitation and restriction: the design grants no permissions to any untrusted application, so it cannot access any part of the system or network resources. (Robert, 1993) (Ian Goldberg, 1996)

1.2 Tomcat Introduction

Apache Tomcat is an open source, Java based web application container and web server for running Java servlets and JSP (Java Server Pages) based web applications. It was developed by the Apache Software Foundation. It is very stable and has many of the good features of commercially available web application containers, under an open source licence. (Jason, 2009) (Aleksa, 2011)

A web server serves pages in response to requests received from a web application or web browser. Nowadays web servers are not limited to serving traditional static web pages and CGI programs; Tomcat provides Java servlets and JSPs, and it can also run application programs and return dynamic results in response to requests from the user's web browser. It is a good choice for use as a high-performance production web server for web applications. One of the main aspects of Tomcat is that it can be used as a standalone server or work alongside other web servers. (Jason, 2009) (Aleksa, 2011)

Before discussing the security aspects of Tomcat, it is useful to give brief details of the Tomcat architecture. The following section covers the architecture of Tomcat.

1.3 Architecture of Tomcat

As mentioned earlier, Tomcat is a container, and it is made up of pluggable components that fit together in a hierarchy. At the top level of that container hierarchy is the instance, or server. One container component may contain other components, including Connector, Host, Logger, Valve and Wrapper. The figure "Architecture of Tomcat" shows how the components are connected. (Datadisk, ND) (Apache-Arc, 2011)
Server: Tomcat is the server, and the server comprises the whole container. It is the default implementation of the Server interface. The server is an instance of the web server and owns a port (port 8005 by default) used to shut the server down.

Service: an intermediate component that groups multiple connectors and connects them to one engine. It acts as a mediator between the container and the web browser: it accepts requests, sends them to the specified destination and returns the result.

Engine: a high-level container that represents the request-processing pipeline for a specific service, such as the Catalina server engine. It cannot be contained by any other container. It may have a set of connectors belonging to its service; it processes requests from those connectors and hands the response back to the specified connector, which transmits it to the client. It routes requests by examining the HTTP headers to identify the host or context.

Connector: handles communication with clients. It connects clients to applications; by default connectors receive HTTP or AJP requests from clients. Tomcat ships with several connectors, of which the HTTP and AJP connectors are the most used. The HTTP connector is used for HTTP traffic when Tomcat runs as a standalone server, and the AJP connector is used when Tomcat is connected to a web server such as the Apache HTTPD server.

Host: an association of a network name (a name and an IP address) with the server. An engine may contain a set of virtual hosts, each with its own web applications. It supports aliasing of network names such as myweb.com and you.myweb.com.

Context: a Context is a web application. A host may contain a set of Contexts, each with its own path. To create a custom context the Context interface may be implemented, but this is very rare because most context implementations are created using StandardContext. At web application level a context is a container by itself, and it adds servlets and filters as StandardWrapper.

Logger: a Logger reports the internal state of a component.

Valve: a Valve intercepts and preprocesses requests. Valves are also used to provide single sign-on across hosts, to handle client IP addresses, to record server usage and to log request patterns.

Realm: a Realm enforces the security policies. An engine uses a realm to manage user authentication and authorization. It provides access control, which determines which user roles may access which resources. (Datadisk, ND) (Apache-Arc, 2011)
Figure: Architecture of Tomcat.

Representation of the Tomcat architecture hierarchy in XML format, Ex: (Aleksa, 2011)
1.4 Tomcat Startup

Tomcat can be started in several ways; the three most common are:

I) Run automatically as a Windows service
II) Run as an embedded server through a Java program or application
III) Run from the command prompt

The sequence of the Tomcat startup procedure is as follows:

i) Start from the command line
   a. Set up class loaders
   b. Load the startup class
   c. Bootstrap.daemon.init() completes
ii) Process command-line arguments
   a. Catalina.setAwait(true);
   b. Catalina.load()
   c. Catalina.start()
   d. Tomcat receives a request on an HTTP port
   e. Invocation of the servlet class

(Apache-Start, 2011)
Chapter 2: Setup Production Environment

2.1 Overview

To understand Tomcat and its behaviour, it is necessary to create a working environment for this project; an analysis will also be made by testing Tomcat under various conditions, such as running with the Java Security Manager. This chapter covers how to install Java, including setting the environment variable, and the installation instructions for Tomcat and Eclipse. How to configure the Tomcat server in Eclipse is also discussed here, and in addition the web deployment structure is presented.

2.2 Installing Apache Tomcat and Java SDK

Java setup: Apache Tomcat 7.0 requires the Java Standard Edition Runtime Environment (JRE) version 6.0 or later. Here the Java SE Development Kit 7 (JDK) was downloaded for full functionality; Eclipse also uses Java to develop applications. The JDK is a development environment for building applications, applets and components using the Java programming language. It includes tools useful for developing and testing programs written in Java and running on the Java platform. (ApacheText, 2011)

(1) Download and install the Java SE Development Kit (JDK)
(1.1) Download the Java SE Development Kit (JDK) from http://www.oracle.com/technetwork/java/javase/downloads/jdk-7u1-download-513651.html
(1.2) Install the JDK according to the instructions included with the release.
(1.3) Set an environment variable named JAVA_HOME to the pathname of the directory into which you installed the JDK, as shown in the figures below, e.g. C:\Program Files\Java\jdk1.7.0.
2.3 Tomcat Setup

(2) Download and install the Tomcat binary distribution
(2.1) Download a binary distribution of Tomcat from: http://tomcat.apache.org/download-70.cgi
(2.2) Unpack the binary distribution into a convenient location so that the distribution resides in its own directory. "$CATALINA_HOME" is used to refer to the full pathname of the release directory.

(3) Start up Tomcat
(3.1) Tomcat can be started by executing one of the following commands:
    $CATALINA_HOME\bin\startup.bat   (Windows)
    $CATALINA_HOME/bin/startup.sh    (Unix)
(3.2) After startup, the default web applications included with Tomcat are available by visiting http://localhost:8080/, as shown in the figure below. (ApacheText, 2011)

(4) Shut down Tomcat
(4.1) Tomcat can be shut down by executing one of the following commands:
    $CATALINA_HOME\bin\shutdown.bat  (Windows)
    $CATALINA_HOME/bin/shutdown.sh   (Unix)
2.4 Installing Eclipse

As mentioned earlier, Eclipse requires an installed Java runtime, which is why Java was installed first. Download "Eclipse IDE for Java Developers" from the official Eclipse website: http://www.eclipse.org/downloads/ After installation, start Eclipse by double-clicking the file "eclipse.exe" (Microsoft Windows) or "eclipse" (Linux / Mac) in the directory where you unpacked Eclipse. The system will prompt you for a workspace.

2.5 Configuration of Eclipse (vogella, 2011)

The workspace is the place where you store your Java projects (more on workspaces later). Select an empty directory and press OK.

2.5.1 Integration of Tomcat and Eclipse

To add Tomcat, select Window -> Preferences -> Server -> Runtime Environments to configure WTP to use Tomcat. Select the version of Tomcat and the Tomcat installation directory.
2.5.2 Start Server Tomcat

To run and stop Tomcat within Eclipse, select Window -> Show View -> Servers -> Servers. (vogella, 2011)

2.5.3 Regular Structure of Web Application

- JSP and web content files such as HTML, style sheets, images, etc. are in the main directory or a subdirectory of it.
- Servlets, unjarred beans and utility classes are usually placed in the WEB-INF/classes directory, sometimes in a subdirectory corresponding to the package name.
- JAR files reside in WEB-INF/lib.
- web.xml resides in WEB-INF.
- Tag Library Descriptor files are in WEB-INF or a subdirectory of it.

2.5.4 Web Deployment structure:
2.5.5 Development and Deployment of the project

To use packages such as Web and Java, install them with the Eclipse update manager: select Help -> Install New Software.

Making a new project: to create a new project in Eclipse select File -> New -> Other -> Web -> Dynamic Web Project.

2.5.6 Creating Servlets

To create a servlet, select the WebContent folder and select New -> Other -> Web -> Servlet.
2.5.7 Creating JSPs

To create a JSP, select the WebContent folder, select New -> JSP and choose the "New JSP File (html)" template.

2.5.8 Home Page

To create the welcome page for your application, modify the file "WebContent/WEB-INF/web.xml": locate the welcome file entry and set the JSP or HTML page to be used as the home page of the application.

2.5.9 Web Application Deployment Descriptor

As mentioned above, the /WEB-INF/web.xml file contains the Web Application Deployment Descriptor for your application. As the filename extension implies, this file is an XML document, and it defines everything about your application that a server needs to know.
Chapter 3: Overview of Tomcat Security
3.1 Introduction

One of the main purposes of this project report is to investigate Tomcat security and its related security issues. In this chapter we try to cover most of the security concerns and configurations of Tomcat. In addition, how to protect the Tomcat platform, and the recommended settings for doing so, are discussed here. Some major Tomcat configuration files are also explained, including catalina.policy, catalina.properties, server.xml, tomcat-users.xml and so on. This section starts from the basic installation settings of Tomcat, and some other actions to take, such as removing web applications, are presented.

3.2 Avoid Tomcat installation on Multi use system

"Maintaining a server for a single purpose increases the security of your application and system. The more services which are exposed to an attacker, the more potential vectors an attacker has to exploit the system. Tomcat services should function as application servers only and should not be mixed with other functions". (CIS, 2009)

3.3 Use latest and Stay update

Like other software, Tomcat is not free from bugs, but it is very easy to improve the basic security of Tomcat simply by keeping the Tomcat instance up to date. Because it is an active open source project, every new release of Tomcat comes with new bug fixes and security patches. In addition, new security-related issues that are useful for improving the security of an instance are discussed on the Tomcat mailing lists. Members of the Apache community are notified through the Announce mailing list about major security threats and the patches to be applied. As with most software, to avoid tampered or hacked versions it should be checked that the right software and the correct version are being downloaded from the right place. To do this the user must verify the integrity of the downloaded file.

For this purpose Tomcat provides PGP signatures for every release file, and these should match the PGP keys of Tomcat's Release Managers. Tomcat also provides an MD5 digest to verify that the downloaded version is the correct one: any change to the software changes its MD5 digest. Every time Tomcat is downloaded, it is good practice to calculate the checksum of the downloaded file and compare it with the one on the official Tomcat website to verify its integrity, making sure that both are the same. (Apache-install, 2011) (Datadisk, ND) (Mule, 2011)
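The checksum comparison described above, as an added example that is not part of the dissertation or of the Tomcat project: verify_md5 recomputes the MD5 digest of a downloaded archive and compares it, case-insensitively, with the digest copied from the official download page, and verify_pgp wraps the corresponding PGP check. The helper names, the constructed sample file and the expected digest in the demonstration are this example's own.

```shell
#!/bin/sh
# Added example (not from the dissertation): verify a downloaded Tomcat
# archive against the digest and PGP signature published on the official site.

# md5_of FILE -> lowercase hex MD5 digest (md5sum on Linux, openssl elsewhere)
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    openssl dgst -md5 "$1" | awk '{print $NF}'
  fi
}

# verify_md5 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The comparison is case-insensitive because sites publish digests in both cases.
verify_md5() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  actual=$(md5_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file has $actual, expected $expected" >&2
  return 1
}

# verify_pgp ARCHIVE KEYS -> import the release managers' public keys (KEYS,
# downloaded from the Tomcat site) and check ARCHIVE against ARCHIVE.asc.
verify_pgp() {
  gpg --import "$2" && gpg --verify "$1.asc" "$1"
}

# Demonstration on a constructed file (not a real Tomcat archive): the MD5 of
# the text "hello" followed by a newline is b1946ac92492d2347c6235b4d2611184.
sample=$(mktemp)
printf 'hello\n' > "$sample"
verify_md5 "$sample" b1946ac92492d2347c6235b4d2611184
verify_md5 "$sample" 00000000000000000000000000000000 || echo "tampered digest rejected"
rm -f "$sample"
```

In practice the archive, its .asc signature and the KEYS file all come from the download page; only a digest that matches and a signature made by a listed release manager key should be accepted.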
While using Tomcat, some actions should be taken into consideration for securing it; as part of that, some recommendations are discussed in this section. It is best to start Tomcat security with the Tomcat instance.

3.4 Remove default applications

By default, Tomcat includes several web applications that are already installed and ready to use:

docs application: includes documentation about Tomcat.
examples application: includes simple examples of servlets and JSPs for demonstration purposes.
host-manager application: used for administering virtual hosts.
manager application: used for easy deployment and management of web applications.
ROOT application: includes the default welcome page.

All of these applications are shipped for a specific purpose, but it is not good to use them the way they are installed and configured by default. It is necessary to decide which ones are useful and which are not, and to remove the latter; in a production environment all of these applications should be removed to avoid greater risks. "Removing the sample resources is a defense in depth measure that reduces potential exposures introduced by these resources" (CIS, 2009). "By removing these applications make difference between being susceptible to vulnerability down the road, and being protected" (Chopra, 2003). "According to Open Web Application Security Project, misconfiguration and improper installation of web application servers can lead to seriously affect the integrity of web application and may also open to dangerous threats" (Chopra, 2003). "Gaining access to the Tomcat Manager would give an attacker considerable control over your Tomcat instance" (Mule, 2011).

To remove an application, run the following command:

    $ rm -rf $CATALINA_HOME/webapps/manager

If it is necessary to use the manager application, then access to it should be limited to known IP addresses to make security easier to handle.

3.5 Maintaining the Logs
"Well-maintained access logs are a vital tool in identifying security holes and sources of attack. In a development environment, it is not always obvious what kinds of malicious activity you should defend against. Maintaining logs once moving to production will help make sure an application which seems secure in development stays secure in the real world. Logs should be maintained on multiple levels - user access, application traffic, Tomcat internals, and OS/firewall, and a single process for reviewing and acting upon logs should be agreed upon by all system administrators". (Mule, 2011)

3.5 Remove unused connectors

By default a Tomcat installation contains connectors with default settings, chosen for the user's convenience. But it is best to configure these settings from the start: remove the connectors that are not necessary and enable only those that are actually needed, because unneeded and misconfigured connectors might lead to a security hole. By default, in $CATALINA_HOME/conf/server.xml, the following connectors are defined:

- the shutdown connector on port 8005
- the non-SSL HTTP connector on port 8080
- the AJP 1.3 connector on port 8009

File location: Windows: %CATALINA_HOME%\conf\server.xml; Ubuntu: /etc/tomcat7/server.xml

The Tomcat server can be shut down by connecting to port 8005 on localhost. This is configured in the Server component's "port" attribute, and both the port number and the shutdown character sequence can be changed. By setting the Server port value to "-1", the server is protected from unexpected shutdowns. With this configuration, the user who owns the Tomcat process can shut down Tomcat from the terminal with the "kill" command; with a standard kill, the user can shut down Tomcat more securely by issuing the equivalent graceful shutdown command. (Datadisk, ND) (Mule, 2011) (CIS, 2009)
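As an added example, not part of the dissertation or of the Tomcat distribution, the following script writes a minimal server.xml that keeps only the HTTP connector, sets the Server port to -1 as recommended above, and adds an access log valve for the logging advice in the previous section; the element nesting (Server, Service, Engine, Host) follows the component hierarchy of section 1.3. The shutdown string and file path are placeholders, and the two read-back helpers are this example's own.

```shell
#!/bin/sh
# Added example (not from the dissertation): a minimal hardened server.xml
# plus two helpers that read the security-relevant settings back out of it.

# write_minimal_server_xml FILE -> writes the configuration below to FILE
write_minimal_server_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!-- Server port -1 disables the shutdown listener (section 3.5). If a port is
     kept instead, also replace the shutdown string with a random one. -->
<Server port="-1" shutdown="REPLACE-WITH-RANDOM-STRING">
  <Service name="Catalina">
    <!-- Only the HTTP connector is kept; the AJP connector on 8009 is omitted
         because this instance is not fronted by Apache HTTPD. -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!-- Access log for the "Maintaining the Logs" recommendation. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
EOF
}

# shutdown_port_of FILE -> value of the port attribute on the <Server> element
shutdown_port_of() {
  sed -n 's/.*<Server [^>]*port="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# connector_ports FILE -> one line per <Connector> port attribute
connector_ports() {
  grep -o '<Connector [^>]*port="[^"]*"' "$1" | sed 's/.*port="\([^"]*\)"/\1/'
}

# Demonstration on a temporary file (constructed; not a live Tomcat instance).
demo_file=$(mktemp)
write_minimal_server_xml "$demo_file"
echo "shutdown port: $(shutdown_port_of "$demo_file")"   # -1
echo "connector ports: $(connector_ports "$demo_file")"  # 8080 only
rm -f "$demo_file"
```

The read-back helpers are what an audit script would run against the real $CATALINA_HOME/conf/server.xml: a shutdown port other than -1 or an unexpected connector port is the finding.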
3.6 Realms

Tomcat provides container-managed security; to use it you have to set up a realm. A realm is simply a collection of users, passwords and roles. Web applications can declare which resources are accessible by which groups of users in their web.xml deployment descriptor.

Access control: assign user roles and controls, i.e. set up usernames, passwords and roles. The realm contains a list of permissions as roles such as guest, registered user and administrator. The tomcat-users.xml file contains the list of users who are allowed to access web applications.

File location: Windows: %CATALINA_HOME%\conf\tomcat-users.xml; Ubuntu: /etc/tomcat7/tomcat-users.xml

3.7 Protect Server platform information

Modify the server.info string: "The server.info attribute contains the name of the application service. This value is presented to Tomcat clients when clients connect to the tomcat server". (CIS, 2009)

Modify the server.number string: "Advertising a valid server version may provide attackers with information useful for locating vulnerabilities that affect the server platform. Altering the server version string may make it harder for attackers to determine which vulnerabilities affect the server platform". (CIS, 2009)
Modify the server.built date: "The server.built date represents the date which Tomcat was compiled and packaged. This value is presented to Tomcat clients when clients connect to the server. Altering the server.built string may make it harder for attackers to fingerprint which vulnerabilities affect the server platform". (CIS, 2009) http://www.owasp.org/index.php/Securing_tomcat

These values are displayed to clients when they connect to Tomcat. To avoid any risk, they should be altered. This can be done as follows:

1. Select $CATALINA_HOME/lib/catalina.jar
2. Extract the catalina.jar file
3. Navigate to org/apache/catalina/util/ServerInfo.properties
4. Open ServerInfo.properties in an editor
5. Alter the attributes, e.g.:
    server.info=Apache Tomcat/7.0.23
    server.number=7.0.23.0
    server.built=Sep 20 2011 07:36:25
6. Update the attributes in ServerInfo.properties and update catalina.jar with the altered ServerInfo.properties file.

Stack traces: Tomcat displays its default error page when a runtime error happens, with a full stack trace containing sensitive information. Revealing such information publicly is not recommended, because it might be useful to attackers. (Datadisk, ND) (Mule, 2011) (CIS, 2009) "The following solution is not ideal as it produces a blank page because Tomcat cannot find the file specified, but without a better solution this, at least, achieves the desired result. A well configured web application will override this default in CATALINA_HOME/webapps/APP_NAME/WEB-INF/web.xml so it won't cause problems" (OWASP, 2011)

    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error.jsp</location>
    </error-page>

(OWASP, 2011) (CIS, 2009)
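The ServerInfo.properties procedure above, as an added example that is not part of the dissertation or of the Tomcat project: rewrite_server_info replaces the three keys in a properties file, and update_catalina_jar runs the extract, edit and update steps against catalina.jar. The replacement values are placeholders; the jar helper assumes unzip and the JDK's jar tool are on the PATH and that it is given an absolute path to the jar.

```shell
#!/bin/sh
# Added example (not from the dissertation): rewrite server.info, server.number
# and server.built following the catalina.jar steps of section 3.7.

# get_prop KEY FILE -> value of KEY in a Java properties file
get_prop() {
  key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the sed pattern
  sed -n "s/^$key=//p" "$2"
}

# rewrite_server_info FILE INFO NUMBER BUILT -> replaces the three keys in place
rewrite_server_info() {
  f=$1
  awk -v info="$2" -v num="$3" -v built="$4" '
    /^server\.info=/   { print "server.info=" info;   next }
    /^server\.number=/ { print "server.number=" num;  next }
    /^server\.built=/  { print "server.built=" built; next }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# update_catalina_jar JAR INFO NUMBER BUILT -> extract the properties file from
# the jar, rewrite it, and put it back (JAR must be an absolute path).
update_catalina_jar() {
  jar_path=$1
  work=$(mktemp -d)
  props=org/apache/catalina/util/ServerInfo.properties
  ( cd "$work" && unzip -q "$jar_path" "$props" ) || return 1
  rewrite_server_info "$work/$props" "$2" "$3" "$4" || return 1
  ( cd "$work" && jar uf "$jar_path" "$props" ) || return 1
  rm -rf "$work"
}

# Demonstration on a constructed properties file with the values from the text
# (not a real catalina.jar); the replacements are deliberately generic.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
server.info=Apache Tomcat/7.0.23
server.number=7.0.23.0
server.built=Sep 20 2011 07:36:25
EOF
rewrite_server_info "$demo_file" "Web Server" "0.0.0.0" "Jan 1 1970 00:00:00"
echo "server.info is now: $(get_prop server.info "$demo_file")"   # Web Server
rm -f "$demo_file"
```

Restart Tomcat after updating the jar, and repeat the change after every upgrade, since a new catalina.jar restores the real version string.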
However, for a more interactive result, the web application used in this project contains custom error pages that replace the default error pages from the server:

    <error-page>
        <error-code>404</error-code>
        <location>/error/404-error.jsp</location>
    </error-page>
    <error-page>
        <error-code>505</error-code>
        <location>/error/505-error.jsp</location>
    </error-page>
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error/error.jsp</location>
    </error-page>

3.8 File configuration in Tomcat

Configuring Tomcat is mainly done by editing files and restarting Tomcat. The main configuration files provided with Tomcat reside in the $CATALINA_HOME/conf directory:

server.xml: the main Tomcat configuration file.
web.xml: a servlet-specification standard format configuration file for servlets and other settings that are global to all web applications.
tomcat-users.xml: the default list of roles, users and passwords used by Tomcat's UserDatabaseRealm for authentication.
catalina.policy: the Java security policy file for Tomcat.
context.xml: the default context settings applied to all deployed contexts of all hosts in this installation of Tomcat.

The protection of these files is discussed next.
3.9 Protection of Tomcat File Configurations: CATALINA_HOME: $CATALINA_HOME is directory and the root path where the tomcat installed. It contains all important files related to Tomcat includes catalina.policy, tomcat-users.xml, catalina.jar etc. it should very important to protect these files from unauthorised access. And laso it is recommended that restrict the access permission on CATALINA_HOME to read, write and execute from others and write access from user groups. According to CIS, Perform the following to establish the recommended state: 1. Set the ownership of the $CATALINA_HOME to tomcat_admin.tomcat. 2. Remove read, write, and execute permissions for the world 3. Remove write permissions for the group. # chown tomcat_admin.tomcat $CATALINA_HOME # chmod g-w,o-rwx $CATALINA_HOME.
(CIS, 2009) CATALINA_BASE: CATALINA_BASE is the base directory and it used when multiple instances are running. It is necessary to protect this directory to prevent unauthorised changes of tomcat libraries and binaries. Location: $CATALINA_BASE To establish a safe recommended state, follow steps same as for CATALINA_HOME. (CIS, 2009) Configuration Directory (conf): Configuration directory contains configuration files of Tomcat. It should important to restrict access on this directory to prevent any alterations on configuration of tomcat and also mostly from malicious attacks. Location: $CATALINA_HOME/conf To establish a safe recommended state, follow steps same as for CATALINA_HOME. (CIS, 2009) bin: bin directory contains the runtime executes of the Tomcat. It should important to restrict access on this directory to prevent any alterations and malicious effects on integrity of Tomcat processes. Location:
$CATALINA_HOME/bin/
To establish a safe recommended state, follow steps same as for CATALINA_HOME. 25 | P a g e
DeMontfort University
(CIS, 2009) webapps: webapps directory contains the all default and deployed web applications of Tomcat. It should important to restrict access on this directory to prevent any alterations and malicious effects on integrity of web applications. Location: $CATALINA_HOME/webapps To establish a safe recommended state, follow steps same as for CATALINA_HOME. (CIS, 2009) catalina.properties: catalina.properties file is a java properties file; it includes Tomcat settings including information about class loaders, lists of security package, and performance properties of Tomcat. It should important to restrict access on this directory to prevent local users to do any unauthorised changes on Tomcat security policy. Location: $CATALINA_HOME/conf/catalina.properties To establish a safe recommended state, follow steps same as for CATALINA_HOME. (CIS, 2009) context.xml: context.xml file includes configuration options and load by web application. It should important to restrict access on this directory to prevent local users to do any unauthorised changes and to prevent inadvertent alters on security policy of Tomcat. Location: $CATALINA_HOME/conf/context.xml To establish a safe recommended state, follow steps same as for CATALINA_HOME. (CIS, 2009) logging.properties: logging.properties contains the logging configuration of Tomcat. . It should important to restrict access on this directory to prevent local users to do any unauthorised changes and to prevent inadvertent alters on security policy of Tomcat. Location: $CATALINA_HOME/conf/logging.properties To establish a safe recommended state, follow steps same as for CATALINA_HOME. (CIS, 2009)
server.xml: server.xml is Tomcat's main configuration file; it defines the Server, Service, Connector, Engine, Host and Valve elements that make up the server (servlet definitions themselves live in web.xml). Access to it must be restricted to prevent unauthorised or inadvertent changes to Tomcat's security policy. Location: $CATALINA_HOME/conf/server.xml. To establish the recommended state, follow the same steps as for CATALINA_HOME. (CIS, 2009)

tomcat-users.xml: tomcat-users.xml holds the users, passwords and roles that the default UserDatabase realm uses to authenticate web application users. Access to it must be restricted so that local users cannot alter it and so that its contents cannot be used in an attack: by default the passwords are stored in cleartext, as in the following attribute taken from a user entry. Location: $CATALINA_HOME/conf/tomcat-users.xml Ex:

password="12345"

To establish the recommended state, follow the same steps as for CATALINA_HOME. (CIS, 2009)

web.xml: the global web.xml holds the default servlet and filter configuration applied to every web application (each application's own WEB-INF/web.xml adds to it). Access to it must be restricted to prevent unauthorised or inadvertent changes to Tomcat's security policy. Location: $CATALINA_HOME/conf/web.xml. To establish the recommended state, follow the same steps as for CATALINA_HOME. (CIS, 2009)
Logs directory: the logs directory contains Tomcat's log files. Access to it must be restricted to prevent alteration of the logs, which an attacker would otherwise modify to cover his tracks. Location: $CATALINA_HOME/logs. According to CIS, perform the following to establish the recommended state:
1. Set the ownership of $CATALINA_HOME/logs to tomcat_admin:tomcat.
2. Remove read, write and execute permissions for the world.
# chown tomcat_admin:tomcat $CATALINA_HOME/logs
# chmod o-rwx $CATALINA_HOME/logs
(CIS, 2009)

temp: the temp directory is where Tomcat writes temporary data to disk. Access to it must be restricted to prevent tampering with those temporary files, whether accidental or malicious. Location: $CATALINA_HOME/temp (CIS, 2009)

catalina.policy: catalina.policy contains the security policy that the Java Security Manager enforces for Tomcat and is the file used to configure that policy. Access to it must be restricted to prevent unauthorised or inadvertent changes to Tomcat's security policy. Location: $CATALINA_HOME/conf/catalina.policy. Set the owner and group of the file to the Tomcat admin user and group and remove all access for the world:
# chmod 770 $CATALINA_HOME/conf/catalina.policy
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.policy
(CIS, 2009)
Note that mode 770 still lets the tomcat group, which is the account the server runs as, write the policy file. The server process has no need to edit its own policy, so a tighter setting such as 640 (owner writes, group reads) is preferable.
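The ownership and permission steps above are easy to apply once and lose over time (an upgrade, a deploy script, a manual chown). The following Java program is an added example, not part of the original report or of Tomcat, that audits a Tomcat directory tree against the CIS recommendations on a POSIX filesystem: it flags any entry that the world can read, write or execute, any file under conf that the group can write, and any tomcat-users.xml that still carries password attributes. It builds a small constructed directory tree in a temporary folder so that it runs offline; the tree layout, the file names and the three rules it checks are the assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Stream;

/**
 * Audits a Tomcat installation tree against the CIS file-permission
 * recommendations. Added example; assumes a POSIX filesystem.
 */
public class TomcatPermAudit {

    /** Returns one finding per violated rule; an empty list means compliant. */
    static List<String> audit(Path home) throws IOException {
        List<String> findings = new ArrayList<>();
        try (Stream<Path> walk = Files.walk(home)) {
            for (Path p : (Iterable<Path>) walk::iterator) {
                Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
                Path rel = home.relativize(p);
                // Rule 1: no access for "others" anywhere under CATALINA_HOME.
                if (perms.contains(PosixFilePermission.OTHERS_READ)
                        || perms.contains(PosixFilePermission.OTHERS_WRITE)
                        || perms.contains(PosixFilePermission.OTHERS_EXECUTE)) {
                    findings.add(rel + ": world-accessible " + PosixFilePermissions.toString(perms));
                }
                // Rule 2: nothing under conf/ may be group-writable; the server
                // process (group tomcat) has no reason to edit its own configuration.
                if (rel.startsWith("conf") && perms.contains(PosixFilePermission.GROUP_WRITE)) {
                    findings.add(rel + ": group-writable configuration");
                }
                // Rule 3: password attributes in tomcat-users.xml are cleartext
                // unless the Realm is configured with a digest.
                if (p.getFileName().toString().equals("tomcat-users.xml")) {
                    String xml = new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
                    if (xml.contains("password=\"")) {
                        findings.add(rel + ": password attributes present (cleartext unless the Realm digests)");
                    }
                }
            }
        }
        return findings;
    }

    /** Builds a constructed CATALINA_HOME with deliberate weaknesses (assumption). */
    static Path buildSample() throws IOException {
        Path home = Files.createTempDirectory("catalina_home");
        Files.createDirectories(home.resolve("conf"));
        Files.createDirectories(home.resolve("logs"));
        Path users = home.resolve("conf/tomcat-users.xml");
        Files.write(users, "<user username=\"admin\" password=\"12345\" roles=\"manager-gui\"/>\n"
                .getBytes(StandardCharsets.UTF_8));
        Path policy = home.resolve("conf/catalina.policy");
        Files.write(policy, "grant { };\n".getBytes(StandardCharsets.UTF_8));
        // Weak settings: world-readable users file, group-writable policy (mode 770).
        Files.setPosixFilePermissions(home, PosixFilePermissions.fromString("rwxr-x---"));
        Files.setPosixFilePermissions(home.resolve("conf"), PosixFilePermissions.fromString("rwxr-x---"));
        Files.setPosixFilePermissions(home.resolve("logs"), PosixFilePermissions.fromString("rwxrwx---"));
        Files.setPosixFilePermissions(users, PosixFilePermissions.fromString("rw-r--r--"));
        Files.setPosixFilePermissions(policy, PosixFilePermissions.fromString("rwxrwx---"));
        return home;
    }

    public static void main(String[] args) throws IOException {
        Path home = args.length > 0 ? Paths.get(args[0]) : buildSample();
        List<String> findings = audit(home);
        if (findings.isEmpty()) {
            System.out.println(home + ": compliant");
        } else {
            findings.forEach(f -> System.out.println("FINDING " + f));
        }
    }
}
```

Run it with no arguments to audit the constructed tree, or pass a real $CATALINA_HOME as the first argument. The logs directory is group-writable in the sample and is not reported, because the server must write there; only the conf tree is held to the stricter rule.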
3.10 File permissions in Windows: On Windows-based systems the same files are protected by controlling NTFS file permissions. By default a user account has read access to many locations on the file system. To revoke those default permissions on the root of each partition, open My Computer, view the properties of each partition, select the Security tab and add the account that will run Tomcat with all permissions denied for that system location, as shown in figure: system permissions.
Figure: system permissions
Next, grant permissions according to the requirements: for example, allow the Tomcat account read access to the JDK directory so that Java can execute Tomcat. Locate the Java home (installation) directory and allow the account that runs Tomcat read, write and execute permissions on it. (Chopra, 2003) Read and execute are all Tomcat actually needs on the JDK directory; write access there would let a compromised Tomcat account replace the runtime itself, so it is better left denied. In addition, the Tomcat directory tree needs the permissions shown in figure: T-permissions. As mentioned earlier, permissions are granted only where needed; the following table, Tomcat Directory Permissions, shows which permissions are allowed and which are denied for each directory in the Tomcat hierarchy. (Chopra, 2003)
Figure: T-permissions

Table: Tomcat Directory Permissions

Tomcat directory          Permissions for the Tomcat user account
CATALINA_HOME             Allow: Read and Execute, List Folder Contents, Read
CATALINA_HOME/bin         Deny: Write
CATALINA_HOME/common
CATALINA_HOME/conf
CATALINA_HOME/server
CATALINA_HOME/shared
CATALINA_HOME/webapps

CATALINA_HOME/temp        Allow: Modify, Read and Execute, List Folder Contents, Read, Write
CATALINA_HOME/work
CATALINA_HOME/logs

Source: (Chopra, 2003)
3.11 Implementation of JSM: This section discusses what the Security Manager is and how it is used with Tomcat. It also briefly describes the security policies and permissions used to implement it for Tomcat, and explains how the various security permissions are granted.

3.12 Security Manager: The Security Manager protects the server from faults and malicious code by controlling what the classes loaded by Tomcat are allowed to do. When Tomcat runs with the Security Manager, web applications run in a sandbox: every sensitive operation (opening a file or socket, reading a system property, exiting the JVM, loading native code) is checked against the policy, and untrusted or malicious code cannot reach files or other resources on the system unless the policy grants it that permission. The sandbox is not an isolated area on disk; it is a set of run-time checks on what the code may do.

3.13 Security permissions and policies: Permission classes define what permissions a class loaded by Tomcat will have. A number of Permission classes are a standard part of the JDK, and you can create your own Permission class for use in your own web applications. Both techniques are used in Tomcat.
3.14 Implementation of permissions and policies: The security policies enforced by the Java SecurityManager are configured in the $CATALINA_BASE/conf/catalina.policy file. When Tomcat is started with the "-security" switch this file completely replaces the java.policy file present in the JDK's system directories, and the permissions it grants are enforced by the JVM. The policy file is divided into three groups of code permissions, listed in this order:
System Code Permissions
Catalina Code Permissions
Web Application Code Permissions

3.14.1 System code permissions: The system code permissions grant all permissions to the JDK's standard extensions and to javac, which Tomcat uses to compile JSP pages into servlets. The grants in this section make sure the system code works when the JVM is started from JAVA_HOME; with a different JDK layout, additional grants may be required. The figure shows the system code permissions in the catalina.policy file. (Chopra, 2003)

Figure: System code Permissions Ex:

grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};
3.14.2 Catalina code permissions: The Catalina code permissions grant all permissions to Tomcat's own code, that is, the code that starts and runs the server and the JSP container. The following figure shows the Catalina code permissions. (Chopra, 2003)

Figure: Catalina code permissions Ex:

grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};
3.14.3 Web application permissions: This section grants each web application read access to a set of system properties. Every web application also receives a read FilePermission and a JndiPermission on its own document root, including all files and directories within it. The following figure: web app code shows the various code permissions in the web application section. (Chopra, 2003)
Figure: web app code Ex:

For JDBC (the JNDI lookup of a named JDBC DataSource):
permission java.util.PropertyPermission "java.home", "read";
For OS properties:
permission java.util.PropertyPermission "os.name", "read";
For JVM properties:
permission java.util.PropertyPermission "java.version", "read";

Additional permissions can be assigned to particular web applications by adding further "grant" entries. Different permissions can be granted to JSP pages, to classes loaded from the /WEB-INF/classes/ directory, to all jar files in the /WEB-INF/lib/ directory, or even to individual jar files in the /WEB-INF/lib/ directory. In addition, Tomcat uses a custom permission named org.apache.naming.JndiPermission. (ApacheSEC, 2011)

The standard Security Manager Permission classes applicable to Tomcat are listed below:
java.util.PropertyPermission: Controls read/write access to JVM properties such as java.home.
java.lang.RuntimePermission: Controls use of some System/Runtime functions like exit() and exec(). Also controls package access and definition.
java.io.FilePermission: Controls read/write/execute access to files and directories.
java.net.SocketPermission: Controls use of network sockets.
java.net.NetPermission: Controls use of multicast network connections.
java.lang.reflect.ReflectPermission: Controls use of reflection to do class introspection.
java.security.SecurityPermission: Controls access to Security methods.
java.security.AllPermission: Allows access to all permissions, just as if you were running Tomcat without a SecurityManager.
(ApacheSEC, 2011)
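The three-tier structure of catalina.policy is easiest to see by evaluating a policy directly, without starting Tomcat. The following Java program is an added example, not taken from the original report or from Tomcat: it writes a small policy file in the same shape as catalina.policy (AllPermission for code under ${catalina.home}/lib, a narrow default grant for everything else), loads it with the JDK's standard "JavaPolicy" provider and asks the policy which permissions code from each location holds. The policy text and the paths under /opt/tomcat are constructed for the example and need not exist, since Policy.implies() evaluates a grant against the code's location URL only. It is written against the java.security.Policy API of JDK 8 to 17, which later releases deprecate and JDK 24 removes together with the Security Manager.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.util.PropertyPermission;

/**
 * Evaluates a catalina.policy-style file against code locations.
 * Added example; the policy text and the /opt/tomcat paths are assumptions.
 */
public class PolicyTiers {

    // Same shape as catalina.policy: one trusted codeBase plus a default grant
    // that applies to all other code, i.e. the web applications.
    static final String POLICY =
        "grant codeBase \"file:${catalina.home}/lib/-\" {\n" +
        "    permission java.security.AllPermission;\n" +
        "};\n" +
        "grant {\n" +
        "    permission java.util.PropertyPermission \"os.name\", \"read\";\n" +
        "    permission java.util.PropertyPermission \"java.version\", \"read\";\n" +
        "};\n";

    /** Writes the policy to a temporary file and loads it with the JDK provider. */
    static Policy loadPolicy(String catalinaHome) throws Exception {
        System.setProperty("catalina.home", catalinaHome); // expanded in ${catalina.home}
        Path file = Files.createTempFile("catalina", ".policy");
        Files.write(file, POLICY.getBytes(StandardCharsets.UTF_8));
        return Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
    }

    /** True if code loaded from codeLocation is granted perm under the policy. */
    static boolean granted(Policy policy, String codeLocation, Permission perm) throws IOException {
        CodeSource cs = new CodeSource(new URL(codeLocation), (java.security.cert.Certificate[]) null);
        // Four-argument constructor: a dynamic domain, so the Policy is consulted.
        ProtectionDomain pd = new ProtectionDomain(cs, null, null, null);
        return policy.implies(pd, perm);
    }

    public static void main(String[] args) throws Exception {
        Policy policy = loadPolicy("/opt/tomcat");
        String catalinaJar = "file:/opt/tomcat/lib/catalina.jar";                   // Catalina tier
        String webappJar   = "file:/opt/tomcat/webapps/bookstore/WEB-INF/lib/app.jar"; // web application tier

        Permission readOsName   = new PropertyPermission("os.name", "read");
        Permission readJavaHome = new PropertyPermission("java.home", "read");
        Permission exitVm       = new RuntimePermission("exitVM.0");

        for (String loc : new String[] { catalinaJar, webappJar }) {
            System.out.printf("%s%n  os.name read  : %b%n  java.home read: %b%n  exitVM        : %b%n",
                loc,
                granted(policy, loc, readOsName),
                granted(policy, loc, readJavaHome),
                granted(policy, loc, exitVm));
        }
    }
}
```

Because the Catalina location falls under the AllPermission grant, every permission is implied for it, while the web application location is implied only for the reads listed in the default grant. This is the separation that lets Tomcat's own code open connectors and create class loaders while application code stays confined to what the default grant, and any per-application grant entries, explicitly allow.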
3.15 Running JSM with Apache Tomcat: After catalina.policy and catalina.properties have been configured for use with a SecurityManager, Tomcat is started with the Security Manager in place by using the "-security" option:

Windows: %CATALINA_HOME%\bin\catalina start -security
UNIX:    $CATALINA_HOME/bin/catalina.sh start -security

(ApacheSEC, 2011) The architecture of the Security Manager is built on the concepts of policies and permissions. Once Tomcat runs with the Security Manager, every operation guarded by a permission check is allowed only if the policy grants that permission to the code performing it; otherwise an AccessControlException is thrown.
Chapter 4: Proposed Web Application

4.1 Introduction: The proposed design aims to overcome most of the security concerns about Tomcat discussed in the background section. It is an experimental design and can be tested. A web application is used for the testing; it is built to examine the role of the Java Security Manager and how it secures Tomcat. The proposed web application, named Book Store, contains several pages, which are divided into sections according to access control as follows:
i. Home Page: the home page is the main page and is loaded automatically as the start-up page. It contains the main information about the web application, with links to the other parts of the application. The home page can be accessed by anyone.
ii. My account: contains the authorised information about the users; it can only be accessed after authentication.
iii. Online Books: can be accessed by anyone, with read permission only.
iv. Admin Section: can be accessed only by administrators. It contains JSP files for a) Login page, b) Login Failure Page, c) Delete Account Page, d) Delete Confirm Page.

4.2 Home page: It contains the details of the web application and links to the other locations such as My account, Catalogue and Online Books.

4.3 My account: It can be accessed by the authorised users defined in tomcat-users.xml. The main purpose of the proposed system is to analyse Tomcat security and to investigate the behaviour of Tomcat running with the Java Security Manager.

4.4 SSL: In this proposed application we tried to establish a secure connection between the Tomcat server and the client browser. Form-based authentication works without SSL, but then the credentials cross the network in cleartext, so the protected areas should require a confidential transport; this is declared per URL pattern in the application's web.xml file.

4.5 Form-based authentication: The proposed web application uses form-based authentication for access to the secure locations in the application.
Chapter 5: Analysis of Security Manager

5.1 Introduction: This analysis first discusses why Tomcat needs a Security Manager, then presents the major roles of the Security Manager, and finally identifies its role experimentally through written test cases. The test cases are designed around policies and permissions and are run with Tomcat running under the Java Security Manager and without it. The analysis starts with the requirement for a Security Manager.

5.2 Need of Security Manager for Tomcat: "The access controls of Tomcat are developed by using the Java Platform security architecture's security manager and its security declaration mechanisms". (Chopra, 2003) The Java platform security components are:
1. the Security Manager;
2. the associated AccessController and ClassLoader. (Chopra, 2003)

The abstract Java security architecture is very simple, and the Java security team had to perform the following tasks:
1. recognise the operations in code that create a security risk;
2. place checks in the code to protect those operations, without creating bottlenecks;
3. throw an exception if the caller is not authorised to proceed. (Chopra, 2003)

The Security Manager protects in two settings, the Tomcat server and the web browser.
For the Tomcat server: the Security Manager protects the server from unauthorised and malicious servlets, JSPs and tag libraries.
For the web browser: in the same way, a web browser uses the Security Manager to defend its client from unauthorised applets. (Chopra, 2003)

The Security Manager protects not only against malicious code but also against inadvertent programming mistakes.

5.3 The roles of the Security Manager include:
1. managing access to socket operations;
2. guarding access to protected resources, including files and confidential data;
3. controlling the creation of, and access to, operating system programs and processes;
4. preventing the creation of new class loaders;
5. maintaining the integrity of threads;
6. controlling access to Java packages. (Chopra, 2003)
5.4 Test case I: If a web application is compromised, every other application connected to it may be compromised as well. Tomcat runs inside the Java Virtual Machine, so any security weakness in the JVM affects the security of Tomcat, and an attacker can take advantage of any hole found in the JVM. In the same way, if an attacker is able to publish a JSP that calls a dangerous method such as System.exit(0), and succeeds in running it in an application hosted by Tomcat, the JVM exits and Tomcat terminates with it, without any administrative instruction. Suppose an attacker breaks into a web application and is able to modify it, for example by deploying a malformed JSP; the application is then out of the administrator's control. Even a short window of access is enough to do harm: the attacker can reach resources the application restricts, alter system functions in the application's pages in his favour, and cause malfunctions in the interaction between client and server. If a JSP contains a scriptlet such as

<% System.exit(0); %>

then that JSP becomes the killer of the web application and of Tomcat itself: when Tomcat runs it alongside the web application, the server is terminated with no option. To experiment with this we made a JSP containing the method System.exit, as shown in figure: Tomkill.

Figure: Tomkill

As discussed above, if this JSP is published in any web application, Tomcat terminates without any warning, as shown in the following figures: Tomcat Terminate.

Figure: Tomcat Terminate

This can happen when the security policies are not applied, when catalina.policy is misconfigured, or when file permissions (read, write and execute) are too permissive. Ordinary exception handling in the application cannot stop it on its own: without a Security Manager, System.exit neither returns nor throws, so there is nothing for a catch block to handle. The only check that stops the call is the Security Manager's checkExit, which requires the caller to hold RuntimePermission "exitVM.0" (or the wildcard "exitVM.*"); without that permission the call fails with an AccessControlException before the JVM exits, and that exception can be handled, as the next test case shows.
5.5 Test case II: When Tomcat runs with the Java Security Manager there is no need for the application to invoke any security-check methods itself. The checks are performed automatically by the running Security Manager, and when a check fails an exception is raised, as shown in figure: Exception Handle.

Figure: Exception Handle.
5.6 Test case III: It is very difficult to identify the risks of running Tomcat without the Security Manager. Any mistake or misconfiguration in granting read or write permission on a property can open a security hole. For example, by calling System.getProperty() (the call that java.util.PropertyPermission guards when a Security Manager is present) an attacker can obtain system properties and later use them to mount attacks against the system more easily. If that call appears in any page, whether inadvertently or maliciously, it exposes the specific property. For example, to find the home directory of the Java runtime environment, see figure: Java-home.

Figure: Java-home

The figure Java-home shows the runtime environment directory, that is, the location where Java is installed. In another case, because of improper configuration of access control on system file locations, or simply because no Security Manager is running, an attacker can publish malicious code that uses the methods of java.lang.System to retrieve anything or to prepare the way for future exploitation. In this case the attacker might use the following methods in a JSP, executed alongside the web application in the Tomcat server.

The above mentioned methods are

If he succeeds in executing those methods, they return the information he wanted, as shown in figure: System properties.
Figure: System properties

Given the previous outcomes, it is recommended and necessary to run Tomcat with a Security Manager to prevent these problems. The following test case rectifies the problems found in the previous case; in it we use the Security Manager with a security policy configuration.

5.7 Test case IV: With Security Manager. When Tomcat runs with a Security Manager, the various Java security policies for web application code, system code and Catalina code can easily be implemented. The following example demonstrates the web application code permissions and their read-access permissions. To perform it we edit the catalina.policy file located at $CATALINA_HOME/conf/catalina.policy. In catalina.policy we remove (comment out) the permission to read the property java.home, as represented in figure: java-home, for the problem discussed earlier.
Figure: java-home (commented permission to read java.home)

Do the same for the other properties, such as the OS properties shown in figure: OS property. Make sure that the permissions to read those properties are commented out.

Figure: OS property (commented permissions to read OS properties)

Now run Tomcat with the Security Manager using the -security switch. With the Security Manager running, the security policies in catalina.policy are enforced, and the JSP used earlier now raises an AccessControlException when it executes. Figure: Exception Control shows the error-handling mechanism when this error is raised by the JSP page.

Figure: Exception Control

As the figure shows, an AccessControlException occurs when the policy does not grant the required permission and Tomcat is running with the Security Manager. Note that the default grant contains these reads for a reason (the comments in catalina.policy tie the java.home read to JNDI lookups of JDBC DataSources), so commenting them out is an experiment that demonstrates enforcement rather than a general hardening step; in production the default grant is kept as shipped and broader permissions are simply not granted to untrusted code.
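The test cases above can be reproduced in a few lines outside Tomcat, which makes the enforcement mechanism easier to study. The following Java program is an added example, not code from the report or from Tomcat: it installs the Security Manager with a policy whose default grant, like the edited catalina.policy, allows reading os.name but not java.home and grants nothing else, then shows the three outcomes the test cases describe. The permitted read succeeds, the forbidden read fails with an AccessControlException that the caller handles (test cases II and IV), and System.exit is refused before the JVM can terminate (test case I). The policy text is the assumption; it is written to a temporary file so that the program runs offline on JDK 8 to 17 (JDK 18 and later need -Djava.security.manager=allow, and JDK 24 removes the Security Manager).

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.Policy;
import java.security.URIParameter;

/**
 * Reproduces the report's test cases without Tomcat.
 * Added example; the policy text is an assumption modelled on catalina.policy.
 */
public class SecurityManagerDemo {

    // Default grant only: os.name readable, java.home deliberately omitted
    // (as in the edited catalina.policy of test case IV), no exitVM permission.
    static final String POLICY =
        "grant {\n" +
        "    permission java.util.PropertyPermission \"os.name\", \"read\";\n" +
        "};\n";

    /** Loads the policy and installs the manager; equivalent of catalina.sh start -security. */
    static void installPolicy() throws Exception {
        Path file = Files.createTempFile("demo", ".policy");
        Files.write(file, POLICY.getBytes(StandardCharsets.UTF_8));
        Policy.setPolicy(Policy.getInstance("JavaPolicy", new URIParameter(file.toUri())));
        System.setSecurityManager(new SecurityManager());
    }

    /** Reads a property the way a JSP scriptlet would, handling a refused read. */
    static String readProperty(String name) {
        try {
            return name + " = " + System.getProperty(name);
        } catch (AccessControlException e) {
            // The same exception the JSP in figure: Exception Control raises.
            return name + ": denied, missing " + e.getPermission();
        }
    }

    /** Attempts the Tomkill call from test case I. */
    static String tryExit() {
        try {
            System.exit(0);
            return "exit: JVM terminated";   // not reached once exit succeeds
        } catch (AccessControlException e) {
            return "exit: denied, missing " + e.getPermission();
        }
    }

    public static void main(String[] args) throws Exception {
        // Before the manager is installed everything is allowed (Tomcat without -security).
        System.out.println("without Security Manager: " + readProperty("java.home"));

        installPolicy();
        System.out.println(readProperty("os.name"));    // granted by the default grant
        System.out.println(readProperty("java.home"));  // refused: PropertyPermission not granted
        System.out.println(tryExit());                   // refused: RuntimePermission exitVM.0 not granted
        System.out.println("still running after the System.exit attempt");
    }
}
```

The last line only prints because checkExit refused the call; restoring a java.home read to the grant, or adding permission java.lang.RuntimePermission "exitVM.*", changes the corresponding outcome, which is the same experiment the report performs by editing catalina.policy and restarting Tomcat with -security.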
Chapter 6: Conclusion

This chapter summarises the main conclusions on the role of the JSM with Apache Tomcat. The review of Tomcat security set out the security issues of Tomcat in detail, and the Book Store web application was used to examine Tomcat's running environment both with and without the Java Security Manager. Configuring the JSM with Tomcat makes it possible to control and implement different security policies, each of which provides a specific type of protection to the web application. To analyse the role of the JSM, several test cases were written and run successfully. The implementation and operation of the JSM with Tomcat has not been tested completely, but this project has analysed the role of the JSM with Tomcat through those test cases. The JSM also does not protect against every class of attack: it cannot stop resource-exhaustion attacks such as an infinite loop that consumes most of the CPU time and memory, since no permission check guards CPU use.
Chapter 7: Further Work

In this project we tried to cover the security issues of Tomcat and its configuration, and how to create a more secure environment for Tomcat. Analysing the Security Manager in Tomcat requires a lot of time and experimental work; within the limited time we obtained some results that help to analyse the role of the Security Manager. We implemented SSL, but more time is needed to make it work properly, and we tried to add some extra features to the web application, such as credit card security. Within the time constraint we tested various access controls, such as file permissions and system properties, and we wrote some malicious pages that are useful for testing real attacks. Tomcat security and the Java Security Manager still require a lot of research, and with more time further test cases could be run.
References:

Aleksa Vukotic and James Goodwill, "Apache Tomcat 7", Apress, 2011.
Apache-Arch (2011), "Architecture Overview", online [www], http://tomcat.apache.org/tomcat-7.0-doc/architecture/overview.html
Apache-Start (2011), "Architecture Overview: Startup", online [www], http://tomcat.apache.org/tomcat-7.0-doc/architecture/startup/serverStartup.txt
ApacheText (2011), "RUNNING.txt", online [www], http://tomcat.apache.org/download-70.cgi
Apache-install (2011), "Apache Tomcat", online [www], http://tomcat.apache.org/download-70.cgi
ApacheSEC (2011), "security-manager-howto", online [www], http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html
CIS (2009), "Security Configuration Benchmark For Apache Tomcat 5.5/6.0", Version 1.0.0, December 12th, 2009, online [www], http://benchmarks.cisecurity.org/en-us/?route=default
Datadisk (ND), "Apache Tomcat Security", online [www], http://www.datadisk.co.uk/html_docs/java_app/tomcat6/tomcat6_security.htm
Datadisk (ND), "Apache Tomcat 6", online [www], http://www.datadisk.co.uk/html_docs/java_app/tomcat6/tomcat6_architecture.htm
Chopra, Galbraith et al. (2003), "Apache Tomcat Security Handbook", Wrox Press.
Ian Goldberg, David Wagner, Randi Thomas and Eric Brewer, "A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker)", Proceedings of the Sixth USENIX UNIX Security Symposium, San Jose, California, July 1996.
Jason Brittain with Ian F. Darwin, "Tomcat: The Definitive Guide", Second Edition, O'Reilly Media, 2009.
Mule (2011), "Improving Apache Tomcat Security - A Step By Step Guide", online [www], http://www.mulesoft.com/tomcat-security
OWASP (2011), "Securing tomcat", online [www], https://www.owasp.org/index.php/Securing_tomcat
Pawan Vora, "Web Application Design Patterns", available at ScienceDirect, 2009.
Robert Wahbe, Steven Lucco, Thomas E. Anderson and Susan L. Graham, "Efficient software-based fault isolation", Proceedings of the Fourteenth ACM Symposium on Operating Systems Principles, 1993.
vogella (2011), "Eclipse IDE Tutorial", online [www],