jQuery in Action, 3rd edition
The moose likes JSP and the fly likes Methods to secure web application Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "Methods to secure web application" Watch "Methods to secure web application" New topic

Methods to secure web application

Abhishek Shirodkar

Joined: May 08, 2009
Posts: 26
Hi All

Iam designing one new web application in jsp.I just wanted to know if there are any new methods to secure my web application against sharing of login IDs.

Thanks in advance
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63844

As with any web application, it should be secured with SSL.

[Asking smart questions] [About Bear] [Books by Bear]
Abhishek Shirodkar

Joined: May 08, 2009
Posts: 26
can you please tell me where i can get the information about the SSL with the example code.
ujjwal soni
Ranch Hand

Joined: Mar 28, 2007
Posts: 403

Which application server are you using ?

I did a configuration in jboss to enable https authentication.

Check out below steps to enable https in jboss :

Step 1)
First of all, we are going to make a keystore. This is the place we are going to store the keys in on the serverside. We will use the Java-tool keytool for this. The algorithm used here is RSA.

At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore

Fill in all the information that is asked.
A keystore with the name name.keystore is generated.

Step 2)
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like verisign or thwate

keytool -certreq -keystore ./name.keystore -alias <alias name> -file < CSR file name>.csr

Enter the keystore password.
A < CSR file name>.csr file is generated.

If you are getting the CSR signed by a certifying authority, then skip the next step.
Step 3)
If you are using going to sign using your own CSR by using, for example, OpenSSL, then the steps are:

(This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org. Follow the procedure to install OpenSSL)
To Sign the certificate:
Make a new directory:

cd usr/local/
mkdir newCA

Copy openssl.cnf and CA.sh
from the OpenSSL apps directory to your new directory (newCA)
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/

Edit your new copy of openssl.cnf and CA.sh:
Set the dir variable to the current directory
dir . # (“.” Specifies current directory where everything is kept)
Set the CATOP variable to the current directory:
CATOP=. # (“.” Specifies current directory where everything is kept)

Create the certificates for Certification Authority:
cd newCA
chmod 744 CA.sh (only if necessary)
CA.sh –newca
ls -l

Send the < CSR file name>.csr file to Certification authority and Creating Server Certificate

cp < CSR file name>.csr /usr/local/newCA
or ftp the < CSR file name>.csr file to the m/c acting as CA.
cd /usr/local/newCA

Create the certificate

openssl x509 -req -in < CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM

Optionally convert the server certificate from PEM encoding to DER for distributing to Clients:

openssl x509 -inform pem -outform der < cacert.pem > cacert.cer

We receive two files, cacert.der, containing the CA's public key and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):

Step 4)
keytool -import -alias <alias name> -file cacert.der -keystore ./name.keystore

Step 5)
keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore

Important remark: if you get an exception that looks like this: java.security.NoSuchAlgorithmException: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/java.security. Check if the com.sun.net.ssl.internal.ssl.Provider is in the list of Providers:
# List of providers and their preference orders (see above):

And we have to add jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME /jre/lib/ext folder and set the class path to the same.

Tomcat over SSL (HTTPS)
If we have Tomcat running as a jBoss service, we need to make a few changes in some configuration files:
1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:

2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the below lines after the paragraph mentioned above in jboss-service.xml

3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: We remove the Connector that listens on port 8080 and replace it by one that listens on port 8443

Add the following lines:


<!-- A HTTP Connector on port 8080 -->
<Connector className = "org.apache.catalina.connector.http.HttpConnector"
port = "8080" minProcessors = "3" maxProcessors = "10" enableLookups = "true"
acceptCount = "10" debug = "0" connectionTimeout = "60000"/>

When you connect to your server now, don't use port http://localhost:8080, use https://localhost:8443 instead. If you used a selfsigned certificate or if your CA is not known in your browser, a confirmation dialog box will open and ask if you 'trust' the issuer of the certificate.

Ujjwal B Soni <baroda, gujarat, india> <+918866008962>
"Helping hands are better than praying lips......"
Deepak Bala

Joined: Feb 24, 2006
Posts: 6662

against sharing of login IDs.

What is your definition of sharing of login IDs ? SSL will encrypt the underlying plain text communication. It cannot prevent someone from "sharing" their login ID with a colleague.

SCJP 6 articles - SCJP 5/6 mock exams - More SCJP Mocks
Abhishek Shirodkar

Joined: May 08, 2009
Posts: 26
Hi..I am using Tomcat 6
ujjwal soni
Ranch Hand

Joined: Mar 28, 2007
Posts: 403
Ok, then the Tomcat documentation has everything

I agree. Here's the link: http://aspose.com/file-tools
subject: Methods to secure web application
It's not a secret anymore!