Thread: [securityfilter-devel] transport-guarantee secure port configuration

Brought to you by: chris_schultz, maxcooper

securityfilter-devel

[securityfilter-devel] transport-guarantee secure port configuration

From: Christopher S. <ch...@ch...> - 2007-11-06 22:59:31

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Okay, I've got an implementation of the <user-data-constraint> and
<transport-guarantee> support built and working. Now all I need to do is
add configuration for the target SSL port to use.

I basically have three options:

1. Add an optional attribute to an existing element in
   securityfilter-config.xml like <transport-guarantee sslport="123">

2. Add a new element to securityfilter-config.xml like
   <ssl-port>123</ssl-port>

3. Add a configuration parameter in web.xml for the filter itself.
   <filter>
      ...
      <init-param>
         <description>
            The port number to use when upgrading to an SSL connection
            to fulfill a transport-guarantee of INTEGRAL or
            CONFIDENTIAL.
         </description>
         <param-name>sslPort</param-name>
         <param-value>123</param-value>
      </init-param>

On the one hand, it's nice to have configuration in a single place (like
securityfilter-config.xml). On the other hand, that file should be as
much like the deployment descriptor's security-constraint sections as
possible.

I wondered if anyone had any thoughts on which strategy would be best.
I'm leaning toward #3.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHMPHF9CaO5/Lv0PARAus9AJ9Q5KwbHQoOoKrqiJKdpKZb0sP6IgCfQEJ8
CXH1qDzIAUqeRnrubSebomg=
=qa2U
-----END PGP SIGNATURE-----

Re: [securityfilter-devel] transport-guarantee secure port configuration

From: Torgeir V. <to...@po...> - 2007-11-07 00:01:01

On 6 Nov 2007, at 22:59, Christopher Schultz wrote:

> On the one hand, it's nice to have configuration in a single place  
> (like
> securityfilter-config.xml). On the other hand, that file should be as
> much like the deployment descriptor's security-constraint sections as
> possible.
>
> I wondered if anyone had any thoughts on which strategy would be best.
> I'm leaning toward #3.


+1. I'd go for #3 as well. Setting the SL port to something else than  
443 I'd say would happen very rarely.

-- 
Torgeir Veimo
to...@po...

Re: [securityfilter-devel] transport-guarantee secure port configuration

From: Max C. <ma...@ma...> - 2007-11-07 03:55:38

#3 looks like a good option to me as well. It has an additional feature of
being app-wide, which would allow other elements in the system to use the
parameter to construct URLs using the port if they want to. Also, I agree
that ports other than 443 are unlikely on production servers, they are
fairly common on development servers, adding some importance to making it
configurable.

Another aspect of redirecting is that a lot of sites are setup using lousy
web server plugins or just a simple proxy, where redirects are not properly
rewritten. Here's an illustration of the problem:
1. user's browser requests GET http://www.company.com/
2. (web server on www.company.com proxies request to
internal-server.company.com)
3. (internal-server.company.com requires https, and redirects to
https://internal-server.company.com:443/)
4. user's browser requests (in response to the redirect) GET
https://internal-server.company.com:443/ and fails because the server is
unreachable from the outside
This won't happen with a properly setup server configuration, but it has
been my experience that it is fairly common for organizations to have this
problem. Maybe things have gotten better since I was working in this space,
but I doubt it. So, it might be a useful feature to allow securityfilter to
be configured with a full "https://www.company.com:443/"-style absolute
prefix for the redirects. The absolute prefix could be an advantage over the
redirect functionality offered by the containers, for teams with lousy
server setups. It does create some issues for app developers during
development, when they won't want requests to their dev server to redirect
to their public server, but they can handle this with their own app
configuration / build systems. And we should also allow just the port to
change, to avoid creating headaches for those that do have their servers
setup well. Solving this configuration problem is out of scope for
securityfilter to deal with, but I wanted to raise awareness of the issue in
case you decide to support the configuration of a "
https://www.company.com:443/"-style prefix.

To recap:
1. we should support just configuring the port
a) so it can be set to something other than 443, which is common on dev
servers
b) so those that have their production servers setup properly don't have to
deal with configuring an absolute prefix
2. (optional) it may be additionally useful to support the configuration of
an absolute prefix so that the redirects can work with lousy server configs

I collaborated on the design of another project called SSLExt (
http://sslext.sf.net) that worked with Struts, allowing developers to set a
flag for each action to indicate that it should only execute when the
request was over https. Ideally, developers would use the URL rewriting tags
so that the URLs would be constructed to hit the https port without needing
a redirect. However, it would also redirect requests received over plain
http for those actions (that may have been optionally configurable, but I
don't remember precisely what the final implementation does). One
undesireable aspect of the redirects was that it could send the confidential
form data over the wire again. So, sloppy usage could result in confidential
data being sent over the wire twice (orig request, redirect response), and
it might not be that obvious to developers when this happens. Another
important aspect of this is that the data can get stuck in browser history,
since a redirect cannot cause a POST and the only other alternative besides
keeping the data on the server or just failing is to create a redirect with
the data in the query string -- a troubling alternative from a security
standpoint.

I don't recall what containers (such as tomcat) do in response to plain http
requests for urls with transport-guarantee settings that require https, but
I think we should try to do the same. Or punt a bit on the first
implementation and just fail fast rather than sending the info over the wire
again. If the container does something fancy like keep the data on the
server and this turns out to be difficult to implement (securely), I think
failing is better than sending the data over the wire again.

-Max

On 11/6/07, Torgeir Veimo <to...@po...> wrote:
>
>
> On 6 Nov 2007, at 22:59, Christopher Schultz wrote:
>
> > On the one hand, it's nice to have configuration in a single place
> > (like
> > securityfilter-config.xml). On the other hand, that file should be as
> > much like the deployment descriptor's security-constraint sections as
> > possible.
> >
> > I wondered if anyone had any thoughts on which strategy would be best.
> > I'm leaning toward #3.
>
>
> +1. I'd go for #3 as well. Setting the SL port to something else than
> 443 I'd say would happen very rarely.
>
> --
> Torgeir Veimo
> to...@po...
>
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> securityfilter-devel mailing list
> sec...@li...
> https://lists.sourceforge.net/lists/listinfo/securityfilter-devel
>