CRV2 FrameworkSpecIssuesJava

=Proper secure configuration of Web.xml=

The Web.xml file is the main configuration document responsible for secure configurations in Java Applications. The following sections describe important components necessary to secure them

Configure Custom Error pages
All errors generated by the application, such as 404, 500 etc, must be configured in order to redirect the user to a proper Error page instead of allowing him to see the errors generated by the application. This can serve as a starting point to an attacker to reverse engineer the application and create a specific attack using this information

 505 /error/error.html 

Protect data in transit
In order to secure sensitive data, is essential to secure the communication channel and sessions using SSL. Once this has been configured in the server, doesn’t mean that it will be automatically be setup in the web application the developer is trying to secure. For this purpose, it is essential to add in the web.xml file the following configuration(Kim, 2010) :  ...  CONFIDENTIAL  

Configuring proper Authentication and Authorization to directories
Failure to configure proper authentication and authorization of directories, will allow anonymous users to see unprotected files of the web application. Therefore, consider always to set-up proper access controls in the following sections. The following code, for example, makes sure that the ‘Accountant’ role, is the only one able to access directory “accounting”   accounting /accounting/* … </web-resource-collection> <auth-constraint> <role-name>accountant</role-name> </auth-constraint> </security-constraint>

Configure http methods
Allow only the necessary http methods to execute in the application, such as the case of GET and POST requests. If the methods are not overtly listed are by default allowed. This will allow an attacker to bypass the web.xml configuration. By removing <http-method> elements from the web.xml and this will offer the proper security.

Use Secure Flag
Make sure that the cookie is created using the seucre flag, otherwise exposes the session cookie to hijacking. <session-config> <cookie-config> true </cookie-config> </session-config>