Secure configurations in Web.xml
The web.xml deployment descriptor is the main configuration file that controls the security settings of a Java web application running in a servlet container. The following section is based on the article by Frank Kim (2010), which describes the configuration needed to protect such applications.
Configure Custom Error pages
All errors generated by the application (HTTP 404, 500 and so on, as well as uncaught exceptions, which are mapped with the <exception-type> element) must be mapped to a custom error page instead of letting the user see the container's default error page. Default error pages typically reveal the server product and version, stack traces and internal class names, which give an attacker a starting point to fingerprint the application and craft a targeted attack. For example, the following maps HTTP 500 to a static page:
<error-page>
    <error-code>500</error-code>
    <location>/error/error.html</location>
</error-page>
Protect data in transit
To protect sensitive data, the communication channel and the session must be secured with SSL/TLS. Enabling TLS on the server does not by itself force the web application to use it: the same URLs can still be requested over plain HTTP. To require TLS, add a user-data-constraint with a transport-guarantee of CONFIDENTIAL to the relevant security-constraint in web.xml (Kim, 2010). Note that the guarantee applies only to the url-pattern entries listed in that constraint's web-resource-collection, so use a pattern such as /* to cover the whole application:
<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Configuring proper Authentication and Authorization to directories
If authentication and authorization are not configured for the application's directories, anonymous users can read any unprotected file of the web application. Therefore, always set up access controls with security-constraint elements. The following example ensures that users in the "accountant" role are the only ones able to access the "accounting" directory (the role name in auth-constraint is case-sensitive, must also be declared in a <security-role> element, and the container needs a <login-config> element to know how to authenticate users):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>accounting</web-resource-name>
        <url-pattern>/accounting/*</url-pattern>
        …
    </web-resource-collection>
    <auth-constraint>
        <role-name>accountant</role-name>
    </auth-constraint>
</security-constraint>
Configure HTTP methods
Allow only the HTTP methods the application actually needs, such as GET and POST. The pitfall is how web.xml interprets <http-method>: a security-constraint whose web-resource-collection lists http-method elements constrains only the listed methods, and every method that is not listed (HEAD, PUT, DELETE, OPTIONS, TRACE, or an arbitrary verb) is left unconstrained. An attacker can therefore bypass the constraint simply by changing the verb of the request. Removing the <http-method> elements from the constraint applies it to every method, which is the safe configuration. (Servlet 3.0 also added <http-method-omission>, which constrains all methods except the ones listed.)
Use Secure Flag
Make sure the session cookie is created with the Secure flag, so the browser sends it only over HTTPS; otherwise it is transmitted in clear text on any plain HTTP request and the session is exposed to hijacking. The same cookie-config element (Servlet 3.0 and later) also accepts <http-only>true</http-only>, which keeps the cookie out of reach of client-side scripts.
<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>
Setting a session timeout
A session that never times out gives an attacker an unlimited window in which to hijack it or exploit it through cross-site request forgery (CSRF). Make sure the <session-timeout> element inside <session-config> is set to a sensible value in minutes (for example 15). A value of 0 or less means the session never expires.
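The checks described in the sections above can be automated. The following script is an added example, not code from Kim's article: it parses a web.xml with the Python standard library and reports every setting discussed here that is missing or weak (no error page for 500 or uncaught exceptions, a security-constraint without a CONFIDENTIAL transport guarantee or with listed http-method elements, a session cookie without the secure and http-only flags, and a session timeout that is unset or non-positive). The two descriptors embedded in it are constructed for the demonstration: the first contains the weak settings, the second the corrected ones.

```python
import xml.etree.ElementTree as ET

# Constructed for this example: a descriptor with the weak settings discussed above.
WEAK_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounting</web-resource-name>
      <url-pattern>/accounting/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>accountant</role-name>
    </auth-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>0</session-timeout>
  </session-config>
</web-app>
"""

# Constructed for this example: the same descriptor with each weakness corrected.
HARDENED_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page>
    <error-code>500</error-code>
    <location>/error/error.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/error.html</location>
  </error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounting</web-resource-name>
      <url-pattern>/accounting/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>accountant</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""


def _texts(parent, path):
    """Stripped text of every element matched by a simple child path."""
    return [e.text.strip() for e in parent.iterfind(path) if e.text]


def audit_web_xml(xml_text):
    """Return a list of findings for a web.xml; an empty list means all checks passed."""
    root = ET.fromstring(xml_text.strip())
    for el in root.iter():  # drop the xmlns prefix so paths work for any schema version
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    findings = []
    # Custom error pages: cover HTTP 500 and any uncaught exception.
    if "500" not in _texts(root, "error-page/error-code"):
        findings.append("no <error-page> for HTTP 500")
    if "java.lang.Throwable" not in _texts(root, "error-page/exception-type"):
        findings.append("no <error-page> for java.lang.Throwable")
    for sc in root.iterfind("security-constraint"):
        label = ", ".join(_texts(sc, "web-resource-collection/url-pattern")) or "?"
        # Data in transit: the constraint must require TLS.
        if (sc.findtext("user-data-constraint/transport-guarantee") or "").strip() != "CONFIDENTIAL":
            findings.append(f"{label}: transport-guarantee is not CONFIDENTIAL")
        # HTTP methods: listing verbs leaves every unlisted verb unconstrained.
        methods = _texts(sc, "web-resource-collection/http-method")
        if methods:
            findings.append(f"{label}: only {'/'.join(methods)} constrained; other verbs bypass it")
    # Session cookie flags (Servlet 3.0+ <cookie-config>).
    for flag in ("secure", "http-only"):
        if (root.findtext(f"session-config/cookie-config/{flag}") or "").strip() != "true":
            findings.append(f"session cookie {flag} is not true")
    # Session timeout: missing, zero or negative means the session never expires.
    timeout = (root.findtext("session-config/session-timeout") or "").strip()
    if not timeout.isdigit() or int(timeout) <= 0:
        findings.append("session-timeout unset or non-positive (session never expires)")
    return findings
```

Running audit_web_xml(WEAK_WEB_XML) returns seven findings, one per weakness, while audit_web_xml(HARDENED_WEB_XML) returns an empty list. The script deliberately treats a listed http-method as a finding even though the verbs listed are GET and POST, because it is the unlisted verbs that slip past the constraint; if the application must restrict verbs, <http-method-omission> is the element to use instead.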
Frank Kim, 2010, "Seven Security (Mis)Configurations in Java web.xml Files", available at http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files/, accessed 4 October 2013.