Showing posts with label security. Show all posts

Thursday, 2 May 2019

Antisamy - false positive security issue

Some time ago, I received a security notification from Github regarding a vulnerability^{1 2} in Antisamy.

It took me a while to find out that it was a false positive.

But the issue in [1] did mention that Antisamy seems to be lacking a maintainer. A worthwhile replacement was suggested as being HTML Sanitizer^{3 5 6}.

I started using the HTML Sanitizer in my project and I like it. The fact that I don't need an XML configuration file is a plus.

There's a StackOverflow answer on why and how of the two projects⁴.

Only thing missing are the policy configuration files from AntiSamy, which are not present in any way in HTML Sanitizer, so you either have to write your own or get them from here⁷.

The file is called HTMLSanitizerAntiSamyPolicy.java.

References

[1] Github - Antisamy issues: https://github.com/nahsra/antisamy/issues/32
[2] CVE details - CVE-2018-1000643: https://www.cvedetails.com/cve/CVE-2018-1000643/
[3] OWASP Java HTML Sanitizer Project: https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
[4] Java: Owasp AntiSamy vs Owasp-java-html-sanitize: https://stackoverflow.com/questions/28577738/java-owasp-antisamy-vs-owasp-java-html-sanitize/29259874
[5] GitHub - OWASP/java-html-sanitizer: https://github.com/OWASP/java-html-sanitizer
[6] MailingList - HTML Sanitizer: https://lists.owasp.org/pipermail/owasp-leaders/2011-March/004883.html
[7] GitHub - ESAPI/esapi-java-legacy - New file to use Java HTML Sanitizer that implements old AntiSamy poli…: https://github.com/ESAPI/esapi-java-legacy/commit/d48e5a6f07601322c44c113058526eb133b777a5#diff-72ca1caf39f169db1ab83d2af2ec6cc3l

Thursday, 1 November 2018

Securing Glassfish

As written in my previous blogpost, I mentioned securing Glassfish.

Here are the steps I took. I plan to add more steps, if I find them.

change the default passwords

a no-brainer, I think

do not run glassfish as root

I already did that, but I just mention it here. If you need to have it listening to port 80, there are plenty of ways to do that without running glassfish as root.

make sure the user running glassfish has /sbin/nologin as a login shell

so nobody can get shell access, unless you use another account¹.

Also means if we need to access the account ourselves, we could run:

sudo -u glassfish /bin/bash

turn off admin console access from outside the server

Go to Configuration -> server-config -> Network Config -> Network Listeners -> admin-listener.

Under the General tab, in the Address: field replace 0.0.0.0 to 127.0.0.1

Restart the server

You can access the admin console using an ssh tunnel⁶:

[user@localhost ~]$ ssh user@mysite.com -L 4848:localhost:4848 -N

The first 4848 is the port of your homepc. The second 4848 is the remote port. And then connecting your browser to localhost:4848.

make sure only the essentials are accessible from outside the server

an application server has a very high number of open ports, many of them are only required for local access. Verifying this can be done with the following command:

[root ~]# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:7676            0.0.0.0:*               LISTEN      1002       8518781    14140/java
tcp        0      0 0.0.0.0:42853           0.0.0.0:*               LISTEN      1002       9560152    14140/java
tcp        0      0 0.0.0.0:44425           0.0.0.0:*               LISTEN      1002       9560153    14140/java
tcp        0      0 0.0.0.0:45613           0.0.0.0:*               LISTEN      1002       9560151    14140/java
tcp        0      0 0.0.0.0:8686            0.0.0.0:*               LISTEN      1002       8518047    14140/java
tcp        0      0 0.0.0.0:4848            0.0.0.0:*               LISTEN      1002       8517513    14140/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1002       8516146    14140/java
tcp        0      0 0.0.0.0:3700            0.0.0.0:*               LISTEN      1002       8516151    14140/java
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      1002       8516148    14140/java
tcp        0      0 0.0.0.0:41593           0.0.0.0:*               LISTEN      1002       8517967    14140/javat

port	type	comments
7676		Message Queue Port
42853
44425
45613
8686	Pure JMX Clients Port
4848	the administration console	set it to localhost, and connect using ssh tunnel
8080	the normal http listener	this should be accessible from outside the server
3700	IIOP Port ("ORB listener 1")
8181	the normal https listener	this should be accessible from outside the server
41593

This can be either done by changing the ip address in the configuration of the glassfish server to 127.0.0.1 instead of 0.0.0.0.

But it could also be done by adding firewall rules, disallowing incoming traffic to ports you do not approve.

However, why not do both?

turn off autodeployments²

asadmin set server.admin-service.das-config.autodeploy-enabled=false

dynamic-reload-enabled² is another useful one to turn on and off in this manner

asadmin set server.admin-service.das-config.dynamic-reload-enabled=false

hide your identity

glassfish response headers contain information on what server you are running, what version, what frameworks, etc. You can turn this option off by following instructions of reference 3. Has some other excellent advice as well.

make sure any database access used by glassfish is as restricted as possible

usually it is enough to create a database user that has only access to one specific database^{4 5}

add a second admin user account for accessing the glassfish admin console

just in case of problems

make sure the user running the glassfish has files with as restricted rights as possible

there is no reason for "other" and "group" to have any access.

References

[1] StackExchange - Unix&Linux - Does /usr/sbin/nologin as a login shell serve a security purpose?: https://unix.stackexchange.com/questions/155139/does-usr-sbin-nologin-as-a-login-shell-serve-a-security-purpose
[2] GlassFish Server Open Source Edition - Application Deployment Guide - Release 5.0: https://javaee.github.io/glassfish/doc/5.0/application-deployment-guide.pdf
[3] Securing your GlassFish. Hardening Guide: http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
[4] How to create a user in MySQL/MariaDB and grant permissions on a specific database: http://www.daniloaz.com/en/how-to-create-a-user-in-mysql-mariadb-and-grant-permissions-on-a-specific-database/
[5] MariaDB - SET PASSWORD: https://mariadb.com/kb/en/library/set-password/
[6] Frank Wiles - Quick-Tip: SSH Tunneling Made Easy: https://www.revsys.com/writings/quicktips/ssh-tunnel.html
Fine Tuning Payara Server in Production: https://blog.payara.fish/fine-tuning-payara-server-in-production
Bug 1530511 - rocksdb appears under "show databases": https://bugzilla.redhat.com/show_bug.cgi?id=1530511

Saturday, 6 October 2018

SSH Key-Based Authentication

I'm using reference [1] almost exclusively, it is easy to follow and very well written. The reason I am writing stuff down here, is in the case the referenced article goes offline.

Generating Keys

[mrbear@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mrbear/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Passphrases do not match. Try again.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mrbear/.ssh/id_rsa.
Your public key has been saved in /home/mrbear/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:etv4wn8 4843n3v48nvan80avw2408a4vn588an04845 mrbear@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+
[mrbear@localhost ~]$

Copying keys to the server

[mrbear@localhost ~]$ ssh-copy-id mrbear@www.mysite.org
The authenticity of host 'www.mysite.org (10.0.0.11)' can't be established.
ECDSA key fingerprint is SHA256:B&B(&BSf7bFSfb7fF&SFb7SF&tFibFuSOWWFuFBUf76.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
mrbear@www.mysite.org's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'mrbear@www.mysite.org'"
and check to make sure that only the key(s) you wanted were added.

[mrbear@localhost ~]$

Logging in

[mrbear@localhost ~]$ ssh mrbear@www.mysite.org
Last login: Mon Sep 24 21:01:12 2018

Add to sudoers file

Found how to do this at [2].

[root@mysite ~]# usermod -aG wheel mrbear

Disabling Password Authentication

Edit the file /etc/ssh/sshd_config.

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# systemctl restart sshd.service

Now what you get when you try is:

$ ssh -l root www.mysite.org root@www.mysite.org: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Thank the heavens I no longer have to worry about messages as the one below:

root@mysite's password:
Last failed login: Sat Oct 6 10:12:48 CEST 2018 from 10.0.0.1 on ssh:notty
There were 56310 failed login attempts since the last successful login.
Last login: Tue Oct 2 23:23:41 2018
[root@mysite ~]#

I originally had installed fail2ban, as a way to protect against a password-based attack, but even the man page of fail2ban³ indicates that the above way is pretty much better.

References

[1] Digital Ocean - How To Configure SSH Key-Based Authentication on a Linux Server: https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
[2] Top 20 OpenSSH Server Best Security Practices: https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
[3] Fail2ban: https://www.fail2ban.org/wiki/index.php/Main_Page
How to disable ssh password login on Linux to increase security: https://www.cyberciti.biz/faq/how-to-disable-ssh-password-login-on-linux/

Thursday, 21 December 2017

CTF training

On the 14th of December, our company decided to hold a CTF training provided by Dennis van Halteren and Joep van Gassel of Nováccent Group¹ for us poor software developers.

I had never heard of it before, so I was kind of interested.

Capture the Flag is a competition where different teams compete to each find the most "Flags": issues in especially for the competition buildt pieces of software. Different flags have different scores. The Application you are trying to hack will let you know in different fashions about the flags you have found. Some flags are hard, some are easy, their respective points reflect this.

The CTF training consisted of an introduction into security and how to test it, and the main CTF competition.

One of the good points of the introduction, was regarding some of the tools that are used in security and penetration testing, which I will mention here:

BeEF³: a tool for injecting bad stuff into browsers of users by means of a vulnerable website
Kali Linux⁴: a Linux OS containing a lot of penetration test tools and security tools by default

The introduction was very general and lacked depth and lasted about an hour. I already learned most of it during a session working with WebGoat from OWASP² some years previously.

The CTF competition was a lot of fun. We sorted ourselved into groups of two or three software designers. Each group was provided with a key with which to enter the portal from which all the assignments could be started. A dashboard showing the different scores was available on the big screen.

A number of web portals were provided to us, which all contained different challenges for us to overcome:

Some of the security issues to detect were:

caching
escalating priviledges
using left-over files that should have been deleted
SQL injection
using error messages to gain insight into the backend
wrong permissions that allow too much
examining web code for vulnerabilities (HTML, JavaScript, CSS)

The intensity was very high, all of us competing in finding the most flags the fastest. The combination of thinking very hard, trying stuff, frustration if it didnt't work, the cooperation and communication between team members, made most of us feel quite exhausted at the end of the day.

There was no followup after the competition, which I felt was a pity. The trainers were available for questions regarding some of the assignments during and after the competition.

References

[1] Nováccent Group: https://www.novaccent.nl/
[2] OWASP WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
[3] Kali Linux - a free and open-source penetration testing platform: https://www.kali.org/
[4] BeEF - The Browser Exploitation Framework: http://beefproject.com/
Practice CTF List / Permanant CTF List: http://captf.com/practice-ctf/
Wikipedia - Wargame (hacking): https://en.wikipedia.org/wiki/Wargame_(hacking)

Thursday, 1 June 2017

flexibleJDBCRealm

I have recently changed my security realm settings, and I thought I'd document them here.

I'm still using the flexibleJDBCRealm¹ as I've documented in previous blogs^2,3.

In the Glassfish administration console, under Configurations -> server-config -> Security -> Realms -> myRealm, the settings are now as follows.

Name	Value	Description
datasource.jndi	jdbc/mydb	the data source to my database
jaas.context	flexibleJdbcRealm
password.digest	SHA-512	I have upgraded from SHA1 to SHA2, which seems more secure
password.encoding	HEX:128	See note below
sql.groups	select groupid from mmv_groups where name in (?)	using a database view, makes it easier to change table layout without effecting the securityrealm
sql.password	select password from mmv_users where name in (?)	same as above

Note

The SHA-512 encoding always creates 128 characters as the hash.

However, in the source code of the flexibleJDBCRealm, this hash is converted from a byte[] into a hexadecimal string by means of a call "new BigInteger(1, aData).toString(16);".

This effectively means that if the byte[] starts with one or more "0"s, these are removed in the BigInteger call leaving you with a hash that is less than 128 characters.

This is why I need to use "HEX:128", instead of just "HEX".

MariaDB/MySQL

The values are easily verifiable in the database.

I can just do a

SELECT SHA2(usertable.password, 512) from usertable where user='mrbear';

It should yield the exact same result as the encryption function of the flexibleJDBCRealm.

References

[1] FlexibleJDBCRealm: http://flexiblejdbcrealm.wamblee.org/site/
[2] Security Realms in Glassfish: http://randomthoughtsonjavaprogramming.blogspot.nl/2016/04/security-realms-in-glassfish.html
[3] Glassfish Security Realms: http://randomthoughtsonjavaprogramming.blogspot.nl/2014/10/glassfish-security-realms.html
[4] Installation instructions: http://flexiblejdbcrealm.wamblee.org/site/documentation/snapshot/installation.html

Thursday, 7 April 2016

Security Realms in Glassfish

I recently ran into the problem that the Roles I declared in my application were never assigned to the users I defined, when deployed in my Glassfish server. The log provided me with the following:

2016-03-30T13:13:43.560+0200] [glassfish 5.0] [WARNING] [] [javax.enterprise.system.core.security] [tid: _ThreadID=96 _ThreadName=AutoDeployer] [timeMillis: 1459336423560] [levelValue: 900] [[
No Principals mapped to Role [player].]]

Upon closer inspection, the problem became quite clear.

A more in-depth explanation on how security works in Glassfish can be found in the Java EE 6 Tutorial at [1].

Within a realm (security policy domain) you can define groups and users. Users can be assigned to groups.

Now, there needs to be a mapping between the security as defined in your application, and the security as defined in your application server. There is a bit of a separation between the two, because you need to be able to effortlessly deploy your application to different application servers without having to change your applications security settings.

Even if the realm of the application server happens to be configured differently.

scope	security items	Annotations	deployment descriptor
within your application	roles	@DeclareRolls, @RolesAllowed	web.xml
within your application server	users and groups	-	glassfish-web.xml

Manual mapping

Manual mapping between groups/users and your applications defined roles, is by using an application server specific deployment descriptor. The one glassfish uses is the WEB-INF/glassfish-web.xml and is included in your application war.

Schematically it looks like the following:

An example of the glassfish-web.xml deployment descriptor:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
  <context-root>/myNewWebapp</context-root>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admin</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>god</role-name>
    <principal-name>root</principal-name>
    <group-name>god</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>player</role-name>
    <group-name>player</group-name>
  </security-role-mapping>
<class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

In the example above most mappings are between groups and roles. There is one exception, which is the principal (user) "root". He is directly mapped to the "god" role, as he should be.

Automatic mapping

One of the handy features if you wish to use it, is the option for the glassfish server to automatically try to map groups and roles, based on similar names. This can be done in the glassfish administration gui, by going to server-config and selecting security.

It can completely replace the need for a glassfish-web.xml deployment descriptor.

References

[1] Java EE 6 Tutorial - Working with Realms, Users, Groups and Roles: https://docs.oracle.com/javaee/6/tutorial/doc/bnbxj.html

Thursday, 19 November 2015

Linux Commandline Password Manager

Recently I was looking for a good Password Manager, as the number of passwords I need to maintain is growing steadily (I'm sure everyone knows how it is).

The one I found ("pass² - the standard unix password manager"), the one I am talking about, exemplifies the Unix philosophy⁰. Which is:

Do One Thing and Do It Well.

Write programs to work together.

Write programs to handle text streams, because that is a universal interface.

The password manager actually basically doesn't do anything itself, but delegates to other parts of the Linux system, namely the filesystem, and GPG for encryption, pwgen for the generation of random passwords, xclip for interfacing with the clipboard and (optionally) Git for version control.

It does mean that you have to setup Gnu Private Guard properly, before you can start using "pass", hence the next chapter.

Gnu Private Guard

“GnuPG¹ is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP).”

Creating a key

All keys are stored in .gnupg.

bash-4.3$ gpg2 --full-gen-key
gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/mrbear/.gnupg' created
gpg: new configuration file '/home/mrbear/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/mrbear/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/home/mrbear/.gnupg/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 2

I have decided to follow the advice of the website¹ and take 2.

DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048)

I take 2048, it seems fairly default.

Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) Y

GnuPG needs to construct a user ID to identify your key.

Real name: mrbear
Email address: mrbear@localhost.com
Comment: mrbear
You selected this USER-ID:
"mrbear (mrbear) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

And away we go!

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/mrbear/.gnupg/trustdb.gpg: trustdb created
gpg: key 3A4CFDFE marked as ultimately trusted
gpg: directory '/home/mrbear/.gnupg/openpgp-revocs.d' created
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub dsa2048/3A4CFDFE 2015-10-14
Key fingerprint = 7FCC 07FA A6BE 32DE A971 2281 587B D827 3A4C FDFE
uid [ultimate] mrbear (mrbear)
sub elg2048/0B94C819 2015-10-14

So, just to check:

bash-4.3$ gpg2 --list-keys
/home/mrbear/.gnupg/pubring.kbx
---------------------------------
pub dsa2048/3A4CFDFE 2015-10-14
uid [ultimate] mrbear (mrbear)
sub elg2048/0B94C819 2015-10-14

Password store

Apparently, initialising the store needs to be done with the name of the key generated above.

bash-4.3$ sudo dnf install pass
...
bash-4.3$ pass init "3A4CFDFE"
mkdir: created directory ‘/home/mrbear/.password-store/’
Password store initialized for 3A4CFDFE

And I wish to use Git, because I'm that kinda guy.

bash-4.3$ pass git init
Initialized empty Git repository in /home/mrbear/.password-store/.git/
[master (root-commit) 77cc085] Add current contents of password store.
1 file changed, 1 insertion(+)
create mode 100644 .gpg-id
[master 6655058] Configure git repository for gpg file diff.
1 file changed, 1 insertion(+)
create mode 100644 .gitattributes

Adding my passwords

For example, my email:

bash-4.3$ pass insert Email/mail.localhost.com
mkdir: created directory ‘/home/mrbear/.password-store/Email’
Enter password for Email/mail.localhost.com:
Retype password for Email/mail.localhost.com:
[master 40d6094] Add given password for Email/mail.localhost.com to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 Email/mail.localhost.com.gpg

Adding parameter --multiline makes it possible to not only add your password but other stuff as well. Handy if the userid/username is not standard my email address.

Showing passwords

bash-4.3$ pass
Password Store
└── Email
└── mail.localhost.com

Generating passwords

bash-4.3$ pass generate Internet/sync.firefox.com 16
mkdir: created directory ‘/home/mrbear/.password-store/Internet’
[master 9b966af] Add generated password for Internet/sync.firefox.com.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 Internet/sync.firefox.com.gpg
The generated password for Internet/sync.firefox.com is:
\$%R&E%&8^BA/

Some websites do not accept "odd" characters (< > ! @ # $ % ^ & * _) when it comes to passwords. When adding the "[--no-symbols,-n]" option you get a generated password containing only letters, capitals and digits.

Showing passwords and copying to clipboard

bash-4.3$ pass -c Email/mail.localhost.com
Copied Email/mail.localhost.com to clipboard. Will clear in 45 seconds.

Getting your stuff back

As basically this awesome password manager stored the passwords as a bunch of GPG2 encrypted files in .password-store, we should be able to decrypt the files directly.

This would work as follows:

bash-4.3$ gpg2 --decrypt .password-store/Email/mail.localhost.com.gpg
gpg: encrypted with 2048-bit ELG key, ID 0B94C819, created 2015-10-14
"mrbear (mrbear) "
itsasecret!

Syncing the git

As I wish to manage my passwords from multiple computers, there's a need to sync/merge the git repositories⁵ from time to time.

First is, of course, the copying of the GPG keys by copying the .gnupg directory.

scp -r .gnupg mrbear@toby:/home/mrbear

From the second machine, from my homedirectory:

git clone ssh://mrbear@sherlock/home/mrbear/.password-store
Cloning into '.password-store'...

After that it is nothing more but a "git pull" or "git push" whenever I need it.

References

[0] Wikipedia - Unix philosophy: https://en.wikipedia.org/wiki/Unix_philosophy
[1] GnuPG: https://www.gnupg.org/documentation/howtos.html
[2] Password store: http://www.passwordstore.org/
[3] Linux Crypto: Passwords: http://blog.sanctum.geek.nz/linux-crypto-passwords/
[4] StackExchange Unix - I try to add passwords to the pass password managers but my attempts fail: http://unix.stackexchange.com/questions/53912/i-try-to-add-passwords-to-the-pass-password-manager-but-my-attempts-fail-with
[5] Git - Git Basics Working with Remotes: https://git-scm.com/book/en/v2/Git-Basics-Working-with-Remotes
Fedora Magazine - GPG: a Fedora primer: https://fedoramagazine.org/gnupg-a-fedora-primer/
Fedora Magazine - GPG key management, part 1: https://fedoramagazine.org/gpg-key-management-part-1/

Thursday, 22 October 2015

Running Glassfish on port 80

Well, in short. Linux does not allow non-root programs to listen/occupy ports below 1024. It is a security feature.

So what can I do to make a server that is non-root (because of security) able to receive/send messages through a privileged port? Luckily the question has already been asked multiple times on the Internet.

To summarize:

Run the program as root anyway
Have a root daemon run the program as root, then change the rootrights automatically to something less
Kernel param CAP_NET_BIND_SERVICE
Run a proxy server in front of it
Software that performs what you want
Port-forwarding using IPTables

For the matter of this blog, I am going to assume that I wish to make my Glassfish instance available via both port 80 (the default web port) and port 443 (the default ssl web port). For that is the use case I was faced with.

Run the program as root anyway

Well, that should work, but is a huge security risk in most cases.

We would just need to change the ports of the HTTP Listeners in Glassfish administration console. It can be found in the default-config option.

Have a root daemon run the program as root, then change the rootrights automatically to something less

This seems to be one of the functions of the inetd daemon.

Kernel param CAP_NET_BIND_SERVICE

sudo setcap cap_net_bind_service=ep some-binary

In Linux, the things root can do have been broken up into a set of capabilities. CAP_NET_BIND_SERVICE is the ability to bind to ports <= 1024.

Unfortunately, we would need to set the binary to "java". This automatically means that any java program will have the ability to access any ports. This is not what we want.

Run a proxy server in front of it

That's what I did initially. There are lots of web servers that are perfectly capable of redirecting traffic to another port. For example the Apache HTTP server and Nginx. I choose Nginx, as it seems to be quite easy to setup and doesn't come with a lot of extras, extras I do not need.

The excellent part of this solution is that we can use Nginx to serve static webpages/images/files and not bother the Glassfish with it.

Tricky is that I need the original originating IP address of the client, and that is lost without some magic configuration.

The bad part is that a proxy server is another link in the chain that needs to be supported and maintained etc.

Software that performs what you want

For example authbind seems mentioned a lot.

Port-forwarding using IPTables

This is the solution I went for eventually.

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 8080

# Do the same thing for ssl:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
iptables -t nat -A PREROUTING -p udp -m udp --dport 443 -j REDIRECT --to-ports 8181

Removing all the rules can be done with:

echo "Stopping firewall and allowing everyone..."

iptables -F

iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

To save the configuration, you can use iptables-save and iptables-restore. Or try something like:

]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

References

StackOverflow - Is there a way for non-root processes to bind to “privileged” ports (<1024) on Linux?: http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-1024-on-l#414258
Debian Administration - Running network services as a non-root user: http://www.debian-administration.org/article/386/Running_network_services_as_a_non-root_user
Ubuntu Help - Iptables HowTo: https://help.ubuntu.com/community/IptablesHowTo
Oracle Blogs - Byron's Pointless Ramblings - Run GlassFish V3 as a non-root Service on Linux Ubuntu/Debian: https://blogs.oracle.com/foo/entry/run_glassfish_v3_as_a
The JavaDude Weblog - Glassfish and https running secure applications: https://javadude.wordpress.com/2013/03/25/glassfish-and-https-running-secure-applications/

Sunday, 19 October 2014

Glassfish Security Realms

The JDBCRealm

In the Glassfish Administration Console, go to Configurations -> server-config -> Security -> Realms -> and select "New".

We're going to choose com.sun.enterprise.security.ee.auth.realm.jdbc.JDBCRealm.

The jaas.context name of the new realm is "jdbcRealm".

A jdbcRealm needs both a user table and a group table. The group table should store both userids as well as groupids. In other words,

the group table doesn't only contain groups, and
has a composite primary key, consisting of userid and groupid.

Database Schema

The user table is called "mm_admin" in my case, and the groups table is called "mm_admin_mm_groups".

I have created the "mm_groups" table to store extra information for groups, but that table is ignored by the jdbcRealm.

Some serious disadvantages of the jdbcRealm are:

groups are cached, which means if a user changes groups, the Glassfish Server needs to be rebooted.
flexibility is about zero, for instance if I have an expiration date attached to my usertable, I'm out of luck.

All this causes me to look elsewhere, namely towards the flexibleJDBCRealm⁵

The flexibleJDBCRealm

The great advantage of the flexibleJDBCRealm is that you can add SQL queries that are run to retrieve passwords and groups.

Instructions

Well, according to instructions found here⁶, you have to:

download the flexiblejdbcrealm-deploy-1.2-all.jar
put it into glassfish/domains/domain1/lib directory
change glassfish/domains/domain1/config/login.conf to add
flexibleJdbcRealm {
org.wamblee.glassfish.auth.FlexibleJdbcLoginModule required;
};
reboot the glassfish
In the Glassfish Administration Console, go to Configurations -> server-config -> Security -> Realms -> and select "New"
enter the class name org.wamblee.glassfish.auth.FlexibleJdbcRealm
set the properties, for example like in the image above.

Properties

The properties that can be entered could use a little more explaining compared to what is available at [6].

password.digest: uses MessageDigest(String algorithm). Possible values are "PLAIN", "MD2", "MD5", "SHA-1", "SHA-256", "SHA-384" and SHA-512.
password.encoding: the encoding, I find HEX to be the most useful. Possibile values are "TEXT", "HEX" and "BASE64". A variation of "HEX" is "HEX:<digits>", for example "HEX:40". This padds the beginning of the encoding with zeros to reach the length required. For example MySQL itself always creates passwords using the SHA() function to 40 hex digits also padding the beginning with zeros.
sql.groups: select groupid from mm_admin_mm_groups where name in (?)
sql.password: select passwd from mm_admin where name in (?) and validuntil > now()
jaas.context: flexibleJdbcRealm
datasource.jndi: of course, the connection string to the database

NOTE: he's complaining about setting properties in the realm with a = in them. So I had to go back to an "in (?)" construction for the SQL queries.

Logging

In glassfish/domains/domain1/config/logging.properties, add: org.wamblee.level=FINEST.

Application Configuration

My web.xml would look like thusly:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1"
    xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <security-constraint>
        <display-name>Administration</display-name>
        <web-resource-collection>
            <web-resource-name>Administration REST Resources</web-resource-name>
            <description/>
            <url-pattern>/resources/administration/*</url-pattern>
            <url-pattern>/administration/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>deputy</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>deputyRealm</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>deputy</role-name>
    </security-role>
</web-app>

My glassfish-web.xml looks like:

In this file you can create a mapping between security roles and groups.

Declarative Security

An example of declarative security using Annotations:

@DeclareRoles("deputy")
@RolesAllowed("deputy")
@Stateless
@Path("/administration/worldattributes")
public class WorldattributesBean extends AbstractFacade<Worldattribute>
{

This means the role definition in the web.xml can be removed.

In the example above, the security role is applied to the entire Bean, so for each method in the bean, instead of on each method that requires the role.

Programmatic Security

Unfortunately, some fine-grained security can only be done with programmatic means, for example determining if a person who has authenticated themselves owns a certain object that needs mutated upon. In my example, this info in a Rest service can be obtained through a SecurityContext:

import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.Context;
...
@POST
@Override
@Consumes(
{
     "application/xml", "application/json"
})
public void create(Worldattribute entity, @Context SecurityContext sc)
{
  itsLog.info("create");
  final String name = sc.getUserPrincipal().getName();

FAQ

I get WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: No LoginModules configured for flexibleJdbcRealm?: You forgot to add the entry to the login.conf as specified above.

References

[1] Oracle - Security in the Java EE Platform: http://docs.oracle.com/javaee/7/tutorial/doc/security-intro.htm
[2] The Java EE 7 Tutorial: Release 7 for Java EE Platform
[3] Oracle - Using the JDBC Realm for User Authentication: http://docs.oracle.com/javaee/6/tutorial/doc/glxgo.html
[4] Understanding Web Security: http://java.dzone.com/articles/understanding-web-security
[5] FlexibleJDBCRealm: http://flexiblejdbcrealm.wamblee.org/site/
[6] Installation instructions: http://flexiblejdbcrealm.wamblee.org/site/documentation/snapshot/installation.html