Tuesday July 26, 2005
Secure That Session Bean!
Using Ethereal, the sniffer I used in NetBeans IDE, Sniffers, and the Deviant Computer User, I 'sniffed' (i.e., 'preemptively hacked') the application described in the Building Secure Enterprise Beans in NetBeans IDE tutorial. This is the data stream that Ethereal intercepted between the session bean and the web application:
When I decoded the garbled authorization string (as described in step 6 here), the IDE's Output window displayed the username and password that the server requires in order for the web application to access the session bean:

The point is this: HTTP Basic Authentication is useful for illustrative purposes only, because the credentials it sends are merely Base64-encoded, not encrypted, and anyone who can read the data stream can decode them exactly as shown above. To really secure an application, a far more robust security strategy should be adopted, and that strategy is Secure Sockets Layer (SSL). SSL provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection, so the authorization string no longer crosses the network in a readable form. It includes support for a public key certificate, which is the digital equivalent of a passport: it is issued by a trusted organization, called a certificate authority (CA), and provides identification for the bearer. For details, read the Understanding Login Authentication section in the J2EE Tutorial.
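To make the weakness concrete, here is an added audit script (my own example, not code from the post or from the NetBeans tutorial) that takes a captured HTTP request, recovers the Basic credentials the way step 6 does, and flags them as exposed when the request did not travel over SSL. The request text, the /SecureBean path and the user name are constructed for the example.

```python
import base64
import binascii
from typing import Optional

# Constructed sample of what a sniffer shows for a plaintext HTTP request
# carrying Basic authentication (not taken from the post's actual capture).
SAMPLE_REQUEST = (
    "GET /SecureBean/index.jsp HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Authorization: Basic YWRtaW46Y2hhbmdlaXQ=\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> dict:
    """Split a raw HTTP request into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def decode_basic(auth_value: str) -> Optional[tuple]:
    """Return (user, password) for a Basic header; Base64 is encoding, not encryption."""
    scheme, _, blob = auth_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                      # malformed header, nothing to recover
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit_request(raw: str, tls: bool) -> dict:
    """Flag Basic credentials that crossed the wire without SSL/TLS protection.

    The password is deliberately left out of the report; the user name is
    enough to identify which account needs attention.
    """
    creds = decode_basic(parse_headers(raw).get("authorization", ""))
    return {
        "scheme_basic": creds is not None,
        "exposed": creds is not None and not tls,
        "user": creds[0] if creds else None,
    }

if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST, tls=False))
```

With SSL in place (`tls=True`) the same header is no longer readable on the wire, so the report no longer marks it as exposed.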
Jul 26 2005, 06:54:43 AM PDT