Table of Contents

Introduction

This section describes how the FEWS Web Services can be protected using the security mechanisms of the Tomcat application server. 

...

Info

Tomcat 8 is recommended over Tomcat 7 for its more advanced security options, in particular the so-called CredentialHandler.

Basic Authentication with Tomcat

To configure Basic Authentication for the FEWS Web Services with the UserDatabaseRealm, the Tomcat application server has to be configured as described in the following steps. Since these steps are applied in the Tomcat application server itself, they apply to all web applications running in that Tomcat server.

...

Warning

Basic authentication should always be used over a secure HTTPS connection. This is usually done by placing a TLS-terminating reverse proxy such as NGINX or the Apache web server in front of Tomcat. Alternatively, Tomcat itself can be configured to accept HTTPS connections.

User management with Tomcat

Tomcat has the concept of a Realm to store users, roles and passwords; for more information see the Tomcat Realm implementations. In a standard Tomcat installation, Tomcat is configured with a file-based user store called the UserDatabaseRealm, which can be used with basic authentication. For more advanced implementations, please consult the Tomcat documentation. The realm is configured in the server.xml file in the conf directory of the Tomcat installation.

The UserDatabaseRealm uses the tomcat-users.xml file from the conf folder to store users, roles and passwords. By default the passwords are stored in plain text. It is strongly advised to configure a hashing algorithm so that no plain text passwords are stored on the file system. Both Tomcat 7 and 8 support hashing algorithms; Tomcat 8 uses a CredentialHandler that supports a salt and an iteration count, which is not possible with Tomcat 7.

User management with Tomcat 8

In the following server.xml file the CredentialHandler element was added to the UserDatabaseRealm. In this case the PBKDF2WithHmacSHA512 algorithm is configured with a keyLength of 256, a saltLength of 16 and 100000 iterations. These settings are a trade-off between performance and security; the exact values should be evaluated per use case.

...


Now, when accessing the FEWS Web Services, the user fews can access all web server pages with the password Test1234.

User management with Tomcat 7

To enable hashing, a digest attribute with the hashing algorithm to be used has to be added to the UserDatabaseRealm.

...


Now, when accessing the FEWS Web Services, the user fews can access all web server pages with the password Test1234.
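As an added illustration of the two storage formats described in the Tomcat 8 and Tomcat 7 sections above (example code written for this page, not code from the FEWS or Tomcat projects), the following Python functions produce and verify credentials in the layout that Tomcat 7's digest attribute and Tomcat 8's PBKDF2WithHmacSHA512 CredentialHandler write into tomcat-users.xml: an unsalted hex digest for Tomcat 7, and hex(salt)$iterations$hex(hash) for Tomcat 8 with the page's keyLength of 256, saltLength of 16 and 100000 iterations. All function and variable names are this example's own; PAGE_HASH is the fews user's credential copied from the tomcat-users.xml shown later on this page and is only parsed here to show the layout.

```python
import hashlib
import hmac
import os

# Credential of user "fews" copied from the tomcat-users.xml on this page
# (Tomcat 8 layout: hex(salt) $ iterations $ hex(derived key)).
PAGE_HASH = ("91429c93e8b1d9462852770ea94d3cee$100000$"
             "48c94a74968e5a1b5df394a50c27effeb330553b66dc75d7840a9beb25a2ce90")


def tomcat7_digest(password: str, algorithm: str = "SHA-256") -> str:
    """Tomcat 7 digest="SHA-256" style: plain hex digest of the UTF-8 password.

    No salt and a single round, so equal passwords give equal stored values.
    """
    name = algorithm.lower().replace("-", "")          # "SHA-256" -> "sha256"
    return hashlib.new(name, password.encode("utf-8")).hexdigest()


def verify_tomcat7(password: str, stored: str, algorithm: str = "SHA-256") -> bool:
    """Constant-time comparison against a Tomcat 7 digest value."""
    return hmac.compare_digest(tomcat7_digest(password, algorithm), stored)


def tomcat8_pbkdf2(password: str, iterations: int = 100000, salt_length: int = 16,
                   key_length: int = 256, salt: bytes = None) -> str:
    """Tomcat 8 PBKDF2WithHmacSHA512 CredentialHandler layout.

    keyLength is given in bits (256 -> 32-byte derived key), saltLength in bytes.
    A fresh random salt is drawn per credential unless one is supplied.
    """
    if salt is None:
        salt = os.urandom(salt_length)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             iterations, dklen=key_length // 8)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def parse_stored(stored: str):
    """Split hex(salt)$iterations$hex(hash) into (salt bytes, iterations, hash bytes)."""
    salt_hex, iterations, dk_hex = stored.split("$")
    return bytes.fromhex(salt_hex), int(iterations), bytes.fromhex(dk_hex)


def verify_tomcat8(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt/iterations and compare in constant time."""
    salt, iterations, expected = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    salt, iters, dk = parse_stored(PAGE_HASH)
    print(f"page credential: {len(salt)}-byte salt, {iters} iterations, {len(dk) * 8}-bit key")
    print("Tomcat 7 SHA-256 of Test1234:", tomcat7_digest("Test1234"))
    fresh = tomcat8_pbkdf2("Test1234")
    print("Tomcat 8 credential:", fresh)
    print("verifies:", verify_tomcat8("Test1234", fresh))
```

Two points the paragraphs above only state in words become visible when you run this: hashing the same password twice with the Tomcat 8 handler yields two different stored values because each gets its own salt, whereas the Tomcat 7 digest of a given password is always identical, so one cracked value exposes every account sharing that password. Verification uses hmac.compare_digest rather than == to keep the comparison time independent of how many leading bytes match.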

Advanced access configuration

In the previous examples all FEWS Web Services are available to all users with the fewswebservices role. It is also possible to configure more fine-grained access to the different web services, or even to methods within the services, by using different roles and different url-patterns in the security constraints. Each FEWS Web Service has its own url-pattern that can be used. The patterns per web service are as follows.

...

tomcat-users.xml:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="fewswebservices"/>
<role rolename="fewspirest"/>

<!-- Tomcat 8 CredentialHandler layout: hex(salt)$iterations$hex(hash) -->
<user username="fews" roles="fewswebservices" password="91429c93e8b1d9462852770ea94d3cee$100000$48c94a74968e5a1b5df394a50c27effeb330553b66dc75d7840a9beb25a2ce90" />
<user username="rest" roles="fewspirest" password="[PASSWORD_OF_USER_REST]" />

</tomcat-users>
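To make the role and url-pattern interaction described under Advanced access configuration concrete, here is an added Python model (example code for this page, not part of FEWS or Tomcat) of how security constraints are selected for a request path: exact match first, then the longest matching prefix pattern, then extension patterns, then the default pattern, with only the best-matching pattern's constraints deciding access. The two roles come from the tomcat-users.xml above; the url-patterns "/*" and "/rest/*" are hypothetical placeholders for the real FEWS patterns, and the class and function names are this example's own. It is a simplified model; the Tomcat documentation remains the reference for the full rules.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: a url-pattern and the roles allowed to reach it."""
    url_pattern: str
    roles: frozenset
    auth_constraint: bool = True   # False models a constraint without <auth-constraint>


def match_rank(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Return a (category, specificity) rank if pattern matches path, else None.

    Category order follows the servlet url-pattern rules Tomcat applies:
    exact (3) > prefix "/x/*" (2, longest prefix wins) > extension "*.ext" (1) > default "/" (0).
    """
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern == "/":
        return (0, 0)
    return None


def best_constraints(constraints: Iterable[Constraint], path: str) -> List[Constraint]:
    """Keep only the constraints attached to the best-matching pattern for this path."""
    ranked = []
    for c in constraints:
        rank = match_rank(c.url_pattern, path)
        if rank is not None:
            ranked.append((rank, c))
    if not ranked:
        return []
    best = max(rank for rank, _ in ranked)
    return [c for rank, c in ranked if rank == best]


def is_permitted(constraints: Iterable[Constraint], path: str, user_roles: Iterable[str]) -> bool:
    """A path is open if unconstrained; otherwise the user needs a role from a matching constraint."""
    matched = best_constraints(constraints, path)
    if not matched:
        return True
    held = set(user_roles)
    for c in matched:
        if not c.auth_constraint:
            return True
        if c.roles & held:
            return True
    return False


# Hypothetical constraint set (patterns are placeholders, roles are from tomcat-users.xml):
# everything requires fewswebservices, except the REST service which requires fewspirest.
CONSTRAINTS = [
    Constraint("/*", frozenset({"fewswebservices"})),
    Constraint("/rest/*", frozenset({"fewspirest"})),
]


if __name__ == "__main__":
    for path, roles in [("/rest/timeseries", {"fewspirest"}),
                        ("/rest/timeseries", {"fewswebservices"}),
                        ("/someservice", {"fewswebservices"}),
                        ("/someservice", {"fewspirest"})]:
        print(path, sorted(roles), "->", "allow" if is_permitted(CONSTRAINTS, path, roles) else "deny")
```

The result worth noticing is the second case: once a more specific "/rest/*" constraint exists, the broader "/*" constraint no longer applies to paths under /rest, so a user holding only fewswebservices is denied there. If both groups should reach a service, list both roles in that service's constraint rather than relying on the broad pattern.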

General recommendations

  • Always inspect the Tomcat documentation for the latest security improvements.
  • Take note that generating password hashes on the machine where the passwords are stored can still leave references to the password in, for example, a shell history file. Take measures to prevent the passwords from being logged. For example, in Linux bash, starting a command with a space prevents the command from being added to the history file (this relies on HISTCONTROL being set to ignorespace or ignoreboth).
  • Always use strong passwords.

...