Java-risk-715144

Hacking Liferay – Securing against online vulnerabilities

This is a brief post on securing Liferay on Tomcat and MySQL.
Liferay CE is stable enterprise portal, as more companies
start to adopt it, therefore security becomes a very important aspect of the
deployment. I am not sure if Liferay has been officially tested by a 3rd
party security firm but based on my simple security test against OWASP  Top 10 vulnerabilities, I can say that it looks good in that aspect. Some of the recommendations are taken from their
respective sites while others are based on our testing. We tested the following
on Linux Ubuntu 12.04 LTS.
Here is what I did for a quick test (using default
installation of liferay-portal-tomcat-6.1.1-ce-ga2-20120731132656558) :
1-
Download the Zed Attack Proxy (ZAP) from OWASP
2-
Make ZAP is set to run the following attacks:
a.
Path traversal
b.
Remote file Inclusion
c.
URL Redirector Abuse
d.
Server Side Include
e.
Cross Site Scripting
f.
SQL Injection
g.
Directory Browsing
h.
Session ID in URL rewrite
i.
Secure page browser cache
j.
External redirect
k.
CRLF injection
l.
Parameter tampering
3-
Run Liferay with default settings
4-
Now sit back and watch Liferay logs go “CRAZY”
Passing the OSWAP Top 10 vulnerabilities doesn’t mean that
you are out of the water yet. This test just focuses on browser based
penetration tests.
Here some steps to have an even more secured Liferay
deployment on Tomcat.

Make sure Tomcat uses SSL
to serve Liferay content

Make sure that you do not run Tomcat as “root”
user
o
Tomcat user should not have remote access to the
server

Disable auto-deployment of web applications

Change the file permissions on the Tomcat folder;
all Tomcat files should be owned by “root” user with group Tomcat  and
whilst owner has read/write privileges, group only has read and world has no
permissions. The exceptions are the logs, temp and work directory that are
owned by the Tomcat user rather than root. This means that even if an attacker
compromises the Tomcat process, they can’t change the Tomcat configuration,
deploy new web applications or modify existing web applications. The Tomcat
process runs with a umask of 007 to maintain these permissions.

Enable
Tomcat Security Manager, this causes web application to be run in a sandbox

In Server.xml
do the following:
o
Disable the
shutdown port by setting its attribute to -1
o
Make
sure that Tomcat HTTP connectors only to designated IP address; by default the
connectors listen to all configured IP addresses
o
Configure
the “ciphers” attribute used for SSL connections. By default, Tomcat uses the
default ciphers for the JVM which contains weak export grade ciphers
There are more
Tomcat settings which is available online.
You also need to
make sure that you secure your Operating System and Network. Now that we have
some basic security in place for Tomcat, let’s now tackle the our database. In
this test, we used MySQL 5.
Here is some basic
MySQL security:

Set a
root password for MySQL

Remove
all anonymous accounts

Disable
non-local root access

Remove
all test databases and any access rules related to them

Reload privilege
tables to apply the changes

Enable
SSL connection for MySQL, the default connection
is unencrypted
Now to conclude, let’s
secure our Liferay instance. Liferay is configured through portal.properties
and you should override those settings in portal-ext.properties. Create the
file if it doesn’t exist:

Set web.server.host=MY-HOST-NAME
so that it is not dynamically set

Set the preferred
protocol to web.server.protocol=https

If you
want Liferay to be only accessible from certain IP addresses, set
main.servlet.hosts.allowed=,,

To make
Liferay only accessible through HTTPS, set main.servlet.https.required=true

Secure the
Axis servlet as follow:
o
axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
axis.servlet.https.required=true

Secure
the JSON Tunnel Servlet as follow:
o
json.servlet.hosts.allowed=
json.servlet.https.required=true

Secure Liferay Tunnel Servlet as follow:
o
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
tunnel.servlet.https.required=true

Secure Spring Remoting Servlet
o
spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
spring.remoting.servlet.https.required=true

Securing the Webdav Servlet
o
webdav.servlet.hosts.allowed=
webdav.servlet.https.required=true

Make sure you have configured the Admin
portlet by overriding all the default values

The IFrame Portlet, when used in a high
security environment, should have the following properties set
o
iframe.password.token.role=

JAAS security need to have properties set:
o
To stop user from passing in encrypted
password: portal.jaas.strict.password=true

Passwords: Choose a strong password
encryption algorithm to encrypt passwords by setting the following:
o
passwords.encryption.algorithm=
I am sure that many
other security settings are left out so feel free to share in the comments. I
hope this helps someone to secure their Liferay environment.
happy20101

Happy New Year Techies!!!

I just wanted to say happy new year to the community, without you guys, we would still be living in the dark ages. Here are a few that I am looking forward to in the new year:

  1. Oracle Sun merger:- The untold future of NetBeans, MySQL, Swing and every open source that Sun has been working on in the past. What would happen to Sun Open Source (SOS!!!) Movement.
  2. Looking forward to JavaFX1.3 release, Authoring tool and improved Composer plugin.
  3. Android uprise against iPhone (not because I can easily write Android based application) and hopefully with Visual XML builder to build Android UI. JavaFX running on Android, anybody????
  4.  Looking forward to seeing real-world JavaFX application and possibly a showcase linked to the JavaFX.com site.
  5. Java EE 6 support in Google App Engine
  6. Google Wave open to the public and how well it does against Twitter and Facebook
  7. Java Store open to Europe (well this is where I am based and want to sell applications not just provide free).
  8. My new video blog ( well that’s me trying to be more Armel 2.0 – the sequel) to better engage with the community.
  9. looking forward to networking with fellow developers and techies.
  10. looking forward to the new buzzwords (old technology, new name)

Well, 2009 is was good year for Java and tech scene. I hope that you all enjoyed the year as much as I did. Why not share what wish list with me (comment box). Subscribe to follow my blog as I will try to bring more interesting articles in the new year.

Happy 2010 New Year, wish you all; success, properity, fame (yup) and fortune. Don’t forget, if you need a server-side, UI, Android or JavaFx developer, just mail me.

4099041220_b0ccec7f10

Develop High Transaction Web Applications with Java MySQL & NetBeans

This entry is a brief tutorial on how to develop high transactional web application. I will be looking at how to develop a high transactional application while maintaining data integrityFor the purpose of keeping this entry simple, I will be using some RAD tools, the NetBeans IDE, to generate most of the code.

In order to follow the tutorial, you will need the following:

  1. NetBeans IDE 6.7+
  2. Java JDK 1.6+ (my version is 1.6.0_17)
  3. MySQL 5.1+
  4. MySQL Sakila database
  5. Apache Tomcat 6.x
  6. An understanding of JPA transactions and ReSTful web services

This is my definition of High Transaction Applications:

A high transaction application is one that can serve multiple simultaneous requests from clients and keep them secure from each other. The application has only two purposes: read or write data to/from a repository either JMS or DB. The transactions have to meet the ACID criteria in order to be deployed in the real world.

Ok, the above is my definition and you are free to redefine it. I am going to build a web application that will be an n-tier application:

  • Database back-end (MySQL)
  • Entity classes
  • ReSTful Web Services to allow other developers to integrate the application with theirs
  • A web based front-end

For the simplicity of the article, I will not implement any security such as user or application level security (authentication and database table privileges). This tutorial is mostly geared toward the newbies but I am sure that more advanced developers would benefit too.

Let’s get coding.

  1. Make sure that you have loaded the MySQL Sakila database into your MySQL database. You can download the Sakila database from the NetBeans plugin centre (see here).
  2. Create a new web application and name whatever you like. I have named mine “WebApplication”. I will now refer the application as WebApplication. Make sure to choose Tomcat as your deployment server
  3. Add the MySQL driver “mysql-connector-java-5.0.7-bin” to the WebApplication libraries. NetBeans will work and connect to the DB even without the driver but once you deploy your application to a server, the application will not be able to connect to the DB and throw a ClassNotFoundException com.mysql.jdbc.driver.
  4. We are going to develop the back-end first. NetBeans makes it very easy for us to create Entity classes from database. I would recommend newbies to learn how to manually create Entity classes and configure the persistence.xml file. This tutorial makes use of JPA but one should ignore the drawbacks of JPA/ ORM frameworks.
  5. Right click on the project name and choose Entity Classes from Database… On the next screen choose the “filmActor” table and click on the Add button. Make sure that “Include Related Tables” box is checked underneath the Selected Tables panel. The screenshot does not show the “filmActor” table as I have previously generated the Entity class but I am sure you get the idea.

  6. If you are required to create a Persistence Unit, click on the persistence button -> you can accept the default name -> choose your Persistence Library -> choose your database connection -> choose “None” for Table Generation Strategy -> click Finish
  7. After choosing the table to generate the Entity from click next -> fill Package name -> tick Generate Name Query… -> click Finish
  8.  

    NetBeans generates all the Entity classes based on the database table that you have chosen. The next thing that we want to do is generate a set of ReSTful web services from the generated Entity classes. Again, NetBeans facilitates the work for us (it is important that you also know how to create the classes manually or you will not know how to debug them if there is any problem in the future).

  9. Right click on the project name “WebApplication” -> RESTful Web Services from Entity Classes… -> Choose the Entity Classes that you would like to generate the WS for and click add or add all -> click next -> on the following screen, accept the default values and click Finish

  10. You can go ahead and test your ReSTFul Web Services by right clicking on the name of the application and click on Test RESTful Web Services

  11. The previous step will launch your web browser within which you can test your web services (click on the node on the left and see the queries on the right)

  12. Back in the NetBeans IDE; right click on the project name “WebApplication” -> click on JSF Pages from Entity Classes… (The JSF pages will not use the web services as there are packaged together with the Entity Classes. This will improve performances and still allow external applications to integrate). Choose the Entity Classes that you would like to generate the pages for -> click next. On the final screen, fill in the package name for the JPA Controller and JSF Classes -> click finish

    NetBeans will generate the necessary files to create a CRUD application with a user interface. I suggest that you familiarize yourself with the generated code.

  13. Expand the Configuration folder under your project name “WebApplication” and the web.xml file. At around line 38, change the content of the welcome-file-list to look as follow
    <welcome-file-list>
            <welcome-file>faces/welcomeJSF.jsp</welcome-file>
    </welcome-file-list>

    This will make the generate JSF page to be the landing page for the application when requested. Make sure that you do have a “welcomeJSF.jsp” file before making the change.

  14. Right click on the application name -> Run. The application should load in your web browser. Now go on, play around with the application. And why not create a client to send request to the web services? (not today)

You can load test your application by using Apache JMeter. It is easy to run and configure. If you want to take a look at how JPA implements the ACID features, browse to your controller classes. Here is a short introduction to JPA transaction.

Hope you enjoyed and if you need any clarification, just leave me a comment and try to get back to you ASAP (if time permits).

4064537510_e727865913

ReST Web Services on Google App Engine using NetBeans 6.7

When Google announced early this year the availability of the Java language on their cloud system “App Engine”, this was turning point for Java on the web. The reason I am saying that is due to a simple questions; how many hosting providers support Java? And providing free hosting for that purpose… This was a good move in the direction of the JAVA community and the vast list of all the languages that run on the JVM.  But App Engine does not support the full range of the J2EE API. If you are looking to build any EJB, SOAP services or anything that access the file system, then the App Engine is not for you as it does not support it. To make matter worst, some URL connections are not supported by the Google cloud services. I am looking forward to the day when JBoss Seam will be supported entirely by their services without having to hack the code. Alright, it is not that bad; Google App engine supports a number of Java EE frameworks such as Spring.

Alright people, this was a long introduction but I believe it is worth it. You cannot create web services such as SOAP in the Google App Engine therefore, in this short article, I will show you how to develop a ReST based web services that works with the App Engine using NetBeans and Jersey API. Actually, NetBeans comes with Jersey support out the box. Now, let’s get started.
In order to follow the instructions, you will need the following:

NetBeans 6.7+

Google App Engine SDK

Google App Engine Plugin for NetBeans

I would expect you to know to be familiar with JAVA EE development and Google App Engine development. Once you have all the software and components installed, now we can start.

1.    Create a database structure to store your data. I used MySQL Workbench to design my DB structure (Google App Engine does not used MySQL and does not have plan to support it in the future). This schema is to help you understand the relationship between your entities. You can use any UML tools to design your objects’ relationship. There is a reason I chose to design DB in MySQL, the application generates SQL script which I will upload to MySQL DB. I will show you in the next step the main benefits.
 

2.    Based on your DB schema, create a database. You can use any database you want. I used MySQL to initially store my entities.

3.    Launch your NetBeans application and create new Web Application.
 

3.1    Choose Google App Engine as deployment server, click here to see how to register the App Engine in NetBeans.

4.    Now click on: File -> New File. In the popup window, choose Web Services in the Categories panel and RESTFul Web Services from Database and click next.
 

5.    Choose your the database that you want to generate your Entity classes from and click next. ( in the screenshot I am using the sample DB which came with the NetBeans and JAVA DB server. This is just for illustration purposes only as I have previously generated my Entity Classes from the DB schema I generated in step 1).

6.    Check your Class Names and how they relate to the database. Make any changes that you require in this screen, and then click next.
 

7.    In the next screen, just accept the default values and click finish.
 

Well we have done the hard parts. There is another step that missed out due to the fact that I already written the application. When generating Entities from Database, if you do not have a persistence unit available, it will ask to generate one. Here is more information on how to create a persistence unit with NetBeans. Make sure to make sure to choose “Create” as the table generation strategy.
 

By Now, you should be aware that we have create a back-end application store which we can call using normal http post, get, delete and create. NetBeans RestFull methods allows to use XML or JSON to send data to the services. The responses MIME can be anything you like as long as the application server supports it.
WARNING: JERSEY XML processing is not supported by Google App Engine as it uses JAXB. JAXB accesses API which is forbidden by the App Engine stack. If testing the application on the App engine, use the JSON MIME for your data.
Ok so we have generate the classes and methods require to expose our back-end to other application. As it is, this will not work on Google App Engine so we need to make a final change, this time we need to change the persistence.xml file manually. In the project window under the name of your project, click on Configuration files -> persistence.xml and open the file in the editor. Once the file is open in the editor, click on the XML tab and make the necessary changes to make it look like the screenshot.
 

Here is the content of persistence.xml; modify to reflect your entities and make sure the name of the provider is the same as mine and the properties are exactly the same.

    <?xml version=”1.0″ encoding=”UTF-8″?>
    <persistence version=”1.0″ xmlns=”http://java.sun.com/xml/ns/persistence” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:schemaLocation=”http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd”>
        <persistence-unit name=”ReSTWebApplicationPU” transaction-type=”RESOURCE_LOCAL”>
            <provider>org.datanucleus.store.appengine.jpa.DatastorePersistenceProvider</provider>
            <class>com.test.api.Userlogs</class>
            <class>com.test.api.Customer</class>
            <class>com.test.api.User</class>
            <class>com.test.api.Business</class>
            <class>com.test.api.Reviews</class>
            <exclude-unlisted-classes>false</exclude-unlisted-classes>
            <properties>
                <property name=”datanucleus.NontransactionalRead” value=”true”/>
                <property name=”datanucleus.NontransactionalWrite” value=”true”/>
                <property name=”datanucleus.ConnectionURL” value=”appengine”/>
            </properties>
        </persistence-unit>
    </persistence>

Now we are ready to run the application and test it in our local environment. Right click your project name in the projects window and click Test RestFul web services, your favourite web browser with page that shows your resources. You can test your services by clicking on the nodes and or drilling through the nodes.
 

You can also use the Firefox RESTClient Plugin to test your app. Also, Google App Engine does not fully support JPA and might throw some exception about not supporting “integer type object for primary key”. If you do experience this issue, change the type of your key.
This is it for now, looking forward to your feedback, good or bad, they are all welcome. Also, if you need JAVA EE help, contact me directly. Also join me on facebook. Hope the guide or tutorial or whatever you call it, was good enough to help you with something.

Please support my blog and its advertisers by clicking on the interesting products/ services on the right (Google ads).  Cheers.

pixy

IBM to buy SUN – the End for NetBeans and Glassfish?

I am sure that you have seen in the tech news that IBM are looking to buy SUN MicroSystem the owner of JAVA and now MySQL.

Sun has been losing money on its Solaris based servers, probably one of the reason Solaris is now Open Source? Sun started to lose money after the 2000-01 dot com bubble burst. Since the company has been trying to reinvent himself and even tried to look for buyers for more than year. Rumours says that HP turned the offer down. Everyone must be thinking now, why a company which losing money and put himself up for sale at $6B would buy an open source company for $1B (MySQL)?

Anyway, what would this acquisition mean to the JAVA world? IBM has been a major sponsor of SUN rival IDE – Eclipse. Therefore there is a major question as what will happen to NetBeans? Oh, and what about JavaFX, it is still in beta stage as far as I can see and cannot yet compete with Flash or SilverLight, will IBM pull the plug on that?

WOW, I have so much questions but I am not sure how to formulate them all. For example, I am a big fan of NetBeans and Glassfish but IBM develops Eclipse and WebSphere, I can’t help feel insecure about the future of NetBeans & Glassfish to be replaced by IBM own baby.

NetBeans funding will ceased th project will become a full fledge Open Source and hopefully an organisation like Apache or even Google take over it. But what about MySQL, IBM has DB2 which is very powerful so what are they going to do with DB systems?

You know what guys, time will tell us so let’s just wait and see, shall we?

http://www.guardian.co.uk/technology/blog/2009/mar/18/ibm-sun-deal-maybe