Application configuration security hardening
Before you can run an application in production, carefully harden its configuration by following best practices. If your application isn’t properly secured, external users might derive or inherit unauthorized privileges when they run it and gain access to sensitive information.
This sensitive information might contain information about your application and other users. By hardening your application configuration, you can prevent unauthorized exposure of sensitive information.
Roles and access
Understanding roles and mappings of users is key to securely configuring your application for production use. Incorrect role mapping can give inadvertent levels of access to users, which can result in users who can gain unapproved access to sensitive resources. For more information about how to map users to roles and groups, see Authorization.
If you don’t configure roles in the server.xml
file, by default, Open Liberty uses the group names that a user is attached to as the role names for the user. For conflicts in the role mapping of a servlet between the web.xml
file and annotations in the application, the configuration in the web.xml
file takes precedence.
If a conflict exists between the ibm-application-bnd.xml
and server.xml
files, then the configuration in the server.xml
file takes precedence. If the information that is being specified can have multiple values, the values from the server.xml
file are added to the values from the application. For example, if the ibm-application-bnd.xml
file defines two roles, such as admin
and viewer
, and the server.xml
file defines one role, such as user
, then all three roles are used. A role that is defined in the server.xml
file can have the same name as a role that is defined in the ibm-application-bnd.xml
file. For example, the admin
role could be defined in the server.xml
and ibm-application-bnd.xml
files. In this situation, the admin
role from the server.xml
file overwrites the admin
role from the ibm-application-bnd.xml
file.
When the role-mapping binding information isn’t specified for the application in the ibm-application-bnd.xml
or server.xml
files, the group name and role name must be the same. For example, if the role name is manager
, then a user who belongs to a manager
group has access to that resource.
Web server document root
Avoid placing sensitive information in the WAR root. The web container serves any files that are found in the root of the WAR file, which is okay if the root contains only servable content. However, because the web container serves files from the WAR root, it must never contain any content that you don’t want users to see, including property or class files. If you must place such information in the WAR file, place it in the WEB-INF
directory, as allowed by the servlet specification. Information in this directory is never served by the web container.
Secure servlets
Servlets can be served by class name or with a normal URL alias. You can serve servlets by class name by setting the serveServletsByClassnameEnabled
property to true
in the ibm-web-ext.xml
file of the application. For production purposes, don’t enable this property. Enabling the serveServletsByClassnameEnabled
property makes it possible for anyone that knows the class name of any servlet to directly start it.
By default, Open Liberty does not allow servlets to be served by class name. Instead of defining a mapping for each servlet, a single generic URI, such as /servlet
, serves all servlets. The component of the path after the generic URI is assumed to be the class name for the servlet. For example, the /servlet/com.ibm.sample.MyServlet
path refers to the com.ibm.sample.MyServlet
servlet class.
Servlet aliases
Servlets are secured by URLs, and each URL must be specified with security constraints. The security constraints can be outlined by using JAX-RS annotations, or they can be included in the web.xml
file that describes the application.
A servlet can have more than one alias. For example, multiple URLs can access the same servlet class. If a servlet has more than one alias, it can be easy to forget to secure an alias. Because Open Liberty secures URLs and not the underlying classes, if just one servlet URL is insecure, an intruder might be able to bypass security. To alleviate this risk, use wildcards to secure servlets wherever possible. If using wildcards isn’t appropriate, carefully check your web.xml
file before deployment.
When you specify security constraints for servlets, ensure that you either list no methods or carefully list all the methods for a servlet, including GET, POST, PUT, and HEAD methods.
Specify the deny-uncovered-http-methods
element in the web.xml
file. When the deny-uncovered-http-methods
element is specified, the container denies any uncovered HTTP methods. A 403 (SC_FORBIDDEN)
status code is returned by the denied HTTP methods. You can also use the http-method-omission element to specify an HTTP method to which a security constraint doesn’t apply. In the following secure example, the deny-uncovered-http-methods
element is specified in the web.xml
file:
<servlet-mapping id="ServletMapping_1">
<servlet-name>MyServlet</servlet-name>
<url-pattern>/MyURLPattern</url-pattern>
</servlet-mapping>
<deny-uncovered-http-methods />
<!-- SECURITY CONSTRAINTS -->
<security-constraint id="SecurityConstraint_1">
<web-resource-collection id="WebResourceCollection_1">
<web-resource-name>Protected with Employee or Manager roles</web-resource-name>
<url-pattern>/MyURLPattern</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1">
<role-name>Employee</role-name>
<role-name>Manager</role-name>
</auth-constraint>
</security-constraint>
A message is logged in the messages.log
file for each URL pattern in each servlet. These messages indicate the uncovered methods and whether those methods are accessible:
If the
deny-uncovered-http-methods
element is specified in theweb.xml
file, the messages indicate that the uncovered methods are unprotected and not accessible, as shown in the following example:For URL MyURLPattern in servlet MyServlet, the following HTTP methods are uncovered, and not accessible: DELETE OPTIONS HEAD PUT TRACE
If the
deny-uncovered-http-methods
element isn’t specified in theweb.xml
file, the messages indicate that the uncovered methods are unprotected and accessible, as shown in the following example:For URL MyURLPattern in servlet MyServlet, the following HTTP methods are uncovered, and accessible: DELETE OPTIONS HEAD PUT TRACE
File serving and directory browsing
You can further limit the risk of serving inappropriate content by disabling file serving and directory browsing in your web applications. Set the following property in the ibm-web-ext.xml
file:
<enable-directory-browsing value="false" />
Confidential transport guarantee between the client and the server
To ensure that applications run only over secure HTTP connections, specify the transport-guarantee
element with a value of CONFIDENTIAL
in the web.xml
file:
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
See also
Guide: Securing a web application