8.6. Example: Programmatic Security and SSL

Listing 8.5 presents a servlet that redirects non-SSL requests to a URL that is identical to the URL of the original request except that http is changed to https. When an SSL request is received, the servlet presents a page that displays information on the URL, query data, key size, encryption algorithm, and client certificate. Figures 8-7 and 8-8 show the results.

Figure 8-7. New-certificate page for Internet Explorer. View and import the certificate to suppress future warnings. For details on creating self-signed certificates for use with Tomcat, see Section 7.5. Again, self-signed certificates would not be trusted in real-world applications; they are for testing purposes only.


Figure 8-8. Result of the SecurityInfo servlet.


In a real application, make sure that you redirect users when they access the servlet or JSP page that contains the form that collects the data. Once users submit sensitive data to an ordinary non-SSL URL, it is too late to redirect the request: attackers with access to the network traffic could have already obtained the data.

Listing 8.5. SecurityInfo.java
package moreservlets;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.security.cert.*; // For X509Certificate

/** Servlet that prints information on SSL requests. Non-SSL
 *  requests get redirected to SSL.
 */

public class SecurityInfo extends HttpServlet {
  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
    // Redirect non-SSL requests to the SSL equivalent.
    if (request.getScheme().equalsIgnoreCase("http")) {
      String origURL = request.getRequestURL().toString();
      String newURL = httpsURL(origURL);
      String formData = request.getQueryString();
      if (formData != null) {
        newURL = newURL + "?" + formData;
      }
      response.sendRedirect(newURL);
    } else {
      String currentURL = request.getRequestURL().toString();
      String formData = request.getQueryString();
      PrintWriter out = response.getWriter();
      String docType =
        "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 " +
        "Transitional//EN\">\n";
      String title = "Security Info";
      // The URL and query string come from the client, so escape
      // them before echoing them into the page.
      out.println
        (docType +
         "<HTML>\n" +
         "<HEAD><TITLE>" + title +
         "</TITLE></HEAD>\n" +
         "<BODY BGCOLOR=\"#FDF5E6\">\n" +
         "<H1>" + title + "</H1>\n" +
         "<UL>\n" +
         "  <LI>URL: " + escapeHtml(currentURL) + "\n" +
         "  <LI>Data: " + escapeHtml(formData));
      boolean isSecure = request.isSecure();
      if (isSecure) {
        String keyAttribute =
          "javax.servlet.request.key_size";
        // Available only with servlets 2.3
        Integer keySize =
          (Integer)request.getAttribute(keyAttribute);
        String sizeString =
          replaceNull(keySize, "Unknown");
        String cipherAttribute =
          "javax.servlet.request.cipher_suite";
        // Available only with servlets 2.3
        String cipherSuite =
          (String)request.getAttribute(cipherAttribute);
        String cipherString =
          replaceNull(cipherSuite, "Unknown");
        String certAttribute =
          "javax.servlet.request.X509Certificate";
        // Available with servlets 2.2 and 2.3. Servlets 2.2 stores a
        // single X509Certificate under this attribute; servlets 2.3
        // and later store an X509Certificate[] with the client's own
        // certificate first. Accept both forms instead of casting
        // blindly, which would throw ClassCastException on 2.3.
        Object certAttr = request.getAttribute(certAttribute);
        X509Certificate certificate = null;
        if (certAttr instanceof X509Certificate[]) {
          X509Certificate[] chain = (X509Certificate[])certAttr;
          if (chain.length > 0) {
            certificate = chain[0];
          }
        } else if (certAttr instanceof X509Certificate) {
          certificate = (X509Certificate)certAttr;
        }
        String certificateString =
          replaceNull(certificate, "None");
        out.println
          ("  <LI>SSL: true\n" +
           "  <UL>\n" +
           "    <LI>Key Size: " + sizeString + "\n" +
           "    <LI>Cipher Suite: " + cipherString + "\n" +
           "    <LI>Client Certificate: " +
           escapeHtml(certificateString) + "\n" +
           "  </UL>");
      }
      out.println
        ("</UL>\n" +
         "</BODY></HTML>");
    }
  }

  // Given http://blah, return https://blah.
  private String httpsURL(String origURL) {
    int index = origURL.indexOf(":");
    StringBuffer newURL = new StringBuffer(origURL);
    newURL.insert(index, 's');
    return(newURL.toString());
  }

  // If the first argument is null, return the second argument.
  // Otherwise, convert first argument to a String and
  // return that String.
  private String replaceNull(Object obj, String fallback) {
    if (obj == null) {
      return(fallback);
    } else {
      return(obj.toString());
    }
  }

  // Escape the characters that are significant in HTML so that
  // client-supplied text cannot inject markup into the page.
  private String escapeHtml(String s) {
    if (s == null) {
      return("null");
    }
    StringBuffer sb = new StringBuffer(s.length());
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      if (c == '<') sb.append("&lt;");
      else if (c == '>') sb.append("&gt;");
      else if (c == '&') sb.append("&amp;");
      else if (c == '"') sb.append("&quot;");
      else sb.append(c);
    }
    return(sb.toString());
  }
}
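A filter version of the redirect, added here as an example and not taken from the book: it remaps Tomcat's default connector ports (8080 to 8443, an assumption about the deployment) so that the HTTPS URL actually reaches the SSL connector, and, following the caution above, it refuses rather than redirects form submissions that arrive over plain HTTP, because that data has already crossed the network unencrypted.

```java
package moreservlets;

import java.io.IOException;
import java.net.URI;
import javax.servlet.*;
import javax.servlet.http.*;

/** Forces SSL for every URL it is mapped to. Plain-HTTP GETs are
 *  redirected to the HTTPS equivalent with the connector port remapped;
 *  plain-HTTP POSTs are refused, because their body has already crossed
 *  the network in the clear and a redirect would only hide that.
 */
public class RequireSslFilter implements Filter {
  // Assumed Tomcat connector ports; adjust to the deployment.
  private static final int HTTP_PORT = 8080;
  private static final int HTTPS_PORT = 8443;

  public void init(FilterConfig config) {}
  public void destroy() {}

  public void doFilter(ServletRequest req, ServletResponse res,
                       FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest)req;
    HttpServletResponse response = (HttpServletResponse)res;
    if (request.isSecure()) {
      chain.doFilter(req, res);
    } else if ("GET".equals(request.getMethod())) {
      // getRequestURL() is built from the client's Host header; use a
      // configured host name instead if open redirects are a concern.
      response.sendRedirect(httpsURL(request.getRequestURL().toString(),
                                     request.getQueryString()));
    } else {
      response.sendError(HttpServletResponse.SC_FORBIDDEN,
                         "Submit this form over HTTPS.");
    }
  }

  // http://host:8080/path -> https://host:8443/path, query string kept.
  // Port 80 (explicit or implied) maps to the HTTPS default, 443.
  // Uses the raw path so already-encoded characters are not re-encoded.
  static String httpsURL(String origURL, String query) {
    URI u = URI.create(origURL);
    int port = (u.getPort() == HTTP_PORT) ? HTTPS_PORT : u.getPort();
    StringBuilder sb = new StringBuilder("https://").append(u.getHost());
    if (port != -1 && port != 80 && port != 443) sb.append(':').append(port);
    sb.append(u.getRawPath());
    if (query != null) sb.append('?').append(query);
    return sb.toString();
  }
}
```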
