For Java Security
- Custom Error Page
- Restrict File Access
- Broken Session Management
- SecDim - Learn Secure Programming in a Game
How to implement a custom error page in a Java website? Create web.xml and insert the code below:

```xml
<error-page>
<error-code>404</error-code>
<location>/error.jsp</location>
</error-page>
```
## error.jsp is the location of the custom error page
In the same web.xml, insert the code below (the `<location>` value must start with a `/`):

```xml
<error-page>
<error-code>403</error-code>
<location>/forbid.jsp</location>
</error-page>
```
## forbid.jsp is the location of the custom error page
Using the session (on login):

```java
// Drop any session that existed before authentication, so an id handed to the
// client earlier is not carried over into the authenticated session
HttpSession old = request.getSession(false);
if (old != null) {
    old.invalidate();
}
// Start a fresh session for the authenticated user
HttpSession session = request.getSession(true);
session.setAttribute("uname", uname);
// Keeping the raw password in the session is not needed to track login state
session.setAttribute("pass", pass);
response.sendRedirect("welcome.jsp");
```
On logout:

```java
HttpSession session = request.getSession();
session.removeAttribute("uname");
// invalidate() discards the whole server-side session, not just one attribute
session.invalidate();
response.sendRedirect("login.jsp");
```
- Adding security headers
- Custom error page
- Broken session Management
- Cross-site Scripting
- Unrestricted file upload
To implement security headers in an application created with the Spring Boot framework, add the Spring Security dependency to pom.xml:

```xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
Next, create a class that extends WebSecurityConfigurerAdapter. Add the annotation @EnableWebSecurity to the class to tell Spring that this class is a Spring Security configuration.
Override the two overloaded methods configure(HttpSecurity) and configure(AuthenticationManagerBuilder).
configure(HttpSecurity) defines the mapping of secured URLs or paths that determines whether the user can access specific pages.
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class Security extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // path rules and header settings go here
    }
}
```
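A worked version of the configure(HttpSecurity) method that actually sets the response headers, added here as an example (it is not the repository's own code). It assumes Spring Security 5.x with the WebSecurityConfigurerAdapter style used on this page; the class name SecurityHeadersConfig and the Content-Security-Policy value are assumptions to adapt to your pages.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@EnableWebSecurity
public class SecurityHeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // X-Content-Type-Options: nosniff (on by default, kept explicit here)
                .contentTypeOptions().and()
                // X-Frame-Options: DENY, so the app cannot be framed for clickjacking
                .frameOptions().deny()
                // Strict-Transport-Security; Spring only emits it on HTTPS requests,
                // so behind a TLS-terminating proxy make sure the request is seen as secure
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)
                    .and()
                // Referrer-Policy: limit what URL information leaks to other origins
                .referrerPolicy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
                    .and()
                // Content-Security-Policy (assumed value): same-origin resources only,
                // no plugins, and a second layer of framing protection
                .contentSecurityPolicy("default-src 'self'; object-src 'none'; frame-ancestors 'none'")
                    .and()
                .and()
            .authorizeRequests()
                // the login page and the custom error page must stay reachable
                .antMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll();
    }
}
```

Check the result with `curl -I` against a page of the running application: every header configured above should appear on the response, and the HSTS header only when the request arrived over HTTPS.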
Go to application.properties and set

```properties
server.error.whitelabel.enabled=false
```

and create a custom error page.
Add the org.owasp.esapi dependency to the pom.xml file:

```xml
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.2.0</version>
</dependency>
```
Use StringEscapeUtils (from Apache Commons Lang, as in the reference below) to HTML-escape untrusted values before they are rendered in the view:

```jsp
${StringEscapeUtils.escapeHtml(obj.name)}
```
#### Reference: https://www.java67.com/2012/10/how-to-escape-html-special-characters-JSP-Java-Example.html
https://owasp.org/owasp-java-encoder/
Login and logout handling in the same Spring Security configuration class:

```java
// requires: import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests().antMatchers("/login").permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage("/login").permitAll()
        .and()
        // on logout: drop the HttpSession and clear the SecurityContext
        .logout().invalidateHttpSession(true)
        .clearAuthentication(true)
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .logoutSuccessUrl("/logout-success").permitAll();
}
```
Restricting file uploads to an allowlist of extensions and storing them under a server-chosen name:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.io.FilenameUtils;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.servlet.ModelAndView;

public ModelAndView upload(MultipartFile file) {
    String UPLOAD_FOLDER = "C://test//";
    // Exact-match allowlist: a substring test such as "jpg,jpeg,png".contains("p")
    // would accept values that are not real extensions
    Set<String> allowedExtensions = new HashSet<>(Arrays.asList("jpg", "jpeg", "png"));
    String original = file.getOriginalFilename() == null ? "" : file.getOriginalFilename();
    String extension = FilenameUtils.getExtension(original).toLowerCase();
    if (extension.isEmpty() || !allowedExtensions.contains(extension)) {
        return new ModelAndView("status", "message", "file type not supported");
    }
    // Never reuse the client-supplied name on disk; derive the stored name server-side
    // (note: two uploads with the same original name map to the same hash and overwrite)
    int abcd = original.hashCode();
    String filter = String.valueOf(abcd) + "." + extension;
    Path path = Paths.get(UPLOAD_FOLDER + filter);
    try {
        byte[] bytes = file.getBytes();
        Files.write(path, bytes);
    } catch (IOException e) {
        return new ModelAndView("status", "message", "upload failed");
    }
    // log
    return new ModelAndView("status", "message", "success");
}
```
For more, see the code at https://github.com/effortlessdevsec/Java-Security/tree/main/files/spring-boot-fileupload