Tomcat Notes: Web Security, HTTPS In Tomcat

news2024/12/24 3:08:12

This is a personal study notes of Apache Tomcat. Below are main reference material.

- YouTube Apache Tomcat Full Tutorial,owed by Alpha Brains Courses. https://www.youtube.com/watch?v=rElJIPRw5iM&t=801s

  • 1、Overview
  • 2、Two Levels Of Web Security
    • 2.1、Trace Of A Full Security Example
  • 3、Some Security Conceptions
    • 3.1、Man-In-The-Middle
    • 3.2、 Key Store And Trust Store
    • 3.3、Message Digests
    • 3.4、Symmetric Encryption And Decryption
    • 3.5、Asymmetric Encryption And Decryption
  • 4、Process Of HTTPS


1、Overview

This article is about problems in web security, how HTTPS secure sending messages and some basic cryptology algorithm.

I’m not very confident with this article since I never make any practice on those concetions or theorys.

Any advice or correction is welcomed.

2、Two Levels Of Web Security

Web server and web app security covers two distinct but related levels.

  • Wire-level(transport-level): In this level it encrypts data transmission through all nodes.
  • Users/roles security: User authentication and role authorization. Good news is Tomcat supports ‘Container-managed security’ in which Catalina, rather than a particular web app does this heavy lifting.

HTTPS is a way to secure in this two levels. HTTPS is a way to secure in this level. S of course stands for secure, There a lot of layers atop HTTPS but HTTPS is the most popular and dominant one.

Tomcat uses HTTP by default. We need to turn HTTPS on in TOMCAT_HOME/conf/server.xml. And other operations are also required.

Three problems HTTPS need to solve.

1. The one who sends you messages is who you think it is rather than other one who pretends to be it.
2. The messages are encrypted, even though other people capture the messages but we have the confidence they can't decrypt it.
3. The request(response) recieved by the server(the browser) is exactly same with initially sent by the brower(the server). 

Here is the wire-level security and services in Alice-to-Bob messages sending scenario.

  1. Peer Authentication (aka mutual chanllenge)

     messages            #Is it real Bob?
     Alice <------------->Bob
     #Is it real Alice?     
    
  2. Confidentiality (message decryption/encryption)

            message                          encrypted message                   message
     Alice --------->encryption engine------------------>decryption engine--------> Bob
    
  3. Integrity:

           message		 message
     Alice--------->route------->Bob # does sent messge == recieved message?
    

2.1、Trace Of A Full Security Example

We are going to explore the details of web security with curl. The curlis used to issue a request over a HTTPSto a deployed web app.

Below is the output of curlissuing a HTTPSrequest.

* About to connect() to localhost port 8443 (#0)  # 8443 is the conventional port fo HTTPS in Tomcat
*   Trying ::1... connected						  # while 8080 is for HTTP
* Connected to localhost (::1) port 8443 (#0)
* successfully set certificate verify locations:
*   CAfile: none		
  CApath: /etc/ssl/certs		#Exchange for certificates
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):	#In handshake, the server and the client need to discuss
* SSL connection using EDH-RSA-DES-CBC3-SHA # which encryption to use and digital certificates.
* Server certificate:	
    ...
*   SSL certificate verify result: self signed certificate (18), continuing anyway.  
* Server auth using Basic with user 'moe'
# one the SSl and TLS secure the connection, server begins to handle request
> GET /predictions HTTP/1.1
> Authorization: Basic bW9lOk1vZU1vZU1vZQ==
> User-Agent: curl libcurl OpenSSL zlib libidn
> Host: localhost:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Transfer-Encoding: chunked
...
<
<html>

3、Some Security Conceptions

3.1、Man-In-The-Middle

Man-in-the-middle scenario.

Alice(sender)---------------------->Bob(intended recepient)
						|
						|	
				Eve(eavesdropper)

Alice sends messages to Bob and Alice thinks the person she sent messages to is Bob but it is Eve in fact.

Bob thinks he receives messages from Alice but it is Eve in fact.

This is where peer authentication phase come in. It is meant to build trust on the Alice and Bob sides. In other words Alice
sends certificates to Bob to assure Bob that it is really Alice on the other side and Bob do the same thing to Alice to get trust.

3.2、 Key Store And Trust Store

Now let me intrduce more jargon which are key storeand trust store.

Java uses this terminology all over the place and it is also what we are going to use.

They bear directly on the topic of digital certificates.

The key storeis where we keep our digital certificates. So it’s database of our digital certificates. They are just some files.

The trust storeis database of digital certificates that I trust. The trust stroecould be the same with key storeby the way.

3.3、Message Digests

We see this thing before. When we download the Tomcat from Apache official site, we can see sha-1or md5used to verify the integrity, making sure the package we download has exactly same with that in Apache server.

By the way output of the Message Digestcould be encrypted forming a digital signature.

请添加图片描述

Below is the processes of sending a message, and Message Digestis part of the encryption engine.

在这里插入图片描述

3.4、Symmetric Encryption And Decryption

Now we are going to get further about the encryption keyand the decryption key.

In the modal called Symmetric encryption and decryption, encryption keyand decryption keyis the same one.

It brings a new problem, if Alice has the single key, how can she manage to send the single key to Bob safely or vice versa?

That’s sometimes called the key distribution problem.

The upside of this modal is that it’s fast. Roughly speaking it 1000 times faster than Asymmetric encryption and decryption.
请添加图片描述


3.5、Asymmetric Encryption And Decryption

In this modal, it uses a pair of key, containing a public keyand a private key, to encryption and decryption.

This pair of key is generated by the recipient. The public keyis used to encryption and the encrypted message can be decrypted only with the private key.

The pulic key can be held by anyone just like its name so it basically can be percieved as an indentity, while the private name can only be held by the recipient.

Supposing Alice wants to send a message to Bob.

  1. Alice firstly get Bob’s public key.
  2. Alice encrypts message with the public key.
  3. Bob recieves the encrypted message then decrypts it with it’s private key.

In this way it assure Alice that her messages can be understood only by Bob.

While it’s not perfect, Alice knows who she sent messages to but Bob does’t know where the messages come from.

请添加图片描述



4、Process Of HTTPS

With the basis of above conceptions we are going to get into how ‘S’ in HTTPSworks.

Three terms play a role in wire-level security ‘peer authentication’ in particular.

  • Key Pair: A pulic key and a private key. Unlike the asymmetric cryptology, the public key in here is used to decryption while the private key is used to encryption.

  • Digital Certificate: Including the key pairand a digital signature as a voucher for message sent by someone.

    Digital signature is a message digest encrypted by the private key.

  • Certificate Authority: Company that voucher for a digital certificate.

    Company voucher for a DCby adding it’s digital signature to the DC.

HTTPS addresses the man-in-the-middle by having the two sides(Alice and Bob) exchanges their DCto confirm their indenties.

Here’s is the five steps that Alice would go through in order to send messages to Bob.

  1. Alice sends a signed certificate reqeust containing her name her public key and perhaps some additional information to a CA.
  2. The CAcreates a message M from Alice’s request. signing the message M with its private key, thereby creating a seperate signature message SIG,
  3. The CAreturns Alice the message M with its signature message M. Together M and SIG form Alice’s certificate.
  4. Alice sends her newly minted certificate to Bob to give him access to her public key .
  5. Bob verfies the signature SIG using the CA'spublic key. If the signature proves valid, which means the message does come from Alice, he accepts the public key in the certificates as Alice’s public key which is her identity.

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1409096.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

运用ETLCloud快速实现数据清洗、转换

一、数据清洗和转换的重要性及传统方式的痛点 1.数据清洗的重要性 数据清洗、转换作为数据ETL流程中的转换步骤&#xff0c;是指在数据收集、处理、存储和使用的整个过程中&#xff0c;对数据进行检查、处理和修复的过程&#xff0c;是数据分析中必不可少的环节&#xff0c;对…

Maps基础知识

什么是Maps&#xff1f; 在JavaScript中&#xff0c;Map是一种用于存储键值对的数据结构。它类似于对象&#xff0c;但有一些区别。 Map对象允许任何类型的值作为键&#xff08;包括对象、函数和基本数据类型&#xff09;&#xff0c;而对象只能使用字符串或符号作为键。这使得…

一次性密码 One Time Password,简称OTP

一次性密码&#xff08;One Time Password&#xff0c;简称OTP&#xff09;&#xff0c;又称“一次性口令”&#xff0c;是指只能使用一次的密码。一次性密码是根据专门算法、每隔60秒生成一个不可预测的随机数字组合&#xff0c;iKEY一次性密码已在金融、电信、网游等领域被广…

three.js中Meshline库的使用

three.js中Meshline的使用 库的地址为什么要使用MeshLine,three.js内置的线不好用吗?MeshLine入门MeshLine的深入思考样条曲线一个问题 库的地址 https://github.com/spite/THREE.MeshLine?tabreadme-ov-file 为什么要使用MeshLine,three.js内置的线不好用吗? 确实不好用,…

一个监控小技巧,巧妙破解超低温冰箱难题!

在当今科技飞速发展的时代&#xff0c;超低温冰箱监控系统以其在各行各业中关键的温度控制和环境监测功能而备受关注。 超低温环境对于存储生物样本、药品和其他温度敏感物品至关重要&#xff0c;而监控系统则提供了实时、精准的环境数据&#xff0c;确保这些物品的质量和安全性…

(2)Elastix图像配准:参数文件(配准精度的关键)

文章目录 前言一、Elastix简介二、参数文件&#xff08;类型&#xff09;三、参数文件&#xff08;定义&#xff09;&#xff1a;由多个组件组成&#xff0c;每个组件包含多个参数。3.1、组件的相关参数3.2、图解组件3.2.1、图解 - 金字塔&#xff08;pyramid&#xff09;3.2.2…

Mediasoup Demo-v3笔记(二)——server.js和room.js分析

server.js 主要运行逻辑 async function run() {// Open the interactive server.await interactiveServer();// Open the interactive client.if (process.env.INTERACTIVE true || process.env.INTERACTIVE 1)await interactiveClient();// Run a mediasoup Worker.await…

基于node.js和Vue3的医院挂号就诊住院信息管理系统

摘要&#xff1a; 随着信息技术的快速发展&#xff0c;医院挂号就诊住院信息管理系统的构建变得尤为重要。该系统旨在提供一个高效、便捷的医疗服务平台&#xff0c;以改善患者就医体验和提高医院工作效率。本系统基于Node.js后端技术和Vue3前端框架进行开发&#xff0c;利用其…

spring中循环依赖问题、Servlet 的过滤器与 Spring 拦截器区别

spring中的循环依赖问题 当A类中关联B&#xff0c;B类中关联A class A {B b; } class B {A a; } 正常java代码中new A时&#xff0c;b为null&#xff1b;new B时&#xff0c;a为null&#xff1b; 但是在spring中&#xff0c;由于对象是由spring容器管理的&#xff0c;当创建…

Netty Reactor 模式解析

目录 Reactor 模式 具体流程 配置 初始化 NioEventLoop ServerBootstrapAcceptor 分发 Reactor 模式 在刚学 Netty 的时候&#xff0c;我们肯定都很熟悉下面这张图&#xff0c;它就是单Reactor多线程模型。 在写Netty 服务端代码的时候&#xff0c;下面…

vue 解决:Module not found: Error: Can‘t resolve ‘vue-router‘ 的问题

1、问题描述&#xff1a; 其一、报错为&#xff1a; Module not found: Error: Cant resolve vue-router 中文为&#xff1a; 找不到模块&#xff1a;错误&#xff1a;无法解析“vue-router” 其二、问题描述为&#xff1a; 根据报错的中文信息可知&#xff1a;应该是无法…

PWN入门Protostar靶场Stack系列

Protostar靶场地址 https://exploit.education/protostar/溢出 源码分析 #include <stdlib.h> #include <unistd.h> #include <stdio.h>int main(int argc, char **argv) {volatile int modified; //定义一个变量char buffer[64]; //给…

Git服务器、GitLab介绍及搭建、HIS代码托管、CI/CD概述、Jenkins部署、Jenkins插件、Jenkins工程构建

案例1&#xff1a;GitLab服务器搭建 使用rpm包本地部署GitLab服务器 #确认GitLab主机硬件配置[rootGitLab ~]# free -mtotal used free shared buff/cache availableMem: 3896 113 3691 8 90 3615…

day31WEB攻防-通用漏洞文件上传js验证mimeuser.ini语言特性

目录 1.JS验证 2.JS验证MIME 3.JS验证.user.ini 4.JS验证.user.ini短标签 &#xff08;ctfshow154&#xff0c;155关&#xff09; 5.JS验证.user.ini短标签过滤 [ ] 6.JS验证.user.ini短标签加过滤文件头 有关文件上传的知识 1.为什么文件上传存在漏洞 上传文件…

视频汇聚/云存储平台EasyCVR级联上级播放后一直发流是什么原因?

可视化云监控平台/安防视频监控系统EasyCVR视频综合管理平台&#xff0c;采用了开放式的网络结构&#xff0c;可以提供实时远程视频监控、视频录像、录像回放与存储、告警、语音对讲、云台控制、平台级联、磁盘阵列存储、视频集中存储、云存储等丰富的视频能力&#xff0c;同时…

大创项目推荐 题目: 基于深度学习的疲劳驾驶检测 深度学习

文章目录 0 前言1 课题背景2 实现目标3 当前市面上疲劳驾驶检测的方法4 相关数据集5 基于头部姿态的驾驶疲劳检测5.1 如何确定疲劳状态5.2 算法步骤5.3 打瞌睡判断 6 基于CNN与SVM的疲劳检测方法6.1 网络结构6.2 疲劳图像分类训练6.3 训练结果 7 最后 0 前言 &#x1f525; 优…

spire.doc合并word文档

文章目录 spire.doc合并word文档1. 引入maven依赖2. 需要合并的word3. 合并文档代码4. 合并结果 spire.doc合并word文档 1. 引入maven依赖 <repositories><repository><id>com.e-iceblue</id><name>e-iceblue</name><url>https://r…

JVM篇----第五篇

系列文章目录 文章目录 系列文章目录前言一、Java 中堆和栈有什么区别?二、描述一下 JVM 加载 class 文件的原理机制三、GC 是什么?为什么要有 GC?前言 前些天发现了一个巨牛的人工智能学习网站,通俗易懂,风趣幽默,忍不住分享一下给大家。点击跳转到网站,这篇文章男女通…

LIMS源码,实验室信息系统源码,后端框架:asp.net

LIMS(laboratory information management system)即实验室信息管理系统是实验室管理科学发展的成果&#xff0c;是实验室管理科学与现代信息技术结合的产物&#xff0c;是利用计算机网络技术、数据存储技术、快速数据处理技术等&#xff0c;对实验室进行全方位管理的计算机软件…

利用tpu-mlir工具将深度学习算法模型转成算能科技平台.bmodel模型的方法步骤

目录 1 TPU-MLIR简介 2 开发环境搭建 2.1 下载镜像 2.2 下载SDK 2.3 创建容器 2.4 加载tpu-mlir 3 准备工作目录 4 onnx转mlir文件 5 mlir转INT8 模型 5.1 生成校准表 5.2 便以为INT8对称量化模型 参考文献&#xff1a; 之前是用nntc转算能科技的模型的&#xff0c…