CHAPTER FOUR - Security
Security: How do I implement it?
5.1) SECURE WEB PAGES
How do I secure all web pages in a directory?
The simplest way is to use the web-based control panel to password-protect your web pages.

Alternatively, via telnet, if your home directory is /home/yourlogin, create a file named .htaccess in the web directory you want to protect, containing the following:

AuthUserFile /home/yourlogin/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET POST>
require user pumpkin
</Limit>

Then, in your home directory, type htpasswd -c .htpasswd pumpkin. The -c flag creates the file; leave it off when adding further users, or the existing file is overwritten.

This secures the directory so that only the user pumpkin can enter it.

If you want any of the user/password combinations you created in your .htpasswd file to allow access, say require valid-user instead of require user xxx in .htaccess, and any of the users you created will be able to access the files.

Two things to keep in mind. First, <Limit GET POST> restricts only GET and POST requests; if you leave out the <Limit> and </Limit> lines so that the require directive stands on its own, the restriction applies to every request method. Second, Basic authentication sends the user name and password with every request, only Base64-encoded, so anyone who can watch the traffic can read them; if the password matters, serve the protected pages over SSL (see 5.5).

Store the .htpasswd file in your home directory, outside your web directory, so that it cannot be downloaded through the web server. The one drawback to putting .htpasswd in your home directory is that you will have to slightly lower the security of the home directory: go to /home and type chmod o+x yourlogin. The web server runs as a different user and needs execute (search) permission on your home directory, and read permission on the file itself, in order to read .htpasswd.
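The following is an added example, not part of the original FAQ and not HostForWeb's own code. It shows in Python what the server does with a Basic-authentication request against a .htpasswd file: the browser's Authorization header is only Base64 (the decoding step shows why SSL matters), the file is looked up, and the password is checked against the stored hash, under either "require user pumpkin" or "require valid-user". The user names, passwords and file contents are made up for the example, and only the {SHA} entry format written by htpasswd -s is implemented; the crypt(3), MD5 and bcrypt formats htpasswd can also write are not.

```python
import base64
import binascii
import hashlib
import hmac


def make_sha_entry(user: str, password: str) -> str:
    """One .htpasswd line in the form 'htpasswd -s' writes: user:{SHA}Base64(SHA-1(password)).
    Unsalted SHA-1 gives no protection against offline guessing if the file leaks;
    htpasswd's MD5 (-m) and bcrypt (-B) formats are stronger but not implemented here."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def basic_header(user: str, password: str) -> str:
    """The Authorization header value a browser sends after the password prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic_header(header: str):
    """Recover (user, password) from a Basic header value, or None if it is malformed.
    Anyone who can read the request can do this too: Base64 is encoding, not secrecy."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        text = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if ":" not in text:
        return None
    user, _, password = text.partition(":")  # the password may itself contain colons
    return user, password


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash, ignoring blank lines, comments and junk."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_stored(stored: str, password: str) -> bool:
    """Compare a candidate password with one stored hash in constant time."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(actual, expected)
    return False  # crypt(3), $apr1$ and $2y$ entries would need their own verifiers


def authorize(header: str, htpasswd_text: str, required_user: str = None) -> bool:
    """Decide a request the way 'require user X' (required_user set) or
    'require valid-user' (required_user None) would, given the .htpasswd contents."""
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    if required_user is not None and user != required_user:
        return False
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None:
        return False
    return check_stored(stored, password)


# Constructed sample file: made-up users and passwords, not real credentials.
SAMPLE_HTPASSWD = "\n".join([
    "# created with: htpasswd -c -s .htpasswd pumpkin; htpasswd -s .htpasswd fred",
    make_sha_entry("pumpkin", "Gourd-42!"),
    make_sha_entry("fred", "Apple-7?"),
]) + "\n"


if __name__ == "__main__":
    header = basic_header("pumpkin", "Gourd-42!")
    print("browser sends:", header)
    print("anyone on the path recovers:", decode_basic_header(header))
    print("require user pumpkin:", authorize(header, SAMPLE_HTPASSWD, "pumpkin"))
    print("fred under require user pumpkin:",
          authorize(basic_header("fred", "Apple-7?"), SAMPLE_HTPASSWD, "pumpkin"))
    print("fred under require valid-user:",
          authorize(basic_header("fred", "Apple-7?"), SAMPLE_HTPASSWD))
```

Run it as a script to see the header a browser would send and how trivially it decodes; that is the whole argument for putting password-protected pages behind SSL.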
5.2) SECURE PASSWORDS
How do I create a secure password?
Make it at least 6 characters long and include at least one number, capital letter, or punctuation mark. Passwords can be a maximum of 10 characters, so use as much of that length as you can, and avoid dictionary words, names, and your login.
5.3) SECURE FTP DIRECTORIES
How do I create secure ftp directories?
To make a directory named direct that can only be accessed by userid fred, go to the directory above direct and type chown fred direct. If you wish only fred to be able to read and write in it, type chmod 700 direct. If you wish to allow others to read these files, type chmod a+rx direct after the first command. Note that this opens only the directory itself: each file inside must also be readable by others, which ls -l will show.

The above only works if you are fred (on most systems only the administrator can chown a directory to someone else). If you are not fred, but fred is in your group, ask us to make a new group for you and fred, your2grp. Then you can chgrp your2grp direct and chmod g=rwx direct. If you do not wish anyone else to be able to read these files, use chmod o-rx direct.

To list the access permissions of a file, type ls -l file, and for a directory, ls -ld directory. r = read access, x = execute access, w = write access. After the first letter or hyphen (for file type), the first three letters apply to you, the second three to your group, and the last three to everyone else. Execute access enables you to run programs or enter directories; without it on a directory, nobody can reach the files inside, whatever the files' own permissions say.
Examples of using chmod:

PEOPLE                                   PERMISSIONS
u = the file's user (or owner)           r = read access
g = the file's group                     x = execute access
o = others                               w = write access
a = the user, the group, and others

chmod a+w   = let everyone write to the file
chmod go-r  = don't let people in the file's group or others read the file
chmod g+x   = let people in the file's group execute the file
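The following is an added example, not part of the original FAQ. It models the Unix permission check that both 5.1 (the web server needing execute permission on your home directory to reach .htpasswd) and 5.3 (the 700 and group-shared directories) rely on: exactly one of the user, group and other triples applies to a given caller, every directory on the path needs x, and the file itself needs r. The uids, gids and modes in the scenarios are made up; the last part repeats the check against a real temporary directory using os.stat.

```python
import os
import stat
import tempfile


def mode_string(mode: int) -> str:
    """Render a mode the way ls -l does, e.g. 0o40750 -> 'drwxr-x---'.
    (setuid, setgid and sticky bits are not shown.)"""
    out = "d" if stat.S_ISDIR(mode) else "-"
    for shift in (6, 3, 0):  # user, group, other
        triple = (mode >> shift) & 0o7
        out += "r" if triple & 4 else "-"
        out += "w" if triple & 2 else "-"
        out += "x" if triple & 1 else "-"
    return out


def permits(mode: int, owner_uid: int, owner_gid: int, uid: int, gids, want: str) -> bool:
    """The ordinary Unix check: exactly one triple applies. Owner bits if uid owns the
    object, else group bits if one of the caller's groups matches, else 'other' bits.
    Root's override is deliberately not modelled; a web server runs as an
    unprivileged user such as nobody."""
    if uid == owner_uid:
        triple = (mode >> 6) & 0o7
    elif owner_gid in gids:
        triple = (mode >> 3) & 0o7
    else:
        triple = mode & 0o7
    return bool(triple & {"r": 4, "w": 2, "x": 1}[want])


def can_read_along(chain, uid: int, gids) -> bool:
    """chain: [(mode, owner_uid, owner_gid), ...] from the top directory down to the
    file itself. Every directory needs 'x' (search) for the caller and the file 'r'.
    This is why a 700 home directory hides .htpasswd from the server even when the
    file is 644, and why a 700 directory hides world-readable files inside it."""
    *dirs, (fmode, fuid, fgid) = chain
    for dmode, duid, dgid in dirs:
        if not permits(dmode, duid, dgid, uid, gids, "x"):
            return False
    return permits(fmode, fuid, fgid, uid, gids, "r")


def stat_chain(path: str):
    """Build the chain for a real path with os.stat, top directory first."""
    current = os.path.abspath(path)
    chain = []
    while True:
        st = os.stat(current)
        chain.append((st.st_mode, st.st_uid, st.st_gid))
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    return chain[::-1]


if __name__ == "__main__":
    # Constructed scenario from 5.1: yourlogin is uid 1000, the web server runs as nobody.
    YOURLOGIN, NOBODY = 1000, 65534
    root = (0o40755, 0, 0)
    htpasswd = (0o100644, YOURLOGIN, YOURLOGIN)
    for home_mode, cmd in ((0o40700, "chmod 700 yourlogin"), (0o40701, "chmod o+x yourlogin")):
        chain = [root, root, (home_mode, YOURLOGIN, YOURLOGIN), htpasswd]  # /, /home, /home/yourlogin, .htpasswd
        print(f"{cmd:20} home is {mode_string(home_mode)}; server can read .htpasswd:",
              can_read_along(chain, NOBODY, [NOBODY]))

    # Constructed scenario from 5.3: fred (uid 1001) shares direct with group your2grp (gid 2000).
    FRED, YOU, YOUR2GRP = 1001, 1000, 2000
    direct = (0o40770, FRED, YOUR2GRP)
    report = (0o100640, FRED, YOUR2GRP)
    print("you, in your2grp:    ", can_read_along([root, direct, report], YOU, [YOU, YOUR2GRP]))
    print("you, not in your2grp:", can_read_along([root, direct, report], YOU, [YOU]))

    # The same check against a real temporary tree owned by whoever runs this.
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "yourlogin")
        os.mkdir(home, 0o700)
        secret = os.path.join(home, ".htpasswd")
        with open(secret, "w") as f:
            f.write("placeholder\n")
        os.chmod(secret, 0o644)
        print("temp tree, nobody:", can_read_along(stat_chain(secret), NOBODY, [NOBODY]))
        os.chmod(home, 0o701)
        print("after o+x, nobody:", can_read_along(stat_chain(secret), NOBODY, [NOBODY]))
```

The model takes the caller's uid and group list as parameters because a script cannot become the web server's user; feed it the output of ls -ld on each directory in the path and it tells you whether a request would get through.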
5.4) SECURE CGI-BIN DIRECTORIES
How do I secure all pages in a cgi-bin directory?
Give your CGI scripts names ending in .cgi. The web server executes files with that name rather than sending them, so visitors only ever see the script's output, not its source. This protects only files the server treats as scripts: a copy left beside the script under another name (for example an editor backup ending in .bak or ~) is served as plain text, so do not leave such copies in the directory. Any passwords or other secrets a script needs should live in a file outside your web directory, as with .htpasswd in 5.1.
5.5) SECURE SOCKET LAYER (SSL)
How do I use SSL security on a webpage or form?
The webpage or form that you want to be secure must be called via the secure server, and so must every image and background used in the page. This is done by calling the files in the following format: if your file is normally http://www.yourdomain.com/order.htm, then the page must be called as https://serversecured.net/~username/order.htm. order.htm can be replaced with any file you are calling, including image files that you are trying to secure. If you get a broken key instead of an image that should appear, it is because you have secured the page but not an image or your background; the browser is warning that part of the page still travels unencrypted.

If the webpage you are trying to secure is a form, the action the form performs (form method=post action=http....) must be a secure action as well (form method=post action=https....); otherwise what the visitor types is sent in the clear even though the form itself was loaded securely. Below is an example of the beginning of a secure form using formmail:
You must replace hostforweb.net with the secure URL for the HostForWeb server that you are on. The following are the names of the secure URL for common HostForWeb servers:

host.hostforweb.net (ns.hostforweb.net)    = serversecured.net
host2.hostforweb.net (ns3.hostforweb.net)  = secure.serversecured.net
java.hostforweb.net                        = java.serversecured.net
unis.hostforweb.net                        = unis.serversecured.net
manhatten.hostforweb.net                   = digits.hostforweb.net
lilo.hostforweb.net                        = email sysadmin@hostforweb.net
fallout.hostforweb.net                     = email sysadmin@hostforweb.net

If your HostForWeb server is not listed above, or if you are unsure what server you are on, please contact the support dept.
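The following is an added example, not part of the original FAQ and not HostForWeb's formmail form. It does in Python what you would otherwise do by eye when a secured page shows the broken key: it lists every reference in the page that is still fetched or submitted over plain http, and rewrites each one to the secure-server form described in this section. It goes a little beyond the section by also checking script, stylesheet and frame references, which a browser treats the same way as images. The sample page, www.yourdomain.com, serversecured.net and username are the placeholders the section already uses.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag attributes that make the browser fetch another resource or submit the form.
FETCH_ATTRS = {
    "img": ("src",),
    "body": ("background",),
    "form": ("action",),
    "input": ("src",),      # <input type="image" src=...>
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every reference the page makes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.refs.append((tag.lower(), name.lower(), value.strip()))


def find_insecure_references(html: str):
    """Return the references that would be fetched or submitted over plain http.
    Relative URLs inherit the page's own scheme, so they are fine on an https page;
    an explicit http:// URL is what produces the browser's broken-key warning."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return [ref for ref in collector.refs if urlsplit(ref[2]).scheme.lower() == "http"]


def secure_url(url: str, secure_host: str, username: str) -> str:
    """Map http://www.yourdomain.com/path to https://secure_host/~username/path,
    the rewriting this section describes. Anything that is not an http URL is returned as is."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return urlunsplit(("https", secure_host, "/~" + username + (parts.path or "/"),
                       parts.query, parts.fragment))


def secure_page(html: str, secure_host: str, username: str) -> str:
    """Rewrite every insecure reference in the page (plain text substitution,
    adequate for a hand-written page like the sample below)."""
    for _tag, _attr, url in find_insecure_references(html):
        html = html.replace(url, secure_url(url, secure_host, username))
    return html


# Constructed sample page: a secured order form whose background, one image and the
# form action were left on the plain server. Hostnames follow the section above.
SAMPLE_PAGE = """<html><body background="http://www.yourdomain.com/bg.gif">
<img src="https://serversecured.net/~username/logo.gif">
<img src="http://www.yourdomain.com/photo.jpg">
<img src="/images/local.gif">
<form method="post" action="http://www.yourdomain.com/cgi-bin/formmail.pl">
<input type="text" name="email"></form></body></html>"""


if __name__ == "__main__":
    for tag, attr, url in find_insecure_references(SAMPLE_PAGE):
        print(f"insecure <{tag} {attr}>: {url} -> {secure_url(url, 'serversecured.net', 'username')}")
    print("left after rewrite:",
          find_insecure_references(secure_page(SAMPLE_PAGE, "serversecured.net", "username")))
```

Run it against your own saved page (read the file into a string and call find_insecure_references on it) before uploading; an empty list means nothing on the page will trigger the broken key.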