
4.2.1.2.3.1: Avoiding the security risks of invoking servlets by class name

Anyone enabling the Invoker servlet to serve servlets by their class names (the "serve files by class name" function in WebSphere Application Server) should take steps to avoid the resulting security risks. The administrator should remain aware of every servlet class placed in the classpath of an application, even when the servlets are intended to be invoked by their class names.

Warning regarding servlet URIs

Appending /$/foo to the URL allows you to access the servlet URL, but the URL is then misunderstood by the runtime environment. This type of URL may create a security exposure. The best practice for securing servlets is to follow the Java security specifications documented in the Securing applications section.

Warning regarding malicious HTML tags embedded in client requests

A Web site may inadvertently include malicious HTML tags or scripts in a dynamically generated page based on unvalidated input from untrustworthy sources. By accessing a malicious URL and then accessing an application server, a user may unknowingly execute script code on his machine that exposes the data received from the server. The browser executes the script on the user's machine without the user's knowledge.

The malicious tags that can be embedded in this way are <SCRIPT> and </SCRIPT>.

This problem can be prevented if the server-generated pages are encoded so that the scripts cannot execute. Developers generating responses that contain client data, based on servlet or JSP requests, can encode the responses using the following method:

com.ibm.websphere.servlet.response.ResponseUtils.encodeDataString(String)

Visit the CERT advisories Web site for more information.
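The following servlet is an added example, not code from the InfoCenter or from WebSphere itself. It echoes a request parameter back to the client and shows the unencoded (vulnerable) line beside the hardened line that uses the encodeDataString method named above. The servlet name and the "name" parameter are hypothetical; it assumes the servlet API and the WebSphere runtime classes are on the classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.servlet.response.ResponseUtils;

// Hypothetical servlet that greets the caller using the "name" request parameter.
public class GreetingServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Client-supplied data: untrusted, may contain <SCRIPT> ... </SCRIPT>.
        String name = req.getParameter("name");
        if (name == null) {
            name = "guest";
        }

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<HTML><BODY>");

        // Vulnerable form (shown for contrast, deliberately not used):
        // the raw parameter is copied into the page, so any tags it carries
        // are interpreted by the browser as part of the page.
        //   out.println("Hello, " + name);

        // Hardened form: the parameter is encoded before it is written, so
        // a value such as <SCRIPT>...</SCRIPT> reaches the browser as
        // &lt;SCRIPT&gt;...&lt;/SCRIPT&gt; and is rendered as text, not run.
        out.println("Hello, " + ResponseUtils.encodeDataString(name));

        out.println("</BODY></HTML>");
    }
}
```

Every place a response concatenates client data (request parameters, headers, cookies, form fields) needs the same treatment; encoding one parameter does not protect the others.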

Protecting servlets

To protect each servlet, the administrator needs to:

  1. Configure a Web resource based on the servlet class name, such as:
    /servlet/SnoopServlet
    for SnoopServlet.class

  2. Add the Web resource to the Web Path list of the Invoker servlet in the Web application to which the servlet belongs.

  3. Use the Configure Resource Security wizard in the Java administrative console to secure the Web resource.

Also, the administrator needs to secure the Invoker servlet itself.

Details

WebSphere security is based on defining, and then securing, URIs (known as Web resources) for servlets. This allows an administrator to apply different security levels to different paths for accessing the same servlet. Also, Web resources are logical designations that are not guaranteed to match servlet class names. For these reasons, actual class names are irrelevant to WebSphere security unless you explicitly specify that you want to protect the path for invoking a servlet by its class name.

When a Web application allows users to invoke servlets by class name, the administrator is able to drop servlets into a Web application without having to explicitly define them in WebSphere systems administration.

Suppose that the WebSphere administrator drops in a servlet class to be invoked by its class name. Even if a servlet corresponding to the same class name is defined and protected, users will be able to invoke the servlet by class name without any security checks. (The exception is if the administrator has created a Web resource corresponding to the servlet class name, as described in the steps above.)

Undefined servlets remain unprotected unless steps are taken to assign secure Web resources to them based on their class names.
