2012 03 27_philly_jug_rewrite_static
1. Philly Java Users Group
Security and Usability
URL-rewriting for the next-generation web user
Lincoln Baxter, III
Senior Software Engineer Founder
Red Hat, Inc. http://ocpsoft.org/
2012-03-27 “Simpler is better.”
3. Mind the gap.
● Gap #1: “Relocated” or missing resources
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting of useful information
● Gap #5: Validation of user input
● … (and actually many more)
29. Tired of trash in your face?
http://www.amazon.com/Kindle-Touch-Wi-Fi-Ink-Display/dp/B005890G8Y/ref=amb_link_357575542_6?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=gateway-center-column&pf_rd_r=1T2J5PYBVZZWBHWN1BP1&pf_rd_t=101&pf_rd_p=1321408942&pf_rd_i=507846
30. There's plenty of space out in space!
http://amazon.com/shop/kindle-touch?tracker=AAasfds3r32ydkl6fd854kdjf84hfidbdgv64n0curnoxydkl6fd854kdjf84hfidbdgv64n0ge8nfbh...
31. Gap #3: Revealing sensitive information
Visit: http://microsoft.com/genuine/downloads/faq.aspx
You will be redirected to a page without the .aspx suffix.
39. Build trust by reducing clutter & using clean URLs
Before:
http://example.com/news.xhtml?p=my-new-post
After:
http://example.com/news/my-new-post/
40. Gap #5: Validation of user input
URLs are user input, and your website is vulnerable!
41. Aspect Security says:
Two of three recent security vulnerabilities in web frameworks are URL-based. *
* https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
47. Mind the gap.
● Gap #1: “Relocated” resources (404)
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting of useful information
● Gap #5: Validation of user input
49. Basic things we can do with all types of URL-rewriting
● Redirection & Relocation
● Parameterization
    /store/{category}/{item}
● Simple URL validation
    /store/$attack-%3/begin
● Add/Remove Headers
    Accept-Charset: UTF-8
54. Cool things we can do with Filter-based Java URL-rewriting
● Transformation and Canonicalization
    example.com/project/FOO → example.com/project/foo
● Complex Validation
● Data Conversion
● Request interception
● And more...

    .when(Path.matches("/store/product/{pid}")
          .where("pid")
          .bindsTo(El.property("productBean.product")
                     .convertedBy(ProductConverter.class)
                     .validatedBy(ProductValidator.class)))
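A configuration provider in the style of the DSL fragment above, added here as an example (it is not from the slides or from the Rewrite project) that closes gaps #1, #2, #3 and #5 from slides 49 and 54 in one place. It assumes the OCPSoft Rewrite 1.x servlet API class names (check them against the version you use); the paths, the slug regex and the header value are made up for the example.

```java
import javax.servlet.ServletContext;

import org.ocpsoft.rewrite.config.Configuration;
import org.ocpsoft.rewrite.config.ConfigurationBuilder;
import org.ocpsoft.rewrite.config.Direction;
import org.ocpsoft.rewrite.servlet.config.HttpConfigurationProvider;
import org.ocpsoft.rewrite.servlet.config.Path;
import org.ocpsoft.rewrite.servlet.config.Redirect;
import org.ocpsoft.rewrite.servlet.config.Response;
import org.ocpsoft.rewrite.servlet.config.rule.Join;

// Assumed Rewrite 1.x API. Registered by listing this class's fully qualified name in
// META-INF/services/org.ocpsoft.rewrite.config.ConfigurationProvider.
public class NewsRewriteConfiguration extends HttpConfigurationProvider
{
   @Override
   public Configuration getConfiguration(ServletContext context)
   {
      return ConfigurationBuilder.begin()

         // Gap #1 / #3: a page that moved gets a permanent redirect instead of a 404,
         // and the technology-revealing ".aspx" suffix disappears from the public URL.
         .addRule()
            .when(Direction.isInbound().and(Path.matches("/faq.aspx")))
            .perform(Redirect.permanent(context.getContextPath() + "/faq/"))

         // Gap #2: /news/my-new-post/ is served internally by /news.xhtml?p=my-new-post
         // (the "before"/"after" pair from slide 39). withInboundCorrection() sends a
         // request that still arrives at the old address to the clean URL, so only one
         // URL for the post is ever indexed or bookmarked.
         // Gap #5: the URL is user input. {p} may only be a lowercase, hyphenated slug;
         // anything else (for example "$attack-%3") does not match the rule at all and
         // therefore never reaches the view or the bean bound to it.
         .addRule(Join.path("/news/{p}/").to("/news.xhtml")
                      .withInboundCorrection()
                      .where("p").matches("[a-z0-9]+(-[a-z0-9]+)*"))

         // Add/Remove Headers (slide 49): a response header set on every request.
         .addRule()
            .when(Direction.isInbound())
            .perform(Response.addHeader("X-Content-Type-Options", "nosniff"));
   }

   @Override
   public int priority()
   {
      return 10; // lower values run first; 10 leaves room for more specific providers
   }
}
```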
55. Some things you should NOT do with Java URL-rewriting
If it needs to run when your app doesn't...
you probably don't want to put it in your app.
57. Access Control / Timer Demo
( http://access-rewrite.rhcloud.com/ )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
58. REST Validation/Conversion Demo
( http://rest-rewrite.rhcloud.com )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
59. Composite Query Demo
( http://composite-rewrite.rhcloud.com )
● Problem #1: “Relocated” resources (404)
● Problem #2: Readability & Clutter
● Problem #3: Revealing sensitive information
● Problem #4: Formatting useful information
● Problem #5: Validation of user input
60. Bonus round!
But client-side web applications are the future; can't I just ignore the URL and use WebSockets?!
62. How can we clean it up?
[Diagram: the browser sends a request to http://example.com/ and receives a response; the links in play are example.com/login, example.com/signup and example.com/lincoln/myproject, and the response arrow for the last one carries a "?" because the client cannot tell which part of that path is the application's root]
64. Where am I?
example.com/
example.com/lincoln
example.com/lincoln/myproject
example.com/lincoln/lincoln
How do you determine the Context Root?
example.com/ ?
example.com/lincoln ?
example.com/lincoln/lincoln ?
65. Resolve the Context Root
[Diagram: the browser requests http://example.com/lincoln (and the same path with a trailing "/") and gets a response; the client then sends
HEAD /lincoln?org.ocpsoft.rewrite.history.ContextPath
and the server answers 200 OK with the header ContextPath = /, which tells the client where the application root is]
67. Demos
● Access control (Request Interception)
● REST (Validation and Conversion)
● Composite Query (Security and Usability)
● SocialPM Rich Client (Browser Applications)
68. Mind the gap.
● Gap #1: “Relocated” resources (404)
● Gap #2: Readability & Clutter
● Gap #3: Revealing sensitive information
● Gap #4: Formatting useful information
● Gap #5: Validation of URLs
● … (and actually many more)