Versions Compared

Old Version 28

changes.mady.by.user Vasilis Kleanthous (Unlicensed)

Saved on

compared with

New Version Current

changes.mady.by.user Vasilis Kleanthous (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

-Djdk.tls.rejectClientInitiatedRenegotiation=true

 

Panel

Table of Contents

Table of Contents

Panel

Additional Guides

 

...

Overview

This guide provides some guidelines for security configuration

...

for Wildfly application servers based on OWASP

...

recommendations.

Management Console Security

...

Note

For additional information on security configuration of the application server, you can refer to the following link: https://docs.jboss.org/author/display/WFLY10/Security+Realms

 

Management Console Security

To secure application server configuration, it is necessary to setup the users and roles that can access the application server's management console.

For more information, you can refer to https://www.owasp.org/index.php/Testing_Identity_Management

...

To configure

...

Wildfly security, follow the directions in the link below.

...

https://

...

docs.

...

jboss.

...

org/author/

...

display/

...

Wildfly

To configure Wildfly security, follow the directions in the link below.

...

WFLY8/Security+Realms

HTTPS Configuration

CRM.COM application is designed to process and store customer sensitive data.

To transmit this data to the user's browser in a secure way, the application server should be configured to use HTTPS and SSL/TLS protocol.

For more information, you can refer to https://www.owasp.org/index.php/Testing_for_Sensitive_information_sent_via_unencrypted_channels_%28OTG-CRYPST-003%29

IBM Websphere

To configure

...

Wildfly for HTTPS, follow the directions in the link below.

...

https://

...

docs.

...

Wildfly

To configure Wildfly for HTTPS, follow the directions in the link below.

...

jboss.org/author/pages/viewpage.action?pageId=66322705

SSL/TLS Configuration

Due to known vulnerabilities, it is required to enable specific encryption protocols and cypher suites.

More specifically, it is recommended to use TLS v1.2 encryption protocol and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cypher suite.

For more information, you can refer to https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

...

To configure

...

http://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.0/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_was.html

To configure the cypher suite used, check the following link.

http://www.ibm.com/support/knowledgecenter/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

Wildfly

To configure Wildfly, the Undertow subsystem should be configured by adding the enabled-protocols and enabled-cipher-suites attributes in https listener as follows.

...

languagexml
titlestandalone.xml

Wildfly, the Undertow subsystem should be configured by adding the enabled-protocols and enabled-cipher-suites attributes in https listener as follows.

Code Block
languagexml
titlestandalone.xml
        <subsystem xmlns="urn:jboss:domain:undertow:2.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                ...
				<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm" no-request-timeout="30000" enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" enabled-protocols="TLSv1.2"/>
            </server>
                ...

...

 </subsystem>

HTTP Strict Transport Security

The HTTP Strict Transport Security (HSTS) header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests.

For more information, you can refer to https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_%28OTG-CONFIG-007%29

To configure the HSTS header on Wildfly, the Undertow subsystem should be configured by adding 2 lines in standalone.xml as follows.

Code Block
languagexml
titlestandalone.xml
        <subsystem xmlns="urn:jboss:domain:undertow:2.0">

...

   <buffer-cache name="default"/>
            <server name="default-

...

server">
                <http-listener name="default" socket-binding="http" redirect-socket="https"/>

...

    <host name="default-host" alias="localhost">

...

...

HTTP Strict Transport Security

The HTTP Strict Transport Security (HSTS) header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests.

For more information, you can refer to https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_%28OTG-CONFIG-007%29

IBM Websphere

To configure IBM HTTP Server for HSTS, follow the directions in the following link.

http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.ihs.doc/ihs/tihs_hsts.html

Wildfly

To configure the HSTS header on Wildfly, the Undertow subsystem should be configured by adding 2 lines in standalone.xml as follows.

...

languagexml
titlestandalone.xml

...

...
					<!-- Add the following line -->
 					<filter-ref name="HSTS"/>
					...
				 </host>
            </server>
            <servlet-container name="default">
                ...
            </servlet-container>
            <handlers>
                ...

...

...

          </handlers>

...

...

         <filters>
				<!-- Add the following line

...

-->
 				<response-header name="

...

HSTS"

...

header-

...

name="

...

Strict-Transport-Security"

...

header-

...

value="max-age=31536000"/>
            </filters>

...

...

</subsystem>

Server Fingerprinting

Server fingerprinting is the process of identifying the Web server / technologies used.

For more information, you can refer to https://www.owasp.org/index.php/Fingerprint_Web_Server_%28OTG-INFO-002%29

To avoid server fingerprinting the following configurations should be done on the application server.

Wildfly by default includes the Server and X-Powered-By headers.

Code Block
languagebash
titleWildfly HTTP Headers
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 26 Oct 2015 22:15:17 GMT
X-Powered-By: Undertow/1
Server: WildFly/9
Content-Length: 2425
Content-Type: text/html
Date: Wed, 21 Sep 2016 14:59:31 GMT

To remove these headers, you need to change the default configuration of the Undertow subsystem.

One way to do that is to edit the configuration file standalone.xml and remove the following lines.

Code Block
languagexml
titlestandalone.xml
        <subsystem xmlns="urn:jboss:domain:undertow:2.0">

...

   <buffer-cache name="default"/>

...

    <server name="default-server">

...

     <http-listener name="default" socket-binding="http" redirect-socket="https"/>

...

...

<host name="default-host" alias="localhost">

...

        <location

...

Server Fingerprinting

Server fingerprinting is the process of identifying the Web server / technologies used.

For more information, you can refer to https://www.owasp.org/index.php/Fingerprint_Web_Server_%28OTG-INFO-002%29

To avoid server fingerprinting the following configurations should be done on the application server.

IBM Websphere

By default, IBM Websphere does not include the server name in HTTP headers.

Code Block
languagebash
titleIBM Websphere HTTP Headers
X-Powered-By: Servlet/3.0
Content-Type: text/html;charset=ISO-8859-1
$WSEP:
Content-Language: en-GB
Date: Wed, 21 Sep 2016 14:28:52 GMT

 

However, the X-Powered-By: Servlet/3.0 header should be removed.

This can be done by setting the custom property com.ibm.ws.webcontainer.disablexPoweredBy to the value true in Websphere's configuration.
To set this custom property, you can follow the directions in the link below.

https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rweb_custom_props.html

Wildfly

Wildfly by default includes the Server and X-Powered-By headers.

Code Block
languagebash
titleWildfly HTTP Headers
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 26 Oct 2015 22:15:17 GMT
X-Powered-By: Undertow/1
Server: WildFly/9
Content-Length: 2425
Content-Type: text/html
Date: Wed, 21 Sep 2016 14:59:31 GMT

To remove these headers, you need to change the default configuration of the Undertow subsystem.

One way to do that is to edit the configuration file standalone.xml and remove the following lines.

...

languagexml
titlestandalone.xml
name="/" handler="welcome-content"/>
					<!-- The following 2 lines should be removed -->
                    <!--filter-ref name="server-header"/-->
                    <!--filter-ref name="x-powered-by-header"/-->
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config development="true"/>

...

       <websockets/>

...

</servlet-container>

...

<handlers>

...

<file name="

...

welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>

...

...

...

    <filters>

...

<response-header name="

...

server-header"

...

header-name="Server"

...

 header-value="WildFly/9"/>

...

...

...

...

...

...

...

...

...

...

<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
            </filters>

...

 </subsystem>

 

Clickjacking

“Clickjacking” is a malicious technique that consists of deceiving a web user into interacting (in most cases by clicking) with something different to what the user believes they are interacting with.

For more information, you can refer to https://www.owasp.org/index.php?title=Testing_for_Clickjacking_(OTG-CLIENT-009)&setlang=en

To avoid clickjacking vulnerability, the following configurations should be done on the application server.

Wildfly by default does not include the X-Frame-Options: DENY header in response headers.

Code Block
languagebash
titleWildfly HTTP Headers
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 26 Oct 2015 22:15:17 GMT
X-Powered-By: Undertow/1
Server: WildFly/9
Content-Length: 2425
Content-Type: text/html
Date: Wed, 21 Sep 2016 14:59:31 GMT

To add this header, you need to change the default configuration of the Undertow subsystem.

One way to do this is to edit the configuration file standalone.xml and add the following 2 lines.

Code Block
languagexml
titlestandalone.xml

...

<subsystem xmlns="urn:jboss:domain:undertow:2.0">

...

<buffer-cache name="default"/>
            <server

...

name="

...

default-server">

...

    <http-listener

...

name="default" socket-binding="http" redirect-socket="https"/>

...

...

<host name="

...

default-

...

host"

...

alias="

...

localhost"

...

>

...

<location name="

...

/"

...

handler="

...

welcome-

...

content"/>
					<!-- The following line should be added -->
                    <filter-ref name="X-Frame-Options"/>
                </

...

host>

...

 

Clickjacking

“Clickjacking” is a malicious technique that consists of deceiving a web user into interacting (in most cases by clicking) with something different to what the user believes they are interacting with.

For more information, you can refer to https://www.owasp.org/index.php?title=Testing_for_Clickjacking_(OTG-CLIENT-009)&setlang=en

To avoid clickjacking vulnerability, the following configurations should be done on the application server.

IBM Websphere

By default, IBM Websphere does not include the X-Frame-Options: DENY header in HTTP headers.

Code Block
languagebash
titleIBM Websphere HTTP Headers
X-Powered-By: Servlet/3.0
Content-Type: text/html;charset=ISO-8859-1
$WSEP:
Content-Language: en-GB
Date: Wed, 21 Sep 2016 14:28:52 GMT

 

This can be done by setting the header in IBM HTTP Server's configuration file /opt/IBM/HTTPServer/conf/httpd.conf as follows:

Code Block
languagebash
titleIBM Websphere HTTP Headers
Header always append X-Frame-Options DENY

Wildfly

Wildfly by default does not include the X-Frame-Options: DENY header in response headers.

Code Block
languagebash
titleWildfly HTTP Headers
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 26 Oct 2015 22:15:17 GMT
X-Powered-By: Undertow/1
Server: WildFly/9
Content-Length: 2425
Content-Type: text/html
Date: Wed, 21 Sep 2016 14:59:31 GMT

To add this header, you need to change the default configuration of the Undertow subsystem.

One way to do this is to edit the configuration file standalone.xml and add the following 2 lines.

...

languagexml
titlestandalone.xml
    </server>
            <servlet-container name="default">
                <jsp-config development="true"/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <filters>
				<!-- The following line should be added -->
                <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="DENY"/>
            </filters>

...

 </subsystem>

Secure Cookies

CRM.COM application uses cookies to store session information.

It is crucial that the session cookie the application is using is secure.

For more information, you can refer to https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OTG-SESS-002%29

To configure secure session cookie on Wildfly, the following changes are needed in standalone.xml.

Code Block
languagexml
titlestandalone.xml
        <subsystem xmlns="urn:jboss:domain:undertow:2.0">

...

<buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https"/>
                <host name="default-host" alias="localhost">
					...
				 </host>
            </server>

...

      <servlet-container name="

...

default">

...

				<!-- Add

...

the following line

...

-->
				 <session-cookie http-only="true" secure="true"/>
            </servlet-container>

...

...

       <handlers>

...

       ...

...

       </handlers>

...

...

      <filters>

...

      ...

...

</

...

filters>

...

</subsystem>

 

Default Applications

Some application server installations include by default applications and tools that should be disabled for maximum security.

Wildfly does not include any default applications. However, the welcome page should be disabled.

This can be done by removing the following lines from standalone.xml.

 

Code Block
languagexml
titlestandalone.xml
        <subsystem

...

xmlns="urn:jboss:domain:undertow:2.0">

...

<buffer-cache name="default"/>

...

<server name="default-server">

...

<http-

...

listener name="

...

default"

...

socket-

...

binding="

...

http"

...

redirect-

...

socket="

...

https"/>
                <host name="default-host" alias="localhost">

...

Secure Cookies

CRM.COM application uses cookies to store session information.

It is crucial that the session cookie the application is using is secure.

For more information, you can refer to https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OTG-SESS-002%29

IBM Websphere

To configure secure session cookie on IBM Websphere, follow the directions in the link below.

http://www-01.ibm.com/support/docview.wss?uid=swg21427901

Wildfly

To configure secure session cookie on Wildfly, the following changes are needed in standalone.xml.

...

languagexml
titlestandalone.xml
				<!-- The following line should be removed -->
                   <!-- <location name="/" handler="welcome-content"/> -->
                </host>

...

 </server>

...

<servlet-

...

container name="default"

...

>

...

...

   ...

...

</servlet-container>
			<!-- The following lines should be removed -->

...

   <!-- <handlers>
                <file

...

name="welcome-content" path="${jboss.home.dir}/welcome-content"/>

...

</handlers> -->
            <filters>

...

...

 ...
            </filters>

...

...

</subsystem>

 

Client Initiated Renegotiation

To disable Client Initiated Renegotiation the following option should be added in $JAVA_OPTS variable in /opt/wildfly/bin/standalone.conf

 

Code Block
languagetext
titlestandalone.conf

...

-Djdk.tls.rejectClientInitiatedRenegotiation=true

 

Additional HTTP Headers

The following headers can be added for additional security:


 

Code Block
languagexml
titlestandalone.xml
        <subsystem xmlns="urn:jboss:domain:undertow:2.0">

...

  <buffer-cache name="default"/>

...

   <server name="default-server">
                <http-listener name="default"

...

 

Default Applications

Some application server installations include by default applications and tools that should be disabled for maximum security.

IBM Websphere

IBM Websphere ships with some default web applications (for example Snoop Servlet).

To disable/remove these applications, login to the administrative console and go to Applications -> Application Types -> Websphere enterprise applications

Wildfly

Wildfly does not include any default applications.

Additional Resources

For additional information on security configuration of the application servers, you can refer to the following links.

IBM Websphere

http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html

Wildfly

...

socket-binding="http" redirect-socket="https"/>
                <host name="default-host" alias="localhost">
                    ...
					<!-- Add the following lines -->                  
					<filter-ref name="x-xss-protection"/>
                    <filter-ref name="content-security-policy"/>
					<filter-ref name="x-Content-type-options"/>                  
					<filter-ref name="referrer-policy"/>
					<filter-ref name="host"/>
					...
				 </host>
            </server>
            <servlet-container name="default">
                ...
            </servlet-container>
            <handlers>
                ...
            </handlers>
            <filters>
				<!-- Add the following lines -->
				<response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1"/>                
				<response-header name="content-security-policy" header-name="Content-Security-Policy" header-value="*"/>
				<response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
				<response-header name="referrer-policy" header-name="Referrer-Policy" header-value="no-referrer-when-downgrade"/>
				<response-header name="host" header-name="Host" header-value="myhostname.com"/><!-- The hostname of the server should be specified here in order to avoid displaying the internal IP in the Location response header-->
            </filters>
        </subsystem>