Security Tour of WebMDS

1
Security Tour of WebMDS
2
Request Flow in WebMDS
3
WebmdsServlet class

• Extends HttpServlet has two public methods
  called by Tomcat
• Init
• Called when servlet is loaded
• Reads static config information (including xml
  source definitions)
• doGet called when servlet is invoked
• Identifies xml sources for data and xslt
  transform
• Invokes plugins with config data and html form
  args to get raw data and xslt.
• Applies xslt transform to raw data.

4
Concept XML Sources

• An XML Source is a description of how to get a
  particular piece of XML
• For example, resource properties from a service,
  or an XSLT transform from a file.
• Includes methods to call and some initialization
  parameters.
• XML Sources are statically configured this
  configuration is read at initialization time.
• Each WebMDS request
• specifies an XML Source (or two).
• May include additional arguments to be passed to
  each XML source.

5
WebMDS Servlet Configuration

• Tomcat is configured to use G_L/lib/webmds as
  the document base for the WebMDS servlet.
• Ill call this directory webmds_root.
• XML Source definition files live in
  webmds_root/conf.
• At initialization, WebMDS reads the config
  entries from this directory.
• The file webmds_root/conf/foo defines the XML
  source named foo.

6
WebMDS Servlet Operation Request Arguments

• Client request comes in with html form args
• Required argument
• Name of XML Source to use to get raw xml data.
• Optional Arguments
• Name of XML Source to use to get the XSLT
  Transform
• Additional arguments to pass to the raw data XML
  source. There may be zero or more of these.
• Additional arguments to pass to the XSLT
  transform XML source. There may be zero or more
  of these.

7
WebMDS Servlet Operation Request Processing

• WebMDS collects raw XML data
• Finds the XML source associated with the info
  request argument.
• Calls the plugin, passing the XML source config
  parameters and any info XML-source-specific
  request arguments.
• Plugin returns XML.
• WebMDS finds the appropriate XSLT transform
• Same as above, except the xsl arg is used
  instead of info.
• WebMDS applies the XSLT transform and returns the
  results.
• If no xsl arg was specified, WebMDS just
  returns the raw XML data.

8
One More Detail about Request Processing

• The xslt transform package allows the calling
  routine to pass name/value pairs to the xslt
  transform.
• The WebMDS servlet calls a plugin mechanism to
  get a descriptive string
• for example, the file plugin returns the name of
  the file being read
• When WebMDS makes the call to apply the xslt
  translation on the raw xml data, it also
  specifies a parameter named requestInfo with
  the descriptive string as its value.

9
WebMDS Servlet Security Questions

• Who controls which WebMDS config files are read?
• Tomcat config determines webmds_root.
• Webmds_root and its subdirectories are writable
  only by the user who installed globus.
• Although of course a tomcat administrator could
  configure tomcat to look at a different
  webmds_root owned by someone else.
• WebMDS does a directory listing of
  webmds_root/conf at init time and reads the
  config files there it does not go looking for
  config files in response to user requests.
• In the future, we may change this to redo the
  directory listing more often, e.g., if it fails
  to find a config file its looking for. But it
  would still just look at the files in that
  directory, not go searching for specific files.
• Who controls what plugin classes are loaded?
• Class names are specified in config files in
  webmds_root/conf.
• Webmds inherits tomcats class loader, classpath,
  etc.
• What risks are there in server-side XSLT
  processing?
• See the next slide.

10
WebMDS XSLT Security Issue

• WebMDS does XSLT transformations on the server,
  with the Tomcat processs privileges.
• Clients can specify any XML Source recognized by
  the server as the source of XSLT.
• If a user can control the content of an XSLT
  transform, they can add include statements, to
  read stylesheets from external files.
• A malicious user could use this to determine
• Whether a file exists and is readable by the
  Tomcat process
• Whether or not such a file is an XML file.
• If the file contains an XSLT stylesheet, they can
  observe the results of applying that stylesheet.
• This is bug 3537
• In 4.0.1, XML sources will have a suitable for
  xslt parameter, which will default to false.

11
XML Sources

• WebMDS plugins implement the WebmdsXmlSource
  interface, which has three methods
• Init (arg is a utility object, returns void)
• getXmlSource
• Args are
• Name (used only in generating error messages)
• InitParams (static configuration parameters)
• RequestParams (arguments from the client request)
• Returns a javax.xml.transform.Source object
  representing XML data.
• The XmlSource in this method name refers to the
  Source object returned, not to the XML Sources
  weve been discussing so far.
• getRequestInfo returns a string of information
  about the request.
• These objects are created, initialized, used, and
  destroyed in the course of processing each client
  request.
• This may change in the future, so that these
  objects are created and initialized with request
  parameters when the configuration files are read,
  and only the request parameters are passed to the
  getXmlSource method.

12
FileXmlSource

• WebMDS plugin to read XML from a file.
• Normally used to get XSLT and for testing.
• Static configuration parameters
• File Name of the file to read
• If specified as a relative pathname, interpreted
  relative to webmds_root.
• Request arguments none.
• getRequestInfo returns the filename.

13
FileXmlSource Security Questions

• I cant think of any.

14
NodeXmlSource

• WebMDS plugin to get XML from a DOM Node object
  (specifically, to get an xslt Source object from
  a Node).
• Uses its own plugin interface calls a
  WebmdsNodeSource plugin to get an XML node, then
  converts it to a Source object.
• Static configuration parameters
• Class name of a class that implements the
  WebmdsNodeSource interface
• Other parameters are passed to the
  WebmdsNodeSource plugin
• Request arguments
• None recognized directly, but args are passed to
  the WebmdsNodeSource plugin
• Used to implement the resource property plugin.

15
NodeXmlSource Security Questions

• Who controls what plugin classes are loaded?
• Class names are specified in config files in
  webmds_root/conf.
• Webmds inherits tomcats class loader, classpath,
  etc.

16
WebmdsNodeSource

• Interface that defines plugins used by
  NodeXMLSource.
• Three methods
• Init called by NodeXmlSource.init().
• getRequestInfo called by NodeXmlSource.getReques
  tInfo().
• getNode called by NodeXmlSource.getXmlSource()
• Args are initParams and RequestParams (passed
  through from NodeXMLSource).
• Returns an XML DOM Node object.

17
ResourcePropertyQueryNodeSource

• Plugin used by WebmdsNodeSource to get resource
  properties.
• Static configuration parameters
• Endpoint-specifying parameters
• allowUserEndpoints if true, request arguments
  may override the values of endpoint,
  endpointKeyName, and endpointKeyValue.
• Request arguments (honored only if
  allowUserEndpoints is true)
• Endpoint-specifying parameters
• Makes a QueryResourceProperties request with /
  as the query string.
• In the future, will allow query strings to be
  statically configured and passed as request
  arguments.

18
Security of Resource Property Queries

• Summary There is none.
• Authentication of Webmds plugin to WSRF service
  (for QueryResourceProperty)
• Currently, is always anonymous.
• People use web browsers as Webmds clients, so
  they cant delegate credentials to use when doing
  resource property queries.
• So far there hasnt been any demand for the
  ability to get privileged information via WebMDS.
  If there is, we will probably add the ability to
  configure a set of credentials, and leave it to
  the WebMDS administrators to make sure privileged
  data isnt passed to unprivileged users, using
  Tomcat authentication mechanisms.
• Authorization of the WSRF service by the WebMDS
  plugin
• Currently, the authorization style is always
  none.
• Should probably be configurable.

19
ResourcePropertyQueryNodeSource Security Questions

• Could a bunch of WebMDS servers be used to mount
  a DOS attack by inundating a WSRF service with
  resource property queries?
• Yes.
• If that becomes a problem, Tomcat access control
  mechanisms can be used to restrict who can use
  WebMDS.

20
ResourcePropertyNodeSource

• Plugin used by WebMDS to get resource properties
  via GetResourceProperty calls.
• Static configuration parameters
• Endpoint-specifying parameters (same as in
  ResourcePropertyQueryNodeSource)
• allowUserEndpoints (same as in ResourcePropertyQue
  ryNodeSource)
• rpNamespace, rpName specify the resource
  property to query for
• allowUserResourceProperties if true, request
  arguments may override the values of rpNamespace
  and rpName.
• Request arguments
• Endpoint-specifying args same as in
  ResourcePropertyQueryNodeSource.
• rpNamespace, rpName specify the resource
  property to query for (honored only if
  allowUserResourceProperties is true).

21
Security of Resource Property Requests

• Authentication of Webmds plugin to WSRF service
  (for QueryResourceProperty)
• Currently, is always anonymous.
• People use web browsers as Webmds clients, so
  they cant delegate credentials to use when doing
  resource property queries.
• So far there hasnt been any demand for the
  ability to get privileged information via WebMDS.
  If there is, we will probably add the ability to
  configure a set of credentials, and leave it to
  the WebMDS administrators to make sure privileged
  data isnt passed to unprivileged users, using
  Tomcat authentication mechanisms.
• Authorization of the WSRF service by the WebMDS
  plugin
• Currently, the authorization style is always
  none.
• Should probably be configurable.
• Handled by the same code as ResourcePropertyQueryN
  odeSource, so any features we add will be added
  to both.

22
ResourcePropertyNodeSource Security Questions

• Could a bunch of WebMDS servers be used to mount
  a DOS attack by inundating a WSRF service with
  resource property requests?
• Yes.
• If that becomes a problem, Tomcat access control
  mechanisms can be used to restrict who can use
  WebMDS.