Creating Secure ZimWeb Applications
Some key guidelines for creating secure ZimWeb applications include:
- Secure access to the ZimWeb Administration servlet so that unprivileged users cannot access it. The installation instructions for Tomcat (see Installation) show how to reserve it for a given user name and password.
- Ensure that the client DEBUG facility is disabled by default by setting the allow-debug configuration option to
- Specify a TEMPLATE in the security configuration for all procedures; this is described in the configuration file extensions.
- Avoid or restrict the use of Zim sessions wherever possible, as they open the way to a denial of service by tying up all of the Zim database agents:
- Use http session variables to preserve state information instead; see parameter sources for more details about this.
- Use the most secure setting possible for the zim-session-security configuration option; preferably disable persistent Zim sessions if they are not required, or track Zim sessions in the http session.

In addition, existing unmodified ZimCGI applications can also have their security improved.
- Record the authentication of a user in an http session parameter, e.g. session.AuthenticatedUser, which is present in all procedure templates and checked by all procedures. The initial authentication can be performed by the web server or the Zim application.
- Place XSLT stylesheets and templates in a secure location that cannot be accessed directly by clients. A suitable location is under the WEB-INF directory of the application, as demonstrated by the ZimWeb example application.
- Be careful about what XML information is output by the application; remember that the client can specify style=none in any request to see the raw, unstyled XML data.
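The first guideline above (restricting the ZimWeb Administration servlet to a known user) is normally done with a container-managed security constraint in Tomcat. The fragment below is an added example of such a web.xml entry; it is not taken from the ZimWeb installation instructions or the ZimWeb example application. The servlet URL pattern (/ZIMWEB-ADMIN-SERVLET-PATH/*) and the role name zimweb-admin are placeholders you must replace with the values used by your installation.

```xml
<!-- web.xml excerpt (added example; not ZimWeb's own deployment descriptor) -->
<web-app>

  <!-- Everything under the admin servlet's path requires an authenticated
       user holding the zimweb-admin role. No <http-method> elements are listed
       on purpose: a constraint that names methods protects ONLY those methods,
       leaving e.g. HEAD or OPTIONS (or an unusual verb) unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ZimWeb Administration</web-resource-name>
      <!-- ASSUMPTION: placeholder; use the URL pattern your installation maps
           to the ZimWeb Administration servlet -->
      <url-pattern>/ZIMWEB-ADMIN-SERVLET-PATH/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- ASSUMPTION: role name chosen for this example -->
      <role-name>zimweb-admin</role-name>
    </auth-constraint>
    <!-- BASIC credentials are only base64-encoded, so require TLS for
         this path (Tomcat redirects plain HTTP to the HTTPS connector
         configured in server.xml). -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Challenge the browser for a user name and password -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ZimWeb Administration</realm-name>
  </login-config>

  <!-- Declare the role so the container can map it to a realm user -->
  <security-role>
    <role-name>zimweb-admin</role-name>
  </security-role>

</web-app>
```

The user and password that satisfy this constraint come from the realm Tomcat is configured with; with the default in-memory realm that is a role and user entry in conf/tomcat-users.xml carrying the same role name. Two things worth checking after deployment: that an unauthenticated request to the admin path receives a 401 (or a redirect to HTTPS) rather than the servlet's page, and that the stylesheets and templates kept under WEB-INF, as the later guideline recommends, return 404 when requested directly, since the container never serves that directory to clients.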