7. π Security Guide
7.1 Security Overview
HONGIKINGAN CMS provides various security features to protect the system from various security threats. This chapter explains the currently implemented security features of HONGIKINGAN CMS, additionally supportable features, and security guidelines that must be followed during development.
7.1.1 Security Architecture
The security architecture of HONGIKINGAN CMS consists of the following layers:
Currently Implemented Security Features
- HTTP security header configuration
- XSS prevention filter
- Basic encryption/decryption (AES, SHA-256)
- Personal information access history management
- Session management
- Input validation utility (HumanValidatorUtil)
Supportable Security Features
- Spring Security-based authentication
- Role-based access control (RBAC)
- CSRF prevention
- Advanced encryption techniques (BCrypt, PBKDF2)
- Input validation through Bean Validation
Security Areas
- Authentication and authorization management
- Data security
- Application security
- Logging and auditing
7.2 Currently Implemented Security Features
7.2.1 XSS (Cross-Site Scripting) Prevention
HONGIKINGAN CMS provides filters to prevent XSS attacks. These filters prevent XSS attacks by removing malicious scripts from user input values.
Main Features
- HTML tag filtering
- User input validation
- Output value escape processing
XSSWebFilter.java - Actually implemented code
public class XSSWebFilter implements Filter {
// ...
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
// ...
if (isRequestCheck) {
// Remove special characters from parameters
chain.doFilter(new HTMLTagFilterRequestWrapper(req), response);
} else {
chain.doFilter(request, response);
}
// ...
}
}Actually implemented XSS filter configuration
<filter>
<filter-name>XSSWebFilter</filter-name>
<filter-class>humanframe.web.filter.XSSWebFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>XSSWebFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>7.2.2 Encryption/Decryption
HONGIKINGAN CMS provides basic encryption/decryption functionality. This feature is used to protect sensitive information such as personal information and passwords.
Main Features
- ARIA encryption/decryption
- SHA-256 based password encryption
- AES-256 encryption/decryption (HumanAES256Util)
- Configuration-based encryption key management
HumanCryptoServiceImpl.java - Actually implemented code
@Service("humanCryptoService")
public class HumanCryptoServiceImpl extends HumanAbstractServiceImpl implements HumanCryptoService {
@Resource(name="propertiesService")
private EgovPropertyService properties;
@Resource(name="ARIACryptoService")
private EgovCryptoService cryptoService;
@Resource(name="passwordEncoder")
public EgovPasswordEncoder egovPasswordEncoder;
@Override
public String encrypt(String str) throws Exception {
byte[] encrypted = cryptoService.encrypt(str.getBytes("UTF-8"), properties.getString("CRYPTO_KEY"));
String encryptStr = new String(Base64.encodeBase64(encrypted));
return encryptStr;
}
@Override
public String decrypt(String str) throws Exception {
byte[] decrypted = cryptoService.decrypt(Base64.decodeBase64(str.getBytes()), properties.getString("CRYPTO_KEY"));
return new String(decrypted, "UTF-8");
}
/**
* Password encryption function (SHA-256 encoding method applied as it should not be decrypted)
*/
@Override
public String encryptPassword(String password, String id) throws Exception {
if (password == null) {
return "";
}
byte[] hashValue = null; // Hash value
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.reset();
md.update(id.getBytes());
hashValue = md.digest(password.getBytes());
return new String(Base64.encodeBase64(hashValue));
}
}7.2.3 Personal Information Access History Management
HONGIKINGAN CMS provides functionality to manage personal information access history. This feature is important for compliance with personal information protection laws.
Main Features
- Record personal information access history
- Set personal information access status by menu
- Logging by access type (view, modify, delete, etc.)
AdminPrivacyAspect.java - Actually implemented code
@Aspect
@Order(2)
@Component
public class AdminPrivacyAspect {
@Resource(name = "mngPrivacyService")
private MngPrivacyService mngPrivacyService;
// Admin permission check
@Pointcut("execution(* humanframe.backoffice..Admin*Controller.form(..))"
+ "|| execution(* humanframe.backoffice..Admin*Controller.list(..))"
+ "|| execution(* humanframe.backoffice..Admin*Controller.view(..))"
+ "|| execution(* humanframe.backoffice..Admin*Controller.action(..))"
+ "|| execution(* humanframe.web.controller.admin..Admin*Controller.list(..))"
+ "|| execution(* humanframe.web.controller.admin..Admin*Controller.view(..))"
+ "|| execution(* humanframe.web.controller.admin..Admin*Controller.form(..))"
+ "|| execution(* humanframe.web.controller.admin..Admin*Controller.action(..))")
private void checkAdminPrivacy() {}
@Before(value = "checkAdminPrivacy()")
private void beforeCheckAdminPrivacy(JoinPoint joinPoint) throws Exception {
HttpServletRequest request = null;
for (Object o : joinPoint.getArgs()) {
if (o instanceof HttpServletRequest)
request = (HttpServletRequest)o;
}
if(request != null) {
// Save personal information access history
String logTxt = "IP:" + request.getRemoteAddr() + ", " + className + "." + methodName;
for(MngMenuVO sessMenuVO : mngrSession.getMngMenuList()){
if(sessMenuVO.getMenuUrl().contains(request.getServletPath().substring(0,request.getServletPath().lastIndexOf("/")))){
if(sessMenuVO.getPrivacyAt().equals("Y")) {
mngPrivacyService.createMngPriacyAccess(logTy, request.getServletPath(), logTxt);
}
}
}
}
}
}7.2.4 HTTP Security Header Configuration
HONGIKINGAN CMS enhances basic web security through HTTP security headers.
Main Features
- Cookie security settings (HttpOnly)
- Restricted HTTP method settings
- Session management
Actually implemented HTTP security configuration
<session-config>
<session-timeout>60</session-timeout>
<cookie-config>
<http-only>true</http-only> <!-- Set cookies to be sent only when there are server requests -->
<!-- <secure>true</secure> --> <!-- Set cookies to be sent only when SSL communication channel is connected -->
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<security-constraint>
<display-name></display-name>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>nobody</role-name>
</auth-constraint>
</security-constraint>7.2.5 Input Validation Utility
HONGIKINGAN CMS provides various input validation utilities through the humanframe.core library.
Main Features
- Email, URL format validation
- Character type validation for numbers, alphabets, Korean, etc.
- Password complexity validation
- String length validation
HumanValidatorUtil.java - Part of actual code
public class HumanValidatorUtil {
// Regular expression patterns
final static private String pattern_alpha = "^[A-Za-z]*$";
final static private String pattern_numeric = "^[0-9]*$";
final static private String pattern_korean = "^[γ±-γ
|κ°-ν£]*$";
final static private String pattern_email = "^[-A-Za-z0-9_]+[-A-Za-z0-9_.]*[@]{1}[-A-Za-z0-9_]+[-A-Za-z0-9_.]*[.]{1}[A-Za-z]{2,5}$";
final static private String pattern_url = "^(https?)://[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]";
final static private String pattern_invalid_password = "^(?=.*?[a-zA-Z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,25}$";
// Email validation
public static boolean isEmail(String value) {
return nullChecker(5, value);
}
// URL validation
public static boolean isUrl(String value) {
return nullChecker(6, value);
}
// Password complexity validation
public static boolean isValidPassword(String value){
return nullChecker(10, value);
}
// Alphabet + number combination validation
public static boolean isAlphaNumeric(String value) {
if (!nullChecker(value)) {
boolean bReturn = true;
char[] cArr = value.toCharArray();
int alphaLen = 0;
int numericLen = 0;
for (char c : cArr) {
if (isAlpha(String.valueOf(c))) {
alphaLen++;
}
if (isNumeric(String.valueOf(c))) {
numericLen++;
}
}
if ((alphaLen == 0) || (numericLen == 0) || (cArr.length != (alphaLen + numericLen))){
bReturn = false;
}
return bReturn;
} else {
return false;
}
}
}7.3 Secure Coding Rules
The secure coding rules that must be followed when developing HONGIKINGAN CMS are as follows.
7.3.1 Prevent Information Exposure in Error Messages
Care must be taken to ensure that sensitive information is not exposed in error messages.
Incorrect Example
try {
// Database operation
} catch (SQLException e) {
e.printStackTrace(); // Error stack trace exposure
return "Database error: " + e.getMessage(); // Error message exposure
}Correct Example
try {
// Database operation
} catch (SQLException e) {
logger.error("Database error", e); // Record only in log
return "A system error has occurred. Please contact the administrator."; // Generic error message
}7.3.2 Prevent Absence of Error Situation Response
Appropriate handling for all exception situations is required.
Incorrect Example
public void processData(String data) {
// No exception handling
int value = Integer.parseInt(data); // NumberFormatException may occur
// Processing logic
}Correct Example
public void processData(String data) {
try {
int value = Integer.parseInt(data);
// Processing logic
} catch (NumberFormatException e) {
logger.error("Number conversion error", e);
throw new BusinessException("Invalid data.");
}
}7.3.3 Prevent Inappropriate Exception Handling
Care must be taken not to ignore exceptions or handle them inappropriately.
Incorrect Example
try {
// File operation
} catch (Exception e) {
// No processing (ignoring exception)
}Correct Example
try {
// File operation
} catch (IOException e) {
logger.error("File processing error", e);
throw new BusinessException("An error occurred during file processing.");
}7.3.4 Specific Exception Handling
When handling exceptions, specific exception classes should be used rather than the general Exception class.
Incorrect Example
try {
// Various operations like file reading, network requests, database queries, etc.
} catch (Exception e) {
logger.error("Error occurred", e);
throw new RuntimeException("An error occurred during processing.");
}Correct Example
try {
// File reading operation
} catch (FileNotFoundException e) {
logger.error("File not found", e);
throw new BusinessException("The requested file could not be found.");
} catch (IOException e) {
logger.error("File reading error", e);
throw new BusinessException("An error occurred while reading the file.");
} catch (SQLException e) {
logger.error("Database error", e);
throw new SystemException("An error occurred during database processing.");
} catch (RuntimeException e) {
logger.error("Runtime error", e);
throw new SystemException("An error occurred during system processing.");
}Advantages of Specific Exception Handling
- Clear error cause identification: Using specific exception classes allows for clearer identification of error causes.
- Appropriate response possible: Appropriate response methods can be selected according to exception types.
- Improved code readability: Code readability is improved by clearly expressing what exceptions can occur.
- Enhanced maintainability: When modifying specific exception handling logic, it does not affect other exception handling.
- Enhanced security: Appropriate error messages can be provided according to exception types to prevent exposure of sensitive information.
7.3.5 SQL Injection Prevention
Coding rules to prevent SQL injection attacks must be followed. Since HONGIKINGAN CMS uses MyBatis to manage SQL queries, SQL injection can be prevented through parameter binding.
Incorrect Example
public BbsVO selectBbsVulnerable(String bbsNo) {
String sqlId = "bbs.selectBbs";
String dynamicSql = sqlId + "_" + bbsNo; // Dangerous: User input directly included in SQL ID
return (BbsVO) selectOne(dynamicSql);
}Correct Example (Using MyBatis Mapping)
public BbsVO selectBbs(int bbsNo) {
Map<String, Object> paramMap = new HashMap<String, Object>();
paramMap.put("bbsNo", bbsNo);
return (BbsVO) selectOne("bbs.selectBbs", paramMap);
}<select id="bbs.selectBbs" parameterType="java.util.Map" resultType="humanframe.web.vo.BbsVO">
SELECT
bbs_no,
title,
content,
reg_dt
FROM
tn_bbs
WHERE
bbs_no = #{bbsNo}
</select>7.3.6 Coding Convention Compliance
Coding conventions must be followed to maintain consistent coding style.
Main Rules
- Comply with naming conventions for classes, methods, variables, etc.
- Comply with indentation and spacing rules
- Comply with comment writing rules
- Comply with package structure rules
7.4 Security Vulnerability Inspection and Management
7.4.1 Security Vulnerability Inspection Items
It is recommended to periodically check the following security vulnerability inspection items:
π Authentication and Authorization Management
- Authentication bypass vulnerabilities
- Missing permission verification
- Session management vulnerabilities
β Input Validation
- XSS vulnerabilities
- SQL injection vulnerabilities
- Command injection vulnerabilities
π€ Output Processing
- Sensitive information exposure
- Error message exposure
π File Processing
- Path manipulation vulnerabilities
- File upload vulnerabilities
π Encryption
- Use of weak encryption algorithms
- Encryption key management vulnerabilities
7.4.2 Security Patches and Updates
Regular security patches and updates are necessary to maintain the security of HONGIKINGAN CMS.
Patch Application Procedure
π Check Security Vulnerabilities
Check security vulnerabilities that may affect the system
π Review Patch Content
Review patch content and scope of impact
π§ͺ Apply to Test Environment
Apply patch to test environment and test
π Apply to Production Environment
Apply patch to production environment
π Monitor Results
Monitor patch application results
Dependency Library Management
π Manage Library List
Manage dependency library list
π Monitor Vulnerability Information
Monitor security vulnerability information
π Update Libraries
Update libraries with discovered vulnerabilities
π§ͺ Compatibility Testing
Compatibility testing after updates
7.5 Conclusion
HONGIKINGAN CMS provides basic security features, and developers can implement additional security features as needed. Currently implemented features include XSS prevention filters, encryption/decryption, personal information access history management, HTTP security header configuration, and input validation utilities, which can meet basic security requirements.
When additional security enhancement is needed, Spring Security-based authentication, role-based access control, CSRF prevention, advanced encryption techniques, etc. can be implemented. These features can be implemented by extending the humanframe.core library or by utilizing external libraries.
Important Note
Security is an area that requires continuous management and improvement, so it is important to maintain system safety through regular security inspections and updates. Developers should follow the secure coding rules presented in this manual and implement additional security features as needed to enhance the security of HONGIKINGAN CMS.