Security

Server Security

The Apache Tomcat wiki site, http://wiki.apache.org/tomcat/FAQ/Security, states "There have been no public cases of damage done to a company, organization, or individual due to a Tomcat security issue." Many other servlet containers have similar security records.

Mathematica Program Security

MSPBlock

MSPBlock is one of the key security functions for webMathematica. It is useful for taking input to the server and converting it to be used in a computation. A typical script, taken from the example Expand.jsp, is shown below.
Remember that variables starting with $$, such as $$expr, are input variables. These have been transmitted as part of the web request and are potential sources of attack. In fact, giving them a special naming convention, which draws attention to them, is one security feature. Using MSPBlock avoids security problems because it applies the security test to its variables, in this case $$expr and $$num. If either fails the test, a security exception is thrown and the body is never evaluated; a page error results. (The section on handling errors shows how you can customize the exact behavior of page errors.)

MSPToExpression

MSPToExpression is the other key security function for webMathematica. It is used for taking input to the server and turning it into a Mathematica expression that can be used for computing. A typical script, taken from the example Integrate.jsp, is shown below.
If the variable $$expr failed the security test, then MSPToExpression will throw a security exception and the page will be terminated. You can modify the treatment of page errors as discussed in the section on handling errors.
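
The two functions side by side, as an added example that is not one of the webMathematica example pages and not Wolfram's code: a hypothetical page Factor.jsp that passes request input first through MSPBlock and then through MSPToExpression. The page name, the form field names and the differentiation variable x are assumptions, and the taglib URI shown is the one used by webMathematica 3 and may differ in other versions.

```jsp
<%-- Added example: hypothetical page Factor.jsp (names are assumptions) --%>
<%@ page language="java" %>
<%@ taglib uri="http://www.wolfram.com/msp" prefix="msp" %>
<html>
<body>
<form action="Factor.jsp" method="post">
  Polynomial: <input type="text" name="expr" size="30" />
  Power: <input type="text" name="num" size="4" />
  <input type="submit" value="Compute" />
</form>

<msp:evaluate>
  (* The form fields arrive as the input variables $$expr and $$num.
     MSPBlock applies the security test to both before the body runs;
     if either fails, a security exception is thrown and Factor is
     never evaluated. *)
  MSPBlock[{$$expr, $$num},
    Factor[$$expr^$$num]]
</msp:evaluate>

<msp:evaluate>
  (* Same input handled with MSPToExpression: test and convert once,
     then keep the result in an ordinary (non-$$) variable.
     Do not write ToExpression[$$expr] here. *)
  poly = Null;
  If[MSPValueQ[$$expr],
    poly = MSPToExpression[$$expr]];
</msp:evaluate>

<msp:evaluate>
  (* Only the converted value is used from here on; the raw $$expr
     string is not touched again. *)
  If[poly =!= Null, D[poly, x]]
</msp:evaluate>
</body>
</html>
```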

Avoid ToExpression

One of the key functions to avoid is ToExpression, the command that turns a string into a Mathematica program. In fact, well-written Mathematica programs rarely need to actually use this. One case might be when an input has been passed with the web request. But this is exactly what MSPToExpression is for, and ToExpression should not be used.
webMathematica still provides a check to prevent users from calling ToExpression on input to the server. For example, in the following the security test is still applied to the input.

Security Validation

The Validation Process


Configuring a Security Model

To make your own security definitions, put them into a file in the /WEB-INF directory. The name of the file is set in the MSPConfiguration.xml file with the configuration parameter SecurityConfigurationFile, which gives the name relative to the base of the web application. For example, if the configuration information is in a file called ComputeSiteSecurity.m, inside WEB-INF, the following should be added to MSPConfiguration.xml.
<SecurityConfigurationFile>
/WEB-INF/ComputeSiteSecurity.m
</SecurityConfigurationFile>
As described in the section on Multiple Kernel Pools, it is possible to use different configuration details for different request URLs. Each pool has its own configuration file and its own security system.

ToExpression Validation

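The webMathematica security system adds a security test to ToExpression when it is used on input from the server. This is described in the section on avoiding ToExpression. The check is controlled by the CheckToExpression configuration parameter in MSPConfiguration.xml; the setting below turns it off, so ToExpression applied to input is no longer tested.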
<CheckToExpression>
false
</CheckToExpression>

Security and Kernel Pools

The security system is configured as part of a kernel pool. This means you can have different styles of security configuration for different types of access. More information can be found in the section on kernel pools.

Access Restrictions

You may wish to restrict access to certain parts of your system such as the Kernel Monitor, which is provided for monitoring and debugging your system. In this case, refer to the sections on Logging and the Kernel Monitor. The installation section on Apache and Tomcat describes how this can be done when webMathematica is used from the Apache web server.