
Java EE Platform Security: What is included, what is missing. Masoud Kalali, author of the GlassFish Security book




1 Java EE Platform Security: What is included, what is missing. Masoud Kalali, author of the GlassFish Security book

2 What can Security refer to?

3 Security requirements

- Authentication
- Authorization
- Transport security
- Single Sign-On

4 Java EE and Security Requirements I

Code fragments on the slide (the annotation that opens the first fragment is cut off in the transcript; the login snippet is shown with consistent variable names):

    ... = {"manager", "administrator"})) ...

    String username = request.getParameter("username");
    String password = request.getParameter("password");
    request.login(username, password);
    ....

    Configuration fragment (markup lost in extraction): BASIC JDBCRealm

What Java EE provides for authentication:
- Authentication methods (Form, Basic, Digest, Client-Cert)
- Security realms
- Programmatic login/logout, setHttpOnly
- Adding new realms or extending the current realms
- JSR-196, pluggable authentication

5 Java EE and Security Requirements II

What the Java EE platform provides for authorization:
- Role-based access control over resources
- Roles are defined in a vendor-specific way
- Roles are based on the information from the same security realm
- Enforced using annotations or XML descriptors
- Can be extended using JSR-115

Table on the slide (flattened in the transcript; column headers: Annotation, Targets, Level, Target, Method; sample row: EJB, manager, Emp, getAge)

6 Java EE and Security Requirements III

The transport security facilities:
- Confidentiality
- Data integrity
- Different sets of resources, different levels of transport security

Example security constraint on the slide (XML markup lost in extraction): display name "Current Online Users", web resource "online users", URL pattern /admin/online/*, role manager, transport guarantee CONFIDENTIAL
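A worked example for slides 4 to 6, added here and not taken from the presentation or from GlassFish: the programmatic login and the role-plus-CONFIDENTIAL constraint written as two Servlet 3.0 servlets (each belongs in its own source file). The class names LoginServlet and OnlineUsersServlet, and a realm already configured in the deployment's login-config, are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Programmatic authentication (slide 4): authenticate against the realm named in
// <login-config> and give the caller a fresh session afterwards. Assumed class name.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();   // drop the pre-auth session (fixation defence)
        try {
            req.login(username, password);   // Servlet 3.0; throws ServletException on failure
        } catch (ServletException failed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // one answer for every failure
            return;
        }
        req.getSession(true);   // new session id now that the principal is set
        resp.sendRedirect(req.getContextPath() + "/admin/online/");
    }
}

// Declarative authorization and transport guarantee (slides 5 and 6): the same rule as a
// <security-constraint> on /admin/online/* for role manager with CONFIDENTIAL transport.
@WebServlet("/admin/online/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"manager", "administrator"},
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class OnlineUsersServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Reached only by an authenticated manager/administrator over TLS; the container enforced both.
        resp.setContentType("text/plain");
        resp.getWriter().println("online users, requested by " + req.getUserPrincipal().getName());
    }
}
```

The annotation form and a web.xml security-constraint are interchangeable; if both are present for the same URL pattern, the descriptor takes precedence.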

7 Java EE and Security Requirements IV

What the Java EE platform provides for SSO:
- Nothing from the JSRs themselves
- Application servers provide some basic functionality, with restrictions:
  - Same realm
  - Same virtual server / host
- Other solutions: proxies, e.g. delegating authentication to Apache via mod_proxy
- Clustering the instances (needs the same realm)

8 Is that All?

Really, is that all we need to have?
Do we miss anything major?
Is there anything still basic and good to have?

9 Basic, but missing requirements

- Authentication chain
- Fine-grained access control
- Single Sign-On

10 Basic, but missing requirements I

Chain of authentication challenges:
- If one realm or provider fails, chain to the next one
- Put challenges together in groups
- Basic rules to form the groups

Authentication levels:
- Higher level for more secure realms
- More resources accessible at higher authentication levels

Authentication chain:

11 Basic, but missing requirements II

Fine-grained access control:
- Coarse-grained allow/deny is not sufficient anymore
- A very common issue: time- and location-based access control
- XACML is there, but not in the platform
- Attribute-based access evaluation: attributes for all involved factors
- Version 2 is mature enough, version 3 is around the corner
- JBoss and Sun open source XACML implementations

12 Basic, but missing requirements III

What to do with more SSO requirements?
- It may never get into the platform
- Involves more than just Java EE
- Heavy, complex and open-ended
- Go with JOSSO, go with OpenSSO; both work with CDSSO
- Integrate with many platforms/servers
- Can be used from almost any language

13 Time For Questions Questions? You can contact me at or

