Java Application Security Integration


1 Java Application Security Integration
WAS CLASS

2 Agenda
- Introduction
- Challenges
- Technology overview
- Examples of use: solving integration problems
- Conclusion

3 What is Security?
"Freedom from risk or danger; safety." (source: dictionary.com)
Core pillars:
- Authentication
- Authorization
- Integrity
- Confidentiality
- Non-repudiation
Disciplines:
- Threat assessment
- Policy definition
- Administration
- Intrusion detection
- Optimization / vulnerability assessment
Application security builds on infrastructure security.

4 Authentication Challenges
- Multiple realms: different technologies (OS, directory, database, AAA, file, legacy…)
- Multiple instances, internally and cross-organization (trust)
- Single sign-on / reduced sign-on
- Strong authentication: PKI (how to do key management?), multi-factor?
- Delegation

5 Authorization Challenges
- Defining roles and permissions: mapping and specializing
- Functional authorization: for resource, service, component, class and method
- Data-driven authorization: for instance-level and field-level access
- UI: showing only authorized fields and commands (buttons)
- Consistent enforcement

6 Additional Challenges
- Non-repudiation: tracking audit trails; digital signatures?
- Confidentiality: field-level encryption; at-rest encryption (preferably in the infrastructure!)
- Integrity: digital signatures

7 Application Security Architecture
[Figure: an end-user crosses the perimeter into the Interaction Tier, which calls service operations in the Application Tier, which uses the Resource Tier]

8 Security Technologies
- The Java platform: JAAS
- Application servers
- Security products
- Fine-grained security: Aspect-Oriented Programming, filters and proxies
- Web services

9 Application Security Domains
[Figure: domains Edge, UI, Domain and Data against the activities Identify, Protect and Manage; technologies placed on the grid: security servers (AAA), web services, SSL/PKI, database, fine-grained security (AOP…), application servers, JAAS]

10 Java Security
Secure platform since inception:
- sandbox supports untrusted code
- no pointers, bounds checking, GC
JCA, JCE: cryptography, certificates, keys
JAAS: pluggable authentication; AccessController authorizes access
J2SE 1.4 moves the JAAS capabilities into the core platform

11 JAAS Authentication
[Figure] Source: Sun Microsystems

12 JAAS Authorization
[Figure] Source: Sun Microsystems

13 J2EE Security
Declarative:
- Role names and mapping
- Web resource constraints
- EJB component and method constraints
Programmatic:
- Principal (name)
- Role membership

14 Application Server Integration
Until now:
- Container-specific realms for authentication
- Container-specific policy for authorization
- JAAS not integrated
J2EE 1.4 will standardize with JAAS:
- Java Authorization Contract for Containers (JACC, JSR 115)
- Java Authentication Service Provider Interface for Containers (JASPIC, JSR 196; it eventually shipped with Java EE 6 rather than J2EE 1.4)

15 J2EE 1.4 Security Architecture
[Figure] Source: Sun Microsystems

16 AAA products
[Figure: the tiered architecture of slide 7 with a policy enforcement point (PEP) at the perimeter and in front of the service operations, a policy decision point (PDP), and an admin managing identity and access]
E.g., Netegrity, RSA, Oblix, Tivoli, Oracle…

17 Security Integration Framework Example
[Figure: WebLogic Security Framework 8.1, Quadrasis] Source: BEA

18 Web Services Security
[Figure] Source: Sun Microsystems

19 Aspect-Oriented Programming (AOP)
Auxiliary concerns are scattered and tangled:
- Security: authorization, identity management, audit trail
- Business rules
- Error handling
So AOP uses aspects to provide:
- modular support for crosscutting concerns
- language and tool integration
Evolutionary step for software development: structured → objects → components → aspects
[Figure: "AOP turns this… into this": the same concern scattered across many classes before, gathered into one aspect after]

20 Filters & Proxies
Special-case support for crosscutting
Servlet filters:
- Apply to all (or selected) servlet requests to enforce policy
- Authentication (JAAS, single sign-on…)
- Authorization (set up the Subject for doAs…)
Dynamic proxies:
- Allow wrapping interfaces
- Can separate data-driven authorization
- Still scatter the policy implementation

21 Functional Authorization Example
"Add bug" use case:
- Forces authentication
- Projects in groups with corresponding roles
- Functional authorization: check the bug-entry role
- UI filtering: only employees can edit the status

22 Traditional Web Container Security

23 Web Deployment Descriptor
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/aTrack/internal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>internal</role-name>
  </auth-constraint>
</security-constraint>
Because no <http-method> is listed, the constraint covers every HTTP method; listing only some methods leaves the unlisted ones unconstrained.

24 Web Deployment Descriptor
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>aTrack</realm-name>
  <form-login-config>
    <form-login-page>/aTrack/protected/login.jsp</form-login-page>
    <form-error-page>/aTrack/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>internal</role-name>
</security-role>

25 Tomcat 4.x JDBC Realm Setup
<Server className="org.apache.catalina.core.StandardServer" debug="0" port="8005" shutdown="SHUTDOWN">
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost/authority?user=dbuser&amp;password=dbpass"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
Three things to check before using this fragment: server.xml is XML, so the "&" in the connection URL must be written "&amp;" (or pass the credentials through the realm's connectionName and connectionPassword attributes instead of the URL); the credential column is compared in plaintext unless the realm's digest attribute names a MessageDigest algorithm, so store hashed passwords; and debug="99" logs every realm operation, which does not belong in production.

26 UI Filtering
…
<% if (SecurityUtils.getRoles(getUser()).contains("internal")) { %>
  <html:list property="status">
<% } else { %>
  <html:label property="status">
<% } %>

27 Security Server Implementation
This scenario demonstrates single sign-on use, with the PEP able to redirect to communicate with

28 JAAS Authentication in Web Container

29 JAAS Authorization in Web Container

30 Servlet Filter to Set Up JAAS
public class AccessFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) request).getSession();
        Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
        if (subject == null) {
            // redirect to force authentication, then stop processing this request
            return;
        }
        try {
            // run the rest of the chain with the authenticated Subject in scope
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    chain.doFilter(request, response);
                    return null;
                }
            }, null);
        } catch (PrivilegedActionException e) {
            // unwrap: doFilter may only throw IOException or ServletException
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }
}

31 JAAS Authorization
public class AddBugAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // does the user have permission to enter bugs?
        // throws AccessControlException unless the Subject set up by the filter is granted it
        AccessController.checkPermission(new AtrackPermission("bugEntry"));
        // … add the bug, then forward (the forward name is an assumption)
        return mapping.findForward("success");
    }
}

32 UI Filtering
<% if (getUserPrincipals().contains("internal")) { %>
  <html:list property="status">
<% } else { %>
  <html:label property="status">
<% } %>

33 AspectJ JAAS Authentication
public aspect RoleBasedAccess {
    // every doGet/doPost/... of a SensitiveServlet, with request and response exposed
    private pointcut request(HttpServletRequest request, HttpServletResponse response) :
        execution(* HttpServlet.do*(..)) && this(SensitiveServlet) && args(request, response);

    // every method of the sensitive model package
    private pointcut sensitiveOperations() :
        execution(* atrack.model.sensitive.*.*(..));

34 AspectJ JAAS Authentication
    void around(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException : request(request, response) {
        HttpSession session = request.getSession();
        Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
        if (subject == null) {
            // redirect to force authentication; the servlet method does not run
            return;
        }
        try {
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    proceed(request, response);
                    return null;
                }
            }, null);
        } catch (PrivilegedActionException e) {
            // unwrap: the advised do*() methods declare only these two checked exceptions
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

35 AspectJ JAAS Authorization
    before() : sensitiveOperations() {
        Permission permission = getPermission(thisJoinPoint.getSignature().getName());
        AccessController.checkPermission(permission);
    }

    private Permission getPermission(String methodName) {
        // config or database lookup maps the method name to the permission it needs;
        // a direct mapping stands in for that lookup here
        return new AtrackPermission(methodName);
    }
}
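Slides 31 and 35 check an AtrackPermission but leave the permission class and the "config or database lookup" behind it unstated. The following is an added example, not code from the deck: it defines AtrackPermission on java.security.BasicPermission (so "bug.*" implies "bug.entry"), builds the role-to-permission table the lookup would supply, and performs the check against a caller's role set directly rather than through AccessController, which has been deprecated for removal since JDK 17. The grants table, role names and method names are constructed assumptions.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example (not the deck's code). The grants table and names are assumptions.
public final class AtrackPermissions {

    /** Named permission; BasicPermission supplies the trailing-wildcard rule ("bug.*"). */
    public static final class AtrackPermission extends BasicPermission {
        public AtrackPermission(String name) { super(name); }
    }

    /** Role -> granted permissions. In a real deployment this comes from config or a database. */
    private static final Map<String, PermissionCollection> GRANTS = new HashMap<>();
    static {
        grant("employee", "bug.entry", "bug.view");
        grant("internal", "bug.*");   // every bug operation, current and future
        grant("admin", "*");          // everything
    }

    private static void grant(String role, String... names) {
        PermissionCollection pc = new AtrackPermission("placeholder").newPermissionCollection();
        for (String n : names) {
            pc.add(new AtrackPermission(n));
        }
        GRANTS.put(role, pc);
    }

    /** Method name -> required permission: the lookup slide 35's getPermission() stands for. */
    public static Permission permissionFor(String methodName) {
        switch (methodName) {
            case "addBug":  return new AtrackPermission("bug.entry");
            case "viewBug": return new AtrackPermission("bug.view");
            default:        return new AtrackPermission("admin." + methodName);
        }
    }

    /** True if any of the caller's roles holds a permission that implies the one needed. */
    public static boolean isGranted(Set<String> roles, Permission needed) {
        for (String role : roles) {
            PermissionCollection pc = GRANTS.get(role);
            if (pc != null && pc.implies(needed)) {
                return true;
            }
        }
        return false;
    }

    /** The functional check the slides do with AccessController, done against the role set. */
    public static void checkPermission(Set<String> roles, String methodName) {
        Permission needed = permissionFor(methodName);
        if (!isGranted(roles, needed)) {
            throw new SecurityException("roles " + roles + " do not imply " + needed);
        }
    }

    public static void main(String[] args) {
        // constructed callers
        Set<String> employee = Set.of("employee");
        Set<String> internal = Set.of("internal");
        for (String method : new String[] {"addBug", "viewBug", "closeProject"}) {
            System.out.println("employee " + method + ": " + isGranted(employee, permissionFor(method)));
            System.out.println("internal " + method + ": " + isGranted(internal, permissionFor(method)));
        }
        checkPermission(internal, "addBug");   // passes: "bug.*" implies "bug.entry"
        try {
            checkPermission(employee, "closeProject");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The wildcard matters for maintenance: a new sensitive method whose permission name sits under "bug." is covered by the "internal" grant without a table change, while the "employee" grant stays an explicit allow-list. Keep the check on the server side of every entry point; the JSP-level filtering on slides 26 and 32 only hides controls, it does not enforce.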

36 Data-Driven Authorization Example
"Edit employee data" use case:
- Data-driven: the employee, their manager (transitively) and the HR admin role
- UI filtering: invisible, visible, editable
- Possible extension, trust delegation: check again in the domain tier on commit

37 Data-Driven Authorization
EJB security

38 EJB Implementation
public class Employee {
    …
    // EjbContext is the deck's own context type; javax.ejb.EJBContext exposes the
    // same information through getCallerPrincipal()
    public int getSSN(EjbContext securityContext) {
        Principal p = securityContext.getPrincipal();
        Employee caller = Employee.getEmployee(p);
        if (caller == null || !this.reportsTo(caller)) {
            // record attempted security violation
            throw new AuthorizationException("…");
        }
        // and log data access to audit trail
        return ssn;
    }

    public double getSalary(EjbContext securityContext) {
        // same check as getSSN
        …
    }
Note that we need to propagate the security context, either by threading it as a parameter or by using a global/context somewhere.

39 Propagating Context
public class ServiceEjb {
    public int getEmployeeDetails() {
        // the context is threaded through every layer by hand
        return employees.getRows(getContext());
    }
}

public class Employees {
    public int getRows(EjbContext securityContext) {
        return employee.getSSN(securityContext);
    }
}

40 JAAS Implementation
public class Employee {
    // Employee implements Principal so that the authenticated Subject can carry it
    public int getSSN(Subject subject) {
        Set s = subject.getPrincipals(Employee.class);
        boolean ok = false;
        for (Iterator it = s.iterator(); it.hasNext();) {
            Employee caller = (Employee) it.next();
            if (this.reportsTo(caller)) ok = true;
        }
        if (!ok) {
            // record attempted security violation
            throw new AuthorizationException("…");
        }
        // and log data access to audit trail
        return ssn;
    }

    public double getSalary(Subject subject) {
        …
The access controller provides the security context, either by threading it as a parameter or by using a global/context somewhere.

41 JAAS Set Up
public class Service {
    public int getEmployeeDetails() throws Exception {
        Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
        if (subject == null) {
            // forward to force authentication
        }
        try {
            Integer rows = (Integer) Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    return new Integer(employees.getRows(subject));
                }
            }, null);
            return rows.intValue();
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }
}

42 Proxy Set Up
public class EmployeeFactory {
    public Employee getEmployee(int key, EjbContext context) {
        Employee target = lookup(key);   // hypothetical: loads the real record for key
        InvocationHandler handler = new EmployeeInvocationHandler(target, context);
        // Employee must be an interface for java.lang.reflect.Proxy to implement it
        return (Employee) Proxy.newProxyInstance(
            Employee.class.getClassLoader(), new Class[] { Employee.class }, handler);
    }
}

43 Proxy Implementation
public class EmployeeInvocationHandler implements InvocationHandler {
    private final Employee target;     // the real object behind the proxy
    private final EjbContext context;

    public EmployeeInvocationHandler(Employee target, EjbContext context) {
        this.target = target;
        this.context = context;
    }

    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        if (isSensitive(method)) {
            Principal p = context.getPrincipal();
            Employee caller = Employee.getEmployee(p);
            if (caller == null || !target.reportsTo(caller)) {
                // record attempted security violation
                throw new AuthorizationException("…");
            }
            // and log data access to audit trail
        }
        // invoke on the target, never on the proxy: that would re-enter this handler
        return method.invoke(target, args);
    }
}
The access controller provides the security context, either by threading it as a parameter or by using a global/context somewhere.

44 Data-Driven Authorization Using Aspects
[Figure: the EmployeeDataAuthorization aspect applied across the EJB calls]

45 Policy Definition Aspect
public aspect SecurityPolicy {
    // sensitive Employee getters, called while a top-level EJB operation is in progress
    public pointcut securedCall(ManagedSessionBean ejb) :
        cflow(EjbPointcuts.ejbTopLevelExec(*) && this(ejb)) &&
        (call(* Employee.getSalary(..)) ||
         call(* Employee.getSSN(..)) ||
         call(* Employee.getAddress(..)));
}
This uses the sample DefaultEJB aspect and associated ManagedSessionBean interface from the Timer example.

46 Data Authorization Aspect
public aspect EmployeeDataAuthorization {
    before(ManagedSessionBean ejb, Employee employee) :
            SecurityPolicy.securedCall(ejb) && target(employee) {
        Principal p = ejb.getContext().getPrincipal();
        Employee caller = Employee.getEmployee(p);
        if (caller == null || !employee.reportsTo(caller)) {
            // record attempted security violation
            throw new AuthorizationException("…");
        }
        // and log data access to audit trail
    }
}
This uses the sample DefaultEJB aspect and associated ManagedSessionBean interface from the Timer example.
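Slide 36 states the policy (the employee, their manager transitively, and the HR admin role; UI states invisible, visible, editable), but slides 38 through 46 only ever test reportsTo. The following is an added example, not code from the deck, that carries the full policy in one place: a transitive reportsTo with a cycle guard, the three-way decision used for UI filtering, an audit entry for every decision including denials, and the domain-tier check slide 36 suggests repeating on commit. The Employee class, its fields and the "hr-admin" role name are assumptions chosen to match the slides' vocabulary; modern Java is used rather than the J2SE 1.4 of the deck.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example (not the deck's code). Employee, reportsTo and "hr-admin" are assumptions.
public final class EmployeeDataPolicy {

    /** Minimal employee record; implements Principal so it can sit in a JAAS Subject. */
    public static final class Employee implements Principal {
        private final String name;
        private final Set<String> roles;
        private Employee manager; // null at the top of the org chart

        public Employee(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }

        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
        public void setManager(Employee manager) { this.manager = manager; }

        /** True if candidate manages this employee directly or at any distance up the chain. */
        public boolean reportsTo(Employee candidate) {
            Set<Employee> visited = new HashSet<>(); // a cyclic org chart must not loop forever
            for (Employee m = manager; m != null && visited.add(m); m = m.manager) {
                if (m == candidate) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Outcome for one field of one record: the three UI filtering states of slide 36. */
    public enum Access { INVISIBLE, VISIBLE, EDITABLE }

    public static final String HR_ADMIN = "hr-admin";
    private final List<String> auditTrail = new ArrayList<>();

    /** Decide what caller may do with field on target; every decision is audited, denials too. */
    public Access decide(Employee caller, Employee target, String field) {
        Access result;
        if (caller == null) {
            result = Access.INVISIBLE;
        } else if (caller.hasRole(HR_ADMIN) || caller == target) {
            result = Access.EDITABLE; // HR admins and the employee themselves may edit
        } else if (target.reportsTo(caller)) {
            result = Access.VISIBLE;  // managers, at any distance, may read
        } else {
            result = Access.INVISIBLE;
        }
        auditTrail.add((caller == null ? "anonymous" : caller.getName())
                + " -> " + target.getName() + "." + field + ": " + result);
        return result;
    }

    /** Domain-tier enforcement: the UI may hide a field, but this is what actually refuses it. */
    public void checkRead(Employee caller, Employee target, String field) {
        if (decide(caller, target, field) == Access.INVISIBLE) {
            throw new SecurityException("not authorized to read " + target.getName() + "." + field);
        }
    }

    public List<String> getAuditTrail() { return auditTrail; }

    public static void main(String[] args) {
        // constructed sample org chart: ceo -> vp -> alice, bob; hr holds the HR admin role
        Employee ceo = new Employee("ceo"), vp = new Employee("vp");
        Employee alice = new Employee("alice"), bob = new Employee("bob");
        Employee hr = new Employee("hr", HR_ADMIN);
        vp.setManager(ceo);
        alice.setManager(vp);
        bob.setManager(vp);

        EmployeeDataPolicy policy = new EmployeeDataPolicy();
        policy.decide(alice, alice, "ssn");   // alice reading her own record
        policy.decide(ceo, alice, "salary");  // a manager two levels up
        policy.decide(hr, alice, "salary");   // the HR admin role
        policy.decide(bob, alice, "ssn");     // a peer
        try {
            policy.checkRead(bob, alice, "ssn");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        policy.getAuditTrail().forEach(System.out::println);
    }
}
```

Two design points carry over to the deck's EJB, proxy and aspect variants: the decision and the audit entry live in one method, so no call path can be authorized without being logged, and the transitive walk is bounded by the visited set rather than by trusting the org chart to be a tree.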

47 Security: UI Filtering Requirements
- Only authorized fields
- Only links to authorized resources
- Edit a field only if authorized
- Saved with the same key as edited
- Within JSP, servlet, etc.
Might demo, time permitting

48 AOP Implementation Strategy for JSP
Advice finds the unauthorized field display:
- catch SecurityExceptions and flag them
- a filter removes the complete context
We'll use a servlet filter; one can also intercept PageContextFactory to extend PageContext and wrap the PrintWriter.
Deployment options:
- precompile JSPs, then link aspects in
- configure the JSP compiler to use ajc (we'll use this with Tomcat)
- the classloader (if available, e.g., WLS)
WebLogic 8.1 will support AspectJ and AspectWerkz classloaders. AspectWerkz supports weaving in any classloader but the system classloader; we expect a future version of AspectJ will allow this too.

49 Catching Unauthorized Fields in JSP
Object around() throws JspException :
        securityChecks() && call(* *(..) throws (Throwable || Exception || JspException)) {
    try {
        return proceed();
    } catch (JspException je) {
        // the JSP runtime stores the underlying exception in the page context
        Exception e = (Exception) pageContext.getAttribute(
            Globals.EXCEPTION_KEY, PageContext.REQUEST_SCOPE);
        if (e instanceof SecurityException) {
            handleSecurityException(e);
            return null; // void or filtered...
        }
        throw je;
    }
}
When a security exception occurs, we note the fact

50 Aspect Uses FilteringResponse
Object around() : securityChecks() {
    try {
        return proceed();
    } catch (SecurityException e) {
        handleSecurityException(e);
        return null; // void or filtered...
    }
}

private void handleSecurityException(Exception e) {
    try {
        jspWriter.flush(); // force buffer synch
    } catch (java.io.IOException ioe) {
        throw new RuntimeException("error flushing", ioe);
    }
    // specialized Response object adds the position to
    // a list of "locations to filter"; the contents are
    // then removed when flushing the buffer
    response.removeCurrentSection();
}
… then filter it
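The deck names a FilteringResponse that remembers positions and removes a section when flushing, but does not show it. The following is an added example, not the deck's code, of that buffer in plain Java with no JSP dependency: a section records the output position at its start, and if rendering it throws SecurityException everything written since that position is discarded, so neither the field's value nor its label or markup reaches the page. The employee card markup, the salary getter and the "internal" role check are constructed assumptions.

```java
// Added example (not the deck's code). Markup, getter and role check are assumptions.
public final class FilteringBuffer {
    private final StringBuilder out = new StringBuilder();

    public void write(String text) {
        out.append(text);
    }

    /**
     * Render one field through the buffer. The output position at section start is
     * remembered; if rendering throws SecurityException, everything written since that
     * position is removed, including markup emitted before the getter was called.
     * Sections nest safely because each call keeps its own start position.
     */
    public void section(Runnable render) {
        int start = out.length();
        try {
            render.run();
        } catch (SecurityException e) {
            out.setLength(start); // the unauthorized section leaves no trace
        }
    }

    /** Hand the page to the response and reset the buffer. */
    public String flush() {
        String page = out.toString();
        out.setLength(0);
        return page;
    }

    /** Stand-in for a data-driven getter that refuses callers outside the "internal" role. */
    static String salary(boolean internal) {
        if (!internal) {
            throw new SecurityException("salary is not visible to this caller");
        }
        return "100000";
    }

    /** Render the employee card; only the caller's role decides whether the salary row survives. */
    public static String renderCard(boolean internal) {
        FilteringBuffer buf = new FilteringBuffer();
        buf.write("<tr><td>Name</td><td>alice</td></tr>\n");
        buf.section(() -> {
            buf.write("<tr><td>Salary</td><td>"); // already written when the getter throws
            buf.write(salary(internal));
            buf.write("</td></tr>\n");
        });
        buf.write("<tr><td>Status</td><td>active</td></tr>\n");
        return buf.flush();
    }

    public static void main(String[] args) {
        System.out.println("--- internal caller ---");
        System.out.print(renderCard(true));
        System.out.println("--- external caller ---");
        System.out.print(renderCard(false));
    }
}
```

Buffering is what makes the rollback possible: a response that has already streamed the "<tr><td>Salary" prefix to the client cannot take it back, which is why the deck's handleSecurityException flushes the JspWriter into the filtering response first and removes the section there rather than on the wire.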

51 Security Integration
Many options for each of: application AAA, data protection, message protection
The scenarios have illustrated:
- trade-offs among approaches
- possible integration ideas
Standards are improving integration, but an architecture is still needed.

52 Conclusion
Application security is multi-faceted:
- many challenges
- pervasive in solutions
- additional to infrastructure security
Solutions are available:
- need for explicit policy
- various trade-offs
An effective architecture is critical to integrate the new technologies.

