1
Java Application Security Integration
WAS CLASS
2
Agenda
- Introduction
- Challenges
- Technology Overview
- Examples of Use: solving problems, integration
- Conclusion
3
What is Security?
"Freedom from risk or danger; safety." (source: dictionary.com)
- Core pillars: Authentication, Authorization, Integrity, Confidentiality, Non-repudiation
- Disciplines: Threat Assessment, Policy Definition, Administration, Intrusion Detection, Optimization/Vulnerability Assessment
- Application security builds on infrastructure security
4
Authentication Challenges
- Multiple realms: different technologies (OS, directory, database, AAA, file, legacy…); multiple instances internally and across organizations (trust)
- Single sign-on / reduced sign-on
- Strong authentication: PKI (how to do key management?), multi-factor?
- Delegation
5
Authorization Challenges
- Defining roles & permissions: mapping & specializing
- Functional authorization: for resource, service, component, class & method
- Data-driven authorization: for instance-level & field-level access
- UI: showing only authorized fields and commands (buttons)
- Consistent enforcement
6
Additional Challenges
- Non-repudiation: tracking audit trails; digital signatures?
- Confidentiality: field-level encryption; at-rest encryption (preferably in the infrastructure!)
- Integrity: digital signatures
7
Application Security Architecture
Architecture diagram with the labels: end-user, Perimeter, Interaction Tier, Application Tier, Resource Tier, Service operations.
8
Security Technologies
- The Java platform: JAAS
- Application servers
- Security products
- Fine-grained security: Aspect-Oriented Programming; filters and proxies
- Web services
9
Application Security Domains
Diagram of application security domains. Domains: Edge, UI, Domain, Data. Activities: Identify, Protect, Manage. Technologies placed in the grid: Security Servers (AAA), Web Services, SSL/PKI, Database, Fine-grained Security (AOP…), Application Servers, JAAS.
10
Java Security
- Secure platform since inception: the sandbox supports untrusted code; no pointers, bounds checking, GC
- JCA, JCE: cryptography, certificates, keys
- JAAS: pluggable authentication; the AccessController authorizes access
- J2SE 1.4 moves the JAAS capabilities into the core platform
11
JAAS Authentication (diagram; source: Sun Microsystems)
12
JAAS Authorization (diagram; source: Sun Microsystems)
13
J2EE Security
- Declarative: role names and mapping; web resource constraints; EJB component and method constraints
- Programmatic: Principal (name); role membership
14
Application Server Integration
- Until now: container-specific realms for authentication; container-specific policy for authorization; JAAS not integrated
- J2EE 1.4 will standardize with JAAS: Java Authorization Contract for Containers (JACC = JSR 155) and Java Authentication Service Provider Interface for Containers (JASPIC = JSR 196)
15
J2EE 1.4 Security Architecture (diagram; source: Sun Microsystems)
16
AAA Products (e.g., Netegrity, RSA, Oblix, Tivoli, Oracle…)
Diagram with the labels: end-user, Perimeter, Interaction Tier, Application Tier, Resource Tier, Service operations; a PEP (policy enforcement point) at the perimeter and a PDP (policy decision point), with an admin managing identity and access.
17
Security Integration Framework Example
WebLogic Security Framework 8.1, Quadrasis (diagram; source: BEA)
18
Web Services Security (diagram; source: Sun Microsystems)
19
Aspect-Oriented Programming (AOP)
- Auxiliary concerns are scattered and tangled: security (authorization, identity management, audit trail); business rules; error handling
- So AOP uses aspects to provide: modular support for crosscutting concerns; language and tool integration
- Evolutionary step for software development: structured, objects, components, aspects
(Diagram: "AOP turns this... into this")
20
Filters & Proxies: special-case support for crosscutting
- Servlet filters: allow all/certain servlet requests to enforce policy; authentication (JAAS, single sign-on…); authorization (set up doAsSubject…)
- Dynamic proxies: allow wrapping interfaces; can separate data-driven authorization
- Still scatters the policy implementation
21
Functional Authorization Example
Add bug use case:
- Forces authentication
- Projects in groups with corresponding roles
- Functional authorization: check the bug entry role
- UI filtering: only employees can edit status
22
Traditional Web Container Security
23
Web Deployment Descriptor
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/aTrack/internal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>internal</role-name>
  </auth-constraint>
</security-constraint>
…
24
Web Deployment Descriptor
…
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>aTrack</realm-name>
  <form-login-config>
    <form-login-page>/aTrack/protected/login.jsp</form-login-page>
    <form-error-page>/aTrack/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>internal</role-name>
</security-role>
25
Tomcat 4.x JDBC Realm Setup
<Server className="org.apache.catalina.core.StandardServer" debug="0" port="8005" shutdown="SHUTDOWN">
  …
  <!-- Stored credentials are compared in cleartext unless a digest attribute (e.g. digest="SHA") is set -->
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost/authority?user=dbuser&amp;password=dbpass"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
</Server>
26
UI Filtering
…
<% if (SecurityUtils.getRoles(getUser()).contains("internal")) { %>
  <html:list property="status">
<% } else { %>
  <html:label property="status">
<% } %>
27
Security Server Implementation
This scenario demonstrates single sign-on use, with the PEP able to redirect to communicate with
28
JAAS Authentication in Web Container
29
JAAS Authorization in Web Container
30
Servlet Filter to Set Up JAAS
public class AccessFilter implements Filter {
  // SUBJECT_ID is the session key under which the login step stored the Subject;
  // LOGIN_PAGE (a placeholder name) is where unauthenticated requests are sent
  public void doFilter(final ServletRequest request, final ServletResponse response,
                       final FilterChain chain) throws IOException, ServletException {
    HttpSession session = ((HttpServletRequest) request).getSession();
    Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
    if (subject == null) {
      // redirect to force authentication
      ((HttpServletResponse) response).sendRedirect(LOGIN_PAGE);
      return;
    }
    try {
      // run the rest of the chain with the Subject bound to the access control context
      Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
        public Object run() throws Exception {
          chain.doFilter(request, response);
          return null;
        }
      }, null);
    } catch (PrivilegedActionException e) {
      Exception cause = e.getException();
      if (cause instanceof ServletException) throw (ServletException) cause;
      if (cause instanceof IOException) throw (IOException) cause;
      throw new ServletException(cause);
    }
  }
}
31
JAAS Authorization
public class AddBugAction extends Action {
  public ActionForward execute(ActionMapping mapping, ActionForm form,
                               HttpServletRequest request, HttpServletResponse response)
      throws Exception {
    // does the user have permission to enter bugs?
    AccessController.checkPermission(new AtrackPermission("bugEntry"));
    …
  }
}
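The check above works only if two things exist that the slide leaves implicit: an AtrackPermission class and a policy that grants it to the right principals. The following added example (not the deck's code) supplies both: a BasicPermission subclass, a programmatic Policy standing in for a policy-file grant to the "internal" role, and the AccessController check run under Subject.doAsPrivileged so that the Subject's principals reach the policy. The RolePolicy and RolePrincipal names and the sample subjects are assumptions. Subject.doAsPrivileged, AccessController and Policy.setPolicy are deprecated from JDK 17 and disabled by JEP 486 in JDK 24, so run this on an earlier JDK.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class AtrackPermissionDemo {

    /** Permission named after an application function, e.g. "bugEntry". */
    public static final class AtrackPermission extends BasicPermission {
        public AtrackPermission(String name) { super(name); }
    }

    /** Minimal role principal; an authenticated Subject carries one per role. */
    public static final class RolePrincipal implements Principal {
        private final String role;
        public RolePrincipal(String role) { this.role = role; }
        public String getName() { return role; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && role.equals(((RolePrincipal) o).role);
        }
        @Override public int hashCode() { return role.hashCode(); }
    }

    /** Programmatic stand-in for the policy-file grant
     *    grant principal RolePrincipal "internal" { permission AtrackPermission "bugEntry"; };
     *  Only domains created by Subject.doAsPrivileged carry principals, so code running
     *  outside a Subject is denied. */
    public static final class RolePolicy extends Policy {
        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            if (!(permission instanceof AtrackPermission)) return false;
            Principal[] principals = domain.getPrincipals();
            if (principals == null) return false;
            for (Principal p : principals) {
                if (p.equals(new RolePrincipal("internal")) && "bugEntry".equals(permission.getName())) {
                    return true;
                }
            }
            return false;
        }
    }

    /** The check AddBugAction performs, run as the given Subject. */
    public static boolean mayEnterBugs(Subject subject) {
        return Subject.doAsPrivileged(subject, new PrivilegedAction<Boolean>() {
            public Boolean run() {
                try {
                    AccessController.checkPermission(new AtrackPermission("bugEntry"));
                    return Boolean.TRUE;
                } catch (AccessControlException denied) {
                    return Boolean.FALSE;   // the web tier would answer with an error page or redirect
                }
            }
        }, null);
    }

    /** Constructed Subject with the given roles, as a LoginModule would have populated it. */
    static Subject subjectWithRoles(String... roles) {
        Set<Principal> principals = new HashSet<Principal>();
        for (String r : roles) principals.add(new RolePrincipal(r));
        return new Subject(true, principals, Collections.<Object>emptySet(), Collections.<Object>emptySet());
    }

    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy());
        System.out.println("internal employee -> " + mayEnterBugs(subjectWithRoles("internal", "employee")));
        System.out.println("customer          -> " + mayEnterBugs(subjectWithRoles("customer")));
    }
}
```

The action never inspects roles itself: it names the function it needs and lets the policy decide who has it, which is what makes the role-to-permission mapping on the Authorization Challenges slide a configuration concern rather than code.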
32
UI Filtering
…
<% if (getUserPrincipals().contains("internal")) { %>
  <html:list property="status">
<% } else { %>
  <html:label property="status">
<% } %>
33
AspectJ JAAS Authentication
public aspect RoleBasedAccess {
  private pointcut request(HttpServletRequest request, HttpServletResponse response) :
      execution(* HttpServlet.do*(..)) && this(SensitiveServlet) && args(request, response);
  private pointcut sensitiveOperations() :
      execution(* atrack.model.sensitive.*.*(..));
34
AspectJ JAAS Authentication
  …
  void around(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException : request(request, response) {
    HttpSession session = request.getSession();
    Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
    if (subject == null) {
      // redirect to force authentication (LOGIN_PAGE is a placeholder for the login URL)
      response.sendRedirect(LOGIN_PAGE);
      return;
    }
    final HttpServletRequest req = request;     // final copies for the anonymous class
    final HttpServletResponse resp = response;
    try {
      Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
        public Object run() throws Exception {
          proceed(req, resp);
          return null;
        }
      }, null);
    } catch (PrivilegedActionException e) {
      Exception cause = e.getException();
      if (cause instanceof ServletException) throw (ServletException) cause;
      if (cause instanceof IOException) throw (IOException) cause;
      throw new ServletException(cause);
    }
  }
35
AspectJ JAAS Authorization
  …
  before() : sensitiveOperations() {
    Permission permission = getPermission(thisJoinPoint.getSignature().getName());
    AccessController.checkPermission(permission);
  }
  private Permission getPermission(String methodName) {
    // config or database lookup; a permission named after the method stands in for it here
    return new AtrackPermission(methodName);
  }
}
36
Data-Driven Authorization Example
Edit employee data use case:
- Data-driven: employee, manager (transitively) and HR admin role
- UI filtering: invisible, visible, editable
- Possible extension, trust delegation: check in the domain tier on commit
37
Data-Driven Authorization
EJB security
38
EJB Implementation
public class Employee {
  …
  public int getSSN(EjbContext securityContext) {
    Principal p = securityContext.getPrincipal();
    Employee caller = Employee.getEmployee(p);
    if (caller == null || !this.reportsTo(caller)) {
      // record attempted security violation
      throw new AuthorizationException("…");
    }
    // and log data access to audit trail
    return ssn;
  }
  public double getSalary(EjbContext securityContext) {
    …
  }
}
Note that we need to propagate the security context, either by threading it as a parameter or by using a global/context somewhere.
39
Propagating Context
public class ServiceEjb {
  public int getEmployeeDetails() {
    …
    employees.getRows(getContext());
    …
  }
}
public class Employees {
  public int getRows(EjbContext securityContext) {
    employee.getSSN(securityContext);
    …
  }
}
40
JAAS Implementation
public class Employee {
  // Employee is used as a Principal here, so the Subject can carry the caller's Employee
  public int getSSN(Subject subject) {
    Set s = subject.getPrincipals(Employee.class);
    boolean ok = false;
    for (Iterator it = s.iterator(); it.hasNext();) {
      Employee caller = (Employee) it.next();
      if (this.reportsTo(caller)) ok = true;
    }
    if (!ok) {
      // record attempted security violation
      throw new AuthorizationException("…");
    }
    // and log data access to audit trail
    return ssn;
  }
  public double getSalary(Subject subject) {
    …
  }
}
The access controller provides the security context, either by threading it as a parameter or by using a global/context somewhere.
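Both the EJB and the JAAS versions of getSSN rely on employee.reportsTo(caller) without showing it, and the requirements slide says the manager check is transitive and that an HR admin role also qualifies. The following added example (not the deck's code) implements that decision on a constructed organization tree: self, any manager up the chain, or an HR admin. It also guards the chain walk against a cycle in bad reference data, which would otherwise loop forever and is treated as a denial. The class layout, the hrAdmin flag and the sample employees are assumptions; the deck's AuthorizationException is replaced by the standard SecurityException.

```java
import java.util.HashSet;
import java.util.Set;

/** Constructed organization model for the "edit employee data" scenario. */
public class EmployeeAccess {

    public static final class Employee {
        final String id;
        final Employee manager;     // null at the top of the hierarchy
        final boolean hrAdmin;      // the HR admin role from the requirements slide
        private final int ssn;      // sensitive field guarded by getSSN

        Employee(String id, Employee manager, boolean hrAdmin, int ssn) {
            this.id = id; this.manager = manager; this.hrAdmin = hrAdmin; this.ssn = ssn;
        }

        /** True if caller is this employee or any manager above them (the "transitively" case).
         *  The visited set stops the walk on a cyclic manager chain; a cycle fails closed. */
        public boolean reportsTo(Employee caller) {
            Set<Employee> seen = new HashSet<Employee>();
            for (Employee e = this; e != null; e = e.manager) {
                if (!seen.add(e)) return false;
                if (e == caller) return true;
            }
            return false;
        }

        /** The data-driven decision: self or manager chain, or an HR admin. */
        public boolean mayView(Employee caller) {
            return caller != null && (caller.hrAdmin || reportsTo(caller));
        }

        /** Mirrors the slides' getSSN(securityContext), with the caller already resolved. */
        public int getSSN(Employee caller) {
            if (!mayView(caller)) {
                // record attempted security violation (audit hook goes here)
                throw new SecurityException((caller == null ? "anonymous" : caller.id)
                    + " may not read SSN of " + id);
            }
            // and log data access to audit trail
            return ssn;
        }
    }

    /** Demo helper: the SSN, or null when access is denied. */
    public static Integer tryRead(Employee target, Employee caller) {
        try {
            return Integer.valueOf(target.getSSN(caller));
        } catch (SecurityException denied) {
            return null;
        }
    }

    public static void main(String[] args) {
        Employee ceo   = new Employee("ceo",   null, false, 111);
        Employee mgr   = new Employee("mgr",   ceo,  false, 222);
        Employee alice = new Employee("alice", mgr,  false, 333);
        Employee bob   = new Employee("bob",   mgr,  false, 444);
        Employee hr    = new Employee("hr",    ceo,  true,  555);

        System.out.println("alice reads alice: " + tryRead(alice, alice));  // self
        System.out.println("mgr reads alice:   " + tryRead(alice, mgr));    // direct manager
        System.out.println("ceo reads alice:   " + tryRead(alice, ceo));    // manager's manager
        System.out.println("hr reads alice:    " + tryRead(alice, hr));     // HR admin role
        System.out.println("bob reads alice:   " + tryRead(alice, bob));    // peer, not in the chain
        System.out.println("alice reads mgr:   " + tryRead(mgr, alice));    // upward, not in the chain
    }
}
```

Keeping the rule in one method (mayView) is what lets the EJB, JAAS, proxy and aspect variants on the following slides differ only in how they obtain the caller, not in the policy they enforce.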
41
JAAS Set Up
public class Service {
  public int getEmployeeDetails() throws Exception {
    final Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
    if (subject == null) {
      // forward to force authentication
      …
    }
    try {
      Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
        public Object run() throws Exception {
          …
          employees.getRows(subject);
          return null;
        }
      }, null);
    } catch (PrivilegedActionException e) {
      throw e.getException();
    }
    …
  }
}
42
Proxy Set Up
public class EmployeeFactory {
  public Employee getEmployee(int key, EjbContext context) {
    Employee target = …;   // look up the real employee by key
    InvocationHandler handler = new EmployeeInvocationHandler(target, context);
    return (Employee) Proxy.newProxyInstance(
        Employee.class.getClassLoader(),
        new Class[] { Employee.class },
        handler);
  }
}
43
Proxy Implementation
public class EmployeeInvocationHandler implements InvocationHandler {
  private final Employee target;     // the real object behind the proxy
  private final EjbContext context;
  public EmployeeInvocationHandler(Employee target, EjbContext context) {
    this.target = target;
    this.context = context;
  }
  public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
    if (isSensitive(method)) {
      Principal p = context.getPrincipal();
      Employee caller = Employee.getEmployee(p);
      if (caller == null || !target.reportsTo(caller)) {
        // record attempted security violation
        throw new AuthorizationException("…");
      }
      // and log data access to audit trail
    }
    // invoke on the target, not on the proxy, or the call would recurse into this handler
    return method.invoke(target, args);
  }
  …
}
The access controller provides the security context, either by threading it as a parameter or by using a global/context somewhere.
44
Data-Driven Authorization Using Aspects (diagram: EmployeeDataAuthorization aspect)
45
Policy Definition Aspect
public aspect SecurityPolicy {
  public pointcut securedCall(ManagedSessionBean ejb) :
      cflow(EjbPointcuts.ejbTopLevelExec(*) && this(ejb))
      && (call(* Employee.getSalary(..))
          || call(* Employee.getSSN(..))
          || call(* Employee.getAddress(..)));
}
This uses the sample DefaultEJB aspect and associated ManagedSessionBean interface from the Timer example.
46
Data Authorization Aspect
public aspect EmployeeDataAuthorization {
  before(ManagedSessionBean ejb, Employee employee) :
      SecurityPolicy.securedCall(ejb) && target(employee) {
    Principal p = ejb.getContext().getPrincipal();
    Employee caller = Employee.getEmployee(p);
    if (caller == null || !employee.reportsTo(caller)) {
      // record attempted security violation
      throw new AuthorizationException("…");
    }
    // and log data access to audit trail
  }
}
This uses the sample DefaultEJB aspect and associated ManagedSessionBean interface from the Timer example.
47
Security: UI Filtering Requirements
- Only authorized fields
- Only links to authorized resources
- Edit a field only if authorized
- Saved under the same key as edited
- Within JSP, Servlet, etc.
- Might demo, time permitting
48
AOP Implementation Strategy for JSP
- Advice finds unauthorized field display: catch SecurityExceptions and flag them
- Filter removes the complete context: we'll use a servlet filter; can also intercept PageContextFactory to extend PageContext to wrap the PrintWriter
- Deployment options: precompile JSPs, then link aspects in; configure the JSP compiler to use ajc (we'll use this with Tomcat); the classloader (if available, e.g., WLS)
- WebLogic 8.1 will support AspectJ and AspectWerkz classloaders
- AspectWerkz supports weaving in any classloader but the system classloader; we expect a future version of AspectJ will allow this too.
49
Catching Unauthorized Fields in JSP
Object around() throws JspException : securityChecks()
    && call(* *(..) throws (Throwable || Exception || JspException)) {
  try {
    return proceed();
  } catch (JspException je) {
    Exception e = (Exception) pageContext.getAttribute(Globals.EXCEPTION_KEY, PageContext.REQUEST_SCOPE);
    if (e instanceof SecurityException) {
      handleSecurityException(e);
      return null; // void or filtered...
    }
    throw je;
  }
}
When a security exception occurs, we note the fact …
50
Aspect Uses FilteringResponse
Object around() : securityChecks() {
  try {
    return proceed();
  } catch (SecurityException e) {
    handleSecurityException(e);
    return null; // void or filtered...
  }
}
private void handleSecurityException(Exception e) {
  try {
    jspWriter.flush(); // force buffer synch
  } catch (java.io.IOException ioe) {
    throw new RuntimeException("error flushing", ioe);
  }
  // specialized Response object adds the position to
  // a list of "locations to filter"; the contents are
  // then removed when flushing the buffer
  response.removeCurrentSection();
}
… then filter it
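The FilteringResponse the two aspects above rely on is only described, not shown. The following added example (not the deck's code) is a standalone version of the mechanism without servlet or JSP dependencies: a buffered Writer that records where each field's output begins and, when rendering that field ends in a SecurityException, discards everything written since, so a half-rendered row never reaches the client. The class and method names other than removeCurrentSection(), the ValueSource stand-in for a guarded accessor, and the sample rows are assumptions.

```java
import java.io.IOException;
import java.io.Writer;
import java.util.ArrayDeque;
import java.util.Deque;

/** Buffered output whose current section can be discarded after a security exception. */
public class FilteringWriter extends Writer {
    private final StringBuilder buffer = new StringBuilder();
    private final Deque<Integer> sectionStarts = new ArrayDeque<Integer>();   // supports nested sections

    /** Record where a field's output begins; the aspect would do this around each field. */
    public void beginSection() {
        sectionStarts.push(buffer.length());
    }

    /** The field rendered without incident; keep its output. */
    public void endSection() {
        sectionStarts.pop();
    }

    /** The slide's removeCurrentSection(): drop everything written since the innermost beginSection(). */
    public void removeCurrentSection() {
        buffer.setLength(sectionStarts.pop());
    }

    @Override public void write(char[] cbuf, int off, int len) {
        buffer.append(cbuf, off, len);
    }
    @Override public void flush() { }
    @Override public void close() { }

    public String contents() {
        return buffer.toString();
    }

    /** Stand-in for a data accessor such as getSSN that throws SecurityException for an unauthorized caller. */
    public interface ValueSource {
        String get();
    }

    public static ValueSource guarded(final String value, final boolean authorized) {
        return new ValueSource() {
            public String get() {
                if (!authorized) throw new SecurityException("field not authorized");
                return value;
            }
        };
    }

    /** Renders one table row; if the accessor refuses mid-row, the partial row is removed. */
    public static void renderField(FilteringWriter out, String label, ValueSource source) throws IOException {
        out.beginSection();
        try {
            out.write("<tr><td>" + label + "</td><td>");
            out.write(source.get());                 // may throw SecurityException after the row has started
            out.write("</td></tr>\n");
            out.endSection();
        } catch (SecurityException denied) {
            out.removeCurrentSection();              // what handleSecurityException does in the aspect
        }
    }

    /** Constructed page: the salary row appears only when the caller may see it. */
    public static String renderEmployeeTable(boolean callerMaySeeSalary) throws IOException {
        FilteringWriter out = new FilteringWriter();
        out.write("<table>\n");
        renderField(out, "Name",   guarded("Alice", true));
        renderField(out, "Salary", guarded("100000", callerMaySeeSalary));
        renderField(out, "Email",  guarded("alice@example.com", true));
        out.write("</table>\n");
        return out.contents();
    }

    public static void main(String[] args) throws IOException {
        System.out.println(renderEmployeeTable(true));
        System.out.println(renderEmployeeTable(false));
    }
}
```

Because this writer owns the buffer, the slide's two steps (flush the JspWriter to synchronize, then ask the response to remove the section) collapse into one call; in a real container the wrapper sits behind the JspWriter, which is why the aspect flushes first.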
51
Security Integration
Many options for each of: application AAA, data protection, message protection
- The scenarios have illustrated trade-offs among approaches and possible integration ideas
- Standards are improving integration, but an architecture is needed
52
Conclusion
Application security is multi-faceted:
- Many challenges; pervasive in solutions; additional to infrastructure security
- Solutions are available: need for explicit policy; various trade-offs
- An effective architecture is critical to integrate the new technologies