1 Application Security Aspects
Ron Bodkin (rbodkin@newaspects.com)
New Aspects of Software, AspectMentor
http://www.newaspects.com
AOSD 2005

2 Application Security
(c) Copyright 2003-2005 New Aspects of Software. All Rights Reserved. March 17, 2005
Classic big-A Aspect
–Affects application architecture
–Crosscuts all levels of the stack and systems
–Many stakeholders

3 Challenges Today…
Enterprises can't
–consistently enforce security policies across resources
–expose systems for Web services securely
–even see how sensitive data is used… let alone assure policy compliance
Consequences
–Risks: damages and loss of reputation
–Expense: manual implementations, audits
–Lost opportunities: build walls, not manage use
Enterprises believe it's intractable, so they
–Take risks by not complying fully
–Fight fires

4 The Promise of AOP…
Correct implementation
Separation of policy from implementation
Defense in depth
Auditability
Fine-grained security
Integration
Pluggability (product lines)

5 Application Security Architecture
(Diagram: end-user, Perimeter, Service Interaction Tier, Application Tier, Resource Tier, operations)

6 Application Areas
(Diagram: a grid of Identify / Protect / Manage against Edge / UI / Domain / Data, placing Security Servers (AAA), Web Services, SSL/PKI, AOP Security, Application Servers, JAAS and Database)

7 Many Types of Authorization
(Diagram: Class / Instance / Field granularity against the UI, Business Logic and Data layers)

8 Business Model for Example
(Class diagram: Employee (+address, +salary); Manager (+bonus), where one Manager (0..1) manages many (*) Employees; EmpRegulation (+calcTax()), one per Employee, specialized by US_Regulation (+ssn, +state, +calcTax()) and CanadaRegulation (+sin, +province, +calcTax()))

9 JAAS Authentication for Web
public aspect JaasAuthentication {
    private pointcut request(HttpServletRequest request, HttpServletResponse response) :
        execution(* HttpServlet.do*(..)) && this(SensitiveServlet) && args(request, response);

    private pointcut sensitiveOperations() :
        execution(* atrack.model.sensitive.*.*(..));

    public pointcut inAuthentication(Worker worker) :
        cflow(execution(* run()) && within(RoleBasedAuthentication) && this(worker));

10 AspectJ JAAS Authentication
    void around(HttpServletRequest request, HttpServletResponse response) :
            request(request, response) {
        LoginContext lc = new LoginContext("WebApp",
            new HttpCallbackHandler(request, response));
        try {
            lc.login();
            Subject subject = lc.getSubject();
            ImplAction action = new ImplAction() {
                public Object run() throws Exception {
                    proceed(request, response); // run the servlet under the authenticated Subject
                    return null;                // the advice is void, so there is nothing to return
                }
            };
            action.setSubject(subject);
            Subject.doAsPrivileged(subject, action, null);
        } catch …

11 Role-Based Authorization
    …
    before() : sensitiveOperations() {
        // the required permission is keyed on the static signature of the advised method
        Permission permission = getPermission(thisJoinPointStaticPart);
        AccessController.checkPermission(permission);
    }

    private Permission getPermission(JoinPoint.StaticPart jp) {
        // config or database lookup
    }
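A complete version of the role-based check on slides 9 and 11, written as an added example rather than code from the talk. Instead of routing through AccessController.checkPermission and a JAAS Policy file, it reads the Subject that the authentication aspect established with Subject.doAsPrivileged and compares its role principals against a table keyed by method signature. The package name, the RolePrincipal class, the Payroll methods and the contents of the table are assumptions; the point to notice is that a method with no table entry is denied rather than allowed.

```java
package atrack.security; // assumed package; the slides do not name one

import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import org.aspectj.lang.Signature;

/**
 * Maps each sensitive operation to the role it requires and checks that role
 * against the Subject established by Subject.doAsPrivileged() in the
 * authentication aspect. Operations without a rule are denied (fail closed).
 */
public aspect RoleBasedAuthorization {

    /** Role carried by the authenticated Subject; assumed stand-in for a login module's principal type. */
    public static final class RolePrincipal implements Principal {
        private final String role;
        public RolePrincipal(String role) { this.role = role; }
        public String getName() { return role; }
    }

    // Constructed table; the talk draws it from configuration or a database.
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("atrack.model.sensitive.Payroll.viewSalary", "manager");
        REQUIRED_ROLE.put("atrack.model.sensitive.Payroll.runPayroll", "payroll-admin");
    }

    // Same scope as slide 9's sensitiveOperations(); the aspect never advises itself.
    pointcut sensitiveOperations() :
        execution(* atrack.model.sensitive.*.*(..)) && !within(RoleBasedAuthorization);

    before() : sensitiveOperations() {
        Signature sig = thisJoinPointStaticPart.getSignature();
        String key = sig.getDeclaringTypeName() + "." + sig.getName();
        String role = REQUIRED_ROLE.get(key);
        if (role == null) {
            // No rule means nobody may call it: a missing row must not become an open door.
            throw new AccessControlException("no authorization rule for " + key);
        }
        // Null outside a doAs/doAsPrivileged scope, which also ends in denial.
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null || !hasRole(subject, role)) {
            throw new AccessControlException(key + " requires role " + role);
        }
    }

    private static boolean hasRole(Subject subject, String role) {
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

AccessControlException is a SecurityException, so an auditing aspect that advises on SecurityException sees these denials as well as those raised by checkPermission.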

12 Data-Driven Authorization Example
Edit employee data
–Data-driven: employee, manager (transitively) and HR admin role
–UI Filtering: invisible, visible, editable
Possible extension
–Trust delegation: check in domain tier on commit

13 Data-Driven Authorization
(Diagram)

14 Proxy Set Up
public class EmployeeFactory {
    public Employee getEmployee(int key, Subject subject) {
        Employee target = loadEmployee(key); // hypothetical lookup by key; the slide does not show it
        InvocationHandler handler = new EmployeeInvocationHandler(target, subject);
        return (Employee) Proxy.newProxyInstance(
            Employee.class.getClassLoader(),
            new Class[] { Employee.class },
            handler);
    }
}

public class EmployeeReviewFactory { …

15 Proxy Implementation
public class EmployeeInvocationHandler implements InvocationHandler {
    private final Employee target;  // the real object behind the proxy
    private final Subject subject;

    public EmployeeInvocationHandler(Employee target, Subject subject) {
        this.target = target;
        this.subject = subject;
    }

    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        if (isSensitive(method)) {
            Employee caller = Employee.getEmployee(subject);
            // check against the target, not the proxy: a call on the proxy would re-enter this handler
            if (caller == null || !target.reportsTo(caller)) {
                // record attempted security violation
                throw new AuthorizationException("…");
            }
            // and log data access to audit trail
        }
        return method.invoke(target, args);
    }
    …
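The proxy on slides 14 and 15 in runnable form, as an added example that is not the talk's code. It keeps the slides' rule from slide 12 (the employee and any manager up the chain may read sensitive fields), invokes the real target rather than the proxy, records allow and deny decisions, and unwraps reflection's InvocationTargetException so callers see the target's own exception. The Employee model, the ids and the AUDIT list are constructed for the demo; resolving the caller from a JAAS Subject is assumed to happen before `secured()` is called.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

public class DataDrivenProxyDemo {

    // Minimal model standing in for the slides' Employee/Manager classes.
    public interface Employee {
        int getId();
        Employee getManager();
        int getSalary();                   // sensitive
        boolean reportsTo(Employee other); // transitive
    }

    static final class EmployeeImpl implements Employee {
        private final int id; private final Employee manager; private final int salary;
        EmployeeImpl(int id, Employee manager, int salary) { this.id = id; this.manager = manager; this.salary = salary; }
        public int getId() { return id; }
        public Employee getManager() { return manager; }
        public int getSalary() { return salary; }
        public boolean reportsTo(Employee other) {
            // walk the whole management chain, so a manager's manager also qualifies
            for (Employee m = manager; m != null; m = m.getManager()) {
                if (m.getId() == other.getId()) return true;
            }
            return false;
        }
    }

    // Constructed in-memory audit trail; stands in for the talk's SecurityAuditor.
    static final List<String> AUDIT = new ArrayList<String>();

    static final class AuthorizingHandler implements InvocationHandler {
        private final Employee target; // real object; invoking the proxy here would recurse
        private final Employee caller; // employee resolved from the authenticated Subject (assumed)

        AuthorizingHandler(Employee target, Employee caller) { this.target = target; this.caller = caller; }

        private static boolean isSensitive(Method m) { return "getSalary".equals(m.getName()); }

        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            if (isSensitive(method)) {
                boolean allowed = caller != null
                    && (caller.getId() == target.getId() || target.reportsTo(caller));
                if (!allowed) {
                    AUDIT.add("DENY  " + who(caller) + " " + method.getName() + " on emp" + target.getId());
                    throw new SecurityException("not authorized: " + method.getName());
                }
                AUDIT.add("ALLOW " + who(caller) + " " + method.getName() + " on emp" + target.getId());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow the target's exception, not the reflection wrapper
            }
        }

        private static String who(Employee e) { return e == null ? "anonymous" : "emp" + e.getId(); }
    }

    /** Wraps an employee so that every call is authorized on behalf of the given caller. */
    public static Employee secured(Employee target, Employee caller) {
        return (Employee) Proxy.newProxyInstance(
            Employee.class.getClassLoader(),
            new Class<?>[] { Employee.class },
            new AuthorizingHandler(target, caller));
    }

    public static void main(String[] args) {
        Employee ceo  = new EmployeeImpl(1, null, 300);
        Employee mgr  = new EmployeeImpl(2, ceo, 200);
        Employee dev  = new EmployeeImpl(3, mgr, 120);
        Employee peer = new EmployeeImpl(4, mgr, 110);

        System.out.println(secured(dev, ceo).getSalary()); // manager's manager: transitive, allowed
        System.out.println(secured(dev, dev).getSalary()); // self-service: allowed
        System.out.println(secured(dev, mgr).getId());     // not sensitive: no check at all
        try {
            secured(dev, peer).getSalary();                // peer is not in dev's chain
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        try {
            secured(dev, null).getSalary();                // unauthenticated caller
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        for (String line : AUDIT) System.out.println(line);
    }
}
```

Compile and run with a plain JDK; no AspectJ is needed for this variant, which is the point of the proxy approach on these two slides.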

16 Data-Driven Authorization Using Aspects
(Diagram: EmployeeDataAuthorization aspect)

17 Data Authorization Aspect
public aspect EmployeeDataAuthorization {
    pointcut sensitiveDirectOperation(Employee employee) :
        (execution(* Employee.getSalary()) ||
         execution(* Employee.getAddress()) ||
         execution(* US_Employee.getSSN())) && this(employee);

    before(Employee employee, Worker worker) :
            JaasAuthentication.inAuthentication(worker) && sensitiveDirectOperation(employee) {
        Employee caller = Employee.getEmployee(worker.getSubject());
        if (caller == null || !employee.reportsTo(caller)) {
            // record attempted security violation
            throw new AuthorizationException("…");
        }
        // and log data access to audit trail
    }
}

18 Multi-Class Refactoring
public aspect EmployeeDataAuthorizationV2 {
    …
    pointcut sensitiveReviewOperation(EmployeeReview r) :
        execution(* getInformation()) && this(r);

    before(EmployeeReview review, Worker worker) :
            JaasAuthentication.inAuthentication(worker) && sensitiveReviewOperation(review) {
        checkAccess(review, worker);
    }

19 Refactoring Auditing Out
public aspect SecurityAuditing {
    SecurityAuditor auditor;
    void setAuditor(SecurityAuditor auditor) { … }

    pointcut securityCheck() : // better: @annotation
        within(ajee.security..Authorization*) && adviceexecution();

    after(Worker worker) returning : securityCheck() && authenticated(worker) {
        auditor.recordAccess(worker.getSubject(), thisEnclosingJoinPointStaticPart);
    }

    after(Worker worker) throwing (SecurityException se) : securityCheck() && authenticated(worker) {
        auditor.recordViolation(worker.getSubject(), thisEnclosingJoinPointStaticPart, se);
        // bug: in AspectJ 1.2 thisEnclosingJoinPointStaticPart doesn't refer
        // to the advised join point; work around:
        // find method from se's stack trace
    }
}
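The "better: @annotation" variant the slide hints at, as an added example that is not the talk's code. Advising the annotated method itself, rather than adviceexecution() of the authorization aspects, means thisJoinPointStaticPart is the audited operation, which sidesteps the AspectJ 1.2 problem noted on the slide. The Audited annotation, the SecurityAuditor interface and its printing default are assumptions; the Subject comes from whatever doAs scope the caller runs in.

```java
package atrack.security; // assumed package; the slides do not name one

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.AccessController;
import javax.security.auth.Subject;
import org.aspectj.lang.JoinPoint;

/** Marks an operation whose outcome must reach the audit trail. RUNTIME retention is needed for @annotation(). */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface Audited {
    String value() default ""; // free-text category such as "salary"
}

public aspect AnnotationSecurityAuditing {

    public interface SecurityAuditor {
        void recordAccess(Subject subject, String category, JoinPoint.StaticPart where);
        void recordViolation(Subject subject, String category, JoinPoint.StaticPart where, SecurityException cause);
    }

    // Default sink only prints; a deployment sets a real auditor through setAuditor().
    private SecurityAuditor auditor = new SecurityAuditor() {
        public void recordAccess(Subject s, String category, JoinPoint.StaticPart where) {
            System.out.println("ACCESS    " + s + " " + category + " " + where.getSignature());
        }
        public void recordViolation(Subject s, String category, JoinPoint.StaticPart where, SecurityException e) {
            System.out.println("VIOLATION " + s + " " + category + " " + where.getSignature() + ": " + e.getMessage());
        }
    };

    public void setAuditor(SecurityAuditor auditor) { this.auditor = auditor; }

    // Advise the annotated method itself, so thisJoinPointStaticPart is the audited operation.
    pointcut auditedOperation(Audited audited) :
        execution(@Audited * *(..)) && @annotation(audited);

    after(Audited audited) returning : auditedOperation(audited) {
        auditor.recordAccess(currentSubject(), audited.value(), thisJoinPointStaticPart);
    }

    after(Audited audited) throwing (SecurityException denied) : auditedOperation(audited) {
        auditor.recordViolation(currentSubject(), audited.value(), thisJoinPointStaticPart, denied);
    }

    // Auditing must wrap any authorization advice on the same join point; otherwise a denial
    // thrown by a lower-precedence before() check never passes through the after() throwing advice.
    declare precedence : AnnotationSecurityAuditing, *;

    private static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }
}
```

Mark a domain method with `@Audited("salary")` and both outcomes are recorded without the domain class knowing an auditor exists. The precedence declaration is the detail that is easy to miss: AspectJ runs a higher-precedence aspect's after advice outermost, so without it a before() check in another aspect can deny the call before this aspect's advice is entered.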

20 P3P Annotation, Permissions…
public aspect P3PDataAuthorization {
    // field reads and writes whose field carries a @P3P annotation (RUNTIME retention required)
    pointcut p3pDataAccess(P3P prefs) :
        (get(@P3P * *.*) || set(@P3P * *.*)) && @annotation(prefs);

    before(P3P prefs) : p3pDataAccess(prefs) {
        AccessController.checkPermission(new P3P_Permission(prefs));
    }
}

21 Database Filtering…
public aspect ToplinkQuerySecurityFilter {
    pointcut readingObject(Class clazz, Expression expression) :
        (call(* Session.readObject(..)) || call(* Session.readAllObjects(..))) && args(clazz, expression);

    Object around(Class clazz, Expression expression, AbstractJaasAuthentication.Worker worker) :
            readingObject(clazz, expression) && AbstractJaasAuthentication.authenticated(worker) {
        if (clazz == Employee.class) {
            Subject subject = worker.getSubject();
            Manager mgr = ManagerDao.findManager(subject);
            Vector employees = mgr.getEmployees();
            // narrow the query to the caller's own reports before it reaches the database
            expression = expression.and(new ExpressionBuilder().get("id").in(employees));
        }
        return proceed(clazz, expression, worker);
    }
}

22 Domain-Specific Tools…

23 Security: UI Filtering Requirements
Only authorized fields
Only links to authorized resources
Edit field only if authorized
Saved same key as edited
Within JSP, Servlet, etc.

24 AOP Implementation Strategy for JSP
Advice finds unauthorized field display
–catch SecurityExceptions and flag
Filter removes complete context
–We'll use a servlet filter
–Can also intercept PageContextFactory to extend PageContext to wrap the PrintWriter
Deployment options:
–precompile JSPs, then link aspects in
–configure container's JSP compiler to use ajc
–the classloader

25 Catching Unauthorized Fields in JSP
Object around() throws JspException :
        securityChecks() && call(* *(..) throws (Throwable || Exception || JspException)) {
    try {
        return proceed();
    } catch (JspException je) {
        // Struts stores the underlying exception in request scope under Globals.EXCEPTION_KEY
        Exception e = (Exception) pageContext.getAttribute(
            Globals.EXCEPTION_KEY, PageContext.REQUEST_SCOPE);
        if (e instanceof SecurityException) {
            handleSecurityException(e);
            return null; // void or filtered...
        }
        throw je;
    }
}

26 Aspect Uses FilteringResponse
Object around() : securityChecks() {
    try {
        return proceed();
    } catch (SecurityException e) {
        handleSecurityException(e);
        return null; // void or filtered...
    }
}

private void handleSecurityException(Exception e) {
    try {
        jspWriter.flush(); // force buffer synch
    } catch (java.io.IOException ioe) {
        throw new RuntimeException("error flushing", ioe);
    }
    // specialized Response object adds the position to
    // a list of locations to filter; the contents are
    // then removed when flushing the buffer
    response.removeCurrentSection();
}

27 Low Hanging Fruit
Authorization
–By function
–Instance-level
–Field-level
Auditing
Authentication
–Web page
–Web service

28 Within Reach…
UI filtering
–operations available (or enabled)
–information displayed
Database result filtering
Distributed authentication
–Delegation
–Indirect database
Encryption and decryption of data

29 Conclusions
Real value
Great test case for AOSD flexibility
