1 / 52

Java Application Security Integration

Java Application Security Integration. WAS CLASS. Agenda. Introduction Challenges Technology Overview Examples of Use solving problems integration Conclusion. Core Pillars Authentication Authorization Integrity Confidentiality Non-repudiation. Disciplines Threat Assessment

Download Presentation

Java Application Security Integration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Java Application Security Integration WAS CLASS

  2. Agenda • Introduction • Challenges • Technology Overview • Examples of Use • solving problems • integration • Conclusion

  3. Core Pillars Authentication Authorization Integrity Confidentiality Non-repudiation Disciplines Threat Assessment Policy Definition Administration Intrusion Detection Optimization/Vulnerability Assessment What is Security? “Freedom from risk or danger; safety.” source: dictionary.com Application security builds on infrastructure security

  4. Authentication Challenges • Multiple Realms • Different technologies • OS, directory, database, AAA, file, legacy… • Multiple instances • internally and cross-organization (trust) • Single-sign on/reduced sign-on • Strong authentication • PKI: how to do key management? • Multi-factor? • Delegation

  5. Authorization Challenges • Defining roles & permissions • Mapping & specializing • Functional authorization • For resource, service, component, class & method • Data-driven authorization • For instance-level & field-level • UI: showing only authorized • Fields, commands (buttons) • Consistent enforcement

  6. Additional Challenges • Non-Repudiation • Tracking audit trails • Digital signatures? • Confidentiality • Field-level encryption • At-rest encryption (preferably infrastructure!) • Integrity • Digital signatures

  7. Service end-user operations Application Security Architecture Interaction Tier ApplicationTier Resource Tier Perimeter

  8. Security Technologies • The Java platform • JAAS • Application servers • Security products • Fine grained security • Aspect-Oriented Programming • Filters and Proxies • Web services

  9. Application Security Domains Security Servers (AAA) Web Ser-vices SSL/PKI Data-base Fine-grainedSecurity (AOP…) Application Servers,JAAS

  10. Java Security • Secure platform since inception • sandbox supports untrusted code • no pointers, bounds checking, GC • JCA, JCE • cryptography, certificates, keys • JAAS • pluggable authentication • AccessController authorizes access • J2SE 1.4 moves JAAS capabilities into core

  11. JAAS Authentication Source: Sun Microsystems

  12. JAAS Authorization Source: Sun Microsystems

  13. J2EE Security • Declarative • Role names and mapping • Web resource constraints • EJB component and method constraints • Programmatic • Principal (name) • Role membership

  14. Application Server Integration • Until now • Container-specific realms for authentication • Container-specific policy for authorization • JAAS not integrated • J2EE 1.4 will standardize with JAAS • Java Authorization Contract for Containers • Java Authentication Service Provider Interface for Containers

  15. J2EE 1.4 Security Architecture Source: Sun Microsystems

  16. Service end-user operations AAA products Interaction Tier ApplicationTier Resource Tier Perimeter E.g., Netegrity, RSA, Oblix, Tivoli, Oracle… PEP admin identity, access PDP

  17. Security Integration Framework Example Weblogic Security Framework 8.1, Quadrasis Source: BEA

  18. Web Services Security Source: Sun Microsystems

  19. Into this AOP turns this... Aspect-Oriented Programming (AOP) • Auxiliary concerns are scattered and tangled • Security: authorization, identity management, audit trail • Business rules • Error handling • So AOP uses aspects to provide: • modular support for crosscutting concerns • language and tool integration • Evolutionary step for software development • structured  objects  components  aspects 

  20. Filters & Proxies • Special-case support for crosscutting • Servlet Filters • Allow all/certain servlet requests to enforce policy • Authentication (JAAS, single-sign on…) • Authorization (set up doAsSubject…) • Dynamic Proxies • Allow wrapping interfaces • Can separate data-driven authorization • Still scatters policy implementation

  21. Functional Authorization Example • Add bug use case • Forces authentication • Projects in groups with corresponding roles • Functional authorization: check bug entry role • UI Filtering: only employees can edit status

  22. Traditional Web Container Security

  23. Web Deployment Descriptor <security-constraint> <web-resource-collection> <web-resource-name>Protected Area</> <url-pattern>/aTrack/internal/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>internal</role-name> </auth-constraint> </security-constraint> …

  24. Web Deployment Descriptor … <login-config> <auth-method>FORM</auth-method> <realm-name>aTrack</realm-name> <form-login-config> <form-login-page>/aTrack/protected/login.jsp</> <form-error-page>/aTrack/protected/error.jsp</> </form-login-config> </login-config> <security-role> <role-name>internal</role-name> </security-role>

  25. Tomcat 4.x JDBC Realm Setup <Server className="org.apache.catalina.core.StandardServer“ debug="0" port="8005" shutdown="SHUTDOWN"> … <Realm className="org.apache.catalina.realm.JDBCRealm“ debug="99" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost/authority?user=dbuser&password=dbpass" userTable="users" userNameCol="user_name“ userCredCol="user_pass“ userRoleTable="user_roles“ roleNameCol="role_name"/> …

  26. UI Filtering … <% if (SecurityUtils.getRoles(getUser()). contains("internal")) { %> <html:list property="status"> <% } else { %> <html:label property="status"> <% } %>

  27. Security Server Implementation

  28. JAAS Authentication in Web Container

  29. JAAS Authorization in Web Container

  30. Servlet Filter to Set Up JAAS public class AccessFilter implements Filter { public void doFilter(ServletRequest request, …) { Session session = ((HttpServletRequest)request).getSession(); Subject subject = session.getAttribute(SUBJECT_ID); if (subject == null) // redirect to force authentication try { Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { public Object run() throws Exception { chain.doFilter(request, response); } }, null); } catch (PrivilegedActionException e) { throw e.getException(); } } }

  31. JAAS Authorization public class AddBugAction extends Action { publicActionForwardexecute(ActionMappingmapping, ActionFormform,HttpServletRequestrequest, HttpServletResponseresponse)throwsException{ // does the user have permission to enter bugs? AccessController.checkPermission( new AtrackPermission("bugEntry")); … } }

  32. UI Filtering … <% if (getUserPrincipals().contains("internal")) { %> <html:list property="status"> <% } else { %> <html:label property="status"> <% } %> …

  33. AspectJ JAAS Authentication public aspect RoleBasedAccess { private pointcut request(HttpServletRequest request, HttpServletResponse response) : execution(* HttpServlet.do*(..)) && this(SensitiveServlet) && args(request, response); private pointcut sensitiveOperations() : execution(* atrack.model.sensitive.*.* (..));

  34. AspectJ JAAS Authentication … void around(HttpServletRequest request, HttpServletResponse response): request(request, response) { HttpSession session = request.getSession(); Subject subject = session.getAttribute(SUBJECT_ID); if (subject == null) // redirect to force authentication try { Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { public Object run() throws Exception { proceed(request, response); } }, null); } catch (PrivilegedActionException e) { throw e.getException(); } } …

  35. AspectJ JAAS Authorization … before(SensitiveServlet servlet, HttpServletRequest request, HttpServletResponse response): sensitiveOperations() { Permission permission = getPermission(thisJoinPoint. getSignature().getName()); AccessController.checkPermission(permission); } private Permission getPermission(String methodName) { // config or database lookup } }

  36. Data-Driven Authorization Example • Edit employee data • Data-driven: employee, manager (transitively) and HR admin role • UI Filtering: invisible, visible, editable • Possible extension • Trust delegation: check in domain tier on commit

  37. Data-Driven Authorization EJB security

  38. EJB Implementation publicclass Employee { … public int getSSN(EjbContext securityContext) { Principal p = securityContext.getPrincipal(); Employee caller = Employee.getEmployee(p); if (caller==null || !employee.reportsTo(caller))) { // record attempted security violation thrownew AuthorizationException("…"); } // and log data access to audit trail return ssn; } public double getSalary(EjbContext securityContext) { Principal p = securityContext.getPrincipal(); … } }

  39. Propagating Context publicclass ServiceEjb { public int getEmployeeDetails() { … employees.getRows(getContext()); } … } publicclass Employees { … public int getRows(EjbContext securityContext) { … employee.getSSN(securityContext); … } }

  40. JAAS Implementation publicclass Employee { public int getSSN(Subject subject) { Set s = subject.getPrincipals(Employee.class); boolean ok = false; for (Iterator it = s.iterator(); it.hasNext();) { Employee caller = (Employee)s.next(); if (employee.reportsTo(caller))) ok = true; } if (!ok) { // record attempted security violation thrownew AuthorizationException("…"); } // and log data access to audit trail return ssn; } public double getSalary(Subject subject) { Set s = subject.getPrincipals(Employee.class); …

  41. JAAS Set Up public class Service { public int getEmployeeDetails() { Subject subject = session.getAttribute(SUBJECT_ID); if (subject == null) // forward to force authentication try { Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { public Object run() throws Exception { … employees.getRows(subject); … } }, null); } catch (PrivilegedActionException e) { throw e.getException(); } } …

  42. Proxy Set Up publicclass EmployeeFactory { public Employee getEmployee(int key, Subject subject) { InvocationHandler handler = new EmployeeInvocationHandler(subject); return (Employee) Proxy.newProxyInstance( Employee.class.getClassLoader(), new Class[] { Employee.class }), handler); } }

  43. Proxy Implementation publicclass EmployeeInvocationHandler { public EmployeeInvocationHandler(EjbContext context) { this.context = context; } public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { if (proxy instanceof Employee && isSensitive(method)) { Principal p = context.getPrincipal(); Employee caller = Employee.getEmployee(p); Employee employee = (Employee)proxy; if (caller==null || !employee.reportsTo(caller))) { // record attempted security violation thrownew AuthorizationException("…"); } // and log data access to audit trail return method.invoke(proxy, args); } …

  44. EmployeeDataAuthorization Aspect Data-Driven Authorization Using Aspects

  45. Policy Definition Aspect publicaspect SecurityPolicy { publicpointcut securedCall(ManagedSessionBean ejb): cflow(EjbPointcuts.ejbTopLevelExec(*) && this(ejb)) && (call(* Employee.getSalary(..)) || call(* Employee.getSSN(..)) || call(* Employee.getAddress(..))); }

  46. Data Authorization Aspect publicaspect EmployeeDataAuthorization { before(ManagedSessionBean ejb, Employee employee) : SecurityPolicy.securedCall(ejb) && target(employee) { Principal p = ejb.getContext().getPrincipal(); Employee caller = Employee.getEmployee(p); if (caller==null || !employee.reportsTo(caller))) { // record attempted security violation thrownew AuthorizationException("…"); } // and log data access to audit trail } }

  47. Security: UI Filtering Requirements • Only authorized fields • Only links to authorized resources • Edit field only if authorized • Saved same key as edited • Within JSP, Servlet, etc.

  48. AOP Implementation Strategy for JSP • Advice finds unauthorized field display • catch SecurityExceptions and flag • Filter removes complete context • We’ll use a servlet filter • Can also intercept PageContextFactory to extend PageContext to wrap the PrintWriter • Deployment options: • precompile JSPs, then link aspects in • configure JSP compiler to use ajc (we’ll use this with Tomcat) • the classloader (if available, e.g., WLS)

  49. Catching Unauthorized Fields in JSP Object around() throws JspException: securityChecks() && call(* *(..) throws (Throwable || Exception || JSPException)) { try { returnproceed(); } catch (JspException je) { Exception e = (Exception)pageContext.getAttribute( Globals.EXCEPTION_KEY, PageContext.REQUEST_SCOPE); if (e != null && e instanceof SecurityException) { handleSecurityException(e); returnnull; // void or filtered... } throw je; } }

  50. Aspect Uses FilteringResponse Object around() : securityChecks() { try { returnproceed(); } catch (SecurityException e) { handleSecurityException(e); returnnull; // void or filtered... } } privatevoid handleSecurityException(Exception e) { try { jspWriter.flush(); // force buffer synch } catch (java.io.IOException ioe) { thrownew RuntimeException("error flushing", ioe); } // specialized Response object adds the position to // a list of “locations to filter”; the contents are // then removed when flushing the buffer response.removeCurrentSection(); }

More Related