
Building Secure J2EE Applications With Oracle

Session id:40119. Building Secure J2EE Applications With Oracle. Cary Bakker Principal Consultant John Gammon Principal Consultant Adam Leftik Sr. Principal Consultant Oracle Corporation. Agenda. Introduction Motivation for POC Requirements for solution Architectural decisions


Presentation Transcript


  1. Session id:40119 Building Secure J2EE Applications With Oracle Cary Bakker Principal Consultant John Gammon Principal Consultant Adam Leftik Sr. Principal Consultant Oracle Corporation

  2. Agenda • Introduction • Motivation for POC • Requirements for solution • Architectural decisions • Security Fundamentals • Security Concepts review • SSL • A “How To” on locking down the system • Web Client to HTTP Server • HTTP Server to App Server • App Server to Database

  3. Client Motivation • Aerospace Operation Center (AOC) issues: • Separate Coalition Network • n * as many servers • n * setup time • Difficult to share data • Data “cleansing” process • Untimely data • Erroneous data • Unavailable data

  4. Solution Requirements • Multi Level Security (MLS) • US and Coalition all on single network • Timely release of data • Security given highest priority • Flexible architecture

  5. Solution Architecture Overview • SSL Mutual Authentication for all network communication, lock down all layers • Oracle’s MVC Framework – flexibility for migration to service oriented architecture implementation • Oracle Label Security – key for MLS and timely release of information

  6. Security Concepts Review • Authentication • Authorization • Confidentiality • Integrity

  7. Secure Socket Layer Protocol (SSL) • Client sends list of cipher suites • Server responds with the cipher suite specification and the web server’s digital certificate, and requests the client certificate • Client verifies certificate • Client generates pre-master secret, encrypts it with the server’s public key, and sends its client certificate and the encrypted pre-master secret • Server decrypts pre-master secret with its private key and verifies client certificate • Session key is calculated from the pre-master secret by both parties independently • Session key is used for symmetric key encryption for the rest of the session

  8. Certificate Verification • Is this certificate in the CRL? • Is the certificate within validity period? • Is the Certificate Authority trusted (chain)? • Does the issuing certificate’s public key validate issuer’s signature? • (Optional) Does the web server DNS name match the subject’s (server cert) DN? 9i also supports instance verification via instance name + hostname

  9. Secure Software Architecture

  10. High-Level Flow

  11. Oracle Http Server and Mod OSSL • Provides authentication, confidentiality, and integrity for communication between web client and OHS using SSL • Support for majority of cryptographically strong cipher algorithms • SSL mutual authentication support (two-phase authentication)

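  12. Key OHS Directives

      ```apache
      LoadModule ossl_module modules/ApacheModuleOSSL.DLL
      # wallet holding the server certificate and trusted CA certificates
      SSLWallet file:<ohs_home>\conf\Apache\Apache\conf
      # the wallet password is in clear text here, so restrict read access to this file
      SSLWalletPassword mypassword
      # reject connections that do not present a client certificate
      SSLVerifyClient require
      SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
      ```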

  13. Securing OC4J • Mod OC4J for proxying requests to OC4J • AJP over SSL support in 9.04 • IP Checks • Security Filters • JAZN provides authentication and authorization for middle-tier business logic

  14. Mod OC4J Example

      ```apache
      <IfModule mod_oc4j.c>
          # propagate credentials to OC4J
          Oc4jExtractSSL on
          <Location /oc4j-service>
              SetHandler oc4j-service-handler
              Order deny,allow
              Deny from all
              Allow from localhost
          </Location>
          Oc4jMount /myapp home
          Oc4jMount /myapp/* home
      </IfModule>
      ```

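  15. Accessing Certificates

      ```java
      import java.security.Principal;
      import java.security.cert.X509Certificate;
      import javax.servlet.ServletRequest;

      // Inside the servlet's service method; request is the incoming ServletRequest.
      // The container exposes the client chain under this Servlet-spec attribute name.
      X509Certificate[] certs = (X509Certificate[])
              request.getAttribute("javax.servlet.request.X509Certificate");
      if (certs != null && certs.length > 0) {
          // certs[0] is the client's own certificate
          Principal issuerPrincipal = certs[0].getIssuerDN();
          Principal subjPrincipal = certs[0].getSubjectDN();
      }
      ```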

  16. Security Filter

  17. JAZN • Provides authorization for middle-tier resources • Makes the J2EE container ‘aware’ of the authentication and authorization • Map J2EE Principals and Roles to enterprise data stores e.g. LDAP • Support for declarative security model in J2EE e.g. method level permissions in EJB deployment descriptors

  18. Database Users and Application Users • Avoid the “One Big Database User” • Leverage auditing • Allows you to use other security features • Oracle Label Security • Secure application roles

  19. Securing Database Access

  20. Proxy Authentication • JDBC OCI connection pool support (Subclass of OracleDataSource) • A pool of lightweight database sessions created via app server database user which are authenticated via SSL mutual authentication • Digital certificates propagated to database server to authenticate application users creating a ‘heavyweight session’ • SSL ensures Middle-Tier and Database trust each other • Preserves application identities

  21. Proxy Authentication Example

      ```sql
      -- middle-tier account and application user, both identified by certificate DN
      CREATE USER APP_SERVER IDENTIFIED GLOBALLY AS 'CN=APP_SERVER, C=US';
      CREATE USER JOHN_ROHLER IDENTIFIED GLOBALLY AS 'CN=Jon Rohler, C=US';
      GRANT "CONNECT" TO APP_SERVER;
      -- allow the app server to open sessions on behalf of the application user
      ALTER USER JOHN_ROHLER GRANT CONNECT THROUGH APP_SERVER;
      GRANT "CONNECT" TO JOHN_ROHLER;
      GRANT "APPLICATION_ROLE" TO JOHN_ROHLER;
      ```

  22. Proxy Authentication Example (cont)

      ```java
      import java.sql.Connection;
      import java.util.Properties;
      import javax.naming.InitialContext;
      import oracle.jdbc.pool.OracleOCIConnectionPool;

      // ...
      InitialContext ctx = new InitialContext();
      OracleOCIConnectionPool ds =
              (OracleOCIConnectionPool) ctx.lookup("jdbc/OracleProxyDS");
      Properties props = new Properties();
      // UsersDERCertRef: the application user's DER-encoded certificate
      props.put(OracleOCIConnectionPool.PROXY_CERTIFICATE, UsersDERCertRef);
      Connection connection = ds.getProxyConnection(
              OracleOCIConnectionPool.PROXYTYPE_CERTIFICATE, props);
      ```

  23. Secure Application Roles • Only allows privileges to schema objects from specific applications in specific contexts • Reduce the possibility of inside intrusion by circumventing middle-tier • Network based authorization

  24. Secure Application Role Example

      ```sql
      -- The package specification (not shown on the slide) must be declared
      -- AUTHID CURRENT_USER so that DBMS_SESSION.SET_ROLE is permitted.
      CREATE OR REPLACE PACKAGE BODY MY_ROLE IS
        PROCEDURE check_access IS
          proxy_usr  VARCHAR2(4000);
          ip_address VARCHAR2(16);
        BEGIN
          proxy_usr  := SYS_CONTEXT('userenv', 'proxy_user');
          ip_address := SYS_CONTEXT('userenv', 'ip_address');
          -- enable the role only for sessions proxied by the app server from its known address
          IF proxy_usr = 'APP_SERVER' AND ip_address = '192.168.1.125' THEN
            DBMS_SESSION.SET_ROLE('MY_APPLICATION_ROLE');
          END IF;
        END;
      END;
      /
      -- the role must exist before privileges are granted to it
      CREATE ROLE MY_APPLICATION_ROLE IDENTIFIED USING schema_owner_for_pl_sql_package.MY_ROLE;
      GRANT SELECT ON ACCOUNTS TO MY_APPLICATION_ROLE;
      GRANT EXECUTE ON MY_ROLE TO JOHN_ROHLER;
      GRANT "MY_APPLICATION_ROLE" TO JOHN_ROHLER;
      ALTER USER JOHN_ROHLER DEFAULT ROLE ALL EXCEPT MY_APPLICATION_ROLE;
      ```

  25. Integration With JDBC Example

      ```java
      import java.sql.CallableStatement;
      import java.sql.Connection;
      import java.sql.SQLException;

      Connection conn = null;
      CallableStatement cs = null;
      try {
          // get a proxy connection from the JDBC OCI connection pool
          conn = getConnection();
          cs = conn.prepareCall("begin schema_owner.my_role.check_access(); end;");
          cs.execute();
          // now use conn to issue a query against the accounts table;
          // the query will fail if not connecting from the middle tier
      } catch (SQLException sqle) {
          // handle the exception
      } finally {
          // close the statement before the connection that owns it
          if (cs != null) {
              try { cs.close(); } catch (SQLException sqle) { }
          }
          if (conn != null) {
              try { conn.close(); } catch (SQLException sqle) { }
          }
      }
      ```

  26. Oracle Label Security – Row Level Security • Built on top of VPD • General purpose row-level authorization • Based on military classification metaphor • Flexible: Levels, Compartments, Groups

  27. Oracle Label Example – Create Policy and Levels

      ```sql
      EXEC SA_SYSDBA.CREATE_POLICY('MYPOLICY', 'MYCOLUMN', 'READ_CONTROL, WRITE_CONTROL, CHECK_CONTROL, LABEL_DEFAULT');
      EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY', 9000, 'C', 'CLASSIFIED');
      EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY', 2000, 'HS', 'HIGHLY_SENSITIVE');
      EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY', 1000, 'S', 'SENSITIVE');
      ```

  28. Oracle Label Example – Apply Policy to Table

      ```sql
      EXEC sa_policy_admin.apply_table_policy('MYPOLICY', 'SCHEMAOWNER', 'MYTABLE');
      ```

  29. Oracle Label Example – Authorize User Labels

      ```sql
      BEGIN
        SA_USER_ADMIN.SET_USER_LABELS(
          POLICY_NAME     => 'MYPOLICY',
          USER_NAME       => 'JOHN_ROHLER',
          MAX_READ_LABEL  => 'C,HS,S',
          MAX_WRITE_LABEL => 'C',
          MIN_WRITE_LABEL => 'C');
      END;
      /
      ```

  30. Oracle Label Example – Apply Labels to Rows

      ```sql
      -- label an existing row
      UPDATE SCHEMAOWNER.TABLE_NAME
         SET MYCOLUMNAME = char_to_label('MYPOLICY', 'C')
       WHERE MYUNIQUEKEY = 'SOMEUNIQUEVALUE';

      -- insert one row without an explicit label and one with it
      INSERT INTO ACCOUNTS (ACCOUNT_NUM) VALUES (1);
      INSERT INTO ACCOUNTS (ACCOUNT_NUM, LABEL_COLUMN)
        VALUES (2, char_to_label('MYPOLICY', 'C'));

      SELECT * FROM ACCOUNTS;
      ```

  31. Next Steps…. • To request a complimentary 1-on-1 consultation to begin a personalized assessment of the potential benefits of an Oracle solution based on your organization’s environment, stop by the Oracle Consultations area in the Oracle DEMOgrounds section of the Exhibit Hall. • For information on our services, visit the Oracle Consulting booth in the Oracle Services area in the Oracle DEMOgrounds section of the Exhibit Hall.

  32. For more information • TheServerSide.com J2EE Community • Largest J2EE site in the world • 305,000 registered members • Enterprise Java News • Design Patterns • Free Books • Product Reviews • Articles and Video Interviews

  33. Reminder – please complete the OracleWorld online session survey. Thank you.
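
The key exchange listed on slide 7, as an added example that is not part of the original presentation: a JDK-only walk-through of the pre-master secret being encrypted to the server's public key, recovered with the private key, and turned into the same session key on both sides. Certificate exchange and verification are left out; the class name, the random values, the HMAC-SHA256 derivation (a simplified stand-in for the real SSL/TLS key derivation) and the AES-GCM cipher are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class RsaKeyExchangeDemo {
    // Simplified stand-in for the SSL/TLS key derivation (not the real PRF):
    // HMAC-SHA256 keyed with the pre-master secret over both random values.
    static byte[] sessionKey(byte[] preMaster, byte[] clientRnd, byte[] serverRnd)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(preMaster, "HmacSHA256"));
        mac.update(clientRnd);
        mac.update(serverRnd);
        return Arrays.copyOf(mac.doFinal(), 16); // 128-bit AES key
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair(); // public half travels in the server certificate
        byte[] clientRnd = new byte[32], serverRnd = new byte[32], preMaster = new byte[48];
        rng.nextBytes(clientRnd);
        rng.nextBytes(serverRnd);
        // Client: generate the pre-master secret, encrypt it with the server's public key.
        rng.nextBytes(preMaster);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, server.getPublic());
        byte[] onTheWire = rsa.doFinal(preMaster);
        // Server: recover the pre-master secret with its private key.
        rsa.init(Cipher.DECRYPT_MODE, server.getPrivate());
        byte[] recovered = rsa.doFinal(onTheWire);
        // Each side derives the session key on its own; the key itself is never transmitted.
        byte[] clientKey = sessionKey(preMaster, clientRnd, serverRnd);
        byte[] serverKey = sessionKey(recovered, clientRnd, serverRnd);
        System.out.println("keys match: " + MessageDigest.isEqual(clientKey, serverKey));
        // Symmetric encryption for the rest of the session (AES-GCM chosen for this demo).
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(clientKey, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal("GET /myapp".getBytes(StandardCharsets.UTF_8));
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(serverKey, "AES"), new GCMParameterSpec(128, iv));
        System.out.println(new String(aes.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```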
