
Java EE Platform Security What is included, what is missing.

Masoud Kalali, author of the GlassFish security book, Http://kalali.me. Java EE Platform Security: what is included, what is missing. What can Security refer to? Authentication, Authorization, Transport Security, Single Sign-On. Security requirements. Java EE and Security Requirements I.


Presentation Transcript


  1. Java EE Platform Security: What is included, what is missing.
     Masoud Kalali, author of the GlassFish security book, Http://kalali.me

  2. What can Security refer to?

  3. Security requirements
     • Authentication
     • Authorization
     • Transport Security
     • Single Sign-On

  4. Java EE and Security Requirements I

     What Java EE provides for Authentication:
     • Authentication methods (Form, Basic, Digest, Client-Cert)
     • Security realms
     • Programmatic login/logout, setHttpOnly/isHttpOnly, @ServletSecurity
     • Adding new realms or extending the current ones
     • JSR-196, pluggable authentication

         <login-config>
           <auth-method>BASIC</auth-method>
           <realm-name>JDBCRealm</realm-name>
         </login-config>
         ...
         String username = request.getParameter("username");
         String password = request.getParameter("password");
         request.login(username, password);
         ....
         @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager", "administrator"}))

  5. Java EE and Security Requirements II

     What the Java EE platform provides for authorization:
     • Role-based access control over resources
     • Roles are defined in a vendor-specific way
     • Roles are based on the information from the same security realm
     • Enforced using annotations or XML descriptors
     • Can be extended using JSR-115

         <method-permission>
           <role-name>manager</role-name>
           <method>
             <ejb-name>Emp</ejb-name>
             <method-name>getAge</method-name>
           </method>
         </method-permission>
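The same getAge rule as an annotated EJB, plus the programmatic check you reach for when a role alone is too coarse. This is an added example, not code from the slides; the bean name, the roles and the assumption that the caller principal's name equals the employee id are constructed for the illustration.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Annotation form of the slide's <method-permission>: only "manager" may call getAge.
// Roles are declared here; mapping them to realm groups stays vendor specific.
@Stateless
@DeclareRoles({"manager", "employee"})
public class Emp {
    @Resource
    private SessionContext ctx;   // injected by the container; carries the caller's principal and roles

    // Equivalent of <method-permission><role-name>manager</role-name> ... getAge ...
    @RolesAllowed("manager")
    public int getAge(String employeeId) {
        return lookupAge(employeeId);
    }

    // Readable by any caller, authenticated or not.
    @PermitAll
    public String getDisplayName(String employeeId) {
        return "Employee " + employeeId;
    }

    // Where a role alone is too coarse, add a programmatic check: an employee may
    // read only their own record, a manager may read anyone's (constructed assumption:
    // the principal name is the employee id).
    @RolesAllowed({"manager", "employee"})
    public int getAgeOfOwnOrManaged(String employeeId) {
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("manager") && !caller.equals(employeeId)) {
            throw new EJBAccessException("caller " + caller + " may not read " + employeeId);
        }
        return lookupAge(employeeId);
    }

    // Blocked for every caller; the container rejects the call before the body runs.
    @DenyAll
    public void resetAllRecords() { }

    private int lookupAge(String employeeId) {
        return 42;   // constructed stand-in for the real JPA lookup
    }
}
```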

  6. Java EE and Security Requirements III

     The Transport Security facilities:
     • Confidentiality
     • Data integrity
     • Different sets of resources, different levels of transport security

         <security-constraint>
           <display-name>Current Online Users</display-name>
           <web-resource-collection>
             <web-resource-name>online users</web-resource-name>
             <description/>
             <url-pattern>/admin/online/*</url-pattern>
           </web-resource-collection>
           <auth-constraint>
             <description/>
             <role-name>manager</role-name>
           </auth-constraint>
           <user-data-constraint>
             <description/>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
           </user-data-constraint>
         </security-constraint>
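The programmatic login and HttpOnly session cookie from slide 4 together with the annotation form of the security constraint on this slide, as one added Servlet 3.0 example (not code from the slides). The three public classes each go in their own source file; the URLs, the "manager" role and the realm named in <login-config> are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.http.*;

// The session cookie for the whole web application is marked HttpOnly (Servlet 3.0).
@WebListener
public class CookieHardening implements ServletContextListener {
    public void contextInitialized(ServletContextEvent e) {
        e.getServletContext().getSessionCookieConfig().setHttpOnly(true);
    }
    public void contextDestroyed(ServletContextEvent e) { }
}

// Programmatic login against the realm named in <login-config>.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();     // never keep a pre-login session id (fixation)
        try {
            req.login(username, password);     // throws for unknown user AND wrong password
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // one answer for both cases
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/admin/online/");
    }
}

// Annotation form of the slide's <security-constraint>: role "manager" over HTTPS only.
@WebServlet("/admin/online/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "manager",
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class OnlineUsersServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container already enforced both; re-checking guards against a later remapping.
        if (!req.isSecure() || !req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.getWriter().println("Online users report for " + req.getRemoteUser());
    }
}
```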

  7. Java EE and Security Requirements IV

     What the Java EE platform provides for SSO:
     • Nothing from the JSRs themselves
     • Application servers provide some basic functionality, with restrictions:
       • Same realm
       • Same virtual server/host
     • Other solutions, such as proxies (e.g. delegating authentication to Apache mod_proxy)
     • Clustering the instances
       • Needs the same realm

  8. Is that all?
     Really, is that all we need to have? Do we miss anything major? Is there anything still basic and good to have?

  9. Basic, but missing requirements
     • Authentication chain
     • Fine-grained access control
     • Single Sign-On

  10. Basic, but missing requirements I

      Authentication chain:
      • Chain of authentication challenges
      • If one realm or provider fails, chain to the next one
      • Put challenges together in groups
      • Basic rules to form the groups
      • Authentication levels
        • Higher level for more secure realms
        • More resources accessible at higher authentication levels
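An illustration of the chain-with-levels idea from this slide, added here and not a Java EE or GlassFish API: realms are tried in order, a failure falls through to the next realm, and the accepting realm's level decides which resources the session may reach. The Realm interface, StaticRealm and the level numbers are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;

// Sketch of the "authentication chain" the slide asks for (not a platform API):
// realms are tried in order, a failure falls through to the next, and the realm
// that accepts the caller sets the session's authentication level.
public class AuthenticationChain {

    public interface Realm {
        String name();
        int level();                                  // higher = more trusted realm
        boolean authenticate(String user, String secret);
    }

    // Outcome of a successful chain run: which realm accepted, and at what level.
    public static final class Session {
        public final String realm;
        public final int level;
        Session(String realm, int level) { this.realm = realm; this.level = level; }
    }

    // Constructed in-memory realm holding one user, for the demonstration only.
    public static final class StaticRealm implements Realm {
        private final String name, user, secret;
        private final int level;
        public StaticRealm(String name, int level, String user, String secret) {
            this.name = name; this.level = level; this.user = user; this.secret = secret;
        }
        public String name() { return name; }
        public int level() { return level; }
        public boolean authenticate(String u, String s) { return user.equals(u) && secret.equals(s); }
    }

    private final List<Realm> realms = new ArrayList<Realm>();
    public AuthenticationChain add(Realm r) { realms.add(r); return this; }

    // First realm that accepts the credentials wins; null means every challenge failed.
    public Session authenticate(String user, String secret) {
        for (Realm r : realms) {
            if (r.authenticate(user, secret)) return new Session(r.name(), r.level());
        }
        return null;
    }

    // Resources declare the minimum level they need; a weaker session is refused
    // even though the caller is authenticated.
    public static boolean mayAccess(Session s, int requiredLevel) {
        return s != null && s.level >= requiredLevel;
    }
}
```

A chain built as `new AuthenticationChain().add(new StaticRealm("file", 1, "alice", "pw")).add(new StaticRealm("cert", 3, "bob", "cert-secret"))` returns a level-1 session for alice, so `mayAccess(session, 3)` refuses her while accepting bob.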

  11. Basic, but missing requirements II

      Fine-grained access control:
      • Coarse-grained allow/not-allow is not sufficient anymore
      • A very common issue: time- and location-based access control
      • XACML is there, but not in the platform
        • Attribute-based access evaluation
        • Attributes for all involved factors
        • Version 2 is mature enough, Version 3 is around the corner
      • JBoss and Sun open source XACML implementations
        • http://sunxacml.sourceforge.net/
        • http://www.jboss.org/picketbox/
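The time- and location-based rule the slide calls a very common need, layered over the platform's role check as a servlet filter. Added example, not from the slides: the /admin/* mapping, the "manager" role, the office hours and the 10.20. office prefix are constructed assumptions, and the decision is isolated in permitted() so it could later be handed to an XACML policy decision point.

```java
import java.io.IOException;
import java.util.Calendar;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Time- and location-based check on top of the platform's role check for /admin/*.
// The decision lives in permitted() so it can be replaced by a call to an XACML
// PDP without touching the filter.
@WebFilter("/admin/*")
public class AdminAccessFilter implements Filter {
    private static final String OFFICE_PREFIX = "10.20.";   // constructed office subnet

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        // getRemoteAddr() is the TCP peer; behind a reverse proxy it is the proxy's address.
        if (!permitted(r.isUserInRole("manager"), Calendar.getInstance(), r.getRemoteAddr())) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Attributes in, allow/deny out: subject role, environment (time) and location.
    static boolean permitted(boolean hasRole, Calendar now, String remoteAddr) {
        int day = now.get(Calendar.DAY_OF_WEEK);
        int hour = now.get(Calendar.HOUR_OF_DAY);
        boolean businessHours = day >= Calendar.MONDAY && day <= Calendar.FRIDAY
                && hour >= 8 && hour < 18;
        boolean fromOffice = remoteAddr != null && remoteAddr.startsWith(OFFICE_PREFIX);
        return hasRole && businessHours && fromOffice;
    }
}
```

A string prefix is only a stand-in for a real subnet test; a production filter would match against a CIDR list and read the client address from a trusted proxy header when one is in front of the server.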

  12. Basic, but missing requirements III

      What to do with more SSO requirements?
      • It may never get into the platform
        • Involves more than just Java EE
        • Heavy, complex and open-ended
      • Go with JOSSO, http://www.josso.org/
      • Go with OpenSSO, http://opensso.dev.java.net
        • Both work with CDSSO
        • Integrate with many platforms/servers
        • Can be used from almost any language

  13. Time for Questions
      You can contact me at kalali@gmail.com or http://twitter.com/MasoudKalali
