
Web Application Server Survey

CS526, Spring 2006 Semester Project, Enoch Leung. Web Application Server Survey. Outline of the talk: web application servers; commonalities and differences; application-level security; web service security. Web application servers covered: IBM WebSphere, BEA WebLogic, JBoss; Web Container, EJB Container.


Presentation Transcript


  1. CS526, Spring 2006 Semester Project, Enoch Leung: Web Application Server Survey (mleung/Web App Server Survey)

  2. Outline of The Talk
     • Web Application Servers
     • Commonalities and Differences
     • Application-level security
     • Web service security

  3. Web Application Servers
     • IBM WebSphere, BEA WebLogic, JBoss
     • Web Container, EJB Container
     • J2EE 1.4
     • JAR, WAR, EAR
     • ClassLoader

  4. J2EE 1.4 Major Components
     • EJB 2.1, Servlet 2.4, JMS, JAX-RPC, JCA, JACC, JTA, JMX
     • EJB: Entity, Session, Message-Driven
     • Servlet: Servlet, Filter, JSP
     • JMS: ESB
     • JAX-RPC: WSDL, SOAP
     • JCA, JACC:
     • JMX: Management and more

  5. Offering Differences
     • JBoss: JMX-based, AOP
     • WebSphere: Cell=Cluster, Delta-deploy, Eclipse Integration (RAD), multiple registry (Tivoli), JSR-168 (Portal), Runtime profiling (Tivoli)
     • WebLogic: Workshop (Eclipse Integration, JSR-168, JSF), multiple registry (JAAS)

  6. J2EE Security
     • Authentication: identification
     • Authorization: permission
     • Servlet: BASIC, DIGEST, Form, Credential
     • JAAS: Subject, Principal, LoginModule, Callback; required, sufficient, requisite, optional
     • JACC: externalize resource access policy
     • JCA: JDBC3, accept Subject

  7. J2EE Security (Cont'd)
     • Role definition
     • JNDI -> EJB through JAAS
     • Servlet -> EJB through Servlet security
     • EJBContext.getCallerPrincipal()
     • EJBContext.isCallerInRole(String roleName)
     • WebSphere: RunAs(String roleName)

  8. Code Snippet (JBoss)

     import java.security.Principal;
     import java.security.acl.Group;
     import java.util.Map;
     import java.util.StringTokenizer;
     import javax.security.auth.Subject;
     import javax.security.auth.callback.Callback;
     import javax.security.auth.callback.CallbackHandler;
     import javax.security.auth.callback.NameCallback;
     import javax.security.auth.callback.PasswordCallback;
     import javax.security.auth.login.LoginException;
     import jcifs.UniAddress;
     import jcifs.netbios.NbtAddress;
     import jcifs.smb.NtlmPasswordAuthentication;
     import jcifs.smb.SmbSession;
     import org.jboss.security.SimpleGroup;
     import org.jboss.security.SimplePrincipal;
     import org.jboss.security.auth.spi.AbstractServerLoginModule;

     public final class JBossLoginModule extends AbstractServerLoginModule {

         // Prompt text for the callbacks; a blank (not empty) prompt satisfies NameCallback.
         private static final String EMPTY = " ";

         public void initialize(Subject s, CallbackHandler c, Map t, Map o) {
             super.initialize(s, c, t, o);
         }

         // Identity handed to JBoss after a successful login(); hard-coded for the demo.
         protected Principal getIdentity() {
             // return new SimplePrincipal(username);
             System.out.println("called getIdentity()");
             return new SimplePrincipal("hardcode_moron");
         }

         // JBoss expects two groups: "Roles" (role names) and "CallerPrincipal".
         protected Group[] getRoleSets() throws LoginException {
             System.out.println("called getRoleSets()");
             // decode group by username (hard-coded for the demo)
             String roleNames = "Web,BCT,Echo";
             SimpleGroup roles = new SimpleGroup("Roles");
             SimpleGroup callerPrincipal = new SimpleGroup("CallerPrincipal");
             Group[] roleSets = {roles, callerPrincipal};
             if (roleNames != null) {
                 StringTokenizer tokenizer = new StringTokenizer(roleNames, ",");
                 while (tokenizer.hasMoreTokens()) {
                     String roleName = tokenizer.nextToken();
                     roles.addMember(new SimplePrincipal(roleName));
                 }
             }
             callerPrincipal.addMember(new SimplePrincipal("hardcoded!!!"));
             System.out.println("caller principals = hardcoded!!!");
             return roleSets;
         }
         // ... to be continued...
     }

  9. Code Snippet (Cont'd)

         // ... continue...
         public boolean login() throws LoginException {
             if (super.login()) {
                 // identity already came from the shared state (password stacking)
                 // do proper name resolution here
                 return true;
             }
             NameCallback nc = new NameCallback(EMPTY, EMPTY);
             PasswordCallback pc = new PasswordCallback(EMPTY, false);
             Callback[] callbacks = {nc, pc};
             try {
                 callbackHandler.handle(callbacks);
                 String username = nc.getName();
                 char[] password = pc.getPassword();
                 // get username & password okay, now what?
                 // The demo logs on to the domain controller with fixed credentials
                 // rather than the ones just collected; the password is masked on the slide.
                 NtlmPasswordAuthentication ntpa =
                     new NtlmPasswordAuthentication("BCTHK01", "el0686", "********");
                 UniAddress addr = new UniAddress(NbtAddress.getByName("BCTHK01"));
                 SmbSession.logon(addr, ntpa);
                 System.out.println("NTLM login success");
                 loginOk = true;  // AbstractServerLoginModule.commit() adds principals only when this is set
                 return true;
             } catch (Exception e) {
                 // do nothing: bad credentials or an unreachable DC simply means login fails
             }
             return false;
         }
     }

  10. J2EE Security Concerns
     • RMI / JNDI
     • ServletContext -> EJBContext
     • JAAS vs. JACC, aka. Subject vs. Policy
     • ClientContainer: RMI-IIOP, vendor lock-in
     • WebSphere: WSSPI
     • WebSphere: 30% performance penalty

  11. Web Services (SOAP)
     • J2EE: SAAJ (SOAP)
     • SOAPEnvelope, SOAPBody, SOAPFault
     • WebSphere: map servlets to web services
     • Security: HTTPS + Servlet A&A

  12. XML / WS Security
     • Secure transport, correct identity, integrity
     • Canonicalized, Portion-Tree
     • Referenced, Sibling, Embedded, Child (embedded key)
     • WS-Security: SOAP Headers, wsse (actor={receiver}, mustUnderstand="1")
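Worked example (added here, not from the slides): using SAAJ to build the message sketched on slides 11 and 12, with a wsse:Security header addressed to one actor and flagged mustUnderstand="1", plus the receiver-side check that turns any mustUnderstand header it does not recognise into a SOAPFault instead of silently skipping it. The class, method and actor names and the echo payload are constructed for this example, and the header is assumed to be explicitly addressed to the receiver's actor URI.

```java
import java.util.Iterator;
import javax.xml.namespace.QName;
import javax.xml.soap.*;

/** Constructed example: WS-Security header handling with SAAJ (SOAP 1.1). */
public final class WsseHeaderDemo {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Sender: wsse:Security header addressed to `actor`, mustUnderstand="1",
     *  carrying a UsernameToken; the body is a constructed echo request. */
    public static SOAPMessage build(String actor, String user) throws SOAPException {
        SOAPMessage msg = MessageFactory.newInstance().createMessage();
        SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
        SOAPHeaderElement sec = env.getHeader().addHeaderElement(new QName(WSSE_NS, "Security", "wsse"));
        sec.setActor(actor);          // only the named node must process this header
        sec.setMustUnderstand(true);  // ... and must fault rather than silently skip it
        SOAPElement token = sec.addChildElement(new QName(WSSE_NS, "UsernameToken", "wsse"));
        token.addChildElement(new QName(WSSE_NS, "Username", "wsse")).addTextNode(user);
        env.getBody().addBodyElement(new QName("urn:example:echo", "echo", "ex")).addTextNode("ping");
        msg.saveChanges();
        return msg;
    }

    /** Receiver playing the role `myActor`: returns the wsse:Security header when it is
     *  the only mustUnderstand header addressed to us; otherwise replaces the body with
     *  a MustUnderstand fault (the SOAP 1.1 rule) and returns null. */
    public static SOAPHeaderElement accept(SOAPMessage msg, String myActor) throws SOAPException {
        SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
        SOAPHeaderElement security = null;
        Iterator<?> it = env.getHeader().examineMustUnderstandHeaderElements(myActor);
        while (it.hasNext()) {
            SOAPHeaderElement h = (SOAPHeaderElement) it.next();
            if (WSSE_NS.equals(h.getNamespaceURI()) && "Security".equals(h.getLocalName())) {
                security = h;   // understood: token / signature checks would run on this element
                continue;
            }
            SOAPBody body = env.getBody();
            body.removeContents();  // never echo the request payload inside a fault
            body.addFault(new QName(env.getNamespaceURI(), "MustUnderstand", env.getPrefix()),
                          "Unsupported mustUnderstand header: " + h.getElementQName());
            return null;
        }
        return security;
    }
}
```

Calling accept(build("urn:example:gateway", "alice"), "urn:example:gateway") returns the wsse:Security element, while a second mustUnderstand header for the same actor would instead produce the fault.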

  13. JMS
     • Message-oriented middleware (MOM) bridge (e.g. MQSeries)
     • Queue (point-to-point)
     • Topic (publish / subscribe)
     • Delivery confirmation
     • Security: NONE (or proprietary)
     • Solution: protected JNDI discovery, embed Principal with message, etc.
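Worked example (added here, not from the slides) for the "embed Principal with message" idea on slide 13: the producer stamps the caller's principal name on the JMS message and binds it to the body with an HMAC under a key shared by trusted producers and consumers, so a consumer can reject a stamp that anyone with queue access could otherwise forge. The HMAC binding is an addition beyond what the slide states; the class and property names are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.jms.JMSException;
import javax.jms.Session;
import javax.jms.TextMessage;

/** Constructed helper: carries the caller Principal on a JMS TextMessage and binds it
 *  to the body with an HMAC so a consumer can tell a genuine stamp from a forged one. */
public final class PrincipalStamp {
    static final String PRINCIPAL_PROP = "callerPrincipal";  // assumed property names
    static final String MAC_PROP = "callerMac";

    private final byte[] key;  // shared secret between trusted producers and consumers

    public PrincipalStamp(byte[] key) { this.key = key.clone(); }

    /** Producer side: message carrying the principal name and its MAC. */
    public TextMessage stamp(Session session, String principalName, String body) throws JMSException {
        TextMessage m = session.createTextMessage(body);
        m.setStringProperty(PRINCIPAL_PROP, principalName);
        m.setStringProperty(MAC_PROP, mac(principalName, body));
        return m;
    }

    /** Consumer side: the principal name if the MAC verifies, otherwise null
     *  (treat null as "unauthenticated" and do not act on the message). */
    public String verify(TextMessage m) throws JMSException {
        String principalName = m.getStringProperty(PRINCIPAL_PROP);
        String claimed = m.getStringProperty(MAC_PROP);
        if (principalName == null || claimed == null) return null;
        byte[] expected = mac(principalName, m.getText()).getBytes(StandardCharsets.US_ASCII);
        // constant-time comparison so timing does not leak the expected MAC
        return MessageDigest.isEqual(expected, claimed.getBytes(StandardCharsets.US_ASCII))
            ? principalName : null;
    }

    String mac(String principalName, String body) {
        try {
            Mac h = Mac.getInstance("HmacSHA256");
            h.init(new SecretKeySpec(key, "HmacSHA256"));
            // length-prefix the principal so ("a","bc") and ("ab","c") cannot collide
            h.update((principalName.length() + ":" + principalName).getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(h.doFinal(body.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Protecting the JNDI lookup (the other half of the slide's solution) is what keeps the shared key and the destination out of reach of untrusted clients; the MAC only covers what is inside the message.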

  14. Enterprise Service Bus
     • Service-oriented Architecture (SOA)
     • MOM + WS + XSLT / XSD + Content-based routing
     • WS -> SOAP + UDDI (some have ebXML)
     • MOM -> JMS
     • Usage: enterprise systems integration

  15. End of Session
     • Questions?
