j2ee security l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
J2EE Security PowerPoint Presentation
Download Presentation
J2EE Security

Loading in 2 Seconds...

play fullscreen
1 / 93

J2EE Security - PowerPoint PPT Presentation


  • 213 Views
  • Uploaded on

J2EE Security. Topics. J2EE Security Goals JAAS and Application Server Security Setup Security Layers Web Applications Web Service Clients EJB Security EAR Security External EJB Clients. J2EE Security Goals. Lessen burden on application developer

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

J2EE Security


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. J2EE Security J2EE Security

    2. Topics • J2EE Security Goals • JAAS and Application Server Security Setup • Security Layers • Web Applications • Web Service Clients • EJB Security • EAR Security • External EJB Clients J2EE Security

    3. J2EE Security Goals • Lessen burden on application developer • Container can provide security infrastructure • Deployer and system administrator define security policies • Avoid hard-coding security policies in component implementations • Portability among servers that use different security mechanisms J2EE Security

    4. J2EE Roles and Security • Application Assembler defines security roles for an application • web.xml • ejb-jar.xml • Deployer maps principals (or groups of principles) in an operational environment to the security roles defined by the application assembler • Component implementer may implement security policies in code (Avoid if possible) J2EE Security

    5. Security Points Security Infrastructure (App Server *may* use JAAS to access) Business Logic (Vendor A) Web Tier (Servlets/JSP) http/https Rmi/ IIOP Resource Tier BASIC, Form, Mutual-SSL EJBs rmi/iiop new InitialContext(props) JAAS Business Logic (Vendor B) OMG CSIv2 Level 0 SSL/TLS Security Info in IOR Security Context in IIOP Message EJBs J2EE Security

    6. Security Infrastructure J2EE Security

    7. Security Points Security Infrastructure (App Server *may* use JAAS to access) Business Logic (Vendor A) Web Tier (Servlets/JSP) http/https Rmi/ IIOP Resource Tier BASIC, Form, Mutual-SSL EJBs rmi/iiop new InitialContext(props) JAAS Business Logic (Vendor B) OMG CSIv2 Level 0 SSL/TLS Security Info in IOR Security Context in IIOP Message EJBs J2EE Security

    8. Security Infrastructure • J2EE specs dictate little concerning actual security implementation. • Many implementations possible • X.509 Certificates/LDAP/etc. • Kerberos • Application server is responsible for ‘adapting’ the security infrastructure in the deployment environment to the J2EE application’s needs • Every App server does this differently J2EE Security

    9. Weblogic Security Infrastructure • Server • Users and Groups configured using console or Mbeans • Defines Service Provider Interface so various security implementations can be overridden • Authentication • Identity Assertion • Authorization • Auditing • Adjudication • Role Mapping • KeyStore • Credential Mapper J2EE Security

    10. WL Security Infrastructure (Cont) • Contains an embedded LDAP adapter • Usage similar to old File Realm provider used for a default security implementation • Adapters to most commercial LDAP servers also • Can define advanced policies for access to resources • times of day, from where, etc. J2EE Security

    11. Adding Groups using Console J2EE Security

    12. Adding a User from the Console J2EE Security

    13. Assigning User to a Group J2EE Security

    14. Adding Users/Groups with MBeans runtime.properties WLS_ADMIN_USERS=jim,dan WLS_ADMIN_GROUP=WLSAdminRole $ corej2ee.bash tools addUserGroups mysite.properties=C:\cygwin\home\jcstaff\mysite.properties Buildfile: C:\cygwin\home\jcstaff\proj\corej2ee\deploy\bin\antfiles\tools.xml _addGroup_: executing addGroup group WLSAdminRole added _noPassword_: no -DuserPassword=<password> supplied, using default J2EE Security

    15. Adding Users/Groups with MBeans _addUser_: executing addUser user jim/password added _noPassword_: no -DuserPassword=<password> supplied, using default _addUser_: executing addUser user dan/password added _addGroupMember_: executing addGroupMember added jim to group WLSAdminRole _addGroupMember_: executing addGroupMember added dan to group WLSAdminRole J2EE Security

    16. WL Security Setup Summary • Realms have configured implementations for each required security component • Possible to write custom security implementations • Default implementation utilizes embedded LDAP server, user names/passwords, and certificates • Realm used is selected in web.xml deployment descriptor J2EE Security

    17. JBoss Security Infrastructure • Uses JAAS heavily • Quick JAAS Overview • Example: Using a Database Login Module • Keeps users/roles in database tables • Can develop login modules for any desired security implementation • LDAP and property file implementations provided in JBoss distribution J2EE Security

    18. Java Authorization and Authentication Service JAAS J2EE Security

    19. JAAS • Two purposes • Authentication – Determine WHO is executing the code • Authorization – Verify user has permission to access the resource • Part of J2SDK, v 1.4 • Support mandated by J2EE specification • Weblogic uses JAAS for authentication. A proprietary mechanism is used to implement an extendable app server security infrastructure • JBoss uses JAAS for authentication and a ‘pluggable’ application server security infrastructure JBossSX J2EE Security

    20. JAAS Components 2. Check configuration for ‘Client’ login module 1. LoginContext lc = new LoginContext(“Client", new MyCallbackHandler()); Configuration Login context 5. lc.login() 4. initialize Configuration implementation maps the login context name to a login module implementation 3. new Subject() 6. login Client Subject Client Login Module 8. Populate with principal Callback Handler 7. Ask for information e.g. password Note: commit() details omitted J2EE Security

    21. JBoss JAAS Configuration • Server (Users/Passwords in Database) • Define Oracle Data Source (OracleDS) • deploy/oracle-service.xml • Copy classes12.jar to ‘lib’ • Create/Populate user database tables • Update login-config.xml J2EE Security

    22. Server: deploy/oracle-service.xml …………………….. <attribute name="JndiName">OracleDS</attribute> <attribute name="ManagedConnectionFactoryProperties"> <properties> <config-property name="ConnectionURL" type="java.lang.String"> jdbc:oracle:thin:@linux1:1521:coredb</config-property> <config-property name="DriverClass" type="java.lang.String"> oracle.jdbc.driver.OracleDriver</config-property> <config-property name="UserName" type="java.lang.String">core</confi-property> <config-property name="Password" type="java.lang.String">corepassword</config-property> </properties> </attribute> ………….. J2EE Security

    23. Server: Database Tables (Principal) CREATE TABLE principal_Principal ( id VARCHAR2(32) NOT NULL, password VARCHAR2(128), principalType CHAR(1), firstName VARCHAR2(128), lastName VARCHAR2(128) ); CREATE TABLE principal_PrincipalGroup ( principalId VARCHAR2(32) NOT NULL, groupId VARCHAR2(32) NOT NULL, roleName VARCHAR2(32) ); J2EE Security

    24. Add Some Users (principal_data.ddl) INSERT INTO principal_Principal VALUES ('DAN', 'DAN', '1', 'Dan', 'Weimer'); INSERT INTO principal_Principal VALUES ('JIM', 'JIM', '1', 'Jim', 'Stafford'); INSERT INTO principal_Principal VALUES ('GROUP1', 'XXX', '2', 'G', '1'); INSERT INTO principal_PrincipalGroup VALUES ('DAN', 'GROUP1', 'ADMIN'); INSERT INTO principal_PrincipalGroup VALUES ('DAN', 'GROUP1', 'USERS'); INSERT INTO principal_PrincipalGroup VALUES ('JIM', 'GROUP1', 'USERS'); J2EE Security

    25. Server: conf/login-config.xml <application-policy name="coreDB"> <authentication> <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule“ flag="required"> <module-option name="dsJndiName">java:/OracleDS</module-option> <module-option name="unauthenticatedIdentity">guest</module-option> <module-option name="principalsQuery">select password from principal_Principal where id=?</module-option> <module-option name="rolesQuery">select roleName, 'Roles' from principal_PrincipalGroup where principalId=?</module-option> </login-module> </authentication> </application-policy> J2EE Security

    26. DtD for login-config.xml J2EE Security

    27. JBoss Security Setup (Cont.) • Login Module utilized by the server is configured in the jboss proprietary deployment descriptor for J2EE components • Servlet and EJB examples shown later J2EE Security

    28. Web Application Security J2EE Security

    29. Security Points Security Infrastructure (App Server *may* use JAAS to access) Business Logic (Vendor A) Web Tier (Servlets/JSP) http/https Rmi/ IIOP Resource Tier BASIC, Form, Mutual-SSL EJBs rmi/iiop new InitialContext(props) JAAS Business Logic (Vendor B) OMG CSIv2 Level 0 SSL/TLS Security Info in IOR Security Context in IIOP Message EJBs J2EE Security

    30. Web Tier Security • Authentication • BASIC • Form • Client X.509 Certificate • Confidentiality and Message Integrity • Can require communication to take place over SSL with <transport-guarantee> element J2EE Security

    31. Web Tier Security Configuration (web.xml) Name a set of pages to protect <security-constraint> <web-resource-collection> <web-resource-name>Admin Pages</web-resource-name> <url-pattern>/admin/*</url-pattern> </web-resource-collection> <auth-constraint> <description>Pages for admin only</description> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> State what roles can access these pages Do requests for these pages need to be made over SSL? Not in this example J2EE Security

    32. Security Configuration (Cont) <security-constraint> <web-resource-collection> <web-resource-name>Admin SSL Pages</web-resource-collection> <url-pattern>/adminssl/*</url-pattern> </web-resource-collection> <auth-constraint> <description>Pages for admin over ssl only</description> <role-name>admin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> Have to use SSL to access these pages J2EE Security

    33. Security Configuration (Cont) (web.xml) Use HTTP BASIC to collect user’s name and password <login-config> <auth-method>BASIC</auth-method> <realm>myrealm</realm> </login-config> <security-role> <role-name>admin</role-name> </security-role> </web-app> Have to list all security roles mentioned previously J2EE Security

    34. Setting up Security (weblogic.xml) <!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 7.0//EN“ "http://www.bea.com/servers/wls700/dtd/weblogic700-web-jar.dtd"> <weblogic-web-app> <description>WebLogic Descriptor</description> <security-role-assignment> <role-name>admin</role-name> <principal-name>WLSAdminRole</principal-name> </security-role-assignment> <iweblogic-web-app> Have to map ‘logical’ J2EE roles to a group configured in Weblogic J2EE Security

    35. Setting up Security (jboss-web.xml) <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtds/jboss-web_3_0.dtd"> <jboss-web> <security-domain>java:/jaas/coreDB</security-domain> </jboss-web> Matches an application-policy in login-config.xml J2EE Security

    36. Web Demo App • No constraints on the 1’st link • Second link requires login by user in the admin role • Third link will fail because link is not SSL • Fourth link uses SSL link. If user is not already authenticated, challenge box will appear J2EE Security

    37. FORM-based authentication • Allows custom application form to be used to collect user credentials • Can look better than browser pop-up box J2EE Security

    38. Web.xml Changed BASIC to FORM <login-config> <auth-method>FORM</auth-method> <realm-name>myrealm</realm-name> <form-login-config> <form-login-page>/login.html</form-login-page> <form-error-page>/error.html</form-error-page> </form-login-config> </login-config> Our pages that look more like our application J2EE Security

    39. Login.html <form action="j_security_check" method="POST"> <table border="0" width="30%" cellspacing="3" cellpadding="2"> <tr><td><b>User Name</b></td><td> <input type="text" size="20" name="j_username"> </td></tr> <tr><td><b>Password</b></td><td> <input type="password" size="10" name="j_password"> </td></tr> <tr><td><p><input type="submit" value="Login"></td></tr> </table> </form> J2EE Security

    40. Custom Challenge Box J2EE Security

    41. Programmatic Security J2EE Security

    42. Servlet with Programmatic Security public class SecureServlet extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { PrintWriter pw=response.getWriter(); pw.println("<HTML><HEAD><TITLE>HelloWorld</TITLE></HEAD><BODY>"); if(request.isUserInRole("applicationAdmin")) { pw.println("You are an admin user"); } else { pw.println("You are not an admin user"); } pw.println("</BODY></HTML>"); } } J2EE Security

    43. Web.xml <servlet> <servlet-name>secure</servlet-name> <servlet-class>corej2ee.examples.web.SecureServlet</servlet-class> <security-role-ref> <description>servlet checks for this role programmatically</description> <role-name>applicationAdmin</role-name> <role-link>admin</role-link> </security-role-ref> </servlet> …………………… <security-role> <role-name>admin</role-name> </security-role> We did an isUserInRole for this role in our code App Server please map this to the overall ‘admin’ logical role defined for the application J2EE Security

    44. Web Services Security J2EE Security

    45. Web Services Security (Cont) • Web Services for J2EE still being defined • JSR 109 (http://www-3.ibm.com/software/solutions/webservices/pdf/websvcs-0_3-pd.pdf) • HTTP Basic Auth and Symmetric SSL • Access to JAX-RPC web service endpoints is based upon the servlet/JSP security model • Still immature • No Support for credential propagation within a SOAP message i.e. no message-level security provisions J2EE Security

    46. EJB Security J2EE Security

    47. Security Points Security Infrastructure (App Server *may* use JAAS to access) Business Logic (Vendor A) Web Tier (Servlets/JSP) http/https Rmi/ IIOP Resource Tier BASIC, Form, Mutual-SSL EJBs rmi/iiop new InitialContext(props) JAAS Business Logic (Vendor B) OMG CSIv2 Level 0 SSL/TLS Security Info in IOR Security Context in IIOP Message EJBs J2EE Security

    48. EJB Security • Authentication • validates the identity of the user • implemented through username/password logins, ID Cards, security certificates, etc. • Technique used not covered by EJB Specification • Authorization/Access Control • controls what a user can and cannot do within the system • Secure Communications • ensuring the privacy of a communications • implemented through private communication (infrequently) channels or (more commonly) encryption • not covered by EJB Specification J2EE Security

    49. Authentication • EJB external clients • Specify principal and password properties when creating JNDI initial context (deprecated and proprietary) • JAAS with a client-login module • Web Clients • Authenticated with FORM, Basic, or certificates J2EE Security

    50. Authentication • EJB Spec requires that every client access be associated with a security identity • user or role • getCallerPrincipal always returns a valid principal • User logs into EJB System and authenticated through an implementation-specific method • EJB Server passes security identity along with method invocation • EJB objects or EJB homes check access J2EE Security