1. Utilize the Full Power of GlassFish Server and Java EE Security
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
2. Utilize the Full Power of GlassFish Server and Java EE Security
Masoud Kalali
Principal Member of Technical Staff, Oracle
Twitter: @MasoudKalali
Blog: http://kalali.me
3. Program Agenda
Introduction
Java EE Security API
Java Authentication Service Provider Interface (JSR-196)
Java Authorization Contract for Containers (JSR-115)
4. Introduction
5. Java EE Security API
Terms
A Subject: an individual identity which is to be authenticated.
A Group: a group of users with common permissions and access levels.
A Security Realm: connects the application server to the identity storage.
A Role: a Java EE concept used to define access levels.
A Principal: also known as a role attached to an authenticated subject.
A Credential: contains or references the information used to authenticate a principal.
6. Java EE Security API
Before anything else
Identify the sensitive data
Identify the roles having access to sensitive data
Identify resources representing sensitive data
Group the mentioned resources into meaningful sets
And Document the above items!
7. Java EE Security API
Resource Protection
Authentication
– At Web Container
– Application Client Container
Authorization (Access Control)
– At Web Container
– EJB Container
Subject Propagation
– From Web Container to EJB Container
– From App Client To EJB container
– EIS to Connector (inflow messages)
8. Java EE Security API
Authentication
When a protected resource is requested, establish the client's identity
Authentication Methods
– Form
– Basic
– Digest
– Client-Cert
9. Java EE Security API
Authentication Continued…
Specify the protected resources:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>manager</web-resource-name> <!-- required by the schema; the name is illustrative -->
    <url-pattern>/manager/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Specify the permitted role(s) -->
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Specify the transport guarantee level -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Note that naming http-method elements constrains only those methods; leave them out to cover every HTTP method, or use http-method-omission (Servlet 3.0) to exclude specific ones.
10. Java EE Security API
Authentication Continued…
Specify the login configuration:
<login-config>
  <!-- Pick one of: BASIC (HTTP Basic Authentication), DIGEST (Digest Authentication),
       CLIENT-CERT (HTTPS Client Authentication), FORM (Form-Based Authentication) -->
  <auth-method>FORM</auth-method>
  <!-- Specify the security realm name -->
  <realm-name>jdbc-realm</realm-name>
  <!-- FORM additionally needs the login and error pages; these paths are illustrative -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
11. Java EE Security API
Got your own way of authenticating?
Use programmatic login in Java EE 6
Benefit from all that container security provides
– Principal propagation
– Unified security exceptions
– Any auditing/logging that the container provides
– Authentication against the configured realm
Do more than just two tokens (multi-factor authentication)
– Mix and match third-party soft tokens with usernames/passwords
12. Java EE Security API
Got your own way of authenticating?
// Inside a servlet's doPost; request is the HttpServletRequest
String userName = request.getParameter("user");
String password = request.getParameter("password");
String enteredSmsCode = request.getParameter("enteredSms");
// Second factor: the submitted one-time code must match the last code issued to this user
if (enteredSmsCode != null && enteredSmsCode.equals(getLastActiveSmsForUser(userName))) {
    try {
        // First factor: the container checks username/password against the configured realm
        // and, on success, establishes the caller principal for this request
        request.login(userName, password);
    } catch (ServletException ex) {
        // Login failed: wrong credentials, a user is already authenticated, or no login mechanism is configured
    }
} else {
    // Wrong or missing code: invalidate it so it cannot be retried
    invalidateLastSmsForUser(userName);
}
13. To wrap it up
The security-related structure of web.xml and *-web.xml, and the role mapping
14. Java EE Security API
Security-related methods on HttpServletRequest
Method: Description
String getRemoteUser(): If the user is authenticated, returns the username; otherwise returns null.
boolean isUserInRole(String role): Returns whether or not the current user has the specified role.
Principal getUserPrincipal(): Returns a java.security.Principal object containing the name of the current authenticated user.
String getAuthType(): Returns a String naming the authentication method used to protect this application.
void login(String username, String password): Performs the programmatic login explained above.
void logout(): Establishes null as the value returned when getUserPrincipal, getRemoteUser, and getAuthType are called on the request.
String getScheme(): Returns the scheme portion of the URL, for example http or https.
15. Java EE Security API
Authorization (Access Control)
Now that you have established the user identity, you can enforce access control:
– Using annotations to declare the permitted and denied roles
– Using the XML descriptor to specify the permitted and denied roles
16. Java EE Security API
Authorization (Access Control): Security constraints (Web, EJB, ...)
Annotation: Description
@DeclareRoles: Prior to referencing any role, it should be defined. @DeclareRoles acts like the security-role element in defining the roles used in the application.
@RunAs: Specifies the run-as role for the given components.
@ServletSecurity: Specifies the security constraint for the annotated Servlet.
@PermitAll: Permits users with any role to access the given method, EJB or Servlet.
@RolesAllowed: On a method, permits the included roles to invoke it. On a class, all methods are accessible to the roles unless annotated with a different set of roles using @RolesAllowed on a method.
@DenyAll: Used on a method; no role is allowed to invoke it.
17. Java EE Security API
Where to place the Annotations?
Annotation: Target level / Target kind
@DeclareRoles: Class / EJB, Servlet
@RunAs: Class / EJB, Servlet
@ServletSecurity: Class / Servlet
@PermitAll: Class, Method / EJB, Servlet
@RolesAllowed: Class, Method / EJB, Servlet
@DenyAll: Method / EJB, Servlet
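As an added example (not code from the deck or from GlassFish), the annotations from the two tables above applied to a hypothetical EJB and servlet; the class names, the "employee"/"manager" roles, the URL pattern and the method bodies are assumptions, and the two source files are shown together in one block:

```java
import javax.annotation.security.*;
import javax.ejb.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;
import java.io.IOException;

// File 1, PayrollBean.java: the class-level default role is "employee"; methods narrow or widen it
@Stateless
@DeclareRoles({ "employee", "manager" })   // declare every role before referencing it
@RolesAllowed("employee")
public class PayrollBean {
    public String viewOwnPayslip() { return "payslip"; } // inherits @RolesAllowed("employee")

    @RolesAllowed("manager")                             // overrides the class-level roles
    public void approveRaise(String employeeId) { }

    @PermitAll                                           // any caller, authenticated or not
    public String holidayCalendar() { return "calendar"; }

    @DenyAll                                             // no role may invoke it through the container
    public void rebuildIndexes() { }
}

// File 2, ManagerConsole.java: /manager/* needs the "manager" role over TLS, TRACE is denied outright,
// and calls into the EJB container are made as "manager" because of @RunAs
@WebServlet("/manager/*")
@RunAs("manager")
@ServletSecurity(
    value = @HttpConstraint(rolesAllowed = "manager",
                            transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = @HttpMethodConstraint(value = "TRACE",
                            emptyRoleSemantic = ServletSecurity.EmptyRoleSemantic.DENY))
public class ManagerConsole extends HttpServlet {
    @EJB
    private PayrollBean payroll;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        payroll.approveRaise(req.getParameter("employeeId")); // authorized by the run-as role
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Unlike the web.xml constraint earlier in the deck, the class-level @HttpConstraint here covers every HTTP method, with TRACE singled out by its own @HttpMethodConstraint.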
18. Java EE Security API
Transport Security
Apply the right level of transport security to your resources
– CONFIDENTIAL
– INTEGRAL
Use as much strength as needed; the strongest is not always the best
Check country regulations before choosing cipher suites
19. Is that all that we can do?
No, there is much more…
20. Java Authentication Service Provider Interface (JSR-196)
What JSR-196 is…
An SPI for integrating authentication mechanism implementations in message processing runtimes
Authentication is delegated to the corresponding provider at the message processing points
Develop authentication modules that use credentials or headers the container does not support out of the box
Use the container's security integration
Can plug in off-the-shelf third-party Authentication Modules implementing JSR-196
21. Java Authentication Service Provider Interface (JSR-196)
Message interception points
In the client, before transmitting the request to the server.
In the server, before the target service receives the client request.
In the server, before a response can be sent back to the client.
In the client, before the server response can be consumed.
22. Java Authentication Service Provider Interface (JSR-196)
How you can benefit from it
Integrate any COTS authentication module
Develop your own credentials and use them for authentication
Benefit from container provided security
– Access control
– Subject propagation
– Unified error messages
– Auditing
– Etc
23. Java Authentication Service Provider Interface (JSR-196)
The good part, the SPI…
The interface is javax.security.auth.message.module.ServerAuthModule
A total of 5 methods to implement
– 2 directly from javax.security.auth.message.module.ServerAuthModule
– 3 inherited from javax.security.auth.message.ServerAuth
The implementation can be plugged into the container
The implementation can be used by the web apps
Supported by any Java EE 6 compliant app server
24. Java Authentication Service Provider Interface (JSR-196)
2 directly from ServerAuthModule
void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options)
– Called for each authentication event
– requestPolicy and responsePolicy specify whether authentication is mandatory or not
– handler communicates the user and group principals to be used in establishing the runtime's security context
– options come from the container, to parameterize the behaviour of the SAM module
25. Java Authentication Service Provider Interface (JSR-196)
2 directly from ServerAuthModule
Class[] getSupportedMessageTypes()
Returns an array of the supported message types:
– HttpServletRequest.class
– HttpServletResponse.class
26. Java Authentication Service Provider Interface (JSR-196)
3 inherited from javax.security.auth.message.ServerAuth
AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
– Custom credential scraping and/or authentication happens here
– Communicate the authentication result and/or identity assertions to the message processing runtime through the callback handler
27. Java Authentication Service Provider Interface (JSR-196)
3 inherited from javax.security.auth.message.ServerAuth
AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
– Nothing much to do here for the servlet profile
– Usually return AuthStatus.SEND_SUCCESS;
28. Java Authentication Service Provider Interface (JSR-196)
3 inherited from javax.security.auth.message.ServerAuth
void cleanSubject(MessageInfo messageInfo, Subject subject)
– Remove the method-specific principals and groups from the provided Subject
– Update the messageInfo if needed for a multi-step message exchange
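As an added example (not code from the deck or from GlassFish), the five methods from the preceding slides implemented in a hypothetical ServerAuthModule that scrapes an "X-Api-Token" header; the header name, the constructed token table, the "users" group and the class name are assumptions:

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
public class HeaderTokenAuthModule implements ServerAuthModule {
    // Servlet-profile property that tells the SAM whether the target resource is protected
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    // Constructed token table (assumption); a real module would consult its own credential store
    private final Map<String, String> tokenToUser = Collections.singletonMap("tok-placeholder-123", "alice");
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler; // container-supplied; used below to assert the caller and groups
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) messageInfo.getRequestMessage();
        String user = tokenToUser.get(req.getHeader("X-Api-Token")); // credential scraping
        try {
            if (user != null) { // assert the caller and its groups into clientSubject via the handler
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user),
                        new GroupPrincipalCallback(clientSubject, new String[] { "users" }) });
                return AuthStatus.SUCCESS;
            }
            if (!Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)))) {
                // Unprotected resource: let it through as the unauthenticated caller, never reject it
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
                return AuthStatus.SUCCESS;
            }
            ((HttpServletResponse) messageInfo.getResponseMessage()).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } catch (Exception e) {
            throw (AuthException) new AuthException("token validation failed").initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS; // nothing to add to the response in the servlet profile
    }
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear(); // drop the principals this module established
    }
}
```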
29. Java Authentication Service Provider Interface (JSR-196)
GlassFish and JSR-196: install it in the domain
Create a new provider under Security > Message Security > HttpServlet
30. Java Authentication Service Provider Interface (JSR-196)
GlassFish and JSR-196
Use it for one web application if it is not made the default
– Use the httpservlet-security-provider attribute of the glassfish-web-app element in glassfish-web.xml (sun-web-app in the older sun-web.xml)
And you are done!
<glassfish-web-app httpservlet-security-provider="new-sam">
  <security-role-mapping>
    <role-name>role_1</role-name>
    <group-name>group_1</group-name>
  </security-role-mapping>
</glassfish-web-app>
31. Java Authorization Contract for Containers (JSR-115)
What is JSR-115?
A way to plug a new access control mechanism into the container
The container delegates the access control decision to the provider
Uses the same role mapping that is supported by Java EE
Correlates with the authentication mechanism (the Subject's roles)
32. Java Authorization Contract for Containers (JSR-115)
How you can benefit from it
Add a new decision-making mechanism:
– Add the time of day to the decision
– Use a different type of policy storage
– etc.
33. Java Authorization Contract for Containers (JSR-115)
The good part, the SPI…
Mainly two classes should be implemented by the provider:
– javax.security.jacc.PolicyConfigurationFactory
– javax.security.jacc.PolicyConfiguration
If it is not compliant with the default Java SE policy, it should also implement
– java.security.Policy
The rest is already done by the container!
34. Java Authorization Contract for Containers (JSR-115)
To install a new provider
Under Server-Config or any other config node:
– Create a new entry under Security > JACC Provider
– Select the newly installed provider under Security
35. Are there more basics to know?
Yes, the OWASP Top 10
36. Java EE Security, GlassFish
Things to remember:
Data that is only ever compared (such as passwords) should be stored salted and hashed
Encrypted data does not need clear-text copies
Keys must be protected properly
Use the security manager and policy files
Avoid forwards and redirects based on user-provided values
Pay enough attention to role mappings
Choose the right security realm
37. Java EE Security, GlassFish
Things to remember:
Watch out for SQL injection: limit database access, use bind parameters, etc.
Understand what you are storing in the session
Never store unencrypted cookies with important bits
Transmit cookies securely when needed: Cookie.setSecure(true)
38. Java EE Security, GlassFish
Things to remember:
To use a service-specific user in the OS
To use the security manager and policy files
To properly configure the listeners
Not to use the alias feature
Not to use default accounts (admin accounts)
To check the OWASP Top 10 talk and resources