3. Overview
If you need your application "to be secure", there is no generic framework that you can just
install and be done with.
You need to understand exactly what you need, and for that you should have good functional/business
knowledge.
There are many Java-based security frameworks; some are open source and some are
commercial.
If you have specific requirements around encryption, digital signatures, authentication,
authorization, etc., you should list what your requirements are, as different frameworks
provide better support for each of these.
The frameworks covered here are written for web and standalone applications and, simply put,
solve access control problems.
4. List of Java Security Frameworks
The following frameworks can be integrated with Java-based applications, both web and
standalone, to make the application secure.
Spring Security
Apache Shiro
OACC
PicketLink
Wicket
JGuard
HDIV
5. Details of Java Security Frameworks
“Spring Security”
Spring Security provides security services for J2EE-based enterprise software applications.
Spring Security is a lightweight security framework that provides authentication and authorization
support in order to secure Spring-based applications.
It integrates well with Spring MVC and comes bundled with popular security algorithm
implementations. There are two main areas of application security:
Authentication: the process of verifying that a user is who they claim to be.
Authorization: the process of deciding whether a user is allowed to perform an activity within the application.
Authentication models supported by Spring Security: Spring Security supports more than 20 models for
authentication. Some of them are…
X.509 client certificate exchange
LDAP Authentication
OpenID authentication
Java Open Source Single Sign On
7. Details of Java Security Frameworks
“Spring Security”
Spring Security Modules: the Spring Security code is divided into different JARs (which can be considered
modules):
Core (spring-security-core.jar): Required module. Contains core authentication and access-control classes and
interfaces, remoting support and basic provisioning APIs.
Web (spring-security-web.jar): Required if web authentication services and URL-based access control are
needed. Contains filters and related web-security infrastructure code.
Remoting: Provides integration with Spring Remoting.
Config: Contains the security namespace parsing code. You need it if you are using the Spring Security XML
namespace for configuration.
LDAP: LDAP authentication and provisioning code. Required if you need to use LDAP authentication or manage
LDAP user entries.
ACL: Used to apply security to specific domain object instances within your application.
CAS: Used if you want to use Spring Security web authentication with a CAS single sign-on server.
OpenID: Used to authenticate users against an external OpenID server.
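The two areas above (authentication and authorization) and the core/web module split in one configuration, as an added example in Java that is not part of the original deck and is not Spring's own code. It assumes the Spring Security 5.x Java configuration API (WebSecurityConfigurerAdapter, BCryptPasswordEncoder); the user names, passwords, URL patterns and the ReportService class are constructed for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Authentication: who the caller is. Two constructed demo accounts are kept in memory with
    // BCrypt-hashed passwords; a real deployment plugs in the LDAP module or a JDBC-backed store.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("alice").password(encoder.encode("alice-demo-password")).roles("USER")
            .and()
            .withUser("bob").password(encoder.encode("bob-demo-password")).roles("USER", "ADMIN");
    }

    // Authorization at the web layer: URL rules enforced by the spring-security-web filter chain.
    // Rules match top to bottom, so specific patterns come first and anyRequest() is the catch-all.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()   // auto-generated login form; CSRF protection stays enabled by default
                .and()
            .logout();
    }
}

// Authorization at the service layer (spring-security-core): ADMIN is required no matter
// which URL or caller reaches this method, so a missing URL rule cannot bypass the check.
@Service
class ReportService {
    @PreAuthorize("hasRole('ADMIN')")
    public String exportAllReports() { return "all reports"; }   // hypothetical business logic
}
```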
8. Details of Java Security Frameworks
“Apache Shiro”
Apache Shiro is a top-level open source project under the Apache Software Foundation.
Apache Shiro is a powerful and easy-to-use Java security framework that offers developers an
intuitive yet comprehensive solution to authentication, authorization, cryptography, and session
management.
In practical terms, it manages all facets of your application’s security while staying out of
the way as much as possible.
It is built on sound interface-driven design and OO principles, enabling custom behavior
wherever you can imagine it. But with sensible defaults for everything, it is as “hands off” as
application security can be.
Apache Shiro can be run in any environment, from the simplest command line application to the
biggest enterprise web and clustered applications.
10. Details of Java Security Frameworks
“Apache Shiro”
The easiest-to-understand Java security API anywhere. Class and interface names are intuitive and
make sense. Anything is pluggable, but good defaults exist for everything.
Supports authentication (‘logins’) across one or more pluggable data sources (LDAP, JDBC, Active
Directory, etc.).
Performs authorization (‘access control’) based on roles or fine-grained permissions, also using
pluggable data sources.
First-class caching support for enhanced application performance.
Simple Single Sign-On (SSO) support piggybacking on Shiro's enterprise session management. If
sessions are federated across multiple applications, the user’s authentication state can be shared too:
log in once to any application and the others all recognize that log-in.
Secures data with the easiest possible cryptography APIs available, giving you power and simplicity
beyond what Java provides by default for ciphers and hashes.
An incredibly robust yet low-configuration web framework that can secure any URL or resource,
automatically handle logins and logouts, perform Remember Me services, and more.
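A standalone Shiro bootstrap exercising the login, role, fine-grained permission and session features listed above, as an added example that is not part of the original deck or of the Shiro project. It assumes Shiro 1.x; the INI realm, user names, passwords and the invoice/ledger permission strings are constructed for illustration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroInvoiceDemo {
    // Constructed INI realm. [users]: name = password, role...   [roles]: role = permission, ...
    // Permissions use Shiro's wildcard syntax domain:action:instance; '*' matches any value.
    // Clear-text passwords keep the demo short; production realms use a HashedCredentialsMatcher.
    static Ini demoConfig() {
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "alice-demo-password, clerk");
        ini.setSectionProperty("users", "bob", "bob-demo-password, auditor");
        ini.setSectionProperty("roles", "clerk", "invoice:read:*, invoice:create:*");
        ini.setSectionProperty("roles", "auditor", "invoice:read:*, ledger:*");
        return ini;
    }

    public static void main(String[] args) {
        // Standalone bootstrap: build the SecurityManager from the INI and make it VM-accessible.
        SecurityManager securityManager = new IniSecurityManagerFactory(demoConfig()).getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        Subject currentUser = SecurityUtils.getSubject();   // anonymous until login() succeeds
        UsernamePasswordToken token = new UsernamePasswordToken("alice", "alice-demo-password");
        token.setRememberMe(true);
        try {
            currentUser.login(token);   // authentication against the configured realm
        } catch (AuthenticationException e) {
            // Unknown user, wrong password and locked account all surface here; keep the message generic
            System.out.println("login failed: " + e.getClass().getSimpleName());
            return;
        }

        // Authorization: coarse role check plus fine-grained, instance-level permission checks.
        // The clerk policy above allows reading or creating any invoice but nothing on the ledger.
        System.out.println("clerk role:        " + currentUser.hasRole("clerk"));
        System.out.println("read invoice 42:   " + currentUser.isPermitted("invoice:read:42"));
        System.out.println("delete invoice 42: " + currentUser.isPermitted("invoice:delete:42"));
        System.out.println("close ledger:      " + currentUser.isPermitted("ledger:close:2015"));
        currentUser.checkPermission("invoice:create:43");   // throws AuthorizationException when denied

        // Session management works the same in a plain JVM as in a web container.
        currentUser.getSession().setAttribute("lastInvoice", 42);
        currentUser.logout();   // invalidates the session and forgets the identity
    }
}
```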
11. Details of Java Security Frameworks
“OACC”
OACC - pronounced [oak] - is a fully featured Java API to both enforce and manage your
application's authentication and authorization needs.
The OACC framework is an open-source project and encourages engagement with and
contributions from community members like you.
OACC provides an API to manage the security relationships between the resources in an application.
Most current security frameworks for Java™, however, do not, because their security model lacks an
abstraction for the application resources being secured.
This forces the application developer to implement a means to store and manage the security
relationships. The abstraction for an application resource is core to OACC’s security model.
The security relationships are stored in OACC’s security data repository, backed by a set of
relational database tables. As a result, you will not see in OACC the concept of realms that exists
in other security frameworks.
12. Details of Java Security Frameworks
“OACC”
OACC features a fully functioning, rich API that doesn’t require any DIY implementation to enable
the programmatic and dynamic modeling of complex security scenarios. In other words, OACC
provides all the functionality to manage your application’s security model, out of the box.
Fully implemented data store: OACC supplies a fully implemented RDBMS-backed data store for its
security model, which the API manages for you behind the scenes.
Permission‐based security model: OACC’s security model is permission-based: it essentially
manages permissions between resources.
Single access control paradigm: Other frameworks allow role-membership or expression-language
checks to enforce some level of authorization at the web and service layers (URLs and methods), and
then provide a separate ACL interface to secure the domain-model layer (objects); OACC uses one
permission-based paradigm across all of these layers.
Annotations or expression language support: OACC is a security framework that facilitates programmatic
authorization at the code level, so there is currently no support for aspect-oriented intercepts with
annotations or expression-language constructs. Instead, simple API methods to check or assert
permissions allow for authorization enforcement.
13. Details of Java Security Frameworks
“OACC”
True RBAC modeling: If role membership checks aren’t enough to secure your application, you’ll be
pleased to learn that OACC supports full RBAC, in which a “role is essentially a collection of
permissions” (NIST). Roles - and groups for that matter - can be modeled through permission
inheritance, allowing for hierarchical roles through which a subject transitively acquires any assigned
permissions.
Symmetric query methods: OACC provides efficient query methods to find resources by
permission, without loading all resources first and then filtering out the unauthorized ones. These
methods are symmetric in the sense that you can find both
the resources to which a specified resource has a specific set of permissions, and
the resources that have a specific set of permissions to a specified resource.
For auditing or for purposes of managing authorization, these query methods make it easy to find, for
example, users “belonging” to a role, or users that have permissions on a resource.
Permission delegation: OACC is the only framework that natively supports delegation control at the
authorization level. With OACC, subjects can delegate their permissions to others.
14. Details of Java Security Frameworks
“OACC”
Automatic permission assignment: Another novel feature of OACC is create-permissions, which
not only control what kind of resources a subject may create, but also define exactly what
permissions they would get on a new resource after creating it - defined once, permissions are
automatically assigned to a resource creator, without the need for explicit API calls.
Multi‐tenancy support: OACC supports partitioning the resource space into (hierarchical) logical
security domains, which facilitates modeling security scenarios in multi-tenant applications. These
domains constitute a useful abstraction in themselves, because they also allow permissions to be
efficiently assigned and queried at the domain level.
Caching: OACC does not yet come with a built-in caching mechanism. To prevent any
performance degradation in terms of memory or query time as the size of your secured data set
increases, OACC uses dynamic, highly targeted queries into a very efficient data model for all
access control checks. As a result, OACC doesn’t load a subject’s entire permission set into
memory up front and then iterate over it for each authorization check.
15. Details of Java Security Frameworks
“PicketLink”
PicketLink is an open source project for simplified security and identity management for Java
applications.
A picket fence is a secure system of pickets joined together via some type of links. Basically, the
pickets by themselves do not offer any security.
But when they are brought together by linking them, they provide the necessary security.
This project is that link: it brings together, or joins, other security systems to finally
provide the necessary secure system.
17. Details of Java Security Frameworks
“PicketLink”
Robust IDM feature: Model identities and attributes. Build the model from various data sources such as
databases, LDAP and the file system, and mix-n-match! Simple API for users, roles, groups and attributes.
Suitable for Java EE applications: Uses CDI-based application programming.
Robust Authentication Support: Application developers have greater control over authentication. You
use the IDM as the foundation for your authentication needs.
Extensive Access Control/Authorization Support: PicketLink has a permission model that allows you to
have robust access control for your Java applications. Permission implementations include ACL and
Drools-rules-based implementations.
Plug in your own access control: The API allows custom authorization implementations. Easy migration to a
fine-grained access control model using XACML.
SAML Web Browser Profile Single Sign-On: PicketLink provides SSO using SAML v1.1 and v2.0; parsers
and an object model are available to build robust SAML-enabled applications.
Social Media Based Login: PicketLink allows you to incorporate Social Login into your applications. You
can build applications that allow sign in using Facebook, Google and Twitter.
Open Standards: PicketLink supports SAML, XACML and WS-Trust.
18. Details of Java Security Frameworks
“Wicket”
Apache Wicket is a simple, feature-rich, component-based web framework; truly reusable
components are the main selling point of this framework.
Security is one of the most important non-functional requirements we must implement in our
applications.
This is particularly true for enterprise applications, as they usually support multiple concurrent
users and therefore need to have an access control policy.
In this section we will explore the security infrastructure provided by Wicket and we will learn
how to use it to implement authentication and authorization in our web applications.
19. Details of Java Security Frameworks
“Wicket”
Authentication: Authentication in Wicket is implemented according to the security policy, which
means that we must authenticate users on the basis of trusted credentials; web applications usually
adopt form-based authentication with a login form.
Authorization: The authorization support provided by Wicket is built around the concept of an
authorization strategy; there are two main authorization strategies…
Simple Page Authorization Strategy
Role-based strategies
HTTPS protocol: HTTPS is the standard technology adopted on the Internet to create a secure
communication channel between web applications and their users. In Wicket we can easily
protect our pages with HTTPS by mounting a special request mapper called HttpsMapper.
URL encryption: Wicket can encrypt/decrypt URLs using interfaces such as ICrypt.
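The role-based authorization strategy, HttpsMapper and URL encryption described above combined in one Wicket application, as an added example that is not part of the original deck or of Wicket itself. It assumes Wicket 6 or later with the wicket-auth-roles module; the SecureApplication, AppSession and page classes, the demo credential and the ports 8080/8443 are constructed for illustration.

```java
import org.apache.wicket.Page;
import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.https.HttpsConfig;
import org.apache.wicket.protocol.https.HttpsMapper;
import org.apache.wicket.protocol.https.RequireHttps;
import org.apache.wicket.request.Request;

public class SecureApplication extends AuthenticatedWebApplication {
    @Override public Class<? extends Page> getHomePage() { return HomePage.class; }
    @Override protected Class<? extends AbstractAuthenticatedWebSession> getWebSessionClass() { return AppSession.class; }
    @Override protected Class<? extends WebPage> getSignInPageClass() { return LoginPage.class; }

    @Override
    public void init() {
        super.init();   // installs the role-based authorization strategy from wicket-auth-roles
        // URL encryption: CryptoMapper wraps the default mapper so page and component URLs are
        // encrypted with the ICrypt obtained from getSecuritySettings().getCryptFactory().
        // HTTPS: HttpsMapper sits outermost, resolves the page through its delegate, and redirects
        // pages annotated @RequireHttps to port 8443 while the rest stay on 8080 (constructed ports).
        setRootRequestMapper(new HttpsMapper(new CryptoMapper(getRootRequestMapper(), this),
                                             new HttpsConfig(8080, 8443)));
    }

    // Hypothetical session: performs authentication and exposes the roles the strategy checks.
    public static class AppSession extends AuthenticatedWebSession {
        private Roles roles = new Roles();
        public AppSession(Request request) { super(request); }
        @Override
        public boolean authenticate(String username, String password) {
            // Constructed demo credential; a real application verifies against a salted-hash store.
            boolean ok = "alice".equals(username) && "alice-demo-password".equals(password);
            roles = ok ? new Roles(Roles.ADMIN) : new Roles();
            return ok;
        }
        @Override public Roles getRoles() { return isSignedIn() ? roles : new Roles(); }
    }

    // Hypothetical pages: AdminPage is instantiated only for an ADMIN session and only over HTTPS;
    // anyone else is sent to LoginPage by the authorization strategy.
    @AuthorizeInstantiation(Roles.ADMIN) @RequireHttps
    public static class AdminPage extends WebPage { }
    public static class LoginPage extends WebPage { }   // would host a SignInPanel
    public static class HomePage extends WebPage { }
}
```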
20. Details of Java Security Frameworks
“JGuard”
JGuard is an open source Java security framework that is primarily used for securing Java web
applications.
It is built on JAAS and offers simple and flexible configurations to authenticate and authorize user
roles and manage the permissions of users.
It can also be considered for resolving access control problems and user rights in standalone and
desktop-based applications.
JGuard is very flexible and allows several different ways to configure those mechanisms for
authentication and authorization, e.g., in a relational database, XML files, or an LDAP service.
JGuard is under the open source LGPL license.
22. Details of Java Security Frameworks
“JGuard”
It can be adapted to any webapp, on any application server.
It permits a user to have more than one role simultaneously.
It does not depend on a web framework or an AOP framework.
It is built on top of the standard, very secure, and flexible JAAS.
Authentication and authorization are handled by pluggable mechanisms.
Authentication data can be stored in a database, an XML file, a JNDI data source, an LDAP directory,
Kerberos...
Changes take effect 'on the fly' (dynamic configuration).
In JGuard the permissions, roles, and their associations can be created, updated and deleted on the fly
through a webapp (an API is provided too).
Each webapp has its own authentication and authorization configuration.
A taglib is provided to protect JSP fragments.
It supports running under the Java security manager.
24. Details of Java Security Frameworks
“HDIV”
Hdiv has pioneered application self-protection since 2008.
Hdiv enables applications to protect themselves through runtime application self-protection
(RASP) products.
By building protection in during development, we protect applications from the inside. Hdiv
solutions combine the strongest protection against OWASP Top 10 threats with deep
understanding of business configuration and logic to enable real-time, all-the-time application
protection.
Protect your applications at runtime, with fewer resources, and greater accuracy.
Hdiv delivers the best protection against application risks without having to change anything.
26. Details of Java Security Frameworks
“HDIV”
STRONGEST REAL-TIME PROTECTION: Hdiv repels 90% of application security risks included in the OWASP Top 10,
such as SQL injection, cross-site scripting, cross-site request forgery, data tampering and brute force attacks. Hdiv
offers higher effectiveness than any of the solutions currently available to fight web application security risks.
ULTRA-HIGH ACCURACY: Hdiv RASP has deep insight into application logic, configuration, and data and event
flows. These capabilities enable Hdiv to analyze and block security attacks with less dependence on external security
devices, without false positives and with no need for learning processes and content parsing.
NO EXTENSIVE SECURITY EXPERTISE NEEDED: Programmers don’t have to be security experts to apply Hdiv during
development. Hdiv enables self-protected applications with almost zero operations costs, and enables customers to
avoid having to upgrade programming environments.
REAL-TIME VISIBILITY AND PROTECTION: It provides real-time visibility into actual attacks hitting applications in
production. Get actionable information, including detected attacks, vulnerabilities and business logic flaws,
and protect your business with instant information from interactive dashboards and alerts.
KEEP YOUR PROGRAMMING ENVIRONMENT: Hdiv installation and updates are easy, needing only a declarative
configuration based on XML files. Hdiv does not change app source code, so it can be used with any application
before and after development.