SlideShare ist ein Scribd-Unternehmen logo
1 von 8
Downloaden Sie, um offline zu lesen
ICW Developer Conference - May 2008




                                        Instance-based Security with the
                                        Security Annotation Framework (SAF)
                                        ICW Developer Conference

                                        Martin Krasser / 07.05.2008




                      Martin Krasser

                      •   Software Architect @ Professional Gate


                      •   Focus
                               -   Application Security
                               -   Application Integration Platforms
                               -   Application Integration Solutions
                               -   Research & Development



                  07.05.2008        ICW Developer Conference




Security - Instance-based Security with SAF                                   13 - 1
ICW Developer Conference - May 2008




                     Agenda

                      •   Introduction


                      •   Architecture


                      •   Code Examples


                      •   Outlook


                      •   Live Demo




                  07.05.2008   ICW Developer Conference




                     Overview

                      •   Open Source Security Project @ sourceforge.net
                           - Instance-level access control
                           - Attribute-level encryption


                      •   Driven by Java 5 Annotations
                           - @Secure and @Filter annotations to enforce access decisions
                           - @Encrypt annotation to trigger encryption/decryption operations


                      •   Framework with provider interfaces (SPI) for
                           - Authorization Providers
                           - Encryption Providers
                           - Reference implementations available

                  07.05.2008   ICW Developer Conference




Security - Instance-based Security with SAF                                                    13 - 2
ICW Developer Conference - May 2008




                     Motivations
                      •   Java EE doesn‘t provide instance-level access control mechanisms
                           - Access decisions and policy definitions in Java EE only based on static
                             application properties (methods, ...)
                           - Instance-level access control is additionally based on runtime application
                             properties (domain object state, ...)

                      •   Encryption mechanisms decoupled from data storage/binding mechanisms
                           - No Hibernate-specific encryption interceptors ...
                           - No JAXB-specific marshal/unmarshal listeners ...


                      •   Avoid complex configurations
                           - No need to deal with Spring/AspectJ AOP details
                           - Place security interceptors using annotations


                      •   Support for pluggable authorization and crypto providers
                           - Access control and encryption logic provided by plugins/providers
                           - Different applications have significantly different access control and encryption
                             requirements


                  07.05.2008        ICW Developer Conference




                     History

                      •   SAF initially developed as part of the eHF
                               -   Refactoring of complex Spring/AspectJ AOP configurations


                      •   Open source since March 2007
                               -   Apache 2.0 License


                      •   Three releases so far
                               -   Latest release is 0.8.2 (production-stable)
                               -   Current development on 0.9-SNAPSHOT




                  07.05.2008        ICW Developer Conference




Security - Instance-based Security with SAF                                                                      13 - 3
ICW Developer Conference - May 2008




                          SAF Access Control Architecture
                                                                Security     Domain      SAF Core
                                Requestor
                                                              Interceptor    Object




                                                   AccessManager

                                                                                         SAF JAAS
                                                             Authorization
                                                                                         Spring Security
                                                               Provider
                                                                                         ...

                  •       Security Interceptor (Policy Enforcement Point)
                           - Implemented by annotating domain objects, methods and method parameters


                  •       Authorization Providers (Policy Decision Point)
                           - Makes access decisions based on class instances
                           - Reference implementation based on JAAS extensions



                  07.05.2008      ICW Developer Conference




                          SAF Crypto Architecture
                                                                Crypto       Instance    SAF Core
                                Requestor
                                                              Interceptor    Attribute




                                                   CryptoProvider

                                                                                         SAF Crypto
                                                                 Crypto
                                                                                         ...
                                                                Provider


                      •   Crypto Interceptor
                            -   Implemented by annotating instance attributes


                      •   Crypto Service Provider
                            -   Runs encrypt/decrypt operations
                            -   Reference implementation coming soon
                  07.05.2008      ICW Developer Conference




Security - Instance-based Security with SAF                                                                13 - 4
ICW Developer Conference - May 2008




                   Code Example – Access Control




                  07.05.2008   ICW Developer Conference




                       Code Example – Attribute Encryption




                   •   BUT: No crypto operations for access via reflection
                   •   Hibernate can be configured for reflective access (field access)
                        - Encrypted storage of attribute values in databases
                   •   JAXB2 can be configured for reflective access (field access)
                        - XML binding of encrypted attribute values

                  07.05.2008   ICW Developer Conference




Security - Instance-based Security with SAF                                               13 - 5
ICW Developer Conference - May 2008




                      Configuration
                                                                                                Spring 2.5
                                                                                                Application Context




                                                                                                            Provider
                                                                                                            Implementations
                                                                        loads




                  07.05.2008      ICW Developer Conference




                  Behind the Scenes

                                                               Client


                                                             Spring AOP                           AspectJ

                                Spring                         Method                Enhanced   AspectJ
                   RT                                                           CT   Bytecode
                               AOP Proxy                     Interceptor                        Advice
                                                                                     Domain
                                                                                     Object
                                                                                                                      Application
                                Service
                                                                                                                      SAF
                               Spring Bean
                                                                                                                      Infrastructure


                 RT   Created at runtime
                                                                                      Access
                      Created at compile time
                                                                                     Manager
                 CT




                  07.05.2008      ICW Developer Conference




Security - Instance-based Security with SAF                                                                                            13 - 6
ICW Developer Conference - May 2008




                     Outlook – 1.0 Release
                      •   Crypto provider reference implementation
                      •   AspectJ load-time weaving
                      •   AspectJ 1.6 upgrade
                           - Support for parameter-level annotations
                      •   OSGi support
                               -   Make SAF components OSGi compliant bundles
                               -   OSGi sample application using SAF components
                      •   Security annotations on
                           - Static domain object methods
                           - Constructors
                      •   Documentation extensions
                               -   Document new features, more examples
                               -   Translate Java Magazin article to English
                      •   Acegi authorization provider integration (optional)
                  07.05.2008        ICW Developer Conference




                     Resources

                      •   Project Site

                               -   http://sourceforge.net/projects/safr



                      •   Web Site

                               -   http://safr.sourceforge.net/



                      •   Article

                               -   Instanz-basierte Zugriffskontrolle, Java Magazin 7.2007


                  07.05.2008        ICW Developer Conference




Security - Instance-based Security with SAF                                                  13 - 7
ICW Developer Conference - May 2008




                     Live Demo

                      •   Notebook web application




                  07.05.2008   ICW Developer Conference




                                                Thank you for your attention!
                                                martin.krasser@icw.de




Security - Instance-based Security with SAF                                     13 - 8

Weitere ähnliche Inhalte

Was ist angesagt?

FortiGate-310B Datasheet
FortiGate-310B DatasheetFortiGate-310B Datasheet
FortiGate-310B Datasheetdemoteam
 
Secure Your AWS Cloud Data by Porticor
Secure Your AWS Cloud Data by PorticorSecure Your AWS Cloud Data by Porticor
Secure Your AWS Cloud Data by PorticorNewvewm
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence ServiceF5 Networks
 
Switch
SwitchSwitch
Switch1 2d
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud   a case study by phi...Yes, you can be pci compliant using a public iaas cloud   a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...Khazret Sapenov
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesVladimir Jirasek
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISECisco Canada
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the FutureCisco Security
 
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks VMworld
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data centerCisco Canada
 
Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsAlgoSec
 
Data Center Security
Data Center SecurityData Center Security
Data Center SecurityCisco Canada
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionF5 Networks
 
Refense Security Risk Briefing July 2009
Refense   Security Risk Briefing   July 2009Refense   Security Risk Briefing   July 2009
Refense Security Risk Briefing July 2009apompliano
 

Was ist angesagt? (20)

FortiGate-310B Datasheet
FortiGate-310B DatasheetFortiGate-310B Datasheet
FortiGate-310B Datasheet
 
Datasheet stonegate ips-allinone
Datasheet stonegate ips-allinoneDatasheet stonegate ips-allinone
Datasheet stonegate ips-allinone
 
Datasheet stonegate fw-allinone
Datasheet stonegate fw-allinoneDatasheet stonegate fw-allinone
Datasheet stonegate fw-allinone
 
Secure Your AWS Cloud Data by Porticor
Secure Your AWS Cloud Data by PorticorSecure Your AWS Cloud Data by Porticor
Secure Your AWS Cloud Data by Porticor
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
 
Switch
SwitchSwitch
Switch
 
ISE_Pub
ISE_PubISE_Pub
ISE_Pub
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)
 
OCS LIA
OCS LIAOCS LIA
OCS LIA
 
Azure F5 Solutions
Azure F5 SolutionsAzure F5 Solutions
Azure F5 Solutions
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud   a case study by phi...Yes, you can be pci compliant using a public iaas cloud   a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processes
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the Future
 
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data center
 
Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation Firewalls
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall Solution
 
Refense Security Risk Briefing July 2009
Refense   Security Risk Briefing   July 2009Refense   Security Risk Briefing   July 2009
Refense Security Risk Briefing July 2009
 

Ähnlich wie ICW Developer Conference - Instance-based Security with SAF

Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfibramax
 
SPEC INDIA Java Case Study
SPEC INDIA Java Case StudySPEC INDIA Java Case Study
SPEC INDIA Java Case StudySPEC INDIA
 
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsRationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsBob Rhubart
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6Irsandi Hasan
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security ArchitectureRamesh Nagappan
 
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17 IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17 Natalia Kataoka
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsKannan Subbiah
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONSADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONSelliando dias
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Jain Sip Tutorial
Jain Sip TutorialJain Sip Tutorial
Jain Sip Tutorialrajibdk
 
WebSockets in Enterprise Applications
WebSockets in Enterprise ApplicationsWebSockets in Enterprise Applications
WebSockets in Enterprise ApplicationsPavel Bucek
 
IBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of libertyIBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of libertynick_garrod
 
Dr. David Movshovitz - Navajo SaaS
Dr. David Movshovitz -  Navajo SaaSDr. David Movshovitz -  Navajo SaaS
Dr. David Movshovitz - Navajo SaaSCSAIsrael
 
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...
SevillaJUG - Unleash the power of your applications with Micronaut®  ,GraalVM...SevillaJUG - Unleash the power of your applications with Micronaut®  ,GraalVM...
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...Juarez Junior
 
Enabling .NET Apps with Monitoring and Management Using Steeltoe
Enabling .NET Apps with Monitoring and Management Using SteeltoeEnabling .NET Apps with Monitoring and Management Using Steeltoe
Enabling .NET Apps with Monitoring and Management Using SteeltoeVMware Tanzu
 
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...Juarez Junior
 
Webinar: Unifying storage for EMC & NetApp
Webinar: Unifying storage for EMC & NetAppWebinar: Unifying storage for EMC & NetApp
Webinar: Unifying storage for EMC & NetAppJeannette Grand
 

Ähnlich wie ICW Developer Conference - Instance-based Security with SAF (20)

Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdf
 
Top 10 IaaS Highlights for Developers
Top 10 IaaS Highlights for DevelopersTop 10 IaaS Highlights for Developers
Top 10 IaaS Highlights for Developers
 
SPEC INDIA Java Case Study
SPEC INDIA Java Case StudySPEC INDIA Java Case Study
SPEC INDIA Java Case Study
 
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsRationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security Architecture
 
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17 IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
 
Enterprise Security & SSO
Enterprise Security & SSOEnterprise Security & SSO
Enterprise Security & SSO
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security Concerns
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONSADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Jain Sip Tutorial
Jain Sip TutorialJain Sip Tutorial
Jain Sip Tutorial
 
WebSockets in Enterprise Applications
WebSockets in Enterprise ApplicationsWebSockets in Enterprise Applications
WebSockets in Enterprise Applications
 
IBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of libertyIBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of liberty
 
Dr. David Movshovitz - Navajo SaaS
Dr. David Movshovitz -  Navajo SaaSDr. David Movshovitz -  Navajo SaaS
Dr. David Movshovitz - Navajo SaaS
 
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...
SevillaJUG - Unleash the power of your applications with Micronaut®  ,GraalVM...SevillaJUG - Unleash the power of your applications with Micronaut®  ,GraalVM...
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...
 
Enabling .NET Apps with Monitoring and Management Using Steeltoe
Enabling .NET Apps with Monitoring and Management Using SteeltoeEnabling .NET Apps with Monitoring and Management Using Steeltoe
Enabling .NET Apps with Monitoring and Management Using Steeltoe
 
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
 
Ashwin Resume
Ashwin ResumeAshwin Resume
Ashwin Resume
 
Webinar: Unifying storage for EMC & NetApp
Webinar: Unifying storage for EMC & NetAppWebinar: Unifying storage for EMC & NetApp
Webinar: Unifying storage for EMC & NetApp
 

Kürzlich hochgeladen

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Kürzlich hochgeladen (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

ICW Developer Conference - Instance-based Security with SAF

  • 1. ICW Developer Conference - May 2008 Instance-based Security with the Security Annotation Framework (SAF) ICW Developer Conference Martin Krasser / 07.05.2008 Martin Krasser • Software Architect @ Professional Gate • Focus - Application Security - Application Integration Platforms - Application Integration Solutions - Research & Development 07.05.2008 ICW Developer Conference Security - Instance-based Security with SAF 13 - 1
  • 2. ICW Developer Conference - May 2008 Agenda • Introduction • Architecture • Code Examples • Outlook • Live Demo 07.05.2008 ICW Developer Conference Overview • Open Source Security Project @ sourceforge.net - Instance-level access control - Attribute-level encryption • Driven by Java 5 Annotations - @Secure and @Filter annotations to enforce access decisions - @Encrypt annotation to trigger encryption/decryption operations • Framework with provider interfaces (SPI) for - Authorization Providers - Encryption Providers - Reference implementations available 07.05.2008 ICW Developer Conference Security - Instance-based Security with SAF 13 - 2
  • 3. ICW Developer Conference - May 2008 Motivations • Java EE doesn‘t provide instance-level access control mechanisms - Access decisions and policy definitions in Java EE only based on static application properties (methods, ...) - Instance-level access control is additionally based on runtime application properties (domain object state, ...) • Encryption mechanisms decoupled from data storage/binding mechanisms - No Hibernate-specific encryption interceptors ... - No JAXB-specific marshal/unmarshal listeners ... • Avoid complex configurations - No need to deal with Spring/AspectJ AOP details - Place security interceptors using annotations • Support for pluggable authorization and crypto providers - Access control and encryption logic provided by plugins/providers - Different applications have significantly different access control and encryption requirements 07.05.2008 ICW Developer Conference History • SAF initially developed as part of the eHF - Refactoring of complex Spring/AspectJ AOP configurations • Open source since March 2007 - Apache 2.0 License • Three releases so far - Latest release is 0.8.2 (production-stable) - Current development on 0.9-SNAPSHOT 07.05.2008 ICW Developer Conference Security - Instance-based Security with SAF 13 - 3
  • 4. ICW Developer Conference - May 2008 SAF Access Control Architecture Security Domain SAF Core Requestor Interceptor Object AccessManager SAF JAAS Authorization Spring Security Provider ... • Security Interceptor (Policy Enforcement Point) - Implemented by annotating domain objects, methods and method parameters • Authorization Providers (Policy Decision Point) - Makes access decisions based on class instances - Reference implementation based on JAAS extensions 07.05.2008 ICW Developer Conference SAF Crypto Architecture Crypto Instance SAF Core Requestor Interceptor Attribute CryptoProvider SAF Crypto Crypto ... Provider • Crypto Interceptor - Implemented by annotating instance attributes • Crypto Service Provider - Runs encrypt/decrypt operations - Reference implementation coming soon 07.05.2008 ICW Developer Conference Security - Instance-based Security with SAF 13 - 4
  • 5. ICW Developer Conference - May 2008 Code Example – Access Control 07.05.2008 ICW Developer Conference Code Example – Attribute Encryption • BUT: No crypto operations for access via reflection • Hibernate can be configured for reflective access (field access) - Encrypted storage of attribute values in databases • JAXB2 can be configured for reflective access (field access) - XML binding of encrypted attribute values 07.05.2008 ICW Developer Conference Security - Instance-based Security with SAF 13 - 5
  • 6. ICW Developer Conference - May 2008 Configuration Spring 2.5 Application Context Provider Implementations loads 07.05.2008 ICW Developer Conference Behind the Scenes Client Spring AOP AspectJ Spring Method Enhanced AspectJ RT CT Bytecode AOP Proxy Interceptor Advice Domain Object Application Service SAF Spring Bean Infrastructure RT Created at runtime Access Created at compile time Manager CT 07.05.2008 ICW Developer Conference Security - Instance-based Security with SAF 13 - 6
  • 7. ICW Developer Conference - May 2008 Outlook – 1.0 Release • Crypto provider reference implementation • AspectJ load-time weaving • AspectJ 1.6 upgrade - Support for parameter-level annotations • OSGi support - Make SAF components OSGi compliant bundles - OSGi sample application using SAF components • Security annotations on - Static domain object methods - Constructors • Documentation extensions - Document new features, more examples - Translate Java Magazin article to English • Acegi authorization provider integration (optional) 07.05.2008 ICW Developer Conference Resources • Project Site - http://sourceforge.net/projects/safr • Web Site - http://safr.sourceforge.net/ • Article - Instanz-basierte Zugriffskontrolle, Java Magazin 7.2007 07.05.2008 ICW Developer Conference Security - Instance-based Security with SAF 13 - 7
  • 8. ICW Developer Conference - May 2008 Live Demo • Notebook web application 07.05.2008 ICW Developer Conference Thank you for your attention! martin.krasser@icw.de Security - Instance-based Security with SAF 13 - 8