2. Syllabus
• It seems that organizations are taking security more and more seriously these days. One motivator is avoiding embarrassment, which can collapse an organization in a hurry. The architecture of a web-based application has a number of complexities when it comes to implementing security properly. Jonathan will talk about some of these complexities and identify a number of considerations that can save you time and money. In particular, he will explain how the Oracle suite of products integrates, and use that as a concrete example. Architects, developers, and DBAs will learn from topics such as virtual private databases, single sign-on, cookies, Hibernate interactions, and role-based security.
3. Setting the stage …
• Who is in the audience? Which one are you?
  • Architect
  • Database Administrator (DBA)
  • Developer
    • Java
    • Other
  • Other
• Goals:
  • General understanding
  • Advice related to security in a web application
  • Drill into some non-obvious specifics
• Questions?
4. What's the big deal?
We have some challenges …
• Technology is more susceptible and more complicated
  • unwanted system access
  • localized damage
  • global damage
  • how do decision makers respond to pain? ~~ rational thinking
• Data (and Process) Ownership Trends
  • Silos → Sharing
  • Terminology confusion ~~ talk about the same thing: Einstein quote
  • Organizations → Products AND Services
• Potentially huge costs, in time and $$$$
  • Educate, and then ask: are you sure?
5. Legal stuff …
• Legal questions can delay a project
  • submit questions as early as possible
  • get feedback as early as possible
  • legal requirements are hard and fast – know them early to avoid expensive rework
10. Step 3
• Reverse Proxy (Oracle's WebCache)
  • Guard at the door into the architecture
  • In the middle of the DMZ sandwich
• Robust solutions include:
  • Caching of static "public" content (picture files, JavaScript)
  • Load balancing
  • Decryption of HTTPS requests … more on that later
11. Step 4
• The Web Application Server is the brains with all the business logic: it knows what to do with the HTTP GET request.
12. Step 5
• The server first needs a list of teenagers, so it gets it from the server responsible for persisting information.
19. Audit Columns
• Every table in the database includes the following columns:
  • A_CREATED_BY
  • A_CREATED_TIMESTAMP
  • A_MODIFIED_BY
  • A_MODIFIED_TIMESTAMP
• Know the effects of the Sarbanes-Oxley Act
• Create a companion history table for every table in the database. It will be a complete history of "snapshots". These tables have the exact same columns plus a timestamp column. (Data is almost free!)
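An added example, not from the presentation, that implements the slide's audit columns and companion history table with sqlite3 from Python: the snapshot triggers copy every inserted or updated row into EXPENSE_HIST. The EXPENSE columns other than the A_* ones, and the trigger that keeps the creation columns immutable, are this example's own assumptions.

```python
import sqlite3

# Constructed schema following the slide: EXPENSE carries the four A_ audit columns and
# EXPENSE_HIST has the same columns plus a snapshot timestamp. Other names are assumptions.
SCHEMA = """
CREATE TABLE EXPENSE (
    EXPENSE_ID INTEGER PRIMARY KEY, TEENAGER_ID INTEGER, DETAILS TEXT, AMOUNT REAL,
    A_CREATED_BY TEXT NOT NULL, A_CREATED_TIMESTAMP TEXT NOT NULL,
    A_MODIFIED_BY TEXT NOT NULL, A_MODIFIED_TIMESTAMP TEXT NOT NULL);
CREATE TABLE EXPENSE_HIST AS SELECT * FROM EXPENSE WHERE 0;  -- same columns, no rows
ALTER TABLE EXPENSE_HIST ADD COLUMN H_TIMESTAMP TEXT;        -- plus the snapshot time
-- Added check, not on the slide: the creation audit columns never change.
CREATE TRIGGER EXPENSE_CREATED_IMMUTABLE BEFORE UPDATE ON EXPENSE
WHEN NEW.A_CREATED_BY <> OLD.A_CREATED_BY OR NEW.A_CREATED_TIMESTAMP <> OLD.A_CREATED_TIMESTAMP
BEGIN SELECT RAISE(ABORT, 'audit creation columns are immutable'); END;
"""
# Snapshot trigger template, instantiated for INSERT and for UPDATE.
SNAPSHOT = """CREATE TRIGGER EXPENSE_HIST_{0} AFTER {0} ON EXPENSE BEGIN
    INSERT INTO EXPENSE_HIST SELECT *, CURRENT_TIMESTAMP FROM EXPENSE
    WHERE EXPENSE_ID = NEW.EXPENSE_ID; END;"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript("\n".join([SCHEMA, SNAPSHOT.format("INSERT"), SNAPSHOT.format("UPDATE")]))
    return con

def create_expense(con, actor, teenager_id, details, amount):
    cur = con.execute(
        "INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, A_CREATED_BY, A_CREATED_TIMESTAMP,"
        " A_MODIFIED_BY, A_MODIFIED_TIMESTAMP) VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP, ?, CURRENT_TIMESTAMP)",
        (teenager_id, details, amount, actor, actor))
    return cur.lastrowid

def update_amount(con, actor, expense_id, amount):
    con.execute("UPDATE EXPENSE SET AMOUNT = ?, A_MODIFIED_BY = ?, A_MODIFIED_TIMESTAMP = CURRENT_TIMESTAMP"
                " WHERE EXPENSE_ID = ?", (amount, actor, expense_id))

def history(con, expense_id):
    """Every snapshot of the row, oldest first, as (amount, modified_by)."""
    return con.execute("SELECT AMOUNT, A_MODIFIED_BY FROM EXPENSE_HIST WHERE EXPENSE_ID = ?"
                       " ORDER BY rowid", (expense_id,)).fetchall()

def tamper_created_by(con, expense_id, actor):
    """Try to rewrite who created the row; False means the trigger blocked it."""
    try:
        con.execute("UPDATE EXPENSE SET A_CREATED_BY = ? WHERE EXPENSE_ID = ?", (actor, expense_id))
        return True
    except sqlite3.DatabaseError:
        return False
```

A blocked update leaves no snapshot behind, so the history table only ever records changes that actually happened.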
20. Web Application Architecture
We are now going to concentrate on the database.
We will talk about:
• Virtual Private Databases
• Oracle Label Security
21. Database Tables
• TEENAGER
  TEENAGER_ID  TEENAGER_NAME
  1            Raelene
  2            Jenna
• EXPENSE
  TEENAGER_ID  DETAILS     AMOUNT  DATE
  1            Cell        45.00   Oct 1
  1            Gum         1.35    Oct 6
  2            Help Haiti  4.00    Oct 8
22. Raelene is allowed to see this …
• TEENAGER
  TEENAGER_ID  TEENAGER_NAME
  1            Raelene
  2            Jenna
• EXPENSE (the slide highlights Raelene's rows, TEENAGER_ID = 1)
  TEENAGER_ID  DETAILS     AMOUNT  DATE
  1            Cell        45.00   Oct 1
  1            Gum         1.35    Oct 6
  2            Help Haiti  4.00    Oct 8
23. Jenna is allowed to see this …
• TEENAGER
  TEENAGER_ID  TEENAGER_NAME
  1            Raelene
  2            Jenna
• EXPENSE (the slide highlights Jenna's row, TEENAGER_ID = 2)
  TEENAGER_ID  DETAILS     AMOUNT  DATE
  1            Cell        45.00   Oct 1
  1            Gum         1.35    Oct 6
  2            Help Haiti  4.00    Oct 8
24. A VPD
• A Virtual Private Database (VPD) restricts access to horizontal slices (rows)
• Oracle Label Security is an implementation of a VPD
25. Who can view/edit what data?
• Label Security allows you to create a policy on the TEENAGER_ID (diagram on the slide):
  • TEENAGER_ID = 1 (Raelene) → label 100, visible to Raelene
  • TEENAGER_ID = 2 (Jenna) → label 200, visible to Jenna
  • Parents (God-like access) → both labels
26. Database Tables with Label Security column added …
• TEENAGER
  TEENAGER_ID  TEENAGER_NAME
  1            Raelene
  2            Jenna
• EXPENSE
  TEENAGER_ID  DETAILS     AMOUNT  DATE   LS_TEENAGER
  1            Cell        45.00   Oct 1  100
  1            Gum         1.35    Oct 6  100
  2            Help Haiti  4.00    Oct 8  200
27. Jenna will get a different answer than Raelene and the Parents!
• The query:
  SELECT sum(amount)
  FROM EXPENSE
• (Same TEENAGER and EXPENSE tables, with the LS_TEENAGER column, as on slide 26.)
28. Jenna will get a different answer than Raelene and the Parents!
• The query is rewritten to:
  SELECT sum(amount)
  FROM EXPENSE
  WHERE LS_TEENAGER IN (100)
• (Same TEENAGER and EXPENSE tables, with the LS_TEENAGER column, as on slide 26.)
29. Parents type in …
  SELECT sum(amount)
  FROM EXPENSE
• (Same TEENAGER and EXPENSE tables, with the LS_TEENAGER column, as on slide 26.)
30. … and this is what happens under the covers:
  SELECT sum(amount)
  FROM EXPENSE
  WHERE LS_TEENAGER IN (100, 200)
• (Same TEENAGER and EXPENSE tables, with the LS_TEENAGER column, as on slide 26.)
31. DBMS Triggers are used for INSERTs and UPDATEs
• The application issues:
  INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, DATE)
  VALUES (2, 'Book Fine', 1, Oct 16)
• Oracle Label Security auto-generated a DBMS Trigger on the EXPENSE table. The trigger calculates 200 based on TEENAGER_ID.
• TEENAGER
  TEENAGER_ID  TEENAGER_NAME
  1            Raelene
  2            Jenna
• EXPENSE
  TEENAGER_ID  DETAILS     AMOUNT  DATE    LS_TEENAGER
  1            Cell        45.00   Oct 1   100
  1            Gum         1.35    Oct 6   100
  2            Help Haiti  4.00    Oct 8   200
  2            Book Fine   1.00    Oct 16  200 (calculated by DBMS Trigger)
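An added example, not from the presentation or from Oracle, that emulates in Python with sqlite3 what slides 26 to 31 show: a label column the trigger fills from TEENAGER_ID, and a per-user policy that attaches the WHERE LS_TEENAGER IN (...) predicate so the same SELECT sum(amount) returns a different answer for Raelene, Jenna and the Parents. The TEENAGER_ID * 100 label rule and the user-to-label table are assumptions; Oracle Label Security applies its predicate inside the database rather than by rewriting SQL text in the application.

```python
import re
import sqlite3

# Constructed sample data mirroring the slides' TEENAGER and EXPENSE tables.
# The labels (TEENAGER_ID 1 -> 100, 2 -> 200) are from the slides; deriving
# them as TEENAGER_ID * 100 in the trigger is an assumption of this emulation.
SCHEMA = """
CREATE TABLE TEENAGER (TEENAGER_ID INTEGER PRIMARY KEY, TEENAGER_NAME TEXT);
CREATE TABLE EXPENSE (
    TEENAGER_ID INTEGER NOT NULL REFERENCES TEENAGER(TEENAGER_ID),
    DETAILS TEXT, AMOUNT REAL, EXP_DATE TEXT, LS_TEENAGER INTEGER);
-- Stand-in for the Label Security trigger: the label is always derived from
-- TEENAGER_ID, so a value the application supplies is overwritten.
CREATE TRIGGER EXPENSE_LABEL AFTER INSERT ON EXPENSE BEGIN
    UPDATE EXPENSE SET LS_TEENAGER = NEW.TEENAGER_ID * 100 WHERE rowid = NEW.rowid;
END;
"""
# Labels each session may read (the slides' policy: parents see both teenagers).
USER_LABELS = {"Raelene": (100,), "Jenna": (200,), "Parents": (100, 200)}

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO TEENAGER VALUES (?, ?)", [(1, "Raelene"), (2, "Jenna")])
    con.executemany(
        "INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, EXP_DATE) VALUES (?, ?, ?, ?)",
        [(1, "Cell", 45.00, "Oct 1"), (1, "Gum", 1.35, "Oct 6"), (2, "Help Haiti", 4.00, "Oct 8")])
    return con

def apply_policy(sql, user):
    """Attach the label predicate to the EXPENSE table itself (as a VPD policy does),
    so it also holds when the query carries its own WHERE clause."""
    labels = ", ".join(str(label) for label in USER_LABELS[user])
    guarded = f"FROM (SELECT * FROM EXPENSE WHERE LS_TEENAGER IN ({labels})) AS EXPENSE"
    return re.sub(r"\bFROM\s+EXPENSE\b", guarded, sql, flags=re.IGNORECASE)

def total_expenses(con, user, sql="SELECT sum(AMOUNT) FROM EXPENSE"):
    total = con.execute(apply_policy(sql, user)).fetchone()[0]
    return round(total or 0.0, 2)

def add_expense(con, teenager_id, details, amount, date, claimed_label=None):
    """Insert as the application would and return the label the trigger stored."""
    cur = con.execute("INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, EXP_DATE, LS_TEENAGER)"
                      " VALUES (?, ?, ?, ?, ?)", (teenager_id, details, amount, date, claimed_label))
    return con.execute("SELECT LS_TEENAGER FROM EXPENSE WHERE rowid = ?", (cur.lastrowid,)).fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    print({who: total_expenses(db, who) for who in USER_LABELS})
```

The claimed_label parameter shows the defensive point of the trigger: even if the application tries to stamp Jenna's Book Fine with Raelene's label 100, the stored label is 200.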
32. Label Security can have up to 3 groupings
(Diagram on the slide; the recoverable labels are:)
• TEENAGER_ID = 1 → 100; TEENAGER_ID = 2 → 200
• EXPENSE_TYPE = 8 → 8,000
• Groups: Younger Siblings, Teenagers, Grandparents (770,000)
33. Take a break …
• A story about University …
35. LDAP
Oracle OAM & OID
• LDAP = Lightweight Directory Access Protocol
• Oracle Internet Directory (OID) is an implementation of directory services, LDAPv3
• Oracle Access Manager (OAM) enforces policies and works with OID
• Watch out for your firewall settings – timeouts
• Active Directory can "connect"
  • DIP (Directory Integration Platform) transfers names and passwords
36. Oracle LDAP Components
All the "green" servers support the LDAP responsibilities. Oracle Access Manager (OAM) is the main interface into the outside world. However, the "purple" Oracle Database has some direct connections with Oracle's LDAP (OID), probably for performance reasons. In theory, the dashed lines below were not really necessary.
The two columns of "green" servers indicate that they can be clustered, and the set of servers can be in different locations.
41. Simplified Web Application Architecture
• HTTP Server – Oracle's MOD_OC4J
• Web Application Container – Oracle's OC4J … and soon WebLogic
42. Web Server interactions with LDAP
The "Happy Path" …
The Browser makes an HTTP request, via interaction #1. The HTTP Server looks at this request and asks the LDAP Access services whether this request is allowed to proceed. This is done via interaction #2. If the answer is positive, it passes the request on to the destination, via interaction #3.
43. Web Server interactions with LDAP
The "Happy Path" continued …
In this "Happy Path" scenario the user has already authenticated (i.e. logged in).
Oracle can place authentication data in "HTTP Headers" and/or in some "cookies". It gives information about the User ID, expiry time, etc. [Refer to interactions #1 & #3]
44. Web Server interactions with LDAP
The "Happy Path" continued …
The authorization rules are enforced in two different places:
• Interaction #2 – Can protect basic requests, such as URL requests that start with www.TeenagerExpenses.mb.ca/expenses
• Interaction #4 – Using LDAP queries, it can look up more fine-grained permissions such as: www.TeenagerExpenses.mb.ca/expenses/expense_details.jsp
46. Web Server interactions with LDAP
The "Happy Path" continued …
The authorization rules are enforced in two different places:
• Interaction #2 – Basic requests, based on OAM policies
• Interaction #4 – Fine-grained, based on LDAP queries / role-based security
Decide which interaction is responsible for what, early in the project!
47. Authorization and Role-based Security
User → Role → Feature
• Can be tricky. You can't control the number of users, but you can control the number of Roles and Features.
• Roles – Configure Roles and role names to match the actual physical business processes; people need to understand them. Be ready to refactor!
49. Authorization and Role-based Security
• Features – Pick the number of features wisely; keep them to a minimum and understandable.
  Fine-grained control (complicated) ↔ Coarse-grained control (simple)
• Ask questions! Find out what the real requirement is. "Are you sure?" "Can this one feature represent both the search and the detail page?" "How easy is it to test?"
50. Web Server interactions with LDAP
The "Unhappy Path" …
The "unhappy" path is one where the user has not logged in yet. The Web Application Container can have two applications:
• The OAM Single Sign-On (SSO) "helper" application, which includes these pages: login, logout, and not authorized
• The business application, such as the "expenses" test application
51. Web Server interactions with LDAP
Log out …
Your web applications will point to a logout page in the SSO application. It can (or should) invalidate the web applications under its protection.
53. Oracle BI Publisher Report Server
• It has its own built-in security that doesn't work directly with OAM – read up on how to integrate them.
55. Database Connections
• Perform adequate performance tests on these interactions
• Because we implemented a VPD at a low level, we want to ensure that the end user is restricted from the bottom up, and that means connecting as that user.
  • Experience: it can take up to 5 seconds to "stamp" a user onto a proxy connection. The solution is to make a connection pool for each user.
  • Experience: the setup and use of Label Security is expensive
• Alternatives??
56. (If we have time …)
1. Creating a log of access – find out if one is needed early in the project
2. Web Analytics – find out if test users are needed in production, and what that means
3. Security on Web Services & Services (SOA) – again, find out if this extra layer needs its own gatekeeper of security
4. The need for backend reports with BI Publisher
5. Data encryption in the database