A MidLink presentation Java Security Shmuel Babad CEO MidLink Computing LTD [email protected] Middleware Lecturer at John Bryce Training


A MidLink presentation

Java Security

Shmuel Babad, CEO MidLink Computing LTD, shmuel@midlink.co.il

Middleware Lecturer at John Bryce Training

Goals

• Java security components and architecture

• JAAS within Java Security

• Concepts and components of JAAS

• Look beyond JAAS

• A short demo of JAAS

Speaker’s Qualifications

• Middleware expert

• Over 7 years of experience in designing, developing and administering middleware tools and

• Over 4 years of using J2EE implementations

• Currently working for
– John Bryce
– Pelephone
– Amdocs
– Orange

• CEO of MidLink – a middleware services company

• Lectures on advanced J2EE topics at John Bryce Training

Security issues

What is our biggest security problem?

The one we don’t know about yet!

Evolving security needs

• Driven by integration
– Internal applications (EAI)
– External systems

• More transactions are performed over communication links

• A bigger threat
– More valuable information
– Sophisticated hacking
– Large-scale hacking tools are readily available
– Terror-oriented attacks

Presentation Outline

• Security basics

• Java security basic concepts

• Cryptography in Java

• JAAS

• Beyond JAAS

• JAAS Demo

Security involves

• Authentication – verifying the user’s identity via a certificate, user name/password or other credentials

• Authorization – verifying whether a user has access to protected resources

• Encoding / Encryption

• Monitoring / Logging

Java Security

• Java provides an evolving and expanding model, currently (1.4) based on:
– Native java.security package
– JAAS – Java Authentication and Authorization Service
– JCE – Java Cryptography Extension
– JSSE – Java Secure Socket Extension
– Java GSS-API – uses the Kerberos V5 mechanism
– Java Certification Path API – builds and validates certification paths ("certificate chains")

Java Security Architecture

• Fine-grained access control

• Configurable security policy

• Extensible access control structure

• Checks apply to all Java programs, including applications (so it is also useful on the server side)

All configurable without writing code

Java Security Concepts

• Protection Domain
– Application domain
– System domain

• Principal (identity)

• Permission (class)

• Policy

• SecurityManager and AccessController

JCA – Java Cryptography Architecture

• Design principles
– Implementation independence and interoperability
– Algorithm independence and extensibility

• Provided algorithms include:
– Digital Signature Algorithm (DSA), including:
  • Public and private key generator
  • Parameter generator and parameter manager
  • Key factory providing bi-directional conversions
– MD5 and SHA-1 message digest algorithms (neither is collision resistant today; prefer the SHA-2 family)
– A "SHA1PRNG" pseudo-random number generation algorithm

JCA – Provided algorithms (cont.)

– A certificate path builder and validator for PKIX (X.509)
– A certificate factory for X.509 certificates and Certificate Revocation Lists (CRLs)
– A certificate store for retrieving certificates and CRLs from Collections and LDAP directories (PKIX LDAP V2 schema)
– A proprietary keystore called JKS
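The two design principles above (implementation independence, algorithm independence) are what the JCA "engine class + getInstance()" pattern buys you. The following is an added example, not code from the slides: it digests, signs and verifies a constructed message through MessageDigest, KeyPairGenerator and Signature, and asks the JCA which installed Provider answered. SHA-256 and SHA256withDSA are this example's choices in place of the slide's MD5, SHA-1 and SHA1PRNG.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;

/*
 * Added example (not from the slides): provider- and algorithm-independent use of the
 * JCA engine classes. Callers name the engine and the algorithm; the JCA resolves
 * whichever installed Provider implements it. The message is constructed sample input.
 */
public class JcaDemo {

    /** Hex digest of data under the named algorithm (e.g. "SHA-256"). */
    static String digestHex(String algorithm, byte[] data) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);   // engine class + provider lookup
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Generate a DSA key pair; the JCA supplies the domain parameters for the requested size. */
    static KeyPair generateDsaKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048, new SecureRandom());                   // platform default PRNG, not SHA1PRNG
        return kpg.generateKeyPair();
    }

    /** Detached signature over data with the private key. */
    static byte[] sign(KeyPair kp, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }

    /** True only if sig was produced over exactly these bytes by the matching private key. */
    static boolean verify(KeyPair kp, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initVerify(kp.getPublic());
        s.update(data);
        return s.verify(sig);
    }

    /** Name of the first installed Provider that implements engine.algorithm, or null if none does. */
    static String providerFor(String engine, String algorithm) {
        Provider[] providers = Security.getProviders(engine + "." + algorithm);
        return providers == null ? null : providers[0].getName();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] message = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8); // constructed input

        System.out.println("SHA-256 via " + providerFor("MessageDigest", "SHA-256")
                + ": " + digestHex("SHA-256", message));

        KeyPair kp = generateDsaKeyPair();
        byte[] sig = sign(kp, message);
        System.out.println("signature verifies: " + verify(kp, message, sig));

        byte[] tampered = message.clone();
        tampered[9] = '9';                                          // "100" becomes "900"
        System.out.println("tampered message verifies: " + verify(kp, tampered, sig));
    }
}
```

Swapping the algorithm string (for example to "SHA256withECDSA" with an "EC" KeyPairGenerator) is the only change needed to move to another signature scheme, which is the algorithm-independence point of the slide; registering another Provider changes the implementation without touching this code at all.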

What is JAAS

• Java Authentication and Authorization Service

• Introduced as an optional package in J2SE 1.3

• Integrated into J2SE 1.4

• Implements a Java version of the Pluggable Authentication Module (PAM) framework

• Access decisions are based on the CodeSource and on the user running the code

Before JAAS

• Security and authorization decisions were based on
– Code origin
– Who signed it

[Diagram: Code Source Based Authorization – resources (FileSystem, NetworkSockets, SystemProperties) accessed by an Applet, a TrustedLibrary and Library X]

• A Trusted Library may be given access to sensitive resources while an Applet or another Library may have that access restricted

After introducing JAAS

• With the integration of JAAS and the J2SE security model, authorization decisions can be made based on:
– Code origin
– Who signed it
– Who is running the code

[Diagram: Code Source and Principal Based Authorization – resources (FileSystem, NetworkSockets, SystemProperties) accessed by Library X running as user Andy or as user Bart]

• A Library may not have access privileges to resources when running without a user context or when being executed by user Bart, but when user Andy executes the Library those permissions may be granted


JAAS Features

• Pure Java implementation

• Flexible access control policy for user-based, group-based, and role-based authorization

• Single sign-on support

• Pluggable Authentication Module (PAM) framework implementation for authenticating users

JAAS – Core classes

• Common classes
– Subject
– Principals
– Credentials

• Authentication classes
– LoginContext
– LoginModule
– CallbackHandler
– Callback

• Authorization classes
– Policy
– AuthPermission
– PrivateCredentialPermission

JAAS – Subject

• A Subject represents the source of a request

• The Subject is a container for
– associated Principals
– Public credentials (public keys)
– Private credentials (passwords, private keys)

• The doAs methods can be called to perform an action as a particular Subject (delegation): the Subject’s Principals are attached to the access control context of the running code

[Diagram: The Subject in detail – one Subject holding several Principals, several PublicCredentials and several PrivateCredentials]

JAAS – Principal

• A Principal identifies a Subject. The Subject can be
– A person
– A corporation
– An application

• A single Subject may have many Principals that serve to identify the entity

• A user can have Principals like
– User name
– Employee id
– Social security number

PAM – Pluggable Authentication Modules

• The PAM framework enables multiple authentication technologies to be added without changing any of the login services

• The application calls the PAM API

• The request is forwarded to the appropriate authentication module – one or more of them (a stack)

• In Unix PAM, configuration is done via a pam.conf file; the JAAS counterpart is the login configuration file selected with -Djava.security.auth.login.config=<file>

Pluggable Authentication Modules

• An application using JAAS for authentication can remain independent of the underlying authentication technology

[Diagram: Pluggable Authentication – the Application talks to a LoginContext, which drives a stack of Login Modules: JndiLoginModule → LDAP Server, NTLoginModule → NT Authentication, UnixLoginModule → Unix Authentication, Krb5LoginModule → Kerberos Authentication, DbLoginModule → RDBMS, MyLoginModule → Biometric Authentication]

JAAS – Authentication

1. The application creates a LoginContext and calls login()

2. The LoginContext refers to the login Configuration to set up the appropriate LoginModules

3. The LoginContext delegates the authentication to the LoginModules

4. The LoginModules use the CallbackHandler to communicate with the application (to obtain a user name, password or other credential)

5. Once the login succeeds you can get the Subject from the LoginContext and the authenticated Principals from the Subject

[Diagram: Authentication participants – Application, LoginContext, LoginConfiguration, one or more LoginModules, CallbackHandler]


JAAS Authorization - Outline

• CodeSource

• Protection Domains

• Access control

• Permissions

• Policy

• Privileged Actions by Subjects

CodeSource & ProtectionDomain

• The CodeSource of a piece of Java code is the URL location that the code was loaded from and the certificates that were used to sign the code

• A ProtectionDomain is a holder for a CodeSource and a set of Principals

• Each class is assigned a ProtectionDomain upon being loaded. The domain carries no Principals when the class is first loaded; they are attached when the code runs under a Subject via doAs

[Diagram: ProtectionDomain → CodeSource (URL, Certificate) + Principal; each Class points to its ProtectionDomain]

AccessControlContext – a Context for Authorization Decisions

• When making access decisions, the security system looks at every ProtectionDomain involved in the call. Access is granted only if every ProtectionDomain in the context has the permission.

• A less privileged PD cannot gain privilege by calling a more privileged PD, and a more privileged PD must lose privilege when calling a less privileged PD. This is the principle of least privilege applied to the call stack.

• The one deliberate exception is AccessController.doPrivileged(): the stack walk stops at the privileged frame, so trusted code can perform a narrowly scoped operation on behalf of a less trusted caller. Keep such blocks as small as possible.

[Diagram: Authorization context – stack snapshot, most recent frame first: AccessController.checkPermission(), java.io.FileInputStream(), java.io.FileReader(), ReadTestFileUseCase.apply(), AuthorizationTestHarness.run(), ...; each frame’s Class maps to its ProtectionDomain (PD), and every PD on the stack must imply the requested permission]

Permissions

• Permissions represent access to resources

• All Permission objects have a name

• The meaning of the name parameter varies between implementations

• Typically the name identifies the resource to be accessed (e.g. a file path for java.io.FilePermission)

• An "actions" parameter can be used to define the type of access to the resource allowed (e.g. "read,write")

• A special permission exists to indicate unrestricted access to all resources: java.security.AllPermission

Policy

• The mapping between PDs and their associated Permissions is stored by the Policy

• Policy is a singleton (Policy.getPolicy() / Policy.setPolicy())

[Diagram: Policy holds a mapping of ProtectionDomain to PermissionCollection, each collection containing several Permission objects]

Policy

• The default implementation of Policy accepts text-based configuration in the following format:

    grant [codeBase <URL>,] [signedBy <signers>,]
          [principal <Principal_Class> <Principal_Name>] {
        permission <Permission_Class> [<Target_Name>]
            [, <Permission_Actions>]
            [, signedBy <Signer_Name>];
    };

• Each grant entry is composed of an optional codeBase, signers, principals, and a list of permissions

• Default security policy is <JRE_HOME>/lib/security/java.policy

• Can provide a supplemental policy file location via the -Djava.security.policy=<file> JVM parameter (added to the default policy)

• Can override the default policy file with the -Djava.security.policy==<file> JVM parameter (note the double equals sign: only that file is used)
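A concrete policy file in that grammar, as an added example (not from the slides). The jar path, the keystore path, the signer alias "midlink", the class com.example.UserPrincipal and the user name "andy" are hypothetical.

```text
// Keystore holding the public key that "signedBy midlink" refers to (hypothetical path)
keystore "file:/opt/app/conf/app.jks";

// Code-source-only grant: applies whoever runs the code, as long as it was loaded
// from this jar and carries a valid signature made with the "midlink" key
grant codeBase "file:/opt/app/lib/trusted-lib.jar", signedBy "midlink" {
    permission java.io.FilePermission "/opt/app/data/-", "read";
    permission java.util.PropertyPermission "app.*", "read";
};

// Principal-based grant: the same jar also gets write access, but only while it
// executes under a Subject whose Principals include user andy (Subject.doAs)
grant codeBase "file:/opt/app/lib/trusted-lib.jar",
      principal com.example.UserPrincipal "andy" {
    permission java.io.FilePermission "/opt/app/data/-", "read,write";
};
```

Activate it with -Djava.security.manager -Djava.security.policy==/opt/app/conf/app.policy; the double equals sign replaces java.policy rather than adding to it. There is no entry for Bart, so under his Subject the jar keeps only the read-only first grant, which is exactly the Andy/Bart picture from the "After introducing JAAS" slide. The SecurityManager that enforces such files is deprecated for removal since Java 17 (JEP 411), so check your target JDK before building on it.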

AccessController

• The AccessController embodies the access control algorithm

• It obtains the current AccessControlContext, which has an array of PDs, and then for each PD checks whether the PD has the requested permission; the first PD that does not ends the check with an AccessControlException

• Verify that the current context has a permission:

    MyPermission p = new MyPermission(fileName, "display");
    AccessController.checkPermission(p);

[Diagram: Authorization participants – Class → ProtectionDomain (CodeSource, Principal, PermissionCollection of Permissions); Policy supplies the PermissionCollection; AccessController evaluates the AccessControlContext]
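The Policy, ProtectionDomain and AccessController pieces above fit together as follows. This is an added example, not code from the slides: a programmatic Policy grants one FilePermission only to a ProtectionDomain whose Principals contain user "andy", and the same AccessController.checkPermission() is run under two Subjects with Subject.doAsPrivileged(). UserPrincipal, the user names and the file path are hypothetical. It assumes Java 8 to 17; Policy, AccessController and AccessControlException are deprecated for removal under JEP 411.

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Collections;
import javax.security.auth.Subject;

/*
 * Added example (not from the slides): principal-based authorization through a
 * programmatic Policy. UserPrincipal, "andy"/"bart" and /tmp/report.txt are hypothetical.
 */
public class PrincipalPolicyDemo {

    static final FilePermission READ_REPORT = new FilePermission("/tmp/report.txt", "read");

    /** Minimal Principal carrying a user name (hypothetical class). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** The Policy side of the picture: ProtectionDomain (code source + principals) -> permissions. */
    static final class PrincipalPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain pd, Permission perm) {
            for (Principal p : pd.getPrincipals()) {              // empty when no Subject is attached
                if (p instanceof UserPrincipal && "andy".equals(p.getName())) {
                    return READ_REPORT.implies(perm);            // Andy: read that one file, nothing else
                }
            }
            return false;                                          // Bart, or no user context: nothing
        }
    }

    /** Run AccessController.checkPermission() as the given user; true if the check passes. */
    static boolean canReadReportAs(String user) {
        Subject subject = new Subject(true, Collections.singleton(new UserPrincipal(user)),
                Collections.emptySet(), Collections.emptySet());
        PrivilegedAction<Boolean> action = new PrivilegedAction<Boolean>() {
            @Override public Boolean run() {
                try {
                    AccessController.checkPermission(READ_REPORT);   // walks the stack snapshot
                    return Boolean.TRUE;
                } catch (AccessControlException denied) {
                    return Boolean.FALSE;
                }
            }
        };
        // null context: start from an empty domain set, so only this code's own ProtectionDomain,
        // re-wrapped with the Subject's Principals by the SubjectDomainCombiner, is consulted.
        return Subject.doAsPrivileged(subject, action, null);
    }

    public static void main(String[] args) {
        Policy.setPolicy(new PrincipalPolicy());                  // replaces the java.policy-based default
        System.out.println("code source: " + PrincipalPolicyDemo.class.getProtectionDomain().getCodeSource());
        System.out.println("andy may read the report: " + canReadReportAs("andy"));
        System.out.println("bart may read the report: " + canReadReportAs("bart"));
    }
}
```

The same decision is what a policy file with a "principal ... "andy"" grant entry would produce; the programmatic Policy just makes the ProtectionDomain-to-Permission mapping visible. Passing a real AccessControlContext instead of null would add the caller's domains to the check, which is what you want when the action must not exceed what the caller itself was allowed.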

Beyond JAAS – Instance-Based Security

• Instance-based security is an authorization mechanism for protecting access to resources based on the identity of the resource

• This is a step forward from class-based security, which protects access to resources based on the class of the resource

[Diagram: Instance Based Security – user Andy and the Order instances Order101, Order102, Order103, Order104]
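One way to get instance-based decisions out of the standard Permission model is to make the Permission name the identity of the instance. The following is an added example, not code from the slides: OrderPermission, its "view"/"cancel" actions and the per-user grants are hypothetical; the order numbers follow the slide's picture.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

/*
 * Added example (not from the slides): a Permission whose target is the identity of an
 * Order instance, so grants can say "Order101 but not Order102". Class, actions and
 * grants are hypothetical.
 */
public final class OrderPermission extends Permission {
    private static final int VIEW = 1, CANCEL = 2;
    private final int mask;

    public OrderPermission(String orderId, String actions) {
        super(orderId);                 // the Permission name is the instance identifier
        this.mask = parseActions(actions);
    }

    private static int parseActions(String actions) {
        int m = 0;
        for (String a : actions.split(",")) {
            switch (a.trim()) {
                case "view":   m |= VIEW;   break;
                case "cancel": m |= CANCEL; break;
                default: throw new IllegalArgumentException("unknown action: " + a);
            }
        }
        return m;
    }

    /** Instance-level check: names match exactly or via a trailing "*", and every requested action is granted. */
    @Override public boolean implies(Permission p) {
        if (!(p instanceof OrderPermission)) return false;
        OrderPermission other = (OrderPermission) p;
        String granted = getName();
        boolean nameOk = granted.endsWith("*")
                ? other.getName().startsWith(granted.substring(0, granted.length() - 1))
                : granted.equals(other.getName());
        return nameOk && (mask & other.mask) == other.mask;
    }

    @Override public boolean equals(Object o) {
        return o instanceof OrderPermission && getName().equals(((OrderPermission) o).getName())
                && mask == ((OrderPermission) o).mask;
    }
    @Override public int hashCode() { return 31 * getName().hashCode() + mask; }
    @Override public String getActions() {
        String s = (mask & VIEW) != 0 ? "view" : "";
        if ((mask & CANCEL) != 0) s += s.isEmpty() ? "cancel" : ",cancel";
        return s;
    }

    /** Per-user grants a Policy would hold for the slide's picture (constructed data). */
    static PermissionCollection grantsFor(String user) {
        Permissions perms = new Permissions();
        if ("andy".equals(user)) {
            perms.add(new OrderPermission("Order101", "view,cancel"));
            perms.add(new OrderPermission("Order103", "view"));
        } else if ("bart".equals(user)) {
            perms.add(new OrderPermission("Order10*", "view"));   // read-only on Order100..Order109
        }
        return perms;
    }

    /** The check an application makes before touching one specific order. */
    static boolean allowed(String user, String orderId, String action) {
        return grantsFor(user).implies(new OrderPermission(orderId, action));
    }

    public static void main(String[] args) {
        String[][] cases = {
            { "andy", "Order101", "cancel" }, { "andy", "Order102", "view" },
            { "andy", "Order103", "cancel" }, { "bart", "Order104", "view" },
            { "bart", "Order104", "cancel" }, { "carol", "Order101", "view" },
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " " + c[2] + " " + c[1] + ": " + allowed(c[0], c[1], c[2]));
        }
    }
}
```

Because the class follows the Permission contract (implies, equals, hashCode, getActions), it can be named in a policy file grant entry like any built-in permission, and checked with AccessController.checkPermission() under a Subject exactly as the AccessController slide shows; the difference from class-based security is only that the target name now denotes one order rather than "all orders".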

Beyond JAAS – JACC

• The Java Authorization Contract for Containers defines
– New java.security.Permission classes to satisfy the J2EE authorization model
– The binding of container access decisions to operations on instances of the new permission classes
– The installation and configuration of authorization providers for use by containers
– The interfaces that a provider must make available to allow container deployment tools to create and manage permission collections corresponding to roles

• The spec is in its final draft stages

Summary

• Java security is ever evolving, as are security problems; thus we must adopt new technologies and methodologies

• JAAS is the latest package added to improve authentication, authorization and, most of all, control over applications

• JAAS allows you to control resource access of code according to
– Who signed it
– Where it came from
– Who is running it!

If You Only Remember One Thing…

Security is like blood pressure

At first you do not feel any pain

And when you do - it Is too late....

Thank You!

Shmuel Babad

[email protected]

054-963313

MidLink Middleware

Infrastructure & Administration