Upload
shannon-ryan
View
219
Download
0
Embed Size (px)
Citation preview
A MidLink presentation
Java Security
Shmuel BabadCEO MidLink Computing [email protected]
Middleware Lecturer at John Bryce Training
A MidLink presentation2
Goals
Beginning
Java security components and architecture
JAAS within Java Security
Concepts and components of JAAS
Look beyond JAAS
A short demo of JAAS
A MidLink presentation4
Speaker’s Qualifications
• Middleware expert
• Over 7 years of experience in designing developing and administration of middleware tools and
• Over 4 years of using J2EE implementation
• Currently working for– John Bryce– Pelephone– Amdocs– Orange
• CEO of MidLink – a middleware services company
• Lectures on advanced J2EE topics at John Bryce training
Beginning
A MidLink presentation5
Security issues
What is our biggest security problem?
Beginning
The one we don’t know about yet!
A MidLink presentation6
Evolving security needs
• Driven by Integration– Internal Applications (EAI)– External systems
• More transaction are performed over communications
• A bigger threat– More valuable information– Sophisticated hacking– Available large scale hacking– Terror oriented attacks
Beginning
A MidLink presentation7
Presentation Outline
• Security basics
• Java security basic concepts
• Cryptography in Java
• JAAS
• Beyond JAAS
• JAAS Demo
Beginning
A MidLink presentation8
Security involves
• Authentication – Verifying the users’ identity via Certificate
User/Password or other credentials
• Authorization– Verifying whether a user has access to
protected resources
• Encoding / Encryption
• Monitoring / Logging
Middle
A MidLink presentation9
Java Security
• Java provides an evolving and expending model currently (1.4) based on:– Native java.security package– JAAS
• Java Authentication and Authorization Service – JCE
• Java Cryptography Extension – JSSE
• Java Secure Socket Extension – JAVA GSS-API
• Use Kerberos V5 mechanism– Java Certification Path API
• Build and validate certification paths ("certificate chains")
Middle
A MidLink presentation10
Java Security Architecture
• Fine-grained access control
• Configurable security policy
• Extensible access control structure
• Checks to all Java programs, including applications (also good for server side)
All without writing code
A MidLink presentation11
Java Security Concepts
• Protection Domain– Application domain– System domain
• Principal (identity)
• Permission (class)
• Policy
• SecurityManager and AccessController
A MidLink presentation12
JCAJava Cryptography Architecture
• Design principles– Implementation independence and interoperability – Algorithm independence and extensibility
• Provided algorithms include:– Digital Signature Algorithm (DSA) including:
• Public and private keys generator• Parameter generator & parameter manager• Key factory providing bi-directional conversions
– MD5 and SHA-1 message digest algorithms– A "SHA1PRNG" pseudo-random number generation
algorithm
A MidLink presentation13
JCAProvided algorithms (cont)
– A certificate path builder & validator for PKIX (X.509) – A certificate factory for X.509 certificates and
Certificate Revocation Lists (CRLs)– A certificate store for retrieving certificates and CRLs
from Collection and LDAP directories (PKIX LDAP V2 Schema)
– A proprietary keystore called JKS
A MidLink presentation14
What is JAAS
• Java Authentication and Authorization Service
• Introduced as an optional package in J2SE 1.3
• Integrated into J2SE 1.4
• Implements a Java Pluggable Authentication Module (PAM) framework
• Access decisions are based on CodeSource and the User running the code
A MidLink presentation15
Before JAAS
• Security and Authorization decisions were based on– Code origin– Who signed it
Code Source Based Authorization
FileSystem
NetworkSockets
SystemProperties
Applet
TrustedLibrary
Library X
• A Trusted Library may be given access to sensitive resources while an Applet or another Library may have that access restricted
A MidLink presentation16
After introducing JAAS
• With the integration of JAAS and J2SE Security model, authorization decisions can be made based on:– Code origin– Who signed it– Who is running the
code
Code Source and Principal BasedAuthorization
FileSystem
NetworkSockets
SystemProperties
Library X
Andy
Bart
• A Library may not have access privileges to resources when running without a User context or when being executed by User Bart, but when User Andy executes the Library those permissions may be granted
A MidLink presentation17
JAAS Features
• Pure Java implementation
• Flexible access control policy for user-based, group-based, and role-based authorization
• Single sign-on support
• Pluggable Authentication Module (PAM) framework implementation for authenticating users
A MidLink presentation18
JAAS – Core classes
• Common Classes – Subject – Principals – Credentials
• Authentication Classes – LoginContext – LoginModule – CallbackHandler – Callback
• Authorization Classes – Policy – AuthPermission – PrivateCredentialPermission
Middle
A MidLink presentation19
JAAS – Subject
• Subject represent the source of a request
• The Subject is a container for– associated Principals– Public Credentials
(public keys)– Private Credentials
(passwords, private keys)
• doAs methods can be called to perform as a particular subject (delegation)
The Subject in Detail
Subject
PrincipalPrincipal
Principal
PublicCredential
PublicCredential
PublicCredential
PrivateCredential
PrivateCredential
PrivateCredential
A MidLink presentation20
JAAS – Principal
• A Principal identifies a Subject. The Subject can be – A person– A corporation – An application
• A single Subject may have many Principals that serve to identify the entity
• A user can have Principals like– User name– Employee id– Social security number
A MidLink presentation21
PAMPluggable Authentication Modules
• The PAM framework enables multiple authentication technologies to be added without changing any of the login services
• The application calls the PAM API
• The request is forwarded to the appropriate authentication model – one or more (stack)
• Configuration is done via a pam.conf file
A MidLink presentation22
Pluggable Authentication Modules
• An application using JAAS for authentication can remain independent of the underlying authentication technology
Pluggable Authentication
Login Modules
Application
Login Context
JndiLoginModule
NTLoginModule
UnixLoginModule
Krb5LoginModule
MyLoginModule
LDAP Server
DbLoginModule
NTAuthentication
UnixAuthentication
KerberosAuthentication
RDBMS
BiometricAuthentication
A MidLink presentation24
JAAS – Authentication
1. The application creates a LoginContext and calls login()
2. The LoginContext refers to the LoginConfiguration to set up the appropriate LoginModules
3. The LoginContext delegates the authentication to the LoginModules
4. The LoginModules use the CallbackHandler to communicate with the application
5. Once the login succeeds you can get the Subject from the LoginContext and get the authenticated Principals from the Subject
Authentication Participants
Application
LoginContext
LoginConfiguration
LoginModule
LoginModule
LoginModuleCallback
Handler
A MidLink presentation26
JAAS Authorization - Outline
• CodeSource
• Protection Domains
• Access control
• Permissions
• Policy
• Privileged Actions by Subjects
A MidLink presentation27
CodeSource & ProtectionDomain
• The CodeSource of a piece of Java code is the URL location that the code was loaded from and the Certificates that we used to sign the code
• The ProtectionDomain is a holder for the CodeSource and a Principal
• Each class is assigned a ProtectionDomain upon being loaded. The Principal is null when the class is first loaded.
ProtectionDomain
CodeSource
CodeSource
URL
Certificate
ProtectionDomain
CodeSource
Principal
Class
A MidLink presentation28
AccessControlContext – a Context for Authorization Decisions
• When making access decisions, the security system looks at every ProtectionDomain involved in the call. Access is granted only if every ProtectionDomain in the Context can have access.
• A less privileged PD can not gain privilege by calling a more privileged PD. And a more privileged PD must lose privilege when calling a less privileged PD. This is the principle of least privilege.
Authorization Context
ContextStack Snapshot
AccessController.checkPermission()
java.io.FileInputStream()
java.io.FileReader()
ReadTestFileUseCase.apply()
AuthorizationTestHarness.run()
...
Class
Class
Class
Class
Class
Class
PD
PD
PD
PD
PD
PD
A MidLink presentation29
Permissions
• Permissions represent access to resources
• All Permission objects have a name
• The meaning of the name parameter varies between implementations
• Typically the name identifies the resource to be accessed
• An “action” parameter can be used to define the type of access to the resource allowed
• A special permission exists to indicate unrestricted access to all resource: java.security.AllPermission
A MidLink presentation30
Policy
• The mapping between PDs and associated Permissions is stored by the Policy
• Policy is a Singleton
Policy Holds a Mapping of ProtectionDomain toPermissions
Policy
ProtectionDomain
ProtectionDomain
ProtectionDomain
PermissionCollection Permission
PermissionPermission
PermissionCollection Permission
PermissionPermission
PermissionCollection Permission
PermissionPermission
A MidLink presentation31
Policy
• The default implementation of Policy accepts text based configuration in the above format
• Each grant entry is composed of an optional CodeSource, Signers, Principals, and a list of Permissions
• Default security policy is <JRE_HOME>/lib/security/java.policy
• Can provide supplemental policy file location via – -Djava.security.policy=<file> JVM parameter
• Can override the default policy file with:– -Djava.security.policy==<file> JVM parameter
1. grant [CodeBase <URL>,] [Signedby <signers>,]2. [Principal <Principal_Class> <Principal_Name>] {3. Permission <Permission_Class> [<Target_Name>]4. [, <Permission_Actions>]5. [, signedBy <Signer_Name>];6. };
A MidLink presentation32
AccessController
• The AccessController embodies the access control algorithm
• It obtains the current AccessControlContext, which has an array of PDs and then for each PD checks whether the PD has the requested permission
Authorization Participants
ProtectionDomain
CodeSource
Principal
PermissionCollection
PermissionPermission
PermissionPolicy
Class
AccessControlContext
AccessController
1. MyPermission p = new MyPermission(fileName, "display");2. AccessController.checkPermission(p);
• Verify that the current context has a permission:
A MidLink presentation35
Beyond JAAS – Instance-Based Security
• Instance-based security is an authorization mechanism for protecting access to resources based on the identity of the resource
• This is a step forward from class-based security that protects access to resources based on the class of the resource
Instance Based Security
Andy
Order Instances
Order101
Order104
Order103
Order102
A MidLink presentation36
Beyond JAAS – JACC
• The Java Authorization Contract for Containers defines– New java.security.Permission classes to satisfy the
J2EE authorization model– The binding of container access decisions to
operations on instances of the new permission classes– The installation and configuration of authorization
providers for use by containers– The interfaces that a provider must make available to
allow container deployment tools to create and manage permission collections corresponding to roles
• The spec is in it’s final draft stages
A MidLink presentation38
Summary
• Java security is ever evolving, as are security problems, Thus we must implement new technologies and methodologies
• JAAS is the latest package added to improve Authentication Authorization and most of all control over applications
• JAAS allows you to manipulate resource access of code according to – Who signed it– Where it came from– who’s running it!
End
A MidLink presentation39
If You Only Remember One Thing…
End
Security is like blood pressure
At first you do not feel any pain
And when you do - it Is too late....
A MidLink presentation40End
Thank You!Shmuel Babad
054-963313
MMiidLdLiink nk Middleware
Infrastructure & Administration