Dr. Waitak Wong, Department of Information Management, Chung Hua University, Hsinchu, Taiwan


Page 1

(Title slide: Dr. Waitak Wong, Department of Information Management, Chung Hua University, Hsinchu, Taiwan)

Page 2

Outline

- About Security
- Application Security
- Java Security from the Ground Up
- Standalone Java Application Techniques
- Hacking Java Client-Server Applications
- Java Network Applications: RMI

Page 3

Outline (cont.)

- Exploiting Java Web Tier Components
- Web Services Security
- Enterprise Java Beans Security

Page 4

About Security

- Common Security Threats
- Three concepts of the CIA security model
- Definition of security

Page 5

Common Security Threats

- Identity interception: an attacker steals your identity (your credentials) and uses it as their own
- Masquerading: an attacker grabs your identity and uses it elsewhere with the intention of perpetrating fraud
- Replay attack: an attacker captures one of your requests and replays it later
- Data interception and manipulation: an attacker reads (or alters) your data in transit, such as credit card information

Page 6

Common Security Threats (cont.)

- Repudiation: a party denies a transaction that was in fact completed (yours or theirs)
- Denial of Service: the service is terminated or otherwise made unavailable

Page 7

Three concepts of the CIA security model

- Confidentiality: information must not be disclosed to any unauthorized person
- Integrity:
  - only authorized actions (no unauthorized data changes)
  - separation and protection of resources
  - error detection and correction (data corruption)
- Availability:
  - presence of objects or services in a usable form
  - capacity to meet service needs
  - adequate timeliness of a service

Page 8

Definition of security

- Deter: generate a feasible and believable deterrent
- Detect: detect how, when and where an intrusion has taken place
- Protect: manage people and the information system effectively so as to protect against unauthorized usage

Page 9

Definition of security (cont.)

- React: react to an intrusion; ensure that the penetration does not happen again, i.e. the vulnerability is eliminated
- Recover: recover all data and programs after a breach of security

Page 10

Application Security (not just technology; it is a process)

System-level Security vs. Application-level Security

[Figure: layer stack]
- Application level: Application code, Java/J2EE APIs
- System level: JVM, Operating System

Page 11

System-level Security vs. Application-level Security

Defeating system-level security may not provide attackers with appropriate access to the application-level data, logic, or methods that they seek.

[Figure: an attacker must get through system-level security and then application-level security before reaching the enterprise data]

Page 12

System-level Security vs. Application-level Security (cont.)

The two levels work together to build a secure system/application combination.

[Figure: attackers on both sides of the diagram face system-level security and application-level security layered in front of the enterprise data]

Page 13

System-level Security vs. Application-level Security (cont.)

It is more efficient to push some security responsibilities up to the application level instead of handling them at the operating-system level: the Java/J2EE APIs and the application code are the same on every platform, whereas operating-system controls have to be configured (and audited) separately for each OS and JVM combination.

[Figure: three stacks, OS (Solaris) / JVM (Solaris), OS (IBM AIX) / JVM (IBM AIX) and OS (MS Windows) / JVM (MS Windows), each topped by the same Java/J2EE APIs and application code]

Page 14

Java Security from the Ground Up

- Java Language Safety Features
- Java Security Model
- Java Security Architecture

Page 15

Java Language Safety Features

Class members have access levels:
- private: accessible only by the defining class
- package (default): accessible by classes in the same package
- protected: same as package, with the addition of access by any subclass
- public: accessible by any class

Page 16

Java Language Safety Features (cont.)

- Access rules are strictly enforced (by the compiler and the bytecode verifier, not merely by convention; reflection and native code can still bypass them, so on their own they are a safety feature rather than an isolation boundary)
- No pointers: no access to arbitrary memory, and automatic garbage collection
- "final" methods cannot be overridden and "final" variables cannot be reassigned
- Variables must be initialized before use
- Array bounds are enforced
- Strict object casting rules

Page 17

Java Security Enforcement

Page 18

Java Security Enforcement

Enforcement happens at different times:
- Compile-time enforcement
- Class-load-time enforcement
- Runtime enforcement

Page 19

Compile Time Enforcement

[Figure: Java Source -> Java Compiler -> Bytecode -> Class Loader -> Bytecode Verifier -> Java Virtual Machine Runtime, with the compiler stage highlighted]

Page 20

Compile Time Enforcement

- Validate language syntax
- Enforce method and variable access rules
- Enforce variable initialization
- Enforce some casting operations

These checks only hold for bytecode that actually came out of a trusted compiler; hand-crafted or patched class files skip them entirely, which is why the same properties are re-checked at class load time.

Page 21

Class Load Time Enforcement

[Figure: same pipeline, with the Class Loader and Bytecode Verifier stages highlighted]

Page 22

Class Load Time Enforcement

Bytecode verification:
- Verifies the class file format
- Objects are accessed as their correct type
- Final classes are not subclassed
- Final methods are not overridden
- Every class has a single superclass
- Casting legality checks are in place

Page 23

Class Load Time Enforcement (cont.)

- No operand stack overflows or underflows
- All field and method accesses are legal
- Method calls use the correct number and types of arguments

Page 24

Runtime Enforcement

[Figure: same pipeline, with the Java Virtual Machine Runtime stage highlighted]

Page 25

Runtime Enforcement

- Array bounds checking: throws ArrayIndexOutOfBoundsException
- Object casting: throws ClassCastException
- Security Manager: throws SecurityException; depends on the Access Controller (AccessController.checkPermission evaluates the caller's protection domains against the policy)

Caveat for current JDKs: the Security Manager was deprecated for removal in Java 17 (JEP 411) and is permanently disabled from JDK 24 (JEP 486), so new code cannot rely on it as a sandbox; the array-bounds and cast checks are unaffected.

Page 26

Java Security Model

Page 27

Java Security Model

Sandbox (the original JDK 1.0 model): a strictly defined arena in which untrusted code runs and cannot affect other system resources. It provides virtually no flexibility: code is either fully trusted (local) or fully confined (remote).

Page 28

Java Security Model (cont.) (title only)

Page 29

Components that make up the Sandbox

- Class loader: the first link in the security chain; enforces the name-space hierarchy, so classes from different sources cannot masquerade as one another
- Bytecode verifier: checks that there are no violations such as operand stack overflows, name-space violations, illegal data type casts, etc.
- Security manager: enforces the boundary of the sandbox

Page 30

Java Security Model (cont.)

JDK 1.1 security model: applets either received unlimited access (when signed by a trusted key) or were confined to the sandbox; there was no option for selective access to resources.

Pages 31-37

Java Security Model (cont.) (title-only slides)

Page 38

Java Security Model (cont.)

The Java 2 (JDK 1.2) security model introduces the concept of a ProtectionDomain, which permits a highly flexible security policy decoupled from its implementation: classes are grouped into domains by their code source (location and signers), and the policy grants each domain its own set of permissions.

Pages 39-45

Java Security Model (cont.) (title-only slides)

Page 46

Java Security Architecture

The Java 2 platform (JDK 1.2, carried forward in J2SE 1.3) introduced:
- policy-based access control
- an X.509 v3 implementation of the certificate interfaces
- tools for creating and managing security keys and certificates (keytool, jarsigner, policytool)

Page 47

Java Security Architecture (cont.)

J2SE 1.4 continued by folding the formerly optional packages into the core platform:
- Java Authentication and Authorization Service (JAAS)
- Java Cryptography Extension (JCE)
- Java Secure Socket Extension (JSSE)
- Features for Kerberos communication

Page 48

Java Security Architecture Road Map

[Figure: road-map diagram with numbered stages 1 to 7]

Page 49

Java Security Architecture (title only)

Page 50

Java Cryptographic Architecture (title only)

Page 51

Java Cryptographic Architecture (cont.) (title only)

Page 52

JCE Architecture

- Extension to the JCA
- Framework for multiple cryptographic service providers (CSPs)
- Sun distributes a JCE provider (SunJCE)
- Designed for export
- Provides a framework for encryption and decryption, key generation, key agreement, and Message Authentication Codes (MAC)
- Encryption covers symmetric, asymmetric, block, and stream ciphers, with additional support for secure streams (CipherInputStream/CipherOutputStream) and sealed objects (SealedObject)

Page 53

JCA & JCE (title only)

Page 54

JCE v1.2.1 (title only)

Page 55

JCE v1.2.1

- Unapproved providers cannot plug in (provider JARs must be signed with a code-signing certificate issued for JCE)
- Providers are unusable without the framework
- Crypto strength is configured in the jurisdiction policy files (caveat for later JDKs: since JDK 8u161 and JDK 9 the "unlimited" policy is the default, selected by the crypto.policy security property, so the separate policy-file download is no longer needed)

Pages 56-58

JCA & JCE (cont.) (title-only slides)

Page 59

JAAS Architecture

Provides a Java security API to perform authentication and authorization services for Java applications.

JAAS is designed to be pluggable:
- Pluggable authentication (LoginModules are configured outside the application, in the PAM style)
- User-based authorization (permissions granted to a Principal, not only to a code source)
- Fine-grained access control capabilities
- Framework for single sign-on

Pages 60-65

JAAS Architecture (cont.) and JAAS Architecture v1.0 (title-only slides)

Page 66

Java Secure Sockets Extension

Provides Secure Socket Layer (SSL) and TLS connections over TCP/IP sockets.

Page 67

Java Secure Sockets Extension (cont.)

JSSE is a set of Java packages that enables secure Internet communications.
- Standard socket APIs for SSL and TLS
- Transport-level authentication, integrity, and privacy
- Supports standard cipher suites
- Includes an https URL handler

Caveat: a raw SSLSocket validates the server's certificate chain but does not check the host name unless endpoint identification is switched on in its SSLParameters; the https URL handler does this for you.

Page 68

JSSE v1.0.1 (title only)

Page 69

J2SE v1.4 "Merlin": Security

- CertPath API
- GSS-API "Java Bindings" (JGSS)
- Public Key Cryptography Standards (PKCS)

Page 70

J2SE v1.4 "Merlin": Cert Path

- Validation of certification paths (CertPathValidator)
- Building of certification paths (CertPathBuilder)
- Creation of certification paths (CertificateFactory)
- Retrieval of certificates and CRLs (CertStore)

Pages 71-72

J2SE v1.4 "Merlin": Cert Path (cont.)

[Figures: Cert Path API layering; the second diagram shows the SPI (service provider interface) layer]

Page 73

J2SE v1.4 "Merlin": Kerberos

- Network authentication system
- Internet standard (RFC 1510; since superseded by RFC 4120)
- Accessed via JAAS (Krb5LoginModule), JGSS, and possibly JSSE

Page 74

J2SE v1.4 "Merlin": Kerberos Features

- Single sign-on in a Kerberized environment
- Credential cache integrates with the platform Kerberos
- Interoperates with Solaris 8 software, Windows 2000, and MIT distributions

Page 75

J2SE v1.4 "Merlin": Kerberos (title only)

Page 76

J2SE v1.4 "Merlin": PKCS

- De-facto standards widely used today
- Evolved to cover technologies from encryption to smartcards (PKCS#11)
- Utilizes public key technology

Page 77

J2SE v1.4 "Merlin": PKCS (cont.) (title only)

Page 78

Road Map: Security

- End-to-end security
- Integrated security services
- Evolve with standards
- Further performance improvements

Page 79

Standalone Java Application Security Techniques

- Encryption and secure digesting of sensitive data using JCE
- Logging and auditing using the Java Logging API

Page 80

Encryption and secure digesting of sensitive data using JCE

Goal: defeat a casual unauthorized read or write attempt on stored data.
- Adding salt to the data
- Generating a secret key
- Encrypting the data
- Data verification with message digests

Page 81

Encryption and secure digesting of sensitive data using JCE (cont.)

[Figure: Data + Salt -> Encrypt (with Key) -> Encoding; Data -> Digesting -> Message Digest]

Before:

  Account   Balance
  12345     300.3
  54321     1000.52

After (Base64-encoded ciphertext and 20-byte digest):

  Account   Encrypted Balance                  Message Digest
  12345     R/cT9Xhe44QwZEo+5yruroGmJOLljQTI   vMY6nlyuZcFsdHWphVmPxAu1V3o=
  54321     RIerr4ua0qatf/TYzVVMHpzARJJ+vQL4   Pc9XQrnv+tR7MD9I4KcsjN3xat0=

Note that an unkeyed digest stored next to the record does not by itself stop an attacker with write access to the table: they can copy another row's encrypted balance and digest together or, if the digest is taken over the stored ciphertext, simply recompute it. Binding each record to its account with a keyed MAC, or using an authenticated cipher, closes both gaps.
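The four steps above in one class, as an added worked example that is not code from the deck: the salt feeds a PBKDF2 key derivation (rather than being prepended to the data), AES-GCM encrypts the balance with the account number as associated data, and the "message digest" column is an HMAC under a key separate from the encryption key. The passphrase, the iteration count and the row layout are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Seals one balance column: salt -> key -> encrypt -> keyed digest -> Base64. Example code, not the deck's. */
public class SealedBalance {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;            // 96-bit nonce, the GCM recommendation
    private static final int TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 210_000;  // assumed; tune to your hardware
    private static final Base64.Encoder B64 = Base64.getEncoder();
    private static final Base64.Decoder B64D = Base64.getDecoder();

    private final SecretKey encKey;
    private final SecretKey macKey;

    /** The salt is random per deployment and stored next to the table; it need not be secret. */
    public SealedBalance(char[] passphrase, byte[] salt) throws Exception {
        SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] km = kdf.generateSecret(new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 512)).getEncoded();
        encKey = new SecretKeySpec(km, 0, 32, "AES");          // AES-256 for the balance
        macKey = new SecretKeySpec(km, 32, 32, "HmacSHA256");  // separate key for the record digest
    }

    public static byte[] newSalt() {
        byte[] s = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(s);
        return s;
    }

    /** Returns { encryptedBalance, messageDigest }, both Base64, for one account row. */
    public String[] seal(String account, String balance) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);                       // fresh nonce per record, never reused with this key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(account.getBytes(StandardCharsets.UTF_8));  // binds the ciphertext to its account
        byte[] ct = c.doFinal(balance.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_BYTES);
        System.arraycopy(ct, 0, blob, IV_BYTES, ct.length);
        String encBalance = B64.encodeToString(blob);
        return new String[] { encBalance, B64.encodeToString(recordMac(account, encBalance)) };
    }

    /** Verifies the digest first, then decrypts; throws SecurityException on any tampering. */
    public String open(String account, String encBalance, String digest) throws Exception {
        byte[] expected = recordMac(account, encBalance);
        if (!MessageDigest.isEqual(expected, B64D.decode(digest))) {   // constant-time comparison
            throw new SecurityException("record digest mismatch for account " + account);
        }
        byte[] blob = B64D.decode(encBalance);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, encKey, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        c.updateAAD(account.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);  // AEADBadTagException if altered
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** Keyed digest over account || encrypted balance, so a database-level attacker cannot recompute it. */
    private byte[] recordMac(String account, String encBalance) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(account.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0);                                   // separator between the two fields
        mac.update(encBalance.getBytes(StandardCharsets.UTF_8));
        return mac.doFinal();
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = newSalt();
        SealedBalance table = new SealedBalance("example passphrase, replace me".toCharArray(), salt);
        // Constructed sample rows, matching the table on the slide.
        for (String[] row : new String[][] { { "12345", "300.3" }, { "54321", "1000.52" } }) {
            String[] sealed = table.seal(row[0], row[1]);
            System.out.println(row[0] + " " + sealed[0] + " " + sealed[1]);
            System.out.println("  recovered: " + table.open(row[0], sealed[0], sealed[1]));
            // Tamper with one stored character: the digest check rejects the row before decryption.
            String tampered = (sealed[0].charAt(0) == 'A' ? 'B' : 'A') + sealed[0].substring(1);
            try {
                table.open(row[0], tampered, sealed[1]);
            } catch (SecurityException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

Copying the sealed balance of account 54321 into the row for 12345 fails the same way, because both the MAC and the GCM associated data include the account number.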

Page 82

Logging and auditing using the Java Logging API

Threat addressed: modification of data by an unauthorized user who holds an authorized user's credentials.

Log security-related messages and direct them to a file, a database, a network socket, or even the console.

Page 83

Logging and auditing using the Java Logging API (cont.)

Decide what to log:
- Successful and unsuccessful login attempts
- Logouts and application shutdowns
- Successful access to functionality
- Unsuccessful attempts to access any functionality
- Severe application exceptions that could affect the integrity of application data or functionality
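As an added example (not the deck's code), the audit trail below records exactly the events listed above with java.util.logging, keeps the audit logger separate from ordinary application logging, and strips line breaks so that a crafted user name cannot forge extra audit lines. The event names, record layout and the sample calls in main are assumptions.

```java
import java.time.Instant;
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

/** Security audit trail on java.util.logging. Example code, not the deck's. */
public final class AuditLog {
    public enum Event { LOGIN, LOGOUT, SHUTDOWN, ACCESS, EXCEPTION }

    private static final Logger AUDIT = Logger.getLogger("security.audit");

    static {
        AUDIT.setUseParentHandlers(false);   // root-logger config (or a library) must not filter or reformat audit records
        AUDIT.setLevel(Level.ALL);
        Handler h = new ConsoleHandler();    // production: new FileHandler("audit-%g.log", 10_000_000, 5, true) or a SocketHandler
        h.setLevel(Level.ALL);
        h.setFormatter(new Formatter() {
            @Override public String format(LogRecord r) {
                String line = Instant.ofEpochMilli(r.getMillis()) + " " + r.getLevel() + " " + formatMessage(r);
                if (r.getThrown() != null) line += " exception=" + r.getThrown().getClass().getName();
                return line + System.lineSeparator();
            }
        });
        AUDIT.addHandler(h);
    }

    private AuditLog() {}

    /** One record per security-relevant action; failures are WARNING so a stricter filter still keeps them. */
    public static void record(Event event, String principal, String resource, boolean success, String detail) {
        LogRecord r = new LogRecord(success ? Level.INFO : Level.WARNING,
                "event={0} principal={1} resource={2} outcome={3} detail={4}");
        r.setParameters(new Object[] { event, clean(principal), clean(resource),
                success ? "SUCCESS" : "FAILURE", clean(detail) });
        AUDIT.log(r);
    }

    /** Severe exceptions that may affect data integrity get the throwable attached. */
    public static void recordException(String principal, String resource, Throwable t) {
        LogRecord r = new LogRecord(Level.SEVERE, "event={0} principal={1} resource={2} outcome=FAILURE detail={3}");
        r.setParameters(new Object[] { Event.EXCEPTION, clean(principal), clean(resource), clean(t.getMessage()) });
        r.setThrown(t);
        AUDIT.log(r);
    }

    /** Strip line breaks from attacker-influenced fields so one request cannot write a second, forged line. */
    static String clean(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n\\t]", "_");
    }

    public static void main(String[] args) {
        // Constructed sample events; the second login shows a log-injection attempt being neutralised.
        record(Event.LOGIN, "alice", "console", true, "password");
        record(Event.LOGIN, "mallory\r\nINFO event=LOGIN principal=admin outcome=SUCCESS", "console", false, "bad password");
        record(Event.ACCESS, "alice", "AccountService.transfer", false, "role CLERK lacks TRANSFER");
        recordException("alice", "AccountDao.update", new IllegalStateException("balance digest mismatch"));
        record(Event.LOGOUT, "alice", "console", true, null);
        record(Event.SHUTDOWN, "system", "app", true, "SIGTERM");
    }
}
```

Parameterised messages ({0}, {1}, ...) rather than string concatenation keep user-controlled text out of the format string, and the audit handler's own level and formatter mean a later change to logging.properties cannot silently drop the trail.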

Page 84

Hacking Java Client/Server Applications

Attacking a client-server application (over the network) is easier than attacking a standalone application (which needs physical access).

A two-tier application can be attacked at three points:
- Outside of the application: attack the database server
- The network: attack the data as it transits
- The application itself: attack the client side

Page 85

Attack the database server

Application-level database credential:
- The application uses one database userid and password for every user's requests
- Whoever extracts that credential has the application's full database rights
- There is no way to track the attacker: the database sees only the application account (semi-anonymous)

Page 86

Attack the database server (cont.)

JDBC DataSources obtained through JNDI, with authentication and the embedded credential handled by the container:
- Hiding the database: the client only knows the JNDI name, not the host, port, or database account
- Authenticate a particular user's access to the DataSource with that user's own credentials (DataSource.getConnection(user, password))

Page 87

Attack the database server (cont.)

User-level database passwords and JCE for encryption:
- Encrypt sensitive data, write it to the database, and generate a message digest for each data record

User-level database passwords and stored procedures or callable statements for access control:
- No user or application can directly access the application tables; every read and write goes through a procedure that the database account is allowed to execute, so the procedure body is the only place the access rules need to live

Page 88

Attack the data as it transits

- Packet sniffing

Solution: secure the database connection

Pages 89-91

Packet sniffing: MySQL login packet, request packet and response packet (captured-traffic screenshots)

Even where the login exchange is a challenge-response (MySQL's native authentication sends a hash of the password scrambled with a server nonce rather than the password itself), every query and every result row crosses the network in clear text unless the connection is encrypted.

Page 92

Secure the database connection

- Use a secure JDBC driver (one that supports SSL/TLS to the database)
- Use a secure SSL tunnel
- Use JSSE to implement an SSL tunneling client and server
- Use JCE to encrypt the data at the application level

Page 93

Use JSSE to implement an SSL Tunneling Client and Server (title only)
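The tunnel named on this slide, as an added example that is not the deck's code: the server end terminates TLS, insists on a client certificate and relays bytes to the plaintext database listener; connect() shows the socket settings the tunnel client should use on its side. It assumes the key and trust stores are supplied through the standard javax.net.ssl system properties and that the database listens on a host the tunnel server can reach.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.util.concurrent.CountDownLatch;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * TLS tunnel in front of a plaintext database listener (e.g. MySQL on 3306). Example code, not the deck's.
 * Assumes -Djavax.net.ssl.keyStore / -Djavax.net.ssl.trustStore (and password properties) are set.
 */
public class TlsTunnel {
    static final String[] PROTOCOLS = { "TLSv1.3", "TLSv1.2" };   // the SSLv3/TLS 1.0 of the JSSE 1.0 era are out

    /** Server side: accept TLS on tlsPort, require a client certificate, relay bytes to backendHost:backendPort. */
    public static void serve(int tlsPort, String backendHost, int backendPort) throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket listener = (SSLServerSocket) f.createServerSocket(tlsPort)) {
            listener.setEnabledProtocols(PROTOCOLS);
            listener.setNeedClientAuth(true);    // mutual TLS: a sniffed database password alone no longer gets a connection
            while (true) {
                SSLSocket client = (SSLSocket) listener.accept();
                new Thread(() -> relay(client, backendHost, backendPort)).start();
            }
        }
    }

    static void relay(SSLSocket client, String backendHost, int backendPort) {
        try (client; Socket backend = new Socket(backendHost, backendPort)) {
            client.startHandshake();             // fails here, before any database bytes flow, if the client is untrusted
            SSLSession s = client.getSession();
            System.out.println("tunnel: " + s.getPeerPrincipal() + " " + s.getProtocol() + " " + s.getCipherSuite());
            CountDownLatch done = new CountDownLatch(1);
            pump(client.getInputStream(), backend.getOutputStream(), done);
            pump(backend.getInputStream(), client.getOutputStream(), done);
            done.await();                        // first direction to close ends the session; closing both sockets unblocks the other
        } catch (Exception e) {
            System.err.println("tunnel closed: " + e);
        }
    }

    static void pump(InputStream in, OutputStream out, CountDownLatch done) {
        new Thread(() -> {
            try { in.transferTo(out); } catch (IOException ignored) { } finally { done.countDown(); }
        }).start();
    }

    /** Client side: the socket a local tunnel client uses to reach the tunnel server, with host-name verification on. */
    public static SSLSocket connect(String tunnelHost, int tunnelPort) throws IOException {
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(tunnelHost, tunnelPort);
        SSLParameters p = s.getSSLParameters();
        p.setProtocols(PROTOCOLS);
        p.setEndpointIdentificationAlgorithm("HTTPS");  // the server certificate must match tunnelHost, not merely chain to a CA
        s.setSSLParameters(p);
        s.startHandshake();
        return s;
    }

    public static void main(String[] args) throws IOException {
        // java -Djavax.net.ssl.keyStore=tunnel.p12 -Djavax.net.ssl.keyStorePassword=... \
        //      -Djavax.net.ssl.trustStore=clients.p12 -Djavax.net.ssl.trustStorePassword=... TlsTunnel 3307 127.0.0.1 3306
        serve(Integer.parseInt(args[0]), args[1], Integer.parseInt(args[2]));
    }
}
```

The JDBC client is then pointed at the tunnel client's local port and never sees TLS, which is the point of the tunnel approach: no driver change is needed. Without setEndpointIdentificationAlgorithm on the client socket, anyone holding any certificate your truststore accepts could sit in the middle.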

Page 94

Attack the client side

Applets and Web Start applications, where remote class loading is a necessity: attackers might succeed in placing unwanted or dangerous files on our client.

[Figure: remote code servers delivering classes to client code that needs remote class loading]

Page 95

Attack the client side (cont.)

Solutions:
- Securing JAR files
- Specify the classpath on the command line
- Protecting applet-based clients

Securing JAR files

JAR file – a mechanism for distributing application code in an encapsulated form

jarsigner – associates a digital signature with a JAR file, and later verifies the signature against an entry in a keystore

Sealing packages within a JAR file

Notifies the JVM that the packages contained in the JAR file are atomic: every class in a sealed package must come from that same JAR, so an attacker cannot slip an extra class into the package from elsewhere on the classpath.

Remark: keystore – a physical repository for the digital certificates that are used to verify that a file was sent by the entity you expected
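How a client can check, before loading anything, that a JAR carries the signature jarsigner produced and that the signer is in its own keystore, as an added example (not code from the deck). It uses only the JDK's java.util.jar and java.security classes; the file names on the command line are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Verifies a signed JAR against the certificates in our own keystore and reports which packages are sealed. */
public class SignedJarCheck {

    /** Collect every certificate in the keystore; these are the only signers we accept. */
    static Set<Certificate> trustedCerts(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        Set<Certificate> certs = new HashSet<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c != null) certs.add(c);
        }
        return certs;
    }

    /**
     * True only if every entry outside META-INF verifies and was signed by a trusted certificate.
     * JarFile(verify=true) checks an entry's digest while the entry is being read, so each entry must be
     * read to the end before getCodeSigners() means anything. A JAR may also mix signed and unsigned
     * entries, which is why every entry is checked rather than just one.
     */
    static boolean isTrusted(File jar, Set<Certificate> trusted) throws IOException {
        try (JarFile jf = new JarFile(jar, true)) {
            if (jf.getManifest() == null) return false;       // nothing to verify against
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> entries = jf.entries(); entries.hasMoreElements();) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().toUpperCase().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* digest is checked as the bytes stream past */ }
                } catch (SecurityException tampered) {
                    System.err.println("digest mismatch: " + entry.getName());
                    return false;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.err.println("unsigned entry: " + entry.getName());
                    return false;
                }
                boolean trustedSigner = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (trusted.contains(leaf)) { trustedSigner = true; break; }
                }
                if (!trustedSigner) {
                    System.err.println("signed by an unknown certificate: " + entry.getName());
                    return false;
                }
            }
            return true;
        }
    }

    /** Lists the packages the manifest seals (Sealed: true); the JVM then loads those packages from this JAR only. */
    static List<String> sealedPackages(File jar) throws IOException {
        List<String> sealed = new ArrayList<>();
        try (JarFile jf = new JarFile(jar)) {
            Manifest mf = jf.getManifest();
            if (mf == null) return sealed;
            if ("true".equalsIgnoreCase(mf.getMainAttributes().getValue(Attributes.Name.SEALED))) sealed.add("(whole JAR)");
            for (Map.Entry<String, Attributes> e : mf.getEntries().entrySet()) {
                if ("true".equalsIgnoreCase(e.getValue().getValue(Attributes.Name.SEALED))) sealed.add(e.getKey());
            }
        }
        return sealed;
    }

    public static void main(String[] args) throws Exception {
        // usage: java SignedJarCheck app.jar trust.jks <keystore-password>   (file names are hypothetical)
        Set<Certificate> trusted = trustedCerts(args[1], args[2].toCharArray());
        File jar = new File(args[0]);
        System.out.println("trusted: " + isTrusted(jar, trusted));
        System.out.println("sealed packages: " + sealedPackages(jar));
    }
}
```

Comparing the leaf certificate against the keystore is what turns "this JAR is signed" into "this JAR is signed by someone we chose to trust"; jarsigner -verify alone only proves the former.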

Specify the classpath on the command line

Don't rely on the CLASSPATH environment variable, because that opens a door for attackers to insert their own classes ahead of yours

A good practice is to always specify your application's classpath on the command line, in a read-only startup script.

Protecting Applet-based client

Type confusion attack – the attacker crafts bytecode that confuses the VM as to the type of the object at a particular memory location

Such attacks took advantage of flaws (failure to stop illegal class casts or access to an object's private instance variables) in the bytecode verifiers embedded in particular VMs.

Protecting Applet-based client (cont.)

Problem: flaws in an underlying VM

Solution: Use the Java Plug-in

When the browser sees a special tag embedded in an HTML page indicating that a Java applet is present, it ignores the browser's built-in VM and invokes the Java Plug-in, which uses Sun's JRE

With the Java Plug-in, applets run under the default Java security manager.

Protecting WebStart-based Client

Java WebStart is built on the Java Network Launching Protocol (JNLP) and API

Combines the benefits of applet-based deployment with the benefits of standalone applications (no need for a web browser or applet container)

WebStart code is loaded remotely, so it is vulnerable to well-known hacking techniques such as server spoofing, class replacement, and tricking unknowledgeable users into granting wide-ranging system access.

Protecting WebStart-based Client (cont.)

Solution:

Regulated via the signedBy attribute in the javaws.policy file or the system policy file

Two additional security settings defined in the JNLP file for the application: the all-permissions element and the j2ee-application-client-permissions element; either should be requested only by a signed application

Including the JNLP file in the signed JAR file (as JNLP-INF/APPLICATION.JNLP), so the launch description cannot be altered without breaking the signature

Java Network Applications: RMI

The Dangers of RMI

Unauthorized Use of Server Side Functions

Loading class and jar files remotely

The Dangers of RMI

By default RMI makes all method calls across the network in plain text, without any authentication.

Information could be read in transit by a packet sniffer

The Dangers of RMI (cont.)

Solution:

Selective encryption

Encrypting the account number and balance

Encrypted communication channel

Using an SSL connection between client and server

Unauthorized Use of Server Side Functions

Solution:

Alter the remote methods so that the server can verify the user's identity

Authenticated communication channel

Create an authenticated socket class

Create a socket factory so that RMI can use the new socket
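The two RMI solutions above (an encrypted channel, and remote methods that let the server verify the caller) combined in one added example, written for this page rather than taken from the deck. Instead of a hand-written authenticated socket class it uses the JDK's javax.rmi.ssl socket factories, which put the whole RMI exchange inside TLS and can demand a client certificate; on top of that, every business call carries a session token issued by login, so the server authorizes each call against the account's owner. The user, account and balance tables are constructed in memory for the example.

```java
import java.nio.charset.StandardCharsets;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIClientSocketFactory;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SecureRmiServer implements SecureRmiServer.AccountService {

    /** Every remote method except login carries a session token that the server issued after authentication. */
    public interface AccountService extends Remote {
        String login(String user, String password) throws RemoteException;
        long getBalance(String sessionToken, String accountNo) throws RemoteException;
    }

    // Constructed data for the example; a real server would back this with a directory and a database.
    private final Map<String, byte[]> passwordHashes = new HashMap<>();
    private final Map<String, Set<String>> accountsOf = new HashMap<>();
    private final Map<String, Long> balances = new HashMap<>();
    private final Map<String, String> sessions = new HashMap<>();   // token -> user
    private final SecureRandom rng = new SecureRandom();

    SecureRmiServer() {
        passwordHashes.put("alice", sha256("correct horse battery staple"));
        accountsOf.put("alice", new HashSet<>(Collections.singleton("ACC-1001")));
        balances.put("ACC-1001", 2500L);
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }

    @Override
    public synchronized String login(String user, String password) {
        byte[] expected = passwordHashes.get(user);
        // constant-time compare; an unknown user and a wrong password look the same to the caller
        if (expected == null || !MessageDigest.isEqual(expected, sha256(password))) {
            throw new SecurityException("authentication failed");
        }
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, user);
        return token;
    }

    @Override
    public synchronized long getBalance(String sessionToken, String accountNo) {
        String user = sessions.get(sessionToken);
        if (user == null) throw new SecurityException("not authenticated");
        // authorization is decided per call on the server, never trusted from the client
        if (!accountsOf.getOrDefault(user, Collections.<String>emptySet()).contains(accountNo)) {
            throw new SecurityException(user + " may not read " + accountNo);
        }
        return balances.get(accountNo);
    }

    public static void main(String[] args) throws Exception {
        // JSSE reads -Djavax.net.ssl.keyStore/trustStore (assumed set); needClientAuth=true makes the socket
        // layer itself demand a client certificate, in addition to the application-level login above.
        RMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        RMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, new String[] {"TLSv1.2"}, true);
        SecureRmiServer impl = new SecureRmiServer();
        AccountService stub = (AccountService) UnicastRemoteObject.exportObject(impl, 0, csf, ssf);
        Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);   // registry lookups are TLS-only too
        registry.rebind("AccountService", stub);
        System.out.println("AccountService exported over TLS with client certificates required");
    }

    /** Client usage from another JVM that holds a client certificate in its keystore (host name is hypothetical). */
    static long clientDemo(String host) throws Exception {
        Registry registry = LocateRegistry.getRegistry(host, 1099, new SslRMIClientSocketFactory());
        AccountService svc = (AccountService) registry.lookup("AccountService");
        String token = svc.login("alice", "correct horse battery staple");
        return svc.getBalance(token, "ACC-1001");
    }
}
```

With the plain JRMP transport the login call in clientDemo would put the password on the wire in clear text, which is exactly what the packet sniffer sees; the SSL socket factories close that hole without changing the remote interface. The selective-encryption alternative from the previous slide (JCE-encrypting only the account number and balance fields) protects the data but still leaves the calls themselves unauthenticated, so the session token is needed either way.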

Loading class and jar files remotely

RMI allows the class and JAR files to be loaded from a remote location for application distribution

Hackers could modify the JAR code and convince the users to run it. Then they could control the system.

Solution:

Load classes only from signed JARs whose signers you trust, run the client under a security manager with a restrictive policy, and disable or tightly restrict remote codebase loading (the java.rmi.server.useCodebaseOnly property)

Exploiting Java Web Tier Components

A Java web application utilizes several technologies:

JSP and Servlets

Static HTML content

The Tomcat web container / web server

Exploiting Java Web Tier Components (cont.)

System-level security is extremely important for any web application

You can apply the following security measures to the web application:

Passing sensitive servlet parameters in the body of a POST request rather than in the URL query string, where they end up in browser history, proxy and server logs, and Referer headers

Configuring certain servlets to deny HTTP GET requests

Exploiting Java Web Tier Components (cont.)

Implementing solid web application exception handling

Overriding container defaults for directory listing and servlet invocation

Implementing a form-based authentication scheme

Resisting "session stealing" attacks

Implementing and requiring HTTPS via SSL for all browser-to-container connections
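A login servlet that applies the measures in the two lists above, as an added example written for this page (not code from the deck): GET is refused so credentials cannot be passed in a URL, the handler insists on HTTPS, a successful login discards any pre-existing session id (the session-fixation form of session stealing), and a catch-all keeps stack traces out of the browser. It uses the javax.servlet API; the user table is constructed in memory and the /login and /home paths are assumptions. The declarative counterparts live in web.xml: a security-constraint with transport-guarantee CONFIDENTIAL to force HTTPS, and login-config with auth-method FORM for container-managed form authentication.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login servlet applying the web-tier measures listed above. Map it to /login in web.xml (mapping not shown). */
public class HardenedLoginServlet extends HttpServlet {

    // Constructed user table (SHA-256 of the password) standing in for the container realm or JAAS.
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static { USERS.put("alice", sha256("correct horse battery staple")); }

    /** Credentials belong in a POST body, never in a URL: refuse GET so they cannot land in logs or history. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Require HTTPS: do not even read credentials that arrived over plain HTTP.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // one answer for unknown user and wrong password
            return;
        }
        // Session fixation defence: discard any session id that existed before authentication.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60);   // bound the window in which a stolen id is useful

        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** Exception handling: whatever breaks, the browser gets a generic 500 and the detail stays in the server log. */
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        try {
            super.service(req, resp);
        } catch (RuntimeException e) {
            log("unexpected failure handling " + req.getRequestURI(), e);
            if (!resp.isCommitted()) resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    static boolean authenticate(String user, String password) {
        byte[] expected = USERS.get(user);
        byte[] actual = sha256(password);
        // compare against a dummy digest when the user is unknown so the timing does not reveal valid user names
        boolean match = MessageDigest.isEqual(expected == null ? new byte[32] : expected, actual);
        return match && expected != null;
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }
}
```

The session handling is the part most often got wrong: calling getSession(true) before authentication and then simply adding the user attribute keeps whatever id the browser already had, so an attacker who planted that id (via a link or a cookie) now owns an authenticated session.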


Web Services Security

Web Services

Web Service Technologies

Quick Comparison to Related Technologies

The Java Web Services Developer Pack

Web Services Application Vulnerabilities

Securing Web Services Applications

Web Services Security Scheme

Web Services

The ability to publish, discover, or invoke a set of services in a platform-independent manner, using XML and standard, web-based protocols for transport.

Web Services Technologies

Simple Object Access Protocol (SOAP)

Provides a platform-neutral, XML-based mechanism to request services

Web Services Description Language (WSDL)

The interface description of the service

Web Services Technologies (cont.)

Universal Description, Discovery and Integration (UDDI)

The naming service, where service providers can advertise their services to prospective clients

Quick Comparison to Related Technologies

Function               CORBA        Java RMI                   Web Services
Naming service         COSNaming    rmiregistry                UDDI
Interface description  IDL          extends java.rmi.Remote    WSDL
Wire protocol          IIOP         JRMP or RMI-IIOP           SOAP

The Java Web Services Developer Pack

Java technologies for web services

JAXM

A Java interface to generate SOAP messages

JAX-RPC

An interface on top of JAXM that provides an RMI-like interface to web services

The Java Web Services Developer Pack (cont.)

JAXR

Java access to UDDI-based registries

A host for web services endpoints

A reference implementation using servlets running on Jakarta Tomcat

Web Services Application Vulnerabilities

The transport data is plain XML, so anyone on the path can view or change it with a common text editor

The WSDL metadata needed to invoke the service is usually available to the general public, so an attacker learns the full interface without guessing

Propagation of security identity or credentials between the client and the service is not standardized and can be quite problematic, especially in a workflow-based architecture where a message passes through several intermediaries

Watching SOAP Request and Response with tcpmon

Securing Web Services Applications

Securing the client/server connection

Connecting web services via secure tunneling over SSL

Authentication with web services

Implementing declarative authorization for web services

Implementing programmatic authorization for web services

Securing Web Services Applications (cont.)

Confidentiality and integrity of payload information

Propagation of credential information

Securing the client/server connection

Use SSL/TLS for all non-public web service ports

J2EE provides a declarative option, the transport-guarantee setting in the deployment descriptor, to require SSL/TLS for communication with the application

XML Key Management Specification (XKMS)

eXtensible Access Control Markup Language (XACML)

Security Assertion Markup Language (SAML)

Enterprise Java Beans Security

J2EE Security Architecture

Covers both the web tier and the EJB tier. At the web tier, access control is performed against each web resource, which is represented in the form of a URL.

At the EJB tier, access control can be applied against each business method of a bean.

The container can enforce access control based on roles defined in the web tier and the EJB tier.

J2EE Security Architecture (cont.)

A security role represents a grouping of principals and is associated with permissions, or authorizations, within the application.

A principal is assigned a role, and a role is granted permission to execute specific methods.

User credentials are represented in the form of Principal objects. The Principal objects are created from the actual user identity information that was entered by the user.


EJB Security Architecture

EJBs have two options for managing security

Declarative security

Declarations made in the deployment descriptor dictate the security of the components.

Security boundaries are based on the beans and the methods provided by the beans.

Security is based on which roles are allowed to use which beans and which methods they are allowed to execute within the beans.

EJB Security Architecture (cont.)

Programmatic security

The EJB API provides several methods that indicate the role of the caller and the principal of the caller, which the bean uses to control the execution of application security logic
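Both options side by side in one bean, as an added example written for this page (not code from the deck). The declarative rules are expressed with the EJB 3.0 annotations, which are the in-code equivalent of the method-permission and role-name elements the deck's deployment descriptor would carry; the programmatic part uses SessionContext.getCallerPrincipal and isCallerInRole for a rule roles alone cannot express, namely that a customer may only read an account they own. The owner and balance tables are constructed for the example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Declarative rules (@RolesAllowed) are enforced by the container before a method body runs;
 * the programmatic checks inside use SessionContext for decisions that depend on application data.
 */
@Stateless
@DeclareRoles({"customer", "teller", "manager"})
public class AccountBean {

    @Resource
    private SessionContext ctx;   // injected by the container; carries the authenticated caller

    // Constructed owner and balance tables for the example; a real bean would read the account entity.
    private static final Map<String, String> OWNER_OF = new HashMap<>();
    private static final Map<String, Long> BALANCE_OF = new HashMap<>();
    static {
        OWNER_OF.put("ACC-1001", "alice"); BALANCE_OF.put("ACC-1001", 2500L);
        OWNER_OF.put("ACC-2002", "bob");   BALANCE_OF.put("ACC-2002", 900L);
    }

    /** Declarative: callers outside these roles get an EJBAccessException from the container, not from us. */
    @RolesAllowed({"customer", "teller"})
    public long getBalance(String accountNo) {
        Principal caller = ctx.getCallerPrincipal();
        // Programmatic: "only your own account" is not a role, so the bean checks it against the owner table.
        boolean ownsIt = caller.getName().equals(OWNER_OF.get(accountNo));
        if (!ctx.isCallerInRole("teller") && !ownsIt) {
            throw new EJBAccessException(caller.getName() + " may not read " + accountNo);
        }
        Long balance = BALANCE_OF.get(accountNo);
        if (balance == null) throw new IllegalArgumentException("no such account: " + accountNo);
        return balance;
    }

    /** Managers only; the container refuses customers and tellers before this body is reached. */
    @RolesAllowed("manager")
    public void closeAccount(String accountNo) {
        if (OWNER_OF.remove(accountNo) == null) throw new IllegalArgumentException("no such account: " + accountNo);
        BALANCE_OF.remove(accountNo);
    }
}
```

The role names passed to isCallerInRole are the logical roles declared on the bean; the deployer maps them to real users and groups in the container's realm, which is what lets the same bean be deployed into organisations with different directory layouts.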


J2EE Protection Domain


Contact Details:

Dr. Waitak Wong

Email: [email protected]

Phone: 03-5186529

Department of Information Management, Chung Hua University

No. 707, Sec. 2, WuFu Rd., Hsinchu, Taiwan

Glossary

CSP – Cryptographic Service Provider

EJB – Enterprise Java Bean

IDL – Interface Definition Language

IIOP – Internet Inter-ORB Protocol

JAAS – Java Authentication and Authorization Service

JCE – Java Cryptography Extension

JDBC – Java Database Connectivity

JNLP – Java Network Launching Protocol

JRMP – Java Remote Method Protocol

JSSE – Java Secure Socket Extension

JWSDP – Java Web Services Developer Pack

MAC – Message Authentication Code

PKCS – Public-Key Cryptography Standards

RMI – Remote Method Invocation

SSL – Secure Sockets Layer

TLS – Transport Layer Security

The End of the Session