In this session, learn how to utilize Java EE security and what GlassFish Server technology provides to address your security requirements. The presentation goes over how to develop new JASPIC (JSR-196) or JACC (JSR-115) modules and plug them into GlassFish.
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Utilize the Full Power of GlassFish Server and Java EE Security
Masoud Kalali
Principal Member of Technical Staff - ORACLE
Twitter: @MasoudKalali
Blog: http://kalali.me
Program Agenda
– Introduction
– Java EE Security API
– Java Authentication Service Provider Interface (JSR-196)
– Java Authorization Contract for Containers (JSR-115)
Introduction
Java EE Security API: Terms
– Subject: an individual identity which is to be authenticated.
– Group: a group of users with common permissions and access levels.
– Security Realm: connects the application server to the identity storage.
– Role: a Java EE concept to define access levels.
– Principal: aka a role attached to an authenticated subject.
– Credential: contains or references information used to authenticate a principal.
Java EE Security API: Before anything else
– Identify the sensitive data
– Identify the roles having access to the sensitive data
– Identify the resources representing the sensitive data
– Group the mentioned resources into meaningful sets
– And document the above items!
Java EE Security API: Resource Protection
Authentication
– At the Web Container
– At the Application Client Container
Authorization (Access Control)
– At the Web Container
– At the EJB Container
Subject Propagation
– From Web Container to EJB Container
– From App Client to EJB Container
– From EIS to Connector (inflow messages)
Java EE Security API: Authentication
– When a protected resource is requested, establish the client's identity
Authentication Methods
– Form
– Basic
– Digest
– Client-Cert
Java EE Security API: Authentication Continued…
Specify the protected resources, the permitted role/s and the transport guarantee level in web.xml:

<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the web-app schema -->
        <web-resource-name>manager</web-resource-name>
        <!-- the protected resources -->
        <url-pattern>/manager/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- the permitted role/s -->
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
    <!-- the transport guarantee level -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Java EE Security API: Authentication Continued…
Specify the login configuration and the security realm name:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbc-realm</realm-name>
</login-config>

Pick one auth-method:
– HTTP Basic Authentication: BASIC
– Digest Authentication: DIGEST
– HTTPS Client Authentication: CLIENT-CERT
– Form-Based Authentication: FORM
Java EE Security API: Got your own way of authenticating?
Use programmatic login in Java EE 6 and benefit from all that container security provides:
– Principal propagation
– Unified security exceptions
– Any auditing/logging that the container provides
– Authentication against the configured realm
Do more than just two tokens (multi-factor authentication):
– Mix and match 3rd-party soft tokens with username/passwords
Java EE Security API: Got your own way of authenticating?

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Inside a Servlet 3.0 servlet; getLastActiveSmsForUser() and invalidateLastSmsForUser() are the application's own helpers.
String userName = request.getParameter("user");
String password = request.getParameter("password");
String enteredSmsCode = request.getParameter("enteredSms");
String expectedSmsCode = getLastActiveSmsForUser(userName);
// Null-safe (the parameter may be absent) and constant-time comparison of the one-time code
if (enteredSmsCode != null && expectedSmsCode != null
        && MessageDigest.isEqual(enteredSmsCode.getBytes(StandardCharsets.UTF_8),
                                 expectedSmsCode.getBytes(StandardCharsets.UTF_8))) {
    try {
        // Let the container authenticate the username/password against the configured realm
        request.login(userName, password);
    } catch (ServletException ex) {
        // Handle the failed login (wrong credentials, or a user already logged in)
    }
} else {
    invalidateLastSmsForUser(userName);
}
To wrap it up: the web.xml and *-web.xml security-related structure, and role mapping
Java EE Security API: Security-related methods on HttpServletRequest

Method                                         Description
String getRemoteUser()                         If the user is authenticated, returns the username; otherwise returns null.
boolean isUserInRole(String role)              Returns whether the current user has the specified role or not.
Principal getUserPrincipal()                   Returns a java.security.Principal object containing the name of the current authenticated user.
String getAuthType()                           Returns a String containing the authentication method used to protect this application.
void login(String username, String password)   Performs the programmatic login explained above.
void logout()                                  Establishes null as the value returned when getUserPrincipal, getRemoteUser, and getAuthType are called on the request.
String getScheme()                             Returns the scheme portion of the URL, for example http or https.
Java EE Security API: Authorization (Access Control)
Now that you have established the user identity, enforce access control:
– Using annotations to annotate the permitted and not permitted roles
– Using XML descriptors to specify the permitted and not permitted roles
Java EE Security API: Authorization (Access Control): Security constraints (Web, EJB..)

Annotation        Description
@DeclareRoles     Prior to referencing any role, it should be defined. @DeclareRoles acts like the security-role element in defining the roles used in the application.
@RunAs            Specifies the run-as role for the given components.
@ServletSecurity  Specifies the security constraint for the annotated Servlet.
@PermitAll        Permits users with any role to access the given method, EJB or Servlet.
@RolesAllowed     On a method, permits the included roles to invoke it. On a class, all methods are accessible to those roles unless a method is annotated with a different set of roles using @RolesAllowed.
@DenyAll          On a method, denies every role access to it.
Java EE Security API: Where to place the Annotations?

Annotation        Target Level    Target Kind
@DeclareRoles     Class           EJB, Servlet
@RunAs            Class           EJB, Servlet
@ServletSecurity  Class           Servlet
@PermitAll        Class, Method   EJB, Servlet
@RolesAllowed     Class, Method   EJB, Servlet
@DenyAll          Method          EJB, Servlet
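An added example (not part of the original slides) that puts the two annotation tables and the HttpServletRequest security methods to work: a stateless EJB whose class-level @RolesAllowed is overridden per method, and a servlet whose @ServletSecurity expresses the same /manager/* constraint as the web.xml fragment earlier. The class names, role names other than "manager", the URL and the @RunAs role are assumptions made for the example; the two classes go in separate source files as the comments indicate.

```java
// File: ReportService.java (added example; names are hypothetical)
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;

// Class-level @RolesAllowed is the default for every business method; a method
// annotated with @PermitAll, @DenyAll or its own @RolesAllowed overrides it.
@Stateless
@DeclareRoles({"manager", "employee"})   // roles must be declared before they are referenced
@RolesAllowed("employee")
@RunAs("manager")                        // calls this bean makes to other components run as "manager"
public class ReportService {

    @RolesAllowed("manager")             // only managers may call this one
    public String salaryReport() { return "salary report"; }

    @PermitAll                           // any caller, authenticated or not
    public String publicSummary() { return "public summary"; }

    @DenyAll                             // never callable through the container
    public String legacyExport() { return "legacy export"; }

    public String employeeReport() { return "employee report"; }   // inherits @RolesAllowed("employee")
}

// File: ManagerReportServlet.java (added example; names are hypothetical)
import java.io.IOException;
import java.io.PrintWriter;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Annotation form of the <security-constraint> for /manager/*: role "manager", HTTPS only.
@WebServlet("/manager/reports")
@ServletSecurity(@HttpConstraint(rolesAllowed = "manager",
                                 transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class ManagerReportServlet extends HttpServlet {

    @EJB
    private ReportService reports;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller and enforced the "manager" role.
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user:      " + req.getRemoteUser());
        out.println("principal: " + req.getUserPrincipal().getName());
        out.println("auth type: " + req.getAuthType());
        out.println("scheme:    " + req.getScheme());    // "https" under CONFIDENTIAL
        out.println(reports.salaryReport());             // allowed: caller is a manager
        if (req.isUserInRole("employee")) {              // programmatic check before an employee-only call
            out.println(reports.employeeReport());
        }
        out.println(reports.publicSummary());            // allowed for everyone
    }
}
```

The servlet never calls legacyExport(): the container would reject the call with an EJBAccessException for any caller, which is what @DenyAll is for.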
Java EE Security API: Transport Security
– Apply the right level of transport security on your resources: CONFIDENTIAL or INTEGRAL
– Use as much strength as needed; the strongest option is not always the best choice
– Check country regulations before choosing cipher suites
Is that all that we can do?
No, there is much more…
Java Authentication Service Provider Interface (JSR-196): What JSR-196 is…
– An SPI for integrating authentication mechanism implementations in message processing runtimes
– Authentication is delegated to the corresponding provider at message processing points
– Develop authentication modules that utilize unsupported credentials or headers
– Utilize the container security integration
– Plug in off-the-shelf 3rd-party authentication modules implementing JSR-196
Java Authentication Service Provider Interface (JSR-196): Message interception points
– In the client, before transmitting the request to the server.
– In the server, before the target service receives the client request.
– In the server, before a response can be sent back to the client.
– In the client, before the server response can be consumed.
Java Authentication Service Provider Interface (JSR-196): How you can benefit from it
– Integrate any COTS authentication module
– Develop your own credentials and use them for authentication
– Benefit from container-provided security: access control, subject propagation, unified error messages, auditing, etc.
Java Authentication Service Provider Interface (JSR-196): The good part, the SPI…
– The interface is javax.security.auth.message.module.ServerAuthModule
– An overall of 5 methods to implement:
  – 2 directly from javax.security.auth.message.module.ServerAuthModule
  – 3 derived from javax.security.auth.message.ServerAuth
– The implementation can be plugged into the container
– The implementation can be used by the web apps
– Supported by any Java EE 6 compliant app server
Java Authentication Service Provider Interface (JSR-196): 2 directly from ServerAuthModule
void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options)
– Called for each authentication event
– requestPolicy and responsePolicy specify whether authentication is mandatory or not
– handler communicates the user and group principals to be used in establishing the runtime's security context
– options come from the container and parameterize the behaviour of the SAM module
Java Authentication Service Provider Interface (JSR-196): 2 directly from ServerAuthModule
Class[] getSupportedMessageTypes()
Returns an array of the supported message type classes:
– HttpServletRequest.class
– HttpServletResponse.class
Java Authentication Service Provider Interface (JSR-196): 3 derived from javax.security.auth.message.ServerAuth
AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
– Custom credential scraping and/or authentication happens here
– Communicate the authentication result and/or identity assertions to the message processing runtime through the CallbackHandler
Java Authentication Service Provider Interface (JSR-196): 3 derived from javax.security.auth.message.ServerAuth
AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
– Nothing much to do here for the servlet profile
– Usually: return AuthStatus.SEND_SUCCESS;
Java Authentication Service Provider Interface (JSR-196): 3 derived from javax.security.auth.message.ServerAuth
void cleanSubject(MessageInfo messageInfo, Subject subject)
– Remove method-specific principals and groups from the provided Subject
– Update the messageInfo if needed for a multi-step message exchange
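The five methods above assembled into one complete servlet-profile ServerAuthModule, as an added example that is not part of the original slides or of GlassFish. It authenticates a request by an opaque token carried in an HTTP header, which is exactly the "unsupported credentials or headers" case JSR-196 is for. Assumptions: the header name comes from a provider option called "header.name" (a name chosen for this example, defaulting to X-Auth-Token), and the token store is a constructed in-memory map with a single demo token; a real module would consult a token service. The caller name and group are handed to the container through CallerPrincipalCallback and GroupPrincipalCallback, so role mapping and propagation then work as for any other authentication mechanism.

```java
// File: HeaderTokenServerAuthModule.java (added example; not GlassFish code)
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HeaderTokenServerAuthModule implements ServerAuthModule {

    private static final Class<?>[] SUPPORTED_TYPES = { HttpServletRequest.class, HttpServletResponse.class };
    private static final Charset UTF8 = Charset.forName("UTF-8");

    private CallbackHandler handler;
    private MessagePolicy requestPolicy;
    private String headerName;
    // Constructed token store for the example: token -> {caller name, group}.
    private final Map<String, String[]> tokens = new HashMap<String, String[]>();

    // 1. ServerAuthModule: receives policies, the container's CallbackHandler and provider options.
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.requestPolicy = requestPolicy;
        this.handler = handler;
        // "header.name" is an assumed option key set on the provider entry; defaults to X-Auth-Token.
        Object configured = options == null ? null : options.get("header.name");
        this.headerName = configured == null ? "X-Auth-Token" : configured.toString();
        tokens.put("constructed-demo-token", new String[] { "alice", "group_1" });   // constructed sample
    }

    // 2. ServerAuthModule: the message types this module understands (servlet profile).
    public Class[] getSupportedMessageTypes() {
        return SUPPORTED_TYPES;
    }

    // 3. ServerAuth: scrape the credential, authenticate, and report the identity via the callbacks.
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        String[] identity = lookup(request.getHeader(headerName));
        if (identity != null) {
            establishCaller(clientSubject, identity[0], identity[1]);
            return AuthStatus.SUCCESS;
        }
        if (requestPolicy == null || !requestPolicy.isMandatory()) {
            // Unprotected resource: report an unauthenticated caller and let the request through.
            establishCaller(clientSubject, null, null);
            return AuthStatus.SUCCESS;
        }
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }

    // 4. ServerAuth: nothing to secure on the response for the servlet profile.
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    // 5. ServerAuth: remove what this module put into the Subject.
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }

    // Constant-time comparison of the presented token against every known token (no early exit).
    private String[] lookup(String presented) {
        if (presented == null) return null;
        byte[] presentedBytes = presented.getBytes(UTF8);
        String[] match = null;
        for (Map.Entry<String, String[]> e : tokens.entrySet()) {
            if (MessageDigest.isEqual(presentedBytes, e.getKey().getBytes(UTF8))) match = e.getValue();
        }
        return match;
    }

    // Hand the caller name (null = unauthenticated) and group to the container through the CallbackHandler.
    private void establishCaller(Subject clientSubject, String callerName, String group) throws AuthException {
        try {
            CallerPrincipalCallback caller = new CallerPrincipalCallback(clientSubject, callerName);
            Callback[] callbacks = group == null
                ? new Callback[] { caller }
                : new Callback[] { caller, new GroupPrincipalCallback(clientSubject, new String[] { group }) };
            handler.handle(callbacks);
        } catch (Exception e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
    }
}
```

The group name group_1 lines up with the security-role-mapping in the glassfish-web.xml fragment later in the deck, so a caller presenting the demo token ends up in role_1 without any change to the application. Returning SEND_FAILURE with a 401 on a mandatory policy is what makes the container stop the request instead of passing it on unauthenticated.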
Java Authentication Service Provider Interface (JSR-196): GlassFish and JSR-196
Install it in the domain: create a new provider under Security > Message Security > HttpServlet
Java Authentication Service Provider Interface (JSR-196): GlassFish and JSR-196
Use it for one web application if it was not made the default:
– Use the httpservlet-security-provider attribute of the root element of glassfish-web.xml (glassfish-web-app; sun-web-app in sun-web.xml)
And you are done!

<glassfish-web-app httpservlet-security-provider="new-sam">
    <security-role-mapping>
        <role-name>role_1</role-name>
        <group-name>group_1</group-name>
    </security-role-mapping>
</glassfish-web-app>
Java Authorization Contract for Containers (JSR-115): What is JSR-115
– To plug a new access control mechanism into the container
– The container delegates the access control decision to the provider
– Uses the same role mapping that is supported by Java EE
– Correlates with the authentication mechanism (the Subject's roles)
Java Authorization Contract for Containers (JSR-115): How you can benefit from it
Add a new decision-making mechanism:
– Add the time of day to the decision making
– Use a different type of policy storage
– etc.
Java Authorization Contract for Containers (JSR-115): The good part, the SPI…
Mainly two classes should be implemented by the provider:
– javax.security.jacc.PolicyConfigurationFactory
– javax.security.jacc.PolicyConfiguration
If it is not compliant with the default Java SE policy, it should also implement:
– java.security.Policy
The rest is already done by the container!
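An added example (not part of the original slides or of GlassFish) of the "add the time of day to the decision making" idea from the previous slide, implemented as the java.security.Policy part of a JACC provider: it denies WebResourcePermission checks for paths under /manager/ outside business hours and delegates every other decision, including the role-based ones, to the Policy that was installed before it. Assumptions: the provider entry created under Security > JACC Provider names this class as the policy provider while keeping the existing policy-configuration factory (so PolicyConfigurationFactory and PolicyConfiguration are the container's own), and the hours 8 to 18 and the /manager/ prefix are constructed values for the example.

```java
// File: BusinessHoursPolicy.java (added example; not GlassFish code)
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Calendar;
import javax.security.jacc.WebResourcePermission;

// A Policy that adds a time-of-day rule to the container's web access-control decision and
// delegates everything else (EJB permissions, role checks, code-source permissions) to the wrapped Policy.
public class BusinessHoursPolicy extends Policy {

    private final Policy delegate;
    private final String restrictedPrefix;
    private final int openHour;    // inclusive, 24-hour clock
    private final int closeHour;   // exclusive, 24-hour clock

    // No-arg constructor for the container: wrap whatever Policy is installed at this point.
    // (assumption: this class is configured as the JACC provider's policy provider)
    public BusinessHoursPolicy() {
        this(Policy.getPolicy(), "/manager/", 8, 18);   // constructed values for the example
    }

    BusinessHoursPolicy(Policy delegate, String restrictedPrefix, int openHour, int closeHour) {
        this.delegate = delegate;
        this.restrictedPrefix = restrictedPrefix;
        this.openHour = openHour;
        this.closeHour = closeHour;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        // The web container asks for a WebResourcePermission named after the requested path;
        // a denial here wins regardless of the caller's roles.
        if (permission instanceof WebResourcePermission
                && permission.getName().startsWith(restrictedPrefix)
                && !withinBusinessHours(Calendar.getInstance().get(Calendar.HOUR_OF_DAY))) {
            return false;
        }
        return delegate.implies(domain, permission);   // the normal role-based decision
    }

    boolean withinBusinessHours(int hourOfDay) {
        return hourOfDay >= openHour && hourOfDay < closeHour;
    }

    @Override
    public PermissionCollection getPermissions(CodeSource codeSource) {
        return delegate.getPermissions(codeSource);
    }

    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        return delegate.getPermissions(domain);
    }

    @Override
    public void refresh() {
        delegate.refresh();
    }
}
```

Because the rule is evaluated in implies() and not in the deployment-time PolicyConfiguration, it applies to every request at request time, which is what a time-dependent decision needs; the role mapping from the Subject still comes from the delegate, so the correlation with the authentication mechanism described on the "What is JSR-115" slide is preserved.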
Java Authorization Contract for Containers (JSR-115): To install a new provider
Under Server-Config or any other config node:
– Create a new entry under Security > JACC Provider
– Select the newly installed provider under Security
Are there more basics to know?
Yes, the OWASP Top 10
Java EE Security, GlassFish: Things to remember
– Data that is only ever compared (passwords, for instance) should be stored as salted hashes
– Encrypted data does not need to have clear-text copies
– Keys must be protected properly
– Use the security manager and policy files
– Avoid forwards and redirects based on user-provided values
– Pay enough attention to role mappings
– Choose the right security realm
Java EE Security, GlassFish: Things to remember
– Watch out for SQL injection: limit database access, use bind parameters, etc.
– Understand what you are storing in the session
– Never store unencrypted cookies with important bits
– Transmit cookies securely when needed: Cookie.setSecure(true)
Java EE Security, GlassFish: Things to remember
– Use a service-specific user in the OS
– Use the security manager and policy files
– Configure the listeners properly
– Do not use the alias feature
– Do not use the default (admin) accounts
– Check the OWASP Top 10 talk and resources