Page 1: J wagner security

Web Application Security

Using Oracle products as an example

Page 2

Syllabus

• It seems that organizations are taking security more and more seriously these days. One motivator is avoiding embarrassment, which can collapse the organization in a hurry. The architecture of a web-based application has a number of complexities when it comes to implementing security properly. Jonathan will talk about some of these complexities and identify a number of considerations that can save you time and money. In particular, he will explain how the Oracle suite of products integrates, and use that as a concrete example. Architects, developers, and DBAs will learn from topics such as virtual private databases, single sign-on, cookies, Hibernate interactions, and role-based security.

Page 3

Setting the stage …

• Who is in the audience? Which one are you?
  • Architect
  • Database Administrator (DBA)
  • Developer
    • Java
    • Other
  • Other
• Goals:
  • General understanding
  • Advice related to security in a web application
  • Drill into some unobvious specifics
• Questions?

Page 4

What’s the big deal?

We have some challenges …

• Technology is more susceptible and more complicated
  • unwanted system access
  • localized damage
  • global damage
  • how do decision makers respond to pain? ~~ rational thinking
• Data (and Process) Ownership Trends
  • Silos → Sharing
• Terminology confusion ~~ talk about the same thing: Einstein quote
  • Organizations → Products AND Services
• Potential huge costs, time and $$$$
  • Educate and then ask, are you sure?

Page 5

Legal stuff …

• Legal questions can delay a project
  • submit questions as early as possible
  • get feedback as early as possible
  • legal requirements are hard and fast – know them early to avoid expensive rework

Page 6

LEAN – Agile – Manage

Did someone say something about Security?

Page 7

Web Application Architecture

Page 8

Step 1

• www.TeenagerExpenses.mb.ca
• Ask the Domain Name Server to provide a machine-readable address, called an Internet Protocol (IP) Address

Page 9

Step 2

• www.TeenagerExpenses.mb.ca = 233.168.324.234

Page 10

Step 3

• Reverse Proxy (Oracle’s WebCache)
  • Guard at the door into the architecture
  • In the middle of the DMZ sandwich
  • Robust solutions include:
    • Caching of static “public” content (picture files, JavaScript)
    • Load Balancing
    • Decryption of HTTPS requests … more on that later

Page 11

Step 4

• The Web Application Server is the brains with all the business logic --- it knows what to do with the HTTP GET request

Page 12

Step 5

• The server needs to first get a list of teenagers, and so, get it from the server responsible for persisting information

Page 13

Step 6

• Teenager Result Set:
  • Raelene
  • Jenna

Page 14

Step 7

• Let’s send an HTTP Response of HTML:

  <Label>Teenager Name:</Label>
  <SelectionBox>
    <Selection>Raelene</Selection>
    <Selection>Jenna</Selection>
    …

Page 15

Step 8

Page 16

Step 9

Page 17

Web Application Architecture

Page 18

Web Application Architecture

Page 19

Audit Columns

• Every table in the database includes the following columns:
  • A_CREATED_BY
  • A_CREATED_TIMESTAMP
  • A_MODIFIED_BY
  • A_MODIFIED_TIMESTAMP
• Know the effects of the Sarbanes-Oxley act
• Create a companion history table for every table in the database. It will be a complete history of “snapshots”. These tables have the exact same columns plus a timestamp column. (Data is almost free!)

Page 20

Web Application Architecture

We are now going to concentrate on the Database. We will talk about:

• Virtual Private Databases
• Oracle Label Security

Page 21

Database Tables

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE
1           | Cell       | 45.00  | Oct 1
1           | Gum        | 1.35   | Oct 6
2           | Help Haiti | 4.00   | Oct 8

Page 22

Raelene is allowed to see this …

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE
1           | Cell       | 45.00  | Oct 1
1           | Gum        | 1.35   | Oct 6
2           | Help Haiti | 4.00   | Oct 8

Page 23

Jenna is allowed to see this …

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE
1           | Cell       | 45.00  | Oct 1
1           | Gum        | 1.35   | Oct 6
2           | Help Haiti | 4.00   | Oct 8

Page 24

A VPD

• A Virtual Private Database (VPD) = restricts access on horizontal slices
• Oracle Label Security is an implementation of a VPD

Page 25

Who can view/edit what data?

• Label Security allows you to create a policy on the TEENAGER_ID

[Figure: data slices TEENAGER_ID = 1 (Raelene) and TEENAGER_ID = 2 (Jenna) with label tags 100 and 200; users Jenna and Raelene each see their own slice, and Parents have God-like access to both.]

Page 26

Database Tables with Label Security column added …

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE  | LS_TEENAGER
1           | Cell       | 45.00  | Oct 1 | 100
1           | Gum        | 1.35   | Oct 6 | 100
2           | Help Haiti | 4.00   | Oct 8 | 200

Page 27

Jenna will get a different answer than Raelene and the Parents!

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE  | LS_TEENAGER
1           | Cell       | 45.00  | Oct 1 | 100
1           | Gum        | 1.35   | Oct 6 | 100
2           | Help Haiti | 4.00   | Oct 8 | 200

SELECT sum(amount)
FROM EXPENSE

Page 28

Jenna will get a different answer than Raelene and the Parents!

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE  | LS_TEENAGER
1           | Cell       | 45.00  | Oct 1 | 100
1           | Gum        | 1.35   | Oct 6 | 100
2           | Help Haiti | 4.00   | Oct 8 | 200

SELECT sum(amount)
FROM EXPENSE
WHERE LS_TEENAGER IN (100)

Page 29

Parents type in …

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE  | LS_TEENAGER
1           | Cell       | 45.00  | Oct 1 | 100
1           | Gum        | 1.35   | Oct 6 | 100
2           | Help Haiti | 4.00   | Oct 8 | 200

SELECT sum(amount)
FROM EXPENSE

Page 30

… and this is what happens under the covers:

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE  | LS_TEENAGER
1           | Cell       | 45.00  | Oct 1 | 100
1           | Gum        | 1.35   | Oct 6 | 100
2           | Help Haiti | 4.00   | Oct 8 | 200

SELECT sum(amount)
FROM EXPENSE
WHERE LS_TEENAGER IN (100, 200)

Page 31

DBMS Triggers are used for INSERTs and UPDATEs

• TEENAGER
• EXPENSE

TEENAGER
TEENAGER_ID | TEENAGER_NAME
1           | Raelene
2           | Jenna

EXPENSE
TEENAGER_ID | DETAILS    | AMOUNT | DATE   | LS_TEENAGER
1           | Cell       | 45.00  | Oct 1  | 100
1           | Gum        | 1.35   | Oct 6  | 100
2           | Help Haiti | 4.00   | Oct 8  | 200
2           | Book Fine  | 1.00   | Oct 16 | Calculated by DBMS Trigger

INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, DATE)
VALUES (2, 'Book Fine', 1, 'Oct 16')

Oracle Label Security auto-generated a DBMS Trigger on the EXPENSE table. The trigger calculates 200 based on TEENAGER_ID.
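The predicate rewriting of pages 27 to 30 and the label-stamping trigger of this slide, carried through as an added example in Oracle SQL/PL-SQL that is not the deck's own code. It uses plain VPD (the DBMS_RLS package) rather than the Oracle Label Security product, which the deck describes as one implementation of a VPD, so the effect is the same appended WHERE clause; the schema name APP, the account names RAELENE/JENNA/PARENT, and the TEENAGER_ID * 100 tag rule are assumptions, with 100/200 taken from the page 26 table:

```sql
-- Constructed example (not the deck's code). EXPENSE with the LS_TEENAGER tag
-- column; 100/200 follow the table on page 26 (TEENAGER_ID 1 -> 100, 2 -> 200).
CREATE TABLE expense (
  teenager_id  NUMBER        NOT NULL,
  details      VARCHAR2(100) NOT NULL,
  amount       NUMBER(10,2)  NOT NULL,
  expense_date DATE          NOT NULL,
  ls_teenager  NUMBER                 -- row label tag, never set by the application
);

-- Stand-in for the trigger Oracle Label Security generates: derive the label from
-- TEENAGER_ID (TEENAGER_ID * 100 is an assumed mapping reproducing 100/200).
CREATE OR REPLACE TRIGGER expense_label_trg
  BEFORE INSERT OR UPDATE OF teenager_id, ls_teenager ON expense
  FOR EACH ROW
BEGIN
  :NEW.ls_teenager := :NEW.teenager_id * 100;  -- also overrides a client-supplied tag
END;
/

-- VPD policy function: returns the predicate the database appends to every
-- statement against EXPENSE. Readable labels are keyed off the connected database
-- user (the deck connects as the end user); the three account names are assumed.
CREATE OR REPLACE FUNCTION expense_label_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  RETURN CASE SYS_CONTEXT('USERENV', 'SESSION_USER')
           WHEN 'RAELENE' THEN 'ls_teenager IN (100)'
           WHEN 'JENNA'   THEN 'ls_teenager IN (200)'
           WHEN 'PARENT'  THEN 'ls_teenager IN (100, 200)'
           ELSE '1 = 0'   -- fail closed: an unmapped user sees no rows
         END;
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'EXPENSE',
    policy_name     => 'EXPENSE_LABEL_POLICY',
    function_schema => 'APP',
    policy_function => 'EXPENSE_LABEL_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);  -- reject writes that would be invisible to the writer
END;
/

-- The same statement every user types; the policy rewrites it per session.
SELECT SUM(amount) FROM expense;
```

With update_check set, a session connected as RAELENE that inserts a row for TEENAGER_ID 2 gets tag 200 from the trigger and is then rejected by the policy, so a user cannot write into a slice they cannot read.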

Page 32

Label Security can have up to 3 groupings

[Figure: data slices TEENAGER_ID = 1, TEENAGER_ID = 2 and EXPENSE_TYPE = 8; user groups Grandparents, Teenagers and Younger Siblings; label tags 100, 200, 8,000 and 770,000.]

Page 33

Take a break …

• A story about University …

Page 34

Web Application Architecture

Page 35

LDAP

Oracle OAM & OID

• LDAP = Lightweight Directory Access Protocol
• Oracle Internet Directory is an implementation of directory services, LDAPv3
• Oracle Access Manager (OAM) enforces policies and works with OID
  • Watch out for your firewall settings -- timeouts
• Active Directory can “connect”
  • DIP (Directory Integration Platform) transfers names and passwords

Page 36

Oracle LDAP Components

All the “green” servers support the LDAP responsibilities. Oracle Access Manager (OAM) is the main interface into the outside world. However, the “purple” Oracle Database has some direct connections with Oracle’s LDAP (OID), probably for performance reasons. In theory, the dashed lines below were not really necessary.

The two columns of “green” servers indicate that they can be clustered, and the set of servers can be in different locations.

Page 37

Web Application Architecture

How does the LDAP interact with the Web Application Server?

Page 38

Oracle LDAP Interfaces

Page 39

Web Application Architecture

Page 40

Simplified Web Application Architecture

Page 41

Simplified Web Application Architecture

• HTTP Server – Oracle’s MOD_OC4J
• Web Application Container – Oracle’s OC4J … and soon WebLogic

Page 42

Web Server interactions with LDAP

The “Happy Path” …

The Browser makes an HTTP Request, via interaction #1. The HTTP Server looks at this request and asks the LDAP Access services whether this request is allowed to proceed. This is done via interaction #2. If the answer is positive, it passes on the request to the destination, via interaction #3.

Page 43

Web Server interactions with LDAP

The “Happy Path” continued …

In this “Happy Path” scenario the user has already authenticated (i.e. logged in).

Oracle can place authentication data in “HTTP Headers” and/or in some “cookies”. It gives information about the User ID, expiry time, etc. [Refer to interactions #1 & #3]

Page 44

Web Server interactions with LDAP

The “Happy Path” continued …

The authorization rules are enforced in two different places:

• Interaction #2 – Can protect basic requests, such as URL requests that start with www.TeenagerExpenses.mb.ca/expenses
• Interaction #4 – Using LDAP Queries, it can look up more fine-grained permissions such as: www.TeenagerExpenses.mb.ca/expenses/expense_details.jsp

Page 45

Authorization and Role-based Security

Page 46

Web Server interactions with LDAP

The “Happy Path” continued …

The authorization rules are enforced in two different places:

• Interaction #2 – Basic requests based on OAM policies
• Interaction #4 – Fine-grained, based on LDAP Queries / Role-based Security

Decide which interaction is responsible for what, early in the project!

Page 47

Authorization and Role-based Security

User – Role – Feature

• Can be tricky. Can’t control the number of users. But you can control the number of Roles and Features.
• Roles – Configure Roles and role names to match the actual physical business processes – people need to understand them. Be ready to refactor!


Page 49

Authorization and Role-based Security

• Features – Pick the number of features wisely, keep them to a minimum and understandable.
• Ask questions! Find out what the real requirement is. “Are you sure?” “Can this one feature represent both the search and the detail page?” “How easy is it to test?”

Fine-grained control (Complicated) ←→ Coarse-grained control (Simple)
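A concrete User – Role – Feature model for the fine-grained check at interaction #4 (pages 44 to 49), as an added example in Oracle SQL/PL-SQL that is not the deck's own code. It is one way the deck's advice can be applied: a feature is keyed by the URL path it guards, so one feature covers both the search and the detail page. The table and column names, the two roles, the two features and the user names are assumptions for illustration; the /expenses path comes from page 44:

```sql
-- Constructed example (not the deck's code) of the User – Role – Feature model.
-- A feature is keyed by the URL path it protects, so one feature can cover both
-- the search page and the detail page under it.
CREATE TABLE app_role    (role_name VARCHAR2(64) PRIMARY KEY);
CREATE TABLE app_feature (feature_name VARCHAR2(64) PRIMARY KEY,
                          path_prefix  VARCHAR2(256) NOT NULL UNIQUE);
CREATE TABLE user_role   (user_id VARCHAR2(128), role_name VARCHAR2(64),
                          PRIMARY KEY (user_id, role_name),
                          FOREIGN KEY (role_name) REFERENCES app_role);
CREATE TABLE role_feature (role_name VARCHAR2(64), feature_name VARCHAR2(64),
                           PRIMARY KEY (role_name, feature_name),
                           FOREIGN KEY (role_name)    REFERENCES app_role,
                           FOREIGN KEY (feature_name) REFERENCES app_feature);

-- Roles named after the business process; few, understandable features.
INSERT INTO app_role VALUES ('TEENAGER');
INSERT INTO app_role VALUES ('PARENT');
INSERT INTO app_feature VALUES ('VIEW_EXPENSES',    '/expenses/');
INSERT INTO app_feature VALUES ('APPROVE_EXPENSES', '/expenses/approve/');
INSERT INTO role_feature VALUES ('TEENAGER', 'VIEW_EXPENSES');
INSERT INTO role_feature VALUES ('PARENT',   'VIEW_EXPENSES');
INSERT INTO role_feature VALUES ('PARENT',   'APPROVE_EXPENSES');
INSERT INTO user_role VALUES ('raelene', 'TEENAGER');
INSERT INTO user_role VALUES ('mom',     'PARENT');

-- The fine-grained check at interaction #4: does any of the user's roles grant
-- the feature that owns the request path? The longest matching prefix decides,
-- so the broad /expenses/ feature never opens up /expenses/approve/. A path no
-- feature claims yields 'N' (fail closed). Prefixes are compared with SUBSTR,
-- not LIKE, so '_' and '%' in a path are never treated as wildcards.
CREATE OR REPLACE FUNCTION may_access (p_user IN VARCHAR2, p_path IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_hits NUMBER;
BEGIN
  SELECT COUNT(*) INTO v_hits
    FROM user_role ur
    JOIN role_feature rf ON rf.role_name   = ur.role_name
    JOIN app_feature  f  ON f.feature_name = rf.feature_name
   WHERE ur.user_id = p_user
     AND f.path_prefix = (SELECT MAX(path_prefix)
                                 KEEP (DENSE_RANK LAST ORDER BY LENGTH(path_prefix))
                            FROM app_feature
                           WHERE SUBSTR(p_path, 1, LENGTH(path_prefix)) = path_prefix);
  RETURN CASE WHEN v_hits > 0 THEN 'Y' ELSE 'N' END;
END;
/
```

With this data may_access('raelene', '/expenses/expense_details.jsp') is 'Y' while may_access('raelene', '/expenses/approve/1') is 'N', because the narrower feature, which she does not hold, owns that path.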

Page 50

Web Server interactions with LDAP

The “Unhappy Path” …

The “unhappy” path is one where the user has not logged in yet. The Web Application Container can have two applications:

• The OAM Single Sign-On (SSO) “helper” application, which includes these pages: login, logout, and not authorized
• The business application, such as the “expenses” test application

Page 51

Web Server interactions with LDAP

Log out …

Your web applications will point to a logout page in the SSO application. It can (or should) invalidate the web applications under its protection.

Page 52

Web Application Architecture

The Report Server

Page 53

Oracle BI Publisher Report Server

• It has its own built-in security that doesn’t work directly with OAM – Read up on how to integrate them.

Page 54

Web Application Architecture

Database connections

Page 55

Database Connections

• Perform adequate performance tests on these interactions
• Because we implemented a VPD at a low level, we want to ensure that the end-user will be restricted from the bottom up, and that means to connect as that user.
  • Experience: Can take up to 5 seconds to “stamp” a user onto a proxy connection. The solution is to make a connection pool for each user
  • Experience: The setup and use of Label Security is expensive
• Alternatives??

Page 56

(If we have time …)

1. Creating a log of access – find out if one is needed early in the project
2. Web Analytics – find out if test users are needed in production, and what that means
3. Security on Web Services & Services (SOA) – again, find out if this extra layer needs its own gatekeeper of security
4. The need for Backend Reports with BI Publisher
5. Data Encryption in the Database

Page 57

Web Application Security

Using Oracle products as an example

By: Jonathan Wagner, October 2011

[email protected]