Java2Days - Security for JavaEE and the Cloud

Copyright © 2016, Creative Arts & Technologies and others. All rights reserved.

Security for Java EEand the CloudWerner KeilJSR 375 EG Member@wernerkeil

November 16, 2016

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 2

Safe Harbor StatementThe following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

© 2016 Creative Arts & Technologies and others. All rights reserved.#JavaSecurity @jsr375

Who am I?Werner Keil

• Consultant – Coach• Creative Cosmopolitan• Open Source Evangelist• Software Architect• Spec Lead – JSR363• Individual JCP Executive Committee Member

[www.linkedin.com/in/catmedia]


Agenda1. Motivation2. Identity Use Cases3. How can JSR 375 help?4. More Security Use Cases5. Way Forward?6. Get Involved


Motivation• Where enterprise apps run is changing

– In corporate data centers– In the cloud from one of several vendors

• The shape of the Enterprise app is changing– A monolith or a collection of microservices

• These factors– Drive complexity in how apps are built, deployed, managed,

operated– Drive complexity in how apps need to work in their target

environment• Can we still stay secure after these changes?


Deployed On premise• Deployed within the corporate network• Authenticates to on premise

identity systems• May use on premise Single Sign-on to

secure web resources• Authorization : managed by application,

mapped to on premise identity• Identity propagation to external entitiesrelies on SAML, Basic Auth• Secrets in local stores with several layers

of control


Deployed in the Cloud• Cloud Vendor for controls on network• Social logins, external Identity Systems• SSO using a Cloud Identity provider• REST needs OAuth• Identity Propagation - SAML,

Basic Auth plus OAuth and JWT• More interactions – cloud, on premise• Authorization - from one of several

identity providers• Secrets need defense in depth – encryption,

securing the encryption key?


Microservices in the Cloud• All issues of Java EE App in the cloud

Plus• App Boundary is changing

E Distributed processes, scale independentlyE Identity on every hop?E Each micro service deals with identity?E Each micro service authorizes access?E Each micro service manages secrets?E What about Statelessness, configuration ?E What about the network boundary?

Which micro services are public?


Identity Use Cases

Why are these so important in the Cloud?


Use CaseAuthentication• Application may manage its users or use externally managed

users• Application must authenticate users against one of several

identity stores• Application must support one of these authentication methods

E Basic Auth, OpenID Connect• Application is able to handle Authentication events (login,

logout)• Developer is able to use a portable Authentication API

regardless of the identity store


Use CaseIdentity Store• Application may manage its users or use externally managed

users• Application must be able access the identity store• Application can be bound to one or more identity stores at

deployment• Identity Store bound to the Application can be reconfigured


Use CaseIdentity Representation• Application must be able to determine identity of the caller• Application is able to determine user’s groups.• Application knows caller identity consistently, as identity stores

change


Use CaseSecurity Context• Application is able to determine user attributes consistently

E Authenticated userE Groups, RolesE Identity Provider that issued claims used in creating the SubjectE Local or remote user? Virtual User?

• Application needs a consistent API to access security context

@YourTwitterHandle#DVXFR14{session hashtag} © 2016 Creative Arts & Technologies and others. All rights reserved.#JavaSecurity @jsr375

How ca

n

JSR 37

5

help?


JSR 375Relevance to the Cloud• Standardize Terminology• API for Authentication mechanism• API for Identity Store• API for Security Context• API for Password Aliasing• API for Role/Permission Assignment• API for Authorization Interceptors

A necessary foundation for the Cloud


JSR 375 – Survey ResultsJava EE 8 Survey• Survey results

(from 2014)• 4500 total responses• Priorities Pie Chart


JSR 375 – Survey ResultsSecurity details


JSR 375 – Survey ResultsSecurity details

• Deferred from Java EE 7


JSR 375 – Candidates for EGAuthentication Mechanism• Portable API for Authentication

E Abstracts the specific Identity Store against which to Authenticate• Simple configuration• Extensible to support protocols such as OpenID Connect and

OAuth• Produces a Consistent representation of an authenticated

Subject• Authentication Events• Use JASPIC (JSR 196) ?


JSR 375 – Candidates for EGIdentity Store• Abstract the Identity Store used by an application• Simple configuration• Support a variety of Identity stores

E Lightweight k-v development storesE Traditional stores – LDAP, DBE Cloud-specific stores e.g. Social Logins, 3rd-party Cloud Identity

providers


JSR 375 – Candidates for EGIdentity Store• Orderable to support multiple identity stores• Abstraction to support variety of credential types

E Username/PasswordE OAuth Client ID & SecretE JWT Tokens


JSR 375 – Candidates for EGSecurity Context• Consistent API regardless of container• Enables Application to determine

E User’s identityE Identity Provider that was used to establish identityE Which groups or roles the user belongs to


JSR 375 – Candidates for EGSecurity Context Example// Security Contextpublic interface SecurityContext{String getUserPrincipal();boolean isUserInRole(String role);List<String> getAllUsersRoles();boolean isAuthenticated();

}


Is th

ere m

ore

to Se

curit

y

than

Ident

ity?


AuthorizationLots to cover• OAuth2• Role/Permission Assignment• Authorization Interceptors


26

OAuthOAuth is a protocol to delegate rights for an application to act

on behalf of a user who granted its rights without giving away their login / password

Developed by Twitter, Magnolia and Google, it was made standard by IETF in April 2010 under RFC 5849

History


27

OAuthVersion 2.0, simpler to use but often criticized by its too many

implementation s was standardized in October 2012 under RFC 6749 and 6750. It’s already used by many actors (Social Networks like Facebook, Google, Microsoft as well as other API providers )

All social services are based on OAuth 1.0a or 2.0.To use OAuth, one has to create an application on the targeted

service to have an entry point for consumer.

OAuth2


28

OAuthOverview• An Authorization/Delegation Framework• Standardized by RFC6749

E RFC 6750 using bearer tokensE RFC 6819 Security considerations

• On a foundation of Token standardsE JSON Object Signing Encryption (JOSE)E JWT (RFC7519), JWS (RFC7515), JWE (RFC7516),

JWA (RFC7518), JWK (RFC7517)


29

OAuthConcepts• Actors

E Resource OwnerE ClientE Resource, Resource serverE Authorization Server

• Authorizations represented as ‘scopes’


30

OAuth DanceCreating an application in the OAuth Social Media service

Initialization : the right granting phase also called the OAuth Dance. At the end of the dance we obtain an access token

(formed by a public and secret part) to use in next step

Signature : each request is signed with access token and token identifying the OAuth application that was granted the rights

OAuth has 3 steps


In Memoriam

January 8, 1947 – January 10, 2016

David Bowie

Image © 1983 EMI America Records. All Rights Reserved.


32

OAuth Step 1 : Create an application


33

OAuth : application settings


34

The OAuth 1.0a «Dance»

client asks for a resource on the consuming service

Consuming service server

Social Media Service(where OAuth application is declared)

Consuming service redirect user on the social media login page

token is returned by SM

Consuming service ask a request token tot he Social Media (using OAuth application keys). It also send a callback url

Once authenticated, social media redirects user on call back url with a verification code

with the code and request token consuming service request an access token

Social media returns Access token

user


35

OAuth 2.0 «Dance» now in SSL

client asks for a resource on the consuming serviceSSL is mandatory Consuming service server

Social Media Service(where OAuth application is declared)

Consuming service redirect user on the social media login page

Once authenticated, social media redirects user on call back url with a verification code

with the code and request token consuming service request an access token

Social media returns Access token

user


36

OAuth Signature : original request

POST /1/statuses/update.json?include_entities=true HTTP/1.1Accept: */*Connection: closeUser-Agent: OAuth gem v0.4.4Content-Type: application/x-www-form-urlencodedContent-Length: 76Host: api.twitter.com

status=Hello%20Ladies%20%2b%20Gentlemen%2c%20a%20signed%20OAuth%20request%21


37

OAuth Signature : request & OAuth params

status Hello Ladies + Gentlemen, a signed OAuth request!

include_entities true

oauth_consumer_key xvz1evFS4wEEPTGEFPHBog

oauth_nonce kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg

oauth_signature_method HMAC-SHA1

oauth_timestamp 1318622958

oauth_token 370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb

oauth_version 1.0


38

OAuth Signature : parameter stringinclude_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21


39

OAuth Signature : Base String

POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&include_entities%3Dtrue%26oauth_consumer_key%3Dxvz1evFS4wEEPTGEFPHBog%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318622958%26oauth_token%3D370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb%26oauth_version%3D1.0%26status%3DHello%2520Ladies%2520%252B%2520Gentlemen%252C%2520a%2520signed%2520OAuth%2520request%2521


40

OAuth Signing key

VQ5CZHG4qUoAkUUmckPn4iN4yyjBKcORTW0wnok4r1k&LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE

Application consumer key secret part

Access Token secret part


41

OAuth Signature : Signed requestPOST /1/statuses/update.json?include_entities=true HTTP/1.1

Accept: */*Connection: closeUser-Agent: OAuth gem v0.4.4Content-Type: application/x-www-form-urlencodedAuthorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1318622958", oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb", oauth_version="1.0"Content-Length: 76Host: api.twitter.com

status=Hello%20Ladies%20%2b%20Gentlemen%2c%20a%20signed%20OAuth%20request%21


Ideas for OAuth2Server Side• Annotate resources to be secured• Annotate if resource needs BASIC or OAuth2• For OAuth2 secured resources, standardize scope declaration• Standardize OAuth Resource registration with Authorization

Server• Adapt to specific Authorization Servers• Document Auth method, scopes – Swagger?• Subject to further exploration with EG, JAX-RS and Servlet Specs


Ideas for OAuth2Client Side• Lifecycle to handle Client registration

E Static or dynamically created ClientsE Secure management of Client ID/secrets

• Discover capabilities on Targets for constructing scopes in Token requests

• Abstractions to acquire TokenE OAuth2 Flows as StrategiesE Token Expiry handling

• Abstraction to inject Tokens on invocation


44

OpenID Connect (OIDC)Overview• Authentication Protocol built on OAuth2• Session Management – Single Sign on, Out• An additional Token Type – ID Token• UserInfo, Discovery, Client Self-registration Endpoints• Specs : OpenID core, Discovery, Client Registration

http://openid.net/specs/openid-connect-core-1_0.html

http://openid.net/specs/openid-connect-discovery-1_0.html

http://openid.net/specs/openid-connect-registration-1_0.html


OpenID ConnectUse Case• At deployment, Application is configured to be secured by OIDC• Application must continue to rely on well known abstractions

forE IdentityE AuthenticationE Authentication Events


OpenID ConnectWhat does this mean to the App?• An App developer

E Needs a consistent API to abstract the Identity store, authentication mechanism, identity representation

E Can rely on configuration alone, to change as the App progresses• DevOps can easily change configuration to suit the

environment


Role/Permission AssignmentUse Case• Application may manage its users or use externally

managed users• Application needs to assign roles to users, groups based

on application specific model


Role/Permission AssignmentProblem Statement• Users or Groups assigned to Roles changes based on

deployment• User, Group representations change based on bound

Identity Store• OAuth2 Scopes vs Roles – do they overlap? Are they

complementary?


Role/Permission AssignmentIdeas• Support via Deployment• descriptors e.g. web.xml

E Change binding at deployment• Assign Scopes on OAuth2 resources to roles?

E Enables App to bind Scopes to RolesE While mapped Users, Groups change


Role/Permission AssignmentIdeas• Support via Deployment• descriptors e.g. web.xml

E Change binding at deployment• Assign Scopes on OAuth2 resources to roles?

E Enables App to bind Scopes to RolesE While mapped Users, Groups change


Role/Permission AssignmentExample<security-role-map>

<group>SalesSupport</group><role-name>CSR</role-name>

</security-role-map>

public class Customers{@RolesAllowed(“CSR”)@GETpublic String get()...

}


Authorization InterceptorsUse Case• Application must restrict access to functionality• Roles alone are too coarse grained• Application business model determines rules that drive

access


Authorization InterceptorsProblem Statement• No Consistent Interceptor for policy enforcement• No Consistent externalizable Rules• Need to be bindable to changing identities by Business

and Operations


Authorization InterceptorsIdeas• Standardize Interceptors• Enable Security teams to build custom Authorization

logic• Externalized, standardized rule language• Identity and SecurityContext aware


Secrets

Image © 2016 ABC Studios. All Rights Reserved.


SecretsUse Case• Application needs to be able to securely manage secrets• Secrets may include passwords to resources e.g. OAuth Client ID +

secrets• Applications are able secure secrets in a portable way• Secrets are never stored in clear text• Values change and are bound per deployment• State has to be externalized

E Application may consume secrets from a Key Management System (KMS)


SecretsIdeas• Application refers to secrets via Aliases• Aliases configured via Annotations or Deployment Descriptors• Lifecycle

E Bundle Alias + value as a secrets archive with the applicationE Bind values to Aliases at Deployment

E From an external KMS?

E Tooling to manage secrets archive• Rely on PKCS12 support in java.security.KeyStore ?


58

Consistently SecureOn premise to Cloud


Way Forward?• Standardize Terminology• Authentication mechanism• Identity Store• Security Context

• Authentication – OpenID Connect• Authorization (incl. OAuth)• Secret Management (incl. Password

Aliasing)• Security micro services• Packaging, Configuration, Binding

Java EE 8

Java EE 9


60


Java EE 9 CandidatesOpen ID ConnectProblem Statement• Enable using OIDC for Authentication at Deployment• Transparent to the Application• Solely through Configuration• Regardless of specific OIDC Implementation


Java EE 9 CandidatesOpen ID ConnectIdeas• OIDC Flows as an AuthenticationMechanism• Standardize, abstract necessary configuration• Configurable at deployment


Java EE 9 CandidatesOpen ID ConnectIdeas• Encapsulate within the SecurityContext

E Representations of user identity, group membershipsE Based on Claims in OIDC Identity Token from Open ID Provider

(OP)• Provide Applications access to /userInfo endpoint via the

IdentityStore abstraction


Java EE 9 CandidatesAuthorization• Discover/publish OAuth Resources• OAuth Client registration• Authorization Interceptors• Authorization Rules EL• Role/Permission assignment


Java EE 9 CandidatesSecret Management• Abstracting secrets the application needs• Bind secret values at deployment• Standardize binding values from KMS systems


Java EE 9 CandidatesSecret Management• Abstracting secrets the application needs• Bind secret values at deployment• Standardize binding values from KMS systems


Java EE 9 CandidatesSecurity Micro ServicesIdentity Services• Authentication implementations• Authentication Configuration• IdentityStore Configuration, handling• Token Acquisition, Exchange


Java EE 9 CandidatesSecurity Micro ServicesSecrets Management• APIs to manage secrets• APIs to get secrets• Abstracts persistence, state management


Java EE 9 CandidatesSecurity Micro ServicesAuthorization Service• APIs to publish, manage policy, role mapping• APIs to get decisionsMix-in Services as functionally neededPackaging and Lifecycle• Standardize Security Configuration• Externalize Configuration• Bind Values at deployment


Java EE 9 CandidatesSecurity Micro ServicesIdentity Services• Encapsulate within the SecurityContext

E Representations of user id entity, group membershipsE Based on Claims in OIDC Identity Token from Open ID Provider

(OP)• Provide Applications access to /userInfo endpoint via the

IdentityStore abstraction


Action

!

Images: Nu Image / Millennium Films


LinksJSR detail page on JCP.org: https://www.jcp.org/en/jsr/detail?id=375Spec Page on java.net: https://java.net/projects/javaee-securityspec

Java.net Mailing List : [email protected] Google Group: [email protected] Group: [email protected] Account: @jsr375

Project website on GitHub: https://github.com/javaee-security-spec

Project Agorava: http://www.agorava.org

https://www.jcp.org/en/jsr/detail?id=375

https://java.net/projects/javaee-securityspec

mailto:[email protected]



https://github.com/javaee-security-spec

http://www.agorava.org/


Q & A

Technology

Java2Days - Security for JavaEE and the Cloud