Utilize the Full Power of GlassFish Server and Java EE Security
In this session, learn how to utilize Java EE security and what GlassFish Server technology provides to address your security requirements. The presentation goes over how to develop new JASPIC (JSR-196) or JACC (JSR-115) modules and plug them into GlassFish.

Presentation Transcript

  • Slide 1: Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
  • Slide 2: Utilize the Full Power of GlassFish Server and Java EE Security. Masoud Kalali, Principal Member of Technical Staff, Oracle. Twitter: @MasoudKalali. Blog: http://kalali.me
  • Slide 3: Program Agenda
    – Introduction
    – Java EE Security API
    – Java Authentication Service Provider Interface (JSR-196)
    – Java Authorization Contract for Containers (JSR-115)
  • Slide 4: Introduction
  • Slide 5: Java EE Security API, Terms
    – Subject: an individual identity that is to be authenticated.
    – Group: a group of users with common permissions and access levels.
    – Security Realm: connects the application server to its identity storage.
    – Role: a Java EE concept for defining access levels.
    – Principal: in effect, a role attached to an authenticated subject.
    – Credential: contains or references information used to authenticate a principal.
  • Slide 6: Java EE Security API, Before anything else
    – Identify the sensitive data.
    – Identify the roles that have access to sensitive data.
    – Identify the resources that represent sensitive data.
    – Group the resources just identified into meaningful sets.
    – And document the above items!
  • Slide 7: Java EE Security API, Resource Protection
    – Authentication: at the web container; at the application client container
    – Authorization (access control): at the web container; at the EJB container
    – Subject propagation: from the web container to the EJB container; from the application client to the EJB container; from the EIS to the connector (inflow messages)
  • Slide 8: Java EE Security API, Authentication
    – When a protected resource is requested, establish the client's identity.
    – Authentication methods: Form, Basic, Digest, Client-Cert
  • Slide 9: Java EE Security API, Authentication continued. Specify the protected resources in web.xml: the web-resource-collection names the protected URLs and methods, the auth-constraint the permitted role(s), and the user-data-constraint the transport guarantee level. (The web-resource-name element is added here because the web.xml schema requires it; it was not on the slide.)

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>manager</web-resource-name>
        <url-pattern>/manager/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

  • Slide 10: Java EE Security API, Authentication continued. Specify the login configuration: auth-method picks one of the four methods, and realm-name selects the security realm.

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>jdbc-realm</realm-name>
    </login-config>

    – HTTP Basic Authentication: BASIC
    – Digest Authentication: DIGEST
    – HTTPS Client Authentication: CLIENT-CERT
    – Form-Based Authentication: FORM
  • Slide 11: Java EE Security API, Got your own way of authenticating? Use programmatic login in Java EE 6.
    – Benefit from all that container security provides: principal propagation, unified security exceptions, any auditing/logging the container provides, and authentication against the configured realm.
    – Do more than just two tokens (multi-factor authentication): mix and match third-party soft tokens with username/passwords.
  • Slide 12: Java EE Security API, Got your own way of authenticating? The SMS code is checked first, then the container authenticates the username/password against the configured realm. getLastActiveSmsForUser and invalidateLastSmsForUser are the application's own helpers; a null guard on the request parameter is added so a missing parameter cannot throw a NullPointerException.

    String userName = request.getParameter("user");
    String password = request.getParameter("password");
    String enteredSmsCode = request.getParameter("enteredSms");
    if (enteredSmsCode != null && enteredSmsCode.equals(getLastActiveSmsForUser(userName))) {
        try {
            request.login(userName, password);   // container login against the configured realm
        } catch (ServletException ex) {
            // Handling exception
        }
    } else {
        invalidateLastSmsForUser(userName);      // a wrong code burns the current SMS code
    }
  • Slide 13: To wrap it up: the security-related structure of web.xml and *-web.xml, and role mapping.
  • Slide 14: Java EE Security API, Security-related methods on HttpServletRequest
    – String getRemoteUser(): if the user is authenticated, returns the username; otherwise returns null.
    – boolean isUserInRole(String role): returns whether the current user has the specified role.
    – Principal getUserPrincipal(): returns a java.security.Principal object containing the name of the current authenticated user.
    – String getAuthType(): returns a String containing the authentication method used to protect this application.
    – void login(String username, String password): performs the programmatic login explained above.
    – void logout(): establishes null as the value returned when getUserPrincipal, getRemoteUser and getAuthType are called on the request.
    – String getScheme(): returns the scheme portion of the URL, for example http or https.
  • Slide 15: Java EE Security API, Authorization (Access Control). Now that the user identity is established, we can enforce access control:
    – using annotations to declare the permitted and denied roles
    – using the XML descriptor to specify the permitted and denied roles
  • Slide 16: Java EE Security API, Authorization (Access Control): security constraints (Web, EJB, ...)
    – @DeclareRoles: before any role is referenced, it should be defined. @DeclareRoles acts like the security-role element in defining the roles used in the application.
    – @RunAs: specifies the run-as role for the given component.
    – @ServletSecurity: specifies the security constraint for the annotated Servlet.
    – @PermitAll: permits users with any role to access the given method, EJB or Servlet.
    – @RolesAllowed: on a method, permits the listed roles to invoke it. On a class, all methods are accessible to the listed roles unless a method is annotated with a different set of roles using @RolesAllowed.
    – @DenyAll: on a method, no role may invoke it (the description was missing from the slide).
  • Slide 17: Java EE Security API, Where to place the annotations?

    Annotation       Target Level    Target Kind
    @DeclareRoles    Class           EJB, Servlet
    @RunAs           Class           EJB, Servlet
    @ServletSecurity Class           Servlet
    @PermitAll       Class, Method   EJB, Servlet
    @RolesAllowed    Class, Method   EJB, Servlet
    @DenyAll         Method          EJB, Servlet
  • Slide 18: Java EE Security API, Transport Security
    – Apply the right level of transport security to your resources: CONFIDENTIAL or INTEGRAL.
    – Use as much strength as needed; the strongest option is not always the best choice.
    – Check country regulations before choosing cipher suites.
  • Slide 19: Is that all we can do? No, there is much more…
  • Slide 20: Java Authentication Service Provider Interface (JSR-196), What JSR-196 is…
    – An SPI for integrating authentication mechanism implementations into message processing runtimes.
    – Authentication is delegated to the corresponding provider at the message processing points.
    – Develop authentication modules that use credentials or headers the container does not support out of the box.
    – Reuse the container's security integration.
    – Plug in off-the-shelf third-party authentication modules that implement JSR-196.
  • Slide 21: Java Authentication Service Provider Interface (JSR-196), Message interception points
    – In the client, before transmitting the request to the server.
    – In the server, before the target service receives the client request.
    – In the server, before a response can be sent back to the client.
    – In the client, before the server response can be consumed.
  • Slide 22: Java Authentication Service Provider Interface (JSR-196), How you can benefit from it
    – Integrate any COTS authentication module.
    – Develop your own credentials and use them for authentication.
    – Benefit from container-provided security: access control, subject propagation, unified error messages, auditing, etc.
  • Slide 23: Java Authentication Service Provider Interface (JSR-196), The good part, the SPI…
    – The interface is javax.security.auth.message.module.ServerAuthModule.
    – Five methods in total to implement: 2 directly from javax.security.auth.message.module.ServerAuthModule, 3 inherited from javax.security.auth.message.ServerAuth.
    – The implementation can be plugged into the container.
    – The implementation can be used by the web applications.
    – Supported by any Java EE 6 compliant application server.
  • Slide 24: Java Authentication Service Provider Interface (JSR-196), 2 directly from ServerAuthModule: void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options)
    – Called for each authentication event.
    – requestPolicy and responsePolicy specify whether authentication is mandatory or not.
    – handler communicates the user and group principals used to establish the runtime's security context.
    – options come from the container and parameterize the behaviour of the SAM module.
  • Slide 25: Java Authentication Service Provider Interface (JSR-196), 2 directly from ServerAuthModule: Class[] getSupportedMessageTypes()
    – Returns an array of the supported message type classes: HttpServletRequest.class, HttpServletResponse.class
  • Slide 26: Java Authentication Service Provider Interface (JSR-196), 3 from javax.security.auth.message.ServerAuth: AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
    – Custom credential scraping and/or authentication happens here.
    – Communicate the authentication result and/or identity assertions to the message processing runtime through the CallbackHandler.
  • Slide 27: Java Authentication Service Provider Interface (JSR-196), 3 from javax.security.auth.message.ServerAuth: AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
    – Not much to do here for the servlet profile.
    – Usually: return AuthStatus.SEND_SUCCESS;
  • Slide 28: Java Authentication Service Provider Interface (JSR-196), 3 from javax.security.auth.message.ServerAuth: void cleanSubject(MessageInfo messageInfo, Subject subject)
    – Remove the method-specific principals and groups from the provided Subject.
    – Update the messageInfo if needed for a multi-step message exchange.
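A complete Servlet-profile SAM implementing the five methods described on slides 24 through 28, as an added example that is not from the slides or from GlassFish itself. It assumes a hypothetical X-Api-Token request header, a constructed provider-option convention (token.<value> = user:group1,group2), and uses the JASPIC isMandatory key in the MessageInfo map to tell protected from unprotected resources.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Added example, not from the slides. The "X-Api-Token" header and the
// token.<value> = user:group1,group2 option convention are assumptions.
public class ApiTokenServerAuthModule implements ServerAuthModule {
    private CallbackHandler handler;
    private final Map<String, String> tokens = new HashMap<String, String>();

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;  // hands caller and group principals to the container
        for (Object key : options.keySet()) {  // options come from the provider configuration
            String k = String.valueOf(key);
            if (k.startsWith("token.")) tokens.put(k.substring(6), String.valueOf(options.get(key)));
        }
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        String token = req.getHeader("X-Api-Token");
        String identity = token == null ? null : tokens.get(token);
        // The servlet profile flags protected resources with this key in the MessageInfo map
        boolean mandatory = "true".equals(mi.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory"));
        try {
            if (identity == null && !mandatory) {  // unprotected URL: proceed unauthenticated
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                return AuthStatus.SUCCESS;
            }
            if (identity == null) {  // protected URL without a valid token: refuse
                ((HttpServletResponse) mi.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            String[] parts = identity.split(":", 2);  // "user" and "group1,group2"
            String[] groups = parts.length > 1 ? parts[1].split(",") : new String[0];
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, parts[0]),
                                            new GroupPrincipalCallback(client, groups) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw new AuthException(e.getMessage());
        }
    }

    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }

    public void cleanSubject(MessageInfo mi, Subject subject) { subject.getPrincipals().clear(); }
}
```

Register the class as a message security provider under Security > Message Security > HttpServlet with the token.* entries as provider properties (delivered to initialize as the options map), then reference the provider from glassfish-web.xml as slide 30 shows.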
  • Slide 29: Java Authentication Service Provider Interface (JSR-196), GlassFish and JSR-196: install it in the domain. Create a new provider under Security > Message Security > HttpServlet.
  • Slide 30: Java Authentication Service Provider Interface (JSR-196), GlassFish and JSR-196
    – To use it for one web application when it is not made the default, set the httpservlet-security-provider attribute on the root element of glassfish-web.xml (sun-web-app in sun-web.xml).
    – And you are done!

    <glassfish-web-app httpservlet-security-provider="new-sam">
      <security-role-mapping>
        <role-name>role_1</role-name>
        <group-name>group_1</group-name>
      </security-role-mapping>
    </glassfish-web-app>
  • Slide 31: Java Authorization Contract for Containers (JSR-115), What JSR-115 is
    – Plugs a new access control mechanism into the container.
    – The container delegates the access control decision to the provider.
    – Uses the same role mapping that Java EE supports.
    – Correlates with the authentication mechanism (the Subject's roles).
  • Slide 32: Java Authorization Contract for Containers (JSR-115), How you can benefit from it
    – Add a new decision-making mechanism: take the time of day into account, use a different type of policy storage, etc.
  • Slide 33: Java Authorization Contract for Containers (JSR-115), The good part, the SPI…
    – Mainly two classes should be implemented by the provider: javax.security.jacc.PolicyConfigurationFactory and javax.security.jacc.PolicyConfiguration.
    – If the provider is not compatible with the default Java SE policy, it should also implement java.security.Policy.
    – The rest is already done by the container!
  • Slide 34: Java Authorization Contract for Containers (JSR-115), To install a new provider
    – Under Server-Config or any other config node: create a new entry under Security > JACC Provider, then select the newly installed provider under Security.
  • Slide 35: Are there more basics to know? Yes: the OWASP Top 10.
  • Slide 36: Java EE Security, GlassFish, Things to remember:
    – Data that is only compared should be stored salted and hashed.
    – Encrypted data does not need clear-text copies.
    – Keys must be protected properly.
    – Use the security manager and policy files.
    – Avoid forwards and redirects based on user-provided values.
    – Pay enough attention to role mappings.
    – Choose the right security realm.
  • Slide 37: Java EE Security, GlassFish, Things to remember:
    – Watch out for SQL injection: limit database access, use bind parameters, etc.
    – Understand what you are storing in the session.
    – Never store unencrypted cookies with important bits.
    – Transmit cookies securely when needed: Cookie.setSecure(true)
  • Slide 38: Java EE Security, GlassFish, Things to remember:
    – Use a service-specific user in the OS.
    – Use the security manager and policy files.
    – Properly configure the listeners.
    – Do not use the alias feature.
    – Do not use default accounts (admin accounts).
    – Check the OWASP Top 10 talk and resources.