    Extreme Security (presentation transcript)

    • eXtreme Enterprise Security. Arne Limburg // open knowledge GmbH
    • About me: Arne Limburg, @ArneLimburg. Enterprise Architect at open knowledge GmbH (@_openknowledge, www.openknowledge.de). Focus areas: JPA, CDI. Open source: JPA Security, Apache DeltaSpike, Apache OpenWebBeans.
    • Enterprise Application Security, the layers involved: communication security (HTTP / HTTPS); application firewall; web server configuration; authentication; authorization; network security (OS, firewall, TCP/IP).
    • Example application: an e-learning platform.
    • Security requirements:
      - Only lecturers may create courses.
      - Lecturers may create lessons for their own courses.
      - Lecturers may only see students who attend their courses.
      - Students may only see fellow students with whom they share a course.
    • Authentication vs. Authorization
    • Authentication answers the question: who is the current user? Mechanisms: username / password, public key, biometrics, Twitter, Facebook, OAuth.
    • Authentication in a web app, declared in web.xml:
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>JAAS</realm-name>
        <form-login-config>
          <form-login-page>/login.xhtml</…>
          <form-error-page>/error.xhtml</…>
        </form-login-config>
      </login-config>
    • Servlet 3.0 programmatic authentication (both calls are declared to throw ServletException):
      public void login(HttpServletRequest request, String username, String password) throws ServletException {
          request.login(username, password); // validated against the realm configured in web.xml
      }

      public void logout(HttpServletRequest request) throws ServletException {
          request.logout();
      }
    • Authorization answers the question: what may the current user do? Approaches: role-based, access control lists, user permissions, domain-object security.
    • JAAS: pluggable authentication; authorization through a pluggable policy provider, with permission checks via AccessController.
    • Java Permissions, policy file (the grant entries need the permission keyword):
      grant principal de…User "arne" {
          permission de…ExecPermission "de…CourseDao.find*";
      };
      grant principal de…User "admin" {
          permission de…ExecPermission "de…CourseDao.*";
      };
    • Java Permissions, a custom permission class:
      public class ExecPermission extends BasicPermission {
          // Note: BasicPermission only treats a trailing ".*" as a wildcard, so a name such as
          // "…CourseDao.find*" matches literally unless implies() is overridden.
          public ExecPermission(String methodName) {
              super(methodName);
          }
      }
    • Java Permissions, the check inside the DAO method:
      public void create(Course course) {
          String methodName = "de…CourseDao.create";
          AccessController.checkPermission(new ExecPermission(methodName));
          entityManager.persist(course);
      }
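    The three slides above only show fragments of the Permission approach. The following is an added, self-contained example (not code from the talk) that wires them together: a custom policy that grants "arne" the find* methods and "admin" everything, a Subject carrying the caller principal, and DAO methods guarded by AccessController.checkPermission. The package name de.example, the User principal class and the policy body are assumptions standing in for the elided "de…" names. It also fixes a detail the slide glosses over: BasicPermission does not treat "find*" as a wildcard, so ExecPermission overrides implies() with a prefix match. The Policy / AccessController machinery runs on JDK 8 to 23; in JDK 24 and later it is permanently disabled.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

/** Added example: the talk's ExecPermission approach wired up end to end (JDK 8 to 23). */
public class ExecPermissionDemo {

    /** Permission named after a fully qualified method, as in the policy file on the slide. */
    public static final class ExecPermission extends BasicPermission {
        public ExecPermission(String methodName) {
            super(methodName);
        }

        /* BasicPermission only treats a trailing ".*" as a wildcard, so "…CourseDao.find*" would
         * match literally. A prefix match restores the meaning the policy file intends. */
        @Override
        public boolean implies(Permission p) {
            if (!(p instanceof ExecPermission)) {
                return false;
            }
            String pattern = getName();
            return pattern.endsWith("*")
                    ? p.getName().startsWith(pattern.substring(0, pattern.length() - 1))
                    : pattern.equals(p.getName());
        }
    }

    /** Hypothetical principal type standing in for the elided "de…User" of the policy file. */
    public static final class User implements Principal {
        private final String name;
        public User(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof User && ((User) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Programmatic form of the two grant blocks: "arne" may call find*, "admin" may call anything. */
    static final class CoursePolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (!(permission instanceof ExecPermission)) {
                return true; // keep the demo focused on ExecPermission; all other checks pass
            }
            for (Principal p : domain.getPrincipals()) {
                if (!(p instanceof User)) {
                    continue;
                }
                String granted = "admin".equals(p.getName()) ? "de.example.CourseDao.*"
                               : "arne".equals(p.getName())  ? "de.example.CourseDao.find*"
                               : null;
                if (granted != null && new ExecPermission(granted).implies(permission)) {
                    return true;
                }
            }
            return false; // no matching grant: deny
        }
    }

    // DAO methods guarded exactly like create() on the slide; the "persistence" is simulated.
    static String create(String title) {
        AccessController.checkPermission(new ExecPermission("de.example.CourseDao.create"));
        return "persisted " + title;
    }

    static String findAll() {
        AccessController.checkPermission(new ExecPermission("de.example.CourseDao.findAll"));
        return "loaded courses";
    }

    /** Runs the action with the given user as caller principal; true if the check passed. */
    static boolean runAs(String user, PrivilegedAction<String> action) {
        Set<Principal> principals = new HashSet<>(Collections.singleton(new User(user)));
        Subject subject = new Subject(true, principals, new HashSet<>(), new HashSet<>());
        try {
            // doAsPrivileged attaches the Subject's principals to the ProtectionDomains the policy sees
            System.out.println(user + ": " + Subject.doAsPrivileged(subject, action, null));
            return true;
        } catch (AccessControlException denied) {
            System.out.println(user + ": denied " + denied.getPermission().getName());
            return false;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new CoursePolicy());
        runAs("arne", ExecPermissionDemo::findAll);  // matched by the find* grant
        runAs("arne", () -> create("JPA 101"));      // arne holds no create grant
        runAs("admin", () -> create("JPA 101"));     // matched by the CourseDao.* grant
    }
}
```

    The example makes the slide's conclusion concrete: every check has to be coded by hand at each call site, the policy lives in a separate file or class, and a subtle API detail (wildcard semantics) can silently widen or narrow a grant. Note that no SecurityManager is installed; AccessController.checkPermission consults the installed Policy regardless.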
    • Conclusion on permissions: every security requirement can be expressed, but it is far too laborious and poorly maintainable; extensions are needed.
    • Authorization (overview): what may the current user do? Role-based, access control lists, user permissions, domain-object security. This section: role-based access control.
    • Role-based access control, the three levels: users (Teacher 1, Student 1, Student 2) are assigned roles (Teacher, Student), and roles carry permissions (Create Course, Read Course, Read Student).
    • Role-based access control in the Servlet spec: permissions for web resources.
    • Role-based access control in web.xml (the resource name and URL pattern belong inside a web-resource-collection):
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>New Course</…>
          <url-pattern>/courses/create.xhtml</…>
        </web-resource-collection>
        <auth-constraint>
          <role-name>teacher</…>
        </auth-constraint>
      </security-constraint>
    • Role-based access control: the Servlet spec covers permissions for web resources; Java EE Security covers permissions for classes and methods.
    • Role-based access control in Java EE: @DeclareRoles, @RolesAllowed, @PermitAll, @DenyAll.
    • JACC (Java Authorization Contract for Containers). The implementation is responsible for: roles as collections of permissions; granting permissions; checking permissions.
    • Role-based access control:
      @RolesAllowed("teacher")
      public Course create(Teacher lecturer, …) {
          Course course = new Course(lecturer, …);
          entityManager.persist(course);
          return course;
      }
      Requirement: lecturers may only create their own courses. The role check alone cannot express this.
    • Role-based access control, checking that requirement by hand (EJBContext, injected via @Resource):
      @Resource
      private EJBContext context;

      public Course create(Teacher lecturer, …) {
          Principal caller = context.getCallerPrincipal();
          if (!lecturer.equals(caller)) { // Teacher has to know how to compare itself with the caller Principal
              throw new SecurityException(…);
          }
          …
      }
      The role concept is very limited! More complex access-control requirements end up "scattered" through the code. Maintainability and extensibility problems!
    • Alternatives to role-based access control? Rights should not be granted according to what the user is (which role he holds), but according to what he is allowed to do!
    • Example I, deciding whether the "Edit Course" link is rendered (JSF; the outputLink must stay open around its children, and the EL arguments are string literals):
      <h:outputLink value="editCourse.xhtml" rendered="#{sec:isUserInRole('teacher')}">
        <f:param name="courseId" value="#{course.id}"/>
        <h:outputText value="Edit Course"/>
      </h:outputLink>
      Three ways to phrase the condition:
      - role-based: rendered="#{sec:isUserInRole('teacher')}"
      - permission-based: rendered="#{sec:hasPermission('editCourse')}"
      - domain-object-based: rendered="#{sec:canUpdate(course)}"
    • Example II, the "Create Lesson" link for a course:
      <h:outputLink value="createLesson.xhtml" rendered="#{sec:isUserInRole('teacher')}">
        <f:param name="courseId" value="#{course.id}"/>
        <h:outputText value="Create Lesson"/>
      </h:outputLink>
      The same three conditions:
      - role-based: rendered="#{sec:isUserInRole('teacher')}"
      - permission-based: rendered="#{sec:hasPermission('createLesson')}"
      - domain-object-based: rendered="#{sec:canCreate(Lesson, course)}"
    • Authorization (overview): what may the current user do? Role-based, access control lists, user permissions, domain-object security. This section: access control lists.
    • Access control lists: each object carries an access control list, which consists of access control entries, one per user (user 1, user 2, user 3, …).
    • Spring Security: security for Spring-based web apps. Extensive authentication modules. Authorization: request-based, method-based, access control lists.
    • ACLs in Spring Security, the unprotected query:
      public List<Student> findAll() {
          TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
          return query.getResultList();
      }
      Requirements: lecturers may only see students who attend their courses; students may only see fellow students with whom they share a course.
    • ACLs in Spring Security, enabling method security in the Spring context:
      <global-method-security pre-post-annotations="enabled" />
    • ACLs in Spring Security, filtering the result (the permission name is a string literal in SpEL):
      @PostFilter("hasPermission(filterObject, 'read')")
      public List<Student> findAll() {
          TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
          return query.getResultList();
      }
      Problem: the filtering happens in memory, after the complete result set has been loaded. Poor performance on large data sets!
      Next requirement: lecturers may only create their own courses.
    • ACLs in Spring Security, checking before the call:
      @PreAuthorize("hasPermission(#course, 'create')")
      public void create(Course course) {
          entityManager.persist(course);
      }
      A failed check throws AccessDeniedException. Further problem: how do the ACLs get into the database?
    • ACLs in Spring Security, creating the ACL together with the object (the slide built this up in four steps):
      @PostAuthorize("hasPermission(returnedObject, 'create')")
      public Course create(Course course) {
          entityManager.persist(course);
          ObjectIdentity identity = new ObjectIdentityImpl(Course.class, course.getId());
          String name = course.getTeacher().getName();
          PrincipalSid principal = new PrincipalSid(name);
          MutableAcl acl = aclService.createAcl(identity);
          acl.insertAce(0, CREATE, principal, true); // CREATE: static import of BasePermission.CREATE
          aclService.updateAcl(acl);
          return course;
      }
    • ACLs in Spring Security, keeping the ACLs in sync when a student joins a course:
      public void add(Course course, Student student) {
          course.subscribe(student);
          createACE(student, course.getLecturer());
          for (Student participant : course.getParticipants()) {
              createACE(student, participant);
              createACE(participant, student);
          }
      }
      Creating and deleting ACLs ends up "scattered" through the code. Maintainability and extensibility problems! What happens when a developer forgets to create or delete an ACL?
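    The slides resolve hasPermission(...) through Spring Security's ACL tables, which then have to be created and deleted in step with every domain change. An alternative that the talk moves toward in its later sections is to derive the answer from the domain model itself. The following is an added example, not code from the talk or from Spring Security: a custom implementation of Spring Security's real PermissionEvaluator interface that answers the two SpEL expressions used above ('create' on a Course, 'read' on a Student) from the course membership, so there are no ACL rows to keep in sync. The tiny Person/Teacher/Student/Course model, the two repository interfaces and the sample data in main() are constructed for the example (Java 11+, spring-security-core on the classpath).

```java
import java.io.Serializable;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/** Added example: hasPermission(...) answered from the domain model instead of ACL rows. */
public class CoursePermissionEvaluator implements PermissionEvaluator {

    // Minimal domain model, constructed for this example (the talk's entities are elided).
    public static class Person { final String name; Person(String n) { name = n; } }
    public static class Teacher extends Person { Teacher(String n) { super(n); } }
    public static class Student extends Person { Student(String n) { super(n); } }
    public static class Course {
        final Teacher lecturer;
        final Set<Student> participants = new HashSet<>();
        Course(Teacher lecturer) { this.lecturer = lecturer; }
    }

    /** Hypothetical lookup of the caller's domain object by the login name in the Authentication. */
    interface PersonRepository { Person findByName(String name); }
    /** Hypothetical access to all courses, needed to decide visibility between persons. */
    interface CourseRepository { List<Course> findAll(); }

    private final PersonRepository persons;
    private final CourseRepository courses;

    public CoursePermissionEvaluator(PersonRepository persons, CourseRepository courses) {
        this.persons = persons;
        this.courses = courses;
    }

    /** Backs hasPermission(#course, 'create') and hasPermission(filterObject, 'read'). */
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || target == null) {
            return false;
        }
        Person caller = persons.findByName(auth.getName());
        if (caller == null) {
            return false;
        }
        String action = String.valueOf(permission);
        if (target instanceof Course && "create".equals(action)) {
            // Only lecturers may create courses, and only their own.
            return caller instanceof Teacher && ((Course) target).lecturer == caller;
        }
        if (target instanceof Student && "read".equals(action)) {
            return canSee(caller, (Student) target);
        }
        return false; // deny by default: unknown target/action pairs are never granted
    }

    /** The id-based variant is not used by the annotations on the slides; deny it outright. */
    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return false;
    }

    /** Lecturers see their participants; students see fellow participants of a shared course. */
    boolean canSee(Person caller, Student target) {
        if (caller == target) {
            return true;
        }
        for (Course c : courses.findAll()) {
            if (!c.participants.contains(target)) {
                continue;
            }
            if (caller instanceof Teacher && c.lecturer == caller) {
                return true;
            }
            if (caller instanceof Student && c.participants.contains(caller)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Teacher arne = new Teacher("arne");
        Teacher bob = new Teacher("bob");
        Student s1 = new Student("s1"), s2 = new Student("s2"), s3 = new Student("s3");
        Course jpa = new Course(arne);          // arne lectures; s1 and s2 attend; s3 attends nothing
        jpa.participants.add(s1);
        jpa.participants.add(s2);
        List<Person> all = List.of(arne, bob, s1, s2, s3);
        CoursePermissionEvaluator eval = new CoursePermissionEvaluator(
                name -> all.stream().filter(p -> p.name.equals(name)).findFirst().orElse(null),
                () -> List.of(jpa));

        Authentication asArne = new UsernamePasswordAuthenticationToken(
                "arne", "n/a", AuthorityUtils.createAuthorityList("ROLE_TEACHER"));
        Authentication asS1 = new UsernamePasswordAuthenticationToken(
                "s1", "n/a", AuthorityUtils.createAuthorityList("ROLE_STUDENT"));

        System.out.println("arne creates own course:   " + eval.hasPermission(asArne, new Course(arne), "create"));
        System.out.println("arne creates bob's course: " + eval.hasPermission(asArne, new Course(bob), "create"));
        System.out.println("s1 reads s2 (shared course): " + eval.hasPermission(asS1, s2, "read"));
        System.out.println("s1 reads s3 (no shared course): " + eval.hasPermission(asS1, s3, "read"));
        System.out.println("arne reads s3 (not his participant): " + eval.hasPermission(asArne, s3, "read"));
    }
}
```

    To activate it, register the evaluator on the method-security expression handler (DefaultMethodSecurityExpressionHandler.setPermissionEvaluator) in place of the AclPermissionEvaluator. This removes the "forgotten ACL" failure mode, but it does not address the other problem from the slides: @PostFilter still loads the whole result set and filters it in memory.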
    • Authorization (overview): what may the current user do? Role-based, access control lists, user permissions, domain-object security. This section: domain-object security.
    • Seam Security. Authentication: JAAS (Seam 2), PicketLink (Seam 3). Authorization: JSF, business method, entity (Seam 2 only).
    • Seam 3 Security, securing the business method with a custom binding:
      @Create
      public Course create(@Owner Teacher lecturer, …) {
          Course course = new Course(lecturer, …);
          entityManager.persist(course);
          return course;
      }
    • Custom security annotations (runtime retention is required so the interceptor can see them):
      @SecurityBindingType
      @Retention(RetentionPolicy.RUNTIME)
      @Target({ElementType.TYPE, ElementType.METHOD})
      public @interface Create {}

      @SecurityParameterBinding
      @Retention(RetentionPolicy.RUNTIME)
      @Target(ElementType.PARAMETER)
      public @interface Owner {}
    • Separate implementation of the rule logic:
      public class SecurityRules {
          @Secures @Create
          public boolean checkOwner(@Owner User owner, Identity user) {
              return owner.equals(user);
          }
      }
    • Seam 3 Security, limitation of the same create method: checking the return value is currently not possible!
    • Spring Security, domain-object-based checks through EL:
      @PreAuthorize("#lecturer == principal")
      @PostAuthorize("returnedObject.lecturer == principal")
      public Course create(Teacher lecturer, …) {
          Course course = new Course(lecturer, …);
          entityManager.persist(course);
          return course;
      }
      What if the course is not created through the create method?
    • Seam 2 Security: rule-based authorization with Drools, also at the entity level.
    • Entity security in Seam 2:
      @Restrict
      @Entity
      public class Course {
          …
      }
    • Entity security in Seam 2, Drools configuration:
      rule CreateCourse
        no-loop
        activation-group "permission"
      when
        principal: Principal()
        course: Course(lecturer: lecturer -> (lecturer.equals(principal)))
        check: PermissionCheck(target == course, action == "insert", granted == false)
      then
        check.grant();
      end
    • Entity security with Seam 2, orm.xml:
      <persistence-unit-metadata>
        <persistence-unit-defaults>
          <entity-listeners>
            <entity-listener class="org.jboss.seam.security.EntitySecurityListener"/>
          </entity-listeners>
        </persistence-unit-defaults>
      </persistence-unit-metadata>
    • Entity security with Seam 2, the unfiltered query:
      public List<Student> findAll() {
          TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
          return query.getResultList();
      }
      Result: AuthorizationException. Two methods are needed instead.
    • Entity security with Seam 2, one query per caller type:
      public List<Student> find(Teacher lecturer) { … }
      public List<Student> find(Student fellow) { … }
      The call has to be made on the basis of the currently logged-in user!
    • Entity security with Seam 2, dispatching on the caller:
      public List<Student> findAll() {
          Principal caller = context.getCallerPrincipal();
          if (caller instanceof Teacher) {
              return find((Teacher) caller);
          } else {
              return find((Student) caller);
          }
      }
      Security is "scattered" through the code again!
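    The two find(…) bodies are elided on the slides. As an added example (not the talk's code), here is one way to write them with the plain JPA Criteria API so that the two requirements are enforced in the database rather than by filtering loaded objects: a lecturer gets the participants of the courses he teaches, a student gets the fellow participants of any course he attends, minus himself. It assumes entities mapped as the talk implies: Course with a lecturer attribute of type Teacher and a participants collection of Student; those entity classes are not repeated here.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Join;
import javax.persistence.criteria.Root;
import javax.persistence.criteria.Subquery;

/**
 * Added example: the two Seam 2 queries written with the JPA Criteria API, so the
 * visibility rules become part of the SQL instead of an in-memory filter.
 * Assumes entities Course(lecturer: Teacher, participants: Set<Student>), Teacher, Student.
 */
public class StudentDao {

    private final EntityManager entityManager;

    public StudentDao(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    /** Students visible to a lecturer: participants of the courses he teaches.
     *  JPQL equivalent: SELECT s FROM Student s WHERE s IN
     *      (SELECT p FROM Course c JOIN c.participants p WHERE c.lecturer = :lecturer) */
    public List<Student> find(Teacher lecturer) {
        CriteriaBuilder cb = entityManager.getCriteriaBuilder();
        CriteriaQuery<Student> query = cb.createQuery(Student.class);
        Root<Student> student = query.from(Student.class);

        Subquery<Student> taught = query.subquery(Student.class);
        Root<Course> course = taught.from(Course.class);
        Join<Course, Student> participant = course.join("participants");
        taught.select(participant).where(cb.equal(course.get("lecturer"), lecturer));

        query.select(student).where(student.in(taught));
        return entityManager.createQuery(query).getResultList();
    }

    /** Students visible to a student: fellow participants of a shared course, excluding himself.
     *  JPQL equivalent: SELECT s FROM Student s WHERE s <> :fellow AND s IN
     *      (SELECT p FROM Course c JOIN c.participants p WHERE :fellow MEMBER OF c.participants) */
    public List<Student> find(Student fellow) {
        CriteriaBuilder cb = entityManager.getCriteriaBuilder();
        CriteriaQuery<Student> query = cb.createQuery(Student.class);
        Root<Student> student = query.from(Student.class);

        Subquery<Student> shared = query.subquery(Student.class);
        Root<Course> course = shared.from(Course.class);
        Join<Course, Student> participant = course.join("participants");
        shared.select(participant)
              .where(cb.isMember(fellow, course.<Set<Student>>get("participants")));

        query.select(student).where(cb.and(student.in(shared), cb.notEqual(student, fellow)));
        return entityManager.createQuery(query).getResultList();
    }
}
```

    The point the talk makes still stands: the caller-type dispatch in findAll() and the rule itself live in application code, where a second DAO or a native query can bypass them. JPA Security, introduced on the next slides, attaches the same subquery to the entity so that every query through the EntityManager is filtered.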
    • JPA Security: a security framework for JPA. Pluggable authentication. Authorization: JSP and JSF support; access checks on CRUD operations; in-memory filtering of collections; in-database filtering of queries (JPQL and Criteria).
    • Entity security with JPA Security:
      @Permit(access = AccessType.CREATE, rule = "lecturer = CURRENT_PRINCIPAL")
      @Entity
      public class Course {
          …
      }
      The check runs automatically on entityManager.persist(…), entityManager.merge(…) and on cascading!
    • Entity security with JPA Security, the same unfiltered query:
      public List<Student> findAll() {
          TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
          return query.getResultList();
      }
      JPA queries and Criteria queries are filtered automatically!
    • Entity security with JPA Security, the read rule for students:
      @PermitAny({
          @Permit(access = AccessType.READ,
                  rule = "this IN (SELECT p"
                       + " FROM Course course"
                       + " JOIN course.participants p"
                       + " WHERE course.lecturer"
                       + " = CURRENT_PRINCIPAL"),
          @Permit(…)
      })
      @Entity
      public class Student {
          …
      }
    • Entity security with JPA Security, persistence.xml before:
      <persistence …>
        <persistence-unit name="…">
          <provider>org.hibernate.ejb.HibernatePersistence</…>
          <properties>
            …
          </properties>
        </persistence-unit>
      </persistence>
    • Entity security with JPA Security, persistence.xml after; JPA Security wraps the real provider:
      <persistence …>
        <persistence-unit name="…">
          <provider>net.sf.jpase…SecurePersistenceProvider</…>
          <properties>
            <property name="net.sf.jpasecurity.persistence.provider"
                      value="org.hibernate.ejb.HibernatePersistence"/>
          </properties>
        </persistence-unit>
      </persistence>
    • Create course:
      <h:outputLink value="createLesson.xhtml" rendered="#{sec:canCreate(Lesson, course)}">
        <f:param name="courseId" value="#{course.id}"/>
        <h:outputText value="Create Lesson"/>
      </h:outputLink>
    • Edit course:
      <h:outputLink value="editCourse.xhtml" rendered="#{sec:canUpdate(course)}">
        <f:param name="courseId" value="#{course.id}"/>
        <h:outputText value="Edit Course"/>
      </h:outputLink>
    • Conclusion on authorization. Method-based: Spring Security (permissions, ACL or EL); Seam 3 Security (type-safe through annotations in the code). Entity-based: JPA Security, with automatic filtering in the database.
    • Q&A. Thank you for your time. Contact: open knowledge GmbH, Bismarckstr. 13, 26122 Oldenburg, arne.limburg@openknowledge.de, @ArneLimburg, @_openknowledge.