Your SlideShare is downloading. ×
0
ADDRESSING TOMORROW'S SECURITY
REQUIREMENTS IN ENTERPRISE APPLICATIONS

Ben Alex, Principal Software Engineer
TS-6348

   ...
Learn what's coming in enterprise application
security, and how to achieve it easily today.




                          ...
Agenda

 A Quick Landscape Review
 Simple Web Application Security
 Beyond Simple Web Application Security
 Adding Method ...
Approaching AAAA
 Security considerations revolve around AAAA
  • Authentication: who are they?
  • Authorization: what ca...
Java™ Servlet Security
 Solid foundation provided by the Servlet API

 HttpServletRequest methods
  • boolean isUserInRole...
JAAS
 Java Authentication and Authorization Service (JAAS)
 Optional in Java™ 1.3, and included in SDK from Java™ 1.4

 Lo...
Agenda

 A Quick Landscape Review
 Simple Web Application Security
 Beyond Simple Web Application Security
 Adding Method ...
What Are “Simple Requirements”?
 Login form
 Authentication against common backends
 Web URL authorization
 Determining wh...
Demonstration Software
 My demos today will use Spring Security 2
 • Open source project from SpringSource, the company be...
Implementing Simple Requirements
(in 10 minutes or less)




                          2008 JavaOneSM Conference | java.co...
Agenda

 A Quick Landscape Review
 Simple Web Application Security
 Beyond Simple Web Application Security
 Adding Method ...
Component, State and Transition Security
 We're moving towards component-based web frameworks
 • For example, Java™ Server...
CAPTCHA Overview
 Completely Automated Public Test to tell Computers and
 Humans Apart

 Useful for mitigating denial of s...
Single Sign On and Federated Identity
 NTLM for Microsoft® Windows® intranet apps
  • Works with Mozilla® Firefox® and Mic...
Agenda

 A Quick Landscape Review
 Simple Web Application Security
 Beyond Simple Web Application Security
 Adding Method ...
Protecting Methods
 Strongly recommended in preference to web authorization
  • Can still be used concurrently with web UR...
JSR 250 Method Security Metadata
 JSR 250: “Common Annotations for the Java™ Platform™”

 Annotate classes
  • @RunAs(“som...
Domain Access Control
 Domain access control considers
  • Who the user is
  • Which method they are invoking on which Jav...
Method Authorization




                       2008 JavaOneSM Conference | java.com.sun/javaone |   19
Agenda

 A Quick Landscape Review
 Simple Web Application Security
 Beyond Simple Web Application Security
 Adding Method ...
Basic Authentication
 Great for RESTful paradigms and remote clients

 RFC 1945, Section 11.1

 Stateless HTTP header base...
WSS (formerly WS-Security) and REST POX
 WSS provides key security functionality for SOAP

 Use XWSS for Java™ WSS
  • Vis...
Securing JMS and ESBs
 JMS 1.1 does not provide message integrity or privacy
  • Refer to JMS 1.1 Specification (JSR 914) ...
Enterprise Connectivity




                          2008 JavaOneSM Conference | java.com.sun/javaone |   24
Agenda

 A Quick Landscape Review
 Simple Web Application Security
 Beyond Simple Web Application Security
 Adding Method ...
Securing GWT
 GWT offers no authentication-specific features
  • Option 1: ServiceDefTarget.setServiceEndPoint(...) with j...
AJAX Clients and Web 2.0




                           2008 JavaOneSM Conference | java.com.sun/javaone |   27
Agenda

 A Quick Landscape Review
 Simple Web Application Security
 Beyond Simple Web Application Security
 Adding Method ...
Enterprise Application Security Tips
 Use a proven security framework; don't roll your own
 Start simply, and add complexi...
Ben Alex, Principal Software Engineer
TS-6348



                                                    Speaker’s logo here
 ...
Upcoming SlideShare
Loading in...5
×

ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS

1,418

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,418
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
33
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS"

  1. 1. ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS Ben Alex, Principal Software Engineer TS-6348 Speaker’s logo here (optional)
  2. 2. Learn what's coming in enterprise application security, and how to achieve it easily today. 2008 JavaOneSM Conference | java.com.sun/javaone | 2
  3. 3. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 3
  4. 4. Approaching AAAA Security considerations revolve around AAAA • Authentication: who are they? • Authorization: what can they do? • Accounting: what resources did they consume in doing it? • Auditing: what exactly did they do? Java™ Servlets and JAAS Third party products Build your own 2008 JavaOneSM Conference | java.com.sun/javaone | 4
  5. 5. Java™ Servlet Security Solid foundation provided by the Servlet API HttpServletRequest methods • boolean isUserInRole(String role) • String getRemoteUser() • Principal getUserPrincipal() Configured in web.xml • <security-constraint> • <login-config> • <security-role> Self registration requirements being considered in JSR 315 2008 JavaOneSM Conference | java.com.sun/javaone | 5
  6. 6. JAAS Java Authentication and Authorization Service (JAAS) Optional in Java™ 1.3, and included in SDK from Java™ 1.4 LoginContext CallbackHandler LoginModule Subject Principal Configured in policy files Many Java™ servers use JAAS 2008 JavaOneSM Conference | java.com.sun/javaone | 6
  7. 7. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 7
  8. 8. What Are “Simple Requirements”? Login form Authentication against common backends Web URL authorization Determining who is logged in Programmatic authorization Logout mechanism Externalization of deployment configuration Transport-level protection Maintaining authentication scope during a session 2008 JavaOneSM Conference | java.com.sun/javaone | 8
  9. 9. Demonstration Software My demos today will use Spring Security 2 • Open source project from SpringSource, the company behind Spring • Formerly known as “Acegi Security”, and publicly available since 2003 Builds upon the Java™ platform • Integrates with Java™ Servlet Security container authentication • Integrates with JAAS login modules • External porting efforts underway to .Net, Python and other platforms Spring Security supports all technologies discussed today Widely used in global banking, defense, government etc 2008 JavaOneSM Conference | java.com.sun/javaone | 9
  10. 10. Implementing Simple Requirements (in 10 minutes or less) 2008 JavaOneSM Conference | java.com.sun/javaone | 10
  11. 11. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 11
  12. 12. Component, State and Transition Security We're moving towards component-based web frameworks • For example, Java™ Server Faces • Reducing development time, and increasing modularity Spring Web Flow provides a JSF model and authorization of • States • Flows • Transitions Spring Web Flow unifies JSF and Spring Security 2008 JavaOneSM Conference | java.com.sun/javaone | 12
  13. 13. CAPTCHA Overview Completely Automated Public Test to tell Computers and Humans Apart Useful for mitigating denial of service and IP infringement Popular Java™ solutions include JCaptcha and reCAPTCHA Consider accessibility issues • http://tinyurl.com/3ypzck (Matt May, “Escape from Captcha”, 2004) Captchas are often machine decipherable • http://www.cs.sfu.ca/~mori/research/gimpy/ 2008 JavaOneSM Conference | java.com.sun/javaone | 13
  14. 14. Single Sign On and Federated Identity NTLM for Microsoft® Windows® intranet apps • Works with Mozilla® Firefox® and Microsoft® Internet Explorer® • Implement using Samba JCIFS JA-SIG Central Authentication Service (CAS) for intranet apps • Java™ (for both client and server, plus full Spring Security support) • Other clients include .Net, PHP, Perl, Apache etc OpenID for Internet apps • Sun®, IBM®, Microsoft®, Google®, Yahoo®, AOL®, Yahoo®, Blogger™ • Implement using OpenID4Java 2008 JavaOneSM Conference | java.com.sun/javaone | 14
  15. 15. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 15
  16. 16. Protecting Methods Strongly recommended in preference to web authorization • Can still be used concurrently with web URL authorization Before a method invocation • Is the user authorized in view of the signature and arguments? After a method invocation • Was the user authorized in view of the returned object? • Should the returned object be modified in some manner? Typically used on the services or domain layer • Thus all client layers are secured (web, rich client, JMS etc) • Of course, proper encapsulation and layering should remain a priority 2008 JavaOneSM Conference | java.com.sun/javaone | 16
  17. 17. JSR 250 Method Security Metadata JSR 250: “Common Annotations for the Java™ Platform™” Annotate classes • @RunAs(“someRole”) • @RolesAllowed(“someRole”) • @PermitAll() • @DenyAll() • @DeclareRoles(“someRole”) Annotation interaction defined in JSR 250, Section 2.11 Spring Security supports JSR-250, plus @Secured, <protect- pointcut>, <protect-method> and custom strategies 2008 JavaOneSM Conference | java.com.sun/javaone | 17
  18. 18. Domain Access Control Domain access control considers • Who the user is • Which method they are invoking on which Java™ type • Which domain object instance they are invoking the method on Major considerations • Performance and normalization level of the ACL database • Appropriate tier to perform filtering (eg database-side or Java™) • Potential propagation of user identity from Java™ to database 2008 JavaOneSM Conference | java.com.sun/javaone | 18
  19. 19. Method Authorization 2008 JavaOneSM Conference | java.com.sun/javaone | 19
  20. 20. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 20
  21. 21. Basic Authentication Great for RESTful paradigms and remote clients RFC 1945, Section 11.1 Stateless HTTP header based • Header name: “Authorization” • Header value: “Basic” + “ “ + Base64(username + “:” + password) • Some SSO solutions permit session tokens to be presented over Basic Recommended, but only if used with HTTPS • Consider Digest authentication if only HTTP is available • See RFC 2617 Section 4 for a comparison of Basic and Digest • Be aware of cross-site request forgery risks 2008 JavaOneSM Conference | java.com.sun/javaone | 21
  22. 22. WSS (formerly WS-Security) and REST POX WSS provides key security functionality for SOAP Use XWSS for Java™ WSS • Visit https://xwss.dev.java.net/ • XWSS version 2.0 implements OASIS WSS Specification 1.0 • XWSS version 3.0 implements OASIS WSS Specification 1.1 • Part of Project Metro (https://metro.dev.java.net/) and Glassfish™ Spring Web Services integrates XWSS and Spring Security Securing Plain Old XML using the RESTful paradigm • Option 1: Use HTTP Basic authentication • Option 2: Use XPath to extract username/password from XML payload 2008 JavaOneSM Conference | java.com.sun/javaone | 22
  23. 23. Securing JMS and ESBs JMS 1.1 does not provide message integrity or privacy • Refer to JMS 1.1 Specification (JSR 914) Section 2.7 • Implementations are expected to provide such features Destination authorization may be provided (eg ActiveMQ) • Read from destination; write to destination; admin destination ESBs may provide implementation-specific capabilities • Endpoint authorization; channel authorization; security translation Spring Integration addresses security in its Q2 2008 roadmap 2008 JavaOneSM Conference | java.com.sun/javaone | 23
  24. 24. Enterprise Connectivity 2008 JavaOneSM Conference | java.com.sun/javaone | 24
  25. 25. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 25
  26. 26. Securing GWT GWT offers no authentication-specific features • Option 1: ServiceDefTarget.setServiceEndPoint(...) with jsessionid • Option 2: Establish a token, then present it as a cookie and in RPC calls Key considerations • Session and/or token timeout issues • How to robustly logout • Cross-site request forgery • Transition of existing server-side authentication to GWT client Useful GWT security advice • http://tinyurl.com/3akc6y (GWT wiki) offers GWT security advice • http://tinyurl.com/2ynd26 (GWT incubator) includes Spring Security 2008 JavaOneSM Conference | java.com.sun/javaone | 26
  27. 27. AJAX Clients and Web 2.0 2008 JavaOneSM Conference | java.com.sun/javaone | 27
  28. 28. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity Remote Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 28
  29. 29. Enterprise Application Security Tips Use a proven security framework; don't roll your own Start simply, and add complexity incrementally Consider user registration requirements Plan for federated identity, particularly involving OpenID For in-house applications, consider NTLM and CAS Employ Captcha techniques to mitigate DoS attacks Favor method authorization over web authorization Annotations-based authorization metadata is quick and easy Very carefully consider any domain object instance security Prefer Basic authentication for RESTful, HTTPS interactions Leverage WSS for transport-independent SOAP 2008 JavaOneSM Conference | java.com.sun/javaone | 29
  30. 30. Ben Alex, Principal Software Engineer TS-6348 Speaker’s logo here (optional) 2008 JavaOneSM Conference | java.com.sun/javaone | 30
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×