Jsfandsecurity
Transcript

  • 1. JSF and Security (Çağatay Çivici)
  • 2. About Me
    • Apache MyFaces PMC (Project Management Committee) member
    • Co-Author of “The Definitive Guide to Apache MyFaces and Facelets” from APRESS
    • Reference in “Core JavaServer Faces 2nd Edition”
    • Recognized speaker in international and local conferences
    • Oracle RCF (Rich Client Framework) member
    • Krank (CRUD Framework for JSF-Spring-JPA) member
    • Sourceforge jsf-comp member
    • Spring Security (Acegi) JSF Integration author
    • JSF Chart Creator project lead
    • FacesTrace project lead
    • YUI4JSF project lead
    • FC Barcelona Fan
    • Blog: http://www.prime.com.tr/cagataycivici
    • Prime Technology - 2008
  • 3. Roadmap
    • JSF and Security
    • Non-JSF Based Approaches
    • JSF Based Approaches
    • Page authorization
    • Protect ViewState
  • 4. JSF and Security
    • The mismatch! Security Support in JSF
    • JSF
      – MVC Framework
      – Component Oriented
      – Event Driven
    • Security
      – Authentication
      – Authorization
  • 5. JSF API
    • FacesContext.getCurrentInstance().getExternalContext().getRemoteUser()
    • FacesContext.getCurrentInstance().getExternalContext().getAuthType()
    • FacesContext.getCurrentInstance().getExternalContext().isUserInRole(String role)
    • FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal()
  • 6. Approaches
    • Non-JSF based
      – Container Managed Security
      – Security Filter
      – Spring Security
    • JSF based
      – ViewHandler
      – PhaseListener
      – Seam Security
  • 7. Container Managed Security
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>secure pages</web-resource-name>
        <url-pattern>/secure.jsf</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
      <description>Admin Role</description>
      <role-name>admin</role-name>
    </security-role>
  • 8. Container Managed Security
    The Good
    • Based on Servlet API
    • Well known
    • Fine for URL Protection
    The Bad
    • JSF Component Security
    • JSF Login Page
    • Securing JSF Navigations
  • 9. Container Managed Security
    • Case study: DEMO with JSF Navigation Issue
  • 10. Servlet Filter
    Request → Security Filter → Faces Servlet → Response
  • 11. Servlet Filter
    The Good
    • Based on Servlet API
    • Well known
    • Good for URL Protection
    • Non-Faces Resources
    The Bad
    • JSF Component Security
    • Faces APIs
    • Requires Maintenance
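Slides 10 and 11 describe the security filter without showing one. The following is an added example (not code from the presentation) of a `javax.servlet.Filter` that sits in front of the Faces Servlet and therefore also covers images, stylesheets and any other non-Faces URL, which is the advantage slide 11 lists. The package name, the rule table and the `/login.jsf` redirect target are constructed assumptions.

```java
package example.security; // hypothetical package, not from the slides

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Runs before the Faces Servlet for every request matched by its url-pattern (here /*). */
public class SecurityFilter implements Filter {

    // constructed sample rules: path prefix (relative to the context root) -> required role,
    // first match in insertion order wins
    private final Map<String, String> rules = new LinkedHashMap<String, String>();

    public void init(FilterConfig cfg) {
        rules.put("/admin/", "admin");   // covers /admin/*.jsf and /admin/images/*.png alike
        rules.put("/secure", "user");    // matches /secure.jsf as well as /secure/...
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // servletPath + pathInfo is already URL-decoded and normalised by the container;
        // matching on the raw getRequestURI() would let encoded variants slip past a prefix rule
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());

        String role = requiredRole(path);
        if (role == null) {                // unprotected resource
            chain.doFilter(req, res);
            return;
        }
        if (request.getRemoteUser() == null) {
            // nobody is logged in: hand over to the application's login page
            response.sendRedirect(request.getContextPath() + "/login.jsf");
        } else if (!request.isUserInRole(role)) {
            // authenticated but not authorised: refuse rather than redirect
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            chain.doFilter(req, res);
        }
    }

    private String requiredRole(String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }

    public void destroy() {
    }
}
// web.xml registration (assumed), mapped on /* so that non-Faces resources are covered:
//   <filter><filter-name>security</filter-name>
//          <filter-class>example.security.SecurityFilter</filter-class></filter>
//   <filter-mapping><filter-name>security</filter-name><url-pattern>/*</url-pattern></filter-mapping>
```

The role decision is delegated to `HttpServletRequest.isUserInRole`, so the filter inherits whatever realm the container is configured with; the rule table is what needs maintaining as pages are added, which is the "Requires Maintenance" point of slide 11.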
  • 12. Spring Security
    <security:http auto-config='true'>
      <security:intercept-url pattern="/login.jsp" filters="none"/>
      <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
      <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
      <security:concurrent-session-control max-sessions="1"/>
      <security:logout logout-url="/logout" logout-success-url="/"/>
    </security:http>
  • 13. Spring Security
    • Securing JSF Beans
    public class MySecuredBackingBean {
        ...
        @Secured({"ROLE_ADMIN", "ROLE_ADMINS_GIRLFRIEND"})
        public String delete() {
            // delete something, then return the navigation outcome
            return "deleted";
        }
        ...
    }
  • 14. Spring Security
    The Good
    • Extendable
    • Easy configuration
    • Bean security
    • ACL
    • Securing methods
    The Bad
    • Complex for simple applications
    • Page authorization
  • 15. ViewHandler
    • Decorate for Security
    • Integration point: createView
    public class SecurityViewHandler extends ViewHandler {
        // the decorated (default) ViewHandler; JSF passes it to the constructor
        private final ViewHandler base;

        public SecurityViewHandler(ViewHandler base) {
            this.base = base;
        }

        public UIViewRoot createView(FacesContext facesContext, String viewId) {
            if (!userCanAccess(viewId))
                return base.createView(facesContext, "/accessDenied.jsp");
            else
                return base.createView(facesContext, viewId);
        }
        // ... the remaining ViewHandler methods delegate to base; userCanAccess() holds the authorization rule
    }
  • 16. ViewHandler Demo
  • 17. ViewHandler
    The Good
    • JSF Based
    The Bad
    • Non faces resources (images, styles)
    • Possibility to be suppressed
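Slide 15 shows only the `createView` hook and leaves `userCanAccess` open. The following is an added example (not the presenter's code) that fills that in with the JSF 1.2 `ViewHandlerWrapper` and the `ExternalContext` calls listed on slide 5; the package name, the rule table and the view ids in it are constructed. It also handles a case the slide does not mention: a postback to a protected view goes through `restoreView`, not `createView`, so a decorator that only overrides `createView` checks the first GET but not the POSTs that follow.

```java
package example.security; // hypothetical package, not from the slides

import java.util.LinkedHashMap;
import java.util.Map;
import javax.faces.application.ViewHandler;
import javax.faces.application.ViewHandlerWrapper;
import javax.faces.component.UIViewRoot;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 * Decorating ViewHandler that maps view ids to a required role and answers with the
 * access-denied view when the current user does not hold that role.
 */
public class RoleViewHandler extends ViewHandlerWrapper {

    private static final String ACCESS_DENIED = "/accessDenied.jsp"; // view id used on slide 15

    private final ViewHandler wrapped;

    // constructed sample rules: view-id prefix -> required role, first match wins
    private final Map<String, String> rules = new LinkedHashMap<String, String>();

    // JSF instantiates a decorator with the previously registered ViewHandler as argument
    public RoleViewHandler(ViewHandler wrapped) {
        this.wrapped = wrapped;
        rules.put("/admin/", "admin");
        rules.put("/secure.jsp", "user");
    }

    @Override
    public ViewHandler getWrapped() {
        return wrapped;
    }

    // Initial (non-postback) requests come through here: the slide's integration point
    @Override
    public UIViewRoot createView(FacesContext ctx, String viewId) {
        return super.createView(ctx, authorize(ctx, viewId));
    }

    // Postbacks restore the view instead of creating it, so the same check is needed here
    @Override
    public UIViewRoot restoreView(FacesContext ctx, String viewId) {
        String allowed = authorize(ctx, viewId);
        if (!allowed.equals(viewId)) {
            return super.createView(ctx, allowed); // the denied page has no state to restore
        }
        return super.restoreView(ctx, viewId);
    }

    /** Returns viewId when the current user may see it, otherwise the access-denied view id. */
    String authorize(FacesContext ctx, String viewId) {
        String role = requiredRole(viewId);
        if (role == null || ACCESS_DENIED.equals(viewId)) {
            return viewId;
        }
        ExternalContext ext = ctx.getExternalContext();
        // getRemoteUser() is null when nobody is logged in; isUserInRole() asks the container realm
        if (ext.getRemoteUser() != null && ext.isUserInRole(role)) {
            return viewId;
        }
        return ACCESS_DENIED;
    }

    private String requiredRole(String viewId) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (viewId.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }
}
// faces-config.xml registration (assumed):
//   <application><view-handler>example.security.RoleViewHandler</view-handler></application>
```

Each `<view-handler>` entry in faces-config.xml wraps the one registered before it, so a decorator registered later that does not call through to `getWrapped()` silently bypasses this check; that is the "possibility to be suppressed" drawback of slide 17, and the order of the registrations is worth reviewing when several libraries contribute view handlers.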
  • 18. PhaseListener
    Request → Faces Servlet → Restore View → [Security Check] → Apply Request Values → Validations → Update Model → Invoke Application → [Security Check] → Render Response → Response
  • 19. PhaseListener
    public class SecurityPhaseListener implements PhaseListener {

        public void afterPhase(PhaseEvent phaseEvent) {
            PhaseId phaseId = phaseEvent.getPhaseId();
            if (phaseId.equals(PhaseId.RESTORE_VIEW) || phaseId.equals(PhaseId.INVOKE_APPLICATION)) {
                String viewId = phaseEvent.getFacesContext().getViewRoot().getViewId();
                if (!canUserAccess(viewId)) {
                    HttpServletResponse response = (HttpServletResponse)
                        phaseEvent.getFacesContext().getExternalContext().getResponse();
                    try {
                        response.sendRedirect("/jsfcalistay/accessDeniedPhaseListener.jsf");
                        // tell JSF not to render anything after the redirect
                        phaseEvent.getFacesContext().responseComplete();
                    } catch (IOException e) {
                        // send a 404
                    }
                }
            }
        }

        public void beforePhase(PhaseEvent phaseEvent) {
            // nothing to do before a phase
        }

        // listen to every phase; afterPhase() picks out the two of interest
        public PhaseId getPhaseId() {
            return PhaseId.ANY_PHASE;
        }
        // ... canUserAccess() holds the authorization rule; register the listener in faces-config.xml
        // under <lifecycle><phase-listener>
    }
  • 20. PhaseListener Demo
  • 21. PhaseListener
    The Good
    • JSF Based
    The Bad
    • Non faces resources (images, styles)
  • 22. Seam Security
    Components.xml
    <security:identity authenticate-method="#{authenticator.authenticate}"/>
    Authenticate Method
    boolean authenticate();
    <h:form>
      <h:outputLabel for="name" value="Username"/>
      <h:inputText id="name" value="#{identity.username}"/>
      <h:outputLabel for="password" value="Password"/>
      <h:inputSecret id="password" value="#{identity.password}"/>
      <h:commandButton value="Login" action="#{identity.login}"/>
    </h:form>
  • 23. Seam Security
    • URL Protection
    • pages.xml
    <page view-id="/controlPanel.xhtml">
      <restrict>#{s:hasRole('ROLE_ADMIN')}</restrict>
    </page>
  • 24. Seam Security
    • Securing backing beans
    @Name("orderController")
    public class OrderController {
        @Restrict("#{s:hasRole('ROLE_ADMIN')}")
        public void deleteOrder() {
            // blabla
        }
    }
  • 25. Seam Security
    The Good
    • JSF Based
    • URL Protection
    • Controller security
    • Entity security
    • Page authorization
    • JSF login form
    The Bad
    • Authenticate method
  • 26. Page Authorization
    • Acegi-JSF Components
    • Facelets Functions
    • Seam
    • MyFaces SecurityContext
  • 27. Acegi-JSF Components
    • Page definition security
    <authz:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
      Components that are only visible to the users that satisfy the requirements here…
      <h:commandButton value="Delete" …/>
    </authz:authorize>
    • ifAllGranted
    • ifAnyGranted
    • ifNotGranted
    <authz:authentication operation="username"/>
  • 28. Facelets Function
    // Spring Security 2.0 imports (the GrantedAuthority[] API used below)
    import org.springframework.security.Authentication;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.context.SecurityContextHolder;

    public static boolean isUserInRole(String roleName) {
        boolean inRole = false;
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        GrantedAuthority[] roles = authentication.getAuthorities();
        for (GrantedAuthority role : roles) {
            if (role.getAuthority().equals(roleName)) {
                inRole = true;
                break;
            }
        }
        return inRole;
    }

    <h:commandButton value="Delete" action="#{bean.delete}" rendered="#{barca:isUserInRole('ROLE_ADMIN')}" />
  • 29. Seam Security
    <h:commandButton action="#{someBackingBean.deleteSomething}" rendered="#{s:hasRole('ROLE_ADMIN')}" />
  • 30. Seam Security
    <h:dataTable value="#{orders}" var="ord">
      …
      <h:column>
        <f:facet name="header">Delete</f:facet>
        <s:link value="Delete Order" action="#{orderController.delete}" rendered="#{s:hasPermission('order','delete',ord)}"/>
      </h:column>
      …
    </h:dataTable>
  • 31. MyFaces SecurityContext
    • EL extension
    • Defaults to Container Managed Security
    • Easy to plug in a custom SecurityContextImpl
    #{securityContext.authType}
    #{securityContext.remoteUser}
    #{securityContext.ifGranted['rolename']}
    #{securityContext.ifAllGranted['rolename1,rolename2']}
    #{securityContext.ifAnyGranted['rolename1,rolename2']}
    #{securityContext.ifNotGranted['rolename1,rolename2']}
    <h:commandButton action="#{someBackingBean.deleteSomething}" rendered="#{securityContext.ifAllGranted['rolename1,rolename2']}" />
  • 32. Custom SecurityContext
    public class MyAwesomeSecurityContextImpl extends SecurityContext {
        public String getAuthType() {
            // return my authtype as string
        }
        public String getRemoteUser() {
            // return current logged in user
        }
        public boolean ifGranted(String role) {
            // check if user in the given role
        }
    }
    <context-param>
      <param-name>org.apache.myfaces.SECURITY_CONTEXT</param-name>
      <param-value>com.my.company.MyAwesomeSecurityContextImpl</param-value>
    </context-param>
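The Facelets function of slide 28 and the custom SecurityContext of slide 32 both need the same thing: a role lookup against Spring Security's thread-bound `Authentication`. The following added example (not the presenter's code; three source files shown together) puts that lookup in one place and uses it from both. Unlike the slide 28 version, it treats a missing or unauthenticated `Authentication` as "not in any role" instead of dereferencing it, which is the difference between a hidden button and a NullPointerException for anonymous visitors. Assumptions: Spring Security 3.x package names (`org.springframework.security.core`, whose `getAuthorities()` returns a collection rather than the array of the 2.0 API on the slide), the Tomahawk base class `org.apache.myfaces.custom.security.SecurityContext` declaring the three abstract methods the slide overrides, the `example.security` package and the `barca` taglib namespace.

```java
// --- file SpringRoles.java (hypothetical package example.security) ---
package example.security;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** Single place that answers identity questions from Spring Security's SecurityContextHolder. */
public final class SpringRoles {

    private SpringRoles() {
    }

    /** True only if an authenticated Authentication is bound to this thread and holds roleName. */
    public static boolean isUserInRole(String roleName) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // No Authentication (anonymous filter disabled, or called outside a request) and
        // unauthenticated tokens both mean "no roles"; slide 28's version would throw here.
        if (auth == null || !auth.isAuthenticated() || roleName == null) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (roleName.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /** The principal name, or null when nobody is authenticated. */
    public static String remoteUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return (auth == null || !auth.isAuthenticated()) ? null : auth.getName();
    }
}

// --- file BarcaFunctions.java: the Facelets function class behind barca:isUserInRole ---
package example.security;

public final class BarcaFunctions {

    private BarcaFunctions() {
    }

    // Facelets calls static functions by reflection, so the class and method must be public
    public static boolean isUserInRole(String roleName) {
        return SpringRoles.isUserInRole(roleName);
    }
}
// Registration in an assumed META-INF/barca.taglib.xml:
//   <facelet-taglib>
//     <namespace>http://example.org/barca</namespace>
//     <function>
//       <function-name>isUserInRole</function-name>
//       <function-class>example.security.BarcaFunctions</function-class>
//       <function-signature>boolean isUserInRole(java.lang.String)</function-signature>
//     </function>
//   </facelet-taglib>

// --- file SpringSecurityContextImpl.java: plugged in via org.apache.myfaces.SECURITY_CONTEXT ---
package example.security;

import org.apache.myfaces.custom.security.SecurityContext; // assumed Tomahawk base class

public class SpringSecurityContextImpl extends SecurityContext {

    public String getAuthType() {
        return "SPRING_SECURITY"; // constructed label; the container's FORM/BASIC value is not used here
    }

    public String getRemoteUser() {
        return SpringRoles.remoteUser();
    }

    public boolean ifGranted(String role) {
        return SpringRoles.isUserInRole(role);
    }
}
```

With the context parameter of slide 32 pointing at `example.security.SpringSecurityContextImpl`, the `#{securityContext.ifGranted['ROLE_ADMIN']}` expressions of slide 31 and the `#{barca:isUserInRole('ROLE_ADMIN')}` function of slide 28 consult the same lookup, so a page cannot end up with two different opinions about the current user.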
  • 33. Protect the ViewState
    <input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="cjnoN2li7kqi8Z2WbOa811eyyZ3UHh2K56Gg6gQszNDFicizAEsfAahhbsLly/n77sA5+Qfp3HR/nuDxQ62wnmwBjJ4RAKf4R++/cXW /6+iBp3BCjEJEyaYamWpbwrEaff4JIBH95NBpeV+NxAA/ajo21eqj2HB6LsUfA/jOjGVoNhvb/wEbUdAhW7q64qj0QUFLKoKLxmP1y4ZE2O ffr5SFQZBOOJDgQ219TiC2mMmOGpYJkyda5gf8fSBzHIjTJtMpkoPyBhuBp3BCjEJEyXJRPvnqCGSDcCbEtYQi9lx7B74ivhUaCnn2c0Jf3 3AWzMZafd4RNF495qXRBsegWA0ZGpQWr/pe/hNJf2fEUOCwfNk/xPZNlKz8QmN0iarCTQTGXQUZh8aZKX3uFxSPynZ5nz1be+hzqZ5 HcMBKR6zG++byQ1lmXPvJOwLEzGZ2gJBkPY95iKWXqkldrEj87AtO0GvWKkE+V46kbWZ2hpmETVQZzkdqLi0j6nW5LnDfXfT9GCUNs wqgMEhjknsobneBwGULiZ7ix43qkMIXlJ0YYESCRkdc57DY5lYzQY/W26Dxt8JGgGwkj9LAbJs03bMPAahnWEpxeeseC4TvtW809acOZj XJ/3O3at/Mdqyu14mxtt2t5e5DSNLmAqgXXSHmUGEYznwQOS9KyLsBTpFUYDQe0MDREW1NzChacqWBkD10DopxLJ+HDAEuD85bV /iYHJz3NQlzSPJwaGEbp8PlbVVn/YdMtV/elpZmX34kj/rC1o0CiAc68+VrTHIPwhs4q8DYvcQTEgB+6hgWx5G6TkwrRhb9m0B98DSaU3Lx du7UJaXOafbaEjXSEyWiD8ZW0PywLECX1UtWwQ3lxKXXibG23a3l7kNI0uYCqBddi6ETJipf4L/lvDjBDcQHeUBdU2Kl/sQnpJU+kqlHNe+ 0j0ilVnF04Q5OFWpmZIp1dso7ZLgQbkpUG/7K5RR0CtfzUc+sJzIQZmV4/1DwdqXjG2z3+VQNWgP0yz9PbwB2YzeJki6CbMuNWrW5Yo8 MwLtBaF2HGEB7MR6SP0wx4IoA28lSdx2HsSThYKP/O8kW3qyokVzYupYWNcHddqlK6Nu2bzFICQ2DtbnzrTFOD/MPRsM45Xce4hXQ7 D23T9BaBsIhHCyErpSfr+veeLLUqr6AqodKRwOCiyWPOPLoenvrsH388cbZqcv3W1RIgOM5YAqfgzrbNbZcxtA9fFGskT+VNArlJp7MY2Zt ORGP/z4apxqvV+IJXwOdOtK6xuHH3e+QjOSqc/GOxadVsmET+jLv72lP+tN9Du3Rn9EkkRUgl/bNuabOAZaDtacU2qTh/fKtiHZe6gEyqz2 XwH2dIdSbemJc0889xiBEZqBgOESYQ22cVFOOxNTwHxlat63brvaxQdx0wSYsFlYHTMwo/qVs49VhOu2DHokq5xNbrZ//rpVt3XMqe+X5 yD30S2vur+xawTZjTYlmSorxONvTwvjFLiftnMe9ieA2XcRf2Qbws+smPawkBKEtAOXiiLAp3hIb33FrYxDYVoEChnmQc+DMzxNlOw3zaJ MykZRn6oy0AomUxUdxI2kGlCVOHejxQnBDvmj6XAsYSzlrbJN+FidIfTYpkV3e0cDIW8rHsiTatBZWL3zmu0YI1JyLAVQw8+a0n/+1yAVCT 6J+NhfDo6UdiC9Ilyws7TtDXQhssR3qoh9x17Nxlif/LOBU817V6Ip/Y+eyLjYgs/fnEaxgdeW8OMENxAd5cqlB1zDTb+dUn6Vk/yis6RGMAX1 UAVou7uRDmYV0TtZKFttVdlyTjfp5Q5F0Tsj4qzw+vDTlYWbf7hrD1TosZGsbT6Mc9obUgkSsULRUr/eCRKxQtFSv94JErFC0VK/3prA0Mc Ldt5A0fhuQAXRbLOB+tk5wheoIGO390JZB08jJAso9qbBLvdfzUc+sJzIQZmV4/1DwdqU5XLWwZnjkhp82k0VBRHmxnoTdDbCj4eWbUK6 PiWsmY45zzkmNPnEkcj6dL1XByNR++RYWIXMIHvQULVqI+6gSQrrgKnOqESqFDaWpLPzgKORF9t+3+sQzXpj6O42fVIYewkG+d/LfFV C6IQuOrZIA/HSrCzJcAUhuNAc6UCH/zvVkucTURgX/mJGk1QFJZCDR3dQvrdm0gkhCZKzNWfEYpoGjAhKICqbugdxmuLZQbqW0qYiPn CeOPTHL3QbIpfoZ/GHI/z4himtRXVRLML+5NyB2zY5gCFkLE1ndMjTdMGDpmu9tJOqUsmfHADUrVXiF58GlBNEiwUL8hxxTB30vWPCS mt5ZNuML57GU98tciku9zMr9RZF042UTURw0RNvg5d3FpSVK6iuF5MRKSfkQs6zPN1m1JXj6tq4jBjWZ4l10TKWvM45qwYwB1/9Uk6wb gDeawD1AXpX/lFLKOgPz2bRzp62oQJknhKfANxS8NX6FbUoeEbq8UCvndmMVg1mRBD8AAeZ+aejfKFoACLDXlY0hy1RisbE/kMDSpxP /D+j7V/RdhJO+0eszWvJJtNPs2swsZzoK4hjt/dCWQdPI/71KpGQim5xlqjHjHY4mDGZleP9Q8Hal88oxKykFUQYDEQ3KRz675N28vIu+Rt 7AybDcnlzTi+YbOKvA2L3EExIAfuoYFseRCQzwdnhDhIoZ8NDazCdYM8p2H3t46MR2rMsR+B0Q6Izbtm8xSAkNgzlihd3SqMtOVuj07dMZ FhXIWaExKordOT96wcyFY3hLqImCn+z/U0SFUFoQZvLd+NN5nRpZ306hMq+VDqbwXh4IBAOYAzwHZo8jCDrfGHs7DYKb34rSHlMnPT Yk1MTgY2274j9ci5o1CAQDmAM8B2ZX62EUfdC6sJpjOWqdcwBfPofXChsPp82sx//RPwgu6y9nXdc4RLxtAo64SXmcdzKJXAMTvWO3xs b75vJDWWZcbbviP1yLmjUIBAOYAzwHZrrqBsyYPolmbjgXhK2KMvrWFOtn0nQne/O3AKPReE70WiloiJgp0WZCcEO+aPpcC1eyyZ3UHh 2KV/gOQ+q4Q7PBdBhadxtM+pWXQJfDPX9K3T/QjJykD7a4vEyF0rrpfH681LoX50+YgkSsULRUr/eCRKxQtFSv9589YNTYpEoSmmChJ1 cujHKbQDA6ApqouhzFPZN1RXmspR2IL0iXLCxwBmf6k7hYMeqiH3HXs3GW+yfPXMCEGAHoin9j57IuNum608SbPOCr9c/wJwAXAev7x k/N7Gn0FfWRhlVfpdYSGzirwNi9xBMSAH7qGBbHkdQFKnbYQ80DjnPOSY0+cSRyPp0vVcHI1MwwOB6mohdlzFJnDPSn3W9hJzQXrQy OiVVQOut45pL+PULx/inIPznHECBqgvm5ECbe6WdfeFnfxIW5JaekPaEUbGwU6i3uqLKDHYb58r/IxlDcqoIvU7KUTRSh3NKV7m0wAtPa HaYoPIWJOpZof+SCRKxQtFSv93H9+08c8xaRmmChJ1cujHKM6oQT0D3hjZxxwQB7wM7MtSxrTlWiv+ocs46hAgrz4w==" />
  • 34. ViewState Encryption
    • Turned on by default
    • Several algorithms, default: DES
    <context-param>
      <param-name>org.apache.myfaces.secret</param-name>
      <param-value>NzY1NDMyMTA=</param-value>
    </context-param>
    <context-param>
      <param-name>org.apache.myfaces.algorithm</param-name>
      <param-value>Blowfish</param-value>
    </context-param>
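The value of `org.apache.myfaces.secret` is the base64-encoded key MyFaces uses to encrypt the serialized state of slide 33, so its quality decides whether the encryption protects anything. The secret on the slide, `NzY1NDMyMTA=`, decodes to the ASCII string `76543210`: eight typed characters, which is exactly one DES key's worth of guessable bytes. The following added example (not the presenter's code) generates key material the way a practitioner should, with `javax.crypto.KeyGenerator` and `SecureRandom`, and inspects an existing secret so a reviewer can tell a typed password from random bytes. The class name is an assumption; key sizes are passed in because Blowfish accepts a range of lengths.

```java
package example.security; // hypothetical package, not from the slides

import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Helpers for the org.apache.myfaces.secret context parameter (base64-encoded raw key bytes). */
public final class ViewStateSecret {

    private ViewStateSecret() {
    }

    /**
     * Fresh random key for the JCE algorithm named in org.apache.myfaces.algorithm,
     * base64-encoded for the context parameter. keyBits must be valid for that algorithm
     * (AES: 128/192/256, Blowfish: 32..448 in multiples of 8).
     */
    public static String generate(String algorithm, int keyBits) throws NoSuchAlgorithmException {
        KeyGenerator generator = KeyGenerator.getInstance(algorithm);
        generator.init(keyBits, new SecureRandom());
        SecretKey key = generator.generateKey();
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    /**
     * Describes a configured secret: its length in bytes and, when every byte is printable
     * ASCII, the text it spells. A secret that spells a word was typed, not generated.
     */
    public static String inspect(String base64Secret) {
        byte[] raw = Base64.getDecoder().decode(base64Secret);
        boolean printable = raw.length > 0;
        for (byte b : raw) {
            if (b < 0x20 || b > 0x7e) {
                printable = false;
                break;
            }
        }
        if (printable) {
            return raw.length + " bytes, printable ASCII: \""
                    + new String(raw, StandardCharsets.US_ASCII) + "\"";
        }
        return raw.length + " bytes, binary";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("slide secret: " + inspect("NzY1NDMyMTA="));
        System.out.println("Blowfish (128-bit): " + generate("Blowfish", 128));
        System.out.println("AES (128-bit):      " + generate("AES", 128));
    }
}
```

The generated string goes into `<param-value>` of `org.apache.myfaces.secret`, with `org.apache.myfaces.algorithm` set to the algorithm it was generated for; because the key is in web.xml, that file deserves the same handling as any other credential store. Encryption alone does not detect modification of the hidden field; MyFaces 2.x adds a MAC over the state, configured through `org.apache.myfaces.MAC_SECRET` (and `org.apache.myfaces.MAC_ALGORITHM`), and that secret should be generated the same way.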
  • 35. The End • cagatay@apache.org • http://www.prime.com.tr/cagataycivici • PlayStation3 online id: facescontext
