Octopus
Java EE Security Framework
Concepts
• Authentication
– validating the identity of a user
• Authorization
– whether a user is allowed to execute a cer...
Security
• Standards
– Only role based
• Not good
– Documentation (which role is allowed to do
what)
– Change (redeploymen...
Permission based
• Each (group) action(s)
– Associated with a permission
• User need permission to execute it
• Very compl...
Octopus
• Permission based
• Declarative
• Secures
– URL, JSF Components, CDI, EJB
• CDI integrated
Configuration
• Jar File (maven artifact)
– <dependency>
<groupId>be.c4j.ee.security</groupId>
<artifactId>octopus</artifa...
octopusConfig.properties
• All configuration options of framework
• Required options have default values
• Empty file
– On...
SecurityDataProvider
• Supply authentication and authorization
information to Octopus
• AuthenticationInfo
getAuthenticati...
login.xhtml
• No requirements imposed by Octopus
• Fields
– #{loginBean.username}
– #{loginBean.password}
– #{loginBean.do...
getAuthenticationInfo()
• token.getUsername()
– User name entered in login screen
• Return null if user name is not known
...
AuthenticationInfoBuilder
• principalId(Serializable)
– Unique identification of user, used in authorization call
• name(S...
getAuthorizationInfo()
• principals.getPrimaryPrincipal().getId()
– Id of user supplied during authentication
• Authorizat...
AuthorizationInfoBuilder
• addPermission()
• addPermissions()
• Supply permissions for user
Named permission
• Based on Apache Shiro domain permission
• Domain permission
– Domain
• Functional area of your applicat...
Domain permission
• Example
– Department:read:*
• * is wildcard
• Used in verifying if user has permission
– User is permi...
Domain permission(2)
• Multiple values allowed
– Department:read,update:*
Named permission ?
• Assign useful name to permission
• Named can be constant of Enum
• Configuration needed in octopusMod...
Define named permission
• enum DemoPermission implements NamedPermission {
DEPARTMENT_READ, EMPLOYEE_READ_INFO //…
}
• nam...
Define named permission (2)
• @ApplicationScoped @Produces
public PermissionLookup<DemoPermission>
buildLookup() {
List<Na...
Protect URL
• Specify which URL needs to be protected
• Define in securedURLs.ini
• /pages/** = user
• All pages within pa...
Protect URL
• /pages/department/** = user, namedPermission[xxx]
• Pages requires authentication and the named
permission x...
Protect JSF component
• <sec:securedComponent
permission="DEPARTMENT_CREATE"/>
• Can be placed inside any JSF component
• ...
Protect JSF component (2)
• <sec:requiresUser />
• Only authenticated persons see component
• Inverse of rule
• not=“true”...
Protect EJB method
• Annotation based
• @RequiresUser
• Custom annotation for named permissions
– @DemoPermissionCheck(Dem...
Custom annotation for security
• public @interface DemoPermissionCheck {
DemoPermission[] value();
}
• namedPermissionChec...
Custom voters
• extends AbstractGenericVoter
• checkPermission(InvocationContext
invocationContext, Set<SecurityViolation>...
Custom voters (2)
• Set<SecurityViolation> parameter
– Put violations messages, empty means allowed
• this.userPrincipal
–...
Custom voters and URL
• /pages/updateSalary.xhtml = user,
voter[employeeSalaryUpdateVoter]
• this.hasServletRequestInfo(In...
Custom voters and EJB methods
• this.checkMethodHasParameterTypes(Set<SecurityViolati
on>, InvocationContext, Class<?>…)
–...
• this.getAssignableParameter(InvocationContext,
Class<T>[, int])
– Get parameter value of method call
– Optional position...
Using custom voters on EJB
• @CustomVoterCheck(EmployeeSalaryUpdateVoter.class)
Custom voters on JSF component
• <sec:securedComponent
voter="employeeSalaryUpdateVoter" >
• Voter is the @named CDI bean
Custom voters on JSF component
• Dynamic parameters
• <sec:securedComponent voter="employeeSalaryUpdateVoter" >
<sec:secur...
Upcoming SlideShare
Loading in …5
×

Octopus framework; Permission based security framework for Java EE

1,180 views

Published on

Octopus framework for using permission based security in your Java EE app capable of securing URL, JSF components and CDI and EJB methods with the same security voters.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,180
On SlideShare
0
From Embeds
0
Number of Embeds
20
Actions
Shares
0
Downloads
9
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Octopus framework; Permission based security framework for Java EE

  1. 1. Octopus Java EE Security Framework
  2. 2. Concepts • Authentication – validating the identity of a user • Authorization – whether a user is allowed to execute a certain action • Permission • User/Principal
  3. 3. Security • Standards – Only role based • Not good – Documentation (which role is allowed to do what) – Change (redeployment because we changed role assignments to method)
  4. 4. Permission based • Each (group) action(s) – Associated with a permission • User need permission to execute it • Very complex system – User can be assigned to group – Permissions are assigned to the group
  5. 5. Octopus • Permission based • Declarative • Secures – URL, JSF Components, CDI, EJB • CDI integrated
  6. 6. Configuration • Jar File (maven artifact) – <dependency> <groupId>be.c4j.ee.security</groupId> <artifactId>octopus</artifactId> <version>0.9.3</version> </dependency> • octopusConfig.properties • CDI bean implements SecurityDataProvider • WEB-INF/securedURLs.ini • ejb-jar.xml
  7. 7. octopusConfig.properties • All configuration options of framework • Required options have default values • Empty file – Only authentication for URL
  8. 8. SecurityDataProvider • Supply authentication and authorization information to Octopus • AuthenticationInfo getAuthenticationInfo(UsernamePasswordToken token); • AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals);
  9. 9. login.xhtml • No requirements imposed by Octopus • Fields – #{loginBean.username} – #{loginBean.password} – #{loginBean.doLogin} • actionListener for the login • Std JSF messages in case of errors
  10. 10. getAuthenticationInfo() • token.getUsername() – User name entered in login screen • Return null if user name is not known • AuthenticationInfoBuilder – For easier instantiation of method result
  11. 11. AuthenticationInfoBuilder • principalId(Serializable) – Unique identification of user, used in authorization call • name(String) – Display name for user • password(Object) – Password for user • salt(ByteSource) – For salted hashed passwords • addUserInfo – Additional info usefull for custom permission checks
  12. 12. getAuthorizationInfo() • principals.getPrimaryPrincipal().getId() – Id of user supplied during authentication • AuthorizationInfoBuilder • For easier instantiation of method result
  13. 13. AuthorizationInfoBuilder • addPermission() • addPermissions() • Supply permissions for user
  14. 14. Named permission • Based on Apache Shiro domain permission • Domain permission – Domain • Functional area of your application – Action • Some action within the domain – Target • Restriction on what items action is allowed • No interpretation, just strings
  15. 15. Domain permission • Example – Department:read:* • * is wildcard • Used in verifying if user has permission – User is permitted to execute Required permission User permission Department:read:* Department:*:*
  16. 16. Domain permission(2) • Multiple values allowed – Department:read,update:*
  17. 17. Named permission ? • Assign useful name to permission • Named can be constant of Enum • Configuration needed in octopusModule
  18. 18. Define named permission • enum DemoPermission implements NamedPermission { DEPARTMENT_READ, EMPLOYEE_READ_INFO //… } • namedPermission.class = be.c4j.demo.security.permission.DemoPermission
  19. 19. Define named permission (2) • @ApplicationScoped @Produces public PermissionLookup<DemoPermission> buildLookup() { List<NamedDomainPermission> allPermissions = permissionService.getAllPermissions(); return new PermissionLookup<DemoPermission> (allPermissions, DemoPermission.class); } • Mapping between enum and domain permisions.
  20. 20. Protect URL • Specify which URL needs to be protected • Define in securedURLs.ini • /pages/** = user • All pages within pages directory (and subdirectories now requires authentication
  21. 21. Protect URL • /pages/department/** = user, namedPermission[xxx] • Pages requires authentication and the named permission xxx – xxx = value of enum class • np instead of namedPermission also allowed
  22. 22. Protect JSF component • <sec:securedComponent permission="DEPARTMENT_CREATE"/> • Can be placed inside any JSF component • Component only shown when user has permission
  23. 23. Protect JSF component (2) • <sec:requiresUser /> • Only authenticated persons see component • Inverse of rule • not=“true” attribute – On securedComponent and requiresUser
  24. 24. Protect EJB method • Annotation based • @RequiresUser • Custom annotation for named permissions – @DemoPermissionCheck(DemoPermission.DEPARTMENT_CR EATE
  25. 25. Custom annotation for security • public @interface DemoPermissionCheck { DemoPermission[] value(); } • namedPermissionCheck.class = be.c4j.demo.security.permission.DemoPermissionCheck
  26. 26. Custom voters • extends AbstractGenericVoter • checkPermission(InvocationContext invocationContext, Set<SecurityViolation> violations) { • @Named – Needed for securing JSF components
  27. 27. Custom voters (2) • Set<SecurityViolation> parameter – Put violations messages, empty means allowed • this.userPrincipal – Current user info • this.newSecurityViolation(String) – Create violation, for adding to the Set
  28. 28. Custom voters and URL • /pages/updateSalary.xhtml = user, voter[employeeSalaryUpdateVoter] • this.hasServletRequestInfo(InvocationContext) – Called from within URL context? • this.getURLRequestParameter(InvocationContext, String) – Get URL parameter
  29. 29. Custom voters and EJB methods • this.checkMethodHasParameterTypes(Set<SecurityViolati on>, InvocationContext, Class<?>…) – Check if method has correct type of parameters – If not, additional entry in Set • this.verifyMethodHasParameterTypes(InvocationContext, Class<?>…) – As above, but return boolean – When multiple methods with different parameter types are supported
  30. 30. • this.getAssignableParameter(InvocationContext, Class<T>[, int]) – Get parameter value of method call – Optional position can be used if multiple parameters has same type (0-based)
  31. 31. Using custom voters on EJB • @CustomVoterCheck(EmployeeSalaryUpdateVoter.class)
  32. 32. Custom voters on JSF component • <sec:securedComponent voter="employeeSalaryUpdateVoter" > • Voter is the @named CDI bean
  33. 33. Custom voters on JSF component • Dynamic parameters • <sec:securedComponent voter="employeeSalaryUpdateVoter" > <sec:securedComponentParameter value="#{employeeBean.employee.id}" /> </sec:securedComponent> </sec:securedComponent> • #{employeeBean.employee.id} – Becomes the single parameters which can be retrieved by getAssignableParameter()

×