  1. Web Application Security – Using Oracle products as an example

  2. Syllabus
     • It seems that organizations are taking security more and more seriously these days. One motivator is avoiding embarrassment, which can collapse an organization in a hurry. The architecture of a web-based application has a number of complexities when it comes to implementing security properly. Jonathan will talk about some of these complexities and identify a number of considerations that can save you time and money. In particular, he will explain how the Oracle suite of products integrates, and use that as a concrete example. Architects, developers, and DBAs will learn from topics such as virtual private databases, single sign-on, cookies, Hibernate interactions, and role-based security.

  3. Setting the stage …
     • Who is in the audience? Which one are you?
       • Architect
       • Database Administrator (DBA)
       • Developer
         • Java
         • Other
       • Other
     • Goals:
       • General understanding
       • Advice related to security in a web application
       • Drill into some unobvious specifics
     • Questions?

  4. What’s the big deal? We have some challenges …
     • Technology is more susceptible and more complicated
       • unwanted system access
       • localized damage
       • global damage
       • how do decision makers respond to pain? ~~ rational thinking
     • Data (and process) ownership trends
       • Silos → Sharing
       • Terminology confusion ~~ talk about the same thing: Einstein quote
       • Organizations → Products AND Services
     • Potentially huge costs, time and $$$$
       • Educate and then ask, “are you sure?”

  5. Legal stuff …
     • Legal questions can delay a project
       • submit questions as early as possible
       • get feedback as early as possible
       • legal requirements are hard and fast – know them early to avoid expensive rework

  6. LEAN / Agile / Manage … Did someone say something about Security?

  7. Web Application Architecture
  8. Step 1
     • www.TeenagerExpenses.mb.ca
     • Ask the Domain Name Server to provide a machine-readable address, called an Internet Protocol (IP) address

  9. Step 2
     • www.TeenagerExpenses.mb.ca = 233.168.324.234

  10. Step 3
     • Reverse Proxy (Oracle’s WebCache)
       • Guard at the door into the architecture
       • In the middle of the DMZ sandwich
     • Robust solutions include:
       • Caching of static “public” content (picture files, JavaScript)
       • Load balancing
       • Decryption of HTTPS requests … more on that later

  11. Step 4
     • The Web Application Server is the brains with all the business logic – it knows what to do with the HTTP GET request

  12. Step 5
     • The server first needs a list of teenagers, so it gets it from the server responsible for persisting information

  13. Step 6
     • Teenager result set:
       • Raelene
       • Jenna

  14. Step 7
     • Let’s send an HTTP response of HTML:
         <Label>Teenager Name:</Label>
         <SelectionBox>
           <Selection>Raelene</Selection>
           <Selection>Jenna</Selection>
         …

  15. Step 8

  16. Step 9

  17. Web Application Architecture

  18. Web Application Architecture

  19. Audit Columns
     • Every table in the database includes the following columns:
       • A_CREATED_BY
       • A_CREATED_TIMESTAMP
       • A_MODIFIED_BY
       • A_MODIFIED_TIMESTAMP
     • Know the effects of the Sarbanes-Oxley Act
     • Create a companion history table for every table in the database. It will be a complete history of “snapshots”. These tables have the exact same columns plus a timestamp column. (Data is almost free!)
  20. Web Application Architecture
     We are now going to concentrate on the database. We will talk about:
     • Virtual Private Databases
     • Oracle Label Security

  21. Database Tables
     • TEENAGER
         TEENAGER_ID  TEENAGER_NAME
         1            Raelene
         2            Jenna
     • EXPENSE
         TEENAGER_ID  DETAILS     AMOUNT  DATE
         1            Cell        45.00   Oct 1
         1            Gum          1.35   Oct 6
         2            Help Haiti   4.00   Oct 8

  22. Raelene is allowed to see this …
     (the tables from slide 21 again; Raelene may see the rows with TEENAGER_ID = 1)

  23. Jenna is allowed to see this …
     (the tables from slide 21 again; Jenna may see the rows with TEENAGER_ID = 2)

  24. A VPD
     • A Virtual Private Database (VPD) restricts access on horizontal slices (rows)
     • Oracle Label Security is an implementation of a VPD

  25. Who can view/edit what data?
     • Label Security allows you to create a policy on the TEENAGER_ID:
         TEENAGER_ID = 1 (Raelene) → label 100 → Raelene
         TEENAGER_ID = 2 (Jenna)   → label 200 → Jenna
         Parents → god-like access

  26. Database Tables with Label Security column added …
     • TEENAGER
         TEENAGER_ID  TEENAGER_NAME
         1            Raelene
         2            Jenna
     • EXPENSE
         TEENAGER_ID  DETAILS     AMOUNT  DATE   LS_TEENAGER
         1            Cell        45.00   Oct 1  100
         1            Gum          1.35   Oct 6  100
         2            Help Haiti   4.00   Oct 8  200

  27. Jenna will get a different answer than Raelene and the Parents!
     • The query typed in:
         SELECT sum(amount) FROM EXPENSE
     (tables as on slide 26)

  28. Jenna will get a different answer than Raelene and the Parents!
     • … and under the covers the query becomes:
         SELECT sum(amount) FROM EXPENSE WHERE LS_TEENAGER IN (100)
     (tables as on slide 26)

  29. Parents type in …
         SELECT sum(amount) FROM EXPENSE
     (tables as on slide 26)

  30. … and this is what happens under the covers:
         SELECT sum(amount) FROM EXPENSE WHERE LS_TEENAGER IN (100, 200)
     (tables as on slide 26)

  31. DBMS Triggers are used for INSERTs and UPDATEs
     • The application issues:
         INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, DATE) VALUES (2, ‘Book Fine’, 1, Oct 16)
     • Oracle Label Security auto-generated a DBMS trigger on the EXPENSE table. The trigger calculates 200 based on TEENAGER_ID.
     • EXPENSE afterwards:
         TEENAGER_ID  DETAILS     AMOUNT  DATE    LS_TEENAGER
         1            Cell        45.00   Oct 1   100
         1            Gum          1.35   Oct 6   100
         2            Help Haiti   4.00   Oct 8   200
         2            Book Fine    1.00   Oct 16  200  ← calculated by DBMS trigger
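The mechanism of slides 19 to 31 (audit columns, a companion history table, a label column the client never writes, a session predicate appended to the application's own query, and a trigger that derives the label from TEENAGER_ID) can be seen end to end in a small SQLite simulation. This is an added example, not Oracle's code: Oracle Label Security generates the predicate and the trigger itself, whereas here both are written by hand so the moving parts are visible. The session-to-label mapping (SESSION_LABELS), the label formula TEENAGER_ID * 100, the EXPENSE_ID and EXP_DATE columns and the sample rows are assumptions constructed to match the slides' numbers.

```python
"""SQLite simulation of the slides' database layer (added example, not
Oracle's code).  Assumed: SESSION_LABELS, the label formula
TEENAGER_ID * 100, and the EXPENSE_ID / EXP_DATE column names."""
import sqlite3

SCHEMA = """
CREATE TABLE TEENAGER (
    TEENAGER_ID   INTEGER PRIMARY KEY,
    TEENAGER_NAME TEXT NOT NULL
);
CREATE TABLE EXPENSE (
    EXPENSE_ID           INTEGER PRIMARY KEY,
    TEENAGER_ID          INTEGER NOT NULL REFERENCES TEENAGER(TEENAGER_ID),
    DETAILS              TEXT NOT NULL,
    AMOUNT               REAL NOT NULL,
    EXP_DATE             TEXT NOT NULL,
    LS_TEENAGER          INTEGER,        -- label column, written only by the trigger
    A_CREATED_BY         TEXT NOT NULL,  -- audit columns from slide 19
    A_CREATED_TIMESTAMP  TEXT NOT NULL,
    A_MODIFIED_BY        TEXT NOT NULL,
    A_MODIFIED_TIMESTAMP TEXT NOT NULL
);
-- Companion history table: the same columns plus a snapshot timestamp.
CREATE TABLE EXPENSE_HIST AS SELECT *, '' AS H_TIMESTAMP FROM EXPENSE WHERE 0;
-- Stand-in for the trigger Label Security generates: the label is derived
-- from TEENAGER_ID, so a client cannot pick a label of its own choosing.
CREATE TRIGGER EXPENSE_STAMP_LABEL AFTER INSERT ON EXPENSE
BEGIN
    UPDATE EXPENSE SET LS_TEENAGER = NEW.TEENAGER_ID * 100
     WHERE EXPENSE_ID = NEW.EXPENSE_ID;
END;
-- Every UPDATE (including the label stamp above) leaves a full snapshot behind.
CREATE TRIGGER EXPENSE_SNAPSHOT AFTER UPDATE ON EXPENSE
BEGIN
    INSERT INTO EXPENSE_HIST
    SELECT *, datetime('now') FROM EXPENSE WHERE EXPENSE_ID = NEW.EXPENSE_ID;
END;
"""

# Labels each session may read (assumed; in Oracle these come from the user's
# Label Security authorizations, never from the application or the request).
SESSION_LABELS = {"raelene": {100}, "jenna": {200}, "parents": {100, 200}}


def session_predicate(user):
    """The WHERE clause the policy layer appends 'under the covers'."""
    labels = ", ".join(str(label) for label in sorted(SESSION_LABELS[user]))
    return "WHERE LS_TEENAGER IN (%s)" % labels   # trusted ints, not request input


def sum_expenses(conn, user):
    """The application only writes 'SELECT sum(amount) FROM EXPENSE'."""
    sql = "SELECT COALESCE(SUM(AMOUNT), 0) FROM EXPENSE " + session_predicate(user)
    return conn.execute(sql).fetchone()[0]


def add_expense(conn, actor, teenager_id, details, amount, exp_date):
    """The INSERT never mentions LS_TEENAGER; the audit columns name the actor."""
    conn.execute(
        "INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, EXP_DATE, A_CREATED_BY,"
        " A_CREATED_TIMESTAMP, A_MODIFIED_BY, A_MODIFIED_TIMESTAMP)"
        " VALUES (?, ?, ?, ?, ?, datetime('now'), ?, datetime('now'))",
        (teenager_id, details, amount, exp_date, actor, actor))
    conn.commit()


def update_amount(conn, actor, details, amount):
    """An UPDATE touches the modified-by audit columns and triggers a snapshot."""
    conn.execute("UPDATE EXPENSE SET AMOUNT = ?, A_MODIFIED_BY = ?,"
                 " A_MODIFIED_TIMESTAMP = datetime('now') WHERE DETAILS = ?",
                 (amount, actor, details))
    conn.commit()


def label_of(conn, details):
    return conn.execute("SELECT LS_TEENAGER FROM EXPENSE WHERE DETAILS = ?",
                        (details,)).fetchone()[0]


def history_amounts(conn, details):
    """Snapshots recorded for one expense, oldest first."""
    rows = conn.execute("SELECT AMOUNT FROM EXPENSE_HIST WHERE DETAILS = ?"
                        " ORDER BY rowid", (details,)).fetchall()
    return [row[0] for row in rows]


def build_db():
    """Constructed sample data matching the slides' tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO TEENAGER VALUES (?, ?)", [(1, "Raelene"), (2, "Jenna")])
    add_expense(conn, "raelene", 1, "Cell", 45.00, "Oct 1")
    add_expense(conn, "raelene", 1, "Gum", 1.35, "Oct 6")
    add_expense(conn, "jenna", 2, "Help Haiti", 4.00, "Oct 8")
    return conn


if __name__ == "__main__":
    db = build_db()
    for who in ("raelene", "jenna", "parents"):
        print(who, session_predicate(who), "->", sum_expenses(db, who))
    add_expense(db, "jenna", 2, "Book Fine", 1.00, "Oct 16")
    print("Book Fine label stamped by trigger:", label_of(db, "Book Fine"))
```

Two points the slides make are visible here: the application's statement contains no filter at all, so a forgotten WHERE clause in application code cannot widen what a session sees, and the label on a new row is computed from TEENAGER_ID by the trigger rather than supplied by the client, which is why an INSERT that omits LS_TEENAGER still lands in the right slice.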
  32. Label Security can have up to 3 groupings
     (diagram: the TEENAGER_ID grouping with label 100 for TEENAGER_ID = 1 and 200 for TEENAGER_ID = 2, and a second grouping on EXPENSE_TYPE with the groups Younger Siblings, Teenagers and Grandparents and the values 8, 8,000 and 770,000)

  33. Take a break …
     • A story about University …
  34. Web Application Architecture

  35. LDAP – Oracle OAM & OID
     • LDAP = Lightweight Directory Access Protocol
     • Oracle Internet Directory (OID) is an implementation of directory services, LDAPv3
     • Oracle Access Manager (OAM) enforces policies and works with OID
     • Watch out for your firewall settings – timeouts
     • Active Directory can “connect”
       • DIP transfers names and passwords

  36. Oracle LDAP Components
     All the “green” servers support the LDAP responsibilities. Oracle Access Manager (OAM) is the main interface to the outside world. However, the “purple” Oracle Database has some direct connections with Oracle’s LDAP (OID), probably for performance reasons. In theory, the dashed lines below were not really necessary. The two columns of “green” servers indicate that they can be clustered, and the set of servers can be in different locations.

  37. Web Application Architecture – How does the LDAP interact with the Web Application Server?

  38. Oracle LDAP Interfaces

  39. Web Application Architecture

  40. Simplified Web Application Architecture

  41. Simplified Web Application Architecture
     • HTTP Server – Oracle’s MOD_OC4J
     • Web Application Container – Oracle’s OC4J … and soon WebLogic
  42. Web Server interactions with LDAP – The “Happy Path” …
     The browser makes an HTTP request (interaction #1). The HTTP Server looks at this request and asks the LDAP access services whether this request is allowed to proceed (interaction #2). If the answer is positive, it passes the request on to the destination (interaction #3).

  43. Web Server interactions with LDAP – The “Happy Path” continued …
     In this “Happy Path” scenario the user has already authenticated (i.e. logged in). Oracle can place authentication data in HTTP headers and/or in cookies. It gives information about the user ID, expiry time, etc. [Refer to interactions #1 & #3]

  44. Web Server interactions with LDAP – The “Happy Path” continued …
     The authorization rules are enforced in two different places:
     • Interaction #2 – can protect basic requests, such as URL requests that start with www.TeenagerExpenses.mb.ca/expenses
     • Interaction #4 – using LDAP queries, it can look up more fine-grained permissions, such as www.TeenagerExpenses.mb.ca/expenses/expense_details.jsp

  45. Authorization and Role-based Security

  46. Web Server interactions with LDAP – The “Happy Path” continued …
     The authorization rules are enforced in two different places:
     • Interaction #2 – basic requests, based on OAM policies
     • Interaction #4 – fine-grained, based on LDAP queries / role-based security
     Decide which interaction is responsible for what, early in the project!

  47–48. Authorization and Role-based Security: User – Role – Feature
     • Can be tricky. You can’t control the number of users, but you can control the number of roles and features.
     • Roles – configure roles and role names to match the actual physical business processes; people need to understand them. Be ready to refactor!

  49. Authorization and Role-based Security
     • Features – pick the number of features wisely; keep them to a minimum and understandable.
         Fine-grained control  ↔  Coarse-grained control
         Complicated           ↔  Simple
     • Ask questions! Find out what the real requirement is. “Are you sure?” “Can this one feature represent both the search and the detail page?” “How easy is it to test?”

  50. Web Server interactions with LDAP – The “Unhappy Path” …
     The “unhappy” path is one where the user has not logged in yet. The Web Application Container can have two applications:
     • The OAM Single Sign-On (SSO) “helper” application, which includes these pages: login, logout, and not authorized
     • The business application, such as the “expenses” test application
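The two enforcement points of slides 42 to 50 (a coarse URL-prefix policy checked by the HTTP server at interaction #2, a fine-grained User → Role → Feature lookup inside the application at interaction #4, and the redirect to the SSO login page on the "unhappy path") are easiest to reason about when both are written down as code. The following is an added example, not OAM or Oracle code: all policy data, the user, role and feature names, the page paths and the SSO page locations are constructed for the demo, and the directory lookup is replaced by in-memory dictionaries.

```python
"""Two-tier authorization from the slides (added example, not OAM code).
coarse_check() plays interaction #2, fine_check() plays interaction #4.
All policy data, users, roles, features and page paths are constructed."""
from urllib.parse import urlsplit

SSO_LOGIN = "/sso/login"                 # pages of the SSO "helper" application
NOT_AUTHORIZED = "/sso/not_authorized"   # (assumed locations)

# Interaction #2 policy (constructed): URL prefix -> rule.  The longest matching
# prefix wins; "anonymous" needs no login, "authenticated" needs any login,
# "role:x" needs role x.  Anything with no matching prefix is denied.
COARSE_POLICY = {
    "/public/": "anonymous",
    "/expenses/": "authenticated",
    "/admin/": "role:parent",
}

# Interaction #4 data (constructed): what the directory lookup would return.
USER_ROLES = {"raelene": {"teenager"}, "jenna": {"teenager"}, "mom": {"parent"}}
ROLE_FEATURES = {
    "teenager": {"expense.search", "expense.detail"},
    "parent": {"expense.search", "expense.detail", "expense.approve", "user.manage"},
}
# Each protected page names the one feature it requires.  The slide's question
# "can one feature cover both search and detail?" is a change to this table only.
PAGE_FEATURE = {
    "/expenses/expense_search.jsp": "expense.search",
    "/expenses/expense_details.jsp": "expense.detail",
    "/expenses/expense_approve.jsp": "expense.approve",
    "/admin/users.jsp": "user.manage",
}


def matching_rule(path):
    """Longest-prefix match against the coarse policy, or None."""
    for prefix in sorted(COARSE_POLICY, key=len, reverse=True):
        if path.startswith(prefix):
            return COARSE_POLICY[prefix]
    return None


def coarse_check(path, user):
    """Interaction #2.  Returns 'forward', 'login' or 'deny'."""
    rule = matching_rule(path)
    if rule is None:
        return "deny"                      # default deny for unlisted prefixes
    if rule == "anonymous":
        return "forward"
    if user is None:
        return "login"                     # the "unhappy path": not logged in yet
    if rule == "authenticated":
        return "forward"
    needed = rule.split(":", 1)[1]
    return "forward" if needed in USER_ROLES.get(user, set()) else "deny"


def features_for(user):
    """User -> Role -> Feature, as the LDAP query in interaction #4 resolves it."""
    features = set()
    for role in USER_ROLES.get(user, set()):
        features |= ROLE_FEATURES.get(role, set())
    return features


def fine_check(path, user):
    """Interaction #4.  A page with no feature mapping is unreachable (default deny)."""
    feature = PAGE_FEATURE.get(path)
    return feature is not None and feature in features_for(user)


def handle(url, user):
    """Run one request through both enforcement points.
    Returns ('serve', path) or ('redirect', sso_page)."""
    path = urlsplit(url).path
    decision = coarse_check(path, user)
    if decision == "login":
        return ("redirect", SSO_LOGIN)
    if decision == "deny":
        return ("redirect", NOT_AUTHORIZED)
    if matching_rule(path) == "anonymous":
        return ("serve", path)             # static public content needs no feature
    return ("serve", path) if fine_check(path, user) else ("redirect", NOT_AUTHORIZED)


if __name__ == "__main__":
    base = "http://www.TeenagerExpenses.mb.ca"
    for who in (None, "jenna", "mom"):
        print(who, handle(base + "/expenses/expense_approve.jsp", who))
```

The split mirrors the slide's advice to decide early which interaction owns which rule: the HTTP server never learns about features, and the application never re-implements the login check, so a new page is protected by adding one row to PAGE_FEATURE rather than by editing two policies that might drift apart. Both layers deny by default, which is what keeps an unlisted prefix or an unmapped page from becoming reachable by accident.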
  51. Web Server interactions with LDAP – Log out …
     Your web applications will point to a logout page in the SSO application. It can (or should) invalidate the web applications under its protection.

  52. Web Application Architecture – The Report Server

  53. Oracle BI Publisher Report Server
     • It has its own built-in security that doesn’t work directly with OAM – read up on how to integrate them.

  54. Web Application Architecture – Database connections

  55. Database Connections
     • Perform adequate performance tests on these interactions
     • Because we implemented a VPD at a low level, we want to ensure that the end user is restricted from the bottom up, and that means connecting as that user.
       • Experience: it can take up to 5 seconds to “stamp” a user onto a proxy connection. The solution is to make a connection pool for each user
       • Experience: the setup and use of Label Security is expensive
       • Alternatives??

  56. (If we have time …)
     1. Creating a log of access – find out early in the project if one is needed
     2. Web analytics – find out if test users are needed in production, and what that means
     3. Security on web services & services (SOA) – again, find out if this extra layer needs its own gatekeeper of security
     4. The need for backend reports with BI Publisher
     5. Data encryption in the database

  57. Web Application Security – Using Oracle products as an example
     By: Jonathan Wagner, October 2011, jwagner@protegra.com
