J wagner security

Web Application SecurityUsing Oracle products as an example 1

Syllabus• It seems that organizations are taking security more and more seriously these days. One motivator is avoiding embarrassment which can collapse the organization in a hurry. The architecture of a web based application has a number of complexities when it comes to implementing security properly. Jonathan will talk about some of these complexities and identify a number of considerations that can save you time and money. In particular, he will explain how the Oracle suite of products integrate and use that as a concrete example. Architects, developers, and DBAs will learn from topics such as virtual private databases, single sign on, cookies, Hibernate interactions, and role-based security. 2

Setting the stage …• Who is in the audience? Which one are you? • Architect • Database Administrator (DBA) • Developer • Java • Other • Other• Goals: • General Understanding • Advice, related to Security in a web application • Drill-in into to some unobvious specifics• Questions? 3

What’s the big deal? We have some challenges …• Technology is more susceptible and more complicated • unwanted system access • localized damage • global damage • how do decision makers respond to pain? ~~ rational thinking• Data (and Process) Ownership Trends • Silos  Sharing • Terminology confusion ~~ talk about the same thing: Einstein quote • Organizations  Products AND Services• Potential huge costs, time and $$$$ • Educate and then ask, are you sure? 4

Legal stuff …• Legal questions can delay a project • submit questions early as possible • get feedback early as possible • legal requirements are hard and fast – know them early to avoid expensive rework 5

LEAN AgileManage Did someone say something about Security? 6

Web Application Architecture 7

Step 1• www.TeenagerExpenses.mb.ca• Ask the Domain Name Server to provide a machine readable address, call an Internet Protocol (IP) Address 8

Step 2• www.TeenagerExpenses.mb.ca = 233.168.324.234 9

Step 3• Reverse Proxy (Oracle’s WebCache) • Guard at the door into the architecture • In the middle of the DMZ sandwich• Robust solutions include: • Caching of static “public” content (picture files, Javascript) • Load Balancing • Decryption of HTTPS requests … more on that later 10

Step 4• The Web Application Server is the brains with all the business logic --- it knows what to with the HTTP GET request 11

Step 5• The server needs to first get a list of teenagers, and so, get it from the server responsible for persisting information 12

Step 6• Teenager Result Set: • Raelene • Jenna 13

Step 7• Let’s send HTTP Response of HTML: <Label>Teenager Name:</Label> <SelectionBox> <Selection>Raelene</Selection> <Selection>Jenna</Selection> … 14

Step 8 15

Step 9 16

Audit Columns• Every table in the database include the following columns: • A_CREATED_BY • A_CREATED_TIMESTAMP • A_MODIFIED_BY • A_MODIFIED_TIMESTAMP• Know the affects of the Sarbanes-Oxley act• Create a companion history table for every table in the database. It will be a complete history of “snapshots”. These tables have the exact same columns plus a timestamp column. (Data is almost free!) 19

Web Application ArchitectureWe now going to concentrate on the Database.Will talk about: • Virtual Private Databases • Oracle Label Security 20

Database Tables• TEENAGER TEENAGER_ID TEENAGER_NAME 1 Raelene 2 Jenna• EXPENSE TEENAGER DETAILS AMOUNT DATE _ID 1 Cell 45.00 Oct 1 1 Gum 1.35 Oct 6 2 Help Haiti 4.00 Oct 8 21

Raelene is allowed to see this …• TEENAGER TEENAGER_ID TEENAGER_NAME 1 Raelene 2 Jenna• EXPENSE TEENAGER DETAILS AMOUNT DATE _ID 1 Cell 45.00 Oct 1 1 Gum 1.35 Oct 6 2 Help Haiti 4.00 Oct 8 22

Jenna is allowed to see this …• TEENAGER TEENAGER_ID TEENAGER_NAME 1 Raelene 2 Jenna• EXPENSE TEENAGER DETAILS AMOUNT DATE _ID 1 Cell 45.00 Oct 1 1 Gum 1.35 Oct 6 2 Help Haiti 4.00 Oct 8 23

A VPD• A Virtual Private Database (VPD) = restricts access on horizontal slices• Oracle Label Security is an implementation of a VPD 24

Who can view/edit what data?• Label Security allows you to create a policy on the TEENAGER_ID TEENAGER _ID = 1 100 (Raelene) Raelene Parents TEENAGER (God-like access) _ID = 2 (Jenna) 200 Jenna 25

Database Tables with Label Security column added …• TEENAGER TEENAGER_ID TEENAGER_NAME 1 Raelene 2 Jenna• EXPENSE TEENAGER DETAILS AMOUNT DATE LS_ _ID TEENAGER 1 Cell 45.00 Oct 1 100 1 Gum 1.35 Oct 6 100 2 Help Haiti 4.00 Oct 8 200 26

Jenna will get a different answer than Raelene and the Parents! • TEENAGERSELECT sum(amount)FROM EXPENSE TEENAGER_ID TEENAGER_NAME 1 Raelene 2 Jenna • EXPENSE TEENAGER DETAILS AMOUNT DATE LS_ _ID TEENAGER 1 Cell 45.00 Oct 1 100 1 Gum 1.35 Oct 6 100 2 Help Haiti 4.00 Oct 8 200 27

Jenna will get a different answer than Raelene and the Parents! • TEENAGERSELECT sum(amount)FROM EXPENSE TEENAGER_ID TEENAGER_NAME 1 RaeleneWHERE LS_TEENAGER IN (100) 2 Jenna • EXPENSE TEENAGER DETAILS AMOUNT DATE LS_ _ID TEENAGER 1 Cell 45.00 Oct 1 100 1 Gum 1.35 Oct 6 100 2 Help Haiti 4.00 Oct 8 200 28

Parents type in … • TEENAGERSELECT sum(amount)FROM EXPENSE TEENAGER_ID TEENAGER_NAME 1 Raelene 2 Jenna • EXPENSE TEENAGER DETAILS AMOUNT DATE LS_ _ID TEENAGER 1 Cell 45.00 Oct 1 100 1 Gum 1.35 Oct 6 100 2 Help Haiti 4.00 Oct 8 200 29

… and this what happens under the covers: • TEENAGERSELECT sum(amount)FROM EXPENSE TEENAGER_ID TEENAGER_NAME 1 RaeleneWHERE LS_TEENAGER IN (100, 200) 2 Jenna • EXPENSE TEENAGER DETAILS AMOUNT DATE LS_ _ID TEENAGER 1 Cell 45.00 Oct 1 100 1 Gum 1.35 Oct 6 100 2 Help Haiti 4.00 Oct 8 200 30

DBMS Triggers are used for INSERTs and UPDATEs • TEENAGERINSERT (TEENAGER_ID, DETAILS, AMOUNT, DATE)VALUES (2, TEENAGER_ID “Book Fine”, 1, Oct 16) TEENAGER_NAME 1 RaeleneOracle Label Security auto-generated a DBMS Trigger on the EXPENSEtable. The trigger calculatesJenna 2 200 based on TEENAGER_ID • EXPENSE TEENAGER DETAILS AMOUNT DATE LS_ _ID TEENAGER 1 Cell 45.00 Oct 1 100 1 Gum 1.35 Oct 6 100 2 Help Haiti 4.00 Oct 8 200 2 Book Fine 1.00 Oct 16 Calculated by DBMS Trigger 31

Label Security can have up to 3 groupings TEENAGER _ID = 1 100 EXPENSE Younger _TYPE = Siblings 8 8,000 TEENAGER _ID = 2 200 Teenagers 770,000 Grandparents 32

Take a break …• A story about University … 33

LDAPOracle OAM & OID• LDAP = Lightweight Directory Access Protocol• Oracle Internet Directory is an implementation of directory services, LDAPv3• Oracle Access Manager (OAM) enforces policies and works with OID• Watch out for your firewalls settings -- timeouts• Active Directory can “connect” • DIP transfers name and passwords 35

Oracle LDAP ComponentsAll the “green” servers support the LDAP responsibilities. Oracle Access Manager(OAM) is the main interface into the outside world. However, the “purple” OracleDatabase has some direct connections with Oracle’s LDAP (OID), probably forperformance reasons. In theory, the dashed lines below were not reallynecessary.The two columns of “green” servers indicate that they can be clustered, and theset of servers can be in different locations. 36

Web Application ArchitectureHow the LDAP interacts with the Web Application Server? 37

Oracle LDAP Interfaces 38

Simplified Web Application Architecture 40

Simplified Web Application Architecture• HTTP Server – Oracle’s MOD_OC4J• Web Application Container – Oracle’s OC4J … and soon WebLogic 41

Web Server interactions with LDAP The “Happy Path” …The Browser makes a HTTP Request, via interaction #1.The HTTP Server looks at this request and asks the LDAPAccess services if this request is allowed to proceed. Thisis done via interaction #2. If the answer is positive, itpasses on the request to the destination, via interaction #3. 42

Web Server interactions with LDAP The “Happy Path” continued …In this “Happy Path” scenario the user has alreadyauthenticated (i.e. logged in).Oracle can place authentication data in “HTTP Headers”and/or in some “cookies”. It gives information about theUser ID, expiry time, etc. [Refer to interactions #1 & #3] 43

Web Server interactions with LDAP The “Happy Path” continued …The authorization rules are enforced in two different places: • Interaction #2 – Can protect basic requests, such as, URL requests that start with www.TeenagerExpenses.mb.ca/expenses • Interaction #4 – Using LDAP Queries, it can lookup more fine grained permissions such as: www.TeenagerExpenses.mb.ca/expenses/expense_details.jsp 44

Authorization and Role-based Security 45

Web Server interactions with LDAP The “Happy Path” continued …The authorization rules are enforced in two different places: • Interaction #2 – Basic requests based on OAM polices • Interaction #4 – Fine grained based on LDAP Queries / Role- based SecurityDecide which interaction is responsible for what, early inthe project! 46

Authorization and Role-based Security User – Role – Feature• Can be tricky. Can’t control the number of users. But you can control the number of Roles and Features.• Roles – Configure Roles and role names to match the actual physical business processes – people need to understand them. Be ready to refactor! 47

Authorization and Role-based Security User – Role – Feature• Can be tricky. Can’t control the number of users. But you can control the number of Roles and Features.• Roles – Configure Roles and role names to match the actual physical business processes – people need to understand them. Be ready to refactor! 48

Authorization and Role-based Security• Features – Pick the number of features wisely, keep them to a minimum and understandable. Fine grained control Coarse grained control Complicated Simple• Ask questions! Find out what the real requirement is. “Are you sure?” “Can this one feature represent both the search and the detail page?” “How easy is it to test?” 49

Web Server interactions with LDAP The “Unhappy Path” …The “unhappy” path is one where the user has not loggedin yet. The Web Application Container can have twoapplications: • The OAM Single-Sign On (SSO) “helper” application, which includes these pages: login, logout, and not authorized • The business application, such as the “expenses” test application 50

Web Server interactions with LDAP Log out …Your web applications will point to a logout page in the SSOapplication. It can (or should) invalidate the webapplications under its protection. 51

Web Application Architecture The Report Server 52

Oracle BI Publisher Report Server• It has its own built-in security that doesn’t work directly with OAM – Read up on how to integrate them. 53

Web Application Architecture Database connections 54

Database Connections• Perform adequate performance tests on this interactions• Because we implemented a VPD at a low level, we want to ensure that the end-user will be restricted from the bottom up, and that means to connect as that user. • Experience: Can take up to 5 seconds to “stamp” a user onto a proxy connection. The solution is to make a connection pool for each user • Experience: The setup and use of Label Security is expensive • Alternatives?? 55

(If we have time …)1. Creating a log of access – find out if one is needed early in the project2. Web Analytics – find out if test users are needed in production, and what that means3. Security on Web Services & Services (SOA) – again, find out if this extra layer needs its own gatekeeper of security4. The need for Backend Reports with BI Publisher5. Data Encryption in the Database 56

Web Application SecurityUsing Oracle products as an example By: Jonathan Wagner, October 2011 jwagner@protegra.com 57

J wagner security

by sdeconf on Nov 08, 2011

Accessibility

Categories

Upload Details

Usage Rights

Statistics

J wagner security Presentation Transcript