The document discusses security considerations for web applications that use Oracle products. It covers topics like using virtual private databases and Oracle Label Security to restrict user access to different parts of application and database data based on their roles. The document also explains how these Oracle security features can be implemented to allow different users like teenagers, parents, and administrators to only see data that they are authorized to access.

1. Web Application Security
Using Oracle products as an example
1

2. Syllabus
• It seems that organizations are taking security more and
more seriously these days. One motivator is avoiding
embarrassment which can collapse the organization in
a hurry. The architecture of a web based application
has a number of complexities when it comes to
implementing security properly. Jonathan will talk about
some of these complexities and identify a number of
considerations that can save you time and money. In
particular, he will explain how the Oracle suite of
products integrate and use that as a concrete example.
Architects, developers, and DBAs will learn from topics
such as virtual private databases, single sign on,
cookies, Hibernate interactions, and role-based security.
2

3. Setting the stage …
• Who is in the audience? Which one are you?
• Architect
• Database Administrator (DBA)
• Developer
• Java
• Other
• Other
• Goals:
• General Understanding
• Advice, related to Security in a web application
• Drill-in into to some unobvious specifics
• Questions?
3

4. What’s the big deal?
We have some challenges …
• Technology is more susceptible and more complicated
• unwanted system access
• localized damage
• global damage
• how do decision makers respond to pain? ~~ rational thinking
• Data (and Process) Ownership Trends
• Silos  Sharing
• Terminology confusion ~~ talk about the same thing: Einstein quote
• Organizations  Products AND Services
• Potential huge costs, time and $$$$
• Educate and then ask, are you sure?
4

5. Legal stuff …
• Legal questions can delay a project
• submit questions early as possible
• get feedback early as possible
• legal requirements are hard and fast – know them early to avoid
expensive rework
5

6. LEAN
Agile
Manage
Did someone say something about
Security?
6

7. Web Application Architecture
7

8. Step 1
• www.TeenagerExpenses.mb.ca
• Ask the Domain Name Server to provide a machine
readable address, call an Internet Protocol (IP) Address
8

9. Step 2
• www.TeenagerExpenses.mb.ca = 233.168.324.234
9

10. Step 3
• Reverse Proxy (Oracle’s WebCache)
• Guard at the door into the architecture
• In the middle of the DMZ sandwich
• Robust solutions include:
• Caching of static “public” content (picture files, Javascript)
• Load Balancing
• Decryption of HTTPS requests … more on that later
10

11. Step 4
• The Web Application Server is the brains with all the
business logic --- it knows what to with the HTTP GET
request
11

12. Step 5
• The server needs to first get a list of teenagers, and so,
get it from the server responsible for persisting
information
12

13. Step 6
• Teenager Result Set:
• Raelene
• Jenna
13

14. Step 7
• Let’s send HTTP Response of HTML:
<Label>Teenager Name:</Label>
<SelectionBox> <Selection>Raelene</Selection>
<Selection>Jenna</Selection> … 14

15. Step 8
15

16. Step 9
16

17. Web Application Architecture
17

18. Web Application Architecture
18

19. Audit Columns
• Every table in the database include the following
columns:
• A_CREATED_BY
• A_CREATED_TIMESTAMP
• A_MODIFIED_BY
• A_MODIFIED_TIMESTAMP
• Know the affects of the Sarbanes-Oxley act
• Create a companion history table for every table in the
database. It will be a complete history of “snapshots”.
These tables have the exact same columns plus a
timestamp column. (Data is almost free!)
19

20. Web Application Architecture
We now going to concentrate on the Database.
Will talk about:
• Virtual Private Databases
• Oracle Label Security
20

21. Database Tables
• TEENAGER
TEENAGER_ID TEENAGER_NAME
1 Raelene
2 Jenna
• EXPENSE
TEENAGER DETAILS AMOUNT DATE
_ID
1 Cell 45.00 Oct 1
1 Gum 1.35 Oct 6
2 Help Haiti 4.00 Oct 8
21

22. Raelene is allowed to see this …
• TEENAGER
TEENAGER_ID TEENAGER_NAME
1 Raelene
2 Jenna
• EXPENSE
TEENAGER DETAILS AMOUNT DATE
_ID
1 Cell 45.00 Oct 1
1 Gum 1.35 Oct 6
2 Help Haiti 4.00 Oct 8
22

23. Jenna is allowed to see this …
• TEENAGER
TEENAGER_ID TEENAGER_NAME
1 Raelene
2 Jenna
• EXPENSE
TEENAGER DETAILS AMOUNT DATE
_ID
1 Cell 45.00 Oct 1
1 Gum 1.35 Oct 6
2 Help Haiti 4.00 Oct 8
23

24. A VPD
• A Virtual Private Database (VPD) = restricts access on
horizontal slices
• Oracle Label Security is an implementation of a VPD
24

25. Who can view/edit what data?
• Label Security allows you to create a policy on the
TEENAGER_ID
TEENAGER
_ID = 1 100
(Raelene)
Raelene
Parents
TEENAGER (God-like access)
_ID = 2
(Jenna) 200
Jenna
25

26. Database Tables
with Label Security column added …
• TEENAGER
TEENAGER_ID TEENAGER_NAME
1 Raelene
2 Jenna
• EXPENSE
TEENAGER DETAILS AMOUNT DATE LS_
_ID TEENAGER
1 Cell 45.00 Oct 1 100
1 Gum 1.35 Oct 6 100
2 Help Haiti 4.00 Oct 8 200
26

27. Jenna will get a different answer
than Raelene and the Parents!
• TEENAGER
SELECT sum(amount)
FROM EXPENSE
TEENAGER_ID TEENAGER_NAME
1 Raelene
2 Jenna
• EXPENSE
TEENAGER DETAILS AMOUNT DATE LS_
_ID TEENAGER
1 Cell 45.00 Oct 1 100
1 Gum 1.35 Oct 6 100
2 Help Haiti 4.00 Oct 8 200
27

28. Jenna will get a different answer
than Raelene and the Parents!
• TEENAGER
SELECT sum(amount)
FROM EXPENSE
TEENAGER_ID TEENAGER_NAME
1 Raelene
WHERE LS_TEENAGER IN (100)
2 Jenna
• EXPENSE
TEENAGER DETAILS AMOUNT DATE LS_
_ID TEENAGER
1 Cell 45.00 Oct 1 100
1 Gum 1.35 Oct 6 100
2 Help Haiti 4.00 Oct 8 200
28

29. Parents type in …
• TEENAGER
SELECT sum(amount)
FROM EXPENSE
TEENAGER_ID TEENAGER_NAME
1 Raelene
2 Jenna
• EXPENSE
TEENAGER DETAILS AMOUNT DATE LS_
_ID TEENAGER
1 Cell 45.00 Oct 1 100
1 Gum 1.35 Oct 6 100
2 Help Haiti 4.00 Oct 8 200
29

30. … and this what happens under the
covers:
• TEENAGER
SELECT sum(amount)
FROM EXPENSE
TEENAGER_ID TEENAGER_NAME
1 Raelene
WHERE LS_TEENAGER IN (100, 200)
2 Jenna
• EXPENSE
TEENAGER DETAILS AMOUNT DATE LS_
_ID TEENAGER
1 Cell 45.00 Oct 1 100
1 Gum 1.35 Oct 6 100
2 Help Haiti 4.00 Oct 8 200
30

31. DBMS Triggers are used for INSERTs
and UPDATEs
• TEENAGER
INSERT (TEENAGER_ID, DETAILS, AMOUNT, DATE)
VALUES (2,
TEENAGER_ID “Book Fine”, 1, Oct 16)
TEENAGER_NAME
1 Raelene
Oracle Label Security auto-generated a DBMS Trigger on the EXPENSE
table. The trigger calculatesJenna
2 200 based on TEENAGER_ID
• EXPENSE
TEENAGER DETAILS AMOUNT DATE LS_
_ID TEENAGER
1 Cell 45.00 Oct 1 100
1 Gum 1.35 Oct 6 100
2 Help Haiti 4.00 Oct 8 200
2 Book Fine 1.00 Oct 16 Calculated
by DBMS
Trigger
31

32. Label Security can have up to 3 groupings
TEENAGER
_ID = 1 100
EXPENSE
Younger
_TYPE =
Siblings
8
8,000 TEENAGER
_ID = 2
200
Teenagers
770,000
Grandparents
32

33. Take a break …
• A story about University …
33

34. Web Application Architecture
34

35. LDAP
Oracle OAM & OID
• LDAP = Lightweight Directory Access Protocol
• Oracle Internet Directory is an implementation of
directory services, LDAPv3
• Oracle Access Manager (OAM) enforces policies and
works with OID
• Watch out for your firewalls settings -- timeouts
• Active Directory can “connect”
• DIP transfers name and passwords
35

36. Oracle LDAP Components
All the “green” servers support the LDAP responsibilities. Oracle Access Manager
(OAM) is the main interface into the outside world. However, the “purple” Oracle
Database has some direct connections with Oracle’s LDAP (OID), probably for
performance reasons. In theory, the dashed lines below were not really
necessary.
The two columns of “green” servers indicate that they can be clustered, and the
set of servers can be in different locations.
36

37. Web Application Architecture
How the LDAP interacts with the Web Application Server?
37

38. Oracle LDAP Interfaces
38

39. Web Application Architecture
39

40. Simplified Web Application Architecture
40

41. Simplified Web Application Architecture
• HTTP Server – Oracle’s MOD_OC4J
• Web Application Container – Oracle’s OC4J … and soon
WebLogic
41

42. Web Server interactions with LDAP
The “Happy Path” …
The Browser makes a HTTP Request, via interaction #1.
The HTTP Server looks at this request and asks the LDAP
Access services if this request is allowed to proceed. This
is done via interaction #2. If the answer is positive, it
passes on the request to the destination, via interaction #3.
42

43. Web Server interactions with LDAP
The “Happy Path” continued …
In this “Happy Path” scenario the user has already
authenticated (i.e. logged in).
Oracle can place authentication data in “HTTP Headers”
and/or in some “cookies”. It gives information about the
User ID, expiry time, etc. [Refer to interactions #1 & #3]
43

44. Web Server interactions with LDAP
The “Happy Path” continued …
The authorization rules are enforced in two different places:
• Interaction #2 – Can protect basic requests, such as, URL
requests that start with
www.TeenagerExpenses.mb.ca/expenses
• Interaction #4 – Using LDAP Queries, it can lookup more fine
grained permissions such as:
www.TeenagerExpenses.mb.ca/expenses/expense_details.jsp 44

45. Authorization and Role-based Security
45

46. Web Server interactions with LDAP
The “Happy Path” continued …
The authorization rules are enforced in two different places:
• Interaction #2 – Basic requests based on OAM polices
• Interaction #4 – Fine grained based on LDAP Queries / Role-
based Security
Decide which interaction is responsible for what, early in
the project!
46

47. Authorization and Role-based Security
User – Role – Feature
• Can be tricky. Can’t control the number of users. But
you can control the number of Roles and Features.
• Roles – Configure Roles and role names to match the
actual physical business processes – people need to
understand them. Be ready to refactor!
47

48. Authorization and Role-based Security
User – Role – Feature
• Can be tricky. Can’t control the number of users. But
you can control the number of Roles and Features.
• Roles – Configure Roles and role names to match the
actual physical business processes – people need to
understand them. Be ready to refactor!
48

49. Authorization and Role-based Security
• Features – Pick the number of features wisely, keep
them to a minimum and understandable.
Fine grained control Coarse grained control
Complicated Simple
• Ask questions! Find out what the real requirement is.
“Are you sure?” “Can this one feature represent both the
search and the detail page?” “How easy is it to test?”
49

50. Web Server interactions with LDAP
The “Unhappy Path” …
The “unhappy” path is one where the user has not logged
in yet. The Web Application Container can have two
applications:
• The OAM Single-Sign On (SSO) “helper” application, which
includes these pages: login, logout, and not authorized
• The business application, such as the “expenses” test
application 50

51. Web Server interactions with LDAP
Log out …
Your web applications will point to a logout page in the SSO
application. It can (or should) invalidate the web
applications under its protection.
51

52. Web Application Architecture
The Report Server
52

53. Oracle BI Publisher Report Server
• It has its own built-in security that doesn’t work directly
with OAM – Read up on how to integrate them.
53

54. Web Application Architecture
Database connections
54

55. Database Connections
• Perform adequate performance tests on this interactions
• Because we implemented a VPD at a low level, we want
to ensure that the end-user will be restricted from the
bottom up, and that means to connect as that user.
• Experience: Can take up to 5 seconds to “stamp” a user onto a
proxy connection. The solution is to make a connection pool for
each user
• Experience: The setup and use of Label Security is expensive
• Alternatives??
55

56. (If we have time …)
1. Creating a log of access – find out if one is needed
early in the project
2. Web Analytics – find out if test users are needed in
production, and what that means
3. Security on Web Services & Services (SOA) – again,
find out if this extra layer needs its own gatekeeper of
security
4. The need for Backend Reports with BI Publisher
5. Data Encryption in the Database
56

57. Web Application Security
Using Oracle products as an example
By: Jonathan Wagner, October 2011
jwagner@protegra.com
57