Java EE Platform Security: What is included, what is missing. Masoud Kalali, author of the GlassFish Security book, http://kalali.me
What can Security refer to?
Security requirements:
  - Authentication
  - Authorization
  - Transport security
  - Single Sign-On
Java EE and Security Requirements I

What Java EE provides for authentication:
  - Authentication methods: FORM, BASIC, DIGEST, CLIENT-CERT
  - Security realms
  - Programmatic login/logout (HttpServletRequest.login, logout, authenticate), Cookie.setHttpOnly/isHttpOnly and @ServletSecurity (all Servlet 3.0)
  - Adding new realms, or extending the existing ones
  - JSR-196 (JASPIC): pluggable authentication modules

Declarative, by annotation:

    @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager", "administrator"}))
    ...

Programmatic (the container, not the application, checks the password against the realm; login() throws ServletException on failure):

    String username = request.getParameter("username");
    String password = request.getParameter("password");
    request.login(username, password);
    ....

Declarative, in web.xml:

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JDBCRealm</realm-name>
    </login-config>

BASIC sends the credentials, merely base64-encoded, with every request: pair it with a CONFIDENTIAL transport guarantee.
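The programmatic path in full, as an added example that is not part of the slides: a Servlet 3.0 handler around request.login()/logout() that also rotates the session and sets the cookie flags the slide mentions. The servlet URL, the parameter names, the cookie name and the "/home" target are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the slides): a form handler built on the Servlet 3.0
// programmatic API. The URL, parameter names and the "/home" target are assumptions.
@WebServlet("/auth")
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("logout".equals(request.getParameter("action"))) {
            logout(request, response);
            return;
        }
        if (request.getUserPrincipal() != null) {
            // login() on an already-authenticated request throws ServletException.
            response.sendRedirect(request.getContextPath() + "/home");
            return;
        }
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || username.isEmpty() || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
            return;
        }

        // Session fixation: drop any session the client arrived with before authenticating,
        // so the post-login identity is never bound to an attacker-chosen session id.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true);

        try {
            // Validates against the realm named in <login-config>; the container, not the
            // application, compares the password.
            request.login(username, password);
        } catch (ServletException failed) {
            // Same response for unknown user and wrong password: do not leak which one.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }

        // Servlet 3.0 cookie flags: HttpOnly keeps script away from the value, Secure keeps
        // it off plaintext HTTP. Applied here to an application cookie; the JSESSIONID
        // flags belong in web.xml <cookie-config>.
        Cookie marker = new Cookie("LOGIN_MARKER", "1");
        marker.setHttpOnly(true);
        marker.setSecure(request.isSecure());
        marker.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        response.addCookie(marker);

        response.sendRedirect(request.getContextPath() + "/home");
    }

    private void logout(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.logout();                       // clears the caller principal
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();               // and the server-side state behind the cookie
        }
        Cookie marker = new Cookie("LOGIN_MARKER", "");
        marker.setMaxAge(0);                    // expire the marker on the client
        marker.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        response.addCookie(marker);
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

The third programmatic call, request.authenticate(response), is not shown: it triggers whatever mechanism <login-config> names (a FORM redirect or a BASIC challenge) on demand, which is useful when a page is only partly protected.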
Java EE and Security Requirements II

What the Java EE platform provides for authorization:
  - Role based access control over resources (URL patterns, EJB business methods)
  - Roles are declared portably (@DeclareRoles, deployment descriptors); mapping them to users and groups is vendor specific
  - Roles are resolved from the same security realm that authenticated the caller
  - Enforced using annotations or the XML deployment descriptors
  - Can be extended using JSR-115 (JACC) to plug in a custom authorization policy

ejb-jar.xml:

    <method-permission>
      <role-name>manager</role-name>
      <method>
        <ejb-name>Emp</ejb-name>
        <method-name>getAge</method-name>
      </method>
    </method-permission>

Annotation targets:

    Annotation        Level           Target kind
    @DeclareRoles     Class           EJB, Servlet
    @RunAs            Class           EJB, Servlet
    @ServletSecurity  Class           Servlet
    @PermitAll        Class, Method   EJB
    @DenyAll          Method          EJB
    @RolesAllowed     Class, Method   EJB
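The table in one bean, as an added example that is not from the slides: class-level and method-level JSR-250 annotations side by side, plus the programmatic SessionContext check that declarative RBAC cannot express. The role names beyond "manager", the bean name and the employee records are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example (not from the slides): one bean combining the JSR-250 targets from the
// table. Role names extend the slide's "manager"; the employee data is constructed.
@Stateless
@DeclareRoles({"employee", "manager", "administrator"})
@RolesAllowed("employee")          // class-level default: every method needs at least "employee"
public class EmployeeBean {

    @Resource
    private SessionContext ctx;

    // Constructed sample data: employee id -> {name, age, salary, manager's principal name}
    private static final Map<String, Object[]> EMPLOYEES = new HashMap<String, Object[]>();
    static {
        EMPLOYEES.put("e1", new Object[] {"Alice", 41, 90000L, "m1"});
        EMPLOYEES.put("e2", new Object[] {"Bob", 29, 60000L, "m2"});
    }

    // No annotation: inherits the class-level @RolesAllowed("employee").
    public String getName(String id) {
        return (String) lookup(id)[0];
    }

    // Method-level annotation overrides the class-level one (the annotation form of the
    // slide's <method-permission> for Emp.getAge, widened to two roles).
    @RolesAllowed({"manager", "administrator"})
    public int getAge(String id) {
        return (Integer) lookup(id)[1];
    }

    // Anyone, including unauthenticated callers, may hit a health check.
    @PermitAll
    public boolean isAvailable() {
        return true;
    }

    // Reachable by nobody: the container rejects the call before the body runs.
    @DenyAll
    public void purgeAll() {
        EMPLOYEES.clear();
    }

    // Declarative RBAC says "manager or administrator"; the programmatic check adds an
    // instance-level rule the annotations cannot express: a manager sees only own reports.
    @RolesAllowed({"manager", "administrator"})
    public long getSalary(String id) {
        Object[] row = lookup(id);
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("administrator") && !caller.equals(row[3])) {
            throw new EJBAccessException(caller + " is not the manager of " + id);
        }
        return (Long) row[2];
    }

    private Object[] lookup(String id) {
        Object[] row = EMPLOYEES.get(id);
        if (row == null) {
            throw new IllegalArgumentException("no such employee: " + id);
        }
        return row;
    }
}
```

@RunAs is the one annotation from the table not used above: placed on a servlet or bean, it makes every outbound call carry the named role regardless of who the caller is, so it should sit only on components whose own access is already tightly constrained.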
Java EE and Security Requirements III

The transport security facilities:
  - Confidentiality (transport-guarantee CONFIDENTIAL)
  - Data integrity (transport-guarantee INTEGRAL)
  - Different sets of resources can get different levels of transport security, one security-constraint each

web.xml:

    <security-constraint>
      <display-name>Current Online Users</display-name>
      <web-resource-collection>
        <web-resource-name>online users</web-resource-name>
        <description/>
        <url-pattern>/admin/online/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <description/>
        <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
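The slide's constraint in context, as an added example that is not from the slides: a web.xml fragment that puts the three transport guarantees next to each other, adds the deny-all idiom, and sets the Servlet 3.0 cookie flags for the session cookie itself. The /downloads and /internal paths, the FORM pages and the session timeout are assumptions for illustration.

```xml
<!-- Added example (not from the slides): transport guarantees side by side, plus the
     Servlet 3.0 <cookie-config> flags. Paths beyond /admin/online/* are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- 1. Admin pages: authenticated manager AND encrypted transport. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>online users</web-resource-name>
      <url-pattern>/admin/online/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. Public downloads: no login, but tamper-evident transport. Containers satisfy
       INTEGRAL the same way as CONFIDENTIAL, by redirecting to the HTTPS port.
       Pitfall: listing <http-method>GET</http-method> scopes the constraint to GET only
       and leaves every other verb unconstrained; omit <http-method> to cover them all. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>downloads</web-resource-name>
      <url-pattern>/downloads/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 3. An empty <auth-constraint/> denies every caller: the way to close paths that
       ship inside the WAR but must never be served. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>internal</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- The session cookie: HttpOnly + Secure, and cookies only (jsessionid rewritten
       into URLs ends up in access logs and Referer headers). -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JDBCRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

A transport guarantee protects the resource it is declared on, not the login form: with FORM authentication the form-login-page must fall under a CONFIDENTIAL constraint of its own, or the credentials travel in the clear.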
Java EE and Security Requirements IV

What the Java EE platform provides for SSO:
  - Nothing in the JSRs themselves
  - Application servers provide some basic SSO, with restrictions:
      - same realm
      - same virtual server / host
  - Other solutions: a proxy that performs the authentication and delegates it, e.g. Apache httpd with mod_proxy in front of the instances
  - Clustering the instances, which again needs the same realm
Is that All? Really, is that all we need? Are we missing anything major? Is there anything basic that would still be good to have?
Basic, but missing requirements:
  - Authentication chain
  - Fine grained access control
  - Single Sign-On
Basic, but missing requirements I

Chain of authentication challenges:
  - If one realm or provider fails to authenticate the caller, fall through to the next one
  - Put challenges together in groups
  - Basic rules for forming the groups
Authentication levels:
  - A higher level for more secure realms
  - More resources become accessible at higher authentication levels
[diagram: Authentication chain]
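One way to build such a chain with what the platform does offer, as an added example that is not from the slides: a JSR-196 (JASPIC) ServerAuthModule that tries an ordered list of challenges, each rated with an assurance level, skipping any challenge too weak for the requested resource and falling through to the next on failure. The challenge order, the levels, the path-to-level table, the "auth-level-N" group names and the single hard-coded Basic user are assumptions; registering the module with the container's AuthConfigFactory is vendor specific and not shown.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the slides): an authentication chain as a JSR-196 module.
// Challenge order, levels, path table and the Basic user are assumptions.
public class ChainAuthModule implements ServerAuthModule {

    /** One link of the chain: a way of authenticating the caller, rated by assurance level. */
    interface Challenge {
        int level();                                  // higher = more secure realm/provider
        String authenticate(HttpServletRequest req);  // caller name, or null on failure
    }

    /** Level 2: client certificate, already verified by the TLS layer. */
    static final class ClientCert implements Challenge {
        public int level() { return 2; }
        public String authenticate(HttpServletRequest req) {
            X509Certificate[] c =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            return c == null || c.length == 0 ? null : c[0].getSubjectX500Principal().getName();
        }
    }

    /** Level 1: HTTP Basic against one constructed user (a real module would ask a realm). */
    static final class Basic implements Challenge {
        public int level() { return 1; }
        public String authenticate(HttpServletRequest req) {
            String h = req.getHeader("Authorization");
            if (h == null || !h.startsWith("Basic ")) return null;
            String[] up = new String(Base64.getDecoder().decode(h.substring(6))).split(":", 2);
            return up.length == 2 && "alice".equals(up[0]) && "s3cret".equals(up[1]) ? up[0] : null;
        }
    }

    private CallbackHandler handler;
    private final List<Challenge> chain = new ArrayList<Challenge>();

    /** Minimum level per resource: sensitive paths demand a stronger challenge. */
    static int requiredLevel(String path) {
        return path.startsWith("/admin/") ? 2 : 1;
    }

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        chain.add(new ClientCert());   // strongest first; fall through on failure
        chain.add(new Basic());
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();
        int required = requiredLevel(req.getRequestURI().substring(req.getContextPath().length()));
        try {
            for (Challenge c : chain) {
                if (c.level() < required) continue;   // too weak for this resource
                String user = c.authenticate(req);
                if (user == null) continue;           // failed: next realm/provider
                handler.handle(new Callback[] {       // establish caller + level as a group
                    new CallerPrincipalCallback(client, user),
                    new GroupPrincipalCallback(client, new String[] { "auth-level-" + c.level() })
                });
                info.getMap().put("javax.servlet.http.authType", "CHAIN");
                return AuthStatus.SUCCESS;
            }
            if (!Boolean.parseBoolean(String.valueOf(
                    info.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")))) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (Principal) null) });
                return AuthStatus.SUCCESS;            // unprotected resource: anonymous caller
            }
        } catch (Exception e) {
            throw new AuthException(e.toString());
        }
        resp.setHeader("WWW-Authenticate", "Basic realm=\"chain\"");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;              // challenge issued, no identity yet
    }

    public AuthStatus secureResponse(MessageInfo info, Subject service) {
        return AuthStatus.SEND_SUCCESS;
    }

    public void cleanSubject(MessageInfo info, Subject subject) {
        subject.getPrincipals().clear();
    }
}
```

Because each successful link also adds an "auth-level-N" group, the level can be referenced like any other role (@RolesAllowed("auth-level-2") on the admin beans), which is how "more resources accessible at higher levels" reaches the authorization layer without changing it.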
Basic, but missing requirements II

Fine grained access control:
  - Coarse grained allow/deny is not sufficient anymore
  - A very common need: time and location based access control
  - XACML is there, but not in the platform:
      - attribute based access evaluation
      - attributes for every factor involved (subject, resource, action, environment)
      - version 2.0 is mature enough; version 3.0 is around the corner
  - Open source XACML implementations from Sun and JBoss:
      http://sunxacml.sourceforge.net/
      http://www.jboss.org/picketbox/
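The two cases the slide names, time and location, evaluated the attribute-based way, as an added example that is not from the slides and does not use either XACML implementation listed: a servlet filter in front of /admin/* that combines subject (container role), environment (hour of day, source network) and resource (path) attributes, default deny. The rules, office hours and network ranges are constructed; in a real deployment they would come from a policy decision point.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.Calendar;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the slides): attribute-based access control for time and
// location as a servlet filter. Rules, hours and networks are constructed.
@WebFilter("/admin/*")
public class AttributeAccessFilter implements Filter {

    /** A rule joins subject (role), environment (hours, source network) and resource (path). */
    static final class Rule {
        final String role, network, pathPrefix;
        final int fromHour, toHour;   // [fromHour, toHour) in server-local time
        Rule(String role, int fromHour, int toHour, String network, String pathPrefix) {
            this.role = role; this.fromHour = fromHour; this.toHour = toHour;
            this.network = network; this.pathPrefix = pathPrefix;
        }
    }

    // Constructed policy: administrators from the office network at any hour; managers only
    // in office hours, only from the management VLAN, and only the "online users" pages.
    static final Rule[] POLICY = {
        new Rule("administrator", 0, 24, "10.0.0.0/8", "/admin/"),
        new Rule("manager", 8, 18, "10.1.0.0/16", "/admin/online/"),
    };

    /** Default deny: permit only if some rule matches every attribute. */
    static boolean permit(HttpServletRequest req, String clientIp, int hour) {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        for (Rule r : POLICY) {
            if (req.isUserInRole(r.role) && hour >= r.fromHour && hour < r.toHour
                    && inNetwork(clientIp, r.network) && path.startsWith(r.pathPrefix)) {
                return true;
            }
        }
        return false;
    }

    /** Prefix match of an IPv4/IPv6 literal against CIDR notation (no DNS for literals). */
    static boolean inNetwork(String ip, String cidr) {
        try {
            String[] parts = cidr.split("/");
            byte[] addr = InetAddress.getByName(ip).getAddress();
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            int bits = Integer.parseInt(parts[1]);
            if (addr.length != net.length || bits > addr.length * 8) return false;
            for (int i = 0; i < bits; i++) {
                int mask = 0x80 >>> (i % 8);
                if ((addr[i / 8] & mask) != (net[i / 8] & mask)) return false;
            }
            return true;
        } catch (Exception e) {
            return false;   // unparsable input never grants access
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // The role check relies on the container having authenticated the caller already:
        // the declarative constraint on /admin/* is enforced before any filter runs. The
        // address is the TCP peer, not X-Forwarded-For; trust that header only behind a
        // proxy you control and that strips it from clients.
        int hour = Calendar.getInstance().get(Calendar.HOUR_OF_DAY);
        if (!permit(req, req.getRemoteAddr(), hour)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) { }
    public void destroy() { }
}
```

What a real XACML deployment adds over this filter is exactly what the slide asks for: the rules live outside the code, reference attributes from any source, and can be changed without redeploying the application.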
Basic, but missing requirements III

What to do with more demanding SSO requirements?
  - It may never get into the platform: it involves more than just Java EE, and it is heavy, complex and open ended
  - Go with JOSSO, http://www.josso.org/
  - Go with OpenSSO, http://opensso.dev.java.net
  - Both support cross-domain SSO (CDSSO), integrate with many platforms and servers, and can be used from almost any language
Time For Questions Questions? You can contact me at  [email_address]  or  http://twitter.com/MasoudKalali
