
J2EE Security


pelham

Presentation Transcript


  1. J2EE Security

  2. Topics
      • J2EE Security Goals
      • JAAS and Application Server Security Setup
      • Security Layers
      • Web Applications
      • Web Service Clients
      • EJB Security
      • EAR Security
      • External EJB Clients

  3. J2EE Security Goals
      • Lessen burden on application developer
      • Container can provide security infrastructure
      • Deployer and system administrator define security policies
      • Avoid hard-coding security policies in component implementations
      • Portability among servers that use different security mechanisms

  4. J2EE Roles and Security
      • Application Assembler defines security roles for an application
        • web.xml
        • ejb-jar.xml
      • Deployer maps principals (or groups of principals) in an operational environment to the security roles defined by the application assembler
      • Component implementer may implement security policies in code (Avoid if possible)

  5. Security Points (diagram; labels in the order they appear)
      • Security Infrastructure (App Server *may* use JAAS to access)
      • Business Logic (Vendor A)
      • Web Tier (Servlets/JSP)
      • http/https
      • RMI/IIOP
      • Resource Tier
      • BASIC, Form, Mutual-SSL
      • EJBs
      • rmi/iiop
      • new InitialContext(props)
      • JAAS
      • Business Logic (Vendor B)
      • OMG CSIv2 Level 0
      • SSL/TLS
      • Security Info in IOR
      • Security Context in IIOP Message
      • EJBs

  6. Security Infrastructure

  7. Security Points (same diagram as slide 5)

  8. Security Infrastructure
      • J2EE specs dictate little concerning actual security implementation.
        • Many implementations possible
          • X.509 Certificates/LDAP/etc.
          • Kerberos
      • Application server is responsible for ‘adapting’ the security infrastructure in the deployment environment to the J2EE application’s needs
        • Every App server does this differently

  9. Weblogic Security Infrastructure
      • Server
        • Users and Groups configured using console or MBeans
        • Defines Service Provider Interface so various security implementations can be overridden
          • Authentication
          • Identity Assertion
          • Authorization
          • Auditing
          • Adjudication
          • Role Mapping
          • KeyStore
          • Credential Mapper

  10. WL Security Infrastructure (Cont)
      • Contains an embedded LDAP adapter
        • Usage similar to old File Realm provider used for a default security implementation
      • Adapters to most commercial LDAP servers also
      • Can define advanced policies for access to resources
        • times of day, from where, etc.

  11. Adding Groups using Console

  12. Adding a User from the Console

  13. Assigning User to a Group

  14. Adding Users/Groups with MBeans
      runtime.properties:
          WLS_ADMIN_USERS=jim,dan
          WLS_ADMIN_GROUP=WLSAdminRole

      Console session:
          $ corej2ee.bash tools addUserGroups mysite.properties=C:\cygwin\home\jcstaff\mysite.properties
          Buildfile: C:\cygwin\home\jcstaff\proj\corej2ee\deploy\bin\antfiles\tools.xml
          _addGroup_:
          executing addGroup
          group WLSAdminRole added
          _noPassword_:
          no -DuserPassword=<password> supplied, using default

  15. Adding Users/Groups with MBeans
      Console session (continued):
          _addUser_:
          executing addUser
          user jim/password added
          _noPassword_:
          no -DuserPassword=<password> supplied, using default
          _addUser_:
          executing addUser
          user dan/password added
          _addGroupMember_:
          executing addGroupMember
          added jim to group WLSAdminRole
          _addGroupMember_:
          executing addGroupMember
          added dan to group WLSAdminRole

  16. WL Security Setup Summary
      • Realms have configured implementations for each required security component
      • Possible to write custom security implementations
      • Default implementation utilizes embedded LDAP server, user names/passwords, and certificates
      • Realm used is selected in web.xml deployment descriptor

  17. JBoss Security Infrastructure
      • Uses JAAS heavily
      • Quick JAAS Overview
      • Example: Using a Database Login Module
        • Keeps users/roles in database tables
      • Can develop login modules for any desired security implementation
      • LDAP and property file implementations provided in JBoss distribution

  18. Java Authorization and Authentication Service (JAAS)

  19. JAAS
      • Two purposes
        • Authentication – Determine WHO is executing the code
        • Authorization – Verify user has permission to access the resource
      • Part of J2SDK, v 1.4
      • Support mandated by J2EE specification
      • Weblogic uses JAAS for authentication. A proprietary mechanism is used to implement an extendable app server security infrastructure
      • JBoss uses JAAS for authentication and a ‘pluggable’ application server security infrastructure (JBossSX)

  20. JAAS Components (diagram: Client, Login context, Configuration, Subject, Client Login Module, Callback Handler)
      1. LoginContext lc = new LoginContext("Client", new MyCallbackHandler());
      2. Check configuration for ‘Client’ login module
      3. new Subject()
      4. initialize
      5. lc.login()
      6. login
      7. Ask for information, e.g. password
      8. Populate with principal
      Configuration implementation maps the login context name to a login module implementation.
      Note: commit() details omitted.

  21. JBoss JAAS Configuration
      • Server (Users/Passwords in Database)
        • Define Oracle Data Source (OracleDS)
          • deploy/oracle-service.xml
          • Copy classes12.jar to ‘lib’
        • Create/Populate user database tables
        • Update login-config.xml

  22. Server: deploy/oracle-service.xml
      ……
      <attribute name="JndiName">OracleDS</attribute>
      <attribute name="ManagedConnectionFactoryProperties">
        <properties>
          <config-property name="ConnectionURL" type="java.lang.String">jdbc:oracle:thin:@linux1:1521:coredb</config-property>
          <config-property name="DriverClass" type="java.lang.String">oracle.jdbc.driver.OracleDriver</config-property>
          <config-property name="UserName" type="java.lang.String">core</config-property>
          <config-property name="Password" type="java.lang.String">corepassword</config-property>
        </properties>
      </attribute>
      ……

  23. Server: Database Tables (Principal)
      CREATE TABLE principal_Principal (
        id            VARCHAR2(32) NOT NULL,
        password      VARCHAR2(128),
        principalType CHAR(1),
        firstName     VARCHAR2(128),
        lastName      VARCHAR2(128)
      );

      CREATE TABLE principal_PrincipalGroup (
        principalId VARCHAR2(32) NOT NULL,
        groupId     VARCHAR2(32) NOT NULL,
        roleName    VARCHAR2(32)
      );

  24. Add Some Users (principal_data.ddl)
      INSERT INTO principal_Principal VALUES ('DAN', 'DAN', '1', 'Dan', 'Weimer');
      INSERT INTO principal_Principal VALUES ('JIM', 'JIM', '1', 'Jim', 'Stafford');
      INSERT INTO principal_Principal VALUES ('GROUP1', 'XXX', '2', 'G', '1');
      INSERT INTO principal_PrincipalGroup VALUES ('DAN', 'GROUP1', 'ADMIN');
      INSERT INTO principal_PrincipalGroup VALUES ('DAN', 'GROUP1', 'USERS');
      INSERT INTO principal_PrincipalGroup VALUES ('JIM', 'GROUP1', 'USERS');

  25. Server: conf/login-config.xml
      <application-policy name="coreDB">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName">java:/OracleDS</module-option>
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="principalsQuery">select password from principal_Principal where id=?</module-option>
            <module-option name="rolesQuery">select roleName, 'Roles' from principal_PrincipalGroup where principalId=?</module-option>
          </login-module>
        </authentication>
      </application-policy>

  26. DTD for login-config.xml

  27. JBoss Security Setup (Cont.)
      • Login Module utilized by the server is configured in the JBoss proprietary deployment descriptor for J2EE components
      • Servlet and EJB examples shown later

  28. Web Application Security

  29. Security Points (same diagram as slide 5)

  30. Web Tier Security
      • Authentication
        • BASIC
        • Form
        • Client X.509 Certificate
      • Confidentiality and Message Integrity
        • Can require communication to take place over SSL with <transport-guarantee> element

  31. Web Tier Security Configuration (web.xml)
      <security-constraint>
        <!-- Name a set of pages to protect -->
        <web-resource-collection>
          <web-resource-name>Admin Pages</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <!-- State what roles can access these pages -->
        <auth-constraint>
          <description>Pages for admin only</description>
          <role-name>admin</role-name>
        </auth-constraint>
        <!-- Do requests for these pages need to be made over SSL? Not in this example -->
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

  32. Security Configuration (Cont)
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Admin SSL Pages</web-resource-name>
          <url-pattern>/adminssl/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <description>Pages for admin over ssl only</description>
          <role-name>admin</role-name>
        </auth-constraint>
        <!-- Have to use SSL to access these pages -->
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

  33. Security Configuration (Cont) (web.xml)
      <!-- Use HTTP BASIC to collect user’s name and password -->
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
      </login-config>
      <!-- Have to list all security roles mentioned previously -->
      <security-role>
        <role-name>admin</role-name>
      </security-role>
      </web-app>

  34. Setting up Security (weblogic.xml)
      <!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 7.0//EN"
        "http://www.bea.com/servers/wls700/dtd/weblogic700-web-jar.dtd">
      <weblogic-web-app>
        <description>WebLogic Descriptor</description>
        <!-- Have to map ‘logical’ J2EE roles to a group configured in Weblogic -->
        <security-role-assignment>
          <role-name>admin</role-name>
          <principal-name>WLSAdminRole</principal-name>
        </security-role-assignment>
      </weblogic-web-app>

  35. Setting up Security (jboss-web.xml)
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN"
        "http://www.jboss.org/j2ee/dtds/jboss-web_3_0.dtd">
      <jboss-web>
        <!-- Matches an application-policy in login-config.xml -->
        <security-domain>java:/jaas/coreDB</security-domain>
      </jboss-web>

  36. Web Demo App
      • No constraints on the first link
      • Second link requires login by user in the admin role
      • Third link will fail because link is not SSL
      • Fourth link uses SSL link. If user is not already authenticated, challenge box will appear

  37. FORM-based authentication
      • Allows custom application form to be used to collect user credentials
      • Can look better than browser pop-up box

  38. Web.xml
      <!-- Changed BASIC to FORM -->
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myrealm</realm-name>
        <!-- Our pages that look more like our application -->
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/error.html</form-error-page>
        </form-login-config>
      </login-config>

  39. Login.html
      <form action="j_security_check" method="POST">
        <table border="0" width="30%" cellspacing="3" cellpadding="2">
          <tr><td><b>User Name</b></td><td>
            <input type="text" size="20" name="j_username">
          </td></tr>
          <tr><td><b>Password</b></td><td>
            <input type="password" size="10" name="j_password">
          </td></tr>
          <tr><td><p><input type="submit" value="Login"></td></tr>
        </table>
      </form>

  40. Custom Challenge Box

  41. Programmatic Security

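  42. Servlet with Programmatic Security
      import java.io.IOException;
      import java.io.PrintWriter;
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      public class SecureServlet extends HttpServlet {
          public void doGet(HttpServletRequest request, HttpServletResponse response)
                  throws IOException, ServletException {
              PrintWriter pw = response.getWriter();
              pw.println("<HTML><HEAD><TITLE>HelloWorld</TITLE></HEAD><BODY>");
              // "applicationAdmin" is the role name declared in this servlet's <security-role-ref>
              if (request.isUserInRole("applicationAdmin")) {
                  pw.println("You are an admin user");
              } else {
                  pw.println("You are not an admin user");
              }
              pw.println("</BODY></HTML>");
          }
      }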

  43. Web.xml
      <servlet>
        <servlet-name>secure</servlet-name>
        <servlet-class>corej2ee.examples.web.SecureServlet</servlet-class>
        <security-role-ref>
          <description>servlet checks for this role programmatically</description>
          <!-- We did an isUserInRole for this role in our code -->
          <role-name>applicationAdmin</role-name>
          <!-- App Server please map this to the overall ‘admin’ logical role defined for the application -->
          <role-link>admin</role-link>
        </security-role-ref>
      </servlet>
      ……
      <security-role>
        <role-name>admin</role-name>
      </security-role>

  44. Web Services Security

  45. Web Services Security (Cont)
      • Web Services for J2EE still being defined
        • JSR 109 (http://www-3.ibm.com/software/solutions/webservices/pdf/websvcs-0_3-pd.pdf)
      • HTTP Basic Auth and Symmetric SSL
      • Access to JAX-RPC web service endpoints is based upon the servlet/JSP security model
      • Still immature
        • No support for credential propagation within a SOAP message, i.e. no message-level security provisions

  46. EJB Security

  47. Security Points (same diagram as slide 5)

  48. EJB Security
      • Authentication
        • validates the identity of the user
        • implemented through username/password logins, ID cards, security certificates, etc.
        • technique used not covered by EJB Specification
      • Authorization/Access Control
        • controls what a user can and cannot do within the system
      • Secure Communications
        • ensures the privacy of communications
        • implemented through private communication channels (infrequently) or, more commonly, encryption
        • not covered by EJB Specification

  49. Authentication
      • EJB external clients
        • Specify principal and password properties when creating JNDI initial context (deprecated and proprietary)
        • JAAS with a client-login module
      • Web Clients
        • Authenticated with FORM, Basic, or certificates

  50. Authentication
      • EJB Spec requires that every client access be associated with a security identity
        • user or role
        • getCallerPrincipal always returns a valid principal
      • User logs into EJB System and is authenticated through an implementation-specific method
      • EJB Server passes security identity along with method invocation
      • EJB objects or EJB homes check access
