Post on 31-Dec-2015
Java EE Platform Security
What is included, what is missing.
Masoud Kalali
Author of GlassFish security book
http://kalali.me
What can Security refer to?
Security requirements
- Authentication
- Authorization
- Transport Security
- Single Sign-On
Java EE and Security Requirements I
@ServletSecurity(@HttpConstraint(rolesAllowed = {"manager", "administrator"}))
...
String username = request.getParameter("username");
String password = request.getParameter("password");
request.login(username, password);   // throws ServletException if the realm rejects the credentials
...

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JDBCRealm</realm-name>
</login-config>
What Java EE provides for Authentication:
- Authentication methods (Form, Basic, Digest, Client-Cert)
- Security realms
- Programmatic login/logout, setHttpOnly/isHttpOnly on the session cookie, @ServletSecurity
- Adding new realms or extending the current ones
- JSR-196, pluggable authentication (JASPIC)
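Programmatic login and logout in working form, as an added example that is not part of the original slides: a servlet that authenticates a posted username/password against whatever realm web.xml's <login-config> names, handles the failure path, and tears the session down on logout. The URL patterns, the "manager" role and the redirect targets are assumptions for illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the slides. The realm is the one named in
// web.xml; paths and the "manager" role are assumptions.
@WebServlet(urlPatterns = {"/login", "/logout"})
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            req.logout();                         // drops the caller identity
            HttpSession s = req.getSession(false);
            if (s != null) {
                s.invalidate();                   // and the server-side session with it
            }
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }

        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null || username.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // login() fails if an identity is already established on this request.
        if (req.getUserPrincipal() != null) {
            req.logout();
        }
        // Discard any pre-authentication session so an id planted on the
        // victim beforehand (session fixation) is never upgraded to an
        // authenticated one.
        HttpSession stale = req.getSession(false);
        if (stale != null) {
            stale.invalidate();
        }

        try {
            // The container validates against the configured realm; failure
            // surfaces as ServletException, not as a return value.
            req.login(username, password);
        } catch (ServletException e) {
            // One generic message: do not reveal whether the user exists.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }

        req.getSession(true);                     // fresh session for the new identity

        // Role checks are answered by the same realm that validated the login.
        String target = req.isUserInRole("manager") ? "/admin/" : "/home";
        resp.sendRedirect(req.getContextPath() + target);
    }
}
```

The slide's setHttpOnly/isHttpOnly refer to the session cookie, which this servlet does not control: set it once for the whole application, either in web.xml under <session-config><cookie-config> with <http-only>true</http-only> and <secure>true</secure>, or from a ServletContextListener via getServletContext().getSessionCookieConfig().setHttpOnly(true) (it must run before the context finishes initialising, or it throws IllegalStateException).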
Java EE and Security Requirements II
What Java EE platform provides for authorization:
- Role based access control over resources
- Roles are declared portably, but mapping them to users/groups is vendor specific
- Roles are based on the info from the same security realm
- Enforced using annotations or XML descriptors
- Can be extended using JSR-115 (JACC)
Annotation        Target Level    Target Kind
@DeclareRoles     Class           EJB, Servlet
@RunAs            Class           EJB, Servlet
@ServletSecurity  Class           Servlet
@PermitAll        Class, Method   EJB
@DenyAll          Method          EJB
@RolesAllowed     Class, Method   EJB
<method-permission>
    <role-name>manager</role-name>
    <method>
        <ejb-name>Emp</ejb-name>
        <method-name>getAge</method-name>
    </method>
</method-permission>
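The annotation form of that <method-permission>, with the other EJB security annotations from the table and a programmatic SessionContext check beside them, as an added example that is not from the slides. The bean name Emp and the getAge method come from the descriptor above; the "employee" role and the in-memory data are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example, not from the slides. "employee" and the sample data are
// assumptions; only Emp/getAge/manager come from the descriptor.
@Stateless
@DeclareRoles({"employee", "manager", "administrator"})
@RolesAllowed("employee")          // class-level default for every business method
public class Emp {

    @Resource
    private SessionContext ctx;

    // Constructed sample data standing in for a database table.
    private static final Map<String, Integer> AGES = new HashMap<>();
    static {
        AGES.put("e100", 34);
        AGES.put("e200", 51);
    }

    // Overrides the class default: same effect as the <method-permission>
    // that grants Emp.getAge to "manager" (plus "administrator" here).
    @RolesAllowed({"manager", "administrator"})
    public int getAge(String employeeId) {
        Integer age = AGES.get(employeeId);
        if (age == null) {
            throw new IllegalArgumentException("unknown employee");
        }
        return age;
    }

    // Anyone, including unauthenticated callers, may call this.
    @PermitAll
    public boolean exists(String employeeId) {
        return AGES.containsKey(employeeId);
    }

    // No caller may invoke this through the container, whatever their roles.
    @DenyAll
    public void deleteAll() {
        AGES.clear();
    }

    // Declarative checks stop at the method boundary. Anything finer (an
    // employee may see only their own record) is coded against SessionContext.
    // Assumption: the principal name is the employee id.
    public int getOwnAge(String employeeId) {
        boolean self = ctx.getCallerPrincipal().getName().equals(employeeId);
        if (!self && !ctx.isCallerInRole("administrator")) {
            throw new EJBAccessException("not your record");
        }
        // Note: this internal call bypasses the container's interceptor, so
        // getAge's @RolesAllowed is NOT re-checked here; the check above is
        // the only gate on this path.
        return getAge(employeeId);
    }
}
```

@RunAs is the remaining annotation from the table: placed on another bean (a timer or message-driven bean, say, as @RunAs("administrator")), it makes every outbound call from that bean carry the named role regardless of who triggered it, which is exactly why it belongs on as few components as possible.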
Java EE and Security Requirements III
The transport security facilities:
- Confidentiality
- Data integrity
- Different sets of resources can get different levels of transport security
<security-constraint>
    <display-name>Current Online Users</display-name>
    <web-resource-collection>
        <web-resource-name>online users</web-resource-name>
        <description/>
        <url-pattern>/admin/online/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
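The same constraint expressed with @ServletSecurity, as an added example that is not part of the original slides. The url-pattern, the "manager" role and CONFIDENTIAL are taken from the descriptor above; the servlet class name and the TRACE rule are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the slides. Class name and the TRACE rule are
// assumptions; pattern, role and transport guarantee match the web.xml above.
@WebServlet("/admin/online/*")
@ServletSecurity(
    // Default for every HTTP method: "manager" role, over TLS.
    value = @HttpConstraint(rolesAllowed = "manager",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    // Per-method override: refuse TRACE to everyone. An @HttpMethodConstraint
    // with no roles would otherwise PERMIT; DENY must be said explicitly.
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class OnlineUsersServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already enforced CONFIDENTIAL (redirect or
        // refusal on plain HTTP). isSecure() reports what the container
        // itself saw, which is the value that check was based on.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        resp.setContentType("text/plain");
        try (PrintWriter out = resp.getWriter()) {
            out.println("caller: " + req.getUserPrincipal().getName());
        }
    }
}
```

Two caveats when mixing the two forms: a <security-constraint> in web.xml for the same url-pattern takes precedence over the annotation, so the descriptor is the place to look when behaviour does not match the annotation; and if TLS is terminated on a reverse proxy, the container sees plain HTTP, isSecure() is false and a CONFIDENTIAL constraint turns into a redirect loop unless the connector is configured to treat the proxied traffic as secure.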
Java EE and Security Requirements IV
What Java EE platform provides for SSO:
- Nothing from the JSRs themselves
- Application servers provide some basic functionality, with restrictions:
  - Same realm
  - Same virtual server / host
- Other solutions: a front-end proxy, e.g. delegating authentication to Apache via mod_proxy; clustering the instances
  - Still need the same realm
Is that All?
Really, is that all we need to have? Do we miss anything major?
Is there anything still basic and good to have?
Basic, but missing requirements
- Authentication chain
- Fine grained access control
- Single Sign-On
Basic, but missing requirements I
Authentication chain:
- Chain of authentication challenges: if one realm/provider fails, chain to the next one
- Put challenges together in groups, with basic rules to form the groups

Authentication levels:
- Higher level for more secure realms
- More resources accessible on higher authentication levels
Basic, but missing requirements II
Fine grained access control
Coarse grained allow/deny is not sufficient anymore
A very common need: time- and location-based access control
XACML is there, but not in the platform
- Attribute based access evaluation
- Attributes for all involved factors
- Version 2 is mature enough, Version 3 is around the corner
- Sun and JBoss open source XACML implementations:
  http://sunxacml.sourceforge.net/
  http://www.jboss.org/picketbox/
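What "time- and location-based access control" looks like when the platform gives you only roles, as an added example that is not from the slides and is not XACML: a servlet filter that combines the caller's role with the hour and the client network, i.e. a hand-rolled attribute check of the kind a XACML policy would externalise. The /admin/* path, the 10.20.0.0/16 "office" network, the business hours and the time zone are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.time.LocalTime;
import java.time.ZoneId;
import java.time.ZonedDateTime;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the slides and not XACML. Path, office network,
// hours and time zone are assumptions.
@WebFilter("/admin/*")
public class TimeAndLocationFilter implements Filter {

    static final LocalTime OPEN = LocalTime.of(8, 0);
    static final LocalTime CLOSE = LocalTime.of(18, 0);
    static final byte[] OFFICE_NET = {10, 20, 0, 0};   // 10.20.0.0/16
    static final int OFFICE_PREFIX_BITS = 16;
    static final ZoneId OFFICE_TZ = ZoneId.of("Europe/Berlin");

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // The container's <security-constraint> should already have
        // authenticated the caller; this filter only adds attributes on top.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy that is the
        // proxy itself; trust X-Forwarded-For only from a proxy you control.
        boolean allowed = permitted(req.isUserInRole("manager"),
                                    req.getRemoteAddr(),
                                    ZonedDateTime.now(OFFICE_TZ).toLocalTime());
        if (!allowed) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "outside policy");
            return;
        }
        chain.doFilter(request, response);
    }

    // Policy: managers from the office network at any hour; managers from
    // elsewhere only during business hours; everyone else never.
    static boolean permitted(boolean isManager, String remoteAddr, LocalTime now) {
        if (!isManager) {
            return false;
        }
        boolean businessHours = !now.isBefore(OPEN) && now.isBefore(CLOSE);
        return inOfficeNetwork(remoteAddr) || businessHours;
    }

    // Prefix match of a literal IPv4 address against OFFICE_NET/OFFICE_PREFIX_BITS.
    static boolean inOfficeNetwork(String addr) {
        byte[] a;
        try {
            a = InetAddress.getByName(addr).getAddress();   // literal, no DNS
        } catch (UnknownHostException e) {
            return false;                 // fail closed on anything unparsable
        }
        if (a.length != OFFICE_NET.length) {
            return false;                 // IPv6 peer is not in an IPv4 range
        }
        int fullBytes = OFFICE_PREFIX_BITS / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (a[i] != OFFICE_NET[i]) {
                return false;
            }
        }
        int remaining = OFFICE_PREFIX_BITS % 8;
        if (remaining == 0) {
            return true;
        }
        int mask = (0xFF << (8 - remaining)) & 0xFF;
        return (a[fullBytes] & mask) == (OFFICE_NET[fullBytes] & mask);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```

The decision logic is kept in a static permitted() method so the policy can be unit-tested without a container; the difference to XACML is that here the policy is compiled into the application, whereas a PDP would evaluate the same attributes (subject role, resource path, time, source address) against a policy file that can change without redeploying.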
Basic, but missing requirements III
What to do with more SSO requirements?
It may never get into the platform:
- Involves more than just Java EE
- Heavy, complex and open ended

Go with JOSSO, http://www.josso.org/
Go with OpenSSO, http://opensso.dev.java.net
- Both support CDSSO (cross-domain SSO)
- Integrate with many platforms / servers
- Can be used from almost any language
Time For Questions
Questions?
You can contact me at kalali@gmail.com or http://twitter.com/MasoudKalali