Java Security Frameworks

Choosing The Right Java Security Framework

@Mohammed Fazuluddin

Page 1: title slide

Page 2

Topics

- Overview
- List of Java Security Frameworks
- Details of Java Security Frameworks

Page 3

Overview

If you need your application "to be secure", there is no generic framework that you can simply install and be done with.

You need to understand exactly what you need, and for that you need good functional/business knowledge.

There are many Java-based security frameworks; some are open source and some are commercial.

If you have specific requirements around encryption, digital signatures, authentication, authorization, etc., list them first, because different frameworks provide better support for each of these.

The frameworks discussed here are written for web and standalone applications and aim to solve access control problems simply.

Page 4

List of Java Security Frameworks

The following frameworks can be integrated with Java-based applications, both web and standalone, to make the application secure:

- Spring Security
- Apache Shiro
- OACC
- PicketLink
- Wicket
- JGuard
- HDIV

Page 5

Details of Java Security Frameworks “Spring Security”

Spring Security provides security services for J2EE-based enterprise software applications. It is a lightweight security framework that provides authentication and authorization support in order to secure Spring-based applications. It integrates well with Spring MVC and comes bundled with implementations of popular security algorithms.

There are two main areas of application security:

- Authentication: the process of verifying that users are who they claim to be.
- Authorization: the process of deciding whether a user is allowed to perform an activity within the application.

Authentication models supported by Spring Security: Spring Security supports more than 20 authentication models. Some of them are:

- X.509 client certificate exchange
- LDAP authentication
- OpenID authentication
- Java Open Source Single Sign On (JOSSO)
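The two areas named above, authentication and URL-based authorization, in a minimal Spring Security 6 configuration. This is an added example, not code from the slides or from the Spring project; the package name, the user names and passwords, and the URL paths are assumptions made for the demo.

```java
package example.security; // package name is an assumption for this demo

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Authorization: decide which URLs each (authenticated) principal may reach.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll() // no login needed
                .requestMatchers("/admin/**").hasRole("ADMIN")  // role-based rule
                .anyRequest().authenticated())                 // everything else: logged in
            // Authentication: verify who the user claims to be via the default login form.
            .formLogin(Customizer.withDefaults())
            .logout(Customizer.withDefaults());
        // CSRF protection and security response headers stay on by default.
        return http.build();
    }

    // Passwords are stored hashed; the delegating encoder writes a {bcrypt} prefix.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Demo-only in-memory user store; real deployments plug in LDAP, JDBC, CAS, etc.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("alice-demo-password"))
                .roles("USER", "ADMIN").build(),
            User.withUsername("bob")
                .password(encoder.encode("bob-demo-password"))
                .roles("USER").build());
    }
}
```

With this configuration a request to /admin/reports from bob is answered with 403 after login, while alice reaches it; anonymous requests to anything outside /public are redirected to the login form.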

Page 6: Details of Java Security Frameworks “Spring Security” (no text on this slide)

Page 7

Details of Java Security Frameworks “Spring Security”

Spring Security modules: the Spring Security code is divided into different JARs (which can be considered modules):

- Core (spring-security-core.jar): required module. Contains core authentication and access-control classes and interfaces, remoting support and basic provisioning APIs.
- Web (spring-security-web.jar): required if web authentication services and URL-based access control are needed. Contains filters and related web-security infrastructure code.
- Remoting: provides integration with Spring Remoting.
- Config: contains the security namespace parsing code. You need it if you are using the Spring Security XML namespace for configuration.
- LDAP: LDAP authentication and provisioning code. Required if you need to use LDAP authentication or manage LDAP user entries.
- ACL: used to apply security to specific domain object instances within your application.
- CAS: needed if you want to use Spring Security web authentication with a CAS single sign-on server.
- OpenID: used to authenticate users against an external OpenID server.

Page 8

Details of Java Security Frameworks “Apache Shiro”

Apache Shiro is a top-level open source project under the Apache Software Foundation.

Apache Shiro is a powerful and easy-to-use Java security framework that offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management.

In practical terms, it aims to manage all facets of your application’s security while staying out of the way as much as possible.

It is built on sound interface-driven design and OO principles, enabling custom behavior wherever you can imagine it. But with sensible defaults for everything, it is as “hands off” as application security can be.

Apache Shiro can be run in any environment, from the simplest command-line application to the biggest enterprise web and clustered applications.

Page 9: Details of Java Security Frameworks “Apache Shiro” (no text on this slide)

Page 10

Details of Java Security Frameworks “Apache Shiro”

- The easiest-to-understand Java security API anywhere. Class and interface names are intuitive and make sense. Anything is pluggable, but good defaults exist for everything.
- Supports authentication (‘logins’) across one or more pluggable data sources (LDAP, JDBC, Active Directory, etc.).
- Performs authorization (‘access control’) based on roles or fine-grained permissions, also using pluggable data sources.
- First-class caching support for enhanced application performance.
- Simple Single Sign-On (SSO) support, piggybacking on Shiro’s enterprise session management: if sessions are federated across multiple applications, the user’s authentication state can be shared too. Log in once to any application and the others all recognize that login.
- Secures data with the easiest possible cryptography APIs available, giving you power and simplicity beyond what Java provides by default for ciphers and hashes.
- An incredibly robust yet low-configuration web framework that can secure any URL or resource, automatically handle logins and logouts, perform Remember Me services, and more.
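Login, role checks and fine-grained wildcard permission checks through the Subject API described on the last two slides, in a standalone Shiro program. This is an added example, not code from the slides or the Shiro project; the users, roles and the "printer"/"report" permission strings are assumptions, and the in-code INI realm stands in for a pluggable LDAP/JDBC realm.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.env.BasicIniEnvironment;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroStandaloneDemo {

    public static void main(String[] args) {
        // Demo data source built in code (assumed users/roles/permissions):
        // [users]  name = password, role...   [roles]  role = permission, ...
        // Production deployments use pluggable realms (LDAP, JDBC, AD) instead.
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "alice-demo-password, admin");
        ini.setSectionProperty("users", "bob", "bob-demo-password, clerk");
        ini.setSectionProperty("roles", "admin", "*");
        ini.setSectionProperty("roles", "clerk", "printer:print:lp7200, report:view");
        SecurityManager securityManager = new BasicIniEnvironment(ini).getSecurityManager();
        SecurityUtils.setSecurityManager(securityManager);

        // Authentication: the thread-bound Subject logs in with a username/password token.
        Subject bob = SecurityUtils.getSubject();
        try {
            bob.login(new UsernamePasswordToken("bob", "bob-demo-password"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getMessage());
            return;
        }

        // Authorization, coarse: role membership.
        System.out.println("has clerk role: " + bob.hasRole("clerk"));
        System.out.println("has admin role: " + bob.hasRole("admin"));

        // Authorization, fine-grained: wildcard permission strings domain:action:instance.
        // The clerk grant covers only print on lp7200; the admin "*" would cover everything.
        System.out.println("print lp7200: " + bob.isPermitted("printer:print:lp7200"));
        System.out.println("print lp9000: " + bob.isPermitted("printer:print:lp9000"));
        System.out.println("manage lp7200: " + bob.isPermitted("printer:manage:lp7200"));

        // checkPermission throws instead of returning false, handy as a guard clause.
        try {
            bob.checkPermission("report:delete");
        } catch (AuthorizationException e) {
            System.out.println("denied: report:delete");
        }

        // Logout discards the identity and session held by the Subject.
        bob.logout();
        System.out.println("authenticated after logout: " + bob.isAuthenticated());
    }
}
```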

Page 11

Details of Java Security Frameworks “OACC”

OACC, pronounced [oak], is a fully featured Java API to both enforce and manage your application's authentication and authorization needs.

The OACC framework is an open-source project and encourages engagement with and contributions from community members like you.

OACC provides an API to manage these security relationships (permissions between resources). Most current security frameworks for Java™, however, do not, because their security model lacks an abstraction for the application resources being secured.

This forces the application developer to implement a means to store and manage the security relationships. The abstraction for an application resource is core to OACC’s security model.

The security relationships are stored in OACC’s security data repository, backed by a set of relational database tables. As a result you will not see the concept of realms in OACC that exists in other security frameworks.

Page 12

Details of Java Security Frameworks “OACC”

OACC features a fully functioning, rich API that doesn’t require any DIY implementation to enable the programmatic and dynamic modeling of complex security scenarios. In other words, OACC provides all the functionality to manage your application’s security model, out of the box.

- Fully implemented data store: OACC supplies a fully implemented RDBMS-backed data store for its security model, which the API manages for you behind the scenes.
- Permission-based security model: OACC’s security model is permission-based: it essentially manages permissions between resources.
- Single access control paradigm: OACC uses a single paradigm throughout. Other frameworks allow role-membership or expression-language checks to enforce some level of authorization at the web and service layers (URLs and methods), and then provide a separate ACL interface to secure the domain-model layer (objects).
- Annotations or expression language support: OACC is a security framework that facilitates programmatic authorization at the code level, so there is currently no support for aspect-oriented intercepts with annotations or expression-language constructs. Instead, simple API methods to check or assert permissions allow for authorization enforcement.

Page 13

Details of Java Security Frameworks “OACC”

- True RBAC modeling: If role membership checks aren’t enough to secure your application, you’ll be pleased to learn that OACC supports full RBAC, in which a “role is essentially a collection of permissions” (NIST). Roles, and groups for that matter, can be modeled through permission inheritance, allowing for hierarchical roles through which a subject transitively acquires any assigned permissions.
- Symmetric query methods: OACC provides efficient query methods to find resources by permission, without loading all resources first and then filtering out the unauthorized ones. These methods are symmetric in the sense that you can find both the resources to which a specified resource has a specific set of permissions, and the resources that have a specific set of permissions to a specified resource. For auditing or for purposes of managing authorization, these query methods make it easy to find, for example, users “belonging” to a role, or users that have permissions on a resource.
- Permission delegation: OACC is the only framework that natively supports delegation control at the authorization level. With OACC, subjects can delegate their permissions to others.

Page 14

Details of Java Security Frameworks “OACC”

- Automatic permission assignment: Another novel feature of OACC is create-permissions, which not only control what kind of resources a subject may create, but also define exactly what permissions the subject gets on a new resource after creating it. Defined once, these permissions are automatically assigned to a resource creator, without the need for explicit API calls.
- Multi-tenancy support: OACC supports partitioning the resource space into (hierarchical) logical security domains, which facilitates modeling security scenarios in multi-tenant applications. These domains are a useful abstraction in themselves, because they also allow permissions to be efficiently assigned and queried at the domain level.
- Caching: OACC does not yet come with a built-in caching mechanism. To prevent performance degradation in memory or query time as the size of your secured data set grows, OACC uses dynamic, highly targeted queries into a very efficient data model for all access control checks. As a result, OACC doesn’t load a subject’s entire permission set into memory up front and then iterate over it for each authorization check.

Page 15

Details of Java Security Frameworks “PicketLink”

PicketLink is an open source project for simplified security and identity management for Java applications.

A picket fence is a secure system of pickets joined together via some type of links. By themselves, the pickets do not offer any security.

But when they are brought together by linking them, they provide the necessary security.

This project is that link for other security systems, bringing them together to finally provide the necessary secure system.

Page 16: Details of Java Security Frameworks “PicketLink” (no text on this slide)

Page 17

Details of Java Security Frameworks “PicketLink”

- Robust IDM feature: Model identities and attributes. Build the model from various data sources such as databases, LDAP and the file system, and mix and match them. Simple API for users, roles, groups and attributes.
- Suitable for Java EE applications: Use CDI-based application programming.
- Robust authentication support: Application developers have greater control over authentication. You use the IDM as the foundation for your authentication needs.
- Extensive access control/authorization support: PicketLink has a permission model that gives you robust access control for your Java applications. Permission implementations include ACL and Drools rules based implementations.
- Plug in your own access control: The API allows custom authorization implementations. Easy migration to a fine-grained access control model using XACML.
- SAML Web Browser Profile Single Sign-On: PicketLink provides SSO using SAML v1.1 and v2.0; parsers and an object model are available to build robust SAML-enabled applications.
- Social media based login: PicketLink allows you to incorporate social login into your applications. You can build applications that allow sign-in using Facebook, Google and Twitter.
- Open standards: PicketLink supports SAML, XACML and WS-Trust.

Page 18

Details of Java Security Frameworks “Wicket”

Apache Wicket is a simple and feature-rich component-based web framework; truly reusable components are the main selling point of this framework.

Security is one of the most important non-functional requirements we must implement in our applications.

This is particularly true for enterprise applications, as they usually support multiple concurrent users and therefore need an access control policy.

In this section we will explore the security infrastructure provided by Wicket and learn how to use it to implement authentication and authorization in our web applications.

Page 19

Details of Java Security Frameworks “Wicket”

Authentication: Authentication in Wicket follows the application's security policy, which means that users must be authenticated on the basis of trusted credentials; web applications usually adopt form-based authentication with a login form.

Authorization: The authorization support provided by Wicket is built around the concept of an authorization strategy. There are two main authorization strategies:

- Simple page authorization strategy
- Role-based strategies

HTTPS protocol: HTTPS is the standard technology adopted on the Internet to create a secure communication channel between web applications and their users. In Wicket we can easily protect our pages with HTTPS by mounting a special request mapper called HttpsMapper.

URL encryption: Wicket can encrypt and decrypt URLs using interfaces such as ICrypt.
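The simple page authorization strategy and the HttpsMapper from the slide above, wired into one Wicket WebApplication. This is an added example, not code from the slides or the Wicket project; the SecurePage marker interface, the AuthSession class, the page classes and the 8080/8443 ports are assumptions, and the pages' HTML markup and the login form itself are omitted.

```java
import org.apache.wicket.Page;
import org.apache.wicket.Session;
import org.apache.wicket.authorization.strategies.page.SimplePageAuthorizationStrategy;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.protocol.https.HttpsConfig;
import org.apache.wicket.protocol.https.HttpsMapper;
import org.apache.wicket.protocol.https.RequireHttps;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Response;

public class SecureWicketApplication extends WebApplication {

    /** Marker interface (assumed): pages implementing it need a signed-in session. */
    public interface SecurePage {}
    /** Session type (assumed) that records whether the user has authenticated. */
    public static class AuthSession extends WebSession {
        private boolean signedIn;
        public AuthSession(Request request) { super(request); }
        public boolean isSignedIn() { return signedIn; }
        public void setSignedIn(boolean signedIn) { this.signedIn = signedIn; }
    }

    /** Login form page; @RequireHttps makes HttpsMapper serve it only over TLS. */
    @RequireHttps
    public static class SignInPage extends WebPage {}
    public static class HomePage extends WebPage {}
    /** A protected page: AccountPage implements SecurePage, so the strategy guards it. */
    public static class AccountPage extends WebPage implements SecurePage {}

    @Override
    public Class<? extends Page> getHomePage() { return HomePage.class; }

    @Override
    public Session newSession(Request request, Response response) {
        return new AuthSession(request);
    }

    @Override
    protected void init() {
        super.init();
        // Authorization: a SecurePage requested without a signed-in session redirects to SignInPage.
        getSecuritySettings().setAuthorizationStrategy(
            new SimplePageAuthorizationStrategy(SecurePage.class, SignInPage.class) {
                @Override
                protected boolean isAuthorized() {
                    return ((AuthSession) Session.get()).isSignedIn();
                }
            });
        // HTTPS: wrap the root mapper so @RequireHttps pages are redirected to the
        // TLS port (ports are assumptions; match them to the servlet container).
        setRootRequestMapper(new HttpsMapper(getRootRequestMapper(), new HttpsConfig(8080, 8443)));
    }
}
```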

Page 20

Details of Java Security Frameworks “JGuard”

JGuard is an open source Java security framework that is primarily used for securing Java web applications.

It is built on JAAS and offers simple and flexible configuration to authenticate and authorize user roles and manage the permissions of users.

It can also be considered for resolving access control problems and user rights in standalone and desktop-based applications.

JGuard is very flexible and allows several different ways to configure the authentication and authorization mechanisms, i.e., in a relational database, XML files, or an LDAP service.

JGuard is under the open source LGPL license.

Page 21: Details of Java Security Frameworks “JGuard” (no text on this slide)

Page 22

Details of Java Security Frameworks “JGuard”

- It can be adapted to any webapp, on any application server.
- It permits a user to have more than one role simultaneously.
- It does not depend on a web framework or an AOP framework.
- It is built on top of the standard, very secure, and flexible JAAS.
- Authentication and authorization are handled by pluggable mechanisms.
- Authentication data can be stored in a database, an XML file, a JNDI data source, an LDAP directory, Kerberos...
- Changes take effect 'on the fly' (dynamic configuration). In JGuard the permissions, roles, and their associations can be created, updated and deleted on the fly through a webapp (an API is provided too).
- Each webapp has its own authentication and authorization configuration.
- A taglib is provided to protect JSP fragments.
- It supports running under a Java security manager.

Page 23: Details of Java Security Frameworks “JGuard” (no text on this slide)

Page 24

Details of Java Security Frameworks “HDIV”

Hdiv has pioneered application self-protection since 2008. Hdiv enables applications to protect themselves through runtime application self-protection (RASP) products. By building protection in during development, we protect applications from the inside.

Hdiv solutions combine the strongest protection against OWASP Top 10 threats with deep understanding of business configuration and logic to enable real-time, all-the-time application protection.

Protect your applications at runtime, with fewer resources and greater accuracy. Hdiv delivers the best protection against application risks without having to change anything.

Page 25: Details of Java Security Frameworks “HDIV” (no text on this slide)

Page 26

Details of Java Security Frameworks “HDIV”

- STRONGEST REAL-TIME PROTECTION: Hdiv repels 90% of the application security risks included in the OWASP Top 10, such as SQL injection, cross-site scripting, cross-site request forgery, data tampering and brute force attacks. Hdiv offers higher effectiveness than any of the solutions currently available to fight web application security risks.
- ULTRA-HIGH ACCURACY: Hdiv RASP has deep insight into application logic, configuration, and data and event flows. These capabilities enable Hdiv to analyze and block security attacks with less dependence on external security devices, without false positives and with no need for learning processes or content parsing.
- NO EXTENSIVE SECURITY EXPERTISE NEEDED: Programmers don’t have to be security experts to apply Hdiv during development. Hdiv enables self-protected applications with almost zero operations cost, and lets customers avoid having to upgrade programming environments.
- REAL-TIME VISIBILITY AND PROTECTION: It provides real-time visibility into actual attacks hitting applications in production. Get actionable information, including detected attacks, vulnerabilities and business logic flaws, and protect your business with instant information from interactive dashboards and alerts.
- KEEP YOUR PROGRAMMING ENVIRONMENT: Hdiv installation and updates are easy, needing only a declarative configuration based on XML files. Hdiv does not change application source code, so it can be used with any application before and after development.

Page 27

THANKS