Utilize the Full Power of GlassFish Server and Java EE Security

Date post: 10-May-2015
Upload: masoud-kalali
Description:
In this session, learn how to utilize Java EE security and what GlassFish Server technology provides to address your security requirements. The presentation goes over how to develop new JASPIC (JSR-196) or JACC (JSR-115) modules and plug them into GlassFish.
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 1
Transcript
Page 1: Utilize the Full Power of GlassFish Server and Java EE Security


Page 2: Utilize the Full Power of GlassFish Server and Java EE Security

Masoud Kalali
Principal Member of Technical Staff - ORACLE
Twitter: @MasoudKalali
Blog: http://kalali.me

Page 3

Program Agenda

• Introduction
• Java EE Security API
• Java Authentication Service Provider Interface (JSR-196)
• Java Authorization Contract for Containers (JSR-115)

Page 4

Introduction

Page 5

Java EE Security API: Terms

• Subject: an individual identity which is to be authenticated.
• Group: a group of users with common permissions and access levels.
• Security Realm: connects the application server to the identity storage.
• Role: a Java EE concept used to define access levels.
• Principal: aka a role attached to an authenticated subject.
• Credential: contains or references the information used to authenticate a principal.

Page 6

Java EE Security API: Before anything else

• Identify the sensitive data
• Identify the roles having access to the sensitive data
• Identify the resources representing the sensitive data
• Group the mentioned resources into meaningful sets
• And document the above items!

Page 7

Java EE Security API: Resource Protection

• Authentication
  – At the Web Container
  – At the Application Client Container
• Authorization (Access Control)
  – At the Web Container
  – At the EJB Container
• Subject Propagation
  – From the Web Container to the EJB Container
  – From the App Client to the EJB Container
  – From the EIS to the Connector (inflow messages)

Page 8

Java EE Security API: Authentication

• When a protected resource is requested, establish the client's identity
• Authentication methods:
  – Form
  – Basic
  – Digest
  – Client-Cert

Page 9

Java EE Security API: Authentication Continued…

• Specify the protected resources
• Specify the permitted role/s
• Specify the transport guarantee level

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/manager/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Page 10

Java EE Security API: Authentication Continued…

• Specify the login configuration
• Pick one of:
  – HTTP Basic Authentication: BASIC
  – Digest Authentication: DIGEST
  – HTTPS Client Authentication: CLIENT-CERT
  – Form-Based Authentication: FORM
• Specify the security realm name

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbc-realm</realm-name>
  </login-config>

Page 11

Java EE Security API: Got your own way of authenticating?

• Use programmatic login in Java EE 6
• Benefit from all that container security provides
  – Principal propagation
  – Unified security exceptions
  – Any auditing/logging that the container provides
  – Authenticate against the configured realm
• Do more than just two tokens (multi-factor authentication)
  – Mix and match 3rd-party soft tokens with username/passwords

Page 12

Java EE Security API: Got your own way of authenticating?

  // Programmatic login combined with a second factor (an SMS code):
  // the container's login(...) is only attempted once the code matches.
  String userName = request.getParameter("user");
  String password = request.getParameter("password");
  String enteredSmsCode = request.getParameter("enteredSms");

  if (enteredSmsCode != null
          && enteredSmsCode.equals(getLastActiveSmsForUser(userName))) {
      try {
          // Authenticates against the realm configured in web.xml
          request.login(userName, password);
      } catch (ServletException ex) {
          // Handle the failed login (wrong credentials, realm error, ...)
      }
  } else {
      // A wrong or missing code burns the outstanding SMS code
      invalidateLastSmsForUser(userName);
  }

Page 13

To wrap it up: the security-related structure of web.xml and *-web.xml, and role mapping

Page 14

Java EE Security API: Security-related methods on HttpServletRequest

Method                                         Description
String getRemoteUser()                         If the user is authenticated, returns the username; otherwise returns null.
boolean isUserInRole(String role)              Returns whether the current user has the specified role or not.
Principal getUserPrincipal()                   Returns a java.security.Principal object containing the name of the current authenticated user.
String getAuthType()                           Returns a String containing the authentication method used to protect this application.
void login(String username, String password)  Performs the programmatic login explained above.
void logout()                                  Establishes null as the value returned when getUserPrincipal, getRemoteUser and getAuthType are called on the request.
String getScheme()                             Returns the scheme portion of the URL, for example HTTP or HTTPS.
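The following servlet is an added example, not code from the slides: it turns the two-factor programmatic login fragment on page 12 into a complete request handler and then exercises the HttpServletRequest methods from the table above. The OtpStore interface, its in-memory implementation, the user "alice" and her code are hypothetical stand-ins for whatever issues and tracks the SMS codes in a real deployment; the realm that checks the password is the one named in web.xml's login-config. Unlike the fragment, every code is single-use and is compared in constant time, and the session is replaced before the identity is attached to it.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login")
public class TwoFactorLoginServlet extends HttpServlet {

    /** Hypothetical store of the last SMS code issued to each user. */
    interface OtpStore {
        String lastActiveCodeFor(String userName);
        void invalidate(String userName);
    }

    /** Constructed in-memory store so the servlet is self-contained. */
    static final class InMemoryOtpStore implements OtpStore {
        private final Map<String, String> codes = new ConcurrentHashMap<String, String>();
        InMemoryOtpStore() { codes.put("alice", "493027"); }   // constructed sample
        public String lastActiveCodeFor(String userName) { return codes.get(userName); }
        public void invalidate(String userName) { codes.remove(userName); }
    }

    private static final Charset UTF8 = Charset.forName("UTF-8");
    private final OtpStore otpStore = new InMemoryOtpStore();

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userName = request.getParameter("user");
        String password = request.getParameter("password");
        String enteredSmsCode = request.getParameter("enteredSms");
        if (userName == null || password == null || enteredSmsCode == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Every code is single-use: it is discarded whether or not it matches,
        // so a second guess needs a freshly issued code.
        String expected = otpStore.lastActiveCodeFor(userName);
        otpStore.invalidate(userName);
        if (!constantTimeEquals(enteredSmsCode, expected)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }

        // Replace the pre-authentication session before the identity is
        // attached to it, so a fixated session id gains nothing.
        request.getSession().invalidate();
        request.getSession(true);

        try {
            // The password is checked by the realm named in web.xml's <login-config>.
            request.login(userName, password);
        } catch (ServletException ex) {
            // Same generic message as above: do not reveal which factor failed.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }

        // From here on the container answers the identity questions.
        response.setContentType("text/plain");
        response.getWriter().printf("user=%s authType=%s manager=%s%n",
                request.getRemoteUser(), request.getAuthType(),
                request.isUserInRole("manager"));
    }

    @Override
    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // logout() makes getRemoteUser, getUserPrincipal and getAuthType return null.
        request.logout();
        request.getSession().invalidate();
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Compares the codes without leaking the position of the first mismatch. */
    static boolean constantTimeEquals(String a, String b) {
        return a != null && b != null
                && MessageDigest.isEqual(a.getBytes(UTF8), b.getBytes(UTF8));
    }
}
```

Deploy it in a web application whose web.xml names a FORM or BASIC login-config and a realm; a POST to /login with user, password and enteredSms then either establishes the container identity or answers 401 with the same message for both factors, and a DELETE to /login ends the session.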

Page 15

Java EE Security API: Authorization (Access Control)

• Now that you have established the user identity, we can enforce access control:
  – Using annotations to annotate the permitted and not permitted roles
  – Using the XML descriptor to specify the permitted and not permitted roles

Page 16

Java EE Security API: Authorization (Access Control): Security constraints (Web, EJB, ...)

Annotation        Description
@DeclareRoles     Prior to referencing any role, it should be defined. @DeclareRoles acts like the security-role element in defining the roles used in the application.
@RunAs            Specifies the run-as role for the given components.
@ServletSecurity  Specifies the security constraint for the annotated Servlet.
@PermitAll        Permits users with any role to access the given method, EJB or Servlet.
@RolesAllowed     On a method, permits the included roles to invoke it. On a class, all methods are accessible to those roles unless a method is annotated with a different set of roles using @RolesAllowed.
@DenyAll          On a method; no role is permitted to invoke it.

Page 17

Java EE Security API: Where to place the Annotations?

Annotation        Target Level     Target Kind
@DeclareRoles     Class            EJB, Servlet
@RunAs            Class            EJB, Servlet
@ServletSecurity  Class            Servlet
@PermitAll        Class, Method    EJB, Servlet
@RolesAllowed     Class, Method    EJB, Servlet
@DenyAll          Method           EJB, Servlet
```
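The two classes below are an added example (not from the slides) showing every annotation from the two tables in use, placed at the levels the second table allows: a session bean with class-level @RolesAllowed overridden per method, and a servlet whose @ServletSecurity reproduces the /manager/* constraint from page 9. ReportService, ReportServlet and the roles employee and auditor are hypothetical; manager is the role from page 9. One caveat worth knowing when moving between the two styles: a web.xml web-resource-collection that lists only GET and POST constrains only those two methods, whereas the @HttpConstraint in @ServletSecurity applies to every HTTP method not named in httpMethodConstraints.

```java
// File: ReportService.java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;

/** Roles are declared before any of them is referenced; @RunAs fixes the
 *  identity the bean uses for its own outbound calls. */
@Stateless
@DeclareRoles({"manager", "employee", "auditor"})
@RunAs("auditor")
@RolesAllowed({"employee"})      // class-level default for every business method
public class ReportService {

    public String mySummary() {   // inherits the class-level rule: employee
        return "summary";
    }

    @RolesAllowed({"manager"})    // method-level rule replaces the class default
    public String teamSummary() {
        return "team summary";
    }

    @PermitAll                    // any caller, authenticated or not
    public String version() {
        return "1.0";
    }

    @DenyAll                      // no role may reach this through the container
    public void rebuildIndex() {
    }
}

// File: ReportServlet.java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Same intent as the <security-constraint> for /manager/*: role manager
 *  over a CONFIDENTIAL transport. The default @HttpConstraint covers every
 *  method, so HEAD, PUT, DELETE, ... are not left unconstrained. */
@WebServlet("/manager/*")
@ServletSecurity(
    value = @HttpConstraint(
        rolesAllowed = {"manager"},
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // TRACE is refused outright, whatever role the caller has
        @HttpMethodConstraint(value = "TRACE",
            emptyRoleSemantic = ServletSecurity.EmptyRoleSemantic.DENY)
    })
public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("manager area for " + req.getRemoteUser());
    }
}
```

Both classes rely on the application's role mapping (page 30's security-role-mapping in glassfish-web.xml, or the realm's default mapping) to connect the roles to groups; without a mapping for manager, teamSummary() and the servlet are unreachable for everyone.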

Page 18

Java EE Security API: Transport Security

• Apply the right level of transport security on your resources
  – CONFIDENTIAL
  – INTEGRAL
• Use as much strength as needed; the strongest is not always the best choice
• Check country regulations before choosing cipher suites

Page 19

Is that all that we can do?

No, there is much more…

Page 20

Java Authentication Service Provider Interface (JSR-196): What JSR-196 is…

• An SPI for integrating authentication mechanism implementations in message processing runtimes
• Authentication is delegated to the corresponding provider at message processing points
• Develop authentication modules that utilize non-supported credentials or headers
• Utilize the container security integration
• Can plug in off-the-shelf 3rd-party Authentication Modules implementing JSR-196

Page 21

Java Authentication Service Provider Interface (JSR-196): Message interception points

• In the client, before transmitting the request to the server.
• In the server, before the target service receives the client request.
• In the server, before a response can be sent back to the client.
• In the client, before the server response can be consumed.

Page 22

Java Authentication Service Provider Interface (JSR-196): How you can benefit from it

• Integrate any COTS authentication module
• Develop your own credentials and use them for authentication
• Benefit from container-provided security
  – Access control
  – Subject propagation
  – Unified error messages
  – Auditing
  – Etc.

Page 23

Java Authentication Service Provider Interface (JSR-196): The good part, the SPI…

• The interface is javax.security.auth.message.module.ServerAuthModule
• 5 methods in total to implement
  – 2 directly from javax.security.auth.message.module.ServerAuthModule
  – 3 derived from javax.security.auth.message.ServerAuth
• The implementation can be plugged into the container
• The implementation can be used by the web apps
• Supported by any Java EE 6 compliant app server

Page 24

Java Authentication Service Provider Interface (JSR-196): 2 directly from ServerAuthModule

void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options)

– Called for each authentication event
– requestPolicy and responsePolicy specify whether authentication is mandatory or not
– handler communicates the user and group principals to be used in establishing the runtime's security context
– options come from the container, for parameterized behavior in the SAM module

Page 25

Java Authentication Service Provider Interface (JSR-196): 2 directly from ServerAuthModule

Class[] getSupportedMessageTypes()

– Returns an array of the supported message type classes:
  – HttpServletRequest.class
  – HttpServletResponse.class

Page 26

Java Authentication Service Provider Interface (JSR-196): 3 derived from javax.security.auth.message.ServerAuth

AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)

– Custom credential scraping and/or authentication happens here
– Communicate the authentication result and/or identity assertions to the message processing runtime through the callbackHandler

Page 27

Java Authentication Service Provider Interface (JSR-196): 3 derived from javax.security.auth.message.ServerAuth

AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)

– Nothing much to do here for the servlet profile
– Usually return AuthStatus.SEND_SUCCESS

Page 28

Java Authentication Service Provider Interface (JSR-196): 3 derived from javax.security.auth.message.ServerAuth

void cleanSubject(MessageInfo messageInfo, Subject subject)

– Remove method-specific principals and groups from the provided Subject
– Update the messageInfo if needed for a multi-step message exchange
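The class below is an added example, not code from the slides or from GlassFish: a complete Servlet-profile ServerAuthModule with the five methods described on pages 24 to 28, authenticating a custom request header, which is the "non-supported credentials or headers" case the SPI exists for. The header name X-Auth-Token, the provider option key token.header, the auth type TOKEN and the token table are hypothetical and constructed for the example; a real module would look tokens up in a proper credential store rather than a static map. The MessageInfo key javax.servlet.http.authType is the one the Servlet Container Profile of JSR-196 defines for the value later returned by getAuthType().

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HeaderTokenServerAuthModule implements ServerAuthModule {

    private static final String DEFAULT_HEADER = "X-Auth-Token";   // hypothetical
    private static final String AUTH_TYPE = "TOKEN";               // hypothetical

    /** Constructed sample: opaque token -> caller name followed by group names. */
    private static final Map<String, String[]> TOKENS = new HashMap<String, String[]>();
    static {
        TOKENS.put("c0ffee-example-token", new String[] {"alice", "group_1"});
    }

    private CallbackHandler handler;
    private boolean mandatory;
    private String headerName = DEFAULT_HEADER;

    // --- the 2 methods declared directly on ServerAuthModule ---------------

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        // true when the requested resource is protected by a security constraint
        this.mandatory = requestPolicy != null && requestPolicy.isMandatory();
        // provider options configured in the domain parameterize the module
        if (options != null && options.get("token.header") != null) {
            this.headerName = options.get("token.header").toString();
        }
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }

    // --- the 3 methods inherited from ServerAuth ---------------------------

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        String token = request.getHeader(headerName);
        String[] identity = token == null ? null : TOKENS.get(token);
        try {
            if (identity == null) {
                if (!mandatory) {
                    // unprotected resource: let the request through as anonymous
                    handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, (String) null)});
                    return AuthStatus.SUCCESS;
                }
                // protected resource and no valid token: fail, Subject untouched
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setHeader("WWW-Authenticate", AUTH_TYPE + " realm=\"api\"");
                return AuthStatus.SEND_FAILURE;
            }
            // Hand caller and group principals to the container; the role mapping
            // in glassfish-web.xml then turns group_1 into an application role.
            String[] groups = new String[identity.length - 1];
            System.arraycopy(identity, 1, groups, 0, groups.length);
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, identity[0]),
                new GroupPrincipalCallback(clientSubject, groups)});
        } catch (IOException e) {
            throw (AuthException) new AuthException("callback failed").initCause(e);
        } catch (UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback unsupported").initCause(e);
        }
        // Servlet profile: this value is what HttpServletRequest.getAuthType() returns
        messageInfo.getMap().put("javax.servlet.http.authType", AUTH_TYPE);
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        return AuthStatus.SEND_SUCCESS;   // nothing to add to the response
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        if (subject != null) {
            subject.getPrincipals().clear();   // drop what validateRequest established
        }
    }
}
```

Two points in the design matter for correctness: an unprotected resource still gets a CallerPrincipalCallback with a null name so the container has a (anonymous) caller to work with, and a failed mandatory authentication returns SEND_FAILURE after setting the 401 status instead of throwing, which keeps the container's error handling uniform with the other authentication methods.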

Page 29

Java Authentication Service Provider Interface (JSR-196): GlassFish and JSR-196, install it in the domain

• Create a new provider under Security > Message Security > HttpServlet

Page 30

Java Authentication Service Provider Interface (JSR-196): GlassFish and JSR-196

• Use it for one web application if not made default
  – Use the httpservlet-security-provider attribute of glassfish-web.xml's sun-web-app element
• And you are done!

  <glassfish-web-app httpservlet-security-provider="new-sam">
    <security-role-mapping>
      <role-name>role_1</role-name>
      <group-name>group_1</group-name>
    </security-role-mapping>
  </glassfish-web-app>

Page 31

Java Authorization Contract for Containers (JSR-115): What is JSR-115

• To plug a new access control mechanism into the container
• The container delegates the access control decision to the provider
• Uses the same role mapping that is supported by Java EE
• Correlates with the authentication mechanism (the Subject's roles)

Page 32

Java Authorization Contract for Containers (JSR-115): How you can benefit from it

• Add a new decision-making mechanism:
  – Add the time of day to the decision making
  – Use a different type of policy storage
  – etc.

Page 33

Java Authorization Contract for Containers (JSR-115): The good part, the SPI…

• Mainly two classes should be implemented by the provider:
  – javax.security.jacc.PolicyConfigurationFactory
  – javax.security.jacc.PolicyConfiguration
• If it is not compliant with the default Java SE policy, it should also implement
  – java.security.Policy
• The rest is already done by the container!
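The class below is an added example, not code from the slides or from GlassFish, showing the java.security.Policy part of the SPI for the "add the time of day to the decision making" case from page 32. It assumes the container's default JACC provider has already installed a Policy (so PolicyConfigurationFactory and PolicyConfiguration stay as they are) and wraps that Policy in front: the wrapper refuses WebResourcePermission checks for the hypothetical /admin area outside business hours and delegates everything else. The Clock interface, the /admin prefix and the opening hours are choices made for this example; installing the wrapper through Policy.setPolicy needs the corresponding SecurityPermission when a security manager is active.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Calendar;

import javax.security.jacc.WebResourcePermission;

public class BusinessHoursPolicy extends Policy {

    /** Hypothetical clock so the rule can be evaluated deterministically. */
    public interface Clock {
        int hourOfDay();
    }

    private final Policy delegate;
    private final Clock clock;
    private final int openHour;    // inclusive, 24h clock
    private final int closeHour;   // exclusive

    public BusinessHoursPolicy(Policy delegate, Clock clock, int openHour, int closeHour) {
        this.delegate = delegate;
        this.clock = clock;
        this.openHour = openHour;
        this.closeHour = closeHour;
    }

    /** Puts this policy in front of whatever Policy is currently active. */
    public static BusinessHoursPolicy install(int openHour, int closeHour) {
        Clock wallClock = new Clock() {
            public int hourOfDay() {
                return Calendar.getInstance().get(Calendar.HOUR_OF_DAY);
            }
        };
        BusinessHoursPolicy policy =
                new BusinessHoursPolicy(Policy.getPolicy(), wallClock, openHour, closeHour);
        Policy.setPolicy(policy);
        return policy;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        // For a web request the container asks about a WebResourcePermission whose
        // name is the request path; refuse the admin area outside business hours
        // before the delegate applies its role-based decision.
        if (permission instanceof WebResourcePermission
                && isAdminArea(permission.getName())
                && !withinBusinessHours()) {
            return false;
        }
        return delegate.implies(domain, permission);
    }

    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        return delegate.getPermissions(domain);
    }

    @Override
    public void refresh() {
        delegate.refresh();
    }

    static boolean isAdminArea(String path) {
        return "/admin".equals(path) || path.startsWith("/admin/");   // hypothetical prefix
    }

    boolean withinBusinessHours() {
        int hour = clock.hourOfDay();
        return hour >= openHour && hour < closeHour;
    }
}
```

The decisive call for JACC is implies(); getPermissions() is delegated only so that code enumerating the policy still sees the delegate's view. A provider that also replaces the policy storage would implement PolicyConfigurationFactory and PolicyConfiguration as the slide says, and this wrapper would then sit in front of that provider's Policy instead.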

Page 34

Java Authorization Contract for Containers (JSR-115): To install a new provider

• Under Server-Config or any other config node:
  – Create a new entry under Security > JACC Provider
  – Select the newly installed provider under Security

Page 35

Are there more basics to know?

Yes, the OWASP Top 10

Page 36

Java EE Security, GlassFish: Things to remember

• Comparative data should be stored salted and hashed
• Encrypted data does not need to have clear-text copies
• Keys must be protected properly
• Use the security manager and policy files
• Avoid forwards and redirects based on user-provided values
• Pay enough attention to role mappings
• Choose the right security realm

Page 37

Java EE Security, GlassFish: Things to remember

• Watch out for SQL injection: limit database access, use bind parameters, etc.
• Understand what you are storing in the session
• Never store unencrypted cookies with important bits
• Transmit cookies securely when needed: Cookie.setSecure(true)

Page 38

Java EE Security, GlassFish: Things to remember

• Use a service-specific user in the OS
• Use the security manager and policy files
• Properly configure the listeners
• Do not use the alias feature
• Do not use default accounts (admin accounts)
• Check the OWASP Top 10 talk and resources

Page 39