Web Application Security
Using Oracle products as an example
Syllabus
• It seems that organizations are taking security more and more seriously these days. One motivator is avoiding embarrassment, which can collapse an organization in a hurry. The architecture of a web-based application has a number of complexities when it comes to implementing security properly. Jonathan will talk about some of these complexities and identify a number of considerations that can save you time and money. In particular, he will explain how the Oracle suite of products integrates, and use that as a concrete example. Architects, developers, and DBAs will learn from topics such as virtual private databases, single sign-on, cookies, Hibernate interactions, and role-based security.
Setting the stage …
• Who is in the audience? Which one are you?
  • Architect
  • Database Administrator (DBA)
  • Developer
    • Java
    • Other
  • Other
• Goals:
  • General understanding
  • Advice related to security in a web application
  • Drill into some unobvious specifics
• Questions?
What’s the big deal?
We have some challenges …
• Technology is more susceptible and more complicated
  • unwanted system access
  • localized damage
  • global damage
  • how do decision makers respond to pain? ~~ rational thinking
• Data (and Process) Ownership Trends
  • Silos → Sharing
• Terminology confusion ~~ talk about the same thing: Einstein quote
• Organizations: Products AND Services
• Potential huge costs, time and $$$$
• Educate and then ask, “Are you sure?”
Legal stuff …
• Legal questions can delay a project
  • submit questions as early as possible
  • get feedback as early as possible
  • legal requirements are hard and fast – know them early to avoid expensive rework
LEAN … Agile … Manage … Did someone say something about Security?
Web Application Architecture
Step 1
• www.TeenagerExpenses.mb.ca
• Ask the Domain Name Server to provide a machine-readable address, called an Internet Protocol (IP) address
Step 3
• Reverse Proxy (Oracle’s WebCache)
  • Guard at the door into the architecture
  • In the middle of the DMZ sandwich
• Robust solutions include:
  • Caching of static “public” content (picture files, JavaScript)
  • Load balancing
  • Decryption of HTTPS requests … more on that later
Step 4
• The Web Application Server is the brains with all the business logic; it knows what to do with the HTTP GET request
Step 5
• The server first needs a list of teenagers, so it gets it from the server responsible for persisting information
Step 6
• Teenager result set:
  • Raelene
  • Jenna
Step 7
• Let’s send an HTTP response of HTML:
<Label>Teenager Name:</Label>
<SelectionBox> <Selection>Raelene</Selection>
<Selection>Jenna</Selection> …
Step 8
Step 9
Web Application Architecture
Audit Columns
• Every table in the database includes the following columns:
  • A_CREATED_BY
  • A_CREATED_TIMESTAMP
  • A_MODIFIED_BY
  • A_MODIFIED_TIMESTAMP
• Know the effects of the Sarbanes-Oxley Act
• Create a companion history table for every table in the database. It will be a complete history of “snapshots”. These tables have the exact same columns plus a timestamp column. (Data is almost free!)
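To make the audit-column and snapshot-history idea concrete, here is an added example; it is not code from the deck or from Oracle. SQLite, which ships with Python, stands in for the Oracle database, and everything except the four A_ audit column names (the EXPENSE table, the EXPENSE_HISTORY table, its H_SNAPSHOT_TIMESTAMP column and the trigger names) is an assumption made for the example:

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema for this example (not the deck's DDL). The business table
# carries the four audit columns the deck names; the companion EXPENSE_HISTORY
# table repeats the same columns plus one snapshot timestamp. Table, trigger
# and H_SNAPSHOT_TIMESTAMP names are assumptions; SQLite replaces Oracle here.
SCHEMA = """
CREATE TABLE EXPENSE (
    EXPENSE_ID           INTEGER PRIMARY KEY,
    TEENAGER_ID          INTEGER NOT NULL,
    DETAILS              TEXT,
    AMOUNT               REAL,
    A_CREATED_BY         TEXT NOT NULL,
    A_CREATED_TIMESTAMP  TEXT NOT NULL,
    A_MODIFIED_BY        TEXT NOT NULL,
    A_MODIFIED_TIMESTAMP TEXT NOT NULL
);
CREATE TABLE EXPENSE_HISTORY (
    EXPENSE_ID INTEGER, TEENAGER_ID INTEGER, DETAILS TEXT, AMOUNT REAL,
    A_CREATED_BY TEXT, A_CREATED_TIMESTAMP TEXT,
    A_MODIFIED_BY TEXT, A_MODIFIED_TIMESTAMP TEXT,
    H_SNAPSHOT_TIMESTAMP TEXT NOT NULL
);
-- Snapshot every version of every row. The triggers fire no matter which
-- application or DBA session wrote the row, so the history cannot be skipped.
CREATE TRIGGER EXPENSE_HIST_INS AFTER INSERT ON EXPENSE BEGIN
    INSERT INTO EXPENSE_HISTORY
    SELECT NEW.EXPENSE_ID, NEW.TEENAGER_ID, NEW.DETAILS, NEW.AMOUNT,
           NEW.A_CREATED_BY, NEW.A_CREATED_TIMESTAMP,
           NEW.A_MODIFIED_BY, NEW.A_MODIFIED_TIMESTAMP,
           strftime('%Y-%m-%dT%H:%M:%fZ', 'now');
END;
CREATE TRIGGER EXPENSE_HIST_UPD AFTER UPDATE ON EXPENSE BEGIN
    INSERT INTO EXPENSE_HISTORY
    SELECT NEW.EXPENSE_ID, NEW.TEENAGER_ID, NEW.DETAILS, NEW.AMOUNT,
           NEW.A_CREATED_BY, NEW.A_CREATED_TIMESTAMP,
           NEW.A_MODIFIED_BY, NEW.A_MODIFIED_TIMESTAMP,
           strftime('%Y-%m-%dT%H:%M:%fZ', 'now');
END;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def insert_expense(conn, user, teenager_id, details, amount):
    """Application-side stamping: on INSERT, creator and modifier are the same."""
    ts = _now()
    cur = conn.execute(
        "INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, A_CREATED_BY,"
        " A_CREATED_TIMESTAMP, A_MODIFIED_BY, A_MODIFIED_TIMESTAMP)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (teenager_id, details, amount, user, ts, user, ts))
    conn.commit()
    return cur.lastrowid


def update_amount(conn, user, expense_id, amount):
    """Only the MODIFIED pair moves; the CREATED pair is never rewritten."""
    conn.execute(
        "UPDATE EXPENSE SET AMOUNT = ?, A_MODIFIED_BY = ?, A_MODIFIED_TIMESTAMP = ?"
        " WHERE EXPENSE_ID = ?",
        (amount, user, _now(), expense_id))
    conn.commit()


def current_row(conn, expense_id):
    """(created_by, modified_by, amount) as the live table shows it now."""
    return conn.execute(
        "SELECT A_CREATED_BY, A_MODIFIED_BY, AMOUNT FROM EXPENSE WHERE EXPENSE_ID = ?",
        (expense_id,)).fetchone()


def history(conn, expense_id):
    """Every snapshot of the row, oldest first: [(modified_by, amount), ...]."""
    return conn.execute(
        "SELECT A_MODIFIED_BY, AMOUNT FROM EXPENSE_HISTORY"
        " WHERE EXPENSE_ID = ? ORDER BY rowid",
        (expense_id,)).fetchall()


def demo():
    """Raelene records an expense, a parent corrects it; both versions survive."""
    conn = open_db()
    eid = insert_expense(conn, "raelene", 1, "Cell", 45.00)
    update_amount(conn, "parent", eid, 40.00)
    return current_row(conn, eid), history(conn, eid)


if __name__ == "__main__":
    print(demo())
```

The application stamps the A_ columns because it knows who is logged in; where the database session itself carries the end user (see the proxy connections under Database Connections later in the deck), a trigger can take the user from the session instead. Whichever way the columns are filled, grant application roles INSERT on the history table but not UPDATE or DELETE, so a snapshot cannot be rewritten after the fact.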
Web Application Architecture
We are now going to concentrate on the database. We will talk about:
• Virtual Private Databases
• Oracle Label Security
Database Tables
TEENAGER
  TEENAGER_ID  TEENAGER_NAME
  1            Raelene
  2            Jenna
EXPENSE
  TEENAGER_ID  DETAILS     AMOUNT  DATE
  1            Cell        45.00   Oct 1
  1            Gum         1.35    Oct 6
  2            Help Haiti  4.00    Oct 8
Raelene is allowed to see this … (TEENAGER and EXPENSE tables as above)
Jenna is allowed to see this … (TEENAGER and EXPENSE tables as above)
A VPD
• A Virtual Private Database (VPD) restricts access on horizontal slices (rows)
• Oracle Label Security is an implementation of a VPD
• Label Security allows you to create a policy on the TEENAGER_ID
Who can view/edit what data?
(Diagram: label 100 = TEENAGER_ID 1 (Raelene); label 200 = TEENAGER_ID 2 (Jenna); Parents have God-like access to both)
Database Tables with Label Security column added …
TEENAGER
  TEENAGER_ID  TEENAGER_NAME
  1            Raelene
  2            Jenna
EXPENSE
  TEENAGER_ID  DETAILS     AMOUNT  DATE    LS_TEENAGER
  1            Cell        45.00   Oct 1   100
  1            Gum         1.35    Oct 6   100
  2            Help Haiti  4.00    Oct 8   200
Jenna will get a different answer than Raelene and the Parents!
SELECT sum(amount)
FROM EXPENSE
… which is executed as:
SELECT sum(amount)
FROM EXPENSE
WHERE LS_TEENAGER IN (100)
Parents type in …
SELECT sum(amount)
FROM EXPENSE
… and this is what happens under the covers:
SELECT sum(amount)
FROM EXPENSE
WHERE LS_TEENAGER IN (100, 200)
DBMS Triggers are used for INSERTs and UPDATEs
INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, DATE)
VALUES (2, 'Book Fine', 1.00, 'Oct 16')
EXPENSE
  TEENAGER_ID  DETAILS     AMOUNT  DATE    LS_TEENAGER
  1            Cell        45.00   Oct 1   100
  1            Gum         1.35    Oct 6   100
  2            Help Haiti  4.00    Oct 8   200
  2            Book Fine   1.00    Oct 16  200 (calculated by DBMS trigger)
Oracle Label Security auto-generated a DBMS Trigger on the EXPENSE table. The trigger calculates 200 based on TEENAGER_ID; the INSERT itself does not supply LS_TEENAGER.
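Added example, not the deck's or Oracle's code, that plays through the slides above end to end: the query the user types, the label predicate the policy adds under the covers, and the trigger that stamps LS_TEENAGER on INSERT. SQLite stands in for Oracle; the USER_LABELS mapping, the TEENAGER_ID * 100 label rule and the inline-view rewrite in apply_policy are assumptions chosen to reproduce the deck's numbers, not how Oracle Label Security is implemented:

```python
import re
import sqlite3

# Constructed tables mirroring the deck's TEENAGER / EXPENSE example, with the
# LS_TEENAGER label column. The label rule (TEENAGER_ID * 100) is an assumption
# chosen to reproduce the deck's 100 / 200 values; the triggers stand in for the
# one Oracle Label Security generates. SQLite replaces Oracle so this runs offline.
SCHEMA = """
CREATE TABLE TEENAGER (TEENAGER_ID INTEGER PRIMARY KEY, TEENAGER_NAME TEXT);
CREATE TABLE EXPENSE (
    TEENAGER_ID INTEGER NOT NULL REFERENCES TEENAGER(TEENAGER_ID),
    DETAILS     TEXT,
    AMOUNT      REAL,
    "DATE"      TEXT,
    LS_TEENAGER INTEGER
);
-- The label is derived from TEENAGER_ID on INSERT and on UPDATE of TEENAGER_ID,
-- so a client cannot pick a label that widens who may read the row.
CREATE TRIGGER EXPENSE_LABEL_INS AFTER INSERT ON EXPENSE BEGIN
    UPDATE EXPENSE SET LS_TEENAGER = NEW.TEENAGER_ID * 100 WHERE rowid = NEW.rowid;
END;
CREATE TRIGGER EXPENSE_LABEL_UPD AFTER UPDATE OF TEENAGER_ID ON EXPENSE BEGIN
    UPDATE EXPENSE SET LS_TEENAGER = NEW.TEENAGER_ID * 100 WHERE rowid = NEW.rowid;
END;
INSERT INTO TEENAGER VALUES (1, 'Raelene'), (2, 'Jenna');
INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, "DATE") VALUES
    (1, 'Cell', 45.00, 'Oct 1'),
    (1, 'Gum', 1.35, 'Oct 6'),
    (2, 'Help Haiti', 4.00, 'Oct 8');
"""

# Labels each session may read (constructed to match the deck's diagram).
USER_LABELS = {"raelene": (100,), "jenna": (200,), "parent": (100, 200)}


def apply_policy(sql, user):
    """Mimic what VPD does under the covers: every reference to EXPENSE is
    replaced by an inline view carrying the session's label predicate."""
    labels = tuple(USER_LABELS.get(user, ()))
    if labels:
        predicate = "LS_TEENAGER IN (%s)" % ", ".join("?" * len(labels))
    else:
        predicate = "1 = 0"  # unknown session: no labels, so no rows
    guarded = f"(SELECT * FROM EXPENSE WHERE {predicate}) EXPENSE"
    rewritten, n = re.subn(r"\bFROM\s+EXPENSE\b", "FROM " + guarded, sql,
                           flags=re.IGNORECASE)
    if n == 0:
        raise ValueError("policy only covers queries that read EXPENSE")
    return rewritten, labels * n


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def sum_expenses(conn, user):
    """The deck's query exactly as typed; the policy supplies the WHERE clause."""
    sql, params = apply_policy("SELECT sum(amount) FROM EXPENSE", user)
    total = conn.execute(sql, params).fetchone()[0]
    return None if total is None else round(total, 2)


def book_fine(conn):
    """The deck's INSERT: LS_TEENAGER is not supplied, the trigger computes it."""
    conn.execute(
        'INSERT INTO EXPENSE (TEENAGER_ID, DETAILS, AMOUNT, "DATE") VALUES (?, ?, ?, ?)',
        (2, "Book Fine", 1.00, "Oct 16"))
    return conn.execute(
        "SELECT LS_TEENAGER FROM EXPENSE WHERE DETAILS = 'Book Fine'").fetchone()[0]


def demo():
    """Totals per session before and after the Book Fine row is inserted."""
    conn = open_db()
    before = {u: sum_expenses(conn, u) for u in ("raelene", "jenna", "parent", "stranger")}
    label = book_fine(conn)
    after = {u: sum_expenses(conn, u) for u in ("jenna", "parent")}
    return before, label, after


if __name__ == "__main__":
    print(demo())
```

Two points the deck makes show up directly: the same SELECT returns 46.35 to Raelene, 4.00 to Jenna and 50.35 to the Parents, and the new row lands with label 200 without the client ever naming a label. A session with no labels gets an empty result rather than an error, which is the safe default for a policy that is enforced below the application.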
Label Security can have up to 3 groupings
(Diagram elements: TEENAGER_ID = 1 (100), TEENAGER_ID = 2 (200), EXPENSE_TYPE = 8 (8,000), 770,000; groups shown: Grandparents, Teenagers, Younger Siblings)
Take a break …
• A story about University …
Web Application Architecture
LDAP
Oracle OAM & OID
• LDAP = Lightweight Directory Access Protocol
• Oracle Internet Directory (OID) is an implementation of directory services, LDAPv3
• Oracle Access Manager (OAM) enforces policies and works with OID
• Watch out for your firewall settings – timeouts
• Active Directory can “connect”
• DIP (Directory Integration Platform) transfers names and passwords
Oracle LDAP Components
All the “green” servers support the LDAP responsibilities. Oracle Access Manager (OAM) is the main interface into the outside world. However, the “purple” Oracle Database has some direct connections with Oracle’s LDAP (OID), probably for performance reasons. In theory, the dashed lines below were not really necessary.
The two columns of “green” servers indicate that they can be clustered, and the set of servers can be in different locations.
Web Application Architecture
How does the LDAP interact with the Web Application Server?
Oracle LDAP Interfaces
Web Application Architecture
Simplified Web Application Architecture
• HTTP Server – Oracle’s MOD_OC4J
• Web Application Container – Oracle’s OC4J … and soon WebLogic
Web Server interactions with LDAP
The “Happy Path” …
The Browser makes an HTTP request, via interaction #1. The HTTP Server looks at this request and asks the LDAP Access services if this request is allowed to proceed. This is done via interaction #2. If the answer is positive, it passes on the request to the destination, via interaction #3.
Web Server interactions with LDAP
The “Happy Path” continued …
In this “Happy Path” scenario the user has already authenticated (i.e. logged in).
Oracle can place authentication data in “HTTP Headers” and/or in some “cookies”. It gives information about the User ID, expiry time, etc. [Refer to interactions #1 & #3]
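What the receiving side has to check before trusting such a header or cookie, as an added example (not the deck's or Oracle's code, and not Oracle's cookie format): a constructed token carrying the user id and an absolute expiry, signed with an HMAC key that the issuing and verifying components are assumed to share.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed token layout for this example: base64url(JSON claims) "." base64url(HMAC-SHA256).
# It is not Oracle's cookie or header format; only the idea (user id plus an expiry
# that the receiver must check) follows the deck. KEY is assumed to be shared
# between the component that issues the token and the one that verifies it.
KEY = b"constructed-example-key-do-not-reuse"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(user_id, ttl_seconds, now=None):
    """Create the header/cookie value carrying the user id and an absolute expiry."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"uid": user_id, "exp": now + ttl_seconds},
                        separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(KEY, claims, hashlib.sha256).digest()
    return _b64e(claims) + "." + _b64e(mac)


def verify(token, now=None):
    """Return (ok, reason, claims). Integrity is checked before the expiry,
    so a rewritten 'exp' can never influence the outcome."""
    now = int(time.time()) if now is None else now
    try:
        claims_b64, mac_b64 = token.split(".")
        claims_raw, mac = _b64d(claims_b64), _b64d(mac_b64)
    except (ValueError, TypeError):
        return False, "malformed", None
    expected = hmac.new(KEY, claims_raw, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad-signature", None
    claims = json.loads(claims_raw)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired", None
    return True, "ok", claims


def demo():
    """Issue one token and show how each failure mode is reported."""
    t0 = 1_700_000_000
    token = issue("raelene", 3600, now=t0)
    _, mac_b64 = token.split(".")
    # Same MAC, different claims: what a client-side edit of the user id looks like.
    edited = _b64e(b'{"exp":1700003600,"uid":"jenna"}') + "." + mac_b64
    return {
        "fresh":   verify(token, now=t0 + 60)[1],
        "expired": verify(token, now=t0 + 3600)[1],
        "edited":  verify(edited, now=t0 + 60)[1],
        "garbage": verify("not.a.token", now=t0 + 60)[1],
    }


if __name__ == "__main__":
    print(demo())
```

The container should accept such a header only when the request arrives from the HTTP Server that set it (interaction #3), never straight from a browser; the signature and expiry check cover the cases where that network boundary cannot be guaranteed or where a stale value is replayed.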
Web Server interactions with LDAP
The “Happy Path” continued …
The authorization rules are enforced in two different places:
• Interaction #2 – Can protect basic requests, such as URL requests that start with www.TeenagerExpenses.mb.ca/expenses
• Interaction #4 – Using LDAP queries, it can look up more fine-grained permissions, such as www.TeenagerExpenses.mb.ca/expenses/expense_details.jsp
Authorization and Role-based Security
Web Server interactions with LDAP
The “Happy Path” continued …
The authorization rules are enforced in two different places:
• Interaction #2 – Basic requests, based on OAM policies
• Interaction #4 – Fine-grained, based on LDAP queries / role-based security
Decide which interaction is responsible for what, early in the project!
Authorization and Role-based Security
User – Role – Feature
• Can be tricky. You can’t control the number of users, but you can control the number of Roles and Features.
• Roles – Configure Roles and role names to match the actual physical business processes – people need to understand them. Be ready to refactor!
Authorization and Role-based Security
• Features – Pick the number of features wisely; keep them to a minimum and understandable.
• Ask questions! Find out what the real requirement is. “Are you sure?” “Can this one feature represent both the search and the detail page?” “How easy is it to test?”
(Spectrum: fine-grained control is complicated; coarse-grained control is simple)
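As an added example (not code from the deck, from OAM or from OID), here is the two-level check reduced to plain Python: a coarse URL-prefix policy standing in for interaction #2, and a User – Role – Feature lookup standing in for the LDAP queries of interaction #4. The policy data, role names, feature names and page paths are constructed for the deck's TeenagerExpenses application; the real ones would live in OAM and the directory.

```python
# Interaction #2 (coarse, OAM-style): rules keyed on URL prefix.
# Interaction #4 (fine-grained, LDAP/role based): User -> Role -> Feature.
# All rule data below is constructed for the example, not taken from the deck.

# Coarse policy: which URL prefixes need a logged-in user at all.
COARSE_POLICY = [
    ("/public",   "anonymous"),      # cached static content, anyone may fetch
    ("/expenses", "authenticated"),  # everything under the business application
]

# Fine-grained: a few understandable features, each covering some pages.
FEATURES = {
    "expense.view": ("/expenses/expense_search.jsp", "/expenses/expense_details.jsp"),
    "expense.edit": ("/expenses/expense_edit.jsp",),
}
# Roles are named after the real business roles; features hang off roles, not users.
ROLE_FEATURES = {
    "teenager": {"expense.view"},
    "parent":   {"expense.view", "expense.edit"},
}
# In the deck this comes back from LDAP queries (interaction #4); constructed here.
USER_ROLES = {"raelene": {"teenager"}, "jenna": {"teenager"}, "mom": {"parent"}}


def _covers(prefix, path):
    """True when path equals prefix or sits beneath it as a directory."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def coarse_decision(path):
    """Interaction #2: 'anonymous', 'authenticated', or None when no rule covers the path."""
    for prefix, requirement in COARSE_POLICY:
        if _covers(prefix, path):
            return requirement
    return None


def user_features(user):
    """Interaction #4: User -> Roles -> Features, as a set of feature names."""
    feats = set()
    for role in USER_ROLES.get(user, ()):
        feats |= ROLE_FEATURES.get(role, set())
    return feats


def feature_for(path):
    """Which single feature a page belongs to, or None if it is not mapped."""
    for feature, pages in FEATURES.items():
        if any(_covers(p, path) for p in pages):
            return feature
    return None


def authorize(user, path):
    """Returns 'allow', 'login' (send to the SSO helper's login page),
    'not-authorized' (its not-authorized page) or 'deny' (nothing configured)."""
    requirement = coarse_decision(path)
    if requirement is None:
        return "deny"                  # no rule at all: default deny, never default allow
    if requirement == "anonymous":
        return "allow"
    if user is None:
        return "login"                 # the "unhappy path": not logged in yet
    feature = feature_for(path)
    if feature is None or feature not in user_features(user):
        return "not-authorized"
    return "allow"


if __name__ == "__main__":
    for who, page in [(None, "/expenses/expense_details.jsp"),
                      ("raelene", "/expenses/expense_edit.jsp"),
                      ("mom", "/expenses/expense_edit.jsp")]:
        print(who, page, "->", authorize(who, page))
```

The split mirrors the deck's advice: the coarse layer answers only "must this user be logged in?", which is cheap and rarely changes, while the feature layer is the one you keep small and refactor as the business roles change. A page that nobody has mapped to a feature is refused rather than allowed, so adding a new JSP forces a decision about which feature owns it.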
Web Server interactions with LDAP
The “Unhappy Path” …
The “unhappy” path is one where the user has not logged in yet. The Web Application Container can have two applications:
• The OAM Single Sign-On (SSO) “helper” application, which includes these pages: login, logout, and not authorized
• The business application, such as the “expenses” test application
Web Server interactions with LDAP
Log out …
Your web applications will point to a logout page in the SSO application. It can (or should) invalidate the web applications under its protection.
Web Application Architecture
The Report Server
Oracle BI Publisher Report Server
• It has its own built-in security that doesn’t work directly with OAM – Read up on how to integrate them.
Web Application Architecture
Database connections
Database Connections
• Perform adequate performance tests on these interactions
• Because we implemented a VPD at a low level, we want to ensure that the end user is restricted from the bottom up, and that means connecting to the database as that user.
  • Experience: It can take up to 5 seconds to “stamp” a user onto a proxy connection. The solution is to make a connection pool for each user.
  • Experience: The setup and use of Label Security is expensive
• Alternatives??
(If we have time …)
1. Creating a log of access – find out if one is needed early in the project
2. Web Analytics – find out if test users are needed in production, and what that means
3. Security on Web Services & Services (SOA) – again, find out if this extra layer needs its own gatekeeper of security
4. The need for Backend Reports with BI Publisher
5. Data Encryption in the Database
Web Application Security
Using Oracle products as an example
By: Jonathan Wagner, October 2011