Java Application Security Integration
WAS CLASS
Agenda
• Introduction
• Challenges
• Technology Overview
• Examples of Use
  • solving problems
  • integration
• Conclusion
What is Security?
"Freedom from risk or danger; safety." (source: dictionary.com)
Core Pillars
• Authentication
• Authorization
• Integrity
• Confidentiality
• Non-repudiation
Disciplines
• Threat Assessment
• Policy Definition
• Administration
• Intrusion Detection
• Optimization/Vulnerability Assessment
Application security builds on infrastructure security
Authentication Challenges
Multiple Realms
• Different technologies: OS, directory, database, AAA, file, legacy…
• Multiple instances: internally and cross-organization (trust)
Single sign-on / reduced sign-on
Strong authentication
• PKI: how to do key management?
• Multi-factor?
Delegation
Authorization Challenges
Defining roles & permissions
• Mapping & specializing
Functional authorization
• For resource, service, component, class & method
Data-driven authorization
• For instance-level & field-level
UI: showing only what is authorized
• Fields, commands (buttons)
Consistent enforcement
Additional Challenges
Non-Repudiation
• Tracking audit trails
• Digital signatures?
Confidentiality
• Field-level encryption
• At-rest encryption (preferably infrastructure!)
Integrity
• Digital signatures
Application Security Architecture
[Diagram: tiers from the outside in: Perimeter, Interaction Tier, Application Tier, Resource Tier; actors: end-user, service, operations.]
Security Technologies
The Java platform
• JAAS
Application servers
Security products
Fine-grained security
• Aspect-Oriented Programming
• Filters and Proxies
Web services
Application Security Domains
[Diagram: domains (Edge, UI, Domain, Data) against concerns (Identify, Protect, Manage), with the technologies placed on the grid: Security Servers (AAA), Web Services, SSL/PKI, Fine-grained Security (AOP…), Application Servers, JAAS, Database.]
Java Security
Secure platform since inception
• sandbox supports untrusted code
• no pointers, bounds checking, GC
JCA, JCE
• cryptography, certificates, keys
JAAS
• pluggable authentication
• AccessController authorizes access
J2SE 1.4 moves JAAS capabilities into the core platform
JAAS Authentication
Source: Sun Microsystems
JAAS Authorization
Source: Sun Microsystems
J2EE Security
Declarative
• Role names and mapping
• Web resource constraints
• EJB component and method constraints
Programmatic
• Principal (name)
• Role membership
Application Server Integration
Until now
• Container-specific realms for authentication
• Container-specific policy for authorization
• JAAS not integrated
J2EE 1.4 will standardize with JAAS
• Java Authorization Contract for Containers
• Java Authentication Service Provider Interface for Containers
J2EE 1.4 Security Architecture
Source: Sun Microsystems
AAA products
E.g., Netegrity, RSA, Oblix, Tivoli, Oracle…
[Diagram: the AAA product's admin console and PDP (identity, access) serving PEPs placed at the Perimeter, Interaction Tier, Application Tier and Resource Tier; actors: end-user, service, operations.]
Security Integration Framework Example
WebLogic Security Framework 8.1, Quadrasis
Source: BEA
Web Services Security
Source: Sun Microsystems
Aspect-Oriented Programming (AOP)
Auxiliary concerns are scattered and tangled
• Security: authorization, identity management, audit trail
• Business rules
• Error handling
So AOP uses aspects to provide:
• modular support for crosscutting concerns
• language and tool integration
Evolutionary step for software development
• structured, objects, components, aspects
AOP turns this... into this [diagram]
Filters & Proxies
Special-case support for crosscutting
Servlet Filters
• Allow all/certain servlet requests to enforce policy
• Authentication (JAAS, single sign-on…)
• Authorization (set up doAsSubject…)
Dynamic Proxies
• Allow wrapping interfaces
• Can separate data-driven authorization
• Still scatters policy implementation
Functional Authorization Example
Add bug use case
• Forces authentication
• Projects in groups with corresponding roles
• Functional authorization: check bug entry role
• UI Filtering: only employees can edit status
Traditional Web Container Security
[Sequence diagram. Participants: browser, editBug.jsp, webContainer, realm, dataSource (LDAP, dbms, OS...). Messages: request add bug; isConstrained; redirect to authentication; submit authentication; authenticate and getRoles (realm against dataSource); isUserInRole; forward; service; add page response.]
Web Deployment Descriptor
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/aTrack/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>internal</role-name>
    </auth-constraint>
  </security-constraint>
  …
Web Deployment Descriptor…
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>aTrack</realm-name>
    <form-login-config>
      <form-login-page>/aTrack/protected/login.jsp</form-login-page>
      <form-error-page>/aTrack/protected/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>internal</role-name>
  </security-role>
Tomcat 4.x JDBC Realm Setup
  <Server className="org.apache.catalina.core.StandardServer" debug="0" port="8005" shutdown="SHUTDOWN">
  …
  <!-- the & in the connection URL must be written as &amp; inside an XML attribute -->
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost/authority?user=dbuser&amp;password=dbpass"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
  …
UI Filtering
  …
  <% if (SecurityUtils.getRoles(getUser()).contains("internal")) { %>
    <html:list property="status">
  <% } else { %>
    <html:label property="status">
  <% } %>
Security Server Implementation
[Sequence diagram. Participants: browser, editBug.jsp, PEP (plugin/proxy), webContainer, realm, PDP, dataSource (LDAP, dbms, OS...). Messages: request editBug; isRestricted; redirect to authentication; submit authentication; authenticate; getRoles; isUserInRole; redirect to bug page; editBugPage; forward; edit bug page.]
JAAS Authentication in Web Container
[Sequence diagram. Participants: browser, httpSession, webContainer, authFilter, authServlet, loginContext, loginModule, dataSource (LDAP, dbms, OS...). Messages: request add bug; shouldFilter; doFilter; redirect to authentication; submit authentication; login (authServlet to loginContext to loginModule); authenticate (loginModule against dataSource); commit; getPrincipals; setAttribute and getAttribute on httpSession; redirect to add bug page.]
JAAS Authorization in Web Container
[Sequence diagram. Participants: browser, editBug.jsp, webContainer, authFilter, httpSession, subject, privExcAction, accessController, filterChain. Messages: request add bug; shouldFilter; doFilter; getAttribute (subject from httpSession); new privExcAction; doAsPrivileged; run; doFilter on filterChain; service; getPrincipals; checkPermission; add page response.]
Servlet Filter to Set Up JAAS
  // imports: javax.servlet.*, javax.servlet.http.*, javax.security.auth.Subject,
  //          java.security.PrivilegedExceptionAction, java.security.PrivilegedActionException
  public class AccessFilter implements Filter {
      static final String SUBJECT_ID = "atrack.subject";            // session key for the authenticated Subject
      static final String LOGIN_PAGE = "/aTrack/protected/login.jsp";  // form-login page from web.xml

      public void doFilter(final ServletRequest request, final ServletResponse response,
                           final FilterChain chain) throws IOException, ServletException {
          HttpSession session = ((HttpServletRequest) request).getSession();
          Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
          if (subject == null) {          // redirect to force authentication
              ((HttpServletResponse) response).sendRedirect(LOGIN_PAGE);
              return;
          }
          try {
              // run the rest of the chain as the Subject, so checkPermission sees its principals
              Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
                  public Object run() throws Exception {
                      chain.doFilter(request, response);
                      return null;
                  }
              }, null);
          } catch (PrivilegedActionException e) {
              throw new ServletException(e.getException());
          }
      }
      public void init(FilterConfig config) {}
      public void destroy() {}
  }
JAAS Authorization
  public class AddBugAction extends Action {
      public ActionForward execute(ActionMapping mapping, ActionForm form,
                                   HttpServletRequest request, HttpServletResponse response)
              throws Exception {
          // does the user have permission to enter bugs?
          // throws AccessControlException unless the policy grants it to the current Subject
          AccessController.checkPermission(new AtrackPermission("bugEntry"));
          …
      }
  }
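As an added example (not code from the slides), the permission class and role principal that the checkPermission call above depends on, with the policy grant that ties a realm role to the permission; AtrackPermission and RolePrincipal are assumed class names, the FunctionalAuthz helper is assumed, and the whole thing relies on the legacy java.security.Policy machinery (present through JDK 17, permanently disabled by JEP 486 in JDK 24):

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

/** Application permission such as "bugEntry"; BasicPermission supplies name-based implies(). */
public final class AtrackPermission extends BasicPermission {
    public AtrackPermission(String name) { super(name); }
}

/** Role principal the LoginModule adds to the Subject for each realm role (assumed class). */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "RolePrincipal: " + name; }
}

/** Functional authorization check run under the authenticated Subject (assumed helper). */
final class FunctionalAuthz {
    /*
     * Policy entry the check depends on (java.policy or -Djava.security.policy=...; no package here):
     *   grant principal RolePrincipal "internal" {
     *       permission AtrackPermission "bugEntry";
     *   };
     * The entry has no codebase, so any code running as a Subject carrying RolePrincipal "internal" passes.
     */
    static boolean isAllowed(Subject subject, String permissionName) {
        final AtrackPermission perm = new AtrackPermission(permissionName);
        // null context: the decision rests on the Subject's principals and this code's
        // ProtectionDomain only, the same call shape the servlet filter uses
        return Subject.doAsPrivileged(subject, (PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(perm);
                return Boolean.TRUE;
            } catch (AccessControlException denied) {
                // record the attempted security violation in the audit trail here
                return Boolean.FALSE;
            }
        }, null);
    }
}
```

A Subject built as `new Subject(false, Set.of(new RolePrincipal("internal")), Set.of(), Set.of())` passes `isAllowed(subject, "bugEntry")` under that grant, while one carrying only other roles is refused.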
UI Filtering
  …
  <% if (getUserPrincipals().contains("internal")) { %>
    <html:list property="status">
  <% } else { %>
    <html:label property="status">
  <% } %>
  …
AspectJ JAAS Authentication
  public aspect RoleBasedAccess {
      // entry points (doGet, doPost, ...) of servlets marked SensitiveServlet
      private pointcut request(HttpServletRequest request, HttpServletResponse response) :
          execution(* HttpServlet.do*(..)) && this(SensitiveServlet) && args(request, response);

      // model operations that need a permission check
      private pointcut sensitiveOperations() :
          execution(* atrack.model.sensitive.*.*(..));

AspectJ JAAS Authentication…
      // SUBJECT_ID: session key for the Subject; LOGIN_PAGE: the form-login page from web.xml
      // wrap each sensitive request so that it runs as the authenticated Subject
      void around(final HttpServletRequest request, final HttpServletResponse response)
              throws ServletException, IOException : request(request, response) {
          HttpSession session = request.getSession();
          Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
          if (subject == null) {          // redirect to force authentication
              response.sendRedirect(LOGIN_PAGE);
              return;
          }
          try {
              Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
                  public Object run() throws Exception {
                      proceed(request, response);
                      return null;
                  }
              }, null);
          } catch (PrivilegedActionException e) {
              throw new ServletException(e.getException());
          }
      }
      …

AspectJ JAAS Authorization…
      // functional authorization: map the called method to a permission and check it
      before() : sensitiveOperations() {
          Permission permission = getPermission(thisJoinPoint.getSignature().getName());
          AccessController.checkPermission(permission);
      }

      private Permission getPermission(String methodName) {
          // config or database lookup; placeholder until it exists: a permission named after the method
          return new AtrackPermission(methodName);
      }
  }
Data-Driven Authorization Example
Edit employee data
• Data-driven: employee, manager (transitively) and HR admin role
• UI Filtering: invisible, visible, editable
Possible extension
• Trust delegation: check in domain tier on commit
Data-Driven Authorization EJB security
[Collaboration diagram. Objects: ejb, ejbHelper, employee :Employee, ejbContext, auditTrail, securityException. Messages: 1: doOperation; 1.1: getSalary; 1.1.1: getPrincipal; 1.1.2: getEmployee; 1.1.3: reportsTo; 1.1.4: record() (on auditTrail); 1.1.5: new securityException; 1.1.6: throws.]
EJB Implementation
  public class Employee {
      …
      public int getSSN(EJBContext securityContext) {
          // javax.ejb.EJBContext exposes the caller as getCallerPrincipal()
          Principal p = securityContext.getCallerPrincipal();
          Employee caller = Employee.getEmployee(p);
          if (caller == null || !this.reportsTo(caller)) {
              // record attempted security violation
              throw new AuthorizationException("…");
          }
          // and log data access to audit trail
          return ssn;
      }
      public double getSalary(EJBContext securityContext) {
          Principal p = securityContext.getCallerPrincipal();
          …
      }
  }
Propagating Context
  public class ServiceEjb {
      public int getEmployeeDetails() {
          …
          // hand the bean's EJBContext down so the domain object can identify the caller
          employees.getRows(getContext());
      }
      …
  }
  public class Employees {
      …
      public int getRows(EJBContext securityContext) {
          …
          employee.getSSN(securityContext);
          …
      }
  }
JAAS Implementation
  public class Employee {
      public int getSSN(Subject subject) {
          // the Subject carries the caller's own Employee record as a Principal
          Set<Employee> callers = subject.getPrincipals(Employee.class);
          boolean ok = false;
          for (Iterator<Employee> it = callers.iterator(); it.hasNext();) {
              Employee caller = it.next();
              if (this.reportsTo(caller)) ok = true;
          }
          if (!ok) {
              // record attempted security violation
              throw new AuthorizationException("…");
          }
          // and log data access to audit trail
          return ssn;
      }
      public double getSalary(Subject subject) {
          Set<Employee> callers = subject.getPrincipals(Employee.class);
          …
      }
  }
JAAS Set Up
  public class Service {
      public int getEmployeeDetails() throws Exception {
          final Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
          if (subject == null) {
              // forward to force authentication
              …
          }
          try {
              Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() {
                  public Object run() throws Exception {
                      … employees.getRows(subject); …
                      return null;
                  }
              }, null);
          } catch (PrivilegedActionException e) {
              throw e.getException();
          }
      }
      …
  }
Proxy Set Up
  public class EmployeeFactory {
      public Employee getEmployee(int key, EJBContext context) {
          // Employee must be an interface for java.lang.reflect.Proxy; load(key) (not shown)
          // fetches the real object that the handler guards on the caller's behalf
          InvocationHandler handler = new EmployeeInvocationHandler(load(key), context);
          return (Employee) Proxy.newProxyInstance(
              Employee.class.getClassLoader(), new Class[] { Employee.class }, handler);
      }
  }
Proxy Implementation
  public class EmployeeInvocationHandler implements InvocationHandler {
      private final Employee target;      // the real object behind the proxy
      private final EJBContext context;
      public EmployeeInvocationHandler(Employee target, EJBContext context) {
          this.target = target;
          this.context = context;
      }
      public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
          if (isSensitive(method)) {
              Principal p = context.getCallerPrincipal();
              Employee caller = Employee.getEmployee(p);
              if (caller == null || !target.reportsTo(caller)) {
                  // record attempted security violation
                  throw new AuthorizationException("…");
              }
              // and log data access to audit trail
          }
          // invoke on the target, never on the proxy: that would re-enter this handler
          return method.invoke(target, args);
      }
      …
  }
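As an added example (not code from the slides), the dynamic-proxy approach carried through with the full rule from the use case: the employee's own record, any manager up the reporting chain, or the HR admin role. The Employee interface, the EmployeeImpl and RolePrincipal records, the role name "hrAdmin" and the list of sensitive method names are assumptions:

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

/** Domain interface (assumed); it extends Principal so a Subject can carry the caller's own record. */
interface Employee extends Principal {
    int getSSN();            // sensitive: guarded by the proxy
    Employee getManager();   // next step up the reporting chain, null at the top
}
/** Role added by the LoginModule (assumed); record equality lets Set.contains match by name. */
record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
/** In-memory stand-in for the real persistent object (constructed for the example). */
record EmployeeImpl(String name, int ssn, Employee manager) implements Employee {
    public String getName() { return name; }
    public int getSSN() { return ssn; }
    public Employee getManager() { return manager; }
}
/** Guards sensitive getters with the data-driven rule, then delegates to the real target. */
final class SensitiveDataHandler implements InvocationHandler {
    private static final Set<String> SENSITIVE = Set.of("getSSN", "getSalary", "getAddress");
    private final Employee target;
    private final Subject subject;
    SensitiveDataHandler(Employee target, Subject subject) { this.target = target; this.subject = subject; }

    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        if (SENSITIVE.contains(m.getName()) && !authorized()) {
            // record the attempted security violation in the audit trail here
            throw new SecurityException(m.getName() + " denied on " + target.getName());
        }
        try { return m.invoke(target, args); }   // on the target, never on proxy: that re-enters invoke()
        catch (InvocationTargetException e) { throw e.getCause(); }
    }

    /** Allowed: the employee's own record, any manager up the chain (transitively), or the HR admin role. */
    private boolean authorized() {
        if (subject.getPrincipals(RolePrincipal.class).contains(new RolePrincipal("hrAdmin"))) return true;
        for (Employee caller : subject.getPrincipals(Employee.class))
            for (Employee e = target; e != null; e = e.getManager())
                if (e.getName().equals(caller.getName())) return true;
        return false;
    }

    static Employee guard(Employee target, Subject subject) {
        return (Employee) Proxy.newProxyInstance(Employee.class.getClassLoader(),
                new Class<?>[] { Employee.class }, new SensitiveDataHandler(target, subject));
    }
}
```

With `ceo = new EmployeeImpl("ceo", 1, null)` and `dev = new EmployeeImpl("dev", 2, ceo)`, `guard(dev, subject).getSSN()` succeeds when the Subject's principals include dev, ceo or RolePrincipal "hrAdmin", and throws SecurityException for any other caller; `getManager()` is never guarded.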
Using Aspects
[Collaboration diagram: Data-Driven Authorization with the EmployeeDataAuthorization aspect labelled on the diagram. Objects: ejb, ejbHelper, employee :Employee, ejbContext, auditTrail, securityException. Messages: 1: doOperation; 1.1: getSalary; 1.1.1: getPrincipal; 1.1.2: getEmployee; 1.1.3: reportsTo; 1.1.4: record() (on auditTrail); 1.1.5: new securityException; 1.1.6: throws.]
Policy Definition Aspect
  public aspect SecurityPolicy {
      // sensitive Employee reads made anywhere within a top-level EJB call
      public pointcut securedCall(ManagedSessionBean ejb) :
          cflow(EjbPointcuts.ejbTopLevelExec(*) && this(ejb)) &&
          (call(* Employee.getSalary(..)) || call(* Employee.getSSN(..)) || call(* Employee.getAddress(..)));
  }
Data Authorization Aspect
  public aspect EmployeeDataAuthorization {
      before(ManagedSessionBean ejb, Employee employee) :
              SecurityPolicy.securedCall(ejb) && target(employee) {
          Principal p = ejb.getContext().getCallerPrincipal();
          Employee caller = Employee.getEmployee(p);
          if (caller == null || !employee.reportsTo(caller)) {
              // record attempted security violation
              throw new AuthorizationException("…");
          }
          // and log data access to audit trail
      }
  }
Security: UI Filtering Requirements
• Only authorized fields
• Only links to authorized resources
• Edit field only if authorized
• Saved same key as edited
• Within JSP, Servlet, etc.
AOP Implementation Strategy for JSP
Advice finds unauthorized field display
• catch SecurityExceptions and flag
Filter removes complete context
• We'll use a servlet filter
• Can also intercept PageContextFactory to extend PageContext to wrap the PrintWriter
Deployment options:
• precompile JSPs, then link aspects in
• configure JSP compiler to use ajc (we'll use this with Tomcat)
• the classloader (if available, e.g., WLS)
Catching Unauthorized Fields in JSP
  Object around() throws JspException :
          securityChecks() && call(* *(..) throws (Throwable || Exception || JspException)) {
      try {
          return proceed();
      } catch (JspException je) {
          // Struts stores the exception raised inside a tag under Globals.EXCEPTION_KEY
          Exception e = (Exception) pageContext.getAttribute(
              Globals.EXCEPTION_KEY, PageContext.REQUEST_SCOPE);
          if (e instanceof SecurityException) {
              handleSecurityException(e);
              return null;   // void or filtered...
          }
          throw je;
      }
  }
Aspect Uses FilteringResponse
  Object around() : securityChecks() {
      try {
          return proceed();
      } catch (SecurityException e) {
          handleSecurityException(e);
          return null;   // void or filtered...
      }
  }

  private void handleSecurityException(Exception e) {
      try {
          jspWriter.flush();   // force buffer synch
      } catch (java.io.IOException ioe) {
          throw new RuntimeException("error flushing", ioe);
      }
      // specialized Response object adds the position to a list of
      // "locations to filter"; the contents are then removed when flushing the buffer
      response.removeCurrentSection();
  }
Security Integration
Many options for each of
• Application AAA
• Data Protection
• Message Protection
Scenarios have illustrated
• Trade-offs among approaches
• Possible integration ideas
Standards are improving integration, but architecture is needed
Conclusion
Application Security is multi-faceted
• Many challenges
• Pervasive in solutions
• Additional to infrastructure security
Solutions are available
• Need for explicit policy
• Various trade-offs
• An effective architecture is critical to integrate the new technologies