Password-based authentication



Similar documents
Using jlock s Java Authentication and Authorization Service (JAAS) for Application-Level Security

JAAS Java Authentication and Authorization Services

Web Application Access Control with Java SE Security

Red Hat JBoss Enterprise Application Platform 6.4 Login Module Reference

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

A Pluggable Security Framework for Message Oriented Middleware

1.2 Using the GPG Gen key Command

Authentication Types. Password-based Authentication. Off-Line Password Guessing

European Access Point for Truck Parking Data

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

JBoss Enterprise Application Platform 6.2 Security Guide

Java E-Commerce Martin Cooke,

Lecture 9: Application of Cryptography

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Brekeke PBX Web Service

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Using ilove SharePoint Web Services Workflow Action

Project Software Security: Securing SendMail with JAAS and Polymer

Security Code Review- Identifying Web Vulnerabilities

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

RemotelyAnywhere. Security Considerations

Services. Relational. Databases & JDBC. Today. Relational. Databases SQL JDBC. Next Time. Services. Relational. Databases & JDBC. Today.

EJB 3.0 and IIOP.NET. Table of contents. Stefan Jäger / stefanjaeger@bluewin.ch

HTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity

High Security Online Backup. A Cyphertite White Paper February, Cloud-Based Backup Storage Threat Models

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications

Single sign-on for ASP.Net and SharePoint

Apache Ki (formerly JSecurity) DevNexus

VPN Client User s Guide Issue 2

Kerberos: An Authentication Service for Computer Networks by Clifford Neuman and Theodore Ts o. Presented by: Smitha Sundareswaran Chi Tsong Su

Paillier Threshold Encryption Toolbox

Configuring Secure Socket Layer (SSL)

SkyRecon Cryptographic Module (SCM)

An Introduction to Application Security in J2EE Environments

RemotelyAnywhere Getting Started Guide

Virtual Code Authentication User s Guide. June 25, 2015

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

AT&T Synaptic Storage as a Service SM Getting Started Guide

Internal Penetration Test

Firmware security features in HP Compaq business notebooks

Managed Portable Security Devices

Thick Client Application Security

kalmstrom.com Business Solutions

The Security Behind Sticky Password

10 steps to better secure your Mac laptop from physical data theft

Secure PostgreSQL Deployments

A Guide for Administrators

Virtual Code Authentication User Guide for Administrators

Securing corporate assets with two factor authentication

User Identification and Authentication Concepts

Personal Secure Certificate

Criteria for web application security check. Version

INTRODUCTION: SQL SERVER ACCESS / LOGIN ACCOUNT INFO:

Module 13 Implementing Java EE Web Services with JAX-WS

4cast Server Specification and Installation

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

J2EE Web Development. Agenda. Application servers. What is J2EE? Main component types Application Scenarios J2EE APIs and Services.

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

What is Web Security? Motivation

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

Architecture of Enterprise Applications III Single Sign-On

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Developing Applications for SSO

Enterprise SSO Manager (E-SSO-M)

QUANTIFY INSTALLATION GUIDE

Onset Computer Corporation

Project: Simulated Encrypted File System (SEFS)

First Java Programs. V. Paúl Pauca. CSC 111D Fall, Department of Computer Science Wake Forest University. Introduction to Computer Science

No no-argument constructor. No default constructor found

Research Article. Research of network payment system based on multi-factor authentication

DOMAIN CENTRAL HOSTING

System Security Fundamentals

Check Point FDE integration with Digipass Key devices

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

Software Engineering I CS524 Professor Dr. Liang Sheldon X. Liang

Brekeke PBX Version 3 Web Service Developer s Guide Brekeke Software, Inc.

Using FreePBX with Twilio Elastic SIP Trunking

Overview of Web Services API

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

CHAPTER 1 INTRODUCTION

Multi Factor Authentication API

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

FreeRADIUS Install and Configuration. Joel Jaeggli 05/04/2006

HOBCOM and HOBLink J-Term

RSA SecurID Software Token 1.0 for Android Administrator s Guide

NETWORK SECURITY: How do servers store passwords?

Centralized Oracle Database Authentication and Authorization in a Directory

Kerberos. Login via Password. Keys in Kerberos

1.00 Lecture 1. Course information Course staff (TA, instructor names on syllabus/faq): 2 instructors, 4 TAs, 2 Lab TAs, graders

BusinessObjects 4.0 Windows AD Single Sign on Configuration

Using Foundstone CookieDigger to Analyze Web Session Management

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Transcription:

Lecture topics Authentication and authorization for EJBs Password-based authentication The most popular authentication technology Storing passwords is a problem On the server machines Could encrypt them, but would have to store the key somewhere Solution: store only a hash of the password An attacker wouldn t be able to reconstruct the password from the hash Usability problem good security -> long key -> long passwords Many password hashing approaches use the password itself as a key E.g., to get 128 bits of security, need 20-character passwords, with characters as random as possible

Password manipulation pitfalls Displaying password in cleartext on the screen as it is entered Unlimited login attempts Letting users use the same password over a long period of time Using a non-random seed crypt(pw, pw) call in C Leaving passwords around in memory in plaintext E.g. core dump attacks E.g. swaps to the disk Need zero out memory that was taken by the password Access rights to the password database Password selection Problem: people pick things that are easy to remember Prone to dictionary attacks Password systems commonly check that specific password quality standards are satisfied Any suggestions for good password selection criteria? Must be: Easy to remember Hard to guess tbontbtitq!, anyone?

Dealing with the problem of having to remember multiple passwords Password safes E.g. PasswordSafe from Counterpane Microsoft attempted to be more than that Microsoft Passport One-time passwords People do wacky things Write their password on a Post-It and stick it to their monitor Send their password in an unencrypted email to their colleagues One-time passwords improve security of a password by using a shared secret between the user and the application as a part of the password E.g. SecurID

Reminder: role-based access control for EJBs Java Authentication and Authorization Service (JAAS) Used for two purposes: Authentication of users Who is executing our code? Authorization of users Are they allowed to perform security-sensitive operations? Pluggable: different methods for authentication and authorization can be implemented and plugged in the framework

JAAS terminology Subject is a source of request for service Could represent a person or a service Modeled as a javax.security.auth.subject object Authentication is he process of verifying the identity of a subject The subject has to provide some evidence to demonstrate its identity Principal is the dentity of a subject A subject can have several principals After authentication, a subject is populated with its principals E.g. a person can have a name principal Joe and an SSN principal 666-66-6666 Credentials are security-related attributes of a subject (other than principals) E.g. passwords, public key certificates, Kerberos tickets May contain data that enables the subject to perform certain activities E.g., cryptographic keys enable the subject to encrypt messages JAAS authentication User authentication is done in two steps: Instantiate a LoginContext Call the LoginContext s login method Instantiating a LoginContext: Provide a config file entry name and a CallbackHandler to use for communication with the user, e.g.: import javax.security.auth.login.*; import com.sun.security.auth.callback.textcallbackhandler;... LoginContext lc = new LoginContext("JaasSample", new TextCallbackHandler()); The config file jaas.conf will contain: JaasSample { com.sun.security.auth.module.krb5loginmodule required; ; com.sun.security.auth.module.krb5loginmodule can be replaced with any class that implements interface javax.security.auth.spi.loginmodule

JAAS authentication, cont. Using a CallbackHandler instance A LoginModule may need to communicate with the user E.g. to ask for username and password LoginModule uses a javax.security.auth.callback.callbackhandler instance for this communication Calling the LoginContext's login Method It actually carries out the authentication process: lc.login() Instantiates a new empty javax.security.auth.subject object Represents the user or service being authenticated Constructs the LoginModule and initializes it with the subject and CallbackHandler Calls methods in the LoginModule to perform the login (uses CallbackHandler to get the required info) If authentication is successful, the LoginModule populates the subject with a principal representing the user and user credentials

JAAS-based security in JBoss The EJB container intercepts calls to EJB methods and delegates the tasks of principal authentication and principal role mapping to two different security interfaces: org.jboss.security.ejbsecuritymanager org.jboss.security.realmmapping JBoss has a number of implementations of these interfaces in package org.jboss.security.plugins.samples The default security implementation consists of a JMX service bean org.jboss.security.plugins.jaassecuritymana gerservice and a JAAS-based implementation of both interfaces org.jboss.security.plugins.jaassecuritymana ger Configuring LoginModules to work with JaasSecurityManager The UsersRolesLoginModule class is a simple properties file based implemention that uses two Java Properties (users.properties and roles.properties) to perform authentication and role mapping users.properties: username1=password1 username2=password2... roles.properties: username1=role1[,role2,...] username2=role1...

The LoginModule configuration file This is where JAAS looks to find out what LoginModule implementation to use The default file for JBoss: ${jboss_home)/conf/default/auth.conf Syntax and example: name { login_module_class_name (required optional...) [options] ; ; example1 { org.jboss.security.auth.spi.usersrolesloginmodule required ; ; Use of the configuration file The name of the security configuration has to be used in jboss.xml <?xml version="1.0" encoding="utf-8"?> <jboss> <security-domain>java:/jaas/example1</security-domain> <enterprise-beans>

Example server code public class StatefulSessionBean implements SessionBean { private SessionContext sessioncontext; public void ejbcreate() throws CreateException { System.out.println("StatefulSessionBean.ejbCreate() called"); public void setsessioncontext(sessioncontext context) { sessioncontext = context; public String echo(string arg){ System.out.println("StatefulSessionBean.echo, arg="+arg); Principal p = sessioncontext.getcallerprincipal(); System.out.println("StatefulSessionBean.echo, callerprincipal="+p); return arg; public void noop() { System.out.println("StatefulSessionBean.noop"); Principal p = sessioncontext.getcallerprincipal(); System.out.println("StatefulSessionBean.noop, callerprincipal="+p); Example client code public static void main(string args[]) throws Exception { if( args.length!= 3 ) throw new IllegalArgumentException("Usage: username password example"); String name = args[0]; char[] password = args[1].tochararray(); String example = args[2]; try { AppCallbackHandler handler = new AppCallbackHandler(name, password); LoginContext lc = new LoginContext("TestClient", handler); lc.login(); catch (LoginException le) { System.out.println("Login failed"); System.exit(1); try { InitialContext inicontext = new InitialContext(); SessionHome home = (SessionHome) inicontext.lookup(example+"/statelesssession"); Session bean = home.create(); System.out.println("Bean.echo('Hello') -> "+bean.echo("hello")); bean.remove(); catch(exception e) {System.exit(1)

Example client code, cont. static class AppCallbackHandler implements CallbackHandler { private String username; private char[] password; public AppCallbackHandler(String username, char[] password) { this.username = username; this.password = password; public void handle(callback[] callbacks) throws java.io.ioexception, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof NameCallback) { NameCallback nc = (NameCallback)callbacks[i]; nc.setname(username); else if (callbacks[i] instanceof PasswordCallback) { PasswordCallback pc = (PasswordCallback)callbacks[i]; pc.setpassword(password); else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); User authentication in JBoss: JBossSX framework javax.ejb.ejbcontext defines the security context in the EJB container public boolean iscallerinrole(string rolename) checks if the caller has the specified role public java.security.principal getcallerprincipal() returns the Principal object that identifies the caller

Security proxies in JBoss org.jboss.security.securityproxy void invoke(method m, Object [] args, Object bean) An additional layer between clients and beans Convenient for custom security checks

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information