Web Application Access Control with Java SE Security



Similar documents
Using jlock s Java Authentication and Authorization Service (JAAS) for Application-Level Security

JAAS Java Authentication and Authorization Services

Welcome to Spring Forward September 26, 2006 Penn State Great Valley

Password-based authentication

A Pluggable Security Framework for Message Oriented Middleware

Web Service Authorization Framework

APPLICATION SECURITY ENHANCEMENTS IN JAVA EE 6

OUR COURSES 19 November All prices are per person in Swedish Krona. Solid Beans AB Kungsgatan Göteborg Sweden

End-to-End Security Policy Auditing and Enforcement in Service Oriented Architecture. Progress Report: January 2014 and Related Research

Glassbox: Open Source and Automated Application Troubleshooting. Ron Bodkin Glassbox Project Leader

Developing modular Java applications

Aspect Oriented Programming. with. Spring

GlassFish Security. open source community experience distilled. security measures. Secure your GlassFish installation, Web applications,

<Insert Picture Here> Hudson Security Architecture. Winston Prakash. Click to edit Master subtitle style

JBS-102: Jboss Application Server Administration. Course Length: 4 days

Running and Testing Java EE Applications in Embedded Mode with JupEEter Framework

XACML. extensible Access Control Markup Language

Customizing the Security Architecture

A (re)introduction to Spring Security

Rapid Application Development. and Application Generation Tools. Walter Knesel

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

A Model for Access Control Management in Distributed Networks

Project Software Security: Securing SendMail with JAAS and Polymer

vcommander will use SSL and session-based authentication to secure REST web services.

SPRING INTERVIEW QUESTIONS

Research Article. ISSN (Print) *Corresponding author Lili Wang

Programma corso di formazione J2EE

goberlin a Trusted Cloud Marketplace for Governmental and Commercial Services

SCUR203 Why Do We Need Security Standards?

ADMINISTERING ADOBE LIVECYCLE MOSAIC 9.5

How To Understand The Architecture Of Java 2Ee, J2Ee, And J2E (Java) In A Wordpress Blog Post

Case Studies of Running the Platform. NetBeans UML Servlet JSP GlassFish EJB

enterprise^ IBM WebSphere Application Server v7.0 Security "publishing Secure your WebSphere applications with Java EE and JAAS security standards

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

This presentation will provide a brief introduction to Rational Application Developer V7.5.

OpenHRE Security Architecture. (DRAFT v0.5)

Complete Java Web Development

Identification and Implementation of Authentication and Authorization Patterns in the Spring Security Framework

Security As A Service Leveraged by Apache Projects. Oliver Wulff, Talend

Kohsuke Kawaguchi Sun Microsystems, Inc. hk2.dev.java.net, glassfish.dev.java.net. Session ID

On XACML, role-based access control, and health grids

Java Enterprise Security. Stijn Van den Enden

Toward Configurable Access Control for. Healthcare Information Systems

Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

Using weblock s Servlet Filters for Application-Level Security

Spring Security SAML module

Spring Security 3.

BOF2337 Open Source Identity and Access Management Expert Panel, Part II. 23 September :30p Hilton - Golden Gate 6/7/8 San Francisco CA

Empowering Patients and Enabling Providers

Remote Pointcut - A Language Construct for Distributed AOP

What s new in Spring 3.1?

Test Automation Integration with Test Management QAComplete

Web Development in Java

MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE QUEUE

JBoss JEE5 with EJB3.0 on NonStop. JAVA SIG, San Jose

WebSphere Training Outline

UNIVERSITY OF ILLINOIS AT CHICAGO University of Illinois Ready

Japan Communication India Skill Development Center

Page: Unisys Corporation. All rights reserved.

Dragan Juričić, PBZ May 2015

Japan Communication India Skill Development Center

Dynamic Access Control Infrastructure for On-demand Provisioned Cloud Services

Oracle Identity Analytics Architecture. An Oracle White Paper July 2010

SSC - Web development Model-View-Controller for Java web application development

GlassFish v3. Building an ex tensible modular Java EE application server. Jerome Dochez and Ludovic Champenois Sun Microsystems, Inc.

Java Building Web Apps with Spring Rob Harrop, Interface21 Ltd.

Enterprise Application Development In Java with AJAX and ORM

A Guide to Migrating Enterprise Applications to Spring

Mastering Tomcat Development

ARM-BASED PERFORMANCE MONITORING FOR THE ECLIPSE PLATFORM

Reference Documentation

COMPARISON BETWEEN SPRING AND ASP.NET FRAMEWORKS

Using Federated Identity Management in a Business-Process-Management System Requirements, Architecture, and Implementation

JBoss Enterprise Application Platform 6.2 Security Guide

GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET

Overview of Web Services API

Meta Model Based Integration of Role-Based and Discretionary Access Control Using Path Expressions

FUSE-ESB4 An open-source OSGi based platform for EAI and SOA

CryptoNET: Security Management Protocols

JMS 2.0: Support for Multi-tenancy

A Beginners Guide to Fusion Middleware

Architecture Rules Enforcement and Governance Using Aspects

OpenSSO: Cross Domain Single Sign On

Java in Web 2.0. Alexis Roos Principal Field Technologist, CTO Office OEM SW Sales Sun Microsystems, Inc.

IONA Security Platform

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

Identity Security Using Authentication and Authorization in Cloud Computing

Generating Aspect Code from UML Models

Aspect-oriented Refactoring of a J2EE Framework for Security and Validation Concerns

Advanced OpenEdge REST/Mobile Security

Single Sign On In A CORBA-Based

GP Connector (GPC) O. Heinze 1, H. Schmuhl 1, B. Bergh 1

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

OPENIAM ACCESS MANAGER. Web Access Management made Easy

by Charles Souillard CTO and co-founder, BonitaSoft

XACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management

REST and SOAP Services with Apache CXF

Specialized Programme on Web Application Development using Open Source Tools

Internet of Services. Project Introduction. Prof. Dr. Küpper, S. Göndör, M. Salem, M. Slawik, S. Zickau D. Thatmann, A. Uzun, B. Deva, J.

Das Spring Framework - Einführung in leichtgewichtige J2EE Architektur. Jürgen Höller. Organized by:

Transcription:

Web Application Access Control with Java SE Security Java Forum Stuttgart 2009 Jürgen Groothues Stuttgart,

Agenda 1. Access Control Basics 2. The Java Authentication and Authorization Service (JAAS) 3. Enhancement and Application of JAAS 4. Role-Based Access Control 5. Instance-Based Access Control 6. Sample Application: A Personal Health Record 2

Access Control Basics Action Subject Access Control Resource Environment Subject: A user, system, etc. Resource: A file, printer, domain object, etc. Action: An operation on a resource (read, print, create, etc.) Environment: Access control relevant attributes not available from Subject, Action or Resource (time, location, ) Access Control: Controls performing an Action in accordance with a Policy 3

Access Control Architecture 1. Business request PEP 6. Business request Subject 2. Access request 5. Access decision Resource PDP 3. Attributes (optional) 4. Policy Environment PEP: Policy Enforcement Point PDP: Policy Decision Point PAP: Policy Administration Point PAP Policy Store 4

Agenda 1. Access Control Basics 2. The Java Authentication and Authorization Service (JAAS) 3. Enhancement and Application of JAAS 4. Role-Based Access Control 5. Instance-Based Access Control 6. Sample Application: A Personal Health Record 5

Limitations of JEE Security With the declarative JEE security model, it is difficult to change security policies when new requirements arise The declarative model limits the expressiveness of security policies Only one authentication method per application allowed Supports only limited set of authentication methods 6

Java Authentication and Authorization Service (JAAS) Originally, Java SE Authorization was based exclusively on the code accessing resources and authentication was based on digital signatures applied to the code JAAS was designed to address this shortcoming and is part of Java SE since V. 1.4 JAAS authentication is an implementation of the Pluggable Authentication Module (PAM) framework and allows applications to authenticate independently from the underlying technology (user/password, certificate, ) JAAS authorization allows access control based on who is executing the code 7

JAAS Authentication API javax.security.auth.login.logincontext login() throws javax.security.auth.login.loginexception JAAS Authentication javax.security.auth.spi.loginmodule JAAS Configuration SPI initialize(subject s, CallbackHandler c, Map sharedstate, Map options); login() throws LoginException; commit() throws LoginException; abort() throws LoginException; logout() throws LoginException; 8

JAAS Authorization API java.security.accesscontroller checkpermission(java.security.permission) throws java.security.accesscontrolexception JAAS Authorization java.security.policy implies(java.security.protectiondomain, java.security.permission) SPI Permission: encapsulates access control relevant attributes of Action and Resource AccessControlException: thrown if access to Resource is denied ProtectionDomain: provides Subject 9

Agenda 1. Access Control Basics 2. The Java Authentication and Authorization Service (JAAS) 3. Enhancement and Application of JAAS 4. Role-Based Access Control 5. Instance-Based Access Control 6. Sample Application: A Personal Health Record 10

Application of JAAS Authentication Servlet Filter Servlet Filter Servlet Filter Servlet Filter FormLogin Filter BasicLogin Filter CertificateLogin Filter PinLogin Filter ServletFilter-driven Enforcement LoginContext JAAS Authentication LoginModule JAAS Configuration DefaultLoginModule User Store Pluggable Authenticator 11

Subject and Principals A successful authenticated subject is represented in Java by a javax.security.auth.subject instance A subject is associated with identities. In Java an identity is represented by the java.security.principal interface An application provides Principal implementations javax.security.auth.subject * java.security.principal UserPrincipal RolePrincipal 12

Application of JAAS Authorization Subject AccessController Security Annotation Framework (SAF) Resource Annotation-driven Enforcement JAAS Authorization Policy Access Decision Framework Extensible Access Decision 13

Security Annotation Framework (SAF) 1 1 Subject Spring AOP AspectJ RT Spring AOP Proxy 2 Method Interceptor CT Enhanced Bytecode 2 AspectJ Advice 4 Domain Object 4 Spring Bean Resource Resource RT Created at runtime SAF Access Manager CT Created at compile time 3 JAAS Adapter 3 14

SAF Service Annotations public interface RecordService { @Filter public Set<Record> findall(); } public Record create (@Secure (SecureAction.CREATE) Record record); 15

SAF Domain Object Annotations @SecureObject public class Record { private Set<Medication> medications; } @Secure (SecureAction.UPDATE) public void addmedication(medication medication) { medications.add(medication); }... 16

Access Decision Framework 1 java.security. Policy 1 * AccessDecision Voter AccessPolicy AccessDecision Combiner Product Product AccessDecision Combiner Product AccessDecision Voter A Product AccessDecision Voter B use via runtime configuration implements extends use 17

Enabling JAAS in a Web Application A JEE-compliant Web Application Server (WAS) is required to support JAAS However, the JEE specification does not require a WAS to use JAAS as its own authentication and authorization mechanism JAAS has to be enabled by the web application itself: Set the JAAS policy during application startup, i.e. call java.security.policy.setpolicy(custompolicy) in the ContextListener Use one (or more) JAAS authentication servlet filter/s Use a JAAS authorization servlet filter that adds a Subject to the JAAS access control context (i.e. call javax.security.auth.subject.doasprivileged( ) request JAAS Authentication Filter request JAAS Authorization Filter request Servlet e.g. FormLoginFilter, PinLoginFilter, etc DoAsPrivilegedFilter 18

Agenda 1. Access Control Basics 2. The Java Authentication and Authorization Service (JAAS) 3. Enhancement and Application of JAAS 4. Role-Based Access Control 5. Instance-Based Access Control 6. Sample Application: A Personal Health Record 19

Role-Based Access Control (RBAC) P1 P2 P3 Role A Role B Role C P4 JAAS Subject Bob : Role Assignment Bob Principal Bob Permission P4 Pn Permission n Permission Assignment Role A Role B Role C P1 - P2,P3 Effective Permissions for Subject Bob : P1,P2,P3,P4 20

Hierarchical Role-Based Access Control (HRBAC) User P1 P4 P2 Physician Professional Pharmacist Non- Professional P3 JAAS Subject Bob : Principal Permission Bob - Physician P4 Professional P2 User P1 Bob Effective Permissions for Subject Bob : P1,P2,P4 Pn Permission n Permission Assignment Parent Role Assignment 21

Principal Provider Pattern LoginContext JAAS Authentication LoginModule PrincipalProvider * JAAS Configuration DefaultLoginModule Composite PrincipalProvider Product Role PrincipalProvider Organization PrincipalProvider use via JAAS configuration implements use 22

Agenda 1. Access Control Basics 2. The Java Authentication and Authorization Service (JAAS) 3. Enhancement and Application of JAAS 4. Role-Based Access Control 5. Instance-Based Access Control 6. Sample Application: A Personal Health Record 23

Instance-Based Access Control (IBAC) Instances of domain objects are secured resources Access decisions are based on the state of the instances :Record owner= Sue :Record owner= Bob :Record owner= Alice :Record owner= Paul :Record owner= No Access on other Records Policy: Bob has access on Records where owner = Alice or Bob Bob 24

Annotation-Driven IBAC @SecureObject public class Record {... @SecurityRelevant private String owner; }... The PEP extracts all security relevant attributes from the domain object instance and puts them into a java.security.permission implementation. 25

Agenda 1. Access Control Basics 2. The Java Authentication and Authorization Service (JAAS) 3. Enhancement and Application of JAAS 4. Role-Based Access Control 5. Instance-Based Access Control 6. Sample Application: A Personal Health Record 26

Sample Application Domain Model Personal Health Record User Management Record owner 1 User * * Medication Observation * Role * Use Cases - Create a new user with roles and an associated new record - Grant access rights to a user - Add medications and observations to a record 27

Sample Application Technology Libraries: Testing Build Platform Java SE 6 Spring IOC / AOP / MVC V. 2.5 Security Annotation Framework (SAF) V. 0.9 Servlets V. 2.5 AspectJ V. 1.6 JUnit V. 4.4 EasyMock V.2.4 Maven V. 2.0 Tomcat V. 6.0 28

Resources Java SE Security http://java.sun.com/javase/technologies/security/ Security Annotation Platform (SAF) http://safr.sourceforge.net/ OASIS extensible Access Control Markup Language (XACML) http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml Enterprise Java Security: Building Secure J2EE Applications by Marco Pistoia et al., Addison Wesley, 2004 Creative Commons Icons http://creativecommons.org/licenses/by-nd/3.0/ 29

Contact InterComponentWare AG Jürgen Groothues Industriestraße 41 69190 Walldorf, Germany E-Mail: juergen.groothues@icw-global.com www.icw-global.com 30

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information