Download Web Application Access Control with Java SE Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
Document related concepts
no text concepts found
Transcript 
Web Application Access Control
with Java SE Security
Java Forum Stuttgart 2009
Jürgen Groothues
Stuttgart, 02.07.2009
Agenda
1. Access Control Basics
2. The Java Authentication and Authorization Service (JAAS)
3. Enhancement and Application of JAAS
4. Role-Based Access Control
5. Instance-Based Access Control
6. Sample Application: A Personal Health Record
2
02.07.2009
Web Application Access Control with Java SE Security
Access Control Basics
Action
Resource
Subject
Access Control
Environment
Subject: A user, system, etc.
Resource: A file, printer, domain object, etc.
Action: An operation on a resource (read, print, create, etc.)
Environment: Access control relevant attributes not available from Subject,
Action or Resource (time, location, …)
Access Control: Controls performing an Action in accordance with a Policy
3
02.07.2009
Web Application Access Control with Java SE Security
Access Control Architecture
1.
Business
request
6.
Business
request
PEP
Subject
2.
Resource
Access
request
5.
Access
decision
3.
PDP
4.
PEP: Policy Enforcement Point
PDP: Policy Decision Point
PAP: Policy Administration Point
4
02.07.2009
Web Application Access Control with Java SE Security
Policy
Attributes
(optional)
Environment
PAP
Policy Store
Agenda
1. Access Control Basics
2. The Java Authentication and Authorization Service (JAAS)
3. Enhancement and Application of JAAS
4. Role-Based Access Control
5. Instance-Based Access Control
6. Sample Application: A Personal Health Record
5
02.07.2009
Web Application Access Control with Java SE Security
Limitations of JEE Security
With the declarative JEE security model, it is difficult to change
security policies when new requirements arise
The declarative model limits the expressiveness of security policies
Only one authentication method per application allowed
Supports only limited set of authentication methods
6
02.07.2009
Web Application Access Control with Java SE Security
Java Authentication and Authorization Service (JAAS)
Originally, Java SE Authorization was based exclusively on the code
accessing resources and authentication was based on digital signatures
applied to the code
JAAS was designed to address this shortcoming and is part of Java SE since
V. 1.4
JAAS authentication is an implementation of the Pluggable Authentication
Module (PAM) framework and allows applications to authenticate
independently from the underlying technology (user/password, certificate,…)
JAAS authorization allows access control based on who is executing the
code
7
02.07.2009
Web Application Access Control with Java SE Security
JAAS Authentication
API
javax.security.auth.login.LoginContext
login() throws
javax.security.auth.login.LoginException
JAAS Authentication
JAAS Configuration
javax.security.auth.spi.LoginModule
SPI
initialize(Subject s, CallbackHandler c,
Map sharedState, Map options);
login() throws LoginException;
commit() throws LoginException;
abort() throws LoginException;
logout() throws LoginException;
8
02.07.2009
Web Application Access Control with Java SE Security
JAAS Authorization
API
java.security.AccessController
checkPermission(java.security.Permission)
throws java.security.AccessControlException
JAAS Authorization
implies(java.security.ProtectionDomain,
java.security.Permission)
java.security.Policy
SPI
Permission: encapsulates access control relevant attributes of Action and Resource
AccessControlException: thrown if access to Resource is denied
ProtectionDomain: provides Subject
9
02.07.2009
Web Application Access Control with Java SE Security
Agenda
1. Access Control Basics
2. The Java Authentication and Authorization Service (JAAS)
3. Enhancement and Application of JAAS
4. Role-Based Access Control
5. Instance-Based Access Control
6. Sample Application: A Personal Health Record
10
02.07.2009
Web Application Access Control with Java SE Security
Application of JAAS Authentication
Servlet
Filter
Servlet
Filter
FormLogin
Filter
Servlet
Filter
BasicLogin
Filter
CertificateLogin
Filter
Servlet
Filter
PinLogin
Filter
ServletFilter-driven
Enforcement
LoginContext
JAAS Authentication
LoginModule
JAAS
Configuration
Pluggable
Authenticator
DefaultLoginModule
User Store
11
02.07.2009
Web Application Access Control with Java SE Security
Subject and Principals
A successful authenticated subject is represented in Java by a
javax.security.auth.Subject instance
A subject is associated with identities. In Java an identity is
represented by the java.security.Principal interface
An application provides Principal implementations
javax.security.auth.Subject
*
java.security.Principal
UserPrincipal
12
02.07.2009
Web Application Access Control with Java SE Security
RolePrincipal
…
Application of JAAS Authorization
Security Annotation
Framework (SAF)
Subject
Annotation-driven
Enforcement
Resource
AccessController
JAAS Authorization
Policy
Access Decision
Framework
13
02.07.2009
Web Application Access Control with Java SE Security
Extensible
Access Decision
Security Annotation Framework (SAF)
1
1
Subject
Spring AOP
RT
Spring
AOP Proxy
2
AspectJ
CT
Method
Interceptor
2
Enhanced
Bytecode
Domain
Object
4
4
Resource
Spring
Bean
Resource
14
RT
Created at runtime
CT
Created at compile time
02.07.2009
SAF Access
Manager
3
Web Application Access Control with Java SE Security
JAAS
Adapter
3
AspectJ
Advice
SAF Service Annotations
public interface RecordService {
@Filter
public Set<Record> findAll();
public Record create (@Secure (SecureAction.CREATE) Record record);
}
15
02.07.2009
Web Application Access Control with Java SE Security
SAF Domain Object Annotations
@SecureObject
public class Record {
private Set<Medication> medications;
@Secure (SecureAction.UPDATE)
public void addMedication(Medication medication) {
medications.add(medication);
}
...
}
16
02.07.2009
Web Application Access Control with Java SE Security
Access Decision Framework
1
1
java.security.
Policy
AccessPolicy
Product
use via runtime configuration
17
02.07.2009
*
AccessDecision
Voter
AccessDecision
Combiner
Product
AccessDecision
Combiner
implements
Web Application Access Control with Java SE Security
Product
AccessDecision
Voter A
extends
use
Product
AccessDecision
Voter B
…
Enabling JAAS in a Web Application
A JEE-compliant Web Application Server (WAS) is required to support JAAS
However, the JEE specification does not require a WAS to use JAAS as its
own authentication and authorization mechanism
JAAS has to be enabled by the web application itself:
Set the JAAS policy during application startup,
i.e. call java.security.Policy.setPolicy(customPolicy) in the ContextListener
Use one (or more) JAAS authentication servlet filter/s
Use a JAAS authorization servlet filter that adds a Subject to the JAAS access
control context (i.e. call javax.security.auth.Subject.doAsPrivileged(…)
request
JAAS
Authentication
Filter
e.g. FormLoginFilter,
PinLoginFilter, etc…
18
02.07.2009
Web Application Access Control with Java SE Security
request
JAAS
Authorization
Filter
DoAsPrivilegedFilter
request
Servlet
Agenda
1. Access Control Basics
2. The Java Authentication and Authorization Service (JAAS)
3. Enhancement and Application of JAAS
4. Role-Based Access Control
5. Instance-Based Access Control
6. Sample Application: A Personal Health Record
19
02.07.2009
Web Application Access Control with Java SE Security
Role-Based Access Control (RBAC)
P2
P1
P3
Role A
Role B
Role C
P4
Role Assignment
“Bob”
Pn Permission n
Permission Assignment
JAAS Subject “Bob”:
Principal
Permission
Bob
P4
Role A
P1
Role B
-
Role C
P2,P3
Effective Permissions for Subject “Bob”: P1,P2,P3,P4
20
02.07.2009
Web Application Access Control with Java SE Security
Hierarchical Role-Based Access Control (HRBAC)
P1
User
P2
P3
Professional
NonProfessional
P4
JAAS Subject “Bob”:
Physician
Pharmacist
21
02.07.2009
Permission
Bob
-
Physician
P4
Professional
P2
User
P1
Effective Permissions for Subject “Bob”: P1,P2,P4
“Bob”
Pn Permission n
Principal
Permission Assignment
Web Application Access Control with Java SE Security
Parent
Role Assignment
Principal Provider Pattern
LoginContext
JAAS Authentication
PrincipalProvider
*
LoginModule
Composite
PrincipalProvider
DefaultLoginModule
JAAS
Configuration
Product
use via JAAS configuration
22
02.07.2009
implements
Web Application Access Control with Java SE Security
use
Role
PrincipalProvider
Organization
PrincipalProvider
…
Agenda
1. Access Control Basics
2. The Java Authentication and Authorization Service (JAAS)
3. Enhancement and Application of JAAS
4. Role-Based Access Control
5. Instance-Based Access Control
6. Sample Application: A Personal Health Record
23
02.07.2009
Web Application Access Control with Java SE Security
Instance-Based Access Control (IBAC)
Instances of domain objects are secured resources
Access decisions are based on the state of the instances
:Record
owner=“Sue”
:Record
owner=“Paul”
:Record
owner=“Bob”
:Record
owner=…
:Record
owner=“Alice”
No Access on other Records
Policy:
Bob has access on Records
where owner = “Alice” or “Bob”
24
02.07.2009
Web Application Access Control with Java SE Security
“Bob”
Annotation-Driven IBAC
@SecureObject
public class Record {
...
@SecurityRelevant
private String owner;
...
}
The PEP extracts all security relevant attributes from the domain object instance
and puts them into a java.security.Permission implementation.
25
02.07.2009
Web Application Access Control with Java SE Security
Agenda
1. Access Control Basics
2. The Java Authentication and Authorization Service (JAAS)
3. Enhancement and Application of JAAS
4. Role-Based Access Control
5. Instance-Based Access Control
6. Sample Application: A Personal Health Record
26
02.07.2009
Web Application Access Control with Java SE Security
Sample Application
Domain Model
Personal Health Record
User Management
owner
1
Record
*
User
*
Medication
Observation
*
*
Role
Use Cases
27
02.07.2009
-
Create a new user with roles and an associated new record
-
Grant access rights to a user
-
Add medications and observations to a record
Web Application Access Control with Java SE Security
Sample Application Technology
Libraries:
Java SE 6
Spring IOC / AOP / MVC V. 2.5
Security Annotation Framework (SAF) V. 0.9
Servlets V. 2.5
AspectJ V. 1.6
Testing
JUnit V. 4.4
EasyMock V.2.4
Build
Maven V. 2.0
Platform
Tomcat V. 6.0
28
02.07.2009
Web Application Access Control with Java SE Security
Resources
Java SE Security
http://java.sun.com/javase/technologies/security/
Security Annotation Platform (SAF)
http://safr.sourceforge.net/
OASIS eXtensible Access Control Markup Language (XACML)
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Enterprise Java Security: Building Secure J2EE Applications
by Marco Pistoia et al., Addison Wesley, 2004
Creative Commons Icons
http://creativecommons.org/licenses/by-nd/3.0/
29
02.07.2009
Web Application Access Control with Java SE Security
Contact
InterComponentWare AG
Jürgen Groothues
Industriestraße 41
69190 Walldorf, Germany
E-Mail: [email protected]
www.icw-global.com
30
02.07.2009
Web Application Access Control with Java SE Security
Related documents