Download Lecture20

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
Document related concepts
no text concepts found
Transcript 
CS441
CURRENT TOPICS IN
PROGRAMMING LANGUAGES
Lecture 20
George Koutsogiannakis Summer 2011
1
Topics
•
•
•
•
Realms, Users, Groups.
Web Security Example.
Application Server Security.
Web Services definitions.
2
Realms, Users, Groups
• A Realm is defined on the Application Server
or the Web Server.
• In this lecture we assume that GlassFish is
used regardless if the application is just a web
application or a combination of web/ejb.
3
Realms, Users, Groups
• A REALM
– Contains a collection of users that are covered by
the same authentication policy.
– Users are assigned to roles as discussed in
previous lecture.
– A Group is a set of authenticated users classified
by common traits defined in the Application
Server.
4
Realms, Users, Groups
• Realm appears as a data source (can be a
table) of users and groups.
• There are 3 mappings of Realm:
– file:all clients except those that use certificates
and HTTPS.
– certificate: clients are authenticated using
certificates and HTTPS
– admin-realm: special realm reserved for
administrators to manage users.
5
Realms, Users, Groups
• Realm contains a collection of users which
may or may not be assigned to a group.
– For a web application, a realm is a complete
database of users and groups that identify valid
users of a web application (or a set of web
applications) and are controlled by the same
authentication policy.
6
Realms, Users, Groups
• A user is an individual (or application
program) identity that has been defined in the
Application Server.
– In a web application, a user can have a set of
roles associated with that identity, which entitles
them to access all resources protected by those
roles. Users can be associated with a group.
7
Realms, Users, Groups
• A group is a set of authenticated users,
classified by common traits, defined in the
Application Server.
• Principal: A principal is an entity that can be authenticated by
an authentication protocol in a security service that is
deployed in an enterprise (in other words a user).
• Security policy domain (also known as security domain or
realm): A security policy domain is a scope over which a
common security policy is defined and enforced by the
security administrator of the security service.
8
9
Web Security Example
• Overview of Web Application Security
– In the Java EE platform, web components provide
the dynamic extension capabilities for a web
server. Web components are either Java servlets,
JSP pages, JSF pages, or web service endpoints.
10
11
Web Security Example
• Basic Authentication with a Servlet
1. Add an authorized user to the Application
Server.
• Start the Application Server in NetBeans services window.
• Start the Admin Console by right clicking on the server in
NetBeans and choosing view admin console..
• To log in to the Admin Console, enter the user name and
password of a user in the admin-realm who belongs to the
asadmin group. The name and password entered during
installation will work, as will any users added to this realm
and group subsequent to installation.
• Expand the Configuration node in the Admin Console tree.
12
Web Security Example-Add user to
Application Server
• Expand the Security node in the Admin Console tree.
• Expand the Realms node.
• Select the file realm to add users you want to enable to
access applications running in this realm. (For the
example security applications, select the file realm.)
• Select the admin-realm to add users you want to
enable as system administrators of the Application
Server.
• You cannot enter users into the certificate realm using
the Admin Console. You can only add certificates to the
certificate realm.
13
Web Security Example-Add user to
Application Server
• Click the Manage Users button.
• Click New to add a new user to the realm.
• Enter the correct information into the User ID,
Password, and Group(s) fields.
• If you are adding a user to the file realm, enter the
name to identify the user, a password to allow the user
access to the realm, and a group to which this user
belongs.
14
Web Security Example-Add user to
Application Server
• For the example security applications, enter a user with
any name and password you like, but make sure that
the user is assigned to the group of user.
• If you are adding a user to the admin-realm, enter the
name to identify the user, a password to allow the user
access to the Application Server, and enter asadmin in
the Group field.
• Click OK to add this user to the list of users in the realm.
• Click Logout when you have completed this task.
15
Web Security Example-Add roles
2. Add roles:
– You can add roles in the web.xml descriptor file. The following is an
example of a security constraint from a web.xml application
deployment descriptor file where
• the role of DEPT-ADMIN is authorized for methods that review employee data and
• the role of DIRECTOR is authorized for methods that change employee data.
<security-constraint>
<web-resource-collection>
<web-resource-name>view dept data</web-resource-name>
<url-pattern>/hr/employee/*</url-pattern>
` <http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
16
Web Security Example-Add roles
<auth-constraint>
<role-name>DEPT_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
17
Web Security Example-Add roles
<security-constraint>
<web-resource-collection>
<web-resource-name>change dept data</web-resource-name>
<url-pattern>/hr/employee/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DIRECTOR</role-name>
</auth-constraint>
<user-data-constraint> <transport-guarantee>CONFIDENTIAL</transportguarantee>
</user-data-constraint>
</security-constraint>
18
Web Security Example-Add roles
• Notice the element
<user-data-constraint>
This element requires that all security contraint URL pattrens and HTTP
methods are received over a protected transport layer.
– The choice COFIDENTIAL means that the transmitted data can not be
accessed by other entities. HTTPS is used (SSL)
• Notice the element <auth-constraint> is used to define the users in their
roles.
• The element <web-resource-collection> idetifies the URLs (resources) to
be protected.
• Another element (not shown) is <login-config> is used to authenticate
access to the web content by a user (before any request is processed base
don a role).
19
Web Security Example-Add roles
3. The last step is to map the security role to
the name of a user, or principal (in the
application server).
– The security architecture provides a mechanism for
mapping the roles defined in the application to the users
or groups defined in the runtime realm.
– Use the security-role-mapping element in the runtime
deployment descriptor (sun-application.xml, sun-web.xml,
or sun-ejb-jar.xml) file.
20
Web Security Example-Add roles
– The entry needs to declare a mapping between a security role used in the
application and one or more groups or principals defined for the applicable
realm of the Application Server. An example for the sun-web.xml file is shown
below:
– <sun-web-app>
<security-role-mapping>
<role-name>DIRECTOR</role-name>
<principal-name>mcneely</principal-name>
</security-role-mapping>
<security-role-mapping>
<role-name>DEPT_ADMIN</role-name>
<group-name>administrators</group-name>
</security-role-mapping>
</sun-web-app>
21
Web Security Example-Servlets
•
Create a web module hello2.
The subsequent steps discuss adding security to
this basic application. The files for this example
application are in tutinstall/javaeetutorial5/examples/web/hello2_basica
uth/.
–
–
–
There are two servlets:
GreetingSerlet.java
ResponseServlet.java
22
Web Security Example-Servlets
@DeclareRoles("helloUser")
public class GreetingServlet extends HttpServlet {
public void doGet( HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
response.setBufferSize(8192);
PrintWriter out = response.getWriter();
// then write the data of the response
out.println("<html>" + "<head><title>Hello</title></head>");
out.println("<body bgcolor=\"#ffffff\">"
23
Web Security Example-Servlets
+ "<img src=\"duke.waving.gif\" alt=\"Duke waving\">"
+ "<h2>Hello, my name is Duke. What's yours?</h2>"
+ "<form method=\"get\">"
+ "<input type=\"text\" name=\"username\" size=\"25\">"
+ "<p></p>" + "<input type=\"submit\" value=\"Submit\">"
+ "<input type=\"reset\" value=\"Reset\">" + "</form>");
String username = request.getParameter("username");
if ((username != null) && (username.length() > 0)) {
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(
"/response");
if (dispatcher != null) { dispatcher.include(request, response);}
}
out.println("</body></html>");
out.close(); }
24
Web Security Example-Servlets
public String getServletInfo() {
return "The Hello servlet says hello.";
}
}
25
Web Security Example-Servlets
public class ResponseServlet extends HttpServlet {
public void doGet( HttpServletRequest request,HttpServletResponse
response) throws ServletException, IOException {
PrintWriter out = response.getWriter();
// then write the data of the response
String username = request.getParameter("username");
if ((username != null) && (username.length() > 0)) {
out.println("<h2>Hello, " + username + "!</h2>");
}
}
public String getServletInfo() {
return "The Response servlet says hello.";
}
}
26
Web Security Example-Servlets
•
Declare the roles that will be used in this
application. For this example, this is done by adding
the @DeclareRoles annotation to
GreetingServlet.java.
• The deployment descriptor web.xml should have the role
described :
27
Web Security Example-web.xml
•
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WRCollection</web-resource-name>
<url-pattern>/greeting</url-pattern>
</web-resource-collection>
<auth-constraint> <role-name>helloUser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config> <auth-method>BASIC</auth-method>
<realm-name>file</realm-name>
</login-config>
28
Web Security Examplesun-web.xml (Application Server)
•
Map the role name defined for this resource (helloUser) to a
group of users defined on the Application Server.
–
That is the roles define din the web.xml must be linked to the users
in the Application Server.
– Mapping Application Roles to Application Server
Groups
• Map the role of helloUser defined in the application to the group
of user defined on the Application Server by adding a securityrole-mapping element to the sun-web.xml runtime deployment
descriptor file.
29
Web Security Examplesun-web.xml
• The runtime deployment descriptor is an XML file that contains
information such as the context root of the web application and
the mapping of the portable names of an application’s resources
to the Application Server’s resources.
30
Web Security Examplesun-web.xml
<sun-web-app>
<context-root>/hello2_basicauth</context-root>
<security-role-mapping>
<role-name>helloUser</role-name>
<group-name>user</group-name>
</security-role-mapping>
</sun-web-app>
31
Web Security Example
• Add authorized users to the file type realm of
the Application Server
• Build, package, and deploy the web
application.
32
Summary of Security Settings for a
Web Application
1. Identify realms . Groups and users in the
Application server.
2. Create the web.xml security role sin combination
with annotations in your web resources code.
•
Identify the security roles.
33
Summary of Security Settings for a
Web Application
3. Map the security roles to the security constraints in
the Application server.
•
•
Elements of the security constraints will define the users/group
that pertain to the particular role and the security restrictions for
that role.
Notice that the security restrictions are linked to particular
resources defined in the proper element.
34
Security for Java EE Components.
• Let us discuss security for Enterprise Beans.
– Enterprise Beans can be called from application
clients or from web applications (as in previous
slides).
– The EJB container can provide additional security
pertaining to the beans. This can be accomplished
in a declarative way and/or in a programmatic
way.
35
36
Security for Java EE Components
• You can protect enterprise beans by doing the
following:
– Accessing an Enterprise Bean Caller's Security Context
– Declaring Security Role Names Referenced from Enterprise
Bean Code
– Defining a Security View of Enterprise Beans
– Using Enterprise Bean Security Annotations
– Using Enterprise Bean Security Deployment
DescriptorElements.
37
Security for Java EE Components
• Accessing an Enterprise Bean Caller’s Security
Context
– In general, security management should be enforced by
the container in a manner that is transparent to the
enterprise beans’ business methods.
– The security API described in this section should be used
only in the less frequent situations in which the enterprise
bean business methods need to access the security
context information.
38
Security for Java EE Components
– The javax.ejb.EJBContext interface provides two methods
that allow the bean provider to access security information
about the enterprise bean’s caller.
• java.security.Principal getCallerPrincipal();
The purpose of the getCallerPrincipal method is to allow the enterprise bean
methods to obtain the current caller principal’s name. The methods
might, for example, use the name as a key to information in a database.
• boolean isCallerInRole(String roleName);
The purpose of the isCallerInRole(String roleName) method is to test
whether the current caller has been assigned to a given security role.
39
Security for Java EE Components
• If we assume, for example, that the current caller user contains the
primary key used for the identification of employees (for example,
employee number):
/ /obtain the caller principal
callerPrincipal = ctx.getCallerPrincipal();
// obtain the caller principal’s name.
callerKey = callerPrincipal.getName();
// use callerKey as primary key to find EmployeeRecord
EmployeeRecord myEmployeeRecord =
em.findByPrimaryKey(EmployeeRecord.class, callerKey);
40
Security for Java EE Components
• Declaring Security Role Names Referenced
from Enterprise Bean Code
– You can declare security role names used in
enterprise bean code using either the
@DeclareRoles annotation (preferred) or the
security-role-ref elements of the deployment
descriptor.
41
Security for Java EE Components
• Defining a Security View of Enterprise Beans
– You can define a security view of the enterprise beans
contained in the ejb-jar file and pass this information along
to the deployer.
– When a security view is passed on to the deployer, the
deployer uses this information to define method
permissions for security roles.
– If you don’t define a security view, the deployer will have
to determine what each business method does to
determine which users are authorized to call each method.
42
Security for Java EE Components
• A security view consists :
– of a set of security roles, a semantic grouping of permissions that a
given type of users of an application must have to successfully access
the application. Security roles are meant to be logical roles,
representing a type of user.
– You can define method permissions for each security role.
• A method permission is a permission to invoke a specified group of
methods of the enterprise beans’ business interface, home
interface, component interface, and/or web service endpoints.
• You can specify an authentication mechanism that will be used to
verify the identity of a user.
43
Security for Java EE Components
• Use the @DeclareRoles and @RolesAllowed
annotations to define security roles using Java
language annotations.
• The set of security roles used by the
application is the total of the security roles
defined by the security role names used in the
@DeclareRoles and @RolesAllowed
annotations (multiple roles can be defined).
44
Security for Java EE Components
• Enterprise JavaBeans components use an EJB deployment
descriptor that must be named :
– META-INF/ejb-jar.xml (must be contained in the EJB JAR file).
– The role of the deployment descriptor is to relay information to the
deployer about security and other aspects of the application.
Specifying this information in annotations or in the deployment
descriptor helps the deployer set up the appropriate security policy for
the enterprise bean application.
45
Security for Java EE Components
• The following is a listing of deployment descriptor elements
that address security:
– The security-role-ref element declares each security role
referenced in the code.
– The security-role element defines broad categories of
users, and is used to provide access to protected methods.
– The method-permission element is used to specify
method permissions.
– The run-as element is used to configure a component’s
propagated security identity.
46
Security for Java EE Components
• You can augment the set of security roles defined for the
application by annotations using the security-role deployment
descriptor in the ejb-jar.xml file. i.e.
<security-role>
<description> This role includes the employees of the enterprise
who are allowed to access the employee self-service application.
This role is allowed only to access his/her own information.
</description>
<role-name>employee</role-name>
</security-role>
47
Security for Java EE Components
• We have two levels of security:
– We are trying to set the security references of the
component.
– We also have the security references at the application
level.
– The two need to be linked.
• In the absence of explicit linking a role at the component level will
be linked automatically to a role with the same name at the
application level.
• Or, you can explicitly link all the security role references declared
in the @DeclareRoles annotation or security-role-ref elements for
a component to the security roles defined by the use of
annotations and/or in the security-role elements.
48
Security for Java EE Components
• You can use the role-link element to link each security role
reference of a component to a security role at the application
level i.e.
<session>
<ejb-name>AardvarkPayroll</ejb-name>
<ejb-class>com.aardvark.payroll.PayrollBean</ejb-class> ... <security-roleref>
<description> This role should be assigned to the employees of the payroll
department. Members of this role have access to anyone’s payroll record. The role
has been linked to the payroll-department role.
</description>
<role-name>payroll</role-name>
<role-link>payroll-department</role-link>
</security-role-ref> ... </session>
49
Security for Java EE Components
• Specifying Method Permissions
– If you have defined security roles for the
enterprise beans in the ejb-jar file, you can also
specify the methods of the business interface,
home interface, component interface, and/or web
service endpoints that each security role is
allowed to invoke.
50
Security for Java EE Components
• Specifying Method Permissions Using Annotations
– The method permissions for the methods of a bean class
can be specified on the class, the business methods of the
class, or both.
– Method permissions can be specified on a method of the
bean class to override the method permissions value
specified on the entire bean class.
@RolesAllowed("list-of-roles")
list-of-roles is a list of security role names to be mapped to the security roles that
are permitted to execute the specified method or methods. Specifying this
annotation on the bean class means that it applies to all applicable business
methods of the class.
51
Security for Java EE Components
@PermitAll
Specifies that all security roles are permitted to execute the specified
method or methods. Specifying this annotation on the bean class means
that it applies to all applicable business methods of the class.
@DenyAll
Specifies that no security roles are permitted to execute the specified
method or methods.
52
Security for Java EE Components
@RolesAllowed("admin") public class SomeClass {
public void aMethod () {...}
public void bMethod () {...} ... }
@Stateless public class MyBean implements SomeClass {
@RolesAllowed("HR")
public void aMethod () {...}
public void cMethod () {...} ... }
The method permissions values of methods aMethod and bMethod are
@RolesAllowed("HR") and also
@RolesAllowed("admin") respectively.
The method permissions for method cMethod have not been specified.
53
WEB SERVISES
• What are Web Services?
– a software system designed to support
interoperable machine-to-machine interaction
over a network".
– Web services are frequently just Web application
programming interfaces (API) that can be accessed
over a network, such as the Internet, and
executed on a remote system hosting the
requested services
54
WEB SERVICES
• What are Web Services?
–
–
–
–
–
–
Web services are application components
Web services communicate using open protocols
Web services are self-contained and self-describing
Web services can be discovered using UDDI
Web services can be used by other applications
XML is the basis for Web services
55
WEB SERVICES
• The basic Web services platform is XML + HTTP.
– XML provides a language which can be used between
different platforms and programming languages and still
express complex messages and functions.
– The HTTP protocol is the most used Internet protocol.
– Web services platform elements:
• SOAP (Simple Object Access Protocol)
• UDDI (Universal Description, Discovery and Integration)
• WSDL (Web Services Description Language)
56
Study Guide
• Read Chapters 29 and 30 of EE5 Tutorial or
corresponding chapters in EE6 tutorial.
57
Related documents
Database Java Bean
Database Java Bean
Programming
Programming
Chapter 1 questions
Chapter 1 questions
CIS 521
CIS 521
Web Services In Action
Web Services In Action
A Java Environment for High-Performance Computing
A Java Environment for High-Performance Computing
JEE Programming
JEE Programming
XML Parsing Using JAXP
XML Parsing Using JAXP
Name - ReachIvy
Name - ReachIvy
Academic Vocabulary Chap 1-3
Academic Vocabulary Chap 1-3
Our direct client has an urgent need for Java Developer for
Our direct client has an urgent need for Java Developer for
Java Basic Syntax
Java Basic Syntax
A Big Test Result
A Big Test Result
Membership Manager
Membership Manager