Paranoiac Deployment with JBoss

Jean-Christophe Pazzaglia. jean-christophe.pazzaglia_at_wanadoo.fr. December, 2003 ... Club Java ...

1
Paranoiac Deployment with JBoss
  • Securing a J2EE application
  • Jean-Christophe Pazzaglia
  • jean-christophe.pazzaglia_at_wanadoo.fr

2
Problematic
  • How to secure a standard (albeit complex)
    application developed using the J2EE stack

3
Context
  • Security application
  • Distributed Intrusion Detection System (IDS)
  • Database Centric Application

Federation of Sensors
Analyst Groupware
Intelligent Database

4
Constraints
  • Data processing (1 Gb sensor)
  • Data storage (10 Gbs per day)
  • Data crawling
  • Configuration management (100s sensors)
  • Availability (24x7)

5
Consequence
  • Heterogeneous architecture
  • PC, Sun, Himalaya
  • Heterogeneous OS
  • Linux/BSD, NonStop, Windows, Solaris
  • Heterogeneous languages
  • Java, C
  • XML, R/DBMS
  • Not a Java everywhere problem

6
Choices
  • CORBA to deal with heterogeneity
  • Time critical component with C/C++
  • High volume data optimized model and specific
    hardware
  • Configuration management XML based using domain
    specific abstraction
  • Analyst groupware built with J2EE

7
Architecture
8
Security issues
  • As secure as possible
  • End-to-end security, given that
  • CORBA is not intrinsically secure
  • Encryption is not viable on the critical path
    (except dedicated hardware)
  • Legal and privacy issue

9
Network architecture
Corba
Corba-EJB bridge
EJB
10
Corba to EJB bridge (1/2)
  • Isolate the CORBA world
  • Disable the use of CORBA standard services
  • Restrict the number of accessible objects
  • Restrict the accessible interface (the EJBs reify a
    subset of the internal IDL)
  • Gateway responsible to translate to/from CORBA

11
Corba to EJB bridge (2/2)
  • Proprietary extension of IDL compiler (based on
    JacORB)
  • EJB generation
  • Specific annotation

12
Architecture
13
Securing the Analyst interactions
  • Encryption
  • Avoid third-party sniffing (push and pull)
  • Authentication
  • Ensure that each user is logged in once per class of
    access (if authorized)
  • Multiple gateway access
  • Authorization
  • Check that only legal access is done
  • Standard solution based on JAAS/JCE

14
Connection phases
  • Establish a bidirectional encrypted connection
    (SSL with handshake)
  • Check the username/password and connection
    uniqueness
  • Take into account the role of the user
  • Download user profile

15
JAAS/JCE highlights
  • JAAS
  • Keep Business and Security Logic distinct
  • Subject/Principal/Credential
  • LoginModule and Handler mechanism
  • Declarative approach
  • JCE
  • Strong encryption
  • Symmetric and Asymmetric keys mechanism
  • Message Authentication Code
  • Large set of algorithms (RSA, Blowfish, DES, AES, ...)
  • Java Standard (1.4)

16
Encryption requirements
  • Support for encryption (JCE)
  • Standard since JRE/JDK 1.4
  • Certification authority
  • Both sides should be trusted by the same
    authority
  • Poor man solution using OpenSSL and keytool
  • Support from the application server
  • Standard EJB call
  • JMS support

17
Encryption Configuration
  • Security evolved a lot between 2.x, 3.0, 3.x, 4.0
  • Buy the last documentation (10) !!!
  • Application server setting (<appName>\conf\jboss-service.xml)
  • Setup a security domain

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=RMISSL">
  <constructor>
    <arg type="java.lang.String" value="RMISSL"/>
  </constructor>
  <attribute name="KeyStoreURL">myKeys.ks</attribute>
  <attribute name="KeyStorePass">tryIt</attribute>
</mbean>

18
Encryption Configuration
  • Add an invoker
  • Use the invoker for the Bean (jboss.xml)

<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp,socketType=SSL">
  <attribute name="RMIObjectPort">4445</attribute>
  <attribute name="RMIClientSocketFactory">
    org.jboss.security.ssl.RMISSLClientSocketFactory
  </attribute>
  <attribute name="RMIServerSocketFactory">
    org.jboss.security.ssl.RMISSLServerSocketFactory
  </attribute>
  <attribute name="SecurityDomain">java:/jaas/RMISSL</attribute>
</mbean>

<session>
  <ejb-name>MyBean</ejb-name>
  <configuration-name>Standard Stateful SessionBean</configuration-name>
  <home-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</home-invoker>
  <bean-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</bean-invoker>
</session>

19
Encryption Configuration
  • Configure the JMS server (jbossmq-service.xml)

<mbean code="org.jboss.mq.il.uil2.UILServerILService"
       name="jboss.mq:service=InvocationLayer,type=HTTPSUIL2">
  <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker</depends>
  <attribute name="ConnectionFactoryJNDIRef">HTTPSUIL2ConnectionFactory</attribute>
  <attribute name="XAConnectionFactoryJNDIRef">HTTPSUIL2XAConnectionFactory</attribute>
  <!-- ... -->
  <attribute name="ClientSocketFactory">org.jboss.security.ssl.ClientSocketFactory</attribute>
  <attribute name="ServerSocketFactory">org.jboss.security.ssl.DomainServerSocketFactory</attribute>
  <attribute name="SecurityDomain">java:/jaas/RMISSL</attribute>
</mbean>

20
Architecture
21
Login into the system
  • Require a security domain
  • Dedicated Login module
  • Extending AbstractServerLoginModule
  • Checking the username/password against the
    backend (in our case via CORBA)
  • Retrieving Roles associated with the user
  • Installing a CallbackHandler (used to store
    credentials)
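
The login steps on this slide, together with the connection-uniqueness check from the Connection phases slide, as an added example that is not code from the talk: a plain `javax.security.auth.spi.LoginModule` stands in for a JBoss `AbstractServerLoginModule` subclass so that it runs on a bare JDK 17+. The in-memory `BACKEND` map (in place of the CORBA call), the `alice` account and the `analyst` role are constructed for illustration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Added example (Java 17+): a plain JAAS module, not the talk's CorbaServerLoginModule.
public class UniqueLoginModule implements LoginModule {
    record Named(String name) implements java.security.Principal { public String getName() { return name; } }
    // Constructed stand-in for the backend the talk reaches via CORBA: user -> password.
    static final Map<String, String> BACKEND = Map.of("alice", "s3cret");
    static final Set<String> ACTIVE = Collections.synchronizedSet(new HashSet<>()); // connected users
    private Subject subject; private CallbackHandler handler; private String user; // user: set while we hold the slot
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("no credentials: " + e); }
        String name = nc.getName(), expected = name == null ? null : BACKEND.get(name);
        char[] given = pc.getPassword();
        if (expected == null || given == null || !Arrays.equals(expected.toCharArray(), given))
            throw new FailedLoginException("bad username or password");
        if (!ACTIVE.add(name))                       // connection uniqueness
            throw new LoginException(name + " is already connected");
        user = name; return true;
    }
    public boolean commit() {
        if (user == null) return false;              // our own login() did not succeed
        subject.getPrincipals().addAll(List.of(new Named(user), new Named("analyst"))); // constructed role
        return true;
    }
    public boolean abort() { return release(); }     // a refused login must not free another session's slot
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof Named); return release(); }
    private boolean release() { if (user != null) ACTIVE.remove(user); user = null; return true; }

    public static void main(String[] args) throws Exception {
        var entry = new AppConfigurationEntry(UniqueLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of());
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String d) { return new AppConfigurationEntry[] { entry }; }
        };
        CallbackHandler h = cbs -> { ((NameCallback) cbs[0]).setName("alice");
            ((PasswordCallback) cbs[1]).setPassword("s3cret".toCharArray()); };
        LoginContext first = new LoginContext("CorbaLogin", null, h, cfg);
        first.login();
        try { new LoginContext("CorbaLogin", null, h, cfg).login(); }
        catch (LoginException e) { System.out.println("second login refused: " + e.getMessage()); }
        first.logout();
    }
}
```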

22
Login Module Configuration
  • Add a specific security domain (login-config.xml)
  • Specify the domain (jboss.xml)

<policy>
  <application-policy name="CorbaLogin">
    <authentication>
      <login-module code="CorbaServerLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>

<security-domain>java:/jaas/CorbaLogin</security-domain>
<enterprise-beans>
  <session>
    <ejb-name>MyBean</ejb-name>
    <!-- ../ -->
  </session>
  <!-- ../ -->

23
Login Module Configuration
  • Modify cache setting
  • Default too permissive (30)

<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
  <attribute name="SecurityManagerClassName">
    org.jboss.security.plugins.JaasSecurityManager
  </attribute>
  <attribute name="DefaultCacheResolution">5</attribute>
  <attribute name="DefaultCacheTimeout">60</attribute>
</mbean>

24
EJB Security Management
  • Declarative approach
  • Rely on the identity of the user (subject)
  • Security roles (principals)
  • Set of permissions
  • Security Roles x EJB x Method signature
  • Security information accessible on Bean too

25
Mapping role-methods
<assembly-descriptor>
  <security-role>
    <description>Monitor incoming alerts and create reports</description>
    <role-name>analyst</role-name>
  </security-role>
  <!-- ../ -->
  <method-permission>
    <role-name>analyst</role-name>
    <method>
      <ejb-name>MyBean</ejb-name>
      <method-name>getAlertDetail</method-name>
      <method-params>
        <method-param>int</method-param> <!-- id -->
      </method-params>
    </method>
    <!-- ../ -->

26
Architecture
Certificate
Sensors
GUI
Software agents
27
JAAS Limitation
  • Declarative approach
  • Method Signature x Role
  • Authorization cannot take parameter values into
    account
  • Example
  • Analyst requesting data outside a certain subnet
  • Analyst requesting sensitive packet bodies
    (VoIP, mail, etc.)

28
JBoss Security Architecture (2.4)
29
JBoss Security Extension
  • Based on Security Proxy
  • Stateless object intercepting method call
  • Can be customized on a per bean basis
  • org.jboss.security.SecurityProxy interface

30
Simple Security Proxy
public void invoke(Method m, Object[] args, Object bean) throws SecurityException {
    EJBContext ctx = (EJBContext) _ctx.get();
    String caller = ctx.getCallerPrincipal().getName();
    String operation = m.getName();
    // The implementation of the defined policies.
    if (operation.equals("retrieveAlertsForSensor")) {
        int sensorId = ((Integer) args[1]).intValue();
        // An analyst is member of a group responsible for a set of sensors
        if (!isInChargeOfSensor(sensorId, caller))
            throw new SecurityException("sensorId out of scope");
    } else if ../

<enterprise-beans>
  <session>
    <ejb-name>MyBean</ejb-name>
    <security-proxy>analystProxy</security-proxy>
    <!-- ../ -->
  </session>
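
The subnet case from the JAAS Limitation slide, enforced by intercepting the call as the security proxy above does, as an added example that is not code from the talk: a JDK `java.lang.reflect.Proxy` stands in for the JBoss security proxy so that it runs on a bare JDK 17+. The `AlertStore` interface, the `SCOPE` policy table and the `alice` analyst are hypothetical names constructed for illustration, and only IPv4 is handled.

```java
import java.lang.reflect.*;
import java.util.*;

// Added example (Java 17+): java.lang.reflect.Proxy stands in for the JBoss security proxy.
public class SubnetGuard implements InvocationHandler {
    public interface AlertStore { List<String> alertsForHost(String ip); } // hypothetical bean interface
    // Constructed policy: analyst name -> IPv4 subnets (CIDR) that analyst may query.
    static final Map<String, List<String>> SCOPE = Map.of("alice", List.of("10.1.0.0/16", "192.168.7.0/24"));
    private final Object bean; private final String caller;
    SubnetGuard(Object bean, String caller) { this.bean = bean; this.caller = caller; }

    static int ipv4(String s) {                      // strict literal parse: no DNS lookup, fails closed
        String[] parts = s.split("\\.", -1);
        if (parts.length != 4) throw new SecurityException("not an IPv4 literal: " + s);
        int v = 0;
        for (String p : parts) {
            int octet = Integer.parseInt(p);         // NumberFormatException also aborts the call
            if (octet < 0 || octet > 255) throw new SecurityException("not an IPv4 literal: " + s);
            v = (v << 8) | octet;
        }
        return v;
    }
    static boolean inCidr(String ip, String cidr) {
        String[] parts = cidr.split("/");
        int bits = Integer.parseInt(parts[1]);
        int mask = bits == 0 ? 0 : -1 << (32 - bits); // a shift by 32 would be a no-op in Java
        return (ipv4(ip) & mask) == (ipv4(parts[0]) & mask);
    }
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        if (m.getName().equals("alertsForHost")) {   // the decision depends on the argument value
            String ip = (String) args[0];
            if (SCOPE.getOrDefault(caller, List.of()).stream().noneMatch(c -> inCidr(ip, c)))
                throw new SecurityException(ip + " is outside the subnets assigned to " + caller);
        }
        try { return m.invoke(bean, args); }
        catch (InvocationTargetException e) { throw e.getCause(); }
    }
    static AlertStore guard(AlertStore bean, String caller) {
        return (AlertStore) Proxy.newProxyInstance(AlertStore.class.getClassLoader(),
            new Class<?>[] { AlertStore.class }, new SubnetGuard(bean, caller));
    }
    public static void main(String[] args) {
        AlertStore store = guard(ip -> List.of("constructed alert for " + ip), "alice");
        System.out.println(store.alertsForHost("10.1.42.9"));
        try { store.alertsForHost("172.16.0.5"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```
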
31
Conclusion
  • Typical n-tiers Application
  • Securing an application
  • Fair amount of effort
  • Almost standard (except configuration !)
  • Business and Security can be largely distinct
  • Declarative
  • Orthogonal
  • Solution Open Source
  • JAAS/JCE/keytool
  • JBoss/OpenSSL
  • JBoss 4.0 introduces AOP
  • Enable result manipulation