Securing Access to the Application - PowerPoint PPT Presentation

2
Securing Access to the Application, Session 4
Kevin Wong, Senior Product Manager, Oracle Corporation
3
Agenda
  • Application Security Requirements
  • Relevant Standards
  • Authentication
  • Authorization
  • J2EE Security Walkthrough

5
Application Security Requirements
  • Security is a Process, Not a Product
  • No 100% security
  • Security of System = Security of Weakest Link
  • Go beyond firewall security
  • Implement multi-layer security
  • Application-level Security Considerations
  • Authentication
  • Authorization
  • Secure Transport
  • Security aware vs. unaware applications

7
J2EE Security
  • Design Principles
  • Declarative security model
  • Decouple security logic from application logic
  • Portable
  • Leverage existing security infrastructure
  • J2EE Roles
  • Application Provider
  • Application Assembler
  • Application Deployer
  • System Administrator

8
J2EE Security: Authentication
  • Multiple Authentication Methods
  • BASIC, Form, SSL client-cert, etc.
  • Declarative Security
  • Deployment descriptors: web.xml, ejb-jar.xml
  • Missing
  • Extensible/Pluggable authentication
  • JSR-196 Authentication Interface for Containers
  • Single Sign-On support (web)

9
J2EE Security: Authorization
  • Protected Resources
  • Web Resources: URL patterns
  • Enterprise Beans: method permissions
  • J2EE Logical Role (a.k.a. Security Role)
  • Level of abstraction/indirection that ties users
    to permissions
  • Not the same as NIST's Role Based Access Control
    (RBAC)
  • Provides application portability
  • Insulates developers from physical environment
  • Java Authorization Contract for Containers (JACC)
    with J2EE 1.4

10
Java 2 Security
11
Java 2 Security (continued)
  • Key components
  • Security Manager/Access Controller determines
    access rights
  • Security Policy defines permissions
  • Necessary if running any untrusted code in your
    JVM
  • Limitations
  • Code-based security only
  • File-based implementation is difficult to manage and
    doesn't scale

12
JAAS (Java Authentication and Authorization Service)
  • Principal-Based security
  • Authentication
  • Pluggable Authentication Module (PAM) framework
  • Authorization
  • Extension to Java 2 Security Model
  • Optional Package to JDK 1.3
  • JDK 1.4 Core API
  • J2EE 1.3 Requirement
  • Integrated in J2EE 1.4 via JACC (JSR 115)

13
JAAS for J2EE Example: OracleAS JAAS Provider
  • JAAS implementation for J2EE environment
  • Two repository types built-in
  • XML flat-file
  • Oracle Internet Directory (OID)
  • Benefits
  • Integrates J2EE Security (i.e. deployment
    descriptors) with JAAS
  • J2EE Apps can take advantage of Oracle Identity
    Management (OID and Single Sign-On)

14
Security Standards Secure Access
16
Which Authentication Mechanism?
  • Many Authentication Mechanisms to Choose From
  • username/password, SSL-cert, smartcard,
    biometrics, etc.
  • Standards
  • HTTP Authentication (Basic, Form, SSL Client
    Cert, etc.)
  • Integrate with existing systems

17
Should You SSO-enable Your Applications?
  • The Problem
  • Unlimited connectivity = unlimited accounts and
    passwords
  • Administrative and Maintenance cost
  • Security Implications
  • Look for an SSO Solution That's Integrated With
    Your Infrastructure and Supports The Relevant
    Standards

18
Which Authorization Mechanism?
  • Roll Your Own Security?
  • Maintenance
  • Administrative Cost
  • Inconsistent Authorization Policy -> Insecurity
  • Understand The Relevant Standards
  • J2EE Security
  • Java 2/JAAS Security

20
Walkthrough: Authentication and Authorization Choices
  • Authentication
  • Username and password using login form (passed
    over the wire in cleartext)
  • No integration with SSO service
  • Authorization
  • J2EE Logical Roles
  • No Java 2 or JAAS based authorization

21
J2EE Logical Roles
  • Security settings defined in standard J2EE
    deployment descriptors
  • ejb-jar.xml, web.xml, application.xml
  • Identities are abstracted through the use of
    logical roles
  • A logical role is defined with the tag
    <security-role>
  • Declare access restrictions using logical roles
  • Protect Web application resources
  • Protect EJB methods

22
J2EE Security Constraints
The Web World, web.xml
  • Define the logical roles for this Web application
    using <security-role>
  • Define a login requirement using <login-config>

<security-role>
  <role-name>FAQRole</role-name>
</security-role>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>The FAQ Application</realm-name>
</login-config>
23
J2EE Security Constraints
The Web World, web.xml
  • Declare security constraints for a Web resource
    using defined logical roles

<security-constraint>
  <web-resource-collection>
    <web-resource-name>FAQ App General</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>FAQRole</role-name>
  </auth-constraint>
</security-constraint>
24
DEMONSTRATION: Basic and Form Based Login
25
Security and the Deployer Role
(Diagram built up over slides 25-30: a J2EE application EAR being deployed to OC4J)
  • Locate logical roles from the deployment descriptor (DD):
    <security-role>FAQRole</security-role>
  • Consider the local security environment (OC4J users and groups):
    <user username="faq"><group name="users"/></user>
  • Create the OC4J-specific mappings:
    <security-role-mapping name="FAQRole"><group name="users"/></security-role-mapping>
  • Deploy: the deployed J2EE app carries the OC4J-specific mappings
31
Mapping Logical Roles to Actual Users
  • Deployer maps logical roles to actual users
  • Use container specific deployment descriptors
  • orion-ejb-jar.xml, orion-web.xml,
    orion-application.xml
  • Mappings defined using tag <security-role-mapping>

32
Mapping Logical Roles to Actual Users

<security-role-mapping name="FAQRole">
  <group name="users" />
  <user name="faq" />
</security-role-mapping>

(Slides 32-34 annotate this snippet: FAQRole is the J2EE logical role as per the deployment descriptor; users and faq are the actual group and user from OC4J.)
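As an added example (not from the slides or from OC4J), a small Python audit that ties the two halves of the walkthrough together: it parses a constructed web.xml carrying the security-constraint and login-config elements from slides 22-23 and a constructed orion-web.xml carrying the security-role-mapping from slides 31-34, resolves which OC4J principals can actually reach each url-pattern, and flags the cleartext FORM login the walkthrough itself points out (a constraint with no CONFIDENTIAL transport-guarantee) as well as any role the deployer never mapped. The element names follow the page; the sample descriptors, the extra AdminRole constraint and the function names are assumptions.

```python
"""Resolve effective web access from a J2EE web.xml and an OC4J orion-web.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml modelled on the slides' FAQ application (no XML namespace, for brevity).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>FAQ App General</web-resource-name>
      <url-pattern>*.do</url-pattern></web-resource-collection>
    <auth-constraint><role-name>FAQRole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>AdminRole</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><realm-name>The FAQ Application</realm-name></login-config>
  <security-role><role-name>FAQRole</role-name></security-role>
  <security-role><role-name>AdminRole</role-name></security-role>
</web-app>"""
# Constructed deployer-side mapping as on the slides; AdminRole is deliberately left unmapped.
ORION_WEB_XML = """<orion-web-app>
  <security-role-mapping name="FAQRole"><group name="users"/><user name="faq"/></security-role-mapping>
</orion-web-app>"""


def role_mappings(orion_xml):
    """Logical role -> sorted 'user:NAME' / 'group:NAME' principals the deployer mapped to it."""
    return {m.get("name"): sorted(f"{c.tag}:{c.get('name')}" for c in m if c.tag in ("user", "group"))
            for m in ET.fromstring(orion_xml).iter("security-role-mapping")}


def audit(web_xml, orion_xml):
    """Return (url-pattern -> principals that can reach it, list of finding strings)."""
    root, mappings = ET.fromstring(web_xml), role_mappings(orion_xml)
    form_login = root.findtext("login-config/auth-method", "").strip() == "FORM"
    access, findings = {}, []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        roles = [r.text.strip() for r in sc.iter("role-name")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        for pat in patterns:  # effective access = union of the principals behind each allowed role
            access[pat] = sorted({p for r in roles for p in mappings.get(r, [])})
        for r in roles:
            if r not in mappings:  # missing deployer mapping: the resource is unreachable, not open
                findings.append(f"{r}: in auth-constraint but has no security-role-mapping")
        if form_login and guarantee != "CONFIDENTIAL":  # the cleartext case the walkthrough describes
            findings.append(f"{patterns}: FORM login over transport-guarantee {guarantee}; set CONFIDENTIAL")
    return access, findings
```

Running `audit(WEB_XML, ORION_WEB_XML)` shows that only group users and user faq can reach *.do, that /admin/* is reachable by nobody until AdminRole is mapped, and that the *.do constraint still submits the login form in cleartext.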
36
Learn Oracle From Oracle
  • Instructor led training
  • Self-Study
  • Online learning
  • Oracle Certification
  • Oracle iLearning
  • Oracle Tutor

oracle.com/education
Recommended class: OracleAS Build J2EE Applications
37
otn.oracle.com
Join Over 3,000,000 Developers!
Free Technical Advice
Free Software Downloads
otn.oracle.com/tech/java