Enterprise Java Beans Security - PowerPoint PPT Presentation

Slides: 29
Provided by: daniel85

Transcript and Presenter's Notes

1
Enterprise Java Beans Security
2
EJB Security Goals
  • Lessen burden on application developer
  • Container can provide security infrastructure
  • Deployer and system administrator define security
    policies
  • Avoid hard-coding security policies in bean
    implementations
  • Bean portability among EJB servers that use
    different security mechanisms

3
EJB Roles and Security
  • Application Assembler defines security roles for
    an application
  • Deployer maps principals (or groups of
    principals) in an operational environment to the
    security roles defined by the application
    assembler
  • Bean implementer may implement security policies
    in code (Avoid if possible)

4
Security Components
  • Identification
      • Login id (Principal)
  • Authentication
      • Validate user's identity
  • Authorization
      • Determine what operations are permitted for the
        user
  • Secure Communication
      • Encryption of client-server communication path

5
Identification
  • Who is this?
  • Not covered by EJB Spec
  • Options
      • User id
      • Distinguished name in X.509 certificate

6
Authentication
  • Are we sure this is who they say they are?
  • Not covered by EJB Spec
  • Weblogic approach
      Properties p = new Properties();
      p.put(Context.SECURITY_PRINCIPAL, "User1");
      p.put(Context.SECURITY_CREDENTIALS, "Password1");
      Context c = new InitialContext(p);
      ..
      weblogic.password.User1=Password1   // weblogic.properties
  • SSL Client Side certificate

7
Authorization
  • Authorization required to invoke bean methods
  • Declarative
      • Configure container to perform security checks
      • Controlled by deployment descriptor
  • Programmatic
      • Programmer assumes responsibility for security
        checks

8
Secure Communications
  • Not covered by EJB spec
  • Typically SSL is employed

9
EJB Authorization
  • Declarative
      • Coarse-Grained security
      • Check identity of caller and test against
        required role to invoke bean method
      • Throw RemoteException if not authorized
  • Programmatic
      • Fine-Grained security
      • getCallerPrincipal()
      • isCallerInRole()

10
Declarative Authorization
  • Declare bean's access restrictions in deployment
    descriptor
  • Declares what role(s) are permitted to invoke
    specific bean methods.
  • For example, the user must be in the 'managers'
    group to invoke the bean method 'fireEmployee'

11
Declarative Security Control
  • Declare logical security roles in ejb-jar.xml
  • Grant access to bean methods with
    <method-permission>
  • Deployer maps logical security role to role/group
    in the run-time environment

12
Security Roles
<assembly-descriptor>
  <security-role>
    <description>General account maintenance</description>
    <role-name>teller</role-name>
  </security-role>
  <!-- Other roles defined. Scope is all beans in ejb-jar file -->
</assembly-descriptor>
13
Method Permissions
<method-permission>
  <role-name>teller</role-name>
  <method>
    <ejb-name>TellerBean</ejb-name>
    <method-name></method-name>
  </method>
</method-permission>
14
Deployment
<!-- In weblogic-ejb-jar.xml -->
<security-role-assignment>
  <role-name>teller</role-name>
  <principal-name>Level7</principal-name>
</security-role-assignment>
15
Weblogic Roles
  • weblogic.security.group.Level5=E1, E2, E4
  • weblogic.security.group.Level7=E1
  • weblogic.security.group.Level10=E4
  • Employee 1 (E1) has both Level5 and Level7 rights
  • Employee 2 (E2) has only access rights granted to
    Level5
  • Employee 4 (E4) can be a Level 10

16
Programmatic Access Control
  • Code can check security authorization of caller
    in addition to container checks
  • May want to do bean-instance-specific security
    checks
  • Query EJBContext to determine identity of caller

17
Declarative vs. Programmatic
  • Can be viewed as two levels of security
  • Container can perform checks that pertain to all
    bean instances
  • Bean implementer can perform security checks that
    vary for individual bean instances
      • e.g. BankSupervisor role is required for
        transfers to an account that is locked
  • Declarative specifications de-couple bean's
    operations from company's security policies

18
(No Transcript)
19
Programmatic Access Control
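public class TellerBean {
  // ctx is the bean's EJBContext, saved when the container supplied it.
  public void closeAccount(int accountID) throws InvalidAccessException {
    if (getAccountType(accountID).equals("Special")) {
      // Instance-specific check on top of the container's declarative check.
      if (!ctx.isCallerInRole("managers")) {
        throw new InvalidAccessException("Manager req for special acct");
      }
    }
    // Close the account. Tellers can close all but special accounts.
  }
}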
20
Security Declarations
  • Bean provider must declare all security role
    names used in bean code
      • <security-role-ref>
      • isCallerInRole() used in the code
  • Application Assembler
      • logical security view of the application
      • <security-role>
      • method permissions for each security role

21
Bean Provider
<enterprise-beans>
  <session>
    <ejb-name>TellerBean</ejb-name>
    <ejb-class>MyTellerBeanImpl</ejb-class>
    <security-role-ref>
      <description>special account maint.</description>
      <role-name>managers</role-name>
    </security-role-ref>
  </session>
</enterprise-beans>

22
Application Assembler
<assembly-descriptor>
  <security-role>
    <description>
      Role defines users who may affect
      all employees in a department
    </description>
    <role-name>supervisors</role-name>
  </security-role>
  <!-- Other roles defined. Scope is all beans in ejb-jar file -->
  <!-- we'd have tellers also -->
</assembly-descriptor>

23
Method Permissions
<method-permission>
  <role-name>tellers</role-name>
  <method>
    <ejb-name>TellerBean</ejb-name>
    <method-name></method-name>
  </method>
</method-permission>

24
Linking Security Roles
  • Must link application roles with any defined
    by bean provider

<security-role-ref>
  <description> .. </description>
  <role-name>managers</role-name>
  <role-link>supervisors</role-link>
</security-role-ref>

25
Deployment
<!-- In weblogic-ejb-jar.xml -->
<security-role-assignment>
  <role-name>tellers</role-name>
  <principal-name>Level5</principal-name>
</security-role-assignment>
<security-role-assignment>
  <role-name>supervisors</role-name>
  <principal-name>Level10</principal-name>
</security-role-assignment>
26
Deployment (Cont)
  • weblogic.password.jim=password
  • weblogic.password.dan=password
  • weblogic.password.drzeus=password
  • weblogic.security.group.Level5=jim,dan
  • weblogic.security.group.Level10=dan
  • Can also use databases, LDAP, etc. instead of
    entries in weblogic.properties
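
The chain built up on slides 20 to 26 (role name used in code, role-link, logical role, WebLogic principal, group members) can be resolved end to end to audit who is actually authorized. This is an added example, not part of the presentation: the descriptors are constructed from the slides' values, and the `*` method-name wildcard and all function names are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed inputs modelled on slides 21-26; method-name "*" is an assumption.
EJB_JAR = """<ejb-jar><enterprise-beans><session><ejb-name>TellerBean</ejb-name>
  <security-role-ref><role-name>managers</role-name>
    <role-link>supervisors</role-link></security-role-ref>
</session></enterprise-beans><assembly-descriptor>
  <method-permission><role-name>tellers</role-name>
    <method><ejb-name>TellerBean</ejb-name><method-name>*</method-name></method>
  </method-permission></assembly-descriptor></ejb-jar>"""
WEBLOGIC = """<weblogic-ejb-jar>
<security-role-assignment><role-name>tellers</role-name>
  <principal-name>Level5</principal-name></security-role-assignment>
<security-role-assignment><role-name>supervisors</role-name>
  <principal-name>Level10</principal-name></security-role-assignment></weblogic-ejb-jar>"""
GROUPS = "weblogic.security.group.Level5=jim,dan\nweblogic.security.group.Level10=dan"

def load(ejb_jar, vendor, props):
    pairs = (line.partition("=")[::2] for line in props.splitlines())
    groups = {k.rsplit(".", 1)[1]: {m.strip() for m in v.split(",")}
              for k, v in pairs if k.startswith("weblogic.security.group.")}
    assign = {}  # logical role -> principal names from the vendor descriptor
    for a in ET.fromstring(vendor).iter("security-role-assignment"):
        assign.setdefault(a.findtext("role-name"), set()).update(
            p.text for p in a.iter("principal-name"))
    return ET.fromstring(ejb_jar), assign, groups

def users_in_role(role, assign, groups):  # a principal is a group (expanded) or a user
    return set().union(*(groups.get(p, {p}) for p in assign.get(role, ())))

def may_invoke(user, bean, method, model):
    """Declarative check: does any method-permission cover this call for this user?"""
    ejb, assign, groups = model
    for mp in ejb.iter("method-permission"):
        roles = [r.text for r in mp.findall("role-name")]
        for m in mp.iter("method"):
            if (m.findtext("ejb-name") == bean and m.findtext("method-name") in ("*", method)
                    and any(user in users_in_role(r, assign, groups) for r in roles)):
                return True
    return False  # no matching permission: deny

def is_caller_in_role(user, bean, coded_role, model):
    """Programmatic check: the name used in code only resolves through its role-link."""
    ejb, assign, groups = model
    for b in ejb.find("enterprise-beans"):
        for ref in b.iter("security-role-ref"):
            if b.findtext("ejb-name") == bean and ref.findtext("role-name") == coded_role:
                link = ref.findtext("role-link")
                return link is not None and user in users_in_role(link, assign, groups)
    return False  # role name not declared in a security-role-ref: deny

MODEL = load(EJB_JAR, WEBLOGIC, GROUPS)
```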

27
Deployer Responsibilities
  • Using application server tools, read security
    view of application and map this view to the
    target environment
  • Assigns principals (users and groups) in the
    operational environment to defined
    <security-role>s
  • EJB does not define how a business should
    implement its security architecture

28
EJB Security Summary
  • Security is role-based in EJB
  • Declarative and Programmatic
  • Roles defined for
      • bean developer
      • application assembler
      • deployer
  • Important security mechanisms not defined in EJB