Java EE Security: EJB 3.0 Auth, Authz, and Confidentiality - Prof. Ye Wu, Study notes of Engineering

An overview of EJB 3.0 security, focusing on authentication, authorization, and confidentiality protection in Java Enterprise Edition. Covers the concepts of authentication and identity, authorization, and security configuration using JNDI and database services.

Typology: Study notes

Pre 2010

Uploaded on 02/12/2009

EJB 3.0 Security
Ye Wu
http://www.ise.gmu.edu/~wuye
SWE 645
Component-based Software Development
2007-4-3 © Dr. Ye Wu 2
EJB 3.0 Security Service
• Authentication
Authentication is the process of validating the identity of a user who is trying to access a secured system.
• Authorization
Authorization can police a user’s access to subsystems, data and business objects, or it can monitor more general behavior.
• Confidentiality and integrity protection
Data transfer should be protected and attackers should not be able to read or modify this data in transit.
Authentication and Identity
• EJB specification does not specify how authentication happens
• EJB specification does not specify how the client is supposed to obtain and associate identity and credentials with an EJB invocation.
• EJB defines how security information is propagated from a client to the server.
Authentication and Identity
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// Client-side JNDI environment: the login context factory attaches the
// principal and credentials below to EJB calls made through this context.
Properties properties = new Properties();
properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
    "org.jboss.security.jndi.JndiLoginInitialContextFactory");
properties.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
properties.put(Context.PROVIDER_URL, "jnp://localhost:1099");
properties.setProperty(Context.SECURITY_PRINCIPAL, "admin");
properties.setProperty(Context.SECURITY_CREDENTIALS, "password");
Context ctx = new InitialContext(properties);
Authorization
Authorization is performed in Java EE and EJB by
associating one or more roles with a given user and
then assigning method permissions based on that role.
The roles used to describe authorization are considered
logical roles because they do not directly reflect users,
groups, or any other security identities in a specific
operational environment.
Authorization is clearly defined in EJB specification
Assigning Method Permissions
import org.jboss.annotation.security.SecurityDomain;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@SecurityDomain("other")
public class StatelessEJB implements StatelessRemote {
    // All roles may call addFunds.
    @PermitAll
    public void addFunds(double amount) {… …}

    // Only callers mapped to the logical role "admin" may call withdrawFunds.
    @RolesAllowed({ "admin" })
    public void withdrawFunds(double amount) throws InsufficientBalanceException {… …}
}

Users.properties
User=password

Roles.properties
User=user_role

The RunAs Security Identity

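import org.jboss.annotation.security.SecurityDomain;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;

@Stateless
@SecurityDomain("other")
// Calls this bean makes to other beans are made under the role "Authorized_user".
@RunAs("Authorized_user")
public class StatelessEJB implements StatelessRemote {… …}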

Programmatic Security

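import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("Dynamic_role")
public class StatelessEJB implements StatelessRemote {
    @Resource SessionContext ctx;
    // within a business method:
    ctx.isCallerInRole("Dynamic_role");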
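
A fuller version of the programmatic check, as an added example that is not from the original slides: @RolesAllowed gates the method declaratively, and isCallerInRole adds a rule that depends on the argument value, which annotations cannot express. The AccountBean and AccountRemote types, the role names teller and manager, and the 1000.00 limit are assumptions for illustration; compiling it needs the Java EE API on the classpath.

```java
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical business interface (public and in its own file in a real project).
@Remote
interface AccountRemote {
    void withdrawFunds(double amount);
}

@Stateless
@DeclareRoles({"teller", "manager"})   // roles tested with isCallerInRole must be declared
public class AccountBean implements AccountRemote {
    private static final Logger AUDIT = Logger.getLogger("audit.account");
    private static final double TELLER_LIMIT = 1000.00;   // assumed policy value

    @Resource
    private SessionContext ctx;

    // Declarative layer: the container rejects callers that hold neither
    // role before this method body runs.
    @RolesAllowed({"teller", "manager"})
    public void withdrawFunds(double amount) {
        // Reject NaN, infinities, zero and negatives before any policy decision.
        if (!(amount > 0) || Double.isInfinite(amount)) {
            throw new IllegalArgumentException("amount must be a positive, finite number");
        }
        String caller = ctx.getCallerPrincipal().getName();

        // Programmatic layer: large withdrawals need the stronger role.
        if (amount > TELLER_LIMIT && !ctx.isCallerInRole("manager")) {
            AUDIT.warning("DENY withdraw caller=" + caller + " amount=" + amount);
            throw new EJBAccessException(
                "withdrawals above " + TELLER_LIMIT + " require role manager");
        }
        AUDIT.info("ALLOW withdraw caller=" + caller + " amount=" + amount);
        // The account debit happens here, only after both checks have passed.
    }
}
```

Logging both outcomes with the caller principal gives a record of denied attempts as well as permitted ones.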

EJB3 Security integration with other

LDAP Service

<application-policy name="testLDAP">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldaphost.jboss.org:1389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=jboss,dc=org</module-option>
      <module-option name="rolesCtxDN">ou=Roles,dc=jboss,dc=org</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
    </login-module>
  </authentication>
</application-policy>

EJB3 Security integration with other

Database Service

<application-policy name="testDB">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/MyDatabaseDS</module-option>
      <module-option name="principalsQuery">select passwd from Users username where username=?</module-option>
      <module-option name="rolesQuery">select userRoles, 'Roles' from UserRoles where username=?</module-option>
    </login-module>
  </authentication>
</application-policy>