Web Based Commerce 514H
Dr Kingsley Sage
Room 2R308, Chichester II
© University of Sussex 2009
Lecture 8
Security
Java Authentication and Authorisation Service
(JAAS)
Security concepts
Encryption
Public Key Infrastructure
Digital signatures
Digital certificates
More details in the notes on the course web
site
Encryption and PKI
The science of rendering a message unintelligible to a
third party should they intercept it
A message can only be unscrambled using a special
code, or “key”
“Traditional” encryption uses the same key to scramble
and unscramble the message
“Public key” algorithms have a public key used to
scramble the message and a private key (or set of keys)
used to unscramble the message
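As an added illustration of the two families of encryption just described plus the digital signatures listed on the first slide (this is example code written for these notes, not part of the lecture), the following program uses the standard Java Cryptography Extension: AES-GCM for the "same key both ways" case, RSA-OAEP for the "public key scrambles, private key unscrambles" case, and SHA256withRSA to show that a signature made with the private key verifies with the public key and fails once the message is altered. The message text and key sizes are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CryptoDemo {

    /** "Traditional" (symmetric) encryption: one secret key both scrambles and unscrambles. */
    static byte[] symmetricRoundTrip(String message) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];              // GCM nonce: must be unique for every message under one key
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ciphertext = c.doFinal(message.getBytes(StandardCharsets.UTF_8));
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));   // the same key unscrambles
        return c.doFinal(ciphertext);          // GCM also rejects ciphertext that was tampered with
    }

    /** Public-key encryption: the public key scrambles, only the private key unscrambles. */
    static byte[] publicKeyRoundTrip(String message) throws GeneralSecurityException {
        KeyPair kp = newRsaKeyPair();
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        // RSA is slow and limited to a message shorter than the key, so in practice it
        // transports a symmetric key and the bulk data is encrypted as in symmetricRoundTrip().
        byte[] ciphertext = c.doFinal(message.getBytes(StandardCharsets.UTF_8));
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        return c.doFinal(ciphertext);
    }

    /** Digital signature: the private key signs, anyone holding the public key verifies. */
    static byte[] sign(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }

    static KeyPair newRsaKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String msg = "order 42: ship 3 widgets";   // constructed sample message
        System.out.println("AES round trip ok: "
                + msg.equals(new String(symmetricRoundTrip(msg), StandardCharsets.UTF_8)));
        System.out.println("RSA round trip ok: "
                + msg.equals(new String(publicKeyRoundTrip(msg), StandardCharsets.UTF_8)));

        KeyPair kp = newRsaKeyPair();
        byte[] data = msg.getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), data);
        byte[] altered = "order 42: ship 30 widgets".getBytes(StandardCharsets.UTF_8);
        System.out.println("signature verifies on original: " + verify(kp.getPublic(), data, sig));
        System.out.println("signature verifies on altered:  " + verify(kp.getPublic(), altered, sig));
    }
}
```

The two round trips print true, the original message verifies and the altered one does not; the signature therefore binds the message to the holder of the private key, which is what a digital certificate then ties to a named party.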
JAAS
Java Authentication and Authorisation Service (JAAS)
is a set of APIs that can be used for:
- Authentication of users : to reliably and securely determine who
is executing Java code, regardless of whether the code is
running as an application, an applet, a bean or a servlet
- Authorisation of users : to ensure that they have the access
control rights (permissions) required to do the actions
performed
JAAS authentication is performed in a pluggable
manner. This permits Java applications to remain
independent from the underlying authentication
technologies
JAAS (2)
At a high level, the steps to enable JAAS based
security are:
- Identify the resources that need to be secured. We shall
consider a web application and an EJB application
- Identify a suitable security provider. In our case, security is
provided by the JBOSS security manager
- Use a security implementation to secure the identified
resources
- Make the clients of the secured resources aware of the
security implementation and usage mechanisms. Security
identifiers will, in most cases, be username/password
combination or digital certificates
JAAS classes
To achieve all this, JAAS provides classes:
- LoginModule: authenticates and authorises clients
- LoginContext: the user needs this to log in
- CallbackHandler and Callback: these are the classes that allow interaction/data transfer between the clients and the LoginModule. The LoginModule uses a Callback to request information from the clients. The CallbackHandler on the client side provides that information
- Principal and Group: LoginModule populates identification information about the client into the Principal class and authorisation information (role list) into the Group class
- Subject: The result of a successful login. Contains the authenticated Principal and Group. Can be viewed as a secure representation of the client after authentication
Login process sequence
Using JAAS from your application
Performing a privileged action …
    Subject sub = lc.getSubject();
    Subject.doAs(sub, new MyPrivilegedAction());

    private class MyPrivilegedAction implements PrivilegedAction {
        public Object run() {
            try {
                /* Whatever code you want, call session beans … */
            } catch (Exception e) {
                /* handle or log the failure rather than swallowing it */
            }
            return null;
        }
    }
Security mechanisms in JBOSS
The JBOSS application server provides pluggable security managers
The web and EJB containers use the security managers to perform authentication and authorisation
The JAAS based security manager is the default security manager provided with JBOSS
The JAAS security manager obtains the required configuration information from the login-config.xml file located in the conf folder
The XML file provides a list of security domains that are available on the server. Each domain specifies a list of LoginModules that protect the domain
To gain access to the resources protected by a domain, the client must be able to satisfy all the LoginModules that are configured as required
Security mechanisms in JBOSS (2)
Any options to the LoginModule can be specified in a
configuration file. These will be passed to the Module during the
call to the initialize() method
Each security domain will be read by the JAAS security
manager, converted into a SecurityDomainContext object,
and bound in JNDI at java:/jaas/<domain_name>
An application can choose one (and only one) of the
configured security domains to protect itself
The JAAS security manager itself does not perform the
authentication. Instead it instantiates the LoginModules that
perform the actual authentication and authorisation
JBOSS provides LoginModules “out of the box” and you can
also implement your own
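The following self-contained program is an added example for these notes (not lecture code and not a JBOSS module) showing the whole JAAS round trip described on the JAAS classes slides and the "implement your own" point above: a custom LoginModule with the initialize/login/commit/abort/logout lifecycle, the Callback and CallbackHandler exchange, a programmatic Configuration standing in for one security domain of login-config.xml, and the LoginContext login followed by Subject.doAs. The class names JaasDemo, InMemoryLoginModule and SimplePrincipal, the domain name "ourspace" and the user table are all constructed for the example; JBOSS's own modules put roles in a Group principal named "Roles", whereas this demo uses a flagged Principal so it runs on a current JDK (11 or later) without JBOSS on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {
    /** Hypothetical principal type; 'role' marks role principals (JBOSS instead uses a Group named "Roles"). */
    public static final class SimplePrincipal implements Principal {
        private final String name; final boolean role;
        SimplePrincipal(String name, boolean role) { this.name = name; this.role = role; }
        public String getName() { return name; }
        public String toString() { return (role ? "Role[" : "User[") + name + "]"; }
    }

    /** A custom LoginModule backed by a constructed in-memory user table. */
    public static class InMemoryLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
        private static final Map<String, List<String>> ROLES = Map.of("alice", List.of("Secure"));
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;
        private final List<Principal> added = new ArrayList<>();

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;   // 'options' would carry the module options from login-config.xml
            this.handler = handler;
        }

        /* Phase 1: request credentials through callbacks and verify them. */
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            String expected = PASSWORDS.get(nc.getName());
            // A real module compares password hashes rather than cleartext; this is only a stand-in.
            succeeded = expected != null && pw != null && Arrays.equals(expected.toCharArray(), pw);
            if (pw != null) Arrays.fill(pw, '\0');
            if (!succeeded) throw new FailedLoginException("bad username or password");
            user = nc.getName();
            return true;
        }

        /* Phase 2: only a committed login attaches Principals to the Subject. */
        public boolean commit() {
            if (!succeeded) return false;
            added.add(new SimplePrincipal(user, false));
            for (String r : ROLES.getOrDefault(user, List.of())) added.add(new SimplePrincipal(r, true));
            subject.getPrincipals().addAll(added);
            return true;
        }
        public boolean abort() { succeeded = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
    }

    /** Client-side CallbackHandler that answers the module's callbacks from fixed values. */
    static CallbackHandler credentials(String name, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Programmatic stand-in for one security domain in login-config.xml: a single REQUIRED module.
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"ourspace".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        InMemoryLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });

        LoginContext lc = new LoginContext("ourspace", credentials("alice", "s3cret"));
        lc.login();                 // drives login() and then commit() on every configured module
        Subject sub = lc.getSubject();

        // The slide's Subject.doAs(): run an action under the authenticated Subject's identity.
        String result = Subject.doAs(sub, (PrivilegedAction<String>) () ->
                "session bean called as " + sub.getPrincipals(SimplePrincipal.class));
        System.out.println(result);
        lc.logout();                // removes the Principals the module added
    }
}
```

Running it prints the user and role principals that commit() attached; changing the password in credentials() makes lc.login() throw FailedLoginException and the Subject is never populated, which is the two-phase behaviour that lets a security domain with several required modules roll back cleanly via abort().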
JBOSS LoginModules
Some of those provided “out of the box” with JBOSS:
- UserRolesLoginModule: reads the username, password and role information from the files that are packaged with the applications
- DatabaseServerLoginModule: reads the username, password and role information from tables in a database. The database is accessed using JDBC and the JDBC driver needs to be available in application classpath
- LDAPLoginModule: requires a username and password. If successful, the roles are based on the group memberships of the user
- BaseCertLoginModule: uses client certificates to perform authentication. It cannot provide role information. Typically used in conjunction with another LoginModule that provides role information
Securing a web application in
JBOSS (2)
All the resources with the URL pattern /secure/* are protected, and the client must belong to the “Secure” role to access these resources

    <security-constraint>
        <display-name>Restricted to Secure role</display-name>
        <web-resource-collection>
            <web-resource-name>Declarative security</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Secure</role-name>
        </auth-constraint>
    </security-constraint>

Securing a web application in JBOSS (3)
During application packaging, the administrator must choose the security domain that will protect the application. This is specified in the JBOSS specific deployment descriptor jboss-web.xml. A sample file might be:

    <jboss-web>
        <security-domain>java:/jaas/securedomain</security-domain>
    </jboss-web>

Securing an EJB application in JBOSS
Only applies to session beans
Once again, let’s examine declarative security
Declarative security for an EJB application provides selective access
to EJB methods based on the roles that a client is assigned
This is achieved using the <method-permission> tag in the
ejb-jar.xml file
Also need to add appropriate annotations to the session beans
themselves
Let’s see an example …
Securing an EJB application in
JBOSS (2)
Here Method1 is available only to clients belonging to the
“Secure” role, but Method2 in the same bean (MyBean) is
available to all clients
    <method-permission>
        <role-name>Secure</role-name>
        <method>
            <ejb-name>MyBean</ejb-name>
            <method-name>Method1</method-name>
        </method>
    </method-permission>
    <method-permission>
        <!-- ejb-jar.xml requires either role-name or unchecked here; unchecked opens the method to all clients -->
        <unchecked/>
        <method>
            <ejb-name>MyBean</ejb-name>
            <method-name>Method2</method-name>
        </method>
    </method-permission>
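The slide says the session beans also need annotations; as an added example (written for these notes, not taken from the lecture or from JBOSS) here is the EJB 3 annotation form of the same two permissions, using the standard javax.annotation.security annotations and the JBOSS-specific @SecurityDomain to pick the domain from login-config.xml. The package org.jboss.ejb3.annotation is the JBOSS 5 location of that annotation and is an assumption about the server version; the local interface MyBeanLocal and the method names in Java style (method1/method2) are constructed for the example.

```java
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Local
interface MyBeanLocal {
    String method1();
    String method2();
}

@Stateless
@SecurityDomain("securedomain")   // the bean is protected by java:/jaas/securedomain
public class MyBean implements MyBeanLocal {

    // Same effect as the first <method-permission>: only callers whose Subject carries the
    // "Secure" role get in; the container throws EJBAccessException for anyone else before
    // the method body runs, so the check cannot be forgotten inside the bean.
    @RolesAllowed("Secure")
    public String method1() {
        return "data for Secure callers only";
    }

    // Same effect as <unchecked/> for Method2: open to every caller.
    @PermitAll
    public String method2() {
        return "data for everyone";
    }
}
```

Because the roles checked by @RolesAllowed are the ones the security domain's LoginModules placed in the Subject, the web tier's "Secure" role and the EJB tier's "Secure" role line up only when both are served by the same domain, which is why jboss-web.xml and the @SecurityDomain value should name the same entry.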
Introduction to Assignment 2 –
Ourspace
Mathematically, a social network is a directed
(not necessarily fully) connected cyclic graph.
In the context of a human social network,
human beings represent nodes in the social
network graph and the edges signify relations
between people.
Free public social network examples: MySpace,
Friendster, Orkut, Facebook, Bebo, LinkedIn
Introduction to Assignment 2 –
Ourspace (2)
Ourspace simplified model: bi-directed, equally
weighted edges in the social network graph.
This means that if person A considers B as a
friend then it is essential that person B
considers A as a friend (bi-directed); and the
friendship level from A to B is the same as that
from B to A (equal weighting).
Given functionality: create new profile, edit
profile, add/remove friend profiles, search
Introduction to Assignment 2 –
Ourspace (3)
Layers:
- Relational database layer holds the data about each social network node, its relations and other related entities (MySQL database).
- Persistence layer provides the object-to-relational mapping and provides an object-oriented way of accessing the persistent data in the database (Entity beans).
- Business logic layer consists of the data manipulation algorithms, which represent the business functionality of the system (Session beans).
- Web presentation layer, consisting of a model-view-controller (MVC) architecture, interacts with the user requests from the web client (front-end) and the business logic layer at the back-end.
OurSpace and security
Out of the box, OurSpace security isn’t provided by JAAS, so how is user information taken into account?
If you look, you will find the LoginFilter. This is not a JAAS module, but an Interceptor
LoginFilter intercepts HTTP requests
Information about currently logged-in users is kept in a Hashtable. You will find a StatelessSessionBeanCache in the code
LoginFilter stores user profile data in the HTTP session object
So when an action requires a profile, LoginFilter intercepts, looks up user properties in the Hashtable, populates the HTTP session object with user profile data, then control passes back to the action
One of the assignment tasks is to use JAAS to provide A&A services