Java Security: Encryption, Digital Signatures, JAAS and JBOSS

An overview of security concepts including encryption, public key infrastructure, digital signatures, digital certificates, and the Java Authentication and Authorisation Service (JAAS). It also covers the use of JAAS in securing web and EJB applications in JBoss, with explanations of encryption algorithms, digital signature mechanisms and the role of certificate authorities, instructions on how to use JAAS from an application, and a discussion of the security mechanisms in JBoss.

Typology: Study notes

2010/2011

Uploaded on 09/09/2011


Web Based Commerce 514H
Dr Kingsley Sage
Room 2R308, Chichester II
[email protected]
© University of Sussex 2009

Lecture 8
 Security
 Java Authentication and Authorisation Service (JAAS)

Security concepts
 Encryption
 Public Key Infrastructure
 Digital signatures
 Digital certificates
 More details in the notes on the course web site

Encryption and PKI
 Encryption is the science of rendering a message unintelligible to a third party should they intercept it
 The message can only be unscrambled using a special code, or "key"
 "Traditional" (symmetric) encryption uses the same key to scramble and unscramble the message, so sender and receiver must first share that key over some secure channel
 "Public key" (asymmetric) algorithms use a key pair: the public key, which anyone may hold, scrambles the message and only the matching private key unscrambles it. Used the other way round (private key to sign, public key to verify) the same pair provides digital signatures
 Public key operations are slow and limited to small inputs, so real systems are hybrid: the public key protects a freshly generated symmetric key, which encrypts the bulk of the data
 A Public Key Infrastructure (PKI) addresses the remaining question of whose public key you are holding: a certificate authority signs digital certificates that bind a public key to an identity
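The three mechanisms above (symmetric encryption, public-key wrapping of the symmetric key, and a signature made with the key pair used the other way round) worked through with the JCA/JCE APIs that ship with the JDK. This is an added example written for these notes, not code from the lecture: the class name CryptoDemo, the sample message and the key sizes are assumptions, and both key pairs are generated on the spot rather than taken from certificates. Requires Java 8 or later (AES-256 needs the unlimited-strength policy files on JDKs before 8u161).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CryptoDemo {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // "Traditional" (symmetric) encryption: one secret key both scrambles and unscrambles.
    // AES-GCM also authenticates the ciphertext, so any tampering is detected on decryption.
    static byte[] aesGcmEncrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);          // fresh IV per message; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);   // layout: IV || ciphertext || tag
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] aesGcmDecrypt(SecretKey key, byte[] ivAndCiphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, ivAndCiphertext, 0, GCM_IV_BYTES));
        return c.doFinal(ivAndCiphertext, GCM_IV_BYTES, ivAndCiphertext.length - GCM_IV_BYTES);
    }

    // Public-key encryption: the recipient's public key scrambles, only their private key unscrambles.
    // RSA is slow and limited to one small block, so it wraps the symmetric session key (hybrid scheme).
    static byte[] wrapKey(PublicKey recipientPublic, SecretKey sessionKey) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.WRAP_MODE, recipientPublic);
        return c.wrap(sessionKey);
    }

    static SecretKey unwrapKey(PrivateKey recipientPrivate, byte[] wrapped) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.UNWRAP_MODE, recipientPrivate);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // Digital signature: the pair used the other way round. The private key signs, any holder of the
    // public key verifies. A PKI's job is to vouch, via a certificate, for whose public key that is.
    static byte[] sign(PrivateKey signer, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signer);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey signer, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(signer);
        s.update(data);
        return s.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message standing in for an order form or EJB payload.
        byte[] message = "Order 42: 3 widgets to Sussex".getBytes(StandardCharsets.UTF_8);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();   // recipient publishes getPublic(), keeps getPrivate()
        KeyPair sender = kpg.generateKeyPair();      // sender's signing pair
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey sessionKey = kg.generateKey();     // fresh for this one message

        // Sender: encrypt with the session key, wrap that key for the recipient, sign the ciphertext.
        byte[] ciphertext = aesGcmEncrypt(sessionKey, message);
        byte[] wrappedKey = wrapKey(recipient.getPublic(), sessionKey);
        byte[] signature = sign(sender.getPrivate(), ciphertext);

        // Recipient: verify the signature first, then unwrap the session key and decrypt.
        System.out.println("signature valid: " + verify(sender.getPublic(), ciphertext, signature));
        SecretKey recovered = unwrapKey(recipient.getPrivate(), wrappedKey);
        System.out.println("plaintext: " + new String(aesGcmDecrypt(recovered, ciphertext), StandardCharsets.UTF_8));

        // An intercepting third party who flips one bit fails both the signature and the GCM tag check.
        ciphertext[ciphertext.length - 1] ^= 0x01;
        System.out.println("signature valid after tampering: " + verify(sender.getPublic(), ciphertext, signature));
        try {
            aesGcmDecrypt(recovered, ciphertext);
        } catch (AEADBadTagException e) {
            System.out.println("decryption rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac CryptoDemo.java and java CryptoDemo. Note the two distinct uses of an RSA pair: the recipient's public key is used to encrypt (anyone can encrypt to them), while the sender's private key is used to sign. Because both pairs are generated in one process, the step a PKI would supply, checking a certificate to confirm that sender.getPublic() really belongs to the sender, is omitted here.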

JAAS
 Java Authentication and Authorisation Service (JAAS) is a set of APIs that can be used for:
  • Authentication of users: to reliably and securely determine who is executing Java code, regardless of whether the code is running as an application, an applet, a bean or a servlet
  • Authorisation of users: to ensure that they have the access control rights (permissions) required to do the actions performed
 JAAS authentication is performed in a pluggable manner. This permits Java applications to remain independent from the underlying authentication technologies

JAAS (2)
 At a high level, the steps to enable JAAS based security are:
  • Identify the resources that need to be secured. We shall consider a web application and an EJB application
  • Identify a suitable security provider. In our case, security is provided by the JBOSS security manager
  • Use a security implementation to secure the identified resources
  • Make the clients of the secured resources aware of the security implementation and usage mechanisms. Security identifiers will, in most cases, be a username/password combination or digital certificates

JAAS classes
 To achieve all this, JAAS provides the following classes and interfaces:
  • LoginModule: the pluggable piece that authenticates the client and, on success, records its identity and roles. It works in two phases: login() checks the credentials, then commit() populates the Subject (or abort() discards the result if the overall login failed)
  • LoginContext: the application creates one, naming the configuration entry to use, and calls login() on it to log the user in
  • CallbackHandler and Callback: the classes that allow interaction/data transfer between the client and the LoginModule. The LoginModule uses Callbacks (typically a NameCallback and a PasswordCallback) to request information from the client; the CallbackHandler on the client side supplies that information
  • Principal and Group: the LoginModule populates identification information about the client into a Principal and authorisation information (the role list) into a Group; JBOSS expects the roles in a Group named "Roles". Note that java.security.acl.Group was removed from the JDK in Java 14, so current code represents each role as an ordinary Principal
  • Subject: the result of a successful login. Contains the authenticated Principals (including the roles Group) and any credentials, and can be viewed as a secure representation of the client after authentication

Login process sequence
 The application constructs a LoginContext, naming the configuration entry (security domain) to use, and calls login() on it
 The LoginContext instantiates each configured LoginModule and calls its initialize() method with the Subject, the CallbackHandler and the module options
 Each module's login() is invoked; it hands Callbacks to the CallbackHandler to collect the username, password or certificate, and verifies them
 If the results satisfy the configured control flags, commit() is called on every module and the Subject is populated with Principals and role information; otherwise abort() is called on every module and login() throws a LoginException
 The application retrieves the populated Subject with getSubject()

Using JAAS from your application
 Performing a privileged action, once the LoginContext lc has logged the user in:

    Subject sub = lc.getSubject();
    Subject.doAs(sub, new MyPrivilegedAction());

    private class MyPrivilegedAction implements PrivilegedAction<Object> {
        public Object run() {
            try {
                /* Whatever code you want, call session beans ... */
            } catch (Exception e) {
                // never swallow the exception silently: log it or rethrow it
                throw new RuntimeException(e);
            }
            return null;
        }
    }

 Subject.doAs runs the action with the Subject attached to the current access-control context, so code it calls can recover the caller with Subject.getSubject(AccessController.getContext()). From Java 18 both methods are deprecated in favour of Subject.callAs and Subject.current()
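The whole login sequence in one runnable program: a LoginModule, the Principals it creates, a client-side CallbackHandler, a programmatic Configuration standing in for one security domain entry, and the Subject.doAs call from the slide above. This is an added example for these notes, not lecture or JBoss code. The class names, the user table and the "demo" entry name are assumptions; the user table is constructed in memory so that the program runs without a server or a login-config.xml. It compiles on Java 11 to 21 (with deprecation warnings on 18 and later).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {
    // Principals the module puts into the Subject: one for the identity, one per role.
    // (The slides' java.security.acl.Group was removed in Java 14; roles are plain Principals here.)
    public static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    public static final class RolePrincipal extends SimplePrincipal { RolePrincipal(String n) { super(n); } }

    // Two-phase LoginModule: login() verifies, commit() populates the Subject, abort() discards.
    // LoginContext instantiates it by class name, so it must be public with a public no-arg constructor.
    public static class InMemoryLoginModule implements LoginModule {
        // Constructed user table standing in for users.properties / roles.properties.
        private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
        private static final Map<String, List<String>> ROLES =
                Map.of("alice", List.of("Secure", "User"), "bob", List.of("User"));
        private Subject subject; private CallbackHandler handler; private String user;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s; handler = h;      // options would carry the module-option values from login-config.xml
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});      // ask the client for its credentials
            } catch (java.io.IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain credentials: " + e);
            }
            char[] given = pc.getPassword() == null ? new char[0] : pc.getPassword();   // a copy
            pc.clearPassword();
            String expected = PASSWORDS.get(nc.getName());
            boolean ok = expected != null && MessageDigest.isEqual(          // constant-time comparison
                    expected.getBytes(StandardCharsets.UTF_8), new String(given).getBytes(StandardCharsets.UTF_8));
            Arrays.fill(given, '\0');
            if (!ok) throw new FailedLoginException("bad username or password");
            user = nc.getName();
            return true;
        }

        @Override public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new SimplePrincipal(user));
            for (String r : ROLES.getOrDefault(user, List.of())) subject.getPrincipals().add(new RolePrincipal(r));
            return true;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    // Client side: the CallbackHandler answers the module's Callbacks from credentials the client holds.
    static CallbackHandler credentials(String name, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb, "unrecognised callback");
            }
        };
    }

    // Programmatic equivalent of one security domain entry: a single REQUIRED module with no options.
    static final Configuration DEMO_CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"demo".equals(name)) return null;
            return new AppConfigurationEntry[] {new AppConfigurationEntry(InMemoryLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
        }
    };

    static boolean hasRole(Subject s, String role) {
        return s != null && s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> role.equals(p.getName()));
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("demo", null, credentials("alice", "s3cret"), DEMO_CONFIG);
        lc.login();                                    // calls login() then commit() on every module
        Subject sub = lc.getSubject();
        // doAs binds the Subject to the thread's access-control context, where called code recovers it.
        // (Java 18+ adds Subject.callAs and Subject.current() as the non-deprecated replacements.)
        String outcome = Subject.doAs(sub, (PrivilegedAction<String>) () ->
                hasRole(Subject.getSubject(AccessController.getContext()), "Secure") ? "method1 allowed" : "method1 denied");
        System.out.println(outcome);
        lc.logout();
        try {
            new LoginContext("demo", null, credentials("bob", "wrong"), DEMO_CONFIG).login();
        } catch (FailedLoginException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Run with javac JaasDemo.java and java JaasDemo. The first login prints "method1 allowed" because alice carries the Secure role; the second is rejected inside login(), so commit() never runs and the Subject stays empty. Swapping DEMO_CONFIG for a login-config.xml entry and InMemoryLoginModule for a JBOSS module is exactly what the container does on your behalf.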

Security mechanisms in JBOSS
 The JBOSS application server provides pluggable security managers
 The web and EJB containers use the security managers to perform authentication and authorisation
 The JAAS based security manager is the default security manager provided with JBOSS
 The JAAS security manager obtains the required configuration information from the login-config.xml file located in the conf folder
 The XML file provides a list of security domains that are available on the server. Each domain specifies a list of LoginModules that protect the domain
 To gain access to the resources protected by a domain, the client must be able to satisfy all the LoginModules that are configured as required. (The other standard JAAS control flags are requisite, sufficient and optional; they change how one module's success or failure affects the overall result)

Security mechanisms in JBOSS (2)
 Any options to the LoginModule can be specified in the configuration file. These will be passed to the module during the call to the initialize() method
 Each security domain will be read by the JAAS security manager, converted into a SecurityDomainContext object, and bound in JNDI at java:/jaas/<domain_name>
 An application can choose one (and only one) of the configured security domains to protect itself
 The JAAS security manager itself does not perform the authentication. Instead it instantiates the LoginModules that perform the actual authentication and authorisation
 JBOSS provides LoginModules "out of the box" and you can also implement your own

JBOSS LoginModules
 Some of those provided "out of the box" with JBOSS (all in the package org.jboss.security.auth.spi):
  • UsersRolesLoginModule: reads the username, password and role information from properties files (by default users.properties and roles.properties) packaged with the application
  • DatabaseServerLoginModule: reads the username, password and role information from tables in a database. The database is accessed through a JDBC datasource bound in JNDI, so the JDBC driver needs to be available on the server classpath
  • LdapLoginModule: requires a username and password, which it uses to bind to the LDAP server. If successful, the roles are based on the group memberships of the user
  • BaseCertLoginModule: uses client certificates to perform authentication. It cannot provide role information. Typically used in conjunction with another LoginModule that provides role information
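An example login-config.xml defining two security domains with the first two modules above, one per application-policy entry, as the slides describe. This is an added example for these notes, not a file from the lecture or from a JBOSS distribution: the domain names, the properties file names, the datasource name java:/OurspaceDS and the table layout in the queries are assumptions; the module class names and module-option names are those of JBOSS AS 4 and 5.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>

  <!-- Domain "securedomain" (bound as java:/jaas/securedomain): one REQUIRED module backed by
       properties files inside the deployment. users.properties holds lines such as alice=s3cret,
       roles.properties lines such as alice=Secure,User. -->
  <application-policy name="securedomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">securedomain-users.properties</module-option>
        <module-option name="rolesProperties">securedomain-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Domain "dbdomain": credentials and roles read over JDBC. The datasource must already be bound
       in JNDI, so its driver lives on the server classpath, not in the application. -->
  <application-policy name="dbdomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/OurspaceDS</module-option>
        <!-- both queries are parameterised with ?; the username is never concatenated into SQL -->
        <module-option name="principalsQuery">SELECT password FROM users WHERE username = ?</module-option>
        <!-- rolesQuery must return two columns: the role name and the group it belongs to ("Roles") -->
        <module-option name="rolesQuery">SELECT role, 'Roles' FROM user_roles WHERE username = ?</module-option>
        <!-- store digests rather than plaintext; the module hashes the supplied password before comparing -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

Every module-option value arrives in the module's initialize() call through the options map, as the previous slide states. Two caveats for the database domain: the hashAlgorithm option produces an unsalted digest, so a leaked users table can be attacked offline with precomputed tables, and the roles table is trusted wholesale, so write access to it is equivalent to granting any role.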

Securing a web application in JBOSS (2)
 All the resources with the URL pattern /secure/* are protected, and the client must belong to the "Secure" role to access these resources. In web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restricted to Secure role</web-resource-name>
        <description>Declarative security</description>
        <url-pattern>/secure/*</url-pattern>
        <http-method>HEAD</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Secure</role-name>
      </auth-constraint>
    </security-constraint>

 Caveat: listing http-method elements constrains only those verbs. A request for /secure/* made with any other method (OPTIONS, TRACE, or an arbitrary verb) is not covered by the constraint and reaches the resource unauthenticated. Omit the http-method elements altogether to cover every verb

Securing a web application in JBOSS (3)
 During application packaging, the administrator must choose the security domain that will protect the application. This is specified in the JBOSS specific deployment descriptor jboss-web.xml. A sample file might be:

    <jboss-web>
      <security-domain>java:/jaas/securedomain</security-domain>
    </jboss-web>

 The name after java:/jaas/ must match an application-policy name in login-config.xml. web.xml must also contain a login-config element (how the container collects credentials) and a security-role element for every role named in an auth-constraint

Securing an EJB application in JBOSS
 We consider only session beans here
 Once again, let's examine declarative security
 Declarative security for an EJB application provides selective access to EJB methods based on the roles that a client is assigned
 This is achieved using the <method-permission> tag in the ejb-jar.xml file
 Alternatively (EJB 3), the equivalent annotations (@RolesAllowed, @PermitAll, @DenyAll) can be placed on the session beans themselves; where both are present the deployment descriptor overrides the annotations
 Let's see an example ...

Securing an EJB application in JBOSS (2)
 Here method1 is available only to clients belonging to the "Secure" role, but method2 in the same bean (MyBean) is available to all clients. The method-name must match the bean's Java method name exactly (so method1, not Method1), each method is wrapped in a <method> element, and "open to everyone" is expressed with <unchecked/> rather than by leaving out the role name:

    <assembly-descriptor>
      <security-role>
        <role-name>Secure</role-name>
      </security-role>
      <method-permission>
        <role-name>Secure</role-name>
        <method>
          <ejb-name>MyBean</ejb-name>
          <method-name>method1</method-name>
        </method>
      </method-permission>
      <method-permission>
        <unchecked/>
        <method>
          <ejb-name>MyBean</ejb-name>
          <method-name>method2</method-name>
        </method>
      </method-permission>
    </assembly-descriptor>
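The same permissions expressed with the annotations mentioned two slides back, plus the programmatic check that declarative security cannot express (a decision that depends on the data, not just on the method name). This is an added example for these notes, not lecture or OurSpace code; it assumes EJB 3.1 or later (no-interface view) and a container that has already bound the bean to a security domain through jboss.xml or the server's @SecurityDomain annotation. The method names follow the slide; viewProfile and rebuildCaches are assumptions.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.LocalBean;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Annotation form of the ejb-jar.xml method-permission entries for MyBean.
@Stateless(name = "MyBean")
@LocalBean
@DeclareRoles("Secure")           // roles used by isCallerInRole must be declared
public class MyBean {

    @Resource
    private SessionContext ctx;   // exposes the caller identity established by the JAAS login

    @RolesAllowed("Secure")       // ejb-jar.xml: <method-permission><role-name>Secure</role-name> ... method1
    public String method1() {
        return "method1 run for " + ctx.getCallerPrincipal().getName();
    }

    @PermitAll                    // ejb-jar.xml: <method-permission><unchecked/> ... method2
    public String method2() {
        return "method2 is open to every caller";
    }

    @DenyAll                      // no client can invoke this through the container
    public void rebuildCaches() {
    }

    // A profile may be read by its owner or by anyone in the Secure role. The owner check depends on
    // the argument, so it must be made in code; the container has already authenticated the caller.
    @PermitAll
    public String viewProfile(String owner) {
        String caller = ctx.getCallerPrincipal().getName();
        if (caller.equals(owner) || ctx.isCallerInRole("Secure")) {
            return "profile of " + owner;
        }
        throw new EJBAccessException("caller " + caller + " may not view " + owner);
    }
}
```

A client outside the permitted role receives an EJBAccessException from the container before the method body runs, which is the behaviour the ejb-jar.xml entries above describe declaratively. For EJB 3.0 containers such as JBOSS 4 and 5, drop @LocalBean and give the bean a business interface annotated @Local.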

Introduction to Assignment 2 – Ourspace
 Mathematically, a social network is a directed graph, not necessarily connected, that may contain cycles. In the context of a human social network, human beings represent the nodes of the graph and the edges signify relations between people.
 Free public social network examples: MySpace, Friendster, Orkut, Facebook, Bebo, LinkedIn

Introduction to Assignment 2 – Ourspace (2)
 Ourspace simplified model: bi-directed, equally weighted edges in the social network graph. This means that if person A considers B as a friend then it is essential that person B considers A as a friend (bi-directed); and the friendship level from A to B is the same as that from B to A (equal weighting).
 Given functionality: create new profile, edit profile, add/remove friend profiles, search

Introduction to Assignment 2 – Ourspace (3)

 Layers:

  • Relational database layer holds the data about each social network node, its relations and other related entities (MySQL database).
  • Persistence layer provides the object-to-relational mapping and provides an object-oriented way of accessing the persistent data in the database (Entity beans).
  • Business logic layer consists of the data manipulation algorithms, which represent the business functionality of the system (Session beans).
  • Web presentation layer , consisting of a model-view-controller (MVC) architecture, interacts with the user requests from the web client (front-end) and the business logic layer at the back-end.

OurSpace and security
 Out of the box, OurSpace security isn't provided by JAAS, so how is user information taken into account?
 If you look, you will find the LoginFilter. This is not a JAAS module, but an interceptor
 LoginFilter intercepts HTTP requests
 Information about currently logged in users is kept in a Hashtable. You will find a StatelessSessionBeanCache in the code
 LoginFilter stores user profile data in the HTTP session object
 So when an action requires a profile, LoginFilter intercepts, looks up the user's properties in the Hashtable, populates the HTTP session object with the user profile data, and control then passes back to the action
 One of the assignment tasks is to use JAAS to provide the authentication and authorisation (A&A) services instead