Security in java ee platform: what is included, what is missing

Java EE Platform Security: what is included, what is missing. Masoud Kalali, author of the GlassFish Security book, Http://kalali.me

Description: the slides discuss the current state of Java EE security, the features it includes and the ones it is missing.

Transcript

Page 1: Security in java ee platform: what is included, what is missing

Java EE Platform Security
What is included, what is missing.

Masoud Kalali

Author of GlassFish security book

Http://kalali.me

Page 2

What can Security refer to?

Page 3

Security requirements

Authentication
Authorization
Transport Security
Single Sign-On

Page 4

Java EE and Security Requirements I

@ServletSecurity(@HttpConstraint(rolesAllowed = {"manager", "administrator"}))

...
String username = request.getParameter("username");
String password = request.getParameter("password");
request.login(username, password);
...

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JDBCRealm</realm-name>
</login-config>

What Java EE provides for Authentication:

Authentication methods (Form, Basic, Digest, Client-Cert)
Security realms
Programmatic login/logout, setHttpOnly/isHttpOnly, @ServletSecurity
Adding new realms or extending the current ones
JSR-196, pluggable authentication
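A login servlet built on the programmatic login/logout API listed above, as an added example (not code from the slides): it validates against whatever realm the <login-config> names, and the servlet name, URL pattern, landing pages and status codes are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the slides. The container checks the credentials against
// the realm named in <login-config> (JDBCRealm above); paths and codes are assumptions.
@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Discard any pre-login session: a session id planted before login must not
        // turn into an authenticated one (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        try {
            // Validates the pair against the realm and sets the caller identity for this
            // request; throws ServletException when the realm rejects the credentials.
            request.login(username, password);
        } catch (ServletException rejected) {
            // Same answer for unknown user and wrong password: no account enumeration.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.getSession(true);   // fresh session for the now-authenticated caller
        // Roles come from the same realm; the container applies the role mapping.
        String target = request.isUserInRole("manager") ? "/admin/online/" : "/";
        response.sendRedirect(request.getContextPath() + target);
    }

    // Programmatic logout: clear the caller identity, then drop the session state.
    @Override
    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```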

Page 5

Java EE and Security Requirements II

What the Java EE platform provides for authorization:
Role-based access control over resources
Roles are defined in a vendor-specific way
Roles are based on the information from the same security realm
Enforced using annotations or XML descriptors
Can be extended using JSR-115

Annotation        Target level    Target kind
@DeclareRoles     Class           EJB, Servlet
@RunAs            Class           EJB, Servlet
@ServletSecurity  Class           Servlet
@PermitAll        Class, Method   EJB
@DenyAll          Method          EJB
@RolesAllowed     Class, Method   EJB

<method-permission>
    <role-name>manager</role-name>
    <method>
        <ejb-name>Emp</ejb-name>
        <method-name>getAge</method-name>
    </method>
</method-permission>
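The same "manager may call Emp.getAge" rule written with the annotations from the table, plus the per-record check that declarative roles alone cannot express, as an added example (not code from the slides); the bean's methods and the in-memory employee data are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example, not from the slides: the <method-permission> above (manager may call
// Emp.getAge) as annotations, plus the per-record check annotations cannot express.
// The employee data is a constructed in-memory map.
@Stateless
@DeclareRoles({"manager", "employee"})
@RolesAllowed("manager")                  // class-level default for every method
public class Emp {
    @Resource
    private SessionContext ctx;
    private final Map<String, Integer> ages = new HashMap<String, Integer>();
    public Emp() {                        // constructed sample data
        ages.put("alice", 41);
        ages.put("bob", 29);
    }
    // Inherits the class default: same effect as the XML method-permission for getAge.
    public int getAge(String employeeId) {
        return ages.get(employeeId);
    }
    // Role answers "who"; the caller principal narrows it to "whose record": an
    // employee may read only their own age. The container enforced the roles before
    // this method ran, so the check here can only narrow access further.
    @RolesAllowed({"manager", "employee"})
    public int getAgeOf(String employeeId) {
        if (!ctx.isCallerInRole("manager")
                && !ctx.getCallerPrincipal().getName().equals(employeeId)) {
            throw new EJBAccessException("not your record");
        }
        return getAge(employeeId);        // plain Java call: no second container check
    }
    @PermitAll                            // open to every caller, authenticated or not
    public boolean exists(String employeeId) {
        return ages.containsKey(employeeId);
    }
    @DenyAll                              // never callable through the container
    public void dropAll() {
        ages.clear();
    }
}
```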

Page 6

Java EE and Security Requirements III

The transport security facilities:
Confidentiality
Data integrity
Different sets of resources, different levels of transport security

<security-constraint>
    <display-name>Current Online Users</display-name>
    <web-resource-collection>
        <web-resource-name>online users</web-resource-name>
        <description/>
        <url-pattern>/admin/online/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
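The same constraint expressed with the Servlet 3.0 @ServletSecurity annotation, including the transport guarantee, as an added example (not code from the slides); the servlet body, the OPTIONS rule and the HSTS value are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the slides: the <security-constraint> above written as
// Servlet 3.0 annotations, so role and transport guarantee sit next to the code they
// protect. The page body and the HSTS value are assumptions.
@WebServlet("/admin/online/*")
@ServletSecurity(
    // default for every HTTP method: manager only, and only over a confidential channel
    value = @HttpConstraint(rolesAllowed = "manager",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    // a method that carries no role list is refused, not silently allowed
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "OPTIONS", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class OnlineUsersServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Defence in depth: fail closed if the container still sees the request
        // arriving in the clear, e.g. the constraint was lost when web.xml was merged.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        // HSTS: browsers keep using TLS for this host, so a later plain-HTTP link cannot
        // leak the session cookie before the container's redirect to HTTPS happens.
        response.setHeader("Strict-Transport-Security", "max-age=31536000");
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<h1>Current Online Users</h1>");
        out.println("<p>Viewed by " + escape(request.getRemoteUser()) + "</p>");
    }

    // Minimal HTML escaping for the one value echoed back to the page.
    private static String escape(String s) {
        return s == null ? "" : s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }
}
```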

Page 7

Java EE and Security Requirements IV

What the Java EE platform provides for SSO: nothing out of the JSRs.
Application servers provide some basic functionality, with restrictions:
Same realm
Same virtual server/host
Other solutions: proxies, e.g. delegated authentication to Apache mod_proxy; clustering the instances (needs the same realm).

Page 8

Is that All?

Really, is that all we need to have? Are we missing anything major?

Is there anything still basic and good to have?

Page 9

Basic, but missing requirements

Authentication chain
Fine-grained access control
Single Sign-On

Page 10

Basic, but missing requirements I

Authentication chain:
Chain of authentication challenges
If one realm or provider fails, chain to the next one
Put challenges together in groups
Basic rules to form the groups

Authentication levels:
Higher level for more secure realms
More resources accessible on higher authentication levels

Authentication chain: (diagram on the slide)
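One way to get "one provider failed, chain to the next one" with what the platform does have, the JSR-196 pluggable authentication from page 4, as an added example (not code from the slides): a ServerAuthModule that delegates to other modules in order. The delegate modules and their registration with the server's AuthConfigProvider are assumed and not shown.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the slides: a JSR-196 module that tries other modules in order.
// The delegates and their registration with the AuthConfigProvider are assumed.
public class ChainedServerAuthModule implements ServerAuthModule {
    private final ServerAuthModule[] chain;
    // Order matters: passive modules (certificate, token) before ones that answer with a
    // challenge (Basic, Form), because a challenge ends the chain.
    public ChainedServerAuthModule(ServerAuthModule... modules) {
        this.chain = modules;
    }
    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        for (ServerAuthModule m : chain) m.initialize(requestPolicy, responsePolicy, handler, options);
    }
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        AuthStatus last = AuthStatus.SEND_FAILURE;
        for (ServerAuthModule m : chain) {
            AuthStatus status = m.validateRequest(messageInfo, clientSubject, serviceSubject);
            if (status == AuthStatus.SUCCESS || status == AuthStatus.SEND_CONTINUE) {
                return status;  // caller accepted, or a challenge was written: stop here
            }
            last = status;      // this provider rejected the caller: try the next one
        }
        return last;            // no provider accepted the caller
    }
    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;   // nothing to add to the response
    }
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        for (ServerAuthModule m : chain) m.cleanSubject(messageInfo, subject);
    }
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}
```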

Page 11

Basic, but missing requirements II

Fine-grained access control

Coarse-grained allow/not-allow is not sufficient anymore. A very common issue: time- and location-based access control.

XACML is there, but not in the platform:
Attribute-based access evaluation
Attributes for all the factors involved
Version 2 is mature enough, version 3 is around the corner
JBoss and Sun open-source XACML implementations:
http://sunxacml.sourceforge.net/
http://www.jboss.org/picketbox/
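The time-based rule the slide names, implemented with the EJB interceptor the platform does have rather than with XACML, as an added example (not code from the slides or from either XACML project): the role annotation still decides who, and a second attribute decides when. The annotation, interceptor and bean are assumptions, shown together here but one source file each.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Calendar;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Singleton;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;

// Added example, not from the slides: a time-of-day attribute layered on top of the
// platform's role check, the kind of rule @RolesAllowed alone cannot express.
// Annotation, interceptor and bean are assumptions (shown together; one file each).
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface AllowedHours {
    int from();    // inclusive hour of day, server local time
    int until();   // exclusive hour of day
}
// Runs after the container has already enforced @RolesAllowed, so it can only narrow access.
public class TimeWindowInterceptor {
    @AroundInvoke
    public Object check(InvocationContext ctx) throws Exception {
        AllowedHours window = ctx.getMethod().getAnnotation(AllowedHours.class);
        int hour = Calendar.getInstance().get(Calendar.HOUR_OF_DAY);
        if (window != null && !inWindow(window, hour)) {
            // Same exception the container uses for a failed role check: the caller cannot tell which layer refused.
            throw new EJBAccessException("outside allowed hours");
        }
        return ctx.proceed();
    }
    static boolean inWindow(AllowedHours w, int hour) {
        return w.from() <= w.until()
                ? hour >= w.from() && hour < w.until()     // daytime window, e.g. 8-18
                : hour >= w.from() || hour < w.until();    // crosses midnight, e.g. 22-6
    }
}
@Singleton
@Interceptors(TimeWindowInterceptor.class)
public class Payroll {
    private final Set<String> approved = new HashSet<String>();   // constructed state
    @RolesAllowed("manager")                 // who: coarse-grained, from the realm
    @AllowedHours(from = 8, until = 18)      // when: the attribute the platform lacks
    public boolean approveRun(String runId) {
        return approved.add(runId);          // true when the run was not yet approved
    }
}
```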

Page 12

Basic, but missing requirements III

What to do with more SSO requirements?

It may never get into the platform:
Involves more than just Java EE
Heavy, complex and open-ended

Go with JOSSO, http://www.josso.org/
Go with OpenSSO, http://opensso.dev.java.net
Both work with CDSSO (cross-domain SSO)
Integrate with many platforms/servers
Can be used from almost any language

Page 13

Time For Questions

Questions?

You can contact me at [email protected] or http://twitter.com/MasoudKalali