![Page 1: Java Application Security Integration WAS CLASS. Agenda l Introduction l Challenges l Technology Overview l Examples of Use solving problems integration](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649f505503460f94c73259/html5/thumbnails/1.jpg)
Java Application Security Integration
WAS CLASS
Agenda
• Introduction
• Challenges
• Technology Overview
• Examples of Use
  • solving problems
  • integration
• Conclusion
What is Security?
Core Pillars
• Authentication
• Authorization
• Integrity
• Confidentiality
• Non-repudiation
Disciplines
• Threat Assessment
• Policy Definition
• Administration
• Intrusion Detection
• Optimization/Vulnerability Assessment
“Freedom from risk or danger; safety.” source: dictionary.com
Application security builds on infrastructure security
Authentication Challenges
Multiple Realms
• Different technologies: OS, directory, database, AAA, file, legacy…
• Multiple instances: internally and cross-organization (trust)
Single sign-on/reduced sign-on
Strong authentication
• PKI: how to do key management?
• Multi-factor?
Delegation
Authorization Challenges
Defining roles & permissions
• Mapping & specializing
Functional authorization
• For resource, service, component, class & method
Data-driven authorization
• For instance-level & field-level
UI: showing only authorized
• Fields, commands (buttons)
Consistent enforcement
Additional Challenges
Non-Repudiation
• Tracking audit trails
• Digital signatures?
Confidentiality
• Field-level encryption
• At-rest encryption (preferably infrastructure!)
Integrity
• Digital signatures
Application Security Architecture
Architecture diagram (tiers: Perimeter, Interaction Tier, Application Tier, Resource Tier; actors: end-user, operations; Service).
Security Technologies
The Java platform
• JAAS
Application servers
Security products
Fine grained security
• Aspect-Oriented Programming
• Filters and Proxies
Web services
Application Security Domains
Matrix diagram: columns Edge, UI, Domain, Data; rows Identify, Protect, Manage. Technologies placed in the matrix: Security Servers (AAA), Web Services, SSL/PKI, Fine-grained Security (AOP…), Application Servers, JAAS, Database.
Java Security
Secure platform since inception
• sandbox supports untrusted code
• no pointers, bounds checking, GC
JCA, JCE
• cryptography, certificates, keys
JAAS
• pluggable authentication
• AccessController authorizes access
J2SE 1.4 moves JAAS capabilities into core
JAAS Authentication
Source: Sun Microsystems
JAAS Authorization
Source: Sun Microsystems
J2EE Security
Declarative
• Role names and mapping
• Web resource constraints
• EJB component and method constraints
Programmatic
• Principal (name)
• Role membership
Application Server Integration
Until now
• Container-specific realms for authentication
• Container-specific policy for authorization
• JAAS not integrated
J2EE 1.4 will standardize with JAAS
• Java Authorization Contract for Containers
• Java Authentication Service Provider Interface for Containers
J2EE 1.4 Security Architecture
Source: Sun Microsystems
AAA products
E.g., Netegrity, RSA, Oblix, Tivoli, Oracle…
Architecture diagram: the same tiers (Perimeter, Interaction Tier, Application Tier, Resource Tier; end-user, operations, Service) with an admin component, a PDP (policy decision point) holding identity and access data, and a PEP (policy enforcement point).
Security Integration Framework Example
Source: BEA
Weblogic Security Framework 8.1, Quadrasis
Web Services Security
Source: Sun Microsystems
Aspect-Oriented Programming (AOP)
Auxiliary concerns are scattered and tangled
• Security: authorization, identity management, audit trail
• Business rules
• Error handling
So AOP uses aspects to provide:
• modular support for crosscutting concerns
• language and tool integration
Evolutionary step for software development
• structured → objects → components → aspects
Figure: "AOP turns this... into this" (scattered concern code before, modular aspect after).
Filters & Proxies
Special-case support for crosscutting
Servlet Filters
• Allow all/certain servlet requests to enforce policy
• Authentication (JAAS, single sign-on…)
• Authorization (set up doAsSubject…)
Dynamic Proxies
• Allow wrapping interfaces
• Can separate data-driven authorization
• Still scatters policy implementation
Functional Authorization Example
Add bug use case
• Forces authentication
• Projects in groups with corresponding roles
• Functional authorization: check bug entry role
• UI Filtering: only employees can edit status
Traditional Web Container Security
Sequence diagram (participants: browser, webContainer, editBug.jsp, realm, dataSource (LDAP, dbms, OS...)); messages shown: request add bug, isConstrained, redirect to authentication, submit authentication, authenticate, getRoles, isUserInRole, forward, service, add page response.
Web Deployment Descriptor

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/aTrack/internal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>internal</role-name>
  </auth-constraint>
</security-constraint>
…
```
Web Deployment Descriptor (continued)

```xml
…
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>aTrack</realm-name>
  <form-login-config>
    <form-login-page>/aTrack/protected/login.jsp</form-login-page>
    <form-error-page>/aTrack/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>internal</role-name>
</security-role>
```
Tomcat 4.x JDBC Realm Setup

```xml
<Server className="org.apache.catalina.core.StandardServer" debug="0" port="8005" shutdown="SHUTDOWN">
  …
  <!-- the & in the connection URL must be escaped as &amp; inside an XML attribute -->
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost/authority?user=dbuser&amp;password=dbpass"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
  …
```
UI Filtering

```jsp
…
<% if (SecurityUtils.getRoles(getUser()).contains("internal")) { %>
  <html:list property="status">
<% } else { %>
  <html:label property="status">
<% } %>
```
Security Server Implementation
Sequence diagram (participants: browser, PEP (plugin/proxy), webContainer, editBug.jsp, realm, PDP, dataSource (LDAP, dbms, OS...)); messages shown: request editBug, isRestricted, redirect to authentication, submit authentication, authenticate, getRoles, isUserInRole, redirect to bug page, editBugPage, forward, edit bug page.
JAAS Authentication in Web Container
Sequence diagram (participants: browser, authFilter, authServlet, webContainer, httpSession, loginContext, loginModule, dataSource (LDAP, dbms, OS...)); messages shown: request add bug, doFilter, shouldFilter, redirect to authentication, submit authentication, login, authenticate, commit, getPrincipals, setAttribute, getAttribute, redirect to add bug page.
JAAS Authorization in Web Container
Sequence diagram (participants: browser, webContainer, authFilter, httpSession, subject, privExcAction, filterChain, editBug.jsp, accessController); messages shown: request add bug, doFilter, shouldFilter, getAttribute, new, doAsPrivileged, run, getPrincipals, service, checkPermission, add page response.
Servlet Filter to Set Up JAAS

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class AccessFilter implements Filter {
    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) request).getSession();
        // the authentication servlet stored the authenticated Subject under SUBJECT_ID
        Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
        if (subject == null) {
            // redirect to force authentication
            return;
        }
        try {
            // run the rest of the chain (and the JSP) with the Subject on the access-control context
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Object>() {
                public Object run() throws Exception {
                    chain.doFilter(request, response);
                    return null;
                }
            }, null);
        } catch (PrivilegedActionException e) {
            // unwrap the checked exception thrown inside run()
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }
}
```
JAAS Authorization

```java
public class AddBugAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // does the user have permission to enter bugs?
        // (throws AccessControlException unless the Subject set up by the filter has been granted it)
        AccessController.checkPermission(new AtrackPermission("bugEntry"));
        …
    }
}
```
UI Filtering

```jsp
…
<% if (getUserPrincipals().contains("internal")) { %>
  <html:list property="status">
<% } else { %>
  <html:label property="status">
<% } %>
…
```
AspectJ JAAS Authentication

```java
public aspect RoleBasedAccess {
    // every HttpServlet.doXxx() executed by a SensitiveServlet, with request and response bound
    private pointcut request(HttpServletRequest request, HttpServletResponse response) :
        execution(* HttpServlet.do*(..)) && this(SensitiveServlet) && args(request, response);

    // every method of the sensitive model package
    private pointcut sensitiveOperations() :
        execution(* atrack.model.sensitive.*.*(..));
```
AspectJ JAAS Authentication (continued)

```java
    …
    void around(final HttpServletRequest request, final HttpServletResponse response)
            throws ServletException, IOException : request(request, response) {
        HttpSession session = request.getSession();
        Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
        if (subject == null) {
            // redirect to force authentication
            return;
        }
        try {
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Object>() {
                public Object run() throws Exception {
                    proceed(request, response); // run the servlet method as the Subject
                    return null;
                }
            }, null);
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }
    …
```
AspectJ JAAS Authorization

```java
    …
    before() : sensitiveOperations() {
        // map the method being executed to the permission it requires
        Permission permission = getPermission(thisJoinPoint.getSignature().getName());
        AccessController.checkPermission(permission);
    }

    private Permission getPermission(String methodName) {
        // config or database lookup (elided on the slide);
        // placeholder mapping: one AtrackPermission named after the method
        return new AtrackPermission(methodName);
    }
}
```
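The JAAS pieces the last slides rely on (a LoginModule driven by a LoginContext, the Subject that the filter or aspect stores in the session, and a role check against that Subject's principals) fit together as in the following added example. It is not code from the deck: the realm's data source is replaced by a constructed in-memory user table (the users alice and bob, their SHA-256 password hashes and roles are made up for the demo), a programmatic Configuration stands in for a jaas.conf file, and authorization is a programmatic role-membership check rather than AccessController.checkPermission, which would additionally need a Policy grant for AtrackPermission. JaasDemo, RolePrincipal, TableLoginModule, login and requireRole are names chosen for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {

    /** Role carried in the Subject after commit(); requireRole() looks for it. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Constructed user table (stands in for the realm's dataSource): user -> SHA-256(password), user -> roles. */
    static final Map<String, byte[]> HASHES = new HashMap<>();
    static final Map<String, List<String>> ROLES = new HashMap<>();
    static {
        HASHES.put("alice", sha256("alice-demo-pw")); ROLES.put("alice", Arrays.asList("internal", "bugEntry"));
        HASHES.put("bob", sha256("bob-demo-pw"));     ROLES.put("bob", Arrays.asList("bugEntry"));
    }
    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Pluggable authentication: the LoginModule the LoginContext drives through the callback handler. */
    public static class TableLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private String user; private boolean succeeded;
        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject; this.handler = handler;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            char[] pw = pc.getPassword(); pc.clearPassword();
            byte[] actual = sha256(pw == null ? "" : new String(pw));
            if (pw != null) Arrays.fill(pw, '\0');
            byte[] expected = HASHES.get(nc.getName());
            // MessageDigest.isEqual is constant-time; an unknown user fails exactly like a wrong password
            if (expected == null || !MessageDigest.isEqual(expected, actual)) throw new FailedLoginException("bad credentials");
            user = nc.getName(); succeeded = true; return true;
        }
        public boolean commit() {
            if (!succeeded) return false;
            for (String r : ROLES.get(user)) subject.getPrincipals().add(new RolePrincipal(r));
            return true;
        }
        public boolean abort() { succeeded = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal); return true; }
    }

    /** Programmatic Configuration so the demo needs no jaas.conf file. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(TableLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    };

    /** Authenticate and return the populated Subject (what authServlet would store in the HttpSession). */
    public static Subject login(String user, String password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("aTrack", null, h, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    /** Programmatic authorization: role membership read from the Subject's principals. */
    public static void requireRole(Subject subject, String role) {
        if (subject == null || !subject.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role))) {
            throw new SecurityException("missing role " + role); // the web tier would redirect, not show this
        }
    }

    public static void main(String[] args) throws Exception {
        Subject alice = login("alice", "alice-demo-pw");
        requireRole(alice, "bugEntry");                                   // passes
        Subject bob = login("bob", "bob-demo-pw");
        try { requireRole(bob, "internal"); } catch (SecurityException e) { System.out.println("bob denied: " + e.getMessage()); }
        try { login("alice", "wrong"); } catch (FailedLoginException e) { System.out.println("login rejected"); }
    }
}
```

The Subject returned by login() is exactly what AccessFilter (or the around advice) would pass to Subject.doAsPrivileged; requireRole() is the programmatic alternative to the AtrackPermission check and needs no Policy, which is why the example uses it.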
Data-Driven Authorization Example
Edit employee data
• Data-driven: employee, manager (transitively) and HR admin role
• UI Filtering: invisible, visible, editable
Possible extension
• Trust delegation: check in domain tier on commit
Data-Driven Authorization: EJB security
Sequence diagram (participants: ejb, ejbHelper, employee :Employee, ejbContext, auditTrail, securityException); numbered messages: 1: doOperation, 1.1: getSalary, 1.1.1: getPrincipal, 1.1.2: getEmployee, 1.1.3: reportsTo, 1.1.4: record(), 1.1.5: new (securityException), 1.1.6: throws.
EJB Implementation

```java
public class Employee {
    …
    public int getSSN(EjbContext securityContext) {
        Principal p = securityContext.getPrincipal();
        Employee caller = Employee.getEmployee(p);
        // this employee must (transitively) report to the caller
        if (caller == null || !reportsTo(caller)) {
            // record attempted security violation
            throw new AuthorizationException("…");
        }
        // and log data access to audit trail
        return ssn;
    }

    public double getSalary(EjbContext securityContext) {
        Principal p = securityContext.getPrincipal();
        …
    }
}
```
Propagating Context

```java
public class ServiceEjb {
    public int getEmployeeDetails() {
        …
        employees.getRows(getContext()); // hand the EJB context down so callees can identify the caller
    }
    …
}

public class Employees {
    …
    public int getRows(EjbContext securityContext) {
        …
        employee.getSSN(securityContext);
        …
    }
}
```
JAAS Implementation

```java
public class Employee {
    public int getSSN(Subject subject) {
        // the Employee principals placed in the Subject at login (Employee implements Principal here)
        Set<Employee> callers = subject.getPrincipals(Employee.class);
        boolean ok = false;
        for (Employee caller : callers) {
            if (reportsTo(caller)) ok = true;
        }
        if (!ok) {
            // record attempted security violation
            throw new AuthorizationException("…");
        }
        // and log data access to audit trail
        return ssn;
    }

    public double getSalary(Subject subject) {
        Set<Employee> callers = subject.getPrincipals(Employee.class);
        …
```
JAAS Set Up

```java
public class Service {
    public int getEmployeeDetails() throws Exception {
        Subject subject = (Subject) session.getAttribute(SUBJECT_ID);
        if (subject == null) {
            // forward to force authentication
            …
        }
        try {
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Object>() {
                public Object run() throws Exception {
                    …
                    employees.getRows(subject); // the Subject, not the EJB context, travels down
                    …
                }
            }, null);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
        …
    }
    …
```
Proxy Set Up

```java
public class EmployeeFactory {
    public Employee getEmployee(int key, EjbContext context) {
        // lookup of the real Employee by key is elided on the slide; lookup() is a placeholder name
        Employee target = lookup(key);
        InvocationHandler handler = new EmployeeInvocationHandler(context, target);
        return (Employee) Proxy.newProxyInstance(
            Employee.class.getClassLoader(),
            new Class<?>[] { Employee.class },
            handler);
    }
}
```
Proxy Implementation

```java
public class EmployeeInvocationHandler implements InvocationHandler {
    private final EjbContext context;
    private final Employee target; // the real Employee behind the proxy

    public EmployeeInvocationHandler(EjbContext context, Employee target) {
        this.context = context;
        this.target = target;
    }

    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        if (isSensitive(method)) {
            Principal p = context.getPrincipal();
            Employee caller = Employee.getEmployee(p);
            if (caller == null || !target.reportsTo(caller)) {
                // record attempted security violation
                throw new AuthorizationException("…");
            }
            // and log data access to audit trail
        }
        try {
            // dispatch to the real object; invoking on the proxy would re-enter this handler
            return method.invoke(target, args);
        } catch (InvocationTargetException e) {
            throw e.getCause();
        }
    }
    …
```
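The data-driven rule from the Edit employee data use case (the employee, any manager they transitively report to, or the HR admin role) combined with the dynamic-proxy enforcement point of the last two slides, as an added stand-alone example that is not code from the deck. Employee, EmployeeImpl, Caller, reportsTo, mayRead and secured are names chosen for this example; the org chart, the role name hrAdmin and the audit list are constructed. It goes beyond the slides in two ways: reportsTo walks the whole management chain with a cycle guard, and the handler dispatches to the wrapped target rather than to the proxy.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.*;

public class DataAuthDemo {

    /** Business interface; the dynamic proxy implements it and guards the sensitive getters. */
    public interface Employee {
        String getName();
        Employee getManager();
        int getSSN();
        double getSalary();
    }

    /** Constructed in-memory implementation (no EJB container or database behind it). */
    public static final class EmployeeImpl implements Employee {
        private final String name; private final int ssn; private final double salary; private Employee manager;
        EmployeeImpl(String name, int ssn, double salary) { this.name = name; this.ssn = ssn; this.salary = salary; }
        void setManager(Employee m) { manager = m; }
        public String getName() { return name; }
        public Employee getManager() { return manager; }
        public int getSSN() { return ssn; }
        public double getSalary() { return salary; }
    }

    /** Caller identity plus roles: what the slides obtain from EjbContext.getPrincipal() and the realm. */
    public static final class Caller {
        final Employee employee; final Set<String> roles;
        Caller(Employee employee, String... roles) { this.employee = employee; this.roles = new HashSet<>(Arrays.asList(roles)); }
    }

    /** Audit trail: denied attempts and successful sensitive reads are both recorded. */
    public static final List<String> AUDIT = new ArrayList<>();

    /** Transitive reportsTo: walk the management chain; the seen-set stops a cyclic chain from looping. */
    public static boolean reportsTo(Employee employee, Employee candidate) {
        Set<String> seen = new HashSet<>();
        for (Employee m = employee.getManager(); m != null && seen.add(m.getName()); m = m.getManager()) {
            if (m.getName().equals(candidate.getName())) return true;
        }
        return false;
    }

    /** Data-driven policy: the employee themself, a transitive manager, or the HR admin role. */
    public static boolean mayRead(Caller caller, Employee employee) {
        return caller.employee.getName().equals(employee.getName())
            || reportsTo(employee, caller.employee)
            || caller.roles.contains("hrAdmin");
    }

    private static final Set<String> SENSITIVE = new HashSet<>(Arrays.asList("getSSN", "getSalary"));

    /** Wrap an employee so every sensitive call passes one enforcement point instead of a check per getter. */
    public static Employee secured(Employee target, Caller caller) {
        InvocationHandler h = (proxy, method, args) -> {
            if (SENSITIVE.contains(method.getName())) {
                String what = caller.employee.getName() + " -> " + target.getName() + "." + method.getName();
                if (!mayRead(caller, target)) {
                    AUDIT.add("DENY " + what);      // record attempted security violation
                    throw new SecurityException("not authorized: " + what);
                }
                AUDIT.add("READ " + what);          // log data access
            }
            try {
                return method.invoke(target, args); // invoke on the target, never on the proxy (that would recurse)
            } catch (InvocationTargetException e) {
                throw e.getCause();
            }
        };
        return (Employee) Proxy.newProxyInstance(Employee.class.getClassLoader(), new Class<?>[] { Employee.class }, h);
    }

    public static void main(String[] args) {
        EmployeeImpl ceo = new EmployeeImpl("ceo", 111, 300_000);
        EmployeeImpl mgr = new EmployeeImpl("mgr", 222, 150_000);
        EmployeeImpl dev = new EmployeeImpl("dev", 333, 90_000);
        EmployeeImpl hr  = new EmployeeImpl("hr", 444, 80_000);
        mgr.setManager(ceo); dev.setManager(mgr);

        System.out.println(secured(dev, new Caller(ceo)).getSalary());          // transitive manager: allowed
        System.out.println(secured(dev, new Caller(hr, "hrAdmin")).getSSN());  // HR admin role: allowed
        System.out.println(secured(dev, new Caller(dev)).getName());           // non-sensitive getter: no check
        try {
            secured(mgr, new Caller(dev)).getSalary();                         // subordinate reading manager: denied
        } catch (SecurityException e) { System.out.println(e.getMessage()); }
        AUDIT.forEach(System.out::println);
    }
}
```

Comparing employees by name rather than by identity keeps the check correct when the caller itself arrives wrapped in a proxy; in a real system the comparison key would be the employee's primary key.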
Data-Driven Authorization: Using Aspects
Sequence diagram with the same participants and numbered messages as the EJB security diagram (ejb, ejbHelper, employee :Employee, ejbContext, auditTrail, securityException; 1: doOperation, 1.1: getSalary, 1.1.1: getPrincipal, 1.1.2: getEmployee, 1.1.3: reportsTo, 1.1.4: record(), 1.1.5: new, 1.1.6: throws), with the check now performed by the EmployeeDataAuthorization aspect.
Policy Definition Aspect

```java
public aspect SecurityPolicy {
    // sensitive Employee accessors called, directly or indirectly, from a top-level EJB execution
    public pointcut securedCall(ManagedSessionBean ejb) :
        cflow(EjbPointcuts.ejbTopLevelExec(*) && this(ejb))
        && (call(* Employee.getSalary(..))
            || call(* Employee.getSSN(..))
            || call(* Employee.getAddress(..)));
}
```
Data Authorization Aspect

```java
public aspect EmployeeDataAuthorization {
    before(ManagedSessionBean ejb, Employee employee) :
            SecurityPolicy.securedCall(ejb) && target(employee) {
        Principal p = ejb.getContext().getPrincipal();
        Employee caller = Employee.getEmployee(p);
        if (caller == null || !employee.reportsTo(caller)) {
            // record attempted security violation
            throw new AuthorizationException("…");
        }
        // and log data access to audit trail
    }
}
```
Security: UI Filtering Requirements
• Only authorized fields
• Only links to authorized resources
• Edit field only if authorized
• Saved same key as edited
• Within JSP, Servlet, etc.
AOP Implementation Strategy for JSP
Advice finds unauthorized field display
• catch SecurityExceptions and flag
Filter removes complete context
• We’ll use a servlet filter
• Can also intercept PageContextFactory to extend PageContext to wrap the PrintWriter
Deployment options:
• precompile JSPs, then link aspects in
• configure JSP compiler to use ajc (we’ll use this with Tomcat)
• the classloader (if available, e.g., WLS)
Catching Unauthorized Fields in JSP

```java
Object around() throws JspException :
        securityChecks() && call(* *(..) throws (Throwable || Exception || JspException)) {
    try {
        return proceed();
    } catch (JspException je) {
        // Struts stores the root cause under Globals.EXCEPTION_KEY in request scope
        Exception e = (Exception) pageContext.getAttribute(Globals.EXCEPTION_KEY, PageContext.REQUEST_SCOPE);
        if (e instanceof SecurityException) {
            handleSecurityException(e);
            return null; // void or filtered...
        }
        throw je;
    }
}
```
Aspect Uses FilteringResponse

```java
Object around() : securityChecks() {
    try {
        return proceed();
    } catch (SecurityException e) {
        handleSecurityException(e);
        return null; // void or filtered...
    }
}

private void handleSecurityException(Exception e) {
    try {
        jspWriter.flush(); // force buffer synch
    } catch (java.io.IOException ioe) {
        throw new RuntimeException("error flushing", ioe);
    }
    // specialized Response object adds the position to
    // a list of "locations to filter"; the contents are
    // then removed when flushing the buffer
    response.removeCurrentSection();
}
```
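The specialized Response object the advice relies on is the part that is easy to get wrong: the half-written markup around a denied value has to disappear, not just the value. The following is an added illustration, not code from the deck or from any servlet container: a plain buffered response that records section start positions and truncates back to the last one on a SecurityException. FilteringResponse, beginSection, endSection, removeCurrentSection, commit and renderField are names chosen for the example; renderField plays the role of the around advice on securityChecks(), and the fields and values are constructed. In a container the same buffer would sit inside an HttpServletResponseWrapper.

```java
import java.io.IOException;
import java.io.Writer;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.function.Supplier;

public class FilteringResponseDemo {

    /** Buffered response: sections are marked by buffer position and can be cut out before the buffer is sent. */
    public static final class FilteringResponse {
        private final StringBuilder buffer = new StringBuilder();
        private final Deque<Integer> sectionStarts = new ArrayDeque<>();

        /** The writer the JSP writes to; everything lands in the buffer, nothing reaches the client yet. */
        public Writer getWriter() {
            return new Writer() {
                @Override public void write(char[] cbuf, int off, int len) { buffer.append(cbuf, off, len); }
                @Override public void flush() { }   // nothing to push: the buffer is committed explicitly
                @Override public void close() { }
            };
        }
        /** Advice calls this before a guarded tag renders: remember where its output starts. */
        public void beginSection() { sectionStarts.push(buffer.length()); }
        /** Guarded tag finished normally: its output stays. */
        public void endSection() { sectionStarts.pop(); }
        /** Guarded tag raised SecurityException: discard everything written since beginSection(). */
        public void removeCurrentSection() { buffer.setLength(sectionStarts.pop()); }
        /** Send the filtered buffer (in a servlet this is what the wrapper's flushBuffer would emit). */
        public String commit() { return buffer.toString(); }
    }

    /**
     * Stand-in for the around advice on securityChecks(): render one field, and if the value lookup
     * throws SecurityException, drop the partially written markup instead of letting it reach the browser.
     */
    public static void renderField(FilteringResponse response, String label, Supplier<String> value) throws IOException {
        Writer out = response.getWriter();
        response.beginSection();
        try {
            out.write("<tr><td>" + label + "</td><td>");
            out.write(value.get());               // the authorization check runs inside the getter
            out.write("</td></tr>\n");
            response.endSection();
        } catch (SecurityException e) {
            out.flush();                          // force buffer synch, as in handleSecurityException
            response.removeCurrentSection();      // the half-written row disappears, not just the value
        }
    }

    /** Constructed page: the salary getter denies this caller when callerMayReadSalary is false. */
    public static String renderPage(boolean callerMayReadSalary) throws IOException {
        FilteringResponse response = new FilteringResponse();
        Writer out = response.getWriter();
        out.write("<table>\n");
        renderField(response, "Name", () -> "dev");
        renderField(response, "Salary", () -> {
            if (!callerMayReadSalary) throw new SecurityException("not authorized: getSalary");
            return "90000";
        });
        renderField(response, "Office", () -> "B-12");
        out.write("</table>\n");
        return response.commit();
    }

    public static void main(String[] args) throws IOException {
        System.out.println(renderPage(false));   // table with Name and Office rows only
        System.out.println(renderPage(true));    // all three rows
    }
}
```

Because the buffer is only committed at the end, the removal is invisible to the client; a response that had already been flushed to the socket could not be filtered this way, which is why the slides flush the JspWriter into the specialized response rather than to the network.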
Security Integration
Many options for each of
• Application AAA
• Data Protection
• Message Protection
Scenarios have illustrated
• Trade-offs among approaches
• Possible integration ideas
Standards are improving integration, but architecture is needed
Conclusion
Application Security is multi-faceted
• Many challenges
• Pervasive in solutions
• Additional to infrastructure security
Solutions are available
• Need for explicit policy
• Various trade-offs
• An effective architecture is critical to integrate the new technologies