eXtreme Enterprise Security
DESCRIPTION
Security is still the problem child of Java EE. The role-based access-control concept has proven unsuitable in practice. This session presents an alternative approach: domain security. It shows how business logic and access logic can be kept separate for the sake of maintainability, even when access is determined by the domain.
TRANSCRIPT
Arne Limburg / open knowledge GmbH
eXtreme Enterprise Security
About me: Arne Limburg, @ArneLimburg, Enterprise Architect at open knowledge GmbH (@_openknowledge, www.openknowledge.de). Focus: • JPA • CDI
Enterprise Application Security
Authentication
Authorization
Network security - OS - firewall - TCP/IP
Web server - configuration
Communication security - HTTP / HTTPS - application firewall
Example application: e-learning platform
Security requirements
• Only lecturers may create courses
• Lecturers may create lessons for their own courses
• Lecturers may only see students who attend their courses
• Students may only see fellow students with whom they share a course
Authentication vs. Authorization
Who is the current user?
Authentication
Username / password
Public key
OAuth
Biometric
Kerberos
Authentication in a web app: web.xml

```xml
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>JAAS</realm-name>
  <form-login-config>
    <form-login-page>/login.xhtml</…>
    <form-error-page>/error.xhtml</…>
  </form-login-config>
</login-config>
```
Servlet 3.0 authentication

```java
public void login(HttpServletRequest request, String username, String password)
        throws ServletException {
    request.login(username, password);
}

public void logout(HttpServletRequest request) throws ServletException {
    request.logout();
}
```
What is the current user allowed to do?
Authorization
Role-based
User permissions
Access control lists
Domain object security
JAAS
• Pluggable authentication
• Authorization
  – Pluggable policy provider
  – Permission checks via AccessController
Java Permissions: policy file

```
grant principal de…User "arne" {
    permission de…ExecPermission "de…CourseDao.find*";
};

grant principal de…User "admin" {
    permission de…ExecPermission "de…CourseDao.*";
};
```
Java Permissions

```java
public class ExecPermission extends BasicPermission {
    public ExecPermission(String methodName) {
        super(methodName);
    }
}
```
Java Permissions

```java
public void create(Course course) {
    String methodName = "de…CourseDao.create";
    AccessController.checkPermission(new ExecPermission(methodName));
    entityManager.persist(course);
}
```
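As an added example (not the talk's code and not from any project it mentions), the three pieces above, the policy file, the ExecPermission class and the AccessController check, done programmatically in plain Java so that it runs without the SecurityManager and Policy machinery, which is deprecated in current JDKs. One caveat worth knowing: BasicPermission only treats a trailing ".*" (or a lone "*") as a wildcard, so a policy entry such as "CourseDao.find*" would be matched literally by an ExecPermission derived from it; the version below therefore derives from Permission and implements the prefix match itself. The package name de.example, the UserPrincipal record, the ExecPolicy class and the DAO bodies are assumptions made for the illustration.

```java
import java.security.Permission;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example (ExecPermissionDemo.java); run with: java ExecPermissionDemo.java
public class ExecPermissionDemo {
    public static void main(String[] args) {
        // Constructed grants mirroring the policy file above; the package "de.example" is assumed.
        ExecPolicy policy = new ExecPolicy()
            .grant("arne", "de.example.CourseDao.find*")
            .grant("admin", "de.example.CourseDao.*");
        CourseDao dao = new CourseDao(policy);
        Principal admin = new UserPrincipal("admin");
        Principal arne = new UserPrincipal("arne");

        dao.create(admin, "JPA Security 101");       // admin: "CourseDao.*" covers create
        System.out.println(dao.findById(arne, 0));    // arne: "find*" covers findById
        try {
            dao.create(arne, "Not allowed");           // arne: "find*" does not cover create
        } catch (SecurityException denied) {
            System.out.println("denied: " + denied.getMessage());
        }
    }
}

// Stands in for the "de…User" principal class on the slide (assumed name).
record UserPrincipal(String name) implements Principal {
    @Override public String getName() { return name; }
}

// Like the slide's ExecPermission, but derived from Permission: a trailing "*" is a prefix
// wildcard, so "CourseDao.find*" covers findById, findAll, and so on.
final class ExecPermission extends Permission {
    ExecPermission(String methodName) { super(methodName); }

    @Override public boolean implies(Permission p) {
        if (!(p instanceof ExecPermission)) return false;
        String pattern = getName(), target = p.getName();
        return pattern.endsWith("*")
            ? target.startsWith(pattern.substring(0, pattern.length() - 1))
            : pattern.equals(target);
    }
    @Override public boolean equals(Object o) {
        return o instanceof ExecPermission && getName().equals(((ExecPermission) o).getName());
    }
    @Override public int hashCode() { return getName().hashCode(); }
    @Override public String getActions() { return ""; }
}

// Programmatic counterpart of the policy file: granted patterns per principal name (assumed class).
final class ExecPolicy {
    private final Map<String, List<ExecPermission>> grants = new HashMap<>();

    // Equivalent of: grant principal UserPrincipal "<name>" { permission ExecPermission "<pattern>"; };
    ExecPolicy grant(String principalName, String pattern) {
        grants.computeIfAbsent(principalName, k -> new ArrayList<>()).add(new ExecPermission(pattern));
        return this;
    }

    // Mirrors AccessController.checkPermission: denial is an exception, never a silent false.
    void checkPermission(Principal principal, String methodName) {
        ExecPermission wanted = new ExecPermission(methodName);
        boolean granted = grants.getOrDefault(principal.getName(), List.of())
                                .stream().anyMatch(p -> p.implies(wanted));
        if (!granted) {
            throw new SecurityException(principal.getName() + " may not execute " + methodName);
        }
    }
}

// A DAO guarded the way the create() method above is: the check precedes the persist.
final class CourseDao {
    private final ExecPolicy policy;
    private final List<String> persisted = new ArrayList<>(); // stands in for the EntityManager

    CourseDao(ExecPolicy policy) { this.policy = policy; }

    void create(Principal caller, String courseTitle) {
        policy.checkPermission(caller, "de.example.CourseDao.create");
        persisted.add(courseTitle);
    }

    String findById(Principal caller, int id) {
        policy.checkPermission(caller, "de.example.CourseDao.findById");
        return persisted.get(id);
    }
}
```

The method name passed to checkPermission is a string the developer has to keep in sync with the actual method, which is one of the reasons the next slide calls this approach laborious and hard to maintain.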
Conclusion: Permissions
• Every security requirement can be expressed
• But
  – Far too laborious
  – Poorly maintainable
⇒ Extensions needed
What is the current user allowed to do?
Authorization
Role-based
User permissions
Access control lists
Domain object security
Role based Access Control
(Diagram: permissions such as "Create Course", "See Course", "See Student", … are assigned to the roles Teacher and Student; users such as Teacher 1, Student 1, Student 2, … are assigned to roles.)
Role based Access Control
Servlet spec → permissions for web resources
Role based Access Control: web.xml

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>New Course</…>
    <url-pattern>/courses/create.xhtml</…>
  </web-resource-collection>
  <auth-constraint>
    <role-name>teacher</…>
  </auth-constraint>
</security-constraint>
```
Role based Access Control
Servlet spec → permissions for web resources
Java EE Security → permissions for classes and methods
Role based Access Control in Java EE
@DeclareRoles @RolesAllowed @PermitAll @DenyAll
Role Based Access Control

```java
@RolesAllowed("teacher")
public Course create(Teacher lecturer, …) {
    Course course = new Course(lecturer, …);
    entityManager.persist(course);
    return course;
}
```

Requirement: Lecturers may only create their own courses.
Role Based Access Control

```java
@Resource
private EJBContext ejbContext;

public Course create(Teacher lecturer, …) {
    Principal caller = ejbContext.getCallerPrincipal();
    if (!lecturer.equals(caller)) {
        throw new SecurityException(…);
    }
    …
}
```

The role concept is very limited!
More complex access-control requirements end up "scattered" throughout the code!
⇒ Maintainability and extensibility problems!
Alternatives to role-based access control?
Alternatives to role-based access control?
Permissions should not be granted according to what the user is (which role they have),
but according to what they are allowed to do!
Example I

Role-based:

```xml
<h:outputLink value="editCourse.xhtml" rendered="#{sec:isUserInRole('teacher')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```

Permission-based:

```xml
<h:outputLink value="editCourse.xhtml" rendered="#{sec:hasPermission('editCourse')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```

Domain-object-based:

```xml
<h:outputLink value="editCourse.xhtml" rendered="#{sec:canUpdate(course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```

Example II

Role-based:

```xml
<h:outputLink value="createLesson.xhtml" rendered="#{sec:isUserInRole('teacher')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```

Permission-based:

```xml
<h:outputLink value="createLesson.xhtml" rendered="#{sec:hasPermission('createLesson')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```

Domain-object-based:

```xml
<h:outputLink value="createLesson.xhtml" rendered="#{sec:canCreate('Lesson', course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```
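The three variants of the rendered attribute differ only in what they ask; the point of the domain-object variant is that the answer comes from one place that knows the domain. As an added example (plain Java, not the talk's code and not tied to JSF), here are the four requirements of the example application implemented in a single DomainSecurity class that both a view expression such as sec:canCreate('Lesson', course) and a service method could call. The domain classes, the DomainSecurity name and the sample data are constructed for the illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added example (DomainSecurityDemo.java); run with: java DomainSecurityDemo.java
public class DomainSecurityDemo {
    public static void main(String[] args) {
        // Constructed sample data for the e-learning example.
        Teacher arne = new Teacher("arne");
        Teacher beate = new Teacher("beate");
        Student carl = new Student("carl");
        Student dana = new Student("dana");
        Student emil = new Student("emil");
        Course jpa = new Course("JPA", arne, Set.of(carl, dana));
        Course cdi = new Course("CDI", beate, Set.of(emil));

        DomainSecurity sec = new DomainSecurity(List.of(jpa, cdi));
        // The same decisions the rendered="#{sec:...}" expressions above would make:
        System.out.println(sec.canCreate(arne, "Course", null));  // true: lecturers create courses
        System.out.println(sec.canCreate(carl, "Course", null));  // false: students do not
        System.out.println(sec.canCreate(arne, "Lesson", cdi));   // false: not arne's course
        System.out.println(sec.canUpdate(beate, cdi));            // true: beate is the lecturer
        System.out.println(sec.visibleStudents(arne));            // [carl, dana]
        System.out.println(sec.visibleStudents(carl));            // [carl, dana]
        System.out.println(sec.visibleStudents(emil));            // [emil]
    }
}

// Minimal constructed domain model; both Teacher and Student can be the current principal.
interface User { String name(); }
record Teacher(String name) implements User {}
record Student(String name) implements User {}
record Course(String title, Teacher lecturer, Set<Student> participants) {}

// All access rules of the e-learning example live here; UI and business code only ask, never decide.
final class DomainSecurity {
    private final List<Course> courses; // stands in for the course repository

    DomainSecurity(List<Course> courses) { this.courses = courses; }

    // Requirements 1 and 2: only lecturers create courses; lessons only for the lecturer's own course.
    boolean canCreate(User principal, String type, Course context) {
        switch (type) {
            case "Course": return principal instanceof Teacher;
            case "Lesson": return context != null && canUpdate(principal, context);
            default: return false; // unknown object types are denied, not silently allowed
        }
    }

    // A course may only be changed by its lecturer.
    boolean canUpdate(User principal, Course course) {
        return course.lecturer().equals(principal);
    }

    // Requirements 3 and 4: lecturers see the participants of their courses,
    // students see the participants of courses they attend themselves.
    boolean canRead(User principal, Student student) {
        return courses.stream().anyMatch(c ->
            c.participants().contains(student)
            && (c.lecturer().equals(principal) || c.participants().contains(principal)));
    }

    // The same rule applied as a filter, which is what a findAll() for students needs.
    List<String> visibleStudents(User principal) {
        return courses.stream()
            .flatMap(c -> c.participants().stream())
            .filter(s -> canRead(principal, s))
            .map(Student::name)
            .distinct().sorted()
            .collect(Collectors.toList());
    }
}
```

Because canRead is the single source of truth, visibleStudents is just canRead applied to every candidate; the sections on Spring Security and JPA Security below are about where that filter runs (in memory or in the database) and who is responsible for keeping it in sync with the domain.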
Authorization concepts – evaluation
Development effort
Runtime
Separation of concerns
What is the current user allowed to do?
Authorization
Role-based
User permissions
Access control lists
Domain object security
Access Control Lists
(Diagram: an object has an access control list made up of access control entries, each referring to a user: User 1, User 2, User 3.)
Spring Security
Security for Spring-based web apps
• Extensive authentication modules
• Authorization
  – Request-based
  – Method-based
  – Access control lists
ACLs in Spring Security

```java
public List<Student> findAll() {
    TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```

Requirements: Lecturers may only see students who attend their courses.
Students may only see fellow students with whom they share a course.
ACLs in Spring Security: Spring context

```xml
<global-method-security pre-post-annotations="enabled" />
```
ACLs in Spring Security

```java
@PostFilter("hasPermission(filterObject, 'read')")
public List<Student> findAll() {
    TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```

Problem:
Filtering happens in memory!
⇒ Poor performance on large data sets!
ACLs in Spring Security

```java
@PreAuthorize("hasPermission(#course, 'create')")
public void create(Course course) {
    entityManager.persist(course);
}
```

Result: AccessDeniedException

Further problem:
How do the ACLs get into the database?
ACLs in Spring Security

```java
@PostAuthorize("hasPermission(returnedObject, 'create')")
public Course create(Course course) {
    entityManager.persist(course);
    ObjectIdentity identity = new ObjectIdentityImpl(Course.class, course.getId());
    String name = course.getTeacher().getName();
    PrincipalSid principal = new PrincipalSid(name);
    MutableAcl acl = aclService.createAcl(identity);
    acl.insertAce(0, BasePermission.CREATE, principal, true);
    aclService.updateAcl(acl);
    return course;
}
```
ACLs in Spring Security

```java
public void add(Course course, Student student) {
    course.subscribe(student);
    createACE(student, course.getLecturer());
    for (Student participant : course.getParticipants()) {
        createACE(student, participant);
        createACE(participant, student);
    }
}
```

Creating and deleting ACLs ends up "scattered" throughout the code!
⇒ Maintainability and extensibility problems!
What happens if a developer forgets to create or delete an ACL?
Conclusion: ACLs in Spring Security
(Rating chart with the criteria runtime, development effort and separation of concerns.)
What is the current user allowed to do?
Authorization
Role-based
User permissions
Access control lists
Domain object security
Domain-object-based

```java
@PreAuthorize("#lecturer == principal")
@PostAuthorize("returnedObject.lecturer == principal")
public Course create(Teacher lecturer, …) {
    Course course = new Course(lecturer, …);
    entityManager.persist(course);
    return course;
}
```

What if the course is not created via the create method?
Seam Security
Security for Seam applications
• JAAS-based authentication
• Rule-based authorization
  – Seam 2 Security: Drools
  – Seam 3 Security: PicketLink with AuthZ
Seam 2 Security
Security for Seam applications
• JAAS-based authentication
• Rule-based authorization
  – JSF pages
  – Business logic
  – Entities
Entity security in Seam 2

```java
@Restrict
@Entity
public class Course { … }
```
Entity security in Seam 2: Drools configuration

```
rule CreateCourse
  no-loop
  activation-group "permission"
when
  principal: Principal()
  course: Course(lecturer: lecturer -> (lecturer.equals(principal)))
  check: PermissionCheck(target == course, action == "insert", granted == false)
then
  check.grant();
end;
```
Entity security with Seam 2: orm.xml

```xml
<persistence-unit-metadata>
  <persistence-unit-defaults>
    <entity-listeners>
      <entity-listener class="org.jboss.seam.security.EntitySecurityListener" />
    </entity-listeners>
  </persistence-unit-defaults>
</persistence-unit-metadata>
```
Entity security with Seam 2

```java
public List<Student> findAll() {
    TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```

Result: AuthorizationException
⇒ Two methods necessary
Entity security with Seam 2

```java
public List<Student> find(Teacher lecturer) { … }

public List<Student> find(Student fellow) { … }
```

Which one is called depends on the currently logged-in user!
Entity security with Seam 2

```java
public List<Student> findAll() {
    Principal caller = ejbContext.getCallerPrincipal();
    if (caller instanceof Teacher) {
        return find((Teacher) caller);
    } else {
        return find((Student) caller);
    }
}
```

Security "scattered" throughout the code again!
Conclusion: entity security with Seam Security
(Rating chart with the criteria runtime, development effort and separation of concerns.)
JPA Security
Security framework for JPA
• Pluggable authentication
• Authorization
  – JSP and JSF support
  – Access check on CRUD operations
  – In-memory filtering of collections
  – In-database filtering of queries (JPQL and Criteria)
Entity security with JPA Security

```java
@Permit(access = AccessType.CREATE, rule = "lecturer = CURRENT_PRINCIPAL")
@Entity
public class Course { … }
```

Automatic check on entityManager.persist(…), entityManager.merge(…) or on cascading!
Entity security with JPA Security

```java
public List<Student> findAll() {
    TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```

Automatic filtering of JPA queries and Criteria queries!
Entity security with JPA Security

```java
@PermitAny({
    @Permit(access = AccessType.READ,
            rule = "this IN (SELECT p"
                 + " FROM Course course"
                 + " JOIN course.participants p"
                 + " WHERE course.lecturer"
                 + " = CURRENT_PRINCIPAL"),
    @Permit(…)
})
@Entity
public class Student { … }
```
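To make concrete what "automatic filtering of queries" means, here is an added example (plain Java, not JPA Security's code) of a toy JPQL rewriter: it takes the READ rules declared with @Permit or @PermitAny on an entity and turns an unrestricted `SELECT s FROM Student s` into one whose WHERE clause the database evaluates, which is what avoids the in-memory filtering problem seen with @PostFilter. The lecturer-side rule is the one from the annotation above; the student-side rule, the class names and the :currentPrincipal parameter are assumptions. It handles only single-entity queries and does not rename sub-query aliases, so a query whose alias collides with one used in a rule (such as p or course) would be rewritten wrongly; the real framework works on the parsed query and also covers Criteria queries.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.StringJoiner;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (SecureQueryDemo.java); run with: java SecureQueryDemo.java
public class SecureQueryDemo {
    public static void main(String[] args) {
        SecureQueryRewriter rewriter = new SecureQueryRewriter();
        // The READ rule from the @PermitAny annotation above (lecturer side) ...
        rewriter.permitRead("Student",
            "this IN (SELECT p FROM Course course JOIN course.participants p"
            + " WHERE course.lecturer = CURRENT_PRINCIPAL)");
        // ... and an assumed second rule standing in for the elided @Permit(…) (student side).
        rewriter.permitRead("Student",
            "this IN (SELECT q FROM Course c JOIN c.participants q"
            + " WHERE CURRENT_PRINCIPAL MEMBER OF c.participants)");

        System.out.println(rewriter.rewrite("SELECT s FROM Student s"));
        System.out.println(rewriter.rewrite("SELECT s FROM Student s WHERE s.name LIKE 'A%'"));
        System.out.println(rewriter.rewrite("SELECT c FROM Course c")); // no READ rule: unchanged
    }
}

// Toy rewriter (assumed class): rules per entity, applied to "SELECT alias FROM Entity alias [WHERE …]".
final class SecureQueryRewriter {
    private static final Pattern SIMPLE_QUERY = Pattern.compile(
        "(?is)^\\s*SELECT\\s+(\\w+)\\s+FROM\\s+(\\w+)\\s+(\\w+)(?:\\s+WHERE\\s+(.+?))?\\s*$");

    private final Map<String, List<String>> readRules = new HashMap<>();

    // Registers one @Permit(access = READ, rule = …) of an entity; several form a @PermitAny.
    void permitRead(String entity, String rule) {
        readRules.computeIfAbsent(entity, k -> new ArrayList<>()).add(rule);
    }

    String rewrite(String jpql) {
        Matcher m = SIMPLE_QUERY.matcher(jpql);
        if (!m.matches()) {
            throw new IllegalArgumentException("unsupported query shape: " + jpql);
        }
        String selected = m.group(1), entity = m.group(2), alias = m.group(3), where = m.group(4);
        if (!selected.equals(alias)) {
            throw new IllegalArgumentException("only whole-entity selections are supported");
        }
        List<String> rules = readRules.getOrDefault(entity, List.of());
        if (rules.isEmpty()) {
            return jpql; // toy choice: an entity without READ rules is left unfiltered
        }
        // @PermitAny semantics: access if any rule holds, so the rules are OR-ed together.
        StringJoiner anyRule = new StringJoiner(" OR ", "(", ")");
        for (String rule : rules) {
            anyRule.add("(" + bindRule(rule, alias) + ")");
        }
        String filter = where == null ? anyRule.toString() : "(" + where + ") AND " + anyRule;
        return "SELECT " + alias + " FROM " + entity + " " + alias + " WHERE " + filter;
    }

    // "this" refers to the entity being filtered; CURRENT_PRINCIPAL becomes a query parameter
    // that the caller binds to the authenticated user, so the database does the filtering.
    private static String bindRule(String rule, String alias) {
        return rule.replaceAll("\\bthis\\b", alias)
                   .replaceAll("\\bCURRENT_PRINCIPAL\\b", ":currentPrincipal");
    }
}
```

The existing WHERE clause is wrapped in parentheses before the rules are appended with AND, so a user-supplied condition containing OR cannot widen the result set beyond what the rules allow; the rules themselves are code, never user input.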
Entity security with JPA Security: persistence.xml

Before, with Hibernate as the persistence provider:

```xml
<persistence …>
  <persistence-unit name="…">
    <provider>org.hibernate.ejb.HibernatePersistence</…>
    <properties>
      …
    </properties>
  </persistence-unit>
</persistence>
```

JPA Security's SecurePersistenceProvider takes the place of the provider …

```xml
<persistence …>
  <persistence-unit name="…">
    <provider>net.sf.jpase…SecurePersistenceProvider</…>
    <properties>
    </properties>
  </persistence-unit>
</persistence>
```

… and delegates to the original provider, which is configured as a property:

```xml
<persistence …>
  <persistence-unit name="…">
    <provider>net.sf.jpase…SecurePersistenceProvider</…>
    <properties>
      <property name="net.sf.jpasecurity.persistence.provider"
                value="org.hibernate.ejb.HibernatePersistence"/>
    </properties>
  </persistence-unit>
</persistence>
```
Conclusion: JPA Security
(Rating chart with the criteria runtime, development effort and separation of concerns.)
Live Demo
Arne Limburg / open knowledge GmbH
Time for questions and discussion
Thank you! http://www.openknowledge.de/publikationen/vortraege.html
Arne Limburg / open knowledge GmbH
Thank you!