Documente Academic
Documente Profesional
Documente Cultură
EJB-tier
Security
Sang Shin
sang.shin@sun.com
www.javapassion.com/j2ee
Technology Evangelist
Sun Microsystems, Inc.
07/16/2003
Agenda
? Security issues (review)
? J2EE security architecture & concepts
? Authorization (at EJB-tier)
? Authentication (at EJB-tier)
? Confidentiality and integrity (at EJB-tier)
? Security context propagation (at EJB-tier)
? Issues to be discussed in “J2EE security
best practices” (advanced J2EE
programming course)
5
General Security
Issues (Review)
These are general security issues which we talked about during the security
basics session. So let's just quickly review them here again.
Confidentiality is sometimes called privacy and it means that the data should
be accessible only to the party the data is intended. It means nobody can
07/16/2003
Data integrity is making sure data does not get tampered with while it is on
the wire.
The security issues on this slide are not standardized yet by J2EE specification
but most of the commercial vendors support these security features as value-
added features.
07/16/2003
J2EE Security
Architecture
Roles
Principals
Network infrastructure
At both web-tier and EJb-tier, the concept of abstract role is important. The
container can enforce access control based on roles defined in the web-tier and
EJB-tier. Under J2EE, user credentials are represented in the form of Principal
objects. The Principal objects are created from the actual user identity
information that was entered by user.
Also under J2EE arcitecture, the transport level security such as SSL can be
leveraged for confidentiality.
07/16/2003
11
Now let's talk a bit on security services that J2EE containers provide. One of
the system services that container provides is enforcing security policy that is
specified in the deployment descriptor. The security policy can be specified
by bean developer and deployer of the application. Obviously Web-tier
container enforces security policy specified in web.xml deployment descriptor
and EJB container will enforce security policy specified in ejb-jar.xml
deployment descriptor.
Transport-layer Security
? Provides encryption over TCP/IP
connection
? SSL & TLS
? Supports encryption
? Between Web browser and Web-tier
components
? Between EJB container to EJB container (from
EJB 2.0)
? Between CORBA client and EJB container (from
EJB 2.0)
Now we talked about this during Web application security session. But I
would like to talk about this one more time because it is important for you to
understand this.
J2EE security is an abstraction. What this means is that when you are writing
your J2EE application, basically you have to deal with the user identity as an
abstraction. This is because when you are writing your J2EE application, you
don't know over which operating system or App server or realms your
applications will run. That is, different deployment environment have
different ways of maintaining their user identity information. Some
environment use username/password while others might use certificates or
kerberos. Some environments might use combination of theses. Also the
user identity information can be maintained using different schemes, for
example, LDAP server, or database or file system. In some cases, they are
tied up with operating system specific ways.
07/16/2003
Now under this abstract J2EE security scheme, there are notions of Principals,
Roles, and Role mappings. By “Role”, we mean abstract “Roles”, which in
turn need to be mapped into concrete roles during deployment time.
07/16/2003
Now just to repeat the concept of abstract security role we talked about in
the previous slides, bean developers should be able to define the access
control with no dependence on security schemes of a particular operating
environment, that is, no dependence on the security schemes of operating
systems, app server products, or even operating environments. What this
means is that there has to be a mapping between abstract security roles and
operating environment environment specific user names and groups at the
time of deployment.
Role Mapping
Group 1
User1 User2 User3
Vendor-
specific
Principal1 Principal2 Principal3
Role1 Role2
J2EE
Role Role
reference1 reference2
16
source: Applied Enterprise JavaBeans[1]
18
Now let's talk a little bit of declarative versus programmatic access control.
The declarative access control means the access control policy is specified
inside the deployment descriptor. For example, at EJB tier, a bean developer
or deployer can specify which role can access what methods. The
programmatic access control means you as a bean developer can enforce
access control based on programming logic. For example, you can enforce
access control in such a way that only people who belong to a particular role
can invoke a certain set of methods of a bean. In general, both declarative
and programmatic access controls are used together.
07/16/2003
Authorization
(Access Control)
07/16/2003
4 Types of Authorization
(Access Control) over J2EE
• Web-tier vs. EJB-tier
– Can be used together
• Declarative vs. Programmatic
– Can be used together
• 4 possible combination
– Declarative access control at Web-tier
– Programmatic access control at Web-tier
– Declarative access control at EJB-tier
– Programmatic access control at EJB-tier
21
07/16/2003
First let's compare web-tier access control versus ejb-tier access control.
At both tiers, there could be both declarative and programmatic access
control.
Declarative
Authorization
at EJB-tier
25
26
<assembly-descriptor>
<security-role>
<description>People manages other people</description>
<role-name>manager</role-name>
</security-role>
<security-role>
<description>People who are employeed</description>
<role-name>employee</role-name>
</security-role>
</assembly-descriptor>
...
27
<assembly-descriptor>
<method-permission>
<role-name>manager</role-name>
<method>
<ejb-name>EmploySalary</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
<method-permission>
<role-name>employee</role-name>
<method>
<ejb-name>EmploySalary</ejb-name>
<method-name>doNothingMuch</method-name>
</method>
</method-permission>
</assembly-descriptor>
...
28
Programmatic
Authorization
at EJB-tier
Now these roles are called abstract roles because they are not
really actual roles defined in the actual operational environments.
In other words, as a bean developer, you don't know how each
operational environment define their users and the roles they
play. So in the bean you use the abstract roles.
Assembly Descriptor
Method level
“ payroll-dept” permissions
Assembler
Container Specific
“ payroll-group” (Operational User)
Deployer
Bean provider may and will probably not use role-names that are compatible with
your application
The assembler maps the bean provider’s role-names with links to role-names
used by the application
The <role-link> tag in the EJB container does not have the same use as in
the Web container, where <role-link> is a direct link to the operational
role
The container provides deployment tools to map the assembler’s logical roles to
the containers operational roles.
This is container specific
07/16/2003
Authentication
O
07/16/2003
J2EE Authentication
? J2EE security is an abstraction of real security
infrastructure
? Authentication does not resolve into actual
(operating environment specific) userid but
resolves into a “Principal”
? Principal is an abstract user identity
– A user might have multiple Principals depending on
authentication schemes (username/password,
certificate-based, eyescan, etc..)
37
T
07/16/2003
Authentication at EJB-Tier
? Authentication is the job of the container
not the EJB developer
? Authentication schemes are container
specific
– Recommended, but not required:
• Username/password
• X.509
• Kerberos
? Programmatic authentication is not
supported
07/16/2003
T
07/16/2003
40
T
07/16/2003
EJB
Servlet/JSP EJB
HTTP EIS
Client EJB
Web
Container EJB
Container
Initiator Intermediate
41
07/16/2003
Protection Domains
for the J2EE Platform
N
07/16/2003
43
T
07/16/2003
Client Container
? Client container is wrapper of EJB client
application
? Client container collects user credentials and
authenticate the user against the EJB server
before it passes control to the client program
– User credential could be
? username/password pair, certificate
– Client container implementation varies in their
sophistication
? graphical display or text display or part of library
44
T
07/16/2003
45
T
07/16/2003
EJB-tier Confidentiality
& Integrity
O
07/16/2003
Confidentiality for
EJB Components
? J2EE 1.3 Containers must support SSL
3.0 and TLS 1.0
? Configuration is container-specific
? Not declared in deployment descriptor
07/16/2003
Integrity
? Ensures that a message has not
been modified
? Java technology provides programmatic
support for message digests
– java.security.*
– Java Cryptography Extension (JCE)
48
U
07/16/2003
Possible Combinations
EJB-tier Security
O
07/16/2003
50
U
07/16/2003
Security Context
Propagation at EJB-tier
EJB1 EJB2
Client P1 P2
method1() method2()
I
07/16/2003
“ EJB Identity” at P2
? Delegated
<security-identity>
<run-as>
<role-name>
RoleNameTobePropagated
</role-name>
</run-as>
</security-identity>
? Propagated
<security-identity>
<use-caller-identity/>
</security-identity>
53
G
07/16/2003
Example: Propagated
• Propagate client's identity to other
beans it calls
<enterprise-beans>
...
<session>
<ejb-name>EmployeeManagement</ejb-name>
<home>examples.EmployeeManagementHome</home>
...
<security-identity
<use-caller-identity/>
</security-identity>
</session>
...
54
S
07/16/2003
I
07/16/2003
Issues to be talked
about in “J2EE Security Best
Practices” session in
Advanced J2EE Programming
S
07/16/2003
I
07/16/2003
Resources
07/16/2003
Resources Used
? Applied Enterprise JavaBeans Technology written by
Kevin Boone (Sun Microsystems, Inc.), published by
Prentice Hall, 2003 [1]
? J2EE Tutorial in java.sun.com, 2002 [2]
? Mastering Enterprise JavaBeans, 2 nd edition written by
Ed Roman, published by Wiley, 2002 [3]
07/16/2003