java technologies java ee security
play

Java Technologies Java EE Security Securing Applications Software - PowerPoint PPT Presentation

Oct 11, 2022 •361 likes •702 views

Java Technologies Java EE Security Securing Applications Software Security - Protecting applications against malicious / unauthorized actions Desktop What kind of code is executed by the application, on the client machine? Where

  1. Java Technologies Java EE Security

  2. Securing Applications ● Software Security - Protecting applications against malicious / unauthorized actions ● Desktop – What kind of code is executed by the application, on the client machine? – Where does the code comes from? – Who wrote the code? ● Web – Who is accessing the application? – What operations does the client want to execute?

  3. Java SE Security ● SecurityManager ● Codebase ● Digital signatures ● Permissions – File, Socket, Net, Security, Runtime, Property, AWT, Reflect, Serializable, etc.

  4. SecurityManager ● A security manager is an object that defines a security policy for an application. ● It contains methods of type check... : checkRead (String file) throws SecurityException ,... – checkWrite (String file) throws SecurityException ,... – ● Called before potentially sensitive operation: public class java.io.File { ... public boolean canRead() { SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkRead(path); } FileSystem fs = FileSystem.getFileSystem(); return fs.checkAccess(this, FileSystem.ACCESS_READ); } }

  5. Java SE Permissions ● A policy file specifies which permissions are available for code from various sources ● CodeBase=URL ("from where") ● SignedBy ("from whom") grant signedBy "student" codeBase "file://d:/java/projects/" { permission java.io.FilePermission "/test/*" , "read, write"; }; java -Djava.security.manager -Djava.security.policy=test.policy TestApp

  6. Securing Java EE Applications ● Java EE applications are made up of components that are deployed into various containers. ● Security for components is provided by their containers ● Web Tier Security ● Enterprise Tier (EJB) Security ● Transport / Messages / Data Security

  7. Characteristics of Application Security ● Authentication – the users are who they say they are ● Authorization, or access control – the users have permissions – data integrity / (confidentiality) data privacy ● Non-repudiation – the transactions can be proved to have happened. ● Auditing – records of security-related events for the purpose of being able to evaluate the effectiveness of security policies and mechanisms.

  8. Security Layers ● Application-Layer – Declarative security expresses an application component's security requirements by using either deployment descriptors or annotations. – Programmatic security is embedded in an application and is used to make security decisions. ● Transport-Layer : cryptographic protocols: TLS, SSL for securing the network communication ● Message-Layer : security information is contained within the message and/or attachment, travelling along with it.

  9. Realm, User, Group, Role ● A realm is a security policy domain defined for a web or application server. A realm contains a collection of users , who may or may not be assigned to a group . ● A user is an individual or application program identity that has been defined in the server. ● A role is an abstract name for the permission to access a particular set of resources in an application. ● Credentials – data that contains or references security attributes used for authentication.

  10. Subject, Principal ● A Subject represents a grouping of related information for a single entity, such as a person. Such information includes the Subject's identities as well as its security- related attributes (passwords and cryptographic keys, for example). ● Subjects may potentially have multiple identities. Each identity is represented as a Principal within the Subject. Principals simply bind names to a Subject. For example, a Subject that happens to be a person, Alice, might ● have two Principals: one which binds "Alice Bar", the name on her driver license, to the Subject, and another which binds, "999-99- 9999", the number on her student identification card, to the Subject. Both Principals refer to the same Subject even though each has a different name.

  11. Securing the Web Layer ● Create the user domain (realm) – a common scenario is using a relational database ● Create the security roles ● Define the authentication mechanism ● Define the security constraints for accessing the Web resources ● Map users to roles

  12. Example: the users and groups tables create table groups ( id varchar(32) unique not null, name varchar(100) not null, primary key (id) ); insert into groups values ('admin', 'System Admin'); insert into groups values ('user', 'Common people'); insert into groups values ('manager', 'The Boss'); create table users( id varchar(32) unique not null, password varchar(64) not null, name varchar(100) not null, email varchar(100), primary key(id) ); insert into users values ( 'admin', encode(digest('admin', 'sha256'), 'hex'), 'Administrator' 'admin@mycompany.com');

  13. Example: grouping the users create table user_groups( group_id varchar(32) not null references groups(id) on delete restrict, user_id varchar(32) not null references users(id) on delete cascade, primary key (group_id, user_id) ); insert into user_groups values ('admin', 'admin');

  14. Configuring the Security Realm (GF) ● GF: Configuration → Security → Realms realm name: myapp-realm classname: com.sun.enterprise.security.ee.auth.realm.jdbc.JDBCRealm jaas-context : jdbcRealm datasource-jndi : jdbc/myDataSource user-table: users user-name-column : id password-column : password group-table : user_groups group-name-column : group_id group-table-user-name-column : user_id digestrealm-password-enc-algorithm : SHA-256 encoding: Hex charset: UTF-8 db-password db-user ● Or use asadmin: create-auth-realm command

  15. Creating the roles ● web.xml <security-role> <description>Administrator</description> <role-name> admin </role-name> </security-role> <security-role> <description>Management</description> <role-name> manager </role-name> </security-role> <security-role> <description>Normal user</description> <role-name> user </role-name> </security-role>

  16. Login Configuration ● web.xml <login-config> <auth-method> FORM </auth-method> <realm-name> myapp-realm </realm-name> <form-login-config> <form-login-page>/faces/login.xhtml</form-login-page> <form-error-page>/faces/login.xhtml</form-error-page> </form-login-config> </login-config> ● NONE, DIGEST, CLIENT CERTIFICATE, BASIC, FORM

  17. Digest Authentication ● Like basic authentication, digest authentication authenticates a user based on a user name and a password. ● However, unlike basic authentication, digest authentication does not send user passwords over the network. Instead, the client sends a one-way cryptographic hash of the password and additional data. ● Although passwords are not sent on the wire, digest authentication requires that clear-text password equivalents be available to the authenticating container so that it can validate received authenticators by calculating the expected digest.

  18. Client Certificate ● The web server authenticates the client by using the client’s public key certificate. Client authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client’s public key certificate. ● You can think of a public key certificate as the digital equivalent of a passport. The certificate is issued by a trusted organization, a certificate authority (CA), and provides identification for the bearer. ● Before using client authentication, make sure the client has a valid public key certificate.

  19. Implementing the Login in JSF FacesContext context = FacesContext.getCurrentInstance(); ExternalContext externalContext = context.getExternalContext(); HttpServletRequest request = (HttpServletRequest) externalContext.getRequest(); try { In the submit method of the login.xhtml backing bean. request.login( userId , password ); (or maybe in a helper User user = userRepo.findById(userId); AuthService class) ... externalContext.log("Login successful: " + userId); } catch (ServletException | RuntimeException e) { externalContext.log("Login failed: " + userId + "\n" + e); throw new MyLoginException(userId, e); }

  20. Implementing the login in HTML Using standard HTML form tags allows developers to specify the correct action and input IDs for the form. <form action=" j_security_check " method="POST"> <input type="text" name=" j_username " /> <input type="secret" name=" j_password " /> ... </form>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Java Technologies Java EE - Introduction First of All Course Information The Goal The

Java Technologies Java EE - Introduction First of All Course Information The Goal The

Java Technologies Java EE - Introduction First of All Course Information The Goal The Motivation Teaching / Learning Bibliography Evaluation Lab: problems, personal projects, essays easy Exam: written test /

711 views • 22 slides
Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of developing large , distributed applications. What components should contain the code that fulfills the purpose of the application: where should we write

779 views • 43 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by an application in order to persist its state, that is to store and retrieve information using some sort of database management system. Presentation

633 views • 60 slides
Java Technologies Java Server Faces (JSF) The Context Web Components (Servlets, JSP, Beans,

Java Technologies Java Server Faces (JSF) The Context Web Components (Servlets, JSP, Beans,

Java Technologies Java Server Faces (JSF) The Context Web Components (Servlets, JSP, Beans, etc.) = The Bricks needed for creating Web Apps Frameworks are sets of design patterns, APIs, and runtime implementations intended to

1.02k views • 64 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i &lt; 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i &lt; 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java Authoring Team: Bill Foote, Chihiro Saito, A. Sundararajan, Jaya Hangal TS-5449 Talk Outline HD Cookbook Community Overview Target: Blu-ray

592 views • 44 slides
DTrace Topics: -&gt; java/lang/System.arraycopy &lt;- java/lang/System.arraycopy Java &lt;-

DTrace Topics: -&gt; java/lang/System.arraycopy &lt;- java/lang/System.arraycopy Java &lt;-

# ./jflow.d &lt;- java/lang/Thread.sleep -&gt; Greeting.greet -&gt; java/io/PrintStream.println -&gt; java/io/PrintStream.print -&gt; java/io/PrintStream.write -&gt; java/io/PrintStream.ensureOpen &lt;- java/io/PrintStream.ensureOpen -&gt;

632 views • 34 slides
The need for a formal model of Java Safety guarantees of Java definedness type safety

The need for a formal model of Java Safety guarantees of Java definedness type safety

Making the Java Memory Model Safe Andreas Lochbihler Institute for Information Security ETH Zurich supported by DFG Sn11/10-1,2 The need for a formal model of Java Safety guarantees of Java definedness type safety security

595 views • 44 slides
Java Technology Goes to the Movies: Java Technology in Next- Generation Optical Disc Formats

Java Technology Goes to the Movies: Java Technology in Next- Generation Optical Disc Formats

Java Technology Goes to the Movies: Java Technology in Next- Generation Optical Disc Formats Bill Foote Erik Moll Staff Engineer System Architect Sun Microsystems, Inc. Philips Applied Technologies http://java.sun.com

935 views • 61 slides
Java in Web 2.0 Alexis Roos Principal Field Technologist, CTO Office OEM SW Sales Sun

Java in Web 2.0 Alexis Roos Principal Field Technologist, CTO Office OEM SW Sales Sun

Java in Web 2.0 Alexis Roos Principal Field Technologist, CTO Office OEM SW Sales Sun Microsystems, Inc. 1 Agenda Java overview Technologies supported by Java Platform to create Web 2.0 services Future trends 2 The Java

430 views • 27 slides
Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp .. -jar myapp.jar Java 9 java -cp .. -jar myapp.jar Today's journey Running on Java 9 Java 9 modules Migrating to modules Modularising code

851 views • 45 slides
C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well. Focus on differences between C and Java. Arithmetic Operators Most

152 views • 14 slides
Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

C is a high level language (HLL) Its syntax is much the same as Java and C++, but no objects. Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3 Why C ? 1. Millions of lines of code have been

377 views • 23 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris

Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris

Automatic Worm Defense (I) Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris worm (1988) Infected 6000 machines (10% of Internet) $10M for downtime &amp; cleanup Whats a worm?

512 views • 13 slides
Data and Process Modelling 3. Object-Role Modeling - CSDP Step 6 Marco Montali KRDB Research

Data and Process Modelling 3. Object-Role Modeling - CSDP Step 6 Marco Montali KRDB Research

Data and Process Modelling 3. Object-Role Modeling - CSDP Step 6 Marco Montali KRDB Research Centre for Knowledge and Data Faculty of Computer Science Free University of Bozen-Bolzano A.Y. 2014/2015 Marco Montali (unibz) DPM - 3.CDSP-6 A.Y.

257 views • 4 slides
Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead Mark is the lead maintainer of Guardr, a suite of modules predicated around Drupal security. He is passionate about architecting systems to solve

812 views • 38 slides
Group Lending and Enforcement October 2007 () Group lending October 2007 1 / 26 Group Lending

Group Lending and Enforcement October 2007 () Group lending October 2007 1 / 26 Group Lending

Group Lending and Enforcement October 2007 () Group lending October 2007 1 / 26 Group Lending in Theory Grameen I (&quot;classic&quot;) 2:2:1 staggering at 4-6 week intervals 1 loan cycle = a year joint liability: formal sanctions in case

837 views • 26 slides
Positive TAGED with a Bounded Number of Constraints P.-C. Ham, Vincent Hugot, O. Kouchnarenko

Positive TAGED with a Bounded Number of Constraints P.-C. Ham, Vincent Hugot, O. Kouchnarenko

On Positive TAGED with a Bounded Number of Constraints P.-C. Ham, Vincent Hugot, O. Kouchnarenko {pheam,vhugot,okouchna}@femto-st.fr University of Franche-Comt DGA &amp; INRIA/CASSIS &amp; FEMTO-ST (DISC) July 2, 2013 Introduction

758 views • 71 slides
GNOME for system administrators Jessie edition Mini Debconf Lyon 2015 12 april 2015

GNOME for system administrators Jessie edition Mini Debconf Lyon 2015 12 april 2015

GNOME for system administrators Jessie edition Mini Debconf Lyon 2015 12 april 2015 Introduction Debian is awesome to use in a 1000+ machines environment Automated deployment tools Customization: custom APT repositories

538 views • 28 slides
t r t

t r t

t r t r r tts ts r

1.14k views • 46 slides
Planning in Context Planning in the Context of Domain Modelling, Task Assignment and Execution

Planning in Context Planning in the Context of Domain Modelling, Task Assignment and Execution

http://www.inf.ed.ac.uk/teaching/courses/plan/ Planning in Context Planning in the Context of Domain Modelling, Task Assignment and Execution Literature O-Plan Papers http://www.aiai.ed.ac.uk/project/oplan/ Tate, A., Dalton, J. and

634 views • 15 slides

More recommend