the anatomy of a secure web app using javaee spring
play

The Anatomy of a Secure Web App Using JavaEE, Spring Security and - PowerPoint PPT Presentation

Mar 20, 2023 •177 likes •1.03k views

The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017 ApacheCon NA, Miami Objective Think about how a web app would behave, if we spared no expense for security. ApacheCon NA, Miami 2017 2 @play

  1. The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017 ApacheCon NA, Miami

  2. Objective • Think about how a web app would behave, if we spared no expense for security. ApacheCon NA, Miami 2017 2

  3. @play Introductions Shawn McKinney @work • Software Architect • PMC Apache Directory Project • Engineering Team ApacheCon NA, Miami 2017 3

  4. Agenda Look at two examples… 1. Apache Fortress Demo + Java EE + Spring Security – https://github.com/shawnmckinney/apache-fortress-demo 2. Fortress SAML Demo + Spring Security SP – https://github.com/shawnmckinney/fortress-saml-demo ApacheCon NA, Miami 2017 4

  5. Themes Covered 1. Simplicity 2. Common Sense 3. Household Analogies to explain ‘Why’ ApacheCon NA, Miami 2017 5

  6. With a few caveats… • Not cloud native • Not microservices • Not big data Not a problem em, same e rules s apply ApacheCon NA, Miami 2017 6

  7. And a couple of recommendations • Listen, don’t take notes. These slides are published and have all the details you need. • Save questions for the end (we’ve got a lot of ground to cover). ApacheCon NA, Miami 2017 7

  8. Example #1 Apache Fortress Demo https://github.com/shawnmckinney/apache-fortress-demo ApacheCon NA, Miami 2017 8

  9. The Five Security Layers of Java Web Apps 1.Java Secure Socket Extension (JSSE) 2.Java EE Security 3.Spring Security 4.Web App Framework 5.Database Functions ApacheCon NA, Miami 2017 9

  10. Rationale for Each ------- ----- ----- ----- ------ ----- ----- ------ ----- -- private te conversa ersation tions 1.JSSE 2.Java EE Security ------- ----- --- deadbol olt t on front door 3.Spring Security ------- ----- ----- -- locks on room doors - locks on equipmen ment t in rooms 4.Web App Framework 5.Database Functions ---- conten ---- ent t filtering ApacheCon NA, Miami 2017 10

  11. Two Areas of Access Control 1.Java EE and Spring Role Declarative checks 2.RBAC Permission Programmatic checks ApacheCon NA, Miami 2017 11

  12. Start with Tomcat Servlet Container ApacheCon NA, Miami 2017 12

  13. ssss ssh!!! !!! 1 & 2. Enable HTTPS 1. Update the Server.xml 2. Add private key ApacheCon NA, Miami 2017 13

  14. Enable Tomcat TLS 1. Generate keystore with private key (Steps 1 - 5): http://shawnmckinney.github.io/ apache-fortress-demo/apidocs/doc-files/keys.html 2. Add the following to server.xml: <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled= " true“ “/path/mykeystore” keystoreFile= keystorePass= “******” clientAuth="false" sslProtocol="TLS"/> http://shawnmckinney.github.io/ apache-fortress-demo/apidocs/doc-files/apache-tomcat-ssl .html

  15. Change Tomcat TLS Enabled Cipher Suites <Connector port="8443" … Disable e weak Diffie-Hel ellman man ciphers ciphers= "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_E CDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECD H_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_EC DH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS _ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_S HA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_12 8_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_2 56_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH _3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE _RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_ RSA_WITH_NULL_SHA,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WIT H_NULL_SHA” ApacheCon NA, Miami 2017 15

  16. the deadbol olt 3. Enable Java EE Security a. Update web.xml b. Drop the proxy jar c. Add context.xml d. Add fortress to pom.xml ApacheCon NA, Miami 2017 16

  17. Enable Java EE Security Realm 1. Java EE conta tainer er Add to App’s Web.xml prote tects cts this URL <security-constraint> Automa omatical cally. y. <display-name>My Project Security Constraint</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/wicket/*</url-pattern> </web-resource-collection> 2. All users must <auth-constraint> <role-name>DEMO2_USER</role-name> have e this role to </auth-constraint> </security-constraint> gain entry. <login-config> <auth-method>FORM</auth-method> 3. Route e un-authN uthN <realm-name>MySecurityRealm</realm-name> reques ests ts to my form. <form-login-config> <form-login-page>/login/login.html</form-login-page> https://github.com/shawnmckinney/apache-fortress-demo/blob/master/src/main/webapp/WEB-INF/web.xml ApacheCon NA, Miami 2017 17

  18. Enable Java EE Security Realm Drop the Fortress Realm Proxy Jar in Tomcat’s lib folder Fortres ess Realm m Proxy y uses depende denci cies es within the web app p via URLClassloa oader. er. ApacheCon NA, Miami 2017 18

  19. Enable Java EE Security Realm Add context.xml to META-INF folder: <Context reloadable="true"> Apach che e Fortres ess Tomcat cat Realm Realm className= < “ org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy " defaultRoles="ROLE_DEMO2_SUPER_USER,DEMO2_ALL_PAGES, ROLE_PAGE1, ROLE_PAGE2, ROLE_PAGE3" The set of role candi dida dates tes eligible e to be actived ed into a session on. /> </Context> https://github.com/shawnmckinney/ apache-fortress-demo /blob/master/src/main/resources/META-INF/context.xml ApacheCon NA, Miami 2017 19

  20. Enable RBAC Policy Decision Point Add Fortress Dependency to web app’s pom.xml: <dependency> <groupId>org.apache.directory.fortress</groupId> <artifactId> fortress-realm-impl </artifactId> <version>2.0.0-RC2</version> </dependency> ApacheCon NA, Miami 2017 20

  21. the securit ity y system tem 4. Setup RBAC PDP Policy Decision Point a. Install b. Configure c. Use ApacheCon NA, Miami 2017 21

  22. https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-APACHEDS.md ApacheCon NA, Miami 2017 22

  23. Or Or https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md ApacheCon NA, Miami 2017 23

  24. Use ANSI RBAC INCITS 359 Specification RBAC0 : – Users, Roles, Perms, Sessions RBAC1 : – Hierarchical Roles RBAC2 : – Static Separation of Duties RBAC3 : – x Dynamic Separation of Duties Toda day y we demo o this ApacheCon NA, Miami 2017 24

  25. Use RBAC Object Model Six basic elements: 1. User – human or machine entity 2. Role – a job function within an organization 3. Object – maps to system resources 4. Operation – executable image of program 5. Permission – approval to perform an Operation on one or more Objects 6. Session – contains set of activated roles for User ApacheCon NA, Miami 2017 25

  26. Use RBAC Functional Model APIs form three standard interfaces: Managem ement ent and Config process sses es 1. Admin – Add, Update, Delete 2. Review – Read, Search System – Access Control 3. x Demo runtime e proces esse ses ApacheCon NA, Miami 2017 26

  27. Use RBAC Functional Model System Manager APIs: http://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/impl/ AccessMgrImpl .html 1. createSession – authenticate, activate roles 2. checkAccess – permission check 3. sessionPermissions – all perms active for user 4. sessionRoles – return all roles active 5. addActiveRole – add new role to session 6. dropActiveRole – remove role from session ApacheCon NA, Miami 2017 27

  28. confident identialit iality 5 – 8 Enable LDAP SSL ApacheCon NA, Miami 2017 28

  29. Enable LDAP SSL Client 1. Import public key to java truststore: http://shawnmckinney.github.io/apache-fortress- demo/apidocs/doc-files/keys.html common name 2. Add to fortress.properties host=ldap-server-domain-name.com in server r cert port=636 enable.ldap.ssl=true trust.store=mytruststore Can be found trust.store.password=changeit trust.store.onclasspath=true on classpa path th ApacheCon NA, Miami 2017 29

  30. Enable ApacheDS LDAP SSL Server 1.Import keystore with Apache Directory Studio 2.Restart ApacheDS Server http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/apache-directory-ssl.html

  31. Or Or Enable OpenLDAP SSL Server Add locations of crypto artifacts to slapd server config: TLSCACertificateFile /path/to/my/ca-certificate TLSCertificateFile /path/to/my/server-certificate TLSCertificateKeyFile /path/to/my/private-key http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/openldap-ssl.html ApacheCon NA, Miami 2017 31

  32. locks ks on the rooms ms 9. Enable Spring Security a. Authorization b. Role mapping ApacheCon NA, Miami 2017 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Anatomy of a Secure Web Applica6on Using Java

The Anatomy of a Secure Web Applica6on Using Java

The Anatomy of a Secure Web Applica6on Using Java ApacheCon NA 2015 John Field, Pivotal Services @EMC 1 Image:

907 views • 76 slides
Slides of Anatomy Please note: These slides are Dr. Maher Hadidis slides of spring 2016 and

Slides of Anatomy Please note: These slides are Dr. Maher Hadidis slides of spring 2016 and

Slides of Anatomy Please note: These slides are Dr. Maher Hadidis slides of spring 2016 and were edited by the Premed Academic Team to fit the slides of spring 2019. 1 Axilla Pyramidal space between side of the chest and upper part of the

444 views • 15 slides
Slides of Anatomy Please note : These slides are Dr. Maher Hadidis slides of spring 2016 and

Slides of Anatomy Please note : These slides are Dr. Maher Hadidis slides of spring 2016 and

Slides of Anatomy Please note : These slides are Dr. Maher Hadidis slides of spring 2016 and were edited by the Premed Academic Team to fit the slides of spring 2019. 1 Medical Language Most derived from Latin and/ Greek language.

516 views • 26 slides
Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@

Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@

Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@ www. `whoami` Christian-Schneider.net Software Developer, Whitehat Hacker &amp; Trainer Freelancer since 1997 Focus on JavaEE &amp;

773 views • 59 slides
CS 241: Systems Programming Lecture 3. More Shell Spring 2020 Prof. Stephen Checkoway 1 Anatomy

CS 241: Systems Programming Lecture 3. More Shell Spring 2020 Prof. Stephen Checkoway 1 Anatomy

CS 241: Systems Programming Lecture 3. More Shell Spring 2020 Prof. Stephen Checkoway 1 Anatomy of a single command 2 Anatomy of a single command command options arguments 2 Anatomy of a single command command

702 views • 55 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff &amp; Kenneth R. Van Wyk

753 views • 17 slides
Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and Model http://portal.acm.org/citation.cfm?id=948196 Smashing the Stack for Fun and Profit

525 views • 36 slides
Anatomy of HB 232Land Use Amendments Utah Municipal Attorneys Association Spring Conference

Anatomy of HB 232Land Use Amendments Utah Municipal Attorneys Association Spring Conference

Anatomy of HB 232Land Use Amendments Utah Municipal Attorneys Association Spring Conference May 10-12, 2017 Jodi Hoffman, Hoffman Law jhoffman@xmission.com 435.901.0805 LUDMA Themes 2017: 1. Broad Discretion to Regulate Land Use : City

290 views • 14 slides
Basic Anatomy Anatomy: General Planes of the body

Basic Anatomy Anatomy: General Planes of the body

Musculoskeletal Biomechanics BIOEN 520 | ME 527 Mini-Lab 1 Basic Anatomy Anatomy: General Planes of the body DirecGonal terms Joint

1.24k views • 65 slides
2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a

2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a

2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a cloud d computing platform Lih Shyang Chen Department of Electrical En ngineering National Cheng Kung Unive N ti l Ch K U i ersity

319 views • 27 slides
QCon SP Java EE: Extendable and Functional David Blevins Tomitribe #JavaEE @dblevins

QCon SP Java EE: Extendable and Functional David Blevins Tomitribe #JavaEE @dblevins

QCon SP Java EE: Extendable and Functional David Blevins Tomitribe #JavaEE @dblevins @tomitribe QCon SP Talk Overview Part 1: Extensibility CDI Scopes Connectors Java EE 6-7 Part 2: Functions New API Opportunities

728 views • 28 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
1 Reason Anatomy and Physiology are the foundation on which all medicine is based. Learn well

1 Reason Anatomy and Physiology are the foundation on which all medicine is based. Learn well

EAPIntroduction to Anatomy and Physiology PFN: SOMAPL11 Hours: 1.5 JSOMTC, SWMG(A) Slide 1 Terminal Learning Objective Action: Communicate knowledge of Introduction to Anatomy and Physiology Condition: Given a lecture in a

630 views • 30 slides
CS 1655 / Spring 2013 Secure Data Management and Web Applications 01 Data Mining and

CS 1655 / Spring 2013 Secure Data Management and Web Applications 01 Data Mining and

CS 1655 / Spring 2013 Secure Data Management and Web Applications 01 Data Mining and Knowledge Discovery Alexandros Labrinidis University of Pittsburgh CS 1655 / Spring 2013 1 Trends leading to Data Flood More data is generated:

327 views • 15 slides
CS 1655 / Spring 2010 Secure Data Management and Web Applications 01 Data Mining and

CS 1655 / Spring 2010 Secure Data Management and Web Applications 01 Data Mining and

CS 1655 / Spring 2010 Secure Data Management and Web Applications 01 Data Mining and Knowledge Discovery Alexandros Labrinidis University of Pittsburgh CS 1655 / Spring 2010 1 Trends leading to Data Flood More data is generated:

355 views • 14 slides
BIOMETRY COURSE Module 1 Anatomy &amp; Vision Welcome to Anatomy Emma Deighan Trainer in

BIOMETRY COURSE Module 1 Anatomy &amp; Vision Welcome to Anatomy Emma Deighan Trainer in

BIOMETRY COURSE Module 1 Anatomy &amp; Vision Welcome to Anatomy Emma Deighan Trainer in Ophthalmology for 20 Years Please ask questions! Email emma@medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will learn Anatomy

1.24k views • 29 slides
Teil I - Nodes Jaroslav Tulach, Sun Microsystems Ergnzungen: David Strupl, Sun Microsystems

Teil I - Nodes Jaroslav Tulach, Sun Microsystems Ergnzungen: David Strupl, Sun Microsystems

Teil I - Nodes Jaroslav Tulach, Sun Microsystems Ergnzungen: David Strupl, Sun Microsystems Geertjan Wielenga, Sun Microsystems Deutsche berarbeitung - Aljoscha Rittner Sepix GmbH NetBeans Dream Team Agenda Teil I Nodes &gt; Warum

572 views • 53 slides
EJB Clients EJB Clients Transactions in Clients Transactions in Clients Unit III

EJB Clients EJB Clients Transactions in Clients Transactions in Clients Unit III

Topics Topics EJB Bean as a Client to Another Bean EJB Bean as a Client to Another Bean Serializing a Handle EJB Clients EJB Clients Transactions in Clients Transactions in Clients Unit III Authentication in Clients

650 views • 12 slides
T echnology &amp; Architecture FOSDEM Brussels, Januari 2015 Jan De Moerloose 1 &lt;Date&gt;

T echnology &amp; Architecture FOSDEM Brussels, Januari 2015 Jan De Moerloose 1 &lt;Date&gt;

T echnology &amp; Architecture FOSDEM Brussels, Januari 2015 Jan De Moerloose 1 &lt;Date&gt; Geomajas T echnology &amp; Architecture T odays menu: What is Geomajas? Code samples (Security in Geomajas) Demo Q &amp; A

516 views • 30 slides
Session 27 ThymeLeaf Reading and Reference Reading www.baeldung.com/thymeleaf-in-spring-mvc

Session 27 ThymeLeaf Reading and Reference Reading www.baeldung.com/thymeleaf-in-spring-mvc

Session 27 Thymeleaf Session 27 ThymeLeaf Reading and Reference Reading www.baeldung.com/thymeleaf-in-spring-mvc Reference: API https://www.thymeleaf.org/apidocs/thymeleaf/2.1.6.RELEASE/index.html 2 Robert Kelly, 2018 1

369 views • 9 slides
301AA - Advanced Programming Lecturer: Andrea Corradini andrea@di.unipi.it

301AA - Advanced Programming Lecturer: Andrea Corradini andrea@di.unipi.it

301AA - Advanced Programming Lecturer: Andrea Corradini andrea@di.unipi.it http://pages.di.unipi.it/corradini/ AP-2018-11 : Frameworks and Inversion of Control Frameworks and Inversion of Control Recap: JavaBeans as Components

644 views • 42 slides
Driving MDA with UML: Principles and Practices Junichi Suzuki, Ph.D. jxs@computer.org

Driving MDA with UML: Principles and Practices Junichi Suzuki, Ph.D. jxs@computer.org

Driving MDA with UML: Principles and Practices Junichi Suzuki, Ph.D. jxs@computer.org http://www.jks.la/jxs/ School of Information and Computer Science University of California, Irvine 1 Who am I? Research fellow, UC Irvine (2000-)

492 views • 23 slides
Notifications What is a Notification? A notification is a short message briefly displayed on the

Notifications What is a Notification? A notification is a short message briefly displayed on the

Lesson 23 Lesson 23 Android Android Notifications Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from

304 views • 16 slides
The GATE Embedded API Track II, Module 5 Fourth GATE Training Course May 2011 2011 The

The GATE Embedded API Track II, Module 5 Fourth GATE Training Course May 2011 2011 The

GATE API Basics The CREOLE Model Execution Control The GATE Embedded API Track II, Module 5 Fourth GATE Training Course May 2011 2011 The University of Sheffield c This material is licenced under the Creative Commons

778 views • 65 slides

More recommend