SlideShare a Scribd company logo

Security in java ee platform: what is included, what is missing

Download as PPT, PDF
Masoud Kalali, profile picture
Masoud Kalali

The document discusses security features provided by the Java EE platform and some missing requirements. It covers authentication, authorization, transport security, and single sign-on capabilities. Some basic missing requirements mentioned are authentication chaining, fine-grained access control, and robust single sign-on support. The document recommends additional open source solutions that can help address some of these limitations.

Technology
1 of 13
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
Java EE Platform Security What is included, what is missing. Masoud Kalali Author of GlassFish security book Http://kalali.me
What can Security refer to?
Security requirements Authentication Authorization Transport Security Single Sign-On
Java EE and Security Requirements I @ServletSecurity(@HttpConstraint(rolesAllowed = {&quot;manager&quot;, &quot;administrator&quot;})) ... String usrname = request.getParameter(&quot;username&quot;); String pass = request.getParameter(&quot;password&quot;); request.login(strUsername, strPassword); .... <login-config> <auth-method>BASIC</auth-method> <realm-name>JDBCRealm</realm-name> </login-config> What Java EE provides for Authentication: Authentication Methods (Form, Basic, Digest, Client-Cert) Security Realms Programmatic login/ logout, setHttpOnly isHttpOnly, @ServletSecurity Adding new or Extending Realms, extending current realms JSR-196, pluggable authentication
Java EE and Security Requirements II What Java EE platform provides for authorization: Role based access control over resources Roles are defined in a vendor specific way Roles are based on the info from the same security realm Enforced using Annotation or XML description Can be extend using JSR-115 <method-permission> <role-name>manager</role-name> <method> <ejb-name>Emp</ejb-name> <method-name>getAge</method-name> </method> </method-permission> Annotation Targets Level Target Kind @DeclareRoles Class EJB, Servlet @RunAs Class EJB, Servlet @ServletSecurity Class Servlet @PermitAll Class, Method EJB @DenyAll Method EJB @RolesAllowed Class, Method EJB
Java EE and Security Requirements III The Transport Security facilities: Confidentiality Data integrity Different set of resources, different level of transport security <security-constraint> <display-name>Current Online Users</display-name> <web-resource-collection> <web-resource-name>online users</web-resource-name> <description/> <url-pattern>/admin/online/*</url-pattern> </web-resource-collection> <auth-constraint> <description/> <role-name>manager</role-name> </auth-constraint> <user-data-constraint> <description/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Java EE and Security Requirements IV What Java EE platform provides for SSO: Nothing out of JSRs Application servers provide some basic functionalities with restrictions: Same Realm Same Virtual Server/ Host Other solutions like proxies like delegated authentication to Apache mod_proxy Clustering the instances Need same realm
Is that All? Really, Is that all we need to have? Do we miss anything major? Is there anything still basic and good to have?
Basic, but missing requirements Authentication chain Fine grained access control Single Sign-On
Basic, but missing requirements I Chain of authentication challenges One realm, provider failed chain to the next one Put Challenges together in groups Basic rules to forms the groups Authentication levels Higher level for more secure realms More resources accessible on higher authentication levels Authentication chain:
Basic, but missing requirements II Fine grained access control Coarse grained allow/not-allow are not sufficient anymore A very common issue: time, location based access control XACML is there, but not in the platform Attribute based access evaluation Attributes for all involving factors Version 2 is mature enough, Version 3 in the corner JBoss and Sun open source XACML implementations http://sunxacml.sourceforge.net/ http://www.jboss.org/picketbox/
Basic, but missing requirements III What to do with more SSO requirements? It may never get into the platform Involve more than just Java EE Heavy, complex and open ended Go with JOSSO, http://www.josso.org/ Go with OpenSSO, http://opensso.dev.java.net Both work with CDSSO Integrate with many platforms/ servers Can be used from almost any language
Time For Questions Questions? You can contact me at [email_address] or http://twitter.com/MasoudKalali

More Related Content

PPT
JavaEE Security
Alex Kim
 
PPT
Developing With JAAS
rahmed_sct
 
PPTX
Extending Arquillian graphene
Rudy De Busscher
 
PDF
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
PPTX
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
 
PDF
Java EE Application Security With PicketLink
pigorcraveiro
 
PPTX
Java ee 8 + security overview
Rudy De Busscher
 
PDF
J2EE Security with Apache SHIRO
Cygnet Infotech
 
JavaEE Security
Alex Kim
 
Developing With JAAS
rahmed_sct
 
Extending Arquillian graphene
Rudy De Busscher
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
 
Java EE Application Security With PicketLink
pigorcraveiro
 
Java ee 8 + security overview
Rudy De Busscher
 
J2EE Security with Apache SHIRO
Cygnet Infotech
 

What's hot (20)

PDF
From 0 to Spring Security 4.0
robwinch
 
PPTX
Learn Apache Shiro
Smita Prasad
 
PPTX
Spring Security
Manish Sharma
 
PPTX
Spring Security 3
Jason Ferguson
 
PDF
Super simple application security with Apache Shiro
Marakana Inc.
 
PPTX
Intro to Apache Shiro
Claire Hunsaker
 
PPTX
Java Security Framework's
Mohammed Fazuluddin
 
PPTX
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
DataStax Academy
 
PPT
Java Security
elliando dias
 
PDF
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
Artur Barseghyan
 
PPTX
Access Control Pitfalls v2
Jim Manico
 
PPTX
Spring Security
Boy Tech
 
PDF
Securing REST APIs
Claire Hunsaker
 
PPT
CAS Enhancement
Guo Albert
 
PPTX
Spring Security 5
Jesus Perez Franco
 
PPTX
Deep dive into Java security architecture
Prabath Siriwardena
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
PDF
Fun With Spring Security
Burt Beckwith
 
PPTX
Token Authentication for Java Applications
Stormpath
 
From 0 to Spring Security 4.0
robwinch
 
Learn Apache Shiro
Smita Prasad
 
Spring Security
Manish Sharma
 
Spring Security 3
Jason Ferguson
 
Super simple application security with Apache Shiro
Marakana Inc.
 
Intro to Apache Shiro
Claire Hunsaker
 
Java Security Framework's
Mohammed Fazuluddin
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
DataStax Academy
 
Java Security
elliando dias
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
Artur Barseghyan
 
Access Control Pitfalls v2
Jim Manico
 
Spring Security
Boy Tech
 
Securing REST APIs
Claire Hunsaker
 
CAS Enhancement
Guo Albert
 
Spring Security 5
Jesus Perez Franco
 
Deep dive into Java security architecture
Prabath Siriwardena
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
Fun With Spring Security
Burt Beckwith
 
Token Authentication for Java Applications
Stormpath
 
Ad

Viewers also liked (6)

PDF
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Josef Cacek
 
PDF
Java Security Overview
white paper
 
PPTX
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Martin Toshev
 
PPT
Java security
Ankush Kumar
 
PPT
Security As A Service
guest536dd0e
 
PPT
Security via Java
Bahaa Zaid
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Josef Cacek
 
Java Security Overview
white paper
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Martin Toshev
 
Java security
Ankush Kumar
 
Security As A Service
guest536dd0e
 
Security via Java
Bahaa Zaid
 
Ad

Similar to Security in java ee platform: what is included, what is missing (20)

PDF
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
Markus Eisele
 
PPTX
Utilize the Full Power of GlassFish Server and Java EE Security
Masoud Kalali
 
PDF
Finally, EE Security API JSR 375
Alex Kosowski
 
PDF
Java EE Services
Abdalla Mahmoud
 
PPTX
Introduction To Building Enterprise Web Application With Spring Mvc
Abdelmonaim Remani
 
PPTX
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
Werner Keil
 
PPTX
SCWCD : Secure web : CHAP : 7
Ben Abdallah Helmi
 
PPTX
SCWCD : Secure web
Ben Abdallah Helmi
 
PDF
Dev objecttives-2015 auth-auth-fine-grained-slides
ColdFusionConference
 
PDF
Authentication Control
devObjective
 
PPTX
Java EE 8 security and JSON binding API
Alex Theedom
 
PDF
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
elliando dias
 
PDF
Spring4 security
Sang Shin
 
PDF
Apache Roller, Acegi Security and Single Sign-on
Matt Raible
 
PPT
Websphere on z/OS and RACF security
Michael Erichsen
 
PPT
Extending Oracle SSO
kurtvm
 
PDF
Single Sign-on Framework in Tizen
Ryo Jin
 
PDF
Anil saldhana securityassurancewithj_bosseap
Anil Saldanha
 
PPTX
Enrterprise Java-Unit 1 (All chapters) for TYIT PPTx
dcruzsophia24
 
PPTX
Enterprise Java TYIT Sem 5 Unit 1 Chapter 1 and 2 PPT
dcruzsophia24
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
Markus Eisele
 
Utilize the Full Power of GlassFish Server and Java EE Security
Masoud Kalali
 
Finally, EE Security API JSR 375
Alex Kosowski
 
Java EE Services
Abdalla Mahmoud
 
Introduction To Building Enterprise Web Application With Spring Mvc
Abdelmonaim Remani
 
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
Werner Keil
 
SCWCD : Secure web : CHAP : 7
Ben Abdallah Helmi
 
SCWCD : Secure web
Ben Abdallah Helmi
 
Dev objecttives-2015 auth-auth-fine-grained-slides
ColdFusionConference
 
Authentication Control
devObjective
 
Java EE 8 security and JSON binding API
Alex Theedom
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
elliando dias
 
Spring4 security
Sang Shin
 
Apache Roller, Acegi Security and Single Sign-on
Matt Raible
 
Websphere on z/OS and RACF security
Michael Erichsen
 
Extending Oracle SSO
kurtvm
 
Single Sign-on Framework in Tizen
Ryo Jin
 
Anil saldhana securityassurancewithj_bosseap
Anil Saldanha
 
Enrterprise Java-Unit 1 (All chapters) for TYIT PPTx
dcruzsophia24
 
Enterprise Java TYIT Sem 5 Unit 1 Chapter 1 and 2 PPT
dcruzsophia24
 

More from Masoud Kalali (12)

PPTX
Real world RESTful service development problems and solutions
Masoud Kalali
 
PDF
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
Masoud Kalali
 
PDF
BOF 2193 - How to work from home effectively
Masoud Kalali
 
PDF
Real-World RESTful Service Development Problems and Solutions
Masoud Kalali
 
PDF
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
PDF
Java EE 7 overview
Masoud Kalali
 
PPT
Confess 2013: OWASP Top 10 and Java EE security in practice
Masoud Kalali
 
ODP
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Masoud Kalali
 
PPTX
Slides for the #JavaOne Session ID: CON11881
Masoud Kalali
 
PPT
An Overview of RUP methodology
Masoud Kalali
 
PPT
An overview of software development methodologies.
Masoud Kalali
 
PPT
NIO.2, the I/O API for the future
Masoud Kalali
 
Real world RESTful service development problems and solutions
Masoud Kalali
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
Masoud Kalali
 
BOF 2193 - How to work from home effectively
Masoud Kalali
 
Real-World RESTful Service Development Problems and Solutions
Masoud Kalali
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
Java EE 7 overview
Masoud Kalali
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Masoud Kalali
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Masoud Kalali
 
Slides for the #JavaOne Session ID: CON11881
Masoud Kalali
 
An Overview of RUP methodology
Masoud Kalali
 
An overview of software development methodologies.
Masoud Kalali
 
NIO.2, the I/O API for the future
Masoud Kalali
 

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A Presentation on Artificial Intelligence
memembruh336
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Teaching material agriculture food technology
LiaRayya
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 

Security in java ee platform: what is included, what is missing

  • 1. Java EE Platform Security What is included, what is missing. Masoud Kalali Author of GlassFish security book Http://kalali.me
  • 2. What can Security refer to?
  • 3. Security requirements Authentication Authorization Transport Security Single Sign-On
  • 4. Java EE and Security Requirements I @ServletSecurity(@HttpConstraint(rolesAllowed = {&quot;manager&quot;, &quot;administrator&quot;})) ... String usrname = request.getParameter(&quot;username&quot;); String pass = request.getParameter(&quot;password&quot;); request.login(strUsername, strPassword); .... <login-config> <auth-method>BASIC</auth-method> <realm-name>JDBCRealm</realm-name> </login-config> What Java EE provides for Authentication: Authentication Methods (Form, Basic, Digest, Client-Cert) Security Realms Programmatic login/ logout, setHttpOnly isHttpOnly, @ServletSecurity Adding new or Extending Realms, extending current realms JSR-196, pluggable authentication
  • 5. Java EE and Security Requirements II What Java EE platform provides for authorization: Role based access control over resources Roles are defined in a vendor specific way Roles are based on the info from the same security realm Enforced using Annotation or XML description Can be extend using JSR-115 <method-permission> <role-name>manager</role-name> <method> <ejb-name>Emp</ejb-name> <method-name>getAge</method-name> </method> </method-permission> Annotation Targets Level Target Kind @DeclareRoles Class EJB, Servlet @RunAs Class EJB, Servlet @ServletSecurity Class Servlet @PermitAll Class, Method EJB @DenyAll Method EJB @RolesAllowed Class, Method EJB
  • 6. Java EE and Security Requirements III The Transport Security facilities: Confidentiality Data integrity Different set of resources, different level of transport security <security-constraint> <display-name>Current Online Users</display-name> <web-resource-collection> <web-resource-name>online users</web-resource-name> <description/> <url-pattern>/admin/online/*</url-pattern> </web-resource-collection> <auth-constraint> <description/> <role-name>manager</role-name> </auth-constraint> <user-data-constraint> <description/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
  • 7. Java EE and Security Requirements IV What Java EE platform provides for SSO: Nothing out of JSRs Application servers provide some basic functionalities with restrictions: Same Realm Same Virtual Server/ Host Other solutions like proxies like delegated authentication to Apache mod_proxy Clustering the instances Need same realm
  • 8. Is that All? Really, Is that all we need to have? Do we miss anything major? Is there anything still basic and good to have?
  • 9. Basic, but missing requirements Authentication chain Fine grained access control Single Sign-On
  • 10. Basic, but missing requirements I Chain of authentication challenges One realm, provider failed chain to the next one Put Challenges together in groups Basic rules to forms the groups Authentication levels Higher level for more secure realms More resources accessible on higher authentication levels Authentication chain:
  • 11. Basic, but missing requirements II Fine grained access control Coarse grained allow/not-allow are not sufficient anymore A very common issue: time, location based access control XACML is there, but not in the platform Attribute based access evaluation Attributes for all involving factors Version 2 is mature enough, Version 3 in the corner JBoss and Sun open source XACML implementations http://sunxacml.sourceforge.net/ http://www.jboss.org/picketbox/
  • 12. Basic, but missing requirements III What to do with more SSO requirements? It may never get into the platform Involve more than just Java EE Heavy, complex and open ended Go with JOSSO, http://www.josso.org/ Go with OpenSSO, http://opensso.dev.java.net Both work with CDSSO Integrate with many platforms/ servers Can be used from almost any language
  • 13. Time For Questions Questions? You can contact me at [email_address] or http://twitter.com/MasoudKalali